“Information is an asset which, like other important business assets, has value to the Government of Tanzania and consequently needs protection. Information security management systems protect information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities. Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected. Information security is the preservation of: a) availability: ensuring that authorized users have access to information and associated assets when required; b) confidentiality: ensuring that information is accessible only to those authorized to have access; c) integrity: safeguarding the accuracy and completeness of information and processing methods.”

The word ‘systematic’ is fundamental to an ISMS – the range of threats, vulnerabilities and risks is such that it is only possible to be sure that there are no loopholes if the subject has been tackled comprehensively and very systematically – and this is made possible by the toolkit approach that you have taken.
Why re-invent the wheel? This is the key reason for using an international standard such as BS7799. If this is a 17799 implementation, remove the reference to external certifications and make the point that hundreds of organizations are successfully implementing 17799 best practice systems right now. More importantly, the range of information security threats and the level of information-related regulation is now such that ISO27001 is likely to be taken up by as many organizations as took up ISO9001 after it became an international standard in the 1990s. Designed to be integrated into ISO 9001 systems, an ISO27001 ISMS will become a basic requirement for doing business in the digital age.
An ‘asset’ is anything that is valuable to us and which somebody else therefore wants. Information security is achieved by implementing an appropriate set of controls, which could be policies, procedures, organizational structures, hardware architectures, and software functions. These controls need to be established to ensure that the specific security objectives of the organization are met. Improvement has to be continuous, because the bad guys are continuously evolving new ways of attacking us.
There are many threats – not all are real risks to the Government of Tanzania, whether because they are so unlikely, or because the damage they do is so minor, etc. We don’t implement controls willy-nilly – not only must the risk have a significant impact on the business, but the cost of implementing the control that reduces that risk to an acceptable level should not exceed the cost of the impact if the risk materialises. It is important to get across that controls REDUCE risk, they don’t eliminate it – it would not be commercial to try and eliminate all risks, so the objective is to reduce them to an acceptable level. It’s because of the range of the risks and the number and value of the assets that a systematic approach is required – to ensure that there are no gaps between controls or between assets.
This pyramid shows the four tiers of the ISMS documentation, as set out in section 2.2 of the ISMS manual – it is designed so that document authorization is kept at the most appropriate level – the board is accountable for information security and, therefore, for the policy and framework of information security – it approves the first version and any subsequent amendments (which should be infrequent). For instance, the board sets a policy that appropriate steps must be taken to protect the Government of Tanzania from viruses – but, at this level, it would be inappropriate to set out what those steps should be, both because the board should be delegating implementation of this principle and because these steps are likely to be amended as the organization seeks ways to improve its processes.

The executive, working through an information security forum, is responsible for implementing the policy, which it does through a set of procedures – and this toolkit contains most of what you will need in this regard, and the tailoring to suit your own requirements will be quick and straightforward. Procedures describe operational responsibilities and relationships – who is responsible for doing which bit and when. For instance, there will be a procedure that requires anti-virus software at the gateway, and on individual machines, with specific update frequency, that sets out a requirement for appropriate staff training, and which identifies the key steps in responding to a virus attack. Procedures are owned by specific individuals or functions, as specified in each, and that person is responsible for keeping it current and for having it authorized by whoever he reports to.
Working instructions are very detailed – they set out the step-by-step instructions for carrying out each of the tasks required by the procedures – for example, the anti-virus work instructions will deal with how the anti-virus software is to be installed, on which machines, following what specific steps, in a way that ensures that any person could repeatedly perform the same task to the same standard. They are drawn up by the owners of individual information assets or systems and are subject to approval by that person’s line manager. With changes in hardware, software and working practices – usually as part of a process of continuous improvement – these working instructions are subject to continuous change, often in only minor ways. This documentation structure enables those changes to be made quickly and easily. Records describe what happened – for instance, they include log files.
There are two broad approaches to an ISMS project. Both are catered for by this toolkit. You only want to adopt one of them – so you need this slide or the next one, but not both. The first is to implement the ISMS on a mini-project basis – which means either on a subset-of-the-organization basis or by subset of the ISMS. Whichever you choose, you need to have a clear rationale for the choice. If you are tackling it control-by-control, you should carry out a high-level risk assessment to determine the areas in which your risk (eg, from virus attack) is greatest and prioritize your project on that basis. The PDCA principle also applies when you proceed on a mini-project basis. A key reason for choosing the ITG toolkit is that it enables you to proceed with a step-by-step approach, knowing that cross-linkages are already included in the documentation, so that your risk of missing these critical cross-overs is substantially reduced.
This massively parallel approach will bring fast completion of the project. It requires effective project management and commitment from all the information asset owners to take part in the process and deliver their part of it quickly and completely. Management and the board support the process and it is seen to have a high level of importance.
This slide is for dealing with staff concerns – some typical concerns are included here, but you should modify the template to reflect what your internal feedback indicates are your internal issues, and the answers that you put up should reflect your considered and honest management response to those concerns.
An Overview by Zaituni Mmari (Information Security Officer)
Four Questions
  What’s it all about?
  Why does it matter to the Government of Tanzania?
  How does it work?
  What do we have to do in the Government of Tanzania?
What is Information Security?
The use of an ISMS (Information Security Management System) for the systematic preservation, in the Government of Tanzania, of the
  Availability
  Confidentiality
  Integrity
of its information (and its information systems)
Information risk
  All information systems have vulnerabilities that can be exploited by threats in ways that can have significant impacts on the effectiveness, value and long-term survival of the Government of Tanzania’s information systems (when exploited, those threats have an impact on the effectiveness of the government’s information systems, and not directly on the effectiveness of the government itself)
Also involves
  Authenticity
  Accountability
  Non-repudiation
  Reliability
Why do we need to implement an ISMS in the Government of Tanzania?
We have valuable assets
  Intellectual property
  Government valuable information
  Data about staff, customers, suppliers
  Organizational know-how
We have legal and regulatory compliance requirements
  Data protection and privacy
  Specific legislation
We are IT dependent
  An IT failure (eg hardware, power failure, acts of nature) is an institution failure
  IT is not completely secure
  IT is not inter-compatible
Why does information security matter to the Government of Tanzania?
External threats
  Viruses, worms, Trojans – 100,000+ ‘in the wild’
  Hackers – with automated attacks; now big business (botnets, zero-day attacks)
  Spam – 80%+ of all e-mail; now big business (botnets, blended attacks)
  Cyber-criminals – phishing, identity theft, grand larceny
  Fraud, cyber terrorism
  Competitors
  Malcontents, activists
  Anyone with a computer!
Internal threats
  Fraud, error, unauthorized or illegal system use, data theft
How can the ISO27001/ISO17799 standards help the Government of Tanzania?
A Standard is “a document established by consensus and approved by a recognized body, that provides for common and repeated use rules, guidelines or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context”
Two-part ISMS standard
  ISO 27001 (BS7799-2) specifies how to design an information security management system (‘ISMS’): how the ISMS should work, not what should be in it
  ISO17799 (BS7799-1) is an international code of practice for information security best practice that supports and fleshes out BS7799-2: what should be in the ISMS, not how it should work
History and future
  BS7799 originated in the UK; part 1 adopted by ISO
  Revised every five years
  Now ten years old
  1300+ BS7799-2 certifications
  Even more ISO17799 systems in place
  Now the ISO 27001 series, from November 2005
Why does the Government of Tanzania have to use the standard?
Best practice specification and guidance
  A MANAGEMENT SYSTEM
  Technology agnostic
  Non-technical
  Non-jurisdictional
  Systematic and comprehensive
  Proven in many industries and organizations
  Includes international best practice
  Internationally understood
  Capable of external certification
  Commonly accepted best practice
  100+ new BS7799-2 certifications/month
  ISO27001 and ISO9001
What is an ISMS?
A defined, documented management system (within a defined organization, the ‘scope’). It contains:
  A board-approved, high-level information security policy, which defines information security, the components and purpose of the ISMS, and evidences to the business that management is committed to a defined and systematic approach to information security
  A corporate risk treatment plan, which describes how different types of risk are to be treated
  An inventory of important information assets (data and systems) that fall within the scope
  An assessment of vulnerabilities, threats and risks (‘risk assessment’) to those assets
  An ISMS Manual that contains a Statement of Applicability, which identifies a set of controls (responses to, or countermeasures for, each of the identified risks)
  A comprehensive, inter-related suite of processes, policies, procedures and work instructions
The ISMS must be
  Systematically implemented and managed
  Reviewed, audited and checked
  Continuously improved
Certification
  Valuable but not always essential
  The final stage
  Carried out by a third-party certification body
  Evidence as to the completeness and quality of the ISMS
ISO 27001 – a Closer Look
ISO 27001:2005 (BS7799-2:2005) is the current version: “Information security management systems – specification with guidance for use”
“Specification” means “this is how it must be done”
Specification for:
  Establishing and managing the ISMS
  Implementing and operating the ISMS
  Monitoring and reviewing the ISMS
  Maintaining and improving the ISMS
  Control of documents
  Management responsibility
  Management review of the ISMS
  ISMS improvement
  Control objectives and controls (Annex A) – not exhaustive
What is a ‘Control’?
A vulnerability gives rise to a threat
A threat might have an impact (financial, operational) if it materialises
A risk is a threat that has a likelihood of materialising and an impact
Risks are at different levels (eg high/catastrophic, medium/affordable, low/insignificant)
A control is a response to or countermeasure for a risk (a threat ≠ a risk)
  Controls reduce risk, they don’t eliminate it
  Controls should only be implemented in response to specific, identified risks
  A combination of technology, behaviour and procedure
  Eg: anti-virus control:
    Software installed on gateway and desktops
    Procedure for ensuring regular updates
    Staff trained not to open unexpected attachments
  Cost of control ≤ cost of impact
Every asset has multiple risks
Every risk has a control
Some controls apply to many risks
ISO17799 has best practice guidance on control selection
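A worked example, added here and not part of the presentation or the ITG toolkit: a small risk register in Python that applies the rules on this slide, banding each risk by likelihood × impact (the thresholds are assumed values), reporting any risk with no control, checking the “cost of control ≤ cost of impact” rule, and computing what is left after controls, which reduce risk but never eliminate it. The assets, figures and controls are constructed for illustration.

```python
from dataclasses import dataclass
# Constructed sample data throughout; thresholds and figures are assumptions.

@dataclass(frozen=True)
class Risk:
    rid: str
    asset: str
    threat: str
    likelihood: float  # chance of materialising in a year, 0..1
    impact: float      # cost if it materialises

    def expected_loss(self) -> float:
        return self.likelihood * self.impact

@dataclass(frozen=True)
class Control:
    name: str
    cost: float
    covers: frozenset  # ids of the risks this control responds to
    residual: float    # fraction of likelihood left with the control in place (never 0)

def risk_level(risk: Risk) -> str:
    """Band the risk by expected loss (assumed thresholds for this example)."""
    el = risk.expected_loss()
    if el >= 20_000:
        return "high/catastrophic"
    if el >= 2_000:
        return "medium/affordable"
    return "low/insignificant"

def uncovered_risks(risks, controls):
    """Every risk must have a control: return the ids of risks that have none."""
    covered = set().union(*(c.covers for c in controls))
    return {r.rid for r in risks} - covered

def control_justified(control: Control, risks) -> bool:
    """Slide rule: cost of control must not exceed the cost of the impact it addresses."""
    impact = sum(r.impact for r in risks if r.rid in control.covers)
    return control.cost <= impact

def residual_expected_loss(risks, controls) -> float:
    """Controls reduce likelihood but never eliminate it; sum what remains."""
    total = 0.0
    for r in risks:
        factor = 1.0
        for c in controls:
            if r.rid in c.covers:
                factor *= c.residual  # several controls on one risk compound
        total += r.expected_loss() * factor
    return total

RISKS = [
    Risk("r1", "e-mail gateway", "virus or worm via e-mail", 0.9, 50_000),
    Risk("r2", "staff desktops", "malware in an opened attachment", 0.6, 20_000),
    Risk("r3", "payroll database", "unauthorized access by staff", 0.1, 200_000),
    Risk("r4", "server room", "power failure", 0.3, 10_000),
]
CONTROLS = [  # one control covers two risks, one covers one; r4 has no control
    Control("anti-virus: gateway + desktops, updates, training", 8_000, frozenset({"r1", "r2"}), 0.1),
    Control("payroll access control", 5_000, frozenset({"r3"}), 0.2),
]
```

With this data, uncovered_risks(RISKS, CONTROLS) flags the gap at r4, and residual_expected_loss(RISKS, CONTROLS) comes to 12,700 against an unmitigated 80,000.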
ISO17799 – a Closer Look
ISO/IEC 17799:2005 is the current version: “Information technology – Security techniques – Code of practice for information security management”
It “establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management”
“The control objectives and controls in ISO/IEC 17799:2005 are intended to be implemented to meet the requirements identified by a risk assessment. [It] is intended as a common basis and practical guideline for developing the Government of Tanzania security standards and effective security management practices, and to help build confidence in inter-organizational activities.”
ISO 17799:2005 – Contents
11 chapters, 132 controls
Best practice control objectives and controls for:
  security policy
  organization of information security
  asset management
  human resources security
  physical and environmental security
  communications and operations management
  access control
  information systems acquisition, development and maintenance
  information security incident management
  business continuity management
  compliance
Not exhaustive
How do we create an ISMS? PDCA
PLAN: Identify assets, scope, carry out risk assessment, create policies, processes
DO: Implement the defined and agreed processes
CHECK: Assess performance against defined policies
ACT: Take corrective and preventive action to continually improve the operation of the ISMS
(No action required for accepted risks)
Documentation Structure – Four tiers (detail in ISMS Manual 2.2)
Document type (required authorization) and purpose:
1: Policy (Board) – Setting the policy: strategic, high level, relatively unchanging; the Board-approved ISMS manual, SoA and risk treatment plan all reflect its principles and demonstrate board accountability
2: Procedures (Executive) – Implementing the policy: setting out business requirements, procedures and processes; change infrequently but have multiple overlaps and impacts on operational activity and business behaviours
3: Work Instructions (Operational) – Making the policy work: detailed, step-by-step descriptions of how to perform individual tasks; subject to regular review and improvement
4: Records (All users and usages) – Records of what happened: minutes, logs, reports, etc.; information about how the ISMS is performing
Sequential mini-projects
Design and implement the ISMS area-by-area
  Divisional, geographic, functional
  OR control-by-control (priority determined by a high-level strategic risk assessment)
Standard PDCA approach always applies
  Identify scope of the mini-project (plan)
  Identify assets within the scope (plan) – allow for multiple scopes applying to the same assets
  Risk assessment for those assets (plan)
  Identify appropriate control(s) and gain approval (plan) – ensure overlaps are identified and allowed for; cross-linkages are already in the templates
  Implement chosen control (including training) (do)
  Monitor, review and audit control operation (check)
  Identify and implement improvements (act)
Massively parallel approach
Designed to get the whole organization to project completion quickly and completely
  All procedures tackled simultaneously
  All work instructions tackled simultaneously and in parallel
  Implementation of procedures and work instructions happens as soon as each is complete
  Monitor, audit and review cycle starts immediately each work instruction is implemented
This approach works best in organizations that already have an ISMS that needs to be documented and brought into line with international best practice
Only possible using the ITG toolkit, because the templates all exist and all cross-linkages and dependencies have been identified and included
Requires experienced project management, a committed project team and focused top management support
Some concerns?
Procedure for procedure’s sake
  Leads to robust, improvable processes that make the business work better
Restrictive on staff
  Yes, but it also clarifies what is acceptable and what isn’t, so that everyone is ‘on the same page’
Just another management system
  It’s an extension to existing management systems (and is integrated into them)
  Removes IT uncertainty, improves internal efficiencies, improves customer service
Who really cares?
  Our users
  Regulators and the law
  Our business partners
  You – because it makes your working environment more efficient with fewer interruptions
Summary of benefits
  Recognized accreditation
  Assurance to our customers that their data is safe with us
  Assurance to our employees, partners and suppliers that their data is safe with us
  Information security policy that fits the business needs
  Reduced outages, stoppages and other information security frustrations
  Aligned with government goals
  Security spend proportionate to value at risk
  Everyone responsible, not just the IT department
  Formalisation of policies and procedures that are already in place
Next steps
  Management owns information security and approves the policy
  Departments are responsible for their own assets and processes, risks and counter-measures
  You are all responsible for key parts of the information and IT infrastructure
  Information asset and process inventory
  Identification, by asset and process, of vulnerabilities, threats, impacts and risks
  Finalization of draft procedures to tie in with policy and Statement of Applicability
  Commencement of work instruction drafting – should be carried out by individual asset owners/system administrators
Timetable
  Start date
  Finish date
Other issues