CTO Information Security guide

Description

A tool that assists CTOs to attain control of their Information Security framework, allows Senior Management to see the details of the operations issues that may impact Governance and compliance

Posted: 7/28/2009. Language: English.
www.riesgoriskmanagement.com info@riesgoriskmanagement.com

GSI / Information Security compliance guide

Contents
Executive summary to CTO
Introduction
Logging on
Using the system
IS Policy
Uploading a procedure
Raising a subject access request
Managing SARs
  Admin checks
  Querying a SAR
  Validity checks
  Allocation of SAR to an officer
  Response to a SAR
Information Asset
Incident management
Managing Security incidents
Risk register
Auditors
Contact details

Executive summary to CTO

As far as GSI accreditation goes, a CTO's responsibility is to ensure that his or her organisation is equipped with the right tool to comply with the requirements of GSI accreditation. With the Riesgo Risk Management tool's GSI accreditation module, a CTO will have a dashboard report on all the modules of the GSI accreditation and will be kept periodically aware of the status of his or her organisation. The tool was designed by consultants who have helped turn around government departments with no GSI compliance experience to an "above adequate" audit assessment by the Audit Commission.

One of the key features of the tool is its inherent ability to interlink specific modules. For example, GSI accreditation requires the maintenance of an Information Asset Register (the tool has an Information Asset Register); each Information Asset is linked to the partners with whom it is shared, and to the Incident and Risk Registers as well as to audit non-compliances. The idea is to ensure that any risk associated with an asset is immediately raised with the Information Security team and with the asset owner for resolution. Very few tools in the market today provide, out of the box, the level of assurance provided by the Riesgo Risk Management GSI Accreditation tool.

The key benefits provided by the tool include:
- Link to all security points of contact across each business unit, including third parties and outsourced partnerships
- Information Asset register
- Incident and risk register
- ISMS forum management
- GSI/ISO27001 policy management
- Information Security audits: internal and external auditors
- CTO and senior management reporting
- Data Protection request logging and tracking dashboard

For more information please email Ben Oguntala, Technical Director, Riesgo Risk Management.

Introduction

Riesgo Risk Management is a tool for the management of GSI accreditation and Information Security Management in accordance with ISO27001. It is also useful in the completion of the annual PISR (Policy Status Implementation Review), which is required annually for the GSI accreditation review. It has the following functions:

1. Org chart: a list of all users and business units in the organisation and the security representatives and points of contact.
2. Partner Register: for the registration of partners that Information Assets are shared with.
3. ISMS Forum: management of the ISMS forum, ISMS forum meeting setup and calendar, list of ISMS forum members, agenda, minutes and reports.
4. IS Policy: IS policy creation, dissemination and mapping of policy to procedures and incidents as well as audits. Each policy has an automatic review date tracking mechanism to ensure it is always up to date.
5. IS Incident Management: incident management register from all the business units.
6. Information Asset Register: a register of Information Assets across the business units, linked to the audit non-compliances and incidents registered against them.
7. Risk Register: Information Security risk register linked to Information Assets and business units.
8. ISA: information sharing agreement requests, linked to the partner with whom the Information Asset is shared.
9. SAR Form: subject access request form.
10. SAR Dashboard: register of SARs from all business units.
11. FOI Form: freedom of information form.
12. FOI Dashboard: register of all freedom of information requests and responses.
13. Audit: internal and external auditor accounts, audit scheduling, audit reports and non-compliances.

Step by step guide

Logging on

1. You will be sent an email from the system informing you that your account has been set up.
2. The account will remain inactive until you activate it.
3. Click on the activation URL; the activation screen appears.
4. Enter a password of your choice and then confirm the password.
5. Click Activate.
6. The system will present the logon screen to re-authenticate.
7. The system will automatically send you an email alert to confirm the change of your credentials.
8. Click on the login URL to log on.
9. Enter your credentials as stated in the email alert sent to you.
10. Click login.
11. The landing page will be displayed after successful login.
   a. If your password is forgotten you can click on "forgot password".
   b. You will be presented with the forgot password screen.
   c. Enter your email and click "submit".
      i. The password associated with the account will be emailed to the email address.

Using the system

Once logged in you will be able to carry out the following activities:

IS policy
- View national or group IS policies, local policies and procedures

IS incident management
- View incidents
- Raise an incident
- Manage incidents

Asset register
- View Information Asset register
- Add Information Asset
- Register partner that the asset is being shared with

ISA form
- Raise an information sharing agreement
- Select asset to be shared
- Select partner for the asset to be shared with

SAR form
- Raise a subject access request

SAR dashboard
- View subject access requests
- Respond to subject access requests
- View archive of SARs

Audit
- View when the internal or external auditor will be auditing
- Confirm an audit
- View audit non-compliance

Reports
- View reports according to modules

IS Policy

The Policy manager has selected two policies as applicable to Eaton, namely Data Protection and Incident Management. He has selected Ben Oguntala and Alonso Esperanza as the respective responsible persons. If you are the responsible person for a policy, you will be able to add the procedure that supports the policy. In the examples below, the Policy manager has assigned:
- Ben Oguntala as responsible for Data Protection
- Alonso Esperanza as responsible for the Incident Management policy

In the picture below, Alonso has logged in and under IS Policy he can see the "upload" link under Procedure.

Uploading a procedure

- Select "upload"; the policy details screen appears.
- Enter the details of the document to be added and click submit.
- The procedure now appears under Incident Management.
- The procedure document can then be viewed.

Raising a subject access request

- Select "subject access request"; the SAR form appears.
- The Eaton procedural guide for SARs will be uploaded into the SAR guide.
- Once the form is completed, a confirmation that the SAR has been successful is shown.
- The entry is automatically loaded onto the SAR dashboard.
- Notification of the SAR is sent to the Data Protection Officer and the SAR team.

Managing SARs

SAR dashboard
- Show archive in work log
- Dashboard showing live SARs
- Work log

Viewing SARs
- Click on the SAR ID and the details of the form completed by the subject will be revealed.
- The management will see the uploaded files as proof of ID.

Admin checks

The SAR and Data Protection Manager, as well as the ISM, can carry out the management of a SAR.
- Click on Admin check; the Admin check window appears.
- During the Admin check the options are:
  - Reject: reject the request and provide details in the message as per the grounds of rejection.
  - Pass: a comment is entered regarding what was checked and passed.
  - Query: the query and comments are sent to the subject; this may be to extract further clarification of the request.

Querying a SAR

You can query a SAR either electronically or manually. If the subject has an email address, the query will be sent to the subject electronically; if the subject does not have an email address, the SAR team can instead update the details of what was queried on the form. A SAR query alert is sent to a subject with an email address.

Validity checks

Validity checks can be carried out by clicking on "click" under Validity check for the SAR ID. The options, as in the Admin check, include:
- Reject
- Pass
- Query

An accompanying message can be added, and if the subject has an email address and there is a query or rejection, they will be notified.

A reject implies that the organisation has reviewed the request and is content to reject it. Once a rejection is issued the subject will be notified of the rejection, and the comments made in the message will be conveyed to the customer. The request will then be moved off the dashboard into the archive.

Allocation of SAR to an officer

Click on "allocate officer" under Officer. Once the officer is selected, the system updates the details and sends the alert.

Response to a SAR

A response can only be active when the Admin and Validity checks have been done. The management team all have the capability to respond to a request, along with the SAR team; the aim is to reduce any bottleneck or absenteeism.

In the previous example, the officer that the request was allocated to was Tim Mcgraw. Tim Mcgraw receives an email notification. The officer receives an alert that a SAR has been allocated to him; he can then log in and click on the SAR dashboard. Tim Mcgraw can respond only to the SARs that were allocated to him. When Tim Mcgraw responds to the SAR, the subject is emailed and the SAR is moved to the archive. The activity log will show what happened to the request from start to finish.

Information Asset register

Each business unit will have the capability to create and maintain its own Information Asset register; the central Security Unit will be able to view and risk assess all Information Assets. To register an Information Asset click on Asset Management and then Add new; the registration form appears.
- Select department (if your desired department is not available, your ISM will be able to create one for you).
- Enter an asset name of your choice.
- Select format.
- Select asset owner (this must be someone within your departmental org chart).
- Confirmation of the asset being registered is shown.

In the examples, Alonso has registered an asset for HQ and Tim has registered an asset for the Testing Department. Each department manages its own asset register; however, the ISM will see the assets for all departments.

Incident management

Each user will have the capability to raise an incident. Each incident will be assigned an ID.

Adding an incident: each incident is related to a policy area and an incident type, and to an asset if one is related. If there are any other documents related to the incident, these can also be added. Complete the information and click submit.

Managing Security incidents

When an incident is registered, the ISM is alerted to this immediately via email. The incident can be edited, or more details added to it, from the register: click on the Incident ID and you will be able to see the details. When an incident is registered there are several steps that need to be taken:
1. assign to an officer
2. escalate to senior management

To allocate an incident to an officer to investigate or resolve, select "Allocate to Officer".

Risk register

Each risk is associated with an Information Asset.

Resolution of the incident: once resolved, the incident is moved from the register into the archive.

Auditors

The ISM can create an account for external auditors. The auditors will be linked into the tool and allowed to capture the evidence required for the audit; as external auditors only have access for the period of the audit, their account will cease to exist outside those dates. The auditor is challenged to change the password.

Non-compliance for each asset is tracked and lodged against the ISM or asset owner for resolution.

Contact details

Ben Oguntala, Technical Director, Riesgo Risk Management
info@riesgoriskmanagement.com
www.riesgoriskmanagement.com
07812039867
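The SAR lifecycle described above (Admin and Validity checks, query by email or manually, rejection to archive, allocation, and a response gated on both checks and restricted to the allocated officer) modelled as a small state machine. This is an added illustration, not code from the Riesgo tool; role names, the field names and the sample SAR IDs are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Roles the guide says may run Admin and Validity checks: SAR manager,
# Data Protection manager and the ISM (role names are our assumption).
MANAGER_ROLES = {"sar_manager", "dp_manager", "ism"}


@dataclass
class SAR:
    sar_id: str
    subject_email: Optional[str]          # None when the subject has no email
    admin_check: Optional[str] = None     # "pass" | "reject" | "query"
    validity_check: Optional[str] = None
    officer: Optional[str] = None         # set by allocation
    status: str = "live"                  # "live" on the dashboard, or "archive"
    log: list = field(default_factory=list)  # the activity log, start to finish


def notify(sar: SAR, message: str) -> str:
    """Electronic notification if the subject has an email, else a manual note on the form."""
    if sar.subject_email:
        return f"email to {sar.subject_email}: {message}"
    return f"manual: recorded on form: {message}"


def run_check(sar: SAR, role: str, stage: str, outcome: str, message: str) -> tuple:
    """Admin or Validity check. Reject archives the SAR; query and reject reach the subject."""
    if role not in MANAGER_ROLES:
        raise PermissionError(f"role {role!r} may not perform the {stage} check")
    if sar.status != "live" or stage not in ("admin", "validity"):
        raise ValueError("check not applicable to this SAR")
    setattr(sar, f"{stage}_check", outcome)
    if outcome == "reject":
        sar.status = "archive"             # moved off the dashboard into the archive
    delivered = notify(sar, message) if outcome in ("reject", "query") else message
    sar.log.append((stage, outcome, delivered))
    return sar.log[-1]


def allocate(sar: SAR, officer: str) -> tuple:
    """Allocate the SAR to an officer; the system records it and alerts the officer."""
    sar.officer = officer
    sar.log.append(("allocate", officer, f"alert to {officer}"))
    return sar.log[-1]


def respond(sar: SAR, actor: str, role: str, text: str) -> tuple:
    """Response is active only after both checks passed; an officer answers only SARs allocated to him."""
    if sar.admin_check != "pass" or sar.validity_check != "pass":
        raise ValueError("response not active until Admin and Validity checks have passed")
    if role not in MANAGER_ROLES and actor != sar.officer:
        raise PermissionError(f"{actor} is not the officer allocated to {sar.sar_id}")
    sar.status = "archive"                 # subject is notified and the SAR is archived
    sar.log.append(("respond", actor, notify(sar, text)))
    return sar.log[-1]
```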
