ISMS Consultancy for JPKN
Project Kick-off Meeting, 12th May 2011

Agenda
- Project Objective and Key Stakeholders
- Overview of ISMS
- Project Management Plan
  - Project Organization
  - Project Phases
  - Activities and Deliverables
  - Project Plan (WBS)
- Project Risks and Critical Success Factors
- Project Monitoring and Communication Plan
- Project "Scope" and "Not in Scope"
Project Objective
The main objective of this project is to achieve ISO/IEC 27001:2005 certification for:
- JPKN Head Quarters (JPKN HQ)
- State Government Data Centre (JPKN DC)
Scope of certification to be decided / agreed upon.

Key Stakeholders
- JPKN: Sabah State Government organization, responsible for providing efficient IT services to various state government organizations and citizen services.
- HeiTech Padu: A leading ICT service provider in Malaysia. It manages many mission-critical projects for both public and private sector organizations.
- Paladion: An Information Security and Risk Management service provider that has served many public and private institutions around the world for their various needs in Information Security.

Overview of ISMS
ISMS is:
- An organizational approach to Information Security
- A business-risk-based approach to establish, implement, operate, monitor, review, maintain and improve information security

ISO/IEC 27001 Standard
- A management standard that helps to build, maintain and improve an Information Security Management System (ISMS)
- Based on Risk Assessment and Risk Treatment
- Plan-Do-Check-Act model (similar to ISO/IEC 9001)
- 8 main clauses
- 11 domains & 133 controls
- Global acceptance

Number of certifications worldwide: 7136 (as at April 2011)

Number of Certifications by Country
COUNTRY          TOTAL
Japan             3790
India              516
China              495
UK                 460
Taiwan             410
Germany            154
Korea              106
Czech Republic     101
USA                 99
Hungary             72
Spain               67
Italy               64
Poland              58
Malaysia            52

- 84 countries have embarked on ISMS
- Malaysia is at no. 14 as at April 2011

ISO/IEC 27001 Requirements: 8 Main Clauses
- Clause 1: Scope
- Clause 2: Normative Reference
- Clause 3: Terms and Definitions
- Clause 4: Information Security Management System
- Clause 5: Management Responsibility
- Clause 6: Internal ISMS Audits
- Clause 7: Management Review of the ISMS
- Clause 8: ISMS Improvement

ISO/IEC 27001 Annexure A Controls
- A.5 Information Security Policy
- A.6 Organisation of Information Security
- A.7 Asset Management
- A.8 Human Resource Security
- A.9 Physical & Environmental Security
- A.10 Communication & Operations Management
- A.11 Access Controls
- A.12 Information Systems Acquisition, Development and Maintenance
- A.13 Information Security Incident Management
- A.14 Business Continuity Management
- A.15 Compliance

ISMS Process Roadmap
- Risk Assessment (we are here today): find out where we are today and identify how far it is to where we want to reach.
- Fixing the Gaps (Risk Management, Implement Controls, Training & Awareness): do the necessary to bridge the gap.
- Audit & Certification: get audited and verified by a Certification Body; achieve certification.
- ISO 27001 Certified: a good ISMS in place, at the level defined by the ISO 27001 Standard.

Project Management Plan

Project Organization
- Project Advisory Board: Abdul Halim Md Lassim, Abdullah Ahmad, Firosh Ummer
- Project Director: Wan Zailani Wan Ismail, Deepak Jacob
- Core Team Leader & Quality Assurance: Siti Rozani Abd Razak, Norisah Othman
- Security Consultant: Paladion (offsite); HeiTech: Anan Adli / Erman Halimi
- Back-end Support Team: Paladion (offsite); HeiTech: Izah Suziah / Mas Dewi Murni
- JPKN Project Sponsor: Dr Hj. Mingu Hj. Jumaan
- JPKN Project Liaison: Daniel Ng
- JPKN Core Team: Technical & Operations Team
- Project Manager Consultant: Manjot Singh, Hariharan (Backup)

