Sec 270 02 sect 01av1
  • The statement of applicability (also known as an SOA) is a document which identifies the controls chosen for your environment and explains how and why they are appropriate. The SOA is derived from the output of the risk assessment / risk treatment plan and, if ISO 27001 compliance is to be achieved, must directly relate the selected controls back to the original risks they are intended to mitigate. Normally the controls are selected from ISO 17799, but it is possible to also include your own controls. A number of sector-specific schemes are being introduced which stipulate additional mandatory controls. The SOA should make reference to the policies, procedures or other documentation or systems through which the selected control will actually manifest. It is also good practice to document the justification of why those controls not selected were excluded.
  • Confidentiality – Ensuring that information is accessible only to those authorized to have access. Integrity – Safeguarding the accuracy and completeness of information and processing methods. Availability – Ensuring that authorized users have access to information and associated assets when required.

Presentation Transcript

  • Implementing IT Security Program
    Implementing ISO 27001 can enable enterprises to benchmark against competitors and to provide relevant information about IT security to vendors and customers, and it can enable management to demonstrate due diligence. It can foster efficient security cost management, compliance with laws and regulations, and a comfortable level of interoperability due to a common set of guidelines followed by the organizations. It can improve QA for IT security and increase security awareness among employees, customers, vendors, etc.
    John Jay College of Criminal Justice © 2012

  • Cost of Implementation
    • Internal resources
    • External resources
    • Certification
    • Implementation

  • Planning for ISO 27001
    • Business continuity planning
    • System access control
    • System acquisition, development and maintenance
    • Physical and environmental security
    • Compliance
    • Information security incident management
    • Personnel security
    • Security organization
    • Communication and operations management
    • Asset classification and control
    • Security policies

  • Three stages of the Certification process
    1. Informal review of the IT security program
       • Organization's security policy
       • Risk treatment plan
       • Statement of applicability
    2. Independent tests of the IT security program against the requirements, and obtaining management support
    3. Follow-up reviews or periodic audits to confirm that the organization remains in compliance with the standard

  • Planning
    • Commitment of senior management is essential
    • Team required: Internal audit, IT, Legal, HR

  • Decision Making
    • Business objectives and priorities
    • Existing IT maturity levels
    • User acceptability and awareness
    • Internal audit capability
    • Contractual obligations
    • Customer requirements
    • The enterprise's ability to adapt to change
    • Adherence to internal processes
    • Existing compliance efforts and legal requirements
    • Existing training programs

  • Implementation
    • Define an IT security policy
    • Define the scope of the project
    • Perform a security risk assessment
    • Manage the identified risk
    • Select controls to be implemented and applied
    • Prepare a Statement of Applicability

  • 1. Identify Business Objectives
    • Increased marketing potential
    • Assurance to the business partners of the organization's status with respect to information security
    • Assurance to customers and partners about the organization's commitment to information security, privacy and data protection
    • Increased revenue and profitability by providing the highest level of security for customers' sensitive data
    • Identification of information assets and effective risk assessments
    • Preservation of the organization's reputation and standing among industry leaders
    • Compliance with industry regulation

  • 2. Obtain Management Support
    • An information security policy
    • Information security objectives and plans
    • Roles and responsibilities for information security, or a segregation of duties matrix that shows the list of the roles related to information security
    • An announcement or communication to the organization about the importance of adhering to the information security policy
    • Sufficient resources to manage, develop, maintain and implement the IT security program
    • Determination of the acceptable level of risk
    • Management review of the IT security program at planned intervals
    • Assurance that personnel affected by the IT security program are provided with training
    • Appointment of competent people for the roles and responsibilities that they are assigned to fulfill

  • 3. Select the Proper Scope of Implementation
    • The selected scope helps to achieve the identified business objectives
    • The organization's overall scale of operations is an integral parameter needed to determine the compliance process's complexity level
    • To find out the appropriate scale of operations, organizations need to consider the number of employees, business processes, work locations, and products or services offered
    • What areas, locations, assets and technologies of the organization will be controlled by the IT security program?
    • Will suppliers be required to abide by the IT security program?
    • Are there dependencies on other organizations? Should they be considered?
    • Any regulatory or legislative standards that apply to the areas covered by the IT security program should be identified

  • 4. Define a Method of Risk Assessment
    • The method to be used to assess the risk to identified information assets
    • Which risks are intolerable and therefore need to be mitigated
    • Managing the residual risk through carefully considered policies, procedures and controls

  • 5. Prepare an Inventory of IT Assets to Protect, and Rank Assets According to Risk Classification Based on Risk Assessment
    • For assets, identify the CIA impact levels: high, medium and low
    • Identify risks, and classify them according to their severity and vulnerability
    • After identifying the risks and the levels of CIA, assign values to the risks
    • Based on risk values, determine whether the risk is tolerable and whether to implement a control to eliminate or reduce the risk

  • 6. Manage the Risks, and Create a Risk Treatment Plan
    • Acceptable risk treatment (accept, transfer, reduce, avoid)
    • Identification of operational controls and additional proposed controls, with the help of gap analysis
    • A proposed control implementation schedule
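The risk-assessment mechanics of steps 4 to 6, as an added example that is not part of the slides: CIA impact levels are scored per asset, each risk is valued and ranked against a tolerance threshold, and the treatment plan is checked so that no intolerable risk is simply accepted and every non-accept decision names a control. The 1-3 scale, the impact x likelihood formula, the threshold of 3 and the sample inventory are assumptions for illustration.

```python
# Added illustration of steps 4-6; the 1-3 scale, formula and threshold are assumptions.
from dataclasses import dataclass
LEVEL = {"low": 1, "medium": 2, "high": 3}  # assumed numeric scale for the CIA levels
TOLERABLE_RISK = 3  # assumed threshold set by management (step 4)
TREATMENTS = {"accept", "transfer", "reduce", "avoid"}  # the step-6 options

@dataclass
class Asset:
    name: str
    confidentiality: str  # CIA impact levels from step 5: high / medium / low
    integrity: str
    availability: str
    def impact(self) -> int:
        # The worst of the three CIA impacts drives the asset's impact score.
        return max(LEVEL[self.confidentiality], LEVEL[self.integrity], LEVEL[self.availability])

@dataclass
class Risk:
    asset: Asset
    threat: str
    likelihood: str    # how likely the threat is to materialise: low / medium / high
    decision: str      # treatment chosen by the risk owner, one of TREATMENTS
    control: str = ""  # proposed control; required unless the decision is "accept"
    def value(self) -> int:
        # Risk value = impact x likelihood (assumed formula), range 1..9.
        return self.asset.impact() * LEVEL[self.likelihood]
    def tolerable(self) -> bool:
        return self.value() <= TOLERABLE_RISK

def ranked(risks):
    # Step 5: highest risk value first, so the plan addresses the worst exposures first.
    return sorted(risks, key=lambda r: r.value(), reverse=True)

def plan_gaps(risks):
    # Step 6 check: every intolerable risk needs a real treatment and a proposed control.
    gaps = []
    for r in risks:
        if not r.tolerable() and r.decision == "accept":
            gaps.append((r.threat, "intolerable risk accepted without reduction"))
        elif r.decision != "accept" and not r.control:
            gaps.append((r.threat, "no proposed control"))
    return gaps
# Constructed sample inventory (not from the slides).
CUSTOMER_DB = Asset("customer database", "high", "high", "medium")
WIKI = Asset("intranet wiki", "low", "medium", "low")
SAMPLE_RISKS = [
    Risk(CUSTOMER_DB, "disclosure of customer records", "medium", "reduce", "encrypt at rest; RBAC"),
    Risk(WIKI, "accidental page deletion", "low", "accept"),
    Risk(CUSTOMER_DB, "prolonged database outage", "high", "accept"),
]
```

Running `plan_gaps(ranked(SAMPLE_RISKS))` flags the accepted database outage (value 9, above the threshold) as the one entry the treatment plan must still resolve.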
  • 7. Set Up Policies and Procedures to Control Risks
    Statements of policy, or a detailed procedure and responsibility document, to identify user roles for consistent and effective implementation of policies and procedures.

  • 8. Allocate Resources, and Train the Staff
    The IT security program highlights one of the important commitments for management: sufficient resources to manage, develop, maintain and implement the IT security program.

  • 9. Monitor the Implementation of the IT Security Program
    Periodic internal audit for monitoring and review. Audit review consists of testing of controls and identifying corrective / preventive actions.

  • 10. Prepare for the Certification Audit
    Conduct a full cycle of internal audits, management reviews and activities in the process, and retain evidence of the responses taken as a result of those reviews and audits. This should be reviewed annually.

  • 11. Conduct Periodic Reassessment Audits
    • Follow-up reviews or periodic audits confirm that the organization remains in compliance with the standard.

  • Conclusion
    The true success of ISO 27001 is its alignment with the business objectives and effectiveness in realizing those objectives. IT and other departments play an important role in implementing the IT security program. To achieve the planned return on investment, the implementation plan has to be developed with an end goal in mind. Training and internal audit are major parts of IT security program implementation. ISO 27001 certification will help assure most business partners of an organization's status with respect to information security without the necessity of conducting their own security reviews. An organization would choose to be certified against the ISO 27001 standard to provide confidence to its customer base and partners.