By Wajahat Raja Fakhre Alam

Agenda
1. Roles
2. Document Control Process
3. IS Change Management Process
4. IS Incident Management Process
5. Asset Management Process
6. Access Control Process
7. Backup and Restore Process
8. Security Awareness Process
9. Risk Assessment Process
10. Business Continuity Process
11. IS Internal Audit Process
12. Management Review Process
13. Q&A

Roles

Document Control Process
Process owner: Khalid Al Zain
This role will be in charge of maintaining ITD documentation and maintaining the Document Control Procedure. It is envisaged that they will carry out the following duties:
- Ensuring every individual has the version requested (older versions will be maintained).
- Making sure only the latest version is published and that relevant people are informed regarding changes.
This role will report to the CISO and will receive advice regarding changes from the ISOs.

Document Control Procedure
1. Document Identification
2. Document Structure
3. Document Preparation, Review and Approval
4. Issuance of Controlled Documents (Level 1 & 2)
5. Templates/Formats and Records (Level 3)
6. Documents of External Origin (Level 4)
7. Amending Documents (Level 1, 2 and 3)
8. Document Review
9. Colour Coding Scheme
Document Control Process: Colour Coding Scheme
Level      Colour Denomination
Extreme    WHITE
Critical   RED
High       AMBER
Medium     BLUE
Low        GREEN

Document Control Process Documentation
- Master List of Documentation (MLD)
- Procedure for Control of Documents (PCD)
- Procedure for Control of Records (PCR)
- Data Classification Standard
- Data Handling Standard
- Document Update Request Form
Process-based documentation is kept on the SharePoint portal.

Change Management Process
Process owner: Abdullah Al Kharashi
The process of initiating and implementing changes to the ITD systems, documentation and network infrastructure.

Change Management Process: Roles and Responsibilities
The CAB will review changes to the organization's assets and their configuration. The CAB is one mechanism for prioritizing and implementing proposed changes; any proposed change will be sent to the CAB for advice. The CAB will be set up at two levels, division level and department level. At the division level the CAB will consist of all team leads, with the Division Manager as the decision maker. At the department level the CAB will consist of the Information Security Steering Committee members and the head ISO. Having a CAB also satisfies one of the requirements of ISO 20000 (ITSM).

Change Management Process Documentation
- Change Control Procedure
- Database Access and Modification Procedure
- Change Request Form

Incident Management Process
Process owner: Riyad Al Samari
The IT Security Incident Management Team will include a selected and well-trained group of people. Their role within this capacity will be as follows:
- To promptly and correctly handle any security incident related to IT.
- All security incidents will be quickly contained, investigated and recovered from.
- They must be people who can drop what they are doing or re-delegate their duties, and who have the authority to make decisions and take actions.
The incident will be escalated to the Safety and Security Committee in case the incident is not related to ITD.

Incident Management Process Documentation
- Security Incident Response Plan
- Incident Reporting Form
- Root Cause Analysis Report
- Incident Response Management
- Incident Management Report
- Incident Response Team

Standards
Clause Reference   Control
13.1.1             Reporting Information Security Events
13.1.2             Reporting Security Weaknesses

Incident Management Process: What Counts as a Security Incident
1. Breach of security policies such as access control, internet usage, password violation, e-mail usage, etc.
2. Mail spamming, virus attack, hacking, etc.
3. Non-IT incidents: unsupervised visitor movement, information leakage, bringing unauthorized media.
4. Laptop stolen, USB lost.
5. Privileged user abnormal behaviour.
6. Security events listed as errors in applications, systems, databases, etc., in monitoring tools.
7. Confidential information asset corruption.
8. Confidential information asset stolen.
9. Event types, from a system-wide event such as breaches related to user logon, to an attempt by a particular user to read a specific file.
10. Both successful and unsuccessful attempts to perform an action.
11. Services halting.

Incident Management Process: Types of Security Incidents
1. Virus problem
2. Genuine Microsoft
3. Windows is not genuine
4. PC is not working
5. Windows firewall disabled
6. Scan problem for e-mail
7. Antivirus downgrade
8. Server not working
9. Restart
10. Intranet permission
11. Portal authorization
12. Software corrupted

Incident Management Process: Risks Related to Security Incidents
1. Loss of reputation
2. Loss of confidentiality, integrity and availability
3. Loss of money
4. Loss of morale
5. Loss of job
6. Misleading statistics

Asset Management Process
Process owner: The ISMS Implementation Committee
The ISMS Implementation Committee will be in charge of maintaining the Risk Register and the IT Asset Register, and of tracking the life of IT assets from procurement to disposal.
They will get their input from Procurement. They will maintain the IT asset identification:
- Ownership
- Location
- Classification
- Type of asset
Asset categorization and classification will be added to the IT Asset Register to maintain the compliance requirements of ISO 27001.

