Familiarizing with a major ISMS Standard

To familiarize ourselves with the ISO/IEC 27000 family of standards. To obtain a basic understanding of Management of Information Security.

INFSYS3848/6828 Assignment – 2: Familiarizing with a major ISMS Standard
Dr. Shaji Khan
Page 1 of 4
Points Possible: 100
Due Date: February 25, 2016 by 11:59pm Central Time

Assignment Overview: Managing Information Security is not a trivial task. Any organization attempting to systematically manage information security will need some sort of a framework or model that aids in such management. As we learned in class, there are many possible approaches to InfoSec Management. One major framework and accompanying set of standards is the ISO/IEC 27000 family of standards.

Assignment Purpose:
1) To familiarize ourselves with the ISO/IEC 27000 family of standards
2) To obtain a basic understanding of Management of Information Security

Assignment TASK
1. Please visit http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html
2. Look for ISO/IEC 27000:2014 and download the zip file. Extract it to your local machine to find a PDF document.
   o This is the ISO/IEC 27000 Version 2014 standard. The standard provides an overview of the Information Security Management System (ISMS) family of standards and lays the groundwork for organizations to begin adopting other standards in this family.
3. Please read the entire document carefully (from page IV until page 25)
   o Including, Foreword
   o Introduction
   o Scope
   o Terms and Definitions
   o Information Security Management Systems (ISMS)
   o ISMS Family of Standards

After reading the standard, please answer the following questions within this Word document.

1) The ISMS family of standards was developed by ISO/IEC JTC1/SC27. Briefly explain what ISO/IEC JTC1/SC27 means. [Hint: See Foreword and Introduction in the document] [5 points]

The ISO/IEC JTC 1 is a joint technical committee. This joint technical committee has as its main task the preparation of International Standards. SC27 stands for the subcommittee that is for security techniques. The ISO/IEC JTC1/SC27 maintains an expert committee dedicated to the development of international management systems standards for information security, otherwise known as the Information Security Management System family of standards. Also, ISO/IEC 27000 was prepared by ISO/IEC JTC 1.

2) Based on this document and class discussions, briefly (half a single-spaced page) explain (a) What is an ISMS? (b) Why is it important? [25 points]

An ISMS consists of policies, procedures, guidelines, and associated resources and activities, collectively managed by an organization, in the pursuit of protecting its information assets. Establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an organization's information security is a systematic approach to achieving business objectives. There are nine different fundamental principles that contribute to the successful implementation of an ISMS. These are awareness, assignment of responsibility, incorporating management commitment and the interests of stakeholders, enhancing societal values, risk assessments, security incorporated as an essential element, active prevention and detection of IS incidents, ensuring a comprehensive approach to IS management, and continual reassessment of IS and making of modifications as appropriate. Information security has three main dimensions: confidentiality, availability, and integrity. In an ISMS the management portion involves the supervision and making of decisions necessary to achieve business objectives through the protection of the organization's information assets. The management of information security is expressed through the formulation and use of information security policies, procedures and guidelines. An ISMS is important because the risks associated with an organization's information assets need to be addressed. The adoption of an ISMS is expected to be a strategic decision for an organization, and it is necessary that this decision is seamlessly integrated, scaled and updated in accordance with the needs of the organization for all individuals of the organization. The needs and objectives of an organization, its security requirements, the business processes employed, and the size and structure of the organization are all key factors in how the design and implementation of the organization is influenced. An ISMS is important to both the public and private sectors of an organization. An ISMS involves identifying which controls are in place and requires careful planning and attention to detail. For example, access controls can be a combination of technical (logical), physical, and administrative (managerial) controls, or controls in any one of those areas individually.

3) Briefly (half a single-spaced page) explain the steps listed under section 3.5 of this document pertaining to establishing, monitoring, maintaining and improving an ISMS. [25 points]

