Tammy Clark, profile picture
Uploaded byTammy Clark
542 views

Gs Us Roadmap For A World Class Information Security Management System– Isoiec 270012005

GSU is developing an Information Security Management System (ISMS) based on the ISO/IEC 27001 standard to protect the university's reputation, ensure security and availability of information, and reduce risks. The roadmap involves strategic planning, continuous reviews and improvements, and incremental implementation of controls. It will align information security with business goals and provide comprehensive, auditable best practices for managing risks through plans, implementation, monitoring, and improvements.

Embed presentation

GSU's Roadmap for a World-Class Information Security Management System– ISO/IEC 27001:2005 Tammy Clark, Chief Information Security Officer, William Monahan , Lead Information Security Administrator “ You will now have a starting place and a destination, and you will be able to determine what it will cost you to get there. You will be going someplace.” H. Stanley Judd
GSU’s Information Security Roadmap JL Albert’s (CIO) Vision and Support Strategic & Tactical Planning Alignment with academic/ business objectives Incremental and distributed deployments Continuous cycles of reviews and improvements
Strategic Choices Determine Our Direction… WHY develop a World-Class Information Security Management System ( ISMS )? Critical success factors Using the ISO/IEC 27001-27002 Overview of ISO 27002 Advantages of Using ISO 27001/27002 Deming’s “ Plan, Do, Check, Act ” model Building an Information Security Management System WHICH ROAD DO I CHOOSE??! HOW DO I GET THERE??! WHERE DO I WANT TO GO?
What a Long and Exhausting Road Trip! (Why Implement an ISMS?!) Protect the university’s reputation Stop chasing compliance (with legal and contractual requirements) Ensure CIA (confidentiality, integrity, and availability) and reduce the chances of business disruptions Reduce exposure for illegal or malicious acts committed with the university's information technology resources Ensure effective control and continuous improvement of information security Implement a comprehensive approach (far beyond technical sphere) –close the gaps
Navigate Around Traffic Jams and Slow Downs (Critical Success Factors) Align your course in parallel with strategic information technology and business goals & objectives Provide a good set of directions to your navigator (and convince him to drive)! Set realistic and attainable milestones upfront—and be prepared to handle obstacles Get everyone traveling in the same direction Advance your initiative down the road successfully through collaborations with key University stakeholders Avoid accidents and dead ends ! Continually work behind the scenes to promote the synergy of people, processes & technology
Chart a Course to Your Destination Using ISO/IEC 27001 and 27002 ISO/IEC 27001 Requirements  Certification This process involves the auditing of an ISO/IEC 27002:2005 compliant ISMS to the requirements of ISO/IEC 27001:2005. The ISMS will be audited by an accredited certification body Uses the word “shall” . ISO/IEC 27002 Code of Practice  Compliance Users of the ISO/IEC 27002 framework need to carry out a risk assessment to identify which controls are relevant to their own business environment and implement them. The standard is also intended to provide a guide for the development of "organizational security standards and effective security management practices” Uses the word “should” .
Quick Overview of ISO 27002 Covers 11 information security ‘domains’: Information Security Policy Organization of information security Asset Management Human resource security Physical and environmental security Communication and operations management Access control Information systems acquisition, development and maintenance Information security incident management Business continuity management Compliance 39 security objectives and a total of 133 separate controls Using its baseline security approach enables an enterprise to increase security levels using existing resources without additional costs Comprehensive & holistic Favors incremental deployment of controls
Advantages of Using ISO 27001 Flexible and comprehensive ‘umbrella’ framework for your information security program Integrated into ITIL v3 (ISO 20000) Same process approach as ISO 9000 Total Quality Management Series and ISO 20000 Service Management Process (Plan-Do-Check-Act) A Framework which provides a structure that organizations can follow. Helps everyone to be “on the same page” because they can see what is expected. Information security best practices Auditable
Plan-Do-Check-Act A ‘cycle’ of continuous review and improvements Plan—Establish Do—Implement and Operate Check—Monitor and Review Act—Maintain and Improve
PLAN Phase - Establish Your ISMS Define the Scope and Boundary of the ISMS. Define an ISMS Policy. Define the risk assessment approach Identify, analyze and evaluate the risks to the assets identified in your scope and select risk treatment options. Select controls and control objectives, reasons for selection and prepare a Statement of Applicability. Obtain management approval of the proposed residual risks. Obtain management authorization to implement and operate ISMS.
DO Phase-Implement Your ISMS Formulate and implement your Risk Treatment Plan (RTP) Implement selected controls to meet your control objectives Define metrics to measure the effectiveness of your controls Implement a training and awareness program Manage operations in accordance with identified controls, policies and procedures Implement procedures and controls to manage incidents
CHECK Phase-Monitor and Review Your ISMS Execute monitoring and review procedures: Documentary evidence of monitoring such as logs, records, files Measure effectiveness (metrics) Review risk assessments Conduct internal ISMS audits Management Reviews Update Security Plans Record actions and events
ACT Phase-Maintain and Improve the ISMS Implement identified improvements Take appropriate corrective and preventive actions Communicate actions & improvements to interested parties Ensure improvements meet objectives
Tactical Actions Moving Us Closer to Our Destination… Annual Security Plan based on ISO 27002 Risk Management Automated Governance, Risk and Compliance (Proteus) Communicate/Cooperate/ Collaborate What Areas Pose the Greatest Risk??! Do You Have a Plan??! Can We All Work Together?
Annual Security Plan based on ISO 27002 (If You Don't Know Where You're Going, Any Road Will Get You There) Began in 2004 – First Plan was Painful Incremental Approach – 27002 Requirements – Status of Security – Proposed Action Items Plan is a Moving Target – New Legislation, Standard, & Compliance Requirements Tool to Solicit/Incorporate Feedback
Risk Assessments (Vote early and vote often) Risk Assessment Policy in 2005 – Required in ISO 17799:2005 update – Approximately 50 Reviews/Year (and growing ) A Lot of Benefits from Proactive Approach – More Secure/Robust Services – Found/Curtailed Some Craziness – The Auditor Effect – Foster/Strengthen Relationships & Understanding –
Risk Management System (Trust But Verify) Trusted Third Party (Internal Audit) is Required – Ensures Controls Were Adequate/Commensurate – Ensures Controls Were Implemented in Timely Manner We Must Continuously Reevaluate Risk
Automated Governance, Risk and Compliance (Proteus) Online audit any part of your organization against any standard Create an Information Security focused asset register Define roles with meaning Do business impact analysis simply & easily Identify the key services, assets & data which need Business Continuity or DR Perform Risk Assessments, simply & easily Incident reporting with a difference Build a central policy register Helps you plan your security investment Provides you with a real time RiskView Online audit of external suppliers, saves time & money Links assets to legislation/controls Roles linked to controls/policy/procedures Quick win, keeps risk business focused Reduce exposure Reduces risks with countermeasures Instantaneously sizes problem Supports the audit process Spend effectively & wisely Manage more effectively
Some of the Benefits of Proteus “ The first rule of any technology used in a business is that automation applied to an efficient operation will magnify the efficiency. The second is that automation applied to an inefficient operation will magnify the inefficiency.” - Bill Gates One Repository for ISMS Materials - Policies, Procedures, Objective Evidence, Action Plans… Good Discretionary Access Control – Can Assign Access to Sites (Audit Points) – Centralized Control/Distributed Administration Workflow Engine helps you collect information and stay in compliance
Communicate/Cooperate/Collaborate Centralized Control/Distributed Administration Model – IntruShield IPS, ISS SiteProtector, Symantec System Center Console, Proteus, On Line Security Awareness Classes, PGP Full Disk Encryption... Hyper Communicate – Monthly ITSSS, NEO, Web Presence… It is all about Relationships! – Know/Trust/Like
Governance Training BSI Americas Information Security Training – ISO 27001/ISMS http://www.bsiamericas.com/TrainingInformationSecurity/index.xalter HISP (Holistic Information Security Practitioner) Training/Certification http://www.hispcertification.org/
References ISO/IEC 27001 standard BS 7799-3:2006 (Risk Mgt) BS 25999 (Business Continuity) BIP 0071-0074 (ISMS Guidance Series from BSI) ISO/IEC 27002 standard (ISO/IEC 27001:2005 in plain English) http://www.praxiom.com/iso-27001-overview.htm (ISO/IEC 27002:2005 in plain English) http://www.praxiom.com/iso-17799-overview.htm
Questions? Feel free to write us! Tammy Clark (tlclark@gsu.edu) William Monahan (wmonahan@gsu.edu) T Copyright Tammy L. Clark, October 2007. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and with permission of author.

