
INFORMATION SECURITY MANAGEMENT SYSTEM

Using ISO 27001:2005 & ISO 27002:2007


For

Ensuring Confidentiality
Assuring Integrity & Availability

by
Capt. Raj
CEO
MacroFirm Technology
Capt.raj@macrofirmtechnology.com

© 2007 MacroFirm Technology.


All rights reserved.
Discussion Outline
• Introduction to Information Security
• Industry Statistics on Security Breaches and Incidents
• What is ISO 27001
• The ISMS Implementation Methodology
• The Key Controls of ISO 27002, 27799, etc.

Introduction to Information Security

Introduction
What is Information?

• Stored on Computers
• Transmitted across networks
• Printed out or written on paper
• Sent by fax
• Stored on tapes or on disks
• Spoken in conversations (including telephone)
• Shown on films or presentations
Introduction

Information Classification

Introduction

Uses of Information Technology Infrastructure

• Data Collection
• Data Analysis, Reduction and Reporting
• Statistical Analysis
• Process control
• Automated Test and Inspection
• System Design
• Document Management
Introduction

Uses of Information Technology Infrastructure


• Internet Access
• E-mail
• Chatting
• Instant Messaging
• Video Conferencing
• Virtual Teaming
• E-Learning
• E-Commerce
• Website Design

Challenge of Managing the IT Infrastructure

[Figure: word cloud of pressures on the IT infrastructure. Labels: Changing Technologies; Hackers & Extremists; Loss of Competitive Advantage; TRUST; Security breach; Opportunities for FRAUD; Viruses & Worms; "Free" Access for Employees; New IT Projects; Malicious code attacks; Outsourcing; IT System Crashes. Legible headline fragment: "On average, 60% of organisations have suffered a security breach in the last two years".]
What is Information Security?

• In the context of ISO 27001, Information Security is defined as the preservation of:

  • Confidentiality: ensuring that information is accessible only to those authorized to have access.

  • Integrity: safeguarding the accuracy and completeness of information and processing methods.

  • Availability: ensuring that authorized users have access to information and associated assets when required.

• In addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved.
Three Aspects of Information Security

Confidentiality: Information should be available only to authorized individuals.
Integrity: Information should be modified only by authorized individuals.
Availability: Information should be accessible to those who are authorized to access it when they need it.
Information Security: Management Challenge or Technical Issue?

80% is Management
• Infosec Policies
• Infosec Responsibilities
• Infosec Awareness/Training
• Business Continuity Planning

20% is Technology
• Systems, Tools, Architectures, etc.

Information security must be seen as a management and business challenge, not simply as a technical issue to be handed over to experts. To keep your business secure, you must understand both the problems and the solutions.
Why Information Security?

• Protects information from a range of threats
• Ensures business continuity
• Maximizes return on investments and business opportunities
• It is a business issue!
How to Achieve Information Security?

• Information security is achieved by evaluating the business risks and other risks faced by the organisation, then mitigating those risks by implementing a suitable set of controls, which could be policies, practices, procedures, organizational structures and software functions.

• These controls need to be established to ensure that the specific security objectives of the organization are met, without dampening the business objectives.
Information Security – A Human Behavioral Problem

What Do Companies Say:
• 66% have information security problems
• 65% were attacked by own employees
• 51% see information security as a priority
• 40% do not investigate security incidents
• 38% have detected attacks that blocked their IT systems
• Only 33% can detect attacks and intrusions
Source: EY Information Security Survey 2001 - 2002

What Does FBI Say About Companies:
• 91% have detected employee abuse
• 70% indicate the Internet as a frequent attack point
• 64% have suffered financial losses
• 40% have detected attacks from outside
• 36% have reported security incidents.
Source: FBI Computer Crime and Security Survey 2001
BPO clients more wary of info security leaks
— Forrester study sees impact on growth

STRENGTHENING its earlier claim that a slew of incidents of information security breach, including the Msource case, would dampen the industry's growth rate, a recent Forrester study has found that an overwhelming majority of 31 foreign BPO clients surveyed plan to step up investigation of vendor's security and business processes, to mitigate risks.
Reaction from State Side
When asked how recent incidents of security
breach had impacted their offshore BPO plans,
the clients surveyed — most of them in the US
— admitted to some change or addition in their
Vendor Selection Process.
They said this would come in the form of
additional controls, such as increasing call
monitoring ratio, or changing the ratio of call
centre agent versus supervisors, or cross
examination of databases.

The Incident(s)
• The survey by Forrester comes in the wake of recent
information security breaches, both onshore and
offshore. MasterCard International said a security
breach of credit card payment data had exposed about
40 million cards of all brands to potential fraud in what
one analyst termed was the biggest privacy breach
ever.
• In April, some former employees of Mphasis BFL's BPO
operation Msource in Pune were arrested for allegedly
stealing over $350,000 from four Citibank customers,
sending shock waves through the Indian IT-enabled
services sector.
Source: The Hindu June 22nd 06
The Impact
Following the incident, Forrester had said that the case, coupled with high call centre attrition rates, would severely dampen BPO growth rate in the next 18 months in India and elsewhere.

It had warned that call centre BPO growth could drop by as much as 30 per cent.
Data Theft Scandal: Press has a field day in UK
In spite of NASSCOM writing to Dispatches (Channel
4), for evidence regarding the details of the
allegations, expressing doubts about the veracity of
'The Data Theft Scandal' report to be aired by
Channel 4, they refused to provide that information,
prior to airing of the program. NASSCOM had urged
the TV channel to fully co-operate with authorities to
find out the 'corrupt staff' associated with Indian call-centres.
A program, based on the same alleged
criminals, was aired by Channel 4 in the UK on
October 5. The Channel 4 program is understood to
have spent over a year trying to locate security
lapses in India's call centre industry.
Source: OffshoreTimes.com

Implications
The media along with the unions in both US and UK have always sympathized with the workers whose jobs were perceived to be technically outsourced to countries like India, Philippines and others.

Any such incidents from the service provider will not only have an impact on the particular organization but will spill over to the country it is based in.

The local media will have more “Ammo” if that country is not “politically aligned” with the big 2.
BPO: More Bad News
The bad news seems to never end for the BPO industry. The latest scam, where an employee of HSBC has been arrested for defrauding 20 London-based customers to the tune of £230,000, has made headlines not only in India but globally as well. Newspapers have been quick to remind the readers lest they forget about the BPO "hall of shame."
It's most unfortunate that all the companies in the industry have been tarred with the same brush, irrespective of the activity of the individual firm or its credentials.
How the Indian BPO Industry responded to this crisis …
• Most of the BPO companies providing services to UK clients ensure compliance with UK Data Protection Act 1998 (DPA) through contractual agreements
• Companies dealing with US clients require compliance depending upon the industry served, e.g. Healthcare requires compliance with HIPAA, Financial services require compliance with GLBA and BS 7799
• Many companies in India are undergoing/have
undergone SAS 70 & BS 7799 Audit. SAS-70
assignments help service companies operating
from India to implement and improve internal
controls, ensure minimal disruptions to business
from clients' auditors.
• NASSCOM has been working closely with the
ITES BPO industry to create an information
security culture within these segments. Indian
companies have raised their quality standards in
recent years to meet international demands.
- Vice President Nasscom 2006
Malaysian Figures

What Do Companies Say:
[Bar chart, scale 0% to 60%]
• Employee Awareness 56%
• Tools/Security Solutions 44%
• People Skills 40%
• Budget 37%
• Management Support 26%
• Other Reasons 8%
Security as we know it !!
"You mean people can just walk in and walk out with data?"

CEO: “I have outsourced my systems monitoring and maintenance to a security company”.

CFO: “We have invested RM 750,000 on IT security and firewalls”.

MD: “I have Back-ups”.

CTO: “My client database is isolated from the webserver. No external hacker can come in”.

My Response to them: It's like building a solid front door and leaving your window open.
Medco sys admin gets 30 months for planting logic bomb
Inside saboteur could have crippled pharmacists' ability to check for deadly drug interactions, U.S. attorney says - Jan 2008

January 08, 2008 (Computerworld) -- A former systems administrator at Medco Health Solutions Inc. was sentenced to 30 months in federal prison today for planting a logic bomb that could have taken down a corporate network that held customer health care information.
Yung-Hsun Lin, 51, of Montville, N.J., was sentenced in U.S. District Court in Newark, N.J. Lin, who faced a maximum of 10 years in prison, pleaded guilty to one count of computer fraud in September. He was responsible for programming and maintaining the servers at Medco, where he worked from 1997 to 2005.
Understanding Threats, Vulnerabilities, and Risks

Threats: What can happen?
Vulnerabilities: How can it happen?
Risks = Threats + Vulnerabilities (affecting Integrity, Confidentiality and Availability)
Understanding Threats, Vulnerabilities, and Risks

Threat: Spoofing, Snooping, Phishing, Malicious Codes, Abuse of system privileges, Sabotage
+
Vulnerability: Computer hardware and software, Poor procedures, Poor oversight / enforcement
Security Threats

Risk Assessment and Management

Man-Made, Intentional: Viruses, Espionage, Sharing Passwords, Inadequate Backups
Man-Made, Unintentional: Accidental Power loss, Forgetting Password, Unattended Terminal Display, Food/Drinks
NATURAL: Hurricane, Fire, Flood, Earthquake
Risk Assessment and Management

[Figure: Enterprise Architecture surrounded by threat sources: Terrorists, White Collar Crime, Hackers, Open Source, Disasters, Extranets, Script, Copiers, IP Theft]
Risk Assessment and Management
Risk Assessment refers to assessment of threats to, impacts on and vulnerabilities of assets and the likelihood of their occurrence.

It produces an estimate of the risk to an asset at a given point of time. It answers the following questions:

• What are you going to protect?
• What can go wrong?
• How bad could it be?
• How likely is it to occur?
• How to manage the risk?
Risk Assessment and Management Process
• Asset Identification and Valuation
• Identification of Vulnerabilities
• Identification of Threats
• Evaluation of Business Risks / Impacts
• Rating/Ranking of Risks
• Level of Acceptable Risk
Risk Assessment and Management Process (2)

• Review of Existing Security Controls
• Identification of New Security Controls
• Policy and Procedures Gap Analysis
• Implementation and Risk Reduction
• Risk Acceptance (Residual Risk)
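The two process slides above list the assessment and treatment steps in prose only. The following Python script is an added worked example, not code from the slides or from MacroFirm Technology, that walks a small constructed risk register through those steps: asset valuation, a threat/vulnerability pair per asset, a likelihood x impact rating, ranking, review of existing controls, selection of new controls, and the residual-risk decision against an acceptable-risk level. The three-level scales, the assets, the control catalogue and the threshold of 10 are all assumptions made for this example.

```python
"""Worked ISO 27001-style risk assessment and treatment (constructed example)."""
from dataclasses import dataclass, replace

# Three-level ordinal scale shared by likelihood and impact (an assumption of
# this example; any consistent scale works the same way).
SCALE = {"low": 1, "medium": 2, "high": 3}
LEVEL = {v: k for k, v in SCALE.items()}


@dataclass(frozen=True)
class Asset:
    name: str
    value: int  # asset valuation: 1 (negligible) .. 5 (critical)


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str              # what can happen
    vulnerability: str       # how it can happen
    likelihood: str          # how likely: "low" / "medium" / "high"
    impact: str              # how bad: same scale
    existing_controls: tuple = ()

    def score(self) -> int:
        """Rating step: asset value x likelihood x impact (1..45 on these scales)."""
        return self.asset.value * SCALE[self.likelihood] * SCALE[self.impact]


@dataclass(frozen=True)
class Control:
    name: str
    closes: str    # the vulnerability this control addresses
    reduces: str   # which factor it lowers: "likelihood" or "impact"
    by: int        # number of scale steps removed from that factor


def lower(level: str, by: int) -> str:
    """Step a likelihood/impact level down, never below 'low'."""
    return LEVEL[max(1, SCALE[level] - by)]


def treat(risk: Risk, catalogue: list) -> tuple:
    """Select new controls that address the risk's vulnerability (controls
    already in place are reviewed and skipped) and return the residual risk
    together with the names of the controls added."""
    residual, added = risk, []
    for control in catalogue:
        if control.closes != risk.vulnerability or control.name in risk.existing_controls:
            continue
        if control.reduces == "likelihood":
            residual = replace(residual, likelihood=lower(residual.likelihood, control.by))
        else:
            residual = replace(residual, impact=lower(residual.impact, control.by))
        added.append(control.name)
    return residual, added


def assess(register: list, catalogue: list, acceptable: int) -> list:
    """Rank the register by inherent risk, apply treatment to each entry and
    flag residual risk still above the acceptable level, which management must
    either reduce further or formally accept."""
    plan = []
    for risk in sorted(register, key=lambda r: r.score(), reverse=True):
        residual, added = treat(risk, catalogue)
        plan.append({
            "asset": risk.asset.name,
            "threat": risk.threat,
            "inherent": risk.score(),
            "residual": residual.score(),
            "new_controls": added,
            "accepted": residual.score() <= acceptable,
        })
    return plan


# Constructed sample register and control catalogue; none of these values
# come from the slides.
DB = Asset("Customer database", 5)
WEB = Asset("Public website", 3)
PAY = Asset("Payroll system", 4)

REGISTER = [
    Risk(DB, "Malicious code destroys records", "No tested backups", "medium", "high"),
    Risk(WEB, "Website defacement", "Unpatched web server", "high", "medium"),
    Risk(PAY, "Insider fraud", "Excess privileges", "low", "high", ("Access review",)),
]

CATALOGUE = [
    Control("Offline backups", "No tested backups", "impact", 2),
    Control("Patch management", "Unpatched web server", "likelihood", 1),
    Control("Access review", "Excess privileges", "likelihood", 1),
    Control("Segregation of duties", "Excess privileges", "impact", 1),
]

ACCEPTABLE_RISK = 10  # threshold set by management (assumed for this example)

if __name__ == "__main__":
    for row in assess(REGISTER, CATALOGUE, ACCEPTABLE_RISK):
        status = "accepted" if row["accepted"] else "ABOVE THRESHOLD: reduce further or accept formally"
        print(f'{row["asset"]:<18} {row["inherent"]:>2} -> {row["residual"]:>2}  '
              f'{row["new_controls"]}  {status}')
```

Running it prints one line per asset in ranked order. The public website stays at 12 after patch management is added, above the assumed threshold, which is exactly the residual risk that the last step of the process asks management to reduce further or accept in writing; the payroll system shows the "review of existing controls" step at work, since the access review already in place is not counted twice.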
Security Controls

Measures to Prevent, Detect or Reduce the Risk.

Effective security generally requires a combination of the following:

• Deterrence (Avoidance)
• Prevention
• Detection
• Monitoring
• Awareness
• Limitation
• Correction
• Recovery
Who needs ISMS?

• Every organisation which feels that information is the key business driver.
BASICALLY EVERYBODY!!!!!!!!!!!!!!!
• Banks
• IT and software development companies
• IT Service providers
• R & D Centres
• Outsourcing Companies
• DR centres
• Data Centres
• Government (example: tax office)
• Consultancy Firms
• Hospitals
• Schools and Universities
• Insurance Companies
Why should an organization go for ISMS?

• ISO 27001 defines best practice for Information Security Management

• Without a formal Information Security Management System (ISMS), such as an ISO 27001 based system, security will be compromised – it's just a matter of time.

• Information Security is first and foremost a management process, not a technological process.
Who Do I Involve?

Top Management
Heads of Department
HR Manager
IT Manager / Sys Administrator
Process Owners
Physical Security Manager/ Guard

ISMS Implementation Methodology

ISO 27001 Implementation Methodology
8 Steps to follow when implementing the ISO 27001 standard:

• Project initiation
• ISMS Definition
• Risk assessment
• Risk management
• Training and awareness
• Preparing for the audit
• Audit
• Ongoing improvement
Whatever the type or size of a business
(multinational or SME), all organizations are
vulnerable to threats that jeopardize the
confidentiality, integrity and availability of
important data. The sooner protective action is
taken, the more inexpensive and effective the
security.

Control and Continual Improvement

Whether you are ISO 27001 certified or not, it is important to regularly verify and improve your management framework after its implementation. Inspections and updates should be performed regularly, as security is a field that is ever-changing. For example, outdated antivirus software is of very little use.
Future of ISMS
Industry Specific ISMS on the cards for 2008
• Healthcare
• Automotive
• Banking & Finance
• Telco
• Supply chain
• IT Service providers
Needs for Health Care Security (HIPAA Chain of Trust)

Health Care ISMS = Management System + Generic Controls + Health care controls

[Figure: the three building blocks]
• ISO/IEC 27799:2007 Health informatics - Information security management in health using ISO/IEC 17799
• Annex A (normative): Control objectives and controls
• ISO/IEC 17799:2005 Security techniques - Code of practice for information security management
ITU Security Standard

ISO 29001- Supply Chain and Transportation Security
& EU Regulations

Conclusion
Take care of…

PEOPLE

PROCESS

TECHNOLOGY

In that order

For Further Information on MDeC Support for MSC Status companies on ISMS, please contact Mr. Muhu
kmuhu@mdec.com.my