Information Security Management System
Executive Summary:
An information security management system (ISMS) is, as the name implies, a set of policies and
processes concerned with managing information security. The key concept of an ISMS is for an
organization to design, implement and maintain a coherent suite of processes and systems for
managing access to information, thus ensuring the confidentiality, integrity and availability of
information assets and minimizing information security risks.
As with all management processes, an ISMS must remain effective and efficient in the long term,
adapting to changes in the internal organization and the external environment. ISO 27001:2005
structures this approach around the PDCA (Plan-Do-Check-Act) cycle; its main elements are:
Security Management & Principles: The core components of risk management, information
security policy, procedures, standards, guidelines, baselines, classification, education, and
security organization serve as the foundation of information security. Security controls are
implemented and maintained to address the three interdependent principles present in all
programs: Confidentiality, Integrity and Availability, also known as the "CIA triad."
Security Management Responsibilities: This includes the resources, funding, and strategic
representation needed to run a security program. The assigned responsibilities get the ISMS off
the ground and keep it thriving and evolving as the environment changes. Management support is
one of the most important factors for the success of the security program.
Top-Down Approach: The top-down approach means that top management provides support
and direction, which is cascaded down through middle-level management and then to staff
members.
Security Awareness: To achieve the desired results of the security program, an organization
must communicate the "what, how and why" of security to their employees. This awareness
should be comprehensive, tailored, and organization-wide.
Business Continuity and Disaster Management: Ensures continuity, recovery and restoration of
the business in case of disaster. In an emergency this would involve relocating critical systems
to an alternate environment while the original facilities are being repaired.
Introduction:
Overview of Information Security Management Systems:
What is Information Security?
Information is a valuable asset in any organization, whether it's printed or written on paper, stored
electronically or sent by mail or electronic means.
To effectively manage the threats and risks to your organization's information you should establish an
Information Security Management System (ISMS).
Information Security has three primary goals, known as the security triad:
Confidentiality – Making sure that those who should not see your information cannot see it.
Integrity – Making sure the information has not been changed from how it was intended to be.
Availability – Making sure that the information is available for use when you need it.
The security triad can be remembered by the letters CIA. These principles look simplistic when
broken down, but on closer inspection every step taken in security serves one or more of these
three goals. When most people think about Information Security they generally think only of the
first item, Confidentiality, and understandably so, since that is all the media seems to think
security is about. Ironically, Confidentiality is also the one of the three goals you most often do
not need: a public web site does not want to be confidential; that would defeat the point of being
public.
In order to promote Confidentiality you have several tools at your disposal, depending on the nature
of the information. Encryption is the most commonly thought-of method, but other methods include
Access Control Lists (ACLs) that keep people from accessing information, smart cards plus PINs that
keep unauthorized people from entering your building and looking around, or even explaining to your
employees what information about the company they can and cannot disclose over the phone.
Integrity is the part of the triad that affects the most people in the IT world, but few seem to
notice it, and fewer still think of it as a security issue. The files on your operating system must
maintain a high level of integrity, yet worms, viruses and trojans are a major issue in IT and can
also be a way for an attacker to get information out of your network or inject his own information
into it. Integrity is not just about malicious parties; it also covers items such as disk errors or
accidental changes made to files by unauthorized users. Access control lists (ACLs), physical
security and regular backups all fall under integrity (and sometimes confidentiality and
availability: one control can address multiple problems).
Availability is the part of the triad most administrators have to worry about at work, and with good
reason. It is the most common and most visible part of the security triad, and it is part of the job
of just about every administrator, even non-security ones. For them it is mostly about system
uptime, but it also covers subjects such as accidentally denying a user access to a resource they
should have, a user locked out of the front door because the biometric reader does not recognize his
fingerprint (a false negative), or even major issues such as natural disasters and how the company
should recover from one.
Business Challenge:
Dependence on information systems and services means organizations are more vulnerable to security
threats. Information is an asset which, like other important business assets, has value to an organization
and consequently needs to be suitably protected. By proper identification and classification of those
assets and a systematic risk assessment of threats and vulnerabilities your company can select
appropriate controls to manage those risks and demonstrate that it is preserving confidentiality,
integrity and availability of those information assets to clients, consumers, shareholders, authorities and
society at large.
An information security management system (ISMS) is a formal, controlled set of processes and
procedures dealing with the management of information security within an organization. The
implementation of an ISMS is a key step that any organization in possession of valuable
information assets should consider. This article offers an overview of the implementation
process, and explains the benefits of an ISMS.
An ISMS offers a number of significant benefits to both the organization and its customers.
ISO 27001 is an internationally recognized standard codifying the audit requirements for an
Information Security Management System, or ISMS. It was the first of the ISO 27000 series, published
by the International Organization for Standardization, or ISO (www.iso.ch), in October 2005. ISO
27001 is high level, broad in scope, and conceptual in nature, which allows it to be applied across
many types of enterprises and applications. It is the only information security "standard" devoted
to information security management audit criteria in a field generally governed by specific
operational audit criteria. As a standard that is primarily conceptual, ISO 27001 is not:
A technical standard.
Product or technology driven.
An equipment evaluation methodology.
The information security field has traditionally been based on "best practices" and "guidelines".
While this cumulative wisdom is valid, it is also subject to various interpretations and
implementations, not always consistent or harmonious. Furthermore, without the risk justification
required by ISO 27001, "best practice" is in reality "best guess", devoid of the underlying analysis
that makes control implementation both justifiable and defensible. The benefits of ISO 27001 are
summarized under Key Benefits below.
Background
ISO 27001 is a direct descendant of the British Standards Institution (BSI) Information Security
Management standard BS 7799-2. BSI has long been proactive in the evolving field of Information
Security. In response to industry demands, a working group devoted to Information Security was first
established in the early 1990s, culminating in a "Code of Practice for Information Security
Management" in 1993. This work evolved into the first version of the BS 7799 standard, released in
1995.
In the late 1990s, again in response to industry demands, BSI formed a program to accredit auditing
firms, or "Certification Bodies," as competent to audit to BS 7799. Simultaneously, a steering
committee was formed, culminating in the update and release of BS 7799 in 1998, 1999, 2000, and
finally in 2002. By this time, information security had become headline news and a concern to
computer users worldwide. While some organizations used the BS 7799 standard, demand grew for an
internationally recognized information security standard under the aegis of an internationally
recognized body, such as the ISO. This demand led to the updating and release of BS 7799-2 as ISO
27001 in October 2005.
ISO 27001 (the auditable requirements for an ISMS) and ISO 27002 (the code of practice that
supplies implementation guidance for the controls) serve distinct purposes, hence it is important
to understand the differences between them.
A process is considered to be any activity using resources and managed in order to enable the
transformation of inputs into outputs. A process approach is when individual processes and
their interactions are bundled into a cohesive package, or system, chartered to accomplish
something. ISO 27001 is implemented through the creation and maintenance of an Information
Security Management System or ISMS chartered with establishing, implementing, operating,
monitoring, reviewing, maintaining, and improving an organization's information security.
PDCA Model
True to its roots in Quality Management, ISO 27001 has adopted the closed-loop PDCA (Plan, Do,
Check, Act) cycle, and this is a good place either to start or to review the progress of the
implementation.
The Plan, Do, Check and Act framework is cyclic and has to be run continuously over the long term,
with the solid backing of management.
It is recommended that the ISMS be based on the Deming Wheel model introduced in BS 7799-2:2002
(PDCA - Plan, Do, Check and Act), which is the de facto methodology and ensures that the correct
components are engaged, evaluated, monitored and improved on a continuous basis.
Key Benefits:
1- Because the business depends on information and information systems, the confidentiality,
integrity and availability of that information is essential to maintaining competitive edge,
cash-flow, profitability and commercial image.
2- Through a proper risk assessment, threats to assets are identified, vulnerability to them and
likelihood of occurrence are evaluated, and potential impact is estimated, so your investment is
allocated where it is necessary.
To implement the ISMS process, let us look at the various points that need to be covered under each
domain. A brief explanation is given and examples are quoted wherever necessary.
The team:
We will need to form a team to take this forward. We will need a person who will be the primary
interface between the implementation team and senior management. Let us call this person the Chief
Information Security Officer (CISO). The CISO will be responsible for getting formal approvals from
management and should be capable of taking decisions on behalf of management.
We will also need a project manager who will be in overall charge of the project and will report to
the CISO. Let us call him the Information Security Officer (ISO; not to be confused with the
standards body). The implementation team members can be selected from every team / group /
department within your scope, which will help in a smooth implementation process.
An ISMS can be implemented for just a department, for just one floor of an organization, or for the
whole or part of an organization. You will need to discuss with senior management and write down the
areas where you would like to implement ISMS practices. This scope has to be clearly defined in your
Information Security Policy document.
Business process study of individual departments: We have already identified the departments within
the scope, and we have one member from each department on our implementation team. Have a
discussion with these team members to understand the processes involved in carrying out the tasks
of their department.
For example: let us take one part of the HR department. If we look at the hiring process, there
will be different levels of interviews, each interview will have its own standards and methods,
and after the interviews are over an offer is made; on acceptance the candidate joins the
organization. Once the joining formalities are over, a background check of the employee is done.
Implementation Issues:
A Security Awareness Program is a very important issue. A tool is essential to make security
policies visible across the organization and to translate policy objectives into actual compliance.
Risk Assessment
Asset Inventory: Information can exist in different forms, and those that hold this information
are known as information assets. These can be printed or written records, electronically stored
files, or information sent by mail or electronic means, as noted above.
All the information assets of these departments should be identified and documented. On
identifying these assets it is good practice to label them. A format needs to be defined to label
all the assets within the organization.
Every asset will have an asset owner and an asset custodian. We will need to document the asset
owner and the asset custodian of each asset.
For example: let us take the case of a critical server in the organization. The owner of the
server (hardware) would be the server group, the application owner might be the application
group and the owner of the data residing on the server might be the system development group.
This will vary from server to server or organization to organization, or might be the same. It
is also possible for the owner and custodian of the hardware, software and data to be the same.
This needs to be identified and documented.
Asset Value: Asset value can be defined by looking at the confidentiality, integrity and
availability requirements of an asset. Let me give an example which will make this easier to
understand.
Let us take the mail server of the organization. The asset owner of the server and the custodian
of the data is the server group, and the asset owner of the data is everyone who uses the server.
Let us define a scale of 1-5 to record and assign a value to the owners' and custodians' views.
Confidentiality
Q. What if an intruder or another employee of a lower access level gets to read confidential top
management mails?
Answer 1: It is very critical, since top management exchanges a lot of information through email.
Answer 2: It is not very critical. Since all our mail is encrypted (digital signatures alone would
protect integrity, not confidentiality), there is very little chance of information leakage.
Integrity
Q. What if an intruder or another employee modifies the contents of the mail, so that the mail
delivered is something different?
For example: the CEO sends a mail to the CFO to donate Rs.1,00,000 to a charity. Someone in
between tampers with the mail, changes the amount to Rs.7,00,000 and substitutes his own account
number.
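The tampering scenario above is exactly what an integrity control is meant to catch. The following is an added example (not code from the article) showing the mechanism in miniature: the sender attaches a keyed hash (HMAC-SHA256) computed over a canonical encoding of the mail fields, and the receiving side recomputes it and rejects anything that no longer matches. The shared key, addresses, amount and account number are constructed for the example; a real deployment would more likely use S/MIME or PGP signatures than a shared secret, but the integrity property shown is the same. The last lines also make the point from the Confidentiality answer above: a signature or MAC proves the message was not altered, it does not hide its contents.

```python
"""Tamper detection for the CEO-to-CFO mail scenario (added example)."""
import hashlib
import hmac
import json

# Constructed shared secret for the example (assumption: both mail gateways hold it).
SHARED_KEY = b"example-only-shared-secret"

# Constructed mail; the amount is in rupees as in the text.
ORIGINAL_MAIL = {
    "from": "ceo@example.com",
    "to": "cfo@example.com",
    "subject": "Charity donation",
    "amount_rs": 100000,
    "account": "CHARITY-001",
}


def canonical(message: dict) -> bytes:
    """Deterministic encoding so sender and receiver hash exactly the same bytes.

    Key order and whitespace are fixed; otherwise an equivalent message could
    produce a different tag and be rejected for no reason.
    """
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign(message: dict, key: bytes = SHARED_KEY) -> str:
    """Sender side: compute the HMAC-SHA256 tag that travels with the mail."""
    return hmac.new(key, canonical(message), hashlib.sha256).hexdigest()


def verify(message: dict, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Receiver side: recompute the tag and compare in constant time.

    compare_digest avoids leaking, through timing, how many leading
    characters of a forged tag happened to be correct.
    """
    return hmac.compare_digest(sign(message, key), tag)


def tamper(message: dict, **changes) -> dict:
    """Model the man in the middle: copy the message and alter some fields."""
    altered = dict(message)
    altered.update(changes)
    return altered


def deliver(message: dict, tag: str) -> str:
    """Receiving mail gateway: accept only messages whose tag verifies."""
    if not verify(message, tag):
        return "REJECTED: integrity check failed"
    return f"ACCEPTED: pay Rs.{message['amount_rs']} to {message['account']}"


if __name__ == "__main__":
    tag = sign(ORIGINAL_MAIL)
    print(deliver(ORIGINAL_MAIL, tag))
    forged = tamper(ORIGINAL_MAIL, amount_rs=700000, account="ATTACKER-999")
    print(deliver(forged, tag))
    # A MAC gives integrity, not confidentiality: the amount is still readable in transit.
    print(b"100000" in canonical(ORIGINAL_MAIL))
```

The attacker in the text can change the amount, but without the key cannot produce a tag for the changed message, so the forged mail is rejected; an attacker who instead steals or guesses the key defeats the scheme entirely, which is why key handling belongs in the asset inventory alongside the server itself.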
Availability
Q. What happens if there is a hardware failure and the server is not available to the
organization?
Answer 1: It is very critical. Incoming mail might not be delivered, there might be data
corruption, and there is a possibility of users losing their mail.
Answer 2: It is not very critical. My servers are redundant and I have a backup MX record. If
there is a hardware failure, the backup server and MX record will take over and there will be no
disruption to the service.
Now let us arrive at the asset value by using a simple method. Note: various other
methods are also available, this is just an example.
The next step is to identify the risk value of this particular asset. Let us see how to arrive
at the risk value.
Risk Value The risk value for an asset has to be determined by identifying the possible
threats that can impact the CIA of the asset, how much impact will it cause, what is the
frequency of the impact and the asset value.
Let us take the mail server as mentioned above for this example. We have already
identified the asset value, now we need to list down the threats to the mail server.
Power failures
Hardware failure
Fire
Virus attacks / Malicious code injection
Intruders (Hacking), Denial of Service (DoS attack)
Mail accidentally sent to a different recipient
Data corruption / data loss
Unauthorized access
Link failure
Natural calamities
BIA (business impact analysis) is performed to analyze the impact on the system of various
unforeseen events or incidents. Various failure scenarios and their possible business impacts
are analyzed, including technical problems, human resources and other events.
We have already identified the asset value, and the risk value is based on the threats and
vulnerabilities, which will show us the impact on business. Why do we need another analysis?
BIA is different from risk assessment. Risk assessment identifies the possible threats and
vulnerabilities and how they will impact the asset and the business. The asset value shows how
critical that asset is to the organization.
BIA is based on time. If there is a server crash, taking the mail server from the example above,
how long can the organization go without an email server?
This is derived by doing the business impact analysis. The steps to be followed in determining
the business impact are as shown below:
Identify the critical resource, which has already been done while collecting the assets and
deriving the asset value. List all possible impacts to the business and prioritize the assets.
In this example of deriving the BIA we shall use a scale of 1 to 5, and since the mail server is
critical to the organization we shall take 4 as the BIA value.
Probability of Occurrence
For this example, let us consider the probability of occurrence to be rated Medium, which we
give the value 0.4. Let us now see how we can arrive at the risk value.
Here we have taken the example of a mail server and determined the risk value. When you do a risk
assessment on a desktop or some templates, the risk value might be much lower. By this method you
will be able to decide which assets need to be considered for risk treatment in the next phase; the
rest can be left out. This is done because, if we do a risk treatment on assets that have a low risk
value, the money spent to mitigate risk on those assets might be much higher than the cost of the
asset or the loss it could cause to the business. We have the risk value and have decided to do a
risk treatment for this asset, as it is a very important asset for the organization.
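The asset value, BIA value, probability and risk value steps above fit together as a small risk register. The following is an added example, not the article's or ISO 27001's own method. It keeps the scales the text uses (C/I/A ratings and BIA on 1-5, probability Medium = 0.4) and goes one step further by scoring each threat from the list separately, so the worst threat drives the asset's risk value. Everything else is an assumption of this example: asset value is the highest of the three C/I/A ratings, Low and High probabilities are 0.2 and 0.8, risk value is asset value x BIA x probability, and the treatment threshold is 4.0. The assets and their ratings are constructed.

```python
"""Toy risk register for the mail-server walk-through (added example)."""
from dataclasses import dataclass, field

# Medium = 0.4 follows the text; Low and High are assumed values.
PROBABILITY = {"Low": 0.2, "Medium": 0.4, "High": 0.8}
TREATMENT_THRESHOLD = 4.0  # assumption: below this, treatment costs more than it saves


def _rating(value: int, name: str) -> int:
    """Enforce the 1-5 scale so a typo such as 50 cannot inflate a score."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return value


@dataclass
class Asset:
    name: str
    owner: str
    custodian: str
    confidentiality: int
    integrity: int
    availability: int
    bia: int                                    # time-based criticality, 1-5
    threats: dict = field(default_factory=dict)  # threat -> "Low" / "Medium" / "High"

    def __post_init__(self):
        for attr in ("confidentiality", "integrity", "availability", "bia"):
            _rating(getattr(self, attr), attr)
        for threat, level in self.threats.items():
            if level not in PROBABILITY:
                raise ValueError(f"{threat}: unknown probability {level!r}")

    def asset_value(self) -> int:
        """Assumption: the asset is as valuable as its most demanding CIA requirement."""
        return max(self.confidentiality, self.integrity, self.availability)

    def threat_risk(self, threat: str) -> float:
        """Risk contributed by one threat: asset value x BIA x probability (assumed formula)."""
        return round(self.asset_value() * self.bia * PROBABILITY[self.threats[threat]], 2)

    def risk_value(self) -> float:
        """The worst single threat sets the asset's risk value (0.0 if none listed)."""
        if not self.threats:
            return 0.0
        return max(self.threat_risk(t) for t in self.threats)

    def needs_treatment(self, threshold: float = TREATMENT_THRESHOLD) -> bool:
        return self.risk_value() >= threshold


def rank_for_treatment(assets):
    """Register view: assets sorted by risk, highest first, with the deciding threat."""
    rows = []
    for a in assets:
        worst = max(a.threats, key=a.threat_risk) if a.threats else None
        rows.append((a.name, a.asset_value(), a.risk_value(), worst, a.needs_treatment()))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed assets: the mail server from the text and a low-value template file.
MAIL_SERVER = Asset(
    name="mail server", owner="server group", custodian="server group",
    confidentiality=5, integrity=4, availability=5, bia=4,
    threats={"Hardware failure": "Medium", "Power failure": "Low",
             "Virus attack": "Medium", "Fire": "Low"},
)
TEMPLATE = Asset(
    name="standard forms template", owner="admin", custodian="admin",
    confidentiality=1, integrity=2, availability=1, bia=1,
    threats={"Data loss": "Medium"},
)

if __name__ == "__main__":
    for row in rank_for_treatment([MAIL_SERVER, TEMPLATE]):
        print(row)
```

With these assumptions the mail server scores 5 x 4 x 0.4 = 8.0 on its Medium threats and is queued for treatment, while the template scores 2 x 1 x 0.4 = 0.8 and is left out, which is the decision the text describes; the range check on the ratings is there because a register is only as good as the numbers the asset owners type into it.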
Risk Management:
Let us see how we can eliminate or reduce the risk due to the above-mentioned threats by mapping
each threat to the relevant ISO 27001 Annex A controls.
Above is an example of how each identified threat can be mapped to ISO 27001 controls, and of
how to minimize the risk.
Having determined the asset value and risk value, management should now decide which assets
have to be considered for risk mitigation. This is necessary because some of the controls needed
to mitigate a risk might cost the organization more than the asset is worth. Assets that can be
recreated without any impact to the business (such as templates, standard forms, etc.) can be
excluded from the risk mitigation process.
Risk Acceptance: To accept the risk and continue operating, or to implement controls to lower
the risk to an acceptable level. We need to give high priority to business requirements while
also looking at how to safeguard information. There are instances where we will need to accept a
certain risk so that business requirements are met.
For example: for testing purposes you need to move one of your servers into the DMZ for a
particular period of time. Since this testing is mandatory, it can be considered an acceptable
risk for that period, but this should be agreed by management and the asset owners, and the
acceptance should be time-limited rather than open-ended.
Risk Avoidance: To avoid the risk by eliminating its cause and/or consequence. An old system (for
example Windows 98 running some proprietary application) which cannot be patched against current
vulnerabilities and is of little use to the organization can be eliminated by switching the
machine off.
Risk Limitation: To limit the risk by implementing controls that minimize the adverse impact of
a threat on an asset. Implementing an anti-virus server in the organization does not ensure that
the assets are protected from virus attacks; it is a method of minimizing the risk from known
viruses.
Risk Planning: To manage risk by developing a risk mitigation plan that prioritizes, implements
and maintains controls. We foresee some of the risks due to natural calamities. For the case of
fire, it is recommended to hold fire drills at regular intervals, place fire extinguishers in
fire-prone areas, mark fire exits and keep those paths clear of obstructions, and have documented
procedures and guidelines on operating fire extinguishers and on how to act during a fire.
Risk Transfer: To transfer the risk by using other options to compensate for the loss, such as
purchasing insurance. Risk can also be transferred by having a contract with your vendors, by
means of an annual maintenance contract (AMC) or any other agreement to keep spares at your
location.
Statement of Applicability (SOA): The SOA is a document that lists all of the ISO 27001 Annex A
controls. It requires identifying those that are applicable and giving a justification for
choosing each control. A justification also needs to be given for each control that has not been
chosen for implementation.
The SOA document will be provided to clients and external trusted authorities on demand, for them
to identify the level of implementation of security practices in the organization. The headers of
the SOA document can be as mentioned below. This is just an example.
To help review or design security controls, they can be classified by several criteria, for
example according to the time at which they act relative to a security incident:
Before the event, preventive controls are intended to prevent an incident from occurring, e.g. by
locking out unauthorized intruders;
During the event, detective controls are intended to identify and characterize an incident in
progress, e.g. by sounding the intruder alarm and alerting the security guards or police;
After the event, corrective controls are intended to limit the extent of any damage caused by the
incident, e.g. by recovering the organization to normal working status as efficiently as possible.
(Some security professionals would add further categories such as deterrent and compensating
controls. Others argue that these are subsidiary categories. This is simply a matter of
semantics.)
Security controls can also be categorized according to their nature, for example technical
controls versus organizational controls, a distinction returned to in the conclusion.
Control Areas
ISO 27001 defines a management system as organizational structure, policies, planning
activities, responsibilities, practices, procedures, processes, and resources. ISO 27001 further
defines ISMS as that part of the overall management system, based on a risk approach, to
establish, implement, operate, monitor, review, maintain and improve information security.
This comprehensiveness causes an ISO 27001 ISMS to potentially interact with multiple
enterprise departments and programs such as:
Human Resources
Legal / Compliance
Audit
Facilities
Business Continuity
Operations
Physical Security
In order to accomplish this goal, ISO 27001 has identified 5 control areas, 12 control objectives,
and 78 controls. Each control is defined as an auditable requirement. It should be noted that
implementation of a control may involve interaction with other departments and programs
previously mentioned. The ISO 27001 control areas, control objectives and key control
attributes are summarized below.
Mandatory controls
The controls detailed within ISO 27001 sections 4-8 are required for conformance to this
standard.
Management responsibility
This control area addresses the need for clearly assigned ISMS management responsibilities,
including: Management commitment – management identification and communication of information
security control objectives and risk tolerance. Resource management – provisioning of adequate
resources to meet the defined control objectives and ensuring competency in execution.
Management review of the ISMS
This control area addresses the need for periodic management review of the ISMS, including:
Review input – the various sources of metrics required for a comprehensive management review.
Review output – the various management review decision criteria and the need to track changes
resulting from these management decisions.
ISMS improvement
This control area addresses the need for mechanisms to continually improve the ISMS
including: Continual improvement – tools and techniques to measure and monitor the ISMS
performance. Corrective action – reactive identification and root cause analysis of existent ISMS
non-conformities as well as tracking of remediation actions. Preventive action – proactive
identification and root cause analysis of potential ISMS non-conformities as well as tracking of
remediation actions.
Discretionary controls
The controls detailed within ISO 27001 Annex A are the same controls detailed within ISO
27002, but without the implementation guidance provided within ISO 27002. ISO 27001
requires that these Annex A controls be completely addressed, but not necessarily
implemented. The business friendly stance of ISO 27001 allows for risk acceptance based upon
organizational risk tolerance criteria established by management. Those Annex A controls not
implemented must have documented risk acceptance justification. There are 11 control domains in
Annex A of ISO 27001:2005, which are as follows:
1- Information Security Policy: describe how your security policies are documented, approved,
published, reviewed and updated.
2- Organization of Information Security: describe how your company is organized in terms of its
approach to information security.
3- Asset Management: describe how your assets are identified and managed, and how information
within your organization is classified, labeled and handled.
4- Human Resources Security: describe how your employees understand their responsibilities and
how you ensure continued appropriate access to information before, during, and after
employment.
5- Physical and Environmental Security: describe how you prevent unauthorized physical access,
damage and interference to your organization’s premises and information.
6- Communications and Operations Management: describe how your organization ensures the
correct and secure operation of information processing facilities, through:
- operational procedures and responsibilities
- 3rd party service delivery management
7- Access Control: describe how access to information and information processing facilities is
controlled on the basis of business and security requirements.
8- Information Systems Acquisition, Development and Maintenance: describe how security is built
into information systems when they are acquired, developed and maintained.
9- Information Security Incident Management: describe how your organization ensures that
information security weaknesses and events are communicated in a timely manner.
10- Business Continuity Management: describe how your organization counteracts interruptions to
business activities and protects critical business processes from the effects of major failures or
disasters, and ensures their timely resumption.
11- Compliance: describe how your organization ensures compliance with organizational security
policies and standards.
ISO 27001 (formerly BS 7799-2) consists of 133 best-practice security controls (covering the 11
domains discussed above) which organizations can adopt to build their security infrastructure.
Even if an organization decides not to go in for certification, the ISO 27001 (BS 7799) model
helps organizations maintain organizational security through ongoing, integrated management of
policies and procedures, personnel training, selecting and implementing effective controls, and
reviewing their effectiveness and improving them.
Conclusion:
Information is now globally accepted as being a vital asset for most organizations and businesses. As
such, the confidentiality, integrity, and availability of vital corporate and customer information may be
essential to maintain competitive edge, cash-flow, profitability, legal compliance and commercial image.
ISO 27001 is intended to assist with this task. It is easy to imagine the consequences for an organisation
if its information was lost, destroyed, corrupted, burnt, flooded, sabotaged or misused. In many cases it
can (and has) led to the collapse of companies.
Research conducted in several offices has shown that technical security controls are implemented
at a good level. Unfortunately, organizational security controls are at only a satisfactory
level. This is because the implementation of technical security controls is the responsibility
of an information technology officer, who has the relevant qualifications, whereas the
organisational security controls are the responsibility of all employees. The implementation of
such security controls will require substantial changes in the organization's culture.
For that reason the implementation phase should be accompanied by a series of employee training
courses. Their purpose is to acquaint employees with the new ways of working and to explain the
reasons for introducing the changes. Next comes the development and implementation of the risk
treatment plan, which defines the actions that need to be undertaken, their sequence, and the
positions responsible for introducing the changes. The further stage includes the implementation
of the security controls provided for in the Statement of Applicability, and defining the way of
measuring their effectiveness. The measurement should allow not only for the assessment of system
operation in the future, but also for comparison of changes over time.
Developed nations are today at the forefront of developing and defining standards in Information Security, significant
amongst them being COBIT, ISO 27001, ISM3 etc. The primary purpose of such a standard is to provide a single framework
for effective Information Security management. This includes, in general:
Having a vision defining the importance of Information Security from a business perspective.
Integrating technical and non-technical security approaches.
Planning and implementing solutions.
A method for continuous improvement.
Adequate documentation.
Steps to ensure continuity of business.
A significant change in outlook which standards have brought about can be summarized as follows:
An organization stands to lose its chance of good business with discerning customers if it does not pay
attention to Information Security, or sees it as an area purely concerning the IT department.
The realization that customers need assurance that there is adequate protection for critical information.
The catalyst for this change in approach has been standards and guidelines. The current international standards in
Information Security work around the principle of ISMS. These standards approach Information Security in a top-down
manner, with the initiatives towards ISMS set and supported by the senior management and implemented by the lower
rungs of the organization.