Mitigating Risks Through ISMS Framework

by A K SHARMA
Additional Director STQC, Department of IT Ministry of Commns. & IT Govt. of India [email protected]

STQC- A Brief Overview

3/10/2014

Risk Mitigation Through ISMS Framework

Standardisation Testing Quality Certification

Standardisation Testing & Quality Certification Directorate
Department of Electronics and Information Technology 3 Govt. of India 3/10/2014
Risk Mitigation Through ISMS Framework

Objective

Q
To be a key enabler in making Indian IT organisations
achieve compliance with International Quality Standards and

compete globally

3/10/2014

Risk Mitigation Through ISMS Framework

STQC CORE Functions

Test Laboratories

Testing

IT Services

STQC IT Centres

Calibration

STQC Core Functions

Certification

Calibration Laboratories

STQC Certification Cells

Training

CETEs and IIQM

3/10/2014

Risk Mitigation Through ISMS Framework

STQC Network
Solan Mohali Delhi Jaipur Guwahati Agartala

Countrywide network comprising STQC HQs at New Delhi and 15 subordinate units

Kolkata Mumbai Pune Hyderabad Goa

STQC HQs

Regional Test Labs

Test & Dev. Centres Centre for Reliability

Bengaluru

Regional Certification Cells

Chennai

IT Services Centre for Electronics Test Engg

ThiruPuram

Indian Institute for Quality Management

3/10/2014

Risk Mitigation Through ISMS Framework

STQC Services for IT Sector

Information Security

Software Quality evaluation

Standards formulation

STQC IT

IT Service Management

Quality Management in IT Industry

Quality Assurance Services for eGov

7

3/10/2014

Risk Mitigation Through ISMS Framework

Framework for Risk Mitigation

What Type of Framework ?

3/10/2014

Risk Mitigation Through ISMS Framework

Framework Which is
Flexible Dynamic Effective Covers
to incorporate other best practices (IM, RM, BCM, SLM .) in keeping pace with changing technological infrastructure enough to address Business needs Key issues related to People, Process, Technology

3/10/2014

Risk Mitigation Through ISMS Framework

Why ISO/IEC 27001 Framework

Based on Risk Assessment & Treatment Importance to Business Context Emphasis on Management of Technology Change, Config Effective Mix of HR, Tech, Legal and contractual issues Demonstrable Compliance thru Third party Certification

3/10/2014

Risk Mitigation Through ISMS Framework

10

What is needed?
Management concerns
Market reputation
Business continuity Disaster recovery Business loss Loss of confidential data Loss of customer confidence Legal liability Cost of security

Security Measures/ Controls

Technical Procedural Physical Logical Personnel Management

3/10/2014

Risk Mitigation Through ISMS

11

ISO 27001:2005: Addressing Management Concerns

A.5 Security Policy A.6 Organizational Security A.7 Asset classification & control A.8 Personnel Security A.9 Physical & environmental security A.10 Communications & operations management A.11 Systems development & maintenance

A.12 Access control A.13 Incident Management A.14 Business continuity A.15 Compliance
3/10/2014

Risk Mitigation Through ISMS Framework

12

ISO 27001: 2013 High Level Structure

Introduction 1. Scope 2. Normative references 3. Terms and definition
7. Support

7.1 resources 7.2 Competence 7.3 Awareness 7.4 Communication 4. Context of the organization 7.5 Documented Information 4.1. Understanding the organisation and its context. 7.5.1 General 4.2. Understand the needs and expectations of 7.5.2 Creating & Updating 7.5.3 Control of documented information interested parties. 8. Operation 4.3. Determining the scope of the ISMS.

4.4 ISMS management system 5. Leadership 5.1 Leadership and commitment 5.2 Policy 5.3 Organization roles, responsibilities and authorities 6. Planning

8.1 Operational planning and control

9. Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation

9.2 Internal Audit 9.3 Management Review 6.1 Actions to address risks and opportunities10. Improvement 10.1 Non Compliance & Corrective action 6.2 ISMS objectives and planning to achieve them

10.2 Continual improvement

3/10/2014

Risk Mitigation Through ISMS Framework

13

6. Planning
6.1 Actions to address risks and opportunities

When planning for the ISMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to

assure the ISMS can achieve its intended outcome(s)

prevent, or reduce, undesired effects achieve continual improvement. The organization shall plan:

a) actions to address these risks and opportunities, and b) how to

integrate and implement the actions into its ISMS processes evaluate the effectiveness of these actions.

3/10/2014

Risk Mitigation Through ISMS Framework

14

8.

