Thursday, 27 August 2009

Challenges on Information Security

I was invited to be one of the speakers to give a talk about the implementation of an information security management system at the seminar entitled “Embracing the Challenges of Emerging Information Security Threats”, organized by the Hong Kong Quality Assurance Agency (HKQAA) and supported by the Hong Kong Society for Quality (HKSQ) on 27th August 2009. Summaries of the speeches are shared below.

The first speaker was Mr. You Cheng Hwee (Managing Director, Maximus Consulting Pte Ltd.) and his topic was “2009 Information Security Trend and Protect Yourself using ISO/IEC 27001 ISMS”.


Mr. You shared the independent information security reports and presented the trend of different threats (such as Virus, Insider Abuse, Laptop Theft, Unauthorized Access, Bots, Financial Fraud and DNS) from 1999 to 2008. He said new threats like Bots* and DNS** are emerging.

{* A bot (short for "robot") is a program that operates as an agent for a user or another program to simulate a human activity.
** The Domain Name System (DNS) is a hierarchical naming system for computers, services, or any resource connected to the Internet or a private network.}

He emphasized the importance of internal audits for compliance verification, which indicates that the “human” factor is one of the critical success factors in managing security.
Information security management is more than just technology; proper protection through a formalized mechanism is required. He pointed out that risk management lets you find out the things you wish to know. He then summarized four critical success factors to consider for an ISMS as follows:
i) Understand the ISO 27001 standards
ii) Understand your business objectives
iii) Choose your ISMS framework and risk management methodology
iv) Select your ISMS implementation scope

I, Lotto Lai (Quality Manager at HKSTP and Chairman of HKSQ), was the second speaker, and my topic was entitled “A Case Study of ISO/IEC 27001 implementation in IC Design & IP Servicing Centre of HKSTP”. After introducing the background of the ISMS, five groups of control objectives were discussed: Policy, Process & Procedure, Organization Structure, Software Systems, and Hardware Systems. The objectives of the IC Design Centre and IP Servicing Centre were then outlined as follows:
i) To support IC development in a protected environment
ii) To facilitate the use of and license of Semiconductor Intellectual Properties through the Centres

Five steps for ISO 27001 implementation were listed as:
1st Step – Perform Information Asset Evaluation (based on Confidentiality, Integrity & Availability)
2nd Step – Perform Risk Priority Assessment (based on Severity, Occurrence and Detectability)
3rd Step – Perform Risk Treatment Plan (based on the result of risk assessment)
4th Step – Develop Supplementary ISMS Manual (based on PDCA)
5th Step – Record Statement of Applicability (SOA)
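To make steps 1 to 3 concrete, here is an added example (not part of the talk or HKSTP's own method): assets are rated on Confidentiality, Integrity and Availability, each threat gets an FMEA-style risk priority number (Severity × Occurrence × Detectability), and the ranked list feeds the risk treatment plan. The assets, ratings, the severity mapping and the treatment threshold are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int  # 1 (low) to 3 (high); assumed rating scale
    integrity: int
    availability: int

    def value(self) -> int:
        # Step 1: asset value is the sum of the three CIA ratings (3..9).
        return self.confidentiality + self.integrity + self.availability

    def severity(self) -> int:
        # Map the asset value onto FMEA's 1..10 severity scale (assumed mapping).
        return max(1, round(self.value() * 10 / 9))


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    occurrence: int     # 1 (rare) to 10 (frequent)
    detectability: int  # 1 (easily detected) to 10 (hard to detect)

    def rpn(self) -> int:
        # Step 2: risk priority number = Severity x Occurrence x Detectability.
        return self.asset.severity() * self.occurrence * self.detectability


def treatment_plan(risks, threshold=100):
    """Step 3: rank risks by RPN; those at or above the (assumed) threshold
    need a control, the rest are accepted and recorded.
    Returns (threat, rpn, decision) tuples, highest RPN first."""
    ranked = sorted(risks, key=lambda r: r.rpn(), reverse=True)
    return [(r.threat, r.rpn(), "treat" if r.rpn() >= threshold else "accept")
            for r in ranked]


# Constructed sample assets and threats for an IC design centre (not real data).
IP_FILES = Asset("licensed IP design files", 3, 3, 2)
LICENSE_SERVER = Asset("EDA licence server", 1, 2, 3)
LAPTOP = Asset("engineer laptop", 2, 1, 1)
SAMPLE_RISKS = [
    Risk(IP_FILES, "unauthorised copying of IP files", occurrence=3, detectability=7),
    Risk(LICENSE_SERVER, "licence server outage", occurrence=4, detectability=2),
    Risk(LAPTOP, "laptop theft", occurrence=2, detectability=3),
]

if __name__ == "__main__":
    for threat, rpn, decision in treatment_plan(SAMPLE_RISKS):
        print(f"{rpn:4d}  {decision:6s}  {threat}")
```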

In my conclusion, I stated that the ISMS framework created value for our new business model, the “Secure Virtual IP Chamber”, in which the operational model changed from physical service to virtual service, and which led world-class IP companies to sign agreements with HKSTP.
Lastly, I summarized the execution tactic of information security management system (ISMS) into one word “SECURE”. It means:
“S” – Standardization
“E” – Effectiveness
“C” – Clearance
“U” – Unique Identification
“R” – Recovery
“E” – Efficiency

The third speaker was Mr. Ronald Pong (Consultant, Technology & Special Project, CNLINK Networks Limited) and his topic was “ISO 27001 in IDC Environment”.
In the beginning, Mr. Pong introduced the IDC* security practices adopted nowadays in the business world.

{* Internet data centers (IDCs) provide businesses with a range of solutions for systems deployment and operation. It generally includes redundant or backup power supplies, redundant data communications connections, environmental controls (e.g., air conditioning, fire suppression) and security devices, etc.}


Mr. Pong shared problems he encountered, such as mapping security management onto IT operation management, which had to fulfil different compliance criteria. He said the IDC provided co-location service, virtual hosting, facility management, net health & security, as well as a SOC.

Mr. Pong elaborated on the risks they faced as follows:
i) Distributed denial-of-service attack (DDoS attack): it involves saturating the target (victim) machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable.
ii) Botnet: it is often associated with malicious code/software, but it can also refer to a network of computers using distributed computing software.
iii) Hacking (breaking into computers, usually by gaining access to administrative controls)
iv) Economic Espionage (the theft or misappropriation of a trade secret, a federal crime)
v) Crime
(and more; everything can happen in an IDC)

Mr. Pong continued that knowledge/understanding and appropriate documentation were the requirements for making IT operation management effective. The key word for security management and incident response strategy is “Compliance”. To organize your IT security management, using an ISMS framework (such as ISO 27001) was recommended so that people understand what they should do.

The last speaker was Mr. Philip Chan (Auditor, HKQAA) and his topic was entitled “Security Incident Zero-day Attack”. He explained security incident and zero-day attack as follows:
Security Incident – “Any real or suspected adverse event in relation to the security of computer systems or computer networks.”
Zero-day Attack – “The day a new vulnerability is made known. In some cases, a “zero-day exploit” refers to an exploit for which no patch is available yet.”


The following photo illustrated the concept.


Then Mr. Chan mentioned three risk management theories.
Theory 1 is Control Type
- Preventive
- Detective
- Corrective
Theory 2 is Defense-in-Depth
- Determine
- Detective
- Delay
- Response
Theory 3 is a risk management standard such as AS/NZS 4360.

In the next section, Mr. Chan went on to describe the different Six Sigma methodologies employed for information security, especially against zero-day attacks, such as DMAIC, SIPOC, Process Flow, FMEA, Tree Diagram, Force Field Analysis, Critical Path Analysis, Value Stream Mapping, etc.

Lastly, the most important items of ISO 27001 (ISMS) were summarized in his concluding remarks:
- Process Approach
- Risk Based Approach
- Security Policy
- Asset Management
- Communications & Operations Management
- Access Control
- Information Security Incident Management
- Business Continuity Management
- Compliance
