ICT Compliance


PAMAPERSADA NUSANTARA

Sharing knowledge presentation

Improve ISMS as ICT Strategic partner to align with business objective

Proposed Improvement


Background

Current condition: the objective of the ISMS is to control and protect enterprise information assets in terms of confidentiality, integrity and availability. The ISMS focuses only on risk.

Impact

Unable to provide a best-practice guide for producing effective and efficient procedures aligned with the business objective. The ISMS sometimes becomes a barrier and fails to satisfy the business objective.

Improve

To be more aligned with the business objective.

Impact

Confidence in the ICT division will be reduced.

Conceptual view in compliance management

Proposed Concept


Conceptual View

Provide top management with an overview of the actual state of fulfilment of the related policies or regulations.

Reduce business risk by deploying controls from an existing framework.

Improve business performance by adopting a set of practice references from an existing framework.


Conceptual View

➢ Regulate and guide the business processes of the organization.

➢ Regulate and guide the operation of IT in the organization, including all of the processes and systems within it.

➢ Apply to the entire IT infrastructure of the organization.

➢ Focus on many areas of responsibility for IT managers and staff, including: IT organization; policy creation and communication; system security; operations; change management; incident handling; monitoring; service, system and application performance.

➢ Are unique to each application that the organization uses to run its business.

➢ IT components that support administrative controls.

➢ Application controls focus on: data preparation procedures; accuracy, completeness and authorization checks; data processing integrity; input/output distribution; protection of sensitive information in transmission.


Conceptual View

Classification of technical controls:

Controls are classified by how they operate (manual or automated) and by their behavior (preventive or detective).

Manual controls require a person to enforce the control, whereas the IT system enforces automated controls.

Preventive technical controls prevent unwanted events from occurring. Detective technical controls cannot prevent unwanted events, but they can detect events and then notify a person or system to respond to them.

Combined classification of technical controls (additional controls):

- Additional control
- Cumulative control
- Compensating control


Developing common technical controls:

1. Review each regulation.

2. Determine the control requirements specific to each applicable regulation and standard.

3. Implement the appropriate controls.

4. Conduct an audit to determine compliance sufficiency.
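The four steps above, together with the manual/automated and preventive/detective classification, are easiest to see on a small control-mapping matrix. The following Python is an added example and not part of the original deck or of PAMA's ISMS: the requirement ids (R-01 ...), control ids (C-01 ...), names, sources and implementation statuses are all constructed. It maps requirements from several sources to catalogue controls (step 2), records which controls are actually in place (step 3), reports per-requirement coverage including gaps, detective-only coverage and reliance on compensating controls (step 4), and lists the "common" controls that satisfy more than one regulation at once.

```python
"""Map regulatory requirements to technical controls and report gaps.

Added example; it is not from the Pamapersada deck. Every requirement,
control, name and status below is constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Operate(Enum):
    MANUAL = "manual"        # a person enforces the control
    AUTOMATED = "automated"  # the IT system enforces the control


class Behavior(Enum):
    PREVENTIVE = "preventive"  # stops the unwanted event
    DETECTIVE = "detective"    # only detects it and notifies someone


@dataclass(frozen=True)
class Control:
    cid: str
    name: str
    operate: Operate
    behavior: Behavior
    implemented: bool
    # Set when this control only stands in for another one that is not in place.
    compensating_for: Optional[str] = None


@dataclass(frozen=True)
class Requirement:
    rid: str
    source: str           # regulation or standard the requirement comes from
    text: str
    controls: tuple = ()  # control ids mapped to this requirement


# Constructed control catalogue (hypothetical ids and names).
CATALOGUE = {c.cid: c for c in [
    Control("C-01", "Central log collection and daily review", Operate.AUTOMATED, Behavior.DETECTIVE, True),
    Control("C-02", "Quarterly user access review", Operate.MANUAL, Behavior.DETECTIVE, True),
    Control("C-03", "Role-based access control in the ERP", Operate.AUTOMATED, Behavior.PREVENTIVE, True),
    Control("C-04", "Full-disk encryption on field laptops", Operate.AUTOMATED, Behavior.PREVENTIVE, False),
    Control("C-05", "Locked cabinet and sign-out sheet for laptops", Operate.MANUAL, Behavior.PREVENTIVE, True,
            compensating_for="C-04"),
    Control("C-06", "Wireless repeater registration procedure", Operate.MANUAL, Behavior.PREVENTIVE, False),
]}

# Constructed requirements from several sources, mapped to catalogue controls (step 2).
REQUIREMENTS = [
    Requirement("R-01", "ISO 27001:2013 A.9", "Restrict access to information and application functions", ("C-03", "C-02")),
    Requirement("R-02", "Government regulation", "Protect personal data held on mobile devices", ("C-04", "C-05")),
    Requirement("R-03", "ISO 27001:2013 A.12", "Log and monitor user activities and security events", ("C-01",)),
    Requirement("R-04", "Government regulation", "Register wireless repeaters before use", ("C-06",)),
    Requirement("R-05", "Internal audit", "Detect unauthorised changes to production systems", ()),
    Requirement("R-06", "Government regulation", "Review personnel access rights periodically", ("C-02",)),
]


def classify(control: Control) -> str:
    """Combined classification, e.g. 'automated detective'."""
    return f"{control.operate.value} {control.behavior.value}"


def assess_requirement(req: Requirement, catalogue: dict) -> str:
    """Decide how well one requirement is covered by its mapped controls."""
    mapped = [catalogue[cid] for cid in req.controls]
    if not mapped:
        return "gap"                      # step 2 found no control at all
    live = [c for c in mapped if c.implemented]
    if not live:
        return "not implemented"          # controls chosen but step 3 not done
    if all(c.compensating_for for c in live):
        return "compensating only"        # the primary control is still missing
    if not any(c.behavior is Behavior.PREVENTIVE for c in live):
        return "detective only"           # events can be seen but not stopped
    return "covered"


def assess(requirements, catalogue) -> dict:
    """Audit view (step 4): requirement id -> coverage status."""
    return {r.rid: assess_requirement(r, catalogue) for r in requirements}


def common_controls(requirements) -> dict:
    """Controls that satisfy requirements from more than one source: the
    'common technical controls' worth implementing once and reusing."""
    sources = {}
    for r in requirements:
        for cid in r.controls:
            sources.setdefault(cid, set()).add(r.source)
    return {cid: sorted(s) for cid, s in sources.items() if len(s) > 1}


if __name__ == "__main__":
    for rid, status in assess(REQUIREMENTS, CATALOGUE).items():
        print(rid, status)
    print("common controls:", common_controls(REQUIREMENTS))
```

The "compensating only" and "detective only" statuses are the ones an auditor asks about: a locked cabinet standing in for missing disk encryption, or log review with nothing preventing the event, both satisfy the mapping on paper but leave the primary risk in place.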


Current Condition (SWOT)

Strengths:
● 80% of policies deployed
● Supporting tools are available (Splunk, DLP, SIKAP, Lansweeper, Microsoft Assessment and Planning Toolkit, etc.)
● Allocated resources are available
● Top management commitment

Weaknesses:
● Inadequate management direction
● Ineffective status quo
● Inadequate competencies
● Obsolete framework
● Inadequate framework scope

Opportunities:
● There is an opportune moment to redevelop organizational functions

Threats:
● Unsatisfied business partners
● Audits (external/internal)
● Government regulation (e.g. the wireless repeater policy)


Management concerns:

* Direction on how the institution should run

* Feedback on the proposed concept

* Strategy to handle the status quo problem

Thanks

Sharing Knowledge: ICT Governance & Compliance


References, books & e-books:
● CISA Review Manual 2013 (ISACA store)
● ISO 27002:2013 Gap Analysis (http://www.itgovernance.co.uk/shop/c-198-disaster-recovery.aspx)
● Governance, Risk Management & Compliance (http://en.wikipedia.org/wiki/Governance)
● How to Develop a Statement of Applicability According to ISO 27001:2013 (Jesper E. Siig, 2013)
● Moving from ISO/IEC 27001:2005 to ISO/IEC 27001:2013 (BSI Standards, 2013)
● Mapping Between the Requirements of ISO/IEC 27001:2005 and ISO/IEC 27001:2013 (BSI Standards, 2013)
● Aligning CobiT 4.1, ITIL V3 and ISO/IEC 27002 for Business Benefit (IT Governance Institute)
● Securing Sensitive Personal Data or Information (ISACA, 2013)
● An Introduction to Information Security and ISO 27001 (2013): A Pocket Guide, Second Edition
● Information Security Policy Development for Compliance (Barry L. Williams, 2003)
● COBIT 4.1 Framework (ISACA)
● Splunk Enterprise Log Management Role Supporting ISO 27002 Framework (Splunk)
● Guidelines for the preparation of IT management for State-Owned Enterprises (Panduan penyusunan pengelolaan IT Badan Usaha Milik Negara, PER-02/MBU/2013)

Reference links:
http://www.teknologiinformasidankomunikasi.com/asal-usul/hubungan-yang-unik-antara-security-risk-dan-compliance/
http://www.teknologiinformasidankomunikasi.com/it-governance/it-compliance/it-compliance-vs-is-compliance/
http://www.bumn.go.id/wp-content/uploads/2013/01/PER02MBU2013.pdf
http://manajemen-ti.com/manajemen-risiko/217-beragam-pendekatan-implementasi-grc.html
http://aswilnazir.com/2012/06/11/apa-bedanya-it-compliance-dengan-it-governance/
http://itilindo.com/2009/03/17/posisi-itil-dan-cobit/
http://en.wikipedia.org/wiki/Governance,_risk_management,_and_compliance
http://cobitindo.blogspot.com/
http://sdppi.kominfo.go.id/artikel_c_3_p_93.htm
http://searchsecurity.techtarget.com/tip/How-to-use-COBIT-for-compliance
http://www.teknologiinformasidankomunikasi.com/ict/sejarah-it-governance/
http://www.teknologiinformasidankomunikasi.com/it-governance/information-security/perbedaan-iso-17799-dan-iso-27000/
http://www.itgovernance.co.uk/shop/p-1456-multiuser-site-licence-iso-iec-27001-2013-and-iso-iec-27002-2013.aspx#.UuJBOss-bcs
http://www.deltaprima.net/perubahan-standar-iso-27001-2005-menjadi-iso-27001-2013/
http://www.deltaprima.net/konsultan-iso-27001-consultant/

History

ISMS (Information Security Management System) at PT. Pamapersada Nusantara

About the PAMA ISMS:
➔ Designed and built since 2006
➔ The institution has been established since 2007
➔ Currently there are 2 commitment letters signed, 6 policies signed, 1 policy in draft and 1 with no status
➔ 10 procedures have been signed, 16 are still in draft, and 17 forms have been deployed to support the procedures
➔ The institution is separated into 3 areas:
 - People socialization & awareness (SUK)
 - Policies & procedure development (ABH)
 - Technical risk assessment (MUF)
➔ Applies ISO 27001:2005 as the compliance framework guidance
➔ Current fulfilment of the ISO 27001 framework is as shown below:


Current Policies & Procedures

Sharing Knowledge (Governance Framework): ISO 27001:2013, COBIT 4.1 & ITIL V3

ISO 27001

About ISO 27001:

➢ Designed to protect and preserve the confidentiality, integrity and availability of information, and to manage and control enterprise information security risk.

➢ ISO/IEC 27001 is derived from BS 7799 Part 2, published in 1999. BS 7799 Part 2 was revised by BSI in 2002, explicitly incorporating Deming's Plan-Do-Check-Act (PDCA) cycle, and was adopted by ISO/IEC as ISO/IEC 27001 in 2005. It was extensively revised in 2013, bringing it into line with the other ISO management system standards and dropping the explicit PDCA requirement.

➢ It is the requirements standard of the ISO 27000 family series.


ISO 27001 Implementation How To

The implementation phases are the following:

• The Plan phase: plan the basic organisation of information security, set objectives for information security and choose the appropriate security controls (the 2005 edition of the standard contains a catalogue of 133 possible controls; the 2013 edition has 114).
• The Do phase: carry out everything that was planned during the previous phase.
• The Check phase: monitor the functioning of the ISMS through various "channels" and check whether the results meet the set objectives.
• The Act phase: improve everything that was identified as non-compliant in the previous phase.

Document output:

• The scope of the ISMS (mandatory)
• ISMS policies (mandatory)
• Risk assessment & gap analysis document
• Statement of Applicability (mandatory)
• Risk treatment plan (mandatory)
• Internal audit documents, including gap analysis
• Management report documents (mandatory)
• Corrective action documents

About ISO 27001:2013

➔ ISO 27001:2013 is an information security standard published on 25 September 2013.
➔ It cancels and replaces ISO 27001:2005.
➔ There are 114 controls in 14 domain groups (previously 133 controls in 11 groups).
➔ Existing controls have been deleted or merged, some new controls added, and some of the retained controls re-worded.
➔ These changes reflect changes in technology that affect the survival of many businesses today (e.g. cloud computing).
➔ Developed to be more aligned with other management system standards such as ISO 9001 and ISO 20000.
➔ Drops the mandatory asset-based approach to risk identification, making it more flexible when integrated with other frameworks such as COBIT and ITIL.

ISO 27001:2005 to 27001:2013

ISO 27002:2013 / Annex A framework

ISO 27001:2005 Annex A:
• A.5: Security policy
• A.6: Organization of information security
• A.7: Asset management
• A.8: Human resources security
• A.9: Physical and environmental security
• A.10: Communications and operations management
• A.11: Access control
• A.12: Information systems acquisition, development and maintenance
• A.13: Information security incident management
• A.14: Business continuity management
• A.15: Compliance

ISO 27001:2013 Annex A:
• A.5: Information security policies
• A.6: Organization of information security
• A.7: Human resource security
• A.8: Asset management
• A.9: Access control
• A.10: Cryptography
• A.11: Physical and environmental security
• A.12: Operations security
• A.13: Communications security
• A.14: System acquisition, development and maintenance
• A.15: Supplier relationships
• A.16: Information security incident management
• A.17: Information security aspects of business continuity management
• A.18: Compliance


Mandatory requirements for ISO 27001:2013 certification (ISO 27001:2005 to 27001:2013):

1. ISMS scope (clause 4.3) ( - )
2. Information security policy (clause 5.2) ( + )
3. Information security risk assessment process (clause 6.1.2) ( + )
4. Information security risk treatment process (clause 6.1.3) ( - )
5. Information security objectives (clause 6.2) ( + )
6. Evidence of the competence of the people working in information security (clause 7.2) ( - )
7. Other ISMS-related documents deemed necessary by the organization (clause 7.5.1b) ( + )
8. Operational planning and control documents (clause 8.1) ( - )
9. The results of the risk assessments (clause 8.2) ( + )
10. The decisions regarding risk treatment (clause 8.3) ( - )
11. Evidence of the monitoring and measurement of information security (clause 9.1) ( - )
12. The ISMS internal audit programme and the results of audits conducted (clause 9.2) ( - )
13. Evidence of top management reviews of the ISMS (clause 9.3) ( - )
14. Evidence of nonconformities identified and corrective actions arising (clause 10.1) ( - )
15. Various others: Annex A, which is normative, mentions but does not fully specify further documentation, including rules for acceptable use of assets, an access control policy, operating procedures, confidentiality/non-disclosure agreements, secure system engineering principles, an information security policy for supplier relationships, information security incident response procedures, relevant laws, regulations and contractual obligations plus the associated compliance procedures, and information security continuity procedures.

COBIT (Control Objectives for Information and Related Technology)

➔ Developed by the IT Governance Institute (ITGI, www.itgi.org), which ISACA founded in 1998; the first COBIT edition was published by ISACA in 1996.
➔ Designed as an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.
➔ Enables clear policy development and good practice for IT control throughout organizations.
➔ Emphasizes regulatory compliance and helps organizations increase the value attained from IT.
➔ Provides an approach to process maturity (known as the COBIT maturity model).
➔ The COBIT framework is organized in 4 domains: Plan and Organise (PO); Acquire and Implement (AI); Deliver and Support (DS); Monitor and Evaluate (ME).

COBIT components

The COBIT components:

· Framework: organizes IT governance objectives and good practices by IT domains and processes, and links them to business requirements.
· Process descriptions: a reference process model and common language for everyone in an organization. The processes map to the responsibility areas of plan, build, run and monitor.
· Control objectives: provide a complete set of high-level requirements to be considered by management for effective control of each IT process.
· Management guidelines: help assign responsibility, agree on objectives, measure performance, and illustrate interrelationships with other processes.
· Maturity models: assess maturity and capability per process and help to address gaps.

COBIT v4.1 Framework

COBIT process description: responsibility assignment matrix (RACI)

COBIT control objectives

COBIT maturity model (maturity chart)

ITIL (Information Technology Infrastructure Library)

About ITIL:

ITIL has been developed by the UK government since 1990 (originally by the Central Computer and Telecommunications Agency, CCTA, later the Office of Government Commerce, OGC). It was built as a set of practices for IT service management (ITSM) that focuses on aligning IT services with the needs of the business.

ITIL is intended to underpin but not dictate the business processes of an organisation. In this context, OGC does not approve of the term 'ITIL-compliant'.

It has 5 core publications:
1. ITIL Service Strategy
2. ITIL Service Design
3. ITIL Service Transition
4. ITIL Service Operation
5. ITIL Continual Service Improvement

The latest version is ITIL v3 (2007, updated as the ITIL 2011 edition).

More detail about ITIL :http://www.axelos.com/Knowledge-Centre/White-Papers/

Framework Review

Framework:            ISO 27002:2013                               COBIT v4.1                  ITIL v3
Strength:             Risk control                                 IT process control          IT services & infrastructure
Business objective:   Enterprise information security management   Enterprise ICT governance   Enterprise IT services and infrastructure management
Certification:        Available                                    Available                   Not available
Provider:             ISO/IEC                                      ISACA                       OGC
Developed since:      1999                                         1998                        1990

Aligning ISO 27001:2013 & COBIT v4.1

A management briefing from ITGI and OGC

How to use:

ISO 27001 as parent framework:
● When the enterprise needs to reduce risk that comes from a specific process (e.g. reducing risk in network controls or software licensing controls).

COBIT v4.1 as parent framework:
● When the enterprise needs to improve a specific process related to managing the risk (e.g. using COBIT to provide a guide for BRS / IS project development).

Execute ISO 27001:2013 as parent framework (aligning ISO 27001:2013 and COBIT v4.1)

ISO 27001:2013 track:
1. Define and set up the ISO 27001:2013 scope of implementation
2. Review and redeploy policies
3. Perform risk assessment
4. Develop and execute the treatment plan
5. Perform an audit
6. Improve
7. Ensure process continuity

Documents produced:
• Scope documents
• Matrix of current policies against required policies (ISO 27001:2013)
• Risk assessment document including analysis, current controls, gaps, residual and accepted risk, etc.
• SoA document
• Treatment plan documents including allocated resources
• PICA
• Audit documents including findings, etc.
• Management response to the audit findings

COBIT v4.1 track (for the processes defined in the SoA):
1. Define the SoA as business objectives
2. Assess the IT processes defined in the SoA
3. Assess the appropriate procedures
4. Perform process analysis
5. Identify the maturity model per IT process

Documents produced:
• Business objectives
• Matrix document of IT processes vs procedures
• RACI matrix
• Control objectives documents
• Process analysis documents including maturity model, gap to control objectives, etc.
• Capability maturity documents including chart

Execute COBIT v4.1 as parent framework (aligning COBIT v4.1 and ISO 27001:2013)

COBIT v4.1 track:
1. Translate and define business objectives based on management direction
2. Assess the current process and appropriate controls
3. Perform risk assessment
4. Deploy the process and update the related documents
5. Define effective, efficient and secure business processes
6. Monitor process maturity
7. Ensure process continuity

Documents produced:
• Risk assessment document including analysis, current controls, gaps, residual and accepted risk, etc.
• RACI matrix
• Appropriate procedures
• Updated documents (SOP, BRS, BSD, etc.)
• BRS
• Process maturity level matrix

ISO 27001:2013 track:
1. Define the related risk
2. Perform risk analysis including gap, residual and accepted risk
3. Develop a treatment plan to reduce the risk
4. Perform an audit of the related risk
5. Execute the treatment plan
6. Ensure process continuity

Documents produced:
• Treatment plan documents including allocated resources
• Risk assessment documents
• Audit result documents
• PICA
• Business objectives

Conceptual View

Why control is the core of compliance:

• Reduce the risk of fraud
• Protect organization and customer assets
• Prevent disclosure of organization and customer secrets
• Comply with regulations
• Improve business awareness
• Improve efficiency
• Improve accuracy

ISO 27001 Implementation How To

The Plan phase consists of the following steps:
• Determining the scope of the ISMS
• Writing an ISMS policy
• Identifying the methodology for risk assessment and determining the criteria for risk acceptance
• Identification of assets, vulnerabilities and threats
• Evaluating the size of risks
• Identification and assessment of risk treatment options
• Selection of controls for risk treatment
• Obtaining management approval for residual risks
• Obtaining management approval for implementation of the ISMS
• Writing a Statement of Applicability that lists all applicable controls, states which of them have already been implemented, and which are not applicable

The Do phase consists of the following activities:
• Writing a risk treatment plan, describing who, how, when and with what budget the applicable controls should be implemented
• Implementing the risk treatment plan
• Implementing applicable security controls
• Determining how to measure the effectiveness of controls
• Carrying out awareness programs and training of employees
• Management of the normal operation of the ISMS
• Management of ISMS resources
• Implementation of procedures for detecting and managing security incidents


The Check phase includes the following:
• Implementation of procedures and other controls for monitoring and reviewing, in order to establish any violation or incorrect data processing and whether the security activities are carried out as expected, etc.
• Regular reviews of the effectiveness of the ISMS
• Measuring the effectiveness of controls
• Reviewing the risk assessment at regular intervals
• Internal audits at planned intervals
• Management reviews to ensure that the ISMS is functioning and to identify opportunities for improvement
• Updating security plans to take account of other monitoring and reviewing activities
• Keeping records of activities and incidents that may affect the effectiveness of the ISMS

The Act phase includes the following:
• Implementation of identified improvements in the ISMS
• Taking corrective and preventive action; applying one's own and others' security experience
• Communicating activities and improvements to all stakeholders
• Ensuring that improvements achieve the desired objectives
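The Plan-phase steps above (risk assessment methodology and acceptance criteria, identification of assets, vulnerabilities and threats, evaluating the size of risks, selecting controls, and management approval of residual risk) feed the risk treatment plan written in the Do phase. The following Python is an added example, not from the original deck or from PAMA's ISMS: the 5x5 likelihood and impact scales, the acceptance threshold, the asset register and the Annex A control references chosen for each risk are all constructed. It scores inherent risk, applies the acceptance criterion, computes the residual risk expected after the selected control, and separates risks that can be accepted, treated, or that still need explicit management approval of the residual.

```python
"""Risk assessment and treatment decisions for the ISMS Plan phase.

Added example, not from the Pamapersada deck. The 5x5 scales, the risk
acceptance criterion, the control references and the asset register are all
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Ordinal scales (constructed); risk = likelihood x impact, range 1..25.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Risk acceptance criterion agreed in the Plan phase (constructed value):
# any risk scoring at or below this may be accepted without treatment.
ACCEPTABLE_RISK = 6


@dataclass(frozen=True)
class Treatment:
    control: str            # selected control (Annex A style reference, constructed)
    likelihood_after: str   # expected likelihood once the control is in place
    impact_after: str       # expected impact once the control is in place
    cost: int               # budget needed; feeds the risk treatment plan


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    treatment: Optional[Treatment] = None


def score(likelihood: str, impact: str) -> int:
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def inherent(risk: Risk) -> int:
    """Risk before any new control."""
    return score(risk.likelihood, risk.impact)


def residual(risk: Risk) -> int:
    """Risk expected after the selected control; unchanged if none selected."""
    if risk.treatment is None:
        return inherent(risk)
    return score(risk.treatment.likelihood_after, risk.treatment.impact_after)


def decide(risk: Risk) -> str:
    """Apply the acceptance criterion to inherent and residual risk."""
    if inherent(risk) <= ACCEPTABLE_RISK:
        return "accept"                   # within criterion, no control needed
    if risk.treatment is None:
        return "untreated"                # select a control or get explicit sign-off
    if residual(risk) <= ACCEPTABLE_RISK:
        return "treat"                    # goes into the risk treatment plan
    return "residual above criterion"     # needs management approval of the residual


def treatment_plan(register) -> list:
    """Rows for the risk treatment plan: treated risks, highest inherent first."""
    rows = [
        {"asset": r.asset, "control": r.treatment.control,
         "inherent": inherent(r), "residual": residual(r), "cost": r.treatment.cost}
        for r in register if decide(r) == "treat"
    ]
    return sorted(rows, key=lambda row: row["inherent"], reverse=True)


# Constructed asset / threat / vulnerability register.
REGISTER = [
    Risk("Payroll database", "access by a former employee", "accounts not removed at termination",
         "likely", "major",
         Treatment("A.9.2.6 removal of access rights (automated HR-to-directory deprovisioning)",
                   "rare", "major", 4000)),
    Risk("Site network", "rogue wireless repeater", "no device registration or port control",
         "possible", "moderate",
         Treatment("A.13.1.1 network controls (802.1X port authentication)", "unlikely", "moderate", 2500)),
    Risk("Field laptops", "theft", "no disk encryption", "likely", "major",
         Treatment("A.10.1.1 cryptographic controls (full-disk encryption)", "likely", "minor", 1200)),
    Risk("Intranet notice board", "defacement", "outdated CMS", "unlikely", "minor"),
    Risk("Backup tapes", "loss in transit", "tapes not encrypted", "possible", "major"),
]


if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.asset:22} inherent={inherent(r):2} residual={residual(r):2} -> {decide(r)}")
    plan = treatment_plan(REGISTER)
    print("treatment plan budget:", sum(row["cost"] for row in plan))
```

Note that the laptop risk stays "residual above criterion" even with encryption selected, because the control lowers impact but not the likelihood of theft; that residual is exactly what the Plan phase requires management to approve explicitly rather than letting it disappear into the treatment plan.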


Mapping Framework to role requirements