Information Security Management System - PowerPoint PPT Presentation

Description: Shift from paper-based to IT-based information. Increasing need for access to information ... Speed of change. Security versus flexibility. Security versus ...

Slides: 32
Provided by: ssma7

Transcript and Presenter's Notes

1
Information Security Management System
  • Relevance to Cert-Rail
  • S. S. Mathur, Director (Computerization and
    Information Systems), Railway Board

2
Why focus on Information Security?
  • Increasing dependence on information as a
    resource
  • Shift from paper-based to IT-based information
  • Increasing need for access to information
  • Customer expectations
  • Legislation
  • Right to Information Act
  • Speed of change
  • Security versus flexibility
  • Security versus accessibility

3
Secure Information System
  • Information availability should be controlled
  • It should be available to all authorized persons
    when they need it
  • It should be unavailable to unauthorized persons
  • A continuous process to manage the information
    should be in place
  • Information security involves
    • Confidentiality
    • Integrity
    • Availability
    • Traceability

4
Threats and Vulnerabilities
  • Threats come from different sources
  • Threats can be identified
  • Vulnerabilities exist in the system
  • Threats exploit Vulnerabilities

5
Risks of insecure systems
  • Risks vary with the nature of information
  • Risks can be assessed
  • Risks depend on vulnerabilities and associated
    threats
  • The degree to which the risk can be mitigated
    should be decided
    • Know the risk
    • Assess the cost of mitigation
    • Live with the risk or mitigate it

6
Countering information security threats
  • Identify the risks
  • Identify their associated vulnerabilities
  • Identify the associated threats
  • Minimize the vulnerabilities
    • Change procedures
    • Add a security layer
    • Reclassify information

7
The need for a formal system
  • By the late 1980s, need for a code for
    information security was felt
  • First addressed in the UK in 1989
  • Resulted in the BS 7799:1995 standard
  • Current standards are ISO/IEC 17799:2000 and
    BS 7799:2002
  • Future: ISO 27000 series of standards

8
Where does Cert-Rail fit in?
  • The role of a Cert is to proactively look for new
    vulnerabilities and threats
  • A pre-requisite is to know the existing
    vulnerabilities and threats
  • Cert-Rail's first steps
    • Assigning Information Security roles and
      responsibilities in all units of Indian Railways
    • Training staff in the area of Information
      Security
    • Establishing Information Security Policies in all
      units

9
The Information Security Management System
  • Set of formal procedures
  • Adequate and proportionate security controls for
    protection of Information Assets
  • Procedures to be followed by persons within the
    organization
  • System to give confidence to customers and other
    stakeholders

10
PDCA (Plan-Do-Check-Act)
  • An effective ISMS is based on the PDCA cycle
  • Plan: make an effective security policy
  • Do: implement the plan
  • Check: is the plan working?
  • Act: change the things that don't work
  • An effective ISMS needs continuous effort

11
Plan: establish the ISMS
  • Assess threats, vulnerabilities and risks
  • Establish security policy, objectives, targets,
    processes and procedures
  • Aimed at managing risk and improving information
    security

12
Do: implement and operate the ISMS
  • Implement and operate
    • Security policy
    • Controls
    • Processes and procedures

13
Check: monitor and review the ISMS
  • Assess and, where applicable, measure process
    performance
    • Against security policy and objectives
    • Against practical experience
  • Report results for management review

14
Act: maintain and improve the ISMS
  • Based on the results of the management review
    • Take corrective action
    • Take preventive action
  • Aim to achieve continual improvement of the ISMS
    • To take care of new threats, vulnerabilities and
      associated risks

15
The first step: establishing a Security Policy
  • All Cert-Rail members must establish a security
    policy
    • Identify important information assets
    • Fix ownership and responsibilities
    • Identify threats to these assets
    • Identify vulnerabilities that these threats may
      exploit

16
The Security Policy: assessing risks
  • Assess the impact of each possible adverse
    incident
  • Assess the realistic likelihood of such an
    incident occurring
  • Estimate the level of risk
  • Determine whether the risk is acceptable or needs
    mitigation

