
Information Security Challenges in Emerging Markets

What, Why & How

Presented by Daniel Udochi, CISA, CISM, Certified QA Lead Auditor
Thursday, March 11, 2010
ISACA Kenya Chapter Presentation

AGENDA

- Information Security: Introduction & Overview
- Information Security Management: The Challenge
- ISO 27001: Background & Overview
- Implementing an ISMS Based on ISO 27001: Critical Success Factors (CSFs)

Basic Definitions

Information: a meaningful collection of data (facts, ideas, etc.) about a particular subject.

Security: assurance that something of value (an asset) is protected against loss, attack or harm.

Information Security: the use of a suitable set of controls to provide assurance for the continued attainment of the specific security objectives associated with an organization's information assets.

IS Audit: an independent process of collecting and evaluating evidence to assess the current (and continued) effectiveness or otherwise of information security controls.

Information Security - Objective

Preservation of Confidentiality, Integrity and Availability of information assets.

Confidentiality: ensuring that information is accessible only to those authorized to have access.

Integrity: safeguarding the accuracy and completeness of information and processing methods.

Availability: ensuring that authorized users have access to information and associated assets as and when required.

[Diagram: Confidentiality, Integrity and Availability arranged around Information Security]

In addition to these cardinal properties are Authenticity, Accountability, Non-repudiation and Reliability.

Information Security - Scope

All forms of information: hard copy (paper), electronic, audio, video, etc.

- Information storage & retrieval: manual and electronic archiving systems
- Information processing: computers, manual clerk processing, etc.
- Information transmission: LAN, WAN, Internet, etc.
- Supporting facilities and infrastructure: buildings, processes, people, etc.

A Challenge for Emerging Markets?

- Rapidly changing and ever-increasing convergence of technologies
- Phenomenal growth rate and expansion of the Internet and the myriad of available services
- High adoption rate of new technologies by previously technology-shy nations in the emerging markets of the developing world, in order to leverage new opportunities
- Diverse and ever-increasing spectrum of threats to information and associated assets
- Pervasive nature of information systems and services, leading to increased vulnerability to security threats

"When I took office, only high energy physicists had ever heard of what is called the World Wide Web... Now even my cat has its own page." - Bill Clinton, 42nd US President (1993 - 2001)

The Chinese word for Risk is symbolized by two characters: Opportunity & Danger.

Extra! Extra! Read All About It

"Global Village", once a vision of Marshall McLuhan (1911 - 1980), is now reality: the same global risks, but poor awareness and readiness levels.

Information Security - How?

Establish Security Requirements
- Risk assessment
- Legal, statutory, regulatory and contractual requirements
- Internal set of principles, objectives and requirements for information processing

Select Suitable Controls
- Best practices
- Information security management models: ISO 27001, COBIT, ITIL, SSE-CMM, etc.

Implement Control Monitoring & Feedback
- Control assessment
- Risk management

Improve!

Information Security - How?

[Diagram: inputs feeding the Security Policy]
- Technology strategy & usage
- Business initiatives & processes
- Risk & vulnerability assessment

Security Policy

Security Model
- Security architecture & technical standards
- Admin & end-user guidelines & procedures
- Enforcement processes
- Monitoring processes
- Recovery processes

Information Security Management System

Management Commitment (at all levels)

ISO 27001 Background

- BS7799 created in 1999 by the British Standards Institute (BSI) as a two-part document: IS Standard & IS Certification scheme.
- Standards adopted by ISO and converted into the ISO 27001 Standard for Information Security Management.
- Postulates a risk assessment approach as the basis for establishing required controls.
- Uses the Deming Plan-Do-Check-Act approach to ISMS implementation and operation.

ISO 27001 Overview

- Security Policy
- Organizing Information Security
- Asset Management
- Human Resources Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Information Systems Acquisition, Development & Maintenance
- Information Security Incident Management
- Business Continuity Management
- Compliance

Control Objectives specify what needs to be achieved, while controls are the recommended actions to achieve the objective.

Security Policy

Objective: To provide management direction and support for information security and demonstrate management commitment to information security.

Key Requirements
- Information security policy document
- Policy review & authorization procedure
- Policy evaluation criteria

Deliverables
- Policy communication & awareness

Organizing Information Security

Objective: To establish the management structure/framework for the initiation, maintenance and control of information security within the organization.

Key Requirements
- Management information security forum
- Information security coordination
- Defined information security roles & responsibilities
- Authorization process for information processing facilities
- Specialist services

Deliverables
- IS methodologies and processes, e.g. risk assessment
- Information security incident review & corrective actions
- Enterprise-wide information security visibility & awareness

Asset Management

Objective: To ensure that major organizational information assets are accounted for and protected as appropriate.

