Start With A Great Information Security Plan!

Tammy L. Clark, CISO, Georgia State
University
William Monahan, Lead Information Security
Administrator, Georgia State University
Why ISO 17799?
• The ISO 17799:2005 standard lends itself well to
developing and defining information security program
initiatives in a higher education environment
• ISO/IEC 17799:2005 provides best practice
recommendations (133 controls) on information security
management for use by those who are responsible for
initiating, implementing or maintaining information
security management systems. Information security is
defined within the standard as the preservation of:
– Confidentiality (ensuring that information is accessible only to
those authorized to have access)
– Integrity (safeguarding the accuracy and completeness of
information and processing methods) and
– Availability (ensuring that authorized users have access to
information and associated assets when required).
Georgia State University’s Information Security Plan
• Two years ago, our CIO was tasked by the Board of Regents in
Georgia to submit an information security plan. We elected to
provide a plan that was both comprehensive and holistic, and we
chose to frame it around the ISO 17799 standard, as it advocates a
very strategic, risk management based approach
• Looking back, this was a very ambitious undertaking that first year,
since we only have three dedicated information security staff
resources, and examining all of the recommended controls in the
ISO 17799 was a very time consuming and (at times) difficult
process
• We then went a few steps further and made an assessment of the
current state of security in each domain area and defined
prioritized objectives to accomplish each year. Each year, we
modify our plan to reflect changing priorities and demands
• We are currently in the planning stages of integrating ITIL (IT
Infrastructure Library) and COBIT (Control Objectives for
Information and related Technology)
12 Domains of ISO 17799:2005
• Risk Assessments
• Security Policies
• Information Security Organization
• Asset Management
• Human Resources
• Physical and Environmental Security
• Communications and Operations Management
• Access Control
• Information Systems Acquisition, Development, and
Maintenance
• Information Security Incident Management
• Business Continuity Management
• Compliance
Benefits of Using the ISO 17799 Framework
• It’s comprehensive and requires an in-depth analysis of business
and IT processes. A great deal of time and effort will go into this
initially, but when all is said and done, you will have prioritized action
plans you can use to make immediate improvements.
• You will have a great opportunity to bridge the communication gap
that often exists between information technology and
business/academia. You can begin to erase the perception that
information security only affects information technology, as you
integrate your information security initiatives into business and
academic processes and initiatives.
• You can use this plan to clarify to upper management what
measures need to be taken at your campus to comply with university
policies and legislative requirements (HIPAA, GLBA, PCI, etc.) that
often require a very complex information security infrastructure.
• You can effectively demonstrate to your university leadership
constituency that instituting adequate preventative controls and
measures is necessary in order to prevent data leakages and
compromises of institutional assets.
Using ISO 17799:2005 to Develop an Information Security Plan
• Overview of domains and objectives
• Ideas on assessing the current state of
security at your university
• Coming up with proposed action plan
items
• Building out a comprehensive appendix
with supporting documentation
• Integrating ITIL and COBIT objectives
(optional)
Executive Summary
• State that senior level management support and
validation of your information security program is critical
to its success
• Amplify how accomplishing the roadmap objectives
you’re outlining in this plan will directly impact and
enable your university’s strategic goals—academic,
business, and information technology.
• Stress that this plan clearly demonstrates the need to
institute an evolving cycle of continuous improvements in
areas such as regulatory compliance, preservation of the
confidentiality and integrity of university data, and
availability of the critical business and information
technology infrastructure
Opening Sections of Your Plan
• Scope:
– Applicability (Staff, faculty, students, affiliates,
third parties)
– Structure (ISO 17799:2005)
– Explanation of the format (14 domains)
– Annual validation process (continuous cycle
of improvement, review, and
acceptance/adoption)
• Terms and definitions
Risk Assessment and Treatment
• Two major areas: Assessing Security Risks and
Treating Security Risks
• Risk assessments should identify, quantify and
prioritize risks against criteria for risk acceptance
and objectives relevant to the organization
• Assess the state of security by addressing
competencies or deficiencies
• Come up with proposed action items—policies,
procedures, initiatives to improve upon current
state of security
• Provide any references used to determine above
Security Policy
• Information Security Policies
• Information security policies provide direction
and support for information security in accordance
with university requirements and relevant laws and
regulations
• Assess the state of security by addressing
competencies or deficiencies
• Come up with proposed action items—policies,
procedures, initiatives to improve upon current
state of security
• Provide any references used to determine above
Organization of Information Security
• Two major areas: Internal organization and External
parties
• A robust information security infrastructure must be
developed that includes incident response activities,
security awareness education, security policies, third
party compliance with university policies and
requirements, and the deployment of effective security
solutions that deter the activities of unauthorized persons
• Assess the state of security by addressing competencies
or deficiencies
• Come up with proposed action items—policies,
procedures, initiatives to improve upon current state of
security
• Provide any references used to determine above
Asset Management
• Two major areas: Responsibility for Assets and
Classification Guidelines
• Inventories and classification of assets help ensure that
effective asset protection takes place, are an important
aspect of risk management, and may also be required
for other business purposes such as health, safety, and
federal regulations.
