Is awareness government
An Overview by Zaituni Mmari (Information Security Officer)
Four Questions
- What’s it all about?
- Why does it matter to the Government of Tanzania?
- How does it work?
- What do we have to do in the Government of Tanzania?
What is Information Security?
- The use of an ISMS (Information Security Management System) for the systematic preservation, in the Government of Tanzania, of the Availability, Confidentiality and Integrity of its information (and its information systems)
- Also involves Authenticity, Accountability, Non-repudiation and Reliability
Information risk
- All information systems have vulnerabilities that can be exploited by threats in ways that can have significant impacts on the effectiveness, value and long-term survival of the Government of Tanzania’s information systems
- Note: when exploited, those threats have an impact on the effectiveness of the Government’s information systems, and not directly on the effectiveness of the Government itself
Why do we need to implement an ISMS in the Government of Tanzania?
- We have valuable assets: intellectual property, valuable government information, data about staff, customers and suppliers, organizational know-how
- We have legal and regulatory compliance requirements: data protection and privacy, specific legislation
- We are IT dependent: an IT failure (e.g. hardware or power failure, acts of nature) is an institutional failure; IT is not completely secure; IT is not inter-compatible
Why does information security matter to the Government of Tanzania?
External threats
- Viruses, worms, Trojans: 100,000+ ‘in the wild’
- Hackers with automated attacks: now big business (botnets, zero-day attacks)
- Spam: 80%+ of all e-mail, now big business (botnets, blended attacks)
- Cyber-criminals: phishing, identity theft, grand larceny, fraud, cyber terrorism
- Competitors, malcontents, activists, anyone with a computer!
Internal threats
- Fraud, error, unauthorized or illegal system use, data theft
How can the ISO27001/ISO17799 standards help the Government of Tanzania?
A Standard is “a document established by consensus and approved by a recognized body, that provides for common and repeated use rules, guidelines or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context”
Two-part ISMS standard
- ISO 27001 (BS7799-2) specifies how to design an information security management system (‘ISMS’): how the ISMS should work, not what should be in it
- ISO17799 (BS7799-1) is an international code of practice for information security best practice that supports and fleshes out BS7799-2: what should be in the ISMS, not how it should work
History and future
- BS7799 originated in the UK; part 1 adopted by ISO
- Revised every five years; now ten years old
- 1300+ BS7799-2 certifications; even more ISO17799 systems in place
- Now the ISO 27001 series, from November 2005
Why does the Government of Tanzania have to use the standard?
- Best practice specification and guidance
- A MANAGEMENT SYSTEM: technology agnostic, non-technical, non-jurisdictional
- Systematic and comprehensive
- Proven in many industries and organizations
- Includes international best practice; internationally understood
- Capable of external certification
- Commonly accepted best practice: 100+ new BS7799-2 certifications per month
- ISO27001 and ISO9001
What is an ISMS?
A defined, documented management system (within a defined organization, the ‘scope’). It contains:
- A board-approved, high-level information security policy, which defines information security, the components and purpose of the ISMS, and evidences to the business that management is committed to a defined and systematic approach to information security
- A corporate risk treatment plan, describing how different types of risk are to be treated
- An inventory of important information assets (data and systems) that fall within the scope
- An assessment of vulnerabilities, threats and risks (‘risk assessment’) to those assets
- An ISMS Manual that contains a Statement of Applicability, which identifies a set of controls (responses to/countermeasures for) that respond to each of the identified risks
- A comprehensive, inter-related suite of processes, policies, procedures and work instructions
The ISMS must be
- Systematically implemented and managed
- Reviewed, audited and checked
- Continuously improved
Certification
- Valuable but not always essential
- The final stage
- Carried out by a third-party certification body
- Evidence as to the completeness and quality of the ISMS
ISO 27001 - a Closer Look
- ISO 27001:2005 (BS7799-2:2005) is the current version: “Information security management systems – specification with guidance for use”
- “Specification” means “this is how it must be done”
Specification for
- Establishing and managing the ISMS
- Implementing and operating the ISMS
- Monitoring and reviewing the ISMS
- Maintaining and improving the ISMS
- Control of documents
- Management responsibility
- Management review of the ISMS
- ISMS improvement
- Control objectives and controls (Annex A)
(Not exhaustive)
What is a ‘Control’?
- A vulnerability gives rise to a threat
- A threat might have an impact (financial, operational) if it materialises
- A risk is a threat that has a likelihood of materialising and an impact (a threat ≠ a risk)
- Risks are at different levels (e.g. high/catastrophic, medium/affordable, low/insignificant)
- A control is a response to or countermeasure for a risk
- Controls reduce risk, they don’t eliminate it
- Controls should only be implemented in response to specific, identified risks
- A control is a combination of technology, behaviour and procedure. E.g. an anti-virus control: software installed on gateway and desktops; a procedure for ensuring regular updates; staff trained not to open unexpected attachments
- Cost of control ≤ cost of impact
- Every asset has multiple risks; every risk has a control; some controls apply to many risks
- ISO17799 has best practice guidance on control selection
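The rules on this slide, worked as a small risk register that produces a Statement of Applicability. This is an added illustration, not material from the presentation or the ITG toolkit: the 1..3 likelihood/impact scale, the level thresholds, the asset names and the cost figures are all constructed for the example, and the "cheapest fitting control" rule is one simple way to apply "cost of control ≤ cost of impact".

```python
from dataclasses import dataclass
# Constructed scale for this example: likelihood and impact each scored 1..3.
LEVELS = {1: "low/insignificant", 2: "medium/affordable", 3: "high/catastrophic"}

@dataclass
class Risk:
    asset: str
    threat: str        # a threat exploiting a vulnerability of the asset
    likelihood: int    # 1..3
    impact: int        # 1..3
    impact_cost: int   # constructed estimate of the cost if the threat materialises
    def level(self) -> str:
        score = self.likelihood * self.impact   # 1..9, constructed thresholds below
        return LEVELS[1] if score <= 2 else LEVELS[2] if score <= 4 else LEVELS[3]

@dataclass
class Control:
    name: str
    cost: int
    treats: tuple      # threats this control is a response to / countermeasure for
    parts: tuple = ()  # the technology, procedure and behaviour that make it up
def statement_of_applicability(risks, controls, accept=LEVELS[1]):
    """Accepted (low) risks need no action; otherwise choose the cheapest control
    that treats the threat and respects 'cost of control <= cost of impact'."""
    soa = {}
    for r in risks:
        key = (r.asset, r.threat)
        if r.level() == accept:
            soa[key] = "accepted: no action required"
            continue
        fitting = [c for c in controls if r.threat in c.treats and c.cost <= r.impact_cost]
        if not fitting:
            soa[key] = "GAP: no control within cost of impact, escalate to management"
        else:
            soa[key] = "control: " + min(fitting, key=lambda c: c.cost).name
    return soa
# Constructed sample risk register and control set (not from the presentation).
RISKS = [
    Risk("mail server", "virus/worm via attachment", 3, 3, 50_000_000),
    Risk("staff desktops", "virus/worm via attachment", 3, 2, 5_000_000),
    Risk("public website", "defacement by hacker", 2, 1, 500_000),
    Risk("backup tapes", "theft in transit", 2, 2, 1_000_000),
]
CONTROLS = [
    Control("anti-virus", 3_000_000, ("virus/worm via attachment",),
            ("gateway and desktop software", "regular update procedure",
             "staff trained not to open unexpected attachments")),
    Control("encrypted courier", 2_000_000, ("theft in transit",)),
]
```

Running statement_of_applicability(RISKS, CONTROLS) shows one control (anti-virus) covering two risks, one low risk accepted with no action, and one risk flagged as a gap because the only available control costs more than the impact.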
ISO17799 – a Closer Look
- ISO/IEC 17799:2005 is the current version: “Information technology – Security Techniques - Code of practice for information security management”
- It “establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management”
- “The control objectives and controls in ISO/IEC 17799:2005 are intended to be implemented to meet the requirements identified by a risk assessment. [It] is intended as a common basis and practical guideline for developing the Government of Tanzania security standards and effective security management practices, and to help build confidence in inter-organizational activities.”
ISO 17799:2005 - Contents
- 11 chapters, 132 controls
- Best practice control objectives and controls for: security policy; organization of information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development and maintenance; information security incident management; business continuity management; compliance
(Not exhaustive)
How do we create an ISMS?
- PLAN: identify assets and scope, carry out risk assessment, create policies and processes
- DO: implement the defined and agreed processes (no action required for accepted risks)
- CHECK: assess performance against defined policies
- ACT: take corrective and preventive action to continually improve the operation of the ISMS
(PDCA cycle diagram: PLAN, DO, CHECK, ACT)
ISMS Project Roadmap
Documentation Structure
Four tiers, by document type (with required authorization); detail in ISMS Manual 2.2:
1: Policy (Board) - setting the policy: strategic, high level, relatively unchanging; Board approved. The ISMS manual, SoA and risk treatment plan all reflect the principles and demonstrate board accountability
2: Procedures (Executive) - implementing the policy: setting out business requirements, procedures and processes; change infrequently but have multiple overlaps and impacts on operational activity and business behaviours
3: Work Instructions (Operational) - making the policy work: detailed, step-by-step descriptions of how to perform individual tasks; subject to regular review and improvement
4: Records (All users and usages) - records of what happened: minutes, logs, reports, etc.; information about how the ISMS is performing
Sequential mini-projects
- Design and implement the ISMS area-by-area: divisional, geographic, functional, OR control-by-control (priority determined by a high-level strategic risk assessment)
- The standard PDCA approach always applies:
  - Identify scope of the mini-project (plan)
  - Identify assets within the scope (plan); allow for multiple scopes applying to the same assets
  - Risk assessment for those assets (plan)
  - Identify appropriate control(s) and gain approval (plan); ensure overlaps are identified and allowed for (cross-linkages are already in the templates)
  - Implement chosen control, including training (do)
  - Monitor, review and audit control operation (check)
  - Identify and implement improvements (act)
Massively parallel approach
- Designed to get the whole organization to project completion quickly and completely
- All procedures tackled simultaneously; all work instructions tackled simultaneously and in parallel
- Implementation of procedures and work instructions happens as soon as each is complete
- The monitor, audit and review cycle starts immediately each work instruction is implemented
- This approach works best in organizations that already have an ISMS that needs to be documented and brought into line with international best practice
- Only possible using the ITG toolkit, because the templates all exist and all cross-linkages and dependencies have been identified and included
- Requires experienced project management, a committed project team and focused top management support
Some concerns?
- Procedure for procedure’s sake? It leads to robust, improvable processes that make the business work better
- Restrictive on staff? Yes, but it also clarifies what is acceptable and what isn’t, so that everyone is ‘on the same page’
- Just another management system? It’s an extension to existing management systems (and is integrated into them); it removes IT uncertainty, improves internal efficiencies and improves customer service
Who really cares?
- Our users
- Regulators and the law
- Our business partners
- You, because it makes your working environment more efficient with fewer interruptions
Summary of benefits
- Recognized accreditation
- Assurance to our customers that their data is safe with us
- Assurance to our employees, partners and suppliers that their data is safe with us
- Information security policy that fits the business needs
- Reduced outages, stoppages and other information security frustrations
- Aligned with government goals
- Security spend proportionate to value at risk
- Everyone responsible, not just the IT department
- Formalisation of policies and procedures that are already in place
Next steps
- Management owns information security and approves the policy
- Departments are responsible for their own assets and processes, risks and counter-measures
- You are all responsible for key parts of the information and IT infrastructure
- Information asset and process inventory
- Identification, by asset and process, of vulnerabilities, threats, impacts and risks
- Finalization of draft procedures to tie in with policy and Statement of Applicability
- Commencement of work instruction drafting; should be carried out by individual asset owners/system administrators
Timetable
- Start date
- Finish date
Other issues
Remember!
???
Thank you