Hierarchical Security Management
2nd Security Workshop: Future Security
January 16-17, 2007, Sophia Antipolis, France
Johan D. Bakker MSc CISSP ISSAP, Royal Dutch Telecom (KPN)

Agenda
• ISO 27001
• Organizing security governance
• Hierarchical ISMS approach
• Future work
• Questions

ETSI, 16-17 January, Sophia Antipolis, France - Hierarchical Security Management

ISO 27001 - What ISO 27001 does
[Figure: Plan-Do-Check-Act cycle]
Provides a model and requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS).

ISO 27001 - What ISO 27001 doesn't do
Specify organizational requirements and structure for security governance and compliance reporting for a large and complex organization... one that offers hundreds of products and services, with 16,000 employees, organized in a score of different departments within 5 different market or corporate segments.
Organizing security governance - CSP Compliance Framework
[Diagram: the Corporate Security Policy (CSP) Compliance Framework, organized in three layers: Policy, Rules and Means. Elements shown, numbered #1.1 to #7: Corporate Security Policy, Introduction into the CSPF, Security Management Requirements, Security Design principles and axioms, Functional Security Policies, Baseline Security Controls, Security Management Implementation Manual, Guidelines, templates, methods, tools, and Security Report Repository for Support Functions.]

Organizing security governance - Organizational hierarchy
[Diagram: three levels. Strategic: CISO / CFO, Corporate Center. Tactical: the management teams (MT) of the Tactical Reporting Units (TRU), 5 TRUs in total. Operational: the management teams of the Operational Reporting Units (ORU).]

Organizing security governance - Governance
[Diagram: the same three-level hierarchy (CISO / CFO, 5 TRUs, ORUs), annotated "Governance".]

Organizing security governance - Compliance reporting
[Diagram: the same three-level hierarchy (CISO / CFO, 5 TRUs, ORUs), annotated "Compliance reporting".]

Hierarchical ISMS approach - What if...
...the same ISMS approach could be used for the operational, tactical and strategic level? Then all levels could share the same vocabulary, document templates and concepts. To enable this, some concepts in the ISMS process must be parameterized, depending on the scope and abstraction level.

Hierarchical ISMS approach - Parameters to an ISMS
• What is in scope of the ISMS?
• What is the context of the ISMS?
• Related to what type of assets?
• Which aspects of the assets are focused on?
• What type of risks are managed?
• What type of controls are available?
Hierarchical ISMS approach - Parameter values
Each parameter takes a different value at the three levels; the operational level corresponds to a typical ISO 27001 ISMS.

Scope
  Strategic: KPN Enterprise
  Tactical: Tactical Reporting Unit
  Operational (typical 27001): Product(s), service(s) or process(es)

Context
  Strategic: Market, legal, regulatory, societal developments, KPN Mission
  Tactical: Business developments, demand/supply chain, tactical scopes, CSP
  Operational (typical 27001): Customer requirements, CSP and local policies and procedures

Security aspects
  Strategic: Enterprise impact, tactical level of compliance
  Tactical: Business impact, operational level of compliance
  Operational (typical 27001): Confidentiality, Integrity and Availability

Assets
  Strategic: The KPN Brand(s)
  Tactical: Products, services and processes
  Operational (typical 27001): Typical information assets

Risks
  Strategic: Enterprise risks
  Tactical: Business risks
  Operational (typical 27001): Security risks

Controls
  Strategic: CSP Framework, tactical ISMSs
  Tactical: SLAs, local policies, operational ISMSs
  Operational (typical 27001): ISO/IEC 17799:2005 controls

Hierarchical ISMS approach - Benefits
• Defined enterprise-wide governance approach
• Uniform dossier templates
• Shared vocabulary
• Solid basis for compliance reporting

Future work...
• Risk aggregation
• Compliance metrics
• Integration into a single management system
  • Corporate baseline: COSO II (SOx), ISO 9001 & ISO 27001
  • Amended with ISO 14000, ISO 10002, SAS 70, ITIL, etc., depending on the type of department

Questions