• Assess the state of security by addressing competencies
or deficiencies
• Come up with proposed action items—policies,
procedures, initiatives to improve upon current state of
security
• Provide any references used to determine above
Human Resources Security
• Three major areas: Prior to employment, During
employment, and Termination or change of employment
• Throughout the employment cycle (hiring, current status,
and termination/changes) information security
procedures must be implemented to reduce the risks of
human error, fraud, and misuse of university resources
• Assess the state of security by addressing competencies
or deficiencies
• Come up with proposed action items—policies,
procedures, initiatives to improve upon current state of
security
• Provide any references used to determine above
Physical and Environmental Security
• Three major areas: Secure areas, Equipment security,
General controls
• Important business information processing facilities
should reside in secure areas with appropriate security
barriers and entry controls, and the protection applied
should be commensurate with risks
• Assess the state of security by addressing competencies
or deficiencies
• Come up with proposed action items—policies,
procedures, initiatives to improve upon current state of
security
• Provide any references used to determine above
Communications and Operations Management
• 10 major areas: Operational procedures and responsibilities, Third
party service delivery management, System planning and
acceptance, Protection against malicious and mobile code, Back-up,
Network security management, Media handling, Exchange of
information, Electronic commerce services, Monitoring
• Policies for the management and operation of all university
information processing facilities should be established, codified, and
communicated to all employees and third parties doing business
with the university in order to ensure correct and secure operation.
Capacity planning and back-up strategies are important, as is proper
handling of media disposal and storage.
• Assess the state of security by addressing competencies or
deficiencies
• Come up with proposed action items—policies, procedures,
initiatives to improve upon current state of security
• Provide any references used to determine above
Access Control
• Eight major sections: Business requirement for access control, User
access management, User responsibilities, Network access control,
Operating system access control, Application and information
access control, Monitoring system access and use, Mobile
computing and telecommuting
• Access to university information and business processes should be
controlled on the basis of business and security requirements
according to university policies and procedures. Users must be
made aware of their responsibilities in this process, and standards
and procedures must be developed and implemented to assist in
mitigation of risks.
• Assess the state of security by addressing competencies or
deficiencies
• Come up with proposed action items—policies, procedures,
initiatives to improve upon current state of security
• Provide any references used to determine above
Information Systems Acquisition, Development and Maintenance
• Six major sections: Security requirements of information systems,
Correct processing in applications, Cryptographic controls, Security
of system files, Security in development and support processes,
Technical vulnerability management
• Security reviews are necessary to ensure that controls and security
requirements become a part of the overall design process.
Cryptographic controls are necessary to assure confidentiality,
authenticity, and integrity of sensitive information at risk. Technical
vulnerability management systems should be implemented in an
effective, systematic, and repeatable way with measurements taken
to confirm effectiveness.
• Assess the state of security by addressing competencies or
deficiencies
• Come up with proposed action items—policies, procedures,
initiatives to improve upon current state of security
• Provide any references used to determine above
Information Security Incident Management
• Two major sections: Reporting information security events and
weaknesses and Management of information security incidents and
improvements
• Formal event reporting and escalation procedures should be in
place. All employees, contractors, and third party users should be made
aware of the procedures for reporting, to the designated point of
contact (POC), the different types of events and weaknesses that
might have an impact on the security of organizational assets.
Responsibilities and procedures should be in place to handle
information security events and weaknesses effectively once
reported. A process of continuous improvement should be instituted
to monitor, respond to, evaluate and manage information security
incidents.
• Assess the state of security by addressing competencies or
deficiencies
• Come up with proposed action items—policies, procedures,
initiatives to improve upon current state of security
• Provide any references used to determine above
Business Continuity Management
• Information security aspects of business continuity management
• In order to prevent disruption to business activities, as well as
protect critical business processes from the effects of major failures
or disasters, the development of a comprehensive University
Disaster Recovery/Business Continuity Plan is necessary. The plan
should call for risk analyses to determine the impact of business
disruptions, identify priorities for testing, maintenance and activation,
as well as outline specific processes to follow in the event of
disruptions, including identification of the individuals or departments
responsible for execution of each component of the plan.
