ISMS-Information Security Management System-Σύστημα Διαχείρισης Πληροφοριακής Ασφάλειας
1 like252 views
This document discusses Information Security Management Systems (ISMS). It begins by defining an ISMS as a set of practices and policies for managing security risks to information systems in a systematic way. It then describes the purposes and benefits of implementing an ISMS, which include providing governance, optimizing security, providing transparency, and reducing organizational and personal liability. The document outlines the risk-based methodology for implementing an ISMS, which involves identifying assets, vulnerabilities, risks, and applying security controls. It also discusses some common ISMS standards and frameworks.
ISMS-Information Security Management System-Σύστημα Διαχείρισης Πληροφοριακής Ασφάλειας
- 1. Παπαδάκης Κωνσταντίνος Αναλυτής Επιχειρήσεων Κυβερνοχώρου και Σύμβουλος Κυβεροάμυνας/Κυβερνοασφάλειας Papadakis Konstantinos Cyber-Information Warfare Analyst & Cyber Defense/Security Consultant ISMS Information Security Management System “… If cybercrime was a country, it would have the 13th highest GDP in the world…
- 2. Description ☺ The purposes and benefits of the implementation of an ISMS Temet Nosce ☺ Methodologies of the evaluation of risks and the selection of security controls in a ISMS ☺ Some well-known ISMS standards and frameworks ☺ Circular process of implementation of an ISMS
- 3. Definition Temet Nosce An Information Management Security System (ISMS) is a set of practices and policies followed to manage security risks to information systems in a systematic way
- 4. Definition Analysis Temet Nosce It is an organizational approach to information security Information assets are described & secured Information security risks are managed and mitigated Security policies together with their ownerships and guarantees are in place Adherence to security measures is inspected periodically
- 5. ISMS & Information Security Temet Nosce Confidentiality Information Security C.I.A. Information is accessible to authorized users when required Information is accessible to those authorized to access it only Information is accurate and complete, and is not modified without authorization
- 6. Purposes and Benefits Temet Nosce Providing Governance Optimizing Security Providing Transparency Reducing Organizational & Personal Liability
- 7. Purposes and Benefits-Providing Governance Temet Nosce ➢ Let Tech Pros take care of Info Sec ✓ Technical aspects only. ➢ Not proper staff training ➢ Physical Disasters
- 8. Purposes and Benefits-Optimizing Security Temet Nosce ➢ Risks ✓ NO Uncovered areas. ✓ NO Overprotected areas. ➢ Security Controls ✓ Don’t disturb main business processes. ➢ Limited Resources
- 9. Purposes and Benefits-Providing Transparency Temet Nosce
- 10. Purposes and Benefits-Reducing Organizational & Personal Liability Temet Nosce ➢ Bad Thing can happen. ➢ Never fully protected. ➢ Organizational & Personal liability ➢ Leakage of sensitive customer data ➢ Big penalties if: ✓ NO ISMS in place ✓ NO Safeguards ✓ NO Infosec Officer ➢ If proper ISMS in place= Force Majeure
- 11. Methodology Temet Nosce Risks Evaluation Security Controls Risk Based Approach
- 12. Risk Based Approach-Step 1 Temet Nosce Identification of Assets STEP 1
- 13. Risk Based Approach-Step 2 Temet Nosce Identification of Assets STEP 1 STEP 2 Identification of Vulnerabilities Vulnerability is a weakness in an information system, system security procedures, internal controls or implementation that could be exploited or triggered by a threat source
- 14. Risk Based Approach-Step 3 Temet Nosce Identification of Assets STEP 1 STEP 2 Identification of Vulnerabilities STEP 3 Identification of Risks Risk is an uncertain event or condition that, if occurs, may have an impact on information assurance, business objectives or activities
- 15. Risk Based Approach-Step 3 Temet Nosce Identification of Assets STEP 1 STEP 2 Identification of Vulnerabilities STEP 3 Identification of Risks Threat is a potential circumstance or event that could result in harm to a target (a potential attack, accident or error)
- 16. Risk Based Approach-Step 4 Temet Nosce Identification of Assets STEP 1 STEP 2 Identification of Vulnerabilities STEP 3 Identification of Risks STEP 4 Applying Security Controls to address the highest risks Security Controls are safeguards or countermeasures to avoid, detect, counteract or minimize security risks to physical property, information, computer systems or other assets
- 17. Risk Based Approach-Step 4 Temet Nosce Identification of Assets STEP 1 STEP 2 Identification of Vulnerabilities STEP 3 Identification of Risks STEP 4 Applying Security Controls to address the highest risks
- 18. Risk Based Approach-Pros & Cons Temet Nosce When using the Risk Based approach, the result is very precise. • It is quite a big effort, especially for smaller organizations, to use this approach. • The methodology is quite complex, it may be difficult to find good information about risks and vulnerabilities, and it is costly to keep it updated on a regular basis.