More Related Content

PPT
Developing A Risk Based Information Security Program
byTammy Clark
 
PPT
Use of the COBIT Security Baseline
byBarry Caplin
 
PPT
Security policy
byDhani Ahmad
 
PDF
Iso 27001 Checklist
byCraig Willetts ISO Expert
 
PDF
Implementing a Security Framework based on ISO/IEC 27002
bypgpmikey
 
PPTX
Presentation on iso 27001-2013, Internal Auditing and BCM
byShantanu Rai
 
PPTX
The Fundamentals of HIPAA Privacy & Security Risk Management
byKeySys Health
 
PPT
The best way to use ISO 27001
bypowertech
 
Developing A Risk Based Information Security Program
byTammy Clark
 
Use of the COBIT Security Baseline
byBarry Caplin
 
Security policy
byDhani Ahmad
 
Iso 27001 Checklist
byCraig Willetts ISO Expert
 
Implementing a Security Framework based on ISO/IEC 27002
bypgpmikey
 
Presentation on iso 27001-2013, Internal Auditing and BCM
byShantanu Rai
 
The Fundamentals of HIPAA Privacy & Security Risk Management
byKeySys Health
 
The best way to use ISO 27001
bypowertech
 

What's hot

PPTX
What is iso 27001 isms
byCraig Willetts ISO Expert
 
PDF
Isms awareness presentation
byPranay Kumar
 
PDF
Steps to iso 27001 implementation
byRalf Braga
 
PPTX
Iso27001 Audit Services
bymcloete
 
PDF
Iso 27001 metrics and implementation guide
bymfmurat
 
PPTX
Security Policies and Standards
byprimeteacher32
 
PPTX
ISO 27005 - Digital Trust Framework
byMaganathin Veeraragaloo
 
PPT
Information Security Management Systems(ISMS) By Dr Wafula
byDiscover JKUAT
 
PPTX
Isms
bypenetration Tester
 
PDF
How Does the New ISO 27001 Impact Your IT Risk Management Processes?
byLars Neupart
 
