Ebsl Technologies It Operations Internal Presentation
1 likeโข588 views
The document presents a training session on IT operations hosted by EBSl Technologies, covering essential principles and frameworks such as ISO 27001/2, COBIT, and ITIL for information security management. It emphasizes a structured approach to risk assessment and management to protect organizational interests and achieves alignment between IT and business goals. Key takeaways include the importance of establishing a Risk Assessment Methodology (RAM) and the need for metrics to measure security effectiveness.
Ebsl Technologies It Operations Internal Presentation
- 1. EBSL IT Operations EBSL Technologies Int'l www.ebsltechnologies.com internal consultant training Presented by Jon CRG Shende FBCS CITP Director IT Services Part 1 June 19th 2008
- 2. Welcome to EBSL Technologies Int'l EBSL Our following sessions will review principles of IT Operations This will include : โข Technical and management concepts within IT (e.g. standards & preserving the C.I.A triad) โข Frameworks โข Planning for and Managing Risk with Disaster Recovery โข An Interactive Workshop in Management Consulting โข Metrics from 6 Sigma and Integrity Selling for your client facing duties. 2
- 3. Frameworks Overview EBSL ISO 27001:2005 & BS 17799 โ ISO 27002:2005 CoBIT - Control Objectives for Information and Related Technology ITIL - IT Infrastructure Library CMMi - Capability Maturity Model Integration Firms need to be cognizant of framework overload Organizations need to set implementation goals for frameworks with adequate project management resources Proceed cautiously with any framework roll-out as the of-chance of an incorrect categorization of control objectives and/or application can defeat the purpose of a framework implementation & ROI assessment 3
- 4. ISO 27001:2005 - basic overview EBSL ISO -International Organization for Standardization โข ISO 27001/2 are management system standards that are applicable to all industry sectors โข ISO 27001 is a formal specification which defines specific requirements for establishing an Information Security Management System(ISMS).It is not a technical standard & emphasizes prevention โข It is a management system that should guide in an organizational balance of all aspects of security - physical,technical, procedural, and employee following a Plan-Do-Check-Act, Process Approach โข A Process Approach emphasizes user understanding of an organizationโs information security requirements and can help define and establish information security policies and objectives. 4
- 5. Summarizing ISO 27001 EBSL โข It defines an information management framework which sets; directions, aims, objectives and defines a management approved policy which holds management commitment โข It's processes methodically identify security requirements by assessing security risks. The results of these assessments help guide the prioritizing of metrics to manage risks and the appropriate management action. This guides the selection and implementation of controls(policies, practices, procedures, organizational structures, software/hardware functions) and mechanisms. โข Controls implemented subjectively should follow the identification of security requirements. Their aim, to ensure that risks are reduced to an acceptable level while meeting an organization's security objectives. 5
- 6. ISO 27001/2 - basic overview 2 EBSL ISO 27002 โข Follows on the guideline of ISO27001's ISMS โข Can be regarded as a comprehensive collection of good security processes โข It is a standard code of practice which define techniques one can implement to secure data โข Both ISO 27001 & 27002 employs specific control statements which satisfy control objectives. We can group controls into six categories โข Detect, Protect, Deter, React, Avoid & Recover โข Per CoBIT โControl objectives provide a complete set of high level requirements to be considered by managementโ 6
- 7. ISO 27001/2 generic controls EBSL Control . Control Objectives Detect Identification of the occurrence of security event/s, then implement protective, reactive or recovery safeguard mitigation Protect Safeguarding vulnerable information assets and/or assets with exposures to adverse security events Deter Mitigate the possibility of undesirable events being attempted React Minimize the impact of a security event with an adequate response to ensure business continuity Avoid Eliminate known vulnerabilities via patches,software updates, signature updates and take steps to avoid new issues. Recover After an event ensure that confidentiality,integrity and 7 availability of all information assets are restored to their
- 8. Controls EBSL โข Controls when properly implemented allow management to make well- informed risk management decisions. โข This leads to properly secured IT systems responsible for storing, processing, or transmitting organizational data โข Risk Management decisions justify IT related expenses via a cost/benefit analysis as well as assist management in supporting a system from it's documented risk management performance review which should be auditable โข Tying it together - for any one organization an integrated GRC mindset needs to sit in front of operations i.e. Governance, Risk Management and Compliance rather than being seen as three distinct entities 8
- 9. ISO 27001 questions EBSL Q. How does the ISO 27001/2 Series benefit our clients ? โข It provides a uniform an effective information security management process for an organization โข Proper implementation provides protection of organizational interests and that of their affiliates (subsidiaries, partners, vendors, customers) โข It is the aim of senior management to ensure an organization's IT goals align with it's business goals. โข By implementing the metrics within 27001/2 senior management can ensure that IT investments delivers value. Performance is accurately measured and resources allocated in a manner to ensure effective risk mitigation 9
- 10. ISO 27001 questions EBSL Q. What is an ISMS ? โข The Information Security Management System(ISMS) specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's documented ISMS. โข It should maintain an overview of the organization's overall business risks and specify requirements for the implementation of security controls. Controls should be customized to the needs of the whole or part of the organization. 10
- 11. Why a Risk Assessment Methodology(RAM)? EBSL Assuring information security is a portion of the larger subject of Risk Mitigation & Management. The most important takeaway from ISO 27001 should be establishing a risk assessment methodology (RAM) โข A RAM enables an IT Manager to secure data in a manner that enables security Implementing a RAM ensures controls necessary to protect the business are โข defined and implemented RAM Provides metrics: results that are repeatable and comparable which โข can measure controls effectiveness 11
- 12. Why a Risk Assessment Methodology(RAM)? EBSL A RAM ensures that controls implemented will not be overly complex,over-reaching or costly but rather tailored to organizational needs. ISO 27001/2 emphasizes the importance of controls which when implemented, impacts an organization's security statically. Controls need to be reassessed and at times either retired or improved as necessary A risk assessment methodology when properly implemented will ensure that an organization has the means to protect it's business functions at all times. 12
- 13. Risk Relationships EBSL Source SQUARE Process Nancy R. Mead, Software Engineering Institute 13 https://buildsecurityin.us-cert.gov/bsi/articles/best-practices/requirements/232- BSI.html
- 14. Importance of Risk Management EBSL Organizations should โข Establish and use a risk assessment methodology that takes into consideration all legal and regulatory responsibilities in addition to information security โข Implement a framework for Conducting Risk Assessments โข Quantify it's risks and either accept individual risks, or prioritize the implementation of security controls to mitigate (or not ) these risks in order of severity by developing a Risk Treatment Plan (RTP) which either โข Accepts, Avoids or Transfers Risk; or Implement pertinent security controls. 14
- 15. Where do we go? EBSL โข Q1. How secure is the client if there are no metrics to measure security ? โข Q2. Is a system secure if it has never been breached ? โข Q3. The aim of a business is to realize a return on investment ( ROI); should ROI be more important than Risk Reduction Factor ? โข Q4. How secure are e-business partners? โข Q5. Are all the assets of an organization identified, listed and have proper ownership ? โข Q6 Does the organization have a reactive or proactive stance ? 15
- 16. EBSL End of Part 1 Questions ? 16