- 19. Baseline Approach Temet Nosce The Baseline Approach means the implementation of security controls without performing detailed risk calculations ➢ In an organization with a typical risk profile and a typical information system, risks can be calculated just once. ➢ Based on that, technical controls for information systems are derived. ➢ This is a fast process and it means less effort for the system
- 20. Combining Approaches Temet Nosce ➢ The Baseline Approach, because it is a quick solution, implemented first. ➢ Detailed Risk Assessments are carried out either only for the information systems that need high security or for the systems of the whole organization.
- 21. Standards & Frameworks Temet Nosce
- 22. International Standards: ISO/IEC 27000 series Temet Nosce ➢ These standards cover well the organizational aspects of information security management. ➢ Provide good guidance for transparent auditing ➢ Several national standards refer to them, especially in case of risk management. ➢ Not very detailed. ➢ Not technical enough to guide system administrators in defining security controls
- 23. International Standards: ISO/IEC 27001 Compulsory National Standard Temet Nosce ➢ Internationally recognized ISMS standard with a formal certification scheme. It can help provide a competitive advantage. ➢ Resource consuming
- 24. National Standards Temet Nosce ➢ US NIST Standards are well known as they separate the federal and national systems ➢ US NIST Standards provide better level of granularity than that of ISO/IEC standards but not as good as BSI Grundschutz ➢ BSI Grundschutz defines more than 3.000 controls and thus it is a very good handbook for more technically oriented people.
- 25. Organizational Frameworks Temet Nosce ➢ Organizations can develop their own frameworks tailored to their needs. ➢ Military organizations often have their own classified cyber security frameworks as the risk profile is different from that of civilian organizations
- 26. Implementation of ISMS Temet Nosce PLAN DO CORRECT (ACT) CHECK Establish the ISMS Policy Implement the ISMS Policy Assess and measure the effectiveness of the plan and its implementation Take corrective measures and change the system or the controls
- 27. Implementation of ISMS-NIST SP 800-37 Temet Nosce
- 28. Summary Temet Nosce ISMS is a formal system that helps to manage security risks to information systems. It includes Risk Management, selection and implementation of Security Controls and, after, assessment of Residual Risks. ISMS is NOT an IT discipline. It IS a discipline of management, because it deals with organizational risks. Most of ISMS implementations that have no management support are unsuccessful. Since a lot of controls are IT-related it is often the IT personnel that are driving the process. IT people usually have a good feeling of the best-practise security controls for different technologies. However, organizations and risks are different. The implementation of those best practices without the use of ISMS does not usually help provide optimal information security Security breaches can happen even if an organization has implemented an effective ISMS at an optimal security level. However, if the organization is able to demonstrate that the ISMS was properly implemented, the liabilities can be limited.
- 37. Temet Nosce If information is the key asset that is needed in your business, then ISMS helps to protect your business case ISMS delivered via ISO standards, is compatible with others in the market Company management is always involved in the security and always has access to information
- 38. Temet Nosce Your partners view you as more reliable, credible, and trustworthy ISMS certification opens doors to new business (for example better competitive position in the EU market) Information and data sources are utilized more efficiently
- 39. Temet Nosce ISMS makes your investments into information security more efficient ISMS brings the importance of information security to your employees and makes them more involved in your business ISMS changes the culture in your company (brings responsibility and accountability)
- 40. Temet Nosce This presentation is based on NATOs Course: JADL ADL 343 “Information Security Management System”
- 41. Know Thyself