Richard Henson University of Worcester February 2017

COMP3371 Cyber Security

Week 2: Developing an Information Security Management System (ISMS)
Objectives:
- Explain why security is a process, and not just something that can be “bought”
- Explain the term ISMS and how it relates to information security policy
- Explain the standards an organisation can aspire towards as it develops controls and an ISMS

What is an Information Security Management System (ISMS)?
- A system for managing information security in an organisation
- Many organisations still don’t treat information security seriously…
  - they still see security as something they can spend a little money on now and then

Developing an ISMS
- Each organisation is different!
- No template “one size fits all” ISMS is therefore possible
- One reason for an IS policy is that it will ensure that a system is in place

Information Assurance
- A set of organisational processes to manage information security
- These require some kind of ISMS to ensure that they are not neglected
- Different information assurance standards have been developed to encourage appropriate ISMS development and use

An ISMS that is “fit for purpose”
- The organisation needs to know (or acknowledge through the work of an analyst) all aspects of how data is managed
  - requires an understanding of processes and associated data
  - can then identify data flows, etc.
- Risk assessment required to determine where controls on data flows are needed
  - unless explicitly stated, ISO27001 assumes all controls are needed
  - no point spending money on controls where they are not needed
  - but exemptions need justifying…

PCI DSS: Approach to Security Controls; less focus on ISMS
- System devised by credit card companies (i.e. banks…): https://www.pcisecuritystandards.org/
- Guidelines for a number of years…
- Now with v3 a sting in the tail for the SME
  - heavy fines possible
  - can be refused merchant facilities…
- Will affect small businesses WORLDWIDE selling online directly to consumers

Requirements for PCI DSS compliance? (1)
12 controls (11 technical):
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs

What is needed for PCI DSS compliance? (2)
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for employees and contractors
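As an added example (not part of the slides, and not the PCI Council's own tooling), the Python script below shows how several of the requirements just listed turn into one concrete, repeatable check a merchant could run over its own application audit log: protecting stored cardholder data (a full PAN must never be written to a log; the first six and last four digits are the most PCI DSS allows to be displayed), restricting access by business need-to-know, assigning a unique ID to each person, and tracking all access. The log format, the user and role names, and the two allow-lists are constructed assumptions for the example; the Luhn check is the standard mod-10 test all major card brands use.

```python
"""Access review over a constructed cardholder-data audit log.

Added example (not from the lecture slides). It turns several of the PCI DSS
requirements listed on the slide into one concrete check:
  - protect stored cardholder data: a full PAN must never end up in a log;
    only the first six and last four digits may be shown
  - restrict access by business need-to-know: only allow-listed roles may
    read cardholder data
  - assign a unique ID to each person: generic/shared accounts are flagged
  - track and monitor all access: every line is reviewed, none sampled
The log format, users, roles and allow-lists are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log (hypothetical format: timestamp user role action resource).
SAMPLE_LOG = """\
2017-02-06T09:01:12Z alice payments-clerk READ card=4111111111111111
2017-02-06T09:02:40Z bob   marketing      READ card=4111111111111111
2017-02-06T09:05:03Z admin sysadmin       READ card=5500000000000004
2017-02-06T09:06:10Z carol payments-clerk READ card=411111******1111
"""

NEED_TO_KNOW_ROLES = {"payments-clerk", "fraud-analyst"}   # assumed allow-list
GENERIC_ACCOUNTS = {"admin", "root", "shared", "guest"}    # assumed shared IDs

# 13-19 digit runs are PAN candidates; the Luhn check below filters out
# other long numbers (order ids, epoch timestamps, ...).
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<role>\S+)\s+(?P<action>\S+)\s+(?P<resource>\S+)$"
)


@dataclass
class Finding:
    requirement: str   # short name of the PCI DSS requirement breached
    user: str
    detail: str


def luhn_valid(digits: str) -> bool:
    """Standard Luhn (mod 10) check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to first six / last four, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def review_access_log(log_text: str) -> List[Finding]:
    """Return one Finding per requirement breached by each log line."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue   # malformed line: a real review would report it too
        user, role = m["user"], m["role"]
        if role not in NEED_TO_KNOW_ROLES:
            findings.append(Finding("need-to-know", user, f"role {role!r} is not allow-listed"))
        if user in GENERIC_ACCOUNTS:
            findings.append(Finding("unique-id", user, "shared/generic account, not a unique ID"))
        for pan in PAN_CANDIDATE.findall(m["resource"]):
            if luhn_valid(pan):
                # never echo the full PAN back out, even in a finding
                findings.append(Finding("stored-data", user, f"full PAN written to log: {mask_pan(pan)}"))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per requirement, the figure a reviewer reports upward."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.requirement] = counts.get(f.requirement, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access_log(SAMPLE_LOG)
    for f in results:
        print(f"[{f.requirement}] {f.user}: {f.detail}")
    print(summarise(results))
```

Run as-is, the constructed log yields six findings: alice's line is fine on access but leaks a full PAN, bob's marketing role has no need-to-know, and the shared "admin" account fails both the unique-ID and need-to-know checks; carol's masked entry passes everything. The point for policy writers is that each requirement becomes a yes/no condition an organisation can evaluate on every log line, which is what "track and monitor all access" means in practice.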

PCI DSS issues
- Is it realistic?
- Is it essential?
- How can it be policed?
- Discussion in groups…

ISO27001
- ISO27001 standard (“gold standard”) developed from a British standard, BS7799
- Lists over 100 possible controls
  - but good risk assessment can reduce the number actually used
- How many are actually needed?
  - depends on an organisation’s processes
  - for each control not used, non-use needs to be justified…

IASME & Cyber Essentials
- IASME uses principles of ISMS and, like ISO27001, uses 100+ controls…
  - designed to be more SME friendly
  - ISMS development tricky for SMEs…
- Cyber Essentials requires only 5 controls…
  - all essentially technical
  - Cyber Essentials now a minimum for government contracts
  - useful starting point?
  - No IS policy! Some documented process expected

Policy and System!
- Policy is a series of statements…
  - what the organisation would like to do, and aspires to do
  - will only be an aspiration until implementation
- Writing policy is easy… writing policy capable of implementation is more difficult!

How would you set up an Information Security policy?
- Who would write it?
- Who would approve it?
- Discussion again in groups
  - could you “outsource”?
  - if done internally, who would be involved in implementation?

Managing Information Security as a Process
- First step…
  - identify all systems that carry information and decide what controls are in place to protect them
  - test those controls for potential security breaches
  - identify what has been forgotten
  - secure as appropriate through further controls
- Next step:
  - once secure, develop a strategy to MANAGE this process over time...
  - implement that strategy

Information Security Strategy: Where to start?
- Can’t START with technology
  - need to start with ISSUES that need addressing
  - policy to address them should follow
- Should be primarily “top down”
  - concerned with policies, not technical matters…
  - can be supplemented by a “bottom up” approach

Policy and Technology
- Policy always a headache for organisations to implement
  - requires employee training
  - may cause employee unrest
- Technologies can be used to implement policies
  - degree of success in the latter depends on:
    - communication of policies (and WHY!)
    - understanding of technologies

Information Security Policy matters
- Threats… who will quantify them? Head of IT? External consultant? Both?
- Who will suggest strategies to mitigate those threats? As above?
- Who will make the policies? Senior Management (with guidance…)

Creating a Policy
- Same principles apply as with ANY change in organisational policy
  - MUST come from the top!!!
- Possible implementation issues also need to be:
  - identified
  - communicated to employees
- Problem: Senior Management generally don’t understand IT…
  - unlikely to stand in front of employees and discuss…

IT Manager, and Implementation
- Needs to be able to do it right…
  - likely to need a big budget!
- Big responsibility on the IT manager to convince senior management:
  - that the policy (change) really is necessary!
  - that the organisation won’t suffer financially
  - the consequences of NOT changing

Going beyond creating a Policy…
- According to the latest figures, many businesses say they DO have an information security policy
- Big questions…
  - is it implemented???
  - will it be? by when?
- One possible approach to making sure policy gets through to all parts of an organisation is to implement PCI-DSS or another information assurance standard

Information Security Management
- Oversee implementation of policy
  - will be never ending!
- Can’t begin to evolve into an ISMS until policy has been agreed and signed off…

Making a start… (1)
- Devise a set of agreed procedures to protect data
- Accept that administering them is an organisational-level matter
- Acknowledge the iterative nature of checking implementation, and agree a rate of iteration (e.g. yearly)
- Now have the makings of an ISMS
  - first stage towards ISO27001

Making a start… (2)
- Appoint someone with institutional responsibility in control of the policy-making, and its evolution
- Role should not be outsourced!
  - need to provide advice, expertise, implement procedures
  - need a realistic budget that takes into account the resource and human cost…

The Costs of Securing Data
- Hardware/software cost
  - fixed and easily determined
- Human resource cost
  - cost of an Information Security supremo
  - cost to the organisation of using staff to implement and enforce data security procedures
    - more difficult to quantify
  - cost of testing knowledge of/retraining employees

Costs of Securing Data
- Isolated LAN, with no Internet connectivity
  - no need to worry about data in and data out via the Internet
  - less stringent procedures may be needed/enforced
  - employees could still mess up or steal data
- LAN connected to the Internet:
  - “secret” data? highly rigorous procedures, implemented frequently: very expensive
  - no real secrets (political or commercial)? more infrequent cycle, less exhaustive procedures: much cheaper…

The Costs of a Data Breach?
- Groups again…

The Costs of a Data Breach
- People not able to work…
- Organisation not able to communicate effectively with customers…
- Embarrassment of reporting in the media
  - loss of reputation
- Fines, etc., by the FCA or ICO
- Fall in stock market price
- Increase in insurance premiums
- Not getting future contracts…

Information Security Procedures
In groups, discuss:
- possible procedures the organisation could set up…
- how expensive such procedures might be to implement…
- how “realistic” procedures could be laid out in a policy…

Writing that Policy (1)
- Written as a “Management Report”, e.g. http://www.computerweekly.com/answer/Information-security-policy-template-and-tips
- Should be agreed by SMT and reflect:
  - their objectives for security of information (top-down…)
  - strategy for achieving those objectives
    - requires liaison to find out what is feasible

Writing… (2)
- Why not just buy a “security-policy-in-a-box”?
  - SMT won’t have the time!
  - needs to be explained in detail by a security professional
  - once understood… needs to be formally agreed upon by SMT

Writing… (3)
- Even if it WAS possible for management to endorse an off-the-shelf policy… not the right approach
  - attempt to teach management how to think about security!
  - their organisation is unique!

Writing… (4)
- First step should be to find out how management views security
- Security policy… a set of management mandates
  - “top-down” only provides requirements for the security professional to obey…
  - too restricting without liaison first… (needs some “bottom-up” input)

Writing (5)
- As a result of discussion with SMT… develop a top-level IS policy
  - includes all topics for policy, but does not break them down into the sort of detail needed for implementation
- Example of a top-level PCI-DSS policy: http://www.lse.ac.uk/intranet/LSEServices/IMT/about/policies/documents/PCI-DSS-Information-Security-Policy.pdf

Writing (6): What to include…
- What are your security objectives, and how do you measure them?
- What types of information do you handle, and how do the different types of information need to be protected?
- How do you assess risks and select security controls?

What to include… (cont.)
- How do you manage and report incidents, and learn from them?
- Who is responsible for security?
- What is acceptable employee use of the Internet, email and other communication channels?

Writing (7)
- To implement a top-level policy… need to liaise with relevant staff and create operational policy
  - e.g. acceptable passwords
  - e.g. acceptable use of email
- Operational policies can be shared with employees during a training session…
  - not just an email with a link… (!)

How achieving an Information Assurance “badge” could help with implementing policy…
- Whatever the business: any new work will have a cost
  - that cost needs to be qualified
- More cost means less profit…
  - what is the ROI of achieving a high level of information security?
  - the badge can be used to impress (potential) customers

Potential Financial Benefits of Information Assurance?
- Need to be sold to senior mgt…
  - less risk of losing valuable (even strategically important…) data
  - less likely to get embarrassing leaks, which could even get to the media (!)
  - less likely to fall foul of the law (!)
- Evidence from an ever-growing set of examples of businesses who have done both of the above: lost customers AND share price dropped…