"I am Certified, but am I Safe?" - Information Security Summit, Kuala Lumpur, Malaysia, June, 2011
A talk that highlights how organizations can pursue ISO 27001 certification with the right kind of expectations, on what it guarantees and what it does not.

Published in: Technology
  1. “I am certified, but am I safe?” Anup Narayanan, CISA, CISSP, Founder & CEO, ISQ World
  2. Agenda: What exactly is certification? The audit process & fear: why? The cost of poor implementation. Getting your ISMS right. The ISM3 model. The CXO’s security plan. How do I know I am safe?
  3. What exactly is certification? An explanation in simple terms.
  4. The auditor looks for two factors.
     The existence of the ISMS:
       • Is the P-D-C-A (Plan-Do-Check-Act) model in place?
       • Scope, security forum, asset classification list, risk analysis, documents etc.
     The functioning of the ISMS:
       • Review and improvement processes, i.e. the CHECK and ACT phases.
       • Auditor: “Have you done a root cause analysis?” Not just identifying problems, but solving them.
     If the auditor is satisfied, you are recommended for certification.
  5. The essence of ISO 27001 / ISMS. It tells you what to do: implement an ISMS (Information Security Management System) fit for the business. Does it tell you how to do it? Not very well! ISO 27002 is a good guide, but it is subject to poor interpretation. That is not the fault of the standard.
  6. Example: “Build a vehicle”
  7. Poor interpretation vs. good interpretation
  8. The audit process & fear: why?
  9. Analysis: The purpose of the ISMS is not well understood. The implementation process is not well understood. The audit process is not well understood. You are misguided by ill-informed people.
  10. Some facts!
     Fallacy: I must select as many controls as possible. Truth: choose those controls that are required (some of them will be mandatory).
     Fallacy: I must produce a ton of documentation. Truth: I must produce documents that I will actually read.
     Fallacy: The auditors will be tough and strict. Truth: the auditors know their job, and you should know yours.
  11. This leads to… ISMS fatigue. After the first few years you will not be able to maintain all the controls; managers will grumble, which leads to poor maintenance of controls. This leads to “quick fixes” that open more vulnerabilities. Slowly the controls weaken and people start finding alternatives to bypass the ISMS, which opens further weaknesses.
  12. The cost of poor implementation: a poorly implemented ISMS leads to more security weaknesses than not having one at all.
  13. Getting your ISMS right: Information Security Goals, Targets and Processes (not Controls).
  14. My primary focus is to constantly increase shareholder value. That depends on customer retention & acquisition, which depends on TRUST, which depends on continuous availability of services, which depends on continuous availability of information and information systems: INFORMATION SECURITY.
  15. Trust & the impersonal nature of the Internet. The customer cannot see you; they don’t know what you look like or how you talk. The Internet is based on TRUST, and this makes it difficult for you to influence the perception of TRUST on the Internet using visible factors. Hence, you need measurable factors, such as availability of services, and information security, so that you are there when the customer needs you.
  16. The purpose of the ISMS.
     Business goals: be profitable, be ethical, be socially responsible.
     Business targets: generate $X through sales; pay bills, salaries and taxes on time; maintain the offices and facilities.
     Helped by: Sales (sell products & services); Finance (process payments, pay bills & salaries, accounting); HR (hire the right people); Admin (maintenance functions, HVAC etc.).
     Where does Information Security fit in?
  17. Realize this… No two businesses are alike, hence no two ISMSs are alike. Be confident! Build an ISMS fit for your business. Choose only the processes that are useful for your business, not because someone else does them too.
  18. Using ISM3 to implement ISO 27001. ISM3: Information Security Management Maturity Model.
  19. ISM3 was recently adopted as The Open Group Standard (www.ism3.com). ISM3 provides a set of “security management processes” that are consistent with business goals. You can select “maturity levels” based on available resources:
     Level 1: low-risk environments
     Level 2: normal-risk environments
     Level 3: normal- to high-risk environments (IT service providers, e-commerce)
     Level 4: high-risk environments (public companies, finance)
     Level 5: high-risk environments plus mandatory metrics
  20. Security investment & risk reduction.
  21. The advantage of a process-based approach. A process gives more clarity on what needs to be done and makes you realize the amount of resources that needs to be assigned to execute it. Hence, you will select only those processes that are truly required for the ISMS. This leads to building an ISMS “for your business” and “not for certification”.
  22. The CXO’s security plan.
  23. As the CEO, you want to spend less time on information security. So your plan must be simple, precise and effective, but it must give you answers to 3 questions.
  24. The 3 questions are…
     1 - Assets: What are my information assets? (Give me the latest list.)
     2 - Threats: What are the threats to my information assets? (Give me the newest threats.)
     3 - Vulnerabilities (weaknesses): What are the vulnerabilities that can be exploited by these threats? (What are we doing about them?)
  25. Your plan centers around “Assets”, “Threats” and “Vulnerabilities”. In fact, you must work together with your information security officer to have the latest list of assets, threats & vulnerabilities briefed to you at regular intervals (at least once a month or quarter).
  26. Idea! Ask your Information Security Officer to create a threat and vulnerability pipe.
  27. A sample threat & vulnerability pipe. The latest threats and vulnerabilities go on top.
     March:
       • Security survey reveals poor user security awareness
       • SANS reports 5 vulnerabilities that affect our applications
     Feb:
       • Some web applications do not have a privacy policy displayed
       • Backup restoration is not tested
     Jan:
       • Background verification of new employees not uniformly done
       • Information security risks not considered as part of the business continuity plan
  28. “Could you please tell me the top 3 items off the top of the threat & vulnerability pipe?” Hmm… she is getting security sharp! So, the next time you are with your information security officer, you know what to ask…
  29. Remember! A good security manager will tell you your weaknesses and not always your strengths!
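The threat & vulnerability pipe of slides 27 and 28 is a dated queue: new items go on top, the CEO asks for the top three, and an item should only leave the pipe when the weakness is actually fixed. The following is an added illustration of that structure in Python; it is not code from the talk or from ISQ World. The slide's six sample entries are used as constructed input, but the slide gives only the month, so the year (2011, the year of the talk), the day of month and the source labels for the last four items are assumptions. The `stale()` check goes beyond the slide: it lists open items older than a cut-off, which is the "ISMS fatigue" the talk warns about, weaknesses that were reported and then quietly never closed.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class PipeItem:
    """One threat or vulnerability raised to the pipe."""
    reported: date                  # when it entered the pipe
    description: str
    source: str                     # who raised it: survey, vendor advisory, audit, ...
    closed: Optional[date] = None   # set only when the weakness is remediated, not when noted


class ThreatVulnPipe:
    """A dated queue of weaknesses: newest on top, items leave only when closed."""

    def __init__(self) -> None:
        self._items: List[PipeItem] = []

    def add(self, item: PipeItem) -> None:
        self._items.append(item)

    def open_items(self) -> List[PipeItem]:
        """Open items, newest first (the order the slide draws the pipe in)."""
        return sorted(
            (i for i in self._items if i.closed is None),
            key=lambda i: i.reported,
            reverse=True,
        )

    def top(self, n: int = 3) -> List[PipeItem]:
        """The CEO's question: the top n items off the top of the pipe."""
        return self.open_items()[:n]

    def close(self, description: str, on: date) -> bool:
        """Retire an item once it is remediated; False if no open item matched."""
        for item in self._items:
            if item.closed is None and item.description == description:
                item.closed = on
                return True
        return False

    def stale(self, as_of: date, max_age_days: int = 60) -> List[PipeItem]:
        """Open items older than max_age_days: reported, briefed, never fixed."""
        return [i for i in self.open_items()
                if (as_of - i.reported).days > max_age_days]


def build_sample_pipe() -> ThreatVulnPipe:
    """The slide's sample pipe as constructed data.

    Assumed: the year 2011, the day of month, and the source labels of the
    last four rows (the slide names only 'security survey' and 'SANS').
    """
    pipe = ThreatVulnPipe()
    rows = [
        (date(2011, 3, 10), "Security survey reveals poor user security awareness", "security survey"),
        (date(2011, 3, 3), "SANS reports 5 vulnerabilities that affect our applications", "SANS advisory"),
        (date(2011, 2, 14), "Some web applications do not have a privacy policy displayed", "internal review"),
        (date(2011, 2, 7), "Backup restoration is not tested", "internal review"),
        (date(2011, 1, 20), "Background verification of new employees not uniformly done", "HR audit"),
        (date(2011, 1, 11), "Information security risks not considered as part of the business continuity plan", "BCP review"),
    ]
    for reported, description, source in rows:
        pipe.add(PipeItem(reported, description, source))
    return pipe


if __name__ == "__main__":
    pipe = build_sample_pipe()
    print("Top 3 off the pipe:")
    for item in pipe.top(3):
        print(f"  {item.reported}  {item.description}  [{item.source}]")
    print("Open for more than 60 days as of 2011-04-01:")
    for item in pipe.stale(date(2011, 4, 1)):
        print(f"  {item.reported}  {item.description}")
```

Run as a script it prints the March and February items the CEO would be briefed on, then the two January items that have been sitting open for more than 60 days. Note that `close()` is the only way an item leaves `open_items()`: a pipe where nothing is ever closed is the signal that controls are being noted rather than maintained.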
  30. How do I know that I am safe?
  31. How do I know that I am safe? You are safe when:
       • You know what your business is about.
       • You know the information systems that are required to attain business goals.
       • You know the risks to the information systems.
       • You have reduced the risks as far as possible.
       • You know exactly what your weaknesses are and are prepared for them.
  32. The Art of War, Sun Tzu: “It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.”
  33. Please keep in mind: Information security does not earn you big money. But it ensures that you keep earning the big money… because information security influences the way your customers TRUST and BUY your brand.
  34. Anup Narayanan, Founder & Principal Architect, ISQ World, a First Legion company. © First Legion Consulting