Guide Edition 201710

Copyright © EXIN Holding B.V. 2017. All rights reserved. EXIN® is a registered trademark. No part of this publication may be reproduced, stored, utilized or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written permission from EXIN.

Guide EXIN Information Security Management Expert based on ISO/IEC 27001 (ISMES.EN)


Content

• General (page 4)
• Confidentiality (page 4)
• Design of the exam (page 4)
• Written section (page 4)
• Oral section (page 6)
• Procedure (page 7)
• Appendix 1: Evaluation tools (page 9)
• Appendix 2: Case study Smith Consultants Inc. (page 19)


General

The Information Security Management Expert module based on ISO/IEC 27001 (ISMES) consists of a written and an oral exam section. This document describes the design of the written exam (practical project), the design and duration of the oral exam, and the procedure of the entire exam. The document also contains the evaluation criteria and a case study which can be used for the practical project.

Confidentiality

The examiners have a Non-Disclosure Agreement with EXIN. The information in the practical project, the presentation and the examination conversation is treated as confidential.

Design of the exam

The Information Security Management Expert module based on ISO/IEC 27001 (ISMES) consists of two parts. The written section (the practical project) is the first part. The candidate has to achieve a satisfactory rating (55% or more) for this part before taking the oral exam. The oral section is the second part.

Written section

Practical project

The written section comprises a practical project paper of approximately 6000 words and a management summary. Ideally, the entire practical project paper is written for the ISMES module; for example, as the logical continuation of an ongoing project, or because the organization for which the candidate works needs it. The guidelines also apply to the introductory and final chapter.

The content of the practical project has to be related to the professional context of the candidate. The core of the practical project may consist of an existing document (about one of the examination requirements), provided that the candidate is the author or co-author and has had sufficient say with regard to the content. The introductory chapter should clearly state what the level of involvement of the candidate has been.

The practical project paper contains an introductory chapter, a core and a final chapter. Some of the elements of the introductory chapter are:
• the reason for realizing this particular document in the organization, and the related question and objective;
• the role of the candidate in the realization of the document;
• the role/status of the document within the organization.


The core of the practical project paper deals with one of the ISMES examination requirements, at the candidate's choice:
• Security Awareness plan;
• Risk analysis;
• Change plan;
• Information Security Management System (ISMS) plan;
• Audit plan;
• Quick scan;
• Information Security policy.

Some of the elements of the final chapter are:
• well-thought-out reflections on the various components of the process; this demonstrates the candidate's performance: what the candidate encountered, what alternatives presented themselves, what choices were made, what could be improved upon next time, etc.;
• a link to the introductory chapter, e.g. to the question and objective.

If a candidate is not able to write a practical paper based on his/her work environment, the candidate can ask the trainer for permission to write a practical paper based on the case study. The case study can be found in this Guide (Appendix 2). Should the candidate choose to write a practical paper based on the case study, he or she needs to make clear the personal work experience and professional context that was applied when doing so. In the final chapter of the practical paper the candidate can indicate how his/her own experience has been an inspiration for the particular components dealt with, what relevant similarities/differences there are with his/her own professional context, what he/she has learned from the case study that is relevant to his/her own professional environment, etc.

It is highly recommended that the candidate sends a plan for the project paper to EXIN at an early stage in order to have the minimum requirements checked.

Along with the practical paper the candidate has to submit:
1. a management summary of the practical paper, which meets the following requirements:
   • the summary is two A4 sides at the most (600 words);
   • the summary is aimed at the management team;
   • the summary contains an introduction, a core, and a final chapter that contains the conclusions and recommendations.
2. a short curriculum vitae showing that he/she has at least 2 years of work experience at management level in the areas of at least 2 examination requirements.
3. an account, added by the trainer, of the relationship between the selected examination requirement and the practical project.

Evaluation

The practical project will be evaluated by two examiners. The evaluation tools used for this can be found from page 9 of this Guide (Appendix 1). The candidate can only take the oral exam when his or her practical project has received a satisfactory rating (55% or more). The examiners' feedback on the practical project will be sent to the training institute two weeks before the oral exam.