PPT
ISMS implementation challenges-KASYS
byReza Teynia ISMS, ITSM, MSc
 
PDF
Iso 27001 2013
byMagda CHELLY, Ph.D, S-CISO, CISSP®
 
PDF
Information Security Risk Management Overview
byWesley Moore
 
PDF
Information security management system (isms) overview
byJulia Urbina-Pineda
 
PPT
Implementing security
byDhani Ahmad
 
DOCX
Iso 27001 2013 Standard Requirements
byUppala Anand
 
PPTX
Information Security Governance and Strategy
byDam Frank
 
DOCX
Business continuity-plan-template
byMohamed Owaish
 
PDF
How the the 2013 update of ISO 27001 Impacts your Risk Management
byLars Neupart
 
What is iso 27001 isms
byCraig Willetts ISO Expert
 
Isms awareness presentation
byPranay Kumar
 
Steps to iso 27001 implementation
byRalf Braga
 
Iso27001 Audit Services
bymcloete
 
Iso 27001 metrics and implementation guide
bymfmurat
 
Security Policies and Standards
byprimeteacher32
 
ISO 27005 - Digital Trust Framework
byMaganathin Veeraragaloo
 
Information Security Management Systems(ISMS) By Dr Wafula
byDiscover JKUAT
 
Isms
bypenetration Tester
 
How Does the New ISO 27001 Impact Your IT Risk Management Processes?
byLars Neupart
 
ISMS implementation challenges-KASYS
byReza Teynia ISMS, ITSM, MSc
 
Iso 27001 2013
byMagda CHELLY, Ph.D, S-CISO, CISSP®
 
Information Security Risk Management Overview
byWesley Moore
 
Information security management system (isms) overview
byJulia Urbina-Pineda
 
Implementing security
byDhani Ahmad
 
Iso 27001 2013 Standard Requirements
byUppala Anand
 
Information Security Governance and Strategy
byDam Frank
 
Business continuity-plan-template
byMohamed Owaish
 
How the the 2013 update of ISO 27001 Impacts your Risk Management
byLars Neupart
 

Viewers also liked

PPTX
Road map to safety ppt
byDoug Crann
 
PDF
Enterprise Mobility - Strong Mobile Strategy (7 steps to get you started)
byTkXel
 
PPT
Enterprise Mobility Strategy
byFreeform Dynamics
 
PDF
Code coverage
byVijayan Reddy
 
PPTX
Roadmap to world class safety for
byvinuvinu
 
PDF
Code Coverage
byErnani Omar Cruz
 
PPT
Code coverage
byReturn on Intelligence
 
PPTX
BT Global Services - Our approach to Innovation
byGrace Kermani
 
PDF
Finding Bugs Faster with Assertion Based Verification (ABV)
byDVClub
 
PPTX
Mobile roadmap & maturity model
byPatrick McLean
 
PDF
Code Coverage Revised : EclEmma on JaCoCo
byEvgeny Mandrikov
 
PPT
New product development cycle model
byMohit Singla
 
PPTX
Code coverage analysis in testing
byNi
 
PPTX
New product development strategy style 5 powerpoint presentation templates
bySlideTeam.net
 
PDF
Session 7 code_functional_coverage
byNirav Desai
 
PDF
Pragmatic Code Coverage
byAlexandre (Shura) Iline
 
PDF
Code coverage & tools
byRajesh Kumar
 
PDF
Build a successful enterprise mobility strategy
byAjit Gokhale
 
PPTX
Developing a Modern Mobile App Strategy
byTodd Anglin
 
PDF
Tma World Viewpoint: Building Global Alignment Through Enterprise Wide Learning
byTMA World
 
Road map to safety ppt
byDoug Crann
 
Enterprise Mobility - Strong Mobile Strategy (7 steps to get you started)
byTkXel
 
Enterprise Mobility Strategy
byFreeform Dynamics
 
Code coverage
byVijayan Reddy
 
Roadmap to world class safety for
byvinuvinu
 
Code Coverage
byErnani Omar Cruz
 
Code coverage
byReturn on Intelligence
 
BT Global Services - Our approach to Innovation
byGrace Kermani
 
Finding Bugs Faster with Assertion Based Verification (ABV)
byDVClub
 
Mobile roadmap & maturity model
byPatrick McLean
 
Code Coverage Revised : EclEmma on JaCoCo
byEvgeny Mandrikov
 
New product development cycle model
byMohit Singla
 
Code coverage analysis in testing
byNi
 
New product development strategy style 5 powerpoint presentation templates
bySlideTeam.net
 
