INFORMATION SECURITY AWARENESS SESSION

PROCESS DRIVEN IMPLEMENTATION


By
Wajahat Raja
Fakhre Alam
Agenda
1. Roles
2. Document Control Process
3. IS Change Management Process
4. IS Incident Management Process
5. Asset Management Process
6. Access Control Process
7. Backup and Restore Process
8. Security Awareness Process
9. Risk Assessment Process
10. Business Continuity Process
11. IS Internal Audit Process
12. Management Review Process
13. Q&A
Roles
Document Control Process
Process owner: Khalid Al Zain
This role is in charge of maintaining ITD documentation and maintaining the Document Control Procedure. It is envisaged that the role holder will carry out the following duties:
Ensuring every individual has the version requested (older versions will be retained).
Ensuring only the latest version is published and that relevant people are informed of changes.
This role reports to the CISO and takes advice on changes from the ISOs.
Document Control Process
Process Owner: Khalid Al Zain
Procedure
1. Document Identification
2. Document Structure
3. Documents Preparation, Review and Approval
4. Issuance of Controlled Documents (Level 1 & 2)
5. Templates/Formats and Records (Level 3)
6. Documents of External Origin (level 4)
7. Amending Documents (Level 1, 2 and 3)
8. Document Review
9. Color Coding Scheme
Document Control Process
Process owner: Khalid Al Zain
Levels and Colour Denomination
Extreme: WHITE
Critical: RED
High: AMBER
Medium: BLUE
Low: GREEN
Document Control Process
Documentation
Master List of Documentation (MLD)
Procedure for Control of Documents (PCD)
Procedure for Control of Records (PCR)
Data Classification Standard
Data Handling Standard
Document Update Request Form
Process-based Documentation on the SharePoint Portal
Change Management Process
Process owner: Abdullah Al Kharashi
The process of initiating and implementing changes to the ITD systems, documentation and network infrastructure.
Change Management Process
Process owner: Abdullah Al Kharashi
Change Management Process
Process owner: Abdullah Al Kharashi
Roles and Responsibilities
The CAB reviews changes to the organization's assets and their configuration.
The CAB is one mechanism for prioritizing and implementing proposed changes. Any proposed change will be sent to the CAB for advice.
The CAB will be set up at two levels: division level and department level.
At the Division Level the CAB will consist of all Team Leads, and the Division Manager will be the decision maker.
At the Department Level the CAB will consist of the Information Security Steering Committee members and the head ISO. Having a CAB also satisfies one of the requirements of ISO 20000 (ITSM).
Change Management Process
Documentation
Change Control Procedure
Database Access and Modification Procedure
Change Request Form
Incident Management Process
Process owner: Riyad Al Samari
The IT Security Incident Management Team will consist of a selected and well-trained group of people. Their role within this capacity will be as follows:
To promptly and correctly handle any security incident related to IT.
All security incidents will be quickly contained, investigated and recovered from.
They must be people who can drop what they are doing or re-delegate their duties, and who have the authority to make decisions and take actions.
An incident that is not related to ITD will be escalated to the Safety and Security Committee.
Incident Management Process
Documentation
Security Incident Response Plan
Incident Reporting Form
Root Cause Analysis Report
Incident Response Management
Incident Management Report
Incident Response Team
Standards Clause Reference
Control 13.1.1 Reporting Information Security Events
Control 13.1.2 Reporting Security Weaknesses
Incident Management Process
1. Breach of security policies such as access control, internet usage, password violation, email usage, etc.
2. Mail spamming, virus attack, hacking, etc.
3. Non-IT incidents: unsupervised visitor movement, information leakage, bringing unauthorized media
4. Laptop stolen, USB lost
5. Privileged user abnormal behaviour
6. Security events listed as errors in applications, systems, databases, etc. in monitoring tools
7. Confidential information asset corruption
8. Confidential information asset stolen
9. Event types, from a system-wide event such as breaches related to user logon, to an attempt by a particular user to read a specific file
10. Both successful and unsuccessful attempts to perform an action
11. Services halting
Incident Management Process
Types of Security Incidents
1. Virus Problem
2. Genuine Microsoft
3. Windows is not genuine
4. PC is not working
5. Windows firewall disabled
6. Scan problem for email
7. Antivirus downgrade
8. Server not working
9. Restart
10. Intranet permission
11. Portal authorization
12. Software corrupted
Incident Management Process
Risks related to security Incidents
1. Loss of Reputation
2. Loss of Confidentiality, Integrity and Availability
3. Loss of Money
4. Loss of Morale
5. Loss of Job
6. Misleading Statistics
Asset Management Process
Process owner:
The ISMS Implementation Committee will be in charge of maintaining the Risk Register and the IT Asset Register and tracking the life of IT assets from procurement to disposal. They will get their input from Procurement.
