
Is awareness government


Published in: Technology


  1. An Overview by Zaituni Mmari (Information Security Officer)
  2. Four Questions
     - What's it all about?
     - Why does it matter to the Government of Tanzania?
     - How does it work?
     - What do we have to do in the Government of Tanzania?
  3. What is Information Security?
     - The use of an ISMS (Information Security Management System) for the systematic preservation, in the Government of Tanzania, of the availability, confidentiality and integrity of its information (and its information systems)
     - Also involves authenticity, accountability, non-repudiation and reliability
     - Information risk: all information systems have vulnerabilities that can be exploited by threats in ways that can have significant impacts on the effectiveness, value and long-term survival of the Government of Tanzania's information systems
     - Note: when exploited, those threats have an impact on the effectiveness of the Government's information systems, not directly on the effectiveness of the Government itself
  4. Why do we need to implement an ISMS in the Government of Tanzania?
     - We have valuable assets: intellectual property; valuable government information; data about staff, customers and suppliers; organizational know-how
     - We have legal and regulatory compliance requirements: data protection and privacy; specific legislation
     - We are IT dependent: an IT failure (e.g. hardware failure, power failure, acts of nature) is an institutional failure; IT is not completely secure; IT is not inter-compatible
  5. Why does information security matter to the Government of Tanzania?
     - External threats:
       - Viruses, worms, Trojans: 100,000+ 'in the wild'
       - Hackers with automated attacks, now big business (botnets, zero-day attacks)
       - Spam: 80%+ of all e-mail, now big business (botnets, blended attacks)
       - Cyber-criminals: phishing, identity theft, grand larceny
       - Fraud, cyber terrorism
       - Competitors; malcontents, activists; anyone with a computer!
     - Internal threats: fraud, error, unauthorized or illegal system use, data theft
  6. How can the ISO 27001/ISO 17799 standards help the Government of Tanzania?
     - A standard is "a document established by consensus and approved by a recognized body, that provides for common and repeated use rules, guidelines or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context"
     - Two-part ISMS standard:
       - ISO 27001 (BS7799-2) specifies how to design an information security management system ('ISMS'): how the ISMS should work, not what should be in it
       - ISO 17799 (BS7799-1) is an international code of practice for information security best practice that supports and fleshes out BS7799-2: what should be in the ISMS, not how it should work
     - History and future: BS7799 originated in the UK and part 1 was adopted by ISO; revised every five years; now ten years old; 1300+ BS7799-2 certifications and even more ISO 17799 systems in place; now the ISO 27001 series from November 2005
  7. Why should the Government of Tanzania use the standard?
     - Best practice specification and guidance
     - A MANAGEMENT SYSTEM: technology agnostic, non-technical, non-jurisdictional
     - Systematic and comprehensive; proven in many industries and organizations
     - Includes international best practice; internationally understood; commonly accepted best practice
     - Capable of external certification: 100+ new BS7799-2 certifications per month; ISO 27001 and ISO 9001
  8. What is an ISMS?
     - A defined, documented management system (within a defined organization, the 'scope'). It contains:
       - A board-approved, high-level information security policy, which defines information security, the components and purpose of the ISMS, and evidences to the business that management is committed to a defined and systematic approach to information security
       - A corporate risk treatment plan, describing how different types of risk are to be treated
       - An inventory of important information assets (data and systems) that fall within the scope
       - An assessment of vulnerabilities, threats and risks ('risk assessment') to those assets
       - An ISMS Manual that contains a Statement of Applicability, identifying a set of controls (responses to/countermeasures for) that respond to each of the identified risks
       - A comprehensive, inter-related suite of processes, policies, procedures and work instructions
     - The ISMS must be systematically implemented and managed; reviewed, audited and checked; continuously improved
     - Certification: valuable but not always essential; the final stage; carried out by a third-party certification body; evidence as to the completeness and quality of the ISMS
  9. ISO 27001 - a Closer Look
     - ISO 27001:2005 (BS7799-2:2005) is the current version: "Information security management systems – specification with guidance for use"
     - "Specification" means "this is how it must be done"
     - Specification for: establishing and managing the ISMS; implementing and operating the ISMS; monitoring and reviewing the ISMS; maintaining and improving the ISMS; control of documents; management responsibility; management review of the ISMS; ISMS improvement; control objectives and controls (Annex A), not exhaustive
  10. What is a 'Control'?
     - A vulnerability gives rise to a threat
     - A threat might have an impact (financial, operational) if it materialises
     - A risk is a threat that has a likelihood of materialising and an impact (a threat ≠ a risk)
     - Risks are at different levels (e.g. high/catastrophic, medium/affordable, low/insignificant)
     - A control is a response to or countermeasure for a risk; controls reduce risk, they don't eliminate it
     - Controls should only be implemented in response to specific, identified risks
     - A control is a combination of technology, behaviour and procedure, e.g. an anti-virus control: software installed on the gateway and desktops; a procedure for ensuring regular updates; staff trained not to open unexpected attachments
     - Cost of control ≤ cost of impact
     - Every asset has multiple risks; every risk has a control; some controls apply to many risks
     - ISO 17799 has best practice guidance on control selection
  11. ISO 17799 – a Closer Look
     - ISO/IEC 17799:2005 is the current version: "Information technology – Security techniques – Code of practice for information security management"
     - It "establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management"
     - "The control objectives and controls in ISO/IEC 17799:2005 are intended to be implemented to meet the requirements identified by a risk assessment. [It] is intended as a common basis and practical guideline for developing the Government of Tanzania security standards and effective security management practices, and to help build confidence in inter-organizational activities."
  12. ISO 17799:2005 - Contents
     - 11 chapters, 132 controls
     - Best practice control objectives and controls for: security policy; organization of information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development and maintenance; information security incident management; business continuity management; compliance
     - Not exhaustive
  13. How do we create an ISMS? PDCA
     - Plan: identify assets and scope, carry out the risk assessment, create policies and processes
     - Do: implement the defined and agreed processes
     - Check: assess performance against the defined policies
     - Act: take corrective and preventive action to continually improve the operation of the ISMS
     - No action is required for accepted risks
  14. ISMS Project Roadmap
  15. Documentation Structure: four tiers
     - Document type (required authorization); detail in ISMS Manual 2.2
     - Tier 1: Policy (Board). Setting the policy: strategic, high level, relatively unchanging. The Board-approved ISMS manual, Statement of Applicability (SoA) and risk treatment plan all reflect the policy principles and demonstrate board accountability.
     - Tier 2: Procedures (Executive). Implementing the policy: setting out business requirements, procedures and processes. These change infrequently but have multiple overlaps and impacts on operational activity and business behaviours.
     - Tier 3: Work Instructions (Operational). Making the policy work: detailed, step-by-step descriptions of how to perform individual tasks, subject to regular review and improvement.
     - Tier 4: Records (All users and usages). Records of what happened: minutes, logs, reports, etc.; information about how the ISMS is performing.
  16. Sequential mini-projects
     - Design and implement the ISMS area-by-area (divisional, geographic, functional) OR control-by-control (priority determined by a high-level strategic risk assessment)
     - The standard PDCA approach always applies:
       - Identify the scope of the mini-project (plan)
       - Identify assets within the scope (plan); allow for multiple scopes applying to the same assets
       - Risk assessment for those assets (plan)
       - Identify appropriate control(s) and gain approval (plan); ensure overlaps are identified and allowed for; cross-linkages are already in the templates
       - Implement the chosen control, including training (do)
       - Monitor, review and audit control operation (check)
       - Identify and implement improvements (act)
  17. Massively parallel approach
     - Designed to get the whole organization to project completion quickly and completely
     - All procedures tackled simultaneously; all work instructions tackled simultaneously and in parallel
     - Implementation of procedures and work instructions happens as soon as each is complete
     - The monitor, audit and review cycle starts immediately each work instruction is implemented
     - This approach works best in organizations that already have an ISMS that needs to be documented and brought into line with international best practice
     - Only possible using the ITG toolkit, because the templates all exist and all cross-linkages and dependencies have been identified and included
     - Requires experienced project management, a committed project team and focused top management support
  18. Some concerns?
     - Procedure for procedure's sake? It leads to robust, improvable processes that make the business work better
     - Restrictive on staff? Yes, but it also clarifies what is acceptable and what isn't, so that everyone is 'on the same page'
     - Just another management system? It's an extension to existing management systems (and is integrated into them); it removes IT uncertainty, improves internal efficiencies and improves customer service
     - Who really cares? Our users; regulators and the law; our business partners; you, because it makes your working environment more efficient with fewer interruptions
  19. Summary of benefits
     - Recognized accreditation: assurance to our customers that their data is safe with us; assurance to our employees, partners and suppliers that their data is safe with us
     - Information security policy that fits the business needs: reduced outages, stoppages and other information security frustrations; aligned with government goals; security spend proportionate to value at risk; everyone responsible, not just the IT department; formalisation of policies and procedures that are already in place
  20. Next steps
     - Management owns information security and approves the policy
     - Departments are responsible for their own assets and processes, risks and counter-measures
     - You are all responsible for key parts of the information and IT infrastructure
     - Information asset and process inventory
     - Identification, by asset and process, of vulnerabilities, threats, impacts and risks
     - Finalization of draft procedures to tie in with the policy and the Statement of Applicability
     - Commencement of work instruction drafting, to be carried out by individual asset owners/system administrators
     - Timetable: start date; finish date
     - Other issues
  21. Remember!
  22. ???
  23. Thank you
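The rules on slide 10 ("What is a 'Control'?") worked as a small risk register in Python; this is an added example, not material from the presentation. It shows that a threat with no likelihood is not a risk, that a control is applied only when its cost does not exceed the cost of the impact, that one control can serve several risks, and that treatment reduces residual risk without eliminating it. The 0-3 scores, the score bands, the sample assets and costs, and the "residual likelihood never below 1" rule are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int     # 0-3; 0 means the threat cannot materialise for this asset
    impact: int         # 1-3: insignificant / affordable / catastrophic
    impact_cost: float  # estimated cost if the impact materialises
@dataclass(frozen=True)
class Control:
    name: str
    cost: float
    counters: frozenset  # threats this control responds to
    reduction: int       # likelihood points the control removes
def risk_level(likelihood: int, impact: int) -> str:
    """Score = likelihood x impact; the score bands are this example's assumption."""
    score = likelihood * impact
    if score == 0:
        return "not a risk"   # a threat that cannot materialise is not a risk
    return "low" if score <= 2 else "medium" if score <= 4 else "high"

def treat(risks, controls):
    """Minimal Statement of Applicability: each risk gets the cheapest control that
    counters its threat and whose cost <= cost of impact; residual likelihood stays >= 1."""
    soa = {c.name: [] for c in controls}   # control -> risks it is applied to
    residual = {}                          # risk id -> (level after treatment, control)
    for r in risks:
        rid = f"{r.asset}/{r.threat}"
        if risk_level(r.likelihood, r.impact) == "not a risk":
            continue                       # a threat is not a risk: nothing to treat
        fit = [c for c in controls if r.threat in c.counters and c.cost <= r.impact_cost]
        if not fit:                        # no affordable control: accept or escalate
            residual[rid] = (risk_level(r.likelihood, r.impact), None)
            continue
        best = min(fit, key=lambda c: c.cost)
        soa[best.name].append(rid)         # one control may cover several risks
        residual[rid] = (risk_level(max(1, r.likelihood - best.reduction), r.impact), best.name)
    return soa, residual

RISKS = [   # constructed sample register; values are illustrative, not from the presentation
    Risk("payroll server", "malware", 3, 3, 50_000),
    Risk("payroll server", "power failure", 2, 2, 8_000),
    Risk("staff desktop", "malware", 3, 1, 6_000),
    Risk("public website", "flood", 0, 3, 20_000),   # threat with no likelihood here
]
CONTROLS = [
    Control("anti-virus (gateway + desktops, update procedure, training)", 5_000, frozenset({"malware"}), 2),
    Control("UPS and generator", 12_000, frozenset({"power failure"}), 1),
]
```

Running `treat(RISKS, CONTROLS)` applies the anti-virus control to both malware risks, leaves the power-failure risk untreated because the UPS costs more than the impact, and ignores the flood entry as a threat rather than a risk.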