Depending on the chosen subject, one of the tables below is used in the evaluation of the practical project:
• Security awareness plan (page 9)
• Risk analysis (page 10)
• Change plan (page 11)
• ISMS plan (page 12)
• Audit plan (page 13)
• Quick scan (page 14)
• Information Security policy (page 15)

Oral section

I A presentation by the candidate

The exam starts with a presentation by the candidate about the project he or she worked on. The presentation simulates a situation in which the candidate presents to the management team with the purpose of persuading management and gaining acceptance for certain proposals. The presentation is evaluated on whether or not it was sufficiently geared toward the management team. The presentation lasts for a maximum of 15 minutes. An overview of the evaluation criteria can be found in the ISMES Guide (oral section).

II An examination interview based on the presentation

The second part of the exam consists of a conversation with the examiners about the presentation. The examiners question the candidate in a critical way, as if they were members of the management team. The examiners may ask questions about the contents of the presentation. This conversation takes up a maximum of 15 minutes.

III An examination interview about the other examination requirements

In the third and last part of the exam, the examiners ask questions about the examination requirements that were not the focus of the presentation or of the conversation about the presentation. The examiners no longer play the part of the management team. What is assessed is whether the candidate is capable of applying the contents of ISMES outside his or her own professional context, and whether he or she can relate the project and the presentation to that professional context and to recent developments in this field. In addition, the candidate's ability to reflect on his or her own conduct in relation to the contents of the module may be assessed. This means that the candidate also has to be able to step outside the way his or her company operates, and must have an understanding of the topics listed in the examination requirements. This final examination interview lasts 25 minutes.

IV Final conclusion

Immediately following the exam, the examiners reach mutual agreement and come to a final decision, resulting in a final mark. This takes 25 minutes. After that, the examiners notify the candidate verbally of the final mark and clarify their final decision. This takes 10 minutes. The entire exam takes a maximum total of 90 minutes.


Procedure

This chapter describes the procedure and rules that the examinee and the examiners have to follow for the ISMES oral exam. No later than eight weeks prior to the oral exam, three copies of the practical project paper have to have been submitted to EXIN along with a management summary. The trainer will have added an account of the relationship between the selected examination requirement and the practical project. The candidate is to include a short CV to prove that he or she has had at least 2 years of work experience at management level in the areas of at least 2 examination requirements.

The examination session
• During the presentation the candidate is required to use PowerPoint slides on a CD or from their own laptop.
• Immediately before the presentation, the examiners are provided with two sets of one-sided prints of the slides (1 slide per page).
• The presentation starts with:
  o one slide with the title of the presentation;
  o one slide with the name of the candidate, his/her job title, the company and the type of company.
• The presentation is about the practical project; it is not about the career history of the examinee, nor a description of the company for which the candidate works.
• During the presentation the examiners can only ask clarification questions.
• The entire oral exam is documented using recording equipment.
• It is not permitted to influence the examiners by disclosing business or private matters.

The following persons are present at the oral exam: • the candidate • two examiners The candidate’s trainer/supervisor can attend the oral exam as observer, when the candidate has given his or her approval. The exam session can be done via a web conference with video and audio facilities. In that case an EXIN accredited supervisor should be present at the candidate’s site.

Time frame

The entire examination session lasts a maximum of 90 minutes, including communication of the result. The examination is structured as follows:
• 15 minutes (maximum) for the presentation;
• 15 minutes for discussing the presentation;
• 25 minutes for the examination interview about the other exam requirements;
• 25 minutes evaluation meeting among the examiners;
• 10 minutes for discussing the outcome with the candidate.


Evaluation

The examiners evaluate the three parts of the oral exam based on three evaluation tools (Tables I, II and III). The examiners fill in these evaluation tools during the oral exam. Once the exam is over the examinee leaves the room where the exam was taken. The examiners discuss and determine the final mark. Afterwards the examiners inform the examinee of the mark for this oral exam and justify the result.


