ISOIEC 27001 Information Security Management Systems presented by Sam Weissfelner

1
ISO/IEC 27001Information SecurityManagement
Systemspresented by Sam Weissfelner

• Adding Value To Your Business

2
The CSA Group
1
3
About QMI

• Established in 1984
• Largest registrar in North America
• Technical expertise recognized globally
• Offices throughout the world
• Offer training services
• Our purpose is to help businesses get better

. . . What does this mean to you?
2
4
ADVANCING BUSINESS EXCELLENCE
We act with integrity to advance business
excellence, employing our knowledge, experience
and client focus to make standards work 3
5
Extensive Knowledge

• QMI is a Premiere Registrar that is
  Highly-Respected
• Direct link to one of the Worlds Leading
  Standard Bodies, CSA
• Participation on prestigious technical committees
  that write standards such as ISO 9001
• Involved with many accreditation and oversight
  bodies
• Brand is recognized around the World

4
6
International Organization for Standardization
(ISO)

• Credible
• Established in 1947
• Published over 16,077 international standards
• ISO meetings attract some 30,000 experts a year
• Decentralized
• Federation comprised of 156 national standards
  bodies
• National member bodies manage development work
• Consensus-based
• ISO standards are consensus based

7
Management systems

• Management systems are just thatsystems to
  manage a particular area or areas within an
  organization
• For instance, often companies have many
  management systems (e.g. quality, health
  safety, environment, finance, and, most recently,
  security of their IS system)

8
Management systems

• In 1987, ISO 9001, a quality management system
  (QMS), was first published to provide a standard
  for managing the quality of an organizations
  product (based on manufacturing, initially, with
  service being factored into the revisions issued
  in 1994 and then again in 2000)
• In 1996, ISO 14001, an environmental management
  system (EMS) was born, with a revision in 2004
• There are over 10,000 standards, but the most
  well-known ones are the management system
  standards, of which, ISO 27001, is one

9
What is an ISMS?

• Information Security Management System
• Strategic decision of an organization
• Design and implementation
• Needs and objectives
• Security requirements
• Processes employed
• Size and structure of the organization
• Scaled with needs simple situation requires a
  simple ISMS solution

10
Strategic Decision

• Adoption of an ISMS should be a strategic
  decision
• Design and implementation is influenced by the
  organizations needs and objectives, security
  requirements, the processes employed and the size
  and structure of the organization
• Scale the system in accordance with your needs,
  which may well change (simple situationsimple
  ISMS solution complex situationcomplex ISMS
  solution)

11
Introduction ISO 27001 ISMS

• ISO 27001 has been prepared to provide a model
  for
• Establishing
• Implementing
• Operating
• Monitoring
• Reviewing
• Maintaining
• and improving
• an Information Security Management System (ISMS)

12
Process Approach

• ISO 27001 has adopted a Process Approach, which
  means an organization needs to identify and
  manage many activities in order to function
  effectively
• Any activity using resources and managed in order
  to enable the transformation of Inputs into
  Outputs, can be considered to be a Process
• Inputs gtgtgtgtgtgtgt Process gtgtgtgtgtgtgt outputs
• Often, outputs from one process provide inputs
  into the next

13
Process Approach contd

• Process approach for ISMS encourages users to
  emphasize the importance of
• a) understanding an organizations information
  security requirements and the need to establish
  POLICY and OBJECTIVES for information security
• b) implementing and operating CONTROLS to manage
  an organizations information security risks in
  the context of the organizations overall
  business risks
• c) monitoring and reviewing the performance and
  effectiveness of the ISMS, and
• d) CONTINUAL IMPROVEMENT based on objective
  measurement

14
PDCA

• Plan, Do, Check, Act is to be applied to
  structure all ISMS processes
• Figure 1 on the next slide illustrates how an
  ISMS takes the information security requirements
  and expectations of the interested parties and,
  through the necessary actions and processes,
  produces information security outcomes that meets
  those requirements and expectations

15
Model of an ISMS
16
Management System Comparisons
EMS is defined as Part of an organizations
management system used to develop and implement
its environmental policy and manage its
environmental aspects ISO 140012004
QMS is defined as Management system to direct
and control an organization with regard to
quality ISO 90012000
ISMS is defined as That part of the overall
management system, based on a business risk
approach, to establish, implement, operate,
monitor, review, maintain and improve information
security ISO 270012005
17
Management System Comparisons
ISO 27001 Information Security Management
System ISO/IEC JTC 1, Information Technology,
subcommittee SC 27, IT Security techniques
Voluntary Standard MandatoryRequirements Focus
on Performance,Systems Documentation
ISO 14001 Environmental Management System TC
207 Voluntary Standard MandatoryRequirem
ents Focus on Performance,Systems
Documentation
ISO 9001 Quality Management System TC 176
Voluntary Standard MandatoryRequirements
Focus on Performance,Systems
Documentation
18
Business Case for an ISMS

