Risk Management Approach to Security of Internal and External Services
*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***
Compiled by; Mark E.S. Bernard, ISO 27001 Lead Auditor, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT
Underpinning Contracts and Service Level Agreements
New agreements are fairly straightforward, and it is important for the information security officer to work with procurement and/or contract management. Any existing Underpinning Contracts (UC) and Service Level Agreements (SLA) must be revised during the OLA design process. Everyone involved should be aware of any UCs or OLAs that apply to the provision of a specific service.
Driven by the contractual, legal and regulatory requirements of the organization, the Service Provider provides the following services in that context:
• Performance and Capacity Planning
• 24x7 Performance Monitoring
• Custom Infrastructure Design and Build
• Systems Security Management
• Procurement, License, Maintenance and Audit of Licenses
• Business Continuity, High Availability, and Disaster Recovery
• Problem and Incident Handling
• Secure Data Storage
• Production Deployment
In order to satisfy the specific information security requirements for risk management between the client, internal departments and external service providers, vendors and suppliers, the scope of services needs to be evaluated to empower governance by determining which party is responsible for specific risks and for the controls designed to mitigate those risks.
For example, Operational Level Agreements could be established internally between the business unit or line of business seeking ISO 27001 Registration/Certification and other internal departments like IT, HR and Facilities.
Similarly, Service Level Agreements could be established between the business unit or line of business seeking ISO 27001 Registration/Certification and external parties like Cloud Computing Services, Vendors and Suppliers.
A Risk Assessment is necessary once all assets have been identified within the scope of service. These assets are utilized for the product or service delivery and the revenue stream.
Risks associated with strategic planning, credit, market and financial matters that are considered open and ongoing versus mitigated and closed can be added to the Risk Registry. Within the impact columns (scale 1 – 5), a threshold can be added for clarity. These risks are for internal reporting purposes and probably would not be shared or reviewed with the external party.
Risks associated with compliance with statutes, regulations and contractual obligations that are considered open and ongoing versus mitigated and closed can be added to the Risk Registry. Within the impact columns (scale 1 – 5), a threshold can be added for clarity.
Risks associated with operations are the most common risks that external parties can positively or negatively impact. Those that are considered open and ongoing versus mitigated and closed can be added to the Risk Registry. Within the impact columns (scale 1 – 5), a threshold can be added for clarity.
The Risk Assessment workflow to assess Service Providers will require access to internal resources, and normally a Service Desk ticket is required. Within many organizations the Service Desk plays a critical role in the OLA and SLA process by flagging events, incidents and problems that negatively impact service level agreements.
Due to the close integration of internal departments and divisions, there are a number of services which are unique to security. The following service catalogue identifies seven potential services.
It is necessary to establish an Operational Level Agreement with Service Management Metrics, so that conformity with ISO/IEC 27001 can be managed without Corp IS becoming a formal entity within the scope of registration/certification. This is in conformity with ISO27k clause A.10.2.
Key: A = Acceptable, M = Marginal, U = Unsatisfactory
The Service Desk performs a crucial function within Service Management: it helps to capture relevant data against Operational Level Agreement criteria to facilitate monitoring by management and subsequent management decision making. The creation, assignment and prioritization of Service Desk tickets needs to be closely mapped to Operational Level Objectives. The following provides some examples of Service Desk ticket prioritization and OLA criteria.
Priority 1 - Indicates a deficiency with a TechSecure service which has a critical impact on our Customer’s business processes and needs to be immediately corrected. Using a work-around or manual process cannot reduce the impact. All involved parties, including individuals in the Customer’s organization, are expected to work continuously (24 x 7) until the incident is resolved or until the Priority is reduced. During regular business hours, the following service levels apply:
• Incident is accepted within 15 minutes;
• Incident is updated within 1 hour, with updates provided every hour until resolution;
• Target Resolution time is 2 hours.
Priority 2 - Indicates a deficiency with a TechSecure service which has a critical impact on our Customer’s business processes and needs to be immediately corrected within the agreed upon SLA/OLA terms. A limited work-around or manual process is available. All involved parties, including individuals in the Customer’s organization, are expected to work during regular business hours until the incident is resolved or until the Priority is reduced. During regular business hours, the following service levels apply:
• Incident is accepted within 30 minutes;
• Incident is updated within 90 minutes, with updates provided every 90 minutes until resolution;
• Target Resolution time is 4 hours.
Priority 3 - Indicates a deficiency with a TechSecure service which has a critical impact on our Customer’s business processes and needs to be immediately corrected within the SLA/OLA terms. Work is expected to continue during regular business hours until the incident is resolved or until the Priority is reduced. During regular business hours, the following service levels apply:
• Incident is accepted within 2 hours;
• Incident is updated within 4 hours, with updates provided every 4 hours until resolution;
• Target Resolution time is 1 business day.
Priority 4 - Indicates a deficiency with a TechSecure service which has a critical impact on our Customer’s business processes and needs to be immediately corrected within the agreed upon SLA/OLA terms. Work is expected to continue during business hours until the incident is resolved. During regular business hours, the following service levels apply:
• Incident is accepted within 2 hours;
• Incident is updated within 1 business day, with updates provided every business day;
• Target Resolution time is 3 business days.
Priority 5 - Indicates a deficiency with a TechSecure service which cannot be rectified without a patch, fix or update assistance from outside agencies such as the software vendor. Work is expected to continue during business hours until the incident is resolved. During regular business hours, the following service levels apply:
• Incident is accepted within 2 hours;
• Incident is updated within 3 business days, with updates provided weekly;
• Target Resolution time is 1-3 business days after the fix, patch or resolution is received, or the next available scheduled change window as required.
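As an added example (not from the slides or from TechSecure), the priority criteria above expressed as a check that flags which OLA criteria a service desk ticket currently fails; the 8-hour "business day", the ticket structure and the sample tickets are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# OLA criteria per priority as stated on the slides:
# (accept within, update interval, target resolution). "Business day" is
# approximated as 8 elapsed hours (assumption; use a business calendar in
# practice). Priority 5 is omitted: its resolution clock starts only once the
# vendor fix arrives, so it cannot be judged from the ticket alone.
BUSINESS_DAY = timedelta(hours=8)
OLA = {
    1: (timedelta(minutes=15), timedelta(hours=1), timedelta(hours=2)),
    2: (timedelta(minutes=30), timedelta(minutes=90), timedelta(hours=4)),
    3: (timedelta(hours=2), timedelta(hours=4), BUSINESS_DAY),
    4: (timedelta(hours=2), BUSINESS_DAY, 3 * BUSINESS_DAY),
}

@dataclass
class Ticket:
    ticket_id: str
    priority: int
    opened: datetime
    accepted: datetime | None = None
    updates: list[datetime] = field(default_factory=list)
    resolved: datetime | None = None

def evaluate(t: Ticket, now: datetime) -> dict[str, bool]:
    """Whether the ticket meets each OLA criterion as of `now`; an open
    ticket fails a criterion as soon as its window elapses unmet."""
    accept_in, update_every, resolve_in = OLA[t.priority]
    met = {"accepted": (t.accepted or now) - t.opened <= accept_in}
    # Touchpoints are acceptance plus each update; every gap to the next
    # touchpoint (or to resolution / now) must be within the update cadence.
    points = ([t.accepted] + t.updates) if t.accepted else []
    gaps = [b - a for a, b in zip(points, points[1:] + [t.resolved or now])]
    met["updated"] = bool(points) and all(g <= update_every for g in gaps)
    met["resolved"] = (t.resolved or now) - t.opened <= resolve_in
    return met

def breaches(tickets: list[Ticket], now: datetime) -> dict[str, list[str]]:
    """Map each ticket id to the OLA criteria it currently fails."""
    return {t.ticket_id: [k for k, ok in evaluate(t, now).items() if not ok]
            for t in tickets}

# Constructed sample tickets (not from the page), all opened Monday 09:00.
T = lambda h, m: datetime(2024, 3, 4, h, m)
SAMPLE = [
    Ticket("INC-1", 1, T(9, 0), T(9, 10), [T(10, 5), T(11, 0)], T(11, 30)),
    Ticket("INC-2", 2, T(9, 0), T(9, 20)),
    Ticket("INC-3", 3, T(9, 0)),
]
```

Calling `breaches(SAMPLE, T(12, 0))` reports INC-1 resolved late, INC-2 past its 90-minute update cadence, and INC-3 neither accepted nor updated.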
Service Reports must be provided daily, weekly, monthly, quarterly and annually, or at the intervals agreed to within the SLA/OLA. These reports compare the agreed service levels against actual results. The following is a sample of the monthly Services Management Report:
• Production Environment Support during Published Hours of Service
• Monitoring and Support of Nightly Process Activity
• Test Infrastructure and Application Support during Published Hours of Service
• User Application Support
• Non-Business Hours On-Call Response
• Information Security Threat, Vulnerability and Risk Remediation
• Continuous Improvement Initiatives
• Fiscal Year 2013/14 Release Management
• Change Management
• Infrastructure and Application Support Services
• Accomplishments this Month
• Investigations and Resolutions
• Operations Support Services
• Accomplishments this Month
• Scheduled Service Interruptions
• Unscheduled Service Interruptions
• Business Continuity Plan
• Security Patch
For more information contact: Skype Mark_E_S_Bernard; Twitter @MESB_TechSecure; LinkedIn http://ca.linkedin.com/in/markesbernard