Building a comprehensive Information Security plan requires a detailed understanding of the business and its related requirements. An Information Security plan should ensure that the business requirements are captured and that the related risks and controls are addressed in the plan. The plan shall provide "Defense in Depth" for the information.
This article focuses on an overall information security management system. This is in line with industry best practices like ISO27001, COBIT and SSE-CMM, and legislative requirements like HIPAA, SAS70 etc. To help organizations kick-start their information security practices, I have developed the following checklist.
POLICY: I would love to work in this area if I were given the chance. This is where you define the practices. A policy reflects the management's intention towards achieving information security, and every policy has to be approved by an authority in an approving capacity. Policies shall include an Information Security Policy and an Acceptable Use Policy. In addition to policies, you should develop standards and operating procedures. Finally, you need to have roles and responsibilities defined to ensure that the policies and procedures are enforced by the responsible users.
USER ACKNOWLEDGEMENT: Now you have policies and procedures. These need to be understood by the employees; this can be achieved through training, and you need to retain proof of it. A written (nowadays electronic) acknowledgement of their understanding and acceptance of the infosec policies needs to be obtained. If you have third parties (contractors, vendors etc.) accessing your information, the acknowledgement applies to them as well.
CONFIDENTIALITY AGREEMENTS: OK, now it's time to include legal clauses in your business for securing the information. Execute signed confidentiality agreements before disclosing any sensitive or proprietary information to outside users. It is good practice to have an NDA with employees too (recent surveys show that internal threats materialize faster than external ones).
PHYSICAL SECURITY: Protect your physical infrastructure. Identify the physical entry points to the organization and ensure that only authorised users enter the premises. Protect the paper documents spread across your desk and printer, and close your shelves before you leave. Lock or log off your computers when unattended.
PROTECTION AGAINST MALICIOUS SOFTWARE: Deploy antivirus software across the enterprise. Hmmm. OK, I would rather say: plan a process/system to protect your information systems from malicious software attacks. The reason I use the word "process" is that you have to regularly update the virus definition files so that your defences keep up with newly released viruses.
SOFTWARE PATCHES: You shall plan for a Patch Management system by which you can ensure that all systems are patched with the latest security updates (please test the patches before deploying them).
NETWORK SECURITY: Document your network perimeter (just as you did with the physical perimeter). All connections to external networks should be documented, authorized by management (Network Manager or above), and protected by firewalls and IDS. (Think about the desktops with modems connected.) Establish VPNs for extranet communication. Define an incident response plan and TEST it.
REMOTE ACCESS: Develop best practices for establishing remote access connectivity. Again, think about modems.
PASSWORDS: Very key in establishing a security framework. More on passwords in my next blog post; please wait till then.
DATA SECURITY: Ensure that only authenticated and authorized users have access to the data.
AUDITS: Audit everything related to Information Security. Do vulnerability assessments on your computers and network devices. Audit the process and policy flows. Audit for illegal software. Yes, you have to do the auditing regularly, so the best approach is to prepare an audit plan and allocate an audit committee.
BUSINESS CONTINUITY PLAN: Ensure that you have business continuity. Identify key business objects (people, process, material, place, etc.). Document a plan for continuing business operations in case of an emergency. It shall include data backup and restore procedures, alternate facilities, replacement resources, etc.
Introduction
Information Security is becoming more and more important in the present and coming days of business. To meet the increasing demand for protecting information, a lot of standards, guidelines, regulations and legal requirements have been developed. With this article, I am summarizing the requirements for an effective Information Security Management System.
The 10 Steps/Phases
- Assess the security posture
- Draft an Information Security Strategic Plan
- Review & create policies and standards
- Get management buy-in
- Prepare Information Security Plan
- Assign Information Security Responsibilities
- Form a cross functional management forum
- Implement an incident response team
- Security awareness program
- Include Security into the organizational process framework
Let's have the details below.
Assess the Security posture
During this phase, various tools are used to assess the security status of your organization's computing applications, networks, servers and desktops. This will result in a report which describes the security posture of your environment.
If it does not have the expertise in-house, an organization can hire external parties to assess its security posture. This phase will show the gap between the present status and the status you want to achieve.
Information Security Strategic Plan
"Well planned is half done", as the quote says. Anyway, this is an important step. The plan needs to capture your thoughts on how to fix the weaknesses you identified in phase 1. This will enable management to understand the requirements of Information Security and works as a justification for the budget you might ask for.
Include all the stakeholders in the plan and ensure that the responsibilities for the security improvements are spread across all your organizational units.
Finally, no plan means everything you present is ad hoc, and management buy-in might be a difficult task.
Policies and Procedures
Assess the policies, if any. The policies shall meet the regulatory and legal requirements of the law of the land. More than that, policies shall address the organizational goals and mission and, most of all, the management commitment. A policy says what the end result should be. Policies shall be supported and enforced by standards and procedures.
The policies shall be supported by standards. A standard is the rule which says what will be allowed in order to meet the organizational goal. A procedure is a detailed, step-by-step description of how to do what is allowed.
