A Practical Approach to Implement a Risk Based ISMS

Transcription

1 A Practical Approach to Implement a Risk Based ISMS Pascal Reiniger Chief Information Security Officer Kanton Basel-Stadt Zürich Security Interest Group Switzerland

2 Agenda 1. Introduction 2. Threats and Vulnerabilities 3. Probabilities and Damages 4. How to Build a Risk Based ISMS 2

3 Run Kanton Basel-Stadt IT Management at Kanton Basel-Stadt Legende: Delegation Head of Member/Guest Staatskanzlei FD Regierungsrat WSU BVD JSD ED PD GD FD Decides on Regulations GD IT Finanzverwaltung Conference for Organisation and IT (KOI) PD IT Plan ISO ISO-eGOV ISO-RSM ISO-SIP Business & e-gov. Board (BEB) ED JSD IT IT Zentraler Personaldienst Risk & Security Board (RSB) BVD IT Steuerverwaltung Immobilien Basel- Stadt IT Board (ITB) WSU IT ZID Build Definition of Regulations Gerichte IT 3

4 Starting Point By law organizations are required to have adequate organizational and technical controls in place to ensure the security of their ICT infrastructure. While every organization needs to develop their own ISMS, the basics are more or less the same. In the end the security controls must cover the risks and should not cost more than the potential damage of the risks. In This Presentations: Pragmatic starting points and important activities are emphasized using a yellow box. 4

5 Definitions of ISMS Information Security Management System (Wikipedia): Framework of processes and regulations within an organization to ensure the long term definition, monitoring, control and improvement of information security. ISMS according to ISO 27002: An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process. It can help small, medium and large businesses in any sector keep information assets secure. 5

6 Cyber Risk Cyber Risks are not specific IT risks, but a group of risks which have a significant impact and have not yet been in the focus of your attention because so far it has been unthinkable or technically not possible. The Security Landscape has changed fundamentally because of the massive increase of technological connectivity. 6

7 Understand The Whole «Risks Picture»! IT Risk = fx (Threat + Vulnerability + Probability * Damage) Threat: intent to inflict harm or loss on another party or part of your environment with a negative potential outcome. Vulnerability: Technical Weakness or flaw which can be exploited to circumvent defense mechanism and take control. Probability: Likelihood of an occasion to happen. Damage: Theft of intellectual or monetary property, SIGS Implement a Risk loss Based ISMS of 7

8 Agenda 1. Introduction 2. Threats and Vulnerabilities 3. Probabilities and Damages 4. How to Build a Risk Based ISMS 8

9 Threats IT Risk = fx (Threat + Vulnerability + Probability * Damage) Threats are outside of your controlled area and either 1. open or covert intents to inflict harm or loss on another party (physical, financial, intellectual) fueled by motivations or 2. part of your environment with a negative potential outcome (earthquake, flood, storm, new competitors etc.). You can try to avoid threats (e.g. retail companies without cash handling) or minimize threats (e.g. don t take political stands or reduce public information about your organization). You must systematically track threats to know where to focus your attention and to find and evaluate vulnerabilities! 9

10 Paradigm Shift in IT Security Threats and attacks are getting technically more advanced, persistent and complex (multilayered) using the increased connectivity. APT's include amongst other 1. Social Engineering aimed at individual employees (=Spearfishing) and 2. new backdoors through the Internet of Things (IoT) The New IT Security Paradigm: Prevention is not sufficient anymore (Firewall, Antivirus etc.) You Have to assume to already be hacked successfully! Tools are needed, to find and stop intruders. The protection must be centered around the data. 10

11 Lines of Defense under the new Paradigm Prevention: Keep Hackers and Malware from entering the network is still important but not enough. Detection: Recognize Intruders and their activities after a successful breach. Reaction: Isolate systems and or hardware and repair the aftermath of an incident. Still important, but not enough. 11

12 Vulnerabilities IT Risk = fx (Threat + Vulnerability + Probability * Damage) Vulnerabilities are the (natural) threats you have under estimated (e.g. floods or earthquake) or the cracks in your technical defenses which attackers will find and exploit. Vulnerabilities are technical weakness or flaws which can be exploited to circumvent defense mechanisms and take control. You must have a systematic and ongoing vulnerability management in place including vulnerability scans and a systematic patch management! Check it against threats. 12

13 Vulnerabilities Blue: Total number of known vulnerabilities Red: Known vulnerabilities top 10 most important IT-providers (10 years) Security vulnerabilities are increasing consistently. An ISMS is needed to manage, monitor and secure the systems, network and data 13

