1
Limiting electronic fraud through an Information Security Management System (ISMS): An Introduction to ISO 27001
Presented to the ICGFM Annual Conference, May 2006
James St. Clair, Senior Manager, Grant Thornton LLP, Global Public Sector
2
Disclaimer
  • The views expressed do not necessarily reflect
    the views of Grant Thornton LLP

3
Areas of Discussion
  • Global trends in Electronic Finance (E-Finance)
  • Risks to E-Finance
  • Establishing a policy framework
  • Overview of Information Security Management
  • Questions?

4
Presentation Objectives
  • Familiarize the audience with the pervasiveness
    of E-Finance
  • Discuss how E-Finance is vulnerable
  • Outline steps to implement a framework to limit
    risk
  • Discuss the specifics of an Information Security
    Management System

5
The Growth of Electronic Finance
6
Electronic Finance is now the world standard
  • E-Finance consists of four primary categories
      • Electronic Funds Transfer (EFT)
      • Electronic Benefits Transfers (EBT)
      • Electronic Data Interchange (EDI)
      • Electronic Trade Confirmations (ETC)
  • Additionally, the communications channels used
    for E-Finance have grown
      • Home PCs
      • E-Banking
      • Phones and PDAs

7
Growth of E-Finance has been tremendous
  • E-Finance accounts for over 2 trillion a day
  • Percentage of banking online has risen from 5% to
    50% in 5 years
  • Number of connected countries and individuals has
    exploded globally
  • Internet availability in developing countries
  • 90% penetration of mobile phone markets
  • Wireless applications for daily business
  • Proliferation of e-credit mechanisms

8
The Risks to Electronic Finance
9
Risks to E-Finance have also grown explosively
  • Sheer number of global internet users has
    created a "wild west" for conducting business
  • "Open" nature of the Internet now its biggest
    flaw
  • Tremendous growth in the technology to create
    financial havoc
  • Data and records theft that used to take days can
    be reduced to minutes
  • Lack of appreciation of how accessible data can
    really be
  • What is your risk?

10
Primary types of threats
  • Electronic Fraud
  • Identity theft
  • Access manipulation
  • Security Breaches
  • Hacking
  • Viruses and "spy-ware"

11
Legal and Policy framework for Information
Security
12
Policy and Law are the first step to limiting
risk
  • Legal framework
      • Countries and organizations have been active in
        developing the legal framework needed to
        prosecute electronic crime
      • OECD
      • UN
      • OAS
  • Most importantly, efforts are made to enforce the
    laws once created

13
Policy and Law are the first step to limiting
risk (cont'd)
  • Policy requirements
      • Organizations must have an adequate policy
        framework to enforce good security
      • Policies are clearly understood and enforced and
        based on applicable law
  • What should an information security policy
    framework look like?

14
ISO 27001: The framework for an Information
Security Management System (ISMS)
15
ISO/IEC 27001:2005 - Specification
  • Specifies requirements for establishing,
    implementing, and documenting Information
    Security Management Systems (ISMS)
  • Specifies requirements for security controls to
    be implemented according to the needs of
    individual organizations
  • Consists of 11 control sections, 39 control
    objectives, and 133 controls
  • Is aligned with ISO/IEC 17799:2005

Source: BSI America
16
Development of ISO/IEC 27000 "family" of
standards
Source: BSI America
17
Key considerations for ISO/IEC 27001:2005
  • Integrates IT security policy and procedures with
    existing organization practices
  • Implements a means for continuous compliance and
    improvement
  • Reinforces IT security as part of good corporate
    governance
  • Built on internationally accepted standards
  • Implementation of OECD principles for privacy
    and security

18
Harmonization example
Image courtesy of BSI America
19
Growing Acceptance
Source: http://www.xisec.com/
20
Registration of ISMS
Organizations are registered (or certificated) by
a Registration Body in accordance with the
requirements of a scheme such as exists for ISO
9001, ISO 14001, or ISO/IEC 27001. Registration
Bodies (and in some instances auditors) are
accredited by a recognized body (e.g., UKAS,
IRCA, ANAB) to conduct assessment and
certification to a recognized scheme.
21
Government Benefits of an ISMS
  • Helps build a positive image for government
    agencies, as well as reinforce a country's
    political and financial status in the world
    market
  • Provides satisfaction and confidence that
    citizens' information security requirements are
    being met and privacy is being protected
  • Reduces liability and risk due to implemented or
    enforced policies and procedures (due diligence)
  • Gains improvements in process efficiency and the
    management of security costs

22
What steps are necessary to implement an ISMS?
  • An organizational investment
  • Requires "buy-in" from all members of the
    organization
  • Must be implemented alongside existing risk
    management efforts
  • Make sure you understand legal issues as well as
    technical

23
Questions to ask of your ISMS
  • Has your scope been defined?
  • Who should be involved in developing and
    maintaining our ISMS?
  • Cannot be assigned like another IT project
  • Do IT Security plans exist for all agencies, and
    are they tested in any format?
  • Have proper resources been allocated?

24
Questions? Thank You!
James A. St. Clair, CISM, Senior Manager, Global
Public Sector, Grant Thornton LLP
T 703.637.3078 F 703.837.4455 C 703.727.6332
E Jim.StClair_at_gt.com