Asset Management Process Documentation
- Asset Management Form
- Asset Management Guideline
- Asset Management Standard and Guideline

Access Control Process
Process owner: Sultan Al Ghanem
Access control applies to all employees, non-employees and consultants of SIDF ITD. It also applies to all users that have been granted access to the SIDF ITD physical premises and information technology resources. Access should only be granted to legitimate users, at the levels for which they have legitimate authority. Access is a privilege, not a right. Access is granted based on individual business need and departmental policy.

Access Control Process Documentation
- Access Control Policy
- Access Control Standard
- Computer Room Access Procedure
- Access Control Guideline
- Database Access and Modification Procedure
- Internet Access Request Form
- Access Acknowledgement Form

Backup and Restore Process
Process owner:
The Information Security Policy requires that backups of critical data, which can and may be used to restore operations at the time of a disaster, will be taken.

Backup and Restore Process Documentation
- Backup and Restore Standard
- User Server File Restoration Procedure
- On-site/Off-site Backup Procedure
- Backup, Storage and Retention Procedure
- DBAdmin Request Form

Business Continuity Process
Process owner:
The Information Security Steering Committee is familiar with the goals of SIDF and its commitments to the customers of SIDF. The BCP Crisis Management Team will manage continuous IT operation in case of any catastrophic disaster at the SIDF main building or at ITD on the 3rd floor.
The Information Security Steering Committee will be responsible for ensuring that the core business processes of SIDF keep running even in case of a disaster. They will identify core assets and services that need to be made available to customers, and this advice will be taken up by the Disaster Recovery Team, which will provide the infrastructure for those core services to ensure their continual running.

Disaster Recovery Team
The Disaster Recovery (DR) Team will be responsible for the recovery of all systems at the DR site. They will get advice from the Information Security Steering Committee regarding which services need to be supported in order to keep the SIDF core processes active. All activities following a disaster, such as shifting operations to the DR site (fail over) and rebuilding the data centre and returning production to SIDF (fail back), will be the DR team's responsibility. The team will consist of technical personnel working on SIDF's IT infrastructure.

Business Continuity Process Documentation
- BC and DR Plan
- Disaster Recovery Procedure
- Test Records
- Logs

Security Awareness Process
Process owner: Marwan Al Saleem
- Keep the process live and updated
- Scheduled trainings
- Align awareness with current risks, threats and security objectives
- Design campaigns
- Suggest new techniques, products and methods to make users aware
- Work closely with the CISO and ISOs to plan the awareness schedule

Security Awareness Process Documentation
- Security Awareness Plan
- Accredited trainings and in-house trainings
- Exclusive awareness sessions
- Meetings/discussions
- Signs
- Posters
- Wallpapers
- E-mailers
- News
- Floor plans
- SharePoint-based documentation
- Walk-in / fines
- Security Handbook

Risk Assessment Process
Process owner: Harun Rasheed Bhaijee

Risk Assessment Process Documentation
- Procedure for Security Risk Assessment

Internal Audit Process
Process owner: Harun Rasheed Bhaijee
The ISMS Internal Audit Team, under the ISMS Implementation Committee, will be in charge of conducting the ISMS internal audit, reporting, surveillance visits and observing the compliance status. They will get input from Internal Audit.
- Audit schedule and plan
- Following the audit procedure
- Follow-up of corrective and preventive actions (CAPA)
- Recommendations, findings and observations
- Continual improvement

Internal Audit Flow
Internal Audit Procedure -> Audit Planning -> Internal Audit Procedure -> Audit Report -> CAP Report -> NC Report

Internal Audit Check List Documentation
- Firewall Check List
- Active Directory Check List
- File Server Check List
- Router Check List
- Physical Security Check List

Management Review Process
Process owner: Fahad Al Mawash
Management reviews shall be done annually and shall include all business units. On completion of the review, all recommendations are transmitted to the ISMS Steering Committee. Where revisions are approved, they shall be incorporated into the manual under the normal document control procedure and shall be issued to site.

Management Review Process: Inputs and Outputs
Inputs:
- Corrective action reports
- Incident reports
- Nonconformance reports
- Security training records
- Audit results
- Customer complaints
- Follow-up actions from previous reviews
- Information security changes
- Preventive action reports
- Investigation and inspection records
- Objectives and targets
- Assessment of effectiveness
- Review of policy and scope
- Roles and responsibilities
- Regulatory requirements
- Near-miss and violation reports
Outputs:
- Improvement of the ISMS
- ISMS effectiveness
- Improvement of customer requirements
- Customer satisfaction
- Future needs and strategies
- Specific corrective actions for individual managers
- Action plans and target dates

Management Review Process Documentation
Outputs:
- Management Review Report
- Minutes of the Management Review Meeting