ICT Compliance
Transcript of ICT Compliance
PAMAPERSADA NUSANTARA
Sharing knowledge presentation
Improve ISMS as ICT Strategic partner to align with business objective
Proposed Improvement
Background
Current condition: the objective is to control and protect enterprise information assets from the integrity, availability and confidentiality aspects. The focus is only on risk.
Impact
Unable to provide a best-practice guide for producing effective and efficient procedures that align with the business objective. The ISMS sometimes becomes a barrier and is unable to satisfy the business objective.
Improve
To be more aligned with the business objective
Impact
CONFIDENCE IN ICT DIVISION WILL BE REDUCED
Conceptual view in compliance management
Proposed Concept
Conceptual View
• Provide an overview to top management of the actual condition of fulfilment of the related policies or regulations
• Reduce business risk by deploying controls from an existing framework
• Improve business performance by adopting a set of practice references from an existing framework
Conceptual View
➢ Regulate and guide the business processes of the organization
➢ Regulate and guide the operation of IT in the organization, including all of the processes and systems within it
➢ Apply to the entire IT infrastructure of the organization
➢ Focus on many areas of responsibility for IT managers and staff, including:
 - IT organization
 - Policy creation and communication
 - System security
 - Operations
 - Change management
 - Incident handling
 - Monitoring service, system, and application performance
➢ Are unique to each application that the organization uses to run its business
➢ IT components that support administrative controls
➢ Application controls focus on:
 - Data preparation procedures
 - Accuracy, completeness, and authorization checks
 - Data processing integrity
 - Input/output distribution
 - Sensitive information transmission protection
Conceptual View
Classification of technical controls:
Technical controls are classified by how they operate (manual or automated) and by their behaviour (preventive or detective).
Manual controls require a person to enforce the control, whereas the IT system enforces automated controls.
Preventive technical controls prevent unwanted events from occurring. Detective technical controls cannot prevent unwanted events, but they can detect events and then notify a person or system to respond to them.
Combined classification of technical controls (additional controls):
• Additional control
• Cumulative control
• Compensating control
Conceptual View
Developing common technical controls:
1. Review each regulation.
2. Determine control requirements specific to each applicable regulation and standard.
3. Implement the appropriate controls.
4. Conduct an audit to determine compliance sufficiency.
Current Condition (SWOT)
Strengths:
● 80 % of policies deployed
● Supporting tools are available (Splunk, DLP, sikap, Lansweeper, MS Assessment and Planning Toolkit, etc.)
● Allocated resources are available
● Top management commitment
Weaknesses:
● Inadequate management direction
● Ineffective status quo
● Inadequate competencies
● Obsolete framework
● Inadequate framework scope
Opportunities:
● There is an opportune moment to redevelop organizational functions
Threats:
● Unsatisfied business partners
● Audits (external/internal)
● Government regulation (e.g. wireless repeater policy)
Management concerns:
* A direction for how the institution should run
* Feedback on the proposed concept
* A strategy to handle the status quo problem
Knowledge Sharing
References: books & e-books:
● CISA Review Manual 2013 (ISACA store)
● ISO 27002:2013 Gap Analysis (http://www.itgovernance.co.uk/shop/c-198-disaster-recovery.aspx)
● Governance, Risk Management & Compliance (http://en.wikipedia.org/wiki/Governance)
● How to Develop a Statement of Applicability According to ISO 27001:2013 (Jesper E. Siig, 2013)
● Moving from ISO/IEC 27001:2005 to ISO/IEC 27001:2013 (BSI Standards, 2013)
● Mapping Between the Requirements of ISO/IEC 27001:2005 and ISO/IEC 27001:2013 (BSI Standards, 2013)
● Aligning COBIT 4.1, ITIL V3 and ISO/IEC 27002 for Business Benefit (IT Governance Institute)
● Securing Sensitive Personal Data or Information (ISACA, 2013)
● An Introduction to Information Security and ISO 27001 (2013): A Pocket Guide, Second Edition
● Information Security Policy Development for Compliance (Barry L. Williams, 2003)
● COBIT 4.1 Framework (ISACA)
● Splunk Enterprise Log Management Role Supporting ISO 27002 Framework (Splunk)
