ISMS implementation challenges-KASYS

1

ISMS Implementation challenges

Reza Teynia

CEO of KASYS

2

Reza Teynia

• CEO of KASYS

• Master's degree

• Lead Auditor (QMS, ISMS, ITSM, BCM) in PECB, SGS, BV

• More than 20 years of experience

3

The illiterate of the 21st century will not be those who cannot read and write, but those who cannot learn, unlearn, and relearn.

Alvin Toffler

4

Importance of Security

• One third of time spent online at work is non-work-related. Websense-IDC

• 80% of companies reported that employees had abused internet privileges such as downloading pornography. CSI/FBI

• 45% of businesses had reported unauthorized access by insiders. CSI/FBI

• Although there are more than 430 million users of consumer IM at work, only one quarter of companies have a clearly defined policy on the use of IM at work. Silicon.com

• 45% of the executable files downloaded through Kazaa contain malicious code. Trusecure

• 73% of all movie searches on file-sharing networks were for pornography. Palisade Systems

• 70% of porn is downloaded between 9am and 5pm. Sex Tracker

• 37% of at-work internet users in the US had visited an X-rated website from work. ComScore Networks

• 77% of weekly online listening to internet radio takes place between 5 a.m. and 5 p.m. Arbitron

• 44% of corporate employees actively use streaming media. Nielsen NetRating

• Although 99% of companies use antivirus software, 82% of them were hit by viruses and worms. CSI/FBI

5

Top 10 Strategic Technology Trends for 2017 (Gartner)

• Advanced Machine Learning

• Intelligent Apps

• Intelligent Things

• Virtual Reality

• Block chain and Distributed office

• Conversational System

• Mesh App and Service Architecture

• Digital Technology Platforms

• Adaptive Security Architecture

6

Top 10 Technologies for Information Security in 2016 (Gartner)

• Cloud Access Security Brokers

• Endpoint Detection and Response

• Non-signature Approaches for Endpoint Prevention

• User and Entity Behavioral Analytics

• Microsegmentation and Flow Visibility

• Security Testing for DevOps (DevSecOps)

• Intelligence-Driven Security Operations Center Orchestration Solutions

• Deception

• Pervasive Trust Services

7

ISMS Main Objectives

Business Continuity

8

ISO27001 History

9

ISO 27000 family

10

ISO 27001:2013 Clauses

Clause | Coverage

4 Context of the organisation | Understanding the organisation and its context, identifying interested parties, defining the ISMS scope

5 Leadership | Demonstrating management commitment, creating the information security policy, determining roles and responsibilities

6 Planning | Requirements for risk assessment and treatment, information security objectives and planning to achieve them

7 Support | Resourcing, competence, awareness, documentation and communication

8 Operation | Operations, implementation of risk assessment and treatment

9 Performance evaluation | Assessing the effectiveness of the ISMS, internal audit and management review

10 Improvement | Addressing non-conformities, continual improvement

11

ISO27001:2013 Controls

Ref | Section | Controls | Content

A.5 | Information security policies | 2 | Management direction

A.6 | Organization of information security | 7 | Internal organisation

A.7 | Human resource security | 6 | Prior to, during employment; termination and change

A.8 | Asset management | 10 | Responsibilities, information classification, media handling

A.9 | Access control | 14 | Business requirements, user management and responsibilities, systems and application access control

A.10 | Cryptography | 2 | Cryptographic controls

A.11 | Physical and environmental security | 15 | Secure areas, equipment

A.12 | Operations security | 14 | Procedures and responsibilities, malware protection, backup, logging and monitoring, operational software, technical vulnerabilities, systems audits

A.13 | Communications security | 7 | Network security, information transfer

A.14 | Systems acquisition, development and maintenance | 13 | Security requirements, development and support, test data

A.15 | Supplier relationships | 5 | Information security in supplier relationships, service delivery

A.16 | Information security incident management | 7 | Management of incidents, improvement (of ISMS)

A.17 | Information security aspects of business continuity | 4 | Continuity, redundancy (of facilities)

A.18 | Compliance | 8 | Legal and contractual compliance, reviews

12

ISO/IEC 27001:2013

• The standard has been prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). The main objective of an ISMS is to preserve the confidentiality, integrity and availability of information. It is applicable to all organizations, regardless of type, size or nature.

Structure of the standard:

• 7 mandatory clauses.

• 114 controls spread across 14 domains and 35 control objectives.

13

Top tips for implementing ISO/IEC 27001

• Get commitment and support from senior management.

• Engage the whole business with good internal communication.

• Compare existing information security management with ISO/IEC 27001 requirements.

• Get customer and supplier feedback on current information security.

• Establish an implementation team to get the best results.