Appendix 1: Evaluation tools

Security Awareness plan

Name of candidate:
Candidate number:
Title of practical project:

Subject that has to be included / evaluation aspects (score in points, max. / awarded)

1. Introduction, background, principles (10 points)
• Reason
• Scope (reach)
• Specifying stakeholders
• Putting together steering group and project organization

2. Designs and plans (20 points)
• Setting tasks, responsibilities and authorities of project members
• Determining scope, setting objectives (final situation, term)
• Determining slogan/logo
• Determining strategy
• Carrying out baseline measurement
• Setting communication objectives per target group
• Determining target groups and producing descriptions of the characteristics of the target groups
• Setting key messages (e.g. 'correct use of password', 'switching off monitor', etc.)
• Formulating project plan

3. Development (20 points)
• Choosing and producing communication means
• Testing the communication means developed
• Modifying communication means

4. Execution (30 points)
• Developing scenario
• Communication of the vision
• Execution of the project plan

5. Evaluation and continuation (10 points)
• Measuring the effects
• Transforming project activities into structural activities

6. Language usage and design (10 points)
• Correct language usage (spelling, grammar, style)
• Clear structure, appropriate layout

TOTAL: 100 points


Risk analysis

Name of candidate:
Candidate number:
Title of practical project:

Subject that has to be included / evaluation aspects (score in points, max. / awarded)

1. Introduction, background, principles (30 points)
• Purpose
• Scope (reach)
• Change logbook (version management)
• Signature:
  o who are the authors;
  o who are the respondents;
  o who are the risk owners.
• Chosen working method for execution (e.g. workshops or interviews)
• Management summary

2. Process description (15 points)
• Description of the completed process
• Which threats were outlined and how

3. Execution (45 points)
• Results of the completed steps
• Final conclusion
• Measures to be taken
• Implementation plan (planning, prioritization, responsibilities)

4. Language usage and design (10 points)
• Correct language usage (spelling, grammar, style)
• Clear structure, appropriate layout

TOTAL: 100 points


Change plan

Name of candidate:
Candidate number:
Title of practical project:

Subject that has to be included / evaluation aspects (score in points, max. / awarded)

1. Introduction, background, principles (10 points)
• Purpose
• Scope (reach)
• Change logbook (version management)
• Signature:
  o who are the authors;
  o who are the respondents;
  o who signs for approval.
• The phases that are distinguished in the change approach (e.g. AURRA, J.P. Kotter)
• The willingness to change
• Rewards and penalties
• Management summary

2. Preparation and organization (40 points)
• Determining the imperative necessity
• Putting together the steering group
• Choosing key figures (management, expertise, reputation)
• The vision to which the project must lead, the leitmotiv (it must be possible to explain it within 5 minutes)
• Determining the parts of the organization that are involved in the changes
• The role of the management
• The contribution of each organization function (department)
• Communicating the vision

3. Execution (40 points)
• Coordinating education and training of staff with the implemented measures (knowledge, aids, expertise)
• Planning the short-term benefits
• Consolidating the benefits
• Institutionalizing the new approach
• Evaluation

4. Language usage and design (10 points)
• Correct language usage (spelling, grammar, style)
• Clear structure, appropriate layout

TOTAL: 100 points


ISMS plan

Name of candidate:
Candidate number:
Title of practical project:

Subject that has to be included / evaluation aspects (score in points, max. / awarded)

1. Description ISMS (20 points)
• Operational area
• Purpose
• Introduction
• Complete ISMS description

2. ISMS process (10 points)
• Operation of the process
• Results
• Registrations

3. Organization (15 points)
• Description of organization
• Tasks, authorities, responsibilities
• Reporting

4. Description of set-up (45 points)
An outlined description of:
1. steps:
  o policy
  o organization
  o training & awareness
  o sub-processes ISMS (for example: risk analysis method, incident handling)
  o evaluation
  o reporting
2. planning
3. evaluation
4. reporting

5. Language usage and design (10 points)
• Correct language usage (spelling, grammar, style)
• Clear structure, appropriate layout

TOTAL: 100 points


Audit plan

Name of candidate:
Candidate number:
Title of practical project:

Subject that has to be included / evaluation aspects (score in points, max. / awarded)

1. Foreword, introduction, background, principles and the like (20 points)
• Introduction, operational area
• Purpose
• Focus

2. Basis of the plan (30 points)
• References, standards
• Reporting
• Confidentiality

3. Execution (40 points)
• Execution details
• Responsibilities
• Report details
• Confidentiality

4. Language usage and design (10 points)
• Correct language usage (spelling, grammar, style)
• Clear structure, appropriate layout