14 Agenda 1. Introduction 2. Threats and Vulnerabilities 3. Probabilities and Damages 4. How to Build a Risk Based ISMS 14

15 Probabilities and Damages IT Risk = fx (Threat + Vulnerability + Probability * Damage) Damages are negative events like e.g. 1. theft of physical, intellectual or monetary property, 2. loss of physical functionality or image, 3. compensation claims etc. Probability is the likelihood of those events to happen. Probabilities can be guessed or calculated, but hardly ever exactly predicted. SIGS Implement a Risk Based ISMS 15

16 Probabilities and Damages Because probabilities are the deciding factor to quantify risks even though they can hardly ever be exactly predicted, they are very often misused to manipulating risks! Most of the time a qualitative grouping is better than a pseudo exact quantification of risks. If you do calculate risks quantitatively, at least use an independent standard framework to compare the outcome! Never loose sight of the gross risks without any probability and without any security measures! 16

17 Probability (qualitatively or quantitatively) Kanton Basel-Stadt Risk Management Risks: - Less is more! - Has to be easy to differentiate - Risks should correspond to the groups of measures, e.g. people, organization, disasters, Malicious, compliance etc. Damages (qualitatively or quantitatively) 17

18 Understand the Business Risks Only the business can define how severe a risk is affecting the business and what exactly are the costs. Therefore the business must decide on: RPO: Recovery Point Objective (last backup = max. data loss) RTO: Recovery Time Objective (max. downtime) Classification of systems and data Priority of systems and data Possible damages If risks can not be objectively calculated, make group decision. 18

19 Agenda 1. Introduction 2. Threats and Vulnerabilities 3. Probabilities and Damages 4. How to Build a Risk Based ISMS 19

20 Step 1: Define Vision and Make Assessment 1. Start with a vision (= ISMS House) - Use a familiar (IT) language, e.g. Plan, Build, Run. 2. Assess that status of your ISMS Framework (= Regulations) - Prioritize what regulations need to be defined and when? - Check priorities and deadlines against project needs and plans! 3. Get resources for in depth analysis (time, people, funds) - List shortcomings. - List approved and funded projects to improve situations. 4. Build Awareness with ISMS stakeholders - Top Management about the need to have an ISMS. - legal, audit and employees on regulations and processes. - Show organizational readiness compared with benchmarks. 20

21 Examples for IT Security Benchmarks Benchmarks on IT Security Staff 1 information security staff per 1000 users; 3-5 information security staff per 100 IT staff; information security staff per 100 IT staff; information security staff per 100 IT staff; 3 4 information security staff per 100 IT staff; 1.75 information security staff per internal IT auditor; 1 information security staff per 5000 networked devices; 5% - 8% of overall IT budget allocated to information security; 10% of overall IT budget allocated to information security; 3% - 11% of overall IT budget allocated to information security (Source: K. Aubuchon 2010, InfoSecIsland.com) 21

22 Build ISMS an Vision ISMS 22

23 Step 2: Define Information Security Concept 5. Define a general concept on how to evaluate IT security requirements and IT risks, e.g.: - Confidentiality (including privacy) - Availability (including capacity) - Integrity (including verifiability and non-repudiancion) 6.Define Risk Management concept and integrate it all daily processes, e.g. evaluation of security requirements, risk analysis, definition of security measurements, exception requests, audits, change mgmt, security reporting etc. 7. Consolidate and share information on a need to know basis. 23

24 Step 3: Build an ISMS System 8. Build a central DMS data management system for all ISMS data and activities. 9. Automate ISMS activities as far as possible, e.g. using web forms, workflows, automated data import etc. 10. Build risk management tool on basis of DMS. Use of the shelf risk management tool. 11. Prioritize and plan projects based on quick wins. Start small, show benefits and gain followers. 24

25 Step 4: Risk Based ISMS Activities Risk based approach for planning and executing ISMS activities (based on the same overall risk concepts): 12. Perform audits where you expect the biggest risks. Secure a budget for external security specialists to perform vulnerability and penetration tests. 13. Prepare information security reporting based on the same risk concepts. Close the circle, i.e. report on threats, vulnerabilities, probabilities and damages. Report on business critical assets, systems and data based on risk using undisputable objective known data, e.g. number of unpatched systems, emergency and failed change transports, incidents, security audits, results of phishing tests etc. 25

26 Thank you for your attention! Questions? Pascal Reiniger Leiter kantonale Fachstelle Informationssicherheit (CISO) Finanzdepartement Informatiksteuerung und Organisation (ISO) Kanton Basel-Stadt 26