19
Business Case for ISMS

• Recent Breaches
• Winners/HomeSense Up to 4 Million - customer
  information Dec 2006
• CIBC 470,000 customer information Dec 2006
• Boeing - 382 Current and Former Employees - Dec
  2006
• UCLA 800,000 people Dec 2006
• Starbucks 40,000 current and former employees
  Nov 2006
• Ontario Science Centre customer name on
  Notebook Nov 2006
• GE 50,000 employee names Oct 2006
• BC Government 250,000 BC residents Oct 2006
• Wells Fargo Numbers not disclosed Oct 2006

20
Business Case for ISMS

• Study Shows - Most common source of data leaks
• Lost or stolen laptops, Personal Digital
  Assistants or memory sticks/thumb drives - 45 of
  all incidents studied
• Records lost by third-party business partners or
  outsourcing companies 29
• Misplaced or stolen back up file 26
• Lost or stolen paper records 13
• Usage of malware (spyware) programs - 10
• U.S. Companies that reported a breach.
• Ponemon Data Breach Study October 2006 (US)

21
Business Case for ISMS

• Study Shows - Poor Protection
• 72 of the breaches occurred because the
  information was not properly protected, while
• 14 occurred because of malicious or insider
  attacks
• 14 other
• U.S. Companies that reported a breach.
• Ponemon Data Breach Study October 2006 (US)

22
Business Case for ISMS

• Study Shows Breaches Have High-Costs
• Data breach losses cost U.S. companies an average
  of 182 per compromised record in 2006 compared
  to 138 per record in 2005,  an increase of 31
• Approximately 128 of the cost per compromised
  record is related to indirect fallout, such as
  higher than normal customer turnover
• Each company surveyed parted with an average 4.7
  million in payouts and lost business in total
• Ponemon Data Breach Study October 2006 (US)

23
Business Case for ISMS

• Study Shows Breaches have High Operational
  Costs
• Expenses related to notifying customers, business
  partners and regulators were an average of
  660,000 per company
• U.S. companies paid almost 300,000 on average to
  investigate data leaks
• Costs related to setting up customer hotlines,
  offering credit monitoring services were just
  over 1.24 million on average
• U.S. companies lost an average of 98 per record
  in business in the 2006 study compared to 75 per
  record lost in 2005
• Ponemon Data Breach Study October 2006 (US)

24
Business Case for ISMS

• Canadian Comparison - Security Statistics
• 67 of Canadian organizations engage both
  business and IT decision-makers in addressing
  information security issues vs. 52 world wide
• 37 of respondents report having an overall
  security strategy in place
• 48 of organizations have increased security
  budgets in 2006
• 21 of respondents indicated that their IT
  security budgets were separate from the overall
  IT budget
• 43 of respondents were not at all or only
  somewhat confident in their outsourcers security
  and just 20 were very confident
• 61 of Canadian respondents have limited or no
  security training for their employees
• 33 of Canadian companies report that their
  physical and IT security functions report to the
  same executive vs. 40 globally
• 2006 Global State of Information Security (GSIS)
  survey September 2006

25
Sources of Information
Security Threats

• Computer-assisted fraud
• Espionage (Industrial)
• Sabotage
• Vandalism
• Fire or Flood
• Employees
• Hacking, Worms, Viruses
• Addition of new technology
• NOTE Source ISO/IEC 177992005 Section 0.2

26
Information as an Asset

• Information is
• An asset that, like other important business
  assets, is essential to an organizations
  business and consequently needs to be suitably
  protected.
• Source ISO/IEC 179992005 Section 0.1
• Asset Definition
• anything that has value to the organization
• Source ISO/IEC 270012005, 3.1

27
Information Security

• Information Security Definition
• preservation of confidentiality, integrity and
  availability of information in addition, other
  properties, such as authenticity, accountability,
  non-repudiation, and reliability can also be
  involved
• Source ISO/IEC 270012005

28
Confidentiality, Integrity, Availability
29
Privacy Risks and Threats
30
Summary
Business Case for ISMS

• Loss of business
• Loss of brand equity
• Need for breach notifications (costly)
• Loss of productivity and increase call centre
  operations (greater number of complaints)
• Cost to repair and add additional controls
• Litigation
• Fines
• Violation of contractual requirements and the
  potential loss of customer contracts

31
Business Case for
ISO/IEC 27001

• The goal of ISO 27001 is to
• Provide the standard for Information Security
  Management Systems
• Consists of 11 control sections, 39 control
  objectives, and 133 controls
• Provide the base for third-party recognition
• ISO 27001 Registrations/Certifications
  demonstrate conformance to the standard

32
Annex A

• Application of controls in Annex A is mandatory.
  Reasons for selection exclusions must be
  explained in the Statement of Applicability
  (4.2.1j )
• A. 5 Security policy
• A. 6 Organization of information security
• A. 7 Asset management
• A. 8 Human resources security
• A. 9 Physical and environmental security
• A.10 Communications and operations management
• A.11 Access control
• A.12 Information systems acquisition,
  development and maintenance
• A.13 Information security incident management
• A.14 Business continuity management
• A.15 Compliance

33
Additional benefits of
implementing an ISO 27001 system

• Provides the means for information security
  corporate governance and legal compliance
• Provides for a market differentiator
• Focus of staff responsibilities and create
  security awareness
• Enforcement of policies and procedures

34
Thank You!To contact QMI clientservices_at_qmi.c
om(800) 465-3717www.qmi.com
35
Question Answer Session