5/18/2009
GSI /Information Security compliance guide
Contents
Introduction .......... 3
Logging on .......... 4
Using the system .......... 7
IS Policy .......... 8
Uploading a procedure .......... 9
Raising a subject access request .......... 10
Managing SARs .......... 12
  Admin checks .......... 13
  Querying a SAR .......... 15
  Validity checks .......... 16
  Allocation of SAR to an officer .......... 17
  Response to a SAR .......... 18
Information Asset .......... 21
Incident management .......... 24
Managing Security incidents .......... 26
Risk register .......... 28
Auditors .......... 30
  Contact details .......... 33
www.riesgoriskmanagement.com
info@riesgoriskmanagement.com
Introduction
Riesgo Risk Management is a tool for the management of GSI accreditation and Information Security Management in accordance with ISO27001. It has the following functions:
1. Org chart – a list of all users and business units in the organisation and the security representatives and points of contact.
2. Partner Register – for the registration of partners that information assets are shared with.
3. ISMS Forum – management of the ISMS forum, ISMS forum meeting setup and calendar, list of ISMS forum members, agenda, minutes and reports.
4. IS Policy – IS Policy creation, dissemination and mapping of policy to procedures and incidents as well as audits.
5. IS Incident Management – incident management register from all the business units.
6. Information Asset Register – a register of information assets across the business units, linked to the audit non-compliances and incidents registered against them.
7. Risk Register – information risk register.
8. ISA – information sharing agreement requests, linked to the partner with whom the information asset is shared.
9. SAR Form – subject access request form.
10. SAR Dashboard – register of SARs from all business units.
11. FOI Form – freedom of information form.
12. FOI Dashboard – register of all freedom of information requests and responses.
13. Audit – internal and external auditor accounts, audit scheduling, audit reports and non-compliances.
Logging on
1. You will be sent an email from the system informing you that your account has been set up.
2. The account will remain inactive until you activate it.
3. Click on the activation URL; the activation screen appears.
4. Enter a password of your choice and then confirm the password.
5. Click Activate.
6. The system will present the login screen to re-authenticate.
7. The system will automatically send you an email alert to confirm the change of your credentials.
8. Click on the login URL to log on.
9. Enter your credentials as stated in the email alert sent to you.
10. Click login.
11. The landing page will be displayed after successful login.
   a. If your password is forgotten you can click on “forgot password”.
   b. You will be presented with the forgot password screen.
   c. Enter your email and click “submit”.
      i. The password associated with the account will be emailed to the email address.
Using the system
Once logged in you will be able to carry out the following activities:
- IS policy
  o View national or Group IS policies, local policies and procedures
- IS incident management
  o View incidents
  o Raise an incident
  o Manage incidents
- Asset register
  o View information asset register
  o Add information asset
  o Register partner that asset is being shared with
- ISA form
  o Raise an information sharing agreement
  o Select asset to be shared
  o Select partner for the asset to be shared with
- SAR form
  o Raise a subject access request
- SAR dashboard
  o View subject access requests
  o Respond to subject access requests
  o View archive of SARs
- Audit
  o View when the internal or external auditor will be auditing
  o Confirm an audit
  o View audit non-compliances
- Reports
  o View reports according to modules
IS Policy
The Policy manager has selected two policies as applicable to Eaton, namely Data Protection and Incident Management, and has assigned Ben Oguntala and Alonso Esperanza as the respective responsible persons. If you are the responsible person for a policy, you will be able to add the procedures that support it. In the examples below, the Policy manager has assigned:
o Ben Oguntala as responsible for the Data Protection policy
o Alonso Esperanza as responsible for the Incident Management policy
In the picture below, Alonso has logged in and under IS Policy he can see the link under procedure to “upload”.
Uploading a procedure
1. Select “upload”; the Policy details form appears.
2. Enter the details of the document to be added and click submit.
3. The procedure now appears under the Incident Management policy.
4. The procedure document can then be viewed from there.
Raising a subject access request
Select “subject access request”; the SAR form appears. The Eaton procedural guide for SARs will be uploaded into the SAR guide.
