1. [Contents fragment, SECTION 5 Government Information Security Rule Book; illegible entries omitted] 5 Information Security Organization 64; 5.1 Information Security Organization Definition 64; 5.2 … 65; 5.3 Communication Route at Emergency 65; 6 Rule and … 65; 6.1 Information … 65; 6.2 People Security 66; Office Building 66; Cabinet and Desk 66; … Machine 66; 6.4 Physical Information 67; 6.4.2 Digital Archives (DVD, CD, FD, Tape) 67; 6.5 Client PC Security 67; 6.5.2 Laptop / Mobile
2. [Contents fragment, SECTION 3 Manual onwards; illegible entries omitted] 4.5.2 Document Revision, Distribution, Access and Keeping 34; 4.6 Record Control 35; 5 Management Responsibility 35; 5.1 Management Commitment 35; 5.2 Government Information Security Organization 35; 5.3 Capacity Development 36; 5.4 Management Review 36; 6 Control and Treatment 36; 6.1 Types of Control 36; 6.2 Control and Treatment by Information Asset 37; Appendix Risk Check Instruction 38; SECTION 4 Government Information Security Management System Risk Check 39; SECTION 5 Government Information Security Rule 62; 1 … 63; 2 Three Basic Rules to Secure Information 63; 3 … 63; 4 Normative References, Terms and Definition
3. [Risk Check sheet residue, pages 43 and 44; only the check items are legible] Anti-virus protection; … and action; Information gathering; Patch application; UPS: UPS for all servers. Page 43, Risk Check (Asset Evaluation, Check item): Backup; Data access; Archive protection; …. Page 44, Risk Check (Check item): Define those who can enter the facility; Separate an office space and the other common space; Get outsiders with an insider attendant; Record an entry and exit; Check result / Comments on Check Results; Entry/exit record.
4. … Security techniques. Information security management systems. Requirements (page 28). 3.2 Terms and Definition. The following are the terms and their definitions specifically used in GISMS. Government Information Security Management System (GISMS): it is the ISMS for the Royal Government of Cambodia in this manual; ISMS refers to ISO/IEC 27001. Government Information Security Office (GIS Office): it is set up as a secretariat of the GCIO Committee, and NiDA takes the role of GIS Office as part of its responsibility. It is responsible for setting up the policy, standards and guidelines of GISMS and is also responsible for all ISMS-related topics in the Royal Government of Cambodia. This definition is a draft; GCIO patronage will be settled in the GCIO development project. Chief Information Security Officer (CISO): it is assigned to one official by ministry. Responsibilities are explicitly defined in the GISMS Manual and the Information Security Rule Book. Information Security Manager (IS Manager): it is assigned by ministry. Responsibilities are explicitly defined in the GISMS Manual and the Information Security Rule Book. Risk Check Book: it is a check book which identifies information assets, evaluates information assets, checks potential risks, identifies risks and evaluates risks. Government Information Security Rule Book (GIS Rule Book): it defines the rules and procedures which secure each information asset. It is defined by ministry, whereas its sample is developed
5. [Risk Check sheet residue, page 41, Client PC; only the check items are legible] Encryption; Mis-addressing mails; Download a web browser executable only which has an electronic signature. Risk Check (Asset Evaluation, Check item): Fax machines and printers; Dispose printed materials / faxed materials with …; Faxing record: keep a record of faxing (sending/receiving). Laptop / mobile PCs; Anti-virus protection: Scan storage devices with anti-virus software periodically; Disposal: Execute a physical formatting of a storage, or scrap it physically. 120 Personal asset (personally owned PC, storage devices and digital archives): 2 Internal, 2 Middle, 1 Low; Permission: Get a permission from IS manager to take in/out a personal asset to/from an office (1 Low); Software installation: Install software explicitly allowed by IS manager; Patch application: Apply patches according to IS manager's request; Encryption: Encrypt to send … e-mail; Report and take …
6. 6 Control and Treatment. 6.1 Types of Control. There are four types: mitigating risks, transferring risks, avoiding risks and (knowingly and objectively) accepting risks. Mitigating risks is the major control to take against the revealed risks. A PC is vulnerable to virus intrusion, for instance; installing and activating anti-virus software is a control to be taken. Transferring risks is the administratively possible way of control. Assume a PC contains valuable information and it is vulnerable to a fire disaster. Then backing the data up in a remote place is a control of mitigating risks; on the other hand, taking out fire insurance and insuring the damage of lost data is a control of transferring risks. Avoiding risks is the alternative of eliminating the source of risks. Previous research collected lots of privacy information which is irrelevant to the main business and is vulnerable to information leakage; then disposing of the information safely is a control of avoiding risks. (Knowingly and objectively) accepting risks is the last option. For example, it is widely applied to protect a LAN by setting up a firewall, whereas a web server for external users is set up outside the firewall. It is accepted that the web server might be attacked from outside, although it needs some recovery efforts once an attack happens. Accepting risks has to be very carefully managed, and top management review and authorization is always required
7. … and/or transmitting of portions or all of this publication may not be allowed without permission of NiDA. SECTION 1 Government Information Security Management System. Drafted by Yusuke Tanaka (JICA Expert). Edited by ICT Security Management Technical Team (iSMTT). Government Information Security Management System. The Project of Capacity Development on ICT Management at …. H.E. CHEA MANIT, Deputy Secretary General; Mr. TANAKA YUSUKE, JICA Expert; November 2008. Government Information Security Management System (GISMS) Development Project. Introduction: GISMS. The Government Information Security Management System (GISMS) is for the Royal Government of Cambodia to secure information used in its business operations, to ensure the administration continuity in the Royal Government of Cambodia and to minimize the risk of damage by preventing security incidents and reducing their potential impact. GISMS has the following characteristics: based on the best practices of the global standard ISO/IEC 27001; accumulation of good practices and knowledge of information security; ease of adoption of ISO/IEC 27001 by any organization because of the applicability of the tasks stipulated; continuous revision; process-based PDCA approach (Plan, Do, Check, Action); applicable regardless of the organization's structure; applicable regardless of the organization's size and/or nature; step by
8. 6 Execute an emergent anti-virus protection procedure if necessary (ISO; n/a). b2-7 Record an analysis and an action in a report (ISO; updated Information Security Event Report). b2-8 File a report and keep it for the defined period (IS in charge; n/a). 20 Records: Information Security Event Report. All information security events should be reported and handled appropriately by the in-charge personnel. Information Security Event Report form fields: Name; Reported Record Number; Department; Contact (Cell, E-mail); Event Type (Virus detection, Inappropriate settings/installation, Undesirable/unsavory e-mail, Others); Reported Time; Event Time; Situation; Action; Lessons Learned (Name, Department, Recorded Time, Lessons Learned). Three Basic Rules to Secure Information. Rule 1: Always consider whether you acquire, process or save confidential information. Do NOT expose information to any risk of leakage, falsification or inaccessibility. Rule 2: Lock up an office entrance, a cabinet and a desk drawer before walking away for any moment. Rule 3: Activate the auto-detection function of anti-virus software. Update the virus definition file at least weekly; scan the storage device of your PC weekly and any external storage device (e.g. FD, Memory Card/Stick and HDD) when connecting it to your PC. Information Security Management Example: Disciplinary Action. Details of
