نظام مدیریت امنيت اطالعات

Size: px

Start display at page:

Download "نظام مدیریت امنيت اطالعات"

Maximilian Barrett
6 years ago
Views:

1 چالش هاي پياده سازي و اخذ گواهينامه ي نظام مدیریت امنيت اطالعات ISMS Implementation and Certification CHALLENGES

2 Presenter Hossein Teimoori ISMS Lead Auditor ISMS Lead Tutor (IRCA Approved) +200 Audits 2/49

3 Content ISMS Definitions ISMS Standards ISMS History ISO Structure ISMS Implementation process Certification Implementation Process Certification cycle + Tips 3/49

4 تعاريف Definitions

Information 5 Information is an asset that, like other important business assets, is essential to an organization s business and consequently needs to be

5 Information 5 Information is an asset that, like other important business assets, is essential to an organization s business and consequently needs to be suitably protected. یک دارایی سازمانی است )ماموریت( آن ضروری بوده که مانند سایر دارایی های مهم سازمان برای کسب و در منتيجه می بایستی به نحو مناسبی محافظت شود. کار و 5/49

6 Information Formats روی کاغذ Printed or written on paper ذخیره شده بصورت الکترونیکی Stored electronically قابل انتقال بوسیله ی پست یا Transmitted by post or electronic means ابزارهای الکترونیکی Shown on corporate videos Verbal - spoken in conversations قابل پخش بصورت فیلم های ویدئویی قابل صحبت شدن Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected. Source: ISO 27002:2007 6/49

7 Information Lifecycle 7 ایجاد Creation استفاده Use امحا Destruction 7/49

8 Info. Assets Types 8 1. Information: databases and data files, contracts and agreements, system documentation, research information, user manuals, training material, operational or support procedures, business continuity plans, fallback arrangements, audit trails, and archived information; داراییهای اطالعاتی: بانک های اطالعاتی قراردادها و توافقنامه ها مستندات سيستمی اطالعات پژوهش ها راهنماهای استفاده مواد آموزشی روشهای اجرایی طرح های تداوم حيات سازمانی اطالعات آرشيو شده 1. Software assets: application software, system software, development tools, and utilities;... داراییهای نرم افزاری: نرم افزارهای سيستمی کاربردی 2. Physical assets: computer equipment, communications equipment, removable media and other equipment; داراییهای فیزیکی: تجهيزات کامپيوتری و ارتباطی وسایل ارتباطی و سایر تجهيزات 1. Source(ISO page 19) 8/49

9 Info. Assets Types 9 4) Services: computing and communications services, general utilities, e.g. heating, lighting power, and air-conditioning; داراییهای خدماتی: سرویس های ارتباطی و محاسباتی تجهيزات عمومی مانند سيستم گرمایش نور تهویه هوا... 5) People, and their qualifications, skills, and experience; داراییهای انسانی: و شایستگی ها مهارت ها و تجربيات آنها 6) Intangibles, such as reputation and image of the organization. داراییهای نا ملموس: مانند شهرت و وجهه سازمان 1. Source(ISO page 19) 9/49

10 Information Security 1 0 Confidentiality: the property that information is not made available or disclosed to unauthorized individuals, entities, or processes محرمانگی : ویژگی عدم دسترسی افراد غيرمجاز به اطالعات یکپارچگی : assets Integrity : the property of safeguarding the accuracy and completeness of ویژگی صحت و تماميت اطالعات Availability : the property of being accessible and usable upon demand by an authorized entity دسترس پذیری: ویژگی امکان دسترسی و استفاده از اطالعات در صورت درخواست یک موجودیت مجاز CIA 10/49

11 Info. Sec. Management System سیستم مدیریت امنيت اطالعات PDCA Cycle 11/49

12 مدل فرایندی مدیریت Mng Process Model 1 2 Continual improvement of the management system بهبود مداوم سيستم مدیریت Interested Parties Plan برنامه ریزی ذینفعان Establish استقرار Interested Parties ذینفعان I.S. rrequirements & expectations Implement & operate پياده سازی و اجرا الزامات و انتظارات Do اجرا Monitor & review پایش و بازنگری Check چک Maintain & improve نگهداری و بهبود Managed information Security امنيت اطالعات مدیریت شده Act اقدام 12/49

