INFORMATION SECURITY MANAGEMENT SYSTEM



IDEA BEHIND THE AUDIT

Security audits are an essential component of an organization's security strategy. Beyond security itself, they enable staff to meet regulatory requirements, validate that existing controls protect business functions, and determine when new controls are required. Unlike an audit in which the auditor uses a checklist and pen to determine compliance, a security audit requires an understanding of the organization's business functions and objectives, so that the auditor can dig deep within systems and networks. According to the Information Systems Audit and Control Association, in a security audit approach auditors do not rely on security alone; they also rely on internal and operational controls and on knowledge of the company or the business. Thus, a security-based audit provides a more thorough assessment of security risks and enables managers to make informed decisions based on their risk appetites. Aligning enterprise IT decisions and practices with the level of acceptable risk in an organization is the driver for beginning a security audit.



SECURITY PERIMETER

The security perimeter is both a conceptual and physical boundary within which your security audit will focus, and outside of which your audit will ignore. You ultimately decide for yourself what your security perimeter is, but a general rule of thumb is that the security perimeter should be the smallest boundary that contains the assets that you own and/or need to control for your own company's security.



NECESSARY EVIL

The security audit is a practice that could best be filed under the "necessary evil" category. While no business owner, executive or IT manager relishes the thought of enduring an end-to-end security examination, it's generally understood that an audit is the best and only way to fully ensure that all of a business's security technologies and practices are performing in accordance with established specifications and requirements.




A BOON FOR THE ORGANIZATION

Security audits are typically conducted for the purposes of business-information security, risk management and regulatory compliance. If performed correctly, a security audit can reveal weaknesses in technologies, practices, employees and other key areas. The process can also help companies save money by finding more efficient ways to protect IT hardware and software, as well as by enabling businesses to get a better handle on the application and use of security technologies and processes. As bothersome as security audits are, business owners, executives and IT managers who truly understand them realize that periodic examinations can actually help ensure that security strategies are in sync with overall business activities and goals.


AFTERMATH AND FOLLOW-UP

Shortly after the audit concludes, the auditors will usually brief a company's owners, executives and managers on what they've discovered and whether any immediate remedial action is necessary. A few days or weeks later, the auditors usually issue a formal report. Stakeholders can use both the meeting and the report as opportunities to gain insight into their security practices and make improvements. While a security audit is usually a specific event, IT security is an ongoing process. As a business designs, deploys and maintains its security policies, technologies and practices, it should strive to maintain a constant state of preparedness that will allow it to pass a security audit at any given moment.


TOOLBOX FOR SECURITY AUDIT

Security review and security audit are essential tasks for all organizations; they are nothing less than the protection of critical assets. However, with the growing complexity of IT infrastructure and the diverse range of platforms, this can be extremely difficult. Have you really got the expertise in-house to fully review your various systems? What level of assurance do you have that you have not missed something, however knowledgeable your staff? How thorough is your audit or review in reality? To help address these concerns, and for simple cost effectiveness, more and more organizations are now employing toolkits as the basis of their reviews. Our Security Audit Toolbox has brought together a collection of the most widely used and most trusted audit toolkits. For convenience, these can all be downloaded on purchase.



BENEFITS OF COMPLIANCE


  • Improved effectiveness of Information Security
  • Market differentiation
  • Provides confidence to trading partners, stakeholders, and customers (certification demonstrates 'due diligence')
  • The only standard with global acceptance
  • Potential lower rates on insurance premiums
  • Compliance with mandates and laws (e.g., Data Protection Act, Communications Protection Act)
  • Reduced liability due to unimplemented or unenforced policies and procedures
  • Senior management takes ownership of Information Security
  • Standard covers IT as well as organization, personnel, and facilities
  • Focused staff responsibilities
  • Independent review of the Information Security Management System
  • Better awareness of security
  • Combined resources with other management systems (e.g., QMS)
  • Mechanism for measuring the success of the security controls


CRITICAL SUCCESS FACTORS


  • Security policy that reflects business objectives.
  • Implementation approach consistent with company culture.
  • Visible support and commitment from management.
  • Good understanding of security requirements, risk assessment and risk management.
  • Effective marketing of security to all managers and employees.
  • Providing appropriate training and education.
  • A comprehensive and balanced system of measurement which is used to evaluate performance in information security management and to feed back suggestions for improvement.
  • Use of an automated Security Policy Management tool.


CONTROL OBJECTIVES AND CONTROLS IN ISO 27001

The following are the minimum control objectives and controls in ISO 27001, and they align directly with those in ISO 17799. Minimally, these objectives and controls shall be a part of the ISMS. Additional objectives and controls may be necessary, depending on the organization's requirements.




PREPARING FOR CERTIFICATION

The steps involved in preparing for ISO 27001 certification are:

  • A business case is developed: Before embarking on the certification trail, organizations must carefully evaluate the costs and benefits of having it. If the overhead of obtaining the certification outweighs the potential benefits to the organization, then it may not make sense to go after it, though using the standard as a framework can still be valuable.
  • Management is forced to take an active role: The requirements of this standard not only make management accountable, but also ensure that they stay involved in the risk management process. If an organization creates controls that are not enforced, or performs a risk assessment without properly responding, management will be held liable. Hence, management should help create realistic controls and make sure that risk assessments are addressed in a timely fashion.

  • The security scope is carefully defined: The scope should identify not only the exclusions, but also the inclusions. ISO 27001 provides the controls required to address generic information security risks. It may not contain controls that address all of the threats faced by your organization; only a careful risk assessment can identify these inclusions. Conversely, not all controls may apply to an organization. It's important, however, to determine each guideline's applicability and document what is left behind.
  • Measurement metrics are defined: The standard mandates the development and maintenance of information security controls, but appropriate measurements for each control are what make these controls effective. The remote access policy, for example, may stipulate that no remote administration will be performed for critical systems, but it's important to translate the policy into quantifiable metrics: How many people tried to access critical systems? How many succeeded? Were there any exceptions granted? What percentage of remote access users have access to these systems?
  • A realistic certification timeline is set: Getting certified as quickly as possible should not be the goal. A certification plan should be developed based on the company's culture and maturity. Organizations should initially define a narrow scope and expand to other areas of the organization over time.
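As an added illustration (not part of the original page), the script below turns the remote access policy from the "measurement metrics" step into the four quantifiable metrics the text asks for, computed over constructed audit log lines. The log line format, the critical-system inventory and the approved exception list are all assumptions made for the example.

```python
# Added example: computing remote-access policy metrics from audit logs.
# Log format, CRITICAL_SYSTEMS and EXCEPTIONS are hypothetical assumptions.
import re

CRITICAL_SYSTEMS = {"db-prod-01", "ad-dc-01"}   # assumed asset inventory
EXCEPTIONS = {"bob"}                            # assumed approved exception list

# Constructed sample remote-access log (hypothetical key=value format)
SAMPLE_LOG = """\
2024-01-05T08:01:00Z user=alice src=10.8.0.12 target=db-prod-01 result=success
2024-01-05T08:03:00Z user=carol src=10.8.0.15 target=web-01 result=success
2024-01-05T08:04:00Z user=mallory src=10.8.0.20 target=ad-dc-01 result=failure
2024-01-05T08:05:00Z user=bob src=10.8.0.31 target=db-prod-01 result=success
2024-01-05T08:06:00Z user=mallory src=10.8.0.20 target=ad-dc-01 result=failure
2024-01-05T08:07:00Z user=dave src=10.8.0.40 target=web-01 result=success
"""

LINE_RE = re.compile(
    r"user=(?P<user>\S+) src=(?P<src>\S+) target=(?P<target>\S+) result=(?P<result>\S+)"
)


def parse(log_text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.search, log_text.splitlines()) if m]


def remote_access_metrics(events, critical=CRITICAL_SYSTEMS, exceptions=EXCEPTIONS):
    """Answer the four questions from the text, plus who violated the policy."""
    attempts = [e for e in events if e["target"] in critical]
    successes = [e for e in attempts if e["result"] == "success"]
    # An exception counts as "granted" only when an approved user actually used it.
    granted = sorted({e["user"] for e in successes if e["user"] in exceptions})
    violations = sorted({e["user"] for e in successes if e["user"] not in exceptions})
    all_users = {e["user"] for e in events}
    # Access is inferred from successful logins; a real ISMS would also use entitlement data.
    with_critical = {e["user"] for e in successes}
    pct = 100.0 * len(with_critical) / len(all_users) if all_users else 0.0
    return {
        "attempts_on_critical": len(attempts),
        "successes_on_critical": len(successes),
        "exceptions_granted": granted,
        "policy_violations": violations,
        "pct_remote_users_with_critical_access": round(pct, 1),
    }


if __name__ == "__main__":
    for key, value in remote_access_metrics(parse(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The `policy_violations` list is the finding an auditor would raise: a successful remote login to a critical system by a user with no recorded exception.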


SYSTEM ADMINISTRATION

This consists of 4 key steps:

  • Establish Effective Security Configurations 
  • Maintain Software
  • Detect Security Breaches
  • Respond Intelligently to Incidents



DETECT SECURITY BREACHES

  • Quick response to a security breach (or a lapse in security) is most valuable and economical.
  • Intrusion detection systems (IDS) can be set up to check for such breaches.
  • Total cost of acquisition, tuning and management can be high.
  • But cost of undetected & uncontrolled penetration can be much higher.





ASSET PROTECTION

The protection of assets can be broken down into two parts:


1. Approving security changes.
2. Monitoring the security of the network.


FRAMEWORK 1 : DEFENSE IN DEPTH (DID)


  • Defense in depth is the concept of protecting a computer network with a series of defensive mechanisms such that if one mechanism fails, another will already be in place to thwart an attack.
  • It is originally a military strategy which seeks to delay rather than prevent the advance of an attacker, buying time by yielding space.
  • In terms of computer network defense, defense in depth measures should not only prevent security breaches, but buy an organization time to detect and respond to an attack, therefore reducing and mitigating the breach's impact.
  • For example, to protect against an unskilled hacker or against somebody who does not have much knowledge about the organization's networks, the first layer of defense would be a firewall. Firewalls can be extremely effective, but at the same time they cannot be relied on as the only means of securing a network perimeter. Network-based intrusion detection systems (IDS) can provide the other layer of perimeter defense. A network-based IDS can identify attacks that could otherwise go undetected, will sometimes take defensive measures such as interacting with the firewall to stop certain traffic, alert an administrator of a problem, and can help identify the vulnerability that was exploited in the event of a successful attack.


FRAMEWORK 2 : OCTAVE

OCTAVE stands for Operationally Critical Threat, Asset and Vulnerability Evaluation.

  • Developed and launched in 2001
  • Currently used by the US military and a growing number of larger organisations
  • Concept of OCTAVE: OCTAVE is a risk-based strategic assessment and planning technique for security. OCTAVE is self-directed, meaning that people from an organization assume responsibility for setting the organization's security strategy.
  • OCTAVE is targeted at organizational risk and focused on strategic, practice-related issues.
  • When applying OCTAVE, a small team of people from the operational (or business) units and the information technology (IT) department work together to address the security needs of the organization, balancing the three key aspects of operational risk, security practices, and technology.
  • While OCTAVE is meant for large organizations, a second process, OCTAVE-S, was developed and tested for small organizations, ranging from 20 to 80 people. It is designed for organizations that can empower a team of three to five people to conduct all evaluation activities, without the need for formal data-gathering activities.