9. … Password Stolen; … UPS. GISMS Document Architecture. The top two documents will be proposed as the common documents among all government organizations in Cambodia. The preliminary ones are drafted in this project and extended in the future (as of 19 NOV). Document layers: Unified Policy and Manual; Assessed by Organization; Defined by Organization; Sample Delivered. GISMS Policy. Objective: The objective of information security is to ensure the administration continuity in the government of the Kingdom of Cambodia and to minimize the risk of damage by preventing security incidents and reducing their potential impact. Policy: The goal of the ISMS Policy is to protect the information assets in the government of Cambodia against all internal, external, deliberate or accidental threats. The security policy ensures that: information will be protected against any unauthorized access; confidentiality of information will be assured; integrity of information will be maintained; availability of information for administration processes will be maintained; legislative and regulatory requirements will be met; information security training will be available for all government officials; all actual or suspected information security breaches will be reported to the Information Security Manager and will be thoroughly investigated. Procedures exist and support the policy, including virus control treatments and password
10. [Risk Check sheet residue, pages 45 and 46; only the check items are legible] Goods shipping record: Keep records of courier service (High, High, High); Cabinet lock-up (198); Fax machines and printers: 2 Internal, High, High, Middle; Physical infiltration; Client PC (hardware and software): Desktop PC; UPS: Connect UPS for all desktop PCs; Security wire: Wire all laptop / mobile PCs physically to desks or store them locked. Page 45: 241 Extended; 242 Network and Server, Risk Check: … to be defined and implemented in the future. Page 46, Risk Check: 279 Physical information; … Paper; Outsiders: Get outsiders with an insider attendant
11. … Risks. The Assess Risks procedure consists of five steps: Identify Information Assets, Evaluate Information Assets, Check Potential Risks, Identify Risks and Evaluate Risks. The detailed procedure is defined in the Risk Check Book. Please refer to the instruction in the Risk Check Book (see Appendix 1 Risk Check Instruction). Step 1 Identify Assets: Identify assets. The Risk Check Book has 6 default assets; 4 assets out of 6, such as Facility, Paper, Client PC and Network & Server assets, are supposed to be defined by each department to check by itself. Step 2 Evaluate Assets: The next step is to evaluate assets. There are 3 elements of evaluation: Confidentiality, Integrity and Availability. Select one class of each according to the criteria shown below. 1 Confidentiality evaluation (Class / Evaluation / Description): 1 General: open information assets which go to the public; 2 Internal: information used only in a government business operation; 3 Confidential: confidential among limited authorized people. 2 Integrity evaluation: 1 Low: no impact on business continuity by falsification; 2 Middle: operational cost impact by falsification; 3 High: political impact by falsification. 3 Availability evaluation: 1 Low: out of service allowed over twenty-four hours; 2 Middle: out of service
12. … desks or store at a locked facility. 65 Anti-virus protection: Scan storage devices with anti-virus software periodically. 66 Disposal: Execute a physical formatting of a storage, or scrap it physically. 68 Permission: Get a permission from IS manager to take in/out a personal asset to/from an office (M; No). 12 Risk Check Book, Step 4 Evaluate Risks: Evaluate Threat and Vulnerability to apply the criteria. Total Risk is automatically displayed. 8 Risk evaluation: Points = Asset + Threat + Vulnerability. Evaluation / Points / Description: allowed risk; non-allowed risk which needs to be controlled. Sample rows (Asset, Threat, Vulnerability, Total Risk): Middle; Unauthorized access, falsification, malfunction; 3 Middle; Middle; H (total risk is automatic). 6 Threat evaluation (Evaluation / Description): Low probability of the threat; Middle probability of the threat; High probability of the threat. 16 Risk Check Book, Step 5 Decide Controls: All check items evaluated as High risks are requested to control them. There are
13. … drafted documents are authorized with the same procedures defined in 4.5.1 Document Structure and Authorization. All other GISMS document revisions are defined by ministry in accordance with the PDCA cycle defined in 4.3 Check and 4.4 Action. The GISMS Manual, Risk Check Book and GIS Rule Book must have a revision history to assure which revision readers are referring to. Distribution, Access and Keeping: The confidentiality of GISMS documents varies by document, which is defined as follows. 1. GISMS Policy and GISMS Manual are classified as "general", which means they can be published and all Cambodian people can access and read them. 2. A non-assessed Risk Check Book contains no identified risks in a ministry and it is classified as "general". On the other hand, an after-assessed Risk Check Book contains identified risks, threats and vulnerabilities; therefore it is classified as "internal", which requires careful distribution, access and keeping only in a government business operation. 3. GIS Rule Book contains the internal business rules and procedures and it is classified as "internal". Copies of all revisions of the after-assessed Risk Check Book, GIS Rule Book and defined records (blank forms) must be submitted to GIS Office, which keeps them for five years. All other GISMS document distribution, access and keeping is defined by ministry. However, it is requested to deal carefully with the handling of documents which contain confidential
14. … information (e.g. server IP address, personal privacy information). 4.6 Record Control: Records need to be managed for implementing rules and procedures. Control of authorization, revision, distribution, access and keeping of records (blank forms) can be defined in the GIS Rule Book. Generally, records are submitted by the designated officials and filed and reserved by the Information Security Office. Keep numbering those records so they are uniquely identified. The period of keeping of all records is defined as one year unless otherwise specifically defined. Records often contain confidential information (e.g. server IP address, personal privacy information), and it is requested to deal carefully with their handling. 5 Management Responsibility. 5.1 Management Commitment: The top management of the Royal Government of Cambodia is responsible for establishing, implementing, monitoring and maintaining ISMS to ensure the administration continuity of the Royal Government of Cambodia and to minimize the risk of damage by preventing security incidents and reducing their potential impact, under the declaration of GISMS Policy. Management people are directly responsible for implementing ISMS and especially for ensuring staff compliance in their respective departments. 5.2 Government Information Security Organization: The Ministers of the Royal Government of Cambodia shall assign a Government Chief Information Officer (GCIO) for each ministry. The top of the Royal Government of Cambodia's
15. … specific threats. Threat evaluation (Class / Evaluation / Description): 1 Low; 2 Middle; 3 High. Vulnerability evaluation (Class / Evaluation / Description): 1 Low: controlled enough to secure against a threat; 2 Fair: controlled, but opportunities to improve; 3 Middle: controlled proportionally, but needed to improve; 4 High: not controlled against a threat. The total risk evaluation is determined by the following calculation. 8 Risk evaluation: Points = Asset + Threat + Vulnerability. Evaluation / Points / Description: 1 / 2 to 6 / allowed risk; 2 / … / non-allowed risk which needs to be controlled. Step 5 Decide Controls: All check items evaluated as High risks are requested to control them. Generally, they need to implement rules and procedures to mitigate risks; therefore it leads to developing the Government Information Security Rule Book. After deciding controls and making treatments for risk items (e.g. define rules and procedures in GIS Rule Book), evaluate risks again and make sure all check items get evaluated as Low. 4.1.4 Develop a Government Information Security Rule Book: GIS Rule Book is defined by ministry. Based on the results of a risk assessment, the major treatment is to define rules and procedures to mitigate revealed risks. GIS Rule Book must contain the following five components: Scope defined at Section 4.1.2 Define the Scope of ISMS; Information