Project Phases
- Phase I: Scope and Security Organization
- Phase II: Risk Assessment & Risk Treatment
- Phase III: ISMS Documentation
- Phase IV: Security Training & ISMS Implementation
- Phase V: Pre-Certification Internal Audits
- Phase VI: Achieve ISO/IEC 27001 Certification

Activities & Deliverables

Phase I: Scope & Security Organization [~ 2 Weeks]
- Project Initiation & Kick-off
- Formulate Scope Document
- Establish Organization Structure: Security Coordinators, Roles & Responsibilities
- System Study Report

Phase II: Risk Assessment & Risk Treatment [~ 6 Weeks]
- Asset Classification Guidelines & Asset Register
- Vulnerability Assessment for a Sample of IT Systems
- Risk Assessment
- Risk Treatment Plan & Implementation Plan
- Statement of Applicability

Phase III: ISMS Documentation [~ 3-4 Weeks]
- Review & Enhancement of Security Policies & Procedures
- High-level BCP/DR Framework
- Security Program Metrics for ISMS Effectiveness

Phase IV: Security Training & ISMS Implementation [~ 2-3 Weeks]
- Security Awareness Training for all levels of Management
- Implementation Support

Phase V: Pre-Certification Internal Audits [~ 2 Weeks]
- Conduct Internal Audits
- Assisting in closing any gaps found during the Internal Audits

Phase VI: Achieve ISO/IEC 27001 Certification [1 + 1 Week]
- Phase I & Phase II External Audit Support
- Phase I & Phase II Follow-up Support

Project Plan (WBS): the project plan chart is not reproduced in this text.

Project Risks

Risk / Impact: Communication gaps between the HeiTech-Paladion and JPKN project teams during the system study phase, leading to re-work on existing controls and gaps in asset identification.
Mitigation:
- Information Gathering Questionnaire to stay focused
- Continuous availability of JPKN process and asset owners for all processes and assets during the system study phase
- Sign-off from the JPKN team on the information gathered

Risk / Impact: Delay in implementation of identified gaps in technical and process controls.
Mitigation:
- Training on the identified risk treatment for the core implementation team of JPKN
- Formal approval & acceptance of the Risk Treatment Plan by the JPKN Project Liaison, and close tracking of implementation

Risk / Impact: Delayed response from stakeholder teams on open queries and decision making.
Mitigation:
- Service Level Agreements (SLA) on response time
- Escalation process shall be defined

Risk / Impact: Attrition & transfer of JPKN's core team resources responsible for the implementation of technical and process controls.
Mitigation:
- Documentation of risk treatment shall mitigate this risk to an extent
- Train the trainer on the risk treatment, and the trainer trains the new core team resources

Project Critical Success Factors
- Management Commitment
- Appointing a Management Representative (CISO)
- Involve Internal Auditors from other departments / areas of operation
- Timely review, response, resolution and endorsements
- Availability & involvement of the core team throughout the project
- Provide all necessary documents and information related to JPKN operations
- Prioritization of control implementation to generate records / evidence at the earliest
- Information Security Awareness for all users

Monitoring & Communication Plan

Project Monitoring
- Weekly meeting every Friday
- Milestone review meeting as per the project plan
- Management review meeting once a month
- Ad-hoc meetings based on necessity

Project Communication
- Messages & documents (deliverables) shall be delivered through e-mail to the concerned parties
- E-mail communication of minutes and action points to all the core team members
- Periodic presentation to Management on the status and progress of the project

Project Scope / In-Scope
- System Study, GAP Analysis, Asset Inventory
- Risk Assessment (includes VA for sample IT assets), SoA
- Development of Technical Controls, Development of Process Controls, Training on Risk Treatment, Best Practices Documentation / Guide
- Product Comparison & Advice (if required)
- Recommendations, Development & Documentation of Security Policies and ISMS Manual
- User Awareness Training
- Metrics Identification

Not in Scope / Out of Scope
- Supply of products (software tools, hardware, etc.)
- Technical Security Implementation
- Process Security Implementation
- Generation and maintenance of records
- Extensive (expert-level) security training on various or specific areas of expertise and tools
- Other things not mentioned in scope

Questions