Session 7 code_functional_coverage
byNirav Desai
 
Pragmatic Code Coverage
byAlexandre (Shura) Iline
 
Code coverage & tools
byRajesh Kumar
 
Build a successful enterprise mobility strategy
byAjit Gokhale
 
Developing a Modern Mobile App Strategy
byTodd Anglin
 
Tma World Viewpoint: Building Global Alignment Through Enterprise Wide Learning
byTMA World
 

Similar to Gs Us Roadmap For A World Class Information Security Management System– Isoiec 270012005

PPTX
Iso 27001 awareness
byÃsħâr Ãâlâm
 
PPT
isms-presentation.ppt
byHasnolAhmad2
 
PPT
Is awareness government
byHamisi Kibonde
 
PDF
ISO27001: Implementation & Certification Process Overview
byShankar Subramaniyan
 
PPTX
Information Security Management System ISO/IEC 27001:2005
byControlCase
 
PPTX
Information security
byavinashbalakrishnan2
 
PPT
ISMS Requirements
byhumanus2
 
PDF
ISO 27001
byn|u - The Open Security Community
 
PPT
ISMS Part I
bykhushboo
 
PPT
Iso27001 Isaca Seminar (23 May 08)
bysamsontamwaiho
 
PDF
A to Z of Information Security Management
byMark Conway
 
PPTX
Iso 27001 isms presentation
byMidhun Nirmal
 
PPTX
Information security management system
byArani Srinivasan
 
PPT
Overview of ISO 27001 ISMS
byAkhil Garg
 
PPT
University iso 27001 bgys intro and certification lami kaya may2012
byHakem Filiz
 
PPT
Iso27001 Isaca Seminar (23 May 08)
bysamsontamwaiho
 
PPT
4 System For Information Security
byAna Meskovska
 
PDF
G12: Implementation to Business Value
byHyTrust
 
PDF
ISO_27001___2005_OASIS
byDermot Clarke
 
DOC
Reporting about Overview Summery of ISO-27000 Se.(ISMS)
byAHM Pervej Kabir
 
Iso 27001 awareness
byÃsħâr Ãâlâm
 
isms-presentation.ppt
byHasnolAhmad2
 
Is awareness government
byHamisi Kibonde
 
ISO27001: Implementation & Certification Process Overview
byShankar Subramaniyan
 
Information Security Management System ISO/IEC 27001:2005
byControlCase
 
Information security
byavinashbalakrishnan2
 
ISMS Requirements
byhumanus2
 
ISO 27001
byn|u - The Open Security Community
 
ISMS Part I
bykhushboo
 
Iso27001 Isaca Seminar (23 May 08)
bysamsontamwaiho
 
A to Z of Information Security Management
byMark Conway
 
Iso 27001 isms presentation
byMidhun Nirmal
 
Information security management system
byArani Srinivasan
 
Overview of ISO 27001 ISMS
byAkhil Garg
 
University iso 27001 bgys intro and certification lami kaya may2012
byHakem Filiz
 
Iso27001 Isaca Seminar (23 May 08)
bysamsontamwaiho
 
4 System For Information Security
byAna Meskovska
 
G12: Implementation to Business Value
byHyTrust
 
ISO_27001___2005_OASIS
byDermot Clarke
 
Reporting about Overview Summery of ISO-27000 Se.(ISMS)
byAHM Pervej Kabir
 

More from Tammy Clark

PPT
Start With A Great Information Security Plan!
byTammy Clark
 
PPT
Supplement To Student Guide Seminar 03 A 3 Nov09
byTammy Clark
 
PPT
How Do You Create A Successful Information Security Program Hire A Great Iso!!
byTammy Clark
 
PPT
How Technology, People, And Processes Converged To Achieve A 95 Percent Reduc...
byTammy Clark
 
PPT
How To Successfully Defend Against Irc Bots, Compromises, And Information Leaks
byTammy Clark
 
PPT
The Impact Of Breaches On Higher Ed Tlc 27 Sep09
byTammy Clark
 
PPTX
The Cost Of Preventing Breaches Educause Nat Conf Denver Nov 09
byTammy Clark
 
PPT
Giving The Heave Ho To Worms, Spyware, And Bots!
byTammy Clark
 
PPT
Mc Afee And Georgia State University Taking Aim At Network Intruders With I...
byTammy Clark
 
Start With A Great Information Security Plan!
byTammy Clark
 
Supplement To Student Guide Seminar 03 A 3 Nov09
byTammy Clark
 
How Do You Create A Successful Information Security Program Hire A Great Iso!!
byTammy Clark
 
How Technology, People, And Processes Converged To Achieve A 95 Percent Reduc...
byTammy Clark
 
How To Successfully Defend Against Irc Bots, Compromises, And Information Leaks
byTammy Clark
 
The Impact Of Breaches On Higher Ed Tlc 27 Sep09
byTammy Clark
 
The Cost Of Preventing Breaches Educause Nat Conf Denver Nov 09
byTammy Clark
 
Giving The Heave Ho To Worms, Spyware, And Bots!
byTammy Clark
 
Mc Afee And Georgia State University Taking Aim At Network Intruders With I...
byTammy Clark
 

