Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Is awareness government
1. An Overview
by
Zaituni Mmari(Information Security Officer)
2. Four Questions
What’s it all about?
Why does it matter to the Government of Tanzania?
How does it work?
What do we have to do to the Government of
Tanzania?
3. What is Information Security?
The use of an ISMS (Information Security Management System) for the systematic
preservation, in the Government of Tanzania, of the
Availability
Confidentiality
Integrity
Of its information (and its information systems)Information risk
All information systems have vulnerabilities that can be exploited by threats in ways
that can have significant impacts on the government of TZ info system
effectiveness,value and long term survival have significant impacts on the government
of Tanzania effectiveness, profitability, value and long term survival. when exploited,
those threats will have an impact on the TZ government IS effectiveness and NOT directly
on the TZ gov effectiveness
Also involves
Authenticity
Accountability
Non-repudiation
Reliability
4. Why do we need to Implement an ISMS
to the Government of Tanzania?
We have valuable assets
Intellectual Property
Government valuable information
Data about staff, customers, suppliers
Organizational know-how
We have legal and regulatory compliance requirements
Data protection and privacy
Specific legislation
We are IT dependent
An IT failure (eg hardware, power failure, acts of
nature) is a institution failure
IT is not completely secure
IT is not inter-compatible
5. Why does information security matter to
the Government of Tanzania?
External threats
Viruses, worms, Trojans
100,000+ ‘in the wild’
Hackers – with automated attacks
Now big business (botnets, zero-day attacks)
Spam – 80%+ of all e-mail
Now big business (botnets, blended attacks)
Cyber-criminals – phishing, identify theft, grand larceny
Fraud, cyber terrorism
Competitors
Malcontents, activists
Anyone with a computer!
Internal threats
fraud, error, unauthorized or illegal
system use, data theft
6. How can ISO27001/ISO17799 standard
Help the Government of Tanzania?
A Standard is
“a document established by consensus and approved by a recognized body,
that provides for common and repeated use rules, guidelines or characteristics
for activities or their results, aimed at the achievement of the optimum degree
of order in a given context”
Two part ISMS standard
ISO 27001 (BS7799-2) specifies how to design an information security
management system (‘ISMS’)
How the ISMS should work, not what should be in it
ISO17799 (BS7799-1) is an international code of practice for information
security best practice that supports and fleshes out BS7799-2
What should be in the ISMS, not how it should work
History and future
BS7799 originated in UK, part 1 adopted by ISO
Revised every five years
Now ten years old
1300+ BS7799-2 certifications
Even more ISO17799 systems in place
No the ISO 27001 series from November 2005
7. Why the Government of Tanzania have to
use the standard?
Best practice specification and guidance
A MANAGEMENT SYSTEM
Technology agnostic
Non-technical
Non-jurisdictional
Systematic and comprehensive
Proven in many industries and organizations
Includes international best practice
Internationally understood
Capable of external certification
Commonly accepted best practice
100+ new BS7799-2 certifications
/month
ISO27001 and ISO9001
8. What is an ISMS?
A defined, documented management system (within a defined organization, the
‘scope’). It contains
A board approved, high level information security policy
Defines information security, the components and purpose of the ISMS, and
evidences to the business that management are committed to a defined and
systematic approach to information security
A corporate risk treatment plan
Describes how different types of risk are to be treated
An inventory of important information assets (data and systems) that fall within the
scope
An assessment of vulnerabilities, threats and risks (‘risk assessment’) to those assets
An ISMS Manual that contains a Statement of Applicability
identifies a set of controls (responses to/countermeasures for) that respond to
each of the identified risks
A comprehensive, inter-related suite of processes, policies, procedures & work
instructions
The ISMS must be
Systematically implemented and managed
Reviewed, audited and checked
Continuously improved
Certification
Valuable but not always essential
The final stage
Carried out by a third party certification body
Evidence as to the completeness and quality of the ISMS
9. ISO 27001 - a Closer Look
ISO 27001:2005 (BS7799-2:2005) is the current version
“Information security management systems – specification with
guidance for use”
“Specification” means “this is how it must be done”
Specification for
Establishing and managing the ISMS
Implementing and operating the ISMS
Monitoring and reviewing the ISMS
Maintaining and improving the ISMS
Control of documents
Management responsibility
Management review of the ISMS
ISMS Improvement
Control objectives and controls (Annex A)
