
CHALLENGES OF AN ISMS IMPLEMENTATION

VIJANDRAN RAMASAMY - CISSP, INFORMATION SECURITY OFFICER

ISM INSURANCE SERVICES MALAYSIA BERHAD

AGENDA

• Certification Program at ISM
• Common Problems Faced
• Key Concerns on the Current Standard
• Critical Success Factors
• Recommendations
• Resources

BUSINESS FOCUS FOR ISM

ISM Insurance Services Malaysia Berhad is the leading provider of insurance and takaful shared services in the region.

• ISM Knowledge Management System (ISM-KMS)
• ISM Fraud Management System (ISM-FMS)
• ISM Electronic Exchange System (ISM-EES)

ISMS STANDARD

The ISO/IEC 27001:2005 International Standard establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization.

The control objectives and controls of this International Standard are intended to be implemented to meet the requirements identified by a risk assessment.

PURPOSE OF ISMS

To protect ISM Insurance Services Malaysia Berhad (ISM) from adverse impact on its reputation and operations that could result from failures of Confidentiality, Integrity, and Availability.

Information security is the preservation of “C-I-A”.

SCOPE OF CERTIFICATION FOR ISMS

The ISMS scope is for the entire operations of ISM. ISM is made up of 5 functional units:

1. Actuarial & Statistical Services

2. Administration & Accounts

3. Anti-Fraud Services

4. IT Services

5. Research & Development Services

ISMS CONTROL OBJECTIVES AND CONTROLS

There are in total 11 control objectives and 133 individual controls. For ISM, it has been determined that 131 of these controls are applicable to our organization.

ISMS CONTROL OBJECTIVES

Security Policy (1)
• Management direction and support

Organization of Information Security (2)
• Infrastructure, third party access and controlling security of outsourced information processing

Asset Management (3)
• Identifying, classifying and protecting assets and information

Human Resources Security (4)
• Addressing roles and responsibilities, screening, training, disciplinary process, termination.

Physical and Environmental Security (5)
• Managing physical access to prevent loss, damage, theft, compromise.

Communications and Operations Management (6)
• Ensuring correct and secure operations in computer and network systems, third party services, media (disks), electronic messaging, monitoring.

Access Control (7)
• Controlling access to information, enforced by controlling and monitoring access rights to networked devices, operating systems, applications, both directly on the organization’s network and via remote access.

Information Systems Acquisition, Development and Maintenance (8)
• Building security into information systems.

Information Security Incident Management (9)
• Damage control, reporting, collecting evidence.

Business Continuity Management (10)
• Counteracting interruptions and minimizing their impact.

Compliance (11)
• Avoiding breaches of law, regulatory or contractual requirements.

CERTIFICATION PROGRAM AT ISM

• One of the key initiatives set by the Board of Directors.
• Balancing the need for accessibility and the preservation of “C-I-A”.
• Comprehensive insurance databases require clearly defined security responsibilities that establish accountability.
• Serves as a Key Performance Indicator (KPI) for the organization.

Program timeline:

• December 2005 – Program Start.
• August 2006 – Stage 1 Audit by SIRIM.
• September 2006 – Stage 2 Audit by SIRIM.
• November 2006 – Obtained ISMS certification in accordance with ISO/IEC 27001:2005.

CONSIDERATIONS FOR OBTAINING ISMS CERTIFICATION

• Obtaining senior management commitment.
• Setting the ISMS scope.
• Personnel awareness and training.
• No magic bullet/formula.
• Asset identification and classification.
• Implementation flaws.
• Risk assessment.
• Resources.

VENDOR SELECTION CRITERIA

• Service fee structure.
• RFP scope requirements.
• Technology infrastructure.
• Organization track record – customer base.
• Other factors – ISMS certified.

ISMS IMPLEMENTATION CONCEPT: PLAN-DO-CHECK-ACT

The PDCA model was adopted to provide a systematic approach to developing, implementing, and improving the ISMS.

