A.K. Sharma, STQC

Upload: kings-park

Post on 03-Jun-2018


TRANSCRIPT

  • 8/12/2019 A.K Sharma, STQC

    1/31

    Mitigating Risks Through ISMS Framework

    by

    A K SHARMA, Additional Director

    STQC, Department of IT, Ministry of Communications & IT

    Govt. of India

    [email protected]

  • 2/31

    STQC- A Brief Overview

    3/10/2014 Risk Mitigation Through ISMS Framework 2

  • 3/31

    Standardisation Testing & Quality Certification Directorate

    Department of Electronics and Information Technology

    Govt. of India

  • 4/31

    Objective

    To be a key enabler in making Indian IT organisations achieve compliance with International Quality Standards and compete globally

  • 5/31

    STQC Core Functions (diagram)

    Core functions: Certification, Training, Testing, IT Services, Calibration

    Delivered through: Calibration Laboratories, Test Laboratories, STQC Certification Cells, CETEs and IIQM, STQC IT Centres

  • 6/31

    STQC Network (map): countrywide network comprising STQC HQs at New Delhi and 15 subordinate units

    Locations: Delhi (HQs), Mohali, Solan, Jaipur, Kolkata, Guwahati, Agartala, Mumbai, Pune, Goa, Hyderabad, Bengaluru, Chennai, Thiruvananthapuram

    Unit types: Regional Test Labs, Test & Dev. Centres, Centre for Reliability, Regional Certification Cells, IT Services, Centre for Electronics Test Engg, Indian Institute for Quality Management

  • 7/31

    STQC Services for IT Sector

    Standards formulation

    Software quality evaluation

    Information security

    Quality management in IT industry

    IT service management

    Quality assurance services for eGov

  • 8/31

    Framework for Risk Mitigation

    What type of framework?

  • 9/31

    A framework which is:

    Flexible enough to incorporate other best practices (IM, RM, BCM, SLM ...)

    Dynamic in keeping pace with changing technological infrastructure

    Effective enough to address business needs

    Covers key issues related to people, process and technology

  • 10/31

    Why the ISO/IEC 27001 Framework

    Based on risk assessment and treatment

    Importance given to the business context

    Emphasis on management of technology: change and configuration management

    Effective mix of HR, technical, legal and contractual issues

    Demonstrable compliance through third-party certification

  • 11/31

    What is needed?

    Management concerns: market reputation, business continuity, disaster recovery, business loss, loss of confidential data, loss of customer confidence, legal liability, cost of security

    Security measures/controls: technical, procedural, physical, logical, personnel, management

  • 12/31

    ISO 27001:2005: Addressing Management Concerns (Annex A control areas)

    A.5 Security policy

    A.6 Organization of information security

    A.7 Asset management

    A.8 Human resources security

    A.9 Physical and environmental security

    A.10 Communications and operations management

    A.11 Access control

    A.12 Information systems acquisition, development and maintenance

    A.13 Information security incident management

    A.14 Business continuity management

    A.15 Compliance

  • 13/31

    ISO 27001:2013 High Level Structure

    Introduction

    1. Scope

    2. Normative references

    3. Terms and definitions

    4. Context of the organization

    4.1 Understanding the organization and its context

    4.2 Understanding the needs and expectations of interested parties

    4.3 Determining the scope of the ISMS

    4.4 Information security management system

    5. Leadership

    5.1 Leadership and commitment

    5.2 Policy

    5.3 Organizational roles, responsibilities and authorities

    6. Planning

    6.1 Actions to address risks and opportunities

    6.2 Information security objectives and planning to achieve them

    7. Support

    7.1 Resources

    7.2 Competence

    7.3 Awareness

    7.4 Communication

    7.5 Documented information

    7.5.1 General

    7.5.2 Creating and updating

    7.5.3 Control of documented information

    8. Operation

    8.1 Operational planning and control

    8.2 Information security risk assessment

    8.3 Information security risk treatment

    9. Performance evaluation

    9.1 Monitoring, measurement, analysis and evaluation

    9.2 Internal audit

    9.3 Management review

    10. Improvement

    10.1 Nonconformity and corrective action

    10.2 Continual improvement

  • 14/31

    6. Planning, 6.1 Actions to address risks and opportunities

    When planning for the ISMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:

    a) ensure the ISMS can achieve its intended outcome(s);

    b) prevent, or reduce, undesired effects; and

    c) achieve continual improvement.

    The organization shall plan:

    d) actions to address these risks and opportunities; and

    e) how to integrate and implement the actions into its ISMS processes, and evaluate the effectiveness of these actions.

  • 15/31

    8. Operation

    8.2 Information security risk assessment

    8.3 Information security risk treatment

    Risk assessment: the building block for the ISMS

  • 16/31

    Risk Assessment Building Block for ISMS (flow diagram)

    Understand business requirements (documents and management inputs) -> Review current IS security environment status (appraisal, training) -> Study critical information assets -> Analyze risks and exposures (risk analysis training) -> Develop security policy and plan (training) -> Implement and operate ISMS (training; technical compliance and network review) -> Internal audit and policy review -> ISMS certification

  • 17/31

    Risk Assessment Components and their Relationship (diagram)

    Threats exploit vulnerabilities and increase risks

    Vulnerabilities expose assets and increase risks

    Assets have values and impacts; asset values increase risks

    Risks indicate security requirements

    Security requirements are met by security controls

    Security controls protect against threats and reduce risks

  • 18/31

    RA/RTP (risk assessment / risk treatment plan) in ISO/IEC 27001

    Driven by ISO 31000:2009, Risk Management: Principles and Guidelines

    Establishes the principles needed to manage risks effectively

  • 19/31

    Relationships between RM Principles, Framework and Processes (figure, from ISO 31000)

  • 20/31

    PRINCIPLES (ISO 31000) - risk management:

    a) Creates value

    b) Is an integral part of organizational processes

    c) Is part of decision making

    d) Explicitly addresses uncertainty

    e) Is systematic, structured and timely

    f) Is based on the best available information

    g) Is tailored

    h) Takes human and cultural factors into account

    i) Is transparent and inclusive

    j) Is dynamic, iterative and responsive to change

    k) Facilitates continual improvement and enhancement of the organization

  • 21/31

    Information security risk management process (figure)

    Source: ISO/IEC 27005:2008

  • 22/31

    Possible inputs for the risk assessment process

    List of known threats and vulnerabilities

    History of natural/un-natural disturbances in the location(s) of operation

    Past security incident/breach data

    Vulnerability assessment reports

    Penetration test reports

    Discussions with stakeholders

  • 23/31

    (Possible) Pitfalls in risk assessment

    Unavailability of proper data (the inputs listed on the previous slide)

    Risk assessment tends to be a voluminous task and is therefore abandoned part-way

    Risk assessment output is made to match already known and manageable risks

    Not all assets are covered in the risk assessment

    Risk assessment output is either too optimistic (all risks within acceptable limits) or too pessimistic (most assets beyond acceptable risk)

  • 24/31

    Practical tips

    Finalise the RA and RM procedure. The procedure should be quite elaborate: it should have adequate granularity to ensure sufficient resolution in risk for different asset values and their associated threats and vulnerabilities.

    Train the concerned groups on this procedure.

    All asset owners find the risks for their assets; there may be a common person to ensure uniformity.

    Risk assessment should be an iterative exercise. For those assets found to have higher risk, it is desirable to hold a moderation session with the stakeholders and the security coordination group before the findings are presented to management.
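    The risk-assessment mechanics of slides 17, 23 and 24 (asset values, threats and vulnerabilities combining into a risk score, an acceptable risk level set by management, the coverage and over/under-estimation pitfalls, and the mapping of each scored risk to the treatment options of slides 28 and 31) worked through as an added Python example. This is not code from the deck or from STQC: the 1-to-5 scales, the product scoring formula, the acceptable level of 20, the treatment-selection rule and the sample asset register are all assumptions made for illustration.

```python
"""Worked information security risk assessment (constructed example).

Scoring model (assumed; the deck fixes no scale):
    risk = asset_value x effective_likelihood x severity, each factor on 1..5,
    where controls already in place lower the effective likelihood.
A score above ACCEPTABLE_RISK needs treatment; at or below it, the risk is retained.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

ACCEPTABLE_RISK = 20   # assumed acceptable risk level; in practice fixed by management


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    value: int                  # 1..5 business impact if the asset is compromised


@dataclass(frozen=True)
class Exposure:
    """One (asset, threat, vulnerability) triple recorded by the asset owner."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int             # 1..5 chance of the threat occurring in the period
    severity: int               # 1..5 how readily the threat exploits the vulnerability
    control_effect: int = 0     # points of likelihood removed by existing controls
    transferable: bool = False  # a contract or insurance option exists for this risk


def risk_score(asset_value: int, e: Exposure) -> int:
    """Threats and vulnerabilities increase risk; existing controls reduce it."""
    for v in (asset_value, e.likelihood, e.severity):
        if not 1 <= v <= 5:
            raise ValueError("asset value, likelihood and severity are on a 1..5 scale")
    effective_likelihood = max(1, e.likelihood - e.control_effect)
    return asset_value * effective_likelihood * e.severity   # range 1..125


def select_treatment(score: int, e: Exposure, acceptable: int = ACCEPTABLE_RISK) -> str:
    """Illustrative (assumed) policy mapping a score to an ISO 31000 treatment option."""
    if score <= acceptable:
        return "retain"   # accept the risk by informed decision
    if e.likelihood == 5 and e.severity == 5:
        return "avoid"    # remove the risk source rather than try to control it
    if e.transferable:
        return "share"    # transfer via contract or risk financing
    return "reduce"       # change likelihood or consequences with new controls


def assess(assets: Iterable[Asset], exposures: Iterable[Exposure],
           acceptable: int = ACCEPTABLE_RISK) -> list[dict]:
    """Score every exposure and rank them, highest risk first."""
    values = {a.name: a.value for a in assets}
    rows = []
    for e in exposures:
        if e.asset not in values:
            raise KeyError(f"exposure refers to an asset outside the scope: {e.asset!r}")
        score = risk_score(values[e.asset], e)
        rows.append({"asset": e.asset, "threat": e.threat, "vulnerability": e.vulnerability,
                     "score": score, "treatment": select_treatment(score, e, acceptable)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def uncovered_assets(assets: Iterable[Asset], exposures: Iterable[Exposure]) -> set[str]:
    """Pitfall check: every in-scope asset needs at least one assessed exposure."""
    return {a.name for a in assets} - {e.asset for e in exposures}


def calibration_warning(rows: list[dict], acceptable: int = ACCEPTABLE_RISK) -> str | None:
    """Pitfall check: no risk above the acceptable level, or nearly all risks above it,
    usually means the scale is wrong rather than that the picture is true."""
    if not rows:
        return "no exposures assessed"
    share_above = sum(r["score"] > acceptable for r in rows) / len(rows)
    if share_above == 0:
        return "too optimistic: no risk exceeds the acceptable level"
    if share_above > 0.8:
        return "too pessimistic: most risks exceed the acceptable level"
    return None


# Constructed sample register; names and numbers are illustrative, not from the deck.
ASSETS = [
    Asset("customer-db", "dba-team", 5),
    Asset("public-website", "web-team", 3),
    Asset("hr-file-share", "hr", 4),
    Asset("dev-laptops", "it-ops", 2),
    Asset("backup-tapes", "it-ops", 4),   # deliberately left without an exposure
]
EXPOSURES = [
    Exposure("customer-db", "SQL injection via web app", "unparameterised queries", 4, 5, control_effect=1),
    Exposure("customer-db", "insider data theft", "shared DBA account", 2, 4),
    Exposure("public-website", "volumetric DDoS", "no upstream scrubbing", 4, 3, transferable=True),
    Exposure("hr-file-share", "ransomware", "unpatched SMB service", 5, 5),
    Exposure("hr-file-share", "flooding of server room", "ground-floor location", 1, 3),
    Exposure("dev-laptops", "laptop theft", "unencrypted disk", 3, 3, control_effect=1),
]

if __name__ == "__main__":
    rows = assess(ASSETS, EXPOSURES)
    for r in rows:
        print(f"{r['score']:4d} {r['treatment']:7s} {r['asset']}: {r['threat']}")
    print("assets with no exposure assessed:", uncovered_assets(ASSETS, EXPOSURES))
    print("calibration:", calibration_warning(rows))
```

    The ranked output is what the moderation session on slide 24 would review: the two checks at the end flag an asset that the owners never assessed (backup-tapes) and would flag a result in which nothing, or nearly everything, exceeds the acceptable level, which is the optimistic/pessimistic pitfall of slide 23. Changing ACCEPTABLE_RISK or the control_effect values and re-running is the iterative exercise the slide calls for.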

  • 25/31

    Summary

    Risk assessment is one of the most important tasks in evaluating the security requirements of the organization.

    The organization needs to evolve a suitable risk assessment strategy and define the acceptable risk levels.

    Risk assessment should cover all the assets within the scope.

    Risk assessment is not a one-off exercise and has to be done periodically.

  • 26/31

    THANK YOU

  • 27/31

    PROCESS FLOW DIAGRAM (figure)

  • 28/31

    Risk management

    The process of identifying, controlling and minimizing or eliminating security risks (that may affect information systems) at an affordable cost.

    RM includes RA (risk assessment) and risk treatment.

    Treatment options (diagram): Transfer, Avoid, Accept, Reduce probability

  • 29/31

    EXTERNAL CONTEXT

    The external context is the external environment in which the organization seeks to achieve its objectives.

    The external context can include:

    the social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;

    key drivers and trends having an impact on the objectives of the organization; and

    relationships with, and perceptions and values of, external stakeholders.


  • 31/31

    RISK TREATMENT

    Clause 5.5.1 (ISO 31000:2009), options c) to g):

    c) removing the risk source;

    d) changing the likelihood;

    e) changing the consequences;

    f) sharing the risk with another party or parties (including contracts and risk financing); and

    g) retaining the risk by informed decision.