Information Security Management System Lecture 4 PDF
Nottingham Trent University
2025
Summary
This lecture provides a comprehensive overview of the information security management systems (ISMS). It covers key concepts, components, and considerations like scope, policy, risk assessment, and controls. The lecture further discusses different types of controls and the security plan. The document is presented as lecture notes for a course on information security.
Full Transcript
Information Security Lecture 4 – The Information Security Management System
8 January 2025

Outline
Outline of an Information Security Management System.
Overview of its constituent parts.
Highlighting key areas of interest where this module is concerned.
Introducing further concepts that we’ll look at in more detail in the weeks to come.

Information Assurance
“The confidence that information systems will protect the information they carry and will function as they need to, when they need to, under the control of legitimate users” (UK Cabinet Office).
An information system is not necessarily technical. It will be a series of policies, training programmes, documentation and technical implementations for the entire organisation.

The Information Security Management System
“The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed. It is important that the information security management system is part of and integrated with the organization’s processes and overall management structure and that information security is considered in the design of processes, information systems, and controls.”
Essentially the rule book of how to provide information assurance within the organisation.

The Information Security Management System (ISMS)
System Component                          Purpose/detail
Context                                   The basis for what needs to be done
Scope                                     Defining what is to be protected/supported
Objectives                                The basis for evaluation of overall effectiveness
Policy                                    Assurance and directive to the organisation
Planning                                  Aligning objectives with components
Managing programme:
  Risk assessment (analysis) & treatment  Analysis of what risks exist to which assets, which are acceptable and what controls are needed
  Statement of Applicability              ‘Checklist’ – have likely controls been considered?
Assurance processes                       Internal audit; management review
Performance improvement                   Non-conformance; continual improvement

Scope
Ideally throughout every level of the organisation.
In practice, some of it will be limited to sensitive parts of the organisation – the balancing act of security vs usability.

Policy
A high-level statement of the security goals for the organisation.
Should be short and to the point – how likely is a policy document hundreds of pages long to be implemented?

Risk Analysis
Process of identifying assets, vulnerabilities and the likelihood of exploitation with regard to the CIA triangle.
Combined with an analysis of the impact if compromised.
Identify whether it is worth applying controls and, if so, which.
Key part of both IS management and this module.

Risk analysis outcomes
Asset register – a list of all points of concern and who has ownership.
Risk register – a list of all identified risks and the potential controls to be utilised in addressing them.

Controls
What we will put in place to mitigate risk, lowering it to acceptable levels.
Can be broadly summarised as:
– Technical Controls
– Procedural Controls
– Physical Controls
– Some plans utilise managerial controls as well…
Further classified as Preventative, Detective or Corrective controls.
No way to completely remove risk – reduce it to within the company’s “risk appetite”.

Technical Controls
Using technology as a basis for minimising risks.
Access control.
Encryption.
Anti-virus software.
Intrusion Detection Systems and firewalls etc.

Procedural/Administrative Controls
Procedures and policies put in place to define behaviour within an organisation.
Password use policies.
Training programmes.
Recruitment policies.
Fair usage policies, BYOD guidance, away-from-desk policies etc.

Physical Controls
Structural security measures to deter or prevent access to assets.
CCTV cameras.
Alarm systems.
Staff cards.
Biometrics etc.

The Security Plan
Should set out:
Policy – goals of the security effort.
Current state – an overview of the current ISMS and of the security effort within the organisation.
Requirements – recommended ways to meet security goals through risk assessments.
Recommended controls – how we will address the vulnerabilities.
Accountability – who is responsible for each stage of this process and for each asset.
Timetable – produce a timescale for deployment.
Incident Response Procedures – what happens if a breach occurs.
Continuing attention – how often reviews should be done.

Information Security Lifecycle
[Lifecycle diagram; not reproduced in the transcript.]

Incident Response
Regardless of how much risk is reduced, attacks will still happen.
Staff require training to know how to identify a potential incident and what to do when they have seen one.
Reporting should also come from detective controls put in place and monitored by staff, e.g. network logs.
Following an incident, the response will normally include 5 phases: reporting, investigation, assessment, corrective action and review.

Incident Response Planning
Is there an incident response team (IRT) in place? This should come from a cross section of the organisation so there is sufficient breadth of knowledge to deal with the situation.
Need to be clear on the plan for incident response – for example, how will evidence be recorded? Police and Criminal Evidence Act 1984 (PACE)?

Business Continuity Planning
Maintaining the continuity of business operations following a significant incident/disaster.
What are the key assets that have to be “online” in order to meet objectives?
How long can the business operate without key assets and still be viable?
These will usually be defined by a Business Impact Analysis done alongside the risk assessments.
Exercises will often be implemented to test the plan’s “readiness”.

Disaster Recovery Phase
The period of time spent getting back to maximum service level.
What is the Recovery Time Objective (RTO) – i.e. how long can the organisation survive without the affected assets?
What is the Recovery Point Objective (RPO) – i.e. the point in time to which systems should be restored? Usually less than the RTO – for slack.
Might be impossible – disaster recovery plans may become permanent and normal operating procedure.

Key Roles
Chief Information Security Officer (CISO) – responsible for the day-to-day running of the information assurance policies.
In some organisations this is at board level to ensure appropriate responsibility/accountability and to encourage a top-down corporate culture of assurance.
Otherwise, there must be someone at board level who takes ownership, but not necessarily the CISO.
Other roles are spread across the organisation, with assurance activities written into every member’s role.

Summary
This session has provided an overview of the ISMS.
Looked at what the ISMS contains and what should be present for appropriate compliance requirements.
Standard components of a security plan, from risk assessing asset vulnerabilities up to recording and recovering from incidents.
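The risk analysis, risk register and controls slides describe a procedure; the following added example (not part of the lecture) works it through in code on a constructed register. The 1–5 likelihood and impact scales, the risk appetite of 6, the control names and all three sample risks are assumptions made for illustration.

```python
from dataclasses import dataclass, field

RISK_APPETITE = 6          # constructed: highest likelihood x impact we accept
KINDS = {"technical", "procedural", "physical"}
FUNCTIONS = {"preventative", "detective", "corrective"}

@dataclass
class Control:
    name: str
    kind: str                # technical / procedural / physical
    function: str            # preventative / detective / corrective
    likelihood_cut: int = 0  # points of likelihood the control removes
    impact_cut: int = 0      # points of impact the control removes

@dataclass
class Risk:                  # one row of the risk register
    asset: str
    owner: str               # the asset register needs an owner per asset
    vulnerability: str
    cia: str                 # which of C, I or A the vulnerability threatens
    likelihood: int          # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int              # 1 (negligible) .. 5 (severe), constructed scale
    controls: list = field(default_factory=list)

def inherent(r: Risk) -> int:
    return r.likelihood * r.impact

def residual(r: Risk) -> int:
    # Controls lower a factor but never below 1: risk is reduced, not removed
    lik = max(1, r.likelihood - sum(c.likelihood_cut for c in r.controls))
    imp = max(1, r.impact - sum(c.impact_cut for c in r.controls))
    return lik * imp

def treatment(r: Risk, appetite: int = RISK_APPETITE) -> str:
    if inherent(r) <= appetite:
        return "accept"      # already within appetite: controls not worth it
    return "treated" if residual(r) <= appetite else "needs more controls"

def asset_register(risks) -> dict:
    return {r.asset: r.owner for r in risks}

def applicability_gaps(r: Risk) -> set:
    # Statement-of-Applicability style checklist: functions not yet considered
    return FUNCTIONS - {c.function for c in r.controls}

RISKS = [  # constructed sample register
    Risk("Customer database", "Head of IT", "unpatched DB server", "C", 4, 5, [
        Control("Patch management", "procedural", "preventative", likelihood_cut=2),
        Control("Encryption at rest", "technical", "preventative", impact_cut=2)]),
    Risk("Server room", "Facilities", "tailgating", "A", 3, 4,
         [Control("Staff cards", "physical", "preventative", likelihood_cut=1)]),
    Risk("Shared printer", "Office manager", "paper jams", "A", 2, 1),
]
```

Running `treatment` over `RISKS` separates the risks the organisation can simply accept from those that still exceed its appetite even after the listed controls, and `applicability_gaps` shows that the database risk has no detective or corrective control considered yet.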