16. … you feel difficult to evaluate. Step 2-2: The Risk Check sheet automatically displays the total evaluation of an asset at column J. Review the result and check it against the criteria listed in the Evaluation Table sheet. Revise the confidentiality, integrity and availability evaluation if you feel a total asset value is different from actual. Read column L … and choose just Yes or No at column …. You can select one from a pull-down menu in each field at column …. Read the description of each threat at column Q for assistance in deciding the threat evaluation. Use a default value if you feel difficult to evaluate. Review the result and check it against the criteria listed in the Evaluation Table sheet. Revise the threat and vulnerability evaluation if you feel a total risk value is different from actual. Go to Step 5 if the total risk is High. Consider the consistency of ISMS if the total risk is Low, and make an arrangement if any (e.g. update the existing rulebook or update the control reference at column V). Step 5-3: Decide the applicability of implementing the rules and procedures in the sample information security rulebook. Decide the alternatives if not applicable, and the rules and procedures which are applicable and can be implemented in the organization. You can select one from a pull-down menu in each
17. Classification: (a) Hiring/Resigning procedure; 1 Information Security Management System; Personal profiling related to information; Physical Information Security; Security Operation; N/A: General Administration related to information security; Key Success Factor; Network; … number is referred; IS; CD enhancement; Process and Timeline; Project Organization; Lead; Timeline described on a full-time basis; XXX; Staff A; XXX; Staff B, C. SECTION 2 Government Information Security Management System Policy. Kingdom of Cambodia, Government Information Security Management System Policy. Objective: The objective of information security is to ensure the administration continuity in the government of the Kingdom of Cambodia and to minimize the risk of damage by preventing security incidents and reducing their potential impact. Policy: The goal of the ISMS Policy is to protect the information assets in the government of Cambodia against all internal, external, deliberate or accidental threats. The security policy ensures that: information will be protected against any unauthorized access; confidentiality of information will be assured; integrity of information will be maintained; availability of information for administration processes will be maintained; legislative and regulatory requirements will be met; information security training
18. Contents: SECTION 1 Government Information Security Management System; SECTION 2 Government Information Security Management System Policy 23; SECTION 3 Government Information Security Management System Manual 27; 1 … 28; 2 … 28; 3 Normative References, Terms and Definition 28; 3.1 … 28; 3.2 Terms and Definition 29; 4 Government Information Security Management System (GISMS); 4.1 Plan …; 4.1.1 Walkthrough GISMS Policy and GISMS Manual; 4.1.2 Define the Scope of ISMS; 4.1.3 Assess Risks 30; 4.1.4 Develop a Government Information Security Rule Book 31; 4.1.5 Define the Scope of the ISMS in GIS Rule Book 32; 4.1.6 … 32; 4.2 Do: Implement and Operate 32; 4.3 Check: Monitor and Review 32; 4.4 Action: Maintain and Improve 33; 4.5 Document Control 33; 4.5.1 Document Structure and Authorization
19. [Risk Check sheet residue, Facility, Paper and Client PC items; only the check items are legible] Columns: Type, Check, Comments on Check Results; Enterprise. 217 Facility/building: Define those who can enter the facility/room; 218 Implement an appropriate key system for an entrance of the facility/room; Separate an office space and the other accessible common space; Get outsiders with an insider attendant. 328 Faxing record: Keep …. 338 Digital Archives (DVDs, CDs, FDs, Tapes); 339 Protection: … media (Tape, FD, CD, DVD) physically. 341 Client PC (hardware and software); 342 Desktop PC: 2 Internal, 3 High; 343 Assign one main user at minimum to all PCs; 344 User ID and password: Use a robust password and change one periodically; 345 Prohibit share user ID and password
20. … a sample rule book; Obtain approvals. 4.3 Check: Monitor and Review; 4.4 Action: Maintain and Improve; 4.5 Document Control; 4.6 Record Control; 5 Management Responsibility; 6 Controls and Treatment. 10 Risk Check Book: The Risk Check Book is applied to all government ministries when they assess their ISMS scope. It contains Assets evaluation, Risks evaluation and Controls. Flow: Start → Identify Assets → Assets Evaluation → Risks Evaluation → Control/Treatment; the first steps belong to the Risk Check Book, the Measurement to the IS Rule Book. Control and Treatment are also called Measure. 11 Risk Check Book, Step 1 Identify Assets: The Risk Check Book is applied to all government ministries when they assess their in-scope information assets. First of all, identify assets. The Risk Check Book has 6 default assets; 4 assets out of 6 (Facility, Paper, Client PC and Network & Server assets) are supposed to be defined by each department to check by itself. Just copy and insert a group of rows (e.g. 50-68 is a group of rows for Client PC) … out whose assets they are. It is useful to prepare an office map for the later assessment. Sheet columns: Assets (L1, L2, L3, Description, Attributes, Location, Manager in charge of Assets); Evaluation (Confidentiality, Integrity, Availability, Total); Check List … NiDA, CISO … 50 Client PC (hardware and software
21. … allowed up to twenty-four hours; High (5): out of service allowed up to four hours. The total evaluation of an asset is the total points of the 3 elements. Review and revise the confidentiality, integrity and availability evaluation if you feel a total asset value is different from actual. 4 Asset evaluation: Points = Confidentiality + Integrity + Availability. Evaluation / Points / Description: 1 / … / assets to impact moderately on an operation; 2 Middle / 7 to 12 / assets to impact enormously on an operation; 3 / 13 to 15 / assets to impact enormously on governing. Step 3 Check Assets: Check assets. Just select Yes or No for each check item. 30 Sample check items of Desktop PC: Assign one main user at minimum to all PCs; Use a robust password and change one periodically; Prohibit share user ID and password with several people; Clear a display screen by setting screen saver function with password; Scan a local storage with anti-virus software periodically; Use an automatic virus detection function usually; Update a virus definition file periodically; Keep records of scanning and updating virus definitions; Connect UPS for all desktop PCs; Execute a physical formatting of a storage, or scrap it physically. Step 4 Evaluate Risks: Evaluate Threat and Vulnerability to apply the criteria. Each check item has an example of threat in a comment column to easily identify the
22. [Risk Check sheet residue, page 42, Network and Server; only the check items are legible] … appropriate actions; Mis-addressing mails; Download a web browser executable only which has an electronic signature. Risk Check: Asset Evaluation, Check item (L1, Description, Location, Manager in charge of Assets, Total); Check type; Check item. 131 …: 2 Internal, … Middle, 1 Low; 132 Disconnect an internal network from an external network; 133 Record a network access; 134 Audit … detect …; … Connect UPS for all network devices; Physical protection; 140 User definition: Define those who can enter the server room; User ID and password: Use a robust password and change one periodically; User ID sharing: Prohibit share user ID and password with several people; Operation manual: Document an operation manual and lessen human error; Access control; 146 Data backup; Data recovery; Record …
[Risk Check sheet residue, asset rows: Desktop PC (2 Internal, 3 Middle); Laptop/mobile PC: all desktop PC check items must be applied (2 Internal, 3 Middle); Storage devices: portable HDDs, memory sticks, memory cards (3 Middle); Personal asset: personally owned PC, storage devices and digital archives (2 Internal, 3 Middle).]

