Transcript of Tammy Clark, Chief Information Security Officer, William Monahan, Lead Information Security Administrator, Georgia State University: Developing a Risk-Based Information Security Program

Tammy Clark, Chief Information Security Officer
William Monahan, Lead Information Security Administrator
Georgia State University, Atlanta GA
Developing a Risk-Based Information Security Program
Copyright Tammy L. Clark, June 2007. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and with permission of author.
Today’s Agenda
– Prerequisites For Success
– Risk Management
– PDCA Model
– Establishing an ISMS: The “Plan, Do, Check, Act” Phases
– Governance Training
– Compliance versus Certification with the ISO standards
Prerequisites For Success
• We believe that the following are critical success factors:
– Top Management Support
– Collaborations with Key Enterprise Stakeholders
– Understanding of key strategic business goals & objectives
Risk Management
• Risk Management Process Model
• Asset Identification and Classification
• Risk Assessment Methodology
• ISO 17799/27001 Annex A
• Risk Treatment
Risk Management Process Model
• Assess and evaluate risks
• Select, implement and operate controls to treat risks
• Monitor and review risks
• Maintain and improve risk controls
Identification of Assets
• Inventory and classification
• Identify legal and business requirements relevant to the assets
• Valuation of identified assets, taking those requirements into account as well as the impact of a loss of confidentiality, integrity or availability (C.I.A.)
• Identify threats and vulnerabilities
• Assess the likelihood that each threat will exploit the corresponding vulnerability
• Calculate risk
• Evaluate risks against a pre-defined risk scale
ISO 17799:2005 Controls and RTP
• 133 separate controls in 11 domains capturing all aspects of information security; a number of the controls assist with implementing an ISMS
• ISO 17799:2005 contains guidance on how to implement these controls
• Risk management is the cornerstone of the ISO 17799:2005 approach to designing a comprehensive information security program
• In developing a Risk Treatment Plan (RTP), you will select controls that assist in mitigating the risks you identified, and you will also decide which risks your organization will accept, transfer or avoid
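The asset-valuation, likelihood, risk-calculation and risk-treatment steps from the two slides above, worked through in code. This is an added example, not material from the slides or from Georgia State University. The 1-5 impact and likelihood scales, the risk = asset value x likelihood formula, the risk-scale thresholds, the acceptance criterion and every asset, threat and vulnerability listed are assumptions made for the illustration; ISO/IEC 27001:2005 leaves the method to the organization, and BS 7799-3 is guidance. The two Annex A references are ISO/IEC 27001:2005 control identifiers.

```python
"""Qualitative risk assessment feeding a Risk Treatment Plan (RTP).

Added example. Scales, formula, thresholds and sample data are assumptions,
not anything the slides or the standards prescribe.
"""
from dataclasses import dataclass
from typing import Optional

IMPACT_SCALE = range(1, 6)      # 1 = negligible ... 5 = severe (assumed)
LIKELIHOOD_SCALE = range(1, 6)  # 1 = rare ... 5 = almost certain (assumed)
# Pre-defined risk scale over the 1..25 product: (low, high, rating), assumed.
RISK_SCALE = ((1, 5, "low"), (6, 12, "medium"), (13, 25, "high"))
ACCEPTANCE_THRESHOLD = 5        # residual risk above this needs management approval
TREATMENT_OPTIONS = ("mitigate", "accept", "transfer", "avoid")


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    c_impact: int          # impact of a loss of confidentiality
    i_impact: int          # impact of a loss of integrity
    a_impact: int          # impact of a loss of availability
    requirements: tuple = ()  # legal/business requirements relevant to the asset

    def value(self) -> int:
        """Asset value = worst-case impact across C, I and A (assumed rule)."""
        impacts = (self.c_impact, self.i_impact, self.a_impact)
        if any(v not in IMPACT_SCALE for v in impacts):
            raise ValueError(f"{self.name}: impact outside the 1-5 scale")
        return max(impacts)


@dataclass(frozen=True)
class Scenario:
    risk_id: str
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int        # likelihood that the threat exploits the vulnerability

    def risk(self) -> int:
        """Risk = asset value x likelihood (assumed formula, range 1..25)."""
        if self.likelihood not in LIKELIHOOD_SCALE:
            raise ValueError(f"{self.risk_id}: likelihood outside the 1-5 scale")
        return self.asset.value() * self.likelihood


@dataclass(frozen=True)
class Decision:
    option: str                               # one of TREATMENT_OPTIONS
    control: str = ""                         # selected control; required for "mitigate"
    residual_likelihood: Optional[int] = None  # expected likelihood once the control operates


def rate(score: int) -> str:
    """Evaluate a risk score against the pre-defined risk scale."""
    for lo, hi, label in RISK_SCALE:
        if lo <= score <= hi:
            return label
    raise ValueError(f"score {score} is not on the risk scale")


def treat(sc: Scenario, d: Decision) -> dict:
    """Build one RTP row: inherent risk, treatment decision, residual risk."""
    if d.option not in TREATMENT_OPTIONS:
        raise ValueError(f"unknown treatment option {d.option!r}")
    inherent = sc.risk()
    if d.option == "mitigate":
        if not d.control or d.residual_likelihood is None:
            raise ValueError(f"{sc.risk_id}: mitigate needs a control and a residual likelihood")
        residual = sc.asset.value() * d.residual_likelihood
    elif d.option == "avoid":
        residual = 0          # the activity carrying the risk is discontinued
    else:
        # accept: exposure stays as it is; transfer: another party carries the
        # impact (insurance, outsourcing) but the exposure still needs sign-off
        residual = inherent
    return {
        "risk_id": sc.risk_id, "asset": sc.asset.name, "owner": sc.asset.owner,
        "threat": sc.threat, "vulnerability": sc.vulnerability,
        "inherent": inherent, "rating": rate(inherent),
        "option": d.option, "control": d.control,
        "residual": residual, "residual_rating": rate(residual) if residual else "none",
        "needs_approval": residual > ACCEPTANCE_THRESHOLD,
    }


def build_rtp(items) -> list:
    """Risk Treatment Plan ordered by inherent risk, highest first."""
    return sorted((treat(sc, d) for sc, d in items), key=lambda r: r["inherent"], reverse=True)


def statement_of_applicability(rtp) -> dict:
    """Map each selected control to the risk IDs that justify selecting it."""
    soa = {}
    for row in rtp:
        if row["control"]:
            soa.setdefault(row["control"], []).append(row["risk_id"])
    return soa


# Constructed sample scope for a university; these are not real assets.
STUDENT_DB = Asset("Student records database", "Registrar", 5, 4, 3, ("student privacy law",))
WEB_SERVER = Asset("Public web server", "Web team", 1, 3, 3)
RESEARCH_SHARE = Asset("Research file share", "Research computing", 3, 3, 2)
DIAL_IN = Asset("Legacy dial-in service", "Network team", 3, 2, 1)

ASSESSMENT = [
    (Scenario("R1", STUDENT_DB, "external attacker", "unpatched DBMS reachable from the internet", 4),
     Decision("mitigate", "A.12.6.1 Control of technical vulnerabilities", residual_likelihood=1)),
    (Scenario("R2", WEB_SERVER, "denial of service", "single server with no failover", 3),
     Decision("accept")),
    (Scenario("R3", RESEARCH_SHARE, "hardware failure", "no off-site backup", 2),
     Decision("mitigate", "A.10.5.1 Information back-up", residual_likelihood=1)),
    (Scenario("R4", DIAL_IN, "war-dialing", "modem pool answers without authentication", 4),
     Decision("avoid")),
]

if __name__ == "__main__":
    rtp = build_rtp(ASSESSMENT)
    for row in rtp:
        flag = "  <- management approval required" if row["needs_approval"] else ""
        print(f'{row["risk_id"]} {row["asset"]:26} inherent={row["inherent"]:2} ({row["rating"]:6}) '
              f'{row["option"]:8} residual={row["residual"]:2}{flag}')
    print("SOA:", statement_of_applicability(rtp))
```

Running it prints the RTP with the highest inherent risks first, which is the prioritisation the deck asks for, and flags R2: an accepted medium risk still exceeds the acceptance threshold, so it is exactly the residual risk that has to go to management for approval rather than being quietly absorbed. The Statement of Applicability derivation records, per selected control, which risk justified selecting it, which is the "reasons for selection" an auditor will ask for.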
PDCA Model
• Plan—Establish the ISMS
• Do—Implement and Operate the ISMS
• Check—Monitor and Review the ISMS
• Act—Maintain and Improve the ISMS
PLAN-Establish Your ISMS
First Steps (Prerequisites):
– Procure the ISO/IEC 27001:2005 standard.
– Obtain full executive management support.
– Define the scope and boundary of the ISMS.
– Define an ISMS policy.
– Define the risk assessment approach.
PLAN-Establish Your ISMS (continued)
• Identify, analyze and evaluate the risks to the assets identified in your scope.
• Identify and evaluate risk treatment options.
• Select control objectives and controls, and record the reasons for selection.
• Obtain management approval of the proposed residual risks.
• Obtain management authorization to implement and operate the ISMS.
• Prepare a “Statement of Applicability” (SOA).
DO Phase-Implement Your ISMS
Implementation of the ISMS:
– Formulate a Risk Treatment Plan (RTP)
– Implement your RTP
– Implement selected controls to meet your control objectives
– Define metrics to measure the effectiveness of your controls
– Implement a training and awareness program
DO Phase-Operate Your ISMS
Operation of the ISMS:
– Manage operations in accordance with identified controls, policies and procedures
– Manage resources and ensure that there are sufficient resources to operate, monitor, review, maintain and improve the ISMS
– Implement procedures and controls to manage incidents
CHECK Phase-Monitor and Review Your ISMS
Execute monitoring and review procedures:
– Documentary evidence of monitoring such as logs, records, files
– Measure effectiveness (metrics)
– Review risk assessments
– Conduct internal ISMS audits
– Management reviews
– Update security plans
– Record actions and events
ACT Phase-Maintain and Improve the ISMS
‘Shall’ statements in the standard apply to this phase:
– Implement identified improvements
– Take appropriate corrective and preventive actions
– Communicate actions & improvements to interested parties
– Ensure improvements meet objectives
ISMS Documentation Requirements
• Statements of policy and objectives
• Scope and boundaries
• Procedures and controls
• Description of risk assessment methodology
• Risk assessment report and RTP
• Metrics
• Objective evidence
• SOA
Four Required Processes
These processes are also required to be documented:
• Document control
• Internal audits
• Corrective actions
• Preventive actions
Governance Training
• BSI Americas ISO/IEC 27001:2005 Implementation Course
– http://www.bsiamericas.com/TrainingInformationSecurity/index.xalter
• HISP (Holistic Information Security Practitioner) Training/Certification
– http://www.hispcertification.org
Compliance VS Certification
• ISO/IEC 17799:2005 Compliance:
– Users of the ISO/IEC 17799:2005 framework need to carry out a risk assessment to identify which controls are relevant to their own business environment and implement them.
– The framework uses the word “should”.
• ISO/IEC 27001:2005 Certification:
– This process involves the auditing of an ISO/IEC 17799:2005 compliant ISMS against the requirements of ISO/IEC 27001:2005.
– The standard uses the word “shall”.
– The ISMS will be audited by an accredited certification body such as Certification Europe, British Standards Institute, Lloyds, KPMG or BVQI.
Other Considerations
– The ISO/IEC 17799:2005 and 27001:2005 standards provide a comprehensive ‘umbrella’ framework for your information security program:
• Compatible with other standards and guidelines
• Assist with compliance
• Meant to be a long-term endeavor
• Favor incremental deployment of controls
• Assist in integrating business requirements with IT and information security goals/objectives
• Help you to prioritize areas of greatest risk/need
GRC Software
• Automated help with risk assessments and treatment plans, incident response, BIA and asset management
– Proteus Enterprise: http://infogov.co.uk
• Automated help with security & compliance gap analysis based on the HISP methodology
– Compliantz Health Check: https://www.compliancehealthcheck.com
References
– ISO/IEC 27001:2005
– BS 7799-3:2006 (Risk Mgt)
– BIP 0071-0074 (ISMS Guidance Series from BSI)
– ISO/IEC 17799:2005 (Controls)
– http://www.praxiom.com/iso-27001.htm (ISO/IEC 27001:2005 in plain English)
– http://www.praxiom.com/iso-17799-2005.htm (ISO/IEC 17799:2005 in plain English)
Questions?
Tammy Clark [email protected]
William Monahan [email protected]