Framing risk, or establishing a risk context, describes the environment in which risk-based decisions are made. The purpose is to produce a risk management strategy that addresses how organizations intend to assess risk, respond to risk, and monitor risk, making explicit and transparent the risk perceptions that organizations routinely use in making both investment and operational decisions. Establishing a realistic and credible risk frame requires that organizations identify risk assumptions, risk constraints, risk tolerance, and priorities and trade-offs. This is to indicate what type of risk you are looking into, to determine what steps need to be taken under assessing the risk. Assessing the risk is to identify the threats to the organization, all vulnerabilities, the harm, and the likelihood that the harm will occur. The end result is the determination of the risk. Support for the risk assessment is found in the tools, techniques, and methodologies that are used to assess it, assumptions related to risk assessment, constraints that may affect risk assessments, roles and responsibilities, how risk information is collected, processed, and communicated through organizations, how assessments are conducted, the frequency of risk assessment, and how threat information is obtained. Responding to risk is the next step and is very important. The purpose of the respond-to-risk component is to provide a consistent, organization-wide response to risk in accordance with the organizational risk frame by developing alternative courses of action to respond to risk, evaluating the alternative courses of action, determining appropriate courses of action consistent with organizational tolerance, and implementing risk responses based on the selected courses of action. Monitoring the risk must happen over time and continuously. The purpose of monitoring the risk is to i) verify that the planned risk response measures are implemented and that information security requirements derived from/traceable to organizational missions/business functions, federal legislation, directives, regulations, policies, standards, and guidelines are satisfied, ii) determine the ongoing effectiveness of risk response measures following implementation, and iii) identify risk-impacting changes to organizational information systems and the environments in which the systems operate. Overall, establishing, monitoring, maintaining and improving an ISMS is always being done in an organization to help them determine what risks they can or cannot accept. For example, a large organization such as Maritz needs to determine if they can allow spam email to come into the environment and then respond to the risk by letting the entire organization know what needs to be done so as not to harm their credentials or office equipment.

4) Explain in sufficient depth each of the three components of an overall "Risk Assessment" process – 1) Risk Identification, 2) Risk Analysis, and 3) Risk Evaluation [25 points]

Risk Identification is the process of finding, recognizing, and describing risks. This first step is to find a risk and assess the risk to see how to prioritize and quantify it for risk acceptance and the objectives relevant to the organization. Identification is the most important part of the process because this is how an organization determines what type of risk is occurring so that they can proceed to the analysis part of the process. Risk Analysis (or Estimation) is the process to comprehend the nature of risk and to determine the level of risk. This should include the systematic approach of estimating the magnitude of those risks. In this process, the organization will determine the nature of how the risk is going to affect them or not affect them. This is also the part of the process where we determine the next step of the process by starting to evaluate the risk. Risk Evaluation is the process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable. Risk criteria are the terms of reference against which the significance of risk is evaluated. These are set by the organization. For example, if the risk is lower than 5% then we would just accept it and not do anything about it. This is the process of comparing the estimated risks against risk criteria to determine the significance of the risks. In this last part of the process, an organization would discover if they can accept the risk or not. What they can or cannot do depends on the magnitude. For example, Maritz assesses the risk of their employees opening an email that contains a virus. What would they do? Well, they could say we cannot risk everyone opening this and affecting the technology throughout the whole organization. So they would send an email marked high importance advising of phishing emails and scams that could have come through to the employees' computers. Maritz IT cannot just stop the email since they did not know directly that it was a virus email. By notifying the employees they are accepting the fact that some may open it, now knowing what it is, but also accepting that some may not even open it at all.

5) Which ISMS standard provides normative requirements for the development and operation of an ISMS? Briefly explain the significance of this standard being "normative." [10 points]

ISO/IEC 27001 is the standard that provides the normative requirements for the development and operation of an ISMS. Normative includes a set of controls for the control and mitigation of the risks associated with the information assets which the organization seeks to protect by operating its ISMS. Therefore organizations operating an ISMS may have its conformity audited and certified.

6) Which ISMS standard provides a detailed view of a broad set of security controls which could potentially be applied within an organization? [5 points]

ISO/IEC 27002 is the standard that provides the code of practice for information security controls.

7) Which ISMS standard provides a detailed overview of a process-oriented risk management approach which can be adopted within an overall ISMS framework? [5 points]

ISO/IEC 27000 is the standard that provides the standards describing an overview and terminology.

SUBMISSION INSTRUCTIONS:
1. Type your answers within this document or create a new document. Be sure to name your document in the following format: FirstName_LastName_Assignment2
2. Submit the document via the "Assignment-2" assignment page on MyGateway. Be sure to hit submit.

PENALTY FOR LATE SUBMISSIONS: Late submissions will receive a 10% automatic deduction for each 24 hour period after the due date/time until no points remain.

GETTING HELP:
1. Visit tutors in the CITIL (ESH 204). Information listed on MyGateway/Faculty Information.
2. Call (314-489-9733) / email (shajikhan@umsl.edu) the instructor anytime.

