Practitioner Insights and Good Practices of IT Risk Management
Use-Case Example - EU Data Protection and E-Privacy Requirements

Who should read this paper
The information in this whitepaper is relevant to the Chief Information Officer, Chief Information Security Officer, Audit Practitioner, IT Director, IT Security Practitioner and Risk Officer.
Content
Executive Overview (p. 1)
Information-Centric IT (p. 1)
Key Strategies for Simple and Secure Access to Information (p. 2)
Reduce the Risk of Data Breaches and Data Loss (p. 3)
Guidance for Practical Implementation of Risk Management (p. 3)
Use-Case: Good Practices and Solution Mapping to Meet EU Data Protection and E-Privacy Principles (p. 8)
Appendix A - ISO 27001/27002 Implementation Best Practices, Benefits and Control Clauses (p. 10)
Appendix B - Best Practices Map to IT Projects and Symantec Enterprise Solutions (p. 12)
Executive Overview
Risk assessment and risk management are core components of any information security management standard and framework like
ISO/IEC 27001:2005 [1], PCI-DSS [2] or CobiT® [3]. Developing a complete IT risk management strategy helps organisations to recognise the
significance of IT risk, and gives a basis for developing awareness of IT risks and for the analysis of business risk impact. A proper risk
assessment and risk management methodology helps organisations to build a solid "community of purpose" that breaks down silos
and establishes proper communication between the IT organisation and the strategic business by acquiring and sharing usable information
in a common language. In other words, it helps to consistently report and communicate on the business impact - value and risk -
of using IT [4]. For IT governance, risk, and compliance decision-makers, increased visibility within the organisation means better preparation
to talk about IT risks within the context of financial, operational, regulatory, and reputational impact [5].
Information security management standards and frameworks suggest good practices for risk management, or refer to complementary
risk management standards and frameworks like ISO 27005, ISO 31000, or Risk IT. However, they do not provide clear guidance on the
practical implementation of these, nor do they suggest any priority for their achievement.
This whitepaper outlines key strategies for simple and secure access to information within the context of an information-centric IT
function. It also shows how to reduce the risk of data breaches and data loss. Finally, it gives clear guidance for the practical implementation
of risk management using ISO 27002- and ITIL® [6]-based good practices, by looking into the use-case of mapping solutions to meet EU data
protection and e-privacy requirements and principles.
Information-Centric IT
The IT function has traditionally focused on systems and physical infrastructure. In a system-centric world, data has been highly
centralised and used for backward-looking historical reporting.
Going forward, the IT function is evolving to provide even greater business value by focusing on information. Data is increasingly
distributed to a wide range of endpoints and devices – decentralised so to speak. Also, data is easily accessible to users throughout an
organisation. Last but not least, data is used for predictive analytics; not just to analyze the past.
Information - which consists of processed, organised, structured or presented data in a given context so as to make it useful - provides organisations and individuals with greater productivity, agility and collaboration. On the flip side, moving to a more information-centric world requires determining which data assets are critical. It also requires determining how data is captured, catalogued, analysed, stored, retained, and purged. Structured information - in contrast to unstructured data - requires very different priorities and skills than just managing the physical infrastructure in a system-centric manner.
With the transformation of system-centric IT to information-centric IT, information security management system standards like
ISO 27001 become more important than ever, and more complex than ever, not just due to the transition to internet-wide collaboration,
social networking, cloud computing and data volume explosions, but also due to more and stronger data protection and e-privacy
requirements of internal and external mandates and legislations.
[1] See International Standards Organization (ISO): www.iso.org
[2] See Payment Card Industry (PCI) Security Standards Council: www.pcisecuritystandards.org
[3] See Information Systems Audit and Control Association (ISACA): www.isaca.org
[4] For further information about best performers' data-driven reporting and communication techniques, and what to do to make IT integral to the business of an organisation, see the IT Policy Compliance Group research paper "Data Driven Reporting and Communications about IT", February 2012: www.itpolicycompliance.com/research-reports/data-driven-reporting-and-communications-about-it/
[5] See whitepaper by Forrester: www.symantec.com/content/en/us/enterprise/white_papers/b-strengthening_ties_between_it_security_and_the_business_WP.en-us.pdf
[6] See official ITIL website: www.itil-officialsite.com
Key Strategies for Simple and Secure Access to Information
Information access is becoming mobile and device-agnostic. This results in new risk implications.
First, everything revolves around people and information. Devices like desktops, laptops, tablets or smartphones are irrelevant. The most popular devices today won't likely have the same popularity three years from now. Also, the applications don't matter that much: it is not important whether organisations use an on-premises mail server today and a cloud-based email service tomorrow. It is just about getting the information from one place to another. What matters is the people and the intellectual property, the formula for a new chemical compound for example, or credit card details. It is about the data, and the information.
