ISO 17799 Information Aggregator

Sword & Shield Partners with CoSaint to Offer Online Training …

Posted: June 21st, 2010 | Filed under: Uncategorized

Cosaint’s services are widely used to meet the end-user security training compliance needs of regulations such as PCI DSS, GLBA, Sarbanes-Oxley, ISO 17799, COBIT, FERPA, and HIPAA (Privacy and Security Rules). Click here for an analysis …

See the original post here: Sword & Shield Partners with CoSaint to Offer Online Training …


Managing Risk in Information Technology

Posted: June 17th, 2010 | Filed under: Uncategorized

As information technology increasingly falls within the scope of corporate governance, so management must increasingly focus on the management of risk to the achievement of its business objectives.

There are two fundamental components of effective management of risk in information and information technology: the first relates to an organization’s strategic deployment of information technology in order to achieve its corporate goals, the second relates to risks to those assets themselves. IT systems usually represent significant investments of financial and executive resources. The way in which they are planned, managed and measured should therefore be a key management accountability, as should the way in which risks associated with information assets themselves are managed.

Clearly, well managed information technology is a business enabler. Every deployment of information technology brings with it immediate risks to the organization and, therefore, every director or executive who deploys, or manager who makes any use of, information technology needs to understand these risks and the steps that should be taken to counter them.

ITIL has long provided an extensive collection of best practice IT management processes and guidance. In spite of an extensive range of practitioner-orientated certified qualifications, it is not possible for any organization to prove – to its management, let alone an external third party – that it has taken the risk-reduction step of implementing best practice.

More than that, ITIL is particularly weak where information security management is concerned – the ITIL book on information security really does no more than refer to a now very out-of-date version of ISO 17799, the information security code of practice.

The emergence of the international Information Security Management (ISO 27001) and IT Service Management (ISO 20000) standards changes all this. They make it possible for organizations that have successfully implemented an ITIL environment to be externally certificated as having information security and IT service management processes that meet an international standard; organizations that demonstrate – to customers and potential customers – the quality and security of their IT services and information security processes achieve significant competitive advantages.

Information Security Risk

The value of an independent information security standard may be more immediately obvious to the ITIL practitioner than an IT service management one. The proliferation of increasingly complex, sophisticated and global threats to information security, in combination with the compliance requirements of a flood of computer- and privacy-related regulation around the world, is driving organizations to take a more strategic view of information security. It has become clear that hardware-, software- or vendor-driven solutions to individual information security challenges are, on their own, dangerously inadequate. ISO/IEC 27001 (what was BS7799) helps organizations make the step to systematically managing and controlling risk to their information assets.

IT Process Risk

IT must be managed systematically to support the organization in achieving its business objectives, or it will disrupt business processes and undermine business activity. IT management, of course, has its own processes – and many of these processes are common across organizations of all sizes and in many sectors. Processes deployed to manage the IT organization itself need both to be effective and to ensure that the IT organization delivers against business needs. IT service management is a concept that embraces the notion that the IT organization (known, in ISO/IEC 20000 as in ITIL, as the “service provider”) exists to deliver services to business users, in line with business needs, and to ensure the most cost-effective use of IT assets within that overall context. ITIL, the IT Infrastructure Library, emerged as a collection of best practices that could be used in various organizations. ISO/IEC 20000, the IT service management standard, provides a best-practice specification that sits on top of ITIL.

Regulatory and Compliance Risk

All organizations are subject to a range of information-related national and international legislation and regulatory requirements. These range from broad corporate governance guidelines to the detailed requirements of specific regulations. UK organizations are subject to some, or all, of:

* Combined Code and Turnbull Guidance (UK)

* Basel II

* EU data protection, privacy regimes

* Sectoral regulation: FSA (1), MiFID (2), AML (3)

* Human Rights Act, Regulation of Investigatory Powers Act

* Computer misuse regulation

Those organizations with US operations may also be subject to US regulations such as Sarbanes-Oxley and SEC regulations, as well as sectoral regulation such as GLBA (4), HIPAA (5) and the USA PATRIOT Act. Most organizations are possibly also subject to US state laws that appear to have wider applicability, including SB 1386 (California Information Practice Act) and OPPA (6). Compliance depends as much on information security as on IT processes and services.

Many of these regulations have emerged only recently and most have not yet been adequately tested in the courts. There has been no co-ordinated national or international effort to ensure that many of these regulations – particularly those around personal privacy and data protection – are effectively co-ordinated. As a result, there are overlaps and conflicts between many of these regulations and, while this is of little importance to organizations trading exclusively within one jurisdiction, the reality is that many enterprises today are trading on an international basis, particularly if they have a website or are connected to the Internet.

Management Systems

A management system is a formal, organized approach used by an organization to manage one or more components of its business, including quality, the environment and occupational health and safety, information security and IT service management. Most organizations – particularly younger, less mature ones – have some form of management system in place, even if they’re not aware of it. More developed organizations use formal management systems which they have certified by a third party for conformance to a management system standard. Organizations that use formal management systems today include corporations, medium- and small-sized businesses, government agencies, and non-governmental organizations (NGOs).

Standards and Certifications

Formal standards provide a specification against which aspects of an organization’s management system can be independently audited by an accredited certification body and, if the management system is found to conform to the specification, the organization can be issued with a formal certificate confirming this. Organizations that are certificated to ISO 9000 will already be familiar with the certification process.

Integrated Management Systems

Organizations can choose to certify their management systems to more than one standard. This enables them to integrate the processes that are common – management review, corrective and preventative action, control of documents and records, and internal quality audits – to each of the standards in which they are interested. There is already an alignment of clauses in ISO 9000, ISO 14001 (the environmental management system standard) and OHSAS 18001 (the health and safety management standard) that supports this integration, and which enables organizations to benefit from lower cost initial audits, fewer surveillance visits and which, most importantly, allows organizations to ‘join up’ their management systems.

The emergence of these international standards now enables organizations to develop an integrated IT management system that is capable of multiple certification and of external, third party audit, while drawing simultaneously on the deeper best-practice contained in ITIL. This is a huge step forward for the ITIL world.

Sources:

(1) Financial Services Authority

(2) Markets in Financial Instruments Directive

(3) Anti-money laundering regulations

(4) Gramm-Leach-Bliley Act

(5) Health Insurance Portability and Accountability Act

(6) Online Personal Privacy Act

Alan Calder is an international authority on IT Governance and information security management. He led the world’s first successful implementation of BS 7799, the information security management standard upon which ISO 27001 is based, and wrote the definitive compliance guide for this standard, IT Governance: A Manager’s Guide to Data Security and BS7799/ISO17799. The 3rd edition of this book is the basis for the UK Open University’s postgraduate course on Information Security. He has just written, for BSI, a management guide on integrating ISO 27001 and ISO 20000 Management Systems, drawing heavily on ITIL best practice. He is a consultant to companies around the world, including Cisco.

Article Source:

http://EzineArticles.com/?expert=Alan_Calder

Read the original: Managing Risk in Information Technology


Compliance and Security

Posted: June 16th, 2010 | Filed under: Uncategorized

Compliance

It is possible to have excellent security and not be compliant, and it is also possible to pass a compliance audit and have very poor organizational security. The illusion that compliance equals security has led organizations to spend excessively on compliance to the detriment of security.

There are five principles in balancing compliance with security:

o Base your security program on a security framework

o Leverage compliance budgets for information security controls

o Automate policy compliance and auditing

o Be prepared to manage change in threats and regulations

o Create an effective awareness and training program

Different organizations, information security professionals and consulting companies approach a security program in different ways. Many organizations follow the ISO 17799 approach (International Organization for Standardization) and a few follow the COBIT standards (Control Objectives for Information and Related Technology); both are great starting points. But there is another approach, the Sherwood Applied Business Security Architecture (SABSA).

The SABSA model uses different roles, each working from its own perspective:

o Business owner – Contextual

o Architecture – Conceptual

o Designer – Logical

o Builder – Physical

o Tradesman – Component

o Facilities Manager – Operational

The SABSA model slices an enterprise into six layers so that security can be more focused and more business-oriented. Although the model is theoretical and academic in nature, once an organization has its security building blocks in place it can evolve past the ISO model and implement SABSA.

6.1 Complying with BS7799/ISO 17799

Considerations for developing and implementing the standard from a business and technical perspective fall into two parts:

Part 1

o Code of practice for information security management

Part 2

o Specification for information security management systems

Why Implement:

o Helps realise the security policy

o Builds a level of business confidence

o Easy and flexible architecture

o Common standard

o Position of strength

o Ability to leverage business benefits

o Develop best practice

o Introduce benchmark standards

o Recognised international standards

The standard was developed from the following legislation:

o Data Protection Act 1984

o Data Protection Act 1988

o Data Protection Act 1998

o Computer Misuse Act 1990

o Copyright Designs and Patents Act 1988

o Human Rights Act 2000

o Regulation of Investigatory Powers Act 2000 (RIP Bill)

BS7799 Contents of Part 1

o Scope

o Terms and definitions

o Security policy

o Security organisation

o Asset classification and control

o Personnel security

o Physical and environmental security

o Communications and operations management

o Access control

o Systems development and maintenance

o Business continuity management

o Compliance

BS7799 Contents of Part 2

o Scope

o Terms and definitions

o Information security management system requirements

o Detailed controls

1. Security policy

2. Security organisation

3. Asset classification and control

4. Personnel security

5. Physical and environmental security

6. Communications and operations management

7. Access control

8. System development and maintenance

9. Business continuity management

10. Compliance

Critical Success Factors

o Policies, Objectives and Activities that reflect business objectives

o Appropriate resources

o Consistency with culture

o Visible support and commitment from management

o Clear understanding of the security requirements and risk

o Effective marketing of security to all employees

o Distribution of information to all partners, suppliers, employees and contractors

o Providing appropriate training and education

o Key performance indicators

Selecting Controls

o Identify business objectives

o Identify business strategy

o Identify security strategy

o Identify and implement controls

Key controls

1. Information security policy document

2. Allocation of security responsibilities

3. Information security education and training

4. Reporting of security incidents

5. Virus controls

6. Business continuity planning

7. Control of proprietary software copying

8. Safeguarding of company records

9. Compliance with data protection legislation

10. Compliance with the security policy

Certification requirements for BS7799 /ISO 17799

The organisation shall establish and maintain a documented ISMS.

Management framework

1. Risk management approach

2. Identify control objectives and controls

3. Documented evidence:

- evidence of the actions undertaken

- a summary of the management framework

- the procedures adopted to implement the controls

- the procedures covering the management and operation of the ISMS

In 2005 the International Organization for Standardization released ISO 17799:2005, which establishes guidelines and general principles for initiating, implementing, maintaining and improving information security in an organization. Its controls are intended to be implemented to meet the requirements identified by a risk assessment.

Management framework

o Define the policy

o Define the scope of the information security management system

1. Characteristics of the organisation

2. Location

3. Assets

4. Technology

o Undertake risk assessment

1. Threats

2. Vulnerabilities

3. Impacts

4. Degree of risk

o Manage the risks

o Select control objectives & controls

o Prepare statement of applicability

1. Selected control objectives and rationale

2. Exclusion of controls and rationale

6.2 Applying BS7799/ISO17799

o A Practical Approach

o Gap Analysis

o Action Planning

o Risk Assessment and Treatment

o Developing an improvement programme

o Effective Statement of Applicability

o Planning and Costing a BS7799/ISO17799 project

o ISMS (Information Security Management System)

o Audit

How to do BS7799/ISO17799 Projects

Who to Interview

Security Management: Security Policy / Organisation

Security Management: Asset Classification and Control

Typically HR: Personnel Security

Site Security / IT Manager: Physical and Environmental Security

Business Manager / IT Manager: Communications and Operations Management

System Administration Staff: Access Control

Development Staff: System Development

Business Continuity Manager: Business Continuity Management

Internal Audit / Legal: Compliance

Appropriate staff / line Management: Business / Info Process

A Good Gap Analysis

o Clearly defined scope

o Clear findings against each control (good areas as well as gaps)

o The ISMS

o Clear practical and appropriate recommendations leading to compliance

o All recommendations reinforced and supported by findings

Finalising Resources

Resourcing:

o Match actions with in-house resources and confirm availability

o Identify availability shortfalls

o Identify where specialist support is needed

o Obtain necessary approvals for SIP

Ensure the group has access to the full Gap Analysis Report for guidance.

Establish the ISMS through the creation of the Information Security Forum.

6.3 Risk Assessment and BS7799/ISO17799

o Define a systematic approach to risk assessment

o Identify the risk

o Assess the risk

o Select control objectives and controls for the treatment of risk

o Identify and evaluate options for the treatment of risk

Generic Steps

o Identify assets

o Identify asset dependencies

o Business Impact Assessment (Asset Valuation)

o Threat Assessment

o Determine levels of risk (Risk Assessment)

o Countermeasures Selection

o Map to BS7799/ISO17799

o Risk Treatment
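The management framework and the generic steps above describe a pipeline: value assets, follow their dependencies, score threats against vulnerabilities and impact to get a degree of risk, decide which risks to treat, select controls, and record the selections and exclusions with a rationale in the Statement of Applicability. The following is an added example written for this page, not code from the article or its author: a small Python risk register that runs that pipeline over a constructed set of assets and threats. The 1..5 scoring scale, the multiplicative degree-of-risk formula, the acceptance threshold and the mapping of threats to BS7799 control areas are all assumptions made for illustration, not values from the standard.

```python
"""Toy ISMS risk register (constructed example, not from the article).

Steps: asset valuation -> asset dependencies -> threat assessment ->
degree of risk -> risk treatment -> control selection -> Statement of
Applicability with rationale for selections and exclusions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Control areas named in the article's BS7799 Part 1 contents; the one-line
# descriptions and the threat-to-control mapping below are our assumptions.
CONTROL_CATALOGUE = {
    "Access control": "restrict and log access to systems and data",
    "Communications and operations management": "patching, malware protection, backups",
    "Business continuity management": "tested recovery plans",
    "Physical and environmental security": "secure areas and equipment protection",
    "Personnel security": "vetting, awareness, incident reporting",
}

ACCEPT_BELOW = 20   # constructed threshold: risks scoring below this are accepted


@dataclass
class Asset:
    name: str
    value: int                                  # business impact assessment, 1..5
    depends_on: List[str] = field(default_factory=list)


@dataclass
class Threat:
    asset: str
    name: str
    likelihood: int                             # 1..5
    vulnerability: int                          # 1..5, how exposed the asset is
    controls: List[str]                         # catalogue entries that treat it


@dataclass
class Risk:
    asset: str
    threat: str
    score: int
    level: str
    treatment: str
    controls: List[str]


def effective_value(assets: Dict[str, Asset], name: str) -> int:
    """Asset dependencies: a supporting asset is worth at least as much as
    every asset that (transitively) depends on it."""
    value = assets[name].value
    stack, seen = [name], set()   # type: List[str], Set[str]
    while stack:
        current = stack.pop()
        for other in assets.values():
            if current in other.depends_on and other.name not in seen:
                seen.add(other.name)
                value = max(value, other.value)
                stack.append(other.name)
    return value


def degree_of_risk(likelihood: int, vulnerability: int, impact: int) -> int:
    """Constructed formula: likelihood x vulnerability x impact, range 1..125."""
    for v in (likelihood, vulnerability, impact):
        if not 1 <= v <= 5:
            raise ValueError("scores must be in 1..5")
    return likelihood * vulnerability * impact


def risk_level(score: int) -> str:
    if score >= 60:
        return "High"
    if score >= ACCEPT_BELOW:
        return "Medium"
    return "Low"


def assess(assets: List[Asset], threats: List[Threat]) -> List[Risk]:
    """Risk assessment and treatment decision, highest risk first."""
    asset_map = {a.name: a for a in assets}
    risks = []
    for t in threats:
        impact = effective_value(asset_map, t.asset)
        score = degree_of_risk(t.likelihood, t.vulnerability, impact)
        level = risk_level(score)
        treat = level != "Low"
        risks.append(Risk(t.asset, t.name, score, level,
                          "treat" if treat else "accept",
                          sorted(set(t.controls)) if treat else []))
    return sorted(risks, key=lambda r: r.score, reverse=True)


def statement_of_applicability(risks: List[Risk]) -> Dict[str, dict]:
    """Every catalogue control is listed: selected ones cite the risks they
    treat, excluded ones carry the reason for exclusion."""
    selected: Dict[str, List[str]] = {}
    for r in risks:
        for c in r.controls:
            selected.setdefault(c, []).append(f"{r.threat} on {r.asset} ({r.level})")
    soa = {}
    for control in CONTROL_CATALOGUE:
        if control in selected:
            soa[control] = {"applicable": True, "rationale": "; ".join(selected[control])}
        else:
            soa[control] = {"applicable": False,
                            "rationale": f"no treated risk requires it (all scored below {ACCEPT_BELOW})"}
    return soa


# Constructed sample scope: the portal depends on the database and the switch,
# so both inherit the portal's valuation; the kiosk supports nothing.
SAMPLE_ASSETS = [
    Asset("customer web portal", 5, ["customer database", "core switch"]),
    Asset("customer database", 3),
    Asset("core switch", 2),
    Asset("visitor kiosk", 1),
]
SAMPLE_THREATS = [
    Threat("customer database", "unauthorised access", 3, 4, ["Access control"]),
    Threat("core switch", "hardware failure", 2, 3, ["Business continuity management"]),
    Threat("visitor kiosk", "theft", 2, 2, ["Physical and environmental security"]),
    Threat("customer web portal", "malware", 3, 2,
           ["Communications and operations management", "Personnel security"]),
]

if __name__ == "__main__":
    for r in assess(SAMPLE_ASSETS, SAMPLE_THREATS):
        print(f"{r.score:>3} {r.level:<6} {r.treatment:<6} {r.threat} on {r.asset} -> {r.controls}")
    for control, entry in statement_of_applicability(assess(SAMPLE_ASSETS, SAMPLE_THREATS)).items():
        print(f"{'SELECTED' if entry['applicable'] else 'EXCLUDED':<8} {control}: {entry['rationale']}")
```

The dependency step is what changes the outcome: on its own valuation the database scores 3 x 4 x 3 = 36 (Medium), but because the portal depends on it the inherited valuation of 5 lifts it to 60 (High). The kiosk theft scores 4, falls below the acceptance threshold and is accepted, which is why "Physical and environmental security" appears in the Statement of Applicability as an excluded control with a rationale rather than being silently omitted.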

Document Management

BS7799/ISO17799 section 4.3 calls for

o Distribution /Availability to staff as required

o Version/ Change control

o Documents to be dated (Including previous versions)

o By implication, uniquely identifiable and fully controlled

ISO 9001 compliance is an advantage

Appropriate change control is needed for an intranet solution.

10 Tips for Success

1. Ensure senior management involvement

2. Recommend a realistic and useful scope

3. Develop a good risk assessment

4. Promote Active Risk management

5. Interpret the controls for the scope

6. Ensure early Security Forum creation

7. Ensure maximum use of the Statement of Applicability

8. Get internal third parties to sign up

9. Get audits underway to raise assurance

10. Take staff awareness seriously

You can purchase this best seller “The Art of Security and Information Hiding” at http://www.amazon.com

Emmanuel Sodipo is a consultant managing several successful online businesses. You can also purchase this book directly from http://lulu.com/content/2086282

Article Source:

http://EzineArticles.com/?expert=Emmanuel_Sodipo

Original post: Compliance and Security