TOTAL: 100 points


Quick scan

Name of candidate:
Candidate number:
Title of practical project:

Subject that has to be included / evaluation aspects (score in points, max. / awarded)

1. Introduction, background, principles (30 points)
• Purpose
• Scope (reach)
• Change logbook (version management)
• Signature:
  o who are the authors;
  o who are the respondents;
  o who signs for approval.
• On which questionnaire this quick scan is based (e.g. Code of Practice ISO/IEC 27002)
• Chosen working method for execution (e.g. workshops or interviews)
• Management summary

2. Process description (30 points)
• Description of the completed steps

3. Execution (30 points)
• Results of the completed steps
• Final conclusion
• Dependent on the final conclusion:
  o Measures to be taken
  o Implementation plan (planning, prioritization, responsibilities)

4. Language usage and design (10 points)
• Correct language usage (spelling, grammar, style)
• Clear structure, appropriate layout

TOTAL: 100 points


Information Security policy

Name of candidate:
Candidate number:
Title of practical project:

Subject that has to be included / evaluation aspects (score in points, max. / awarded)

1. Foreword, introduction, background, principles and the like (20 points)
• Motivation, importance, priority
• Purpose
• Introduction, operational area

2. Policy statements (10 points)
• Gearing to target group level
• Completeness
• Realism
• Strategic level

3. Detail subjects (50 points)
• Organization
• Responsibilities
• Incident handling
• Information Security Continuity
• Sanctions
• Awareness, education & training
• Reporting, maintenance of the policy
• Departures from the policy
• Information back-up cycles
• Suppliers and information security

4. Execution (10 points)
• Support in the execution, details
• Planning
• Approval, signature

5. Language usage and design (10 points)
• Correct language usage (spelling, grammar, style)
• Clear structure, appropriate layout

TOTAL: 100 points


Oral exam

The examiners base their judgment on the demonstrated (work) experience at management level, the practical project, knowledge and understanding of the field of expertise, and the ability of the examinee to reflect upon this. The examiners consider it important that the candidate shows what he or she has learnt during and prior to the ISMES module and what his or her view is on that field of expertise. This chapter describes the evaluation criteria that apply to the oral ISMES exam.

I - Presentation

In Table I the examiners record the score that you achieved for the presentation. This is the first part of the oral exam.

Table I: evaluation presentation (score in points, max. / awarded)
The candidate...
• explains the subject sufficiently and within the set time frame: 10
• handles the details of the subject correctly: 10
• handles the subject at the appropriate level and for the appropriate target group: 20
• discusses the subject in a convincing manner and can justify his or her own viewpoints: 30
• sets out his or her own viewpoints in a comprehensible manner: 30
Total (max. 100 points): 100

II - Examination interview resulting from presentation

In Table II the examiners record the score you achieved for the examination interview resulting from the presentation. This is the second part of the exam.

Table II: evaluation of the examination conversation resulting from the presentation (score in points, max. / awarded)
The candidate...
• gives essentially correct answers and motivation of answers: 15
• motivates and/or defends viewpoints in a professional manner: 15
• deals professionally with questions or comments from the examiners: 20
• shows a capacity to reflect upon his or her own actions in a work context: 25
• shows a capacity to reflect upon his or her own actions during a presentation and examination conversation: 25
Total (max. 100 points): 100


III - Examination interview concerning other exam requirements

In Table III the examiners record the score you achieved for the examination interview concerning the exam requirements that had not yet been dealt with in the previous two sections. This is the last part of the exam.

