Implementation Plan for an ISMS according to ISO/IEC 27001:2013
Master Program in Security of Information and Communication Technologies (MISTIC)
Student: Plácido Rodal Castro
Consultant: Antonio José Segovia Henares

Index of Content
1. Introduction
2. Objectives
3. Xintiba
4. Planning
5. Gap Analysis
6. Document Management System
7. Information Security Risk Assessment
8. Proposal Projects
9. Compliance Audit
10. Conclusions
Introduction
Ø The objective of this document is to present the implementation plan for an ISMS (Information Security Management System) according to ISO/IEC 27001:2013 for Xintiba.
Ø This system includes all of the policies, procedures, plans, processes, practices, roles, responsibilities, resources and structures that are used to protect and preserve the information and assets of the company.
Objectives
Best practices of information security management are the most effective strategy for keeping organizations and users safe. Implementing an ISMS brings:
Ø Improved reputation and stakeholder confidence.
Ø Compliance with relevant legislation.
Ø Trust and credibility in the market.
Ø Cost savings by minimizing incidents.
Ø Assurance that information is protected and available.
Xintiba
Ø Xintiba is a company from the north of Mexico that develops video games for children and people with disabilities. Through these video games they attempt to accelerate the acquisition of certain cognitive skills that may help these people adapt and perform in society.
Ø They have published the first video game specifically designed for children with autism.
Ø The data collected by the games is shown in a tool for visualizing and communicating important business data, and is used by employees, parents and physicians.
Xintiba (organization chart: roles and the office where each is located)

Role                     Office
CEO                      Office 1
Marketing and Sales      Office 1
Sales Executive          Office 1
Publicity Manager        Office 1
Finance and HR           Office 1
Operations               Office 1 & 2
PM                       Office 1
R&D                      Office 1
Factory (Dev)            Office 2
Design                   Office 2
CIO                      Office 2
SysAdmin                 Office 2
CISO                     Office 2
ISO                      Office 2
ISMR                     Office 2
Gap Analysis (ISO/IEC 27001:2013 Annex A controls, degree of accomplishment before the project)

ID     Section                                                          Accomplishment
A.5    Information security policies                                    0%
A.6    Organization of information security                             8%
A.7    Human resource security                                          2%
A.8    Asset management                                                 22%
A.9    Access control                                                   14%
A.10   Cryptography                                                     0%
A.11   Physical and environmental security                              0.1%
A.12   Operations security                                              2%
A.13   Communications security                                          14%
A.14   System acquisition, development and maintenance                  46%
A.15   Supplier relationships                                           44%
A.16   Information security incident management                         17%
A.17   Information security aspects of business continuity management   45%
A.18   Compliance                                                       0%
Document Management System
Ø Information security policy.
Ø ISMS internal audit procedure.
Ø ISMS key performance indicators.
Ø ISMS management review.
Ø ISMS roles and responsibilities.
Document Management System
Ø Information security policy
• The purpose of the information security policy is to provide a security framework that will ensure the protection of Xintiba's physical and information technology assets.
• All users must follow the policy and accept the responsibilities it assigns to them. It is the user's responsibility to use and protect those resources carefully, as well as to comply with all Xintiba policies, regulations, laws and contractual obligations.
• Xintiba will periodically audit and review the information security policy.
Document Management System
Ø ISMS internal audit procedure
• The purpose of the internal audit procedure is to check, at least once every 12 months, that all aspects of the ISMS are functioning as intended and that the compliance of the ISMS with the ISO/IEC 27001 standard is maintained at an acceptable level.
• This helps ensure not only that policies and procedures are being applied, but also that new best practices can be gathered and adopted.
Document Management System
Ø ISMS key performance indicators
• Xintiba will evaluate the information security performance and the effectiveness of the information security management system using the following indicators:
§ Effective security policy
§ Incident management
§ Percent of business initiatives supported by the ISMS
§ Number of security-related service downtimes
§ Duration of service interruptions
§ Incident resolution time
§ Number of improvement initiatives
§ Percent of the IT budget used for managing IT risks
§ Number of new threats and risks identified compared to the previous risk assessment
§ Time between identification of a non-compliance and implementation of the fix
§ Number of security incidents caused by attacks from the Internet
§ Number of security incidents caused by malicious software
Document Management System
Ø ISMS management review
• Top management reviews the organization's information security management system at scheduled intervals to ensure its continuing suitability, adequacy and effectiveness.
• Management review meetings should be held periodically in order to measure the effectiveness of the management system. Initially the meetings will be monthly, but the interval can be lengthened once the system becomes more mature.
• The attendees of the management review meetings are the ISMS Steering Committee (CISO, ISMR, ISO and CIO), the CEO and the HR manager. Outside consultants will be invited to some meetings.
Document Management System
Ø Methodology for risk management
• Xintiba's risk management methodology is based on the Magerit v3.0 methodology.
• Magerit implements the risk management process within a working framework that lets governing bodies make decisions taking into account the risks derived from the use of information technologies.
• The objective is to protect the organization's mission, taking the requirements of the different security dimensions into account.
Compliance Audit (degree of accomplishment per Annex A section, before the project and now)

ID     Section                                                          Before   Now
A.5    Information security policies                                    0%       80%
A.6    Organization of information security                             8%       70%
A.7    Human resource security                                          2%       75%
A.8    Asset management                                                 22%      50%
A.9    Access control                                                   14%      83%
A.10   Cryptography                                                     0%       30%
A.11   Physical and environmental security                              0.1%     8%
A.12   Operations security                                              2%       53%
A.13   Communications security                                          14%      55%
A.14   System acquisition, development and maintenance                  46%      45%
A.15   Supplier relationships                                           44%      44%
A.16   Information security incident management                         17%      25%
A.17   Information security aspects of business continuity management   45%      20%
A.18   Compliance                                                       0%       40%
Lessons Learned
1. It is very important to explain in detail to the employees the projects that the company wants to carry out. If they don't understand what the target is, they will not cooperate properly.
2. Security is not a project; it is a key piece of the company. It is very important to devote time and patience to explaining to managers how important it is.
3. The first stages of a security project are the easiest. The complexity begins when we reach high levels of process maturity, and it is also harder to maintain security levels than to achieve them.
4. Computer security requires daily updating; therefore it is important to devote time to research, keep in contact with the authorities and periodically work with outside consultants.
Conclusions
Ø We have finished the project complying with the proposed objectives, but we expect to reach a higher security maturity level.
Ø This project is the first step towards introducing security as a key element in Xintiba. The plan is to continue working hard in order to start the ISO/IEC 27001 certification in the final semester of 2017.
Ø The project planning was followed properly at the beginning, but in the final weeks the projects were closed in parallel because we were short of time.
Ø We had some issues with third-party employees and companies, and also with some internal employees who were not very focused on the project.