
Dear all, due to my busy schedule I am not able to write anything new on my blog, so to keep my blog alive, I found a few articles which are interesting to read.

Hopefully you all will enjoy reading these articles.

http://www.ranum.com/security/computer_security/editorials/dumb/?goback=.gde_1368287_member_201348582

Thanks to the author for writing such an interesting article.

Unforeseen threats never knock on the door before their arrival; they just arrive and destroy everything that comes in their path. Establishing a secure business is not just about supply and demand. It is about the prevention and protection measures that you can put in place against cyber-crime, the consequences of an electronic attack, natural disaster, acts of terrorism and other events that would have a negative impact on your organization. In this paper our major focus is on creating an effective and globally accepted business contingency plan, which is applicable to almost all types of business and their processes, to handle any crisis and keep their critical functions operating smoothly. This paper also focuses on the need for a BIA and discusses all the key aspects of the BIA model for analyzing the impact of an unforeseen threat on a business-critical function. In this paper we also try to provide a complete overview of existing business contingency and risk assessment models.
Please follow the below-mentioned link to read the main paper.

Business Contingency Planning: A Road Map to Protect Company from Unforeseen Threats

Thanks to my Big B (Ankur Kumar Shrivastava), I am now the co-author of 6 published research papers. So, in this section I am going to share all those publications.

These are basic research papers in their respective areas, but I am sure they will help you in understanding the various areas of research and may give rise to a new idea for research.

Scope

Dear Friends, welcome back. Thanks for all the positive responses and likes that motivate me to write better than my previous article. Today we will try to understand how to decide and write the scope of any audit or implementation of ISMS.

Scope describes the extent and boundaries of the audit or implementation in terms of factors such as physical locations, organizational units, activities and processes to be audited and, where relevant, the time period covered by the audit. (According to ISO 27001:2005)

According to my understanding, we can use the following format to write the scope of any audit or implementation:

· Objective: we first define our objective (try to make it short and simple, not more than two lines).

· Boundary or Requirement: here we set out the boundaries (for example, if the company where we have to implement ISMS has 12 departments but we only want to include 8 of them, then we mention the names of those included departments here).

· Extent: the last thing is the extent to which we will go to achieve the above-mentioned objective.

Now, before going into any technicality, let’s try to understand scope with day-to-day activities. For example, if I have to decide the scope of going to office, then it involves:

1. Objective:

a) Reaching office

2. Boundary:

a) Reaching office before 9:30am (a race against time)

b) Staying alive (a tug of war on the Mumbai Local); to survive, I always prefer a slow local starting from my source station

3. Extent

a) If I am running late, then I can catch a fast local.

b) I can go by bus if for some reason the local is not available.

Many will feel that we can book a cab and reach office on time, but as I mentioned above, we are talking about my scope of reaching office on time, and my pocket doesn’t allow me to go to office by cab; hence I would rather be late than book a cab and reach office on time.

So, the boundary for me reaching office is the timeline (i.e., 9:30am), and the extent is the mode of transportation I use to reach office.

Now we will try to decide the scope of implementation of ISMS within an organization which deals in software development and has offices across the country:

1. Objective: the objective will be implementation of ISMS within the organization.

2. Boundary / Requirement: we define the boundary of our implementation. For example, suppose we have 5 departments within our organization, i.e.,

a. IT Support

b. Development Team

c. Database Team

d. Network Team

e. Admin

Out of the above-mentioned 5 teams, I don’t want my Admin team to comply with ISMS, so I can keep the Admin team out of the boundary of my scope. So, our boundary within the organization will be IT Support, Development Team, Database Team and Network Team.

3. Extent: we can define the extent as all the offices in the country, or, if management wants to go with a particular region (for example the Northern Region), then the extent of our implementation will be all the offices in the Northern Region.

We shall always keep a few things in mind while defining the scope:

· It shall be short and precise

· Boundaries shall be well defined

· Extent shall be clearly defined

· There shall be proper approval of the defined scope from senior management

Basics of ISMS

What is ISMS?

ISMS stands for Information Security Management System; as we can see, it is a combination of four words. So, before going in depth about ISMS, we need to understand these words.

Information, according to Wikipedia, “is a sequence of symbols that can be interpreted as a message”. Let’s try to make it simpler: information is a collection of data which will help us in taking decisions or identifying something. For example, if I give you 3 words, i.e., “Mr. A”, “train” and “7:30 am”, what information can you derive from them? Let’s consider three situations which can be derived from these words:

1. Mr. A has to catch a train at 7:30 am.

2. Mr. A missed 7:30am train.

3. Mr. A will not travel by the 7:30 am train, etc.

We can easily see that if I shared any one of the above possibilities instead of just the 3 words, it would be easy to identify someone or make a decision.

Security means safeguarding information which is valuable. Always remember that for any company, people (which means us) are the most important asset. That doesn’t mean that in ISMS we will talk only about securing ourselves; it also involves securing people, processes (both IT and non-IT) and technology.

We can now define information security as safeguarding information which is valuable to an organization. There is a triad of information security, as shown in Fig. 1 and defined below:


Figure 1

1. Confidentiality: only legitimate users have access to the information.

2. Integrity: only legitimate users can make changes to the information.

3. Availability: the information is available to legitimate users when needed.

Management is the task of achieving any objective in the most effective and efficient way.

System is an approach to perform an overall activity or duty or solving a problem.

We can define ISMS as a management system to secure information from unauthorized disclosure or manipulation in the most effective and efficient way, so as to achieve the business objective or goal.

