ISMS Essentials. Version 1.1


ISMS Essentials, Version 1.1

This paper can serve as a guideline for the implementation of ISMS practices using the BS7799 / ISO standards. It is meant to give an insight to, and help, those who are implementing this for the first time and those who will be coordinating with external consultants for ISMS implementations in their organizations.

Saurabh, Shishir
5/9/2010

Document Revision History

Date      Document Version  Document Revision Comments  Prepared By    Approved By
12 April  0.1               Draft Only                  Shishir Singh  Under Review
16 May    1.1               Draft Only                  Saurabh

Distribution List

Document Sent To: All QMS Students
Purpose: For Information

References

Reference Document Name  Description  Page No.
N/A                      N/A          N/A

Disclaimer

This document is prepared, reviewed and approved by the AIG Principal Consultant. All changes to this Document shall be reviewed and approved by the AIG Principal Consultant.

AIG Internal Page 2 of 59

Contents

1.0 PURPOSE
AUDIENCE
GLOSSARY ... 5
History of ISMS ... 6
ISO 27001:2005 vs. BS :2002 Comparison ... 8
BS :2002 Annex A ... 8
Why to Implement ISMS ... 9
What is Information ... 10
What is Information Security ... 10
Achieving Information Security ... 11
What is ISO27001? ... 11
ISO 27001:2005 PDCA Structure
Domains of Information Management ... 13
ISMS Documentation ... 13
Documentation Requirement ... 14
Comparison Between ISO 9001 & ISO
Introduction to ISO IEC
The PDCA Model ... 16
Definitions ... 16
General Approach ... 20
Implementation Process ... 42
Risk Assessment ... 43
Asset Inventory ... 43
Asset Value ... 44
Confidentiality ... 44
Integrity ... 44
Availability ... 45
Risk Value ... 45
Business Impact Analysis (BIA) ... 46
Probability of Occurrence ... 46
Risk Assessment Tools ... 47
Why identify the risk value ... 47
Risk Management ... 47
Deciding Assets for Risk Mitigation ... 48
Different Methods of Handling Risks ... 48
Statement of Applicability (SOA) ... 50
Business Continuity Plan & Disaster Recovery (BCP & DR) ... 50
Business Impact Analysis ... 51
Audit ... 51
Pre-Assessment Audit (Adequacy Audit) ... 51
Document Review ... 52
On Floor Audit ... 52
Internal Audit ... 52
Desktop Audit ... 52
User Awareness Audit ... 53
Technical Audit ... 53
Social Engineering ... 54
Physical Security ... 55
Post Audit Check ... 55
ISO Certification Process ... 57
User Awareness ... 58
Reference ... 58
Declaration ... 59
Disclaimer ... 59
Copyright

1.0 PURPOSE

The purpose of this document is to serve as reading material for all students of Advance Innovation Group. This document is intended as a quick reference guide for all in their pursuit of ISMS implementation.

2.0 AUDIENCE

The ISMS Essentials document is intended for all the students of Advance Innovation Group.

3.0 GLOSSARY

Terms / Acronyms / Abbreviations    Description

History of ISMS

1992: The Department of Trade and Industry (DTI), which is part of the UK Government, publishes a 'Code of Practice for Information Security Management'.

This document is amended and re-published by the British Standards Institute (BSI) in 1995 as BS. Support and compliance tools begin to emerge, such as COBRA.

David Lilburn Watson becomes the first qualified certified BS7799 c:cure Auditor.

1999: The first major revision of BS7799 is published. This included many major enhancements. Accreditation and certification schemes are launched. LRQA and BSI are the first certification bodies.

In December, BS7799 is again re-published, this time as a fast-tracked ISO standard. It becomes ISO (or more formally, ISO/IEC 17799).

The 'ISO Toolkit' is launched.

A second part to the standard is published: BS. This is an Information Security Management Specification, rather than a code of practice. It begins the process of alignment with other management standards such as ISO.

A new version of ISO is published. This includes two new sections, and closer alignment with BS processes.

ISO is published, replacing BS7799-2, which is withdrawn. This is a specification for an ISMS (information security management system), which aligns with ISO and is compatible with ISO 9001 and ISO.

ISO 27001:2005 vs. BS :2002 Comparison

BS :2002                                 | ISO 27001:2005
ISMS requirements                        | 4 Information security management system
4.1 General requirements                 | 4.1 General requirements
4.2 Establishing and managing the ISMS   | 4.2 Establishing and managing the ISMS
    Establish the ISMS                   |     Establish the ISMS
    Implement and operate the ISMS       |     Implement and operate the ISMS
    Monitor and review the ISMS          |     Monitor and review the ISMS
    Maintain and improve the ISMS        |     Maintain and improve the ISMS
4.3 Documentation requirements           | 4.3 Documentation requirements
    General                              |     General
    Control of documents                 |     Control of documents
    Control of records                   |     Control of records
5 Management responsibility              | 5 Management responsibility
5.1 Management commitment                | 5.1 Management commitment
    Provision of resources               |     Provision of resources
    Training, awareness and competency   |     Training, awareness and competence
                                         | 6 Internal ISMS audits
6 Management review of the ISMS          | 7 Management review of the ISMS
6.1 General                              | 7.1 General
6.2 Review input                         | 7.2 Review input
6.3 Review output                        | 7.3 Review output
6.4 Internal ISMS audits                 |
7 ISMS improvement                       | 8 ISMS improvement
7.1 Continual improvement                | 8.1 Continual improvement
7.2 Corrective action                    | 8.2 Corrective action
7.3 Preventive action                    | 8.3 Preventive action

BS :2002 Annex A

36 control objectives, 127 controls

ISO 27001:2005 Annex A

39 control objectives, 133 controls

Why to Implement ISMS

The goal should be to make the management understand the actual requirement for this implementation and also to project the results / benefits of this project. Sometimes (depending on the nature of your business) you do not even require going in for the certification process. At times you might not even require certifying or implementing the process at all your branches. The best method to project requirement and results to the management is to map any of your requirements into cost. Time is money, so any disruption of service will directly impact the business. Let us look at a case study here.

Case Study

There was a virus outbreak in an organization that affected just one project, which consisted of 4 developers. The entire systems were brought to a halt and there was no way to work until the virus was completely cleared from the systems. The systems group, with a two member team, took about 3 hours to clear the virus and bring the systems back into operation. Let us now calculate the amount of loss the organization has gone through:

Number of resources affected: 4 developers + 2 systems group members = 6 resources

Developer price / hour: Rs.1350/- (for example)
Time lost: 3 hours
Loss: Rs.16,200

Systems group price / hour: Rs.900/- (for example)
Time lost: 3 hours
Loss: Rs.5400

The total cost to the organization from just this event is Rs. 21,600/-. But again the developers need to spend another 3 hours to complete the job that was not done during the downtime. So, I would say the total cost lost to the organization is Rs.37800/-. In addition we will also lose the rapport with our clients.

The management will understand figures, whether projected using the cost or the percentage of failures. Before we begin with this project, it is very important, or let us say mandatory, that we make management understand the actual requirement. Again we will require a commitment from the management to support this implementation process throughout the project, as this will be an organization wide effort rather than just the IT department.

Information Security is everyone's responsibility.

What is Information

Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected. Information may be:

- Printed or written on paper
- Stored electronically
- Transmitted by mail or electronic means
- Spoken in conversations

Information as a concept has many meanings. The concept of information is closely related to notions of constraint, communication, control, data, form, instruction, knowledge, meaning, mental stimulus, pattern, perception, and representation. In its most restricted technical meaning, information is an ordered sequence of symbols.

What is Information Security

Safeguarding an organization's data from unauthorized access or modification to ensure its availability, confidentiality, and integrity. ISO defines this as the preservation of:

Achieving Information Security

What is ISO27001?

- An internationally recognized structured methodology dedicated to information security
- A management process to evaluate, implement and maintain an Information Security Management System (ISMS)
- A comprehensive set of controls comprised of best practices in information security
- Applicable to all industry sectors
- Emphasis on prevention

ISO 27001, titled "Information Security Management - Specification with Guidance for Use", is the replacement for the original document, BS. It is intended to provide the foundation for third party audit, and is 'harmonized' with other management standards, such as ISO 9001 and ISO. The basic objective of the standard is to help establish and maintain an effective information management system, using a continual improvement approach. It implements OECD (Organization for Economic Cooperation and Development) principles governing the security of information and network systems.

ISO 27001:2005 PDCA Structure

11 Domains of Information Management

ISMS Documentation

Documentation Requirement

The ISMS documentation shall include:
a) Documented statements of the ISMS policy and objectives
b) The scope of the ISMS
c) Procedures and controls in support of the ISMS
d) A description of the risk assessment methodology
e) The risk assessment report
f) The risk treatment plan
g) Documented procedures needed by the organization to ensure the effective planning, operation and control of its information security processes, and a description of how to measure the effectiveness of controls
h) Records required by this International Standard
i) The Statement of Applicability

Comparison Between ISO 9001 & ISO

ISO 9001 / ISO
Quality Policy & Objectives
ISMS Manual
Control Manual
Quality Manual
6 Mandatory Procedures
5 Mandatory Procedures
Departmental Manual

Introduction to ISO IEC

ISO IEC is an information security management standard. It defines a set of information security management requirements. These requirements are defined in sections 4, 5, 6, 7, and 8. The purpose of ISO IEC is to help organizations establish and maintain an information security management system (ISMS).

ISO IEC applies to all types of organizations. It doesn't matter what the organization does or what size it is. ISO IEC can help an organization meet its information security management needs and requirements.

ISO IEC is designed to be used for certification purposes. In other words, once the organization has established an ISMS that meets both the ISO IEC requirements and the organization's needs, the organization can ask a Certification Body to audit its system. If the registrar likes what it sees, it will issue an official certificate stating that the ISMS meets the ISO IEC requirements.

According to ISO IEC, the organization must meet every requirement (specified in clauses 4, 5, 6, 7, and 8) if it wishes to claim that its ISMS complies with the standard. However, while the organization must meet every requirement, the size and complexity of information security management systems varies quite a bit. How an organization meets each of the ISO requirements, and to what extent, depends on many factors, including the organization's:

- Size and structure
- Needs and objectives
- Security requirements
- Business processes

ISO IEC also lists a set of control objectives and controls. These are listed in Annex A (our Part 9) and come from the ISO IEC ( ) information security standard. While ISO IEC expects the organization to meet every requirement, it does allow the organization to exclude selected Annex A control objectives and controls if it can justify doing so. More precisely, we may ignore or exclude selected control objectives and controls under the following circumstances:

- We may exclude selected control objectives and controls if they address security risks that can be accepted and if we can show that our decision to accept these risks complies with the organization's official risk acceptance criteria. We must also be able to justify the exclusion decision. We must also be able to show that accountable persons have accepted the associated risks.
- We may exclude selected control objectives and controls if we have used a risk assessment to identify the organization's information security requirements and we believe that these requirements will, nevertheless, be met.
- We may exclude selected control objectives and controls whenever this does not impair the ability and responsibility to meet the organization's information security requirements.
- We may exclude selected control objectives and controls if we can show that all applicable legal and regulatory requirements will, nevertheless, be met.
- We may exclude selected control objectives and controls whenever this does not impair the ability and responsibility to meet all applicable legal and statutory requirements.

The PDCA Model

ISO IEC uses the Plan-Do-Check-Act (PDCA) model. ISO IEC has used this model to organize the standard, and we can use it to help establish an information security management system (ISMS). ISO IEC uses this model in the following way:

PLAN. Section 4 expects you to plan the establishment of the organization's ISMS.
DO. Section 5 expects you to implement, operate, and maintain the ISMS.
CHECK. Sections 6 and 7 expect you to monitor, measure, audit, and review the ISMS.
ACT. Section 8 expects you to take corrective and preventive actions and continually improve the ISMS.

Since ISO IEC has used a PDCA model to organize the ISO IEC standard, it is conveniently designed to facilitate system development. If we follow the five general steps (sections 4 to 8) that make up the standard, we will automatically develop a comprehensive ISMS.

Definitions:

Asset
In the context of ISO and ISO 27002, an asset is any tangible or intangible thing that has value to an organization.

Availability
Availability is a characteristic that applies to assets. An asset is available if it is accessible and usable when needed by an authorized entity. In the context of this standard, assets include things like information, systems, facilities, networks, and computers. All of these assets must be available to authorized entities when they need to access or use them.

Confidentiality
Confidentiality is a characteristic that applies to information. To protect and preserve the confidentiality of information means to ensure that it is not made available or disclosed to unauthorized entities. In this context, entities include both individuals and processes.

Control
A control is any administrative, management, technical, or legal method that is used to manage risk. Controls are safeguards or countermeasures. Controls include things like practices, policies, procedures, programs, techniques, technologies, guidelines, and organizational structures.

Corrective actions
Corrective actions are steps that are taken to address existing nonconformities and make improvements. Corrective actions deal with actual nonconformities (problems), ones that have already occurred. They solve existing problems by removing their causes. In general, the corrective action process can be thought of as a problem solving process.

Document
The term document refers to information and the medium that is used to bring it into existence. Documents can take any form or use any type of medium. The extent of ISMS documentation will depend on the scope of the ISMS, the complexity of security requirements, the size of the organization, and the type of activities it carries out.

Information processing facility
An information processing facility is defined as any system, service, or infrastructure, or any physical location that houses these things. A facility can be either an activity or a place; it can be either tangible or intangible.

Information security
Information security is all about protecting and preserving information. It's all about protecting and preserving the confidentiality, integrity, authenticity, availability, and reliability of information.

Information security event
An information security event indicates that the security of an information system, service, or network may have been breached or compromised. An information security event indicates that an information security policy may have been violated or a safeguard may have failed.

Information security incident
An information security incident is made up of one or more unwanted or unexpected information security events that could very likely compromise the security of information and weaken or impair business operations.

Information security management system (ISMS)
An information security management system (ISMS) includes all of the policies, procedures, plans, processes, practices, roles, responsibilities, resources, and structures that are used to protect and preserve information. It includes all of the elements that organizations use to manage and control their information security risks. An ISMS is part of a larger management system.

Information security policy
An information security policy statement expresses management's commitment to the implementation, maintenance, and improvement of its information security management system.

Integrity
To preserve the integrity of information means to protect the accuracy and completeness of information and the methods that are used to process and manage it.

Management review
The purpose of a management review is to evaluate the overall performance of an organization's information security management system and to identify improvement opportunities.

Owner
In the context of ISO and ISO 27002, an owner is a person or entity that has been given formal responsibility for the security of an asset or asset category. It does not mean that the asset belongs to the owner in a legal sense. Asset owners are formally responsible for making sure that assets are secure while they are being developed, produced, maintained, and used.

PDCA model
PDCA stands for Plan-Do-Check-Act. ISO IEC says that every ISMS process should be structured using the PDCA model. This means that every process should be planned (Plan); implemented, operated, and maintained (Do); monitored, audited, and reviewed (Check); and improved (Act).

Policy
A policy statement defines a general commitment, direction, or intention. An information security policy statement expresses management's commitment to the implementation, maintenance, and improvement of its information security management system.

Preventive actions
Preventive actions are steps that are taken to avoid potential nonconformities and make improvements. Preventive actions address potential nonconformities (problems), ones that haven't yet occurred. Preventive actions prevent the occurrence of problems by removing their causes. In general, the preventive action process can be thought of as a risk management process.

Procedure
Procedures control processes or activities. A well defined procedure controls a logically distinct process or activity, including the associated inputs and outputs. Procedures can be very general or very detailed, or anywhere in between. While a general procedure could take the form of a simple flow diagram, a detailed procedure could be a one page form or it could be several pages of text. A detailed procedure defines the work that should be done, and explains how it should be done, who should do it, and under what circumstances. In addition, it explains what authority and what responsibility has been allocated, which supplies and materials should be used, and which documents and records must be used to carry out the work. While quality procedures may be documented or undocumented, ISO usually expects them to be documented.

Process
In general, a process uses resources to transform inputs into outputs. In every case, inputs are turned into outputs because some kind of work or activity is carried out. ISO IEC recommends that you structure ISMS processes using the Plan-Do-Check-Act (PDCA) model. This means that every process should be planned (Plan); implemented, operated, and maintained (Do); monitored, audited, and reviewed (Check); and improved (Act).

Process approach
The process approach is a management strategy. When managers use a process approach, it means that they control their processes, the interaction between these processes, and the inputs and outputs that glue these processes together. It means that they manage by focusing on processes and on inputs and outputs. ISO IEC suggests that you use a process approach to control ISMS processes.

Record
A record is a document that contains objective evidence which shows how well activities are being performed or what kind of results are actually being achieved. It always documents what has happened in the past. Records can take any form or use any type of medium.

Requirement
A requirement is a need, expectation, or obligation. It can be stated or implied by an organization, its customers, or other interested parties. There are many types of requirements. Some of these include security requirements, contractual requirements, management requirements, regulatory requirements, and legal requirements.

Residual risk
Residual risk is the risk left over after you've implemented a risk treatment decision. It's the risk remaining after you've done one of the following: accepted the risk, avoided the risk, transferred the risk, or reduced the risk.

Risk
The concept of risk combines three ideas: it selects an event, and then combines its probability with its potential impact. It asks two questions: what is the probability that a particular event will occur in the future? And what negative impact would this event have if it actually occurred? So, a high risk event would have both a high probability of occurring and a big negative impact if it occurred. The concept of risk is always future oriented: it worries about the impact events could have in the future.

Risk acceptance
Risk acceptance is part of the risk treatment decision making process. Risk acceptance means that you've decided that you can live with a particular risk.

Risk analysis
Risk analysis uses information to identify possible sources of risk. It uses information to identify threats or events that could have a harmful impact. It then estimates the risk by asking: what is the probability that this event will actually occur in the future? And what impact would it have if it actually occurred?

Risk assessment
A risk assessment combines two techniques: a risk analysis and a risk evaluation.

Risk evaluation
A risk evaluation compares the estimated risk with a set of risk criteria. This is done in order to determine how significant the risk really is. The estimated risk is established by means of a risk analysis.

Risk management
Risk management is a process that includes four activities: risk assessment, risk acceptance, risk treatment, and risk communication. Risk management includes all of the activities that an organization carries out in order to manage and control risk.

Risk treatment
Risk treatment is a decision making process. For each risk, risk treatment involves choosing amongst at least four options: accept the risk, avoid the risk, transfer the risk, or reduce the risk. In general, risks are treated by selecting and implementing measures designed to modify risk.

Standard
A standard is a document. It is a set of rules that control how people develop and manage materials, products, services, technologies, tasks, processes, and systems. ISO IEC standards are agreements. ISO IEC refers to them as agreements because its members must agree on content and give formal approval before they are published. ISO IEC standards are developed by technical committees. Members of these committees come from many different countries. Therefore, ISO standards tend to have very broad support.

Statement of applicability
A Statement of Applicability is a document that lists the organization's information security control objectives and controls. In order to figure out what the organization's unique information security controls and control objectives should be, you need to carry out a risk assessment, select risk treatments, identify all relevant legal and regulatory requirements, study contractual obligations, and review the organization's own business needs and requirements. Once you've done all of this, you should be ready to prepare the organization's unique Statement of Applicability.

Third party
In the context of a specific issue, a third party is any person or body that is recognized as independent of the people directly involved with the issue in question.

Threat
A threat is a potential event. When a threat turns into an actual event, it may cause an unwanted incident. It is unwanted because the incident may harm an organization or system.

Vulnerability
A vulnerability is a weakness in an asset or group of assets. An asset's weakness could allow it to be exploited and harmed by one or more threats.

General Approach

The general approach that organizations take to develop their own unique ISMS will take the following steps:

1. Define the scope and boundaries of the ISMS
2. Define the organization's ISMS policy
3. Define the approach to risk management
4. Identify the organization's security risks
5. Analyze and evaluate the security risks
6. Identify and evaluate the risk treatment options
7. Select control objectives and controls to treat risks
8. Prepare a detailed Statement of Applicability
9. Develop a risk treatment plan to manage the risks
10. Implement the organization's risk treatment plan
11. Implement the organization's security controls
12. Implement the organization's educational programs
13. Manage and operate the organization's ISMS
14. Implement the organization's security procedures
15. Use procedures and controls to monitor the ISMS
16. Use procedures and controls to review the ISMS
17. Perform regular reviews of the organization's ISMS
18. Verify that the security requirements are being met
19. Review the risk assessments on a regular basis
20. Review the residual risks on a regular basis
21. Review acceptable levels of risk on a regular basis
22. Perform regular internal audits of the ISMS
23. Perform regular management reviews of the ISMS
24. Update the organization's information security plans
25. Implement ISMS improvements
26. Take appropriate corrective actions
27. Take appropriate preventive actions
28. Communicate ISMS changes to interested parties
29. Establish records that document the organization's decisions
30. Document the organization's ISMS
31. Protect and control the ISMS documents
32. Establish records for the organization's ISMS
33. Maintain records for the organization's ISMS

Implementation of ISMS as per the standard

4. ESTABLISH ORGANIZATION'S ISMS

4.1 STUDY GENERAL ISMS REQUIREMENTS

- Define the organization's ISMS
- Implement the organization's ISMS
- Operate the organization's ISMS
- Monitor the organization's ISMS
- Review the organization's ISMS
- Maintain the organization's ISMS
- Improve the organization's ISMS
- Document the organization's ISMS

22 4.2 DEVELOP ORGANIZATION S ISMS DEFINE AND PLAN ISMS Define the scope and boundaries of ISMS Define organization s ISMS policy Define approach to risk assessment Identify organization s security risks Analyze and evaluate organization s security risks Identify and evaluate risk treatment options and actions Select control objectives and controls to treat risks Make sure that management formally approves all residual risks (those that are left over after risk treatment decisions have been implemented) Get authorization from management before implement and operate organization s ISMS Prepare a Statement of Applicability that lists organization s specific control objectives and controls IMPLEMENT AND OPERATE ISMS Develop a risk treatment plan to manage organization s information security risks Implement organization s risk treatment plan Implement organization s security controls Implement organization s educational programs Manage and operate organization s ISMS Manage organization s ISMS resources Implement organization s security procedures MONITOR AND REVIEW ISMS Use procedures and controls to monitor ISMS Use procedures and controls to review ISMS Perform regular reviews of ISMS Verify that security requirements are being met Review risk assessments on a regular basis Review residual risks on a regular basis Review acceptable levels of risk on a regular basis Perform regular internal audits of ISMS Perform regular management reviews of ISMS Update information security plans Maintain a record of ISMS events and actions MAINTAIN AND IMPROVE ISMS Implement ISMS improvements Take appropriate corrective actions AIG Internal Page 22 of 59

23 Take appropriate preventive actions Apply the security lessons that have been learnt Communicate ISMS changes to all interested parties Make sure that organization s ISMS changes achieve the intended objectives 4.3 DOCUMENT ORGANIZATION S ISMS DEVELOP ISMS DOCUMENTS AND RECORDS Establish records that document decisions Document organization s ISMS CONTROL ISMS DOCUMENTS Protect and control ISMS documents Establish a procedure to control ISMS documents CONTROL ISMS RECORDS Establish records for organization s ISMS Maintain records for organization s ISMS 5. MANAGE ORGANIZATION S ISMS 5.1 SHOW THAT YOU SUPPORT ISMS Demonstrate that management supports the establishment of an ISMS Demonstrate that management supports the implementation of an ISMS Demonstrate that management supports the operation of ISMS Demonstrate that management supports the monitoring of ISMS Demonstrate that management supports the review of ISMS Demonstrate that management supports the maintenance of ISMS Demonstrate that management supports the improvement of ISMS 5.2 MANAGE ISMS RESOURCES PROVIDE RESOURCES FOR ISMS Identify organization s ISMS resource needs Provide the resources that ISMS needs Identify the resources that will be needed in order to ensure that organization s information security procedures support its business requirements Identify the resources needed to meet organization s legal security requirements Identify the resources needed to meet organization s regulatory security requirements AIG Internal Page 23 of 59

24 Identify the resources needed to meet organization s contractual security obligations Identify the resources needed to ensure that all implemented security controls are correctly applied Identify the resources needed to ensure that ISMS management reviews are routinely carried out Identify the resources needed to ensure that the top management will be able to react appropriately to the results of ISMS management reviews Identify the resources needed to ensure that you will be able to improve the effectiveness of ISMS when required to do so ENSURE THAT ISMS PERSONNEL ARE COMPETENT Ensure that all ISMS personnel are competent and can perform the tasks that are assigned to them Evaluate the effectiveness of organization s ISMS personnel training and employment activities Maintain records that document the competence of personnel performing work that affects ISMS Make personnel aware of how important their information security activities are 6. AUDIT ORGANIZATION S ISMS ESTABLISH AN INTERNAL AUDIT PROCEDURE Establish an internal ISMS audit procedure Document internal ISMS audit procedure PLAN INTERNAL AUDITS Plan internal ISMS audit projects and activities Figure out how often internal audits should be done Schedule internal audits at planned intervals Clarify the scope of each internal ISMS audit Specify the audit criteria for each internal audit Define internal ISMS audit methods Select internal ISMS auditors CONDUCT INTERNAL AUDITS Carry out regular internal ISMS audits Audit organization s ISMS control objectives Audit organization s ISMS controls Audit organization s ISMS processes Audit organization s ISMS procedures TAKE REMEDIAL ACTION AIG Internal Page 24 of 59

- Eliminate nonconformities and their causes
- Take follow-up actions to ensure that nonconformities and their causes have been eliminated without undue delay
- Verify that remedial actions have actually been taken
- Report the results of verification activities

7. REVIEW THE ORGANIZATION'S ISMS

7.1 PERFORM MANAGEMENT REVIEWS
- Carry out management reviews of the ISMS
- Make sure that the organization's management reviews the ISMS at planned intervals
- Examine the performance of the ISMS
- Examine the ongoing suitability of the ISMS
- Examine the ongoing adequacy of the ISMS
- Examine the ongoing effectiveness of the ISMS
- Assess whether or not the organization's ISMS should be changed or improved
- Assess whether or not the information security policy should be changed or improved
- Assess whether or not the information security objectives should be changed or improved
- Keep a record of ISMS management reviews
- Record the results of ISMS management reviews

7.2 EXAMINE MANAGEMENT REVIEW INPUTS
- Examine information about the ISMS (inputs)
- Examine the results of prior management reviews
- Examine the results of previous ISMS audits
- Examine previous ISMS measurement results
- Examine the status of previous remedial actions
- Examine security issues that were inadequately addressed during the previous risk assessment
- Examine opportunities to improve the ISMS
- Examine changes that might affect the ISMS

7.3 GENERATE MANAGEMENT REVIEW OUTPUTS
- Generate decisions and actions (outputs)
- Generate management review decisions and actions to improve the organization's ISMS
- Generate management review decisions and actions to update the organization's ISMS
- Generate management review decisions and actions to respond to events that affect the ISMS
- Generate management review decisions and actions to address ISMS resource needs

8. IMPROVE THE ORGANIZATION'S ISMS

8.1 CONTINUALLY IMPROVE THE ISMS
- Improve the effectiveness of the ISMS
- Use the security policy to continually improve the effectiveness of the ISMS
- Use the security objectives to continually improve the effectiveness of the ISMS
- Use security audit results to continually improve the effectiveness of the ISMS
- Use management reviews to continually improve the effectiveness of the ISMS
- Use corrective actions to continually improve the effectiveness of the ISMS
- Use preventive actions to continually improve the effectiveness of the ISMS
- Use the monitoring process to continually improve the effectiveness of the ISMS

8.2 CORRECT ACTUAL ISMS NONCONFORMITIES
- Establish a corrective action procedure to prevent the recurrence of actual nonconformities
- Make sure that the corrective action procedure requires you to identify actual nonconformities
- Make sure that the procedure requires you to identify the causes of nonconformities
- Make sure that the procedure requires you to evaluate whether you need to take action
- Make sure that the procedure requires you to develop corrective actions when they are needed
- Make sure that the procedure requires you to prevent the recurrence of actual nonconformities
- Make sure that the procedure requires the organization to eliminate the causes of its nonconformities
- Make sure that the procedure requires the organization to record the results of any corrective actions taken
- Make sure that the procedure requires you to review the results of any corrective actions taken
- Document the corrective action procedure
- Implement the corrective action procedure
- Use the organization's corrective action procedure to identify nonconformities
- Use the procedure to identify causes
- Use the procedure to evaluate whether or not you need to take corrective action
- Use the procedure to develop corrective actions whenever they are actually needed
- Use the procedure to take corrective actions
- Use the procedure to prevent the recurrence of actual nonconformities
- Use the procedure to eliminate the causes of actual nonconformities
- Use the procedure to record the results of any corrective actions taken
- Use the procedure to review the corrective actions that have been taken
- Maintain the corrective action procedure

8.3 PREVENT POTENTIAL ISMS NONCONFORMITIES
- Establish a preventive action procedure to prevent the occurrence of potential nonconformities
- Make sure that the preventive action procedure requires the organization to identify potential nonconformities
- Make sure that the procedure requires the organization to identify the causes of potential nonconformities
- Make sure that the procedure requires you to evaluate whether or not the organization needs to take preventive action
- Make sure that the procedure requires you to develop preventive actions when they are needed
- Make sure that the procedure requires you to prevent the occurrence of potential nonconformities
- Make sure that the procedure requires you to eliminate the causes of potential nonconformities
- Make sure that the procedure requires you to record the results of any preventive actions taken
- Make sure that the procedure requires you to review the results of any preventive actions taken
- Document the preventive action procedure
- Implement the preventive action procedure
- Use the organization's preventive action procedure to identify potential nonconformities
- Use the procedure to identify the causes of potential nonconformities
- Use the procedure to evaluate whether or not you need to take preventive action
- Use the procedure to develop preventive actions whenever they are needed
- Use the procedure to take preventive actions
- Use the procedure to prevent the occurrence of potential nonconformities
- Use the procedure to eliminate the causes of potential nonconformities
- Use the procedure to record the results of any preventive actions taken
- Use the procedure to review the preventive actions that have been taken
- Maintain the preventive action procedure

Information Security Controls

5. Security Policy Management Objectives

5.1 Establish a comprehensive information security policy
- Establish a comprehensive information security policy
- Make sure that the information security policy provides clear direction for the information security program
- Make sure that the information security policy shows that management is committed to information security
- Make sure that management supports the organization's information security policy
- Make sure that the information security policy shows that management is prepared to support an ongoing commitment to information security
- Make sure that the information security policy is consistent with business objectives
- Make sure that the information security policy meets the organization's business requirements
- Make sure that the information security policy complies with all relevant laws and regulations

6. Corporate Security Management Objectives

6.1 Establish an internal security organization
- Establish a management framework to control how the organization implements information security
- Make sure that management approves the organization's information security policy
- Make sure that management assigns security roles
- Make sure that management coordinates the implementation of security across the organization
- Make sure that management reviews the implementation of security across the organization
- Make sure that you have access to information security experts and advisors within your own organization
- Make sure that internal experts are able to provide specialized information security advice
- Make sure that you have access to external security experts, advisors, and authorities
- Use external advisors to help you monitor changes in security standards
- Use external advisors to help you monitor changes in security assessment methods
- Use external advisors to help you keep up with industry security trends
- Make sure that external information security experts and advisors can help you deal with security incidents
- Make sure that the organization encourages a multidisciplinary approach to information security

6.2 Control external party use of information
- Maintain the security of the organization's information whenever it is being accessed by external parties
- Maintain the security of the organization's information whenever it is being processed by external parties
- Maintain the security of the organization's information whenever it is being managed by external parties

- Maintain the security of the organization's information processing facilities whenever they are being managed by external parties
- Maintain the security of the organization's information processing facilities whenever they are being accessed by external parties
- Maintain the security of the organization's information processing facilities whenever information is processed by external parties
- Maintain the security of information processing facilities whenever external parties are allowed to communicate with these facilities
- Make sure that the security of the organization's information processing facilities is not compromised by the influence of external party products or services
- Make sure that the security of information is not compromised by external party products or services
- Control external party access to information
- Control external party access to information processing facilities
- Control how external parties process information
- Control how external parties use the organization's information for communication purposes
- Carry out a risk assessment whenever there is a business need to allow external parties to access the organization's information processing facilities
- Make sure that risk assessments examine the security implications whenever there is a need to allow external parties to access information processing facilities
- Make sure that risk assessments identify control requirements whenever there is a need to allow external parties to access information processing facilities
- Establish agreements that identify the controls that must be applied whenever there is a need to allow external parties to access information processing facilities
- Carry out a risk assessment whenever there is a business need to allow external parties to access the organization's information
- Make sure that risk assessments examine the security implications whenever there is a need to allow external parties to access information
- Make sure that risk assessments identify control requirements whenever there is a need to allow external parties to access information
- Establish agreements that identify the controls that must be applied whenever there is a need to allow external parties to access information

7. Organizational Asset Management Objectives

7.1 Establish responsibility for the organization's assets
- Protect the organization's assets
- Use controls to protect assets
- Account for the organization's assets
- Nominate owners for all organizational assets
- Make nominated owners responsible for protecting the organization's assets
- Assign responsibility for the maintenance of asset controls
- Make asset owners responsible for protecting the organization's assets even though owners may have delegated the responsibility for implementing controls

7.2 Use an information classification system
- Provide an appropriate level of protection for the organization's information
- Establish an information classification system
- Use the classification system to define security levels
- Specify how much protection is expected at each level
- Assign a security priority to each information security level
- Use the organization's information classification system to specify how information should be protected at each level
- Use the organization's information classification system to specify how information should be handled at each level

8. Human Resource Security Management Objectives

8.1 Emphasize security prior to employment
- Reduce the risk of theft, fraud, or misuse of facilities by making sure that all prospective employees understand their responsibilities before the organization hires them
- Reduce the risk of theft, fraud, or misuse of facilities by making sure that all prospective contractors understand their responsibilities before the organization hires them
- Reduce the risk of theft, fraud, or misuse of facilities by making sure that all third-party users understand their responsibilities before the organization allows them to use facilities
- Reduce the risk of theft, fraud, or misuse of facilities by making sure that all prospective employees are suitable for the roles that they will be asked to carry out
- Reduce the risk of theft, fraud, or misuse of facilities by making sure that all prospective contractors are suitable for the tasks that they will be asked to carry out
- Reduce the risk of theft, fraud, or misuse of facilities by making sure that all third-party users are suitable before the organization allows them to use facilities
- Use job descriptions to specify the security responsibilities that new personnel will be asked to carry out
- Use employment terms and conditions to specify the security responsibilities that new personnel will be asked to carry out
- Screen all employees before the organization hires them, especially when they will be asked to perform sensitive jobs
- Screen all contractors before you hire them, especially when they will be asked to provide sensitive services
- Screen all third-party users, especially when they will be allowed to access sensitive information
- Ask prospective employees to sign agreements that specify their security roles and responsibilities
- Ask prospective contractors to sign agreements that specify their security roles and responsibilities
- Ask prospective third-party users to sign agreements that specify their security roles and responsibilities

8.2 Emphasize security during employment

- Emphasize the need to protect information
- Emphasize the need to reduce the risk of human error
- Make employees aware of information security threats and concerns
- Make contractors aware of information security threats and concerns
- Make third-party users aware of information security threats and concerns
- Make employees aware of their information security responsibilities
- Make contractors aware of their information security responsibilities
- Make third-party users aware of their information security responsibilities
- Make employees aware of their information security liabilities
- Make contractors aware of their information security liabilities
- Make third-party users aware of their information security liabilities
- Make sure that employees know how to support and apply the security policy during the course of their work
- Make sure that contractors know how to support and apply the security policy during the course of their work
- Make sure that third-party users know how to support and apply the security policy during the course of their work
- Make managers responsible for ensuring that employees carry out their security responsibilities throughout the course of their employment with the organization
- Provide an adequate level of security education and training to the organization's employees
- Provide an adequate level of security education and training to the organization's contractors
- Provide an adequate level of security education and training to all third-party users
- Minimize security risk by ensuring that employees know how to use the organization's security procedures
- Minimize security risk by ensuring that contractors know how to use the organization's security procedures
- Minimize security risk by ensuring that third-party users know how to use the security procedures
- Minimize security risk by ensuring that employees know how to use information processing facilities
- Minimize security risk by ensuring that contractors know how to use information processing facilities
- Minimize security risk by ensuring that third-party users know how to use information processing facilities
- Establish a formal disciplinary process that must be used to handle security breaches

8.3 Emphasize security at termination of employment
- Control how employees are terminated
- Control how contractors are terminated
- Control how third-party users are terminated
- Control how employees are reassigned
- Control how contractors are reassigned
- Control how third-party users are reassigned

- Make sure that employees, contractors, and third-party users exit the organization in an orderly manner
- Make sure that employees, contractors, and third-party users change their work assignments in an orderly manner
- Make managers responsible for controlling how employees, contractors, and third-party users are terminated or reassigned
- Make sure that all equipment is returned when employees, contractors, or third-party users are terminated or reassigned
- Make sure that all access rights and privileges are removed when employees, contractors, or third-party users are terminated or reassigned

9. Physical and Environmental Security Management Objectives

9.1 Use secure areas to protect facilities
- Use physical methods to prevent unauthorized access to the organization's information and premises
- Use physical methods to prevent people from damaging information and premises
- Use physical methods to prevent people from interfering with information and premises
- Keep the organization's critical or sensitive information processing facilities in secure areas
- Use defined security perimeters to protect critical or sensitive information processing facilities
- Use appropriate security barriers to protect critical or sensitive information processing facilities
- Use entry controls to protect critical or sensitive information processing facilities
- Make sure that physical protection methods are commensurate with the identified security risks

9.2 Protect the organization's equipment
- Prevent damage to the organization's equipment
- Prevent the loss of the organization's equipment
- Prevent the theft of the organization's equipment
- Protect equipment from physical threats
- Protect equipment from environmental threats
- Protect equipment in order to avoid work interruptions
- Protect equipment in order to avoid unauthorized access to the organization's information
- Protect equipment through proper disposal
- Use secure siting strategies to protect equipment
- Use special controls to safeguard supporting facilities

10. Communications and Operations Management Objectives

10.1 Establish procedures and responsibilities

- Define responsibilities that explain how information processing facilities should be managed and operated
- Assign responsibility for the management and operation of the organization's information processing facilities
- Establish procedures to operate and control the organization's information processing facilities
- Use procedures to ensure that information processing facilities are always secure and operated correctly
- Segregate information processing duties in order to prevent damage or misuse caused by negligence or sabotage

10.2 Control third-party service delivery
- Control how third parties deliver services to the organization
- Make sure that third parties comply with information security requirements
- Make sure that third parties comply with third-party service delivery agreements
- Make sure that third parties maintain an appropriate level of information security for the duration of their contracts
- Monitor third parties in order to ensure that service delivery continues to comply with third-party agreements
- Control changes to third-party service delivery agreements in order to ensure that they comply with all requirements

10.3 Carry out future system planning activities
- Avoid future system failures by developing plans to ensure that adequate information processing capacity and resources will be available in the future
- Avoid future system failures by projecting what system performance requirements will be in the future
- Avoid future system overloads by projecting what information processing capacity and resource requirements will be in the future
- Establish the operational requirements of new systems prior to their acceptance and use
- Document the operational requirements of new systems prior to their acceptance and use
- Test the operational requirements of new systems prior to their acceptance and use

10.4 Protect against malicious and mobile code
- Protect the integrity of software
- Protect the integrity of information
- Prevent the introduction of malicious code and unauthorized mobile code
- Detect the introduction of malicious code and unauthorized mobile code
- Protect the organization's software and information processing facilities against computer viruses
- Protect software and information processing facilities against network worms
- Protect software and information processing facilities against Trojan horses
- Protect software and information processing facilities against logic bombs
- Make users aware of the dangers and the damage that malicious code can cause

- Make sure that managers have established controls that staff can use to prevent malicious code
- Make sure that managers have established controls that staff can use to detect the existence of malicious code
- Make sure that managers have established controls that staff can use to remove malicious code
- Make sure that managers have taken steps to control mobile code

10.5 Establish backup procedures
- Maintain the availability and integrity of information and information processing facilities by backing up data
- Develop procedures to implement the data backup policy and strategy
- Develop data restoration procedures and make sure that restoration activities are rehearsed

10.6 Protect computer networks
- Protect the information on networks
- Protect the infrastructure that supports networks
- Protect networks that span organizational boundaries
- Protect sensitive information passing over public networks

10.7 Control how media are handled
- Control the organization's media
- Protect the organization's media
- Prevent unauthorized disclosure by protecting media
- Prevent unauthorized modification by protecting media
- Prevent the removal of assets by protecting media
- Prevent the destruction of assets by protecting media
- Prevent business interruptions by protecting media
- Establish operating procedures to protect documents
- Establish operating procedures to protect computer media
- Establish operating procedures to protect input/output data
- Establish procedures to protect system documentation
- Make sure that operating procedures prevent unauthorized disclosures
- Make sure that operating procedures prevent the unauthorized modification of media
- Make sure that operating procedures prevent the unauthorized destruction of media
- Make sure that operating procedures prevent the unauthorized removal of media

10.8 Protect the exchange of information
- Protect and control the exchange of information within the organization
- Protect and control the exchange of software within the organization
- Protect and control the exchange of information between the organization and external organizations

- Protect and control the exchange of software between the organization and external organizations
- Establish a formal policy to control how information and software are exchanged between organizations
- Use formal agreements to control how information and software are exchanged between organizations
- Comply with all relevant legislation that governs and controls the exchange of information and software between organizations
- Establish procedures to protect information and physical media exchanged within or between organizations
- Establish standards to protect information and physical media exchanged within or between organizations

10.9 Protect electronic commerce services
- Make sure that the organization's electronic commerce (e-commerce) services are secure
- Make sure that e-commerce service usage is secure
- Consider security if you use e-commerce services
- Consider security if the organization processes online transactions
- Protect the integrity of information that is published using publicly accessible systems
- Protect the availability of information that is published using publicly accessible systems
- Establish controls to protect e-commerce activities

10.10 Monitor information processing facilities
- Monitor information processing systems in order to detect unauthorized activities
- Record information security events
- Use operator logs to detect information system problems
- Use fault logging to detect information system problems
- Make sure that information monitoring and logging activities comply with all relevant legal requirements
- Use system monitoring to check how effective controls are
- Use system monitoring to verify that information processing activities comply with the organization's access policy

11. Information Access Control Management Objectives

11.1 Control access to information
- Control access to the organization's information
- Make sure that information access controls meet the organization's business requirements
- Make sure that information access controls meet the organization's security requirements
- Control access to information processing facilities
- Make sure that facility access controls meet the organization's business requirements
- Make sure that facility access controls meet the organization's security requirements

- Control access to business processes
- Make sure that process access controls meet the organization's business requirements
- Make sure that process access controls meet the organization's security requirements
- Make sure that access control rules comply with information dissemination policies
- Make sure that access control rules comply with information authorization policies

11.2 Manage user access rights
- Control authorized access to information systems
- Prevent unauthorized access to information systems
- Establish formal procedures to control how the right to access information systems and services is allocated
- Ensure that the access allocation procedure controls all stages of the user access life cycle, from initial user registration to final de-registration
- Ensure that the access allocation procedure pays special attention to the allocation of privileged access rights, which allow users to override normal system controls

11.3 Encourage good access practices
- Prevent unauthorized user access to information and information processing facilities
- Prevent information and information processing facilities from being exposed to possible loss or damage
- Prevent the theft of information and information facilities
- Ask authorized users to help you control access to information systems and information processing facilities
- Make authorized users responsible for helping you control access to information and information processing facilities
- Make users aware of what they must do to control access
- Make users aware of what they must do to protect passwords
- Make users aware of what they must do to protect equipment
- Reduce the risk of unauthorized access or damage to papers, media, and facilities by implementing a clear desk policy
- Reduce the risk of unauthorized access or damage to papers, media, and facilities by implementing a clear screen policy

11.4 Control access to network services
- Prevent unauthorized access to internal networked services
- Prevent unauthorized access to external networked services
- Control access to internal networked services
- Control access to external networked services
- Control access by using appropriate interfaces between the organization's network and networks owned by other organizations

- Control access by using appropriate interfaces between the organization's network and public networks
- Control access to networks by using appropriate authentication mechanisms for users and equipment
- Control user access to information services

11.5 Control access to operating systems
- Prevent unauthorized access to operating systems
- Restrict operating system access to authorized users
- Establish ways of controlling access to operating systems
- Make sure that operating system access control methods comply with the access control policy
- Make sure that access control methods are capable of authenticating authorized users
- Make sure that access control methods are capable of recording successful and failed authentication attempts
- Make sure that access control methods are capable of recording the use and abuse of special system privileges
- Make sure that access control methods are capable of issuing alarms when system security policies are violated
- Make sure that access control methods are capable of restricting user connection time when appropriate

11.6 Control access to applications and systems
- Prevent unauthorized access to information held in the organization's application systems
- Use security facilities to restrict logical access to the organization's application systems
- Use security facilities to restrict logical access within the organization's application systems
- Make sure that access to application systems and information is regulated by a formal business access control policy
- Make sure that application systems control user access to application system functions
- Make sure that application systems control user access to information held within application systems
- Make sure that application systems can prevent utilities that are capable of overriding or bypassing system or application controls from gaining unauthorized access
- Make sure that application systems can prevent operating system software that is capable of overriding or bypassing controls from gaining unauthorized access
- Make sure that application systems can prevent malicious software that is capable of overriding or bypassing controls from gaining unauthorized access
- Make sure that application systems do not compromise the security of other interrelated application systems

11.7 Protect mobile and teleworking facilities
- Make sure that information is protected when mobile computing facilities are being used
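The operating system access control capabilities asked for under 11.5 above (recording successful and failed authentication attempts, recording the use and abuse of special privileges, raising an alarm when a policy rule is violated, and restricting connection time) are in practice met by a log monitor sitting on top of the OS authentication logs rather than by the OS alone. The following is an added example, not code from this paper: a small Python monitor that parses sshd and sudo syslog lines and checks them against an assumed policy (five failures from one source within 60 seconds, a fixed set of accounts approved for sudo, no interactive root logon, and a permitted logon window of 07:00 to 20:00). The log lines are constructed, and the policy values, hostnames and addresses are assumptions for illustration.

```python
"""Authentication monitoring for the 11.5 requirements: record successful and
failed authentication attempts, record the use of special privileges, and
raise an alarm when a policy rule is violated.

Added example, not from the paper. The log lines are constructed and follow
the OpenSSH sshd / sudo syslog format; the policy values are assumptions."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed policy: what "violated" means for this host.
POLICY = {
    "fail_threshold": 5,                   # failed logons from one source ...
    "fail_window": timedelta(seconds=60),  # ... within this window
    "admins": {"alice"},                   # accounts approved to use sudo
    "login_hours": (7, 20),                # permitted interactive logon hours [07:00, 20:00)
}

# Constructed sample log (syslog timestamps carry no year; 2010 is assumed when parsing).
SAMPLE_LOG = """\
May  9 08:01:10 srv1 sshd[2101]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
May  9 08:01:30 srv1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
May  9 08:02:01 srv1 sshd[2110]: Failed password for root from 203.0.113.7 port 40001 ssh2
May  9 08:02:03 srv1 sshd[2111]: Failed password for root from 203.0.113.7 port 40002 ssh2
May  9 08:02:05 srv1 sshd[2112]: Failed password for invalid user admin from 203.0.113.7 port 40003 ssh2
May  9 08:02:07 srv1 sshd[2113]: Failed password for root from 203.0.113.7 port 40004 ssh2
May  9 08:02:09 srv1 sshd[2114]: Failed password for root from 203.0.113.7 port 40005 ssh2
May  9 08:02:15 srv1 sshd[2115]: Accepted password for root from 203.0.113.7 port 40006 ssh2
May  9 23:40:00 srv1 sshd[2300]: Accepted publickey for bob from 10.0.0.9 port 51100 ssh2
May  9 23:41:12 srv1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<prog>sshd|sudo)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse_line(line, year=2010):
    """Turn one syslog line into an event dict, or None if it is not an authentication event."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    if m["prog"] == "sshd":
        s = SSH_RE.match(m["msg"])
        if not s:
            return None
        kind = "auth_ok" if s["result"] == "Accepted" else "auth_fail"
        return {"ts": ts, "kind": kind, "user": s["user"], "src": s["src"]}
    s = SUDO_RE.match(m["msg"])
    if not s:
        return None
    return {"ts": ts, "kind": "priv", "user": s["user"], "target": s["target"], "cmd": s["cmd"]}


def analyze(lines, policy=POLICY):
    """Return (events, alarms): events is the full record, alarms are (rule, subject, detail)."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    alarms = []
    recent_fails = defaultdict(list)  # source address -> failure timestamps still inside the window
    for e in events:
        if e["kind"] == "auth_fail":
            window = [t for t in recent_fails[e["src"]] if e["ts"] - t <= policy["fail_window"]]
            window.append(e["ts"])
            recent_fails[e["src"]] = window
            if len(window) == policy["fail_threshold"]:  # alarm once, when the threshold is crossed
                alarms.append(("brute_force", e["src"], f"{len(window)} failures within the window"))
        elif e["kind"] == "auth_ok":
            fails = recent_fails.get(e["src"], [])
            if len(fails) >= policy["fail_threshold"]:
                alarms.append(("success_after_failures", e["src"],
                               f"{e['user']} accepted after {len(fails)} failures"))
            if e["user"] == "root":  # assumed rule: root must not log on interactively
                alarms.append(("direct_root_login", e["src"], "interactive root logon"))
            start, end = policy["login_hours"]
            if not start <= e["ts"].hour < end:  # connection-time restriction
                alarms.append(("outside_login_hours", e["user"], e["ts"].strftime("%H:%M")))
        else:  # privilege use is always recorded; it is abuse when the account is not approved
            if e["user"] not in policy["admins"]:
                alarms.append(("privilege_abuse", e["user"], e["cmd"]))
    return events, alarms


def summarize(events):
    """Counts per event kind: the auditable record of logons, failures and privilege use."""
    return dict(Counter(e["kind"] for e in events))


if __name__ == "__main__":
    evts, alms = analyze(SAMPLE_LOG.splitlines())
    print(summarize(evts))
    for a in alms:
        print("ALARM", *a)
```

The summary is the record an auditor asks for under 11.5; the alarms are the evidence that the rules are actually enforced rather than merely written down. In a real deployment the lines come from a syslog collector instead of a string, the thresholds and the admin set come from the access control policy rather than the script, and the alarm list feeds the incident reporting procedure.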

- Make sure that security initiatives address the risks that mobile computing activities create
- Make sure that mobile security initiatives address the risks associated with having to work in an unprotected environment
- Make sure that information is protected when teleworking facilities are being used
- Make sure that security initiatives address the risks that teleworking activities create
- Take steps to protect teleworking sites
- Establish arrangements that support and protect the organization's teleworking activities

12. Systems Development and Maintenance Objectives

12.1 Identify information system security requirements
- Make sure that security is part of information systems
- Identify the security requirements that the organization's information systems must meet before you start the system development process
- Identify the security requirements that information systems must meet before you implement these systems
- Identify the security requirements that operating systems must meet before you develop or implement such systems
- Identify the security requirements that business applications must meet before you develop or implement them
- Identify the security requirements that user-developed applications must meet before you implement them
- Identify the security requirements that off-the-shelf products must meet before you implement or install them
- Identify the security requirements that infrastructure must meet before you develop or implement it
- Identify the security requirements that services must meet before you develop or implement them
- Document the security requirements that information systems must meet
- Make sure that the documentation justifies and explains why the security requirements must be met
- Make sure that security is part of the business justification for developing or implementing information systems

12.2 Make sure applications process information correctly
- Make sure that applications process information correctly
- Prevent errors from occurring in applications
- Prevent the loss of information in applications
- Prevent the misuse of information in applications
- Prevent the unauthorized modification of information
- Make sure security controls are designed into applications
- Design security controls into user-developed applications
- Use security controls to validate input data
- Use security controls to validate internal processing
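The 12.2 objectives above ask for security controls that validate input data and internal processing (and, as the list goes on to say, output data). As an added example, not from this paper, here is a Python module that applies all three stages to one hypothetical order message: every input field is allow-listed by name, type, length, range and format before it is used; the order total is recomputed with Decimal and cross-checked against hard limits; and the outgoing record is reduced to an allow-listed set of fields with the customer identifier masked. The message layout, the identifier formats, the limits and the constructed good and bad messages are all assumptions for illustration.

```python
"""Input, internal processing and output validation for an application, per
the 12.2 objectives. Added example, not from the paper; the order message
layout, field limits and the constructed sample messages are assumptions."""
import re
from dataclasses import dataclass
from decimal import Decimal

# Assumed formats and limits (in practice these come from the application's specification).
CUSTOMER_ID = re.compile(r"^C[0-9]{6}$")
SKU = re.compile(r"^[A-Z0-9-]{3,20}$")
AMOUNT = re.compile(r"^[0-9]{1,7}\.[0-9]{2}$")        # money travels as a string, never a float
ALLOWED_CURRENCIES = {"INR", "USD", "EUR"}
MAX_LINES, MAX_QTY, MAX_UNIT_PRICE = 50, 1000, Decimal("1000000.00")
INPUT_FIELDS = {"customer_id", "currency", "lines"}
LINE_FIELDS = {"sku", "qty", "unit_price"}
OUTPUT_FIELDS = {"order_ref", "customer_id", "currency", "total"}


class ValidationError(ValueError):
    """Raised at any stage; the caller rejects the message rather than repairing it."""


@dataclass(frozen=True)
class Line:
    sku: str
    qty: int
    unit_price: Decimal


@dataclass(frozen=True)
class Order:
    customer_id: str
    currency: str
    lines: tuple


def validate_input(msg):
    """Input validation: allow-list every field, type, length, range and format before use."""
    if not isinstance(msg, dict) or set(msg) != INPUT_FIELDS:
        raise ValidationError("unexpected or missing fields")
    if not isinstance(msg["customer_id"], str) or not CUSTOMER_ID.match(msg["customer_id"]):
        raise ValidationError("bad customer_id")
    if msg["currency"] not in ALLOWED_CURRENCIES:
        raise ValidationError("bad currency")
    raw = msg["lines"]
    if not isinstance(raw, list) or not 1 <= len(raw) <= MAX_LINES:
        raise ValidationError("bad line count")
    lines = []
    for item in raw:
        if not isinstance(item, dict) or set(item) != LINE_FIELDS:
            raise ValidationError("bad line fields")
        if not isinstance(item["sku"], str) or not SKU.match(item["sku"]):
            raise ValidationError("bad sku")
        qty = item["qty"]
        if type(qty) is not int or not 1 <= qty <= MAX_QTY:   # bool is an int subclass; reject it
            raise ValidationError("bad qty")
        if not isinstance(item["unit_price"], str) or not AMOUNT.match(item["unit_price"]):
            raise ValidationError("bad unit_price")
        price = Decimal(item["unit_price"])
        if not Decimal("0.00") < price <= MAX_UNIT_PRICE:
            raise ValidationError("bad unit_price")
        lines.append(Line(item["sku"], qty, price))
    return Order(msg["customer_id"], msg["currency"], tuple(lines))


def compute_total(order):
    """Internal processing validation: bound every intermediate result and check the final one."""
    total = Decimal("0.00")
    for line in order.lines:
        line_total = line.qty * line.unit_price
        if line_total > MAX_QTY * MAX_UNIT_PRICE:      # defence in depth behind validate_input
            raise ValidationError("line total out of range")
        total += line_total
    if total <= 0 or total != total.quantize(Decimal("0.01")):   # exactly two decimals, positive
        raise ValidationError("total failed consistency check")
    return total


def build_output(order, total, order_ref):
    """Output validation: emit only allow-listed fields, in the agreed formats, with the id masked."""
    out = {
        "order_ref": order_ref,
        "customer_id": order.customer_id[:1] + "****" + order.customer_id[-2:],
        "currency": order.currency,
        "total": f"{total:.2f}",
    }
    if set(out) != OUTPUT_FIELDS or not AMOUNT.match(out["total"]):
        raise ValidationError("output failed validation")
    return out


def process(msg, order_ref="ORD-0001"):
    """The three stages chained; order_ref is a hypothetical reference assigned by the caller."""
    order = validate_input(msg)
    return build_output(order, compute_total(order), order_ref)


def is_rejected(msg):
    """True if the message fails any stage (used to exercise the bad samples)."""
    try:
        process(msg)
    except ValidationError:
        return True
    return False


# Constructed samples: one well-formed message and several that must be rejected.
GOOD_MSG = {"customer_id": "C123456", "currency": "INR",
            "lines": [{"sku": "ISMS-GUIDE", "qty": 2, "unit_price": "19.99"},
                      {"sku": "AUDIT-KIT", "qty": 1, "unit_price": "39.98"}]}
BAD_MSGS = [
    {**GOOD_MSG, "discount": "-50"},                                          # unexpected field
    {**GOOD_MSG, "customer_id": "C123456' OR 1=1"},                           # bad identifier format
    {**GOOD_MSG, "lines": []},                                                # nothing to order
    {**GOOD_MSG, "lines": [{"sku": "ISMS-GUIDE", "qty": True, "unit_price": "19.99"}]},   # bool as int
    {**GOOD_MSG, "lines": [{"sku": "ISMS-GUIDE", "qty": 0, "unit_price": "19.99"}]},      # zero quantity
    {**GOOD_MSG, "lines": [{"sku": "ISMS-GUIDE", "qty": 1, "unit_price": "1E+9"}]},       # exponent form
    {**GOOD_MSG, "lines": [{"sku": "ISMS-GUIDE", "qty": 1, "unit_price": 19.99}]},        # float money
]

if __name__ == "__main__":
    print(process(GOOD_MSG))
    print(all(is_rejected(m) for m in BAD_MSGS))
```

Two design points worth noting: the message is rejected, never "cleaned", because repairing input silently hides the fact that a caller is sending data the application did not expect; and monetary amounts are accepted only as fixed-format strings and handled as Decimal, because a JSON float such as 19.99 cannot be represented exactly and rounding drift in the total is precisely the kind of processing error 12.2 is meant to prevent.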

39 Use security controls to validate output data Design additional security controls into systems that process valuable, sensitive, or critical information Design additional security controls into systems that have an impact on valuable, sensitive, or critical assets Use security risk assessments to identify security requirements and to select controls for systems 12.3 Use cryptographic controls to protect information Use cryptographic controls to protect the confidentiality, authenticity, and integrity of organization s information Establish a policy on the use of cryptographic controls 12.4 Protect and control organization's system files Ensure the security of organization s system files Control access to organization s system files Control access to program source code Make sure that IT projects and support activities do not compromise the security of system files Make sure that sensitive or critical data is not exposed in test environments 12.5 Control development and support processes Control organization s information system development projects and support environments Maintain the security of application system software throughout the development process Maintain the security of information throughout the development process Make sure that application system managers are also responsible for the security of development projects and support environments Make sure that application system managers are responsible for ensuring that all system changes are checked in order to ensure that they do not compromise the security of the system Make sure that application system managers are responsible for ensuring that all system changes are checked to ensure that they do not compromise the security of the operating environment 13. 
Information Security Incident Management Objectives 13.1 Report information security events and weaknesses Make sure that information system security incidents are promptly reported Make sure that information system security events and weaknesses are promptly communicated AIG Internal Page 39 of 59

- Make sure that information security incident reports and communications allow timely corrective actions to be taken
- Establish formal security event reporting procedures
- Establish formal security escalation procedures
- Make sure that all employees know how to report information security events and weaknesses
- Make sure that all contractors know how to report information security events and weaknesses
- Make sure that all third party users know how to report information security events and weaknesses
- Make sure that employees are officially required to report information security events and weaknesses to a designated point of contact
- Make sure that contractors are officially required to report information security events and weaknesses to a designated point of contact
- Make sure that third party users are officially required to report information security events and weaknesses to a designated point of contact

13.2 Manage information security incidents and improvements
- Make sure that the organization's information security incident management approach is both effective and consistently applied
- Make people responsible for handling information security events and weaknesses once they have been reported
- Establish procedures for handling information security events and weaknesses once they have been reported
- Continually improve how you manage the organization's information security incidents
- Continually improve how you respond to the organization's information security incidents
- Continually improve how you monitor the organization's information security incidents
- Continually improve how you evaluate the organization's information security incidents
- Collect evidence about information security incidents whenever it is required in order to support legal action

14. Business Continuity Management
Objectives

14.1 Use continuity management to protect information
- Establish a business continuity management process
- Use the business continuity management process to counteract interruptions in business activities
- Use the business continuity management process to protect critical business processes during major information system failures
- Use the business continuity management process to minimize the impact on the organization during major information system failures
- Use the business continuity management process to ensure that essential operations are resumed as quickly as possible
- Use the business continuity management process to ensure that lost information assets are recovered as quickly as possible

- Use the business continuity management process to recover information assets that have been lost or damaged by natural disasters
- Use the business continuity management process to recover information assets that have been lost or damaged by equipment failures
- Use the business continuity management process to recover information assets that have been lost or damaged by deliberate action
- Use the business continuity management process to recover information assets that have been lost or damaged by accidents
- Use the business continuity management process to integrate the need to restore critical business processes with the need to also restore information assets after a business interruption
- Use the business continuity management process to integrate the need to restore critical operations with the need to also restore information assets after a business interruption
- Use the business continuity management process to integrate the need to restore critical facilities with the need to also restore information assets after a business interruption
- Use the business continuity management process to integrate the need to restore critical materials with the need to also restore information assets after a business interruption
- Use the business continuity management process to integrate the need to restore critical staffing levels with the need to also restore information assets after a business interruption
- Use the business continuity management process to integrate the need to restore critical transportation systems with the need to also restore information assets after a business interruption
- Carry out a business impact analysis in order to identify and evaluate the impact that major destructive events could have on critical business processes
- Analyze the impact that disasters could have on critical business processes
- Analyze the impact that security failures could have on critical business processes
- Analyze the impact that a loss of service could have on critical business processes
- Analyze the impact that unavailable services could have on critical business processes
- Develop and implement business continuity plans in order to ensure that essential operations can be restored within a reasonable period of time
- Make sure that information security is integrated into the organization's overall business continuity process
- Make sure that information security is integrated into the organization's many management processes
- Establish preventive controls that you can use to help prevent the loss of information assets
- Establish recovery controls that you can use to help restore information assets after a business interruption
- Establish controls that can help you to identify risks
- Establish controls that can help you to reduce risks
- Establish controls that can help you to limit the damage that serious incidents could cause
- Establish controls that can help you to ensure that business process information is readily available

15. Compliance Management
Objectives

15.1 Comply with legal requirements
- Make sure that information systems comply with all relevant statutory security requirements

- Make sure that information systems comply with all relevant regulatory security requirements
- Make sure that information systems comply with all relevant contractual security requirements
- Design information systems in compliance with all relevant statutory, regulatory, and contractual security requirements
- Operate information systems in compliance with all relevant statutory, regulatory, and contractual security requirements
- Manage information systems in compliance with all relevant statutory, regulatory, and contractual security requirements
- Make sure that the users of information systems comply with all relevant statutory, regulatory, and contractual security requirements
- Consult with legal experts in order to ensure that information systems comply with all relevant national and international legal security requirements

15.2 Perform security compliance reviews
- Make sure that systems comply with the organization's security policies
- Make sure that systems comply with the organization's security standards
- Review the security of information systems
- Make sure that information security reviews are carried out on a regular basis
- Review the security of information systems by examining how well they comply with security policies
- Audit technical platforms and information systems by examining how well they comply with relevant security implementation standards
- Audit technical platforms and information systems by examining how well they comply with documented security control requirements

15.3 Carry out controlled information system audits
- Perform audits of information systems
- Establish controls to safeguard operational systems while information system audits are being performed
- Establish controls to safeguard audit software and data files while information system audits are being performed
- Establish controls to safeguard the integrity of audit tools
- Establish controls to prevent the misuse of audit tools

Implementation Process
Let us now look at the various points that need to be covered under each domain. A brief explanation is given and examples are quoted wherever necessary.

The team
We need to form a team to take this forward. We need a person who will be the primary interface between the implementation team and senior management; let us call this person the Chief Information Security Officer (CISO). The CISO is responsible for getting formal approvals from the management and should also be able to take decisions on behalf of the management. We also need a project manager who is in overall charge of the project and reports to the CISO; let us call this person the Information Security Officer (ISO). The implementation team members can be selected from every team / group / department within your scope, which will help in a smooth implementation process.

Define the Scope
ISMS can be implemented for just a department, for just one floor of an organization, or for the entire or part of an organization. You need to discuss with senior management and pen down the areas where you would like to implement ISMS practices. This has to be clearly defined in your Information Security Policy document.

Business process study of individual departments
We have already identified the departments within the scope, and we also have one member from each department as part of our implementation team. Have a discussion with these team members to understand the process involved in carrying out their tasks within their department. For example, let us take one part of the HR department. If we look at the hiring process, there will be different levels of interviews, and every interview will have its own standards and methods. After the interviews are over, an offer is made, and on acceptance the candidate joins the organization. Once the joining formalities are over, a background check of the employee is done. This process of hiring an employee, which is part of the HR department, needs to be documented; this is known as a Business Process study and it has to be done for each and every department within the scope. The business process study document is not a mandatory requirement of the ISO standard, but it will help in the later stages in identifying the assets involved in carrying out those tasks and also in valuing those assets.

Risk Assessment

Asset Inventory
Information can exist in different forms, and those that hold this information are known as information assets. These can be:
- Information / Data assets
- Technology assets
- People assets
- Service assets

All the information assets of these departments should be identified and documented. On identifying these assets, it is good practice to label them. A format needs to be defined to label all the assets within the organization. Every asset will have an asset owner and an asset custodian. We need to document the asset owner and the asset custodian of each asset. For example, let us take the case of a critical server in the organization. The owner of the server (hardware) would be the server group, the application owner might be the application group and the owner of the data residing in the server might be the system development group. This will vary from server to server or organization to organization, or might be the same. It is also possible that the owner and custodian of the hardware, software and data are the same. This needs to be identified and documented.

Asset Value
Asset value can be defined by looking at the confidentiality, integrity and availability of an asset. Let me give you an example which will be easier to understand. Let us take the mail server of the organization. The asset owner of the server and the custodian of the data is the server group, and the asset owner of the data is everyone who uses the server. Let us define a scale of 1-5 to record and assign a value to the owners' and custodians' views.

Confidentiality
Q. What if an intruder or another employee of a lower access level gets to read confidential top management mails?
Answer 1: It is very critical, since the top management exchanges a lot of information through e-mails.
Answer 2: It is not very critical. Since all our communication is encrypted using digital signatures, there is a very rare chance of information leakage.
For answer 1 the confidentiality value is 4.
For answer 2 the confidentiality value is 2.

Integrity
Q. What if an intruder or another employee tries to modify the contents of the mail and the mail delivered is something different? For example: the CEO sends out a mail to the CFO to donate Rs.1,00,000 for a charity. Someone in between tampers with the mail, changes the amount to Rs.7,00,000 and gives his own account number.
Answer 1: It is very critical.

Answer 2: It is not very critical, as all the internal and external mail communication is encrypted.
For answer 1 the integrity value is 4.
For answer 2 the integrity value is 2.

Availability
Q. What happens if there is a hardware failure and the server is not available to the organization?
Answer 1: It is very critical. Incoming mails might not be delivered. There might be data corruption and there is a possibility of users losing their mails.
Answer 2: It is not very critical. My servers run with redundancy and I have a backup MX record created. If there is a hardware failure, the backup server and MX record will take over and there will be no disruption to the services.
For answer 1 the availability value is 4.
For answer 2 the availability value is 2.

Now let us arrive at the asset value using a simple method. Note: various other methods are also available; this is just an example.

Asset value = Confidentiality + Availability + Integrity
Mail Server Value = 4 + 4 + 4 = 12 (for very critical)
Mail Server Value = 2 + 2 + 2 = 8 (for not critical)

The next step is to identify the risk value of this particular asset. Let us see how to arrive at the risk value.

Risk Value
The risk value for an asset is determined by identifying the possible threats that can impact the CIA of the asset, how much impact each will cause, the frequency of the impact, and the asset value. Let us take the mail server mentioned above for this example. We have already identified the asset value; now we need to list the threats to the mail server:
- Power failures
- Hardware failure
- Fire
- Virus attacks / malicious code injection
- Intruders (hacking), denial of service (DoS attack)
- Mail accidentally sent to a different recipient
- Data corruption / data loss

- Unauthorized access
- Link failure
- Natural calamities

Business Impact Analysis (BIA)
BIA is performed to analyze the impact on the system due to various unprecedented events or incidents. Various failure scenarios and their possible business impacts are analyzed. This includes technical problems, human resources and other events. Now you might ask: we have already identified the asset value, which is based on the threats and vulnerabilities, and that will show us the impact on business. Why do we need another analysis? BIA is different from risk assessment. Risk assessment identifies the possible threats and vulnerabilities and how those will impact the asset and the business. The asset value shows how critical that asset is to the organization. BIA is based on time. If there is a server crash (let us take the mail server as per the example above), how much time can the organization go without an e-mail server? This is derived by doing the business impact analysis. The steps to be followed in determining the business impact are:
- Identify the critical resource; this has already been done while accumulating the assets and deriving the asset value.
- List down all possible impacts to business and prioritize the assets.
In this example of deriving the BIA, we shall use a scale of 1 to 5, and since the mail server is critical to the organization, we shall take 4 as the BIA value.

Probability of Occurrence
The probability of occurrence is required to understand the frequency at which such failures occur. This is based upon previous experience and also on the current implementation. The probability of occurrence is measured on a scale of 0.1 to 1. Refer to the table below.

[Probability of occurrence table (scale 0.1 to 1) not reproduced in this copy.]

For this example, let us consider the probability of occurrence to be rated at Medium, which has the value 0.4. Let us now see how we can arrive at the risk value.

Risk Value = Asset value * Business Impact * Probability of Occurrence
Risk Value = 12 * 4 * 0.4 = 19.2

Risk Assessment Tools
Various other tools that can be used for risk assessment are:
- Asset Track
- CRAMM
- Riskwatch
- RA2 art of risk (com/ict/security/bip0022.xalter)
- Exrisk
- Risk Point

Why identify the risk value
Here we have taken the example of a mail server and determined the risk value. In cases where you do a risk assessment on a desktop or some templates, the risk value might be much lower. By this method you will be able to decide which assets need to be considered for risk treatment in the next phase, and the rest can be ignored. This is done because, if we do risk treatment on assets that have a low risk value, the money spent to mitigate the risk on those assets might be much higher than the cost of the asset or the loss it could cause to the business. We have the risk value and have decided to do a risk treatment for this asset, as it is a very important asset for the organization.

Risk Management
Let us see how we can eliminate or reduce the risk due to the above mentioned threats, by mapping each threat to an available ISO control.

Threats | ISO Controls | Implementation
Power failures | A | UPS, generator
Hardware failures | A | AMCs
Fire | A | Fire extinguishers, sprinklers
Virus, malicious code injection | A | Anti-virus, anti-spam, spyware removal tool
Hacking, DoS attacks | A.6.2.1, A.6.2.3, A | Perimeter security devices, adequate network controls
Mail accidentally sent to a different recipient | A | Digital signatures
Data corruption / data loss | A | Backup
Unauthorized access | A, A, A | Active Directory, user access rights
Link failure | A.14.1 | Business continuity plans
Natural calamities | A | Identification of such areas, insurance, disaster recovery sites
(Most Annex A control numbers in the ISO Controls column are not legible in this copy.)

Above is an example of how we can map each identified threat to ISO controls and also find how to minimize the risk.

Deciding Assets for Risk Mitigation
Having determined the asset value and risk value, the management should now decide which assets have to be considered for risk mitigation. This is mandatory because some of the controls that need to be implemented to mitigate risk might cost the organization more than the asset value. Assets that can be recreated (such as templates, standard forms etc.) without causing any impact to the business can be eliminated from the risk mitigation process.

Different Methods of Handling Risks
Risk Acceptance: To accept the risk and continue operating, or to implement controls to lower the risk to an acceptable level. We need to give a high priority to the business requirements while also looking at how to safeguard information. There are instances where we will have to accept a certain risk and see to it that the business requirements are met.

For example: for some testing purpose you need to move one of your servers to the DMZ for a particular period of time. Since this testing is mandatory, it can be considered an acceptable risk for that period. But this should be agreed by the management and the asset owners.

Risk Avoidance: To avoid the risk by eliminating the risk cause and / or consequence. An old system (say Windows 98 running some proprietary application) which cannot be patched for the current vulnerabilities and is of not much use to the organization can be eliminated by switching off the machine.

Risk Limitation: To limit the risk by implementing controls that minimize the adverse impact of a threat on an asset. Implementing an anti-virus server in the organization does not ensure that the assets will be protected from virus attacks; it is a method of minimizing the risk from known virus attacks.

Risk Planning: To manage risk by developing a risk mitigation plan that prioritizes, implements and maintains controls. We foresee some of the risks due to natural calamities. For the case of fire, it is recommended to have fire drills at regular intervals, have fire extinguishers placed at fire prone areas, mark fire exits and keep those paths clear with no obstructions, and have documented procedures and guidelines on the operation of fire extinguishers and how to act during a fire.

Research and Acknowledgement: To lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability. As mentioned before, if you have a system that is outdated or runs some proprietary application, it might not be possible to patch the system for vulnerabilities, as the patch might affect the operation of the software. In such cases it is recommended either to run the application as it is and treat it as an acceptable risk, or to research whether there are any alternative methods to patch the particular application.

Risk Transfer: To transfer the risk by using other options to compensate for the loss, such as purchasing insurance. Risk can also be transferred by having an annual maintenance contract (AMC) with your vendors, or any other agreement for having spares at your location.
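The scoring method from the Risk Value, Why identify the risk value and Risk Management sections above, carried through in code as an added example (not tooling from this guide or from AIG): asset value as C + I + A, risk value as asset value x BIA x probability, a treatment threshold below which assets are accepted rather than treated, and the threat-to-control table. The Low and High probability ratings, the treatment threshold of 10 and the templates asset are assumptions for this example; the guide gives only Medium = 0.4 and the mail server figures.

```python
"""Risk scoring and treatment selection following the guide's simple method.

Constructed example, not tooling from the guide or from AIG.
"""
from dataclasses import dataclass

# Probability-of-occurrence ratings on the guide's 0.1-1.0 scale.
# Only "medium" = 0.4 is given in the guide; "low" and "high" are assumptions.
PROBABILITY = {"low": 0.1, "medium": 0.4, "high": 0.8}

# Threat -> (Annex A reference, implementation) from the guide's Risk
# Management table.  Only the references legible in the source are kept;
# None means the reference was not legible (no number is invented here).
CONTROL_MAP = {
    "Power failures": (None, "UPS, generator"),
    "Hardware failure": (None, "AMCs"),
    "Fire": (None, "Fire extinguishers, sprinklers"),
    "Virus / malicious code": (None, "Anti-virus, anti-spam, spyware removal tool"),
    "Hacking, DoS": ("A.6.2.1, A.6.2.3", "Perimeter security devices, network controls"),
    "Mail sent to wrong recipient": (None, "Digital signatures"),
    "Data corruption / loss": (None, "Backup"),
    "Unauthorized access": (None, "Active Directory, user access rights"),
    "Link failure": ("A.14.1", "Business continuity plans"),
    "Natural calamities": (None, "Identification of such areas, insurance, DR sites"),
}


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int   # 1-5, owner's / custodian's view
    integrity: int         # 1-5
    availability: int      # 1-5
    business_impact: int   # BIA value, 1-5 (how long the business can go without it)
    probability: str       # key into PROBABILITY
    threats: tuple = ()    # threats identified for this asset


def _check(value, lo, hi, label):
    """Reject ratings outside the guide's scales instead of silently scoring them."""
    if not lo <= value <= hi:
        raise ValueError(f"{label}={value} is outside {lo}..{hi}")


def asset_value(asset):
    """Asset value = Confidentiality + Availability + Integrity."""
    for v, label in ((asset.confidentiality, "C"), (asset.integrity, "I"),
                     (asset.availability, "A")):
        _check(v, 1, 5, label)
    return asset.confidentiality + asset.integrity + asset.availability


def risk_value(asset):
    """Risk value = asset value * business impact * probability of occurrence."""
    _check(asset.business_impact, 1, 5, "BIA")
    p = PROBABILITY[asset.probability]
    _check(p, 0.1, 1.0, "probability")
    return round(asset_value(asset) * asset.business_impact * p, 2)


def treatment_plan(assets, threshold):
    """Rank assets by risk value; those at or above the threshold go to risk
    treatment, the rest are accepted (treating a low-value asset such as a
    template may cost more than the asset or the loss it could cause)."""
    ranked = sorted(assets, key=risk_value, reverse=True)
    treat = [a for a in ranked if risk_value(a) >= threshold]
    accept = [a for a in ranked if risk_value(a) < threshold]
    return treat, accept


def controls_for(asset):
    """Map each of the asset's threats to the guide's control reference and measure."""
    return {t: CONTROL_MAP.get(t, (None, "no mapping in guide table"))
            for t in asset.threats}


# Constructed inventory: the guide's "very critical" mail server (C=I=A=4,
# BIA=4, Medium probability) plus a low-value asset of the kind it says can
# be left out of treatment.
MAIL_SERVER = Asset("Mail server", 4, 4, 4, business_impact=4,
                    probability="medium", threats=tuple(CONTROL_MAP))
TEMPLATES = Asset("Standard forms / templates", 1, 1, 1, business_impact=1,
                  probability="medium", threats=("Data corruption / loss",))
TREATMENT_THRESHOLD = 10  # assumed management decision for this example


def main():
    treat, accept = treatment_plan([MAIL_SERVER, TEMPLATES], TREATMENT_THRESHOLD)
    for a in treat:
        print(f"TREAT  {a.name}: asset value {asset_value(a)}, risk value {risk_value(a)}")
        for threat, (ref, measure) in controls_for(a).items():
            print(f"    {threat:<30} {ref or 'ref n/a':<20} {measure}")
    for a in accept:
        print(f"ACCEPT {a.name}: risk value {risk_value(a)} < {TREATMENT_THRESHOLD}")


if __name__ == "__main__":
    main()
```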

Statement of Applicability (SOA)
The SOA is a document that states all of the ISO controls. It requires identifying those that are applicable and giving a justification for choosing each particular control. A justification also needs to be given for each control that has not been chosen for implementation. This SOA document will be provided to clients and external trusted authorities on demand, for them to identify the level of implementation of security practices in the organization. The headers of the SOA document can be as shown below; this is just an example.

Control Reference | Description | Implementation | Justification
A | Fire Supplies | Yes | Have implemented UPS systems and also a dedicated generator for the entire building
A | Malicious Code | Yes | Have implemented a centralized anti-virus server that caters to the entire organization. An anti-virus policy document is also available.

Some of these controls require policies to support the implementation. As mentioned above, the anti-virus policy is a policy that defines how anti-virus is deployed across the organization, what tools are used and how it is monitored. Make sure all the policies are in place; we will also need to document the operating procedures of all the assets in the organization.

Business Continuity Plan & Disaster Recovery (BCP & DR)
Business continuity planning and disaster recovery planning are vital activities. Prior to creation of the plan itself, it is essential to consider the potential impacts of disaster and to understand the underlying risks. I shall not go into the details of preparing and implementing a BCP and DR, as this is a vast subject by itself.

Process
[BCP & DR process diagram not reproduced in this copy.]

Business Impact Analysis
Refer to the BIA topic above.

Audit
In this section we shall talk about how the audit is conducted and the various areas that we need to concentrate on, for both internal and certification audits. The external audit procedure will vary and depends on the external auditors. The common method is as mentioned below.

Pre-Assessment Audit (Adequacy Audit)
This step is optional, but is highly recommended if you are doing the implementation for the first time. You can have a minimum of two months between the pre-assessment audit and the certification audit. This step will tell you whether you are ready for the certification audit.

Document Review
The first step in the certification audit process is the document review. Below are the documents generally audited:
- Policy documents
- Policy statement
- Risk assessment report
- Risk assessment procedure
- Mapping of threats to the assets
- Statement of applicability
- Mapping of risk assessment report to the statement of applicability
- BCP, BCP testing procedure and test results
- Technical audit reports (Vulnerability Assessment and Penetration Testing reports)
- Metrics, if any
- Procedure and guideline documents

On Floor Audit
The auditor will look at physical security as he walks through the organization's premises, auditing user awareness as well as individual departments within the scope. All departments within the scope should have their policy, procedure and guideline documents updated.

Internal Audit
An internal audit should be conducted before the start of the project. This will project the gaps and you will understand where you stand. Further, conduct two more internal audits, one in the middle of the project and one just before the document review. Document your internal audit schedule for the next one year, as this is one of the documents that will be asked for during the document review. Following are some of the common areas for internal auditing. In addition you will need to audit your departments, depending on their policies and procedures. This will vary and depend on the organization.

Desktop Audit
A desktop audit is primarily done to check if users have any illegal content on their desktops, such as .mp3 files, video files, and .jpeg, .jpg and .gif files that can contain pornographic material. You can also audit their mailboxes by looking for mails with huge attachments, and jokes received and forwarded to other colleagues (all these must be mentioned as violations in your organization's policy). Users are very smart, so you should also search for any .pst files (if using the Outlook mail client) to see if there are any personal folders available. Usually users copy all illegal mails, jokes and mails with huge picture attachments to a personal folder and offload the same from the mail client, especially when there is an audit happening in the organization.

User Awareness Audit
User awareness audits are conducted to check the level of awareness among the employees. Whatever technical solutions have been implemented, unless user awareness is strong, it will be the biggest threat to the organization. While you conduct an audit on user awareness, ask questions about the following:
- Organization policy statement
- E-mail policy
- Internet usage policy
- What is meant by tailgating?
- What do you do when you see someone tailgating?
- What do you do when you see someone not at their seat and the machine has not been locked?
- What do you do when you sight a person within the organization's premises without a valid organization ID card?
- Who are the ISO (Information Security Officer) and CISO (Chief Information Security Officer) of the organization?
- Have you been through the corporate user awareness program on Information Security? If not, why?

Technical Audit
I would suggest that vulnerability assessment and penetration testing be conducted by external vendors. We should not build the network and test it ourselves; it would be like the same person cooking, tasting and certifying that the food is good. Keep in mind to inform the vendors that this testing will be done only during a predetermined schedule and also that no vulnerabilities will be exploited. Exploiting vulnerabilities might bring down the targeted services, and you will be held responsible for the same. If you have a method of logging and monitoring your internet traffic, keep an eye on it and see if there is any access to illegal sites.

Social Engineering
Social engineering is a method of extracting information from people (in this case the employees) in order to intrude into your premises or network. Social engineering tests can be conducted by making telephone calls, sending e-mails etc. Get a list of selected users from various departments like finance, development, operations, admin, HR and your CEO's assistant, and never forget to include the front office executive. Hand over these names along with their contact numbers to an external consultant. Request the consultant to make calls and ask them for information pertaining to their departments. This can be done by your team too, but sometimes people recognize a voice and the pattern in which an individual speaks. Suppose you call the personal assistant of the CEO and request an appointment. The PA should not be disclosing information like the CEO is not in town and he/she is in the US / in a board meeting etc. The intruder can also ask for the mobile number of the CEO since he/she is not in office. This is basically giving out information which does not really need to go out of the office. Another method of conducting this audit would be to host a server somewhere outside your network, send a link to selected users via e-mail and ask them to click on the link to download a critical patch from some vendor (maybe Microsoft). The link should point to the server outside your network, and once the user clicks on the link it should show a page about information security breaches and their impact. Social engineering is an art, and people fall for it for the following reasons:
- Scarcity: Manipulates employees by building a sense of urgency.
- Authority: Scams the worker based on the premise of power. As an example: "Hi, is this the help desk? I work for the senior VP and he needs his password reset in a hurry!"
- Liking: Preys on the fact that we tend to do more for people we like, even if that means bending the rules.
- Consistency: People like balance and order. As an example, when people ask how we are, we tend to respond, "Good!"
- Social validation: Based on the idea that if one person does it, others will, too. As an example: have you ever seen a bartender's tip jar that's full of dollars? It may make you think that if everyone else is tipping, so should you!
- Reciprocation: If someone gives you a token or small gift, you feel pressured to give something in return.
The above points are an extract from the internet, just to give you an idea of how an attack can be performed. Try this at your organization and see how much information can be extracted.

Physical Security
Apart from walking around and viewing the infrastructure, try to check some of the locations where you can get some confidential information. Try going to one of your common printer locations; I am certain that in most organizations a user would have fired a print but never collected it. You will find a pile of documents near the printers. Also try some of the dustbins. Check to see if critical departments have paper shredders at their location. Some organizations have the habit of piling up the documents to be shredded, and the office boy does it once every day at COB (close of business). Now you need to check if the office boy actually shreds the papers or if some are carried away. Some of the crucial points to check on physical security are:
- Fire exit signs
- Fire extinguisher maintenance labels
- Placement of fire extinguishers
- UPS placement and maintenance
- Generators for the building or the organization
- Distance between data and power cables
- Logging of access to data center / server room
- Entry and exit points
- Physical security placements
- Check the inward and outward registers of visitors and materials
This is just a short list, but as you walk along the premises, I am sure you will find many more of this sort.

Post Audit Check
- Asset tags: make sure all your assets have been labeled as per your policy.
- Mechanism to assess and improve user awareness among employees: there should be a mechanism; at the least, maintain records of the user awareness training conducted.

56 Mechanism (procedure) to record the security incidents and their solutions There should be a process to record security incidents found and reported by users, action taken for those incidents and learning from those incidents need to be documented. Mechanism to store the logs of servers and other monitoring tools for further reference Log retention need to defined and practiced Back-up and restore procedures to be in place. Test of restoring data has to be practiced and documented. BCP needs to be documented. Any test done to check the BCP need to be documented with test results. DR site should be defined and documented All cabling (power & data) should be adequately protected License management should be demonstrated License management using some tools or recorded in an excel file should be produced. Audits will be conducted to check if the installation of software is same as mentioned in the license management document. Audit reports of VA, PT and other audits conducted in the organization should be adequately documented, measured and improvements should be projected for auditing Patch management and anti-virus management is recommended to be centralized and a dedicated person be assigned to monitor this area. A random audit should be conducted to check if any of the machines has been omitted by the system of any anti-virus or patch updates AIG Internal Page 56 of 59
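The e-mail test described under Social Engineering above (a server outside your network that serves an awareness page when the "critical patch" link is clicked) needs very little code on the server side. The following is an added example, not code from this paper or from any tool it mentions; the hostname patch-update.example.invalid, the /update path, the user list and the campaign key are constructed placeholders. Each target receives a link carrying an HMAC-signed token, so a click is attributed to one person without putting a name or e-mail address in the URL, and a guessed or altered token is rejected rather than counted.

```python
"""Phishing-awareness test server: an added example, not code from the ISMS Essentials paper.

Every target gets a link with an HMAC-signed token; clicking serves an awareness
page and records the click against that target. The hostname, path, user list
and campaign key below are constructed placeholders (assumptions, not from the paper).
"""
import base64
import hashlib
import hmac
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample campaign: in practice generate one key per campaign with
# secrets.token_bytes(32) and never reuse it across tests.
CAMPAIGN_KEY = b"constructed-example-key-change-per-campaign"
TARGETS = {                                 # constructed user ids and addresses
    "u001": "finance.clerk@example.com",
    "u002": "ceo.assistant@example.com",
    "u003": "front.office@example.com",
}
CLICKS: Dict[str, List[float]] = {}         # user id -> click timestamps
MAC_LEN = 16                                # truncated SHA-256 HMAC, 128 bits

AWARENESS_PAGE = b"""<html><body>
<h1>This was an information security awareness test</h1>
<p>The link you clicked did not come from IT or from any vendor. Had it been
real, the download could have installed malware that reads your files and
passwords and spreads across the network. Never install patches from e-mailed
links; use the update channel IT provides, and report suspicious messages.</p>
</body></html>"""


def make_token(user_id: str, key: bytes = CAMPAIGN_KEY) -> str:
    """Bind the user id to this campaign with an HMAC so the token cannot be forged."""
    mac = hmac.new(key, user_id.encode(), hashlib.sha256).digest()[:MAC_LEN]
    return base64.urlsafe_b64encode(user_id.encode() + b"." + mac).decode().rstrip("=")


def verify_token(token: str, key: bytes = CAMPAIGN_KEY) -> Optional[str]:
    """Return the user id if the token is well formed, authentic and known; else None."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except (ValueError, TypeError):
        return None
    if len(raw) < MAC_LEN + 2 or raw[-MAC_LEN - 1:-MAC_LEN] != b".":
        return None
    user_id, mac = raw[:-MAC_LEN - 1], raw[-MAC_LEN:]
    expected = hmac.new(key, user_id, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(mac, expected):      # constant-time comparison
        return None
    uid = user_id.decode("utf-8", errors="replace")
    return uid if uid in TARGETS else None


def phishing_link(user_id: str, base: str = "https://patch-update.example.invalid/update") -> str:
    """The link to mail to one target; the base URL is a constructed placeholder."""
    return f"{base}?t={make_token(user_id)}"


def record_click(token: str, now: Optional[float] = None) -> Optional[str]:
    """Attribute a click to a target; tampered or unknown tokens are ignored."""
    uid = verify_token(token)
    if uid is not None:
        CLICKS.setdefault(uid, []).append(time.time() if now is None else now)
    return uid


def report() -> Dict[str, int]:
    """Click count per target, zeros included, for the user awareness records."""
    return {uid: len(CLICKS.get(uid, [])) for uid in TARGETS}


class Handler(BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        token = parse_qs(urlparse(self.path).query).get("t", [""])[0]
        if record_click(token) is None:
            self.send_error(404)             # scanners and guessed tokens learn nothing
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.end_headers()
        self.wfile.write(AWARENESS_PAGE)

    def log_message(self, *args) -> None:    # clicks are kept in CLICKS, not on stderr
        pass


if __name__ == "__main__":
    for uid in TARGETS:
        print(uid, phishing_link(uid))
    HTTPServer(("0.0.0.0", 8080), Handler).serve_forever()
```

Run it on the external host, mail each printed link to its target, and read report() when the exercise closes. Keep the campaign key off any path the server publishes, and because the server attributes clicks to named individuals, agree with HR and management beforehand how the results will be used.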
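Two of the post-audit checks above are reconciliations: the installed software against the license register, and the asset register against the anti-virus and patch consoles to find machines the central systems have omitted or lost contact with. The following is an added example, not code from this paper or from any product it mentions; every export in it is constructed sample data, and the column names are assumptions rather than any vendor's format.

```python
"""Post-audit reconciliation: an added example, not code from the ISMS Essentials paper.

Compares the asset register with the anti-virus and patch console exports, and the
license register with the installed-software inventory. All CSV text below is
constructed sample data; the column names are assumptions, not a vendor's format.
"""
import csv
import io
from collections import Counter
from datetime import date, timedelta
from typing import Dict, List, Tuple

ASSET_REGISTER = """asset_tag,hostname,owner
A-1001,fin-ws-01,finance
A-1002,fin-ws-02,finance
A-1003,dev-ws-01,development
A-1004,hr-ws-01,hr
A-1005,srv-file-01,operations
"""
AV_CONSOLE = """hostname,last_checkin,signature_date
fin-ws-01,2010-05-08,2010-05-08
fin-ws-02,2010-04-02,2010-04-01
dev-ws-01,2010-05-08,2010-05-08
srv-file-01,2010-05-07,2010-05-07
"""
PATCH_CONSOLE = """hostname,last_scan,missing_critical
fin-ws-01,2010-05-07,0
fin-ws-02,2010-05-07,3
hr-ws-01,2010-05-07,0
srv-file-01,2010-05-07,0
"""
LICENSE_REGISTER = """product,licensed_seats
Microsoft Office 2007,4
Adobe Acrobat Professional,1
"""
INSTALLED_SOFTWARE = """hostname,product
fin-ws-01,Microsoft Office 2007
fin-ws-02,Microsoft Office 2007
dev-ws-01,Microsoft Office 2007
hr-ws-01,Microsoft Office 2007
srv-file-01,Microsoft Office 2007
fin-ws-01,Adobe Acrobat Professional
fin-ws-02,Adobe Acrobat Professional
dev-ws-01,WinRAR
"""


def rows(csv_text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(csv_text)))


def coverage_gaps(assets: str, av: str, patch: str, as_of: str,
                  max_age_days: int = 7) -> Dict[str, List[str]]:
    """Findings per hostname for assets the AV or patch system has omitted or lost.

    The asset register is the authority: a host absent from a console is a gap.
    Stale check-ins count too; an agent that stopped reporting protects nothing.
    """
    av_by = {r["hostname"]: r for r in rows(av)}
    patch_by = {r["hostname"]: r for r in rows(patch)}
    stale_before = date.fromisoformat(as_of) - timedelta(days=max_age_days)
    findings: Dict[str, List[str]] = {}
    for asset in rows(assets):
        host, found = asset["hostname"], []
        a = av_by.get(host)
        if a is None:
            found.append("not in anti-virus console")
        elif date.fromisoformat(a["last_checkin"]) < stale_before:
            found.append(f"anti-virus check-in stale (last {a['last_checkin']})")
        elif date.fromisoformat(a["signature_date"]) < stale_before:
            found.append(f"anti-virus signatures stale ({a['signature_date']})")
        p = patch_by.get(host)
        if p is None:
            found.append("not in patch console")
        else:
            if date.fromisoformat(p["last_scan"]) < stale_before:
                found.append(f"patch scan stale (last {p['last_scan']})")
            if int(p["missing_critical"]) > 0:
                found.append(f"{p['missing_critical']} critical patches missing")
        if found:
            findings[host] = found
    return findings


def license_exceptions(register: str, installed: str
                       ) -> Tuple[Dict[str, Tuple[int, int]], Dict[str, List[str]]]:
    """Return (over-deployed {product: (installed, licensed)}, unlicensed {product: [hosts]})."""
    seats = {r["product"]: int(r["licensed_seats"]) for r in rows(register)}
    installs = rows(installed)
    counts = Counter(r["product"] for r in installs)
    over = {prod: (counts[prod], n) for prod, n in seats.items() if counts[prod] > n}
    unlicensed: Dict[str, List[str]] = {}
    for r in installs:
        if r["product"] not in seats:
            unlicensed.setdefault(r["product"], []).append(r["hostname"])
    return over, unlicensed


if __name__ == "__main__":
    for host, items in coverage_gaps(ASSET_REGISTER, AV_CONSOLE, PATCH_CONSOLE, "2010-05-09").items():
        print(host, "; ".join(items))
    over, unlicensed = license_exceptions(LICENSE_REGISTER, INSTALLED_SOFTWARE)
    for prod, (have, allowed) in over.items():
        print(f"OVER-DEPLOYED {prod}: {have} installed, {allowed} licensed")
    for prod, hosts in unlicensed.items():
        print(f"UNLICENSED {prod}: {', '.join(hosts)}")
```

The asset register is treated as the authority in both directions: a host missing from a console is a coverage gap, and software installed on a registered host but absent from the license register is an exception, whether or not the console "knows" the machine. Replace the embedded strings with the real exports and the findings become the evidence for the random audit the last check above calls for.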

ISO Certification Process

SAMPLE REPORT. Business Continuity Gap Analysis Report. Prepared for XYZ Business by CSC Business Continuity Services Date: xx/xx/xxxx

SAMPLE REPORT. Business Continuity Gap Analysis Report. Prepared for XYZ Business by CSC Business Continuity Services Date: xx/xx/xxxx SAMPLE REPORT Business Continuity Gap Analysis Report Prepared for XYZ Business by CSC Business Continuity Services Date: xx/xx/xxxx COMMERCIAL-IN-CONFIDENCE PAGE 1 OF 11 Contact Details CSC Contacts CSC

More information

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved. How to implement NIST Cybersecurity Framework using ISO 27001 WHITE PAPER Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

More information

Description of the certification procedure MS - ISO 9001, MS - ISO 14001, MS - ISO/TS and MS BS OHSAS 18001, MS - ISO 45001, MS - ISO 50001

Description of the certification procedure MS - ISO 9001, MS - ISO 14001, MS - ISO/TS and MS BS OHSAS 18001, MS - ISO 45001, MS - ISO 50001 The certification of a management system based on standard ISO 9001, ISO 14001, ISO/TS 29001, BS OHSAS 18001, ISO 45001 or ISO 50001, consists of the offer and contract phase, the audit preparation, performance

More information

Minimum Requirements For The Operation of Management System Certification Bodies

Minimum Requirements For The Operation of Management System Certification Bodies ETHIOPIAN NATIONAL ACCREDITATION OFFICE Minimum Requirements For The Operation of Management System Certification Bodies April 2011 Page 1 of 11 No. Content Page 1. Introduction 2 2. Scope 2 3. Definitions

More information

Policy and Procedure: SDM Guidance for HIPAA Business Associates

Policy and Procedure: SDM Guidance for HIPAA Business Associates Policy and Procedure: SDM Guidance for HIPAA Business (Adapted from UPMC s Guidance for Business at http://www.upmc.com/aboutupmc/supplychainmanagement/documents/guidanceforbusinessassociates.pdf) Effective:

More information

IAF Guidance on the Application of ISO / IEC Guide 65:1996

IAF Guidance on the Application of ISO / IEC Guide 65:1996 IAF GD5:2004 International Accreditation Forum, Inc. IAF Guidance Document IAF Guidance on the Application of ISO / IEC Guide 65:1996 General Requirements for Bodies operating Product Certification Systems

More information

Information technology Security techniques Guidance on the integrated implementation of ISO/IEC and ISO/IEC

Information technology Security techniques Guidance on the integrated implementation of ISO/IEC and ISO/IEC Provläsningsexemplar / Preview INTERNATIONAL STANDARD ISO/IEC 27013 Second edition 2015-12-01 Information technology Security techniques Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC

More information

Standard for Security of Information Technology Resources

Standard for Security of Information Technology Resources MARSHALL UNIVERSITY INFORMATION TECHNOLOGY COUNCIL Standard ITP-44 Standard for Security of Information Technology Resources 1 General Information: Marshall University expects all individuals using information

More information

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010 Standard CIP 011 1 Cyber Security Protection Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes

More information

ISO/ IEC (ITSM) Certification Roadmap

ISO/ IEC (ITSM) Certification Roadmap ISO/ IEC 20000 (ITSM) Certification Roadmap Rasheed Adegoke June 2013 Outline About First Bank Motivations Definitions ITIL, ISO/IEC 20000 & DIFFERENCES ISO/ IEC 20000 Certification Roadmap First Bank

More information

Trust Services Principles and Criteria

Trust Services Principles and Criteria Trust Services Principles and Criteria Security Principle and Criteria The security principle refers to the protection of the system from unauthorized access, both logical and physical. Limiting access

More information

Security Standards for Electric Market Participants

Security Standards for Electric Market Participants Security Standards for Electric Market Participants PURPOSE Wholesale electric grid operations are highly interdependent, and a failure of one part of the generation, transmission or grid management system

More information

Public Safety Canada. Audit of the Business Continuity Planning Program

Public Safety Canada. Audit of the Business Continuity Planning Program Public Safety Canada Audit of the Business Continuity Planning Program October 2016 Her Majesty the Queen in Right of Canada, 2016 Cat: PS4-208/2016E-PDF ISBN: 978-0-660-06766-7 This material may be freely

More information

DFARS Cyber Rule Considerations For Contractors In 2018

DFARS Cyber Rule Considerations For Contractors In 2018 Portfolio Media. Inc. 111 West 19 th Street, 5th Floor New York, NY 10011 www.law360.com Phone: +1 646 783 7100 Fax: +1 646 783 7161 customerservice@law360.com DFARS Cyber Rule Considerations For Contractors

More information

COMPLIANCE SCOPING GUIDE

COMPLIANCE SCOPING GUIDE COMPLIANCE SCOPING GUIDE Version 2017.2 Disclaimer: This document is provided for REFERENCE purposes only. It does not render professional services and is not a substitute for professional services. If

More information

What is ISO/IEC 27001?

What is ISO/IEC 27001? An Introduction to the International Information Security Management Standard By President INTERPROM July 2017 Copyright 2017 by InterProm USA. All Rights Reserved www.interpromusa.com Contents INTRODUCTION...

More information

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard Certification Exam Outline Effective Date: April 2013 About CISSP-ISSMP The Information Systems Security Management Professional (ISSMP) is a CISSP who specializes in establishing, presenting, and governing

More information

Global Specification Protocol for Organisations Certifying to an ISO Standard related to Market, Opinion and Social Research.

Global Specification Protocol for Organisations Certifying to an ISO Standard related to Market, Opinion and Social Research. CONTENTS i. INTRODUCTION 3 ii. OVERVIEW SPECIFICATION PROTOCOL DOCUMENT DEVELOPMENT PROCESS 4 1. SCOPE 5 2. DEFINITIONS 5 3. REFERENCES 6 4. MANAGEMENT STANDARDS FOR APPROVED CERTIFICATION BODIES 6 4.1

More information