Information Security Management - PowerPoint PPT Presentation
Provided by: Rebecca314

Transcript and Presenter's Notes

1
Security Management
Information Security Management: Management System Requirements, Code of Practice for Controls, and Risk Management
Supervision: Assistant Professor Dr. Sanaa Wafa Al-Sayegh
Tamer abo lehia
ITGD 2202
2
Background of ISMS Standards
  • Information Security Management System (ISMS)
    standards have been produced to help
    organisations come up with cost-effective answers
    to questions like:
      • Why does the same type of information security
        problem come up again and again?
      • Why does the IT department keep asking for more
        and more money to solve information security
        problems (that don't go away)?
      • How can we do information security well when IT
        is core to our business, but not our core
        business?
  • Origins in UK business in the 1990s, pooling
    knowledge of best practice
  • Initial focus on controls (now published as
    ISO/IEC 17799:2005)
  • Enhanced with a management decision-making
    framework (now published as ISO/IEC 27001:2005)
  • Recently internationalised and updated by ISO/IEC

STANDARDS AUSTRALIA SECURITY FORUM
3
Organisations involved in the development of the
ISMS Standards
  • Nationally
      • Large corporates (e.g. ANZ, Shell, Bluescope,
        Telstra)
      • Information and IT security specialists (e.g.
        Witham Labs, Pacific Research, Fujitsu,
        Megaprime)
  • Internationally
      • Representatives from large corporates in the IT
        and other sectors, information security
        specialists from specialist business and
        government organisations
      • Australia, Austria, Belgium, Brazil, Canada,
        China, Czech Republic, Denmark, Finland, France,
        Germany, India, Italy, Japan, Kenya, Luxembourg,
        Malaysia, New Zealand, Netherlands, Norway,
        Poland, Russia, Singapore, Spain, South Africa,
        South Korea, Sri Lanka, Sweden, Switzerland, UK,
        Ukraine, USA

4
The target audience and the value the ISMS
Standards bring to the market
  • These standards are relevant to any organisation
    reliant on information and IT:
      • Large corporates
      • SMEs
      • Government agencies
  • Focus is on organisations that can't justify a
    staff of information security specialists
  • Value is provided by making pooled, peer-reviewed
    best practices for the management and
    implementation of an information security
    programme available to all at a modest cost

5
Objectives of the Standards
The ISMS standards specify a framework for
organisations to manage information security
aspects of their business, and if necessary to
demonstrate to other parties (e.g. business
partners, auditors, customers, suppliers) their
ability to manage information security.
6
Key Elements / Scope of the ISMS Standards
  • ISO/IEC 27001 Information Security Management
    Systems - Requirements is the foundational
    standard; it is applicable to all types of
    organisation and all sectors of the economy.
  • It specifies a risk-based management system that
    is designed to ensure that organisations select
    and operate adequate and proportionate (i.e.
    cost-effective) security controls to protect
    information assets.
  • It uses the plan-do-check-act (improve) model
    also used in environmental and quality management
    standards.
  • It is specified to allow implementation
    integrated within broader management systems.
  • The standard shows how its requirements relate to
    the OECD Guidelines for the Security of
    Information Systems and Networks.

7
Content of the ISMS Standards
  • Foundations (ISO/IEC 27001)
      • Establishing, implementing, operating, maintaining
        and improving an ISMS
      • Documentation requirements
      • Management responsibilities
      • Internal audits and management reviews
  • Supporting Standards
      • ISO/IEC 27000 - ISMS fundamentals and vocabulary
        (under development)
      • ISO/IEC 27002 - Code of practice for information
        security management (controls)
        (ISO/IEC 17799, to be renumbered next year)
      • ISO/IEC 27003 - ISMS implementation guide (under
        development)
      • ISO/IEC 27004 - Measurement and metrics (under
        development)
      • ISO/IEC 27005 - Risk management (under
        development)
      • ISO/IEC 27006 - Requirements for the
        accreditation of bodies providing
        certification of ISMS (under development)

8
ISMS - the tip of the iceberg
  • There are also generally applicable ISO/IEC
    and/or Australian/NZ Standards covering:
      • Digital signatures
      • Encryption (algorithms, modes of operation, key
        management)
      • Entity authentication
      • Hash functions
      • Intrusion detection
      • IT evidence collection
      • Message authentication codes
      • Network security
      • Non-repudiation
      • Prime numbers
      • Random numbers
      • Security evaluation of products
      • Security incident management
      • Time-stamping
      • Trusted third party services

9
Call to action
Poor information security outcomes are commonly
the result of poor management, not poor
technical controls.
  • The 27000 series of ISMS Standards tackles the
    information security problems we face from the
    management perspective.
  • It is not easy, but it is best practice and it
    works.