One point to remember is that information security is not only about IT security. It involves both IT and non-IT security, and it applies to information in both soft copy and hard copy.

What is ISO 27001?

Although every company takes due care to safeguard the information within its organization, there was no formulated set of procedures for doing so before October 2005. In 2005, the International Organization for Standardization and the International Electrotechnical Commission published ISO 27001, which is part of the ISO 27000 family of standards. Its full name is ISO/IEC 27001:2005 – Information technology — Security techniques — Information security management systems — Requirements. ISO 27001 requires management to perform the following activities:

1. Thoroughly scrutinize the organization’s information security risks, considering the threats, vulnerabilities and impact.

2. Design and implement a complete and lucid collection of information security controls to counter those risks.

3. Ensure continual improvement of the system in order to enhance information security.

ISO 27001 is a standard which talks about continual improvement with the help of the cycle shown in Fig. 2.


Figure 2

ISO 27001 has 11 domains and 133 controls. All the controls are explained in detail in ISO 27002.

Who does ISO27001 apply to?

Any organization (small or big) can comply with ISO 27001, especially where there is a flow or storage of critical information, either in soft copy or hard copy. The best part of ISO 27001 is that it is not as stringent as some other security standards; hence it is not mandatory for an organization to comply with all 133 controls. But that also doesn’t mean you can select controls according to your own feasibility and convenience: every exclusion has to be justified with proper reasoning.

ISO 27001 Benefits

1. An advantage over competitors.

2. A framework for complying with all the legal and regulatory requirements.

3. A continual improvement process, hence reducing security incidents.

4. Pro-active process.

In this section I will talk about the effectiveness of implemented controls. I will also discuss the procedure for conducting the opening and closing meetings, as well as disclosing the audit findings to the auditee.

In this section I will cover the implementation of ISMS. I will start this section with the gap analysis and then cover the implementation of all 11 domains and 133 controls of ISO 27001 in the best possible way. This part will also deal with the actual auditing procedure and guidelines.

This section of my blog will be dedicated to all the basic definitions and processes involved in ISMS implementation or sustenance activities. I will also be discussing the basics of the audit procedure, standards related to information security, and new methodologies introduced for ISMS compliance.

About the Author

Abhinav Kumar Srivastava has around one and a half years of information security consulting experience and overall three and a half years of experience in various sectors. Abhinav is currently working with Paramount Computer Systems as an Associate Consultant – Abu Dhabi (UAE). Abhinav’s areas of interest are ISMS, BCMS, Risk Assessment and GRC.

Abhinav possesses a Bachelor’s Degree in Computer Science Engineering and a post-graduate degree in Information Security from IIIT Allahabad. His certifications include ISO27001 – LA, ISO22301 LA, ISO20000 – LA, BS25999 – LA, ISO9001 – LA and CCNA.

Abhinav loves reading books and writing. Six of his research papers have already been published in international conferences and journals, and a few are in the process of publication.

You can reach him anytime at er.abhinavshrivastava@hotmail.com.

Hello World!!

Hello friends!!!!!!

Welcome to ismsworld.wordpress.com! When I entered the corporate world of Information Security, I came across so many situations when, during a conversation on a project with my colleagues, I realized the terminology they were using was something I was not at all aware of. Those are really bad situations, as you want to make an impact too but you have no idea what they are discussing. So, you stay there numb and try to act as if you know everything, and you agree with whatever they say. After that you Google it too, but even after spending hours, you will not come across anything. Now that I know something about our lovely ISMS, I decided to start this blog to support the freshers and professionals like us who at times miss out on a few things due to work load or pressure or the use of some big corporate jargon.

I am not an expert in this field; I will be sharing my experiences and my understanding of ISMS with you all. So, if you find something which can be done in a more effective and efficient way than what I mentioned on this blog, then feel free to comment on that post. I want this process to be a two-way learning process. Everyone is most welcome to post your queries and I will try to answer them ASAP.

At last I would like to thank a bunch of people, and I will mention their names as I want to tell them that I love them all and without them I would not be where I am today – Atin Bhaiya (Alias Kaka, for being a great guide), Achlesha Bhabhi, Vidit Shrivastava (my biggest critic), Bharti Rastogi, Bhumika Kaushal (my motivator), Naveen (Alias Chahca), Vivek Sharma (Alias Kali), Anant Rai (Alias Zihadi – without his Zihad I would not have learned so much), Aadesh Bhaiya, Ajay Nehra, Varsha, Seema, Prakhar, Dheeraj (Alias Nawab – don’t wanna go into the details behind this nickname), Rashmi Singh; my extended family, all my friends, my batch mates (from BHS, SBCET, IIIT-A) and colleagues (from Tryst, MG, MIT, NII and Mahindra SSG).

I also wanna thank the entire Mahindra SSG team for their support, especially Shailesh Sir for providing me great opportunities to learn and guiding me towards a better understanding of ISMS, Farzana Mam for being a great Team Lead, and the entire MISS team. I will not miss the opportunity to thank KK Sir, Prashant Koranne Sir, Jaideep Sir and Daksha Mam for being great teachers of Information Security for me, and Purvesh Gada Sir for helping me and motivating me in developing this blog.

Lastly I want to thank the three most important people of my life, who are always there to support me in all situations and always believe in me – Mom, Dad and Bhai (Ankur Kumar Shrivastava – my biggest strength). Love you all.

Let’s begin our ISMS journey. All are welcome!!!!!!!!!