Mark E.S. Bernard Risk Management Approach to Security of Internal and External Services
 

Presentation Transcript

  • *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS *** Compiled by: Mark E.S. Bernard, ISO 27001 Lead Auditor, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT
  • Underpinning Contracts and Service Level Agreements. New agreements are fairly straightforward, and it is important for the information security officer to work with procurement and/or contract management. Any existing Underpinning Contracts (UC) and Service Level Agreements (SLA) must be revised during the OLA design process. Everyone involved should be aware of any UCs or OLAs that apply to the provision of a specific service. These are driven by the contractual, legal and regulatory requirements of the organization. The Service Provider provides the following services in that context:
    • Performance and Capacity Planning
    • 24x7 Performance Monitoring
    • Custom Infrastructure Design and Build
    • Systems Security Management
    • Procurement, License, Maintenance and Audit of Licenses
    • Business Continuity, High Availability, and Disaster Recovery
    • Problem and Incident Handling
    • Secure Data Storage
    • Production Deployment
  • In order to satisfy the specific information security requirements for risk management between the client, internal departments and external service providers, vendors and suppliers, the scope of services needs to be evaluated. This empowers governance by determining which party is responsible for specific risks and for the controls designed to mitigate those risks. For example, Operational Level Agreements could be established internally between the business unit or line of business seeking ISO 27001 registration/certification and other internal departments like IT, HR and Facilities.
  • Similarly, Service Level Agreements could be established between the business unit or line of business seeking ISO 27001 registration/certification and external parties like cloud computing services, vendors and suppliers.
  • A Risk Assessment is necessary once all assets have been identified within the scope of service. These assets are utilized for the product or service delivery and the revenue stream.
  • Risks associated with strategic planning, credit, market and financial matters that are considered open and ongoing (versus mitigated and closed) can be added to the Risk Registry. Within the impact columns (scale 1–5) a threshold can be added for clarity. These risks are for internal reporting purposes and probably would not be shared or reviewed with the external party.
  • Risks associated with compliance with statutes, regulations and contractual obligations that are considered open and ongoing (versus mitigated and closed) can be added to the Risk Registry. Within the impact columns (scale 1–5) a threshold can be added for clarity.
  • Risks associated with operations are the most common risks that external parties can positively or negatively impact. Those that are considered open and ongoing (versus mitigated and closed) can be added to the Risk Registry. Within the impact columns (scale 1–5) a threshold can be added for clarity.
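As an added example (not from the deck and not the author's own tooling), the following Risk Registry applies the 1–5 impact scale with a threshold column, keeps only open and ongoing entries, and holds strategic, credit, market and financial entries back from the view shared with an external party. The likelihood column, the threshold value of 4, the responsible-party column and the sample risks are assumptions made here to illustrate the three slides above.

```python
"""Risk Registry: 1-5 impact scale, threshold column, internal-only categories.

Added example. Assumptions: a 1-5 likelihood column alongside impact, a
threshold of 4, a 'responsible' column naming the party that owns the control,
and the constructed sample risks below.
"""
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    STRATEGIC = "strategic"
    CREDIT = "credit"
    MARKET = "market"
    FINANCIAL = "financial"
    COMPLIANCE = "compliance"
    OPERATIONAL = "operational"


# Slides: strategic, credit, market and financial risks are for internal
# reporting and would probably not be shared with the external party.
INTERNAL_ONLY = {Category.STRATEGIC, Category.CREDIT, Category.MARKET, Category.FINANCIAL}

OPEN_STATUSES = {"open", "ongoing"}        # these go on the registry
CLOSED_STATUSES = {"mitigated", "closed"}  # these do not


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    category: Category
    impact: int        # 1-5 scale from the slides
    likelihood: int    # 1-5, assumed companion column
    status: str        # open / ongoing / mitigated / closed
    responsible: str   # "internal" or the external party's name (assumed column)

    def __post_init__(self):
        # Reject values outside the 1-5 scale so the threshold column stays meaningful.
        for name in ("impact", "likelihood"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be on the 1-5 scale, got {value}")
        if self.status not in OPEN_STATUSES | CLOSED_STATUSES:
            raise ValueError(f"unknown status {self.status!r}")

    @property
    def rating(self) -> int:
        return self.impact * self.likelihood


def registry(risks, threshold=4):
    """Rows of the Risk Registry: open/ongoing risks, highest rating first,
    with the impact threshold applied as a boolean column."""
    rows = []
    for r in sorted(risks, key=lambda r: (-r.rating, r.risk_id)):
        if r.status in OPEN_STATUSES:
            rows.append({"id": r.risk_id, "category": r.category.value,
                         "impact": r.impact, "likelihood": r.likelihood,
                         "rating": r.rating, "above_threshold": r.impact >= threshold,
                         "responsible": r.responsible})
    return rows


def external_view(risks, party, threshold=4):
    """The subset an external party is shown: no internal-only categories,
    and only risks where that party is responsible for the control."""
    return [row for row in registry(risks, threshold)
            if Category(row["category"]) not in INTERNAL_ONLY
            and row["responsible"] == party]


# Constructed sample risks; "CloudCo" is a placeholder provider name.
SAMPLE_RISKS = [
    Risk("R-01", "Backup media held unencrypted at provider", Category.OPERATIONAL, 5, 3, "open", "CloudCo"),
    Risk("R-02", "Provider licence audit overdue", Category.COMPLIANCE, 3, 4, "ongoing", "CloudCo"),
    Risk("R-03", "Vendor credit rating downgrade", Category.CREDIT, 4, 2, "open", "internal"),
    Risk("R-04", "Legacy firewall rule set", Category.OPERATIONAL, 4, 4, "mitigated", "internal"),
    Risk("R-05", "Change window overruns", Category.OPERATIONAL, 2, 5, "open", "CloudCo"),
]

if __name__ == "__main__":
    for row in registry(SAMPLE_RISKS):
        print(row)
    print("shared with CloudCo:", [row["id"] for row in external_view(SAMPLE_RISKS, "CloudCo")])
```

The mitigated rule set (R-04) never reaches the registry, the credit risk (R-03) appears internally but not in the provider's view, and the threshold flag is driven by the impact column alone, which is how the slides describe it.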
  • The Risk Assessment workflow to assess Service Providers will require access to internal resources, and normally a Service Desk ticket is required. Within many organizations the Service Desk plays a critical role in the OLA and SLA process by flagging events, incidents and problems that negatively impact service level agreements.
  • Due to the close integration of internal departments and divisions, there are a number of services which are unique to security. The following service catalogue identifies seven potential services.
  • It is necessary to establish an Operational Level Agreement with Service Management Metrics, so that conformity with ISO/IEC 27001 can be managed without Corp IS becoming a formal entity within the scope of registration/certification. This is in conformity with ISO27k clause A.10.2. Key: A = Acceptable, M = Marginal, U = Unsatisfactory.
  • The Service Desk fulfils a crucial function within Service Management: it helps to capture relevant data against Operational Level Agreement criteria, which facilitates monitoring by management and subsequent management decision making. The creation, assignment and prioritization of Service Desk tickets need to be closely mapped to Operational Level Objectives. The following provides some examples of Service Desk ticket prioritization and OLA criteria.
  • Priority 1 - Indicates a deficiency with a TechSecure service which has a critical impact on our Customer’s business processes and needs to be immediately corrected. Using a workaround or manual process cannot reduce the impact. All involved parties, including individuals in the Customer’s organization, are expected to work continuously (24 x 7) until the incident is resolved or until the Priority is reduced. During regular business hours, the following service levels apply:
    • Incident is accepted within 15 minutes;
    • Incident is updated within 1 hour, with updates provided every hour until resolution;
    • Target Resolution time is 2 hours.
  • Priority 2 - Indicates a deficiency with a TechSecure service which has a critical impact on our Customer’s business processes and needs to be immediately corrected within the agreed-upon SLA/OLA terms. A limited workaround or manual process is available. All involved parties, including individuals in the Customer’s organization, are expected to work during regular business hours until the incident is resolved or until the Priority is reduced. During regular business hours, the following service levels apply:
    • Incident is accepted within 30 minutes;
    • Incident is updated within 90 minutes, with updates provided every 90 minutes until resolution;
    • Target Resolution time is 4 hours.
  • Priority 3 - Indicates a deficiency with a TechSecure service which has a critical impact on our Customer’s business processes and needs to be immediately corrected within the SLA/OLA terms. Work is expected to continue during regular business hours until the incident is resolved or until the Priority is reduced. During regular business hours, the following service levels apply:
    • Incident is accepted within 2 hours;
    • Incident is updated within 4 hours, with updates provided every 4 hours until resolution;
    • Target Resolution time is 1 business day.
  • Priority 4 - Indicates a deficiency with a TechSecure service which has a critical impact on our Customer’s business processes and needs to be immediately corrected within the agreed-upon SLA/OLA terms. Work is expected to continue during business hours until the incident is resolved. During regular business hours, the following service levels apply:
    • Incident is accepted within 2 hours;
    • Incident is updated within 1 business day, with updates provided every business day;
    • Target Resolution time is 3 business days.
  • Priority 5 - Indicates a deficiency with a TechSecure service which cannot be rectified without a patch, fix or update assistance from outside agencies such as the software vendor. Work is expected to continue during business hours until the incident is resolved. During regular business hours, the following service levels apply:
    • Incident is accepted within 2 hours;
    • Incident is updated within 3 business days, with updates provided weekly;
    • Target Resolution time is 1-3 business days after the fix, patch or resolution is received, or the next available scheduled change window as required.
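The Priority 1 to 5 criteria above can be checked mechanically against Service Desk ticket timestamps, which is what the monitoring the deck describes amounts to in practice. The following is an added example, not code from the deck or from TechSecure. It assumes a Monday-to-Friday, 09:00-17:00 business day; it clocks Priority 1 and 2 targets in wall-clock time and Priority 3 to 5 in business time; it measures every target from the moment the ticket was opened, except Priority 5 resolution, which it measures from receipt of the vendor fix; and the ticket identifiers and timestamps are constructed.

```python
"""Check Service Desk tickets against the Priority 1-5 service levels.

Added example. Assumptions: business day is Mon-Fri 09:00-17:00 (8 h);
Priority 1-2 targets in wall-clock time, Priority 3-5 in business time; all
targets clocked from ticket opening, except Priority 5 resolution, which is
clocked from when the vendor fix was received; "weekly" is 5 business days.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

BUSINESS_OPEN, BUSINESS_CLOSE = 9, 17  # assumed published hours of service


def bdays(n: int) -> timedelta:
    """n business days expressed as business time (8 h each, assumption)."""
    return timedelta(hours=(BUSINESS_CLOSE - BUSINESS_OPEN) * n)


@dataclass(frozen=True)
class Target:
    accept: timedelta        # incident accepted within
    first_update: timedelta  # first update within
    update_every: timedelta  # subsequent updates at least this often
    resolve: timedelta       # target resolution time
    business_clock: bool     # measure in business time instead of wall-clock


# Service levels as stated on the Priority 1-5 slides.
TARGETS: Dict[int, Target] = {
    1: Target(timedelta(minutes=15), timedelta(hours=1), timedelta(hours=1), timedelta(hours=2), False),
    2: Target(timedelta(minutes=30), timedelta(minutes=90), timedelta(minutes=90), timedelta(hours=4), False),
    3: Target(timedelta(hours=2), timedelta(hours=4), timedelta(hours=4), bdays(1), True),
    4: Target(timedelta(hours=2), bdays(1), bdays(1), bdays(3), True),
    5: Target(timedelta(hours=2), bdays(3), bdays(5), bdays(3), True),
}


@dataclass
class Ticket:
    ticket_id: str
    priority: int
    opened: datetime
    accepted: Optional[datetime] = None
    updates: List[datetime] = field(default_factory=list)
    resolved: Optional[datetime] = None
    fix_received: Optional[datetime] = None  # Priority 5: vendor patch/fix arrival


def business_elapsed(start: datetime, end: datetime) -> timedelta:
    """Business time between start and end; weekends and out-of-hours time do not count."""
    total = timedelta()
    day = start.replace(hour=0, minute=0, second=0, microsecond=0)
    while day <= end:
        if day.weekday() < 5:  # Monday=0 .. Friday=4
            lo = max(start, day.replace(hour=BUSINESS_OPEN))
            hi = min(end, day.replace(hour=BUSINESS_CLOSE))
            if hi > lo:
                total += hi - lo
        day += timedelta(days=1)
    return total


def elapsed(t: Target, start: datetime, end: datetime) -> timedelta:
    return business_elapsed(start, end) if t.business_clock else end - start


def check_ticket(ticket: Ticket, now: datetime) -> List[str]:
    """Return the breached OLA criteria ('accept', 'update', 'resolve') for one ticket."""
    t = TARGETS[ticket.priority]
    breaches: List[str] = []

    # Acceptance: opened -> accepted, or opened -> now if still unaccepted.
    if elapsed(t, ticket.opened, ticket.accepted or now) > t.accept:
        breaches.append("accept")

    # Updates: first one due within first_update of opening, then every update_every.
    points = [ticket.opened] + sorted(ticket.updates)
    if ticket.resolved is None:
        points.append(now)  # an open ticket must not go silent
    for i in range(1, len(points)):
        limit = t.first_update if i == 1 else t.update_every
        if elapsed(t, points[i - 1], points[i]) > limit:
            breaches.append("update")
            break

    # Resolution: Priority 5 is clocked from fix receipt; with no fix yet it is waiting on the vendor.
    start = ticket.fix_received if ticket.priority == 5 else ticket.opened
    if start is not None and elapsed(t, start, ticket.resolved or now) > t.resolve:
        breaches.append("resolve")
    return breaches


def ola_report(tickets: List[Ticket], now: datetime) -> Dict[str, List[str]]:
    return {tk.ticket_id: check_ticket(tk, now) for tk in tickets}


# Constructed sample: Mon 2013-06-03 and Mon 2013-06-10 are business days, Fri 2013-06-07 precedes a weekend.
SAMPLE_NOW = datetime(2013, 6, 10, 12, 0)
SAMPLE_TICKETS = [
    Ticket("INC-1001", 1, datetime(2013, 6, 3, 10, 0), accepted=datetime(2013, 6, 3, 10, 10),
           updates=[datetime(2013, 6, 3, 11, 0), datetime(2013, 6, 3, 11, 55)],
           resolved=datetime(2013, 6, 3, 12, 30)),   # resolved in 2 h 30 against a 2 h target
    Ticket("INC-1002", 3, datetime(2013, 6, 7, 16, 0), accepted=datetime(2013, 6, 7, 16, 30),
           updates=[datetime(2013, 6, 10, 11, 0)],
           resolved=datetime(2013, 6, 10, 15, 30)),  # 7.5 business hours once the weekend is excluded
    Ticket("INC-1003", 2, datetime(2013, 6, 10, 9, 0), accepted=datetime(2013, 6, 10, 9, 45)),  # late accept, silent since
]

if __name__ == "__main__":
    for tid, breached in ola_report(SAMPLE_TICKETS, SAMPLE_NOW).items():
        print(tid, "OK" if not breached else "BREACH: " + ", ".join(breached))
```

Running it flags INC-1001 for resolution only, passes INC-1002 because the Friday-to-Monday gap is not business time, and flags INC-1003 for both acceptance and the missing first update. Which clock a priority uses and where the update timer starts are contract terms, so they belong in the OLA text itself rather than being left to whoever writes the report.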
  • Service Reports must be provided daily, weekly, monthly, quarterly and annually, or at the intervals agreed within the SLA/OLA. These reports compare the agreed service levels against the actual results. The following is a sample of the monthly Services Management Report:
    • Production Environment Support during Published Hours of Service
    • Monitoring and Support of Nightly Process Activity
    • Test Infrastructure and Application Support during Published Hours of Service
    • User Application Support
    • Non-Business Hours On-Call Response
    • Information Security Threat, Vulnerability and Risk Remediation
    • Continuous Improvement Initiatives
    • Fiscal Year 2013/14 Release Management
    • Change Management
    • Infrastructure and Application Support Services
    • Accomplishments this Month
    • Investigations and Resolutions
    • Operations Support Services
    • Accomplishments this Month
    • Scheduled Service Interruptions
    • Unscheduled Service Interruptions
    • Business Continuity Plan
    • Security Patch
  • For more information contact: Skype: Mark_E_S_Bernard; Twitter: @MESB_TechSecure; LinkedIn: http://ca.linkedin.com/in/markesbernard