Developing A Risk Based Information Security Program
1. Developing a Risk-Based Information Security Program
   Tammy Clark, Chief Information Security Officer; William Monahan, Lead Information Security Administrator, Georgia State University, Atlanta GA.
   Copyright Tammy L. Clark, June 2007. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and with permission of the author.

2. Today's Agenda
   - Prerequisites for Success
   - Risk Management
   - PDCA Model
   - Establishing an ISMS: the "Plan, Do, Check, Act" phases
   - Governance Training
   - Compliance vs. Certification with the ISO standards

3. Prerequisites for Success
   - We believe that the following are critical success factors:
     - Top management support
     - Collaboration with key enterprise stakeholders
     - Understanding of key strategic business goals and objectives

4. Risk Management
   - Risk management process model
   - Asset identification and classification
   - Risk assessment methodology
     - ISO 17799/27001 Annex A
   - Risk treatment

5. Risk Management Process Model
   - Assess and evaluate risks
   - Select, implement and operate controls to treat risks
   - Monitor and review risks
   - Maintain and improve risk controls

6. Identification of Assets
   - Inventory and classification
   - Identify legal and business requirements relevant to the assets
   - Value the identified assets, taking those requirements into account as well as the impact of a loss of confidentiality, integrity or availability (C.I.A.)
   - Identify threats and vulnerabilities
   - Assess the likelihood that each threat will exploit a vulnerability
   - Calculate risk
   - Evaluate risks against a pre-defined risk scale

7. ISO 17799:2005 Controls and RTP
   - 133 separate controls in 11 domains capturing all aspects of information security; a number of the controls assist with implementing an ISMS
   - ISO 17799:2005 contains guidance on how to implement these controls
   - Risk management is the cornerstone of the ISO 17799:2005 approach to designing a comprehensive information security program
   - In developing a Risk Treatment Plan (RTP), you select controls that help mitigate the risks you identified, and you also decide which risks your organization will accept, transfer or avoid
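The risk calculation and treatment decision on slides 6 and 7 as a small risk register. This is an added example, not the presenters' tool or data: the 1..5 scales, the "asset value x likelihood" scoring, the three-band risk scale and the sample assets are all constructed assumptions; an organization substitutes its own pre-defined scale.

```python
from dataclasses import dataclass
SCALE_MAX = 5  # constructed ordinal scale 1..5 for impact and likelihood
def _check(name, v):
    if not 1 <= v <= SCALE_MAX:
        raise ValueError(f"{name}={v} is outside the 1..{SCALE_MAX} scale")

@dataclass(frozen=True)
class Asset:  # impact-of-loss ratings for C, I and A (the slide 6 valuation step)
    name: str
    confidentiality: int
    integrity: int
    availability: int
    def __post_init__(self):
        for k in ("confidentiality", "integrity", "availability"):
            _check(k, getattr(self, k))
    def value(self):  # asset value = worst-case impact across the three properties
        return max(self.confidentiality, self.integrity, self.availability)

@dataclass(frozen=True)
class Scenario:  # one threat/vulnerability pair against an asset
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int  # 1 = rare .. 5 = almost certain that the threat exploits the vulnerability
    def __post_init__(self):
        _check("likelihood", self.likelihood)

# Constructed pre-defined risk scale: (inclusive upper bound, rating, default treatment option)
RISK_SCALE = [(5, "low", "accept"), (12, "medium", "mitigate"), (25, "high", "mitigate or avoid")]
def evaluate(score):  # place a score on the scale; anything above the top bound is a data error
    for upper, rating, treatment in RISK_SCALE:
        if score <= upper:
            return rating, treatment
    raise ValueError(f"score {score} is outside the pre-defined scale")

def risk_register(scenarios):
    rows = []
    for s in scenarios:
        sc = s.asset.value() * s.likelihood  # calculate risk = asset value x likelihood
        rating, treatment = evaluate(sc)
        rows.append({"asset": s.asset.name, "threat": s.threat, "vulnerability": s.vulnerability,
                     "score": sc, "rating": rating, "treatment": treatment})
    return sorted(rows, key=lambda r: r["score"], reverse=True)  # highest risk first, feeds the RTP

def sample_register():  # constructed sample data, not the presenters' assessment
    records = Asset("student records database", 5, 4, 3)
    web = Asset("public web server", 1, 3, 4)
    return risk_register([Scenario(records, "unauthorized disclosure", "weak access controls", 3),
                          Scenario(web, "service outage", "no failover", 4),
                          Scenario(web, "defacement", "missing patches", 2)])
```

The sorted register is the input to the RTP: each row's default treatment is only a starting point, and management still signs off on the residual risk of whatever is accepted.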
8. PDCA Model
   - Plan: establish the ISMS
   - Do: implement and operate the ISMS
   - Check: monitor and review the ISMS
   - Act: maintain and improve the ISMS

9. PLAN: Establish Your ISMS
   - First steps (prerequisites):
     - Procure the ISO/IEC 27001:2005 standard.
     - Obtain full executive management support.
     - Define the scope and boundary of the ISMS.
     - Define an ISMS policy.
     - Define the risk assessment approach.

10. PLAN: Establish Your ISMS
   - Identify, analyze and evaluate the risks to the assets identified in your scope.
   - Identify and evaluate risk treatment options.
   - Select controls and control objectives, and record the reasons for selection.
   - Obtain management approval of the proposed residual risks.
   - Obtain management authorization to implement and operate the ISMS.
   - Prepare a Statement of Applicability.

11. DO Phase: Implement Your ISMS
   - Implementation of the ISMS:
     - Formulate a Risk Treatment Plan (RTP)
     - Implement your RTP
     - Implement the selected controls to meet your control objectives
     - Define metrics to measure the effectiveness of your controls
     - Implement a training and awareness program

12. DO Phase: Operate Your ISMS
   - Operation of the ISMS:
     - Manage operations in accordance with the identified controls, policies and procedures
     - Manage resources and ensure that there are sufficient resources to operate, monitor, review, maintain and improve the ISMS
     - Implement procedures and controls to manage incidents

13. CHECK Phase: Monitor and Review Your ISMS
   - Execute monitoring and review procedures:
     - Documentary evidence of monitoring, such as logs, records and files
     - Measure effectiveness (metrics)
     - Review risk assessments
     - Conduct internal ISMS audits
     - Management reviews
     - Update security plans
     - Record actions and events

14. ACT Phase: Maintain and Improve the ISMS
   - "Shall" statements in the standard apply to this phase:
     - Implement identified improvements
     - Take appropriate corrective and preventive actions
     - Communicate actions and improvements to interested parties
     - Ensure improvements meet objectives

15. ISMS Documentation Requirements
   - Statements of policy and objectives
   - Scope and boundaries
   - Procedures and controls
   - Description of the risk assessment methodology
   - Risk assessment report and RTP
   - Metrics
   - Objective evidence
   - Statement of Applicability (SOA)

16. Four Required Processes
   - These processes are also required to be documented:
     - Document control
     - Internal audits
     - Corrective actions
     - Preventive actions

17. Governance Training
   - BSI Americas ISO/IEC 27001:2005 Implementation Course
     - http://www.bsiamericas.com/TrainingInformationSecurity/index.xalter
   - HISP (Holistic Information Security Practitioner) Training/Certification
     - http://www.hispcertification.org

18. Compliance vs. Certification
   - ISO/IEC 17799:2005 compliance:
     - Users of the ISO/IEC 17799:2005 framework need to carry out a risk assessment to identify which controls are relevant to their own business environment, and implement them.
     - The framework uses the word "should".
   - ISO/IEC 27001:2005 certification:
     - This process involves auditing an ISO/IEC 17799:2005-compliant ISMS against the requirements of ISO/IEC 27001:2005.
     - The standard uses the word "shall".
     - The ISMS will be audited by an accredited certification body such as Certification Europe, British Standards Institute, Lloyds, KPMG or BVQI.

19. Other Considerations
   - The ISO/IEC 17799:2005 and 27001:2005 standards provide a comprehensive "umbrella" framework for your information security program:
     - Compatible with other standards and guidelines
     - Assist with compliance
     - Meant to be a long-term endeavor
     - Favor incremental deployment of controls
     - Assist in integrating business requirements with IT and information security goals and objectives
     - Help you prioritize the areas of greatest risk and need

20. GRC Software
   - Automated help with risk assessments and treatment plans, incident response, BIA and asset management
     - Proteus Enterprise: http://infogov.co.uk
   - Automated help with security and compliance gap analysis based on the HISP methodology
     - Compliantz Health Check: https://www.compliancehealthcheck.com

21. References
   - ISO/IEC 27001:2005
   - BS 7799-3:2006 (risk management)
   - BIP 0071-0074 (ISMS guidance series from BSI)
   - ISO/IEC 17799:2005 (controls)
   - http://www.praxiom.com/iso-27001.htm (ISO/IEC 27001:2005 in plain English)
   - http://www.praxiom.com/iso-17799-2005.htm (ISO/IEC 17799:2005 in plain English)

22. Questions?
   - Tammy Clark [email_address]
   - William Monahan [email_address]