Best Practice Standards Adoption: A Status Report · Planning, delivery and measurement of...
SECURE :: ASSURE :: ENABLE :: EMPOWER :: MANAGE
Best Practice Standards Adoption:
A Status Report
A presentation by Adedoyin Odunfa. (CEO, Digital Jewels)
At the occasion of the Q1 2015 InformationValueChain Breakfast Forum, hosted by Digital Jewels Ltd. March 12 2015. Landmark 60th Session
Outline
• Unbundling the standards universe
• Adoption Snapshot
• A Suggested Approach
• Pitfalls to Avoid
• CSFs to imbibe
• Conclusion: Some Cold Truths
Overview and Summary of IT Standards - CBN
Strategic IT Alignment: Translation of business vision and strategies into multi-year IT investments and operating plans, as well as the impact of Information Technology on the Enterprise’s performance measurement.
IT Governance: Framework for initiation, endorsement, sponsorship, approval and evaluation of IT decisions.
Architecture & Information Management: Guidance for the creation and execution of the strategic IT architecture framework.
Solutions Delivery: Framework for the development of software application solutions and their subsequent transition into the production environment.
Service Management & Operations: Planning, delivery and measurement of day-to-day operational service.
Information & Technology Security: Security and protection of enterprise information and related assets.
Workforce & Resource Management: Management of IT skills, knowledge and financial resources.
Re-Prioritised Industry IT Standards
IT Standards Prioritisation from the CBN IT Standards Blueprint
Priority 1 Standards:
• Service Management
• Interfaces
• IT Security
• Application Reporting
Priority 2 Standards:
• IT Governance
• Strategic Alignment
• Project Management
• Work & Resource Management
Priority 3 Standards:
• Data Centre
• Business Continuity Management
• Enterprise Architecture
• Health, Safety and Environment Management
Unbundling the Standards & Framework Forest
Standards with Certification
PCIDSS v3
ISO27001: 2013
ISO20000: 2011
ISO22301: 2011
BS OHSAS (18000) - ISO 45001
Data Centre Tier 3/4
ISO 15504: 2013
Standards yet to be Certifiable
ISO8583
ISO20022
ISO38500: 2015
Frameworks/Methodologies
COBIT 5
PRINCE2
PMBoK
TOGAF
CMMi
SFIA
XBRL
Associated Standards/Frameworks
Information Security:
• PCIDSS
• ISO27001
• ISO22301
• ISO31000
Business Continuity:
• ISO22301
• BS OHSAS 18000
• ISO27001
• Data Centre Tiers
ITSM:
• ITIL
• COBIT
• ISO20000
• CMMI
IT Governance:
• COBIT
• CMMI
• ISO15504
• ISO38500
• TOGAF
Project/Change/People Management:
• PRINCE2
• PMP
• ISO 21500
• COBIT
• SFIA
Mapping ISO27001 with PCIDSS
[Mapping matrix: rows are PCIDSS Requirements 1 to 12, columns are ISO 27001 Annex A control objectives A.5 to A.18. The column positions of the dots did not survive extraction; only the number of Annex A objectives each requirement maps to is recoverable: Req 1: 6, Req 2: 2, Req 3: 5, Req 4: 2, Req 5: 4, Req 6: 6, Req 7: 1, Req 8: 1, Req 9: 6, Req 10: 4, Req 11: 6, Req 12: 11.]
Most PCIDSS controls are focused around the four (4) ISO27001:2013 control objectives highlighted, i.e. Access Control, Cryptography, Operations Security and Communications Security.
Mapping/Overlap of ISO27001 to ISO22301
ISO 27001, A.17 Business Continuity Management vs. ISO 22301:2012
A.17.1 Information security aspects of business continuity management. Objective: Information Security shall be embedded in the organization’s business continuity management system.