Recently uploaded

PPTX
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
PPTX
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
PDF
API-First Architecture in Financial Systems
bycyy111112
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PPTX
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
PDF
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PDF
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
PPTX
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
PPTX
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
PDF
December Patch Tuesday
byIvanti
 
PDF
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PPTX
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
PPTX
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
PPTX
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
PDF
GPUS and How to Program Them by Manya Bansal
byScyllaDB
 
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
API-First Architecture in Financial Systems
bycyy111112
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
December Patch Tuesday
byIvanti
 
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
The year in review - MarvelClient in 2025
bypanagenda
 
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
GPUS and How to Program Them by Manya Bansal
byScyllaDB
 

Gs Us Roadmap For A World Class Information Security Management System– Isoiec 270012005

  • 1.
    GSU's Roadmap fora World-Class Information Security Management System– ISO/IEC 27001:2005 Tammy Clark, Chief Information Security Officer, William Monahan , Lead Information Security Administrator “ You will now have a starting place and a destination, and you will be able to determine what it will cost you to get there. You will be going someplace.” H. Stanley Judd
  • 2.
    GSU’s Information SecurityRoadmap JL Albert’s (CIO) Vision and Support Strategic & Tactical Planning Alignment with academic/ business objectives Incremental and distributed deployments Continuous cycles of reviews and improvements
  • 3.
    Strategic Choices DetermineOur Direction… WHY develop a World-Class Information Security Management System ( ISMS )? Critical success factors Using the ISO/IEC 27001-27002 Overview of ISO 27002 Advantages of Using ISO 27001/27002 Deming’s “ Plan, Do, Check, Act ” model Building an Information Security Management System WHICH ROAD DO I CHOOSE??! HOW DO I GET THERE??! WHERE DO I WANT TO GO?
  • 4.
    What a Longand Exhausting Road Trip! (Why Implement an ISMS?!) Protect the university’s reputation Stop chasing compliance (with legal and contractual requirements) Ensure CIA (confidentiality, integrity, and availability) and reduce the chances of business disruptions Reduce exposure for illegal or malicious acts committed with the university's information technology resources Ensure effective control and continuous improvement of information security Implement a comprehensive approach (far beyond technical sphere) –close the gaps
  • 5.
    Navigate Around TrafficJams and Slow Downs (Critical Success Factors) Align your course in parallel with strategic information technology and business goals & objectives Provide a good set of directions to your navigator (and convince him to drive)! Set realistic and attainable milestones upfront—and be prepared to handle obstacles Get everyone traveling in the same direction Advance your initiative down the road successfully through collaborations with key University stakeholders Avoid accidents and dead ends ! Continually work behind the scenes to promote the synergy of people, processes & technology
  • 6.
    Chart a Courseto Your Destination Using ISO/IEC 27001 and 27002 ISO/IEC 27001 Requirements  Certification This process involves the auditing of an ISO/IEC 27002:2005 compliant ISMS to the requirements of ISO/IEC 27001:2005. The ISMS will be audited by an accredited certification body Uses the word “shall” . ISO/IEC 27002 Code of Practice  Compliance Users of the ISO/IEC 27002 framework need to carry out a risk assessment to identify which controls are relevant to their own business environment and implement them. The standard is also intended to provide a guide for the development of "organizational security standards and effective security management practices” Uses the word “should” .
  • 7.
    Quick Overview ofISO 27002 Covers 11 information security ‘domains’: Information Security Policy Organization of information security Asset Management Human resource security Physical and environmental security Communication and operations management Access control Information systems acquisition, development and maintenance Information security incident management Business continuity management Compliance 39 security objectives and a total of 133 separate controls Using its baseline security approach enables an enterprise to increase security levels using existing resources without additional costs Comprehensive & holistic Favors incremental deployment of controls
  • 8.
    Advantages of Using ISO 27001 Flexible and comprehensive ‘umbrella’ framework for your information security program Integrated into ITIL v3 (ISO 20000) Same process approach as ISO 9000 Total Quality Management Series and ISO 20000 Service Management Process (Plan-Do-Check-Act) A Framework which provides a structure that organizations can follow. Helps everyone to be “on the same page” because they can see what is expected. Information security best practices Auditable