Key Requirements
- Accountability for information assets
- Information classification

Deliverables
- Information asset inventory
- Nominated owner for key information assets
- Information classification scheme/guideline

HR Security

Objective: To reduce the risks of human error, theft, fraud or misuse of organizational facilities by addressing security responsibilities at recruitment and throughout an individual's employment.

Key Requirements
- Security in job definition & sourcing
- User training
- Security incident response

Deliverables
- Defined roles and responsibilities for security
- Formal verification process and checklists
- Confidentiality / non-disclosure agreements
- User training records
- Incident reporting & disciplinary procedures

Physical & Environmental Security

Objective: To prevent unauthorized access, damage and interference to business premises and information by ensuring that sensitive IPFs (information processing facilities) are housed in secure and adequately protected areas.

Key Requirements
- Secure areas
- Equipment security
- General controls

Deliverables
- Effective & adequate physical security & controls
- IPF location based on security requirements
- Formal maintenance procedure & records
- Off-site and equipment disposal procedures
- Clear desk / clear screen policy

Physical Security - Relevance

[Advertisement for a hardware keystroke logger, reproduced as an example of a physical threat]
- Installs in a few seconds
- Doesn't need batteries
- Impossible to detect or disable with software
- Stores up to 2,000,000 keystrokes; can be stored with 128-bit encryption
- Works on all operating systems
- Prices from only $139

Communications & Operations Management

Objective: To ensure the correct & secure operation of IPFs by defining responsibilities and procedures for the management & operation of the facilities.

Key Requirements
- Operational procedures & responsibilities
- Protection against malicious software
- Housekeeping
- System planning & acceptance
- Network management
- Media handling & security
- Information & software exchange

Deliverables
- Change management & capacity monitoring processes
- Antivirus monitoring and control processes
- Adequate segregation of duties
- Acceptable Use policy

Access Control

Objective: To control access to information & business processes on the basis of business and security requirements.

Key Requirements
- Defined business requirement for access control
- User access management: procedures & responsibilities
- Network access control
- Operating system access control
- Application access control
- Monitoring system access & use
- Mobile computing & teleworking

Deliverables
- Access control policy & password management guide
- Access management processes: review, authorization, etc.

System Acquisition, Development & Maintenance

Objective: To ensure that security is built into information systems by identifying & agreeing security requirements prior to development of information systems.

Key Requirements
- Defined security requirements for systems & applications
- Input, processing & output controls
- Program library controls
- Change management & control

Deliverables
- System impact/risk assessment prior to implementation
- Change authorization procedures
- Documented control requirements and control assessment processes

Information Security Incident Management

Objective: To ensure information security events and weaknesses are communicated and managed in a consistent and effective manner, allowing timely corrective action to be taken.

Key Requirements
- Formal information security event reporting, response and escalation procedures
- Single point of contact for all incident reporting
- Clear roles & responsibilities defined for staff and vendor personnel
- Routine assessment/review of IS incident processes and procedures

Business Continuity Management

Objective: To counteract interruptions to business activities and protect critical processes from the effects of major failures or disasters.

Key Requirements
- Formal impact analysis and BC Plan
- Documented test scenarios and associated success criteria
- On-going BCP review and maintenance

Deliverables
- BC Plan and maintenance schedule
- Test procedures and associated success criteria
- BCP change management & authorization schedule

Compliance

Objective: To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and of any security requirements.

Key Requirements
- Schedule of applicable legal, statutory, regulatory or contractual obligations
- Formal IPR management processes
- Data protection and privacy controls
- Routine assessment/audit of compliance with security policies

Deliverables
- Infosec assessment/audit procedures & reports
- IPR and data privacy protection procedures
- Change management & control procedures

Documented System Overview

The basic hierarchy structure of a documented system:

Policy: pervasive rule that sets the overriding tone for all activities of a function or group of functions in the organization.

Procedure: logical sequence of activities required to achieve a defined goal/objective. Basically describes the Who, What and How.

Work Instructions: detailed and comprehensive (almost elementary) step-by-step instructions for achieving specific tasks within the procedure.

Quality (Work) Records: records produced in the course of daily business operations that show compliance with Policy, Procedure and Work Instructions.

Critical Success Factors

- Security policy, objectives & activities that are in sync with business objectives
- An approach to implementing security that is consistent with the organizational culture
- Visible support and commitment from management
- A good understanding of the security requirements, risk assessment and risk management
- Effective marketing of security to all managers and employees
- Distribution of guidance on information security policy and standards to all employees and contractors
- Providing appropriate training and education
- A comprehensive and balanced system of measurement which is used to evaluate performance in information security management and feed back suggestions for improvement

Daniel Udochi
Zain Africa Regional Manager, Revenue Assurance & Fraud Management
Dandoch@gmail.com

Copyright Daniel Udochi 2010. All Rights Reserved. No part of this document may be reproduced without written consent from the author.