They will maintain the IT asset identification:
Ownership
Location
Classification
Type of Assets
Asset categorization and classification will be added to the IT Asset Register to maintain the compliance requirements of ISO 27001.
Asset Management Process
Documentation
Asset Management Form
Asset Management Guideline
Asset Mgmt Standard and Guideline
Access Control Process
Process owner: Sultan Al Ghanem
Access Control applies to all employees, non-employees and consultants of SIDF ITD.
It also applies to all users who have been granted access to the SIDF ITD physical premises and information technology resources.
Access should only be granted to legitimate users, at the levels for which they have legitimate authority.
Access is a privilege, not a right. Access is granted based on individual business need and departmental policy.
Access Control Process
Documentation
Access Control Policy
Access Control Standard
Computer Room Access Procedure
Access Control Guideline
Database Access and Modification Procedure
Internet Access Request Form
Access Acknowledgement Form
Backup and Restore Process
Process owner:
The Information Security Policy requires that backups of critical data, which can be used to restore operations at the time of a disaster, are taken.
Backup and Restore Process
Documentation
Backup and Restore Standard
User Server File Restoration Procedure
On-site/Off-site Backup Procedure
Backup, Storage and Retention Procedure
DBAdmin Request Form
Business Continuity Process
Process Owner:
The Information Security Steering Committee is familiar with the goals of SIDF and its commitments to the customers of SIDF.
The BCP Crisis Management Team will manage continuous IT operation in case of any catastrophic disaster at the SIDF main building or ITD on the 3rd floor.
The Information Security Steering Committee will be responsible for ensuring that the core business processes of SIDF keep running even in case of a disaster.
They will identify the core assets and services that need to be made available to customers, and this advice will be taken up by the Disaster Recovery Team, which will provide the infrastructure for those core services to ensure their continual running:
Disaster Recovery Team: The Disaster Recovery (DR) Team will be responsible for the recovery of all systems at the DR site. They will get advice from the Information Security Steering Committee regarding which services need to be supported in order to keep the SIDF core processes active. All activities following a disaster, such as shifting operations to the DR site (Fail Over), rebuilding the data centre and returning production to SIDF again (Fail Back), will be the DR Team's responsibility. The team will consist of technical personnel working on SIDF's IT infrastructure.
Business Continuity Process
Documentation
BC and DR Plan
Disaster Recovery Procedure
Test
Records
Logs
Security Awareness Process
Process owner: Marwan Al Saleem
Keep the process live and updated
Scheduled trainings
Align awareness with current risks, threats and security objectives
Design campaigns
Suggest new techniques, products and methods to make users aware
Work closely with the CISO and ISOs to plan the awareness schedule
Security Awareness Process
Documentation
Security Awareness Plan
Accredited Trainings and In-House Trainings
Exclusive Awareness Sessions
Meetings/Discussions
Signs
Posters
Wallpapers
E-mailers
News
Floor Plans
SharePoint-based Documentation
Walk-In Fines
Security Handbook
Risk Assessment Process
Process owner: Harun Rasheed Bhaijee
Risk Assessment Process
Documentation
Procedure for Security Risk Assessment
Internal Audit Process
Process owner: Harun Rasheed Bhaijee
The ISMS Internal Audit Team, under the ISMS Implementation Committee, will be in charge of conducting the ISMS internal audit, reporting, surveillance visits and observing the compliance status. They will get input from Internal Audit.
Audit schedule and plan
Following the audit procedure
Follow-up of corrective and preventive actions (CAPA)
Recommendations, findings and observations
Continual improvement
Internal Audit Flow
Internal Audit Procedure
Audit Planning
Internal Audit Procedure
Audit Report
CAP Report
NC Report
Checklists
Firewall Checklist
Active Directory Checklist
File Server Checklist
Router Checklist
Physical Security Checklist
Internal Audit Checklist
Documentation
Management Review Process
Process owner: Fahad Al Mawash
Management reviews shall be done annually and shall include all business units.
On completion of the review, all recommendations are transmitted to the ISMS Steering Committee.
Where revisions are approved, they shall be incorporated into the manual under the normal document control procedure and shall be issued to site.
Management Review Process
Inputs and Outputs (Inputs)
Corrective action reports
Incident reports
Nonconformance reports
Security training records
Audit results
Customer complaints
Follow-up actions from previous reviews
Information security changes
Preventive action reports
Inputs and Outputs (Inputs, continued)
Investigation and inspection records
Objectives and targets
Assessment of effectiveness
Review of policy and scope
Roles and responsibilities
Regulatory requirements
Near-miss and violation reports
Management Review Process
Outputs
Improvement of the ISMS
ISMS effectiveness
Improvement of customer requirements
Customer satisfaction
Future needs and strategies
Specific corrective actions for individual managers
Action plans and target dates
Management Review Process
Documentation
Outputs
Management Review Report
Minutes of the Management Review Meeting