● Panduan penyusunan pengelolaan IT Badan Usaha Milik Negara (Guidelines for IT Management in State-Owned Enterprises), PER-02/MBU/2013
References: links:
● http://www.teknologiinformasidankomunikasi.com/asal-usul/hubungan-yang-unik-antara-security-risk-dan-compliance/
● http://www.teknologiinformasidankomunikasi.com/it-governance/it-compliance/it-compliance-vs-is-compliance/
● http://www.bumn.go.id/wp-content/uploads/2013/01/PER02MBU2013.pdf
● http://manajemen-ti.com/manajemen-risiko/217-beragam-pendekatan-implementasi-grc.html
● http://aswilnazir.com/2012/06/11/apa-bedanya-it-compliance-dengan-it-governance/
● http://itilindo.com/2009/03/17/posisi-itil-dan-cobit/
● http://en.wikipedia.org/wiki/Governance,_risk_management,_and_compliance
● http://cobitindo.blogspot.com/
● http://sdppi.kominfo.go.id/artikel_c_3_p_93.htm
● http://searchsecurity.techtarget.com/tip/How-to-use-COBIT-for-compliance
● http://www.teknologiinformasidankomunikasi.com/ict/sejarah-it-governance/
● http://www.teknologiinformasidankomunikasi.com/it-governance/information-security/perbedaan-iso-17799-dan-iso-27000/
● http://www.itgovernance.co.uk/shop/p-1456-multiuser-site-licence-iso-iec-27001-2013-and-iso-iec-27002-2013.aspx#.UuJBOss-bcs
● http://www.deltaprima.net/perubahan-standar-iso-27001-2005-menjadi-iso-27001-2013/
● http://www.deltaprima.net/konsultan-iso-27001-consultant/
History
ISMS: Information Security Management System
PT. Pamapersada Nusantara
Historical
About the PAMA ISMS:
➔ Designed and built starting in 2006
➔ The institution has been established since 2007
➔ Currently there are 2 commitment letters signed, 6 policies signed, 1 policy in draft, and 1 with no status
➔ 10 procedures have been signed, 16 are still in draft, and 17 forms have been deployed to support the procedures
➔ The institution is separated into 3 areas:
 - People socialization & awareness (SUK)
 - Policies & procedure development (ABH)
 - Technical risk assessment (MUF)
➔ Applies ISO 27001:2005 as the compliance framework guidance
➔ Current fulfilment of the ISO 27001 framework is as shown below:
Sharing Knowledge (Governance Framework)
ISO 27001:2013, COBIT 4.1 & ITIL V3
ISO 27001
About ISO 27001:
➢ Designed to protect and preserve the confidentiality, integrity, and availability of information and to manage and control enterprise information security risk.
➢ ISO/IEC 27001 is derived from BS 7799 Part 2, published in 1999. BS 7799 Part 2 was revised by BSI in 2002, explicitly incorporating Deming's Plan-Do-Check-Act cyclic process concept, and was adopted by ISO/IEC as ISO/IEC 27001 in 2005. It was extensively revised in 2013, bringing it into line with the other ISO certified management system standards and dropping the PDCA concept.
➢ Standard requirements in the ISO 27000 family series:
ISO 27001 Implementation How To
The implementation phases are the following:
• The Plan Phase: this phase serves to plan the basic organisation of information security, set objectives for information security and choose the appropriate security controls (the standard contains a catalogue of 133 possible controls)
• The Do Phase: this phase includes carrying out everything that was planned during the previous phase
• The Check Phase: the purpose of this phase is to monitor the functioning of the ISMS through various "channels", and check whether the results meet the set objectives
• The Act Phase: the purpose of this phase is to improve everything that was identified as non-compliant in the previous phase
Document output:
• The scope of the ISMS (mandatory)
• ISMS policies (mandatory)
• Risk assessment & gap analysis document
• Statement of applicability (mandatory)
• Risk treatment plan (mandatory)
• Internal audit documents including gap analysis
• Management report documents (mandatory)
• Corrective action documents
About ISO 27001:2013
➔ ISO 27001:2013 is an information security standard that was published on 25 September 2013
➔ It cancels and replaces ISO 27001:2005
➔ There are 114 controls under 14 domain groups (previously 133 controls under 11 groups)
➔ Existing controls were deleted or merged, some new controls were added, and some of the retained controls have been re-worded
➔ These changes reflect changes in technology that affect the survival of many businesses today (e.g. cloud computing)
➔ Developed to be more aligned with other management systems such as ISO 9001 & ISO 20000
➔ Moves away from the asset-based approach to be more flexible when integrated with other frameworks such as COBIT & ITIL
ISO 27001:2005 to 27001:2013
ISO 27001:2013 Annex A:
• A.5: Information security policies