Table III: evaluation other exam requirements (oral score, max. points / awarded)

1. Organization of the information security (formulating ISMS): 20
   1.1 The candidate can substantiate the risk management process in relationship with the ISMS.
   1.2 The candidate can define the roles for information security.
   1.3 The candidate can set up and apply a reporting system for the management.
2. Information security policy: 10
   2.1 The candidate can participate in the process of establishing the information security policy.
   2.2 The candidate can set up, present and disseminate an information security policy.
3. Risk analysis: 10
   3.1 The candidate can select and carry out a method based on an understanding of the various risk analysis methods.
   3.2 The candidate can analyze the result of a risk analysis.
4. Organizational change and development regarding information security: 40
   4.1 The candidate can, if the situation so requires, draft or modify a change plan.
   4.2 The candidate can, if the situation so requires, draft, communicate, present and execute an awareness program.
   4.3 The candidate can, if the situation so requires, implement the changes or guide this process.
5. Standards and norms: 10
   5.1 The candidate can, if the situation so requires, select and implement a relevant standard.
   5.2 The candidate can, if the situation so requires, implement a standards framework or baseline construction.
6. Audit and certification: 10
   6.1 The candidate can organize the execution of audits.
   6.2 The candidate can help with a management evaluation of the ISMS.
Total: 100


IV - Final evaluation ISMES

After the exam the candidate leaves the room and the examiners come to their final conclusion in consultation with one another. For this they use Table IV. They give the candidate a definitive answer immediately afterwards and explain their final conclusion.

Table IV: final evaluation ISMES (part / weighting / points per exam section / weighted points per part)
• Practical project: 10% (points W)
• Oral I, Presentation: 20% (points I)
• Oral II, Examination conversation resulting from presentation: 20% (points II)
• Oral III, Examination conversation other examination requirements: 50% (points III)
• Total: 100%; total points achieved


Appendix 2: Case study Smith Consultants Inc.

The case study is optional and belongs to the written section.

Smith Consultants Inc., Forestville

Company profile

Smith Consultants Inc.¹ is a relatively small consultancy agency (approximately 180 staff) specializing in IT. The company was set up approximately 16 years ago. Their clients appreciate its ability to solve unconventional problems. They have, for example, carried out demonstration projects to show that open source software can be successfully used to realize complete office environments or complex security functionality, and that this software can be used to build on-line and mobile applications that allow organizations to connect easily with their customers. Clients include a number of government departments, a bank, insurance companies and engineering firms.

Smith Consultants Inc. is divided into three divisions that carry out the various activities. The divisions are regarded as business units with their own profit/loss responsibilities.
• Consultancy: Business consultants (25) supply consultancy services at the interface of business and IT. Subjects include: business analysis, translating business processes to web applications, support in setting up functional requirements, identifying business information assets and their business owners, etc.
• ITC: IT consultants (60) supply consultancy services in the area of IT, software design and development, project management, etc. Examples include: converting functional specifications to technical specifications, configuring infrastructure components, capacity management, setting up configuration management, designing information security, network management, service management, etc.
• SD: Software development (85): designing, developing and supplying software. When the occasion arises, hardware components and software can also be supplied so that clients receive complete solutions. In addition, remote management services are carried out for a small number of clients.

Each division has its own administration staff who are responsible for human resource management (HRM), time administration and invoicing. Office management and first line application management are also locally available. The central organization (10) consists of the Management Board, legal affairs, facilities management (including IT), internal communication and public relations (PR), payroll administration, central personnel administration, help desk and Quality & Security (Q&S).

Smith Consultants Inc. has an ISO 9001 quality certificate. This has been awarded for carrying out projects in the ITC division and for remote management and support in the SD division. During the certification process for ISO 9001, Bettina Smith (not related to Brad) was appointed quality controller (hence the 'Q'). Three months ago, security was added to her portfolio.

¹ Any similarity with an existing organization or company is purely coincidental. This case is a complete work of fiction.


Figure 1: Organization Smith Consultants Inc. (organization chart)
• Brad Smith, CEO
• Bettina Smith, Controller: HRM, Legal, Quality & Security, PR, Facilities
• Mike Dunn, manager Consultancy
• John Caser, manager ITC
• Paul Dwyer, manager SD
Each division has an office manager, administration staff, field managers and consultants.

Office environments

Smith Consultants/Consultancy is based in Forestville, Smith Consultants/ITC is based in Coleville, whilst Smith Consultants/SD has its offices in Rockville. The management and the central departments are based at the office in Forestville. Each office has a manned reception (only during office hours). In Coleville and Rockville the staff regularly work after hours. At night the offices are closed. Each branch has an alarm system that is connected to a local emergency center. Six months ago a report showed that the number of false alarms had risen; at present this has decreased somewhat again. The alarm systems are now 5 to 7 years old. It appears that these days people are increasingly forgetting to switch on the alarm systems in the evenings.

