Dec 12, 2006

10 Steps for an effective ISMS

Introduction

Information security is becoming more important with every business day. To meet the growing demand for protecting information, a large number of standards, guidelines, regulations and legal requirements have been developed. This article summarizes the requirements for an effective Information Security Management System (ISMS).

The 10 Steps/Phases

  1. Assess the security posture
  2. Draft an Information Security Strategic Plan
  3. Review & create policies and standards
  4. Get management buy-in
  5. Prepare Information Security Plan
  6. Assign Information Security Responsibilities
  7. Form a cross functional management forum
  8. Implement an incident response team
  9. Security awareness program
  10. Include Security into the organizational process framework

The details of each step follow.

Assess the Security posture

During this phase, various tools are used to assess the security status of your organization's applications, networks, servers and desktops. The result is a report describing the security posture of your environment.

If the expertise is not available in-house, an organization can hire external parties to assess its security posture. This phase shows the gap between the present status and the status you want to achieve.

Information Security Strategic Plan

“Well planned is half done”, as the saying goes. This is an important step. The plan needs to capture how you intend to fix the weaknesses identified in phase 1. It enables management to understand the requirements of information security and serves as justification for the budget you may ask for.

Include all stakeholders in the plan and ensure that the responsibilities for the security improvements are spread across all your organizational units.

Finally, without a plan everything you present is ad hoc, and management buy-in becomes a difficult task.

Policies and Procedures

Assess the existing policies, if any. Policies shall meet the regulatory and legal requirements of the law of the land. Beyond that, policies shall address the organizational goals and mission and, above all, express management commitment. A policy states what the end result should be; it is supported and enforced by standards and procedures.

A standard is the rule that says what is allowed in order to meet the organizational goal. A procedure is a detailed, step-by-step description of how to do what is allowed.

Policies shall have the following characteristics:

  • Focused on the business, not on technology
  • Represent the best interest of the organization
  • Help everyone attain their goals and represent the common benefit
  • Address legal and regulatory requirements
  • Come from top management
  • Be enforceable
  • Last, but not least, sound like common sense

Management buy-in

This stage is crucial for a successful ISMS implementation. Up to this phase we have done the analysis; now it is time to implement the plan. To ensure acceptance by the end users, the programme has to be pushed from the top. So you need to convince management of the importance of information security and how it will benefit the organization:

  • Talk business benefits rather than technical advantages
  • Get their involvement in deciding which weaknesses are most critical to the business
  • Give an overall idea of the resource requirements, including people, process and technology
  • Budget: you decide

Annual Plan – Information Security

So you have management support, and now it is time to write an implementation plan. Write an annual Information Security Plan. This shall include:

  • Approach to fixing the weaknesses identified
  • Writing of standards, procedures and guidelines
  • Review of your existing security posture periodically
  • Management review meetings
  • Auditing plan
  • Corrective and preventive action plans
  • Costs or budget

Security Responsibilities

Now it is time to form teams to implement information security. Assign the responsibility to a single employee, normally the CISO or ISO; for our reference we will use CISO for the person responsible for implementing the ISMS. Let the CISO form a team of specialized experts. This team then works with the cross-functional groups, and responsibilities are assigned to those groups. This keeps the information security team small and ensures participation from the other teams such as HR, Sales, Business Development, Marketing and the core business function.

The information security team should oversee the implementation rather than do it all itself. A separate audit team shall be formed, and regular audits performed, to identify improvement opportunities.

Another approach is to outsource both functions. Decide which strategy is best for your organization.

Form a cross-functional management forum

Following on from the previous phase, form a management forum with representation from all departments of the organization. Information security is the responsibility of everyone in the organization. Make all leaders propagate the concept of information security to their respective teams.

This also gives you a platform to discuss issues and resolve inter-team conflicts related to information security.

Incident Response program

An incident response program is the channel through which security incidents get reported. It helps you identify which incidents occur frequently, how critical they are, and what measures to incorporate to improve the organization's security posture.

A team shall be organized to analyze the type of each incident, its root cause, and the corrective and preventive actions.

A falling number of incidents, and less recurrence of known ones, will show whether you are on the right track. During this process address the following:

  • Detect
  • Respond
  • Manage
  • Mitigate

Prepare a plan, a policy and specific procedures for responding to incidents.

Security Awareness

“Security is as strong as your weakest link.” Many security professionals use this phrase, and I support it. So who is the weakest link? In my experience, it is human beings. Suppose an employee has a strong password: if he tells it to someone else, the password has lost its strength.

Educate everyone in your organization, your contractors, and anyone else you consider important to your information security.

Use a variety of methods such as corporate presentations, role-play, induction training and so on. Be innovative in how you perform this activity.

Integrate to organizational process framework

Now integrate this into your organizational process framework, such as CMMi, PCMM or ISO 9001. This gives employees one single process framework. Otherwise there will be a lot of resistance from employees when you perform an audit or ask teams to send a separate report for information security.

Conclusion

Information security is a business requirement. An organization should follow process-based security rather than product-based security.

Dec 1, 2006

How to implement ISO 27001 ?

Information Security Standards

Information security is a business requirement in today's corporate world, driven either by business need or by regulation. Many organizations find it difficult to derive a framework for defining the requirements. Publicly accepted, well-known information security standards come in handy at this stage. There are many standards available; ISO/IEC 27001 is the ISO standard for information security management.

What is ISO27001?

ISO 27001 is derived from the well-known BS 7799 standard. In 2005, ISO adopted BS 7799-2 (the specification for an ISMS) as ISO/IEC 27001:2005.

Why should you implement?

There are several reasons why an organization should implement ISO 27001, and the primary one is business demand. Everyone who deals with you needs their information kept secure. ISO 27001 certification confirms that a certain level of protection is in place for the information and data handled.

ISO 27001 also works as a framework from which to start the information security management initiative in your organization.

Steps involved in implementing ISO27001

There are different ways of implementing ISO 27001, and the exact steps of one organization cannot simply be reproduced in another. The steps below are a high-level overview. The details must be defined for every organization and will be unique to it.

  • Define the scope of implementation
  • Define the corporate information security policy / statement
  • Identify and classify the information assets
  • Define a risk assessment and risk management methodology, and identify the risks associated with each asset
  • Map the ISO 27001 controls applicable to mitigating the risks identified
  • Document the Statement of Applicability using the selected controls
  • Define the associated policies, standards and procedures
  • Communicate the policies and procedures to the entire organization
  • Implement the identified controls and document them
  • Perform security awareness training for the organization
  • Conduct periodic internal audits
  • Engage a third party to do audits
  • Proactively close the gaps identified during the audits
  • Maintain metrics of the security practice to ensure continuous improvement
  • Perform the certification audit
  • Post-certification tasks

The post-certification phase is important for any organization. Like other ISO management system certifications, ISO 27001 requires you to undergo periodic surveillance audits and show continuous improvement in information security management.

This requires organizations to improve security management continuously. Perform periodic audits, report the audit results and close all findings. This becomes a never-ending cycle, and the continuous improvement needs to be captured using metrics.

This post is just a high-level overview of implementing ISO 27001.

Nov 17, 2006

Secure your password

Authentication is the process of validating a user: ensuring that you are who you say you are. There are different approaches to authentication.

These are broadly classified into three categories, each being something:

  • you know (passwords and passphrases)
  • you have (smart cards, proximity cards)
  • you are (biometrics)

A strong authentication mechanism should make use of more than one of the above, for example a fingerprint and a password.

In this post I share my views on selecting passwords and keeping them secure, in the form of some don'ts and do's of password usage.

What Not to Use

  • Don’t use your login name in any form (as-is, reversed, capitalized, doubled, etc.).
  • Don’t use your first or last name in any form.
  • Don’t use your spouse’s or child’s name.
  • Don’t use other information easily obtained about you. This includes license plate numbers, telephone numbers, social security numbers, the brand of your automobile, the name of the street you live on, etc.
  • Don’t use a password of all digits, or all the same letter. This significantly decreases the search time for a cracker.
  • Don’t use a word contained in (English or foreign language) dictionaries, spelling lists, or other lists of words.
  • Don’t use a password shorter than six characters (treat this as an absolute minimum; longer is better).
  • Don’t share your password with anyone.

What to Use

  • Do use a password with mixed-case alphabetic characters.
  • Do use a password with nonalphabetic characters, e.g., digits or punctuation.
  • Do use a password that is easy to remember, so you don’t have to write it down.
  • Do use a password that you can type quickly, without having to look at the keyboard. This makes it harder for someone to steal your password by watching over your shoulder.
Method to Choose Secure and Easy to Remember Passwords

Yes, you have to remember the password and should not write it down anywhere.

Replace letters with similar-looking special characters or numerals. E.g., “Information” becomes “1nf0rMat10N”. Be aware that password-cracking tools apply exactly these substitutions to their wordlists, so on its own this method adds little strength; combine it with the next one.

Choose a line or two from a song or poem and use the first letter of each word. E.g., “I am sitting in the boring room!” can be written as “1aSItbR!”.

These are just examples. Make your own, and don't use any of the ones given here.
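The rules above, as an added example that is not code from the original post: a checker that applies the don'ts and do's (login name in any form, personal details, dictionary words, all-digit or single-character passwords, the six-character floor, mixed case, non-alphabetic characters) and a generator for the first-letter-of-each-word method. The tiny word list, the sample login `jsmith`, the personal details and the exact casing rule in `mnemonic()` are assumptions constructed for the example; a real deployment would load a full cracking wordlist and the user's profile fields from the directory. The checker also undoes the common digit/symbol substitutions before matching, which is why the page's “1nf0rMat10N” is rejected as the word “information”.

```python
"""Password-policy checker and mnemonic generator (added example).

Assumptions, not taken from the page: the DICTIONARY stand-in, the sample
login names and personal details, and the casing rule in mnemonic().
"""
import string

MIN_LENGTH = 6  # the post's floor; treat it as an absolute minimum

# Constructed stand-in for a real dictionary / cracking wordlist.
DICTIONARY = {"password", "information", "secret", "welcome", "summer",
              "london", "dragon", "monkey", "letmein", "qwerty"}

# Substitutions that cracking rules undo; we undo them too, so that
# "1nf0rMat10N" is still recognised as the word "information".
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s", "!": "i", "|": "l"})

# Forward substitutions applied by the mnemonic generator.
LEET = str.maketrans({"i": "1", "I": "1", "o": "0", "O": "0"})


def _forms(word):
    """Trivial variants the post forbids: as-is, reversed, doubled.
    Comparison is lower-cased, which also covers 'capitalized'."""
    w = word.lower()
    return {w, w[::-1], w + w}


def check_password(password, login, personal=(), dictionary=DICTIONARY):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    lower = password.lower()
    normalised = lower.translate(UNLEET)

    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.isdigit():
        problems.append("all digits")
    if len(set(password)) == 1:
        problems.append("all the same character")

    # Login name and personal details must not appear in any trivial form.
    candidates = [("login name", login)] + [("personal detail", p) for p in personal]
    for label, word in candidates:
        if any(f and (f in lower or f in normalised) for f in _forms(word)):
            problems.append("contains %s %r" % (label, word))

    # Dictionary words, also after undoing digit/symbol substitutions.
    # Very short words are skipped: almost any string contains "a" or "an".
    for word in sorted(dictionary):
        if len(word) >= 4 and (word in lower or word in normalised):
            problems.append("contains dictionary word %r" % word)
            break

    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        problems.append("no mix of upper and lower case")
    if not any(c in string.digits or c in string.punctuation for c in password):
        problems.append("no digits or punctuation")
    return problems


def mnemonic(phrase):
    """Build a password from the first character of every word of a phrase.

    Letters alternate upper/lower case and i/o become 1/0, so the result
    satisfies the mixed-case and non-alphabetic rules above. Punctuation
    tokens such as a trailing "!" are kept as-is.
    """
    firsts = [tok[0] for tok in phrase.split()]
    out = []
    for idx, ch in enumerate(firsts):
        if ch.isalpha():
            ch = ch.upper() if idx % 2 == 0 else ch.lower()
        out.append(ch)
    return "".join(out).translate(LEET)


if __name__ == "__main__":
    # Constructed sample user: login "jsmith"; spouse's name and car brand are known.
    user, details = "jsmith", ("mary", "ford")
    samples = ["1nf0rMat10N", "htimsj9", "Ford2006!",
               mnemonic("I am sitting in the boring room !")]
    for pw in samples:
        verdict = check_password(pw, user, details)
        print("%-14s %s" % (pw, "OK" if not verdict else "; ".join(verdict)))
```

The checker cannot tell whether the phrase behind a mnemonic is a famous song line, so the generator's output is only as private as the phrase you pick; that limitation is exactly why the post says not to reuse its examples.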

Nov 12, 2006

BS7799 - IT Security Controls

Technical security controls, commonly known as IT security controls, are an important component of protecting your organization's IT infrastructure. Protecting the IT infrastructure has to ensure the security of the data. This can be achieved at various layers.

Let us take the following approach. When an external party looks at your IT infrastructure, the first thing they see is the network infrastructure.

So the first step is to protect your network perimeter. This can be achieved by implementing firewalls, intrusion detection systems, intrusion prevention systems and so on. The next step is to protect the computers exposed to the Internet: identify which systems require access from outside the network, that is, from the Internet, pull them into a separate network called the demilitarized zone (DMZ), and set access privileges so that access is restricted. This leaves your network perimeter comparatively well protected.

The internal network is another component that requires attention. Logically divide your network and restrict access using VLANs. Establish a VPN so that communication with external users and third parties is encrypted. Deploy an Internet proxy to route your internal Internet requests. If you have wireless networks, mandate VPN for wireless access.

Servers are the next component in focus. Servers store, process and transmit your data. It is important to secure them, and the best method is to harden them: stop all unwanted services and close unused ports. Enable logging and monitor all logs. In addition, install a host intrusion detection system and monitor it. Patch management is another important protection mechanism; it protects you from exploitation of known OS vulnerabilities.
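The “stop unwanted services and close unused ports” step above, as an added example that is not code from the original post: a small audit that parses the Linux `/proc/net/tcp` table, lists every socket in LISTEN state with its bind address, and reports the ones that are not on a per-server allow-list. The sample table, the allow-list of ports 22 and 443, and the exposure labels are assumptions constructed for the example; IPv6 listeners (`/proc/net/tcp6`) are not covered.

```python
"""Listening-port audit against a hardening baseline (added example).

Assumptions, not taken from the page: the constructed /proc/net/tcp sample
below and the allow-list used in the usage section.
"""
import socket
import struct

# Constructed sample of /proc/net/tcp: sshd on all interfaces, an SMTP
# listener on loopback, something on 8080 on all interfaces, plus one
# established SSH session that must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18324 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18811 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 24510 1 0000000000000000 100 0 0 10 0
   3: 0C00000A:0016 0500000A:C3A4 01 00000000:00000000 00:00000000 00000000     0        0 25117 1 0000000000000000 20 4 30 10 -1
"""

LISTEN = "0A"  # TCP_LISTEN in the kernel's state column


def _decode(addr_port):
    """Turn 'XXXXXXXX:PPPP' (IPv4 in host byte order, hex port) into (ip, port)."""
    ip_hex, port_hex = addr_port.split(":")
    # The address is written as a host-order 32-bit integer; on little-endian
    # hosts that means the octets appear reversed ("0100007F" is 127.0.0.1).
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(proc_net_tcp):
    """Parse /proc/net/tcp text; return sorted (ip, port) pairs in LISTEN state."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue
        found.append(_decode(fields[1]))
    return sorted(found)


def unexpected_listeners(sockets, allowed_ports):
    """Listeners whose port is not on the allow-list, tagged by exposure.

    A loopback-only listener is still a finding (the service is running and
    may be reachable via a proxy or SSRF), but an all-interfaces one is the
    urgent case, so the bind address is reported alongside the port.
    """
    report = []
    for ip, port in sockets:
        if port in allowed_ports:
            continue
        if ip.startswith("127."):
            exposure = "loopback only"
        elif ip == "0.0.0.0":
            exposure = "all interfaces"
        else:
            exposure = "interface %s" % ip
        report.append((port, ip, exposure))
    return report


if __name__ == "__main__":
    # Use the live table when running on Linux, the constructed sample elsewhere.
    try:
        with open("/proc/net/tcp") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP
    allowed = {22, 443}  # assumed baseline for a hardened web server
    for port, ip, exposure in unexpected_listeners(listening_sockets(table), allowed):
        print("port %5d bound to %-15s (%s) is not in the baseline" % (port, ip, exposure))
```

Run it from a configuration-management job and diff the output against the server's approved baseline; a new entry means either an undocumented change or a service that was never disabled.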

Other computers, the desktops, deserve the same respect as servers. Protect them by deploying effective patch management and vulnerability management.

To protect both servers and desktops from viruses and other malicious code, deploy antivirus on your computers. Update the virus definitions regularly; it is a good idea to subscribe to the antivirus vendor's update service. Much malware spreads by exploiting vulnerabilities, so vulnerability management is an important practice to follow.

Authentication is another key factor in protecting computers from unauthorized access. An effective identity management and access management system will help your organization establish single sign-on (SSO). SSO helps you establish effective user management, and users need to remember only one user name and password for accessing information across applications, so it stops them writing down a collection of accounts and passwords. Note that it also concentrates risk in that one credential, so protect it with a strong password policy or a second factor.

The next focus is your applications. An application can be separated into three parts: the application program, the application server and the database. We have to protect all of them. Perform an application code review and an application security assessment, fix the vulnerabilities found and harden the application. Establish access control lists defining who can access which application module. Application servers are mostly vendor-supplied software; establish vulnerability management for your application server to ensure its vulnerabilities are fixed. This protects your applications from being hacked, to a certain extent.

Protect your database, and the data itself, from unauthorized access, modification or destruction. There are several mechanisms you can follow; here are some of them.

  • Establish an access control mechanism and define who can access which data.
  • Encrypt the information wherever possible.
  • Back up your data regularly.

This article outlines the IT security requirements for an effective Information Security Management System. The information above is not comprehensive; you may need additional technical controls to protect your IT infrastructure.

Nov 8, 2006

Payment card industry data security standard

The Payment Card Industry Data Security Standard (PCI DSS) is now a joint effort of the world's leading payment card brands: American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International.

The primary focus is to safeguard customer card information so as to protect cardholders from fraud and misuse of their cards. This effort led to a standard that many organizations are required to comply with. To achieve compliance, these organizations need to implement the PCI DSS. The standard defines 12 requirements to comply with:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security

Compliance with all 12 requirements, as laid out by the PCI Security Standards Council, is required of all applicable organizations. The requirements apply to all members, merchants and service providers that store, process or transmit cardholder data.

The complete standard can be downloaded from the following URL.

https://www.pcisecuritystandards.org/tech/download_the_pci_dss.htm

Oct 14, 2006

UK-EU Regulations

The last post discussed many of the US regulations. This post focuses on the UK and EU regulations that have an information security impact.

The Turnbull Guidance 1999

Known as “Internal Control: Guidance for Directors on the Combined Code”, this guidance's principal aim is to encourage companies to identify and manage internal and external risk within their organizations.

IT security represents a major risk to business continuity. Security information management tools can help IT departments draw up reports demonstrating management of information security and business continuity risk.

Applicable to all companies listed on the London Stock Exchange, which must implement its findings.

The Companies Act 1985 Regulations 2005

These regulations amend the Companies Act 1985 and introduce the need for an Operating and Financial Review. This must contain a fair review of the company's business and a description of the principal risks and uncertainties facing it. The review must also include business analysis via key performance indicators.

These regulations include information security requirements similar to those of the Turnbull Guidance: information security measures are needed to manage risk by ensuring business continuity and protecting IP rights. The requirements state that processes should also protect the data used to create the reports provided to auditors and directors.

The Companies Act 2004

Known as the UK Companies (Audit, Investigations and Community Enterprise) Act 2004, it aims to improve the reliability of financial reporting and the independence of auditors, while strengthening the role of the Financial Reporting Review Panel (FRRP) in enforcing good accounting and reporting by giving it new powers to require the necessary documents.

Information security controls can help maintain the integrity and availability of this information.

The Act affects all companies audited in the UK and their directors.

Money Laundering Regulations 2003 (MLR)

Businesses must appoint a money laundering reporting officer (MLRO), train employees on the relevant principles and requirements of the legislation, verify the identity of new clients, and maintain records of client identification and transactions for five years. Information security technologies and procedures are needed to ensure that records are not lost, corrupted or defaced in any way.

Applicable to financial services institutions as well as relevant professionals and other ‘relevant’ businesses, including estate agencies, insolvency practitioners, tax consultants, accountants, finance and real estate legal services professionals, and organizations dealing in goods where transactions exceed €15,000.

EU Data Protection Directive

The directive covers the processing of personal data, including automatically processed data and manual data held in a filing system. Its conditions include the confidentiality and security of processing as well as provisions for transfer to third countries. Organizations must implement appropriate measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, and unauthorized disclosure or access.

The US Safe Harbor arrangement is a streamlined process by which US companies can comply with the Directive, developed by the US Department of Commerce in consultation with the EU.

Directive 95/46/EC applies to the EU member states and, through its transfer rules, affects organizations in other countries that receive personal data from them.

Privacy and Electronic Communications (EC Directive) Regulations 2003

The legislation protects the public from electronic marketing practices that cause nuisance, offence or invasion of privacy.

IT security controls and processes should be put in place to ensure that electronic marketing records are both available and correct.

Electronic service providers need business continuity measures to maintain system and network uptime, as well as measures for the more general data protection issues relating to customer data sets.

Organizations that use email marketing must comply with the regulations; additionally, telecom companies and ISPs must implement security technologies and practices to safeguard their services.

UK Data Protection Act

The Act makes it a legal obligation for anyone processing personal data to establish good practice in managing and using that data. Anyone processing personal information must comply with eight enforceable principles of good information handling practice. Good information security practice is implied in all eight, but explicitly in Principle 7, which requires appropriate technical and organizational measures against unauthorized or unlawful processing and against accidental loss, destruction or damage.

Companies must use both organizational and technical means to protect personal information.

Any organization collecting personal data is covered by the Act.

The Freedom of Information Act 2000 – UK

The Act states that public authority information must not be altered, defaced or destroyed. Public authorities need to implement effective records and document management systems, and IT security controls are required to ensure the uptime of these systems and that neither the information nor the records kept on them are altered or corrupted in any way.

The Act gives the general public access to information held by public authorities.

EU Annex 11, Computerized Systems

The central consideration of this regulation (Annex 11 of the EU Guide to Good Manufacturing Practice) is that “records are accurately made and protected against loss or damage or unauthorized alteration so that there is a clear and accurate audit trail throughout the manufacturing process”.

Annex 11 applies to all pharmaceutical manufacturers in the EU using computerized systems in the manufacturing, storage, distribution and quality control of medicinal products.

Jul 11, 2006

Information Security regulations

Information security is paramount in today's world. The world of information security is driven by business needs and regulations. To achieve compliance, organizations often choose well-known standards as benchmarks. Many countries have enforced regulations to protect the interests of the general public. Protection of everyone's privacy is one of the top priorities of every government. Beyond privacy, regulations protect investor interests and the security of personal and financial information.

Here is a list of security and privacy regulations in various countries.

United States of America

HIPAA - Health Insurance Portability and Accountability Act

To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act (HIPAA) of 1996, Public Law 104-191, included “Administrative Simplification” provisions that required the Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions.

The information security references in HIPAA are the following rules:

HIPAA Security Rule: describes the requirements for securing electronic protected health information (ePHI).

HIPAA Privacy Rule: makes the protection of the privacy of health information a legal requirement.

More details about HIPAA can be found at http://www.hhs.gov/ocr/hipaa/

HIPAA applies to the “covered entities” in the US: health plans, health care clearinghouses, and health care providers that transmit health information electronically.

SOX - Sarbanes-Oxley Act

The Sarbanes-Oxley Act updates dated legislative audit requirements to protect investors by improving the accuracy and reliability of corporate disclosures. It covers issues such as the establishment of a public company accounting oversight board, corporate responsibility, auditor independence and enhanced financial disclosure.

Applicable to all companies publicly traded in the United States and regulated by the Securities and Exchange Commission (SEC), including US-based companies as well as international companies with shares traded on a US exchange.

GLBA- Gramm-Leach-Bliley Act

GLBA includes provisions for establishing administrative, physical and technical safeguards to protect the security, confidentiality and integrity of consumer financial information. GLBA applies to financial institutions in the US, such as banks, securities firms, insurance companies and other companies selling financial products.

California Assembly Bill 1950

California’s Assembly Bill 1950 expands on the requirements of Senate Bill 1386 and requires organizations to take “reasonable precautions” to protect California residents’ personal data from modification, deletion, disclosure and misuse, rather than only reporting its disclosure.

This bill applies to state agencies, persons or businesses conducting business in California that own or license computerized data containing personal information.

Authentication in an Internet Banking Environment(FFIEC November 2005 Guidance)

This guidance recommends that financial institutions and their application service providers (ASPs) deploy security measures to reliably authenticate their online banking customers. It considers single-factor authentication, as the only control mechanism, inadequate for online banking. Banks should use authentication methods that are both effective and appropriate to the risks associated with online banking, including multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.

Applicable to all financial institutions in the US, including banks, brokerages, credit unions and the like, and to ASPs that offer Internet banking applications.

21 CFR Part 11

21 CFR Part 11 sets out the US Food and Drug Administration’s requirements for electronic records and electronic signatures. It is designed to prevent fraud while permitting the widest possible use of electronic technology within the FDA-regulated industries.

Organizations must implement controls to ensure the authenticity, integrity, confidentiality and non-repudiation of electronic records. In some cases, organizations must also implement measures such as encryption and digital signatures.

Applicable to all organizations regulated by the FDA, which includes pharmaceutical, biotech, medical device, food and cosmetic companies.

California Information Practice Act ( SB 1386)

This regulation requires organizations conducting business in California to disclose any security breach in which the unencrypted personal information of a California resident was, or is reasonably believed to have been, acquired by an unauthorized person. Since the law requires notification only for breaches involving “unencrypted” sensitive data, organizations that have encrypted the data have a safe harbor.

Applicable to all state agencies, persons or businesses conducting business in California that own or license computerized data containing personal information.

North American Electric Reliability Council (NERC)

The stated purpose of NERC's critical infrastructure protection (CIP) cyber security standards is “to protect the critical cyber assets essential to the reliability of the bulk electric system.”

The standard includes:

  • additional detail to clarify technical requirements and compliance measures
  • authorization requirements to place these measures into production
  • access authorization process requirements
  • generic account management requirements
  • change control and configuration management requirements
  • operating status monitoring tools
  • backup and recovery requirements

Applicable to all entities responsible for planning, operating and using the bulk electric system, which must comply with NERC reliability standards.

Federal Information Security Management Act (FISMA)

FISMA requires federal agencies to develop, document, and implement agency-wide programs to secure data and information systems supporting agency operations and assets, including those managed by other agencies or contractors.

Applicable to all federal agencies, and to contractors and other organizations that operate information systems on an agency's behalf.

USA PATRIOT Act

The Act gives federal officials greater authority to track and intercept communications, for both law enforcement and foreign intelligence gathering purposes.

All US companies and companies conducting business in the US are affected by this Act.

Federal Information Processing Standards (FIPS)

For applications or devices that include cryptography, US federal government agencies are required to use a cryptographic product that has been FIPS 140 validated or Common Criteria (CC) validated, and most CC protection profiles rely on FIPS validation for cryptographic security.

The FIPS 140 requirement “... is applicable to all U.S. government departments and agencies which use cryptographic-based security systems to protect unclassified information”, and in practice to any organization selling such products to US and Canadian government agencies.

Jan 20, 2006

About

Presently, the articles at www.ciso.in are edited by Binoy Koonammavu. If you wish to be part of the editorial group, you are most welcome to submit your paper.

Binoy Koonammavu

Binoy is a professional information security consultant with about 12 years of experience in the IT, information security and business continuity industry. He is considered an expert in the fields of information security, network security and developing Information Security Management Systems. He is an SBCI, CISM, CISA, CISSP and BS7799 Lead Auditor and also holds various vendor certifications. He has recently acquired the COBIT Foundation certification.

Career Summary
  • About 12 years of professional experience
  • About 8 years of Business Continuity and Information Security experience
  • Handling leadership roles for about 8 years
  • Certified Information Security Manager (CISM)
  • Specialist of Business Continuity Institute (SBCI)
  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Systems Auditor (CISA)
  • Business Continuity Certified Expert (BCCE)*
  • BS7799-2 : 2002 Lead Auditor and Certified Implementer
  • ISO 27001 Lead Implementer 
  • Certified - COBIT Foundation

Positions held in the past and Companies worked
  • Burgan Bank, Kuwait – Manager – IT Security
  • UST Global Inc, USA – Practice Director – Information Security
  • ValueMentor Consulting, India – Information Security Architect
  • US Technology, India – Lead – Information Security
  • Network Solutions, India – Sr. Network Engineer
Memberships
  • The Business Continuity Institute
  • ISACA
  • ISC2 
Contact:

Binoy can be contacted at b i n o y @ c i s o . i n  
Phone +965-6660 9759