• A.6: Information security organisation
• A.7: Human resources security
• A.8: Asset management
• A.9: Access controls and managing user access
• A.10: Cryptographic technology
• A.11: Physical security
• A.12: Operational security
• A.13: Secure communications and data transfer
• A.14: Secure acquisition, development, and support of information systems
• A.15: Security for suppliers and third parties
• A.16: Incident management
• A.17: Business continuity/disaster recovery
• A.18: Compliance
ISO 27001:2005 Annex A:
• A.5: Security policies
• A.6: Organization of information security
• A.7: Asset management
• A.8: Human resource security
• A.9: Physical and environmental security
• A.10: Communication and operation management
• A.11: Access control
• A.12: Information system acquisition, development and maintenance
• A.13: Information security incident management
• A.14: Business continuity management
• A.15: Compliance
Mandatory requirements for ISO 27001:2013 certification:
1. ISMS scope (as per clause 4.3) ( - )
2. Information security policy (clause 5.2) ( + )
3. Information security risk assessment process (clause 6.1.2) ( + )
4. Information security risk treatment process (clause 6.1.3) ( - )
5. Information security objectives (clause 6.2) ( + )
6. Evidence of the competence of the people working in information security (clause 7.2) ( - )
7. Other ISMS-related documents deemed necessary by the organization (clause 7.5.1b) ( + )
8. Operational planning and control documents (clause 8.1) ( - )
9. The results of the risk assessments (clause 8.2) ( + )
10. The decisions regarding risk treatment (clause 8.3) ( - )
11. Evidence of the monitoring and measurement of information security (clause 9.1) ( - )
12. The ISMS internal audit program and the results of audits conducted (clause 9.2) ( - )
13. Evidence of top management reviews of the ISMS (clause 9.3) ( - )
14. Evidence of nonconformities identified and corrective actions arising (clause 10.1) ( - )
15. Various others: Annex A, which is normative, mentions but does not fully specify further documentation, including the rules for acceptable use of assets, access control policy, operating procedures, confidentiality/non-disclosure agreements, secure system engineering principles, information security policy for supplier relationships, information security incident response procedures, relevant laws/regulations/contractual obligations plus the associated compliance procedures, and information security continuity procedures.
COBIT: Control Objectives for Information and Related Technology
COBIT
➔ Developed since 1998 by the IT Governance Institute (www.itgi.org) (ISACA)
➔ Designed as an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks
➔ Enables clear policy development and good practice for IT control throughout organizations
➔ Emphasizes regulatory compliance and helps organizations increase the value attained from IT
➔ Provides an approach to process maturity (known as the COBIT maturity model)
➔ The COBIT framework is integrated in 4 domains:
 - Plan and Organise (PO)
 - Acquire and Implement (AI)
 - Deliver and Support (DS)
 - Monitor and Evaluate (ME)
COBIT Components
The COBIT components:
· Framework: organizes IT governance objectives and good practices by IT domains and processes, and links them to business requirements
· Process descriptions: a reference process model and common language for everyone in an organization. The processes map to the responsibility areas of plan, build, run and monitor.
· Control objectives: provide a complete set of high-level requirements to be considered by management for effective control of each IT process
· Management guidelines: help assign responsibility, agree on objectives, measure performance, and illustrate interrelationships with other processes
· Maturity models: assess maturity and capability per process and help to address gaps
ITIL: Information Technology Infrastructure Library
ITIL
About ITIL:
ITIL has been developed since 1990 by the Office of Government Commerce (OGC), a department of the Government of the United Kingdom. It was built as a set of practices for IT service management (ITSM) that focuses on aligning IT services with the needs of the business. ITIL is intended to underpin but not dictate the business processes of an organisation; in this context, OGC does not approve of the term 'ITIL-compliant'.
It has 5 core publications:
1. ITIL Service Strategy
2. ITIL Service Design
3. ITIL Service Transition
4. ITIL Service Operation
5. ITIL Continual Service Improvement
The latest version is ITIL v3 (2007).