Secondly, personal and business lives are coming together. People post private and business-related news from the same social network accounts. In recent surveys many people admitted that they check their email within 30 minutes of getting up in the morning. Personal lives and business lives have crossed over.
Third, there is the need for simple and secure access to information from anywhere: at home, at work, in the park, on the ski slopes, etc.
Lastly, organisations have to be more scalable and more cost-effective. CIOs often say their budgets don't get bigger and they have got to get more done. They are always trying (and being pushed by the strategic business organisation) to become more cost-effective, more scalable, and more efficient.
These implications are driving the transformation towards an information-centric IT function, and have a profound impact on both individuals and organisations. Strategic technology trends like cloud computing, virtualisation and mobility help to simplify information access, and organisations are already aware of the benefits associated with them. However, due to the information explosion and the significant growth of the threat landscape, information security and data governance remain a strong concern. Organisations want highly available information, but also have to ensure that data is secure, and processed in compliance with mandates and legislation.
To provide the right balance of information confidentiality, availability, and integrity, organisations should adopt at least 5 key strategies to cover the implications outlined above. These 5 key strategies are identity security, device security, information protection, context and relevance (getting the right information to the right person at the right time), and public/private cloud computing. These are the key areas for providing organisations with simple and secure access to information, assuring that their information is properly managed and secure from anywhere.
Reduce the Risk of Data Breaches and Data Loss
The transposition of mandatory security breach notification requirements (e.g. EU Directive 2009/136/EC, which amends the E-Privacy
Directive 2002/58/EC) into certain country legislations [7] drives organisations' security investments to implement stronger security
standards that protect personal information and prevent data breaches and data loss.
In order to prevent data breaches and data loss, it is essential to understand why they occur. Third-party research into the root causes of
data breaches, including data from the Open Security Foundation [8], reveals three main types:
• Well-meaning insiders, e.g. data exposed on servers and desktops, a lost or stolen laptop, email, web mail, removable devices,
third-party data loss incidents caused by contractors or outsourcing partners, or the spread of sensitive data by automated business
processes.
• Targeted attacks, e.g. caused by improper credentials from factory default settings, SQL injection attacks on websites or targeted
malware such as rootkits and hidden remote access tools.
• Malicious insiders, e.g. employees who knowingly steal data as part of an identity theft ring, terminated or disgruntled former
employees, people who store company data on a home system in order to build a library of work samples for future career
opportunities, or just traditional industrial espionage.
In many cases, breaches are caused by a combination of these factors. For example, targeted attacks are often enabled inadvertently by
well-meaning insiders who fail to comply with security policies.
Successful prevention and protection strategies [9] are both risk-based and content-aware. Preventing data breaches is all about risk
reduction. To reduce risk, organisations must know where the data is stored, where it is going, and how it is used. Organisations should
select solutions based on an operational security model that is risk-based, content-aware, responsive to threats in real time, and
workflow-driven to automate data security processes. This helps to monitor systems and protect information from both internal and
external threats across every tier of the IT infrastructure.
Guidance for Practical Implementation of Risk Management
The following compilation of ISO 27002- and ITIL®-based good practices provides clear guidance on practical implementation for
organisations seeking to improve their risk management effectiveness.
It involves both information security and operational efficiency. Each of these may be considered as constituting a different aspect of the
IT risks faced by an organisation. Operational efficiency addresses the risk that an organisation's IT systems may fail to achieve the
availability, performance, and agility needed to meet business challenges. Information security, on the other hand, addresses the risk
that an organisation's IT systems may fail to protect it from regulatory and IT failure, and from the loss of information confidentiality,
integrity, and availability.
In either case, risks can be addressed through the same set of generic solutions. To achieve the management of both operational
efficiency and information security risks, the following 18 generic solutions have been identified. These are grouped into the four
categories Strategy, Service Support, Service Delivery, and Security.
[7] The European Network and Information Security Agency (ENISA) reviewed the current situation of data breach notification in the EU: www.enisa.europa.eu/act/it/library/deliverables/dbn
[8] http://datalossdb.org
[9] http://www.symantec.com/business/solutions/projects/projectdetail.jsp?solid=sol_info_risk_comp&solfid=sol_data_loss_prevention&projectid=data_breach_prevention
STRATEGY

