7/29/2019 Information Security Challenges in Emerging Market
1/26
Thursday, March 11, 2010 ISACA Kenya Chapter Presentation
Information Security Challenges in Emerging Markets
What, Why & How
Presented by Daniel Udochi
CISA, CISM, Certified QA Lead Auditor
AGENDA
Information Security: Introduction & Overview
Information Security Management: The Challenge
ISO 27001: Background & Overview
Implementing an ISMS Based on ISO 27001
Critical Success Factors (CSFs)
Basic Definitions
Information - a meaningful collection of data (facts, ideas, etc.) about a particular subject.
Security - assurance that something of value (an asset) is protected against loss, attack or harm.
Information Security - the use of a suitable set of controls to provide assurance for the continued attainment of the specific security objectives associated with an organization's information assets.
IS Audit - an independent process of collecting and evaluating evidence to assess the current (and continued) effectiveness or otherwise of information security controls.
Information Security - Objective
Preservation of Confidentiality, Integrity and Availability of information assets.
Confidentiality: ensuring that information is accessible only to those authorized to have access.
Integrity: safeguarding the accuracy and completeness of information and processing methods.
Availability: ensuring that authorized users have access to information and associated assets as & when required.
In addition to these cardinal properties are Authenticity, Accountability, Non-repudiation and Reliability.
Information Security - Scope
All forms of information: hard copy (paper), electronic, audio, video, etc.
Information storage & retrieval: manual and electronic archiving systems
Information processing: computers, manual clerk processing etc.
Information transmission: LAN, WAN, Internet etc.
Supporting facilities and infrastructure: buildings, processes, people etc.
A Challenge for Emerging Markets?
"When I took office, only high energy physicists had ever heard of what is called the World Wide Web... Now even my cat has its own page." - Bill Clinton, 42nd US President (1993 - 2001)
Rapidly changing and ever increasing convergence of technologies
Phenomenal growth rate and expansion of the internet and the myriad of available services
High adoption rate of new technologies by previously technology-shy nations in the emerging markets of the developing world in order to leverage new opportunities
Diverse and ever-increasing spectrum of threats to information and associated assets.
Pervasive nature of information systems and services leading to increased vulnerability to security threats.
The Chinese word for Risk is symbolized by two characters: Opportunity & Danger
Extra! Extra! Read All About It
"Global Village", once a vision of Marshall McLuhan (1911 - 1980), is now reality! - same global risks, poor awareness & readiness levels
Information Security - How?
Establish Security Requirements: Risk Assessment; legal, statutory, regulatory and contractual requirements; internal set of principles, objectives and requirements for information processing.
Select Suitable Controls: best practices; Information Security Management Models (ISO 27001, COBIT, ITIL, SSE-CMM etc.)
Implement Controls
Monitoring & Feedback: Control Assessment; Risk Management
Improve!
Information Security - How? (ISMS model)
Management Commitment (at all levels)
Risk & Vulnerability Assessment
Information Security Mgt. System: Security Policy; Technology Strategy & Usage; Business Initiatives & Processes
Enforcement Processes; Monitoring Processes; Recovery Processes
Admin & End User Guidelines & Procedures
Security Model
Security Architecture & Technical Standards
ISO 27001 Background
BS7799 created in 1999 by the British Standards Institute (BSI) as a two-part document: IS Standard & IS Certification scheme.
Standards adopted by ISO and converted into ISO 27001
Standard for Information Security Management
Postulates a Risk Assessment approach as a basis for establishing required controls.
Uses the Deming Plan-Do-Check-Act approach to ISMS implementation and operation.
ISO 27001 Overview
Security Policy
Organizing Information Security
Asset Management
Human Resources Security
Physical and Environmental Security
Communications and Operations Mgt.
Access Control
Information Systems Acquisition, Development & Maintenance
Information Security Incident Mgt.
Business Continuity Management
Compliance
Control Objectives specify what needs to be achieved, while controls are the recommended actions to achieve the objective.
Security Policy
Key Requirements
Information security policy document
Policy review & authorization procedure
Policy evaluation criteria
Deliverables
Policy communication & awareness
Objective
To provide management direction and support for information security and demonstrate management commitment to information security.
Organizing Information Security
Key Requirements
Management information security forum
Information security coordination
Defined information security roles & responsibilities
Authorization process for info. processing facilities
Specialist Services
Deliverables
IS methodologies and processes e.g. risk assessment
Info Sec. incident review & corrective actions
Enterprise-wide information security visibility &
awareness
Objective
To establish the management structure/framework for the initiation, maintenance and control of information security within the organization.