IT environment

Smith Consultants Inc. has a network with various brands of hubs, bought by different staff over the years whenever the price was low. There is relatively little network traffic between the branches. The connection between the branches consists of a rather slow and old broadband Internet connection. Each branch has file servers for storing reports and documents (the Y disk). Most staff have access to their own directory; a number of people (office management) also have access to joint directories. The Rockville office has an Internet connection protected by a Cisco firewall for which it has a maintenance contract. A router (placed four years ago) distributes the traffic between the internal network and the Internet.


The mail service and web services used by Smith Consultants Inc. are external, cloud based. The SD consultant who determined the technical details at the time left two years ago. As the system has been working without any problems, no one has given the documentation any thought. It is also not clear who is responsible for maintenance. The content of the corporate web pages is maintained by the people from the PR group.

Figure 2: Overview of IT infrastructure

In Rockville there is a separate LAN (two servers, five workstations and extra hubs for the laptops) for SD to experiment with new features/functionalities. Furthermore, there are three Linux servers for development and testing. There are also a number of workstations with Linux versions.

The financial administration and the time administration are run centrally, using an Oracle database with an Internet application front end (Oracle application server). Branch administration does not have access to these applications. Local information is transmitted to the central administration by email (Excel sheet as attachment, once per month), where it is converted into the correct format and imported into the databases.

For remote use of the intranet and webmail a user name and password are used. There are plans to use a token for this in the future. All staff have a fast Internet connection at home. Everyone receives $30 per month as a contribution to the costs of the work-related use of the Internet connection. A few employees have been given a written-off PC in order to be able to send e-mails.

Office applications (all recent variants of MS Office) run locally on the workstations and laptops. The consultants have been divided according to an expertise group (EG) structure. Each EG has a joint directory for the storage and distribution of reports and other documentation.


Information security

Up until now information security has not been dealt with in a consistent and structured manner. Some questions had been asked about intranet and security, but these soon faded away. The appointment of Bettina Smith has not yet had any effect, but she joined only three months ago. It is, however, expected that all sorts of procedures will soon be implemented. This could mean that the more technically grounded consultants and the people from SD may lose a number of their unofficially acquired privileges.

The core of the security is formed by a username/password construction in order to gain access to the network. Based on the username, access is granted to files and applications. Access rights are assigned through Active Directory (AD). Some staff regularly change their password, but they are not yet forced to do so.

A backup is made centrally of the database files. Backups of the mail and web content are managed by the external cloud service provider. There is the possibility of saving the most important files on the network, but not everybody (euphemistically, for almost no one) does this. The documents that are used by the administration, however, are all on the network.

There are too few filing cabinets in Forestville. The financial administration in particular complains about not being able to store their documents. They are also in charge of the contracts. Rockville is the only place that has a shredder, a large one, in which entire books can be destroyed. The machine was left to the office after a confidential project for the Ministry of Defense ended, as was the safe in which the original CDs of most of the purchased software are now kept.

Centrally a subscription to antivirus software has been arranged. This runs on the servers, workstations and laptops. Part of the login script checks the version of the anti-virus software; if necessary this is updated to the latest version. Users of the workstations and laptops are able to switch off the virus scanner. This makes the PC start a lot faster. There are no licenses for cryptographic software.

Operational processes

The operational processes of Smith Consultants Inc. are approached in a rather simple manner. The company regards three processes as primary ones:
• Consultancy and projects: supplying services according to agreed contracts in three forms (individual placement, time-and-material cost consultancy or projects, and fixed price projects)
• Sales: selling the services
• Invoicing: sending invoices and receiving payments for the services supplied.

All primary processes are present in each of the divisions. There is, however, some difference in opinion regarding which of the primary processes has the highest priority. The supply of services should not be unavailable for a long time. What's more, some clients consider their information as highly sensitive and of high competitive value. If necessary the sales process can be unavailable for a week, but any longer would cause too many problems. This process particularly uses office automation functions. Fortunately, a great deal of the information that is used in the sales process is available, scattered over diaries and laptops. Invoicing is at its peak in the first week of the month. Any interruption to the invoicing process then leads to an immediate loss of money. This is less important during the rest of the month.
In addition, there are supporting processes such as:
• Consolidated administration (hours and finance)
• Legal matters – contracts
• Central personnel administration
• Payroll administration
• Management of facilities, including IT facilities
• Internal communication and PR
• Etc.