Risk Check Book - Step 2: Evaluate Assets
The next step is to evaluate assets. There are three elements of evaluation: Confidentiality, Integrity and Availability. Select one class for each; just select one from the pull-down menu. Use the default value if you find it difficult to choose.

[Sheet columns: Attributes, Location, Manager in charge of assets, Confidentiality, Integrity, Availability, Basic Check List (NiDA CISO). Confidentiality classes, partially legible: 1 ... information assets which ...; 2 Internal: information used only in a government business operation; 3 ...; 5 Confidential: confidential among limited au
[Risk Check sheet residue, client PC check items, partially legible: ... prohibit sharing a user ID and password with several people; clear the display screen by setting a screen saver with a password; scan local storage with anti-virus software periodically; use the automatic virus detection function as a rule (Yes); scan storage devices with anti-virus software periodically; physically format a storage device or scrap it physically; get permission from the IS manager to take a personal asset into or out of the office; install only software explicitly allowed by the IS manager; Software configuration: configure software according to the IS manager's instruction; Patch application: apply patches according to the IS manager's request (No); Encryption: encrypt e-mail before sending; Mis-addressing mails: take appropriate actions when a mail is mis-addressed; the integrity of a document, and deliver one; Web downloading: download a web browser executable only which has an electronic signature; office space and the other accessible common space; accompany outsiders with an insider attendant.]
[Risk Check sheet residue, asset rows: ... must be applied (2 Internal, 3 Middle); Storage devices: portable HDDs, memory sticks, memory cards (3 Middle); Personal asset: personally owned PC, storage devices and digital archives (2 Internal, 3 Middle).]

