GSU's Roadmap for a World-Class Information Security Management System – ISO/IEC 27001:2005
Tammy Clark, Chief Information Security Officer; William Monahan, Lead Information Security Administrator
"You will now have a starting place and a destination, and you will be able to determine what it will cost you to get there. You will be going someplace." H. Stanley Judd
GSU's Information Security Roadmap
• JL Albert's (CIO) vision and support
• Strategic and tactical planning
• Alignment with academic/business objectives
• Incremental and distributed deployments
• Continuous cycles of reviews and improvements
Strategic Choices Determine Our Direction…
– WHY develop a World-Class Information Security Management System (ISMS)?
– Critical success factors
– Using ISO/IEC 27001 and 27002
– Overview of ISO 27002
– Advantages of using ISO 27001/27002
– Deming's "Plan, Do, Check, Act" model
– Building an Information Security Management System
What a Long and Exhausting Road Trip!
(Why Implement an ISMS?!)
• Protect the university's reputation
• Stop chasing compliance: legal and contractual requirements are handled inside the ISMS instead of being reacted to one at a time
• Ensure CIA (confidentiality, integrity, and availability) and reduce the chances of business disruptions
• Reduce exposure for illegal or malicious acts committed with the university's information technology resources
• Ensure effective control and continuous improvement of information security
• Implement a comprehensive approach (far beyond the technical sphere) and close the gaps
Navigate Around Traffic Jams and Slow Downs
(Critical Success Factors)
• Align your course in parallel with strategic information technology and business goals and objectives
• Provide a good set of directions to your navigator (and convince him to drive)!
• Set realistic and attainable milestones up front, and be prepared to handle obstacles
• Get everyone traveling in the same direction
• Advance your initiative down the road successfully through collaborations with key University stakeholders
• Avoid accidents and dead ends! Continually work behind the scenes to promote the synergy of people, processes and technology
Chart a Course to Your Destination Using ISO/IEC 27001 and 27002

ISO/IEC 27001 – Requirements (Certification)
– Certification audits an ISMS against the requirements of ISO/IEC 27001:2005; Annex A of 27001 carries the same control set as ISO/IEC 27002:2005, so an ISMS built on 27002 is what gets audited.
– The ISMS will be audited by an accredited certification body.
– Uses the word "shall" (mandatory requirements).

ISO/IEC 27002 – Code of Practice (Compliance)
– Users of the ISO/IEC 27002 framework need to carry out a risk assessment to identify which controls are relevant to their own business environment, and implement them.
– The standard is also intended to provide a guide for the development of "organizational security standards and effective security management practices".
– Uses the word "should" (guidance; controls are selected on the basis of risk).
Quick Overview of ISO 27002
• Covers 11 information security 'domains':
– Information security policy
– Organization of information security
– Asset management
– Human resource security
– Physical and environmental security
– Communications and operations management
– Access control
– Information systems acquisition, development and maintenance
– Information security incident management
– Business continuity management
– Compliance
• 39 control objectives and a total of 133 separate controls
• Its baseline security approach lets an enterprise raise its security level using existing resources, often without additional cost
• Comprehensive and holistic
• Favors incremental deployment of controls
Advantages of Using ISO 27001
• A framework which provides a structure that organizations can follow
• Flexible and comprehensive 'umbrella' framework for your information security program
• Helps everyone to be "on the same page" because they can see what is expected
• Aligned with ITIL v3 and ISO/IEC 20000 (IT service management)
• Information security best practices
• Auditable: certification is against a published set of requirements
• Same process approach (Plan-Do-Check-Act) as the ISO 9000 quality management series and ISO/IEC 20000 service management
Plan-Do-Check-Act
A 'cycle' of continuous review and improvements:
• Plan: Establish
• Do: Implement and operate
• Check: Monitor and review
• Act: Maintain and improve
PLAN Phase - Establish Your ISMS
• Define the scope and boundary of the ISMS.
• Define an ISMS policy.
• Define the risk assessment approach.
• Identify, analyze and evaluate the risks to the assets identified in your scope and select risk treatment options.
• Select controls and control objectives, record the reasons for selection and prepare a Statement of Applicability.
• Obtain management approval of the proposed residual risks.
• Obtain management authorization to implement and operate the ISMS.
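The PLAN-phase steps above, from risk evaluation through treatment selection to the Statement of Applicability and the residual risks that go to management, worked through in code. This is an added example, not GSU's method and not text from the standard: the 1-5 likelihood/impact scale, the acceptance threshold of 8, the rule that each implemented control lowers likelihood by two steps, the sample assets and threats, and the threat-to-control mapping are all constructed assumptions. The control identifiers follow the Annex A numbering of ISO/IEC 27001:2005, but which control treats which threat is an assumption made for illustration.

```python
"""Model of the ISMS PLAN-phase artifacts: a risk register, risk treatment
decisions against a management-approved acceptance threshold, and the
resulting Statement of Applicability (SoA).

Added example. Scoring scale, threshold, control effectiveness, assets and
threat-to-control mapping are constructed assumptions, not GSU's data.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Small catalogue of Annex A controls (ISO/IEC 27001:2005 numbering);
# a real SoA lists all 133.
CONTROL_CATALOGUE: Dict[str, str] = {
    "A.9.1.1": "Physical security perimeter",
    "A.10.4.1": "Controls against malicious code",
    "A.10.5.1": "Information backup",
    "A.10.9.1": "Electronic commerce",
    "A.11.2.1": "User registration",
    "A.12.6.1": "Control of technical vulnerabilities",
}

ACCEPTANCE_THRESHOLD = 8              # assumed management-approved acceptance level
LIKELIHOOD_REDUCTION_PER_CONTROL = 2  # assumed effect of one implemented control


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int                   # 1 (rare) .. 5 (almost certain)
    impact: int                       # 1 (negligible) .. 5 (severe)
    candidate_controls: List[str] = field(default_factory=list)
    treatment: str = ""               # filled in by treat()
    residual: int = 0                 # risk score after treatment

    @property
    def score(self) -> int:
        """Inherent risk before any treatment."""
        return self.likelihood * self.impact


def treat(risk: Risk, threshold: int = ACCEPTANCE_THRESHOLD) -> Risk:
    """Pick a treatment option for one risk and record the residual risk."""
    if risk.score <= threshold:
        risk.treatment, risk.residual = "accept", risk.score
        return risk
    unknown = [c for c in risk.candidate_controls if c not in CONTROL_CATALOGUE]
    if unknown:
        raise ValueError(f"{risk.asset}: control(s) not in catalogue: {unknown}")
    if not risk.candidate_controls:
        # Nothing treats it: avoid the risk by withdrawing the activity.
        risk.treatment, risk.residual = "avoid", 0
        return risk
    reduced = max(1, risk.likelihood
                  - LIKELIHOOD_REDUCTION_PER_CONTROL * len(risk.candidate_controls))
    risk.residual = reduced * risk.impact
    # Residual still above the threshold must be explicitly accepted by management.
    risk.treatment = "mitigate" if risk.residual <= threshold else "mitigate+escalate"
    return risk


def build_register() -> List[Risk]:
    """Constructed sample register for a university; not GSU data."""
    return [
        Risk("Student records DB", "access via stale user accounts", 4, 5, ["A.11.2.1"]),
        Risk("Student records DB", "data loss from disk failure", 3, 5, ["A.10.5.1"]),
        Risk("Lab workstations", "malware infection", 5, 2, ["A.10.4.1", "A.12.6.1"]),
        Risk("Departmental web server", "defacement", 2, 2, ["A.12.6.1"]),
        Risk("Backup tapes in unlocked closet", "theft", 2, 5, ["A.9.1.1"]),
    ]


def treat_register(register: List[Risk], threshold: int = ACCEPTANCE_THRESHOLD) -> List[Risk]:
    return [treat(r, threshold) for r in register]


def statement_of_applicability(register: List[Risk]) -> Dict[str, dict]:
    """One SoA row per catalogued control: applicable or not, and why."""
    soa = {}
    for cid, title in CONTROL_CATALOGUE.items():
        reasons = [f"{r.asset}: {r.threat}" for r in register
                   if r.treatment.startswith("mitigate") and cid in r.candidate_controls]
        soa[cid] = {"title": title, "applicable": bool(reasons),
                    "justification": "; ".join(reasons) or "no in-scope risk requires this control"}
    return soa


def residual_risks_for_approval(register: List[Risk]):
    """What management signs off: every residual, flagging those above threshold."""
    return [(r.asset, r.threat, r.residual, r.residual > ACCEPTANCE_THRESHOLD)
            for r in register]


if __name__ == "__main__":
    reg = treat_register(build_register())
    for r in reg:
        print(f"{r.asset:32} {r.threat:32} inherent={r.score:2} "
              f"treatment={r.treatment:18} residual={r.residual}")
    for cid, row in statement_of_applicability(reg).items():
        print(f"{cid:9} {'YES' if row['applicable'] else 'NO ':3} {row['title']}: {row['justification']}")
```

Note that A.12.6.1 ends up applicable only because of the lab malware risk; the web-server defacement risk that also names it falls under the threshold and is accepted, so it must not appear in the justification. Likewise the stale-account risk is mitigated but still scores above the threshold, which is exactly the "proposed residual risk" that needs explicit management approval before the DO phase starts.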
DO Phase - Implement Your ISMS
• Formulate and implement your Risk Treatment Plan (RTP)
• Implement selected controls to meet your control objectives
• Define metrics to measure the effectiveness of your controls
• Implement a training and awareness program
• Manage operations in accordance with identified controls, policies and procedures
• Implement procedures and controls to manage incidents
CHECK Phase - Monitor and Review Your ISMS
Execute monitoring and review procedures:
– Documentary evidence of monitoring such as logs, records, files
– Measure effectiveness (metrics)
– Review risk assessments
– Conduct internal ISMS audits
– Management reviews
– Update security plans
– Record actions and events
ACT Phase - Maintain and Improve the ISMS
– Implement identified improvements
– Take appropriate corrective and preventive actions
– Communicate actions and improvements to interested parties
– Ensure improvements meet objectives
Tactical Actions Moving Us Closer to Our Destination…
• Annual Security Plan based on ISO 27002
• Risk management
• Automated Governance, Risk and Compliance (Proteus)
• Communicate/Cooperate/Collaborate
Annual Security Plan based on ISO 27002
(If You Don't Know Where You're Going, Any Road Will Get You There)
• Began in 2004; the first plan was painful
• Incremental approach:
– 27002 requirements
– Status of security
– Proposed action items
• The plan is a moving target: new legislation, standards and compliance requirements
• Tool to solicit/incorporate feedback
Risk Assessments
(Vote early and vote often)
• Risk Assessment Policy in 2005
– Required by the ISO/IEC 17799:2005 update (renumbered ISO/IEC 27002 in 2007)
– Approximately 50 reviews/year (and growing)
• A lot of benefits from the proactive approach:
– More secure/robust services
– Found/curtailed some craziness
– The auditor effect
– Foster/strengthen relationships and understanding
Risk Management System
(Trust But Verify)
• A trusted third party (Internal Audit) is required
– Ensures controls were adequate/commensurate with the risk
– Ensures controls were implemented in a timely manner
• We must continuously reevaluate risk
Automated Governance, Risk and Compliance (Proteus)
• Online audit of any part of your organization against any standard; online audit of external suppliers saves time and money
• Create an information-security-focused asset register; links assets to legislation/controls
• Define roles with meaning; roles linked to controls/policy/procedures
• Do business impact analysis simply and easily; a quick win that keeps risk business focused
• Identify the key services, assets and data which need business continuity or DR; reduces exposure
• Perform risk assessments simply and easily; reduces risks with countermeasures
• Incident reporting with a difference
• Build a central policy register
• Helps you plan your security investment
• Provides you with a real-time RiskView: instantaneously sizes the problem, supports the audit process, and helps you spend effectively and wisely and manage more effectively
Some of the Benefits of Proteus
"The first rule of any technology used in a business is that automation applied to an efficient operation will magnify the efficiency. The second is that automation applied to an inefficient operation will magnify the inefficiency." - Bill Gates
• One repository for ISMS materials: policies, procedures, objective evidence, action plans…
• Good discretionary access control: access can be assigned per site (audit point), giving centralized control with distributed administration
• Workflow engine helps you collect information and stay in compliance
Communicate/Cooperate/Collaborate
• Centralized control/distributed administration model: IntruShield IPS, ISS SiteProtector, Symantec System Center Console, Proteus, online security awareness classes, PGP full disk encryption...
• Hyper-communicate: monthly ITSSS, NEO, web presence…
• It is all about relationships! Know/Trust/Like
Governance Training
• BSI Americas Information Security Training – ISO 27001/ISMS
http://www.bsiamericas.com/TrainingInformationSecurity/index.xalter
• HISP (Holistic Information Security Practitioner) Training/Certification
http://www.hispcertification.org/
References
– ISO/IEC 27001 standard
– ISO/IEC 27002 standard
– BS 7799-3:2006 (Risk Management)
– BS 25999 (Business Continuity)
– BIP 0071-0074 (ISMS Guidance Series from BSI)
– ISO/IEC 27001:2005 in plain English: http://www.praxiom.com/iso-27001overview.htm
– ISO/IEC 27002:2005 in plain English: http://www.praxiom.com/iso-17799overview.htm
Questions?
Feel free to write us!
Tammy Clark
([email protected])
William Monahan
([email protected])
Copyright Tammy L. Clark, October 2007. Permission is granted for this material to be shared for non-commercial, educational
purposes, provided that this copyright statement appears on the reproduced materials and with permission of author.