The management team (director, managers and controller) believe that all these processes can be unavailable for a longer period of time without risking the business. A solution, however, will need to be found for the salary payments.

Responses from managers to the question: Is information security necessary?

Response from Bettina Smith, Q&S manager

Three months ago a financial audit was carried out by the accountant. This revealed that there may not be a qualified audit opinion next year, if the reliability of the automated information processing has not been improved by then. There has been considerable agitation among the management team, which has led to 'Security' being handed to me with the comments 'Do something about it' and 'If it's going to cost money, let me know - but not too much mind you'.

Smith Consultants Inc. has grown from four consultants who started a small business to the organization that it is now. As we always got more assignments than we could handle – the company regularly had to hire external help – the operation always had priority. In fact a 'Wild West' culture predominates: we shot at everything that moved with everything that we had, and it worked. It is for that reason that the infrastructure is in such a mess. We no longer know exactly which hardware and software are used in the company. License and asset management has never been considered. Whenever something is required, it is bought. That goes for the hardware, but also for the software. The decentralized structure paves the way for this. It costs a great deal of money, but at least you don't have to give it much thought. Fortunately, the SD experts know what they are doing.

There have never been – as far as I know – any major problems. We have never been hacked and we have only had to disconnect the Internet once or twice for a while due to too many viruses. This resulted in only one or two days of lost email. Oh yes, I almost forgot, one of the consultants lost his laptop (had it stolen) a year ago. This was a nuisance as there were no backups. Fortunately, most of the information could be retrieved. I don't think that the client noticed anything. But I am not 100 per cent sure. And the company still doesn't make any backups now.

Unfortunately, I don't know much about computer security myself. I have only just started doing this. There are not many crash courses in this area. I could do with some help in setting it up. I have many questions, such as:
• Where do I start?
• What is already in place?
• How many measures do we need? And will this then be sufficient?
• Who is responsible?
• How can we get staff, for example, to regularly change their password?
• What can I do to get the managers to influence their staff?
Response from Mike Dunn, mgr Consultancy

Information security is a must. I had hoped to have heard from Bettina Smith by now. All our major clients are talking about cyber security due to the many high-profile cyber-attacks recently. There are also many legal and regulatory requirements for this area now. How does this affect our clients? And how should we deal with this? Can we also sell this as a service to our customers? In the form of risk management maybe? I will have a look to see if there is demand for this. I have some business contacts. Would information security make our work more difficult? My consultants are not IT specialists. It mustn't be too difficult. Otherwise anything else?

Response from Paul Dwyer, mgr SD

Information security is necessary I'm sure, but we don't have much time for it at the moment. After all, everything is going well. We have never been in the newspapers. We are clearly able to sort all this out ourselves. It all seems quite secure to me. What's more, would we then still be able to carry out our work? Would we actually have any access? Why is this necessary all of a sudden? Everything is going well, isn't it? We have never had any major problems.

Apart from that laptop; that was stupid. You shouldn't leave that sort of thing on the back seat of a car. It was a nuisance that the client's database was on it. Fortunately, we still had someone working at the client's site who was able to make a copy. It was a good thing that the client didn't notice anything, otherwise we would have had to clear our desk there.

Oh yes, that disk crash last year was bad news, especially when the backup turned out to be useless. We should test more often. I have no idea if this has ever been looked into. It was clever how that company managed to retrieve 72% of the data that was on the disk. It cost a bit, and took longer than we would have liked, but oh well, what can you do. See, it's not that bad really. I'm sure everyone has had to put up with their network failing, or with Windows crashing at some time.

Assignment with the case study

Write a practical project paper for Smith Consultants Inc. based on one of the following components of ISMES:
• Security Awareness plan
• Risk analysis
• Change plan
• ISMS plan
• Audit plan
• Quick scan
• Information Security policy

Contact EXIN www.exin.com
