An Information Security Management System (ISMS) is a way to protect and manage information based on a systematic business-risk approach: to establish, implement, operate, monitor, review, maintain, and improve information security. It is an organizational approach to information security.
It is important to keep the scope manageable. Only parts of the organization, such as a logical or physical grouping within it, should be considered. Large organizations might need several Information Security Management Systems in order to maintain manageability. For example, they might have one ISMS for their Finance department and the networks used by that department, and a separate ISMS for their Software Development department and its systems. The end result of this exercise should be a documented scope for the ISMS. This may be a few statements or paragraphs. The documented scope often becomes one of the first sections of an organization's Security Manual.

D. Risk Management

i) Define method of Risk Assessment - Risk assessment is the process of identifying risks by analyzing threats to, impacts on, and vulnerabilities of information, information systems and processing facilities, and the likelihood of their occurrence. Choosing a risk assessment method is one of the most important parts of establishing an ISMS. The method chosen must help:
- Evaluate risk based on levels of confidentiality, integrity, and availability;
- Set objectives to reduce risk to an acceptable level;
- Determine criteria for accepting risk; and
- Evaluate risk treatment options.
The organization's approach to information security risk management, the criteria for information security risk evaluation, and the degree of assurance required have to be clearly determined and documented.

ii) Information Asset Inventory - The organisation has to prepare a list of the information assets to be protected and an owner for each of those assets. It also has to identify where the information is located and how critical or difficult it would be to replace. This list should be part of the risk assessment methodology document that was created in the previous step. A sample of such a list is given in Table 1 below:
Table 1: Information Asset Inventory

| Asset | Details | Owner | Location | CIA Profile | Replacement Value | Risk Value | Control | Sufficient control? |
|---|---|---|---|---|---|---|---|---|
| 1. Strategic Information | Medium and long term plans | CEO | CEO PC | | High | | | |
| 2. | | CEO | CEO PC | | Medium | | | |
| 3. | | | | | | | | |
iii) Identify Risks - For each asset defined in the previous step, risks have to be identified and classified according to their severity and vulnerability. In addition, the impact that loss of confidentiality, integrity, and availability may have on the assets has to be determined. A sample is shown in Table 2. To begin identifying risks, actual or potential threats and vulnerabilities for each asset have to be identified. A threat is something that could cause harm. For example, a threat could be an intentional, accidental, or man-made act that could inflict harm, or an act of God (such as a hurricane or tsunami). A vulnerability is a source or situation with a potential for harm (for example, a broken window is a vulnerability; it might encourage harm, such as a break-in). A risk is a combination of the likelihood and severity or frequency that a specific threat will occur.
Table 2: Information Asset Risk Identification

| Asset | Details | Owner | Location | CIA Profile | Replacement Value | Risk Value | Control | Sufficient control? |
|---|---|---|---|---|---|---|---|---|
| 1. Strategic Information | Medium and long term plans | CEO | CEO PC | C: High, I: High, A: Med | High | | | |
| 2. Project Plans | Short Term Plans | CEO | CEO PC | C: High, I: High, A: Low | Medium | | | |
| 3. ...etc. | | | | | | | | |
iv) Assess Risks & Probability of Occurrence - After the organisation has identified the risks, it needs to assign values to them. The values will help the organisation determine whether the risk is tolerable and whether it needs to implement a control to either eliminate or reduce the risk. To assign values to risks, the considerations will be:
- the value of the asset being protected;
- the frequency with which the threat or vulnerability might occur; and
- the damage that the risk might inflict on the company or its customers or partners.
Table 3: Information Asset Risk Assessment

| Asset | Details | Owner | Location | CIA Profile | Replacement Value | Risk Value | Control | Sufficient control? |
|---|---|---|---|---|---|---|---|---|
| 1. Strategic Information | Medium and long term plans | CEO | CEO PC | C: High, I: High, A: Med | High | High | | |
| 2. Project Plans | Short Term Plans | CEO | CEO PC | C: High, I: High, A: Low | Medium | Medium | | Yes |
| 3. ...etc. | | | | | | | | |
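The scoring in step iv can be made concrete as a small risk register. The following Python is an added example, not part of the original article: it fills the Risk Value and Sufficient control? columns for the rows of Tables 2 and 3, using an assumed numeric scale, an assumed likelihood column, an assumed one-level likelihood reduction for an existing control, and an assumed acceptance criterion.

```python
# Added example (not from the article): scores the assets of Tables 2 and 3 with the
# considerations above: asset value, threat likelihood, damage. Scales are assumed.
from dataclasses import dataclass

LEVEL = {"Low": 1, "Med": 2, "Medium": 2, "High": 3}
ACCEPTABLE = 8  # assumed risk acceptance criterion: scores at or below are accepted

@dataclass
class Asset:
    name: str
    owner: str
    location: str
    cia: dict               # e.g. {"C": "High", "I": "High", "A": "Med"}
    replacement_value: str  # value of the asset being protected
    likelihood: str         # assumed column: how often the threat might occur
    control_in_place: bool  # whether some control already exists

def damage(asset):
    """Damage potential: the most demanding of the C, I and A requirements."""
    return max(LEVEL[v] for v in asset.cia.values())

def risk_score(asset, likelihood=None):
    """Risk = asset value x likelihood x damage, on a 1..27 scale (assumed)."""
    lik = LEVEL[asset.likelihood] if likelihood is None else likelihood
    return LEVEL[asset.replacement_value] * lik * damage(asset)

def risk_value(score):
    return "High" if score >= 18 else "Medium" if score >= 8 else "Low"

def assess(asset):
    """Fills the Risk Value and Sufficient control? columns for one asset."""
    inherent = risk_score(asset)
    # Assumed: an existing control lowers the threat likelihood by one level.
    lik = max(LEVEL[asset.likelihood] - (1 if asset.control_in_place else 0), 1)
    residual = risk_score(asset, lik)
    accepted = residual <= ACCEPTABLE
    return {"asset": asset.name, "risk_value": risk_value(inherent),
            "sufficient_control": accepted,
            "treatment": "accept" if accepted else "reduce risk: add a control"}

# Constructed rows mirroring the sample tables above.
REGISTER = [
    Asset("Strategic Information", "CEO", "CEO PC",
          {"C": "High", "I": "High", "A": "Med"}, "High", "Medium", False),
    Asset("Project Plans", "CEO", "CEO PC",
          {"C": "High", "I": "High", "A": "Low"}, "Medium", "Medium", True),
]

def assess_register(register=REGISTER):
    return [assess(a) for a in register]
```

Any asset whose residual score exceeds the acceptance criterion is flagged for treatment, which is the decision the Control and Sufficient control? columns record.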
E. Business Impact Analysis (BIA)

A BIA report quantifies the importance of business components and suggests appropriate fund allocation for measures to protect them. The possibilities of failure are assessed in terms of their impacts on safety, finances, marketing, legal compliance, and quality assurance. Where possible, impact is expressed monetarily for purposes of comparison. For example, a business may spend three times as much on marketing in the wake of a disaster to rebuild customer confidence. The BIA is an essential component of an organization's business continuity plan; it includes an exploratory component to reveal any vulnerabilities, and a planning component to develop strategies for minimizing risk. The result of the analysis is a business impact analysis report, which describes the potential risks specific to the organization studied.

One of the basic assumptions behind BIA is that every component of the organization is reliant upon the continued functioning of every other component, but that some are more crucial than others and require a greater allocation of funds in the wake of a disaster. For example, a business may be able to continue more or less normally if the cafeteria has to close, but would come to a complete halt if the information system crashes.

A sample series of questions a BIA team must look to answer:
- What critical interdependencies exist between internal systems, applications, business processes, and departments?
- What specialized equipment is required and how is it used?
- How would the department function if the mainframe, network and/or Internet access were not available?
- What single points of failure exist and how significant are those risks?
- What are the critical outsourced relationships and dependencies?
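The interdependency and single-point-of-failure questions above can be answered systematically from a dependency map. The following Python is an added example, not from the original article; the processes, components, redundant ISP pair and hourly loss figures are constructed sample data, and the set of critical processes is an assumed criterion.

```python
# Added example, not from the article: a dependency map for the BIA questions
# above. Processes, components and hourly losses are constructed sample data.

# Each node lists requirement groups; a group is satisfied if ANY alternative
# in it is up, so (isp-primary, isp-backup) models a redundant pair.
DEPENDS_ON = {
    "order-processing":  [("erp",), ("network",)],
    "payroll":           [("hr-system",), ("network",)],
    "cafeteria-billing": [("pos-terminal",)],
    "erp":               [("mainframe",), ("network",)],
    "hr-system":         [("outsourced-hr-saas",), ("internet-access",)],
    "internet-access":   [("isp-primary", "isp-backup"), ("network",)],
    "outsourced-hr-saas": [],  # critical outsourced dependency
    "mainframe": [], "network": [], "pos-terminal": [],
    "isp-primary": [], "isp-backup": [],
}
CRITICAL_PROCESSES = {"order-processing", "payroll"}
HOURLY_LOSS = {"order-processing": 5000, "payroll": 800, "cafeteria-billing": 50}

def is_up(node, failed, graph=DEPENDS_ON):
    """A node runs if it has not failed and every requirement group has at
    least one alternative that is up (the graph is assumed acyclic)."""
    if node in failed:
        return False
    return all(any(is_up(alt, failed, graph) for alt in group)
               for group in graph.get(node, []))

def failure_impact(component, graph=DEPENDS_ON):
    """Processes halted when this one component fails, and the hourly loss."""
    halted = sorted(p for p in HOURLY_LOSS if not is_up(p, {component}, graph))
    return halted, sum(HOURLY_LOSS[p] for p in halted)

def components(graph=DEPENDS_ON):
    return {alt for groups in graph.values() for group in groups for alt in group}

def single_points_of_failure(graph=DEPENDS_ON):
    """Components whose loss alone halts at least one critical process."""
    return sorted(c for c in components(graph)
                  if CRITICAL_PROCESSES & set(failure_impact(c, graph)[0]))

def ranked_by_impact(graph=DEPENDS_ON):
    """Components ordered by the hourly loss their failure causes, to guide
    where protective funds should go first."""
    return sorted(components(graph),
                  key=lambda c: (-failure_impact(c, graph)[1], c))
```

The ranking shows why the network and mainframe deserve more protective spending than the cafeteria terminal, and why a single ISP failure is not a single point of failure while the outsourced HR service is.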
F. Business Continuity Planning (BCP) & Disaster Recovery (DR)

Business Continuity Planning involves identifying, developing, acquiring, documenting and testing the procedures and resources that will ensure continuity of an organisation's key operations in the event of an accident, disaster, emergency, and/or threat. It involves risk mitigation planning (reducing the possibility of adverse events occurring) and Disaster Recovery planning (ensuring continued operation in the aftermath of a disaster). These plans are drawn up based on the BIA report, as this gives a clear indication of the business-critical processes that have to be focused on. Some basics to cover in a Business Continuity plan are:
- Develop and practice a contingency plan that includes a succession plan for the CEO.
- Train backup employees to perform emergency tasks.
- Determine offsite crisis meeting places and crisis communication plans for top executives.
A Disaster Recovery Plan is a subset of the BCP, but covers elaborate details such as documentation of the procedures for declaring an emergency, evacuation of the site according to the nature of the disaster, active backup, notification of the related officials/DR team/staff, notification of the procedures to be followed when a disaster breaks out, alternate location specifications, etc. It is beneficial to be prepared in advance with sample DRPs and disaster recovery examples so that every individual in the organization is better educated on the basics. Documentation should include the identification and contact details of key personnel in the disaster recovery team, and their roles and responsibilities in the team.
Phase 4 describes the immediate elimination of minor flaws. If fundamental or extensive changes are needed, one must of course return to the planning phase. This model is named after its individual phases ("Plan", "Do", "Check", "Act") and is thus also referred to as the PDCA model. The PDCA cycle is considered an upward spiral: each cycle further refines the ISMS, so the extent of the next cycle's changes is a little smaller than that of the previous one.
Concluding Remarks
The management system concept is being applied across many new disciplines. With the ratification of the ISO 27001 standard, information security management systems have achieved new prominence, in some arenas becoming an essential requirement. In conclusion, an ISMS:
- Integrates information security risk into enterprise risk management.
- Documents informed-choice decision making and due diligence.
- Provides a framework for regulatory compliance.
- Offers a structure to efficiently and effectively integrate people, process, and technology.
- Furnishes a mechanism for monitoring and reporting.
- Is business friendly, and a market differentiator.
Useful books and information on Business Continuity and Disaster Recovery:
- The Disaster Recovery Handbook: A Step-by-Step Plan, by Wallace and Webber (AMACOM, 2010)
- Building an Enterprise-Wide Business Continuity Program, by Kelley Okolita (CRC Press, 2009)
- A Risk Management Approach to Business Continuity: Aligning Business Continuity with Corporate Governance, by Julia Graham et al. (Rothstein Associates, 2006)