
Page 1: Copyright Maximus Consulting (Hong Kong) Ltd. Talk 090421.pdf · ISO 27001 A Corporate Approach in Developing ISMS Speaker: Roger Chung Chief Executive Officer Maximus Consulting

Copyright 2009 Maximus Consulting (Hong Kong) Limited

1

Copyright © Maximus Consulting (Hong Kong) Ltd.

The right of Maximus Consulting (Hong Kong) Ltd. to be identified as the authors of this presentation has been asserted by them in accordance with the Copyright Ordinance (Cap. 568) 2001 under the law of Hong Kong SAR, PRC. They also assert recognition of this right as authors in accordance with any international copyright laws or conventions.

This publication is Copyright © Maximus Consulting (Hong Kong) Ltd. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, or used in any way or form (including presentation of this material as a course, training seminar, lecture or tutorial) or by any means, electronic, mechanical, photocopying, recording or otherwise without the prior knowledge and written permission and consent of Maximus Consulting.

Maximus Consulting (Hong Kong) - Tel: +852 2802 3954 - Email: [email protected]

While every precaution has been taken in the preparation of this material, Maximus Consulting (Hong Kong) Ltd. accepts no liability and assumes no responsibility for errors or omissions or for any loss or damage caused, arising directly or indirectly, in connection with the use of, application of and reliance on the information contained herein. Any personal opinions or views expressed in this workshop case study have been formed on the basis of information that was either made available to the authors or was freely publicly available.

Page 2:

ISO 27001: A Corporate Approach in Developing ISMS

Speaker: Roger Chung

Chief Executive Officer

Maximus Consulting (Hong Kong) Ltd

Date: 21 April 2009

Page 3:

Today's Agenda

- Preparing your Information Security Management System (ISMS)
- Tips for ISMS Implementation
- Case Study: Data Loss Prevention

Page 4:

HACKED!

Defacement text shown on the slide:

Hi Master (: Your System 0wned by Hackers!
xHack 0wnz You
HacKErABC HacKErXYZ with me in Here
www.xxxhack.com or www.xxxsecurity.com
WE WERE HERE....
Hacked by nOBoDy ;)

Page 5:

Preparing your ISMS

Page 6:

The basic question

What is the most important component in establishing your ISMS?

- ISMS documentation
- Conduct risk assessment
- Find an experienced ISMS consultant
- Management support

Page 7:

Establishing your ISMS in 9 steps

9 steps to implement ISO 27001:

1. Initial approach (why information security is important, and why ISO 27001?)
2. Management support
3. Scoping
4. Planning
5. Communication
6. Risk assessment
7. Control selection
8. Documentation
9. Testing

Source: "Nine Steps to Success – An ISO 27001 Implementation Overview", by Alan Calder, Director, IT Governance Ltd.

Page 8:

Management support for ISMS

- Management support is essential for the ISMS project
- The ISMS project is a business project, not an IT project
- The project should be aligned with the business model, strategy and goals
- An appropriate level of resources should be allocated to the project

Page 9:

Scoping

Elements that may fall within the scope of an ISMS (diagram on the slide): People, Information, Equipment, Network connections, Business processes, Services, Physical location, Software.

Page 10:

Scoping – understand your requirements

- Driving force of the ISMS?
  - Marketing, corporate governance, regulatory compliance, etc.
- Scope of the ISMS?
  - Physical location(s)? IDC, back office, warehouse, showroom, etc.
  - Business unit(s) / department(s) / number of people involved? Sales, Marketing, Finance, HR, Executives, etc.
  - Business process(es)? Financial reporting, payroll, ERP, mission-critical IT services, IT infrastructure, application development and support, etc.

Page 11:

Planning

- Plan-Do-Check-Act cycle
- Gap analysis
- Project management
  - Project team
  - Project plan
  - Resources

(Diagram on the slide: the Plan → Do → Check → Act cycle.)

Page 12:

Build your ISMS committee

Organization chart shown on the slide:

- Information Security Management Committee (ISMC): CEO, COO, IT Director, Head of Compliance
- Information Security Management Representative (ISMR): IT Manager, Security Officer
- Security Advisor; Internal Auditor
- Information Security Working Committee (ISWC), with representatives from the Application Development and Support Team, the System and Network Team, the Business Users, and the DC Operation and Facility Team

Page 13:

Tips for ISMS Implementation

Page 14:

First, get to know the facts

What is the major type of security breach?

- Insider theft
- Hacking
- Data on the move
- Accidental exposure

Page 15:

Types of security breaches in 2008 (US)

- Insider theft – 15.7%
- Hacking – 13.9%
- Data on the move – 20.7%
- Accidental exposure – 14.4%

Source: The Identity Theft Resource Center
http://www.idtheftcenter.org/artman2/publish/m_press/2008_Data_Breach_Totals_Soar.shtml

The bottom lines:

1. Insider theft, now at 15.7%, has more than doubled between 2007 and 2008.
2. Data on the move and accidental exposure, both human error categories, account for 35.2% of those breaches that indicate cause.
3. Electronic breaches (82.3%) continue to outnumber paper breaches (17.7%).

Page 16:

What is your weakest link?

- No information security policies
- Unidentified or unmanaged risks
- Lack of security awareness among staff
- Lack of technical control enforcement

Page 17:

Requirements for risk assessment (1)

- Asset identification
  - Identify the assets within the scope of the ISMS
  - Identify the owners of these assets
- Threat, vulnerability and requirement identification
  - Identify the threats to those assets
  - Identify the vulnerabilities that might be exploited by the threats
  - Identify the impacts that losses of confidentiality, integrity and availability may have on the assets
- Asset valuation, impact assessment and risk assessment
  - Analyse and evaluate the risks

Page 18:

Requirements for risk assessment (2)

- Risk treatment
  - Identify and evaluate options for the treatment of risks
  - Select control objectives and controls for the treatment of risks
- Review and approval
  - Obtain management approval of the proposed residual risks
  - Obtain management authorization to implement and operate the ISMS
- Control selection
  - Prepare a Statement of Applicability (SoA)
  - Select controls from Annex A or other sources
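The two slides above list the risk assessment steps without showing how they join up. The Python sketch below is added here as an illustration and is not part of the original presentation. It walks a constructed three-risk register through those steps: assets with owners and C/I/A impact values, threats and vulnerabilities rated for likelihood, an inherent score, a treatment decision against a management-set acceptance criterion, the residual score after the selected controls, a flag for residual risks that still need management approval, and a Statement of Applicability skeleton that records both selected and excluded controls with a justification. The 1..5 scales, the acceptance threshold of 9, the control effect figures and the sample risks are all assumptions of the example; the Annex A references follow the 2005 edition numbering that the deck's "A.13" implies, so check them against the edition you certify to.

```python
"""Worked ISO 27001-style risk assessment: asset identification, threat/vulnerability
rating, treatment, residual-risk approval and a Statement of Applicability skeleton.
All scales, control effects and sample risks are assumptions of this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Likelihood and impact are rated 1..5 (assumed scale); their product (1..25) is
# banded onto the four levels the deck uses for incident impact.
RATING_BANDS = ((4, "Low"), (9, "Medium"), (15, "High"), (25, "Very high"))
ACCEPTANCE_THRESHOLD = 9  # management-set risk acceptance criterion (assumed)

def rate(score: int) -> str:
    """Band a 1..25 risk score into Low / Medium / High / Very high."""
    for ceiling, label in RATING_BANDS:
        if score <= ceiling:
            return label
    raise ValueError(f"score out of range: {score}")

@dataclass
class Asset:
    name: str
    owner: str              # every in-scope asset needs an identified owner
    impact: Dict[str, int]  # impact (1..5) of losing C, I or A

@dataclass
class Control:
    ref: str                # Annex A reference (2005 edition numbering) or other source
    name: str
    likelihood_reduction: int = 0                                   # steps taken off likelihood
    impact_reduction: Dict[str, int] = field(default_factory=dict)  # steps taken off C/I/A impact

@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int           # 1..5
    affects: Tuple[str, ...]  # which of C, I, A the threat compromises
    controls: List[Control] = field(default_factory=list)

    def inherent(self) -> int:  # likelihood x worst affected impact, before treatment
        return self.likelihood * max(self.asset.impact[p] for p in self.affects)

    def residual(self) -> int:  # after the selected controls; neither factor drops below 1
        likelihood = self.likelihood - sum(c.likelihood_reduction for c in self.controls)
        impact = max(self.asset.impact[p] - sum(c.impact_reduction.get(p, 0) for c in self.controls)
                     for p in self.affects)
        return max(1, likelihood) * max(1, impact)

def assess(risks: List[Risk], threshold: int = ACCEPTANCE_THRESHOLD) -> List[dict]:
    """One row per risk: scores, treatment decision, and whether the residual risk
    exceeds the acceptance criterion and so needs explicit management approval."""
    rows = []
    for r in risks:
        inherent, residual = r.inherent(), r.residual()
        if inherent <= threshold:
            treatment = "accept"     # within criterion: document and accept
        elif r.controls:
            treatment = "modify"     # reduce with the selected controls
        else:
            treatment = "untreated"  # high risk with no plan: must not stay like this
        rows.append({"asset": r.asset.name, "owner": r.asset.owner, "threat": r.threat,
                     "inherent": inherent, "inherent_rating": rate(inherent),
                     "residual": residual, "residual_rating": rate(residual),
                     "treatment": treatment,
                     "needs_management_approval": residual > threshold})
    return rows

def statement_of_applicability(risks: List[Risk], catalogue: Dict[str, str]) -> Dict[str, dict]:
    """SoA skeleton: a catalogued control is selected when some risk's treatment uses it,
    justified by the threats it treats; exclusions are recorded with a reason as well."""
    soa = {}
    for ref, name in catalogue.items():
        treats = [r.threat for r in risks if any(c.ref == ref for c in r.controls)]
        soa[ref] = {"name": name, "selected": bool(treats),
                    "justification": treats or ["no identified risk requires it"]}
    return soa

# Constructed sample register modelled on the deck's case study (not real data).
PATIENT_RECORDS = Asset("Patient records on removable media", "Head of Clinical Services", {"C": 5, "I": 3, "A": 2})
CASE_FILES = Asset("Case files taken home by staff", "Station Commander", {"C": 5, "I": 4, "A": 2})
PUBLIC_SITE = Asset("Public web site", "Marketing Manager", {"C": 1, "I": 3, "A": 2})
ENCRYPT_MEDIA = Control("A.12.3.1", "Cryptographic controls policy (encrypted drives only)", impact_reduction={"C": 3})
RESTRICT_USB = Control("A.10.7.1", "Management of removable media (block unmanaged drives)", likelihood_reduction=2)
AWARENESS = Control("A.8.2.2", "Security awareness, education and training", likelihood_reduction=1)
ANNEX_A = {"A.8.2.2": "Information security awareness, education and training",
           "A.10.7.1": "Management of removable media",
           "A.11.7.1": "Mobile computing and communications",
           "A.12.3.1": "Policy on the use of cryptographic controls"}
RISKS = [
    Risk(PATIENT_RECORDS, "Unencrypted USB drive lost in transit", "personal, unencrypted drives allowed",
         likelihood=4, affects=("C", "A"), controls=[ENCRYPT_MEDIA, RESTRICT_USB]),
    Risk(CASE_FILES, "Files exposed by P2P file sharing on a home PC", "no rule against working on home PCs",
         likelihood=3, affects=("C",), controls=[AWARENESS]),
    Risk(PUBLIC_SITE, "Web site defacement", "CMS patching lags", likelihood=2, affects=("I",)),
]

if __name__ == "__main__":
    print(*assess(RISKS), sep="\n")
    print(*statement_of_applicability(RISKS, ANNEX_A).items(), sep="\n")
```

In the sample register the USB risk starts at 20 (Very high) and falls to 4 (Low) once encryption and device restriction are applied, the home-PC risk only drops from 15 to 10 with awareness training alone and so stays above the acceptance criterion and is flagged for management sign-off, and the defacement risk sits inside the criterion and is simply accepted. The scoring method itself is what the standard requires you to define and apply consistently; the particular scale is yours to choose.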

Page 19:

If you don't attack the risks, the risks will attack you.

Page 20:

Case Study: Data Loss Prevention

Page 21:

Multiple sources of security breaches

Page 22:

Security breaches are all around

Press clippings shown on the slide (translated from Chinese):

Foxy leaks police secrets again: 60 documents disclose drug-case details and personal data

[Apple Daily, 8 March 2009] Nearly sixty internal Hong Kong Police Force documents have leaked through Foxy, the seventh time in ten months that the force has "shared with the public" confidential files. The documents disclose police procedures for handling drugs, together with the names, addresses and identity card numbers of people involved in cases. Legislative Councillors said the repeated police leaks are enough to shake public confidence in law enforcement's ability to protect those who report crimes. Some police officers suggested the documents might have been leaked by lawyers or the Judiciary, but the Judiciary said the material was not court documents.

Unwitting leak through Foxy: station sergeant may face disciplinary action

[Apple Daily, 10 March 2009] Several of the internal police files recently found to have leaked through Foxy are suspected to have come from officers at Sheung Shui Police Station. Tai Po District Crime Squad officers traced the leak to a station sergeant formerly posted to Sheung Shui who took the files home and worked on them on his home computer. The force regards the matter very seriously and has not ruled out disciplinary action.

United Christian Hospital staff lose another "thumb drive", exposing 47 patients' data

[Apple Daily, 25 March 2009] A year and a half after a United Christian Hospital staff member lost a USB memory stick holding 26 patients' data in 2007, the hospital has a second patient-data loss scandal. Last Friday a 26-year-old female ophthalmologist lost a USB memory stick (colloquially a "USB finger", i.e. a thumb drive) holding the personal data of 47 patients, and reported it to her superiors only three days later. The Kowloon East Cluster immediately reported the loss to police, expressed deep regret, apologised to the affected patients and set up a task force to investigate; if human error is found, appropriate disciplinary action will be taken.

United Christian Hospital loses a third USB drive holding patient data; doctor involved suspected of breaching the code

[Apple Daily, 12 April 2009] United Christian Hospital had already twice lost USB drives holding patient data, but its staff did not learn the lesson: the day before yesterday a female obstetrics and gynaecology resident lost a personal USB drive containing the names, identity card numbers and other personal data of eight patients, with no encryption applied. Hospital management expressed disappointment, said the doctor appears to have breached the data security code, will set up a panel to investigate, and apologised to the affected patients.

Page 23:

Even more...

Leaks listed on the slide (translated from Chinese; date posted online / department / content):

- May 2008, Immigration Department: An immigration officer allegedly breached the rules by taking confidential material home and entering it into a computer; the files held data on people on the department's watch list, traveller complaints and more.
- May 2008, Hong Kong Police Force: A two-page mobile phone directory of chief inspectors and sergeants across 16 police districts leaked, along with four pages of guidelines for interrogating suspects, including cigarette smugglers, red-diesel smugglers and prostitutes.
- May 2008, Hong Kong Police Force: Multiple confidential police files, including an account of three officers repeatedly going undercover to buy drugs at a suspicious Mong Kok disco, and details of the vehicle driven by a suspect in a Wong Tai Sin theft-from-vehicle case.
- May 2008, Hong Kong Police Force: Three files, including a list with phone numbers of the officers handling street deception cases in each district; two were Commercial Crime Bureau applications to the court for search warrants, stating the grounds for the search, the address, and even the complainant's surname and company details.
- June 2008, Customs and Excise Department: Customs officers' case statement records, including suspects' identity card numbers and case details.
- July 2008, Immigration Department: 11 files believed to belong to an immigration officer formerly stationed at the Shenzhen Bay control point, including reports on forged-document investigations that disclosed travellers' personal data and investigation details.
- August 2008, Hong Kong Police Force: Multiple confidential 2007 documents, including the personal data (names, phone numbers, home addresses and workplaces) of witnesses who helped police arrest loan sharks.
- September 2008, Hong Kong Police Force: Multiple West Kowloon police district documents, including the procedures Emergency Unit officers follow for serious cases such as bomb threats and armed robberies.
- February 2009, Fire Services Department: More than 60 appraisal reports on over 20 firefighters, disclosing personal data such as monthly salary and rank, including those of 蕭永方 (Siu Wing-fong), the firefighter who died in a rescue last year.
- February 2009, Hong Kong Police Force: A police interview record in which an officer at Tin Shui Wai Police Station took a statement from a gambling suspect.
- March 2009, Hong Kong Police Force: Nearly 60 internal police documents, including sergeants' drug-handling records and the identities of arrested persons.

Page 24:

After the incident...

What should be done when an incident occurs?

- Fire the staff who caused the incident
- Conceal the incident wherever possible
- Implement sophisticated technical controls
- Perform information security incident management

Page 25:

Information Security Incident Management (A.13)

- What is the impact of the incident?
  - Very high (Major), High, Medium or Low
- What are the corrective actions for the incident?
  - Perform actions to minimize the impact of the incident
  - Recover the affected systems as soon as possible
- What is the root cause of the incident?
  - Identify the cause of the incident: accidental, staff ignorance, inappropriate policies, lack of audit and compliance checking, lack of technical controls, etc.
- What are the preventive actions to reduce the recurrence of similar incidents?
  - Administrative and technical controls
  - Training and communication with staff, clearly defined disciplinary actions, etc.
  - Restrict USB drive usage, encrypt USB drives, a centralized management solution for USB, etc.
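The preventive actions above stop at restricting or encrypting USB drives. A complementary detective control, which the presentation does not cover, is to inspect what has actually been written to removable media for the kind of personal data the case-study leaks exposed, here Hong Kong identity card numbers. The Python example below is added here and is not from the deck: it matches candidate HKIDs, validates the check digit so that product codes and similar look-alikes are not reported, and sweeps a constructed set of (path, content) pairs standing in for files on a USB drive. The file names, contents and identity numbers are constructed for the example; the identity numbers are synthetic values that merely satisfy the check-digit rule and are not real records.

```python
"""Detective control for the case study: find clear-text Hong Kong identity card
numbers in files copied to removable media, validating the check digit so that
look-alike codes are not reported. The sample files below are constructed."""
import re
from typing import Iterable, List, Tuple

# Candidate HKID: one or two prefix letters, six digits, a check digit 0-9 or A,
# usually in parentheses, e.g. A123456(3). The lookahead stops matches that are
# merely the start of a longer alphanumeric token.
HKID_RE = re.compile(r"\b([A-Z]{1,2})(\d{6})\(?([0-9A])\)?(?!\w)")


def hkid_check_digit(prefix: str, digits: str) -> str:
    """HKID check digit: letters count 10..35, a missing second prefix letter counts
    as a space worth 36, the eight positions are weighted 9 down to 2, and the check
    digit makes the weighted sum divisible by 11 (a value of 10 is written 'A')."""
    body = prefix.rjust(2) + digits  # pad a single-letter prefix with a leading space
    total = 0
    for weight, ch in zip(range(9, 1, -1), body):
        if ch == " ":
            value = 36
        elif ch.isdigit():
            value = int(ch)
        else:
            value = ord(ch) - ord("A") + 10
        total += weight * value
    check = (11 - total % 11) % 11
    return "A" if check == 10 else str(check)


def find_hkids(text: str) -> List[str]:
    """Return the HKIDs in text whose check digit validates; pattern hits with a wrong
    check digit are dropped, which removes most false positives."""
    found = []
    for m in HKID_RE.finditer(text):
        prefix, digits, check = m.groups()
        if hkid_check_digit(prefix, digits) == check:
            found.append(f"{prefix}{digits}({check})")
    return found


def scan_files(files: Iterable[Tuple[str, str]], threshold: int = 1) -> List[Tuple[str, int]]:
    """DLP-style sweep over (path, content) pairs: report files holding at least
    `threshold` distinct valid HKIDs in clear text, so they can be quarantined or encrypted."""
    hits = []
    for path, content in files:
        distinct = len(set(find_hkids(content)))
        if distinct >= threshold:
            hits.append((path, distinct))
    return hits


# Constructed stand-in for files found on a personal USB drive (not real records).
SAMPLE_FILES = [
    ("E:/clinic/appointments.csv",
     "name,hkid,clinic\nChan Tai Man,A123456(3),eye\nLee Siu Ming,C668668(9),eye\nWong Mei,XA123456(8),obs\n"),
    ("E:/clinic/inventory.txt", "Part A123456(4) shelf 3\nBatch ZZ999999(X) recalled\n"),  # look-alikes only
    ("E:/personal/holiday.txt", "Flight CX888 departs 09:40\n"),
]

if __name__ == "__main__":
    for path, count in scan_files(SAMPLE_FILES):
        print(f"{path}: {count} clear-text HKID(s); quarantine or encrypt")
```

Only the appointments file is reported; the inventory file's "A123456(4)" has the right shape but fails the check digit and is ignored. A DLP agent would run such a sweep when a drive is mounted or a file is written and then quarantine or encrypt the flagged file; the check-digit validation is what keeps the alert rate low enough for staff to act on every hit.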

Page 26:

Before the incident...

How do you prevent information leakage through USB drives?

- Define fit-for-purpose policies
- Block all USB drives
- Proper training and communication
- Strict disciplinary action against breaches

Page 27:

Controls and Communications

- You need administrative controls
  - To define what to protect and how to protect your information assets
  - E.g. information security policies, acceptable use policy, information security incident management procedures, disciplinary actions
- You need technical controls
  - To enforce strict policies on systems
  - E.g. password policies, encryption of traffic, web filtering, prohibition of USB drives
- You need training and communication with staff
  - To get staff buy-in and increase the effectiveness of controls
  - E.g. security awareness training, handling of confidential information, protection of personal data, responsibility to report incidents

Page 28:

Information security costs you less on prevention than on correction.

Page 29:

Critical Success Factors for ISMS

- Total commitment
  - Commitment from senior management
  - Effective security marketing to managers and employees
- Customized security practice
  - Security policy, objectives and activities that reflect business objectives
  - Consistent with the organization's culture
  - Good understanding of security requirements and security risks

Page 30:

Critical Success Factors for ISMS (continued)

- Training
  - Regular security education and awareness program
  - Distribution and communication of security policies to employees and vendors
- Changing mindset
  - Giving a true assessment of information security
  - Keeping security awareness in day-to-day operation
  - Reporting all security incidents
  - Taking on security responsibilities

Page 31:

ISMS is a change management project

Not every change is an improvement; but every improvement is a change.

Almost everyone dislikes change...

Page 32:

Summary

- Management support is essential for the ISMS project
- The ISMS project should be aligned with the business model, strategy and goals
- Scoping – identify the coverage of the ISMS
- Planning – follow the Plan-Do-Check-Act cycle, build your ISMS committee
- Risk assessment – identify your weakest link
- Data Loss Prevention – an ISMS helps you analyse the root cause of incidents and manage the risks in a cost-effective manner

An ISMS is a management system to manage all the information security issues of your organization.

Page 33:

Information security is not a luxury; it is a necessity.