Popular Pitfalls In Isms Compliance


Published on

Independent view of what normally goes wrong in ISMS Audit

Published in: Education, Technology
1 Comment
  • positively venerate celebration of a mass your blog posts, a accumulation of essay is smashing.we have had to bookmark your site as well as allow to your feed.Your thesis looks lovely.Thanks for sharing.
    iso 9000
    Are you sure you want to  Yes  No
    Your message goes here
  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Popular Pitfalls In Isms Compliance

  1. 1. Popular pitfalls in ISMS Compliance A Certifying Body’s perspective
  2. 2. Contents <ul><li>Introduction </li></ul><ul><li>Standard Evolution </li></ul><ul><li>Standard Organization </li></ul><ul><li>Future of the standard </li></ul><ul><li>Implementation issues </li></ul>✓
  3. 3. Standard Evolution 1995 1998 Initiative from Department of Trade and Industry BS 7799 Part 1 BS 7799 Part 2 1999 New issue of BS 7799 Part 1 & 2 2000 ISO/IEC 17799:2000 2001 BS 7799-2:2002 (drafted) Sep 2002 BS 7799-2:2002 Passed and accepted Jun 2005 ISO 17799:2005 ISO/IEC 27001:2005 Oct 2005 ✓
  5. 5. Standard Organization ✓ Compliance A.15 Business Continuity Management A.14 Information Security Incident Management A.13 Information Systems Acquisition, Development and Maintenance A.12 Access Control A.11 Communications and Operations Management A.10 Physical and Environmental Security A.9 Human Resources Security A.8 Asset Management A.7 Organization of Information Security A.6 Information Security Policy A.5 ISMS improvement 8 Management review of the ISMS 7 Internal ISMS Audits 6 Management Responsibility 5 Information Security Management System 4
  6. 6. Standard Organization (contd.) Security policy Access control Asset Management Organization of Information Security Human Resources Security Physical and Environmental security Communications and operations management Information Systems Acquisition Development and Maintenance Information Incident Security Management Business Continuity Management Information Integrity Confidentiality Availability Compliance ✓
  7. 7. Future of the standard ✓ Risk Management (BS 7799-3) 27005 Metrics and Measurement 27004 Implementation Guidance 27003 Code of Practice (ISO17799:2005) 27002 Specification 27001 Vocabulary and definitions 27000 Description ISO/IEC Standard
  8. 8. What is an implementation issue? <ul><li>Standard directly demands and not complied with </li></ul><ul><li>Diluted implementation </li></ul><ul><li>Mis-interpretation of the standard </li></ul>✓
  9. 9. Implementation Issues - Scope <ul><li>Scope of ISMS </li></ul><ul><ul><li>Scope is very hazy, not including all the assets and technology </li></ul></ul><ul><li>A good example of ISMS scope </li></ul><ul><ul><li>The ISMS scope covers all critical systems, applications, networks, telecommunication links, human resources, and information assets. The scope also includes business operations, administrative functions, customer information, buildings, equipment, tools and utilities used in the execution of business of the organization at site A and site B. </li></ul></ul>✓
  10. 10. Implementation Issues - Policy <ul><li>Security Policy </li></ul><ul><ul><li>Not visible in the organization </li></ul></ul><ul><ul><li>Not spread across the organization </li></ul></ul><ul><ul><li>Does not help in arriving at security objectives </li></ul></ul><ul><li>Other Policies </li></ul><ul><ul><li>Many other policies not defined </li></ul></ul><ul><ul><li>Eg. Clear Desk Clear Screen policy </li></ul></ul><ul><ul><li>Mobile computing policy, Teleworking policy </li></ul></ul>✓
