Security Management
Information Security Management – Management System Requirements, Code of Practice for Controls, and Risk Management
Supervision: Assistant Professor Dr. Sana’a Wafa Al-Sayegh
Presented by: Tamer abo lehia
ITGD 2202
Background of ISMS Standards
Information Security Management System (ISMS) standards have been produced to help organisations come up with cost-effective answers to questions like:
• Why do the same types of information security problem keep coming up again and again?
• Why does the IT department keep asking for more and more money to solve information security problems (that don’t go away)?
• How can we do information security well when IT is core to our business, but not our core business?
Origins in UK business in the 1990s, pooling knowledge of best practice:
• Initial focus on controls (now published as ISO/IEC 17799:2005)
• Enhanced with a management decision-making framework (now published as ISO/IEC 27001:2005)
• Recently internationalised and updated by ISO/IEC
STANDARDS AUSTRALIA SECURITY FORUM
Organisations involved in the development of the ISMS Standards
• Nationally:
  • Large corporates (e.g. ANZ, Shell, Bluescope, Telstra)
  • Information and IT security specialists (e.g. Witham Labs, Pacific Research, Fujitsu, Megaprime)
• Internationally:
  • Representatives from large corporates in the IT and other sectors, and information security specialists from specialist business and government organisations
  • Australia, Austria, Belgium, Brazil, Canada, China, Czech Republic, Denmark, Finland, France, Germany, India, Italy, Japan, Kenya, Luxembourg, Malaysia, New Zealand, Netherlands, Norway, Poland, Russia, Singapore, Spain, South Africa, South Korea, Sri Lanka, Sweden, Switzerland, UK, Ukraine, USA
The target audience and the value the ISMS Standards bring to the market
• These standards are relevant to any organisation reliant on information and IT:
  • Large corporates
  • SMEs
  • Government agencies
• The focus is on organisations that cannot justify a staff of information security specialists
• Value is provided by making pooled, peer-reviewed best practices for the management and implementation of an information security programme available to all at a modest cost
Objectives of the Standards
The ISMS standards specify a framework for organisations to manage the information security aspects of their business and, if necessary, to demonstrate to other parties (e.g. business partners, auditors, customers, suppliers) their ability to manage information security.
Key Elements / Scope of the ISMS Standards
• ISO/IEC 27001: ‘Information Security Management Systems – Requirements’ is the foundational standard; it is applicable to all types of organisation and all sectors of the economy.
• It specifies a risk-based management system designed to ensure that organisations select and operate adequate and proportionate (i.e. cost-effective) security controls to protect information assets.
• It uses the ‘plan-do-check-act (improve)’ model used in environmental and quality management standards.
• It is specified to allow implementation integrated within broader management systems.
• The standard shows how its requirements relate to the OECD Guidelines for the Security of Information Systems and Networks.
Content of the ISMS Standards
The plan-do-check-act cycle as applied to an ISMS:
• Plan: establish the ISMS
• Do: implement and operate the ISMS
• Check: monitor and review the ISMS
• Act: maintain and improve the ISMS
• Foundations (ISO/IEC 27001):
  • Establishing, implementing, operating, maintaining and improving an ISMS
  • Documentation requirements
  • Management responsibilities
  • Internal audits and management reviews
• Supporting Standards:
  • ISO/IEC 27000 – ISMS fundamentals and vocabulary (under development)
  • ISO/IEC 27002 – Code of practice for information security management (controls) (ISO/IEC 17799, to be renumbered next year)
  • ISO/IEC 27003 – ISMS implementation guide (under development)
  • ISO/IEC 27004 – Measurement and metrics (under development)
  • ISO/IEC 27005 – Risk management (under development)
  • ISO/IEC 27006 – Requirements for the accreditation of bodies providing certification of ISMS (under development)
ISMS – the tip of the iceberg
• There are also generally applicable ISO/IEC and/or Australian/NZ Standards covering:
  • Digital signatures
  • Encryption (algorithms, modes of operation, key management)
  • Entity authentication
  • Hash functions
  • Intrusion detection
  • IT evidence collection
  • Message authentication codes
  • Network security
  • Non-repudiation
  • Prime numbers
  • Random numbers
  • Security evaluation of products
  • Security incident management
  • Time-stamping
  • Trusted third party services
Call to action
Poor information security outcomes are commonly the result of poor management, not poor technical controls.
• The 27000 series of ISMS standards tackles the information security problems we face from the management perspective.
• It is not easy, but it is best practice and it works.