  • 9.
    Plan-Do-Check-Act A ‘cycle’of continuous review and improvements Plan—Establish Do—Implement and Operate Check—Monitor and Review Act—Maintain and Improve
  • 10.
    PLAN Phase -Establish Your ISMS Define the Scope and Boundary of the ISMS. Define an ISMS Policy. Define the risk assessment approach Identify, analyze and evaluate the risks to the assets identified in your scope and select risk treatment options. Select controls and control objectives, reasons for selection and prepare a Statement of Applicability. Obtain management approval of the proposed residual risks. Obtain management authorization to implement and operate ISMS.
  • 11.
    DO Phase-Implement YourISMS Formulate and implement your Risk Treatment Plan (RTP) Implement selected controls to meet your control objectives Define metrics to measure the effectiveness of your controls Implement a training and awareness program Manage operations in accordance with identified controls, policies and procedures Implement procedures and controls to manage incidents
  • 12.
    CHECKPhase-Monitor and Review Your ISMS Execute monitoring and review procedures: Documentary evidence of monitoring such as logs, records, files Measure effectiveness (metrics) Review risk assessments Conduct internal ISMS audits Management Reviews Update Security Plans Record actions and events
  • 13.
    ACTPhase-Maintain and Improve the ISMS Implement identified improvements Take appropriate corrective and preventive actions Communicate actions & improvements to interested parties Ensure improvements meet objectives
  • 14.
    Tactical Actions MovingUs Closer to Our Destination… Annual Security Plan based on ISO 27002 Risk Management Automated Governance, Risk and Compliance (Proteus) Communicate/Cooperate/ Collaborate What Areas Pose the Greatest Risk??! Do You Have a Plan??! Can We All Work Together?
  • 15.
    Annual Security Planbased on ISO 27002 (If You Don't Know Where You're Going, Any Road Will Get You There) Began in 2004 – First Plan was Painful Incremental Approach – 27002 Requirements – Status of Security – Proposed Action Items Plan is a Moving Target – New Legislation, Standard, & Compliance Requirements Tool to Solicit/Incorporate Feedback
  • 16.
    Risk Assessments (Voteearly and vote often) Risk Assessment Policy in 2005 – Required in ISO 17799:2005 update – Approximately 50 Reviews/Year (and growing ) A Lot of Benefits from Proactive Approach – More Secure/Robust Services – Found/Curtailed Some Craziness – The Auditor Effect – Foster/Strengthen Relationships & Understanding –
  • 17.
    Risk Management System(Trust But Verify) Trusted Third Party (Internal Audit) is Required – Ensures Controls Were Adequate/Commensurate – Ensures Controls Were Implemented in Timely Manner We Must Continuously Reevaluate Risk
  • 18.
    Automated Governance, Riskand Compliance (Proteus) Online audit any part of your organization against any standard Create an Information Security focused asset register Define roles with meaning Do business impact analysis simply & easily Identify the key services, assets & data which need Business Continuity or DR Perform Risk Assessments, simply & easily Incident reporting with a difference Build a central policy register Helps you plan your security investment Provides you with a real time RiskView Online audit of external suppliers, saves time & money Links assets to legislation/controls Roles linked to controls/policy/procedures Quick win, keeps risk business focused Reduce exposure Reduces risks with countermeasures Instantaneously sizes problem Supports the audit process Spend effectively & wisely Manage more effectively
  • 19.
    Some of theBenefits of Proteus “ The first rule of any technology used in a business is that automation applied to an efficient operation will magnify the efficiency. The second is that automation applied to an inefficient operation will magnify the inefficiency.” - Bill Gates One Repository for ISMS Materials - Policies, Procedures, Objective Evidence, Action Plans… Good Discretionary Access Control – Can Assign Access to Sites (Audit Points) – Centralized Control/Distributed Administration Workflow Engine helps you collect information and stay in compliance
  • 20.
    Communicate/Cooperate/Collaborate Centralized Control/DistributedAdministration Model – IntruShield IPS, ISS SiteProtector, Symantec System Center Console, Proteus, On Line Security Awareness Classes, PGP Full Disk Encryption... Hyper Communicate – Monthly ITSSS, NEO, Web Presence… It is all about Relationships! – Know/Trust/Like
  • 21.
    Governance Training BSIAmericas Information Security Training – ISO 27001/ISMS http://www.bsiamericas.com/TrainingInformationSecurity/index.xalter HISP (Holistic Information Security Practitioner) Training/Certification http://www.hispcertification.org/
  • 22.
    References ISO/IEC 27001standard BS 7799-3:2006 (Risk Mgt) BS 25999 (Business Continuity) BIP 0071-0074 (ISMS Guidance Series from BSI) ISO/IEC 27002 standard (ISO/IEC 27001:2005 in plain English) http://www.praxiom.com/iso-27001-overview.htm (ISO/IEC 27002:2005 in plain English) http://www.praxiom.com/iso-17799-overview.htm
  • 23.
    Questions? Feel freeto write us! Tammy Clark (tlclark@gsu.edu) William Monahan (wmonahan@gsu.edu) T Copyright Tammy L. Clark, October 2007. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and with permission of author.