  11. 11. Implementation Issues – Risk Assessment <ul><li>Risk assessment not systematic </li></ul><ul><li>Risk assessment kicked off with false comfort of existing controls </li></ul><ul><li>Some core assets not identified </li></ul><ul><ul><li>Eg. Design document in an IT organization </li></ul></ul><ul><li>Arriving at acceptable risk level not scientific </li></ul><ul><li>Projects a no-residual-risk scenario </li></ul>✓
  12. 12. Implementation Issues – SoA Preparation <ul><li>Only exclusions justified, inclusions should also be justified </li></ul><ul><li>Bi-directional tracing from risks to control and vice versa absent </li></ul>✓
  13. 13. Implementation Issues – Monitoring <ul><li>Info security review very weak </li></ul><ul><li>Obsolete risks not removed </li></ul><ul><li>New risks not fully added </li></ul>✓
  14. 14. Implementation Issues – Internal Audit <ul><li>Predominantly CISO and team are the Auditees </li></ul><ul><li>Sampling of other asset owners rare </li></ul><ul><li>Absence of qualified internal auditors </li></ul>✓
  15. 15. Implementation Issues – Management Review <ul><li>All review inputs as required by the standard not addressed </li></ul><ul><li>Management appreciation for security issues very low </li></ul>✓
  16. 16. Implementation Issues – Improvement <ul><li>CA is more prevalent than PA </li></ul><ul><li>Analysis of incidents / non-compliances weak </li></ul>✓
  17. 17. Implementation Issues – External Parties <ul><li>Third party agreements do not stress security requirements </li></ul><ul><li>Third party Vendors not conspicuously identified in the facility </li></ul>✓
  18. 18. Implementation Issues – Asset Management <ul><li>Server based software owners are identified but not their custodians </li></ul><ul><li>Only critical IT assets identified </li></ul><ul><li>Some core assets not properly identified </li></ul><ul><li>Asset labeling improper </li></ul>✓
  19. 19. Implementation Issues – H R security <ul><li>No systematic screening </li></ul><ul><li>Awareness training weak </li></ul><ul><li>Removal of access rights weak </li></ul><ul><li>Awareness of social engineering very low </li></ul>✓
  20. 20. Implementation Issues – Physical and Environmental Security <ul><li>Network cables run outside the security perimeter </li></ul><ul><li>No controls on piggy-backing </li></ul><ul><li>Structured cabling absent </li></ul><ul><li>Security of equipment off-premises very weak </li></ul><ul><li>Movement of media eg. CDs not-controlled </li></ul>✓
  21. 21. Implementation Issues – Communications and Operations Management <ul><li>Disposal of media very weak </li></ul><ul><li>Safety of media-in-transit not properly addressed </li></ul><ul><li>Logs not reviewed periodically </li></ul><ul><li>Clock synchronization not done </li></ul>✓
  22. 22. Implementation Issues – Access Control <ul><li>Privilege management weak </li></ul><ul><li>Printouts on printers not picked </li></ul><ul><li>Clear desk clear screen policy most violated </li></ul><ul><li>Unabated installation of freeware, shareware etc. </li></ul><ul><li>Laptops don’t have updated virus signature </li></ul>✓
  23. 23. Implementation Issues – IS acquisition, development and maintenance <ul><li>Applies only for the IS developed to run the business Eg. ERP, Enterprise Project Management etc. </li></ul><ul><li>Impact analysis to changes very weak </li></ul><ul><li>Fallback plan on a un-successful software upgrade weak </li></ul>✓
  24. 24. Implementation Issues – Incident Management <ul><li>Incident management seen as an ‘impossible activity’ </li></ul><ul><li>Awareness to report an incident very low </li></ul>✓
  25. 25. Implementation Issues – BCP <ul><li>BCPs are static </li></ul><ul><li>Scale of BCP very low vis-à-vis business need </li></ul><ul><li>BCP Testing not done </li></ul>✓
  26. 26. Implementation Issues – Compliance <ul><li>One comprehensive list of applicable rules & regulations absent </li></ul>✓
  27. 27. Queries <ul><li>Floor is yours…! </li></ul>✓
  28. 28. Thank You… R.Ramkumar