ISO 27001 & ISMS

Vijay Singh :: Balaji Institute of Telecom & Management, Pune (2008-10)

Information Security
Information Security Definition:
• “preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved”
– Source: ISO/IEC 27001:2005

Introduction ISO 27001 & ISMS
• ISO 27001 has been prepared to provide a model for:
  – Establishing
  – Implementing
  – Operating
  – Monitoring
  – Reviewing
  – Maintaining and improving
an Information Security Management System (ISMS)


What is an ISMS?
• Information Security Management System
– Strategic decision of an organization
• Design and implementation is influenced by:
  – Needs and objectives
  – Security requirements
  – Processes employed
  – Size and structure of the organization

• Scaled with ‘needs’: a simple situation requires a simple ISMS solution


International Organization for Standardization (ISO)
• Established in 1947
• Published over 16,077 international standards
• ISO meetings attract some 30,000 experts a year
• Federation comprised of 156 national standards bodies
• National member bodies manage development work
• ISO standards are consensus based


History of ISO 27001
• Originally the standard was developed as BS 7799 in 1995 and just included the controls.
• A second part, formalising the process for creating an ISMS, was added and known as BS 7799 (Part 2).
• The first part was then adopted as an ISO standard, becoming ISO 17799. Part 2 was then adopted as ISO Standard 27001 in 2005.


Decision To Adopt ISMS a Strategic Decision
• Adoption of an ISMS should be a strategic decision.
• Design and implementation is influenced by the organization’s needs and objectives, security requirements, the processes employed and the size and structure of the organization.
• Scale the system in accordance with your needs, which may well change (simple situation = simple ISMS solution; complex situation = complex ISMS solution).


Process Approach
• ISO 27001 has adopted a Process Approach, which means an organization needs to identify and manage many activities in order to function effectively.
• Any activity using resources and managed in order to enable the transformation of Inputs into Outputs can be considered to be a Process.
• Inputs → Process → Outputs
• Often, outputs from one process provide inputs into the next.


Process approach for ISMS encourages users to emphasize the importance of:
a) Understanding an organization’s information security requirements and the need to establish POLICY and OBJECTIVES for information security
b) Implementing and operating CONTROLS to manage an organization’s information security risks in the context of the organization’s overall business risks
c) Monitoring and reviewing the performance and effectiveness of the ISMS, and
d) CONTINUAL IMPROVEMENT based on objective measurement


• Plan, Do, Check, Act is to be applied to structure all ISMS processes

• ISMS takes the information security requirements and expectations of the interested parties and, through the necessary actions and processes, produces information security outcomes that meet those requirements and expectations.

Model of an ISMS

Growing Acceptance

Source: http://www.xisec.com/

Additional benefits of implementing an ISO 27001 system
• Provides the means for information security corporate governance and legal compliance
• Provides a market differentiator
• Focuses staff responsibilities and creates security awareness
• Enforces policies and procedures


SAS 70

Introduction-SAS 70
• SAS 70 is an acronym for Statement on Auditing Standard 70.
• SAS 70 was developed by the American Institute of Certified Public Accountants (AICPA) in 1988.
• It defines the standards an auditor must employ in order to assess the contracted internal controls of a service organization.

Continued…
• SAS 70 reports are commissioned at the request of either a service organization (the company) or the user organization (customers).
• At the end of the audit, the service auditor issues an important report called the "Service Auditor's Report".

Types of SAS 70 Reports
Type 1
• Reports on controls placed in operation (as of a point in time)
• Looks at the design of controls, not operating effectiveness
• Considered for information purposes only
• Not considered a significant use for purposes of reliance by user auditors/organizations
• Most often performed only in the first year a client has a SAS 70

Type 2
• Reports on controls placed in operation and tests of operating effectiveness (for a period of time, generally not less than 6 months)
• Differentiating factor: includes Tests of Operating Effectiveness
• More comprehensive
• Requires more internal and external effort
• Identifies instances of noncompliance
• More emphasis on evidential matter


Advantages of SAS 70

Users of the SAS70

Areas of Focus
• Operations
– Account Set-up and Administration
– Security Set-up
– Trade and FX Processing
– Pricing
– Dividend Processing
– Corporate Actions
– Confirmation/Affirmation/Settlement
– Custody Reconciliation
– Client Report
– Investment Income
– Portfolio Compliance
– Personal Trading

• Technology
– Information Systems Operations
– Security (Physical & Logical)
– Application Systems Implementation & Maintenance
– Computer Operations


SOX: Sarbanes-Oxley Act
• The Sarbanes-Oxley Act of 2002 is legislation enacted in response to the high-profile Enron and WorldCom financial scandals, to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise.
• The act is administered by the Securities and Exchange Commission (SEC), which sets deadlines for compliance and publishes rules on requirements.
• Sarbanes-Oxley is not a set of business practices and does not specify how a business should store records; rather, it defines which records are to be stored and for how long.