• Map out and share roles, responsibilities and timescales.

• Adapt the basic principles of the ISO/IEC 27001 standard to your business.

• Motivate staff involvement with training and incentives.

• Share ISO/IEC 27001 knowledge and encourage staff to train as internal auditors.

• Regularly review your ISO/IEC 27001 system to make sure you are continually improving it.

14

ISO 27001 Survey (source: ISO 27001 Global Report 2016)

• 53 countries participated in the survey, with a large portion of respondents representing the UK (41%), followed by India (10%) and the USA (7%).

• 29% of organizations had an annual turnover of over US$100 million (£76 million), while 26% had a turnover of less than $5 million (£3.8 million).

• The majority of respondents were from the technology sector (27%), business services/consulting (14%) and financial services (13%), followed by government/local authorities (10%).

• Individuals responsible for general IT functions (e.g. IT managers/directors) and compliance/risk managers accounted for the largest number of respondents (each accounting for 16% of respondents), followed by consultants (15%).

• 80% of respondents' organizations were either certified to ISO 27001 (40%) or were in the process of getting certified to ISO 27001 in the near future (40%).

15

ISO 27001 Survey (source: ISO 27001 Global Report 2016)

• ISO 27001 directly improves an organization's information security posture

• Resistance from executive teams about information security is still a concern

• Implementers struggle with key areas of ISO 27001 implementation

• Supply chain demands are driving certification

• The median length of time for an ISO 27001 certification project is 6-12 months

• In general, companies are not tracking implementation costs

16

ISO 27001 Survey (source: ISO 27001 Global Report 2016)

• Most companies do not employ a full-time ISMS manager

• Almost a third of respondents do not assess C, I and A separately in the risk assessment

• 76% of respondents follow an asset-based risk assessment methodology

• Only 23% use ISO 27001:2013 controls in isolation

• Only half of individuals managing the ISMS have a formal ISO 27001 qualification

• There is a strong need for external assistance and support

• ISO 27001 delivers return on investment (ROI) and total cost of ownership (TCO) benefits

17

IT'S NOT JUST THE IT DEPARTMENT (Source: British-assessment)

• Information security isn't just about websites, clouds, emails and apps. It's about everything in your business.

• An ISMS applies to everyone, wherever they are and whatever they do in your organization.

• You'll need to consider systems and procedures that everyone must follow.

• Don't restrict your policies to only your direct employees.

18

Key Challenges

• Top management commitment and support

• Raising awareness and building a security culture

• Systematically following implemented ISMS processes

• Ensuring continual improvement of the ISMS

• Employee involvement

• The relationship between IT / IS and the core business

19

ISO Survey 2015

20

ISO Survey 2015

Overview

Year | 2009 | 2010 | 2011 | 2012 | 2013 | 2014 | 2015

TOTAL | 12935 | 15626 | 17355 | 19620 | 21604 | 23005 | 27536

Africa | 47 | 46 | 40 | 64 | 99 | 79 | 129

Central / South America | 100 | 117 | 150 | 203 | 272 | 273 | 347

North America | 322 | 329 | 435 | 522 | 712 | 814 | 1445

Europe | 3563 | 4800 | 5289 | 6379 | 7952 | 8663 | 10446

East Asia and Pacific | 7394 | 8788 | 9665 | 10422 | 10116 | 10414 | 11994

Central and South Asia | 1303 | 1328 | 1497 | 1668 | 2002 | 2251 | 2569

Middle East | 206 | 218 | 279 | 332 | 451 | 511 | 606

21

ISO Survey 2015

ISO/IEC 27001 - Middle East

Country | 2010 | 2011 | 2012 | 2013 | 2014 | 2015

Total (Middle East) | 218 | 279 | 332 | 451 | 511 | 606

Bahrain | 8 | 6 | 15 | 20 | 26 | 27

Iran, Islamic Republic of | 7 | 13 | 4 | 9 | 23 | 23

Iraq | 1 | 0 | 1 | 0

Israel | 86 | 110 | 130 | 185 | 201 | 246

Jordan | 2 | 1 | 3 | 2 | 2 | 1

Kuwait | 18 | 15 | 17 | 15 | 18 | 20

Lebanon | 1 | 3 | 3 | 3 | 1 | 2

Oman | 9 | 11 | 10 | 11 | 8 | 7

Palestine | 1 | 1 | 1 | 1

Qatar | 6 | 9 | 7 | 23 | 28 | 35

Saudi Arabia | 23 | 37 | 46 | 59 | 72 | 65

Syrian Arab Republic | 0 | 0

United Arab Emirates | 57 | 73 | 96 | 123 | 131 | 179

Yemen | 0 | 0

22

"The only thing harder than planning for security is explaining why you didn't..."