
• ISO 27001 & ISMS

Vijay Singh :: Balaji Institute of Telecom & Management, Pune (2008-10)


Information Security
Information Security Definition:
• “preservation of confidentiality,
integrity and availability of
information; in addition, other properties,
such as authenticity, accountability, non-
repudiation, and reliability can also be
involved”
– Source: ISO/IEC 27001:2005
Introduction -
ISO 27001 & ISMS
• ISO 27001 has been prepared to provide
a model for:
• Establishing
• Implementing
• Operating
• Monitoring
• Reviewing
• Maintaining
• and improving
an Information Security Management System
(ISMS)
Source: ISO/IEC 27001:2005
What is an ISMS?
• Information Security Management
System
– Strategic decision of an organization
• Design and implementation
– Needs and objectives
– Security requirements
– Processes employed
– Size and structure of the organization
• Scaled with ‘needs’ – simple situation
requires a simple ISMS solution

Source: ISO/IEC 27001:2005


International Organization
for Standardization (ISO)
Credible
 Established in 1947
 Published over 16,077 international standards
 ISO meetings attract some 30,000 experts a year
Decentralized
 Federation comprised of 156 national standards
bodies
 National member bodies manage development
work
Consensus-based
 ISO standards are consensus based
Source: ISO/IEC 27001:2005
History of ISO 27001
• Originally the standard was developed as
BS 7799 in 1995 and just included the
controls.
• A second part, formalising the process for
creating an ISMS was added and known as
BS 7799 (Part 2)
• The first part was then adopted as an ISO
standard becoming ISO 17799. Part 2 was
then adopted as ISO Standard 27001 in
2005.

Source: ISO/IEC 27001:2005


Decision to Adopt an ISMS: a
Strategic Decision
• Adoption of an ISMS should be a strategic
decision
• Design and implementation is influenced by
the organization’s needs and objectives,
security requirements, the processes
employed and the size and structure of the
organization
• Scale the system in accordance with your
needs, which may well change (simple
situation = simple ISMS solution; complex
situation = complex ISMS solution)

Source: ISO/IEC 27001:2005


Process Approach
• ISO 27001 has adopted a Process Approach,
which means an organization needs to identify
and manage many activities in order to
function effectively.
• Any activity using resources and managed in
order to enable the transformation of Inputs
into Outputs can be considered to be a
Process.
• Inputs >> Process >> Outputs
• Often, outputs from one process provide inputs
into the next.

Source: ISO/IEC 27001:2005


Process approach for ISMS encourages users to
emphasize the importance of:
a) Understanding an organization’s information
security requirements and the need to establish
POLICY and OBJECTIVES for information security
b) Implementing and operating CONTROLS to
manage an organization’s information security
risks in the context of the organization’s overall
business risks
c) Monitoring and reviewing the performance and
effectiveness of the ISMS, and
d) CONTINUAL IMPROVEMENT based on objective
measurement
Source: ISO/IEC 27001:2005
PDCA
• Plan, Do, Check, Act is to be applied to structure all
ISMS processes
• The ISMS takes the information security requirements and
expectations of the interested parties and, through the
necessary actions and processes, produces information
security outcomes that meet those requirements and
expectations.
Model of an ISMS
Growing Acceptance

Source: http://www.xisec.com/
Additional Benefits of
Implementing an
ISO 27001 System
• Provides the means for information
security corporate governance and
legal compliance
• Provides a market differentiator
• Focuses staff responsibilities and
creates security awareness
• Enforces policies and procedures
Source: ISO/IEC 27001:2005
SAS 70
Introduction-SAS 70
• SAS 70 is an acronym for Statement on Auditing
Standard 70.
• SAS 70 was developed by the American Institute
of Certified Public Accountants (AICPA) in 1988.
• It defines the standards an auditor must employ
in order to assess the contracted internal controls
of a service organization.
Continued ….
• SAS 70 reports are commissioned at
the request of either a service
organization (the company) or the
user organization (customers).
• At the end of the audit, the service
auditor issues an important report
called the "Service Auditor's Report".
Types of SAS 70 Reports
Type 1
 Reports on controls placed in operation (as of a point in time)
 Looks at the design of controls, not operating effectiveness
 Considered for information purposes only
 Not considered a significant use for purposes of reliance by user auditors/organizations
 Most often performed only in the first year a client has a SAS 70
Type 2
 Reports on controls placed in operation and tests of operating effectiveness (for a period of time, generally not less than 6 months)
 Differentiating factor: includes Tests of Operating Effectiveness
 More comprehensive
 Requires more internal and external effort
 Identifies instances of non-compliance
 More emphasis on evidential matter
Advantages of SAS 70
Users of the SAS70
Areas of Focus
• Operations
– Account Set-up and administration
– Security Set-up
– Trade and FX Operations Processing
– Pricing
– Dividend Processing
– Corporate Actions
– Confirmation/Affirmation/Settlement
– Custody Reconciliation
– Client Report
– Investment Income
– Portfolio Compliance
– Personal Trading
• Technology
– Information Systems
– Security (Physical & Logical)
– Application Systems Implementation & Maintenance
– Computer Operations
SOX: Sarbanes-Oxley Act
• The Sarbanes-Oxley Act of 2002 is legislation enacted
in response to the high-profile Enron and WorldCom
financial scandals to protect shareholders and the
general public from accounting errors and fraudulent
practices in the enterprise
• The act is administered by the Securities and
Exchange Commission (SEC), which sets deadlines for
compliance and publishes rules on requirements.
• Sarbanes-Oxley is not a set of business practices and
does not specify how a business should store records;
rather, it defines which records are to be stored and
for how long.
RISK THREAT &
VULNERABILITY
Risk, Threats and Vulnerability
Risk = Threat × Vulnerability
• Being “at risk" is being exposed to threats.
• Risks are subjective -- the potential to incur
consequences of harm or loss of target assets. A Risk
Factor is the likelihood of resources being attacked.
• Threats are dangerous actions that can cause harm.
The degree of threat depends on the attacker's Skills,
Knowledge, Resources, Authority, and Motives.
• Vulnerabilities are weaknesses in victims that allow a
threat to become effective.
Continued……..
• Risk is a function of the likelihood of a
given threat-source’s exercising a
particular potential vulnerability, and the
resulting impact of that adverse event on
the organization.
Are Enterprise Internet Connections
Deploying VPNs Not Vulnerable to
Threats??
• To secure the connection to the Internet and protect
internal networks, enterprises deploy a variety of
security devices, including firewalls, Virtual Private
Networks (VPNs), Intrusion Detection/Prevention (IDP),
anti-virus, and content monitoring.
• However, none of these Internet-related security
technologies protect the internal IP network from
attacks against the traditional voice network
connections created by unauthorized or non-secure
modems and poorly configured voice systems.
Unauthorized and Unsecured Modems:
An Easy Cake for Attackers!!
• When an attacker accesses an
unauthorized or non-secure
modem, the IP network-based
security products cannot see
or detect the intrusion
• Typically, no record of the
attacker’s access is logged—except
perhaps a long call
recorded on the PBX—and even this
record exists only if the
accessed modem line routes
through the PBX. Logs on the
attacked system may record the
access—but they are
easily deleted by the attacker
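The slide above makes a detection point worth taking seriously: the host logs can be wiped, so the only surviving trace of a dial-in through a rogue modem may be an unusually long call recorded on the PBX, and only where the modem line actually routes through the PBX. The following added example (not from the original slides) shows the kind of check a defender can run over PBX call-detail records (CDRs) to surface that trace: inbound calls to extensions known to terminate on a modem that are unusually long or fall outside business hours. The CDR layout, the field names, the sample records and the modem-extension inventory are all constructed assumptions for illustration.

```python
"""Flag long or off-hours inbound calls to modem-capable extensions in PBX CDRs.

Added example; not from the original slides. The CDR column layout, the
threshold values and the modem-extension inventory are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample CDR export, one call per line:
# timestamp,direction,caller,extension,duration_seconds
SAMPLE_CDRS = """\
2004-03-02T09:15:00,in,+14155550101,2201,180
2004-03-02T11:42:00,in,+14155550199,2477,5400
2004-03-02T23:05:00,in,+12125550144,2477,7200
2004-03-03T10:00:00,out,2201,+14155550177,600
2004-03-03T02:30:00,in,+13105550133,2310,6100
"""

# Constructed inventory: extensions known (from an asset survey) to end on a
# modem. Without this inventory the PBX log gives nothing to correlate against.
MODEM_EXTENSIONS = {"2477", "2310"}


@dataclass
class CallRecord:
    when: datetime
    direction: str      # "in" or "out" from the PBX's point of view
    caller: str
    extension: str
    duration: timedelta


def parse_cdrs(text):
    """Parse the constructed CSV-style CDR export into CallRecord objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, direction, caller, ext, secs = line.split(",")
        records.append(CallRecord(datetime.fromisoformat(ts), direction,
                                  caller, ext, timedelta(seconds=int(secs))))
    return records


def suspicious_modem_calls(records, min_duration=timedelta(minutes=30),
                           business_hours=(8, 18)):
    """Return (record, reasons) for inbound calls to modem extensions that are
    long enough to be a data session or that arrive outside business hours."""
    flagged = []
    for r in records:
        if r.direction != "in" or r.extension not in MODEM_EXTENSIONS:
            continue
        reasons = []
        if r.duration >= min_duration:
            reasons.append("long call")
        if not (business_hours[0] <= r.when.hour < business_hours[1]):
            reasons.append("outside business hours")
        if reasons:
            flagged.append((r, reasons))
    return flagged


if __name__ == "__main__":
    for rec, why in suspicious_modem_calls(parse_cdrs(SAMPLE_CDRS)):
        print(f"{rec.when:%Y-%m-%d %H:%M} ext {rec.extension} "
              f"from {rec.caller} ({rec.duration}): {', '.join(why)}")
```

Two caveats follow directly from the slide: a call to a modem line that bypasses the PBX never appears in these records at all, so the modem inventory and the routing of those lines matter more than the thresholds; and the PBX record, unlike the host's own logs, is not something the attacker can delete from the compromised machine, which is what makes it worth collecting centrally.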
Unauthorized Remote
Access
• In order to provide their remote
users with access to the internal
network, most enterprises invest in
Internet-based VPNs and managed
Remote Access Servers (RAS).
• Unfortunately, users often set up
their own personal remote access
Backdoor remote access in the
enterprise LAN
Unauthorized ISP Access
• Employee use of unauthorized modems for Internet
access is a more common and serious problem
• To reach the Internet from work, these users simply
install a modem on their work computer and dial a
local or 1-800 ISP
• Employee abuse of Internet access privileges is
quantified in the 2004 CSI/FBI Computer Crime and
Security Survey. Of the almost 500 respondents
(primarily financial institutions, large corporations and
government agencies),59% detected employee abuse
of Internet access privileges, for an estimated loss of
$10,601,055!!!!
VoIP Vulnerabilities and
Threats
• VoIP is vulnerable to traditional IP
attacks—worms, viruses, and DoS—
and is only as secure as the weakest
link on the network
• Securing VoIP is also more complex
and arduous because it involves more
components and software than a
traditional circuit-switched voice
network
–Security Gap Left by Traditional Data Firewall
REVENUE ASSURANCE
A Competitive Edge
Introduction to Revenue Assurance
• In this world of hybrid telecommunications
companies, even a simple phone call involves several
kinds of carriers.
• These multi-level handoffs mean that carriers have
to mediate and dispute ever more complicated
combinations of revenue, billing and tariff data.
• All too often, telcos stand helplessly as millions of
dollars of their revenues go uncounted.

Tata Consultancy Services


Continued……..
• Every telco considers 5% revenue
leakage as normal.
• Revenue assurance is one of the
simplest and easiest ways to stop
revenue leakage.



What is Revenue Assurance?
• It is about billing all transactions for
all events without losing revenue to
fraud.
• Its functionality extends to include
collection of bad debts and
outstanding revenues.
Why is RA required?
1. Safeguard against loss of revenue:
Collecting revenues due to a company is one of
the easiest ways for a company to grow. It has
been found that telecom companies regularly
miss out on billing 5% of their revenues.
2. Reducing customer churn:
RA strategies help in monitoring the causes of
customer dissatisfaction and controlling them
methodically and quite effectively.



Continued………
3. Maintaining billing accuracy standard:
Both under-billing and over-billing are a cause
of worry for the company. While under-billing
results in loss of revenue, over-billing
results in loss of reputation.



Causes of Revenue
Leakage
1. Lack of co-ordination among different units in
the same organisation.
2. Complexity in the product/service definition.
3. Mismatch between service (de-)activation on
the network and billing (de-)activation.
4. Improper functioning of switch components.



Continued…………..
5. Inaccuracy of switch/network transactions.
6. Rating complexity.
7. Bill production and bill delivery.
8. Business process weakness.
9. Data centre process weaknesses.
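Several of the causes listed above (the mismatch between network and billing (de-)activation, inaccurate switch transactions, rating complexity) and the billing-accuracy concern from the earlier slide (under-billing loses revenue, over-billing loses reputation) are all caught by the same control: reconciling what the network says is provisioned against what the billing system is actually charging. The following added example (not from the slides and not Tata Consultancy Services' method) shows such a reconciliation in miniature. The export layouts, the subscriber records and the rate card are constructed assumptions; real provisioning and billing extracts would need their own parsers.

```python
"""Reconcile network provisioning state against billing state to surface
revenue leakage and over-billing.

Added example; not from the original slides. The two export formats, the
sample subscribers and the rate card are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed network-side export (e.g. from the switch/HLR):
# subscriber,service,state
NETWORK_EXPORT = """\
sub001,voice,active
sub001,data,active
sub002,voice,active
sub002,intl_roaming,active
sub003,voice,inactive
sub004,data,active
"""

# Constructed billing-system export: subscriber,service,monthly_rate_charged
BILLING_EXPORT = """\
sub001,voice,15.00
sub001,data,25.00
sub002,voice,15.00
sub003,voice,15.00
sub004,data,0.00
"""

# Constructed rate card used to value each discrepancy per month.
RATE_CARD = {"voice": 15.00, "data": 25.00, "intl_roaming": 40.00}


@dataclass
class Finding:
    subscriber: str
    service: str
    kind: str               # "unbilled", "billed_inactive" or "underrated"
    monthly_exposure: float  # revenue at stake per month for this line


def parse_network(text):
    """Return the set of (subscriber, service) pairs active on the network."""
    active = set()
    for line in text.strip().splitlines():
        sub, svc, state = line.split(",")
        if state == "active":
            active.add((sub, svc))
    return active


def parse_billing(text):
    """Return {(subscriber, service): monthly rate currently charged}."""
    charged = {}
    for line in text.strip().splitlines():
        sub, svc, rate = line.split(",")
        charged[(sub, svc)] = float(rate)
    return charged


def reconcile(active, charged, rate_card):
    """Compare the two views and classify every discrepancy."""
    findings = []
    charged_keys = set(charged)
    # Live on the network, absent from billing: pure leakage (cause 3 above).
    for sub, svc in sorted(active - charged_keys):
        findings.append(Finding(sub, svc, "unbilled", rate_card[svc]))
    # Billed but not active on the network: over-billing, a reputation risk.
    for sub, svc in sorted(charged_keys - active):
        findings.append(Finding(sub, svc, "billed_inactive", charged[(sub, svc)]))
    # Active and billed, but below the rate card: a rating error (cause 6).
    for sub, svc in sorted(active & charged_keys):
        shortfall = rate_card[svc] - charged[(sub, svc)]
        if shortfall > 0:
            findings.append(Finding(sub, svc, "underrated", shortfall))
    return findings


def leakage_summary(findings):
    """Total monthly exposure per finding type, for the RA tracking report."""
    total = {"unbilled": 0.0, "billed_inactive": 0.0, "underrated": 0.0}
    for f in findings:
        total[f.kind] += f.monthly_exposure
    return total


if __name__ == "__main__":
    found = reconcile(parse_network(NETWORK_EXPORT),
                      parse_billing(BILLING_EXPORT), RATE_CARD)
    for f in found:
        print(f"{f.kind:16} {f.subscriber} {f.service}: {f.monthly_exposure:.2f}/month")
    print(leakage_summary(found))
```

Running this check on every billing cycle, with the totals fed into the tracking and reporting the framework document calls for, turns the "5% is normal" figure from an accepted loss into a measured one that a dedicated RA team can be held responsible for.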



Key Factors to be
Considered
1. Collective responsibility for RA: since the root cause
of revenue leakage is the lack of co-ordination, it is
important to have a separate team with clear
responsibility towards RA.
2. There should be a framework document for
the RA activities.
3. The RA team should also consider the
external events related to reliability
factors such as system failures.
4. Tracking and reporting as specified in the
framework document should be strictly
implemented.



STATE OF THE ART IN RA:
How to Tackle the
Problems



ANY QUESTIONS ?