IT and Security Policy, Strategic Management and Architecture
• Strategic alignment of IT to business objectives
• IT compliance with governance, legal and regulatory requirements
• Optimal use of IT KPIs such as Balanced Score Cards, SLAs, policies, standards and procedures to meet changing business needs and effectively manage information risk

Organizational Structure, Roles and Responsibility
• Assignment of appropriate responsibilities and accountability for IT service delivery, service support and risk management
• Allocation of resources necessary to meet requirements for these items
• Effective management of these items

Governance, Compliance and Continuous Improvement
• Continuous, secure improvement in IT strategy
• Effective use of IT KPIs such as Balanced Score Cards, SLAs, policies, standards and procedures
• Efficient monitoring of these items
• Effective maintenance and auditing of monitoring records
• Appropriate, timely action taken as a result of audits

Data Lifecycle Management
• Strategic management of data creation, processing, storage, transmission and destruction
• Information access and storage appropriate to business needs
• Information access and storage compliant with governance, legal and regulatory requirements
Strategic solutions, which address compliance risk, cover the following major functions:
• Alignment to business objectives and compliance with governance, legal and regulatory requirements
• Optimizing Key Performance Indicators (KPIs), Service Level Agreements (SLAs), policies, standards and procedures
• Management communication, monitoring, auditing and ongoing improvement
• Management and compliance for data and information access and storage
SERVICE SUPPORT

Asset Inventory, Classification and Management
• Creation and maintenance of a dynamic inventory of all significant IT assets
• Classification of assets by ability to support critical business tasks
• Management of assets to support and enhance business functionality, meet governance and legal and regulatory requirements and minimise risk impact

Physical and Environmental Management
• Management of the physical environment to minimise compromise of information confidentiality, integrity and availability
• Physical efficiency and effectiveness of IT systems
• Compliance with appropriate health and safety and environmental regulation and legislation

Configuration, Change and Release Management
• Full description of IT systems configuration using a logical data model
• Controlled and secure changes to IT systems
• Changes support overall business strategy
• Changes conform with SLAs

Incident, Response and Problem Management
• Effective IT incident response and problem management processes
• Effective escalation procedures
• Effective management of incident impact
• Effective management of day-to-day problems and issues
• Continuous improvement in incident management and problem handling
Service Support solutions, which address performance risk, cover the following major functions:
• Assets understood and managed to support critical business tasks, enhance business functionality and minimize risk impact
• Physical environment managed to ensure physical efficiency and effectiveness of IT systems
• IT systems optimally configured and changed to support business strategy and to conform with Service Level Agreements (SLAs)
• Response to problems and incidents effective and efficient
• Continuous improvement in incident management and problem handling
SERVICE DELIVERY