13 PDCA Cycle s ROLE 13 Improve Process through PDCA Cycle Plan Do Results Act ISMS Check Improvement Objective Measure/Monitor Results Against Objectives - Improve Process and Change ISMS as Needed to Achieve and Sustain Desired Results 13/49 Baseline Performance

14 ISMS Standards استانداردها

15 27000 Series Title عنوان مفاهيم و واژگان ISO27000 Vocabulary & Fundamentals الزامات ISO27001 Requirements ISO27002 Code of Practice (Already known as ISO17799) راهنمای عملکرد )قبال با عنوان ISO17799 شناخته می شد( راهنمای پياده سازی ISO27003 Implementation guidance شاخص ها و اندازه گيری کنترل ها ISO27004 Metrics & measurement راهنمای مدیریت ریسک ISO27005 Guidelines for Risk Management الزامات ارزیابی و صدور گواهينامه ISO27006 Assessment and certification راهنمای مميزی ISO27007 Guidelines for auditing ISMS ISMS ISO27008 Guidance on auditing information security controls راهنمای مميزی کنترل ها 15/49

16 ISMS-related Standards Title عنوان ISO/IEC TR Guideline for management of IT security راهنمای مدیریت امنيت IT راهنمای مميزی سيستم های مدیریتی ISO19011 Guideline for auditing Mng Systems ISO17021 Requirements for assessment and certification bodies الزامات نهادهای ارزیابی و صدور گواهينامه 16/49

17 ISO History

18 ISO27001 تاریخچه History Time 1993 Industry working group was initiated and code of practice issued 1995 BS was formalized 1998 BS was formalized 1999 BS & BS were published 2000 ISO17799:2000 superseded BS7799-1: BS7799-2:2002 superseded BS7799-2: ISO27001:2005 superseded BS7799-2:2002 ISO17799:2005 superseded ISO17799: ISO27006:2007 is formalized ISO17799:2005 was renamed ISO ISO27005:2008 is formalized 18/49

19 ISO STRUCTURE

20 Control Objectives & Controls OECD Principles. Correspondence to 9k & 14k Annex A. Annex B. Annex C ISO27001: ISMS سيستم مدیریت امنيت اطالعات 4 Intro مقدمه Scope دامنه Norm. Refer. استاندارد های مرجع Terms & Defin. تعاریف و واژگان Management Responsibility مسئوليت مدیریت Internal Audit مميزی داخلی Management Review of ISMS بازنگری مدیریت ISMS Improvement بهبود 8 P A D C 20/49

21 A.8 امنيت منابع انسانی A.9 امنيت فيزیکی و محيطی A.10 مدیریت ارتباطات و عمليات A.11 کنترل دسترسی ها A.12 خرید نگهداری بهبود سيستمهای اطالعاتی و ISO Annex A 2 1 خط مشی امنیت 5.A ساختار امنيت اطالعات 6.A مدیریت دارایی ها 7.A مدیریت رویدادهای امنيت اطالعاتی 13.A مدیریت تداوم حيات سازمانی 14.A انطباق 15.A 21/49

22 ISO Annex A /// ISO /49

23 ISO27001 Objectives

24 Risk Management 2 4 Safeguards اقدامات کنترلی Risks ریسک ها Residual Risks ریسکهای باقی مانده 24/49

25 Continual Improvement /49

26 ISMS IMPLEMENTATION Process Exercise: Identifying relevant controls

27 Implementation Process 27/49

28 Implementation Process 28/49

29 ISMS CERTIFICATION

30 Certification The value of certification is that is established by an impartial and competent assessment by a third-party. (Clause 4.1.2) 30/49

31 Mng Sys Certification Bodies ISO IAF Accreditation Bodies UKAS RvA ANAB Dakks NACI Certification Bodies DNV BSI UL TUV NIS Clients Google Shell HP IBM NIOC 31/49

32 Initial Audit ISO Certification Process Contract Pre Audit Surveillance Audit 2 Stage 1 Audit Surveillance Audit 1 Stage 2 Audit Certification/ Registration 32/49

