
Effective ISMS Development

Contact: Travis Hyde, CEO, Orange Parachute


thyde@orangeparachute.com
800.841.9329 x705
Less Effective Approaches
• Product / Toolkit based approach
– Offers the ease of obtaining generic pre-written “policies”
– Can only cover those controls addressable by “policy”
– Cannot address controls that require an organizational component
– Cannot justify selection of controls
– Is not defensible
– Creates a false sense of security
• Linear approach
– Broadly follows the guidelines presented in the ISO Standard
– Implements the ISMS by following the guidelines to the letter, not in
spirit and intent
– Sometimes performed by internal teams without external assistance
– Several vendors use this ‘closed’ approach, or a hybrid approach
that combines it with a product based approach
– The approach is not easily extensible, thereby limiting the ISMS to a
specific part of the organization after attaining certification

ISMS Development and Approach © Orange Parachute


Common Shortcomings with Less
Effective Approaches
Technical Shortcomings

• Incomplete Risk Assessment Process
• Incomplete Asset Listing
• Lack of Assurance for Controls Effectiveness
• Improper Interpretation of Controls
• Scope Minimization
• Difficulties in Developing Comprehensive BCP Plan



Common Shortcomings with Less
Effective Approaches (cont’d)
Management Shortcomings

• Lack of Documentation
• Failure to Define Specific Roles and Responsibilities in Information Security
• Difficulties in Conducting Regular Management Reviews and Implementing
Suggestions
• Lack of a Comprehensive ISMS Project Plan
• ISMS regarded as a one-off project, rather than a continuous one
• Failure to Obtain Enough Support from Top Management
• Difficulties in Conducting Internal Audit
• Difficulties in Writing Proper Security Policies, Procedures & Guidelines



Orange Parachute’s Approach
• Systematic
– Follows, implements and adopts every requirement of the
Standard in letter and in spirit
– Our experienced consultants work with the client to
understand the cultural, business and organizational
environments, and build an ISMS adapted to the client
– Proven tools and templates are used to speed up the
implementation process
• Process based
– Takes into account the legal and regulatory environment
– Works within the existing culture and values
– Produces justifiable, risk based requirements, processes, roles,
and activities
– Is defensible and extensible



How we implement the ISMS
The Process (in sequence)

• Secure management commitment
• Determine scope of the Information Security Program
• Create information security organization
• Identify security domains
• Assess risk
• Mitigate risk
• Audit



How we implement and certify an ISMS
• Build a program once
– ISO27001 based ISMS to manage the Information Security Program
• Extend the program to several security domains and certify
– Data Center: ISO27001 certified Security Domain
– Call Center: ISO27001 managed Security Domain
– Production Area: ISO27001 managed Security Domain
– Branch Office: ISO27001 managed Security Domain
• We use ISO27001 to manage Information Security Programs


• An Information Security Program may have governance over
multiple security domains
• Security domains serve as the basis of establishing scope for
ISO27001 certification
• Security domains are where ISO27002/ISO27001 Annex A controls
ultimately reside
• The scope of an ISO27001 Information Security Program and the scope of
ISO27001 registration need not be the same



Our Implementation Focus
• Effective communication
– Consistent terms and definitions
• Understand relationships
– RACI
– Empowered through charters and plans
• Scope the program
– Program span of control
• Define / package sensible operational areas (security domains)
– Operational span of control
• Perimeters
• Assets
• Leverage security domains for
– Risk assessment
– Incident response
– BC/DR
– Certification



Orange Parachute’s Approach:
• ISMS Framework – a real-life sample (diagram)



Our Implementation Focus (contd.)
Risk Assessment methodology

– By audience
• Strategic: liability
• Tactical: vulnerability
• Operational: gap
– By environment
• Raw
• Residual
• Accepted



Our Implementation Focus (contd.)
Selection of controls

– Tactical control objectives


• From tactical risk assessment
– Tactical controls
• From ISO27001 Annex A
– Operational control objectives
• Domain specific and derived from Tactical controls
– Operational controls
• Domain specific and derived from operational control objectives
– Technical
– Procedural
– Temporal
– Tasking



Our Implementation Focus (contd.)
Operational control elements

– Technical
• Devices
• Configurations
– Procedural
• Standard operating procedures (SOPs)
– Temporal
• Domain schedules
– Tasking
• Individually assigned responsibilities



Our Implementation Focus (contd.)
Example
– Risk basis (tactical)
• Threat: Unauthorized disclosure
• Vulnerability: weak logon procedure
– A.11 Access control, A.11.5 Operating system access control
(ISO/IEC 27001:2005 Annex A numbering)
• Objective: To prevent unauthorized access to operating systems
– A.11.5.1 control: Secure log-on procedure
• Access to operating systems shall be controlled by a secure log-on
procedure
– Specific domain objective for Windows platforms
• Objective: To provide a secure logon procedure for Windows platforms
– Domain control: technical: Windows configuration
• Password masking
• Lockout after 3 failed attempts
• Password hashing
• Password history with no re-use
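A domain control like the Windows configuration above is only worth listing if it can be checked. The script below is an added example, not code from the original deck or from Orange Parachute: it parses the INI-style file written by `secedit /export /cfg <file>` on a Windows host and checks the settings that correspond to three of the four listed controls: `LockoutBadCount` for lockout after at most 3 failed attempts, `PasswordHistorySize` for no password re-use, and `ClearTextPassword` (the "store passwords using reversible encryption" policy) for hashed rather than reversible storage. The embedded export is constructed for illustration; the key names are the ones Windows writes, the thresholds are the deck's. Password masking is a logon UI behaviour with no entry in a secedit export, so the script lists it as a manual check instead of silently passing it.

```python
"""Check a Windows `secedit /export` policy file against the A.11.5.1 domain control.

Added example. The thresholds mirror the domain control listed in the text;
the sample export below is constructed, not captured from a real host.
"""
import configparser

# Constructed sample of what `secedit /export /cfg policy.inf` writes.
# Values chosen so that one rule passes and two fail.
SAMPLE_SECEDIT_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 12
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 10
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Domain control rules: secedit key -> (predicate on the integer value, requirement text).
# LockoutBadCount = 0 means "never lock out" on Windows, so it must fail too.
REQUIRED = {
    "LockoutBadCount": (lambda v: 1 <= v <= 3, "lockout after at most 3 failed attempts"),
    "PasswordHistorySize": (lambda v: v >= 1, "password history enforced (no re-use)"),
    "ClearTextPassword": (lambda v: v == 0, "passwords stored hashed, not reversibly encrypted"),
}

# Controls from the same list that a secedit export cannot show.
MANUAL_CHECKS = ["Password masking (logon UI behaviour; not present in a secedit export)"]


def parse_secedit(text):
    """Return the [System Access] section as a dict of raw string values."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # secedit keys are CamelCase; keep their case
    cp.read_string(text)
    return {k: v.strip().strip('"') for k, v in cp["System Access"].items()}


def check_logon_controls(text, required=REQUIRED):
    """Evaluate every rule; returns {key: (ok, actual_value, requirement)}.

    A missing or non-numeric key is reported as a failure rather than skipped,
    so an export from a host with no lockout policy at all does not pass.
    """
    access = parse_secedit(text)
    results = {}
    for key, (predicate, requirement) in required.items():
        raw = access.get(key)
        try:
            value = int(raw)
        except (TypeError, ValueError):
            results[key] = (False, raw, requirement)
            continue
        results[key] = (predicate(value), value, requirement)
    return results


def conformant(text):
    """True only if every automatable rule passes."""
    return all(ok for ok, _, _ in check_logon_controls(text).values())


if __name__ == "__main__":
    for key, (ok, actual, requirement) in check_logon_controls(SAMPLE_SECEDIT_EXPORT).items():
        print(f"{'PASS' if ok else 'FAIL'} {key}={actual}: {requirement}")
    for item in MANUAL_CHECKS:
        print(f"MANUAL {item}")
    print("conformant:", conformant(SAMPLE_SECEDIT_EXPORT))
```

On a real host, run `secedit /export /cfg C:\policy.inf` from an elevated prompt and open the file with `encoding="utf-16"`, since secedit writes it as UTF-16. The sample fails on two rules (`LockoutBadCount = 10` and `ClearTextPassword = 1`), which is the kind of gap the operational risk assessment in the methodology above is meant to surface.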



Sample of Key Deliverables from our
Implementations
Fully documented management intent and support
• Policies (vision)
• Charters (empowerment)
• Program plans (strategy)
Fully documented information security direction
• Standards (requirements)
• Processes (methodologies)
• Activities (schedules)
• Roles (responsibilities)
Domain specific operational details
• Specifications
• Standard Operating Procedures (SOPs)
• Job descriptions
• Tasking



Process Example
Process: Supplier Governance
Process Owner: ISO
Business Unit: Information Security
Approver: ISMS Oversight Committee
Author: (blank)
Date Approved: (blank)
Frequency: As required
Version: 1.1

Swimlanes, top to bottom:
• Requestor
– Pending Business Contract (output from the Supplier Evaluation Process)
• Analyst
– Determine data types involved (reference: Info Governance Matrix)
– Identify required protection levels (reference: Info Security Standards)
– Incorporate Information Security protection requirements in contract
• ISO
– Review contract specifications (reference: Info Security Processes)
– Negotiate process hand-off points (reference: Functional Roles)
– Assign roles and responsibilities (reference: Activity matrix)
– Assign task schedules
• Security Output
– Input to Risk Assessment Process
– Specifications for Contract
– Third party SLA
– Input to ISMS Conformance Process


Trends
• Worldwide demand for standardized and
internationally sanctioned information security
certification
– Certification is already a requirement in some markets
– Competitive edge
– Interoperability
– Due diligence concerns

• Continued focus on a process based approach


– Integration with other process based management
systems
– Integration with other process based operational models
– Manages the quality of information



Attributes of an Orange Parachute
ISMS
• Addresses risk at all levels
– Strategic
– Tactical
– Operational
• Extensible
• Defensible / Justifiable
• Minimizes change
• Helps plan continuity in the workforce
• Compatible with, and integrable into, other ISO and related standards (ISO 9001,
ISO 20000, ISO 27005, BS 25999, etc.)
• Compatible with other catalogs of controls (COBIT, PCI, FISAP)
• Meets the information protection requirements of various laws and
regulations, such as Sarbanes-Oxley, HIPAA, GLBA, SB 1386, etc.



Summary / Benefits
• The ISO27002/ISO27001 family is an internationally recognized benchmark
for Information Security Management
– ISO27002 is used to deploy comprehensive information security
controls.
– ISO27001 is used to manage Information Security Programs and
certify discrete operational areas.
• ISO27001/2 may serve as an umbrella under which an organization can
address multiple information protection regulations.
– Most are already mapped to ISO27002 controls
– All can be managed by ISO27001
• ISO27001 can be used to certify due diligence. Areas of application
include:
– security assessments of supplier / vendor / service provider 3rd
parties,
– reducing redundant audit overheads,
• A standards based ISMS is defensible, extensible, flexible and efficient.



Successful Client Certifications
Certified Clients:

• Federal Reserve NY – BS7799-2


• The World Bank – ISO 27001
• McQuarie Corporate Communications (Australia) – BS7799-2
• Premier Bank – ISO 27001
• International Monetary Fund (IMF) – ISO 27001
• Merrill Corporation – ISO 27001
• Convey Compliance Systems – ISO 27001
• DCM Services – ISO 27001
• Pacific Life Insurance Company – ISO 27001

Some Additional Clients:


• Blue Cross Blue Shield
• Coventry Healthcare
• RxHub
• Merck & Co., Inc.
• Nielsen Media Research
• Wake County Public Schools
• ConocoPhillips
• American Express
• Ameriprise Financial
• FINRA/NASD
• INTUIT
• National City Bank
• PSECU



Thank you!

800.841.9329 x1
info@orangeparachute.com

www.orangeparachute.com