Service-Level Management
• Ability to define appropriate, business-aligned SLAs, and to measure IT performance against defined SLAs
• Maintenance and improvement of IT service quality, security, availability, performance and capacity
• Alignment of IT to overall business

Application Design, Development and Testing
• Good practice in choosing new applications
• Good standards, processes and procedures for testing new applications
• Usability, functionality and security of new applications
• Secure and controlled transfer of new applications from development to production environments

Operational Design, Workflows and Automation
• Effective design and integration of application and infrastructure management
• Appropriate deployment of resources to meet application SLAs
• Implementation of a highly adaptive and flexible service infrastructure

Capacity Management
• Cost-effective fulfilment of capacity and performance requirements
• Effective capture of IT service and infrastructure requirements to meet upcoming business needs
• Implementation of proactive Application Performance Management

Systems Build and Deployment
• Optimized deployment of new and updated IT infrastructure components through use of effective configuration management
• Effective management and approval processes for new IT systems, related to IT and business needs; timely and secure deployment of new and updated systems

Service Continuity Management
• IT systems and infrastructure minimize business impact from disruptive and damaging incidents
• Effective, business-aligned IT recovery plans built and maintained
• IT recovery plans continuously tested and improved

Availability Management
• Cost-effective maximization of IT availability
• Successful protection of asset availability against internal and external events and threats
• Maintenance and improvement of resilient structures, processes and organisations to maintain business-oriented service quality
Service Delivery solutions, which address availability risk, cover the following major functions:
• Service Level Agreements (SLAs) aligned to business and continuously measured, maintained and improved
• New applications appropriately chosen, tested and installed so as to minimize business disruption, delivered in accordance with SLAs
• Capacity and performance meet upcoming business needs
• Business impact from incidents minimized
• IT availability maximized to maintain business-oriented service quality
SECURITY

Authentication, Authorization and Access Management
• Appropriate and secure use of the organization's business-critical data and IT systems
• Access to applications, systems and data only by authorized users
• Effective and efficient maintenance and updating of user access authorization

Network, Protocol and Host Security
• Effective management of risk from threats to networked IT systems
• Effective detection and prevention of threats and fixing of network vulnerabilities
• Effective identification of permitted network protocols and services and control of network data-flow

Training and Awareness
• Full understanding of roles and responsibilities for IT service support and risk management
• Enhanced awareness and understanding of the results of incorrect, inappropriate and insecure behaviour, and a reduction in such behaviour
• Enhanced awareness and understanding of governance, legal and regulatory requirements
• Reduction of errors and omissions
Security solutions, which address security risk, cover the following major functions:
• Business-critical IT systems used and information accessed only by authorized persons at all times
• Effective management of internal and external threats to, and vulnerabilities of IT systems
• Incorrect, inappropriate and insecure behaviour by IT users minimized
• Governance, legal and regulatory requirements fully recognized and understood by all users of IT systems
• Errors and omissions by all users of IT systems minimized
Use-Case: Good Practices and Solution Mapping to Meet EU Data Protection and E-Privacy Principles
The EU Data Protection Directive and E-Privacy Directive principles have been adopted into the local law of all EU member states,
such as the UK Data Protection Act 1998. Many non-EU countries have implemented similar principles as part of their Bill of Rights and/or their
electronic communication and electronic transaction legislation. The following maps outline how the previously defined ISO 27002- and
ITIL®-based good practices for information security and operational efficiency can help to meet those principles (in this use-case,
principles from articles of the EU Data Protection Directive 95/46/EC), and which technology solutions can help to support these good
practices.