33 Overview of ISO/IEC Stage 1 Certification Cycle N Ready 4 Stage 2? Y Sanctions Re- Certification Stage 2 NCs N Y Certification Surveillance 1 Y Y NCs N Surveillance 1 NCs N Y Y NC Closing Process Rest of Certification Cycle

34 ISMS Implementation & Certification CHALLENGES + Tips

35 ISMS Implementation & Certification CHALLENGES 3 5 Common Implementation Challenges Wrong scoping Wrong estimation of time and costs Change Fear/resistance Intra-Organizational Competitions Problematic steering Common CERTIFICATION Challenges (NC Root-Causes) Lack of Management commitment Ignorance of external parties issues Inappropriate Risk Assessment Lack of proactive approach 35/49

36 ISMS Implementation & Certification CHALLENGES 1 Wrong SCOPING Tips: - Use Gap Analysis - Prioritize - Initial Scope can be extended later SCOPE 36/49

37 ISMS Implementation & Certification CHALLENGES 2 Wrong Time & Cost Estimation Tips: - Benchmark - Initial Study / Gap Analysis - Prepare for worst scenario 37/49

38 ISMS Implementation & Certification CHALLENGES 3 Fear/resistance to CHANGE Reasons 1- Misunderstanding about the need for change 2- Fear of the unknown 3-Lack of competence 4-Connected to the old way 5-Low trust 6-Temporary fad 7-Not being consulted 8-Poor communication 38/49

39 ISMS Implementation & Certification CHALLENGES 3 Reactions Fear/resistance to CHANGE to Change 39/49

ISMS Implementation & Certification CHALLENGES 3 Fear/resistance to CHANGE Technology barriers Change of IT systems Change of process Lack of motivation of involved employees Lack of transparency

40 ISMS Implementation & Certification CHALLENGES 3 Fear/resistance to CHANGE Technology barriers Change of IT systems Change of process Lack of motivation of involved employees Lack of transparency because of Lack of change know how Lack of commitment of higher Shortage of resources Complexity is underestimated Corporate culture Changing mindsets and attitudes Key barriers to successful change IBM Survey 8% 12% 15% 16% 18% 20% 32% 33% 35% 49% 58% 40/49

ISMS Implementation & Certification CHALLENGES 3 Fear/resistance to CHANGE Monetary and non-monetary incentives Efficient organization structure Adjustment of performance measures Efficient training

41 ISMS Implementation & Certification CHALLENGES 3 Fear/resistance to CHANGE Monetary and non-monetary incentives Efficient organization structure Adjustment of performance measures Efficient training programs Change supported by culture Change agents (pioneers of change) Corporate culture that motivates and Honest and timely communication Employee involvement Top management sponsorship Key ingredients for successful change IBM Survey 19% 33% 36% 38% 48% 55% 65% 70% 72% 92% 41/49

42 ISMS Implementation & Certification CHALLENGES 3 Change Fear/resistance to CHANGE Management Steps 42/49

43 ISMS Implementation & Certification CHALLENGES 4 Problematic Intra-Org Competitions Tips: - Know about Conflict Management - Identify in advance and Manage during the implementation phase 43/49

44 ISMS Implementation & Certification CHALLENGES 5 Inappropriate Steering Tips: - Use a experienced & qualified consultant - Get enough trainings 44/49

45 ISMS Implementation & Certification CHALLENGES 6 Lack of Management commitment Tips: - Not to show off - Long Term Look (Think of more than 1 contract) 45/49

46 ISMS Implementation & Certification CHALLENGES 7 Ignorance of External Parties Issues Tips: - Define and Follow SLAs/OLAs before RA 46/49

47 ISMS Implementation & Certification CHALLENGES 8 Inappropriate RISK ASSESSMENT Tips: - Solid Procedure - Cross Functional Team - Owner 47/49

48 ISMS Implementation & Certification CHALLENGES 9 Loss of Initial Driver Tips: - Act Flexibly and as needed 48/49

49 با تشكر با 49/49

بسم اهلل الر حمن الر حيم

بسم اهلل الر حمن الر حيم شبکه های کامپیوتری Computer Networks زهره فتوحی z.fotouhi@khuisf.ac.ir کتاب درسی Textbook: Computer Networks A.S. Tanenbaum ویرایش چهارم ویرایش پنجم و... ترجمه : آقای احسان ملکیان