Not exhaustive
10. What is a ‘Control’?
A vulnerability gives rise to a threat
A threat might have an impact (financial, operational) if it materialises
A risk is a threat that has a likelihood of materialising and an impact
Risks are at different levels (eg high/catastrophic, medium/affordable,
low/insignificant
A control is a response to or countermeasure for a risk
(a threat ≠ a risk)
Controls reduce risk, they don’t eliminate them
Controls should only be implemented in response to a specific, identified risks
A combination of technology, behaviour and procedure
Eg: anti-virus control:
Software installed on gateway and desktops
Procedure for ensuring regular updates
Trained to not open unexpected attachments
Cost of control ≤ cost of impact
Every asset has multiple risks
Every risk has a control
Some controls apply to many risks
ISO17799 has best practice guidance on control selection
11. ISO17799 – a Closer Look
ISO/IEC 17799:2005 is the current version
“Information technology – Security Techniques - Code of
practice for information security management”
“establishes guidelines and general principles for initiating,
implementing, maintaining, and improving information
security management in an organization. The objectives
outlined provide general guidance on the commonly accepted
goals of information security management”
“The control objectives and controls in ISO/IEC 17799:2005 are
intended to be implemented to meet the requirements
identified by a risk assessment. [It] is intended
as a common basis and practical guideline for
developing the Government of Tanzania security standards and
effective security management practices, and to
help build confidence in inter-organizational
activities.”
12. ISO 17799:2005 - Contents
11 Chapters, 132 controls
Best practice control objectives and controls for:
security policy;
organization of information security;
asset management;
human resources security;
physical and environmental security;
communications and operations management;
access control;
information systems acquisition, development and maintenance;
information security incident management;
business continuity management;
compliance
Not exhaustive
13. How do we create an ISMS?
PLAN
• PDCA Identify assets, scope, carry out risk
assessment, create policies,
processes
ACT
DO
Implement the defined and agreed
processes
CHECK No action required for accepted
PLAN risks
CHECK
DO Assess performance against defined
policies
ACT
Take corrective and preventive
action to continually improve the
operation of the ISMS
15. Documentation Structure
Four tiers
Setting the policy - strategic, high level,
Document type (required 1: Policy relatively unchanging – Board approved ISMS
authorization) (Board) manual, SoA, risk treatment plan all reflect
Detail in ISMS Manual 2.2 principles and demonstrate board accountability
Implementing the policy – setting out
2: Procedures business requirements, procedures and
processes – change infrequently but have
(Executive) multiple overlaps and impacts on
operational activity and business behaviours
Making the policy work - detailed,
step-by-step descriptions of how to 3: Work Instructions
perform individual tasks – subject (Operational)
to regular review and improvement
Records of what happened 4: Records
– minutes, logs, reports,
etc – information about (All users and usages)
how the ISMS is performing
16. Sequential mini-projects
Design and implement the ISMS area-by-area
Divisional, geographic, functional
OR
Control-by-control (priority determined by a high level strategic risk
assessment)
Standard PDCA approach always applies
Identify scope of the mini-project (plan)
Identify assets within the scope (plan)
Allow for multiple scopes applying to the same assets
Risk assessment for those assets (plan)
Identify appropriate control(s) and gain approval (plan)
Ensure overlaps are identified and allowed for
Cross linkages are already in the templates
Implement chosen control (including training) (do)
Monitor, review and audit control operation (check)
Identify and implement improvements (act)
17. Massively parallel approach
Designed to get the whole organization to project completion quickly and
completely
All procedures tackled simultaneously
All work instructions tackled simultaneously and in parallel
Implementation of procedures and work instructions happens as soon as each
is complete
Monitor, audit and review cycle starts immediately each work instruction is
implemented
This approach works best in organizations that already have an ISMS that
needs to be documented and brought into line with international best
practice
Only possible using the ITG toolkit, because the
templates all exist and all cross-linkages and
dependencies have been identified and included.
Requires experienced project management, a
committed project team and focused top management
support
18. Some concerns?
Procedure for procedure’s sake
Leads to robust, improvable processes that make the business work better
Restrictive on staff
Yes, but it also clarifies what is acceptable and what isn’t, so that everyone is ‘on the
same page’
Just another management system
It’s an extension to existing management systems (and is integrated into them)
Removes IT uncertainty, improves internal efficiencies, improves customer service
Who really cares?
Our users
Regulators and the law
Our business partners
You – because it makes your working environment more
efficient with fewer interruptions
19. Summary of benefits
Recognized accreditation
Assurance to our customers that their data is safe with us
Assurance to our employees, partners and suppliers that their data
is safe with us
Information security policy that fits the business needs
Reduced outages, stoppages and other information security
frustrations
Aligned with government goals
Security spend proportionate to value at risk
Everyone responsible, not just IT department
Formalisation of policies and procedures that
are already in place
20. Next steps
Management owns information security, approves the policy
Departments are responsible for their own assets and processes, risks and
counter-measures
You are all responsible for key parts of the information and IT infrastructure
Information asset and process inventory
Identification, by asset and process, of vulnerabilities, threats, impacts and
risks
Finalization of draft procedures to tie in with policy and Statement of
Applicability
Commencement of work instruction drafting
Should be carried out by individual asset owners/system administrators
Timetable
Start date
Finish date
Other issues
“ Information is an asset which, like other important business assets, has value to the Government of Tanzania and consequently needs protection. Information security management systems protect information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities. Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected. Information security is the preservation of: a) availability: ensuring that authorized users have access to information and associated assets when required b) confidentiality: ensuring that information is accessible only to those authorized to have access; c) integrity: safeguarding the accuracy and completeness of information and processing methods” The word ‘systematic’ is fundamental to an ISMS – the range of threats, vulnerabilities and risks is such that it is only possible to be sure that there are no loopholes if the subject has been tackled comprehensively and very systematically – and this is made possible by the toolkit approach that you have taken.