PHASE 1: ISMS PLANNING

Planning steps, with the deliverables produced at each step:

1. ISMS Certification Road Map
   • Certification Roadmap

2. Establish Roles
   • Information Security Forum
   • ISMS Steering Committee
   • ISMS Secretariats
   • ISMS Internal Auditor
   • ISMS Implementation Team

3. Develop Security Policy
   • ISMS Policy
   • Information Security Policy

4. Training & Awareness on ISO/IEC 27001:2005
   • ISMS Awareness Training
   • Security Awareness Training
   • ISO/IEC 27001:2005 Implementation Course
   • ISO/IEC 27001:2005 Lead Auditor Course

PHASE 2: ISMS IMPLEMENTATION

Implementation steps, with the deliverables produced at each step:

1. Scoping & Definition of ISMS
   • ISMS Scope Statement
   • ISMS Scope Document
   • ISMS Statement of Applicability

2. Gap Analysis
   • Gap Analysis Report

3. Risk Assessment & Treatment
   • IS Risk Assessment Methodology
   • IS Risk Assessment Report
   • Risk Treatment Plan

4. Implement Controls & Procedures
   • Develop relevant policies & procedures
   • Develop security metrics

5. Internal Audit, Corrective & Preventive Action
   • Internal Audit Report
   • Corrective Action
   • Preventive Action
   • Records Maintenance

6. Management Review
   • Review on ISMS Effectiveness

PHASE 3: ISMS CERTIFICATION

1. Application – Application for Certification to SIRIM

2. Stage 1 Audit – Documentation Audit

3. Stage 2 Audit – Onsite Audit

4. Certification – Certified

PHASE 4: ISMS MAINTENANCE AND CONTINUOUS IMPROVEMENT

• Enhance security controls and implementation.
• Evaluation of controls effectiveness.
• Measurement of effectiveness of controls.
• Enhance security metrics.

COMMON PROBLEMS FACED

• Lack of understanding of the requirements.
• Unrealistic or impractical scoping.
• Resource allocation.
• Inadequate enforcement.
• Security is not well integrated into current management systems or processes.
• Keeping the ball rolling.

KEY CONCERNS ON THE CURRENT STANDARD

• Control-driven, extensive elaboration on control implementation.
  – Losing sight of some of the mandatory requirements in ISO/IEC 27001:2005.
• Tendency for individual interpretation of the standard; different auditors may have different focus and expectations.
• An efficient method for security risk assessment is still lacking.
• Lack of guidance on security metrics measurement.
  – How do I measure the effectiveness of the ISMS?
  – How do I define the desired state of my ISMS?
  – How do I benchmark my ISMS implementation?

CRITICAL SUCCESS FACTORS

• Senior management commitment – resources, funding, time, people.
• Seamless integration of ISMS into current management systems.
• Proper assurance and governance framework established.
• Balancing of business and security requirements.

POST-IMPLEMENTATION IMPROVEMENTS

• Account Management – SUM
• Site-To-Site VPN (STS-VPN)
• High availability and load balancing of ISM computer and communication systems.
• Development of applications based on SDLC as per ISMS control objective.
• Implementation and testing of disaster recovery plans.
• Establishment of DRC site.

RECOMMENDATIONS

• Guidance on effective ISMS scoping.
• Interrelate to other standards and regulatory compliance (e.g. ITIL, GPIS-1, SOX, Basel II, etc.).
• Supplement ISO/IEC 27001:2005 with more implementation guidance, especially in the areas of security metrics and measurement, and risk assessment.
• Have a more objective way of measurement based on a security maturity model or progressive improvement.
• ISO/IEC 27003 – Working Draft for ISMS Implementation Guidance.

RESOURCES

Here are a few good resources to check when considering ISMS implementations and certifications:

• www.irca.org
• www.iso27001security.com
• www.iso27001certificates.com
• www.sirim.my/iscg

THANK YOU

“INFORMATION SECURITY IS EVERYONE’S RESPONSIBILITY EVERY DAY”

VIJAY@ISM.NET.MY

WWW.ISM.NET.MY