ISO/IEC 27001: Case Study – Data Centre Implementation
©Gamma Secure Systems Limited, 2007
ISO/IEC 27001: Case Study – Data Centre Implementation
Dr. David Brewer, FBCS, MIOD
Conference of IT Heads of Banks, RBI, CAB, Pune 22 September 2007
Agenda
General facts
Strategy
Approach
Results
Conclusions
GENERAL FACTS
Four data centres
Milestones
M1 – Contract award
M2 – ISMS approved
M3 – Ready for certification
M4 – Recommended for certification
M5 – Fully operational
Project plan
Build (M1-M3) 7 weeks
M4 3 months later (dependent upon certification body constraints)
M5 at first surveillance visit
STRATEGY
Risk as a Function of Time
[Chart: risk plotted against time, with curves for Risk (no controls), Residual Risk and Risk Appetite, and the gap between the first two marked as the mitigating effect of controls]
Risk changes with time
New/improved controls are used to mitigate the risk
Residual risk must be within the risk appetite
Else you stop work while things are fixed, or the risk appetite must be increased
There will be little/no evidence of related security incidents
Strategies
Strategy 1 – Build a brand new system, aiming to comply with ISO/IEC 27002
Strategy 2 – Build a brand new system, carrying out the risk assessment/treatment and determining the controls from that
Strategy 3 – Go with what you have today
Start-ups usually take strategy 2
Strategy 1 – New (27002)
Develop brand new policies and procedures according to ISO/IEC 27002
Upside: looks fantastic
Downside:
Can take a long time (1½ – 2 years)
Controls might be counter-cultural or over-the-top
Too much documentation that nobody reads
Risk assessment might be meaningless
Scope for plenty of non-conformities
Management system processes often get forgotten
Vasa: sank in 1628 within 1 mile of the start of her maiden voyage
As the controls are “new” no one knows what to do, so the auditor is likely to find that they are not followed. They will take time to bed in.
Strategy 2 – New (Tailored)
Develop brand new policies and procedures driven by actual needs
Upside: custom made
Downside:
May still take a long time (6 – 18 months)
Scope for non-conformities while new controls are bedded in
Management system processes may get forgotten
Strategy 3 – Now
Just document the controls as they are now
Upside:
Very quick (3 – 4 months)
Focus is on the management system processes
Use the management system to manage change
Downside:
Writing down what you do now can be soul destroying
Must accept that weak controls represent an acceptable risk
Some scope for non-conformities if actual practices are indefensible or corrective actions are not in place
Which is Best?
Strategy 1 is a hiding to nothing
Strategy 2 and 3 are compatible, but why wait?
Apply 3, then use it to create 2
ISO 9001 Experience
Early implementations typically followed Strategy 1:
Quality managers documented nice-to-have systems
Lots of non-conformities
Lots of retrospective activity prior to audits
Now frowned upon by assessors
Best advice: “just document what you do”
It’s then into the continuous improvement cycle
APPROACH
Overview
Classroom/on-the-job training, throughout at least one PDCA cycle
Event-impact RTPs
Role Model
To-Do-List concept
Template ISMS
Overarching/subordinate ISMS
Integrate with existing internal control structures
Marshal existing procedures/ records
Combine with ISO 9001
Combine with CVa, etc
3-6 months
Role Model
[Diagram: ISMS role model. Boxes: Information, ISMS (“acts to reduce risk to acceptable level”), Information users, ISF, ISMS Administrator, Policy Makers, Internal ISMS Auditors, Certification Auditors, ISMS Advisor, ISMS Trainer. Arrow labels: Use; Instruct and monitor; Owns/looks after; Owns; Provides management information; Direct; Manages; Set organisation-wide policy; Provide feedback/request policy enhancements; Certify; Audit; Provide feedback; Advise; Train.]
Role Model
Information Security Forum (ISF)
ISMS Administrator
Internal ISMS Auditor
ISMS Trainer
ISMS Advisor
Certification auditor (optional)
Policy Maker
The “To-Do-List” Concept
The “To-Do-List” Concept
Management standards, including ISO/IEC 27001, insist that the management processes must be in place
But new security processes may be required because risks change
At any point in time:
Existing security procedures are in place
Newly identified ones are still to do
Managed using a “To-Do-List”
Can have entries in progress
Entries will be corrective, preventive or improving in nature
There should be evidence that any risk is being managed
Which means … if you don’t like what you do now, think it will be a non-acceptable risk in the near future, or just want to improve, just put it on the To-Do-List with an appropriate priority
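The two ideas above, residual risk checked against a risk appetite at each review (the “Risk as a Function of Time” picture) and a To-Do-List that carries corrective and preventive entries as the evidence that a risk is being managed, can be put into a small model. This is an added example written for this transcript, not Gamma’s template or tooling; the 1–5 scoring scale, the multiplicative effect of controls, the 90-day look-ahead, the priority rule and every risk, control and date are constructed for the illustration.

```python
"""Added model of residual risk over time checked against a risk appetite,
with a To-Do-List that records how each out-of-appetite risk is being managed.
Not from the deck: scale, dates, risks, controls and priority rule are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Kind(Enum):
    CORRECTIVE = "corrective"   # residual risk is outside appetite now
    PREVENTIVE = "preventive"   # it will be, on current projections
    IMPROVING = "improving"     # nothing wrong, we just want to do better


def _as_date(d):
    """Accept either a date or an ISO string such as "2007-02-01"."""
    return d if isinstance(d, date) else date.fromisoformat(d)


@dataclass
class Control:
    name: str
    effective_from: date   # a control only counts once it has bedded in
    reduction: float       # fraction of the unmitigated risk it removes, 0..1


@dataclass
class Risk:
    name: str
    history: list            # [(date, level)]: unmitigated level, piecewise constant
    controls: list = field(default_factory=list)

    def unmitigated(self, on):
        on = _as_date(on)
        known = [lvl for when, lvl in sorted(self.history) if when <= on]
        if not known:
            raise ValueError(f"{self.name}: no level recorded on or before {on}")
        return known[-1]

    def residual(self, on):
        on = _as_date(on)
        level = self.unmitigated(on)
        for c in self.controls:
            if c.effective_from <= on:
                level *= 1.0 - c.reduction   # controls combine multiplicatively (assumption)
        return level


@dataclass
class ToDoEntry:
    risk: str
    action: str
    kind: Kind
    priority: int          # 1 = most urgent
    status: str = "open"   # open / in progress / closed


@dataclass
class ReviewResult:
    decision: str          # "continue" or "stop work or raise appetite"
    breaches: list         # [(risk name, residual)] outside appetite today
    new_entries: list      # To-Do-List entries raised by this review


def review(risks, appetite, on, todo, horizon_days=90):
    """One management review. Appends to `todo` in place and returns a ReviewResult.

    A risk outside appetite with no open entry gets a corrective entry; one inside
    today but projected outside within `horizon_days` gets a preventive entry.
    An open or in-progress entry is the evidence that the risk is being managed,
    so no duplicate is raised while one exists.
    """
    on = _as_date(on)
    later = on + timedelta(days=horizon_days)
    result = ReviewResult("continue", [], [])
    for r in risks:
        now, soon = r.residual(on), r.residual(later)
        tracked = any(e.risk == r.name and e.status != "closed" for e in todo)
        if now > appetite:
            result.breaches.append((r.name, now))
            if not tracked:
                priority = 1 if now - appetite >= 1.0 else 2   # constructed rule
                result.new_entries.append(ToDoEntry(
                    r.name, f"residual {now:.2f} exceeds appetite {appetite}; add or strengthen controls",
                    Kind.CORRECTIVE, priority))
        elif soon > appetite and not tracked:
            result.new_entries.append(ToDoEntry(
                r.name, f"projected residual {soon:.2f} by {later} exceeds appetite {appetite}",
                Kind.PREVENTIVE, 3))
    todo.extend(result.new_entries)
    if result.breaches:
        result.decision = "stop work or raise appetite"
    return result


# Constructed sample: two risks scored on a 1-5 scale, controls bedding in during 2007.
SAMPLE_RISKS = [
    Risk("backup media theft", [(date(2007, 1, 1), 4.0)],
         [Control("locked media safe", date(2007, 1, 1), 0.5),
          Control("media encryption", date(2007, 3, 1), 0.6)]),
    Risk("remote admin access",
         [(date(2007, 1, 1), 2.0), (date(2007, 6, 1), 4.0)],   # more VPN users expected from June
         [Control("two-factor tokens", date(2007, 1, 1), 0.5)]),
]
APPETITE = 1.5

if __name__ == "__main__":
    todo = []
    for when in ("2007-02-01", "2007-04-01"):
        res = review(SAMPLE_RISKS, APPETITE, when, todo)
        print(when, res.decision, [(e.risk, e.kind.value, e.priority) for e in res.new_entries])
```

Run as a script, the February review finds backup media theft at 2.0 against an appetite of 1.5 (encryption has not yet bedded in), raises a priority-2 corrective entry and reports “stop work or raise appetite”; the April review finds everything within appetite today but raises a priority-3 preventive entry for remote admin access, whose projected June level breaches the appetite. A third review on the same date raises nothing, because both risks already have open entries.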
Template ISMS
Template ISMS
Consultants’ productivity aid to speed the ISMS build process and ensure nothing is omitted
Two current forms:
Microsoft Word document
Adobe Dreamweaver web site
On the case study we used:
Microsoft FrontPage web site
Original FrontPage format
[Screenshot callouts: We complete these parts; Covers every requirement of ISO/IEC 27001; Version control; Checklists]
Current Word format
Template ISMS
The Plan in Action
Phase A (Constructing the ISMS)
Meetings as necessary to obtain info to construct the ISMS
Inaugural ISF meeting
Review meetings
Initiate certification arrangements
Create the ISMS
Phase B (Preparation for certification)
Training: auditors and administrators
ISF Meeting (system review and agree readiness for certification)
Security awareness seminar (whole department)
Phase C (Certification)
RESULTS
Certification
Commendation
CONCLUSIONS
Conclusions
Fundamental management system is quick to build
It’s a management issue
The concepts work in practice
Together they meet the challenges of Basel II
But not only that, they are a driver for success
ISO/IEC 27001: Case Study – Data Centre Implementation
Dr. David Brewer, FBCS, [email protected]
Any Questions?