Information Security Challenges in Emerging Market


  • 7/29/2019 Information Security Challenges in Emerging Market

    1/26

    Thursday, March 11, 2010 ISACA Kenya Chapter Presentation

    Information Security Challenges in Emerging Markets

    What, Why & How

    Presented by Daniel Udochi

    CISA, CISM, Certified QA Lead Auditor

  • AGENDA

    Information Security: Introduction & Overview

    Information Security Management: The Challenge

    ISO 27001: Background & Overview

    Implementing an ISMS Based on ISO 27001

    CSFs (Critical Success Factors)

  • Basic Definitions

    Information - A meaningful collection of data (facts, ideas, etc.) about a particular subject

    Security - Assurance that something of value (an asset) is protected against loss, attack or harm

    Information Security - refers to the use of a suitable set of controls to provide assurance for the continued attainment of the specific security objectives associated with an organization's information assets.

    IS Audit - an independent process of collecting and evaluating evidence to assess the current (and continued) effectiveness or otherwise of information security controls.

  • Information Security - Objective

    Preservation of Confidentiality, Integrity and Availability of information assets.

    [Diagram: Confidentiality, Integrity and Availability shown as the three sides of Information Security]

    Confidentiality: ensuring that information is accessible only to those authorized to have access

    Integrity: safeguarding the accuracy and completeness of information and processing methods

    Availability: ensuring that authorized users have access to information and associated assets as & when required.

    In addition to these cardinal properties are Authenticity, Accountability, Non-repudiation and Reliability

  • Information Security - Scope

    All forms of information: hard copy (paper), electronic, audio, video, etc.

    Information storage & retrieval: manual and electronic archiving systems

    Information processing: computers, manual clerk processing, etc.

    Information transmission: LAN, WAN, Internet, etc.

    Supporting facilities and infrastructure: buildings, processes, people, etc.

  • A Challenge for Emerging Markets?

    "When I took office, only high energy physicists had ever heard of what is called the World Wide Web... Now even my cat has its own page" - Bill Clinton, 42nd US President (1993 - 2001)

    Rapidly changing and ever increasing convergence of technologies

    Phenomenal growth rate and expansion of the internet and the myriad of available services

    High adoption rate of new technologies by previously technology-shy nations in the emerging markets of the developing world in order to leverage new opportunities

    Diverse and ever-increasing spectrum of threats to information and associated assets.

    Pervasive nature of information systems and services leading to increased vulnerability to security threats.

    The Chinese word for Risk is symbolized by two characters: Opportunity & Danger

  • Extra! Extra! Read All About It

    "Global Village", once a vision of Marshall McLuhan (1911 - 1980), is now reality! - same global risks, poor awareness & readiness levels

  • Information Security - How?

    Establish Security Requirements: Risk Assessment; Legal, statutory, regulatory and contractual requirements; Internal set of principles, objectives and requirements for information processing.

    Select Suitable Controls: Best Practices; Information Security Management Models (ISO 27001, COBIT, ITIL, SSE-CMM etc.)

    Implement Controls -> Control Monitoring & Feedback -> Control Assessment -> Risk Management -> Improve!

  • Information Security - How? (ISMS components)

    [Diagram: Information Security Management System, resting on Management Commitment (at all levels) and comprising the following elements:]

    Risk & Vulnerability Assessment

    Security Policy

    Technology Strategy & Usage

    Business Initiatives & Processes

    Enforcement Processes

    Monitoring Processes

    Recovery Processes

    Admin & End User Guidelines & Procedures

    Security Model

    Security Architecture & Technical Standards

  • ISO 27001 Background

    BS 7799 created in 1999 by the British Standards Institute (BSI) as a two-part document: IS Standard & IS Certification scheme.

    Standards adopted by ISO and converted into ISO 27001, the Standard for Information Security Management

    Postulates a Risk Assessment approach as a basis for establishing required controls.

    Uses the Deming Plan-Do-Check-Act approach to ISMS implementation and operation.

  • ISO 27001 Overview

    Control domains:

    Security Policy

    Organizing Information Security

    Asset Management

    Human Resources Security

    Physical and Environmental Security

    Communications and Operations Mgt.

    Access Control

    Information Systems Acquisition, Development & Maintenance

    Information Security Incident Mgt.

    Business Continuity Management

    Compliance

    Control Objectives specify what needs to be achieved, while controls are the recommended actions to achieve the Objective

  • Security Policy

    Key Requirements:
    Information security policy document
    Policy review & authorization procedure
    Policy evaluation criteria

    Deliverables:
    Policy communication & awareness

    Objective: To provide management direction and support for information security and demonstrate management commitment to information security.

  • Organizing Information Security

    Key Requirements:
    Management information security forum
    Information security coordination
    Defined information security roles & responsibilities
    Authorization process for info. processing facilities
    Specialist services

    Deliverables:
    IS methodologies and processes, e.g. risk assessment
    Info Sec. incident review & corrective actions
    Enterprise-wide information security visibility & awareness

    Objective: To establish the management structure/framework for the initiation, maintenance and control of information security within the organization.

  • Asset Management

    Key Requirements:
    Accountability of Information Assets
    Information Classification

    Deliverables:
    Information Asset Inventory
    Nominated owner for key information assets
    Information Classification scheme/guideline

    Objective: To ensure that major organizational information assets are accounted for and protected as appropriate.
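    The deck's "How?" slide and the ISO 27001 background slide describe a risk-assessment approach as the basis for selecting controls, and this slide asks for an asset inventory with nominated owners and a classification scheme. The following is an added example, not code from the presentation or from any ISO 27001 tooling: it builds a small risk register over a constructed asset inventory, scores each threat as likelihood x impact on a constructed 1-5 scale, flags risks above a constructed risk-appetite threshold, maps them to controls from a constructed catalogue whose domain names follow the deck's ISO 27001 domains, and reports assets that lack an owner or a valid classification. The scales, the threshold, the catalogue and all sample data are assumptions made for illustration.

```python
"""Risk-assessment-driven control selection over an asset inventory.
Added example, not from the presentation: all assets, threats, scales,
the risk appetite and the control catalogue are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Optional

RISK_APPETITE = 10  # constructed threshold: scores above this need a treatment decision
CLASSIFICATION_SCHEME = ("Public", "Internal", "Confidential", "Restricted")  # constructed scheme


@dataclass
class Asset:
    name: str
    owner: Optional[str]           # nominated owner; None models an inventory gap
    classification: Optional[str]  # value from CLASSIFICATION_SCHEME, or None if unclassified


@dataclass
class Threat:
    asset: str
    description: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int      # 1 (negligible) .. 5 (severe), constructed scale


@dataclass
class RiskEntry:
    asset: str
    threat: str
    score: int
    above_appetite: bool
    controls: list = field(default_factory=list)


# Constructed catalogue keyed by threat description; domain names follow the
# ISO 27001 control domains listed in the deck.
CONTROL_CATALOGUE = {
    "unauthorised database access": [
        "Access Control: access control policy & periodic user access review",
        "Comm. & Ops Mgt: monitoring of system access & use"],
    "hardware keystroke logger on shared workstation": [
        "Physical & Environmental: secure areas, clear desk/screen policy",
        "HR Security: user awareness training"],
    "ransomware on file server": [
        "Comm. & Ops Mgt: antivirus monitoring and control",
        "Business Continuity: tested BC plan and backups"],
    "loss of paper records in transit": [
        "Comm. & Ops Mgt: media handling & security procedures"],
}


def inventory_gaps(assets):
    """Asset-management check: every key asset needs a nominated owner and a valid classification."""
    gaps = []
    for a in assets:
        if a.owner is None:
            gaps.append(f"{a.name}: no nominated owner")
        if a.classification not in CLASSIFICATION_SCHEME:
            gaps.append(f"{a.name}: classification missing or not in scheme")
    return gaps


def assess(assets, threats, appetite=RISK_APPETITE):
    """Build a risk register (highest score first) and attach catalogue controls to risks above appetite."""
    known = {a.name for a in assets}
    register = []
    for t in threats:
        if t.asset not in known:
            raise ValueError(f"threat refers to unknown asset {t.asset!r}; update the inventory first")
        if not (1 <= t.likelihood <= 5 and 1 <= t.impact <= 5):
            raise ValueError("likelihood and impact must be on the 1-5 scale")
        score = t.likelihood * t.impact
        entry = RiskEntry(t.asset, t.description, score, score > appetite)
        if entry.above_appetite:
            # No catalogue match still needs an explicit treatment decision, so say so.
            entry.controls = CONTROL_CATALOGUE.get(
                t.description, ["(no catalogue control: treat by avoidance, transfer or acceptance)"])
        register.append(entry)
    return sorted(register, key=lambda e: e.score, reverse=True)


# Constructed sample inventory and threat list.
SAMPLE_ASSETS = [
    Asset("customer database", "Head of Billing", "Confidential"),
    Asset("shared branch workstation", "Branch IT", "Internal"),
    Asset("file server", None, "Internal"),            # gap: no owner
    Asset("archived paper contracts", "Legal", None),  # gap: unclassified
]
SAMPLE_THREATS = [
    Threat("customer database", "unauthorised database access", 3, 5),
    Threat("shared branch workstation", "hardware keystroke logger on shared workstation", 2, 4),
    Threat("file server", "ransomware on file server", 4, 4),
    Threat("archived paper contracts", "loss of paper records in transit", 2, 2),
]

if __name__ == "__main__":
    for gap in inventory_gaps(SAMPLE_ASSETS):
        print("inventory gap:", gap)
    for e in assess(SAMPLE_ASSETS, SAMPLE_THREATS):
        print(f"{e.score:2d} {'TREAT' if e.above_appetite else 'accept':6s} {e.asset}: {e.threat}")
        for c in e.controls:
            print("      ->", c)
```

    Running the script lists the two inventory gaps first and then the register with the ransomware and database risks marked for treatment; the register refuses threats against assets that are not in the inventory, which is the practical reason the deck lists the inventory as a deliverable before any assessment.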

  • HR Security

    Key Requirements:
    Security in job definition & sourcing
    User training
    Security incident response

    Deliverables:
    Defined roles and responsibilities for security
    Formal verification process and checklists
    Confidentiality / Non-disclosure agreements
    User training records
    Incident reporting & disciplinary procedures

    Objective: To reduce the risks of human error, theft, fraud or misuse of organizational facilities by addressing security responsibilities at recruitment and throughout an individual's employment.

  • Physical & Environmental Security

    Key Requirements:
    Secure areas
    Equipment security
    General controls

    Deliverables:
    Effective & adequate physical security & controls
    IPF (information processing facility) location based on security requirements
    Formal maintenance procedure & records
    Off-site and equipment disposal procedures
    Clear desk/screen policy

    Objective: To prevent unauthorized access, damage and interference to business premises and information by ensuring that sensitive IPFs are housed in secure and adequately protected areas.

  • Physical Security - Relevance

    [Slide reproduces a product advertisement for a keystroke-logging device, quoted here as the speaker's illustration of the physical threat:]

    "Installs in a few seconds. Doesn't need batteries. Impossible to detect or disable with software. Stores up to 2,000,000 keystrokes; keystrokes can be stored with 128 bit encryption. Works on all operating systems. Prices from only $139."

  • Comm. & Operational Management

    Key Requirements:
    Operational procedures & responsibilities
    System planning & acceptance
    Information & software exchange
    Protection against malicious software
    Housekeeping
    Network management
    Media handling & security

    Deliverables:
    Change mgt & capacity monitoring processes
    Antivirus monitoring and control processes
    Adequate segregation of duties
    Acceptable Use policy

    Objective: To ensure the correct & secure operation of IPFs by defining responsibilities and procedures for the mgt & ops of the facilities.

  • Access Control

    Key Requirements:
    Defined business requirement for access control
    User access management
    Procedures & responsibilities
    Network access control
    Operating system access control
    Application access control
    Monitoring system access & use
    Mobile computing & teleworking

    Deliverables:
    Access control policy & password management guide
    Access management processes: review, authorization etc.

    Objective: To control access to information & business processes on the basis of business and security requirements.

  • System Acquisition, Dev. & Maint.

    Key Requirements:
    Defined security requirements for systems & applications
    Input, processing & output controls
    Program library controls
    Change mgt & control

    Deliverables:
    System impact/risk assessment prior to implementation
    Change authorization procedures
    Documented control requirements and control assessment processes

    Objective: To ensure that security is built into information systems by identifying & agreeing security requirements prior to development of information systems.

  • Information Security Incident Mgt.

    Key Requirements:
    Formal information security event reporting, response and escalation procedures.
    Single point of contact for all incident reporting
    Clear R&R (roles & responsibilities) defined for staff and vendor personnel
    Routine assessment/review of IS incident processes and procedures

    Objective: To ensure info security events and weaknesses are communicated and managed in a consistent and effective manner, allowing timely corrective action to be taken.

  • Business Continuity Management

    Key Requirements:
    Formal impact analysis and BC Plan
    Documented test scenarios and associated success criteria
    On-going BCP review and maintenance

    Deliverables:
    BC Plan and maintenance schedule
    Test procedures and associated success criteria
    BCP change management & authorization schedule

    Objective: To counteract interruptions to business activities and protect critical processes from the effects of major failures or disasters.

  • Compliance

    Key Requirements:
    Schedule of applicable legal, statutory, regulatory or contractual obligations.
    Formal IPR (intellectual property rights) management processes.
    Data protection and privacy controls
    Routine assessment/audit of compliance with security policies

    Deliverables:
    Infosec assessment/audit procedures & reports
    IPR and data privacy protection procedures
    Change mgt. & control procedures

    Objective: To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements.

  • Documented System Overview

    The basic hierarchy structure of a documented system:

    Policy - Pervasive rule that sets the overriding tone for all activities of a function or group of functions in the organization

    Procedure - Logical sequence of activities required to achieve a defined goal/objective. Basically describes the Who, What, How

    Work Instructions - Detailed and comprehensive (almost elementary) step-by-step instruction for achieving specific tasks within the procedure

    Quality (Work) Records - Records produced in the course of daily business operations that show compliance with Policy, Procedure/Work Instructions

  • Critical Success Factors

    Security policy, objectives & activities that are in sync with business objectives;

    an approach to implementing security that is consistent with the organizational culture;

    visible support and commitment from management;

    a good understanding of the security requirements, risk assessment and risk management;

    effective marketing of security to all managers and employees;

    distribution of guidance on information security policy and standards to all employees and contractors;

    providing appropriate training and education;

    a comprehensive and balanced system of measurement which is used to evaluate performance in information security management and feed back suggestions for improvement.

  • Daniel Udochi, Zain Africa

    Regional Manager, Revenue Assurance & Fraud Management

    [email protected]

    Copyright Daniel Udochi 2010

    All Rights Reserved. No part of this document may be reproduced without written consent from the author