
ISMS Consultancy for JPKN

Project Kick-off Meeting

12th May 2011
Agenda
Project Objective & Key Stakeholders
Overview of ISMS
Project Management Plan
Project Organization
Project Phases
Activities & Deliverables
Project Plan (WBS)
Project Risks & Critical Success Factors
Project Monitoring & Communication Plan
Project Scope & Not in Scope
Project Objective
The main objective of this project is to achieve ISO/IEC 27001:2005 certification for:
JPKN Headquarters (JPKN HQ)
State Government Data Centre (JPKN DC)
Scope of certification to be decided / agreed upon.
Key Stakeholders
JPKN: Sabah State Government organization responsible for providing efficient IT services to various state government organizations and citizen services.
HeiTech Padu: A leading ICT service provider in Malaysia. It manages many mission-critical projects for both public and private sector organizations.
Paladion: An Information Security and Risk Management service provider that has served many public and private institutions around the world for their various needs in Information Security.
Overview of ISMS
An ISMS is:
An organizational approach to Information Security
A business-risk-based approach to establish, implement, operate, monitor, review, maintain and improve information security

ISO/IEC 27001 Standard
A management standard that helps to build, maintain and improve an Information Security Management System (ISMS)
Based on:
Risk Assessment and Risk Treatment
Plan-Do-Check-Act (PDCA) model (similar to ISO 9001)
8 main clauses
11 control domains & 133 controls
Global acceptance: 7136 certifications worldwide (as at April 2011)
Number of Certifications (as at April 2011)

Rank  Country          Total
 1    Japan             3790
 2    India              516
 3    China              495
 4    UK                 460
 5    Taiwan             410
 6    Germany            154
 7    Korea              106
 8    Czech Republic     101
 9    USA                 99
10    Hungary             72
11    Spain               67
12    Italy               64
13    Poland              58
14    Malaysia            52

84 countries have embarked on ISMS certification; Malaysia ranks 14th (as at April 2011).
ISO/IEC 27001 Requirements
8 Main Clauses
Clause 1 : Scope
Clause 2 : Normative Reference
Clause 3 : Terms and Definitions
Clause 4 : Information Security Management System
Clause 5 : Management Responsibility
Clause 6 : Internal ISMS Audits
Clause 7 : Management Review of the ISMS
Clause 8 : ISMS Improvement
ISO/IEC 27001 Annex A Controls (11 domains)
A.5 Information Security Policy
A.6 Organisation of Information Security
A.7 Asset Management
A.8 Human Resource Security
A.9 Physical & Environmental Security
A.10 Communications & Operations Management
A.11 Access Controls
A.12 Information Systems Acquisition, Development and Maintenance
A.13 Information Security Incident Management
A.14 Business Continuity Management
A.15 Compliance
ISMS Process Roadmap
1. Risk Assessment (we are here today): find out where we are today.
2. Fixing the Gaps: identify how far we are from where we want to reach, and do the necessary to bridge the gap.
   Risk Management
   Implement Controls
   Training & Awareness
3. Audit & Certification: get audited and verified by the Certification Body; achieve certification.
4. ISO 27001 Certified: a good ISMS in place, at the level defined by the ISO 27001 standard.
Project Management Plan
Project Organization
PROJECT ADVISORY BOARD: Abdul Halim Md Lassim, Abdullah Ahmad, Firosh Ummer
PROJECT DIRECTOR: Wan Zailani Wan Ismail, Deepak Jacob
CORE TEAM LEADER & QUALITY ASSURANCE: Siti Rozani Abd Razak, Norisah Othman
SECURITY CONSULTANT: Paladion (offsite); HeiTech: Anan Adli / Erman Halimi
BACK-END SUPPORT TEAM: Paladion (offsite); HeiTech: Izah Suziah / Mas Dewi Murni
JPKN PROJECT SPONSOR: Dr Hj. Mingu Hj. Jumaan
JPKN PROJECT LIAISON: Daniel Ng
JPKN CORE TEAM: Technical & Operations Team
PROJECT MANAGER / CONSULTANT: Manjot Singh; Hariharan (backup)
Project Phases
Phase I: Scope and Security Organization
Phase II: Risk Assessment & Risk Treatment
Phase III: ISMS Documentation
Phase IV: Security Training & ISMS Implementation
Phase V: Pre-Certification Internal Audits
Phase VI: Achieve ISO/IEC 27001 Certification
Activities & Deliverables

