Uploaded by: ben oguntala LLB Hons, Director, Corporate Governance, Riesgo Risk Management. Corporate Governance and Intellectual Property are the two areas of specialisation: Corporate Governance (DPA, SOX, PCI) and Information Security (ISO 27001).
outsourcing to India: how to control your data center doc
An ex-auditor for outsourcing has developed his own solution for risk management.

Outsourcing to India: How to manage your outsourced services (2008)

Staying in control of an outsourced project to India:
• Detect zero-day anomalies to the SLA
• Manage ISO 27001 risk management and assessment

Contents
Introduction ... 3
Your biggest security concern is data assurance ... 3
The problem in India and other in-sourcing countries ... 3
The architecture ... 5
Agree the ISO 27001 controls ... 6
Riesgo risk management's manifestation of your controls ... 16
Risk management ... 17
Risk assessment ... 17
The Audit report ... 18
Controls versus procedures ... 19
Example: Access control module ... 20
Communication between the Internal Audit and the business ... 21
Audit trail ... 22
Reference: www.aqa.org.uk ... 23
Getting started ... 24
Contact us ... 24

Introduction

When outsourcing to India, apart from the legal agreements and service level agreements, it is becoming more and more apparent that due diligence dictates a more hands-on approach to managing the outsourced projects. One option is to locate your business or a branch in India, but to an extent this defeats the point of outsourcing if the monitoring cost goes up. Riesgo Risk Management is a solution that sits in the outsourcing partner's network and reports to you in real time on compliance or non-compliance with the ISO 27001 controls. We also have a presence in India that can assist in carrying out due diligence investigations on any potential partner.

Your biggest security concern is data assurance

Your biggest security concern when outsourcing is data assurance. You remain the data owner, so from a data protection point of view you will be culpable should any breaches occur, and from a PCI DSS point of view you will equally be held responsible for the breaches.

Insurance stipulations for outsourcing contracts now require an audit function in the outsourced project. A reasonable level of security and audit control implies that you initially agree and are aware of the controls across the third party's infrastructure for the outsourced data, and are subsequently made aware of deviations from the service level agreements. This new approach makes sense: take the instance of a PCI DSS breach that results from a confidential project being inadequately controlled for access. The penalty for each transaction equates to roughly $2,500; why wait until there are 10,000 transactions, which can equate to liquidation-capable risks plus damage to brand as a result of DPA breaches?

The problem in India and other in-sourcing countries

More and more dishonest organisations are cropping up in India, tarnishing the good reputation created by India's pioneering outsourcing intellects. Simply having ISO 27001 certification, even an audited one, no longer equates to having a reasonable level of security. ISO 27001 compliance can be as useful as the paper it is written on: a typical example is simply having the document in place. If audited, the company of course passes, as all the auditor will be looking for is the paper and nothing more. They can choose to implement only that level of control and will be within their rights to do so.

The architecture

The architecture is specifically designed to allow seamless connection between the principal authorities and the appropriate business units expected to participate. By constructing controls with the appropriate entities and aligning the measures into their day-to-day activities, Riesgo is able to provide the adequate level of involvement for conformance.
Agree the ISO 27001 controls

The first step is to agree the ISO 27001 controls. There are several ISO 27001 controls; the key advantage of Riesgo Risk Management is that the controls

The worksheet below lists, per ISO 27001 module, the controls suggested by the standard. Each control has two columns: "In scope controls" (is this control in or out of scope: YES or NO, to be agreed with you) and "Riesgo monitoring" (can Riesgo Risk Management monitor it). In the worksheet every control listed below is marked "YES or NO" for scope and "YES" for Riesgo monitoring.

SECURITY POLICY

Information security policy document
• Is there an Information Security Policy which states management commitment and sets out the organization's approach to managing information security?
• Does the policy define security, its overall objectives and scope and the importance of security as an enabling mechanism?
• Does the policy contain a statement of management intent supporting the goals and principles of information security in line with business strategy objectives?
• Does the policy establish a framework for setting control objectives and controls, including the structure of risk assessment and risk management?
• Does the policy contain a brief explanation of the security policies, principles, standards, and compliance requirements of particular importance to the organization regarding compliance with legislative, regulatory, and contractual requirements?
• Does the policy contain a brief explanation of the security policies, principles, standards, and compliance requirements of particular importance to the organization regarding security education, training, and awareness requirements?
• Does the policy contain a brief explanation of the security policies, principles, standards, and compliance requirements of particular importance to the organization regarding business continuity management?
• Does the policy contain a brief explanation of the security policies, principles, standards, and compliance requirements of particular importance to the organization regarding the consequences of information security policy violations?
• Does the policy define general and specific responsibilities for information security management, including reporting information security incidents?
• Is the Information Security policy communicated to all staff on a regular basis?

Review of the information security policy
• Does the information security policy have an owner who has approved management responsibility for the development, review, and evaluation of the security policy?
• Does the review include assessing opportunities for improvement of the organization's information security policy and approach to managing information security in response to changes to the organizational environment, business circumstances, legal conditions, or technical environment?
• Does the review of the information security policy take account of the results of management reviews?
• Does the input to the management review include information on feedback from interested parties?
• Does the input to the management review include information on results of independent reviews?
• Does the input to the management review include information on the status of preventive and corrective actions?
• Does the input to the management review include information on results of previous management reviews?
• Does the input to the management review include information on process performance and information security policy compliance?
• Does the input to the management review include information on changes that could affect the organization's approach to managing information security, including changes to the organizational environment, business circumstances, resource availability, contractual, regulatory, and legal conditions, or to the technical environment?
• Does the input to the management review include information on trends related to threats and vulnerabilities?
• Does the input to the management review include information on reported information security incidents?
• Does the input to the management review include information on recommendations provided by relevant authorities?
• Does the output from the management review include any decisions and actions related to improvement of the organization's approach to managing information security and its processes?
• Does the output from the management review include any decisions and actions related to improvement of control objectives and controls?
• Does the output from the management review include any decisions and actions related to improvement in the allocation of resources and/or responsibilities?
• Is a record of the management review maintained?
• Does Management approve the revised policy?

ORGANIZATION OF INFORMATION SECURITY

• Does Management ensure that information security goals are identified, meet the organizational requirements, and are integrated in relevant processes?
• Does Management formulate, review, and approve information security policy?
• Does Management review the effectiveness of the implementation of the information security policy?
• Does Management provide clear direction and visible management support for security initiatives?
• Does Management provide the resources needed for information security?
• Does Management approve assignment of specific roles and responsibilities for information security across the organization?
• Does Management initiate plans and programs to maintain information security awareness?
• Does Management ensure that the implementation of information security controls is co-ordinated across the organization?
• Does Management identify the needs for internal or external specialist information security advice, and review and coordinate results of the advice throughout the organization?
• Depending on the size of the organization, are such responsibilities handled by a dedicated management forum or an existing management body, such as the board of directors?

Information security coordination
• Does information security coordination involve the cooperation and collaboration of managers, users, administrators, application designers, auditors and security personnel, and specialist skills in areas such as insurance, legal issues, human resources, IT or risk management?
• Does information security coordination ensure that security activities are executed in compliance with the information security policy?
• Does information security coordination identify how to handle non-compliances?
• Does information security coordination approve methodologies and processes for information security, e.g. risk assessment, information classification?
• Does information security coordination identify significant threat changes and exposure of information and information processing facilities to threats?
• Does information security coordination assess the adequacy and co-ordinate the implementation of information security controls?
• Does information security coordination effectively promote information security education, training and awareness throughout the organization?
• Does information security coordination evaluate information received from the monitoring and reviewing of information security incidents?
• Does information security coordination recommend appropriate actions in response to identified information security incidents?
• If the organization does not use a separate cross-functional group, e.g. because such a group is not appropriate for the organization's size, are the actions described above undertaken by another suitable management body or individual manager?

Allocation of information security responsibilities
• Are information security responsibilities allocated in accordance with the information security policy?
• Are responsibilities for the protection of individual assets and for carrying out specific security processes clearly identified?
• Is this responsibility supplemented, where necessary, with more detailed guidance for specific sites and information processing facilities?
• Are local responsibilities for the protection of assets and for carrying out specific security processes, such as business continuity planning, clearly defined?
• If individuals with allocated security responsibilities delegate security tasks to others, do they remain responsible for ensuring any delegated tasks have been correctly performed?
• Are areas for which individuals are responsible clearly stated?

Authorization process for information processing facilities
• Do new facilities have appropriate user management authorization, authorizing their purpose and use?
• Is authorization obtained from the manager responsible for maintaining the local information system security environment to ensure that all relevant security policies and requirements are met?
• Are hardware and software products checked to ensure that they are compatible with other system components?
• Is authorisation obtained for the use of personal or privately owned information processing facilities, and are controls identified and implemented to avoid any associated risks?

Confidentiality agreements
• Do confidentiality agreements address the requirement to protect confidential information using legally enforceable terms?
• Do confidentiality agreements contain a definition of the information to be protected (e.g. confidential information)?
• Do confidentiality agreements specify the expected duration of an agreement, including cases where confidentiality might need to be maintained indefinitely?
• Do confidentiality agreements define required actions when an agreement is terminated?
• Do confidentiality agreements contain responsibilities and actions of signatories to avoid unauthorized information disclosure (such as 'need to know')?
• Do confidentiality agreements include ownership of information, trade secrets and intellectual property, and how this relates to the protection of confidential information?
• Do confidentiality agreements specify the permitted use of confidential information, and rights of the signatory to use information?
• Do confidentiality agreements include the right to audit and monitor activities that involve confidential information?
• Do confidentiality agreements include a process for notification and reporting of unauthorized disclosure or confidential information breaches?
• Do confidentiality agreements contain the terms for information to be returned or destroyed at agreement cessation?
• Do confidentiality agreements specify the expected actions to be taken in case of a breach of the agreement?
• Do confidentiality agreements comply with all applicable laws and regulations for the jurisdiction to which they apply?
• Are the requirements for confidentiality agreements reviewed periodically and when changes occur that influence these requirements?

Contact with authorities
• Are there procedures in place that specify when and by whom authorities (e.g. law enforcement, fire department, supervisory authorities) should be contacted, and how identified information security incidents should be reported in a timely manner if it is suspected that laws may have been broken?
• If under attack from the Internet, is help available from external third parties (e.g. an Internet service provider or telecommunications operator) to take action against the attack source?

Contact with special interest groups
• Is membership in special interest groups or forums considered as a means to improve knowledge about best practices and stay up to date with relevant security information?
• Is membership in special interest groups or forums considered as a means to ensure the understanding of the information security environment is current and complete?
• Is membership in special interest groups or forums considered as a means to receive early warnings of alerts, advisories, and patches pertaining to attacks and vulnerabilities?
• Is membership in special interest groups or forums considered as a means to gain access to specialist information security advice?
• Is membership in special interest groups or forums considered as a means to share and exchange information about new technologies, products, threats, or vulnerabilities?
• Is membership in special interest groups or forums considered as a means to provide suitable liaison points when dealing with information security incidents?

Independent review of information security
• Is an independent review of information security initiated by management to ensure the continuing suitability, adequacy, and effectiveness of the organization's approach to managing information security?
• Does the review include assessing opportunities for improvement and the need for changes to the approach to security, including the policy and control objectives?
• Is the review carried out by individuals independent of the area under review, e.g. the internal audit function, an independent manager or a third party organization specializing in such reviews?
• Do the individuals carrying out these reviews have the appropriate skills and experience?
• Are the results of the independent review recorded and reported to the management who initiated the review?
• Are records of the review maintained?
• If the independent review identifies that the organization's approach to and implementation of managing information security is inadequate or not compliant with the direction for information security stated in the information security policy document, does Management consider corrective actions?

Riesgo risk management's manifestation of your controls

Once you set and agree the controls for each of the ISO 27001 modules, Riesgo Risk Management manifests them into its functions and sets them as baselines. Each control is monitored and reported for violation of the service level agreement. As the controls are linked to the dashboard, deviation from the SLA triggers warning alerts sent to you directly via email.

Risk management

As each of your assets is impacted by projects in India, you will have the risk management framework induced: you, as a stakeholder, will be able to approve changes and stay in control of the level of security provided for the platforms. You will be able to see the risk index and residual risks associated with each asset as well as their location. This structure provides you with the same level of control you would have had if the data were processed onshore.

Risk assessment

The risk assessment section of the risk management allows direct interaction between the IS department and asset owners regardless of their geographical location.
The Audit report

The audit report can be included in the internal communication to the business units concerned in order to address the non-compliance.

Controls versus procedures

Riesgo Risk Management is designed to provide a mapping between the ISO controls and the activities of your outsourcing partner, and the information can be fed back into the compliance department. Auditors can use this data to see the transactions carried out. The internal auditor will have the capability to review whether the business unit's activities adequately meet the objective and, if not, Riesgo Risk Management provides messaging capability for internal audit to inform the business unit that the process or procedure does not meet the control objectives.

[Dashboard screenshot: the Information security policy module, expanded into its Information security policy document and Review of the information security policy sections. For each key question (control) the dashboard shows a Rating between 1 and 5, a status of OK and an evidential link, here "ISMS policy v2", followed by a "View detailed data" link. The key questions shown are the ten Information security policy document questions from the control worksheet.]

Example: Access control module

The example below shows that the ICT department, who are responsible for access control, have complied with most of the controls except Teleworking and Application and Information Access Control. This result will be appended to the communication to the department with suggested controls commensurate with the requirement.

[Dashboard screenshot: the Access control module, expanded to Business Requirement for access control > Access Control Policy, with the control statement "An access control policy shall be established, documented, and reviewed based on business and security requirements for access." Each key question shows a rating between 2 and 5, a status of ok and the evidential link "Access policy".]

Key questions shown for the Access Control Policy:
• Is there an Access Control Policy for the organization?
• Is the policy supported by procedures to define the security requirements of individual business applications?
• Is the policy supported by procedures to identify all information related to the business applications and the risks faced?
• Is the policy supported by procedures to define the process for dissemination of information based on classification levels?
• Is the policy supported by procedures to identify the information classification policies of different systems and networks?
• Is the policy supported by procedures to define relevant legislation regarding protecting access to data or services?
• Is the policy supported by procedures to define standard user access profiles based on roles within the organization?
• Is the policy supported by procedures to identify or make reference to all recognized connection types?
• Is the policy supported by procedures to define segregation of duties requirements?
• Does the policy define the requirements for a formal access authorization process?
• Does the policy define the requirements for a regular review of access levels?
• Is the policy supported by procedures for access removal?

Access control sub-controls in the module tree (each carries a status mark on the dashboard):
• Business Requirement for access control
• Access Control Policy
• User Access Management
• User Registration
• Privilege Management
• User Password Management
• User Responsibilities
• Password Use
• Unattended User Equipment
• Clear Desk and Clear Screen Policy
• Network Access Control
• Policy on use of Network Services
• User Authentication for External Connections
• Equipment Identification in Networks
• Remote Diagnostic and Configuration Port Protection
• Segregation in Networks
• Network Connection Control
• Network Routing Control
• Operating System Access Control
• Secure Log-On Procedures
• User Identification and Authentication
• Password Management System
• Use of System Utilities
• Session Timeout
• Limitation of Connection Time
• Application and Information Access Control
• Information Access Restriction
• Sensitive System Isolation
• Mobile Computing and Teleworking
• Mobile Computing and Communications
• Teleworking

Communication between the Internal Audit and the business

Internal audit has the tool to communicate with the ISMS forum as well as with the divisions in the organisation, and has access to the ISMS forum, asset lists, asset registers and risk registers.

Audit trail

An audit trail is provided as evidence of when activities are carried out and can be used as part of the audit report to highlight processes that need to be improved. The inclusion of the dashboard indicator in the audit report provides useful information for the executive report and a snapshot of where the key issues exist.
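As an added example (not Riesgo code; the brochure shows its dashboard, not its internals), the following Python models the control register described above: agreed controls frozen as SLA baselines, deviation alerts, the per-module dashboard indicator, and the message internal audit sends to the business unit. The control names, ratings and evidential links are a constructed sample shaped like the Access control example.

```python
"""Control register, SLA baseline check and audit report modelled on the
dashboard described in this brochure. Added example; not Riesgo code."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ControlRecord:
    module: str         # ISO 27001 module, e.g. "Access control"
    control: str        # sub-control or key question
    in_scope: bool      # the agreed "In scope: YES or NO" column
    rating: int         # 1 (weak) to 5 (strong), as on the dashboard
    status: str         # "OK" or "X"
    evidence: str = ""  # evidential link, e.g. "Access policy"


def set_baselines(records):
    """Freeze the agreed rating of every in-scope control as its SLA baseline."""
    return {(r.module, r.control): r.rating for r in records if r.in_scope}


def sla_deviations(baseline, records):
    """One alert line per in-scope control that dropped below its baseline
    rating, is not OK, or has no evidential link. Out-of-scope controls and
    controls that were never baselined are ignored."""
    alerts = []
    for r in records:
        key = (r.module, r.control)
        if key not in baseline:
            continue
        reasons = []
        if r.rating < baseline[key]:
            reasons.append(f"rating {r.rating} below baseline {baseline[key]}")
        if r.status != "OK":
            reasons.append("status is not OK")
        if not r.evidence:
            reasons.append("no evidential link")
        if reasons:
            alerts.append(f"{r.module}: {r.control}: " + "; ".join(reasons))
    return alerts


def audit_report(records):
    """Per-module split of in-scope controls into compliant (OK with evidence)
    and non-compliant, plus the dashboard indicator: the whole-number
    percentage of in-scope controls that are compliant."""
    report = {}
    for r in records:
        if not r.in_scope:
            continue
        m = report.setdefault(r.module, {"compliant": [], "non_compliant": [], "indicator": 0})
        bucket = "compliant" if r.status == "OK" and r.evidence else "non_compliant"
        m[bucket].append(r.control)
    for m in report.values():
        total = len(m["compliant"]) + len(m["non_compliant"])
        m["indicator"] = round(100 * len(m["compliant"]) / total)
    return report


def department_message(department, module, report):
    """Text internal audit would send to the business unit owning the module."""
    bad = report.get(module, {}).get("non_compliant", [])
    if not bad:
        return f"{department}: all in-scope {module} controls meet their control objectives."
    return (f"{department}: the following {module} controls do not meet the control "
            f"objectives: {', '.join(bad)}. Please supply the procedure and an "
            f"evidential link for each.")


# Constructed sample (not real assessment data), shaped like the brochure's
# Access control example: two sub-controls non-compliant, one out of scope.
AC = "Access control"
BASELINE_SNAPSHOT = [
    ControlRecord(AC, "Access Control Policy", True, 3, "OK", "Access policy"),
    ControlRecord(AC, "User Registration", True, 4, "OK", "Access policy"),
    ControlRecord(AC, "User Password Management", True, 4, "OK", "Access policy"),
    ControlRecord(AC, "Application and Information Access Control", True, 2, "X"),
    ControlRecord(AC, "Teleworking", True, 1, "X"),
    ControlRecord(AC, "Mobile Computing and Communications", False, 3, "OK"),
]
# A later snapshot: one control regressed below its baseline, one was remediated.
LATER_SNAPSHOT = [
    replace(r, rating=2) if r.control == "User Password Management" else
    replace(r, rating=3, status="OK", evidence="Access policy")
    if r.control == "Application and Information Access Control" else r
    for r in BASELINE_SNAPSHOT
]

if __name__ == "__main__":
    report = audit_report(BASELINE_SNAPSHOT)
    print(f"{AC} indicator: {report[AC]['indicator']}%")
    print(department_message("ICT department", AC, report))
    for line in sla_deviations(set_baselines(BASELINE_SNAPSHOT), LATER_SNAPSHOT):
        print("ALERT:", line)
```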
Reference: www.aqa.org.uk

Riesgo Risk Management is currently being used by www.aqa.org.uk, and it has provided the internal audit and information security department with a wealth of information to use in the risk management lifecycle process.

Getting started

To get started we invite you to participate in our pilot, which will allow you to see how the process works for the first two modules. The licence fee is £150 and the pilot lasts 2 months. The pilot will allow you to perform the following activities:
• Create an organisation
• Create an IS manager
• Create an ISMS forum
• Send invitations and log-on credentials to your ISMS forum members
• Create a departmental point of contact
• Create an IS policy in review (draft policy)
• Send the draft policy for review
• Your ISMS forum members will be able to log on and review, give feedback and approve
• The IS manager will be able to promote the IS policy in review to live
• The document will have a review frequency set and the date for the next review set automatically
• Notification emails will be sent to all your ISMS members and the departmental point of contact
• The ISMS manager will be able to disseminate the policy to the organisation
• The auditor will be able to log on and see all the transcripts that support the controls
• The auditor will be able to provide feedback to the ISMS forum directly

In following these steps with our approved templates, your organisation will have demonstrated compliance with the information security policy document and information security organisation controls. You will also be able to print out a number of reports that can be used to demonstrate the activities carried out, or export them to other tools as part of compliance.

Contact us

Sandra Milena Villa Ocampo
Riesgo Risk Management | No. 14, 100 Westminster Bridge Road, London SE1 7XA, England, United Kingdom
Email: info@riesgoriskmanagement.com
Telephone: 07812 039 867
Website: www.riesgoriskmanagement.com
Uploaded 6/20/2008, English.