Risk Threats and Vulnerability
Risk = Threat × Vulnerability
• Being “at risk” is being exposed to threats.
• Risks are subjective: the potential to incur consequences of harm or loss of target assets. A Risk Factor is the likelihood of resources being attacked.
• Threats are dangerous actions that can cause harm. The degree of threat depends on the attacker's Skills, Knowledge, Resources, Authority, and Motives.
• Vulnerabilities are weaknesses in victims that allow a threat to become effective.

• Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.

Is an Enterprise’s Internet Connection Not Vulnerable to Threats Once VPNs Are Deployed?
• To secure the connection to the Internet and protect internal networks, enterprises deploy a variety of security devices, including firewalls, Virtual Private Networks (VPNs), Intrusion Detection/Prevention (IDP), anti-virus, and content monitoring.
• However, none of these Internet-related security technologies protect the internal IP network from attacks against the traditional voice network connections created by unauthorized or non-secure modems and poorly configured voice systems.

Unauthorized and Unsecured Modems: Easy Pickings for Attackers!
• When an attacker accesses an unauthorized or non-secure modem, the IP network-based security products cannot see or detect the intrusion.
• Typically, no record of the attacker’s access is logged, except perhaps a long call recorded on the PBX, and even this record exists only if the accessed modem line routes through the PBX. Logs on the attacked system may record the access, but they are easily deleted by the attacker.

Unauthorized Remote Access
• In order to provide their remote users with access to the internal network, most enterprises invest in Internet-based VPNs and managed Remote Access Servers (RAS).
• Unfortunately, users often set up their own personal remote access.

Backdoor remote access in the enterprise LAN

Unauthorized ISP Access
• Employee use of unauthorized modems for Internet access is a more common and serious problem.
• To reach the Internet from work, these users simply install a modem on their work computer and dial a local or 1-800 ISP.
• Employee abuse of Internet access privileges is quantified in the 2004 CSI/FBI Computer Crime and Security Survey. Of the almost 500 respondents (primarily financial institutions, large corporations and government agencies), 59% detected employee abuse of Internet access privileges, for an estimated loss of $10,601,055!

VoIP Vulnerabilities and Threats
• VoIP is vulnerable to traditional IP attacks (worms, viruses, and DoS) and is only as secure as the weakest link on the network.
• Securing VoIP is also more complex and arduous because it involves more components and software than a traditional circuit-switched voice network.

Security Gap Left by Traditional Data Firewall


Introduction to Revenue Assurance
• In this world of hybrid telecommunications companies, even a simple phone call involves several kinds of carriers.
• These multi-level handoffs mean that carriers have to mediate disputes over ever more complicated combinations of revenue, billing and tariff data.
• All too often, telcos stand helplessly by as millions of dollars of their revenues go uncounted.

Tata consultancy services

Continued…
• Every telco considers 5% revenue leakage as normal.
• Revenue assurance is one of the simplest and easiest ways to stop revenue leakage.


What is Revenue Assurance?
• It is about billing all transactions for all events without losing revenue to fraud.
• Its scope extends to include the collection of bad debts and outstanding revenues.

Why is RA Required?
1. Safeguard against loss of revenue: collecting the revenues due to a company is one of the easiest ways for a company to grow. It has been found that telecom companies regularly miss out on billing 5% of their revenues.
2. Reducing customer churn: RA strategies help in monitoring the causes of customer dissatisfaction and controlling them methodically and quite effectively.


3. Maintaining billing accuracy standards: both under-billing and over-billing are a cause of worry for the company. While under-billing results in loss of revenue, over-billing results in loss of reputation.

Causes of Revenue Leakage
1. Lack of co-ordination among different units in the same organisation.
2. Complexity in the product/service definition.
3. Mismatch between service (de-)activation on the network and billing (de-)activation.
4. Improper functioning of switch components.


5. Inaccuracy of switch/network transactions.
6. Rating complexity.
7. Bill production and bill delivery.
8. Business process weaknesses.
9. Data centre process weaknesses.


Key factors to be considered
1. Collective responsibility for RA: since the root cause of revenue leakage is the lack of coordination, it is important to have a separate team with clear responsibility towards RA.
2. There should be a framework document for the RA activities.
3. The RA team should also consider external events related to reliability factors, such as system failures.
4. Tracking and reporting as specified in the framework document should be strictly implemented.


State of the Art in RA: How to Tackle the Problems


