HOME LAB : HANDS-ON
Two words on Knowledge and Skill.
Learning Objectives
The training will be 4 days; what you will take away from this training.
Knowledge | Skill |
Three pillars: Confidentiality, Integrity and Availability [CIA]
Means cannot be challenged by anybody.
Integrity means unaltered information: the information cannot be changed between the two ends.
The in-between facility that processes the information also needs to be secured.
Business continuity will, to some extent, be part of the information security management system, and business continuity and disaster management will also be handled separately.
How the information should be discarded.
Reduced security incidents, increased staff retention, protection of brand and reputation, reduced cost of correction, customer retention, etc.
Why is Information security management important within the organization?
To protect user’s data
To comply with Government Norms
To have control over the data management
Stats:
83% of organizations see damage to the organization's reputation as the biggest concern.
93% had staff-related breaches.
51.6%: reduced security incidents reported by certified organizations.
49%: lack of budget to improve information security.
15% of small businesses detected a breach.
What needs to be managed in an Information Security Management System?
Data, physical assets, people assets, etc.
Framework: sets of principles, policies, rules and guidelines together make up a framework.
ISO International Organization for Standardization
IEC International Electrotechnical Commission
BSI started in 1901: they wanted to build tube railways and floated a tender. The big problem was receiving 5 different plans with different dimensions, so the plans were not compatible with each other.
BS 7799:1995: British standard published in 1995.
2005: ISO renamed it and published 27001, derived from the BS.
27001: What has to be done.
27002: How it has to be done (implementation guideline).
Interested parties: Promoters or Shareholders, Employees, Government, neighbours, customers, vendors, etc.
Internal issue: When there are internal strikes.
External issue: Government regulatory compliance
Here the boundaries for the rules are set.
E.g., in India security guards are present to collect ID proof and make a register entry. The same company operating in Japan has no security guard, since there is no practice of security guards in Japan.
Plan : requirements: - Clause 4 Context of the org. / 5 leadership / 6 Planning / 7 Support
DO : implement: - Clause 8 Operation
Check : Audits/ gaps/ managements review: - Clause 9 Performance evaluation
Act : Results/ improvement: - Clause 10 Improvement
comes from the interested parties; this is like defining the scope, limits and boundaries.
1 Accountability | H |
2 Asset | N |
3 Availability | E |
4 Business continuity | J |
5 Confidentiality | G |
6 Control | K |
7 Corrective Action | B |
8 Risk Assessment | M |
9 External Context | A |
10 Risk | L |
11 Information Security | F |
12 Information Security Incident | C |
13 Integrity | P |
14 Internal Context | D |
15 Non-conformity | O |
16 Non-repudiation | I |
Regulatory body: RBI is the regulatory body; SEBI is the regulator for stock exchanges.
Legal: requirements from the government.
Contract: requirements passed on through working with clients, which are laid down by the regulatory body.
Statutory and regulatory requirements: as an ISMS manager, you just tell them to follow. You do not need to be an SME in the statutory field to implement the ISMS. Show the list of statutory and regulatory requirements you adhere to.
Working under another organization: policies, regulations and contractual terms will be passed on to the vendor organization as well.
4 Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the information security management system
4.4 Information security management system
Leadership and commitment
Policy
Organizational roles, responsibilities and authorities
Top management should create and provide resources, and create the security policy and security objectives.
Activity 7
Directions:
As directed by your tutor, consider clause 5 and in particular sub-clause 5.1 and identify
which leadership/commitment behaviours and competencies, with respect to information
security management, you would expect from the organization provided
*******************************************************************************
6.1 Actions to address risks and opportunities
6.1.1 General
6.1.2 Information security risk assessment
6.1.3 Information security risk treatment
6.2 Information security objectives and planning to achieve them
Notes:
Terms:
Vulnerability, probability, Risk Assessment, Risk Treatment Plan, Risk Rating, Security Control, Statement of applicability.
Information asset: try to identify the information assets.
Try to quantify the assets: which are high value and which are low value.
Quantify based on CIA.
E.g., rate the asset on a scale of 1, 2 and 3 to create the asset value.
E.g., formula for asset value: C + I + A = asset value.
E.g., Confidentiality: when the asset is public, the scale is 1.
 | Public | Internal | Confidential |
Confidentiality | 1 | 2 | 3 |
Integrity | 3 | 2 | 2 |
Availability | 3 | 3 | 3 |
The risk rating is associated with the asset value.
Probability feeds into the risk rating.
As vulnerability increases, the probability increases.
For every risk there can be an opportunity.
Risk Avoid or termination, Risk Accept, Risk Share or transfer
Risk transfer:
E.g., cell phone tower with backup generators: the diesel gets stolen or wasted. They transferred the risk to vendors, who look after the DC backups.
Risk treatment:
Lowering the risk means reducing the vulnerability.
Threat and vulnerability:
Threat: earthquakes are threats; hackers are threats.
Vulnerabilities are gaps in the system through which problems can arise.
Residual risk:
The leftover risk; a risk owner must be identified for the residual risk.
It is what remains when the mitigation plan is implemented and the risk probability is lowered.
Risk owner is equal to asset owner.
RTP: has to bring the risk down from a higher level.
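As an added worked example (not part of the training notes), the asset valuation and risk rating scheme above in Python: the 1-3 CIA table and the C + I + A formula are the notes' own, while the likelihood scale, the multiplication that produces a rating, the acceptance thresholds and the sample assets are assumptions made here.

```python
from dataclasses import dataclass

# CIA ratings per classification, copied from the 1..3 table in the notes
# (rows Confidentiality, Integrity, Availability).
CIA_SCALE = {
    "Public":       {"C": 1, "I": 3, "A": 3},
    "Internal":     {"C": 2, "I": 2, "A": 3},
    "Confidential": {"C": 3, "I": 2, "A": 3},
}

# Risk acceptance criteria. Assumption: these thresholds are illustrative and
# not taken from the notes; the maximum rating is 9 (C+I+A) x 3 (likelihood).
ACCEPT_MAX = 8    # rating <= 8 is accepted / tolerated
AVOID_MIN = 21    # rating >= 21 is avoided / terminated or transferred


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str            # risk owner = asset owner, as the notes say
    classification: str   # key of CIA_SCALE
    likelihood: int       # 1 (rare) .. 3 (likely); this scale is an assumption

    def asset_value(self) -> int:
        s = CIA_SCALE[self.classification]
        return s["C"] + s["I"] + s["A"]          # C + I + A = asset value

    def risk_rating(self) -> int:
        # Assumption: rating = asset value x likelihood. The notes only say the
        # rating is associated with the asset value and the probability.
        return self.asset_value() * self.likelihood


def treatment(rating: int) -> str:
    """Pick one of the treatment options from the notes for a risk rating."""
    if rating <= ACCEPT_MAX:
        return "Accept/Tolerate"
    if rating >= AVOID_MIN:
        return "Avoid/Terminate or Transfer/Share"
    return "Reduce/Treat"


def apply_control(asset: Asset, likelihood_drop: int) -> Asset:
    """Residual risk: a control closes a vulnerability gap and so lowers the
    likelihood; the asset value itself does not change."""
    return Asset(asset.name, asset.owner, asset.classification,
                 max(1, asset.likelihood - likelihood_drop))


def publish(asset: Asset) -> Asset:
    """Balance-sheet example from the notes: once published the record is
    Public, so confidentiality drops to the lowest rating, integrity stays 3."""
    return Asset(asset.name, asset.owner, "Public", asset.likelihood)


def risk_register(assets):
    """Return (name, owner, asset value, risk rating, treatment) per asset."""
    return [(a.name, a.owner, a.asset_value(), a.risk_rating(),
             treatment(a.risk_rating())) for a in assets]


if __name__ == "__main__":
    # Constructed sample assets, not from the notes.
    sheet = Asset("Balance sheet (unpublished)", "CFO", "Confidential", 2)
    db = Asset("Customer database", "IT head", "Confidential", 3)
    for row in risk_register([sheet, db, publish(sheet), apply_control(db, 2)]):
        print(row)
```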
A.5 Information security policies
A.6 Organization of information security
A.7 Human resource security
A.8 Asset management
A.9 Access control
A.10 Cryptography
A.11 Physical and environmental security
A.12 Operations security
A.13 Communications security
A.14 System acquisition, development and maintenance
A.15 Supplier relationships
A.16 Information security incident management
A.17 Information security aspects of business continuity management
A.18 Compliance
14 Security clause headings
35 security categories
114 controls
The statement of applicability lists which controls will be used and which will not. A justification has to be given for why each control is used or not used, in terms of treating the risk in the organization.
Objective means: to achieve the target or goals
E.g., Objective
Zero security data breach
100 % compliance to infosec audit
As per policy all the employees will change the password every 90 days
100% of pen-testing to happen for all the projects in every quarter.
98% of awareness of Infosec training has to be completed by the vendors
Top management will provide the support.
7.2 Competence
In three ways: education, arranging training, and experience.
7.3 Awareness
Senior management has to create awareness about Information security among the employees.
7.4 Communication
7.5 Documented information
ISO 27001 clause | Statement | True / False |
7.1 | Shall provide the resources for continual improvement of its ISMS | T |
7.1 | Where applicable, evaluate the effectiveness of training | T |
7.2 | Retain documented information as evidence of competence | T |
7.2 | Taking action to ensure competence does not always require formal training | T |
7.2 | Determine necessary competence for everyone | F |
7.2 | It is always necessary to provide training to ensure competence | F |
7.3 | Persons affected by the ISMS shall be aware of their contribution to the effectiveness of the ISMS | T |
7.3 | Everyone must be aware of the IS policy | T |
7.3 | Persons affecting the ISMS in their work shall be aware of the implications of not conforming with the ISMS requirements | T |
7.4 | Must determine the need for internal and external communications relevant to the ISMS | T |
7.4 | Need to have a communication process | T |
7.4 | Everybody should receive every communication relevant to the ISMS | F |
7.5.1 | Documented information must be the same for every organization implementing ISO 27001 | F |
7.5.2 | Language and graphics of documented information must be appropriate | T |
7.5.2 | Appropriate review, and approval for adequacy, is necessary for every document within the organization | T |
7.5.3 | Documented information required by the ISMS needs to always be adequately protected | T |
7.5.3 | Access to documents implies a decision regarding the permission to view only | F |
7.5.3 | Not all documented information required by the ISMS needs to be controlled | F |
7.5.3 | Documented information required by the ISMS must always be available to everyone and suitable for use | F |
7.5.3 | Retention of every document is always required, but disposal of these documents is good practice when existing storage space has run out | F |
7.5.3 | All documented information of external origin shall always be identified and controlled | F |
Clause 8 is also the DO part of PDCA.
8.1 Operational planning and control
8.2 Information security risk assessment
8.3 Information security risk treatment
Problem Statement:
Organization A: An IT Support and Services Provider. The organization’s purpose is to
provide IT support and hosting services to both public and private sector organizations.
Internal Issues:
Directions, Part 1:
As directed by your tutor, consider your assigned organization and identify some probable
internal issues and external issues that are relevant to its purpose as well as interested
parties relevant to the ISMS. Individually write down what needs to be shared, as required.
Points Discussed:
Interested parties:
Customer
Top management
Employees
Internal Issues: -
Downtime of the service should not exceed 1 hour.
RISK:
Customer satisfaction going down
Financial loss
Appropriate access control to be provided for intended parties
RISK:
Confidentiality of the data not maintained.
Awareness of the ISMS policy should not fall below 95%.
RISK:
Not meeting the standard's requirements (ISO 27001).
A reduction in internet bandwidth will impact services.
RISK:
Availability of hosted services is impacted
External Issues: -
Zero security breaches in the Cloud Framework.
Adherence to Government norms for protecting data.
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
Here monitoring and measurement is done.
The objectives identified earlier will be monitored and measured.
Audits, internal and external, are conducted.
Documentation must be maintained.
Internal audit:
Conformance and non-conformance.
An external auditor will check that the internal NCs are reported and closed.
Activity 11
10.1 Nonconformity and corrective action
10.2 Continual improvement
Read the standards 27001 and 27002
Remaining activities to be completed
Annex A has to be read.
A.5 Information security policies
A.5.1 Management direction for information security
A.5.1.1 Policies for information security
A.5.1.2 Review of the policies for information security
A.6 Organization of information security
A.6.1 Internal organization
A.6.1.1 Information security roles and responsibilities
A.6.1.2 Segregation of duties
A.6.1.3 Contact with authorities
A.6.1.4 Contact with special interest groups
A.6.1.5 Information security in project management
A.6.2 Mobile devices and teleworking
A.6.2.1 Mobile device policy
A.6.2.2 Teleworking
A.7 Human resource security
A.7.1 Prior to employment
A.7.1.1 Screening
A.7.1.2 Terms and conditions of employment
A.7.2 During employment
A.7.2.1 Management responsibilities
A.7.2.2 Information security awareness, education and training
A.7.2.3 Disciplinary process
A.7.3 Termination and change of employment
A.7.3.1 Termination or change of employment responsibilities
A.8 Asset management
A.8.1 Responsibility for assets
A.8.1.1 Inventory of assets
A.8.1.2 Ownership of assets
A.8.1.3 Acceptable use of assets
A.8.1.4 Return of assets
A.8.2 Information classification
A.8.2.1 Classification of information
*******************************************************************************
Activity 14:
Term | Definition |
Authentication | E. Provision of assurance that a claimed characteristic of an entity is correct |
Control objective | K. Statement describing what is to be achieved as a result of implementing controls |
Risk evaluation | A. Process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable |
Risk treatment | L. To modify risk |
Levels of risk | B. Magnitude of a risk expressed in terms of the combination of consequences and their likelihood |
Procedure | |
Process | |
Risk criteria | |
Residual Risk | F. Risk remaining after risk treatment |
Statement of applicability | K. Statement describing what is to be achieved as a result of implementing controls |
Validation | |
Risk management | D. Documented statement describing the control objectives and controls that are relevant and applicable to the organization's ISMS |
Gap analysis:
Top management interest
Understanding requirements. Legal and guidance.
Baseline review, Gantt chart & resource requirements
Approve & communicate implement plan
Baseline for awareness:
Information related to information security management has to be made known to people by having them take exams.
Baseline for competence:
Baseline is 30% must be implementer and rest 70% should be aware of ISMS
It is a Microsoft Project plan with a WBS.
E.g., for a bank one ISMS Manager would be recruited.
Fill in the gaps:
Implement and operate the plan
Any Improvement from filling the gap
Refer to the page 73 from the file [02 slide*.PDF]
Baseline creation / Review:
Identify the minimum document requirements
Baseline Gap analysis
ISO 27001 clause reference | | | |
4.1 | T | T | F |
4.2 | F | | |
4.3 | F | | |
4.4 | F | | |
 | F | | |
 | T | T | T |
 | T | T | T |
 | F | | |
 | F | | |
 | F | | |
 | F | | |
Process: is the key for the organization to last for centuries
Plan | J, H, K, D, F, L, A, E, I |
Do | B |
Check | C |
Act | G |
Required documented information
Control of documentation information
27001 clause | Document requirements |
4.1 | External issues, internal issues; requirements of interested parties |
4.2 | |
4.3 | Scope |
4.4 | |
5.1 | Leadership commitment: information security policy / objectives |
5.2 | Policy: InfoSec policy |
5.3 | InfoSec roles and responsibilities document |
6.1.1 | Risks and opportunities |
6.1.2 | InfoSec risk assessment |
6.1.3 | Risk treatment plan; control inclusion and exclusion |
6.2 | |
7.1 | Resource plan |
7.2 | Competence plan |
8.1 | |
8.2 | |
8.3 | |
9.1 | Audit process |
9.2 | Audit plan |
9.3 | List |
10.1 | NC report |
MRM | |
 | Business continuity process |
Exercises: Activity 18: homework.
Activity 19: Create a Gantt chart.
Create an Excel sheet and do the Gantt chart.
Define the scope: decide on the organization.
Call centre: 50 to 100 people working for Airtel, dealing with Airtel's customers.
Telecom Company: SIM CARD
Department:
IT Network Department, HR Department, Telecom regulatory, Physical scope, Centre location, Staff.
Core business activities:
Inbound: answering questions from customers.
Call centre 24/7
Scope:
Type of activities: Inbound
Locations: Pune, Chennai
Departments: IT Network Department, HR Department, Telecom regulatory, Physical scope, Centre location, Staff.
Services: voice calls, SIM card delivery
Requirement from Leadership and Commitment
Info sec Policy and objectives
Integration of Info sec
Resources needed
Direction and supporting
Continual improvements.
Investment
Resources
Infrastructure
Defining roles and responsibilities.
This will show the intention of the organization and will be the driving force.
Roles, Responsibility and authorities: for an ISMS Manager
CIA on information assets
Risk criteria 🡪 Risk acceptance Criteria/ Criteria for performing
Asset Register
Cause
Sources
Statement of applicability
Activity 26 / 27 / 28 / 29: home work
*******************************************************************************
Awareness
Communications: Posters, Emails
Documented information
Documentation must be revisited every year. Why?
The organization is called a living or dynamic organization; hence there will be changes, and the documentation should reflect those changes.
Activity 30: Communication process
What is a process? Certain inputs, to get a desired output, based on certain steps.
Whom to communicate with, when, who shall communicate, on what...?
Process should have:
Input:
Steps:
Output:
Risk treatment Plan:
Risk treatment Options | Control selected | Source |
Security Incidents
Internal Audits
Consistency results
Monitoring
Measuring
Effectiveness of ISMS
Evaluation
Internal Audit
External Audit
Weekly check: are the latest Windows security patches installed on all machines?
The DRBC plan is exercised every 6 months.
Performance Evaluation
Internal Audit
Management Review
Gap analysis is also a type of audit.
Inputs 🡪 Audit activity 🡪 Outputs
Three Things about Audit
Intent: means expectation
Implementation
Effectiveness
Positive Findings means Conformance.
Negative Findings means Non-Conformance.
As an auditor you are not there to give suggestions or do consulting.
Also called an aide-mémoire.
Has security been employed?
Scope: Physical Security
Leadership = guidance [leaders are born]
Management = controls [managers are created]
Kotter’s 8 Steps to successful change.
1) Increase urgency - inspire people to move, make objectives real and relevant.
2) Build the guiding team - get the right people in place with the right emotional commitment, and the right mix of skills and levels.
3) Get the vision right - get the team to establish a simple vision and strategy, focus on emotional and creative aspects necessary to drive service and efficiency.
4) Communicate for buy-in - Involve as many people as possible, communicate the essentials, simply, and to appeal and respond to people's needs. De-clutter communications - make technology work for you rather than against.
5) Empower action - Remove obstacles, enable constructive feedback and lots of support from leaders - reward and recognise progress and achievements.
6) Create short-term wins - Set aims that are easy to achieve - in bite-size chunks. Manageable numbers of initiatives. Finish current stages before starting new ones.
7) Don't let up - Foster and encourage determination and persistence - on-going change - encourage on-going progress reporting - highlight achieved and future milestones.
8) Make change stick - Reinforce the value of successful change via recruitment, promotion, new change leaders. Weave change into culture.
Example:
Confidentiality and integrity: the balance sheet is confidential until it is published to the public. Once published, integrity becomes high and confidentiality becomes zero.
Controls are required to reduce the RISK.
*******************************************************************************
Why ISMS?
Improved security for the organization and its clients
Increase in the quality of information security processes and procedures
PLAN: 4 Context of the organization / 5 Leadership / 6 Planning / 7 Support
DO: 8 Operation
CHECK: 9 Performance evaluation
ACT: 10 Improvement
Clause 4: Context of Org
Clause 6: Planning
A risk assessment process should then be defined that identifies risks associated with the loss of confidentiality, integrity and availability for information within the scope of the ISMS, analyses the risks and then evaluates them.
Clause 7: Support
Leadership will provide the support
Clause 8: Operation
Info sec Risk Assessment
Info sec Risk Treatment
Statement of applicability: 114 controls are present. When a control is not applied, the reason must be provided.
Clause 9: Performance evaluation
Internal Audits
Management Review
Clause 10: Improvement
Non-Conformity and corrective action
Continual Improvement
Implementation of the ISMS:
Determine the Need for Documentation
Baseline Gap Analysis
Project plan: Gantt chart
Scope of ISMS
Leadership Commitments and Roles, responsibility & Authorities.
Risk Identification:
Reduce/ Treat
Avoid/ Terminate
Accept/ Tolerate
Transfer/ share
Audit:
Intent
Implementation
Effectiveness
Non conformity reports
Management Review
Change Management