Information Security at the Central Bank of Bosnia and Herzegovina
Čapljina, November 2012
Dr. Kemal Hajdarević, dipl.ing.el.
Office of the Governor
Central Bank of Bosnia and Herzegovina
Agenda
• Information security: what it is and why it matters
• Objectives of introducing an ISMS and certifying to ISO 27001
• Implementation of the Information Security Management System (ISMS) at the CBBiH: roadmap, ISO 27001 in central banks
    • Risk assessment, establishing controls, ISMS audit
• Certification, maintenance
• Awareness
• Implementation of new mechanisms: improvements in applying controls
• Information Management System (IMS)
    • IT Help Desk
    • Incident management system
    • Register of preventive and corrective measures
• Measurement
    • ISMS metrics
    • Measurement tools
    • Register of preventive and corrective measures
Objectives for implementing the ISMS
• Information security is one of the CBBiH's strategic objectives
• Trust of clients / partners
• Internal efficiency
• Regulation
Certification
1. Review of documentation
2. Inspection of the actual state
[Figure: project timeline 2005-2011. Phases: project plan and tendering; implementation and certification; BCP framework implementation; ISMS implementation and maintenance (ISO 27001); audit check. Support: US Treasury consultants. Drivers: reputation, economic stability, risk management (operational), business continuity, IT Disaster Recovery Plan (DRP), emergency plan. Scenarios: equipment failure..., buildings / offices unavailable.]
Central banks or their services certified so far
1. United States of America - Federal Reserve 2005
2. Hungary - Hungarian Banknote Printing Corporation 2006
3. Indonesia - Bank Indonesia 2008
4. Taiwan - Bank of Taiwan 2008
5. France - Banque de France 2009
6. Slovenia - Banka Slovenije 2009
7. Ghana - Bank of Ghana 2009
8. Bosnia and Herzegovina - Central Bank of Bosnia and Herzegovina 2009
9. Austria - Oesterreichische Nationalbank 2010
10. Qatar - Qatar National Bank 2010
11. Dominican Republic - Central Bank of the Dominican Republic 2012
12. India - Reserve Bank of India 2012
13. Armenia - National Bank of Armenia 2012
• International Monetary Fund
• World Bank
[Chart: ISMS implementations in central banks, number per year, 2005-2012]
ISO 27000 series of standards
• ISO/IEC 27001:2005 - ISMS
• ISO/IEC 27002:2005 - Controls
• ISO/IEC 27003:2010 - Implementation guidance
• ISO/IEC 27004:2009 - Measurement and metrics
• ISO/IEC 27005:2008 - Risk management
Implementation
ISO/IEC 27001:2005 (system establishment)
4. Information security management system
5. Management responsibility
6. Internal ISMS audits
7. Management review of the ISMS
8. ISMS improvement
ISO/IEC 27003:2008 (establishment flow): management approval; defining scope (objective, scope, processes, assets); risk assessment
ISO/IEC 27002:2005 (formerly ISO/IEC 17799:2005, which itself was formerly known as BS 7799-1) - control clauses
5. SECURITY POLICY
6. ORGANIZATION OF INFORMATION SECURITY
7. ASSET MANAGEMENT
8. HUMAN RESOURCES SECURITY
9. PHYSICAL AND ENVIRONMENTAL SECURITY
10. COMMUNICATIONS AND OPERATIONS MANAGEMENT
11. ACCESS CONTROL
12. INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE
13. INFORMATION SECURITY INCIDENT MANAGEMENT
14. BUSINESS CONTINUITY MANAGEMENT
15. COMPLIANCE
Implementation of the Information Security Management System (ISMS) at the CBBiH: roadmap
[Figure: the roadmap drawn as a PDCA cycle, surrounded by CC - company culture]
PLAN: agreeing the project scope; collecting data on information assets and valuing them
DO: implementation of controls, procedures, ...
CHECK: Statement of Applicability and auditing
ACT: improvements
Also shown on the cycle: training and awareness; top-level information security policy; management approval; risk assessment; GAP analysis; monitoring; collection of records
Risk assessment and treatment (ISO/IEC 27005:2008)
• Quantitative and qualitative approaches
• Risk treatment
Asset categories:
• Electronic information
• Non-electronic information
• Environment / infrastructure
• Hardware
• Software
• Physical
• People
• Services
Risk treatment options:
• Risk reduction
• Risk avoidance
• Risk transfer
• Risk retention
• Risk acceptance or tolerance
Steps:
• Collecting information on information assets
• Valuing information assets
• Assessing the impact and likelihood of vulnerabilities and threats to the security (confidentiality, integrity, availability) of information assets and information
• Treating risk by applying ISO 27001:2005 controls
Risk levels: Very High, High, Medium, Low
ISO/IEC 27005 process elements: risk analysis (risk identification, risk estimation, risk evaluation); risk reduction; risk retention; risk avoidance; risk transfer; risk acceptance; risk communication
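The qualitative assessment described above (valuing each asset for confidentiality, integrity and availability, estimating impact x likelihood, evaluating the result against the four bands, and recording one of the five treatment options) as a runnable Python example. This is an added illustration, not code or data from the CBBiH or from the presentation: the 1..5 scales, the band thresholds, the "only Low risks may be retained or accepted" appetite rule, the control-clause labels and the sample register are all assumptions constructed for the example.

```python
"""Qualitative ISO/IEC 27005-style risk estimation, evaluation and treatment check.

Added example. The 1..5 scales, band thresholds and risk-appetite rule are
assumptions; the slides only name the four bands and the five treatment options.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set

class Treatment(Enum):
    """Risk treatment options as listed on the slide (ISO/IEC 27005)."""
    REDUCTION = "Risk reduction"
    AVOIDANCE = "Risk avoidance"
    TRANSFER = "Risk transfer"
    RETENTION = "Risk retention"
    ACCEPTANCE = "Risk acceptance"

@dataclass
class Asset:
    name: str
    category: str          # one of the eight asset categories on the slide
    cia: Dict[str, int]    # assumed 1..5 value for each of "C", "I", "A"

@dataclass
class RiskScenario:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int                      # assumed 1..5 scale
    affected: Set[str]                   # which of C, I, A the scenario would compromise
    treatment: Optional[Treatment] = None
    control_area: Optional[str] = None   # ISO 27001:2005 clause chosen for reduction (assumed label)

def impact(scenario: RiskScenario) -> int:
    """Impact = highest value among the affected CIA properties (assumed rule)."""
    return max(scenario.asset.cia[p] for p in scenario.affected)

def risk_score(scenario: RiskScenario) -> int:
    """Risk estimation: impact x likelihood, giving a score of 1..25."""
    if scenario.likelihood not in range(1, 6):
        raise ValueError("likelihood must be 1..5")
    return impact(scenario) * scenario.likelihood

def risk_level(score: int) -> str:
    """Risk evaluation: map the score onto the slide's four bands (assumed thresholds)."""
    if score >= 20:
        return "Very High"
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"

# Assumed risk appetite: only Low risks may be retained or accepted as they are;
# anything higher must be reduced (by applying controls), avoided or transferred.
ACTIVE_TREATMENTS = {Treatment.REDUCTION, Treatment.AVOIDANCE, Treatment.TRANSFER}

def treatment_allowed(level: str, treatment: Optional[Treatment]) -> bool:
    """Check a recorded treatment decision against the appetite rule for its level."""
    if treatment is None:
        return False           # every identified risk needs a recorded decision
    if level == "Low":
        return True
    return treatment in ACTIVE_TREATMENTS

def evaluate_register(register: List[RiskScenario]) -> List[dict]:
    """Run estimation, evaluation and the treatment check over a whole register."""
    rows = []
    for s in register:
        score = risk_score(s)
        level = risk_level(score)
        rows.append({
            "asset": s.asset.name, "threat": s.threat, "score": score, "level": level,
            "treatment": s.treatment.value if s.treatment else None,
            "control_area": s.control_area,
            "treatment_ok": treatment_allowed(level, s.treatment),
        })
    return rows

def sample_register() -> List[RiskScenario]:
    """Constructed sample data, not the CBBiH's actual register."""
    payments = Asset("Payment system server", "Hardware", {"C": 4, "I": 5, "A": 5})
    hr = Asset("Staff HR records", "Electronic Information", {"C": 5, "I": 4, "A": 2})
    web = Asset("Public website", "Services", {"C": 1, "I": 3, "A": 3})
    mail = Asset("Printed internal circulars", "Non-electronic Information",
                 {"C": 2, "I": 2, "A": 1})
    return [
        RiskScenario(payments, "power failure", "no UPS in server room", 3, {"A"},
                     Treatment.REDUCTION, "9. Physical and environmental security"),
        RiskScenario(hr, "insider disclosure", "shared administrator account", 2, {"C"},
                     Treatment.REDUCTION, "11. Access control"),
        # A High risk recorded as accepted: the treatment check flags this decision
        RiskScenario(web, "defacement", "unpatched CMS", 4, {"I", "A"}, Treatment.ACCEPTANCE),
        RiskScenario(mail, "loss in internal mail", "no tracking", 1, {"C"}, Treatment.ACCEPTANCE),
    ]

if __name__ == "__main__":
    for row in evaluate_register(sample_register()):
        flag = "" if row["treatment_ok"] else "  <-- not allowed at this level"
        print(f'{row["asset"]:<26} {row["threat"]:<20} score={row["score"]:>2} '
              f'{row["level"]:<9} {row["treatment"]}{flag}')
```

Running the module prints the register with every row whose treatment decision is inconsistent with its risk level flagged; that consistency check is the kind of test an internal ISMS audit applies to a risk register before the Statement of Applicability is signed off.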
Establishing controls
ISO/IEC 27002:2005
• 133+ controls
CC - company culture
6. ORGANIZATION OF INFORMATION SECURITY
7. ASSET MANAGEMENT
8. HUMAN RESOURCES SECURITY
9. PHYSICAL AND ENVIRONMENTAL SECURITY
10. COMMUNICATIONS AND OPERATIONS MANAGEMENT
11. ACCESS CONTROL
12. INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE
13. INFORMATION SECURITY INCIDENT MANAGEMENT
14. BUSINESS CONTINUITY MANAGEMENT
15. COMPLIANCE
Problems no, challenges yes, in every implementation
[Figure: System 1, System 2, System 3, System 4]
Sabots (wooden shoes): 500 years ago workers would throw their sabots (wooden shoes) into the wooden gears of the textile looms to break the cogs, feeling the automated machines would render the human workers obsolete [1].
In every new system there is the possibility that workers will intend to take similar actions against the new system as their predecessors did 500 years ago.
Question: how to solve this problem, and probably many others?
[1] Hodson, Randy and Teresa A. Sullivan, The Social Organization of Work, Chap. 3.
Organisation of the ISMS at the CBBiH
• Security Forum (the Governor and 3 Vice Governors)
• Information security coordinator
• ISMS auditor team (5 members)
• ISMS coordination team (directors)
• BCP coordination team (directors)
• ISMS administration team (2 members)
Information security - Information Security Management System (ISMS) at the CBBiH
The Central Bank of Bosnia and Herzegovina operates an intranet-based Information Security* Management System (ISMS) which meets the requirements of ISO/IEC 27001 ('Information technology - Security techniques - Information security management systems - Requirements').
* In this context, security relates to confidentiality, integrity, and availability.
Awareness (English term; Bosnian: informiranost, svijest)
Known cases we need to take into account
Measuring KPIs
Next cases
Sources:
- Business continuity lessons from Buncefield, Continuity Central, Huddersfield, West Yorkshire, England
- Jon William Toigo, Disaster Recovery Planning: Preparing for the Unthinkable, Third Edition, Foreword xi
Buncefield fuel depot (Hemel Hempstead), London, December 2005
[Photographs: Buncefield fuel depot]
Northgate Information Solutions
[Photographs: Buncefield fuel depot]
Next case...
[Photographs]
Emergency Response Team / Center for the Port Authority: responsible for 3 airports, tunnels, bridges, buses and trains; meet at the Marriott Hotel.
[Photographs]
Business continuity planning and testing
Leading causes of data loss
• Hardware or system malfunctions 44%
• Human error 32%
• Software corruption 14%
• Computer viruses 7%
• Natural disasters 3%
Source: Gartner
Facts
• 33% of IT abuses / attacks come from internal employees
• 28% of IT attacks come from dismissed employees and partners
• Billions of dollars are lost every year to breaches of information security
News from the region
From BH news portals
People do not know what happened to them
And the police are searching
More news...
How common is SPAM and how much does it cost us?
Password theft and its costs
Major damages
An example from the telecommunications sector
Espionage - a real fact of life
Growth trend
These things cannot happen in BiH???
The process of raising awareness of the importance of protecting information
[Figure: five-step cycle]
1. Raising awareness of the problem
2. Understanding the problem and the means of protection
3. Changing the perception of, and attitude towards, the problem
4. Changing behaviour
5. Changing habits
Outcome: awareness of, and acceptance of, the importance of information security in the organisation
You are exposed to risk
Elements of information security
• All staff are responsible for the security of information and information assets
Awareness (English term; Bosnian: informiranost, svijest)
Born 14 March 1879
1. The only thing that interferes with my learning is my education.
2. Science is a wonderful thing if one does not have to earn one's living at it.
3. Intellectuals solve problems, geniuses prevent them.
4. A person who never made a mistake never tried anything new.
5. Education is what remains after one has forgotten everything one learned in school.
6. The secret to creativity is knowing how to hide your sources.
7. You have to learn the rules of the game, and then you have to play better than anyone else.
Awareness - intent, tool (Word, Adobe)
Awareness - intent, tool (PowerPoint, Adobe Captivate)
Example: business continuity
3.1.4 BC and DR definitions
What is a Business Continuity Plan? (BS 25999-1 and -2, and ISO 27001:2005 section 14)
A Business Continuity Plan (BCP) is the overall plan of activities necessary to preserve the operations / functions of the company in case those activities are disrupted by any kind of incident or disaster.
Normal business operations can be jeopardized by a disaster.
Definition of disaster (Webster's dictionary): a calamitous event, especially one occurring suddenly and causing great loss of life, damage, or hardship, as a flood, airplane crash, or business failure.
Business continuity planning and testing
14 Business continuity management
14.1 Information security aspects of business continuity management
14.1.1 Including information security in the business continuity management process
14.1.2 Business continuity and risk assessment
14.1.3 Developing and implementing continuity plans including information security
14.1.4 Business continuity planning framework
14.1.5 Testing, maintaining and re-assessing business continuity plans
ISO 27004:2009
Measuring KPIs
Service-oriented architecture (SOA) for measuring KPIs
Architecture
Infrastructure
ARIS MashZone
Register of corrective and preventive actions
Manage information security and life will never be the same
Thank you
?