Session 211, 28.3.2000

#211 Creating the ISMS (Information Security Management System)

Peter R. Bitterli, CISA
http://www.bitterli-consulting.ch
prb@bitterli-consulting.ch
Please observe the copyright: You are allowed to use and further
distribute this presentation only with this copyright notice attached.
If you use parts of this documentation in presentations or other
diagrams you have to refer to the source. Any commercial use of
this presentation is only allowed with written consent of the author.
Published Session Contents: Creating the Information Security Management System

The participants will learn about:
• Information Security Policies and Procedures
• Information Security Organisation: Tasks, Staffing, Reporting
• Examples of Key Information Security Projects: IT Resources Ownership, Security Awareness, Single Point of Reference
• Effective Operation and Monitoring of Security Controls
• Periodic Review of Implemented Controls

Organising the Information Security Management System in medium to large enterprises can be quite a difficult task. This session will demonstrate how to set up an information security organisation that defines, regulates, coordinates and reviews the corporate information security issues. Based on ideas of the INFOSEC Business Advisory Group of the EU framework, the session will provide workable directions on how to get the job done.
Creating the ISMS: An expansion of the IBAG Framework for Commercial IT-Security

IBAG = Infosec Business Advisory Group of the European Community

Members (1994/95):
• European Security Forum (ESF)
• Comité Européen des Assurances (CEA)
• International Chamber of Commerce (ICC)
• International Information Integrity Institute (I4)
• Associated Banks of Europe Corporation (ABECOR)
• Information Systems Audit and Control Association (ISACA)
• European Confederation of Institutes of Internal Auditing (ECIIA)
• X/Open, OSITOP, EWOS, ECMA, EUROBIT, …
Commercial IT Security Interests: IBAG Framework for Commercial IT-Security
The “Original” IBAG Framework: Creating the Information Security Management System

(Diagram; originally 7 Key Tasks)
Policy level: Security Policy; Organisation
Practices level: Areas/Topics; Baseline Controls; Specific Controls
Procedures level: Installation/Operation; Monitoring/Review
The Enhanced IBAG Framework: Creating the Information Security Management System

(Diagram; 9 Key Tasks)
Policy level: Security Policy; Organisation; Ownership; Awareness
Practices level: Areas/Topics; Baseline Controls; Specific Controls
Procedures level: Installation/Operation; Monitoring/Review

Structure and some ideas taken from IBAG. Contents of key tasks from different sources and personal experience. Ownership and Awareness are my additions to the IBAG Framework.
The IBAG Policies Level: Creating the Information Security Management System

(Diagram, Policy level highlighted: Security Policy; Organisation; Ownership; Awareness. Practices: Areas/Topics; Baseline Controls; Specific Controls. Procedures: Operation; Monitoring/Review)

COBIT Control Objectives

PO 6.2 Management’s Responsibility for Policies
Management should assume full responsibility for formulating, developing, documenting, promulgating and controlling policies covering general aims and directives. Regular reviews of policies for appropriateness should be carried out. The complexity of the written policies and procedures should always be commensurate with the organisation size and management style.

PO 6.3 Communication of Organisation Policies
Management should ensure that organisational policies are communicated to and understood by all levels in the organisation.

PO 6.4 Policy Implementation Resources
After communication, appropriate resources should be earmarked by management for the implementation of its policies. Management should also monitor the timeliness of the policy implementation.

PO 6.5 Maintenance of Policies
Policies should be adjusted regularly to accommodate changing conditions. Policies should be re-evaluated, at least annually or upon significant changes to the operating or business environment, to assess their adequacy and appropriateness, and amended as necessary. Management should provide a framework and process for the periodic review and approval of standards, policies, directives and procedures.

PO 6.6 Compliance with Policies, Procedures and Standards
Management should ensure that appropriate procedures are in place to determine whether personnel understand the implemented policies and procedures, and that the policies and procedures are being followed. Compliance procedures for ethical, security and internal control standards should be set by top management and promoted by example.

PO 6.8 Security and Internal Control Framework Policy
Senior management should assume full responsibility for developing and maintaining a framework policy which establishes the organisation’s overall approach to security and internal control. The policy should comply with overall business objectives and be aimed at minimisation of risks through preventive measures, timely identification of irregularities, limitation of losses and timely restoration. Measures should be based on cost-benefit analyses and should be prioritised. In addition, senior management should ensure that this high-level security and internal control policy specifies the purpose and objectives, the management structure, the scope within the organisation, the definition and assignment of responsibilities for implementation at all levels, and the definition of penalties and disciplinary actions associated with failing to comply with security and internal control policies.
IT Security Policy: Creating the Information Security Management System

Key Task #1
• Foundation for all security related work
• Needs support by senior management
• Three tier approach
• Policy should integrate all security related activities

The three tiers: High Level Policy; Detailed Policy (Baseline Control Objectives); Guidelines
High level IT Security Policy: Creating the Information Security Management System

Key Task #1

High level policy
• Signed by the CEO
• Purpose/scope of IT security
• High-level requirements valid for everyone
• Known to all employees (should confirm receipt, understanding and future compliance)

Contains
• Definition of IT security
• Responsibilities: business managers, IT security officers, IT security steering group, owners of IT resources, all employees
• Legal requirements: data protection / privacy, software copyright, intellectual property rights, safeguarding of records, transborder data flow
Middle level: Creating the ISMS

Key Task #1

Middle level policies
• Definition of responsibility, authority, accountability
• Security objectives for “all” topics (see Areas/Topics)
• 30-100 more general or 400-600 detailed
• Re-evaluate annually
• Use “Areas/Topics” for structure

Example below taken from the BSI Code of Practice (BS7799-1:1999); changed by author; for demonstration purposes only.

7 PHYSICAL AND ENVIRONMENTAL SECURITY

7.1 Secure Areas
Critical or sensitive business information processes and facilities to support them should be housed in secure areas. Such facilities should also be physically protected from unauthorized access, damage and interference.
Objective: To prevent unauthorized access, damage and interference to business premises and information services.

7.1.1 Physical security perimeter
a M The perimeter of any XXXXXX building or site should be physically sound. The external walls should be of solid construction and all external doors should be suitably protected against unauthorized access (e.g. control mechanisms, bars, alarms etc.). External protection should be considered for windows, particularly at ground level.
    There should be no gaps in the perimeter or areas where a break-in could easily occur.
b M Security perimeters should be clearly defined for all (inside) areas. The security of the perimeter should be consistent with the value or classification of the assets or services under protection.
    A security perimeter is something which builds a barrier, e.g. a wall, a card controlled entry gate or a manned reception desk (see 7.1.3). The siting and strength of each barrier depends on the result of a risk assessment.
c M A manned reception area or other means to control physical access to the site or building should be in place.
    Access to sites and buildings should be restricted to holders of valid identity passes.
d R All fire doors on a security perimeter should be alarmed and should slam shut.

7.1.2 Physical entry controls
a M Visitors should be supervised or cleared and their date and time of entry and departure recorded. Visitors should stay inside a separated visitor area, if possible, and only be granted access to the rest of the building for specific, authorized purposes. There they should be required to wear some form of visible identification.
    Visitors and long term contractors should be issued with instructions on the security requirements of the site and on emergency procedures.
b M All personnel should be encouraged to question unescorted strangers not wearing visible identification.
c M Access rights should be revoked immediately for staff and third parties (e.g. consultants and contractors) who stop working for XXXXXX.
d M Access rights should be updated and regularly reviewed (i.e. once every three months).
    This ensures a continued business need for the privileges granted.
e M Access to archives containing sensitive information, to computer or communications rooms and to other secure areas must be controlled and restricted to authorized staff only. An audit trail of all access should be securely maintained.
    Access should be granted through use of authentication controls (e.g. swipe card) to authorize and validate all access.

7.1.3 Securing offices, rooms and facilities
a M Key facilities should be sited to avoid access by the public. They should give minimum indication of their purpose, with no obvious signs, outside or inside the building. Directories and internal telephone books identifying locations of sensitive information processing facilities should not be publicly available.
    Personnel should only be aware of the existence of, or activities within, a secure area on a need to know basis.
Guidelines: Creating the ISMS

Key Task #1

Lower level guidelines
• Two types: general / generic; technology specific
• Clear and concise
• Easy to handle
• In electronic form
• Use “Areas/Topics” for structure

Example guideline “Physical Access Security” below for demonstration purposes only!

Guideline Physical Access Security (Part 3). Contents for demonstration purposes only!

3.1 Zoning concept
3.1.1 The floor space should be divided in clearly defined areas (i.e. zones), grouping together common activities and responsibilities. For each zone, the group of persons allowed access to it and the relevant access times should be clearly defined.
3.1.2 Areas for receiving visitors should be clearly separated from the rest of the building.
3.1.3 Every department head must regularly receive and review a listing of all persons in their zone who currently are allowed access.
3.1.4 A list of managers who are authorised to grant access to the premises should be kept up-to-date. This list should be periodically reviewed by the higher-level managers.
3.1.5 High-risk tasks (e.g. handling large volumes of valuables) and critical IT resources (e.g. telephone exchange, servers, host, ...) should each be in a separate "high-risk" zone.
3.1.6 High-risk zones should be further compartmentalised (e.g. to prevent access to critical IT resources). If more than a very limited number of persons have access to such a high-risk zone, modems, servers and other equipment should be placed inside locked racks or partitioned off with lattice.

3.2 Access control
3.2.1 The access to the building should be physically restricted to authorised persons.
3.2.2 Access to any inside zone should be regulated by an automatic access control system, operated by an identification badge. All such doors should sound an audible alarm if the door stays open for more than just a few seconds.
3.2.3 All employees and other authorised persons should visibly wear an identification badge on their outer garments so that the information on the badge is clearly visible.
3.2.4 Identification badges and physical access cards that have been lost or stolen should be reported immediately.
3.2.5 Employees who have forgotten their identification badge must obtain a temporary badge by providing a driver's license or another piece of picture identification. Such a temporary badge is valid for a single day only.
3.2.6 Employees must not permit unknown or unauthorised persons to pass through doors and other entrances to restricted areas at the same time when authorised persons go through.
3.2.7 Employees should not attempt to enter restricted areas for which they have not received access authorisation.
IT Security Organisation: Creating the Information Security Management System

Key Task #2
• Single point of focus
• Must integrate and co-ordinate all security tasks and activities
• Must provide necessary know-how
• Must be business oriented

Become the security hub of your company – recognised, competent and available (Pierre-Luc Réfalo, France)
Business Trends Foster Changes: Creating the Information Security Management System

Key Task #2

Some business trends
• High rate of restructuring, take-over, spin-off, …
• Shorter cycles for developing crucial business applications
• Further outsourcing of key IT elements (e.g. WAN, firewalls, web-server, LAN, PC support)
• E-business (B2B, B2C)
• Further decentralisation with high diversity of IT
• Budget cuts

This will mean
• IT related security risks and the responsibilities of IT security staff will grow at a high rate
• More and increasingly professional staff is needed
• IT security responsibilities as well as know-how will move outwards to business units
• Business managers are forced to monitor adequacy of the system of internal controls
Sound Organisation Structure: Creating the Information Security Management System

Key Task #2

Responsibility for security
• Responsibility will shift from IT to business (dangerous?)

Information security committee (steering group)
• High level body
• Balancing the different needs, projects and activities
• Approving policies, guidelines, action plans, budgets
• Monitoring status, costs
• Regular meetings (3-6/year)

Information Security Officers
• Small team for entire company
• One per business unit
• Make things happen
• Share know-how and experience

Security co-ordination (informal or formal)
• Physical security & safety
• Legal department
• Personnel
• Risk Management
• …
Ownership: Creating the Information Security Management System

Key Task #3

(Diagram: Owner 1, Owner 2, Owner 3)

COBIT Control Objectives

PO 4.7 Ownership and Custodianship
Management should create a structure for formally appointing the data owners and custodians. Their roles and responsibilities should be clearly defined.

PO 4.8 Data and System Ownership
Management should ensure that all information assets (data and systems) have an appointed owner who makes decisions about classification and access rights. System owners typically delegate day-to-day custodianship to the systems delivery/operations group and delegate security responsibilities to a security administrator. Owners, however, remain accountable for the maintenance of appropriate security measures.

The key to success
• Individual accountability
• Augments efficiency and effectiveness of security
• Practicable if consistently applied
Business Objectives/Drivers: Creating the Information Security Management System

Key Task #3

Objectives of ownership:
• Achieve personal accountability for all IT resources
• Agree and communicate the level of protection required
• Define/implement monitoring and incident handling
• Define/implement change management
• Highlight the most critical IT resources

Business drivers for ownership:
• Minimising risk of major incidents
• Pushing risk decisions back to business
• Keeping up with good practice
• Ensuring compliance with statutory obligations
• Clarifying external responsibilities (3rd parties)
• Demonstrating proper stewardship

Based on ideas of the European Security Forum
Ownership Types - Questions: Creating the Information Security Management System

Key Task #3

Types of owners
• Owners of business processes
• Owners of IT resources (COBIT):
  Information: Data objects in their widest sense, i.e., external and internal, structured and non-structured, graphics, sound, etc.
  Application systems: Understood to be the sum of manual and programmed procedures
  Technology: Covers hardware, operating systems, database management systems, networking, multimedia, etc.
  Facilities: Resources to house and support information systems
  People: Staff skills, awareness and productivity to plan, organise, acquire, deliver, support and monitor information systems and services

(Diagram: Business process, Information, Application System, Technology, Facilities and People, annotated with the important IT processes from COBIT (PO, AI, DS, M): PO2; PO10/11, AI1/2/5/6, DS11; DS4/5/9; DS4/5/12; PO6/7, DS7/8; PO9/10, AI4/5/6, DS11/13, M1/2)
Ownership Roles - Questions: Creating the Information Security Management System

Key Task #3

(Diagram: Business process, Information, Application System, Technology, Facilities, People. Roles: Owner; User; Custodian (Operations); Custodian (Developers); Owner 2. Links between the roles, with the important IT processes from COBIT (PO, AI, DS, M): Information Exchange Agreement between Owner and Owner 2; Business Requirements Specifications (PO10/11, AI1/2/4/5); Service Level Agreement (DS1/2/3/4/5/10); help desk (DS8/10); User Procedures Manual (AI 4.3). Open questions are marked “?”.)
Benefits of Ownership: Creating the Information Security Management System

Key Task #3

Sound ownership arrangements benefit a business by:
• Strengthening accountability
• Avoiding expenditure on unnecessary controls
• Establishing levels of protection commensurate with risk
• Reducing security incidents
• Fostering 3rd-parties’ trading
• Facilitating the secure interchange of information

Not so much to do, because:
• Many forms of ownership are already in place informally
• All owners of business processes are (should be) known anyhow
• Legal obligations indirectly foster ownership issues: data protection legislation, banking legislation, governance standards
Security Awareness: Creating the Information Security Management System

Key Task #4

COBIT Control Objectives

PO 6.11 Communication of IT Security Awareness
An information technology security awareness programme should communicate the information technology security policy to each information technology user and assure a complete understanding of the importance of information technology security. It should convey the message that information technology security is to the benefit of the organisation, all its employees, and that everybody is responsible for it. The information technology security awareness programme should be supported by, and represent, the view of senior management.

DS 7.3 Security Principles and Awareness Training
All personnel should be trained and educated in system security principles. Senior management should provide an education and training programme that includes: ethical conduct of the information services function, security practices to protect against harm from failures affecting availability, confidentiality, integrity and performance of duties in a secure manner.

• Permanent task of management
• Seeks/provides positive attitude
• Close collaboration of internal control structure
• Needs formal program and professional marketing
• Managers, employees; third-parties; customers, business partners, media
Selling IT Security: Creating the Information Security Management System

Key Task #4

Why is it so difficult to sell IT Security?
• Unsuccessful track record
• Failure to fulfil management’s expectations
• Lack of organisational understanding by security staff
• Failure in co-ordination in the control functions
• Evolving organisation structures
• Lack of co-ordinated IT security sales program

Some marketing issues
• Make people want to be secure
• Display high-level support
• Encourage people to be alert
• Point out the risks
• Be simple but comprehensive
• Be targeted and never assume knowledge
• Be entertaining and amusing
• Be two-way

Adequate control (i.e. security) without awareness is impossible!
Selling IT Security (Key Issues): Creating the Information Security Management System

Key Task #4

Know your business
• Know business objectives
• Understand operations
• Analyse business needs and what could threaten business objectives being met

Sales strategy
• Sell to more than just one level
• Know your target audience
• Avoid negative security awareness
• Know sales techniques

Prepare product
• Article and violation reporting
• Poster, flyers, mouse mats, …
• Personal presentations
• Video and film presentations
• One-to-one selling

Implementation

Maintenance
• Keep management informed
• Demonstrate results
• Publish successes
• Carry out approved plans
Selling IT Security to Managers: Creating the Information Security Management System

Key Task #4

Security Policy, Baseline Controls, Guidelines
• Present and ask for feedback
• Let them explain to others

Awareness materials
• Present and discuss; ask for accompanying letter
• Have them talk about this during meetings

Distribute articles
• With a commenting letter
• In person (“have you seen …?”)

Report on security matters
• In person once every month
• Fixed item on agenda

Encourage managers to attend meetings, seminars, conferences

Be prepared before facing senior management
• Anticipate questions and objections (FAQ)
• Ask them for a decision
• Handout material
• Follow-up visit
The IBAG Practices Level: Creating the Information Security Management System

(Diagram, Practices level highlighted: Areas/Topics; Baseline Controls; Specific Controls. Policy: Security Policy; Organisation; Ownership; Awareness. Procedures: Implementation/Operation; Monitoring/Review)

COBIT Control Objectives

PO 6.8 Security and Internal Control Framework Policy
… Measures should be based on cost-benefit analyses and should be prioritised …

PO 9.1 Business Risk Assessment
Management should establish a systematic risk assessment framework. Such a framework should incorporate a regular assessment of the relevant information risks to the achievement of the business objectives, forming a basis for determining how the risks should be managed to an acceptable level. The process should provide for risk assessments at both the global level and system specific levels (for new projects as well as on a recurring basis) and should ensure regular updates of the risk assessment information with results of audits, inspections and identified incidents.

PO 9.2 Risk Assessment Approach
Management should establish a general risk assessment approach which defines the scope and boundaries, the methodology to be adopted for risk assessments, the responsibilities and the required skills. The quality of the risk assessments should be ensured by a structured method and skilled risk assessors.

PO 9.3 Risk Identification
The risk assessment approach should focus on the examination of the essential elements of risk such as assets, threats, vulnerabilities, safeguards, consequences and likelihood of threat.

PO 9.4 Risk Measurement
The risk assessment approach should ensure that the analysis of risk identification information results in a quantitative and/or qualitative measurement of risk to which the examined area is exposed. The risk acceptance capacity of the organisation should also be assessed.

PO 9.5 Risk Action Plan
The risk assessment approach should provide for the definition of a risk action plan to ensure that cost-effective controls and security measures mitigate exposure to risks on a continuing basis.

PO 9.6 Risk Acceptance
The risk assessment approach should ensure the formal acceptance of the residual risk, depending on risk identification and measurement, organisational policy, uncertainty incorporated in the risk assessment approach itself and the cost effectiveness of implementing safeguards and controls. The residual risk should be offset with adequate insurance coverage.
Define Areas/Topics (Scope): Creating the Information Security Management System

Key Task #5

Define areas of focus/interest
• Consider business priorities
• Consider IT security issues

DTI Code of Practice (BS7799)
• security policy & organisation
• personnel security
• asset classification and control
• system access control
• physical & environmental security
• computer and network management
• system development/maintenance
• business continuity planning
• compliance

CISA Candidates Guide
• organisation & management
• operations
• system software
• logical, physical & environmental security
• business continuity planning
• system development/maintenance
• application

IBAG Framework
• management of security
• personnel & organisation
• physical access
• logical access
• data security
• hardware
• environment
• operating system
• software utilities
• operations
• communications
• applications development
• purchased software
• end-user computing

COBIT 2nd edition
PO 1 Define a Strategic IT Plan
PO 2 Define the Information Architecture
PO 3 Determine the Technological Direction
PO 4 Define the IT Organisation and Relationships
PO 5 Manage the IT Investment
PO 6 Communicate Management Aims and Direction
PO 7 Manage Human Resources
PO 8 Ensure Compliance with External Requirements
PO 9 Assess Risks
PO 10 Manage Projects
PO 11 Manage Quality
AI 1 Identify Solutions
AI 2 Acquire and Maintain Application Software
AI 3 Acquire and Maintain Technology Architecture
AI 4 Develop and Maintain IT Procedures
AI 5 Install and Accredit Systems
AI 6 Manage Changes
DS 1 Define Service Levels
DS 2 Manage Third-Party Services
DS 3 Manage Performance and Capacity
DS 4 Ensure Continuous Service
DS 5 Ensure Systems Security
DS 6 Identify and Attribute Costs
DS 7 Educate and Train Users
DS 8 Assist and Advise IT Customers
DS 9 Manage the Configuration
DS 10 Manage Problems and Incidents
DS 11 Manage Data
DS 12 Manage Facilities
DS 13 Manage Operations
M 1 Monitor the Processes
M 2 Assess Internal Control Adequacy
M 3 Obtain Independent Assurance
M 4 Provide for Independent Audit
Areas/Topics: Set Priorities: Creating the Information Security Management System

Key Task #5

Business issues/priorities
• Travelling user
• E-Business: business to business; business to customers
• Virtual enterprises
• Time to productive use of new systems
• Use COBIT’s “Management’s IT Concerns Diagnostic” form

IT security issues/priorities
• Single-sign on
• Single point of reference
• Notebook encryption
• VPN
• Active content
• Web-servers / DMZ / firewall
Management’s IT Concerns: Creating the Information Security Management System

Key Task #5

Source: COBIT Implementation Tool Set

(Chart “Technology Concerns to Management” (Gartner Group): a matrix of risk factors against the technology areas Management, Internet / Intranet, Enterprise Packaged Solutions, Client/Server Architecture, Workgroups and GroupWare, and Network Management, mapped to the COBIT processes listed below. Risk factors named in the chart, in the order they appear:)
• IT initiatives in line with business strategy
• IT policies and corporate governance
• Utilising IT for competitive advantage
• Consolidating the IT infrastructure
• Reducing cost of IT ownership
• Acquiring and developing skills
• Unauthorised access to corporate network
• Unauthorised access to confidential messages
• Loss of integrity – corporate transactions
• Leakage of confidential data
• Interruption to service availability
• Virus infection
• Failure to meet user requirements
• Failure to integrate
• Not compatible with technical infrastructure
• Vendor support problems
• Expensive/complex implementation
• Failure to coordinate requirements
• Access control problems
• Not compatible with technical infrastructure
• End user management problems
• Control of software versions
• High costs of ownership
• Quality control
• Access control
• Informal procedures
• Data integrity
• Configuration control
• Availability
• Security
• Configuration control
• Incident management
• Costs
• Support and maintenance

COBIT processes:

PLANNING & ORGANISATION
PO1 Define a Strategic IT Plan
PO2 Define the Information Architecture
PO3 Determine the Technological Direction
PO4 Define the IT Organisation and Relationships
PO5 Manage the Investment in IT
PO6 Communicate Management Aims and Direction
PO7 Manage Human Resources
PO8 Ensure Compliance with External Requirements
PO9 Assess Risks
PO10 Manage Projects
PO11 Manage Quality

ACQUISITION & IMPLEMENTATION
AI1 Identify Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Architecture
AI4 Develop and Maintain IT Procedures
AI5 Install and Accredit Systems
AI6 Manage Changes

DELIVERY & SUPPORT
DS1 Define Service Levels
DS2 Manage Third-Party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Attribute Costs
DS7 Educate and Train Users
DS8 Assist and Advise IT Customers
DS9 Manage the Configuration
DS10 Manage Problems and Incidents
DS11 Manage Data
DS12 Manage Facilities
DS13 Manage Operations

MONITORING
M1 Monitor the Processes
M2 Assess Internal Control Adequacy
M3 Obtain Independent Assurance
M4 Provide for Independent Audit
Baseline Controls: Creating the Information Security Management System

Key Task #6

Baseline controls = best practices
• COBIT
• Code of Practice (BS7799-1:1999)
• Must correspond to policies
• Don’t reinvent the wheel
• Do what experts agree is important
• Avoid detailed risk assessment and save time and money

(Diagram: the BS7799 control sections 1.1, 2.1, 2.2, 3.1, 3.2, 4.1, 4.2, 4.3, 5.1, 5.2, 6.1 to 6.7, 7.1 to 7.7, 8.1 to 8.4, 9.1, 10.1 to 10.3)
Baseline Controls Source: COBIT: Creating the Information Security Management System

Key Task #6

The COBIT Framework is focussed on IT governance, not information security management.
COBIT (part III) contains control objectives, not controls (control procedures).

Example below taken from COBIT 2nd edition; changed by author; for demonstration purposes only.

(COBIT cube: Business Processes; IT Resources (data, applications, technology, facilities, people); information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability); domains Planning & Organisation, Acquisition & Implementation, Delivery & Support, Monitoring)

PO7 Manage Human Resources
Control over the IT process of managing human resources that satisfies the business requirement to maximise personnel contributions to the IT processes is enabled by sound personnel management techniques and takes into consideration:
• recruitment and promotion
• qualification requirements
• training
• awareness building
• cross training
• clearance procedures
• objective and measurable performance evaluation

PO 7.1 Personnel Recruitment and Promotion
Management should implement and regularly assess the needed processes to ensure that personnel recruiting and promotion practices are based on objective criteria and consider education, experience and responsibility. These processes should be in line with the overall organisation’s policies and procedures in this regard.

PO 7.2 Personnel Qualifications
Management of the information services function should regularly verify that personnel performing specific tasks are qualified on the basis of appropriate education, training and/or experience, as required. Management should encourage personnel to obtain membership in professional organisations.

PO 7.3 Personnel Training
Management should ensure that employees are provided with orientation upon hiring and with on-going training to maintain their knowledge, skills, abilities and security awareness to the level required to perform effectively. Education and training programmes conducted to effectively raise the technical and management skill levels of personnel should be reviewed regularly.

PO 7.4 Cross-Training or Staff Back-up
Management should provide for sufficient cross-training or back-up of identified key personnel to address unavailabilities. Personnel in sensitive positions should be required to take uninterrupted holidays of sufficient length to exercise the organisation’s ability to cope with unavailabilities and to detect fraudulent activity.

PO 7.5 Personnel Clearance Procedures
Management of the information services function should ensure that their personnel are subjected to security clearance before they are hired, transferred or promoted, depending on the sensitivity of the position. An employee who was not subjected to such a clearance when first hired should not be placed in a sensitive position until a security clearance has been obtained.

PO 7.6 Employee Job Performance Evaluation
Management should implement an employee performance evaluation process and make sure that the evaluation is performed against established standards and specific job responsibilities on a regular basis. Employees should receive counseling on performance or conduct whenever appropriate.

PO 7.7 Job Change and Termination
The BSI Code of Practice for Information Security Management (CoP) is focussed on information security management, not on IT governance.
Example on the right taken from the BSI Code of Practice (BS7799-1:1999); changed by author; for demonstration purposes only.
6 PERSONNEL SECURITY
6.1 Security in job definition and resourcing
Security should be addressed at the recruitment stage, included in job descriptions and contracts, and monitored during an individual’s employment.
6.1.1 Including security in job description
a Managers should ensure that job descriptions address all relevant security roles and responsibilities.
6.1.2 Personnel screening and policy
a At the time of a job application the following checks should be made for all types of employees:
• availability of at least two satisfactory character references, one business and one personal;
• a check (for completeness and accuracy) of the applicant’s curriculum vitae;
• confirmation of claimed academic and professional qualifications;
• independent identity check (passport or similar document).
c A similar screening process should be carried out for contractors and temporary staff (see 6.1.2 a and 6.1.2 b). Where these staff are provided through an agency, the contract with the agency should clearly specify the agency’s responsibilities for screening and the notification procedures they need to follow if screening has not been completed or if the results give cause for doubt or concern.
e The work of all staff should be subject to periodic review and approval procedures by a more senior member of staff.
6.1.3 Confidentiality agreements
a All employees should sign a separate confidentiality (non-disclosure) agreement as part of their initial conditions of employment.
b Agency staff and third party staff (including all temporary staff) should be required to personally sign a confidentiality (non-disclosure) agreement prior to access to the premises or connection to the information processing facilities.
6.1.4 Terms and conditions of employment
a The terms and conditions of employment should state the employee’s responsibilities for information security. In particular:
• legal responsibilities e.g. regarding copyright laws, data protection legislation;
• classification and management of employer’s data.
Baseline Controls (Source: CoP) - Key Task #6

Code of Practice (BS7799-1) section overview:
1 Security policy
1.1 Information security policy
2 Security organisation
2.1 Organisation of information security
2.2 Security of access by third-party organisations
3 Classification and control of assets
3.1 Responsibilities for assets
3.2 Classification of information
4 Personnel security
4.1 Security in personnel recruitment
4.2 User training
4.3 Responding to security-relevant incidents
5 Physical and environmental security
5.1 Security zones
5.2 Equipment security
6 Computer and network management
6.1 Operating procedures and responsibilities
6.2 Planning/acceptance of applications
6.3 Protection against malicious software
6.4 Operations and data backup
6.5 Network management and network security
6.6 Secure handling of media
6.7 Exchange of data and software
7 System access control
7.1 Business requirements for system access
7.2 Administration of access rights
7.3 User responsibilities
7.4 Network access security
7.5 Computer access security
7.6 Application access security
7.7 Monitoring of system access/use
8 Development and maintenance of application systems
8.1 Definition of security requirements
8.2 Security in application systems
8.3 Security of application system files
8.4 Security in development and support environments
9 Business continuity planning
9.1 Business continuity planning process
10 Compliance with obligations
10.1 Compliance with legal obligations
10.2 Security reviews of IT systems
10.3 System audit considerations
Specific Controls
COBIT Control Objectives
PO 6.10 Issue Specific Policies
Measures should be put in place to ensure that issue-specific policies are established to document management decisions in addressing particular activities, applications, systems or technologies.
PO 10.9 Planning of Assurance Methods
Assurance tasks are to be identified during the planning phase of the project management framework. Assurance tasks should support the accreditation of new or modified systems and should assure that internal controls and security features meet the related requirements.
AI 1.8 Risk Analysis Report
The organisation’s system development life cycle methodology should provide, in each proposed information system development, implementation or modification project, for an analysis and documentation of the security threats, potential vulnerabilities and impacts, and the feasible security and internal control safeguards for reducing or eliminating the identified risk. This should be realised in line with the overall risk assessment framework.
AI 1.9 Cost-Effective Security Controls
Management should ensure that the costs and benefits of security are carefully examined in monetary and non-monetary terms to guarantee that the costs of controls do not exceed benefits. The decision requires formal management sign-off.
AI 2.12 Controllability
The organisation’s system development life cycle methodology should require that adequate mechanisms for assuring the internal control and security requirements be specified for each information system development or modification project. The methodology should further ensure that information systems are designed to include application controls which guarantee the accuracy, completeness, timeliness and authorisation of inputs, processing and outputs. Sensitivity assessment should be performed during initiation of system development or modification. The basic security and internal control aspects of a system to be developed or modified should be assessed along with the conceptual design of the system in order to integrate security concepts in the design as early as possible.
AI 5.7 Security Testing and Accreditation
Management should define and implement procedures to ensure that operations and user management formally accept the test results and the level of security for the systems, along with the remaining residual risk.
Key Task #7
[Figure: specific controls layered on top of the baseline controls]
Implementing Specific Controls (Key Task #7)
• Evaluate threats, exposures, risks
• Define additional control objectives
• Specify, select or develop specific controls
• Determine if controls are adequate
• Evaluate residual risks
[Figure: specific controls layered on top of the baseline controls]
Threat / Risk Assessment (Key Task #7)

Control risks
• Control environment, culture
• Reorganisations, outsourcing
• Employees, stress, overtime
• Management’s control attitude
• Leadership, board, key staff
• Policies, procedures, documents
• Segregation of duties
• Confidentiality, integrity, availability, efficiency, effectiveness
• Compliance, reliability
Risk analysis to identify critical PCs (procedure: Black & Decker, 1984)

No. | Description/Question | Weight/Key Factor | Result
1 | Does your department use a microcomputer? | 0 = No; 5 = Yes | 1
2 | Internal Storage Capacity | 0 = No PC; 1 = Up to 16K; 2 = Up to 32K; 3 = Up to 64K; 4 = Up to 128K; 5 = More than 128K | 3
3 | Is micro shared with other departments? | 0 = No PC / No; 5 = Yes | 1
4 | Languages | 0 = No PC / No; 3 = Basic; 5 = Other | 2
5 | How long has your department been using a microcomputer? | 0 = No PC; 1 = less than 6 months; 3 = 6-12 months; 5 = Over 12 months | 1
6 | Average hours used per week | 0 = No PC; 1 = Up to 10; 2 = 11-20; 3 = 21-30; 4 = 31-40; 5 = greater than 40 | 1
7 | Peripherals | 0 = No PC; 1 = Printer; 2 = Floppy disk; 3 = Printer & floppies; 4 = Fixed disk; 5 = Modem/IRMA Board | 3
8 | Purchased Software | 0 = No PC; 1 = Text editor / Word processor; 3 = Financial Accounting; 5 = Complex/multiple applications | 2
9 | In-House Developed Applications | 0 = No PC; 1 = Text editor / Word processor; 3 = Financial Accounting; 5 = Complex/multiple applications | 3
10 | Source of Input Data | 0 = No PC / none; 3 = Other; 5 = B&D files or DB | 1
11 | Is your micro linked to other micros or mainframes? | 0 = No PC / No; 3 = To other micros | 3
12 | Documentation available | 0 = No PC; 1 = Operations, SW-Program; 3 = Operations, no software; 5 = None | 1
13 | Future acquisition/development plans | 0 = None; 3 = Long term; 5 = Short term | 1
14 | Number of persons using microcomputer | 0 = No PC; 3 = 2-5; 5 = One or greater than 5 | 1
15 | Training provided | 0 = No PC; 1 = Formal training; 3 = Other; 5 = None | 1
16 | Do you have control concerns or other comments regarding your micro? | 0 = No PC / No; 5 = Yes | 1
Total | | |
[Bar chart (figure): BS7799 sections 1.1 to 10.3 grouped 1 to 10 on the horizontal axis; scores 0 to 5 and a 0% to 60% scale on the vertical axis; severity bands: survival?, serious, significant, low, none]
Business/inherent risks
• Products / service offered
• Market (national/international)
• Size, financial situation
• Contracts and liability
• Operations
• Tax and political situation
• Information technology used
• Technological trends and developments
• Complexity

[Risk matrix (figure): vertical axis --- Damage +++, horizontal axis --- Probability +++]
Risk = Probability x Damage: $R_i = w_i \cdot A_i$
Total risk (sum of all partial risks): $R = \sum_i R_i = \sum_i (w_i \cdot A_i)$
An illusion of mathematical correctness
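The Black & Decker questionnaire above, scored with the $R_i = w_i \cdot A_i$ rule of this slide, as an added example (not the slide author's code). It assumes that the number printed after each question is its weight $w_i$, that the key factor $A_i$ is the score of the answer given, and that the departments' answers are constructed sample data.

```python
"""Black & Decker (1984) PC questionnaire scored with R_i = w_i * A_i (added example,
not the slide author's code). Assumed: the number after each question is its weight
w_i; the key factor A_i is the score of the answer given; R is the sum of all R_i."""

# Transcribed from the slide: (short question, weight w_i, {answer: key factor A_i}).
# "nopc" is the 0-point answer for a department without a microcomputer.
QUESTIONS = [
    ("uses microcomputer", 1, {"no": 0, "yes": 5}),
    ("internal storage", 3, {"nopc": 0, "<=16K": 1, "<=32K": 2, "<=64K": 3, "<=128K": 4, ">128K": 5}),
    ("shared with other departments", 1, {"nopc": 0, "no": 0, "yes": 5}),
    ("languages", 2, {"nopc": 0, "no": 0, "basic": 3, "other": 5}),
    ("time in use", 1, {"nopc": 0, "<6m": 1, "6-12m": 3, ">12m": 5}),
    ("hours per week", 1, {"nopc": 0, "<=10": 1, "11-20": 2, "21-30": 3, "31-40": 4, ">40": 5}),
    ("peripherals", 3, {"nopc": 0, "printer": 1, "floppy": 2, "printer+floppies": 3,
                        "fixed disk": 4, "modem/IRMA": 5}),
    ("purchased software", 2, {"nopc": 0, "editor": 1, "accounting": 3, "complex": 5}),
    ("in-house applications", 3, {"nopc": 0, "editor": 1, "accounting": 3, "complex": 5}),
    ("source of input data", 1, {"nopc": 0, "none": 0, "other": 3, "B&D files/DB": 5}),
    ("linked to other systems", 3, {"nopc": 0, "no": 0, "other micros": 3}),
    ("documentation", 1, {"nopc": 0, "ops+software": 1, "ops only": 3, "none": 5}),
    ("future plans", 1, {"none": 0, "long term": 3, "short term": 5}),
    ("number of users", 1, {"nopc": 0, "2-5": 3, "1 or >5": 5}),
    ("training", 1, {"nopc": 0, "formal": 1, "other": 3, "none": 5}),
    ("control concerns", 1, {"nopc": 0, "no": 0, "yes": 5}),
]

# Worst case: every answer at its highest key factor (used to express totals as a share).
MAX_SCORE = sum(w * max(f.values()) for _, w, f in QUESTIONS)

def score(answers):
    """Return (R, rows) for one department; answers is one answer per question in slide
    order, rows are (question, w_i, A_i, R_i). Unknown or missing answers raise ValueError."""
    if len(answers) != len(QUESTIONS):
        raise ValueError(f"expected {len(QUESTIONS)} answers, got {len(answers)}")
    rows, total = [], 0
    for (question, weight, factors), answer in zip(QUESTIONS, answers):
        if answer not in factors:
            raise ValueError(f"{question!r}: unknown answer {answer!r}")
        partial = weight * factors[answer]  # R_i = w_i * A_i
        rows.append((question, weight, factors[answer], partial))
        total += partial                    # R = sum of all partial risks
    return total, rows

def rank(departments):
    """Most critical first: (name, R, R as a percentage of MAX_SCORE) per department."""
    totals = [(name, score(answers)[0]) for name, answers in departments.items()]
    return sorted(((n, r, round(100 * r / MAX_SCORE)) for n, r in totals), key=lambda t: -t[1])

# Constructed sample answers for three departments (not data from the slide).
SAMPLE = {
    "accounting": ["yes", ">128K", "no", "other", ">12m", ">40", "fixed disk", "accounting",
                   "complex", "B&D files/DB", "other micros", "none", "short term", "1 or >5", "none", "yes"],
    "mailroom": ["yes", "<=16K", "no", "no", "<6m", "<=10", "printer", "editor",
                 "editor", "none", "no", "ops+software", "none", "2-5", "formal", "no"],
    "warehouse": ["no"] + ["nopc"] * 11 + ["none"] + ["nopc"] * 3,
}

RANKING = rank(SAMPLE)  # [('accounting', 112, 90), ('mailroom', 23, 19), ('warehouse', 0, 0)]
```

The percentage column only relates a total to the worst possible score; the slide gives no thresholds for the severity bands, so none are applied here.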
Risk Analysis to Discover Critical IT-Processes (Typical Example)

Rating form: each IT-Process is rated for Importance (does not apply / not sure / not important / somewhat important / very important) and for Performance (not rated / not sure / poor / satisfactory / very good / excellent).

IT-Process
PO1 Define a Strategic Information Technology Plan
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Organisation and Relationships
PO5 Manage the Investment in Information Technology
PO6 Communicate Management Aims and Direction
PO7 Manage Human Resources
PO8 Ensure Compliance with External Requirements
PO9 Assess Risks
PO10 Manage Projects
PO11 Manage Quality
AI1 Identify Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Architecture
AI4 Develop and Maintain IT-Procedures
AI5 Install and Accredit Systems
AI6 Managing Changes
DS1 Define Service Levels
DS2 Manage Third-Party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Assisting and Advising IT-Customers
DS9 Manage the Configuration
DS10 Manage Problems and Incidents
DS11 Manage Data
DS12 Manage Facilities
DS13 Manage Operations
M1 Monitor the Process
M2 Assess Internal Control Adequacy
M3 Obtain Independent Assurance
M4 Provide for Independent Audit
COBIT 2nd Edition Implementation Tool Set, 1998
Risk Analysis, COBIT (34 IT-Processes)
Critical IT-Processes (Example): matrix of importance (rows) against performance (columns: excellent, very good, satisfactory, poor, not sure)
very important: PO10 DS11 M1 PO9 DS2 DS4 DS10 PO1 DS1 PO3
somewhat important: PO5 PO11 AI2 AI6 DS5 PO4 AI4 DS8 DS13 AI3 M2 PO8
not important: DS6 DS12 DS3 DS9 PO6 AI1 AI5 M4 DS7 M3
not sure: PO2 PO7
Identify critical IT processes for a particular application
Key Task #7
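The importance/performance matrix above built programmatically, as an added example (not the slide author's code). The ratings are constructed, and the rule that marks a process as critical (important and performing poorly) is an assumption of this example, not one stated on the slide.

```python
"""Importance/performance grid for COBIT IT processes (added example, not from the slides).

Assumptions: a process counts as critical when it is rated at least "somewhat important"
and its performance is "poor"; "not sure"/"not rated" processes are listed for re-assessment.
The ratings below are constructed for illustration, not the slide's example data.
"""

IMPORTANCE = ["does not apply", "not sure", "not important", "somewhat important", "very important"]
PERFORMANCE = ["not rated", "not sure", "poor", "satisfactory", "very good", "excellent"]

# Process codes and names as on the slide (a subset); the ratings are constructed.
RATINGS = {
    "PO9 Assess Risks": ("very important", "poor"),
    "DS4 Ensure Continuous Service": ("very important", "satisfactory"),
    "DS5 Ensure Systems Security": ("somewhat important", "poor"),
    "DS10 Manage Problems and Incidents": ("very important", "very good"),
    "PO7 Manage Human Resources": ("not sure", "satisfactory"),
    "DS12 Manage Facilities": ("not important", "poor"),
    "M1 Monitor the Process": ("very important", "not rated"),
}


def code(process):
    """Short COBIT code, e.g. 'PO9' from 'PO9 Assess Risks'."""
    return process.split()[0]


def grid(ratings):
    """Group process codes by (importance, performance) cell, like the slide's matrix."""
    cells = {}
    for process, (imp, perf) in ratings.items():
        if imp not in IMPORTANCE or perf not in PERFORMANCE:
            raise ValueError(f"{process}: unknown rating {imp!r}/{perf!r}")
        cells.setdefault((imp, perf), []).append(code(process))
    return cells


def critical(ratings):
    """Codes of important processes rated 'poor', the most important first (assumed rule)."""
    found = [(IMPORTANCE.index(imp), code(p)) for p, (imp, perf) in ratings.items()
             if IMPORTANCE.index(imp) >= IMPORTANCE.index("somewhat important") and perf == "poor"]
    return [c for _, c in sorted(found, reverse=True)]


def needs_reassessment(ratings):
    """Codes whose importance is 'not sure' or whose performance is 'not rated'/'not sure'."""
    return sorted(code(p) for p, (imp, perf) in ratings.items()
                  if imp == "not sure" or perf in ("not rated", "not sure"))
```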
The IBAG Procedures Level

[IBAG framework (figure): Policy: Security Policy; Organisation: Ownership, Awareness; Practices: Areas/Topics, Baseline Controls, Specific Controls; Procedures: Monitoring/Review, Implementation/Operation]

COBIT Control Objectives
AI 4.2 User Procedures Manuals
The organisation’s system development life cycle methodology should provide that adequate user procedures manuals be prepared and refreshed as part of every information system development, implementation or modification project.
AI 4.3 Operations Manual
The organisation’s system development life cycle methodology should provide that an adequate operations manual be prepared and kept up-to-date as part of every information system development, implementation or modification project.
DS 8.1 Help Desk
User support should be established within a ”help desk” function. Individuals responsible for performing this function should closely interact with problem management personnel.
DS 10.1 Problem Management System
Information services function management should define and implement a problem management system to ensure that all operational events which are not part of the standard operation (incidents, problems and errors) are recorded, analysed and resolved in a timely manner. Incident reports should be established in the case of significant problems.
DS 10.2 Problem Escalation
Management should define and implement problem escalation procedures to ensure that identified problems are solved in the most efficient way on a timely basis. These procedures should ensure that these priorities are appropriately set. The procedures should also document the escalation process for the activation of the information technology continuity plan.
DS 10.3 Problem Tracking and Audit Trail
The problem management system should provide for adequate audit trail facilities which allow tracing from incident to underlying cause (e.g., package release or urgent change implementation) and back. It should closely interwork with change management, availability management and configuration management.
DS 13.1 Processing Operations Procedures and Instructions Manual
The information services function should establish and document standard procedures for information technology operations (including network operations). All information technology solutions and platforms in place should be operated using these procedures, which should be reviewed periodically to ensure effectiveness and adherence.
DS 13.6 Operations Logs
Management controls should guarantee that sufficient chronological information is being stored in operations logs to enable the reconstruction, timely review and examination of the time sequences of processing and other activities surrounding or supporting processing.
Implementation & Operation (Key Task #8): Life Cycle Approach
• Establish implementation plan
• Install and update products and systems
• Implement and update procedures
• Train staff and users
• Operate security mechanisms
• Re-adjust where necessary

[Life cycle figure: layers (IT) Security Awareness / Responsibility / Policy, Baseline Security Controls, System Specific Controls; phases Definition, Implementation, Operation, Monitoring, Audit/Review, Change-Mgmt.]
Monitor & Review Operations (Key Task #9)

COBIT Control Objectives
PO 3.2 Monitor Future Trends and Regulations
PO 4.9 Supervision
PO 6.6 Compliance with Policies, Procedures and Standards
PO 8.1 External Requirements Review
PO 8.2 Practices and Procedures for Complying with External Requirements
PO 8.3 Safety and Ergonomic Compliance
PO 8.4 Privacy, Intellectual Property and Data Flow
PO 8.6 Compliance with Insurance Contracts
DS 1.4 Monitoring and Reporting
DS 2.8 Monitoring
DS 5.7 Security Surveillance
DS 5.10 Violation and Security Activity Reports
DS 5.11 Incident Handling
DS 10.3 Problem Tracking and Audit Trail
M 1.1 Collecting Monitoring Data
M 2.1 Internal Control Monitoring
M 2.2 Timely Operation of Internal Controls
M 2.3 Internal Control Level Reporting
M 2.4 Operational Security and Internal Control Assurance
M 3.1 Independent Security and Internal Control Certification/Accreditation of Information Technology Services
M 3.2 Independent Security and Internal Control Certification/Accreditation of Third-Party Service Providers
M 3.3 Independent Effectiveness Evaluation of Information Technology Services
M 3.4 Independent Effectiveness Evaluation of Third-Party Service Providers
M 3.5 Independent Assurance of Compliance with Laws and Regulatory Requirements and Contractual Commitments
M 3.6 Independent Assurance of Compliance with Laws and Regulatory Requirements and Contractual Commitments by Third-Party Service Providers
Monitoring Compliance (Key Task #9)

Compliance Monitoring / Review Process
• Defined requirements sufficient?
• Policies, regulations and guidelines still adequate?
• Policies are complied with
• Controls are effective
• Controls are relevant to business
• Recommend improvements

Monitoring & Investigation
• An incident response team will become more important
• Incidents (attacks) are highly difficult to investigate
• Beware of data protection legislation

… be prepared
• Awareness training is better than sanctioning
• Define sanctions in advance
• Be fair and consistent
Summary

[IBAG framework (figure): Policy: Security Policy; Organisation: Ownership, Awareness; Practices: Areas/Topics, Baseline Controls, Specific Controls; Procedures: Monitoring/Review, Installation/Operation]

• Only 9 key tasks
• Start tomorrow
• You need long term commitment from senior management, team members and leader
• Recommended: a team of 5-7, well trained and dedicated, and a top “IT Security Officer”