Interactive Workshop on ISMS - sig-switzerland.ch

Page 1

Kanton Basel-Stadt

Interactive Workshop on ISMS

Pascal Reiniger, Chief Information Security Officer, Kanton Basel-Stadt

Basel – Security Interest Group Switzerland 27.04.2017

Page 2

Kanton Basel-Stadt Agenda

1. Intro

2. Workshop 1: Top Risks and Pain Points

3. What is “ISMS”?

4. Workshop 2: ISMS Maturity Levels

5. Building an ISMS Strategy

6. Workshop 3: Next Steps

27.04.2017 SIGS – ISMS Workshop | 2

Page 3

Kanton Basel-Stadt ISO-RSM’s Goals for 2017

ISO = IT Steering and Organisation (across the canton BS)

RSM = Risk and Security Management

Goals 2017, e.g.:

1. Design and Implement ISMS at the Kanton BS

2. Redesign IT security processes

3. Implement Application Inventory

27.04.2017 SIGS – ISMS Workshop | 3

Page 4

Kanton Basel-Stadt Cyber Risk

Definition Cyber Risk:

It is not a specific IT risk, but a group of risks which have a significant impact and have not yet been in the focus of attention because, until now, they were unthinkable or technically not possible.

The Security Landscape has changed fundamentally because of the massive increase of technological connectivity.

27.04.2017 SIGS – ISMS Workshop | 4

Presenter notes:
Strategy, policy, and standards regarding the security of and operations in cyberspace, and encompass[ing] the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure. Adapted from: CNSSI 4009, NIST SP 800-53 Rev 4, NIPP, DHS National Preparedness Goal; White House Cyberspace Policy Review, May 2009

Page 5

Kanton Basel-Stadt Scope of ISMS and Cyber Security

27.04.2017 SIGS – ISMS Workshop | 5

Where do we start? What should we cover with the ISMS?

Page 6

Kanton Basel-Stadt Paradigm Shift in IT Security

Attacks are getting technically more advanced, persistent and complex (multilayered). The threat is increasing continuously. APT's include, amongst others, 1. Social Engineering aimed at individual employees (= Spear phishing) and 2. Internet of Things (IoT) to find new backdoors into the network.

The New IT Security Paradigm:
► Prevention is not sufficient anymore (Firewall, Antivirus etc.)
► You have to assume that you have already been hacked successfully!
► Tools are needed to find and stop intruders.
► The protection must be centered around the data.

27.04.2017 SIGS – ISMS Workshop | 6

Page 7

Kanton Basel-Stadt Vulnerabilities

http://techzoom.net/BugBounty/SecureSoftware

Blue: Total number of known vulnerabilities Red: Known vulnerabilities top 10 most important IT-providers (10 years)

Security vulnerabilities are increasing consistently. An ISMS is needed to manage, monitor and secure the systems, network and data.

27.04.2017 SIGS – ISMS Workshop | 7

Page 8

Kanton Basel-Stadt Penetration Tests: Discovered Vulnerabilities

[Bar chart: Vulnerabilities / Host (Schwachstellen/Host) per sector, x-axis 0 to 90. Sectors shown: Services, Pharmaceutical industry, Tourism, Banking, Energy, Construction, Communication, Authorities, Industry, Insurance, Healthcare, Private, ISP, Science, IT, Agriculture.]

125‘000 potential Vulnerabilities (Source: first-security.com)

27.04.2017 SIGS – ISMS Workshop | 8

Page 9

Kanton Basel-Stadt Agenda

1. Intro

2. Workshop 1: Top Risks and Pain Points

3. What is “ISMS”?

4. Workshop 2: ISMS Maturity Levels

5. Building an ISMS Strategy

6. Workshop 3: Next Steps

27.04.2017 SIGS – ISMS Workshop | 9

Page 10

Kanton Basel-Stadt WORKSHOP 1: Top Risks and Pain Points

27.04.2017 SIGS – ISMS Workshop | 10

Threats and Problems (Where have you been under attack?)

Columns: Open / unknown | Real Pain Points | No Problemo

Rows:
- Inefficient Roles, Responsibilities, Processes
- Malware including Ransomware
- Hacking, APT's, Social Engineering, Phishing
- Denial of Service Attacks (DOS/DDOS)
- Missing Awareness
- Insider Threat (Data Theft, Sabotage)
- Missing Information and/or Monitoring
- Other
- Best Practice?

Page 11

Kanton Basel-Stadt Agenda

1. Intro

2. Workshop 1: Top Risks and Pain Points

3. What is “ISMS”?

4. Workshop 2: ISMS Maturity Levels

5. Building an ISMS Strategy

6. Workshop 3: Next Steps

27.04.2017 SIGS – ISMS Workshop | 11

Page 12

Kanton Basel-Stadt Definitions of Cyber Security

Cyber Security according to Wikipedia: Cyber Security = Computer Security = IT Security

Cyber Security according to ISACA: The protection of information assets by addressing threats to information processed, stored and transported by internetworked information systems.

Cyber Security according to ITgovernance.co.uk: Protection of systems, networks and data in the cyber space.

A holistic understanding is needed to protect against classical and new emerging threats!

27.04.2017 SIGS – ISMS Workshop | 12

Page 13

Kanton Basel-Stadt Lines of Defence under the new Paradigm

Prevention: Keep hackers and malware from entering the network.

Detection: Recognize intruders and their activities after a successful breach.

Reaction: Isolate systems and/or hardware and repair the aftermath of an incident.

27.04.2017 SIGS – ISMS Workshop | 13

Page 14

Kanton Basel-Stadt Definitions of ISMS

Information Security Management System (Wikipedia): Framework of processes and regulations within an organization to ensure the long term definition, monitoring, control and improvement of information security.

ISMS according to ISO 27002: An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process. It can help small, medium and large businesses in any sector keep information assets secure.

27.04.2017 SIGS – ISMS Workshop | 14

Page 15

Kanton Basel-Stadt Build an ISMS

[Diagram: the ISMS "house", assembled from the elements listed below.]

Laws, Regulations, Directives, International Agreements: e.g. data privacy laws, EU Data Security Directive etc.

Strategies and Policies: IT Strategy, IT Governance, eGovernance etc.

- Info.Sec. Architecture (Network, Firewalls etc.)
- Info.Sec. Regulations and Concepts: Network Security Policy, eMail policy etc.
- Info.Sec. Standards (ISO 27001/2, COBIT, BSI, ITIL etc.)
- ISMS Tool to implement and manage ISMS and produce Security Reporting
- Information Security Awareness
- Identity + Access Mgmt for central Management of identities and authorizations
- Info.Sec. Processes and Forms, e.g. Risk Analysis, Application for exception etc.

Risk Management

IT Technological Implementation of Security Requirements in network, HW/SW/DB etc.

Info.Security Audits by Data Privacy Officials, Internal Audit (FinanzKontrolle), Suppliers etc. AND CISO (pending)

Standard Processes, e.g. Change Management, Implementation of HW/SW etc. (Internal Control System!)

27.04.2017 SIGS – ISMS Workshop | 15

Page 16

Kanton Basel-Stadt Agenda

1. Intro

2. Workshop 1: Top Risks and Pain Points

3. What is “ISMS”?

4. Workshop 2: ISMS Maturity Levels

5. Building an ISMS Strategy

6. Workshop 3: Next Steps

27.04.2017 SIGS – ISMS Workshop | 16

Page 17

Kanton Basel-Stadt WORKSHOP 2: ISMS Maturity Levels

27.04.2017 SIGS – ISMS Workshop | 17

ISMS Dimensions

Columns: Open / unknown | In Focus | Completed with Tool

Rows:
- Policies and Regulations
- Roles, Responsibilities, Processes, Forms and (ISMS) Data Management
- Awareness
- Inventory, Monitoring, SIEM/IDS/IPS
- Risk Management
- Security Audits
- Security Reporting
- Other
- Best Practice?

Page 19

Kanton Basel-Stadt Agenda

1. Intro

2. Workshop 1: Top Risks and Pain Points

3. What is “ISMS”?

4. Workshop 2: ISMS Maturity Levels

5. Building an ISMS Strategy

6. Workshop 3: Next Steps

27.04.2017 SIGS – ISMS Workshop | 19

Page 20

Kanton Basel-Stadt Building a Cyber Security and ISMS Strategy

1. Find out where you stand regarding cyber risks and, based on that, your need for cyber security and an ISMS (to protect against cyber risks).

2. Assess the status of your ISMS.

3. Build Top Management Awareness, including reports on:
- Show scale of actual attacks
- Show organizational readiness compared with benchmark
- List approved and funded projects to improve the situation
- List remaining shortcomings

4. Get resources for in-depth analysis (time, people, funds)

27.04.2017 SIGS – ISMS Workshop | 20

Page 21

Kanton Basel-Stadt Building a Cyber Security and ISMS Strategy

5. Reach out to ISMS stakeholders, e.g. top management, internal audit, legal, data privacy, business development etc.

6. Define the targeted maturity level for each ISMS dimension which you want to achieve.

7. Prioritize and plan projects based on quick wins. Start small, show benefits and gain followers.

27.04.2017 SIGS – ISMS Workshop | 21

Page 22

Kanton Basel-Stadt Evaluate Regulations, Standards, Concepts

IT Security Framework (Regulations)

Which parts of the IT security framework are missing regulations or are outdated? E.g.

Law, (Supplier) Contracts

IT Strategy

IT Security Strategy, IT Security Policy

IT Security Baseline, IT Security Concepts

IT User Regulations / Directives

27.04.2017 SIGS – ISMS Workshop | 22

Page 23

Kanton Basel-Stadt Evaluate Business Alignment

27.04.2017 SIGS – ISMS Workshop | 23

Check Standard IT Services against individual business requirements. Align SLA’s from business with IT’s systems, organization, resources and processes.

Page 24

Kanton Basel-Stadt Evaluate IT Security Architecture

Assessment of Quality and Usability of «Border Patrol»:
- Firewall
- Intrusion Prevention System
- Email Security
- Security Zones
etc.

Backup and Recovery functionalities: based on SLAs? Tested? Task force trained and standing by? Qualified deputies? etc.

Antivirus and Malware Protection: State of the art? (sandboxing etc.)

[Diagram: Prevention / Detection / Reaction]

Inventory of hardware, systems and software

Data classification and protection: holistic approach?

SIEM (Security Information and Event Management): State of the art?

27.04.2017 SIGS – ISMS Workshop | 24

Presenter notes:
Data security: currently no end-to-end classification and protection mechanisms. No project planned yet. BR 105 and ISHB available ??

Page 25

Kanton Basel-Stadt Evaluate Awareness

The increase in connectivity does improve organizations, but also makes them a lot more vulnerable. Humans are becoming a critical factor:

Phishing attacks: About 60% of all e-Mails are spam mails (Kaspersky Lab, Q1 2015 report)

50% of users open e-Mails and click on phishing links (Verizon Study 2015)

95% of all security incidents involve humans (IBM 2014 Cyber Security Intelligence Index report)

Is there an information security awareness program?

How aware are your employees? Is this being tested?

27.04.2017 SIGS – ISMS Workshop | 25

Page 27

Kanton Basel-Stadt Evaluate Staff

Benchmarks on IT Security Staff

- 1 information security staff per 1000 users
- 3 - 5 information security staff per 100 IT staff
- 6 - 8.5 information security staff per 100 IT staff
- 1.5 - 2 information security staff per 100 IT staff
- 3 - 4 information security staff per 100 IT staff
- 1.75 information security staff per internal IT auditor
- 1 information security staff per 5000 networked devices
- 5% - 8% of overall IT budget allocated to information security
- 10% of overall IT budget allocated to information security
- 3% - 11% of overall IT budget allocated to information security

(Source: K. Aubuchon 2010, InfoSecIsland.com)

27.04.2017 SIGS – ISMS Workshop | 27

Page 28

Kanton Basel-Stadt Evaluate Risk Management

27.04.2017 SIGS – ISMS Workshop | 28

Flip-chart

Integrate Risk Mgmt in daily processes, e.g. exception requests, audit report, change mgmt, reporting etc. Share the information on a need-to-know basis.

Page 29

Kanton Basel-Stadt Evaluate Audits

Who is doing what kinds of audits, based on what standards, mandate, what is the scope, where is the information, can we use it for ISMS?

Do we have an official mandate (law) to perform audits ourselves?

Do we have the required knowledge, experience, tools, budget to perform or outsource audits?

With whom should we coordinate audits and share results?

How can we use the data from the audit results for our risk management and security reporting?

27.04.2017 SIGS – ISMS Workshop | 29

Page 30

Kanton Basel-Stadt Evaluate IT Security Reporting

Who do we need to report to? What do they want to see and are able to understand?

What data is located where? Do we have it?

Can we use indisputable, objective, known data, e.g. number of change requests (normal, emergency, failed), security patches, systems with missing security updates, incidents, security projects, critical employees passing awareness training, results of phishing tests, results of audits (CISO, internal audit, suppliers, external security consultants) etc.?

How often should we report, how do we show actions for security gaps, can we break down reporting and allocate parts?
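The objective figures listed on this slide (change requests by type, systems with missing security updates, phishing test results, critical employees passing awareness training) can be produced straight from operational records. The following Python script is an added example, not part of the workshop material or the canton's tooling; its record types, field names and sample records are constructed assumptions.

```python
"""Assemble the objective security reporting figures from raw records.
Added example; record types, field names and sample data are constructed."""
from collections import Counter
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class ChangeRequest:
    kind: str          # "normal" or "emergency"
    failed: bool

@dataclass(frozen=True)
class Host:
    name: str
    critical: bool
    missing_security_updates: int   # unapplied security patches

@dataclass(frozen=True)
class PhishingResult:
    user: str
    clicked: bool
    reported: bool     # user reported the test mail to security

@dataclass(frozen=True)
class TrainingRecord:
    user: str
    critical_role: bool   # assumed classification, e.g. admins, finance
    passed: bool

# Constructed sample records for one reporting period (not real data).
CHANGES = [ChangeRequest("normal", False), ChangeRequest("normal", False),
           ChangeRequest("emergency", False), ChangeRequest("emergency", True), ChangeRequest("normal", True)]
HOSTS = [Host("dc01", True, 0), Host("web01", True, 3), Host("app02", False, 0),
         Host("app03", False, 1), Host("test01", False, 7)]
PHISHING = [PhishingResult("alice", False, True), PhishingResult("bob", True, False),
            PhishingResult("carol", True, False), PhishingResult("dave", False, False)]
TRAINING = [TrainingRecord("alice", True, True), TrainingRecord("bob", True, False),
            TrainingRecord("carol", False, True)]

def change_request_figures(changes):
    """Change requests as the slide lists them: normal, emergency, failed."""
    c = Counter()
    for cr in changes:
        c[cr.kind] += 1
        if cr.failed:
            c["failed"] += 1
    return {"normal": c["normal"], "emergency": c["emergency"], "failed": c["failed"]}

def patch_figures(hosts):
    """Systems with missing security updates, split by criticality so the
    report shows where the exposure sits, not only a total."""
    missing = [h for h in hosts if h.missing_security_updates > 0]
    return {"systems_total": len(hosts),
            "systems_missing_updates": len(missing),
            "critical_systems_missing_updates": sum(1 for h in missing if h.critical),
            "missing_updates_total": sum(h.missing_security_updates for h in hosts)}

def phishing_figures(results):
    """Click rate and report rate of the phishing test, in percent."""
    n = len(results)
    clicked = sum(1 for r in results if r.clicked)
    reported = sum(1 for r in results if r.reported)
    return {"tested": n,
            "click_rate_pct": round(100 * clicked / n, 1) if n else 0.0,
            "report_rate_pct": round(100 * reported / n, 1) if n else 0.0}

def awareness_figures(records):
    """Share of critical-role employees who passed awareness training."""
    crit = [r for r in records if r.critical_role]
    passed = sum(1 for r in crit if r.passed)
    return {"critical_employees": len(crit),
            "critical_passed_pct": round(100 * passed / len(crit), 1) if crit else 0.0}

def build_report(changes=CHANGES, hosts=HOSTS, phishing=PHISHING,
                 training=TRAINING, as_of=date(2017, 4, 27)):
    """One reporting period; every figure traces back to the raw records."""
    return {"as_of": as_of.isoformat(),
            "change_requests": change_request_figures(changes),
            "security_updates": patch_figures(hosts),
            "phishing_test": phishing_figures(phishing),
            "awareness_training": awareness_figures(training)}
```

Calling build_report() with the real record exports in place of the constructed lists yields one period's figures; splitting the patch count by criticality is what lets the report show actions for security gaps rather than a bare total.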

27.04.2017 SIGS – ISMS Workshop | 30

Page 31

Kanton Basel-Stadt BYO* ISMS

[Diagram: the ISMS "house", assembled from the elements listed below.]

Laws, Regulations, Directives, International Agreements: e.g. data privacy laws, EU Data Security Directive etc.

Strategies and Policies: IT Strategy, IT Governance, eGovernance etc.

- Info.Sec. Architecture (Network, Firewalls etc.)
- Info.Sec. Regulations and Concepts: Network Security Policy, eMail policy etc.
- Info.Sec. Standards (ISO 27001/2, COBIT, BSI, ITIL etc.)
- ISMS Tool to implement and manage ISMS and produce Security Reporting
- Information Security Awareness
- Identity + Access Mgmt for central Management of identities and authorizations
- Info.Sec. Processes and Forms, e.g. Risk Analysis, Application for exception etc.

Risk Management

IT Technological Implementation of Security Requirements in network, HW/SW/DB etc.

Info.Security Audits by Data Privacy Officials, Internal Audit (FinanzKontrolle), Suppliers etc. AND CISO (pending)

Standard Processes, e.g. Change Management, Implementation of HW/SW etc. (Internal Control System!)

* Build Your Own ISMS House

27.04.2017 SIGS – ISMS Workshop | 31

Page 32

Kanton Basel-Stadt Agenda

1. Intro

2. Workshop 1: Top Risks and Pain Points

3. What is “ISMS”?

4. Workshop 2: ISMS Maturity Levels

5. Building an ISMS Strategy

6. Workshop 3: Next Steps / ISMS Needs

27.04.2017 SIGS – ISMS Workshop | 32

Page 33

Kanton Basel-Stadt WORKSHOP 3: Next Steps / ISMS Needs

27.04.2017 SIGS – ISMS Workshop | 33

ISMS Dimensions

Columns (ISMS needs): Guidelines / References | Consulting / Adaptation | Experience Exchange | Tool

Rows:
- Policies and Regulations
- Roles, Responsibilities, Processes, Forms and (ISMS) Data Management
- Awareness
- Inventory, Monitoring, SIEM/IDS/IPS
- Risk Management
- Security Audits
- Security Reporting
- Other

SIGS ??? !

Page 35

Kanton Basel-Stadt Thank you for your attention!

Questions?

Pascal Reiniger, Head of the Cantonal Information Security Office (CISO), Department of Finance – IT Steering and Organisation (ISO), Kanton Basel-Stadt


27.04.2017 SIGS – ISMS Workshop | 35

Page 36

Kanton Basel-Stadt Agenda

1. Intro

2. Workshop 1: Top Risks and Pain Points

3. What is “ISMS”?

4. Workshop 2: ISMS Maturity Levels

5. Building an ISMS Strategy

6. Workshop 3: Next Steps / ISMS Needs

7. Appendix

27.04.2017 SIGS – ISMS Workshop | 36

Page 37

Kanton Basel-Stadt Cyber Security: Improve Preventive Measures

- Update and complete policies and regulations

- Update Firewall and Malware Protection to state of the art

- Upgrade IT work force (specialists, numbers, training etc.)

- Introduce a systematic security awareness program

- Analyse and plan improvements in your architecture (e.g. separated network zones, data classification and holistic protection (cradle to grave) etc.)

Prepare for discussions on costs. Focus on functionality! Move discussions away from probability towards damage!

27.04.2017 SIGS – ISMS Workshop | 37

Page 38

Kanton Basel-Stadt Cyber Security: Improve Detection Capabilities

- List current protocols and if/what is monitored

- Identify and integrate critical information

- Evaluate modern state of the art detection tools (artificial intelligence and automated)

- Implement a systematic and regular process to check and update users and their authorizations.

- Systematic and regular vulnerability scans and penetration tests

Choose smart benchmarks (people + costs).
Choose automated monitoring to free resources.

27.04.2017 SIGS – ISMS Workshop | 38

Page 39

Kanton Basel-Stadt Cyber Security: Improve Reaction Capabilities

- Check and Update your SLA’s based on a risk assessment

- Audit your Backup and Recovery Possibilities

- Regularly test your business continuity plans and recovery processes.

- Make a long term audit plan and coordinate across audit functions

Let the data owner decide based on the price tag.
If it is not tested, it doesn’t work.

27.04.2017 SIGS – ISMS Workshop | 39