Policies shall have the following characteristics:
- Focused on business, not on technology
- Represent the best interest of the organization
- Help everyone to attain their goals and represent the common benefit
- Address legal and regulatory requirements
- Come from top management
- Be enforceable
- Last, but not least, sound like common sense
Get management buy-in
This stage is crucial for a successful implementation of the ISMS. Up to this phase we have done the analysis; now it is time to implement the plan. To ensure acceptance by the end users, it has to be pushed from management. So you need to convince management of the importance of Information Security and how it will benefit the organization:
- Talk business benefits rather than technical advantages
- Get their involvement in deciding the most critical weaknesses from the business point of view
- Give an overall idea of the resource requirements, including people, process and technology
- Budget: you decide
Annual Plan: Information Security
So you got management support, and now it's time to write an implementation plan. Write an annual Information Security Plan. It shall include the following:
- Approach to protect the weaknesses identified
- Writing of standards, procedures and guidelines
- Review of your existing security posture periodically
- Management review meetings
- Auditing plan
- Corrective and preventive action plans
- Costs or budget
Assign Information Security Responsibilities
Now it is time to form teams to implement Information Security. Assign the responsibility to a single employee, normally the CISO or ISO; for our reference we will use CISO as the person responsible for the implementation of the ISMS. Let the CISO form a team of specialized experts. This team then has to work with the cross-functional groups, and responsibilities shall be assigned to those groups. This keeps the Information Security team's staffing to a minimum and ensures participation from the other teams such as HR, Sales, Business Development, Marketing and the core business function.
The Information Security team should oversee the implementation rather than actually implement it. A separate auditing team shall be formed, and regular audits shall be performed to identify improvement opportunities.
Another approach is to outsource both functions. Decide which is the best strategy for your organization.
Form a cross-functional management forum
Further to the discussion in the above phase, form a management forum with representation from all the departments of the organization. Information Security is the responsibility of everyone in the organization. Make all leaders propagate the concept of information security to their respective teams.
This will also help you solve inter-team conflicts related to information security and will provide a platform to discuss the issues.
Incident Response program
An incident response program is the platform through which security incidents get reported. This will help you identify which incidents occur frequently, how critical they are, and what measures need to be incorporated to improve the organization's security posture.
A team shall be organized to analyze the type of incidents, their root cause, and the corrective and preventive actions.
A reduction in the number of incidents, and in how recent they are, will show whether you are on the right track. During this process, address the following:
- Prepare a plan, policy and specific procedures for responding to incidents
Security awareness program
"Security is as strong as your weakest link." This phrase is used by many security professionals, and I support it. So who is the weakest link? In my experience, it is human beings. Say an employee has a strong password; if he tells it to someone, the password has lost its strength.
Educate everyone in your organization, your contractors and others whom you consider important for your information security.
Use various methods like corporate presentations, role-play, induction training etc. Find innovative ways to perform this activity.
Integrate to organizational process framework
Now integrate this into your organizational process framework, such as CMMi, PCMM, ISO9001 etc. This will give employees one single process framework. Otherwise, there will be a lot of resistance from the employees when you perform an audit or ask the teams to send a separate report for information security.
Information Security is a business requirement. An organization should follow process-based security rather than product-based security.
Information Security Standards
Information Security is a business requirement in today's corporate world. These requirements are driven either by business need or by regulations. Many organizations find it difficult to derive a framework for defining the requirements. Publicly accepted, well-known Information Security Standards come in handy at this stage. There are many standards available, and ISO27001 is an ISO accredited standard for Information Security Management.
What is ISO27001?
ISO 27001 is derived from the well-known BS7799 Standard. In 2005, BSI published a new version of the BS7799 standard, which was also adopted by ISO as the ISO 27001 standard.
Why should you implement it?
There are several reasons why an organization should implement the ISO27001 standard, and the primary one will be business demand. Everyone who deals with you needs to keep their information secure. ISO27001 certification confirms that a certain level of protection is in place to protect the information and data handled.
ISO 27001 also works as a framework from which one can start the information security management initiative in your organization.
Steps involved in implementing ISO27001
There are different ways of implementing ISO27001, and the exact steps may not be reproducible for another organization. The steps given below are a high-level overview. Details need to be defined for every organization and will be unique to it.
- Define the scope of implementation
- Define the Corporate Information Security Policy / Statement
- Identify information assets and classify them
- Define a risk assessment and management methodology and identify the risks associated with each asset
- Map the ISO27001 controls which are applicable for mitigating the identified risks
- Document the Statement of applicability using the selected controls
- Define the associated policies, standards and procedures
- Communicate the policies and procedures to the entire organization
- Implement the identified controls and document them
- Perform security awareness training for the organization
- Conduct periodic internal audits
- Engage a third party to do audits
- Proactively close the gaps identified during the audits
- Maintain metrics of the security practice to ensure continuous improvement
- Perform the certification audit
- Post certification tasks
The post-certification phase is important for any organization. Unlike other certifications, ISO27001 requires you to undergo periodic surveillance audits and show continuous improvement in Information Security Management.
This requires organizations to continuously improve their security management. Perform periodic audits, publish the audit reports and close all the findings. This becomes a never-ending cycle, and continuous improvement needs to be captured using metrics.
This post is just a high-level overview of implementing ISO 27001.