An ISMS Implementation Practice in Environments with Limited Resources
Prepared for the APEC-OECD Workshop on Security of Information Systems and Networks
September 05, 2005
Sophie, Lihsuan Liang, Project Manager
NII Enterprise Promotion Association
Outline
• Prolog
• Mechanism Design
• Methodology
• Practice (school-net in Chinese Taipei)
• Future developments
Prolog
• Security threats for small and medium enterprises (SMEs)
– Factors that make SMEs prime security targets: heavy reliance on Microsoft
– More than half of the SMEs that receive successful Internet attacks won't know they were attacked.
– 70% of attacks that cause more than $50,000 in damage involve an insider
• Simple and affordable steps for SMEs:
– Educate system administrators & users on security policies and procedures
– Evaluate the patch status of all production systems
– Don't give users administrative privileges on their PCs.
– Configure the email server to block potentially dangerous attachments
– Disable all inactive accounts and close out obvious vulnerabilities.
– Perform full anti-virus scans on all systems, using the latest signatures
– Protect every Internet connection with a certified firewall
Source: Gartner
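Three of the steps above (disable inactive accounts, keep administrative privileges off ordinary users' PCs, and check the patch status of production systems) are easy to turn into a periodic review that a unit with no full-time IT staff can run. The script below is an added example, not part of the presentation or of Gartner's material; the account and system inventory is constructed sample data, and the admin group names, the 90-day idle threshold and the 30-day patch-age threshold are assumptions that a unit would set in its own guidance.

```python
"""Account and patch hygiene review for a small organisation.

Added example implementing three of the affordable steps listed on the
slide: find inactive accounts to disable, find ordinary users who hold
administrative privileges, and find production systems whose patch
status is stale.  All inventory data below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Groups that confer administrative rights (assumed names for Windows/Unix).
ADMIN_GROUPS = frozenset({"Administrators", "sudo", "wheel"})


@dataclass(frozen=True)
class Account:
    username: str
    role: str                    # "admin" for designated administrators, else "user"
    groups: frozenset
    last_login: Optional[date]   # None means the account has never logged in
    enabled: bool = True


@dataclass(frozen=True)
class System:
    hostname: str
    last_patched: Optional[date]  # None means no patch record at all


def inactive_accounts(accounts, today, max_idle_days=90):
    """Enabled accounts with no login within max_idle_days (or ever)."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(
        a.username for a in accounts
        if a.enabled and (a.last_login is None or a.last_login < cutoff)
    )


def users_with_admin_rights(accounts):
    """Enabled non-administrator accounts that are members of an admin group."""
    return sorted(
        a.username for a in accounts
        if a.enabled and a.role != "admin" and a.groups & ADMIN_GROUPS
    )


def stale_systems(systems, today, max_patch_age_days=30):
    """Systems not patched within max_patch_age_days (or never)."""
    cutoff = today - timedelta(days=max_patch_age_days)
    return sorted(
        s.hostname for s in systems
        if s.last_patched is None or s.last_patched < cutoff
    )


def review(accounts, systems, today):
    """Return the three action lists as one report dictionary."""
    return {
        "disable": inactive_accounts(accounts, today),
        "remove_admin_rights": users_with_admin_rights(accounts),
        "patch": stale_systems(systems, today),
    }


# Constructed sample inventory (not real accounts or hosts); review date is assumed.
SAMPLE_TODAY = date(2005, 9, 5)
SAMPLE_ACCOUNTS = [
    Account("alice", "user", frozenset({"staff"}), date(2005, 8, 30)),
    Account("bob", "user", frozenset({"staff"}), date(2005, 3, 1)),     # idle since March
    Account("carol", "user", frozenset({"staff"}), None),              # never logged in
    Account("dave", "user", frozenset({"staff", "Administrators"}), date(2005, 9, 1)),
    Account("sysadmin", "admin", frozenset({"Administrators"}), date(2005, 9, 4)),
    Account("eve", "user", frozenset({"staff", "sudo"}), date(2004, 1, 1), enabled=False),
]
SAMPLE_SYSTEMS = [
    System("mail01", date(2005, 8, 28)),
    System("web01", date(2005, 6, 15)),   # last patched almost three months ago
    System("lab-pc-07", None),            # no patch record
]

if __name__ == "__main__":
    for action, names in review(SAMPLE_ACCOUNTS, SAMPLE_SYSTEMS, SAMPLE_TODAY).items():
        print(f"{action}: {', '.join(names) or 'nothing to do'}")
```

Accounts that are already disabled are deliberately left out of both account checks, so the report lists only work that still has to be done; an account that has never logged in and a system with no patch record at all are both treated as findings rather than silently skipped, since missing data is the usual way such items escape attention.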
It is possible to have an affordable ISMS solution for units with simple networks.
How can we apply this model to a group of units with similar network environments?
Mechanism design principles
• Neutral operation body
• Developing unified standard, guidance, operation manuals
• Optimizing existing management structure
• Including certification and auditing functions
• Covering awareness and education promotion activities
• Cost sharing for affordable pricing
[Diagram: the Authority provides financial support to, and authorizes, the ISMS Promotion Committee (management body); the Committee provides training and professional certifying, auditing, certification and general awareness, and ISMS consulting and second-tier training to the small and medium units.]
Mechanism Operations
• Certification / auditing services
– Ensuring the quality of ISMS implementation
– Verifying compliance with the standard or guidance
• Standard version updates
– Following the changing nature of information threats and risks
• Promotion activities / training sessions
– Training for trainers
– Training for qualified auditors
– Training for administrators
– Training for users
• Publications
[Diagram: the mechanism's outputs are awareness & training planning and materials; certification and audit criteria and procedure; standards, guidelines and SOPs.]
Methodology
• Simplify the existing large-scale ISMS standards (e.g. BS7799)
– Considering the common characteristics of Internet and information facility usage in the specific group
– Preparing a "statement of inapplicability (SOI)" based on the controls
– The remaining controls become a guidance (tailored to be more specific to the school environment)
– Providing operation instructions based on the guidance contexts
– Offering security level options
– Designing different training/awareness courses for different target groups, such as courses for school principals, for system managers, and for regular teachers
Example - SOI
Columns of the original table: Security controls / Control contexts defined in CNS17800/BS7799 / Reasons for inapplicability

Security control: 9.4.5 Remote diagnostic port protection
Control context (CNS17800/BS7799): Access to diagnostic ports shall be securely controlled.
Reason for inapplicability: Most primary/secondary schools do not have their own routers. Local network centers take the duty to centrally manage the router. Hence, the port diagnosis control is waived.

Security control: 8.7.2 Security of media in transit
Control context (CNS17800/BS7799): Media being transported shall be protected from unauthorized access, misuse or corruption.
Reason for inapplicability: Considering the benchmark of investment and return, this control activity shall be done by user education.

Security control: 8.7.3 Electronic commerce security
Control context (CNS17800/BS7799): Electronic commerce shall be protected from fraudulent activity, contract dispute and disclosure or modification of information.
Reason for inapplicability: Electronic commerce activities are rare or absent in most primary/secondary schools, so the relevant controls can be waived.
School-net in Chinese Taipei
Taiwan Academic Network (TANET) management infrastructures
[Diagram: TANET Backbone → 13 Regional Network Centers (RNCs) → University Networks and 25 Local Network Centers (LNCs) → 4000+ primary, secondary and high schools]
Information security concerns
• Infrastructures
– All the primary and secondary schools have had broadband access to TANet (by ADSL, FTTx) since 2000
– Each of the schools has at least one computer cluster
• Information security risks
– Personal data theft and abuse, misuse of computers and networks, managing downloads, computer viruses, malicious software, relay…
• Concerns for both LNCs and schools
– Limited IT budgets and resources
– Lack of full-time IT personnel
– Changing nature of the threat
– No unified ISMS guidelines and relevant references tailored to them
ISMS practice in schools
[Diagram: ISMS Promotion Committee → Local Network Centers (LNCs) → Primary, secondary and high schools]
Roles of schools
• As an information user
Services offered by the local NC
• Centralized network security controls
• School ISMS implementation support
• Training sessions
• Awareness raising
• Certifications to schools
• Security incident response
Services offered by the Committee
• Seed lecture training
• Overall awareness planning
• Auditing of LNCs
• Security incident reporting
Principles in practice
Principle: Neutral operation body
In practice: The ISMS Promotion Committee shall be formed by a group of professionals from academia, government and the private sector.

Principle: Developing unified standard, guidance, operation manual
In practice: Two sets of guidelines and training materials (with differing levels) are developed for LNCs and schools.

Principle: Optimizing existing management structure
In practice: Security functions are added to the LNC operation.

Principle: Including certification and auditing functions
In practice: Certification and auditing functions are added to the Committee responsibilities.

Principle: Covering awareness and education promotion activities
In practice: Awareness and education promotion activities are added to both Committee and LNC responsibilities.

Principle: Cost sharing for affordable pricing
In practice: The operation manual is able to apply to all 25 LNCs.
Future developments
• Management controls in ISMS are more challenging
– The importance of awareness
• Differing targets, differing priorities, and differing promotion strategies
– Top management, IT staff, general users
• Information security e-learning center
– now under development
– designing e-learning content with an easy & practical approach
– considering learners as information users rather than system administrators
– security awareness assessment campaign
– to share with APEC & OECD members
• Suggest forming a study group under the eSTG of APEC TEL
– as a starting point for further international collaboration on resolving security concerns for small and medium organizations
Thank you for your attention
Sophie, Lihsuan Liang, [email protected],tw