ISMS Implementation Pitfalls & Misconceptions

ISACA Lithuania Chapter (180)
June meeting
ISMS Implementation Pitfalls & Misconceptions
JATIN SEHGAL
Quality Manager
EY CertifyPoint
2010-06-16
Agenda
Confidential
01 Introduction to ISO/IEC 27003:2010
02 Completing the Deming Cycle (Plan-Do-Check-Act)
03 Achieving performance during ISMS implementation
04 Defining Scope & Boundaries of ISMS
05 Challenges faced by organizations when implementing an ISMS
06 Common Pitfalls and Mistakes in ISMS Implementation
ISMS Implementation – “Pitfalls & Misconceptions”
Introduction to ISO/IEC 27003:2010
ISO 27003:2010 - Introduction
1. Introduction
2. Scope
3. Terms and definitions
4. Obtaining management approval for initiating an ISMS project
5. Defining ISMS scope, boundaries and ISMS policy
6. Conducting information security requirements analysis
7. Conducting risk assessment and planning risk treatment
8. ISMS improvement
9. Designing the ISMS
10. Appendix A: Checklist description
11. Appendix B: Roles and responsibilities for Information Security
12. Appendix C: Information about Internal Auditing
13. Appendix D: Structure of policies
14. Appendix E: Monitoring and measuring
This International Standard focuses on the critical aspects needed for successful design and implementation of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005.
What do you want to achieve?
[Diagram: two possible goals, Security and Certification]
Completing the Deming Cycle (Plan-Do-Check-ACT)
The DEMING CYCLE – Plan, Do, Check, Act
[Diagram: Deming Cycle, 1 Plan, 2 Do, 3 Check, then Act, repeating]
Information Security Management System
► A management system is a proven framework for managing and continually improving an organization's policies, procedures and processes.
► An ISMS is part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security.
► A management system is a means by which business processes stay aligned with the business and remain repeatable. Combined with the information security objectives, the ISMS is defined using a Plan-Do-Check-Act cycle.
► Plan-Do-Check-Act is a cyclical process.
► With each iteration you can expand the policy and objectives, and the scope of the ISMS.
Information Security Management System
Documentation requirements
► A successful ISMS meeting the requirements of ISO 27001:2005 requires documentation.
► If an organization is planning to become certified, documentation will be essential.
► Certifying bodies performing audits will use documentation as an integral component of the certification process.
► This is where many companies fail!
Management requirements
► ISO/IEC 27001:2005 defines certain management responsibilities and requirements.
► These include commitment to the ISMS, resource management, and training, awareness and readiness.
► Management needs to understand the key role they play in a successful ISMS.
Information Security Control requirements
► Based on the outcome of the IS risk assessment and management decision (expectations).
The ISMS in More Detail
Plan: Establish ISMS
•Define the scope and boundaries
•Define ISMS policy
•Define risk assessment approach
•Identify and assess risks
•Evaluate options for treatment of risks
•Select controls (Annex A)
•Obtain management approval
•Prepare a Statement of Applicability
Do: Implement and operate ISMS
•Formulate and implement risk treatment plan
•Implement selected controls
•Implement training and awareness programs
•Manage operations of the ISMS
•Manage resources for the ISMS
•Implement procedures for detecting/handling security incidents
Check: Monitor and review ISMS
•Execute monitoring procedures
•Review and measure effectiveness of ISMS
•Conduct internal ISMS audits
•Undertake management review
•Update security plans
•Record actions and events that impact the ISMS
Act: Maintain and improve ISMS
•Implement identified improvements
•Take corrective and preventive actions
•Communicate actions and improvements
Introduction to Information Security Management System (3)
ISMS Design: documentation levels (management framework policies relating to ISO 27001:2005 Requirement 4)
Level 1: Policy, scope, risk assessment, statement of applicability
Level 2: Policies/Procedures. Describes processes: who, what, when, where (4.1-4.10)
Level 3: Work instructions, checklists, forms, etc. Describes how tasks and specific activities are done
Level 4: Records. Provides objective evidence of compliance to ISMS requirements (clause 3.6)
Achieving performance during ISMS implementation
Achieving performance during ISMS implementation
► Spend time to clearly define the scope and boundaries of the ISMS.
► Develop an ISMS project plan and get it approved by management.
► Identify quick-win solutions and do not wait for the release of the ISPP.
► Keep a gap between the release date and the effective date of the ISMS to identify opportunities for improvement.
► Keep management involved at each step and define critical success factors.
► Categorize implementation of security controls by “High”, “Medium” and “Low” priority.
► Identify implementation interdependencies at an early stage and prioritize accordingly.
► Keep pace with changes in the security environment that might affect implementation.
► Treat it like a formal security project.
► Arrange workshops and awareness sessions, and prepare communication strategies to spread knowledge from the beginning.
► Secure the required resources for the project before initiating it.
Defining Scope & Boundaries of ISMS
Defining Scope & Boundaries of ISMS
ISMS SCOPE is defined along four dimensions:
Location
► Office Buildings,
► Rooms,
► Remote Locations,
► Sites, etc.
Organization & Structure
► Departments,
► Business Processes,
► Roles, etc.
Enterprise Assets
► Hardware,
► Software,
► People,
► Services, etc.
Technology
► Applications,
► Servers,
► Network Infrastructure,
► Domains/Security Zones, etc.
Challenges faced by organizations when implementing an ISMS
Challenges faced by organizations when implementing an ISMS
► Lack of management commitment (inadequate governance/enforcement) and budget;
► Bringing about cultural change in the organization (resistance by employees, or security being seen as an additional burden);
► Lack of skilled resources;
► Unclear or unrealistic scope and boundaries of the ISMS (confusion on where to start and where to stop);
► Legacy systems hinder the implementation of security controls;
► Confusion about whether processes should be automated or manual;
► Too many tools to choose from, but none suiting the exact requirements;
► Fear of losing operations, leading to sluggish progress;
► Lack of clarity about end results;
► Roles not clear to employees;
► Lack of knowledge of risk exposures or of changes to the risk appetite;
► Lack of ownership and integration amongst the various (in-scope) departments;
► A perception of the ISMS as a highly complex system and a seemingly huge task;
► Too many versions of the same document, resulting in confusion.
Common Pitfalls and Mistakes in ISMS Implementation
Common Pitfalls
► Pressure to go in for certification immediately after the implementation of an ISO 27001 ISMS;
► Losing sight of the mandatory requirements of ISO 27001:2005;
► Written policies and procedures that are not mapped to the SoA and ISMS requirements;
► Risk assessment results not linked with the selection of controls;
► Evidence of management support not sufficient or not clear;
► Security policies that are vague (too high level) or too complex;
► Lack of understanding of security responsibilities and management intent;
► Lack of resources for ISMS implementation, leading to an unmanageably long project;
► No way of fully understanding the security program deficiencies, and no standardized way of improving upon the deficiencies;
► Lack of knowledge of applicable regulations, laws or policies;
► Relying fully on technology or on manual procedures for all security solutions;
► A “fire alarm” approach to any breaches instead of a calm, proactive and detective approach;
► A false sense of security with an undercurrent of confusion;
► Lack of integration with business processes;
► Bypassing policies and taking exceptions, losing the spirit of the ISMS.
Questions
Ernst & Young CertifyPoint
Thank You
Jatin Sehgal
+31 6 2908 4825
Jatin.sehgal@nl.ey.com