SLIDE 1

Methodological support Prepare Analyze Assignments References

Introduction to the Swedish Civil Contingencies Agency's (MSB) methodological support for introducing Information Security Management Systems (ISMS).

Carina Bengtsson, Daniel Bosk and Lennart Franked

Department of Information Systems and Technologies (IST), Mid Sweden University, Sundsvall.

May 14, 2018

This work is made available under the Creative Commons Attribution-ShareAlike 2.5 Sweden licence (CC BY-SA 2.5 SE). To see a summary and a copy of the licence text, visit URL

SLIDE 2

Overview

1 MSB Methodological support

2 Prepare: Introduction, Committed Management, Project planning

3 Analyze: Organisational analysis, Risk analysis

4 Examination

SLIDE 4

MSB

Swedish Civil Contingencies Agency (MSB). “MSB is responsible for issues concerning civil protection, public safety, emergency management and civil defence, as long as no other authority has responsibility.” [msbse]

SLIDE 5

Why do we as a society need this?

Information is central in today’s society. It serves the needs of both the individual and society as a whole. It is therefore necessary to avoid disturbances in our information systems.

SLIDE 6

Tieto breakdown I

Lindkvist [Lin12] gives the following summary:

Friday afternoon: Tieto notices a disruption in their IT systems. 350 pharmacies lose contact with their IT systems. Many larger organisations are also affected, among them a larger logistics company.

Sunday afternoon: Tieto reports a hardware malfunction and starts the necessary steps to fix it.

Monday morning: The logistics company is unable to handle its operations and cannot reach its employees. The vehicle inspection agency is unable to access its IT system. Since it handled over 20 000 vehicle inspections a day, this might result in a driving ban for some vehicles, because approved inspections cannot be reported. Nacka municipality has to

SLIDE 7

Tieto breakdown II

resort to Facebook and Twitter for communicating within the municipality.

Monday afternoon: The social services offices in Nacka and Sollentuna are unable to pay child support. Stockholm City’s absence reporting system for the schools is down.

Wednesday lunch: All the pharmacies have regained access to their IT systems.

11 days: The logistics company can start using its IT system. The organisation was still recovering from the disruption two months later.

SLIDE 8

Informationssäkerhet.se

MSB ran a project called SVISA: ’Stöd för Verksamheters InformationsSäkerhetsArbete’ (support for organisations’ information security work). It resulted in informationssäkerhet.se, which is meant to give practical advice on how to systematically incorporate information security into an organisation.

SLIDE 9

Methodological support

Support for how to conduct information security work in an organisation. Explains how to build an information security management system. Should be seen as a “smorgasbord”:

Pick the parts that apply to the organisation. Apply them in an order that is suitable.

Information security is a complex field:

It must be integrated in the entire organisation, from top management down to the lowest operative level.

SLIDE 10

Methodological overview

Figure: Overview over the methodological support.

SLIDE 12

What is information security?

It occurs together with other processes and organisations. Information security in an organisation has no value by itself; it needs to be integrated into the organisation to be effective.

SLIDE 13

What is information security?

The ability to preserve the requirements and expectations that exist on information in an organisation. Among other things, to protect against disruptions such as what happened to Tieto.

SLIDE 14

Demands and expectations on information

Confidentiality: The information should only be accessible to an authorised entity.

Availability: The information must be accessible when it is needed.

Integrity: The information is exact and complete.

SLIDE 15

Demands and expectations on information

Traceability: Who has accessed or changed the information?

Non-repudiation: It should not be possible to deny an act.

Authentication: Establishing an entity’s identity.

Authorisation: Giving an authenticated entity certain permissions.

These will be covered later in the course.

SLIDE 16

What is information security?

Figure: Structure of information security.

SLIDE 17

Structure

Figure: To work with information security

SLIDE 18

Security is no stronger than the weakest link

A strong password, written down on a post-it next to where it is used. A high-grade lock on a regular glass door. The right conditions must be in place in order to be able to work securely.

SLIDE 19

Why protect the information?

Non-mandatory

“Good for business”

Reputation: Who will let a company handle their information if the company is known for treating data carelessly?

Financial: A strong reputation is better for the economy, and the cost of dealing with security incidents will be lower.

Internal efficiency: No loss of information or disruptions in the work.

Quality: This will hopefully lead to an increase in work quality.

SLIDE 20

Why protect the information?

Mandatory

Personal Data Act 1998:204 adds restrictions on how an organisation manages personal data.

Public Access to Information and Secrecy Act 2009:40 says that certain information must be available to the public, while other information should not be.

The Archives Act 1990:782 says that the government needs to archive all public documents.

MSBFS 2016:1 applies to governmental agencies and their work with information security.

SLIDE 21

MSBFS 2016:1

Due to the increased electronic information exchange in society, there are now demands on how governmental agencies work with information security. The code of statutes came into effect on 1 February 2010.

SLIDE 22

MSBFS 2016:1

1 § This statute contains regulations that connect to the provisions on government agencies’ information security in Section 19 of the Ordinance (2015:1052) on emergency preparedness and the measures of agencies with monitoring responsibilities during heightened alert.

SLIDE 23

MSBFS 2016:1

5 § Every agency shall conduct systematic and risk-based information security work supported by an information security management system. In this work the standards ISO/IEC 27001:2014 and ISO/IEC 27002:2014 shall be taken into account. Sufficient resources shall be allocated to the information security work, and the agency management shall be kept informed on an ongoing and regular basis. Among other things, this means that an agency must:

1 establish an information security policy and the other governance documents needed for the agency’s information security,

2 appoint one or more persons who lead and coordinate the information security work,

3 classify its information based on requirements for confidentiality, integrity and availability,

4 based on risk and vulnerability analyses and incidents that have occurred, decide how risks shall be handled and decide on measures for the agency’s information security,

5 document reviews and security measures of major

SLIDE 24

MSBFS 2016:1

10 § The agency shall have procedures for identifying, reporting, assessing, handling and documenting incidents that may affect the security of the information handling for which the agency is responsible, or of services that the agency provides to another organisation. The agency shall have procedures for learning from such incidents and from the measures taken.

SLIDE 25

ISO 27000

This is not just for governmental agencies: any organisation can certify themselves against ISO 27000. MSB’s methodological support is adapted to the international standards.

SLIDE 26

Management System

Everyone has a “system” to manage an organisation. A formalised system is used to make the work more efficient with regard to the set goals. It should include routines and delegation of responsibilities for how the organisation should be managed. There must be clear goals and guidelines for how they should be achieved. Covers, among other things, organisational structures, governance documents etc.

SLIDE 27

Information Security Management System (ISMS)

Should be integrated with the other management systems! Refers to how to regulate the work with information security, and also how to regulate work routines, methods, . . . Governance documents have an important role to play in an ISMS.

SLIDE 28

Apply ISMS

Not only establish, but also implement, pursue, monitor, audit, maintain and improve.

SLIDE 29

Governance documents

Plan of action, policies, guidelines, . . . Policy: What do we want to achieve? One extensive document, or multiple smaller ones. The governance documents should be integrated into the organisation’s current structure.

SLIDE 30

Information security in different levels

Figure: Different levels where information security can be conducted.

SLIDE 31

Purpose with ISMS

Figure: To convert requirements to an active protection.

SLIDE 32

ISO 27001

MSB’s methodological support describes how to build an ISMS based on ISO 27001. ISO 27001 is a continuous process that strives towards constant improvement of how to work with, and use, different security solutions with regard to information security. It is important to adapt this to the organisation, but this does not mean that parts can be skipped.

SLIDE 33

PDCA

Plan: Plan, analyse and design.

Do: Establish.

Check: Follow up.

Act: Improve.

Then start over again.

SLIDE 34

ISO 27002 – What should be done?

Security policy. Organising the information security. Managing assets. Human resources and security. Physical and environmental security. Control, communication and management. Access control. Acquisition, development and maintenance of information systems. Managing information security incidents. Continuity planning for the organisation. Compliance.

SLIDE 35

ISO 27002 – What should be done?

All of this is covered in different chapters in ISO 27002. We will cover parts of this during the next lecture.

SLIDE 36

Committed management

How to succeed? Support is needed from top management. Since the information security work should cover the entire organisation, it is vital that top management is fully committed. Those appointed to work with information security need to have the mandate to be able to do their work.

SLIDE 37

Create commitment

Top management has the overall responsibility for the organisation, and this includes information security and security incidents. It is important to make management understand the importance of information security.

SLIDE 38

Motivation

What positive effects might come with strong information security? What is the price of not protecting the information?

Leaked company secrets. Inaccessible infrastructure.

Show incidents. Laws and other regulations?

SLIDE 39

Project planning

MSB recommends that an ISMS should start in project form and then transition into a process.

Figure: Establish and implement an ISMS.

SLIDE 40

Project plan

The foundation of the project. Defines the extent of the ISMS. An agreement that is good for both the project leader and management. Can contain:

Background and need, purpose, goal, extent and demarcation, connections and contact surfaces, time plan, and budget.

SLIDE 41

Organising the project

Important with wide knowledge: to represent the entire organisation.

Important with the correct qualifications: leading projects, and information security. Important with mandates! The organisation should be active and engaged, so that the competence does not disappear once the project is over.

SLIDE 42

A short checklist

Has management made a decision to implement an ISMS? Has management appointed someone to coordinate the organisation’s work with information security?

Has management ensured that there is a strategy to communicate the ISMS work internally? Has management made a decision regarding budget and resources?

SLIDE 44

What should be protected?

What information assets do we have, and are they worth protecting? What does it mean to protect them?

SLIDE 45

Organisational analysis

The purpose of the organisational analysis is to identify the informational assets available and find out how much they are worth protecting. Should lead to a structured list of:

what informational assets there are, what requirements and expectations exist on them, and the worth of each asset.

SLIDE 46

Example of informational assets

Employees: qualifications and experiences. Data: databases, agreement, documentation, samples, routines. Access to software: application software, system software, development software. Services: data- and communication systems, supply systems. Immaterial: reputation, profile. Physical: computer equipment, movable media.

SLIDE 47

Dividing informational assets

Primary: Refers to the main information, such as blueprints, logs or contracts.

Secondary: Refers to resources that are required to access the primary informational assets. What will happen if you do not have the program required to read the closed proprietary format in which the information is stored?

SLIDE 48

Finding the informational assets

Previous process mappings? By department? By IT system? By project? By process? By function?

SLIDE 49

Requirements on the informational assets

In order to be able to classify, the requirements need to be known. This is necessary to be able to objectively measure the need for protection.

“My information is the most important!”

What information is necessary for the organisation?

SLIDE 50

Legal requirements

Agreements, laws and regulations: Personal Data Act, The Archives Act, Public Access to Information and Secrecy Act, MSBFS 2016:1, Security Act.

SLIDE 51

Internal requirements

Requirements that the organisation has in order to reach its goals. For example: vision, business concept, policies, values.

SLIDE 52

Classifying information

A method to evaluate how much an informational asset is worth protecting, in order to be able to create suitable protection. Evaluate each asset based on:

Availability, Integrity, Confidentiality.

Each perspective has a number of security levels.

SLIDE 53

MSB’s suggestion for a classification model

Figure: MSB’s suggestion for a classification model with the levels Severe, Considerable, Moderate and Negligible.

SLIDE 54

Classifying information

All assets are classified against all the identified requirements from all the different perspectives. The information owner should be the one classifying the information. It is good to adapt the model to the organisation.
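The classification step on the slides above (one level per perspective for each asset, decided by the information owner, ending in a structured list of assets, requirements and worth) can be written down as a small inventory tool. The following is an added example for the lecture and not MSB's or the university's own tool: the four level names are taken from the slides, but the numeric values, the K/R/T code format (modelled on the "K3, R2 and T2" notation used in the university example later in the deck), the rule that the overall protection need is the highest of the three perspectives, and the sample inventory are all assumptions.

```python
"""Asset classification per perspective (added example, not MSB's or the
university's own tool). Level names follow the slides; numeric values,
the K/R/T code format and the sample inventory are assumptions."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Consequence for the organisation if the requirement is not met."""
    NEGLIGIBLE = 0
    MODERATE = 1
    CONSIDERABLE = 2
    SEVERE = 3


# Perspectives from the slides, with the initials the university example
# appears to use (K = konfidentialitet, R = riktighet, T = tillgänglighet).
# The mapping to initials is an assumption.
PERSPECTIVES = {"confidentiality": "K", "integrity": "R", "availability": "T"}


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str            # "primary" or "secondary", as on the slides
    owner: str           # the information owner classifies the asset
    levels: dict         # perspective -> Level
    requirements: tuple  # sources of the requirements (law, agreement, ...)

    def __post_init__(self):
        # Every perspective must be classified; a missing one is an error,
        # not a silent "negligible".
        missing = set(PERSPECTIVES) - set(self.levels)
        if missing:
            raise ValueError(f"{self.name}: no level for {sorted(missing)}")


def classification_code(asset: Asset) -> str:
    """Compact code such as 'K3 R2 T2' (format is an assumption)."""
    return " ".join(f"{PERSPECTIVES[p]}{int(asset.levels[p])}" for p in PERSPECTIVES)


def protection_need(asset: Asset) -> Level:
    """Overall need is driven by the most demanding perspective (assumed rule)."""
    return max(asset.levels.values())


def structured_list(inventory):
    """The structured list the organisational analysis should produce:
    each asset, the requirements on it and its worth, most valuable first."""
    rows = [{
        "asset": a.name,
        "kind": a.kind,
        "owner": a.owner,
        "requirements": a.requirements,
        "code": classification_code(a),
        "worth": protection_need(a),
    } for a in inventory]
    rows.sort(key=lambda r: (-r["worth"], r["asset"]))
    return rows


# Constructed sample inventory; not the university's real result.
INVENTORY = [
    Asset("Research data set", "primary", "Project lead",
          {"confidentiality": Level.SEVERE, "integrity": Level.CONSIDERABLE,
           "availability": Level.CONSIDERABLE},
          ("funding agreement", "internal policy")),
    Asset("Student absence reports", "primary", "Head of studies",
          {"confidentiality": Level.CONSIDERABLE, "integrity": Level.CONSIDERABLE,
           "availability": Level.MODERATE},
          ("Personal Data Act",)),
    Asset("Proprietary analysis software", "secondary", "IT department",
          {"confidentiality": Level.NEGLIGIBLE, "integrity": Level.MODERATE,
           "availability": Level.CONSIDERABLE},
          ("licence agreement",)),
    Asset("Public course catalogue", "primary", "Communications",
          {"confidentiality": Level.NEGLIGIBLE, "integrity": Level.MODERATE,
           "availability": Level.MODERATE},
          ("Public Access to Information and Secrecy Act",)),
]


if __name__ == "__main__":
    for row in structured_list(INVENTORY):
        print(f"{row['code']:<10} {row['worth'].name:<12} {row['asset']} "
              f"({row['kind']}, owner: {row['owner']})")
```

The secondary asset (the proprietary software) ends up above a primary one in the list: that is the point made earlier in the deck about secondary assets, since losing the program that reads a closed format is an availability problem for the primary information it unlocks.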

SLIDE 55

University’s adaptation of a classification model.

Figure: University’s adaptation of a classification model from the confidentiality perspective.

SLIDE 56

University’s adaptation of a classification model

Figure: University’s adaptation of a classification model from the availability perspective.

SLIDE 57

University’s adaptation of a classification model

Figure: University’s adaptation of a classification model from the integrity perspective.

SLIDE 58

Example of the result from the university

Figure: Part of the result from the university.

SLIDE 59

Risk analysis

Necessary for demarcation: What informational assets should we do a risk analysis on? What informational assets are not critical enough for a risk analysis?

SLIDE 60

Risk analysis

Used to adapt the protection to the assets of the organisation.

Generates a list of:

existing threats, consequences of the threats, and suggestions for risk management.

SLIDE 61

Identify threats

Use brainstorming to find potential threats. Include all suggestions! Be specific: intentional or unintentional information leakage. Examples:

An employee intentionally sabotages a system. An employee accidentally trips over a network cable. A software bug. Fire, flooding.

SLIDE 62

Risk matrix

Figure: A risk matrix.

SLIDE 63

Risk matrix

Assess the probability and the consequence of each individual threat, and place them in the matrix. The focus should be on the consequences for the organisation.

Gives a visual result that is easily understandable and gives a good overview of how to prioritise security measures.

SLIDE 64

Risk matrix

Consequences

How severe is the consequence for the organisation if the threat happens? Clarify who will be affected: is the organisation affected through a side effect of consequences in society? It makes it easier to give examples for the different consequence levels. For example: loss of reputation, higher cost, . . .

Severe – Considerable – Moderate – Negligible

SLIDE 65

Risk matrix

Probability

What is the probability that the threat occurs? It makes it easier to give examples for the different levels: years, weeks, days?

Very rarely – Rare – Regularly – Often

SLIDE 66

Risk management

Decide whether each identified threat should be rectified or accepted:

Accept, eliminate, transfer, rectify.

What measures should be taken?
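The risk matrix and risk management slides above describe a procedure: rate each threat's probability and consequence on the two four-step scales, place it in the matrix, read off a priority order, and decide on one of the four treatments. The block below is an added example written for the lecture, not MSB's own tool. The level names come from the slides; the numeric positions on the axes, the "probability times consequence" score, the decision thresholds for accept/eliminate/transfer/rectify, and the threat list (built from the threat types named on the "Identify threats" slide) are all assumptions made for illustration, and a real organisation would set its own.

```python
"""Risk matrix and treatment decision (added example, not MSB's own tool).
Level names follow the slides; scores, thresholds and threats are assumed."""
from dataclasses import dataclass
from enum import IntEnum


class Probability(IntEnum):
    VERY_RARELY = 1
    RARE = 2
    REGULARLY = 3
    OFTEN = 4


class Consequence(IntEnum):
    NEGLIGIBLE = 1
    MODERATE = 2
    CONSIDERABLE = 3
    SEVERE = 4


@dataclass(frozen=True)
class Threat:
    description: str
    asset: str
    probability: Probability
    consequence: Consequence   # consequence for the organisation, as on the slides


def risk_score(t: Threat) -> int:
    """Assumed scoring: product of the two axis positions, 1..16."""
    return int(t.probability) * int(t.consequence)


def treatment(t: Threat) -> str:
    """Assumed decision rule over the four options on the slide."""
    if risk_score(t) <= 2:
        return "accept"        # low and unlikely: live with it, but keep it listed
    if t.consequence == Consequence.SEVERE and t.probability >= Probability.REGULARLY:
        return "eliminate"     # remove the activity or asset that creates the risk
    if t.consequence == Consequence.SEVERE and t.probability == Probability.VERY_RARELY:
        return "transfer"      # rare but ruinous: insurance or a contractual partner
    return "rectify"           # reduce probability or consequence with a measure


def prioritize(threats):
    """Highest risk first; ties broken by consequence, then by description."""
    return sorted(threats,
                  key=lambda t: (-risk_score(t), -int(t.consequence), t.description))


def matrix(threats):
    """Place each threat in a 4x4 grid indexed grid[probability][consequence]."""
    grid = {p: {c: [] for c in Consequence} for p in Probability}
    for t in threats:
        grid[t.probability][t.consequence].append(t.description)
    return grid


def render(threats) -> str:
    """Text form of the matrix: rows are probability (Often on top), columns
    are consequence (Negligible ... Severe); each cell holds a threat count."""
    grid = matrix(threats)
    lines = ["{:<12}".format("") + "".join(f"{c.name:>14}" for c in Consequence)]
    for p in reversed(Probability):
        lines.append(f"{p.name:<12}" + "".join(f"{len(grid[p][c]):>14}" for c in Consequence))
    return "\n".join(lines)


# Constructed threat list using the threat types named on the slides.
THREATS = [
    Threat("Employee intentionally sabotages a system", "Research data set",
           Probability.RARE, Consequence.SEVERE),
    Threat("Employee trips over a network cable", "Lab network",
           Probability.REGULARLY, Consequence.MODERATE),
    Threat("Software bug corrupts records", "Student absence reports",
           Probability.REGULARLY, Consequence.CONSIDERABLE),
    Threat("Fire in the server room", "All IT systems",
           Probability.VERY_RARELY, Consequence.SEVERE),
    Threat("Flooding of the archive", "Paper archive",
           Probability.VERY_RARELY, Consequence.MODERATE),
]


if __name__ == "__main__":
    print(render(THREATS))
    for t in prioritize(THREATS):
        print(f"{risk_score(t):>2}  {treatment(t):<9} {t.description}")
```

Note that the rule sends the rare fire to "transfer" while the equally severe but more likely sabotage goes to "rectify": the consequence is the same, so the probability axis is what separates an insurable event from one that needs an internal measure (here: access control and logging, the kind of IT security measure the next slide lists).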

SLIDE 67

Possible measures

Administrative security: governance documents, educational measures.

Physical security: access control, locked cabinets.

IT security: firewalls, encryption.

The course will cover more possible measures.

SLIDE 68

University example

Classified research material with large commercial interest: K3, R2 and T2.

Figure: (a) Threat assessment, (b) Risks. Threat assessment and assessed risk.

SLIDE 69

University example

Figure: Measures to address the threat.

SLIDE 70

Finally—when should the risk analysis be done?

Yearly. With organisational change. When planning a new organisation.

SLIDE 72

Examination

M1 Information Security Management System. M2 Organisational and risk analysis. S3 Organisational and risk analyses.

SLIDE 73

References I

[Lin12] Ida Lindkvist. Tietohaveriet – dag för dag. Feb. 2012. URL: https://computersweden.idg.se/2.2683/1.434018/tietohaveriet---dag-for-dag.
