A portion of an internal training session at EBSL Technologies Int'l
Principles of IT Operations, including ISO 27001, COBIT, ITIL, IT Security and IT Frameworks.
EBSL Technologies IT Operations Internal Presentation
1. EBSL
IT Operations
EBSL Technologies Int'l
www.ebsltechnologies.com
internal consultant training
Presented by
Jon CRG Shende FBCS CITP
Director IT Services
Part 1
June 19th 2008
2. Welcome to EBSL Technologies Int'l
Our following sessions will review principles of IT Operations. This will include:
• Technical and management concepts within IT (e.g. standards & preserving the C.I.A. triad)
• Frameworks
• Planning for and Managing Risk with Disaster Recovery
• An Interactive Workshop in Management Consulting
• Metrics from 6 Sigma and Integrity Selling for your client-facing duties
3. Frameworks Overview
ISO 27001:2005 & BS 17799 – ISO 27002:2005
CoBIT - Control Objectives for Information and Related Technology
ITIL - IT Infrastructure Library
CMMi - Capability Maturity Model Integration
Firms need to be cognizant of framework overload.
Organizations need to set implementation goals for frameworks with adequate project management resources.
Proceed cautiously with any framework roll-out, as the off-chance of an incorrect categorization of control objectives and/or their application can defeat the purpose of a framework implementation & its ROI assessment.
4. ISO 27001:2005 - basic overview
ISO - International Organization for Standardization
• ISO 27001/2 are management system standards that are applicable to all industry sectors
• ISO 27001 is a formal specification which defines specific requirements for establishing an Information Security Management System (ISMS). It is not a technical standard & emphasizes prevention
• It is a management system that should guide an organizational balance of all aspects of security - physical, technical, procedural and employee - following a Plan-Do-Check-Act process approach
• A process approach emphasizes user understanding of an organization's information security requirements and can help define and establish information security policies and objectives.
5. Summarizing ISO 27001
• It defines an information management framework which sets directions, aims and objectives, and defines a management-approved policy which holds management commitment
• Its processes methodically identify security requirements by assessing security risks. The results of these assessments help guide the prioritizing of metrics to manage risks and the appropriate management action. This guides the selection and implementation of controls (policies, practices, procedures, organizational structures, software/hardware functions) and mechanisms.
• Controls, even when selected subjectively, should follow the identification of security requirements. Their aim is to ensure that risks are reduced to an acceptable level while meeting an organization's security objectives.
6. ISO 27001/2 - basic overview 2
ISO 27002
• Follows on from the guidance of ISO 27001's ISMS
• Can be regarded as a comprehensive collection of good security processes
• It is a standard code of practice which defines techniques one can implement to secure data
• Both ISO 27001 & 27002 employ specific control statements which satisfy control objectives. We can group controls into six categories:
• Detect, Protect, Deter, React, Avoid & Recover
• Per CoBIT, "Control objectives provide a complete set of high level requirements to be considered by management"
7. ISO 27001/2 generic controls
Control - Control Objective
Detect - Identification of the occurrence of security event/s, then implement protective, reactive or recovery safeguard mitigation
Protect - Safeguarding vulnerable information assets and/or assets with exposures to adverse security events
Deter - Mitigate the possibility of undesirable events being attempted
React - Minimize the impact of a security event with an adequate response to ensure business continuity
Avoid - Eliminate known vulnerabilities via patches, software updates, signature updates and take steps to avoid new issues
Recover - After an event ensure that confidentiality, integrity and availability of all information assets are restored to their
8. Controls
• Controls, when properly implemented, allow management to make well-informed risk management decisions.
• This leads to properly secured IT systems responsible for storing, processing, or transmitting organizational data
• Risk management decisions justify IT-related expenses via a cost/benefit analysis, and assist management in supporting a system from its documented risk management performance review, which should be auditable
• Tying it together - for any one organization an integrated GRC mindset (Governance, Risk Management and Compliance) needs to sit in front of operations, rather than these being seen as three distinct entities
9. ISO 27001 questions
Q. How does the ISO 27001/2 Series benefit our clients?
• It provides a uniform and effective information security management process for an organization
• Proper implementation provides protection of organizational interests and those of their affiliates (subsidiaries, partners, vendors, customers)
• It is the aim of senior management to ensure an organization's IT goals align with its business goals.
• By implementing the metrics within 27001/2, senior management can ensure that IT investments deliver value. Performance is accurately measured and resources allocated in a manner that ensures effective risk mitigation
10. ISO 27001 questions
Q. What is an ISMS?
• An Information Security Management System (ISMS) is the documented system for which ISO 27001 specifies requirements: establishing, implementing, operating, monitoring, reviewing, maintaining and improving it within an organization.
• It should maintain an overview of the organization's overall business risks and specify requirements for the implementation of security controls. Controls should be customized to the needs of the whole or part of the organization.
11. Why a Risk Assessment Methodology (RAM)?
Assuring information security is a portion of the larger subject of Risk Mitigation & Management. The most important takeaway from ISO 27001 should be establishing a risk assessment methodology (RAM).
• A RAM enables an IT manager to secure data in a manner that enables security
• Implementing a RAM ensures the controls necessary to protect the business are defined and implemented
• A RAM provides metrics: results that are repeatable and comparable, which can measure control effectiveness
12. Why a Risk Assessment Methodology (RAM)?
A RAM ensures that the controls implemented will not be overly complex, over-reaching or costly, but rather tailored to organizational needs.
ISO 27001/2 emphasize the importance of controls; once implemented, a control's impact on an organization's security is static, so controls need to be reassessed and, as necessary, either retired or improved.
A risk assessment methodology, when properly implemented, will ensure that an organization has the means to protect its business functions at all times.
13. Risk Relationships
[Figure: risk relationships diagram] Source: SQUARE Process, Nancy R. Mead, Software Engineering Institute, https://buildsecurityin.us-cert.gov/bsi/articles/best-practices/requirements/232-BSI.html
14. Importance of Risk Management
Organizations should:
• Establish and use a risk assessment methodology that takes into consideration all legal and regulatory responsibilities in addition to information security
• Implement a framework for conducting risk assessments
• Quantify their risks and either accept individual risks, or prioritize the implementation of security controls to mitigate (or not) these risks in order of severity, by developing a Risk Treatment Plan (RTP) which either:
• Accepts, Avoids or Transfers the risk; or implements pertinent security controls.
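As an added example (not from the deck or EBSL's own material), here is a toy risk assessment methodology in the terms of slides 11 and 14: each risk is scored on likelihood and impact, compared with a risk appetite threshold, given one of the four RTP treatments, and ranked by severity; the residual score after a candidate control gives the repeatable control-effectiveness metric. The 1-5 scales, the appetite threshold and the sample register are assumptions.

```python
# Added illustration, not part of the EBSL deck: a toy risk assessment
# methodology (RAM) feeding a Risk Treatment Plan (RTP). The 1-5 scales, the
# risk appetite threshold and the sample register are all constructed.
from dataclasses import dataclass
from typing import Optional

RISK_APPETITE = 6  # constructed: likelihood x impact at or below this is accepted

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int                # 1 (rare) .. 5 (almost certain)
    impact: int                    # 1 (negligible) .. 5 (severe)
    control: Optional[str] = None  # candidate control, if one is available
    likelihood_after: int = 0      # expected likelihood with the control in place
    impact_after: int = 0          # expected impact with the control in place
    transferable: bool = False     # e.g. insurable or outsourceable

def inherent(r: Risk) -> int:
    return r.likelihood * r.impact

def residual(r: Risk) -> int:
    # Risk remaining once the candidate control is implemented
    return inherent(r) if r.control is None else r.likelihood_after * r.impact_after

def control_effectiveness(r: Risk) -> float:
    # Repeatable, comparable metric: fraction of inherent risk the control removes
    return (inherent(r) - residual(r)) / inherent(r)

def treatment(r: Risk, appetite: int = RISK_APPETITE) -> str:
    # RTP decision in the deck's terms: accept, implement controls, transfer or avoid
    if inherent(r) <= appetite:
        return "accept"
    if r.control is not None and residual(r) <= appetite:
        return "mitigate"
    return "transfer" if r.transferable else "avoid"

def treatment_plan(register, appetite: int = RISK_APPETITE):
    # Rank by severity (inherent score, highest first) and decide each risk
    ranked = sorted(register, key=inherent, reverse=True)
    return [(r.asset, inherent(r), residual(r), treatment(r, appetite)) for r in ranked]

REGISTER = [  # constructed sample register
    Risk("customer DB", "SQL injection", 4, 5, "input validation + WAF", 1, 5),
    Risk("laptops", "theft of unencrypted device", 3, 4, "full-disk encryption", 3, 1),
    Risk("legacy app", "unpatchable vulnerability", 5, 4, transferable=True),
    Risk("intranet wiki", "defacement", 2, 2),
]
```

Calling treatment_plan(REGISTER) yields the ordered RTP; note that the two highest-scoring risks get different treatments because only one has a control that brings residual risk within appetite.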
15. Where do we go?
• Q1. How secure is the client if there are no metrics to measure security?
• Q2. Is a system secure if it has never been breached?
• Q3. The aim of a business is to realize a return on investment (ROI); should ROI be more important than the Risk Reduction Factor?
• Q4. How secure are e-business partners?
• Q5. Are all the assets of an organization identified, listed and under proper ownership?
• Q6. Does the organization have a reactive or proactive stance?