a.k sharma, stqc
TRANSCRIPT
-
8/12/2019 A.K Sharma, STQC
1/31
Mitigating Risks Through ISMS Framework
by
A K Sharma, Additional Director
STQC, Department of IT, Ministry of Communications & IT
Govt. of India
-
STQC- A Brief Overview
3/10/2014 Risk Mitigation Through ISMS Framework 2
-
Standardisation Testing & Quality Certification
Directorate
Department of Electronics and Information Technology
Govt. of India
-
Objective
To be a key enabler in making Indian IT organisations
achieve compliance with International Quality Standards and
compete globally
-
STQC Core Functions (diagram)
Certification: STQC Certification Cells
Training: CETEs and IIQM
Testing: Test Laboratories
Calibration: Calibration Laboratories
IT Services: STQC IT Centres
-
STQC Network
Countrywide network comprising STQC HQs at New Delhi and 15 subordinate units.
Locations: Bengaluru, Mohali, Solan, Delhi, Agartala, Guwahati, Pune, Goa, Thiruvananthapuram, Mumbai, Kolkata, Hyderabad, Chennai, Jaipur
Unit types: STQC HQs; Regional Test Labs; Test & Dev. Centres; Centre for Reliability; Regional Certification Cells; IT Services; Centre for Electronics Test Engg; Indian Institute for Quality Management
-
STQC Services for IT Sector
Standards formulation
Software Quality evaluation
Information Security
Quality Management in IT Industry
IT Service Management
Quality Assurance Services for eGov
-
Framework for Risk Mitigation
What Type of Framework ?
-
Framework which is:
Flexible to incorporate other best practices (IM, RM, BCM, SLM, ...)
Dynamic in keeping pace with changing technological infrastructure
Effective enough to address business needs
Covers key issues related to People, Process, Technology
-
Why ISO/IEC 27001 Framework
Based on risk assessment & treatment
Importance given to the business context
Emphasis on management of technology (change and configuration management)
Effective mix of HR, technical, legal and contractual issues
Demonstrable compliance through third-party certification
-
What is needed?
Management concerns
Market reputation
Business continuity
Disaster recovery
Business loss
Loss of confidential data
Loss of customer confidence
Legal liability
Cost of security
Security Measures/Controls
Technical
Procedural
Physical
Logical
Personnel
Management
-
ISO/IEC 27001:2005 Annex A: Addressing Management Concerns
A.5 Security policy
A.6 Organization of information security
A.7 Asset management (asset classification & control)
A.8 Human resources (personnel) security
A.9 Physical & environmental security
A.10 Communications & operations management
A.11 Access control
A.12 Information systems acquisition, development & maintenance
A.13 Information security incident management
A.14 Business continuity management
A.15 Compliance
-
ISO/IEC 27001:2013 High Level Structure
Introduction
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the ISMS
4.4 Information security management system
5. Leadership
5.1 Leadership and commitment
5.2 Policy
5.3 Organizational roles, responsibilities and authorities
6. Planning
6.1 Actions to address risks and opportunities
6.2 Information security objectives and planning to achieve them
7. Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
7.5.1 General
7.5.2 Creating and updating
7.5.3 Control of documented information
8. Operation
8.1 Operational planning and control
8.2 Information security risk assessment
8.3 Information security risk treatment
9. Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
10. Improvement
10.1 Nonconformity and corrective action
10.2 Continual improvement
-
6. Planning
6.1 Actions to address risks and opportunities
When planning for the ISMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:
a) ensure the ISMS can achieve its intended outcome(s);
b) prevent, or reduce, undesired effects; and
c) achieve continual improvement.
The organization shall plan:
a) actions to address these risks and opportunities; and
b) how to
1) integrate and implement the actions into its ISMS processes; and
2) evaluate the effectiveness of these actions.
-
8. Operation
8.2 Information Security Risk Assessment
8.3 Information Security Risk Treatment
-
Risk Assessment: Building Block for ISMS (process flow diagram)
Understand business requirements (inputs: documents & management inputs)
Review current IS security environment status (appraisal; training)
Study critical information assets (training)
Analyze risks & exposures (risk analysis; training)
Develop security policy and plan (policy review)
Implement & operate ISMS (training; technical compliance; network review)
Internal audit
ISMS certification
-
Risk Assessment Components and their Relationship (diagram)
Threats exploit vulnerabilities and increase security risks.
Vulnerabilities expose assets and increase security risks.
Assets have values & impacts; asset values increase security risks.
Security risks indicate security requirements.
Security requirements are met by security controls.
Security controls protect against threats and reduce security risks.
-
RA/RTP in ISO/IEC 27001
Driven by ISO 31000: 2009
Risk Management Principles and Guidelines
Establishes Principles needed to manage risks effectively
-
Relationships between RM Principles, Framework and Processes (figure, from ISO 31000)
-
Principles (ISO 31000:2009)
a) Creates value
b) Integral part of organizational processes
c) Part of decision making
d) Explicitly addresses uncertainty
e) Systematic, structured and timely
f) Based on the best available information
g) Tailored
h) Takes human and cultural factors into account
i) Transparent and inclusive
j) Dynamic, iterative and responsive to change
k) Facilitates continual improvement and enhancement of the organization
-
Information security risk management process (figure; source: ISO/IEC 27005:2008)
-
Possible inputs for the risk assessment process
List of known threats and vulnerabilities
History of natural/un-natural disturbances in the location(s) of operation
Past security incidents/breach data
Vulnerability assessment reports
Penetration test reports
Discussion with stakeholders
-
(Possible) Pitfalls in risk assessment
Unavailability of proper data of the kinds listed on the previous slide.
Risk assessment tends to be a voluminous task and is therefore abandoned midway.
Risk assessment output is fitted to the risks that are already known and manageable, instead of being derived from the assets, threats and vulnerabilities.
Not all assets are covered in the risk assessment.
Risk assessment output is either too optimistic (all risks within acceptable limits) or too pessimistic (most assets beyond acceptable risk).
-
Practical tips
Finalise the RA and RM procedure first.
The procedure should be sufficiently detailed: it needs adequate granularity so that the resulting risk values have enough resolution to distinguish assets of different value and their associated threats and vulnerabilities.
Train the groups concerned on this procedure.
All asset owners identify the risks to their own assets; a common person may consolidate the results to ensure uniformity.
Risk assessment should be an iterative exercise. For assets found to carry higher risk, hold a moderation session with the stakeholders and the security co-ordination group before the findings are presented to management.
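The following Python script is an added example, not code from the original slides or from STQC: it turns the procedure above (asset values, threats, vulnerabilities, an acceptable risk level, iteration after a control) into a minimal risk register and runs the checks that the pitfalls slide asks for. The additive scoring scale is an assumption for illustration, modelled on the asset-value / threat-likelihood / ease-of-exploitation matrix in ISO/IEC 27005 Annex E; the assets, threats and the acceptable level of 5 are constructed sample data.

```python
"""Minimal ISMS risk register with the sanity checks the slides call for.

Added example; it is not part of the original slides nor of any STQC,
ISO/IEC 27005 or ISO 31000 publication. Scoring scheme (an assumption for
illustration, modelled on the additive matrix in ISO/IEC 27005 Annex E):
    risk = asset value (0..4) + threat likelihood (0..2) + ease of exploitation (0..2)
giving a score from 0 to 8. Management sets the acceptable risk level;
anything above it needs treatment. The register below is constructed sample data.
"""
from dataclasses import dataclass, replace

LEVEL = {"low": 0, "medium": 1, "high": 2}   # used for both likelihood and ease


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    asset_value: int      # 0..4, highest = most critical to the business
    threat: str
    likelihood: str       # likelihood of the threat: low / medium / high
    vulnerability: str
    ease: str             # ease of exploiting the vulnerability: low / medium / high


def risk_score(entry: RiskEntry) -> int:
    """Additive score 0..8; raises on out-of-range input instead of guessing."""
    if not 0 <= entry.asset_value <= 4:
        raise ValueError(f"{entry.asset}: asset value must be 0..4")
    return entry.asset_value + LEVEL[entry.likelihood] + LEVEL[entry.ease]


def assess(entries, acceptable):
    """Score every entry; 'treat' is True where the risk exceeds the acceptable level."""
    return [
        {"asset": e.asset, "threat": e.threat, "vulnerability": e.vulnerability,
         "risk": risk_score(e), "treat": risk_score(e) > acceptable}
        for e in entries
    ]


def residual_risk(entry, *, likelihood=None, ease=None):
    """Re-score an entry after a control changes likelihood and/or ease (one iteration)."""
    changed = replace(entry,
                      likelihood=likelihood or entry.likelihood,
                      ease=ease or entry.ease)
    return risk_score(changed)


def register_checks(assets_in_scope, entries, acceptable):
    """Warnings for the pitfalls on the slides: assets in scope but never assessed,
    and an output that is uniformly optimistic or pessimistic."""
    warnings = []
    covered = {e.asset for e in entries}
    for asset in sorted(set(assets_in_scope) - covered):
        warnings.append(f"asset in scope but not assessed: {asset}")
    worst = {}                       # highest risk seen per asset
    for e in entries:
        worst[e.asset] = max(worst.get(e.asset, 0), risk_score(e))
    above = sum(1 for s in worst.values() if s > acceptable)
    if worst and above == 0:
        warnings.append("every asset within acceptable risk: output may be too optimistic")
    elif above > len(worst) / 2:
        warnings.append(f"{above} of {len(worst)} assets above acceptable risk: "
                        "output may be too pessimistic, or the acceptable level is too low")
    return warnings


# Constructed sample register (not real data).
ASSETS_IN_SCOPE = ["customer database", "payment gateway", "HR file server",
                   "office Wi-Fi", "source code repository"]
SAMPLE = [
    RiskEntry("customer database", 4, "SQL injection via web app", "high",
              "unvalidated input on search form", "high"),
    RiskEntry("customer database", 4, "backup tape theft", "low",
              "unencrypted off-site tapes", "medium"),
    RiskEntry("payment gateway", 4, "admin credential theft", "medium",
              "no MFA on admin console", "high"),
    RiskEntry("HR file server", 2, "ransomware", "medium",
              "missing OS patches", "medium"),
    RiskEntry("office Wi-Fi", 1, "eavesdropping", "medium",
              "shared WPA2 key written on a notice board", "high"),
]
ACCEPTABLE = 5   # acceptable risk level set by management (assumption)

if __name__ == "__main__":
    for row in assess(SAMPLE, ACCEPTABLE):
        print(f"{row['risk']}  {'TREAT ' if row['treat'] else 'accept'} "
              f"{row['asset']}: {row['threat']} / {row['vulnerability']}")
    for w in register_checks(ASSETS_IN_SCOPE, SAMPLE, ACCEPTABLE):
        print("WARNING:", w)
    # Iteration: parameterised queries make the SQL injection hard to exploit, but the
    # residual risk stays above the acceptable level, so a further control or an
    # informed decision to retain the risk is still required.
    print("residual after parameterised queries:", residual_risk(SAMPLE[0], ease="low"))
```

The coverage check is what catches the "all assets not covered" pitfall: the constructed source code repository is in scope but has no entry, so it is reported. Lowering ACCEPTABLE to 3 trips the pessimism warning and raising it to 8 trips the optimism warning, which is the granularity point of the tips: if every asset lands on the same side of the line, the scale or the threshold needs re-examination before the findings go to management.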
-
Summary
Risk assessment is one of the most important tasks in evaluating the security requirements of the organization.
The organization needs to evolve a suitable risk assessment strategy and define the acceptable risk levels.
Risk assessment should cover all the assets within the ISMS scope.
Risk assessment is not a one-off exercise and has to be repeated periodically.
-
THANK YOU
-
PROCESS FLOW DIAGRAM
-
Risk management
The process of identifying, controlling and minimizing or eliminating security risks (that may affect information systems) at an affordable cost.
RM includes RA and risk treatment.
Risk treatment options (figure): Avoid, Reduce probability, Transfer, Accept
-
EXTERNAL CONTEXT
The external context is the external environment in which the organization seeks to achieve its objectives.
The external context can include:
the social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
key drivers and trends having impact on the objectives of the organization; and
relationships with, perceptions and values of external stakeholders.
-
RISK TREATMENT
Risk treatment options (ISO 31000:2009, clause 5.5.1):
a) avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
b) taking or increasing the risk in order to pursue an opportunity;
c) removing the risk source;
d) changing the likelihood;
e) changing the consequences;
f) sharing the risk with another party or parties (including contracts and risk financing); and
g) retaining the risk by informed decision.