Principles | ISO 27002 and ITIL® Good Practices | Technology Solution

Good practices to meet the governance principles of all following articles:
• Assignment, resource allocation and effective management of appropriate responsibilities and accountability for IT services
• Effective and continuous monitoring, maintenance, auditing and improvement of IT and security policies and procedures
• Strategic alignment of information access and storage with governance, legal and regulatory requirements
• Strategic management of data creation, processing, storage, transmission and destruction
• Service continuity management to minimise impact from disruptive and damaging incidents
• Effective maintenance and updating of access to applications, systems, and data only by authorized users

Article 6
Principles:
• Data controllers to process personal data for purposes compatible with those for which it was initially collected
• Personal data shall not be kept for longer than necessary
• Data shall be accurate and updated where necessary
ISO 27002 and ITIL® Good Practices:
• Lawful and purpose-compatible data availability, accuracy (including minimisation), portability, and deletion
• Classification and management of IT and information assets to meet governance, legal and regulatory requirements, and to minimise the risk impact
Technology Solution:
• Archiving
• Backup and Recovery
• Data Loss Prevention
• Discovery and Retention Management
• Identity and Authentication
• IT Governance
• Storage Management

Article 16
Principles:
• Confidentiality of personal data processing
• Any person acting under the authority of the controller or of the processor, including the processor himself, who has access to personal data must not process them except on instructions from the controller, unless he is required to do so by law
ISO 27002 and ITIL® Good Practices:
• Management of the physical environment to minimise compromise of information confidentiality, integrity and availability
• Continuous awareness training and understanding of roles and responsibilities, and of the personal and organisational consequences of incorrect and insecure behaviour, to reduce errors and omissions
Technology Solution:
• Data Loss Prevention
• Identity and Authentication
• IT Governance
• Security Management
Article 17
Principles:
• Obligation upon data controllers and processors to apply technical and organizational measures
• Protect data against accidental or unlawful destruction, loss, disclosure, and other forms of unlawful processing
ISO 27002 and ITIL® Good Practices:
• Access control and authentication against unauthorised disclosure
• Effective management and continuous improvement of incident response and problem management processes, incident impact and problem handling
• Effective risk management, detection and prevention of threats and vulnerabilities, limitation of access to IT services on a "need to know" and "need to do" basis
• Continuous awareness training and understanding of roles and responsibilities, and of the personal and organisational consequences of incorrect and insecure behaviour, to reduce errors and omissions
Technology Solution:
• Data Loss Prevention
• Encryption
• Endpoint Security
• Identity and Authentication
• IT Governance
• Messaging & Web Security
• Security Management

