
Information security

daniel.dresner@ncc.co.uk

2005

The National Computing Centre: providing personal and professional development for IT leaders, 2008

You can't undisclose a disclosure

Agenda:

- The National Computing Centre
- The landscape of information security standards
- Introduce a corporate information security programme step-by-step
- Good practice security controls for information management

Plan-Do-Check-Act framework of standards (chart):

- Plan: what to do? How to do it?
- Do: do what was planned
- Check: did it go according to plan?
- Act: how do we do it better next time?

All business or service processes need the ability to go through iterative phases of plan-do-check-act. This chart shows how the top 8 national and international standards (emboldened text) form part of the best practice framework in information technology. This standards framework is the foundation for organisations to accept the technical standards of particular technologies, including those special to vendors.

Standards shown on the chart:

- EFQM Excellence Model
- ISO/IEC 24766 Information technology: guidelines for requirements engineering tool capabilities
- Towards Software Excellence
- Capability Maturity Model
- ISO 9001 Quality management systems
- TickIT
- ISO/IEC 15288 System life cycle processes
- BS 25777 IT service continuity
- ISO 27001 Information security management systems: requirements
- BS 10008 Evidential weight and legal admissibility of electronic information
- ISO 15504 Software process assessment
- ISO/IEC TR 15443-3 Framework for IT security assurance: analysis of assurance methods
- Accredit UK
- Control Objectives for Information and Related Technology (CobIT)
- ISO/IEC 20000 IT service management
- ISO/IEC 25000 Quality characteristics
- ISO/IEC 24762 Guidelines for ICT disaster recovery services
- Data Protection Act 1998
- ISO 18019 Guidelines for the design and preparation of user documentation for application software
- ISO/IEC 12207 Software life cycle processes
- BS ISO/IEC 38500 Corporate governance of information technology
- STARTS (Software Techniques for Reliable, Trusted Systems)
- e-Government Interoperability Framework (e-GIF)
- ISO 27005 Information security: risk management

The National Computing Centre 2009

Gerry O'Neill, CEO, IISP

The National Computing Centre 2008 www.ncc.co.uk

The National Computing Centre Corporate Advisory Service (diagram):

- Services: ITadviser, benchmarks, guidelines, seminars, rapid surveys, RFI service, round tables, bespoke reports, advisory services, legal guidance, best practice, training
- Users: home user, school user, intermediary user, university user, small business user, corporate user, central government user, local government user, research user, national infrastructure user
- Roles: technical consultant, system developer, system analyst, system tester, technical support, human firewall

The National Computing Centre doesn't do escrow!



History (learning lessons)

- 1994: Security Breaches Survey
- 1995: DTI Code of Practice / BS 7799
- 1999: BS 7799 Code of practice for information security (the catalogue of controls)
- 2000: ISO 17799 (aka BS 7799 Part 1): no certificates!
- 2002: BS 7799 Part 2 (Plan-Do-Check-Act): specification for an information security management system
- 2005: ISO 17799 (revised) becomes ISO 27002; 2005: ISO 27001 (aka BS 7799 Part 2)


The landscape of Information Security standards


What they really mean

- ISO 27001 (BS 7799 Part 2): information security management system requirements; plan-do-check-act; like ISO 9001/ISO 20000; certification; benchmark
- ISO 27002 (ISO 17799; BS 7799 Part 1): code of practice; catalogue of 135 controls! Pick and mix using ISO 27001; no certificates!


A taxonomy of treatment (not a wish list)

- Quality policy
- Preventive action
- Customer feedback
- Responsibility, authority and communication
- Measurement
- Resource management
- Product realisation
- Human resources
- Design and development review
- Purchasing




ISO/IEC 27001 in 13 Steps


Project plan

1. Senior management acceptance and endorsement of security
2. Information security organisation and infrastructure
3. High level security policy
4. Staff training and education, creating security awareness
5. Identify and classify the assets
6. Risk assessment
7. Risk treatment plan
8. Security standards document (control measures)
9. Statement of applicability
10. System security plans and procedures
11. Monitor and review the ISMS performance
12. Maintain the ISMS; continuous improvement
13. Extending the scope


(10) System security plans and procedures: the ISMS model (diagram)

1. Scope: what assets are we protecting? Asset ownership?
2. Policy: what is our commitment to security? What level of risk can we accept?
3. Risk assessment: how serious are the threats to our assets? How much risk can we accept for each asset?
4. Security controls: how is risk kept to acceptable levels?
5. Applicability: which assets are protected by which controls?
6. Business continuity: what are the priorities for the business?
7. Processes: how do we do all this? Are we achieving set service level measures?

The feedback loop in the diagram is driven by security incidents, with its arrows labelled invoke, test, update and reappraise; cost is management controlled.

Project plan: the thirteen steps above are delivered within the constraints of time, quality, content and cost.

15.1.3 Protection of organizational records (ISO/IEC 27002:2007)

- Categorise records; manage according to impact level
- Protect against deterioration
- Long term storage: use paper and microfiche (encrypt?!)
- Guide retention, storage media type, handling and disposal to meet business, statutory, regulatory or contractual requirements
- Keep an inventory of sources of key information
- Implement procedures (with/without technology) to protect records and information from loss, destruction and falsification
- Store cryptographic keys and programs to enable decryption
- See ISO 15489-1 . . .

ISMS=RMS

ISMSIT

Final thought

- 2008: the year of lost data (UK)
- 2009: the year of encryption
- 2010: the year of lost encryption keys

Think: retrieval and retention, not loss.

Good security is an enabler.


PAS 77:2006 IT service continuity