Phase I: Scope & Security Organization [~ 2 weeks]
Project Initiation & Kick-off
Formulate Scope Document
Establish Organization Structure
Security Coordinators: Roles & Responsibilities
System Study Report

Phase II: Risk Assessment & Risk Treatment [~ 6 weeks]
Asset Classification Guidelines & Asset Register
Vulnerability Assessment for a Sample of IT Systems
Risk Assessment
Risk Treatment Plan & Implementation Plan
Statement of Applicability (SoA)

Phase III: ISMS Documentation [~ 3-4 weeks]
Review & Enhancement of Security Policies & Procedures
High-level BCP/DR Framework
Security Program Metrics for ISMS Effectiveness

Phase IV: Security Training & ISMS Implementation [~ 2-3 weeks]
Security Awareness Training for all levels of Management
Implementation Support

Phase V: Pre-Certification Internal Audits [~ 2 weeks]
Conduct Internal Audits
Assist in closing any gaps found during the Internal Audits

Phase VI: Achieve ISO/IEC 27001 Certification [1 + 1 week]
Support during the Certification Body's Phase I & Phase II external audits
Follow-up support after the Phase I & Phase II external audits
Project Plan (WBS)
Project Risks

Risk / Impact: Communication gaps between the HeiTech-Paladion and JPKN project teams during the system study phase, leading to re-work on existing controls and gaps in asset identification.
Mitigation: Information Gathering Questionnaire to stay focused; continuous availability of JPKN process and asset owners for all processes and assets during the system study phase; sign-off from the JPKN team on the information gathered.

Risk / Impact: Delay in implementation of identified gaps in technical and process controls.
Mitigation: Training on the identified risk treatment for the core implementation team of JPKN; formal approval & acceptance of the Risk Treatment Plan by the JPKN Project Liaison and close tracking of implementation.

Risk / Impact: Delayed response from stakeholder teams on open queries and decision making.
Mitigation: Service Level Agreements (SLA) on response time; an escalation process shall be defined.

Risk / Impact: Attrition & transfer of JPKN's core team resources responsible for the implementation of technical and process controls.
Mitigation: Documentation of the risk treatment shall mitigate this risk to an extent; train the trainer on the risk treatment, and the trainer trains the new core team resources.
Project Critical Success Factors
Management Commitment
Appointing a Management Representative (CISO)
Involving Internal Auditors from other departments / areas of operation
Timely review, response, resolution and endorsements
Availability & Involvement of the core team throughout the project
Provision of all necessary documents and information related to JPKN Operations
Prioritization of control implementation to generate records / evidence at the earliest (the certification auditor needs evidence that controls have actually operated, so records must start accumulating well before the certification audit)
Information Security Awareness for all users
Monitoring & Communication Plan
Project Monitoring
Weekly meeting every Friday
Milestone review meetings as per the project plan
Management review meeting once a month
Ad-hoc meetings as necessary
Project Communication
Messages & documents (deliverables) shall be delivered by e-mail to the parties concerned
E-mail communication of minutes and action points to all core team members
Periodic presentation to Management on the status and progress of the project
Project Scope / In-Scope
System Study, Gap Analysis, Asset Inventory
Risk Assessment (includes VA for a sample of IT assets), SoA
Development of Technical Controls, Development of Process Controls, Training on Risk Treatment, Best Practices Documentation / Guide
Product Comparison & Advice (if required)
Recommendations, Development & Documentation of Security Policies and ISMS Manual
User Awareness Training
Metrics Identification
Not in Scope / Out of Scope
Supply of products (software tools, hardware, etc.)
Technical Security Implementation
Process Security Implementation
Generation and maintenance of Records
Extensive, expert-level security training on specific areas and tools
Anything else not mentioned under the project scope
Note that developing technical and process controls is in scope, but implementing them and generating the records of their operation remains JPKN's responsibility; those records are the evidence the certification audit will rely on.
Questions