Risk Check Book - Step 3: Check Assets
Check assets: just select Yes or No for each check item.

[Check results residue: classes Yes / N/A with counts; evaluation descriptions "Correct operation" and "Risk implication". Check items by type:
- Assignment: assign at least one main user to all PCs
- User ID and password: use a robust password and change it periodically
- User ID sharing: prohibit sharing a user ID and password with several people
- Cleared screen: clear the display screen by setting a screen saver with a password
- Anti-virus protection: scan local storage with anti-virus software periodically
- Anti-virus protection: use the automatic virus detection function as a rule
- Anti-virus protection: update the virus definition file periodically
- Anti-virus protection: keep records of scanning and of virus definition updates
- UPS: connect a UPS to all desktop PCs
- Disposal: physically format a storage device or scrap it physically (No)
- Security wire: wire all laptop/mobile PCs physically to
be followed later.

[Roadmap figure residue: "We're Here" at GISMS 1.0 (Client PC); GISMS 2.0 (Server, Network); GISMS 3.0 and more (Encryption, Application Software, People; Scope Extension; Information Assets; Organization; Deployment).]

GISMS 1.0 Deployment
Succeeding the GISMS 1.0 implementation at NiDA, it is recommended to deploy GISMS 1.0 to all other ministries as part of GCIO (Government Chief Information Officer) activities.
Benefits / Deliverables: a) Raise RGC officials' awareness of IS; b) Secured client PC.
Enhanced IS Capacity: 1 ISMS, 7 Virus, 16 Legislation/Norms (the number refers to the NiDA IS CD enhancement categories).
Key Success Factors: a) Start the GCIO committee officially and deploy GISMS 1.0 with a top-down approach; b) Group ministries by three to distribute the deployment efforts.
Deployment to ministries: Prioritized Group (mid class of IT utilization), 2nd Group (high class of IT utilization), 3rd Group (low class of IT utilization). Deployment to ministries with the same class of IT utilization is the easiest. Non-motivated ministries should be involved after the success of other ministries. Application to high-class ministries will need additional efforts to fit in the more complex assessment and ...
Process and Timeline / Project Organization: GIS Office with at least 3 managers and staff supports; min. 3 members of GCIO for information secu
... each field at columns W and Y. Use the default value if you do not change the controls and the rules and procedures of the sample IS handbook.
Step 6-2: The Risk Check sheet automatically displays the total evaluation of a risk at column AA. Review the result and check it against the criteria listed in the Evaluation Table sheet. Revise the threat and vulnerability valuation if you feel the total risk value is different from the actual one.
Step 6-3: It is preferable to get each total risk classified as Low. Decide to take additional actions to lessen risks, or describe a residual risk statement to accept them.

SECTION 4 Government Information Security Management System Risk Check
Drafted by Yusuke Tanaka (JICA Expert)
Edited by ICT Security Management Technical Team (iSMTT)

[Risk Check sheet image residue: columns Assets, Asset Evaluation, Description, Attributes, Manager in charge of Assets, Check ...]
[Risk Check sheet image residue: Record, Protection, Disposal; assign one main user at minimum to all PCs; Anti-virus protection; UPS; Patch; Mail; Other PC.]
... by NiDA, and the sample is highly recommended to be applied as the minimum level required to secure information.

4 Government Information Security Management System (GISMS)
GISMS takes the Plan-Do-Check-Act (PDCA) cycle as ISO 27001 defines it. This chapter defines these processes of GISMS. It also defines document control and record control.

4.1 Plan (Establish)
The Plan process consists of five sub-processes: walk through the policy and manual, define the scope of GISMS, assess risks, develop the GIS manual, and obtain approvals.

