ISO 27000 Implementation
Best Practice Implementation Proposal for Plato Airlines
Justin David G. Pineda
Asia Pacific College
September 5, 2015
Table of Contents
ISO 27000
  Project Overview
  Current State of the Organization
  Scope
Purpose and Objectives
  General Objective
  Specific Objectives
  Benefits to the Stakeholders
Project Team Structure
Benchmark
  Best Practices
  Companies Implementing Best Practice
  How Implemented
Implementation Challenges and Results
  Challenges
  Results
  Benefits
Project Methodology
  Implementation Strategy
    Strategic Level
    Tactical Level
    Operational Level
Success Measures
Lessons Learned
Work Breakdown Structure (WBS)
Bibliography
ISO 27000

Project Overview
ISO 27000 is a standard used to centrally manage the security controls implemented in an organization. It provides a routine check of the controls the organization needs to keep its assets secure, and baselines to follow in order to reach the same level as leading organizations. In summary, the following areas of the organization must be checked and, if not yet implemented, planned, created and integrated as the key areas for ISO 27000 certification (Harris, 2013):
1. Creation of information security infrastructure
2. Asset classification and control
3. Personnel security
4. Physical and environmental security
5. Communications and operations management
6. Access control
7. System development and maintenance
8. Business continuity management
9. Compliance

Current State of the Organization
Plato Airlines is a low-cost airline established in 2001 and based in Bangkok, Thailand. It is a local airline with 20 Airbus 350-900 airplanes that fly to different parts of Thailand. The airline has a total of 300 employees based internally in its main headquarters, where the core departments such as Sales & Marketing, IT, Legal, HR, Operations and the Executive offices are found.
In terms of handling data, the organization works in an ad-hoc manner: each department has its own disparate policy on how data is handled. After their annual company audit, external auditors observed overlapping policies and redundant tools (implemented and bought, respectively). The office is owned by the organization; however, physical security policies have not been enforced properly because the guards change routinely every 3 months. Lastly, IT infrastructure is handled both by local IT and by outsourced third-party providers.

Scope
The implementation of this project covers all layers of security in the organization, such as:
1. Physical security (facilities)
2. Personnel security (guards, administrators)
3. Operational security (policies)
4. Network security (hardware devices)
5. Host security (computer security)
6. Application security (software)
The implementation of a standardized security management system involves all departments of the company.
Purpose and Objectives

General Objective
The main objective of this project is to align all processes of Plato Airlines to a standardized security practice such as ISO 27000, to ensure that assets are protected in the best possible way.

Specific Objectives
Specifically, the project aims to:
- Create a single company-wide security policy that the company will follow;
- Implement and improve the processes recommended by ISO 27000;
- Periodically audit the company for compliance, both by internal and by external parties.

Benefits to the Stakeholders
Both the company and the customers will benefit from this project. On the company side, they will be able to secure all their company assets in a standardized manner, leading to more efficient and effective execution of business processes. On the customer side, they will have peace of mind that the business they are transacting with follows best practices in securing their data, especially their personal data.

Project Team Structure
Executive Management
  Project Team Leader
    Physical & Personnel Security Lead (Facilities & Guards)
    Operational Security Lead (Policies)
    IT Security Lead (Network, Host & Application)

In this structure, the Executive Management approves all requests made by the project leads. It provides the budget and has the last say in decision-making in the project. The Project Team Leader is a technical manager who oversees the 3 main security leads and ensures that the implementation of each lead is cohesive and consistent with the others.
Benchmark

Best Practices
ISO 27000 is a family of standards. Each part corresponds to a particular domain requirement in information security for an organization. Below is a list of the family standards (ISO/IEC 27000:2014(E), 2014):
- ISO/IEC 27000, Information security management systems: Overview and vocabulary
- ISO/IEC 27001, Information security management systems: Requirements
- ISO/IEC 27002, Code of practice for information security controls
- ISO/IEC 27003, Information security management system implementation guidance
- ISO/IEC 27004, Information security management: Measurement
- ISO/IEC 27005, Information security risk management
- ISO/IEC 27006, Requirements for bodies providing audit and certification of information security management systems
- ISO/IEC 27007, Guidelines for information security management systems auditing
- ISO/IEC TR 27008, Guidelines for auditors on information security controls
- ISO/IEC 27010, Information security management for inter-sector and inter-organizational communications
- ISO/IEC 27011, Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
- ISO/IEC 27013, Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
- ISO/IEC 27014, Governance of information security
- ISO/IEC TR 27015, Information security management guidelines for financial services
- ISO/IEC TR 27016, Information security management: Organizational economics
- ISO 27799:2008, Health informatics: Information security management in health using ISO/IEC 27002

Companies Implementing Best Practice
The list of companies that implement ISO 27000 can be found here: http://www.17799central.com/cert.htm. Some of the companies include (ISO 27000 Central, 2015):

Country     Company                            Certification #
SPAIN       ERICSSON ESPAÑA S.A.               IS 53616
AUSTRALIA   Macquarie Corporation              IS 61344
GERMANY     Siemens Business Solutions         IS 61545
USA         Federal Reserve Bank of New York   IS 78808
How Implemented
A detailed ISO 27000 implementation can be found on this website from ISACA: http://www.isaca.org/journal/archives/2011/volume-4/pages/planning-for-and-implementing-iso27001.aspx
The summary of the implementation phases is as follows (Pelnekar, 2015):
Phase 1: Identify Business Objectives
Phase 2: Obtain Management Support
Phase 3: Select the Proper Scope of Implementation
Phase 4: Define a Method of Risk Assessment
Phase 5: Prepare an Inventory of Information Assets to Protect, and Rank Assets According to Risk Classification Based on Risk Assessment
Phase 6: Manage the Risks, and Create a Risk Treatment Plan
Phase 7: Set Up Policies and Procedures to Control Risks
Phase 8: Allocate Resources, and Train the Staff
Phase 9: Monitor the Implementation of the ISMS
Phase 10: Prepare for the Certification Audit
Phase 11: Conduct Periodic Reassessment Audits
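Phases 4 to 6 above (define a risk assessment method, rank the asset inventory by risk, and produce a risk treatment plan) are the part of the programme that most often ends up as an inconsistent spreadsheet, so the following is a small worked example of them in Python. It is an added example, not code from the proposal, from ISACA or from Plato Airlines. The 1-5 likelihood and impact scales, the risk-class bands, the acceptance threshold and the sample asset inventory are all assumptions chosen for illustration; ISO 27005 leaves the choice of scales to the organization.

```python
"""Added example (not from the proposal or ISACA): a minimal risk register
covering Phases 4-6 of the implementation summary.  Scales, bands, threshold
and sample assets are constructed assumptions."""
from dataclasses import dataclass, field

# Phase 4: the assessment method.  Risk = likelihood x impact on 1-5 scales,
# giving a score from 1 to 25.  (Assumed method.)
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Asset:
    name: str
    owner: str            # every asset needs an accountable owner
    threat: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)   # controls already in place

    @property
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def classify(score: int) -> str:
    """Map a score to a risk class (assumed bands: >=15 high, >=8 medium)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def rank_assets(assets):
    """Phase 5: the inventory ranked highest risk first; ties broken by name."""
    return sorted(assets, key=lambda a: (-a.score, a.name))


def treatment_plan(assets, accept_below=8):
    """Phase 6: pick a treatment option per asset.  Anything at or above the
    acceptance threshold must be mitigated (or transferred/avoided); residual
    low risks are accepted and recorded for management sign-off."""
    plan = []
    for a in rank_assets(assets):
        option = "accept" if a.score < accept_below else "mitigate"
        plan.append({"asset": a.name, "owner": a.owner, "threat": a.threat,
                     "score": a.score, "class": classify(a.score),
                     "treatment": option, "existing_controls": list(a.controls)})
    return plan


# Constructed sample inventory for an airline-sized office (not Plato's real data).
SAMPLE_ASSETS = [
    Asset("Passenger booking database", "IT", "unauthorized access",
          "possible", "severe", controls=["database passwords"]),
    Asset("HR personnel files", "HR", "disclosure of personal data", "likely", "major"),
    Asset("Marketing brochures", "Sales & Marketing", "defacement", "unlikely", "negligible"),
    Asset("Server room", "Facilities", "fire", "rare", "severe"),
]

if __name__ == "__main__":
    for row in treatment_plan(SAMPLE_ASSETS):
        print(f'{row["score"]:>2} {row["class"]:<6} {row["treatment"]:<8} '
              f'{row["asset"]} (owner: {row["owner"]})')
```

Run as a script it prints the ranked register; the HR files score 16 and the booking database 15, so both are classed high and must appear in the treatment plan, while the server room (5) and brochures (2) are accepted residual risks. Changing the scales or the threshold is a management decision that belongs in the documented Phase 4 method, not in the code.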
Implementation Challenges and Results

Challenges
Every change in the company will surely be met with both positive and negative reactions. For the conservatives, change is very hard to accept, especially if things are going well on their end. Since the process will be streamlined as a company-wide initiative, everything will be transparent and applied to all departments as well. Any change request will have to be approved by the management. Most departments do not think that the move to standardization is essential.

Results
Although initially a lot of department heads were reluctant to change, they have felt the positive effects after the transition. All departments now have streamlined procedures that are consistently documented and followed. All assets, both tangible and intangible, are already accounted for. Proper implementation of policies has been observed and applauded.

Benefits
Here are some of the highlighted benefits of the ISO 27000 implementation:

Domain: Asset Classification and Control
Change: Routinely identify and classify company assets.
Effects: Assets are now properly classified and accounted for to their corresponding owners.

Domain: Policy
Change: Implement Mandatory Access Control (MAC) and assign sensitivity labels to assets, especially company files identified as intangible assets: Top Secret, Secret, Confidential, Public. A subject can only access the resources for which he/she has clearance. Apply the implementation of a US law: Health Insurance Portability & Accountability Act of 1996 (HIPAA).
Effects: Authorized access is now strictly enforced.

Domain: Personnel Security Policy and Physical and Environmental Security Policy
Change: Implement a No ID, No Entry policy at the entrance. No exceptions, no VIPs. A Temporary Pass is needed. Everybody is required to submit their bags for inspection. Laptops must be registered upon entry for security purposes. HR must conduct a complete background check (verification of academic credentials, police clearance) before employee onboarding. Offices that hold critical data must use a badge system and fingerprint biometrics for access control.
Effects: Physical assets are ensured to be protected, and availability is given a high priority.

Domain: Access Control Policy
Change: Critical servers must be in a closed and locked facility with an HVAC system. All rooms must have a fire extinguisher that can handle Fire Classes A, B and C. Laboratories must not use water as a fire suppression mechanism; an FM-200 solution must be implemented. Separation of Duties (SOD) must be strictly enforced. An Acceptable Use Policy (AUP) must be implemented, listing all websites and categories that are allowed/not allowed to be accessed on the Internet. Implement 802.1X (PNAC) at the network level to control MAC-to-port access. Critical data must be sent securely via SSL to ensure confidentiality. Apply the implementation of a US law: Computer Fraud and Abuse Act of 1986 (CFAA).
Effects: Only authorized devices are assured to be given access.
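Two of the rules in the table above can be enforced mechanically rather than by policy text alone: the sensitivity-label check (a subject may read a file only with sufficient clearance) and Separation of Duties. The Python below is an added example, not code from the proposal or from Plato Airlines. The label ordering Public < Confidential < Secret < Top Secret, the reading of "clearance" as dominance (a Secret clearance also reads Confidential and Public files), the conflicting role pairs, the file labels and the user records are all constructed assumptions.

```python
"""Added example (not from the proposal): the MAC sensitivity-label rule and
the Separation of Duties rule from the benefits table, as checks that can run
in an access-control service or a periodic compliance audit.  Label order,
dominance reading, role-conflict pairs and sample data are assumptions."""

# Sensitivity labels ordered from least to most sensitive; a higher rank
# dominates a lower one.  (Assumed ordering of the four labels in the table.)
LABELS = {"Public": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


def can_read(clearance: str, label: str) -> bool:
    """Read allowed iff the subject's clearance dominates the file's label.
    Unknown clearances or labels are denied rather than treated as Public, so a
    file that was never labelled is not accidentally readable by everyone."""
    if clearance not in LABELS or label not in LABELS:
        return False
    return LABELS[clearance] >= LABELS[label]


# Separation of Duties: assumed pairs of roles that one person must not hold together.
CONFLICTING_ROLES = [
    ("request purchase", "approve purchase"),
    ("develop software", "deploy to production"),
    ("create user account", "approve user account"),
]


def sod_violations(user_roles: dict) -> list:
    """Return (user, role_a, role_b) for every conflicting pair a single user holds."""
    found = []
    for user, roles in user_roles.items():
        held = set(roles)
        for a, b in CONFLICTING_ROLES:
            if a in held and b in held:
                found.append((user, a, b))
    return found


# Constructed sample data (not Plato's real files or staff).
FILES = {
    "press_release.txt": "Public",
    "fleet_maintenance_schedule.xlsx": "Confidential",
    "passenger_pii_export.csv": "Secret",
    "merger_plan.docx": "Top Secret",
    "unlabelled_notes.txt": "",            # never classified: must be denied
}
USERS = {
    "alice": {"clearance": "Secret",
              "roles": ["request purchase", "approve purchase"]},
    "bob": {"clearance": "Public", "roles": ["develop software"]},
}


def readable_files(user: str, files=FILES, users=USERS) -> list:
    """Files the user may read under the label rule, sorted by name."""
    clearance = users[user]["clearance"]
    return sorted(name for name, label in files.items() if can_read(clearance, label))


def audit() -> dict:
    """One compliance pass: what each user can read, plus SoD findings."""
    return {
        "readable": {u: readable_files(u) for u in USERS},
        "sod_violations": sod_violations({u: d["roles"] for u, d in USERS.items()}),
    }


if __name__ == "__main__":
    for user, names in audit()["readable"].items():
        print(f"{user}: {', '.join(names)}")
    for user, a, b in audit()["sod_violations"]:
        print(f"SoD violation: {user} holds both '{a}' and '{b}'")
```

In this sample, alice (Secret) can read everything except the Top Secret merger plan and the file that was never labelled, bob (Public) sees only the press release, and the audit flags alice for holding both the request and approval roles for purchases. Denying unlabelled files is the safe default; the asset-classification step in the table is what removes those gaps.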
Project Methodology
There are 4 major steps in the implementation of this project (Henning, 2009):
1. Project Initiation
   a. Leaders of each department submit a copy of their business processes.
   b. The Project Team Leader consolidates the processes and evaluates the documents.
   c. A proposal for an ISO 27000 implementation is submitted with proper justification.
   d. Management approves the proposal, and the go-signal is given along with a budget for planning and implementation.
2. Project Planning
   a. The Project Team Leader forms sub-teams composed of the Physical and Personnel Security Lead, the Operational Security Lead and the IT Security Lead.
   b. Each Security Lead submits an action plan that caters to all needs and improvements within their jurisdiction.
   c. All action plans must be submitted to the Project Leader.
   d. The Project Leader evaluates and approves the action plans and submits them to the Executive Management.
   e. The Executive Management approves the action plan for implementation.
3. Project Execution
   a. All Security Leads implement the tasks in their action plans.
   b. The Project Leader checks the progress and performance of the tasks.
   c. The Project Leader reports developments to the Executive Management.
4. Monitoring and Controlling Project Elements
   a. After all tasks are done, processes are continuously monitored by the Security Leads.
   b. Reports are submitted by the Project Leader every quarter.
   c. Internal and external audits are done for continuous improvement.

Implementation Strategy

Strategic Level
The whole organization must be aligned with ISO 27000 within the year.

Tactical Level
Managers must assess department assets and the security direction to ensure that processes are aligned to ISO 27000.

Operational Level
All processes and procedures must be standardized and followed as prescribed by the Quality Assurance (QA) team.
Success Measures
Accreditation is only the beginning of making the organization more secure. Success can be summarized in each of the following security domains:
1. Physical Security: The building facility is now equipped with proper preventive and detective tools like turnstiles and CCTV cameras. Authentication mechanisms such as a badge card system and biometrics are now deployed. Security guards are consistent in their inspection of both IDs and items brought inside the facility.
2. Operational Security: All policies are clear and followed by the organization. Guidelines, although recommendatory in nature, are also followed.
3. Network Security: Hardware security devices such as firewalls, IDS, DLP, etc. are deployed.
4. Host Security: All endpoint devices have AV and a personal firewall installed.
5. Application Security: All company devices are encrypted, making them more secure.

Lessons Learned
1. Aligning your organization with ISO 27000 is a very tedious and costly move, especially if the organization has not followed any relevant standards in the past.
2. The positive effects will not be experienced immediately. The benefits may be experienced after the transition or even months after the transition. It is important to note that leaders must be patient.
3. Getting the accreditation is just the beginning. Continuing the processes that were started is a very big challenge. The Executive Management must continue to support the initiatives of the Security Leads to maintain the accreditation. The Security Leads, on the other hand, must continue their observation and review to keep the organization updated at all times.
Work Breakdown Structure (WBS)
This work breakdown structure is patterned from SANS on ISO 27000 (Henning, 2009).

ISO Project WBS
1. Establish ISMS
   1.1 Define Scope of ISMS
   1.2 ISMS Policy
   1.3 Risk Assessment
   1.4 Select Controls
   1.5 Management Approval of Residual Risk
   1.6 ISMS Authorization
   1.7 Prepare SOA
2. Implement ISMS
   2.1 Risk Treatment
   2.2 Define Metrics
   2.3 Implement Training Program
   2.4 Manage ISMS
   2.5 Implement Incident Response Plan
3. Internal Audit
   3.1 Perform Monitoring
   3.2 Review ISMS Effectiveness
   3.3 Conduct Internal Audit
   3.4 Management Review of ISMS
   3.5 Update Security Plans
   3.6 Record Keeping
4. External Audit
   4.1 Implement Improvement
   4.2 Corrective/Preventative Actions
   4.3 Communicate Actions
   4.4 Improvement Metrics
   4.5 Contract 3rd Party Auditor
Bibliography
Harris, S. (2013). CISSP Exam Guide, 6th Ed. USA: McGraw Hill.
Henning, D. (2009, July 22). Tackling ISO 27001: A Project to Build an ISMS. USA.
ISO 27000 Central. (2015, 09 05). The ISO 27001 Certification Register. Retrieved from THE A-Z GUIDE FOR BS7799 AND ISO 27001 INFORMATION, ISO 27000 CENTRAL: http://www.17799central.com/cert.htm
ISO/IEC 27000:2014(E). (2014, 01 15). Information technology: Security techniques: Information security management systems: Overview and vocabulary. USA.
Pelnekar, C. (2015, 09 05). Planning for and Implementing ISO 27001. Retrieved from ISACA: http://www.isaca.org/journal/archives/2011/volume-4/pages/planning-for-and-implementing-iso27001.aspx