Why re-invent the wheel? This is the key reason for using an international standard such as BS7799. If this is a 17799 implementation, remove the reference to external certifications and make the point that 100s of organizations are successfully implementing 17799 best practice systems right now. More importantly, the range of information security threats and the level of information-related regulation is now such that ISO27001 is likely to be taken up by as many organizations as tool up ISO9001 after it became an international standard in the 1990s. Designed to be integrated into ISO 9001 systems, an ISO27001 ISMS will become a basic requirement for doing business in the digital age
An ‘asset’ is anything that is valuable to us and which somebody else therefore wants…. Information security is achieved by implementing an appropriate set of controls, which could be policies, procedures, organizational structures, hardware architectures, and software functions. These controls need to be established to ensure that the specific security objectives of the organization are met. Improvement has to be continuous, because the bad guys are continuously evolving new ways to attacking us.
There are many threats – not all are real risks to the Government of Tanzania, whether because they are so unlikely, or the damage they do is so minor, etc We don’t implement controls willy-nilly – not only must the risk have a significant impact on the business, but the cost of implementing the control that reduces that risk to an acceptable level should not exceed the cost of the impact if the risk materialises. It is important to get across that controls REDUCE risk, they don’t eliminate them – it would not be commercial to try and eliminate all risks, so the objective is to reduce them to an acceptable level. It’s because of the range of the risks and the number and value of the assets that a systematic approach is required – to ensure that there are no gaps between controls or between assets…
This pyramid shows the four tiers of the ISMS documentation, as set out in section 2.2 of the ISMS manual – it is designed so that document authorization is kept at the most appropriate level – the board is accountable for information security and, therefore, for the policy and framework of information security – it approves the first version and any subsequent amendments (which should be infrequent). For instance, the board sets a policy that appropriate steps must be taken to protect the Government of Tanzania from viruses – but, at this level, it would be inappropriate to set out what those steps should be, both because the board should be delegating implementation of this principle and because these steps are likely to be amended as the organization seeks ways to improve its processes. The executive, working through an information security forum, is responsible for implementing the policy, which it does through a set of procedures – and this toolkit contains most of what you will need in this regard, and the tailoring to suit your own requirements will be quick and straightforward. Procedures describe operational responsibilities and relationships – who is responsible for doing which bit and when. For instance, there will be a procedure that requires anti-virus software at the gateway, and on individual machines, with specific update frequency, that sets out a requirement for appropriate staff training, and which identifies the key steps in responding to a virus attack. Procedures are owned by specific individuals or functions, as specified in each, and that person is responsible for keeping it current and for having it authorized by whoever he reports to. Working instructions are very detailed – they set out the step-by-step instructions for carrying out each of the tasks required by the procedures – for eg, the anti-virus work instructions will deal with how the anti-virus software is to be installed, on which machines, following what specific steps, in a way that ensures that any person could repeatedly perform the same task to the same standard. They are drawn up by the owners of individual information assets or systems and are subject to approval by that person’s line manager. With changes in hardware, software and working practices – usually as part of a process of continuous improvement – these working instructions are subject to continuous change, often in only minor ways. This documentation structure enables those changes to be made quickly and easily. Records describe what happened – for instance, they include log files.
There are two broad approaches to an ISMS project. Both are catered for by this toolkit. You only want to adopt one of them – so you need this slide or the next one, but not both. The first is to implement the ISMS on a mini-project basis – which means either on a subset of the organization basis or by subset of the ISMS. Whichever you choose, you need to have a clear rationale for the choice. If you are tackling it control-by-control, you should carry out a high-level risk assessment to determine the areas in which your risk (eg, from virus attack) is greatest and prioritize your project on that basis. The PDCA principle also applies when you proceed on a min-project basis. A key reason for choosing the ITG toolkit is that it enables you to proceed with a step-by-step approach, knowing that cross-linkages are already included in the documentation, so that your risk of missing these critical cross-overs is substantially reduced.
This massively parallel approach will bring fast completion of the project. It requires effective project management and commitment from all the information asset owners to take part in the process and deliver their part of it quickly and completely. Management and the board support the process and it is seen to have a high level of importance.
This slide is for dealing with staff concerns – some typical concerns are included here, but you should modify the template to reflect what your internal feedback indicates are your internal issues, and the answers that you put up should reflect your considered and honest management response to those concerns.