4.1.1 Walkthrough GISMS Policy and GISMS Manual
First of all, read the GISMS Policy, which declares the objective and policy of the Kingdom of Cambodia GISMS. Then walk through the GISMS Manual (this document), which applies to all government organizations of the Kingdom of Cambodia and defines the unified rules to mobilize GISMS.

4.1.2 Define the Scope of the ISMS
When a ministry starts developing an ISMS, it needs to define the scope for one cycle of PDCA. It is generally applicable to define the scope by physical facilities, such as a land boundary or building. It is also possible to define the scope by information system or network, to decide controls and treatments against threats effectively. Scoping by organization chart needs care, because it sometimes makes implementation difficult. The initial version of GISMS focuses only on the Client PC, as the minimum subset of the fully scoped ISMS to be developed in the future.

4.1.3 Assess
... two steps of approval: one is approval by the top management of the ministry and the other is done by GIS Office.
Once all steps from section 4.1.1 to 4.1.4 are completed and the Risk Check Book and GIS Rule Book, which include the CISO and IS manager assignments, are fully documented, the planning process and documents shall be reviewed and approved by GIS Office first, in order to assure compliance with GISMS.
In very exceptional cases a risk may be accepted as a residual risk although it exceeds the accepted level in the automated risk evaluation of the Risk Check Book. This needs well-organized reasons and decision making to obtain the approval of GIS Office.
The approval of the top management of the ministry is a MUST to implement fully and effectively at the ministry.

4.2 Do (Implement and Operate)
The first thing to do when implementing an ISMS at a ministry is to establish the IS Office. Then the CISO assigns some IS Office members to prepare for and conduct information security training. The ISMS is a "management" system; therefore it is recommended that higher-ranked people get training first, become familiar with the ISMS, and lead their officials to implement it.

4.3 Check (Monitor and Review)
It is a long way to go before an ISMS is rooted in an organization. Continuous efforts and improvements are required.
In order to grasp the objective status and to discuss any improvements, the measurements must be installed which are defined in GIS R
experiences.

Capacity category and level are defined in Information Security Skill Map Survey of IPA (Mar 2004).

NiDA Information Security Capacity Category and Level
Capacity categories and levels are defined as below. There are 16 categories and 102 sub-categories.

8 Secured Programming Techniques: Web Application; Database; Application Common; XML (Extensible Markup Language); PHP (Hypertext Preprocessor); JAVA; Perl; VB/ASP; C/C++; UNIX; Compiler/VM (Virtual Machine); Windows
9 Security Operation: Secured Operation at Normal Time; Abnormal Handling; Information Source for Operation
10 Security Protocol: Application Layer; Transport Layer; Network Layer; Data Link Layer
11 Authentication: Password Authentication; Biometric Authentication; Authentication Device; Authentication Protocol; Web Authentication; System Authentication; Single Sig
12 PKI (Public Key Infrastructure): Usage; Certificate and Authentication; Certificate Revocation; Trust Model; Contract Model; Key Description and Encoding Norms; Certificate Repository; Certificate Authorities Establishment and Operation; Legal Scheme; PKI Elemental Technology; PKI Service
13 Cryptography: Public Key Cryptography; Common Key Cryptography; Hashing Algorithm; Cryptic Random Number; Key Management; Zero Knowledge Proof; Other Cryptosystem; Cipher Breaking; Strength Evaluation
14 Electronic Signature: Usage; Elemental Technology; Mechanism; Benefits
Information Security Management Example: Disciplinary Action
[Example notice image, partially legible: "Disciplinary Action taken in May 2007. To All XYZ Company People in Japan. Business ethics are critical for our company's success because they build trust and transparency. Trust and transparency, in turn, build the right ... our suppliers, our stakeholders and the communities in which ... throughout the world. However, unfortunately ... here and there within the company ... Dismissal on grounds: improper/fraudulent claims related to time report."]
Considering the insufficient working regulations in the Royal Government of Cambodia, the GIS Rule Book at the first stage takes no disciplinary actions.

Information Security Management Example: Software Installation Block
[Example notice image, partially legible: "To All XYZ Company People in Japan. Microsoft is expected ... its Internet Explorer ... will be distributed ... October 25th."]
This control requires a technical implementation on the client, and the GIS Rule Book at the first stage only defines a recommended rule to get approval from the IS Manager.

Information Security Management Example: USB Memory Usage Prohibition
[Example notice image, partially legible: "To All XYZ Company People in Japan. Below are the list of ... related global ... security violations and ... Business use of USB ... rule. However, the security administrator may permit such use as project pol
This control requires a technical implementation, and the GIS Rule Book at the first stage defines a rule to put a strap with a small external device.
... shall establish the Government Chief Information Officer Committee (GCIO Committee). The Government Information Security Office (GIS Office) is set up as the secretary of the GCIO Committee, and NiDA takes the role of GIS Office as part of its responsibility. This clause is a draft; GCIO patronage will be settled in the GCIO development project.
The top management of each government organization shall assign a Chief Information Security Officer (CISO), and he/she establishes an Information Security Office (IS Office).

5.3 Capacity Development
Information security capacities are defined as follows, and they are enhanced under the management of GIS Office as a center of excellence.
Information Security Capacity Categories:
1 Information Security Management System
2 Network Infrastructure Security
3 Application Security
4 OS Security
5 Firewall
6 Intrusion Detection
7 Virus
8 Secured Programming Techniques
9 Security Operation
10 Security Protocol
11 Authentication
12 PKI (Public Key Infrastructure)
13 Encryption
14 Electronic Signature
15 Unauthorized Access
16 Legislation/Norms

5.4 Management Review
GCIO is required to review all ISMS processes of all government organizations, and GIS Office is authorized to request all government organizations to report their ISMS status.
The CISO and IS Office at each government organization are required to operate the equivalent review, which fulfills the requirements of GIS Office and of 4.3 Check (Monitor and Review).
... [project pol]icy if one of the following conditions is met: 1) if the USB memory has password protection; 2) if the USB memory has a biometric authentication function (fingerprint authentication, etc.); 3) if files are always encrypted or password-protected when saved in USB memory.