• Assess the state of security by addressing competencies or
deficiencies
• Come up with proposed action items—policies, procedures,
initiatives to improve upon current state of security
• Provide any references used to determine above
Compliance
• Three major areas: Compliance with legal requirements,
Compliance with security policies and standards and technical
compliance, and System audit considerations
• Universities are obligated to protect information types defined under
FERPA, GLBA, HIPAA, Digital Millennium Act, CC 42CFR Part 73,
ECPA and various other state and federal statutes or guidelines. It
is also necessary to ensure compliance of information technology
systems with university policies and standards. It is desirable to
maximize the effectiveness of system audits and to minimize
business disruptions due to vulnerability and/or penetration tests
performed on university information technology resources.
• Assess the state of security by addressing competencies or
deficiencies
• Come up with proposed action items—policies, procedures,
initiatives to improve upon current state of security
• Provide any references used to determine above
(Sample) Appendices Items
• Sensitive Services
• Information security documentation
• Information security technical control matrix
• Credit card merchants
• Examples of outsourced contracts to 3rd parties
• HIPAA compliance
• Sample risk assessment report
• Email servers requiring periodic security reviews
• Proposed Action Item Matrix
• CSIRT membership
ITIL Integration
• Information security is an integral part of all business processes and
serves as a support structure and success enabler of key business
objectives
• ITIL and ISO 17799:2005 are compatible in that both seek to
establish an effective risk management approach that promotes
continuous information security planning, development of policies to
support initiatives, risk analyses, controls and operational measures,
compliance, metrics, and audits
• While ISO 17799:2005 identifies the best practices and elements
that should be developed to manage an effective and robust
information security program, ITIL devises formal processes that
translate to customer requirements, business and IT processes, and
thus provide a common ‘language’ between the business customer,
the IT provider, and the Information Security program initiatives and
controls.
ITIL Information Security Model
• Key components of the ITIL process-based Information Security
approach are:
– Understanding of customer requirements and business needs—provide
security awareness to customer
– Service level agreements—internal and external information security
requirements
– Planning—Strategic, Tactical and Operational
– Controls—information security management framework
– Implementations—asset classification & control, security staffing
requirements, physical security, secure computer & network
management, systems access control and user access management
– Evaluations—information security risk analyses, reviews and audits
– Maintenance—continuous cycles of modifications and improvements
– Reporting—reports and metrics
COBIT Integration
• COBIT provides a framework for IT governance,
providing management tools such as metrics
and maturity modeling to complement a control
framework
• COBIT can be integrated into ISO 17799:2005 to
assist with communicating management aims
and direction, compliance, refining information
classification, access controls, information
security program infrastructure, human
resources (job definitions and staffing),
operational procedures and responsibilities
COBIT Information Security Model
• Four broad areas that contain specific
objectives overlay the processes and
domains outlined in ISO 17799:2005 and
ITIL:
– Plan and Organize
– Acquire and Implement
– Deliver and Support
– Monitor and Evaluate
Final Considerations
• The reason we chose to develop our campus information security plan under ISO
17799:2005 and are now in the planning stages of integrating ITIL and COBIT is
because we believe that an effective information security program integrates
business/academic processes and initiatives with IT and information security
objectives
• The frameworks discussed allow your information security staff to speak a ‘common’
language with the functional/business executives at your institution, which ultimately
promotes a dialogue that leads to increased understanding and better definition of
risks and vulnerabilities.
• While we advocate that ISO 17799:2005 strongly lends itself to adoption by higher
education institutions through its comprehensive approach to designing a robust
information security program, we advise “picking and choosing” from the ITIL and
COBIT frameworks to enhance your understanding and fine tune specific areas of
your plan, especially in developing continuous cycles of measurements and
improvements.
• Developing a comprehensive plan, with actionable information security objectives that
are tied and aligned with both technology and business goals and processes, can
assist you in making the case for funding and staffing resources because information
security will be seen as a critical success factor to your institution and it also provides
a way for you to effectively communicate with your business and academic leaders
and really get their attention!
Resources
• ISO 17799:2005:
http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=39612&ICS1=35&ICS2=40&ICS3
• ISO/IEC 17799 – Wikipedia: http://en.wikipedia.org/wiki/ISO_17799
• OGC-ITIL website: http://www.itil.co.uk/
• ITIL – Wikipedia: http://en.wikipedia.org/wiki/ITIL
• ISACA – COBIT:
http://www.isaca.org/Template.cfm?Section=COBIT6&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=55&ContentID=7981
• COBIT – Wikipedia: http://en.wikipedia.org/wiki/COBIT
• Georgia State University Information Systems Use Policies:
http://www2.gsu.edu/~wwwccs/doc/uccs/policy/pol/archpolicy.htm
Questions?

Copyright Tammy L. Clark, October 2006. This work is the intellectual property of the author. Permission is granted for
this material to be shared for non-commercial, educational purposes, provided that this copyright statement
appears on the reproduced materials and notice is given that the copying is by permission of the author. To
disseminate otherwise or to republish requires written permission from the author.