Editor's Notes

  • #2 Background: GSU is located in downtown Atlanta – approximately 27,000 students (undergraduate & graduate) - second largest university in Georgia. CIO – JL Albert Information Security Program – Tammy Clark (CISO), William Monahan (Information Security Lead Admin), Miss Nancy Chang (Information Security Intermediate). Started aligning the university’s security plan with ISO 17799 (now ISO 27002) in September of 2004 (what the standard says – current state of security– strategic & tactical goals) – incrementally have addressed the 133 controls (risk assessments, data classification, incident response, security awareness training…) – taking it to the next level with ISO 27001 ((ISMS) = controls + governance))
  • #3 Can only provide a 3000’ view of our ISMS activities in 45 minutes. It is all about governance – In the early stages of the GSU Information Security program (2000-2004), a myriad of initiatives, processes (technology/people/processes) were introduced to the enterprise. The program evolved from reactive mode (chasing the threats and problems) to proactive (managing information security, large scale incident reductions, preventive and corrective actions). From late 2004 – 2006, the next phase of the program was a campus wide effort to comply with ISO 27002 (17799), through assessing the control objectives, individual controls and ensuring that GSU was either mitigating risk, accepting risk, transferring risk, or not affected…all of which had to be justified by top management and University IT department heads and managers. Finally, in 2007, our CIO JL Albert went forward in championing the initiative to get 2 areas of the University certified under ISO 27001. From Nov 2005 going forward, a major paradigm shift happened at GSU, when the Security Review policy was brought forward by JL to the President, and sanctioned/mandated security reviews on IT projects that cost over $4999. JL instituted an ITPR process which included a security review and approval as the final step in the process. This allowed Information Security to recommend controls and re-engineered processes that integrated information security into the departments’ business processes. The resultant effect has been that the university’s information security program is viewed as a business enabler, a change agent, and integral to the success of the University’s academic and business objectives.
  • #4 Strategic planning ensures that University information security program objectives are met in a consistent, measureable, and cost effective manner. It provides an umbrella framework that allows for prioritization, gap analysis, metrics, and effective integration of security processes and solutions into the University’s infrastructure. At the strategic operational level, there is a consistent push each year to prioritize action items based on the results of targeted risk assessments, regulatory and policy implications and/or guidance, and University strategic academic and business goals. This all works behind the scenes to keep the information security program poised to take advantage of opportunities to integrate into business processes, influence decisions of top management about future directions of information technology, and build the perception that information security adds value to the overall enterprise.
  • #5 Meeting between Mao and Dr. Kissinger – you have to sell 27001. Selling Points for Top Management – Protecting the university’s reputation. Compliance More robust and reliable infrastructure due to the reduction of business discontinuities that arise when security defenses are breached. Avoid liability for illegal or malicious acts committed with the university's computer or network resources. Selling Points for Key Enterprise Stakeholders – Protecting their department’s reputation. Compliance More robust and reliable infrastructure due to the reduction of business discontinuities that arise when security defenses are breached. Avoid liability for illegal or malicious acts committed with the university's computer or network resources. Understanding of Key Strategic and Business Goals – Business objectives and ISMS objectives should be aligned – not just CIA – privacy, nonrepudiation, transparency, ethics, democracy… Researcher example - Identity management/digital signatures/federation via smart card technologies
  • #6 Top Management support is critical. At GSU, our CIO ‘sells’ our ISMS initiative to top management at the University (President, Provost, Deans, VP’s, etc.), while CISO and staff continually promote the concepts and initiatives to middle tier managers and below. All in all, without that level of support and participation that our CIO provides, the chances for success would measurably decrease. You’ve got to find a myriad of ways to demonstrate to your CIO/top management that information security governance is a top priority and critical to the success of your program and initiatives to protect confidential data. COMMUNICATE, COLLABORATE, AND CELEBRATE THE ACHIEVEMENT OF GOALS , SMALL OR LARGE, ALONG THE PATHWAYS TO YOUR FINAL DESTINATION!
  • #7 ISO 27001 Certification The ISO 27001: 2005 certification process is comprised of two steps, which at minimum provides one control into the organization, dependent of its size and its objectives concerning risk management (ISMS scope and limits). The first stage has as a goal the purpose of enabling auditors to understand how an ISMS is registered in the policy, and the risk management objectives of the organization. In this regard, the auditors will have knowledge of documents relating to the creation (definition of scope and limits, control objectives…) and ISMS implementation (assessment report, treatment plans…). An assessment report could be produced. The second stage will be to confirm that the organization, in the process of installing and improving its ISMS, acts in accordance with its policies, objectives, and business processes. It is based on the results of the first stage. This organizational audit will seek to confirm that ISMS complies with the requirements of the ISO 27001: 2005 standard. The auditors will obtain knowledge of the ISMS performance reports, its controls, procedures, and processes. A report audit will be produced, and the certification from the appreciation of certification chosen. The ISO 27001: 2005 certification requires 3 years (repeatable after audit) during which the organization receives monitoring control. Revised in 2005 and renamed in 2007, ISO 27002 is a guide of good practices for information security management which can represent an interest for any type of organization (companies, governmental bodies…) no matter its size or its branch of industry. This standard defines objectives and recommendations in terms of information security and its ambition is to answer global information security concerns in regards to the organizations total activities.
  • #8 Control Objectives (Annex A of ISO 27001)corresponding with the domains in ISO 27002, along with a description of controls: See http://www.praxiom.com/iso-17799-objectives.htm
  • #9 Using the ISO 27000 series to framework your information security program: Compatible with other standards and guidelines Assists with compliance Customizable—not a ‘one size fits all’ approach Favors incremental deployment of controls Assists in integrating business requirements with IT and information security goals/objectives Helps you to prioritize areas of greatest risk/need Consistent and measurable