Information Security Management Example: Web Site Access Block
[Example notice image, partially legible: "To All XYZ Company People in Japan. As of December 30, 2007, access to specific non-business websites from the office LAN was blocked. IT department has been ... investigat... internet access logs to ... Company resources ... access are for business use, although limited personal use is accepted ... in Policy 57. Excessive personal use is not allowed. Your good sense is expected for the appropriate use of the Company resources. Failure to comply with XYZ Company policies will be reported and disciplinary action may be taken."]
This control requires a technical implementation, and the GIS Rule Book at the first stage only defines a rule not to access web sites with inappropriate materials.

Action Plan - Next Step
This project covers only the Client PC at NiDA; call this project GISMS 1.0. Then, deployment to other ministries repeats its actions.
Extend the coverage of information assets to Server, Network, Encryption, Application Software Development and People Matters. A Business Continuity Plan is another set of actions to
... check items are drafted by GIS Office, reviewed and authorized by the GCIO Committee (tentative name until officially established). The Risk Check Book blank form contains the default risk evaluation values and the controls to be taken. They are assessed and updated by the ministry. Put the name of the ministry on the document after it is assessed.

GISMS Document Architecture
The top two documents will be proposed as the common documents among all government organizations in Cambodia. The preliminary ones are drafted in this project and extended in the future.
[Figure residue: As of 5 NOV; Unified Policy and Manual; Defined by Organization; Sample Delivered.]

4) GIS Rule Book
This is defined by the ministry. A sample GIS Rule Book, defined based on the default risk evaluation values of the Risk Check Book blank form, is drafted by GIS Office. It has to be authorized by the top of the ministry. Put the name of the ministry on the document.
Other supplementary documents are defined and utilized by the ministry.

4.5.2 Document Revision, Distribution, Access and Keeping
Revision:
The GISMS Policy shall be declared by the top of the Royal Government of Cambodia. Hence, its revision procedure is defined by the other rules specified in RGC. This needs to be specifically determined in a decree system in the future.
The GISMS Manual and Risk Check Book are revised yearly by GIS Office on the basis of comments and requests from ministries implementing ISMS. The
[Table of contents residue, GIS Rule Book:]
... Laptop/Mobile PC 69
6.5.3 Storage Devices (Portable Hard Disk, Memory Stick, Memory Card, Floppy Disk) 71
Personal PC 71
Software 71
... 73
... 75
6.6 Network and Server Security (To be fully defined in the future) 76
6.6.1 ... and ... 76
6.6.2 Server 76
6.7 Application Software Security (To be defined in the future) 77
7 Information Security Training 77
7.1 Information Security Training Execution 77
7.2 Promissory Letter Submission 77
8 Measure 77
9 Breach (To be defined in the future) 78
10 Records 78
SECTION 6 The Statement of Promise For Government Information Security 60

Note: All rights are reserved to National Information Communications Technology Development Authority (NiDA). The material in this publication is copyrighted. Copying
... Information Security Organization, Rules and Procedures, Information Security Training, and Measurement for Check and Action. A ministry is obliged to use the sample GIS Rule Book, which is issued by GIS Office, whose role is described in Chapter 5, Management Responsibility. The following three steps explain the tips for developing the GIS Rule Book.

4.1.5 Define the Scope of the ISMS in the GIS Rule Book
The scope of the ISMS defined in Section 4.1.2 is documented in the GIS Rule Book, where it is recommended to clarify the information assets and their related physical locations, organizations and officials, as the example in the sample rule book shows.

4.1.5.1 Identify the non-applicable rules and procedures in the sample rule book
The rules and procedures depend on the information assets and their confidentiality in the scope of each ministry. They do not need to be defined unless the targeted information assets exist in the scope.

4.1.5.2 Modify rules and procedures in the sample rule book
They need to be defined more securely if the information dealt with in a ministry is more confidential, according to the results of the risk assessment. They need to be added if the sample rule book does not contain the in-scope information assets. In the latter case it is recommended to discuss with GIS Office before starting to define rules and procedures, in order to decide who defines the standard for newly in-scoped information assets of RGC.

4.1.6 Obtain approvals
There ar
... on
15 Unauthorized Access: Remote Unauthorized Access; Denial of Service; Tapping; Surveilling; Information Collection; Classical Unauthorized Access
16 Legislation/Norms: Standard and Guideline; Law and Act; International Standard; International Guideline