Once the form is completed, a confirmation is shown that the SAR has been submitted successfully.
The entry is automatically loaded onto the SAR dashboard.
Notification of the SAR is sent to the Data Protection Officer and the SAR team.
Managing SARs
SAR dashboard: shows the live SARs. Work log: select “Show archive in work log” to see archived SARs.
Viewing SARs: click on the SAR ID and the details of the form completed by the subject will be revealed.
Management will also see the files uploaded as proof of ID.
Admin checks
The SAR and Data Protection Manager, as well as the ISM, can carry out the management of a SAR. Click on “Admin check”; the Admin check window appears. During the Admin check the options are:
o Reject – reject the request and provide details in the message as per the grounds of rejection.
o Pass – a comment is entered regarding what was checked and passed.
o Query – the query and comments are sent to the subject; this may be to extract further clarification of the request.
Querying a SAR
You can query a SAR either electronically or manually. If the subject has an email address, the query will be sent to the subject electronically; if the subject does not have an email address, the SAR team can instead update the details of what was queried on the form.
A SAR query alert is emailed to a subject who has an email address.
Validity checks
Validity checks can be carried out by clicking on the “click” link under validity check for the SAR ID. As in the Admin check, the options are:
o Reject
o Pass
o Query
An accompanying message can be added, and if the subject has an email address and there is a query or rejection, they will be notified.
A rejection implies that the organisation has reviewed the request and is content to reject it. Once a rejection is issued the subject will be notified of the rejection, and the comments made in the message will be conveyed to the customer. The request will then be moved off the dashboard into the archive.
Allocation of SAR to an officer
Click on “allocate officer” under Officer.
Once the officer is selected, the system updates the details and sends the alert.
Response to a SAR
A response can only be active when the Admin and validity checks have been done. The management team all have the capability to respond to a request, along with the SAR team; the aim is to reduce any bottleneck or absenteeism.
In the previous example, the officer to whom the request was allocated was Tim Mcgraw. Tim Mcgraw receives an email notification.
The officer receives an alert that a SAR has been allocated to him; he can then log in and click on the SAR dashboard. Tim Mcgraw can respond only to the SARs that were allocated to him.
Tim Mcgraw can respond to the SAR; the subject is emailed and the SAR is moved to the archive. The activity log will show what happened to the request from start to finish.
Information Asset
To register an information asset, click on Asset Management and then Add new; the asset form appears.
o Select department (if your desired department is not available, your ISM will be able to create one for you).
o Enter an asset name of your choice.
o Select format.
o Select asset owner (this must be someone within your departmental org chart).
A confirmation that the asset has been registered is displayed.
In the example above, Alonso has registered an asset for HQ.
In the example above, Tim has registered an asset for the Testing Department.
Each department manages its own asset register; however, the ISM will see the assets for all departments.
Incident management
Each user will have the capability to raise an incident. Each incident will be assigned an ID.
Adding an incident: each incident is related to a policy area and an incident type, and to an asset if one is related. If there are any other documents related to the incident, these can also be added. Complete the information and click submit.
Enter the details and click submit.
Managing Security incidents
When an incident is registered, the ISM is alerted to this immediately via email.
The incident can be edited, or more details added to it, from the register.
Click on the Incident ID and you will be able to see the details. When an incident is registered there are several steps that need to be taken:
1. Assign to an officer
2. Escalate to senior management
3.
Allocating an incident to an officer to investigate or resolve: select “Allocate to Officer”.
Resolution of the incident: once resolved, the incident is moved from the register into the archive.
Risk register
Each risk is associated with an Information Asset.
Auditors
The ISM can create an account for external auditors. The auditors will be linked into the tool and allowed to capture the evidence required for the audit. As external auditors only have access for the period of the audit, their account will cease to exist outside those dates.
The auditor is challenged to change their password.
Non-compliance for each asset is tracked and lodged against the ISM or asset owner for resolution.
Contact details
Ben Oguntala
Technical Director
Riesgo Risk Management
info@riesgoriskmanagement.com
www.riesgoriskmanagement.com
07812039867