ISO 27001 control | Control text | ISO 22301:2012 clause
A.17.1.1 Planning information security continuity | The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster. | 6.1 Actions to address risks and opportunities
A.17.1.2 Implementing information security continuity | The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation. | 8.1 Operational planning and control
A.17.1.3 Verify, review and evaluate information security continuity | The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations. | 9.1 Monitoring, measurement, analysis and evaluation
Standards’ Overlap: ISO 20000 vs. ISO 27001
Processes common to both ISO 20000 and ISO 27001:
• Incident Management
• Change Management
• Availability Management
• Continuity Management
• Capacity Management
Standards’ Overlap: ISO 20000 vs. ISO 27001
ISO 20000 Service Management System Clauses | ISO 27001 Information Security Management System Clauses
4.5 Establish & improve SMS | 4.2 Establishing and managing the ISMS
4.3 Document Management | 4.3 Document requirements
4.1.1 Management Commitment | 5.1 Management commitment
4.1.2 Security Management Policy | A.5 Security Policy
4.5.4.3 Management Review | 7 Management review of ISMS
4.4 Resource management | 5.2 Resources Management
4.4.1 Provision of Resources | 5.2.1 Provision of Resources
4.5.4.2 Internal Audit | 6 Internal ISMS Audit
6.2 Service Reporting | A.13.1 Reporting information security events and weaknesses
4.5.5 Maintain & improve the SMS | 8 ISMS Improvement
6.5 Capacity Management | A.10.3.1 Capacity management
6.6.1 Information Security Policy | A.5.1 Information Security Policy
 | 4.2.1 Establish the ISMS
6.2.2 Security Controls | A - Control objectives and controls
6.6.3 Information Security Changes and Incidents | A.13 Information Security Incident Management
9.2 Change management | A.10.1.2 Change Management
 | A.12.5.1 Change Control Procedures
(Mentioned in 4.5.5) | 8.2 Corrective Action
(Mentioned in 4.5.5) | 8.3 Preventive Action
6.3 Service continuity & Availability Management | A.14 Business Continuity Management
9.1 Configuration Management | A.7 Asset Management
Mapping ISO 20000 and ITIL Processes
ISO/IEC 20000 Processes | ITIL® Processes
5. Design & Transition of new or changed services
6. Service Delivery Processes:
• Service level management | • Service Level Management
• Service reporting | • (Method & Technique in CSI)
• Information security management | • Information Security Management
• Budgeting & accounting for services | • Financial Management for IT Services
• Capacity management | • Capacity Management
• Service continuity & availability management | • IT Service Continuity Management; • Availability Management
7. Relationship Processes:
• Business relationship management | • Business Relationship Management
• Supplier management | • Supplier Management
8. Resolution Processes:
• Incident and service request management | • Incident Management; • Request Fulfilment
• Problem management | • Problem Management
9. Control Processes:
• Configuration management | • Service Asset & Configuration Management
• Change management | • Change Management
• Release and deployment management | • Release and Deployment Management
Standards’ Overlap: COBIT vs. ITIL
Standards’ Overlap: COBIT vs. ITIL vs. ISO 20000
Keeping it up!
PCIDSS: Annual Recertification; On-going Vigilance.
ISO Standards: Year 0: Initial Certification; Year 1: Surveillance Audit; Year 2: Surveillance Audit; Year 3: Recertification Audit.
CMMI: 3 Year Assessment Lifecycle; On-going Process Improvement.
An Integrated Approach: PAS 99
• World’s first specification for integrated management systems
• Streamlines operational activities, aligns all common standard requirements and cuts the cost of separate audits and administration.
• Benefits:
– Less Duplication
– Lower Operating Costs
– Simplification
– More Easily Updated
Where are we as a Nation?
GLOBAL BEST PRACTICE STANDARD CERTIFICATION STATUS (NIGERIA) AS AT FEB. 2015
[Bar chart. X-axis "Standard in Focus": PCIDSS (Payment Card Industry Data Security Standard), ISO27001 (Information Security Management System), ISO22301 (Business Continuity Management System), ISO20000 (IT Service Management), ITIL (IT Infrastructure Library), COBIT 5 (Control Objectives for Information & Related Technology). Y-axis "No of Certified Companies". Series: Certified, In progress. Bar values as extracted, with the assignment to standard and series not recoverable: 22, 18, 4, 3, 2, 5, 15, 4, 1, 1, 2.]
GLOBAL BEST PRACTICE STANDARD CERTIFICATION STATUS (BANKS ONLY) AS AT FEB. 2015
[Bar chart. X-axis: ISO27001, ISO22301, ISO20000, ITIL, COBIT 5. Series: Total Certified, Total In progress. Bar values as extracted, with the assignment to standard and series not recoverable: 9, 2, 1, 1, 0, 5, 4, 2, 1, 1.]
Data Centre Tiers
DEBUNKING THE MYTHS…
1. A PIECE OF CAKE!!!
2. A QUICK FIX
3. “STANDARD IN A BOX”
4. NOTHING MAJOR…
PITFALLS TO AVOID
NO CLOUT!
OVER-PROMISING & UNDER-DELIVERING
SHORT CUTS...
LOSING FOCUS
100% COMPLIANCE
CRITICAL SUCCESS FACTORS
SCOPE CORRECTLY
TECHNOLOGY HELPS
KNOW THE STANDARD
Management Systems:
• ISO 20000-1:2011 Service Management
• ISO 22301 Business Continuity Management
• ISO 27001:2013 Information Security Management System
• ISO 38500 IT Governance
• ISO 15504 Process Assessment
Choose the Right Partners: trusted partners
Demonstrable capability to support you…
• 1st ISO27001 & PCIDSS QSA Professional Services Firm in Africa; delivering Certification Projects since 2011
• Largest Market Share
Some Cold Truths
• Compliance Vs Performance
• Not going away
• Leaders or Laggards
• Not only the Regulator
IVC Breakfast Forums... Free Knowledge Sharing, Information Exchange, Business Networking Sessions.
Celebrates 60th session & still counting...
Thank You
for your time & attention
www.digitaljewels.net