Operations

8.2 Information Security Risk Assessment 8.3 Information Security Risk Treatment

3/10/2014

Risk Mitigation Through ISMS Framework

15

Risk Assessment- Building Block for ISMS

Status Appraisal Technical compliance
Documents & Management Inputs

Training

Understand Business Requirements

Study Critical Information Assets

Review Current IS Security Environment

Network review

Training

Training Develop Security Policy and Plan

Policy Review

Analyze Risks & Exposures

Risk Analysis

Training Internal Audit Technical compliance

Certification Implement & Operate ISMS ISMS Certification

3/10/2014

Risk Mitigation Through ISMS Framework

16

Risk Assessment Components and their Relationship

Threats exploit Vulnerabilities

Protect against Security Controls Met by

increase reduce

increase

expose

Security Risks increase Asset Values & Impacts

Assets

indicate Security Requirements

have

3/10/2014

Risk Mitigation Through ISMS Framework

17

RA/RTP in ISO/IEC 27001

Driven by ISO 31000: 2009 Risk Management Principles and Guidelines

Establishes Principles needed to manage risks effectively

3/10/2014

Risk Mitigation Through ISMS Framework

18

Relationships between RM Principles, Framework and Processes (from ISO 31000)

3/10/2014

Risk Mitigation Through ISMS Framework

19

PRINCIPLES

a) b) c) d) e) f) g) h) i) j) k)

Creates value Integral part of organizational processes Part of decision making Explicitly addresses uncertainty Systematic, structured and timely Based on the best available information Tailored Takes human and cultural factors into account Transparent and inclusive Dynamic, iterative and responsive to change Facilitates continual improvement and enhancement of the organization

3/10/2014

Risk Mitigation Through ISMS Framework

20

Information security risk management process

Source : ISO/IEC 27005:2008

3/10/2014

Risk Mitigation Through ISMS Framework

21

Possible inputs for the risk assessment process

List of known threats and vulnerabilities History of natural/ un-natural disturbances in the

location(s) of operation Past security incidents/ breach data Vulnerability assessment reports Penetration test reports Discussion with stake-holders.

3/10/2014

Risk Mitigation Through ISMS Framework

22

(Possible) Pitfalls in risk assessment

Unavailability of proper data as indicated in

earlier slide Risk assessment tend to be voluminous task and therefore given up in between Risk assessment output matched with known and manageable risks All assets not covered in the risk assessment Risk assessment output either too optimistic (All risks within acceptable limits) or too pessimistic (most assets beyond acceptable risks).
Risk Mitigation Through ISMS Framework 23

3/10/2014

Practical tips
Finalise the RA and RM Procedure

The procedure should be quite elaborative; should have

adequate granularity to ensure sufficient resolution in risk for different asset values and their associated threats and vulnerabilities.
Train the concerned groups on this procedure All asset owners to find risks. There may be a common

person so as to ensure uniformity.

Risk assessment should be iterative exercise. For those

assets found to have higher risk, it is desirable to have a moderation session along with stakeholders and security co-ordination group before the findings are presented to management.
3/10/2014

Risk Mitigation Through ISMS Framework

24

Summary
Risk Assessment is one of the most important task in

evaluating the security requirements of the organization The Organization need to evolve a suitable Risk Assessment strategy and define the Acceptable Risk Levels. Risk assessment should cover all the assets covered in the scope Risk Assessment is not a once off exercise and has to be periodically done.

3/10/2014

Risk Mitigation Through ISMS Framework

25

THANK YOU

PROCESS FLOW DIAGRAM

3/10/2014

Risk Mitigation Through ISMS Framework

27

Risk management
The process of identifying, controlling and

minimizing or eliminating security risks (that may affect information systems) for affordable cost. RM includes RA and Risk Treatment.

Transfer

Avoid

Accept

Reduce
Probability

3/10/2014

Risk Mitigation Through ISMS Framework

28

EXTERNAL CONTEXT
The external context can include,
The external context is the external environment in which the organization seeks to achieve its objectives.

the social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local; key drivers and trends having impact on the objectives of the organization; and relationships with, perceptions and values of external stakeholders.

3/10/2014

Risk Mitigation Through ISMS Framework

29

EXTERNAL CONTEXT
The external context is the external environment in which the organization seeks to achieve its objectives.

The external context can include, the social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local; key drivers and trends having impact on the objectives of the organization; and relationships with, perceptions and values of external stakeholders.

3/10/2014

Risk Mitigation Through ISMS Framework

30

RISK TREATMENT

5.5.1
c) removing the risk source; d) changing the likelihood; e) changing the consequences; f) sharing the risk with another party or parties (including contracts and risk financing); and g) retaining the risk by informed decision.

3/10/2014

Risk Mitigation Through ISMS Framework

31