"I am Certified, but am I Safe?" - Information Security Summit, Kuala Lumpur, Malaysia, June, 2011
Transcript of "I am Certified, but am I Safe?" - Information Security Summit, Kuala Lumpur, Malaysia, June, 2011
Slide 1
“I am certified, but am I safe?”
Anup Narayanan, CISA, CISSP
Founder & CEO, ISQ World
Slide 2
Agenda
What exactly is Certification?
The audit process & fear: Why?
The cost of poor implementation
Getting your ISMS right
The ISM3 model
The CXO’s Security Plan
How do I know I am safe?
Slide 3
What exactly is Certification?
An explanation in simple terms
Slide 4
The auditor looks for two factors
The existence of the ISMS
Is the P-D-C-A (Plan-Do-Check-Act) model in place?
Scope, security forum, asset classification list, risk analysis, documents etc.
The functioning of the ISMS
Review and improvement processes: the CHECK and ACT phases.
Auditor – “Have you done a root cause analysis?”
Not just identifying, but solving
If the auditor is satisfied, you are recommended for certification
Slide 5
The essence of ISO 27001 / ISMS
Tells you what to do: implement an ISMS (Information Security Management System) fit for business
Does it tell you how to do it? Not very well!!
ISO 27002 is a good guide, but subject to poor interpretation
Not the fault of the standard
Slide 6
Example
“Build a vehicle”
Slide 7
Poor Interpretation
Good Interpretation
Slide 8
The audit process & fear
Why?
Slide 9
Analysis
The purpose of the ISMS is not well understood
The implementation process is not well understood
The audit process is not well understood
You are misguided by ill-informed people
Slide 10
Some facts!
Fallacy – I must select as many controls as possible
Truth – Choose those controls that are required (some of them will be mandatory)
Fallacy – I must produce a ton of documentation
Truth – I must produce documents that I will read
Fallacy – The auditors will be tough and strict
Truth – The auditors know their job and you should know yours
Slide 11
This leads to… ISMS fatigue
After the first few years, you will not be able to maintain all controls – managers will grumble
This leads to poor maintenance of controls
Poor maintenance leads to “quick-fixes” that open more vulnerabilities
Slowly the controls weaken and people start finding alternatives to avoid the ISMS, which opens more weaknesses
Slide 12
The cost of poor implementation
A poorly implemented ISMS leads to more security weaknesses than not having one at all
Slide 13
Getting your ISMS right
Information Security Goals, Targets and Processes (Not Controls)
Slide 14
My primary focus is to constantly increase shareholder value
Depends on: Customer retention & acquisition
Depends on: TRUST
Depends on: Continuous availability of services
Depends on: Continuous availability of Information and Information Systems
INFORMATION SECURITY
Slide 15
Trust & the impersonal nature of the Internet
On the Internet…
The customer cannot see you
They don’t know what you look like, or how you talk…
This makes it difficult for you to influence the perception of TRUST on the Internet using visible factors…
TRUST on the Internet is based on measurable factors such as Availability of Services
Hence, you need Information Security, to be there when the customer needs you
Slide 16
The purpose of the ISMS
Business Goals: Profitable, Be ethical, Socially responsible
Business Targets: Generate $X through sales; Pay bills / salaries / taxes on time; Maintain the offices and facilities
Helped by: Sales: sell products & services; HR: hire the right people; Finance: process payments, pay bills & salaries, accounting; Admin: maintenance functions, HVAC etc.
Where does Information Security fit in?
Slide 17
Realize this…
No two businesses are alike, hence no two ISMSs are alike
Be Confident! Build an ISMS fit for your business!
Choose only processes that are useful for your business, not because someone else does them too.
Slide 18
Using ISM3 to implement ISO 27001
ISM3 – Information Security Management Maturity Model
Slide 19
ISM3
Recently adopted as The Open Group Standard – www.ism3.com
ISM3 provides a set of “security management processes” that are consistent with business goals
You can select “Maturity Levels” based on available resources
Level 1: Low risk environments
Level 2: Normal risk environments
Level 3: Normal to High-Risk Environments – IT Service Providers / e-Commerce
Level 4: High risk environments – Public companies, Finance
Level 5: High risk environments + Mandatory Metrics
Slide 20
Security Investment & Risk Reduction
Slide 21
The advantage of a process based approach
A process:
Gives more clarity on what needs to be done
Makes you realize the amount of resources that need to be assigned to execute it
Hence, you will select those processes that are truly required for the ISMS
This leads to building an ISMS “for your business” and “not for certification”
Slide 22
The CXO’s Security Plan
Slide 23
As the CEO, you want to spend less but effective time on information security.
So, your plan must be simple, precise and must give you answers to 3 questions.
Slide 24
The 3 questions are…
1 - Assets: What are my information assets? (Give me the latest list)
2 - Threats: What are the threats to my information assets? (Give me the newest threats)
3 - Vulnerabilities (Weaknesses): What are the vulnerabilities that can be exploited by these threats? (What are we doing about them?)
Slide 25
Your plan centers around “Assets”, “Threats” and “Vulnerabilities”
In fact, you must work together with your information security officer to have the latest list of Assets, Threats & Vulnerabilities briefed to you at regular intervals (at least once a month or quarter)
Slide 26
Idea!
Ask your Information Security Officer to create a threat and vulnerability pipe.
Slide 27
A sample threat & vulnerability pipe
Latest threats and vulnerabilities go on top
March
•Security survey reveals poor user security awareness
•SANS reports 5 vulnerabilities that affect our applications
Feb
•Some web applications do not have privacy policy displayed
•Backup restoration is not tested
Jan
•Background verification of new employees not uniformly done
•Information security risks not considered as part of business continuity plan
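The threat & vulnerability pipe sketched on this slide, worked through as an added Python example that is not part of the original deck. The class and function names, the `status` field and the dates are assumptions made here; the six entries are the ones on the slide, with constructed dates (the year is taken from the summit date) and constructed statuses. Beyond the slide's "top 3 off the top of the pipe" question, it also lists entries that have sunk down the pipe but are still not closed, which is how the CXO's third question ("what are we doing about them?") gets answered from the same data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")

# Constructed briefing date: end of the quarter shown on the slide.
AS_OF = date(2011, 3, 31)


@dataclass(frozen=True)
class PipeItem:
    """One entry in the pipe. The 'status' field is an assumption added here
    so the pipe can answer "what are we doing about them?"."""
    reported: date          # the date the item entered the pipe
    kind: str               # "threat" or "vulnerability"
    description: str
    status: str = "open"    # assumed values: "open", "in-progress", "closed"


class ThreatVulnPipe:
    """Newest items sit on top; older ones sink but stay until they are closed."""

    def __init__(self) -> None:
        self._items: List[PipeItem] = []

    def push(self, item: PipeItem) -> None:
        self._items.append(item)

    def _visible(self, as_of: Optional[date]) -> List[PipeItem]:
        # Everything reported on or before the briefing date, newest first.
        items = [i for i in self._items if as_of is None or i.reported <= as_of]
        return sorted(items, key=lambda i: i.reported, reverse=True)

    def top(self, n: int = 3, as_of: Optional[date] = None) -> List[PipeItem]:
        """The 'top 3 items off the top of the pipe' the CEO is told to ask for."""
        return self._visible(as_of)[:n]

    def by_month(self, as_of: Optional[date] = None) -> Dict[str, List[PipeItem]]:
        """Items grouped by month name, newest month first, as laid out on the slide."""
        grouped: Dict[str, List[PipeItem]] = {}
        for item in self._visible(as_of):
            grouped.setdefault(MONTHS[item.reported.month - 1], []).append(item)
        return grouped

    def unresolved(self, as_of: date, older_than_days: int = 60) -> List[PipeItem]:
        """Items that have sunk down the pipe but are still not closed."""
        return [i for i in self._visible(as_of)
                if i.status != "closed" and (as_of - i.reported).days > older_than_days]


def build_sample_pipe() -> ThreatVulnPipe:
    """The six items from the slide; dates, kinds and statuses are constructed."""
    pipe = ThreatVulnPipe()
    for reported, kind, description, status in [
        (date(2011, 1, 10), "vulnerability",
         "Background verification of new employees not uniformly done", "in-progress"),
        (date(2011, 1, 24), "vulnerability",
         "Information security risks not considered as part of business continuity plan", "open"),
        (date(2011, 2, 7), "vulnerability",
         "Some web applications do not have privacy policy displayed", "closed"),
        (date(2011, 2, 21), "vulnerability", "Backup restoration is not tested", "open"),
        (date(2011, 3, 3), "vulnerability",
         "Security survey reveals poor user security awareness", "open"),
        # An external advisory is recorded as a threat here (an assumption).
        (date(2011, 3, 18), "threat",
         "SANS reports 5 vulnerabilities that affect our applications", "open"),
    ]:
        pipe.push(PipeItem(reported, kind, description, status))
    return pipe


def briefing(pipe: ThreatVulnPipe, as_of: date, n: int = 3) -> List[str]:
    """The monthly/quarterly briefing as a list of lines: top n, then the backlog."""
    lines = [f"Briefing as of {as_of.isoformat()}", f"Top {n} items off the top of the pipe:"]
    for i in pipe.top(n, as_of):
        lines.append(f"  {i.reported.isoformat()} [{i.kind}/{i.status}] {i.description}")
    lines.append("Older items still not closed (what are we doing about them?):")
    for i in pipe.unresolved(as_of):
        lines.append(f"  {i.reported.isoformat()} [{i.kind}/{i.status}] {i.description}")
    return lines


if __name__ == "__main__":
    print("\n".join(briefing(build_sample_pipe(), AS_OF)))
```

Running the block prints the briefing for 31 March 2011: the two March items and the newest February item on top, followed by the two January items that are still open or in progress. Passing an earlier `as_of` date (for example the end of February) reproduces what the briefing would have looked like at that time, which is useful when reviewing whether items are actually moving down the pipe to closure rather than just being pushed down by newer ones.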
Slide 28
So, the next time you are with your information security officer, you know what to ask…
Could you please tell me the top 3 items off the top of the threat & vulnerability pipe?
Hmm… she is getting security sharp!
Slide 29
Remember!
A good security manager will tell you your weaknesses and not always your strengths!
Slide 30
How do I know that I am safe?
Slide 31
How do I know that I am Safe?
You are safe when:
You know what your business is about
You know the Information Systems that are required to attain business goals
You know the risks to the Information Systems
You have reduced the risks as best possible
You know exactly what your weaknesses are and are prepared for them
Slide 32
The Art of War – Sun Tzu
It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles;
if you do not know your enemies but do know yourself, you will win one and lose one;
if you do not know your enemies nor yourself, you will be imperiled in every single battle.
Slide 33
Please keep in mind
Information Security does not earn you big money. But it ensures that you keep earning the big money.
…because information security influences the way your customers TRUST and BUY your brand.
Slide 34
© First Legion Consulting
Thank You
Anup Narayanan, Founder & Principal Architect
ISQ World, A First Legion [email protected]