Developing a Risk-Based Information Security Program

Presentation transcript:

Developing a Risk-Based Information Security Program
Tammy Clark, Chief Information Security Officer
William Monahan, Lead Information Security Administrator
Georgia State University, Atlanta GA

Speaker notes: GSU is located in downtown Atlanta, with approximately 27,000 students (undergraduate and graduate); it is the second largest university in Georgia. CIO: JL Albert. Information Security Program: Tammy Clark (ISO), William Monahan (InfoSec Lead Admin), Miss Nancy Chang (InfoSec Intermediate). We started aligning the university's security plan with ISO 17799 in September 2004 (what the standard says, current status, strategic and tactical goals) and have incrementally addressed the 133 controls (risk assessments, data classification, incident response, security awareness training, ...). We are taking it to the next level with ISO 27001 (ISMS = controls + governance). You can get certified against 27001, not 17799: 17799 is a Code of Practice for Information Security Management, while 27001 specifies the requirements for Information Security Management.

Copyright Tammy L. Clark, June 2007. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and with permission of author.

Today's Agenda
- Prerequisites For Success
- Risk Management
- PDCA Model
- Establishing an ISMS: The "Plan, Do, Check, Act" Phases
- Governance Training
- Compliance vs. Certification with the ISO standards

Speaker notes: We can only provide a 3,000-foot view of our ISMS activities in 45 minutes. It is all about governance. Compare and contrast information technology services with manufacturing processes: manufacturing has a Quality Management System via ISO 9001 and has matured over the previous 30 years (in the 1970s you could buy a car that was made on either a Monday or a Friday); information security has an Information Security Management System via ISO 27001 (controls and governance). The processes and services of the Information Security and Finance Departments at Georgia State University are in the Information Security Management System (ISMS); we are planning to add Development (amongst others) in 2008.

Prerequisites For Success
We believe that the following are critical success factors:
- Top Management Support
- Collaborations with Key Enterprise Stakeholders
- Understanding of key strategic business goals and objectives

Speaker notes: Meeting between Mao and Dr. Kissinger: you have to sell 27001. Selling points for top management: protecting the university's reputation; compliance; a more robust and reliable infrastructure due to the reduction of business discontinuities that arise when security defenses are breached; avoiding liability for illegal or malicious acts committed with the university's computer or network resources. Selling points for key enterprise stakeholders: protecting their department's reputation. Understanding of key strategic and business goals: business objectives and ISMS objectives should be aligned, and not just around CIA but also privacy, non-repudiation, transparency, ethics, democracy, and so on. Researcher example: identity management, digital signatures and federation via smart card technologies.

Risk Management
- Risk Management Process Model
- Asset Identification and Classification
- Risk Assessment Methodology
- ISO 17799/27001 Annex A
- Risk Treatment

Speaker notes: GSU implemented a Risk Assessment policy in November 2005 (as a byproduct of the ISO 17799:2005 updates). We are conducting approximately 50 risk assessments per year, and this proactive approach has yielded big dividends. It is not just about recommending managerial and technical controls; we have improved efficiencies via risk assessments (secure LDAP). Most nonconformities are a result of recommendations not being implemented or undue delay. High risk: mitigation plan immediately. Medium risk: do it within one year. Low risk: not going to worry about it.

Risk Management Process Model
- Assess and evaluate risks
- Select, implement and operate controls to treat risks
- Monitor and review risks
- Maintain and improve risk controls

Speaker notes: We would rate GSU as a 2.5 out of 5 on the Capability Maturity Model. We do not have a third party (internal audit) following up on our high-risk projects to ensure that controls were adequate and commensurate with risk and that they were implemented in a timely manner; this will be done before the preassessment in October. ISO mandates that we re-evaluate risk (lessons learned from shredders). We are migrating from NIST 800-30 to BS 7799-3:2005 for our risk assessments: NIST Special Publication 800-30, "Risk Management Guide for Information Technology Systems", and BS 7799-3:2005, "Information security management systems. Guidelines for information security risk management". Internal auditors and BSI will keep everyone honest: what gets checked gets done.

Identification of Assets
- Inventory and classification
- Identify legal and business requirements relevant to the assets
- Valuation of identified assets, taking requirements into account as well as the impacts of loss of C.I.A.
- Identify threats and vulnerabilities
- Assessment of the likelihood that threats will result in vulnerabilities getting exploited
- Calculate risk
- Evaluate risks against a pre-defined risk scale

Speaker notes: The data classification below is from the Georgia Board of Regents; we have developed policy (Information Protection Policy) and procedures (XP, Red Hat, Mac) around these data categories.

Confidential data. Requires the highest levels of restriction due to the risk of harm that may result from disclosure or inappropriate use. This includes information whose improper use or disclosure could adversely affect the ability of the University to accomplish its mission, records about individuals requesting protection under the Family Educational Rights and Privacy Act of 1974 (FERPA), or data not releasable under the Georgia Open Records Act or the Georgia Open Meetings Act. Social Security account numbers are considered CONFIDENTIAL data.

Sensitive data. Users must obtain specific authorization to access these elements, since unauthorized disclosure, alteration, or destruction will cause perceivable damage to the University. It is assumed that all administrative output from the central administrative systems is classified as sensitive unless otherwise indicated. The specification of data as sensitive should include reference to the legal or externally imposed constraint that requires this restriction, the categories of users typically given access to the data, and under what conditions or limitations access is typically given. Included here would be credit card account numbers and user id/password combinations.

Unrestricted data. No access restrictions. Available to the general public.

ISO 17799:2005 Controls and RTP
- 133 separate controls and 11 domains capturing all aspects of information security; a number of controls assist with implementing an ISMS
- ISO 17799:2005 contains guidance on how to implement these controls
- Risk management is the cornerstone of the ISO 17799:2005 approach to designing a comprehensive information security program
- In developing a Risk Treatment Plan (RTP), you will select controls that assist in mitigating the risks you identified, and you will also decide which risks your organization will accept, transfer or avoid

Speaker notes: Risk acceptance: say you know you need to develop a Disaster Recovery plan on your campus but you lack the necessary resources and funding. You go to upper management requesting funds and they advise you that they can't justify that expense. That is risk acceptance, and you should then obtain a signed statement that upper management has decided to accept that particular risk. Risk transfer: you do business with a third party and outsource the operations, support and maintenance of a particular application that is critical to the university and which happens to house repositories of student data. You will want to forge an agreement or contract (an addendum is fine) with that third party that incorporates their responsibilities in the event a data breach occurs, since you have outsourced that function to them; hold them responsible. Risk avoidance: you learn that an office on campus plans to do credit card transactions and wants to use a vendor that is not Visa PCI certified, which will pose a significant risk if any data breaches occur. Once you advise the office that they are taking on an enormous risk if they proceed, they decide to forego that in favor of a sanctioned solution; you have then succeeded in avoiding this risk.
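The following is an added example, not code from the slides or from GSU's program. It works the asset-valuation, risk-calculation and risk-scale steps of the "Identification of Assets" slide and the accept/transfer/avoid decisions of the RTP slide into a small risk register in Python; the 1-3 impact and likelihood scale, the score thresholds, the asset names and the dates are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Impact weights for the Board of Regents data classes quoted on the slide; the
# 1-3 scale, the score thresholds and the sample assets/dates are assumptions.
IMPACT_BY_CLASS = {"unrestricted": 1, "sensitive": 2, "confidential": 3}
RISK_SCALE = [(6, "High"), (3, "Medium"), (0, "Low")]   # score floor -> level
# Slide's timelines: High = plan immediately, Medium = within one year, Low = accept.
DEADLINE_DAYS = {"High": 0, "Medium": 365}

@dataclass
class Asset:
    name: str
    classification: str      # key of IMPACT_BY_CLASS
    cia_impact: tuple        # impact of loss of (C, I, A), each 1-3

@dataclass
class RiskEntry:
    asset: str
    threat: str
    score: int
    level: str
    treatment: str           # mitigate / accept / transfer / avoid
    deadline: Optional[date]
    accepted_by: Optional[str] = None   # who signed the risk acceptance

def asset_value(asset: Asset) -> int:
    """Valuation: classification weight, raised if any C/I/A loss impact is higher."""
    return max(IMPACT_BY_CLASS[asset.classification], *asset.cia_impact)

def calculate_risk(asset: Asset, likelihood: int) -> tuple:
    """Risk = asset value x likelihood (1-3), evaluated against the pre-defined scale."""
    score = asset_value(asset) * likelihood
    level = next(name for floor, name in RISK_SCALE if score >= floor)
    return score, level

def treat(asset: Asset, threat: str, likelihood: int, treatment: str = "mitigate",
          accepted_by: Optional[str] = None,
          assessed: date = date(2007, 6, 1)) -> RiskEntry:
    """One RTP line, enforcing the slide's rules on acceptance and deadlines."""
    score, level = calculate_risk(asset, likelihood)
    if level == "Low" and treatment == "mitigate":
        treatment = "accept"                     # low risks are not worked on
    if treatment == "accept" and level != "Low" and not accepted_by:
        # accepting a real risk needs a signed statement from upper management
        raise ValueError(f"{level} risk on {asset.name} needs signed acceptance")
    deadline = None
    if treatment == "mitigate":
        deadline = assessed + timedelta(days=DEADLINE_DAYS[level])
    return RiskEntry(asset.name, threat, score, level, treatment, deadline, accepted_by)

def overdue(rtp: list, implemented: set, today: date) -> list:
    """Open recommendations past their deadline: the usual audit nonconformity."""
    return [e for e in rtp if e.deadline and e.deadline < today
            and (e.asset, e.threat) not in implemented]

def example_rtp() -> list:
    """Constructed sample register: the slide's student-data and public-web cases."""
    student_db = Asset("student records repository", "confidential", (3, 2, 3))
    web = Asset("public web pages", "unrestricted", (1, 2, 1))
    return [treat(student_db, "breach at outsourced host", 2, "transfer"),
            treat(student_db, "unpatched server", 2),
            treat(web, "defacement", 1)]
```

Running `overdue(example_rtp(), set(), today)` after the assessment date lists the open High-risk item, which is the kind of finding the presenters say drives most of their nonconformities.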

PDCA Model
- Plan: Establish the ISMS
- Do: Implement and Operate the ISMS
- Check: Monitor and Review the ISMS
- Act: Maintain and Improve the ISMS

Speaker notes: ISMS concept: a set of management system processes to achieve effective information security. It should become an integral part of an organization's operating and business culture, be based on a defined approach to risk management, and include management support and commitment, the scope (which parts of the organization you want to include in this system), policies, planning activities, responsibilities, practices, procedures, processes, and resources, and an ongoing program of continuous improvement. ISO/IEC 27001:2005 is a set of requirements using 'shall' statements (as you recall, ISO 17799 uses 'should' statements) that are specified in clauses 1-8 of the standard and cover all of the requirements associated with the PDCA approach.

PLAN: Establish Your ISMS
First steps (prerequisites):
- Procure the ISO/IEC 27001:2005 standard
- Obtain full executive management support
- Define the scope and boundary of the ISMS
- Define an ISMS policy
- Define the risk assessment approach

Speaker notes: Scope: the definition is up to you; we suggest you take an incremental approach of incorporating two or three areas of your campus, such as Information Security, Finance and Alumni, and focus on building the framework out before you add additional areas. Scope should be defined in terms of characteristics of the business (location, assets, technology) and take into account the interfaces and dependencies the ISMS has with other parts of your campus that are not within the scope (HR, Legal, etc.) and with third parties your campus partners with (in Georgia, the Board of Regents supplies IT support and services to many of the USG campuses). Policy: keep it clear and succinct; include scope and boundaries; provide management support and direction; set objectives; establish risk assessment criteria. Risk assessment approach: it is up to you to choose the method that works best for your university, with the expectation that results are comparable and reproducible.

PLAN: Establish Your ISMS
- Identify, analyze and evaluate the risks to the assets identified in your scope
- Identify and evaluate risk treatment options
- Select controls and control objectives, and the reasons for selection
- Obtain management approval of the proposed residual risks
- Obtain management authorization to implement and operate the ISMS
- Prepare a "Statement of Applicability"

Speaker notes: Statement of Applicability (SOA): a Statement of Applicability is a document that lists your organization's information security control objectives and controls. In order to figure out what your organization's unique information security controls and control objectives should be, you need to carry out a risk assessment, select risk treatments, identify all relevant legal and regulatory requirements, study your contractual obligations, and review your organization's own business needs and requirements. Once you've done all of this, you should be ready to prepare your organization's unique Statement of Applicability. Excerpted from: http://www.praxiom.com/iso-27001-definitions.htm

DO Phase: Implement Your ISMS
Implementation of the ISMS:
- Formulate a Risk Treatment Plan (RTP)
- Implement your RTP
- Implement selected controls to meet your control objectives
- Define metrics to measure the effectiveness of your controls
- Implement a training and awareness program

DO Phase: Operate Your ISMS
Operation of the ISMS:
- Manage operations in accordance with identified controls, policies and procedures
- Manage resources and ensure that there are sufficient resources to operate, monitor, review, maintain and improve the ISMS
- Implement procedures and controls to manage incidents

CHECK Phase: Monitor and Review Your ISMS
Execute monitoring and review procedures:
- Documentary evidence of monitoring, such as logs, records and files
- Measure effectiveness (metrics)
- Review risk assessments
- Conduct internal ISMS audits
- Management reviews
- Update security plans
- Record actions and events

ACT Phase: Maintain and Improve the ISMS
'Shall' statements in the standard apply to this phase:
- Implement identified improvements
- Take appropriate corrective and preventive actions
- Communicate actions and improvements to interested parties
- Ensure improvements meet objectives

ISMS Documentation Requirements
- Statements of policy and objectives
- Scope and boundaries
- Procedures and controls
- Description of risk assessment methodology
- Risk assessment report and RTP
- Metrics
- Objective evidence
- SOA

Four Required Processes
These processes are also required to be documented:
- Document control
- Internal audits
- Corrective actions
- Preventive actions

Speaker notes: Document control: a documented procedure shall be established to define the management actions needed to approve documents prior to issue, review, update and re-approve them, ensure change and version control, control distribution, ensure integrity, etc. (Section 4.3.2 of ISO/IEC 27001:2005). Internal audits: responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records, shall be defined in a documented procedure (Section 6 of ISO/IEC 27001:2005). Corrective actions: a documented procedure to identify non-conformities, and to determine and implement corrective actions (Section 8.2 of ISO/IEC 27001:2005). Preventive actions: a documented procedure that shall define requirements for identifying potential non-conformities and their causes, and for determining and implementing preventive actions (Section 8.3 of ISO/IEC 27001:2005).

Governance Training
- BSI Americas ISO/IEC 27001:2005 Implementation Course: http://www.bsiamericas.com/TrainingInformationSecurity/index.xalter
- HISP (Holistic Information Security Practitioner) Training/Certification: http://www.hispcertification.org

Compliance vs. Certification
ISO/IEC 17799:2005 compliance: users of the ISO/IEC 17799:2005 framework need to carry out a risk assessment to identify which controls are relevant to their own business environment, and implement them. The framework uses the word "should".
ISO/IEC 27001:2005 certification: this process involves the auditing of an ISO/IEC 17799:2005 compliant ISMS against the requirements of ISO/IEC 27001:2005. The standard uses the word "shall". The ISMS will be audited by an accredited certification body such as Certification Europe, British Standards Institute, Lloyds, KPMG or BVQI.

Other Considerations
The ISO/IEC 17799:2005 and 27001:2005 standards provide a comprehensive 'umbrella' framework for your information security program. They:
- Are compatible with other standards and guidelines
- Assist with compliance
- Are meant to be a long-term endeavor
- Favor incremental deployment of controls
- Assist in integrating business requirements with IT and information security goals/objectives
- Help you to prioritize areas of greatest risk/need

GRC Software
- Automated help with risk assessments and treatment plans, incident response, BIA and asset management: Proteus Enterprise, http://infogov.co.uk
- Automated help with security and compliance gap analysis based on the HISP methodology: Compliantz Health Check, https://www.compliancehealthcheck.com

References
- ISO/IEC 27001:2005
- BS 7799-3:2006 (Risk Mgt)
- BIP 0071-0074 (ISMS Guidance Series from BSI)
- ISO/IEC 17799:2005 (Controls)
- http://www.praxiom.com/iso-27001.htm (ISO/IEC 27001:2005 in plain English)
- http://www.praxiom.com/iso-17799-2005.htm (ISO/IEC 17799:2005 in plain English)

Questions?
Tammy Clark, tlclark@gsu.edu
William Monahan, istwcm@langate.gsu.edu