Popular pitfalls in ISMS Compliance: An Auditor's perspective
Contents
• Introduction
• Standard Evolution
• Standard Organization
• Future of the standard
• Implementation issues
21-Sep-2007 Public 3
Standard Evolution
1995: Initiative from the Department of Trade and Industry; BS 7799 Part 1
1998: BS 7799 Part 2
1999: New issue of BS 7799 Part 1 & 2
2000: ISO/IEC 17799:2000
2001: BS 7799-2:2002 (drafted)
Sep 2002: BS 7799-2:2002 passed and accepted
Jun 2005: ISO 17799:2005
Oct 2005: ISO/IEC 27001:2005
Standard Organization
Hierarchy: Domains > Control Objectives > Controls
Standard Organization
Main clauses:
4 Information Security Management System
5 Management Responsibility
6 Internal ISMS Audits
7 Management review of the ISMS
8 ISMS improvement
Annex A control domains:
A.5 Information Security Policy
A.6 Organization of Information Security
A.7 Asset Management
A.8 Human Resources Security
A.9 Physical and Environmental Security
A.10 Communications and Operations Management
A.11 Access Control
A.12 Information Systems Acquisition, Development and Maintenance
A.13 Information Security Incident Management
A.14 Business Continuity Management
A.15 Compliance
Standard Organization (contd.)
[Diagram: the Annex A domains (Security policy, Organization of Information Security, Asset Management, Human Resources Security, Physical and Environmental Security, Communications and Operations Management, Access Control, Information Systems Acquisition, Development and Maintenance, Information Security Incident Management, Business Continuity Management, Compliance) arranged around the Confidentiality, Integrity and Availability of Information.]
Future of the standard
ISO/IEC Standard: Description
27000: Vocabulary and definitions
27001: Specification
27002: Code of Practice (ISO 17799:2005)
27003: Implementation Guidance
27004: Metrics and Measurement
27005: Risk Management (BS 7799-3)
What is an implementation issue?
• Something the standard directly demands that is not complied with
• Diluted implementation
• Misinterpretation of the standard
Implementation Issues – Scope
• Scope of ISMS
– Scope is very hazy, not including all the assets and technology
• A good example of ISMS scope:
"The ISMS scope covers all critical systems, applications, networks, telecommunication links, human resources, and information assets. The scope also includes business operations, administrative functions, customer information, buildings, equipment, tools and utilities used in the execution of business of the organization at site A and site B."
Implementation Issues – Policy
• Security Policy
– Not visible in the organization
– Not spread across the organization
– Does not help in arriving at security objectives
• Other Policies
– Many other policies not defined
– e.g. Clear Desk Clear Screen policy
– Mobile computing policy, Teleworking policy
Implementation Issues – Risk Assessment
• Risk assessment not systematic
• Risk assessment kicked off with false comfort of existing controls
• Some core assets not identified
– e.g. Design document in an IT organization
• Arriving at acceptable risk level not scientific
• Projects a no-residual-risk scenario
Implementation Issues – SoA Preparation
• Only exclusions are justified; inclusions should also be justified
• Bi-directional tracing from risks to controls and vice versa absent
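The two SoA pitfalls above are mechanical enough to check with a script. The following is an added example, not part of the presentation: it traces a risk register forward to the Statement of Applicability (every risk has a treatment, every referenced control is present and marked applicable) and backward (every included control is explained by at least one risk), and flags inclusions and exclusions that carry no justification. The risk ids, mappings and justifications are constructed sample data; the control ids follow the ISO/IEC 27001:2005 Annex A numbering but the mapping is illustrative only.

```python
"""Bidirectional SoA / risk-register traceability check (added example).

The risk register and SoA below are constructed sample data with
hypothetical risk ids and justifications; the mapping is illustrative.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Risk:
    risk_id: str
    description: str
    controls: List[str]  # Annex A controls chosen to treat the risk


@dataclass
class SoAEntry:
    control_id: str
    applicable: bool      # included (True) or excluded (False)
    justification: str    # expected for BOTH inclusions and exclusions


# Constructed sample risk register (hypothetical ids and mapping)
RISK_REGISTER: List[Risk] = [
    Risk("R-01", "Unauthorised entry to the server room", ["A.9.1.2"]),
    Risk("R-02", "Design documents lost on removable media", ["A.10.7.1", "A.10.8.3"]),
    Risk("R-03", "Misuse of administrator privileges goes unnoticed", ["A.11.2.2", "A.10.10.2"]),
    Risk("R-04", "Printouts left uncollected on shared printers", []),
    Risk("R-05", "Applicable regulations not identified", ["A.15.1.1"]),
]

# Constructed sample SoA (hypothetical justifications)
SOA: List[SoAEntry] = [
    SoAEntry("A.9.1.2", True, "Treats R-01"),
    SoAEntry("A.10.7.1", True, ""),
    SoAEntry("A.10.8.3", True, "Treats R-02"),
    SoAEntry("A.11.2.2", True, "Treats R-03"),
    SoAEntry("A.10.10.2", False, "Monitoring performed by outsourced provider"),
    SoAEntry("A.10.10.6", True, "Needed for log correlation"),
    SoAEntry("A.10.7.2", False, ""),
]


def check_soa(risks: List[Risk], soa: List[SoAEntry]) -> Dict[str, list]:
    """Trace risks -> controls and controls -> risks; return findings by type."""
    soa_by_id = {e.control_id: e for e in soa}
    referenced = {c for r in risks for c in r.controls}
    findings: Dict[str, list] = {
        "risk_without_control": [],          # forward: risk has no recorded treatment
        "risk_to_missing_control": [],       # forward: control not listed in the SoA
        "risk_to_excluded_control": [],      # forward: control marked not applicable
        "included_without_risk": [],         # reverse: inclusion no risk explains
        "included_without_justification": [],
        "excluded_without_justification": [],
    }
    for r in risks:
        if not r.controls:
            findings["risk_without_control"].append(r.risk_id)
        for c in r.controls:
            entry = soa_by_id.get(c)
            if entry is None:
                findings["risk_to_missing_control"].append((r.risk_id, c))
            elif not entry.applicable:
                findings["risk_to_excluded_control"].append((r.risk_id, c))
    for e in soa:
        if e.applicable and e.control_id not in referenced:
            findings["included_without_risk"].append(e.control_id)
        if not e.justification.strip():
            key = "included_without_justification" if e.applicable else "excluded_without_justification"
            findings[key].append(e.control_id)
    return findings


def soa_is_consistent(findings: Dict[str, list]) -> bool:
    """True only when every finding list is empty."""
    return not any(findings.values())


if __name__ == "__main__":
    result = check_soa(RISK_REGISTER, SOA)
    for kind, items in result.items():
        if items:
            print(f"{kind}: {items}")
    print("consistent:", soa_is_consistent(result))
```

On the sample data every finding type fires once, which is the kind of gap list an internal auditor would expect to see cleared before the certification audit.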
Implementation Issues – Monitoring
• Information security review very weak
• Obsolete risks not removed
• New risks not fully added
Implementation Issues – Internal Audit
• Predominantly the CISO and team are the auditees
• Sampling of other asset owners rare
• Absence of qualified internal auditors
Implementation Issues – Management Review
• Not all review inputs required by the standard are addressed
• Management appreciation for security issues very low
Implementation Issues – Improvement
• Corrective action (CA) is more prevalent than preventive action (PA)
• Analysis of incidents / non-compliances weak
Implementation Issues – External Parties
• Third party agreements do not stress security requirements
• Third party vendors not conspicuously identified in the facility
Implementation Issues – Asset Management
• Server based software owners are identified but not their custodians
• Only critical IT assets identified
• Some core assets not properly identified
• Asset labeling improper
Implementation Issues – HR Security
• No systematic screening
• Awareness training weak
• Removal of access rights weak
• Awareness of social engineering very low
Implementation Issues – Physical and Environmental Security
• Network cables run outside the security perimeter
• No controls on piggy-backing
• Structured cabling absent
• Security of equipment off-premises very weak
• Movement of media (e.g. CDs) not controlled
Implementation Issues – Communications and Operations Management
• Disposal of media very weak
• Safety of media in transit not properly addressed
• Logs not reviewed periodically
• Clock synchronization not done
Implementation Issues – Access Control
• Privilege management weak
• Printouts on printers not picked up
• Clear desk clear screen policy the most violated
• Unabated installation of freeware, shareware etc.
• Laptops don't have updated virus signatures
Implementation Issues – IS Acquisition, Development and Maintenance
• Applied only to the information systems developed to run the business, e.g. ERP, Enterprise Project Management etc.
• Impact analysis of changes very weak
• Fallback plan for an unsuccessful software upgrade weak
Implementation Issues – Incident Management
• Incident management seen as an 'impossible activity'
• Awareness of how to report an incident very low
Implementation Issues – BCP
• BCPs are static
• Scale of BCP very low vis-à-vis business need
• BCP testing not done
Implementation Issues – Compliance
• One comprehensive list of applicable rules & regulations absent
Thank You…
Ramkumar R
www.linkedin.com/in/ramkumarr