Asset Management
Key Requirements
Accountability of Information Assets
Information Classification
Deliverables
Information Asset Inventory
Nominated owner for key information assets
Information Classification scheme/guideline
Objective
To ensure that major organizational information assets are accounted for and protected as appropriate.
HR Security
Key Requirements
Security in job definition & sourcing
User training
Security incident response
Deliverables
Defined roles and responsibilities for security
Formal verification process and checklists
Confidentiality / Non-disclosure agreements
User training records
Incident reporting & Disciplinary procedures
Objective
To reduce the risks of human error, theft, fraud or misuse of organizational facilities by addressing security responsibilities at recruitment and throughout an individual's employment.
Physical & Environmental Security
Key Requirements
Secure Areas
Equipment Security
General Controls
Deliverables
Effective & adequate physical security & controls
IPF location based on security requirements
Formal maintenance procedure & records
Off-site and equipment disposal procedures
Clear desk/Screen Policy
Objective
To prevent unauthorized access, damage and interference to business premises and information by ensuring that sensitive information processing facilities (IPFs) are housed in secure and adequately protected areas.
Physical Security - Relevance
Product advertisement reproduced on the slide:
Installs in a few seconds
Doesn't need batteries
Impossible to detect or disable with software
Stores up to 2,000,000 keystrokes; can be stored with 128-bit encryption
Works on all operating systems
Prices from only $139
Comm. & Operational Management
Key Requirements
Operational procedures & responsibilities
System planning & acceptance
Protection against malicious software
Housekeeping
Network management
Media handling & security
Information & software exchange
Deliverables
Change mgt & capacity monitoring processes
Antivirus monitoring and control processes
Adequate segregation of duties
Acceptable Use policy
Objective
To ensure the correct & secure operation of IPFs by defining responsibilities and procedures for the mgt & ops of the facilities.
Access Control
Key Requirements
Defined business requirement for access control
User access management
Procedures & Responsibilities
Network Access Control
Operating System Access Control
Application Access Control
Monitoring System Access & Use
Mobile Computing & Teleworking
Deliverables
Access control policy & password management guide
Access management processes: review, authorization etc.
Objective
To control access to information & business processes on the basis of business and security requirements.
System Acquisition, Dev. & Maint.
Key Requirements
Defined security requirements for systems & applications
Input, processing & output controls
Program library controls
Change mgt & control
Deliverables
System impact/risk assessment prior to implementation
Change authorization procedures
Documented control requirements and control assessment processes
Objective
To ensure that security is built into information systems by identifying & agreeing security requirements prior to development of information systems.
Information Security Incident Mgt.
Key Requirements
Formal information security event reporting, response and escalation procedures.
Single point of contact for all incident reporting
Clear R&R defined for staff and vendor personnel
Routine assessment/review of IS Incident processes and procedures
Objective
To ensure info security events and weaknesses are communicated and managed in a consistent and effective manner allowing timely corrective action to be taken.
Business Continuity Management
Key Requirements
Formal impact analysis and BC Plan
Documented test scenarios and associated success criteria
On-going BCP review and maintenance
Deliverables
BC Plan and maintenance schedule
Test procedures and associated success criteria
BCP change management & authorization schedule
Objective
To counteract interruptions to business activities and protect critical processes from the effects of major failures or disasters.
Compliance
Key Requirements
Schedule of applicable legal, statutory, regulatory or contractual obligations.
Formal IPR management processes.
Data protection and privacy controls
Routine assessment/audit of compliance with Security policies
Deliverables
Infosec assessment/audit procedures & reports
IPR and data privacy protection procedures
Change mgt. & control procedures
Objective
To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements.
Documented System Overview
The basic hierarchy structure of a documented system:
Policy: pervasive rule that sets the overriding tone for all activities of a function or group of functions in the organization.
Procedure: logical sequence of activities required to achieve a defined goal/objective. Basically describes the Who, What, How.
Work Instructions: detailed and comprehensive (almost elementary) step-by-step instruction for achieving specific tasks within the procedure.
Quality (Work) Records: records produced in the course of daily business operations that show compliance with Policy, Procedure/Work Instructions.
Critical Success Factors
Security policy, objectives & activities that are in sync with business objectives;
an approach to implementing security that is consistent with the organizational culture;
visible support and commitment from management;
a good understanding of the security requirements, risk assessment and risk management;
effective marketing of security to all managers and employees;
distribution of guidance on information security policy and standards to all employees and contractors;
providing appropriate training and education;
a comprehensive and balanced system of measurement which is used to evaluate performance in information security management and feed back suggestions for improvement.
Daniel Udochi, Zain Africa
Regional Manager, Revenue Assurance & Fraud Management
Copyright Daniel Udochi 2010
All Rights Reserved. No part of this document may be reproduced without written consent from the author.