Article 25
Principles:
• Personal data shall not be transferred to a country or territory outside the European Economic Area, unless an adequate level of protection for personal data is ensured
ISO 27002 and ITIL® Good Practices:
• Classification and management of IT and information assets to meet governance, legal and regulatory requirements, and to minimise the risk impact
• Effective communications and operations management to ensure correct, secure and lawful operation of information processing and transmission facilities
Technology Solution:
• Archiving
• Data Loss Prevention
• Discovery and Retention Management
• Identity and Authentication
• IT Governance
• Messaging Management
Now and in the future we are faced with more and stronger data-protection and e-privacy requirements from internal and external
mandates and legislation. EU and non-EU countries have already introduced new legislation like mandatory breach notification
requirements, and the EU is also working on a revision of the EU Data Protection Directive 95/46/EC to enact new rules changing the
existing data protection regime, which will have a significant impact on individuals and organisations in a number of areas. More and
stronger legislation - in addition to trends like internet-wide collaboration, social networking, cloud computing and data volume
explosions - means that risk management and information security management system standards and frameworks become more
important than ever, and more complex than ever.
Appendix A - ISO 27001/27002 Implementation Best Practices, Benefits and Control Clauses
The ISO/IEC 27001:2005 standard provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and
improving an Information Security Management System (ISMS).
ISO 27002 is the "Code of Practice" for information security management and provides best practice recommendations for use by those responsible for initiating, implementing or maintaining an ISMS. Information security is defined within the standard in the context of the Confidentiality-Integrity-Availability triad:
• Confidentiality - ensuring that information is accessible only to those authorised to have access
• Integrity - safeguarding the accuracy and completeness of information and processing methods
• Availability - ensuring that authorised users have access to information and associated assets when required
ISO 27002 contains the following twelve control clauses:
• Risk Assessment and Treatment - IT risk management recognises the significance of IT risk, and gives a basis for developing awareness of IT risks and for the analysis of business risk impact
• Information Security Policy - To provide management direction and support for Information security
• Organisation of Information Security - Management framework for implementation
• Asset Management - To ensure the security of valuable organisational IT and its related assets
• Human Resources Security - To reduce the risks of human error, theft, fraud or misuse of facilities
• Physical & Environmental Security - To prevent unauthorised access, theft, compromise of, or damage to, information and information
processing facilities
• Communications & Operations Management - To ensure the correct and secure operation of information processing facilities
• Access Control - To control access to information and information processing facilities on a "need to know" and "need to do" basis
• Systems Development & Maintenance - To ensure security is built into information systems
• Information Security Incident Management - To ensure information security events and weaknesses associated with information
systems are communicated
• Business Continuity Management - To reduce disruption caused by disasters and security failures to an acceptable level
• Compliance - To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security
requirements
Within each section, information security controls and their objectives are specified and outlined. The information security controls are
generally regarded as best practice means of achieving those objectives. For each of the controls, implementation guidance is provided.
The implementation of information security management systems spans the strategic business and the IT operations departments.
Without buy-in from the strategic business, IT would operate in silos without aligning the information security objectives to the business
objectives. On the other side, the strategic business has to include IT operations from the beginning in the planning and execution of new
business strategies and objectives such as an online store or external customer portals. Establishing an information assurance dialogue
between the IT department and the rest of the business organisation requires that a common language is spoken, that risk assessment is
treated in a mutually agreed way, and that a clear standard is used to explore the management of risk.
• Plan (establish the ISMS) - Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization's overall policies and objectives.
• Do (implement and operate the ISMS) - Implement and operate the ISMS policy, controls, processes and procedures.
• Check (monitor and review the ISMS) - Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience, and report the results to management for review.
• Act (maintain and improve the ISMS) - Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.
Unfortunately, "geek speak" doesn't always translate well into "business speak", and vice versa. Standards like ISO 27001 therefore help to build this "community of purpose" between the strategic business and IT operation departments by providing a common language, and this results in various benefits at each level of the organisation:
• Commitment on organisational level
• Compliance on legal level
• Risk Management on operational level
• Credibility and Confidence on commercial level
• Reduced Costs on financial level
• Improved Employee Awareness on human level
In the ISO 27001 and ISO 27002 standards, as well as in other ISMS standards and frameworks, the "Plan-Do-Check-Act" (PDCA) model is applied to structure all ISMS processes.
The following diagram illustrates how an ISMS takes as input the information security requirements and expectations of the interested parties and, through the necessary actions and processes, produces managed information security outcomes that meet those requirements and expectations.
The outer circle outlines a typical implementation process for ISO 27001 and 27002: from the initial written policy to the scope definition and asset classification, the selection and implementation of controls, and down to the actual operation of the ISMS with continuous monitoring, corrective and preventive actions, and frequent management reviews to continually improve the established ISMS.
Appendix B - Best Practices Map to IT Projects and Symantec Enterprise Solutions
The following map illustrates how the previously defined ISO 27002- and ITIL®-based good practices map to IT projects and Symantec enterprise solutions.
About Symantec
Symantec is a global leader in providing security, storage, and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. Headquartered in Mountain View, Calif., Symantec has operations in 40 countries. More information is available at www.symantec.com.
For specific country offices and contact numbers, please visit our website.
Symantec World Headquarters
350 Ellis St.
Mountain View, CA 94043 USA
+1 (650) 527 8000
1 (800) 721 3934
www.symantec.com
Symantec helps organizations secure and manage their information-driven world with IT Compliance, discovery and retention management, data loss prevention, and messaging security solutions.
Copyright © 2012 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. All information or part thereof available here is meant for public awareness only. Views expressed herein are views of the respective authors and should not be construed as legal advice or legal opinion. Further, the general availability of information or part thereof does not intend to constitute legal advice in any manner whatsoever. 3/2012 21230240