Hierarchical Security Management
2nd Security Workshop: Future Security
January 16-17, 2007
Sophia Antipolis, France
Johan D. Bakker MSc CISSP ISSAP
Royal Dutch Telecom (KPN)
Agenda
• ISO 27001
• Organizing security governance
• Hierarchical ISMS approach
• Future work
• Questions
ETSI, 16-17 January, Sophia Antipolis, France - Hierarchical Security Management
ISO 27001
What ISO 27001 does:
Provides a model and requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS).
[Figure: the Plan - Do - Check - Act cycle on which the ISMS model is based.]
ISO 27001
What ISO 27001 doesn't do:
Specify organizational requirements and structure for security governance and compliance reporting for a large and complex organization… one that offers hundreds of products and services, with 16.000 employees, organized in a score of different departments within 5 different market or corporate segments.
Organizing security governance
[Figure: the Corporate Security Policy Framework (CSPF), arranged in three layers: Policy, Rules and Means. Documents shown in the diagram, numbered #1.1 through #7: Corporate Security Policy; Introduction into the CSPF; Security Design principles and axioms; Security Management Requirements; Security Management Implementation Manual; Functional Security Policies; Baseline Security Controls; CSP Compliance Framework; Guidelines, templates, methods, tools; Security Report Repository for Support Functions.]
Organizing security governance
[Figure: the organizational hierarchy. Strategic level: CISO / CFO at the Corporate Center. Tactical level: the Tactical Reporting Units (TRU), 5 in total, each with its own management team (MT). Operational level: the Operational Reporting Units (ORU), each with its own MT.]
Organizing security governance
[Figure: the same hierarchy, with the flow between the levels labelled Governance: from the CISO / CFO to the TRU MTs and on to the operational MTs.]
Organizing security governance
[Figure: the same hierarchy, with both flows between the levels labelled: Governance and Compliance reporting.]
Hierarchical ISMS approach - What if….
…the same ISMS approach could be used for the operational, tactical and strategic level?
Then, all levels could share the same vocabulary, document templates, concepts….
To enable this, it is required to parameterize some concepts in the ISMS process, depending on the scope and abstraction level.
Hierarchical ISMS approach - Parameters to an ISMS
• What is in Scope of the ISMS?
• What is the Context of the ISMS?
• Related to what type of Assets?
• Which Aspects of the assets are focussed on?
• What type of Risks are managed?
• What type of Controls are available?
Hierarchical ISMS approach - Parameter values
Parameter values per level (Strategic / Tactical / Operational, where Operational is the typical ISO 27001 scope):
Scope
  Strategic: KPN Enterprise
  Tactical: Tactical Reporting Unit
  Operational (typical 27001): Product(s), service(s) or process(es)
Context
  Strategic: Market, legal, regulatory, societal developments, KPN Mission
  Tactical: Business developments, demand/supply chain, tactical scopes, CSP
  Operational (typical 27001): Customer requirements, CSP and local policies and procedures
Security aspects
  Strategic: Enterprise impact, tactical level of compliance
  Tactical: Business impact, operational level of compliance
  Operational (typical 27001): Confidentiality, Integrity and Availability
Assets
  Strategic: The KPN Brand(s)
  Tactical: Products, services and processes
  Operational (typical 27001): Typical Information assets
Risks
  Strategic: Enterprise risks
  Tactical: Business risks
  Operational (typical 27001): Security risks
Controls
  Strategic: CSP Framework, tactical ISMS's
  Tactical: SLA's, local policies, operational ISMS's
  Operational (typical 27001): ISO/IEC 17799:2005 controls
Hierarchical ISMS approach - Benefits
• Defined enterprise-wide governance approach
• Uniform dossier templates
• Shared vocabulary
• Solid bases for compliance reporting
Future work….
• Risk aggregation
• Compliance metrics
• Integration into a single management system
• Corporate Baseline - COSO II (SOx), ISO9001 & ISO27001
  • amended with ISO14000, ISO10002, SAS70, ITIL, etc.
  • depending on the type of department
Questions