More detail about ITIL: http://www.axelos.com/Knowledge-Centre/White-Papers/
Framework Review
Framework:

| | ISO 27002:2013 | COBIT v4.1 | ITIL v3 |
| Strength | Risk control | IT process control | IT services & infrastructure |
| Business objective | Enterprise information security management | Enterprise ICT governance | Enterprise IT services and infrastructure management |
| Certification | Available | Available | Not available |
| Provider | ISO/IEC | ISACA | OGC |
| Developed since | 1999 | 1998 | 1990 |
Aligning ISO 27001:2013 & COBIT v4.1: A Management Briefing from ITGI and OGC
Aligning ISO 27001:2013 & COBIT v4.1
How to use:
ISO 27001 as parent framework:
● When the enterprise needs to reduce risk that comes from a specific process (e.g. reduce a risk in network control or software licensing control)
COBIT v4.1 as parent framework:
● When the enterprise needs to improve a specific process related to managing the risk (e.g. use COBIT to provide a guide for BRS / IS project development)
Execute ISO 27001:2013 as Parent Framework (Aligning ISO 27001:2013 and COBIT v4.1)
ISO 27001:2013 cycle (steps recovered from the process diagram):
1. Define & set up the ISO 27001:2013 scope of implementation
2. Review & redeploy policies
3. Perform risk assessment
4. Develop & execute treatment plan
5. Perform an audit
6. Improve
7. Ensure process continuity
Output documents:
• Scope documents
• Matrix documents: current policies against required policies (ISO 27001:2013)
• Risk assessment document including analysis, current control, gap, residual, accepted risk, etc.
• SoA document
• Treatment plan documents including allocated resources
• Audit documents including findings, etc.
• Management response according to audit finding documents
• PICA
COBIT v4.1 side (steps recovered from the process diagram):
1. Define SoA as business objectives
2. Assess the IT processes defined in the SoA
3. Assess appropriate procedure
4. Perform process analysis
5. Identify maturity model per IT process
Output documents:
• Business objectives
• Matrix document of IT process vs procedure
• RACI matrix
• Control objectives documents
• Process analysis documents including maturity model, gap to control objective, etc.
• Capability maturity documents including chart
Execute COBIT v4.1 as Parent Framework (Aligning COBIT v4.1 and ISO 27001:2013)
COBIT v4.1 cycle (steps recovered from the process diagram):
1. Translate & define business objective based on management direction
2. Assess current process and appropriate control
3. Perform risk assessment
4. Deploy process and update related documents
5. Define effective, efficient and secure business process
6. Monitor process maturity
7. Ensure process continuity
Output documents:
• BRS
• Process maturity level matrix
• SOP, BRS, BSD, etc.
• Updated documents
• Appropriate procedure
• RACI matrix
• Risk assessment document including analysis, current control, gap, residual, accepted risk, etc.
ISO 27001:2013 side (steps recovered from the process diagram):
1. Define related risk
2. Perform risk analysis including gap, residual and accepted risk
3. Develop treatment plan to reduce risk
4. Perform an audit of the related risk
5. Execute treatment plan
Output documents:
• Business objectives
• Risk assessment documents
• Treatment plan documents including allocated resources
• Audit result documents
• PICA
Conceptual View
Why control is the core of compliance:
• Reduce the risk of fraud
• Protect organization and customer assets
• Prevent disclosure of organization and customer secrets
• Comply with regulations
• Improve business awareness
• Improve efficiency
• Improve accuracy
ISO 27001 Implementation How To
The Plan Phase
The Plan phase consists of the following steps:
• Determining the scope of the ISMS
• Writing an ISMS policy
• Identifying the methodology for risk assessment and determining the criteria for risk acceptance
• Identification of assets, vulnerabilities and threats
• Evaluating the size of risks
• Identification and assessment of risk treatment options
• Selection of controls for risk treatment
• Obtaining management approval for residual risks
• Obtaining management approval for implementation of the ISMS
• Writing a Statement of Applicability that lists all applicable controls, states which of them have already been implemented, and which are not applicable
The Do Phase
This phase consists of the following activities:
· Writing a risk treatment plan, which describes who, how, when and with what budget the applicable controls should be implemented
· Implementing the risk treatment plan
· Implementing applicable security controls
· Determining how to measure the effectiveness of controls
· Carrying out awareness programs and training of employees
· Management of the normal operation of the ISMS
· Management of ISMS resources
· Implementation of procedures for detecting and managing security incidents
The Check Phase
This phase includes the following:
· Implementation of procedures and other controls for monitoring and reviewing, in order to establish any violation, incorrect data processing, whether the security activities are carried out as expected, etc.
· Regular reviews of the effectiveness of the ISMS
· Measuring the effectiveness of controls
· Reviewing the risk assessment at regular intervals
· Internal audits at planned intervals
· Management reviews to ensure that the ISMS is functioning and to identify opportunities for improvement
· Updating security plans to take account of other monitoring and reviewing activities
· Keeping records of activities and incidents that may affect the effectiveness of the ISMS
The Act Phase
This phase includes the following:
· Implementation of identified improvements in the ISMS
· Taking corrective and preventive action; applying own and others' security experiences
· Communicating activities and improvements to all stakeholders
· Ensuring that improvements achieve the desired objectives