Introduction To Standards & Frameworks

The document provides an overview of several common standards and frameworks related to business processes, IT governance, information security, and quality management. It discusses their commonalities and differences, focus areas, and objectives. The standards covered include ISO 9000, Six Sigma, ISO 27001, COBIT, ITIL, ISO 20000, ISO 38500, BS 25999, and CMM, outlining their key aspects and purposes at a high level in 1-2 sentences each.

Uploaded by Prashant Late
Introduction to standards & frameworks

Role:
- Improve the business processes: ISO 9000, Six Sigma
- Regulatory imposition / governance: SOX, Basel II, COSO
- IT-focused discipline: ISO 27001, CMM, ITIL, ISO 20000, COBIT
- Governance and continuity: ISO 38500 and BS 25999

Commonality:
- Many are certifiable
- May require multiple certifications
- Significant overlap with each other

Differences:
- Focus areas and objectives
- The processes and applicable procedures

Page 1

Presentation title

Most quality management systems and frameworks, by their very nature, overlap with each other. However, there is no straightforward comparison between standards, frameworks and best practices: they serve different purposes and are not mutually exclusive. The most common overlaps are in the areas of quality management, training, audit documentation and conformance.

BS 25999, COBIT, ISO 38500, ISO 9000, ISO 27001, ITIL, ISO 20000, CMM and other best practices, procedures and guidelines share a common set of principles and practices: senior management commitment, leadership, customer focus, people focus, management by process, systemic view focus, learning and improvement, and win-win partnership.

ISO 27001: an overview

ISO/IEC 27001:2005
- Published by ISO and IEC, ISO/IEC 27001 is an international standard for information security management systems (ISMS).
- Provides information to responsible parties for implementing information security.
- A basis for developing security standards and management practices within an organization, to improve the reliability of its information security.
- Through regular risk assessment and continuous improvement, it lays down a roadmap to identify, assess, mitigate and monitor information security risks.
- Drives the selection of adequate security controls that protect information assets and give confidence to interested stakeholders.

COBIT: an overview

Control Objectives for Information and related Technology (COBIT) is a set of best practices (a framework) for IT governance, providing management tools such as metrics and maturity models. It also brings greater focus to the alignment of business and IT goals, and greater clarity on IT delivering value, performance management, governance, ownership and assurance requirements. It includes 34 high-level control objectives grouped under the domains of:
- Planning and Organization
- Acquisition and Implementation
- Delivery and Support
- Monitoring and Evaluation

The current version is COBIT 4.1.

ISO 38500: an overview

ISO/IEC 38500:2008
The ISO/IEC 38500:2008 standard, Corporate governance of information technology, provides a framework for effective governance of IT to assist those at the highest level of organizations to understand and fulfil their legal, regulatory and ethical obligations in respect of their organization's use of IT. ISO/IEC 38500 is applicable to organizations of all sizes, including public and private companies, government entities and not-for-profit organizations. The standard provides guiding principles for directors on the effective, efficient and acceptable use of information technology (IT) within their organizations. The framework comprises definitions, principles and a model. It sets out six principles for good corporate governance of IT:
- Responsibility
- Strategy
- Acquisition
- Performance
- Conformance
- Human behaviour

Information Technology Infrastructure Library (ITIL): an overview

ITIL v2
- Developed by the Office of Government Commerce (OGC) in the UK.
- A set of concepts and policies for managing information technology (IT) services (ITSM), development and operations.
- Used by organizations worldwide as a comprehensive and consistent source of good practice to establish and improve capabilities in service management.
- ITIL gives a detailed description of a number of important IT practices, with comprehensive checklists, tasks and procedures that any IT organization can tailor to its needs.

The ITIL v2 publications, positioned between the business and the technology:
- Planning to implement service management
- The business perspective
- Service support
- Service delivery
- Security management
- IT infrastructure management
- Application management

ITIL v3
- Framework of best practice guidance for ITSM.
- Addresses particular "points of pain".
- Addresses issues such as services, quality, organization, and policy and process management.

Key changes from ITIL v2 to ITIL v3:
- Business and IT: from alignment to integration
- From value chain management to value service network integration
- From linear service catalogues to dynamic service portfolios
- From integrated processes to the service management lifecycle (the lifecycle diagram on the slide shows Service Design, Service Transition and Service Operation around ITIL)

ITIL v3 aims to:
- Integrate business and IT strategy
- Enable agile service design
- Bring clarity to the management of service providers
- Improve measurement and demonstrate value

ISO 20000: an overview

ISO/IEC 20000
- Published by ISO and IEC in December 2005, ISO/IEC 20000 is the first international standard for IT service management.
- Based on, and supersedes, the earlier British Standard BS 15000.
- Enables organizations to benchmark their capability in delivering managed services, measuring service levels and assessing performance.
- Issued in two parts:
  Part 1: Specification. Provides requirements for IT service management processes.
  Part 2: Code of practice. Represents an industry consensus on guidance to auditors and assistance to service providers.

Process groups of the ISO 20000:2005 standard:
- Service delivery processes: capacity management; service continuity and availability management; service level management; service reporting; information security management; budgeting and accounting for IT services
- Control processes: configuration management; change management
- Release process: release management
- Resolution processes: incident management; problem management
- Relationship processes: business relationship management; supplier management

BS 25999: an overview

BS 25999
The British standard for business continuity management (BCM) has been developed to help minimize the risk of disruptions. It establishes the process, principles and terminology of BCM, and provides a basis for understanding, developing and implementing business continuity within the organization. BS 25999 is suitable for any organization, large or small, from any sector. BS 25999 comprises two parts:
- BS 25999-1:2006, Code of Practice for BCM (provides BCM best practice recommendations)
- BS 25999-2:2006, Specification for BCM (provides the requirements for a BCMS based on BCM best practice)

ISO 9000: an overview

ISO 9000
ISO 9000 is a family of standards for quality management systems.

Structure
ISO 9000 lays down what requirements an organization's quality system must meet. Effective December 15, 2000, the ISO 9000 standards were revised as follows:
- ISO 9000:2000, Quality management systems - Fundamentals and vocabulary
- ISO 9001:2000, Quality management systems - Requirements (revised to include concepts from the former ISO 9001, 9002 and 9003 standards)
- ISO 9004:2000, Quality management systems - Guidelines for performance improvements

Environment and positioning
ISO 9000 is a family of standards that addresses quality management systems within an organization. Conformance of the quality management system can be shown by self-declaration or by external audit and certification.

Capability Maturity Model (CMM): an overview

CMM
The Capability Maturity Model (CMM) is a methodology used to develop and refine an organization's software development process. The model describes a five-level evolutionary path of increasingly organized and systematically more mature processes. The Capability Maturity Model involves the following aspects:
- Maturity levels: a 5-level process maturity continuum, where the uppermost (5th) level is a notional ideal state in which processes would be systematically managed by a combination of process optimization and continuous process improvement.
- Key process areas: a key process area (KPA) identifies a cluster of related activities that, when performed collectively, achieve a set of goals considered important.
- Goals: the goals of a key process area summarize the states that must exist for that key process area to have been implemented in an effective and lasting way. The goals signify the scope, boundaries and intent of each key process area.
- Common features: common features include practices that implement and institutionalize a key process area. There are five types of common features: Commitment to Perform, Ability to Perform, Activities Performed, Measurement and Analysis, and Verifying Implementation.
- Key practices: the key practices describe the elements of infrastructure and practice that contribute most effectively to the implementation and institutionalization of the KPAs.

Six Sigma: an overview

Six Sigma
Six Sigma is a process of quality measurement which helps an organization improve its quality. Six Sigma seeks to improve the quality of process outputs by identifying and removing the causes of defects (errors) and minimizing variability in manufacturing and business processes. Six Sigma doctrine asserts that:
- Continuous efforts to achieve stable and predictable process results (i.e. to reduce process variation) are of vital importance to business success.
- Manufacturing and business processes have characteristics that can be measured, analyzed, improved and controlled.
- Achieving sustained quality improvement requires commitment from the entire organization, particularly from top-level management.

ISO 27001:2005 structure

ISO 27001:2005
- 0 Introduction
- 1 Scope
- 2 Normative references
- 3 Terms and definitions
- Clauses 4 to 8 (defining the set of processes for the ISMS)
- Annex A (normative): Control objectives and controls (A.5 to A.15): security policy; organization of information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development and maintenance; information security incident management; business continuity management; compliance
- Annex B (informative): OECD principles and this International Standard
- Annex C (informative): Correspondence between ISO 9001:2000, ISO 14001:2004 and this International Standard

Clause 4: Information security management system
- 4.1 General requirements
- 4.2 Establishing and managing the ISMS
  - 4.2.1 Establish the ISMS
  - 4.2.2 Implement and operate the ISMS
  - 4.2.3 Monitor and review the ISMS
  - 4.2.4 Maintain and improve the ISMS
- 4.3 Documentation requirements
  - 4.3.1 General
  - 4.3.2 Control of documents
  - 4.3.3 Control of records

Clause 5: Management responsibility
- 5.1 Management commitment
- 5.2 Resource management
  - 5.2.1 Provision of resources
  - 5.2.2 Training, awareness and competence

Clause 6: Internal ISMS audits

Clause 7: Management review of the ISMS
- 7.1 General
- 7.2 Review input
- 7.3 Review output

Clause 8: ISMS improvement
- 8.1 Continual improvement
- 8.2 Corrective action
- 8.3 Preventive action

Security Policy
Objective: Information security policy
Covers: Information security policy document; Review of the information security policy

Organisation of Information Security
Objective: Internal organization; External parties
Covers: Management commitment to information security; Information security coordination; Allocation of information security responsibilities; Authorization process for information processing facilities; Confidentiality agreements; Contact with authorities; Contact with special interest groups; Independent review of information security; Identification of risks related to external parties; Addressing security when dealing with customers; Addressing security in third party agreements

Asset Management
Objective: Responsibility for assets; Information classification
Covers: Inventory of assets; Ownership of assets; Acceptable use of assets; Classification guidelines; Information labelling and handling

Human Resource Security
Objective: Prior to employment; During employment; Termination or change of employment
Covers: Roles and responsibilities; Screening; Terms and conditions of employment; Management responsibilities; Information security awareness, education and training; Disciplinary process; Termination responsibilities; Return of assets; Removal of access rights

Physical & Environmental Security
Objective: Secure areas; Equipment security
Covers: Physical security perimeter; Physical entry controls; Securing offices, rooms and facilities; Protecting against external and environmental threats; Working in secure areas; Public access, delivery and loading areas; Cabling security; Equipment maintenance; Security of equipment off-premises; Secure disposal or re-use of equipment; Removal of property

Communication & Operations Management
Objective: Operational procedures and responsibilities; Third party service delivery management; System planning and acceptance; Protection against malicious and mobile code; Backup; Network security management; Media handling; Exchange of information; Electronic commerce services; Monitoring
Covers: Documented operating procedures; Change management; Segregation of duties; Separation of development, test and operational facilities; Service delivery; Monitoring and review of third party services; Managing changes to third party services; Capacity management; System acceptance; Controls against malicious code; Controls against mobile code; Information backup; Network controls; Security of network services; Management of removable media; Disposal of media; Information handling procedures; Security of system documentation; Information exchange policies and procedures; Exchange agreements; Electronic messaging; Business information systems; Electronic commerce; On-line transactions; Publicly available information; Audit logging; Monitoring system use; Protection of log information; Administrator and operator logs; Fault logging; Clock synchronisation

Access Control
Objective: Business requirement for access control; User access management; User responsibilities; Network access control; Operating system access control; Application and information access control; Mobile computing and teleworking
Covers: Access control policy; User registration; Privilege management; User password management; Review of user access rights; Password use; Unattended user equipment; Clear desk and clear screen policy; Policy on use of network services; User authentication for external connections; Equipment identification in networks; Remote diagnostic and configuration port protection; Segregation in networks; Network connection control; Network routing control; Secure log-on procedures; User identification and authentication; Password management system; Use of system utilities; Session time-out; Limitation of connection time; Information access restriction; Sensitive system isolation; Mobile computing and communications; Teleworking

Information Systems Acquisition, Development and Maintenance
Objective: Security requirements of information systems; Correct processing in applications; Cryptographic controls; Security of system files; Security in development and support processes; Technical vulnerability management
Covers: Security requirements analysis and specification; Input data validation; Control of internal processing; Message integrity; Output data validation; Policy on use of cryptographic controls; Key management; Control of operational software; Protection of system test data; Access control to program source code; Change control procedures; Technical review of applications after operating system changes; Restrictions on changes to software packages; Information leakage; Outsourced software development; Control of technical vulnerabilities

Information Security Incident Management
Objective: Reporting information security events and weaknesses; Management of information security incidents and improvements
Covers: Reporting information security events; Reporting security weaknesses; Responsibilities and procedures; Learning from information security incidents; Collection of evidence

Business Continuity Management
Objective: Information security aspects of business continuity management
Covers: Including information security in the business continuity management process; Business continuity and risk assessment; Developing and implementing continuity plans including information security; Business continuity planning framework; Testing, maintaining and re-assessing business continuity plans

Compliance
Objective: Compliance with legal requirements; Compliance with security policies and standards, and technical compliance; Information systems audit considerations
Covers: Identification of applicable legislation; Intellectual property rights (IPR); Protection of organizational records; Data protection and privacy of personal information; Prevention of misuse of information processing facilities; Regulation of cryptographic controls; Compliance with security policies and standards; Technical compliance checking; Information systems audit controls; Protection of information system audit tools

Implementation of an ISMS
- Define the scope and boundaries, and the security policy
- Define the risk assessment approach
- Identify the risks: assets, threats, vulnerabilities, impacts
- Analyze and evaluate the risks
- Identify and evaluate options for the treatment of risks
- Select control objectives and controls for the treatment of risks
- Obtain management approval of the proposed residual risks
- Obtain management authorization to implement and operate the ISMS
- Prepare a Statement of Applicability
- Formulate and implement the risk treatment plan
- Implement controls to meet the control objectives
- Measure the effectiveness of the selected controls or groups of controls
- Implement training and awareness
- Manage operations and resources
- Implement sub-policies or procedures
- Monitor and review the ISMS: effectiveness of the ISMS controls; risk assessments; internal ISMS audits and management review; corrective and preventive actions; ensure improvements achieve their intended objectives
- Maintain and improve the ISMS
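As an added illustration that is not part of the original deck, the following Python sketch walks a small constructed risk register through the steps above: identify risks (asset, threat, vulnerability, impact), evaluate them against an acceptance level, select Annex A controls, check the residual risk for management approval, and generate a Statement of Applicability. The 1-5 scoring scales, the acceptance level of 8 and the sample risks are assumptions; the control identifiers follow ISO/IEC 27001:2005 Annex A numbering.

```python
from dataclasses import dataclass, field

# Annex A domains A.5 to A.15 as listed in the deck.
ANNEX_A_DOMAINS = {
    "A.5": "Security policy", "A.6": "Organization of information security",
    "A.7": "Asset management", "A.8": "Human resources security",
    "A.9": "Physical and environmental security",
    "A.10": "Communications and operations management", "A.11": "Access control",
    "A.12": "Information systems acquisition, development and maintenance",
    "A.13": "Information security incident management",
    "A.14": "Business continuity management", "A.15": "Compliance",
}
# Assumed risk assessment approach: 1-5 likelihood and impact scales,
# risk = likelihood x impact, and any score above 8 must be treated.
RISK_ACCEPTANCE_LEVEL = 8

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    impact: int                # 1 (negligible) .. 5 (severe)
    treatment: str = "accept"  # "accept" or "mitigate"
    controls: list = field(default_factory=list)  # selected Annex A control ids
    residual_likelihood: int = 0  # likelihood expected once controls operate

    def score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        return (self.residual_likelihood or self.likelihood) * self.impact

def needs_treatment(risk: Risk) -> bool:
    """Step 'analyze and evaluate the risks' against the acceptance level."""
    return risk.score() > RISK_ACCEPTANCE_LEVEL

def mitigate(risk: Risk, controls: list, residual_likelihood: int) -> Risk:
    """Step 'select control objectives and controls for the treatment of risks'."""
    risk.treatment, risk.controls = "mitigate", list(controls)
    risk.residual_likelihood = residual_likelihood
    return risk

def residual_risks_acceptable(risks: list) -> bool:
    """Step 'obtain management approval of the proposed residual risks'."""
    return all(r.residual_score() <= RISK_ACCEPTANCE_LEVEL for r in risks)

def statement_of_applicability(risks: list) -> dict:
    """Step 'prepare a Statement of Applicability': every Annex A domain is
    listed with its selected controls, or with a justification for exclusion."""
    selected = {c for r in risks for c in r.controls}
    soa = {}
    for dom, name in ANNEX_A_DOMAINS.items():
        ctrls = sorted(c for c in selected if c.startswith(dom + "."))
        soa[dom] = {"name": name, "applicable": bool(ctrls), "controls": ctrls,
                    "justification": "selected by risk treatment" if ctrls
                    else "no identified risk requires controls in this domain"}
    return soa

def build_sample_register() -> list:
    """Constructed sample register of three risks (not from the deck);
    control ids follow ISO/IEC 27001:2005 Annex A numbering."""
    risks = [
        Risk("Customer database", "Unauthorised disclosure",
             "Weak passwords, user access rights never reviewed", 4, 5),
        Risk("Public web server", "Malware infection", "Unpatched software", 3, 4),
        Risk("Printed HR records", "Loss or theft", "Unlocked cabinet", 1, 2),
    ]
    if needs_treatment(risks[0]):  # 4 x 5 = 20 > 8: password and access-review controls
        mitigate(risks[0], ["A.11.2.3", "A.11.2.4", "A.11.3.1"], 1)
    if needs_treatment(risks[1]):  # 3 x 4 = 12 > 8: malicious code and vulnerability controls
        mitigate(risks[1], ["A.10.4.1", "A.12.6.1"], 1)
    return risks  # risks[2] scores 2 and stays "accept"
```

Running `statement_of_applicability(build_sample_register())` yields all eleven domains, with only A.10, A.11 and A.12 marked applicable; in a real ISMS the excluded domains would each carry a justification reviewed by the auditor at the Stage 1 documentation audit.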


Structure of ISMS
The ISMS documentation may be electronic (stand-alone or on the intranet) or manual (paper). Consider how to control its distribution, updates and authorization.

Is the organization ready for an ISO 27001:2005 audit?
Ensure that:
- All clauses 4 to 8, defining the set of processes for the ISMS, are implemented
- Appropriate controls from A.5 to A.15 are implemented

Final steps in implementation
- Training: initial awareness; ongoing; specific policies
- Internal ISMS audits: competent auditors (internal/external); audit process and reporting
- Management review: on a regular basis; scope remains adequate; improvements in the ISMS process are identified

Re-evaluating the system
- Risk assessment and risk treatment are not one-off events
- The ISMS should identify how the system is to be re-evaluated and updated

Assessment time requirements
Depends on a variety of factors:
- Size of the scope of activities covered by the assessment
- Number of sites within scope
- Business functions within scope
- Other certifications may be taken into account, e.g. ISO 9001:2000

Assessment and certification

Stage 1: Documentation audit
- Generally conducted on site
- Examines the ISMS framework for compliance with ISO 27001:2005
- Looks at policy, scope, risk management, selection of controls and the Statement of Applicability
- Auditors will probably not look in depth at specific procedures, but will expect adequate sign-posting to standards, procedures and work instructions

Stage 2: Implementation audit
- Follows up non-conformities from the Stage 1 documentation audit
- Verifies implementation and operation of the ISMS
- More focused; drills down

The assessment team leader makes a recommendation but does not make the final certification decision, which is confirmed by the certification body's office.

Certification
- A certificate will be issued for ISO 27001 certification
- The certificate is valid for a period of three years, barring suspension, withdrawal or cancellation
- The certificate carries wording relating to the scope and a reference to the Statement of Applicability (SoA) available at the time of assessment

Continuing surveillance audit
- The certification body carries out a surveillance audit, generally twice per year
- Aims to cover the scope of certification over a three-year cycle
- Intermediate audits (i.e. special visits) may be carried out
- At the end of this period the certification body can extend the certificate for a new period of three years, on condition of a positive re-assessment

Implementation challenges
- Mindset that information security is the same as information technology security
- Implementation of security controls across departments other than IT
- Security awareness training
- Adopting the right methodology for risk assessment
- Investment decisions / budget constraints
- Resistance in terms of added documentation
- Implementation delays due to work overload, cost deduction and lack of top management involvement
- Identification of a CISO where the company has a small or medium-sized IT team
- Independence of the CISO from the IT team
- Exception process
- Managing existing contracts and agreements
- Change in scope of certification
- Resignations / change at the top management