17
Treatment of risks
  • Accept the risk
  • Avoid the risk
  • Transfer the risk to other parties (insurers,
    suppliers)
  • Apply appropriate controls

18
Contents of the Security Policy: Organization
  • Roles and responsibilities for
    • Protection of individual information assets
    • Identifying and managing risks
    • Providing security awareness
    • Reviewing information security incidents
    • Providing business continuity
  • Authorization process for
    • New information facilities
    • Access to information assets not covered by the
      existing procedures
  • Reviewing security policy

19
Contents of the Security Policy: Assets
  • Assets covered within the scope of the policy
    • Information assets: databases and data files,
      system documentation, operational / support
      procedures, archived information
    • Software assets: application software, system
      software, development tools
    • Physical assets: computer equipment,
      communication equipment, storage media, technical
      equipment, furniture
    • Services: lighting, heating, air-conditioning,
      power supply, housekeeping

20
Contents of the Security Policy: Asset
Classification
  • Assets should be classified based on the extent
    of sharing / restriction necessary
  • Procedures for information assets should cover
    • Copying
    • Storage
    • Transmission, by electronic means or voice
    • Destruction
  • Assets should be labeled, physically or
    electronically
  • Information sensitivity is often time-bound
  • Classification system should be as simple as
    possible

21
Contents of the Security Policy: Personnel
  • Information Security should be part of job
    definition
  • Personnel screening
  • User training in information security
  • Responding to security incidents
    • Reporting incidents
    • Reporting security weaknesses
    • Reporting software malfunctions
    • Learning from incidents

22
Contents of the Security Policy: Physical Security
  • Security perimeters, manned reception area
  • Physical entry controls for secure areas
  • Procedures for working in secure areas
  • Isolated delivery / loading areas
  • Equipment siting: safety from
    • Theft
    • Fire, flood
    • Dust, vibration, chemicals, rodents
  • Secure disposal / reuse of equipment

23
Contents of the Security Policy: Third Party
Access
  • Third party access to information processing
    facilities should be controlled
    • Physical access
    • Logical access
  • Type of access should be controlled
    • Support staff: system level / hardware level
      access
    • Application maintenance: low level application
      access
    • Trading partners: exchange information, access
      databases

24
Contents of the Security Policy: Operations
Management
  • Documented operating procedures
  • Operational change control
  • Incident management procedures
  • Contingency plans
  • Audit trails
  • Recovery mechanisms
  • Segregation of duties
  • Separation of development and operational
    facilities

25
Contents of the Security Policy: Access Control
  • System access control
    • User registration
    • Privilege management
    • Review of access rights
  • Application access control
  • Network access control
  • Monitoring system access and use
  • Mobile computing

26
Contents of the Security Policy: Application
Development and Maintenance
  • Security requirements analysis
  • Cryptographic controls
  • Change control procedures
  • Covert channels and Trojan code

27
Contents of the Security Policy: Business
Continuity Management
  • Business continuity and impact analysis
  • Testing, maintaining and reassessing business
    continuity plans

28
Contents of the Security Policy: Regulations
  • Adherence to all existing legislation
    • IT Act 2000
    • Right to Information Act 2005
    • Indian Railways Act
    • Intellectual Property Rights
  • Adherence to internal procedures
    • Codal provisions
    • Other local orders
    • Audit provisions

29
Subsequent steps
  • Implementation can start as soon as an acceptable
    draft security policy is in place
  • In parallel, staff should be given specific
    responsibilities
  • Training programs will be announced by the Board
    from time to time
  • Incident Response Teams to be set up in each unit
    when the Security Policy is established

30
Conclusion
  • Information security shall become increasingly
    important for Indian Railways
  • The time for preparation is now
  • Suggestions are welcome

31
Thank you
  • S. S. Mathur, Director (Computerization and
    Information Systems), dmecis_at_rb.railnet.gov.in