Information Security Management Systems
Using IT solutions to support a company's core business processes or to deliver services directly to clients places high demands on their quality: availability, performance, continuity and safe use. The realization of threats, from a virus epidemic on the internal network to a city-wide power failure, can disrupt the company's operations, cause direct losses or damage its reputation. A mature Information Security Management System (ISMS) ensures effective IS management: the absence of unacceptable IT-related risks for the organization, and a balance between risk and the cost of IS assurance that takes into account the requirements of the business, legislation and regulators.
Open Technologies provides the full range of services for the construction, operation, development and certification of an ISMS, based on best industry practice.
ISMS Structure
A state-of-the-art ISMS is a process-oriented management system comprising organizational, documentary, hardware and software components. Three approaches are applied to the ISMS: the process approach, the documentary approach and the maturity approach.
ISMS processes are built according to the requirements of ISO/IEC 27001:2005, which is based on the Plan-Do-Check-Act management cycle. Accordingly, the ISMS life cycle consists of four kinds of activity: establishment; implementation and operation; monitoring and review; maintenance and improvement. The documented ISMS processes ensure that the requirements of the 27001 standard are met.
The ISMS documentation consists of policies, documented procedures, standards and records, and is divided into two parts: ISMS management documentation and ISMS operation documentation.
The ISMS maturity model defines the level of detail of the documentation being developed and the degree of automation of the management processes and of ISMS operation. Assessment and planning rely on the COBIT maturity model. The ISMS maturity enhancement Program sets out the content and schedule of actions to improve the IS management processes and the operational management of IS facilities.
ISMS Construction
ISMS construction consists of the following works:
- organization of project management and formation of the customer's and contractor's project team;
- definition of the ISMS scope (activity field, AF);
- survey of the organization within the ISMS AF;
- development and agreement of an analytical report containing: lists of the main business processes and an assessment of the consequences of IS threats for those processes; lists of management processes, IT systems and information security subsystems (ISS); an assessment of the organization's level of compliance with ISO 27001; and an assessment of the organization's process maturity;
- selection of the initial and target ISMS maturity levels, and development and approval of the ISMS maturity enhancement Program;
- selection and adaptation of the risk assessment method to be used in the organization;
- risk assessment and risk treatment, during which the controls of Annex A of the 27001 standard are selected and the requirements for their implementation are formulated; at this stage the technical IS assurance facilities are chosen and the cost of risk treatment is estimated;
- approval of the risk assessment by senior management and preparation of the Statement of Applicability;
- development of organizational measures to ensure IS and of the IS management processes within the ISMS;
- development and implementation of technical projects for introducing the information security subsystems that support the selected controls, including equipment supply, commissioning, development of operational documentation and user training;
- consulting during operation of the constructed ISMS;
- training of internal auditors, execution of internal ISMS audits and internal audit support;
- execution of works under the ISMS maturity enhancement Program.
ISMS Certification
ISMS certification is undertaken by decision of the organization's senior management. It gives the organization a competitive advantage where the corresponding requirements matter in its target markets. ISMS certification includes:
- selection of the certification body;
- organization of a pre-certification audit;
- consulting on the implementation of corrective and preventive measures to eliminate the nonconformities found during the pre-certification audit;
- organization of the certification audit;
- consulting on the implementation of corrective and preventive measures to eliminate the nonconformities found during the certification audit;
- ISMS support after the certification audit.
ISMS Construction Methodology
Foreign auditors can be engaged for the ISMS audit because the original English versions of current IS and IT management standards are used during ISMS construction.
The following sources are used:
- international standards ISO/IEC 27001:2005, 27005:2008 and 27002:2005;
- other international standards and recommendations: ISO/IEC TR 18044, BS 25999-1:2006, BS 25999-2:2007, PAS 77:2006, IT BIP 0071, 0072, 0073, 0074, NIST SP 800-53:2007;
- Open Technologies' own developments: an information security assurance concept for distributed organizations; a quantitative and rating-based IS risk assessment method; a unified ISMS process model; and standard designs for the construction of technical information security subsystems.
Information Security Subsystems Used in Construction of ISMS
The list of subsystems, the content of each subsystem and their suppliers are defined at the stage of developing the technical projects for implementation, based on the results of risk assessment and treatment and on the senior management's decision on risk treatment.
The general subsystem list includes:
- antivirus and antispam protection subsystem;
- intrusion detection and prevention subsystem;
- cryptographic protection subsystem for CDTN communication channels;
- IS event monitoring, collection and correlation subsystem;
- subsystem for secure interaction with technological networks;
- subsystem for secure interaction with the Internet;
- subsystem for restricting and controlling access to ISC resources;
- subsystem for remote access to ISC resources;
- vulnerability analysis subsystem;
- subsystem for controlling the connection of peripheral equipment;
- IS facilities management subsystem.
The result of these works is an operating ISMS at the target maturity level.