  • #10 The use of the PDCA model not only assists in the development of a comprehensive and effective Information Security Management System—it also emphasizes development and improvement of policies, objectives, processes and procedures, routine reviews and continuous improvements
  • #11 The Plan phase The plan phase represents the development of the information security management system framework and takes into account the characteristics of the organization (mission, location, assets, activities, corporate culture…) as well as any laws, regulations, and contractual obligations to which it is subjected. When the global framework of information security management is established, it must determine the specific settings of ISMS. Scope—definition is up to you—suggest you take an incremental approach of incorporating two or three areas of your campus such as Information Security, Finance, Alumni and focus on building the framework out before you add additional areas. Should be defined in terms of characteristics of the business: location, assets, technology, take into account interfaces and dependencies ISMS has with other parts of your campus that are not within the scope (HR, Legal, etc.), third parties your campus partners with (in Georgia, the Board of Regents supplies IT support and services to many of the USG campuses) Policy—Keep it clear and succinct; include scope and boundaries; provide management support and direction; set objectives; establish risk assessment criteria Risk Assessment Approach—Up to you to choose the method that works best for your university—with expectation that results are comparable and reproducible
  • #12 The Do phase This step concerns the ISMS implementation and integration within the organization. In this regard, the fist step is the definition of a risk treatment plan, measure system, and efficiency assessment in regards to implemented controls. The measure and assessment system of controls efficiency should enable the production of reproducible and comparable results. This system should consider the rapport between control costs and their efficiency. The second step in the ISMS introduction phase is the implementation regarding the risk treatment plan containing the chosen controls and also a training program. A training program will ensure that individuals are skilled in order to carry out the tasks assigned to them. It also determines the necessary skills for the achievement of their tasks and if necessary to propose training and to evaluate this efficiency. The organization will keep an outline of competences and qualifications acquired. The last step concerns ISMS management and resource sufficiency. It is advisable to make sure that the ISMS established is compatible not only with identified controls but also with the policies and procedures selected. Moreover, in order to ensure the longevity of continuous improvement processes, the organization must identify and provide the necessary resources to introduce, review, maintain and improve the ISMS.
  • #13 The Check phase Opportunity to forge a partnership/collaborative working relationship with your internal auditors. We found that the following encouraged their active participation and interest: --Clearly defined objectives and goals --Attainable scope/certification timeframe --Automated process to audit ISMS that would save time and effort --Future state: demonstrated value of project in terms of time savings for auditors as we bring departments in under our 27001 project, all of the objective evidence will be within our automated system and our internal auditors, provisioned with accounts, will be able to examine a myriad of supporting documentation and processes that allow them to assess risk, compliance, controls, etc. Auditable requirements in ISO 27001: --Required processes: Document control Internal audits Corrective Actions Preventive Actions --Required documentation: Statements of policy and objectives Scope and boundaries Procedures and controls Description of Risk Assessment Methodology Risk Assessment Report and RTP Metrics Objective evidence SOA
  • #14 The Act phase The Check phase should identify any necessary ISMS improvements in order to ensure that the information security risks are correctly managed. An organization must not only implement improvements but also preventive actions in order to anticipate all incapability’s between the different ISMS processes. In this regard, it must consider controls, processes, policies, and procedures already established in order to ensure that ISMS functions will work correctly. It is then necessary to communicate with key stakeholders in connection with actions and implemented improvements in order to preserve the dynamic of continuous improvement. Indeed, the success of this management’s information security approach depends on the full comprehension of ISMS components. Finally, as for each process or action, the organization should ensure, by means of assessment that the evaluation achieves its objectives. This measurement step will allow the documentation of the organization’s risk management progression.
  • #16 If You Don't Know Where You 're Going , Any Road Will Get You There In December of 2004, we developed a holistic, comprehensive security plan based on ISO 17799—133 controls and 11 domain areas As we developed the initial plan, we conducted a ‘state of security’ assessment in each domain area and developed action plans to address deficiencies We modify our plan each year to incorporate changes in the ISO 17799 standard, as well as new requirements due to compliance legislation, university policies, risk analyses We also develop action plans each year which lead to the addition of policies, procedures, and new solutions being layered into our security infrastructure
  • #17 Vote early and vote often GSU implemented a Risk Assessment policy in November of 2005 (as a byproduct of updated ISO 17799:2005 updates) – are conducting approximately 50 risk assessments per year – this proactive approach has yielded big dividends Not just about recommending managerial and technical controls – have improved efficiencies via Risk Assessments (secure LDAP) Most nonconformities are a result of recommendations not being implemented or undue delay. High Risk – mitigation plan immediately Medium Risk – do it within one year Low Risk – not going to worry about it
  • #18 Would rate GSU as a 2.5 out of 5 on the Capability Maturity Model. We just started having a third party (internal audit) following up on our High Risk projects to ensure that controls were adequate/commensurate with risk and that they were implemented in a timely manner – will be done before preassessment in December. ISO mandates that we reevaluate risk – lessons learned from shredders. We are migrating from NIST 800-30 to BS 7799-3:2005 for our Risk Assessments. NIST Special Publication 800-30, "Risk Management Guide for Information Technology Systems." BS 7799-3:2005 Information security management systems. Guidelines for information security risk management" . Internal auditors and BSI will keep everyone honest – what gets checked gets done
  • #24 Copyright Tammy Clark, May 2007. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by pe