Ajai's Presentation - Network Magazine India


ADDRESSING CORPORATE CONCERNS ON INFORMATION SECURITY MANAGEMENT WITH ISO 17799/BS 7799
Ajai K. Srivastava, G.M. Marketing, BSI India
Presentation Outline
1. The Global Information Village
2. The Need for Protection
3. BS 7799 – An Overview
4. Implementing an ISMS based on BS 7799
5. Benefits of using BS 7799
1. THE GLOBAL INFORMATION VILLAGE
www.bsiindia.com
The Paradigm Shift in the Nature of Information

INDUSTRIAL ECONOMY – INFORMATION AS NOUN
 Static: e.g. memo, financial report etc.
 Automation: an idiot savant, assisting in managing repetitive discrete steps

INFORMATION ECONOMY – INFORMATION AS VERB
 Dertouzos: "Information Work", e.g. designing a building
 Dominates the terrain; 50 to 60% of an industrialised country's GNP
THE DIGITAL NERVOUS SYSTEM (diagram)
Basic Operations, Business Reflexes, Strategic Thinking and Customer Interaction, all connected through the Digital Nervous System.
BUSINESS @ THE SPEED OF THOUGHT
INFORMATION FLOW IS THE LIFEBLOOD OF YOUR BUSINESS
 Information tends to be the most undervalued asset a business has.
 Information can directly affect the most valuable asset a business has: IMAGE.
"Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected."
ISO/IEC 17799:2000
2. THE NEED FOR PROTECTION
Information Security (diagram): attacks on information, and the typical technology responses to each attack
Management System – Building Blocks (diagram)
Total Business Management System: Inputs → Core Processes → Outputs, supported by Support Processes and Resource Management.
Business Management System (diagram): the aspects it integrates are Environment, Information Security, Quality, Risk, Health and Safety, Improvement and People.
Management system standards by aspect
Quality: ISO 9001:2000, QS-9000 / TS 16949, AS9000 / AS9100, TL9000
H&S: OHSAS 18001
Environment: ISO 14001
Info Sec: BS 7799
Business Management System: BSI - IMS
Risk: BSI Risk Mgmt
Improvement: ISO 9004
Customers: BS 8600
Management Systems & Standards (diagram): stakeholders involved against increasing aspects covered
ISO 9001 Quality Management
ISO 14001 Environmental Management
OHSAS 18001 Health and Safety Management
ISO 17799 Information Security Management
ISO 9004 Performance Improvement – All Interested Parties
Managing your Risks
Information Security Assurance
 3 different layers
• PRODUCT LEVEL ASSURANCE
– e.g. Firewall: the product is fit for its purpose
• PROCESS LEVEL ASSURANCE
– e.g. Credit card transactions: robust processes to protect interested parties
• MANAGEMENT SYSTEM LEVEL ASSURANCE
– e.g. ISMS: systemic proactive responses aligned to business objectives to protect ALL stakeholders: management, employees, customers, suppliers, users, regulatory etc.
The Virtuous Management System Spiral (diagram): Commitment and Policy → Planning → Implementation and Operation → Checking and Corrective Action → Management Review, repeated as Continual Improvement.
ISMS – Your Competitive Edge
Managing risks to information assets to:
 Protect brand
 Retain customers, and
 Enhance market capitalization
Information Security Management must be viewed as a strategic dimension of your business.
Critical Security Concerns
 Viruses – 22%
 Hackers – 21%
 R.A. Controls – 17%
 Internet security – 17%
 Data privacy – 10%
Source: The First Global Information Security Survey – KPMG 2002
What is the damage? QUANTIFIABLE
The average direct loss of all breaches suffered by each organization is USD 108,000 (GBP 30,000; INR 500,000).
Source: The First Global Information Security Survey – KPMG 2002
What is the damage? INCALCULABLE
The loss of:
 Productivity
 Recovery costs
 Customers
 Market capitalisation
 Shareholder value
 Credibility
Common Myths About Information Security
 Myth 1: Information Security is the concern and responsibility of the MIS/IT manager
 Myth 2: Security threats from outsiders are the greatest source of risks
 Myth 3: Information Security is assured by safeguarding networks and the IT infrastructure
 Myth 4: Managing people issues is not as important
 Myth 5: Adopting the latest technological solutions will increase security
3. BS 7799 – AN OVERVIEW
What is Information Security?
 ISO 17799:2000 defines this as the preservation of:
– Confidentiality: ensuring that information is accessible only to those authorized to have access
– Integrity: safeguarding the accuracy and completeness of information and processing methods
– Availability: ensuring that authorized users have access to information and associated assets when required
ISO/IEC 17799:2000
ISO/IEC 17799?
 What it is:
– An internationally recognized structured methodology dedicated to information security
– A defined process to evaluate, implement, maintain, and manage information security
– A comprehensive set of controls comprised of best practices in information security
– Developed by industry for industry
 What it is not:
– A technical standard
– Product or technology driven
– An equipment evaluation methodology such as the Common Criteria (ISO 15408)
– Related to the "Generally Accepted System Security Principles," or GASSP
– Related to the five-part "Guidelines for the Management of IT Security," or GMITS/ISO TR 13335
What does it comprise?
 ISO/IEC 17799:2000 – Code of Practice for Information Security
 BS 7799-2:2002 – Specification for information security management systems
BS 7799-2:2002 – the Plan, Do, Check, Act cycle
Plan
• Define ISMS scope and policy
• Define a systematic approach to risk assessment
• Identify the risks
• Apply the systematic approach for assessing the risk
• Identify and evaluate options for the treatment of risk
• Select control objectives and controls for the treatment of risks
Do
• Implement a specific management program
• Implement controls that have been selected
• Manage operations
• Manage resources
• Implement procedures and other control processes
Check
• Execute procedures and other controls
• Undertake regular reviews of the effectiveness of the ISMS
• Review the level of residual risk and acceptable risk
• Execute the management procedure
• Record and report all actions and events
Act
• Measure performance of the ISMS
• Identify improvements in the ISMS and effectively implement them
• Take appropriate corrective and preventive action
• Communicate the results and actions and consult with all parties involved
• Revise the ISMS where necessary
• Ensure that the revisions achieve their intended objectives
BS 7799 – 10 Domains of Information Management
 Information Security Policy
 Security Organisation
 Compliance
 Asset Classification and Controls
 Continuity Planning
 System Development
 Personnel Security
 Access Controls
 Physical Security
 Communications Management
4. IMPLEMENTING AN ISMS BASED ON BS 7799
BS 7799 Registrations Around the Globe

Region          Number of Certificates
Australia       5
Austria         2
Brazil          2
China           5
Egypt           1
Finland         8
Germany         8
Greece          2
Hong Kong       7
Hungary         3
Iceland         1
India           13
Ireland         3
Italy           11
Japan           34
Korea           11
Malaysia        1
Mexico          1
Norway          7
Singapore       9
Spain           1
Sweden          4
Switzerland     1
Taiwan          4
UAE             1
UK              91
USA             3
Total           239
BS 7799 Registrations in India

Sl. No.  Name of Company
1        Churchill India (P) Ltd, New Delhi
2        Cognizant Technology Solutions, Chennai
3        Hughes Software System, Gurgaon
4        ICICI OneSource Limited
5        Larsen & Toubro Ltd, Mumbai and Vadodara
6        Mascot Systems Ltd.
7        Satyam Computer Systems, Secunderabad
8        Shipara Technologies Ltd
9        ST Microelectronics Ltd, Noida
10       Tata Iron and Steel Company Ltd
11       Wipro Technologies
12       Xansa
13       Xansa (India) Ltd
Building a Management System (diagram)
INPUT: Client business awareness → Management System Build Process (Develop; Measure/Analyse Progress), involving the Client, the Consultant and BSI → OUTPUT: BSI Certification and Business Improvement
Initiating BS 7799 Implementation
 Step 1: ISMS – Defining Policy & Organization Structure
 Step 2: ISMS – Defining the Scope
 Step 3: ISMS – Risk Assessment
 Step 4: ISMS – Risk Management
 Step 5: ISMS – Choosing Controls
 Step 6: ISMS – Statement of Applicability
Risk Assessment and Risk Management Process (diagram)
Risk Assessment:
 Asset identification and valuation
 Identification of threats
 Identification of vulnerabilities
 Evaluation of impacts
 Business risks
 Rating/ranking of risks
 Degree of assurance
Risk Management:
 Review of existing security controls
 Gap analysis
 Identification of new security controls
 Implementation and risk reduction
 Risk acceptance (residual risk)
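The risk assessment and risk management steps above (and the Statement of Applicability of Step 6), carried through as a small Python risk register. This is an added example, not code from the presentation or from BSI; the 1-to-5 scales, the value × likelihood × vulnerability rating, the acceptance threshold of 20 and the sample assets, threats and controls are all assumptions.

```python
from dataclasses import dataclass, replace

ACCEPTABLE_RISK = 20  # assumed acceptance threshold on the 1..125 rating scale

@dataclass(frozen=True)
class Risk:
    asset: str
    asset_value: int      # asset valuation, 1 (low) .. 5 (critical)
    threat: str
    likelihood: int       # threat likelihood, 1 .. 5
    vulnerability: int    # exploitability of the weakness, 1 .. 5
    controls: tuple = ()  # controls selected to treat this risk

def rate(r):
    # Evaluation of impact and rating: value x likelihood x vulnerability
    return r.asset_value * r.likelihood * r.vulnerability

def apply_control(r, control, likelihood_drop=0, vulnerability_drop=0):
    # Risk reduction: a control lowers likelihood and/or vulnerability, never asset value
    return replace(r, likelihood=max(1, r.likelihood - likelihood_drop),
                   vulnerability=max(1, r.vulnerability - vulnerability_drop),
                   controls=r.controls + (control,))

def gap_analysis(register, threshold=ACCEPTABLE_RISK):
    # Risks whose (residual) rating still exceeds the accepted level
    return [r for r in register if rate(r) > threshold]

def statement_of_applicability(register, catalogue):
    # Step 6: a catalogue control is applicable if some risk selected it
    selected = {c for r in register for c in r.controls}
    return {c: c in selected for c in catalogue}

# Constructed sample register: hypothetical assets, threats and scores
REGISTER = [
    Risk("customer database", 5, "unauthorised access", 4, 4),
    Risk("payroll file server", 4, "malware infection", 3, 3),
    Risk("visitor log book", 1, "loss or theft", 2, 2),
]
CATALOGUE = ("access control policy", "anti-virus controls", "physical entry controls", "clear desk policy")

def treat_register(register):
    # Rank by exposure (highest first), choose controls, keep the treated risk for residual review
    treated = []
    for r in sorted(register, key=rate, reverse=True):
        if r.threat == "unauthorised access":
            r = apply_control(r, "access control policy", 2, 2)
        elif r.threat == "malware infection":
            r = apply_control(r, "anti-virus controls", vulnerability_drop=2)
        treated.append(r)
    return treated
```

Running gap_analysis before and after treat_register shows the gap closing: two risks exceed the threshold untreated, none remain above it afterwards, and the customer database sits exactly at the accepted level, which is the residual risk management signs off.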
BS 7799 Implementation (diagram of the Plan, Do, Check, Act cycle)
Plan: Information Security Policy; Security Organisation; Policy and Procedures; Classify Assets
Do: Apply the Controls; Operationalise Process
Check: Check Process
Act: Management Review; Corrective Action
ISMS Documentation (four levels)
Level 1 – Security Manual: policy, scope, risk assessment, statement of applicability; management framework policies relating to BS 7799-2
Level 2 – Procedures: describe processes – who, what, when, where
Level 3 – Work Instructions, checklists, forms, etc.: describe how tasks and specific activities are done
Level 4 – Records: provide objective evidence of compliance to ISMS requirements
Critical Success Factors
 Security policy that reflects business objectives
 Implementation approach that is consistent with company culture
 Visible support and commitment from management
 Good understanding of security requirements, risk assessment and risk management
 Effective marketing of security to all managers and employees
 Providing appropriate training and education
 A comprehensive and balanced system of measurement which is used to evaluate performance in information security management and to feed back suggestions for improvement
5. BENEFITS OF BS 7799
Benefits of BS 7799 certification
 Opportunity to identify and fix weaknesses
 Senior management takes ownership of information security
 Provides confidence to trading partners and customers
 Independent review of your Information Security Management System
Key Challenges facing executives
– Enterprises must manage threats to information security across many fields, while attackers can choose to specialize in narrow fields of competency
– Fractured corporate response to such focused attacks
– To think precisely about the concept of threat in the security context of the organization
– Executives must develop non-traditional competencies in strategic risk management
– Executives must manage ENTERPRISE SECURITY PROACTIVELY
Further Information
Email: [email protected]
Tel: +11 2371 9002/3
Fax: +11 2373 9003