
Information Security Identity and Access Management Administration 07072016

Information Security Management System

ISO/IEC 27001:2005 Introduction and Requirements

An information security management system (ISMS) is a set of policies and procedures for systematically managing an organization's sensitive data. The goal of an ISMS is to minimize risk and ensure business continuity by proactively limiting the impact of a security breach.

Information Security Management System Overview

Components of Information Security Program

Risk Management
Policy Management
Organizing Information Security
Asset Protection
Human Resource Security
Physical and Environmental Security
Communication and Operations Management
Access Control
Information Systems Acquisition, Development and Maintenance
Incident Management
Disaster Recovery Management
Compliance

Develop an enterprise-wide information security strategy and game plan

Get corporate “buy in” for the enterprise information security program-effective programs start at the top.

Build information security monitoring control procedures into the infrastructure of the enterprise.

Establish level of “due diligence” for information security.

Focus initially on mission/business case impacts—bring in threat information only when specific and credible.

Building an Effective Enterprise Information Security Program

Categorize the information system

Select set of minimum (baseline) security controls

Refine the security control set based on risk assessment

Document security controls in system security plan

Implement the security controls for the information system

Assess the security controls

Determine bank-level risk and risk acceptability

Authorize information system operation

Monitor security controls on a continuous basis

Strategy for Effectively Managing Security Risk

Information Security Risk Assessment

Risk Assessment Process Overview

Managing Enterprise Risk Framework

Security Categorization (FIPS 199 / SP 800-60): Defines the category of the information system according to the potential impact of loss.

Security Control Selection (SP 800-53 / FIPS 200): Selects the minimum security controls (i.e., safeguards and countermeasures) planned or in place to protect the information system.

Security Control Refinement (SP 800-53 / FIPS 200 / SP 800-30): Uses risk assessment to adjust the minimum control set based on local conditions, required threat coverage, and specific agency requirements.

Security Control Documentation (SP 800-18): In the system security plan, provides an overview of the security requirements for the information system and documents the security controls planned or in place.

Security Control Implementation (SP 800-70): Implements security controls in new or legacy information systems; implements security configuration checklists.

Security Control Assessment (SP 800-53A / SP 800-37): Determines the extent to which the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements.

System Authorization (SP 800-37): Determines the risk to bank operations, bank assets, or individuals and, if acceptable, authorizes information system processing.

Security Control Monitoring (SP 800-37): Continuously tracks changes to the information system that may affect security controls and assesses control effectiveness.

Risk Management Framework

Security Life Cycle

CATEGORIZE Information System (Starting Point): Define criticality/sensitivity of the information system according to potential worst-case, adverse impact to mission/business.

SELECT Security Controls: Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.

IMPLEMENT Security Controls: Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings.

ASSESS Security Controls: Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for the information system).

AUTHORIZE Information System: Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.

MONITOR Security Controls: Continuously track changes to the information system that may affect security controls and reassess control effectiveness.

Information Security Program

Effective Enterprise Information Security Program

Don’t be overwhelmed with the enormity or complexity of the information security problem—take one step at a time and build on small successes

Don’t tolerate indifference to enterprise information security problems

Manage enterprise risk—don’t try to avoid it!

Implementation of Information Security

Links in the Security Chain: Management, Operational, and Technical Controls

Management and operational controls:

Risk assessment
Security planning, policies, procedures
Configuration management and control
Contingency planning
Incident response planning
Security awareness and training
Security in acquisitions
Physical security
Personnel security
Security assessments and authorization
Continuous monitoring
Change management

Technical controls:

Access control mechanisms
Identification and authentication mechanisms (biometrics, tokens, passwords)
Audit mechanisms
Encryption mechanisms
Boundary and network protection devices (firewalls, guards, routers, gateways)
Intrusion protection/detection systems
Security configuration settings
Anti-virus, anti-spyware, anti-spam software
Smart cards
Patch management

Business Continuity Plan Overview

Information Security Policy

Information Security Strategic Planning

Availability: Policies and monitoring controls. These controls are used to ensure that authorized users have access to the information they need to perform their daily job functions. The main objective is to protect against intentional or accidental attempts to deny authorized employees access to financial information.

Integrity of Data or Systems: System and data integrity relate to maintaining and assuring the accuracy and consistency of data over its entire life cycle, which is a critical aspect of the design, implementation and usage of any system that stores, processes, or retrieves data. Examples are policies and controls used to ensure that information has not been altered in an unauthorized manner and that systems are not accessed by unauthorized personnel.

Confidentiality of Data or Systems: The information stored on a system is protected against unintended or unauthorized access. Since systems are sometimes used to manage sensitive information, data confidentiality is often a measure of the ability of the system to protect its data. The procedure is documented in policies, a controls matrix and a risk assessment, which are used to protect the information of customers and the bank against unauthorized access or usage.

Regulatory Compliance

External Regulations and Standards:

Federal Banking

New York State Banking

ISO 17799-2005 Establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management within the bank.

Internal Regulations:

Bank Security: Plan, Policy, Standards, Procedures and risk assessment.

Internal Audits.

Head Office Audit.

In general, compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that organizations aspire to achieve in their efforts to ensure that they are aware of and take steps to comply with relevant laws and regulations.

Information Security Overview

Manual

Information Security Officer Responsibilities:

Stay current with information security best practices.

Develop policies, procedures, plans, guidelines, and a risk assessment plan for information security planning that support stability of the infrastructure.

Develop plans, policies, procedures, standards, and guidelines. Maintain the information security policies and procedures in compliance with New York State Banking and Federal Banking regulations.

Respond to security events by ordering emergency actions to protect the bank and its customers from loss of information and assets.

Monitor the system security event alert reports from the network and firewall, and determine whether they indicate suspicious activity.

Respond to a security threat by notifying the incident response team; analyzing the root cause and correcting the affected application or systems; taking suitable actions through the course of the security incident, including identifying the threat and restricting the intrusion at the network and the firewall; and generating and escalating the incident, including alerting the network administrator and management.

The security officer is also responsible for the security of access to all bank logical and physical systems.

Maintain a high level of monitoring controls for the integrity, confidentiality, and availability of the infrastructure.

Participate with technical groups and management in the development and implementation of new security strategies and monitoring controls.

Perform regular security audits of critical security systems and applications, and generate supporting documentation and controls.

Prepare daily and monthly security activity reports on the current state of controls, risk matters, security breaches and access issues.

Prepare monthly analysis, metrics, matrix and exception reports reflecting logical and physical security activities.

Provide and present weekly/monthly/annual reports to management on security activities: current state, accesses, monitoring control initiatives, ongoing projects, and goals including employee awareness training.

Participate in the contingency test at the disaster recovery site, including the BCP and DR testing initiatives.

Review and assess ways to streamline and automate user security monitoring functions in order to be proactive.

Perform security orientation for new employees, the education program and security awareness training. Review and approve change control system requests for the network/firewall and user access requests.

Information Security Officer Responsibilities: Cont’d

• Conduct and review user account access every three months (user re-certification of privileges and role-based access) with department managers and management.

• Ensure accounts are properly monitored, disabled or deleted when users are transferred, terminated, or out of office.

• Ensure access to assets, data and applications is limited to authorized users, processes, or devices.

• Ensure generic user IDs, high-profile accounts and administrator accounts are properly managed, monitored and secured.

• Implement and maintain the SoD matrix (user access control matrix) for privilege values and role-based access accounts.

• Manage access control risk assessments and test segregation of duties to conform to users' job descriptions.

• Perform risk analysis assessment audits of user profiles/rights for the network, VPN, firewall and banking applications.
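The quarterly re-certification described above can be run mechanically against an account export and an HR status feed. The following is an added example, not code from the presentation or the bank it describes; the account records, HR feed, review date and the 90-day dormancy threshold for privileged IDs are constructed assumptions, while the three-month re-certification period comes from the slide.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Account:
    """One row of a constructed account export used for the review."""
    user_id: str
    enabled: bool
    privileged: bool                # administrator or other high-profile account
    owner: Optional[str]            # named employee accountable for the ID (None = generic)
    last_login: Optional[date]
    last_certified: Optional[date]  # last manager re-certification of the access

RECERT_PERIOD = timedelta(days=90)     # review every three months, as the slide requires
INACTIVITY_LIMIT = timedelta(days=90)  # assumed dormancy threshold for privileged IDs
REVIEW_DATE = date(2016, 7, 7)         # constructed date of this review

# Constructed HR feed: generic/service IDs have no HR record at all.
HR_STATUS = {"jsmith": "active", "mlee": "terminated", "rkhan": "transferred"}

SAMPLE_ACCOUNTS = [  # constructed export
    Account("jsmith", True, False, "jsmith", date(2016, 7, 1), date(2016, 5, 15)),
    Account("mlee", True, False, "mlee", date(2016, 3, 1), date(2016, 2, 1)),
    Account("rkhan", False, False, "rkhan", date(2016, 6, 20), date(2016, 6, 1)),
    Account("svc_backup", True, True, None, date(2016, 1, 10), date(2016, 6, 1)),
    Account("admin2", True, True, "jsmith", date(2016, 7, 6), None),
]

def review_accounts(accounts, hr_status, today):
    """Return (user_id, finding) pairs the quarterly re-certification must act on."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # already disabled; nothing to certify
        status = hr_status.get(a.user_id)
        if status in ("terminated", "transferred"):
            findings.append((a.user_id, f"enabled but HR status is {status}"))
        if a.owner is None:
            findings.append((a.user_id, "generic or shared ID without a named owner"))
        if a.last_certified is None or today - a.last_certified > RECERT_PERIOD:
            findings.append((a.user_id, "access not re-certified within 90 days"))
        if a.privileged and (a.last_login is None or today - a.last_login > INACTIVITY_LIMIT):
            findings.append((a.user_id, "privileged account dormant"))
    return findings

def run_review(today=REVIEW_DATE):
    return review_accounts(SAMPLE_ACCOUNTS, HR_STATUS, today)
```

Each finding maps to one of the responsibilities above (disable on termination or transfer, owner for generic IDs, quarterly re-certification, control of administrator accounts), so the output can be handed to department managers as the review worklist.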

Information Security Officer Responsibilities: Cont’d

• Administer security user administration activities and internet customers. Grant access and maintain account privileges for the network, systems, firewall, applications, mainframe and RSA SecurID tokens.

• Grant low-level permissions and restricted user access during off-business hours, and restricted access to the internet. Identify control gaps and recommend remediation and improvements.

• Maintain security documentation: standards, role-based access policy, access controls, policies, procedures, risk assessments and user system access procedures, to ensure compliance with New York State banking and federal regulations.

• Maintain the user profile matrix database. Perform audits and risk analysis in accordance with job segregation of duties.

• Manage the exit process for user access rights, and the transfer process for user access rights and accounts, for employees, consultants, visitors and vendors.

• Monitor internal systems and applications to ensure that appropriate access levels are maintained and approved.

• Perform internal compliance audits for user re-certification (account privilege parameters, role-based access profiles, folder and file access rights) for the network, firewall, VPN, business applications and systems.

• Perform risk analysis assessment audits of user profiles/rights for the network, VPN, firewall, systems and applications.

• Interface as security liaison (internal and external) with the Federal Reserve Bank, New York State banking auditors and the head office security department.

• Manage incident response planning and the investigation of security events by ordering emergency action.

Security Officer Responsibilities: Cont’d

System and Application Access Control

Remote Access

Enforce tighter controls for user access through the management approval process, including performing infrastructure network, firewall, and systems audits.

Implement strong controls over the network, firewall, systems and remote access in order to prevent malicious access to the firewall or the network.

Control access and monitor all VPN remote user access for proper login authorization.

Secure VPN remote access devices by using strong authentication and encryption to secure access to the infrastructure.

Re.: Pandemic Project

Security Access Controls

Data Security

Computer and laptop usage: Computers and laptops must be updated regularly with all virus definitions and security patches. Computers or laptops are only taken out of the office after appropriate authorization has been granted by the Information Security Officer. No bank information is to be saved on the computer or laptop hard drive, or on the desktop.

Access to folders on the network: Provide users with limited-privilege access, for a period of time, to the restricted information required to perform additional job functions.

Security Access Controls: Cont’d

Account Management Access Controls: Cont’d

User Access Control Authentication

Verify the identity of each user based on unique credentials to the application or system. Verifying identity supports the separation of duties for each employee.

Select the authentication method based on the risk associated with the application or system.

Take care when providing access privileges to employees (the request is based on the identity of the user requesting access to a system or an application).

Verify the identity of a user by having authorization controls in place. It is very important to maintain a strong monitoring process and controls, and to assign low access privileges.

Monitor access rights to ensure that the user has the required access privileges only for the period of time requested (the user's business hours and off-hours period should be recorded in the system and on the request form).

Use time-of-day restrictions to limit employee access, with appropriate logging of access privileges. The access must be removed from the system or application after the user completes his or her work assignment.
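The time-bounded, time-of-day restricted access described above can be enforced as a single decision function that also writes the audit record. This is an added example, not code from the presentation or the bank; the grant record, the user and resource names, the 08:00 to 18:00 weekday business-hours window and the access attempts are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass
class AccessGrant:
    """One approved, time-bounded access request (constructed example record)."""
    user_id: str
    resource: str
    valid_from: datetime
    valid_until: datetime
    business_hours: tuple = (time(8, 0), time(18, 0))  # assumed bank hours
    off_hours_approved: bool = False  # True only if the request form approved off-hours work
    completed: bool = False           # set when the user reports the assignment finished

def in_business_hours(grant, when):
    start, end = grant.business_hours
    return when.weekday() < 5 and start <= when.time() < end

def check_access(grant, user_id, resource, when, audit_log):
    """Decide one access attempt and log it; True only when every control passes."""
    if grant.completed:
        reason = "denied: assignment completed, grant must be removed"
    elif (user_id, resource) != (grant.user_id, grant.resource):
        reason = "denied: identity or resource not on the approved request"
    elif not grant.valid_from <= when <= grant.valid_until:
        reason = "denied: outside the approved validity period"
    elif not in_business_hours(grant, when) and not grant.off_hours_approved:
        reason = "denied: off-hours access not approved on the request"
    else:
        reason = "allowed"
    audit_log.append((when.isoformat(), user_id, resource, reason))  # logging per the slide
    return reason == "allowed"

def run_sample():
    """Constructed grant and access attempts; returns (decisions, audit_log)."""
    grant = AccessGrant("jsmith", "restricted_loans_folder",
                        datetime(2016, 7, 11, 8, 0), datetime(2016, 7, 15, 18, 0))
    log, decisions = [], []
    attempts = [
        ("jsmith", "restricted_loans_folder", datetime(2016, 7, 12, 10, 30)),  # Tue, in hours
        ("jsmith", "restricted_loans_folder", datetime(2016, 7, 12, 21, 0)),   # Tue, off hours
        ("jsmith", "restricted_loans_folder", datetime(2016, 7, 16, 10, 0)),   # after expiry
        ("mlee", "restricted_loans_folder", datetime(2016, 7, 12, 10, 30)),    # wrong identity
    ]
    for user, res, when in attempts:
        decisions.append(check_access(grant, user, res, when, log))
    grant.completed = True  # user reports the assignment done: grant must be removed
    decisions.append(check_access(grant, "jsmith", "restricted_loans_folder",
                                  datetime(2016, 7, 13, 10, 0), log))
    return decisions, log
```

The audit log records every decision with its reason, which is what the monthly access and exception reports described earlier are built from.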

Information Security Risk Analysis Monitoring

System and Application Monitoring Controls

Network and Firewall Monitoring Tools

Awareness Security Training

Employees are expected to remain diligent at all times in order to identify and report suspicious individuals. Employees should immediately contact the Bank’s Information Security Officer when suspicious activities or individuals have been identified. Care should be taken to avoid allowing persons unknown to you to enter the Bank premises behind you. Such persons should be challenged, and not allowed to enter without proper authorization.

Awareness Security Training: Cont’d

Thank you for taking the time to view this Presentation

Leon Michel Blum