Key Take Away
Five points we should know in GISMS:
1. The documents include the GISMS Policy, GISMS Manual, Risk Check Book and GIS Rule Book.
   a) The GISMS Policy declares the top management commitment to implementing GISMS.
   b) The GISMS Manual defines the unified approach of GISMS for all ministries concerned.
   c) The Risk Check Book enables all ministries to assess their risks by the same criteria.
   d) The GIS Rule Book implements GISMS at each ministry.
2. Top management commitment. Top management commitment is indispensable to root the ISMS in each ministry.
3. All officials' involvement. All officials are strongly expected to set their mindset to keep information security rules and procedures, and to do information-security-related work in their daily operation.
4. Technology utilization. Technology optimizes information security risk mitigation and partly lessens officials' manual work. This will be challenged in the next cycle of the ISMS.
5. Continuous improvement. All managers and above are obliged to supervise the implementation of the ISMS in their department or group completely, with con
[Information Security Management System] (continued): Management Techniques; Risk Analysis Techniques; Information Security Policy; Information Security Audit; Relevant Knowledge
2 Network Infrastructure Security: Network Design Techniques; Network Access Protocol; VPN (Virtual Private Network); Wireless LAN
3 Application Security: Threats against Web Server; Security Measures of Web Server; Operation of Web Server; Web Application Design; Web Browser Security; Basic Knowledge of Web Related Protocol
4 OS Security: Log Control; Patch Application Control; Service Control; File System Control; Account Control
5 Firewall: Firewall Installation and Operation; NAT (Network Address Translation); Network Access Control
6 Intrusion Detection: Intrusion Detection System Installation and Operation; Intrusion Detection System Function; Detection Algorithm; Detection Subject; Intrusion Detection System
7 Virus: Communication Route; Policy after Infection; Policy for Prevention; Virus Attack; Detection and Cleansing; Infection; Virus Types

Level Description
Level 0: No knowledge, no experience.
Level 1: Understands basic knowledge; able to acquire detailed technical contents through experience.
Level 2: Puts acquired knowledge into practice under supervision; able to explain detailed technical content referring to experience.
Level 3: Puts knowledge into practice autonomously; able to use and advise technical know-how referring to various
... indispensable and mandatory business.
PDCA (Plan-Do-Check-Act) cycles can gradually enhance information security step by step.
A government-unified ISMS can keep a better level of information security, by researching the private and public sectors in Cambodia and by considering global trends, with the minimum power.
[Figure residue: Royal Government of Cambodia; Assuring confidentiality; Maintaining integrity; ...]

Risk Evidence
RGC is being increasingly exposed to cyber attacks from outsiders as it utilizes IT and the internet more, as identified by the notably high ratio of virus infection, reaching 35.

Risks and Measures Example
There exist present and clear dangers to information security, and it needs to react proactively.
[Figure residue, three elements (Confidentiality, Integrity, Availability) with threats, vulnerabilities and protection measures: Information leakage; destroying media, disposing; FD/CDs; Room entry/exit control; Software patch; File sharing software usage; Anti-virus software; Security hole; Simple password; Access control; Access logging; Encryption; Digital signature; Fingerprint; Firewall/DMZ; Hacking of server; Unauthorized access; Plain text communication; Sniffing; Service disabled; Laptop PC left in a car; Theft; Denial of service; Wiring laptop PC; Data backup and recovery procedure.]
... training will be available for all government officials.
All actual or suspected information security breaches will be reported to the Information Security Manager and will be thoroughly investigated.
Procedures exist and support the policy, including virus control treatments and passwords.
Administrative requirements for availability of information and systems will be met.
The Information Security Manager is responsible for maintaining the policy and providing support and advice during its implementation.
All managers are directly responsible for implementing the policy and ensuring staff compliance in their respective departments.
Compliance with the Information Security Policy is mandatory.
Title: Secretary General    Date:

SECTION 3 Government Information Security Management System Manual
Drafted by Yusuke Tanaka (JICA Expert)
Edited by ICT Security Management Technical Team (iSMTT)

1 Introduction
The Government Information Security Management System Manual (GISMS Manual) defines how the Royal Government of Cambodia establishes, implements, checks and takes action on the Government Information Security Management System as one body, under the Government Information Security Management System Policy (GISMS Policy) declared by its Prime Minister, the chief of the government.

2 Scope
The GISMS Manual covers all thirty-one government organizations, stated as follows:
The Office of the Council of Mini
... for maintaining the current scope of the ISMS. One official is in charge of virus infection handling, and he/she has to develop the technical skills.
[Slide residue: Survey Cambodian ...; It may apply any technical controls, such as automatic virus definition file updates from a server through the network; have additional trainings, including emergency drills; Monitoring and Auditing: solve the illegal software problem.]

GISMS 2.0 Extension
[Organization chart residue: IS Office Coordinator; by division/group: IS Manager, IS In charge.]
The next PDCA cycle, as GISMS 2.0, is recommended to target Server and Network.
Benefits / Deliverables: a) System administrator manual; b) Secured server (technical controls planned for the secured server).
Key Success Factors: a) Successful PAIS go-live is a prerequisite; b) Divide operational control and technical control at the early stage of planning, and implement the operational control to obtain benefits quickly; c) Skillful resource allocation.
Enhanced IS Capacity: 2 Network Infrastructure Security, 3 Application Security, 4 OS Security, 5 Firewall, 6 Intrusion Detection, 9 Security Operation, 10 Security Protocol (the number refers to the NiDA IS CD enhancement categories); Information Classification.
Process and Timeline: Two groups are in ... maintaining server and network
... passwords.
Administrative requirements for availability of information and systems will be met.
The Information Security Manager is responsible for maintaining the policy and providing support and advice during its implementation.
All managers are directly responsible for implementing the policy and ensuring staff compliance in their respective departments.
Compliance with the Information Security Policy is mandatory.
Signature:    Title: Secretary General    Date:

GISMS Manual Contents
The Government Information Security Management System (GISMS) Manual is defined as only one among all ministries of the Royal Government of Cambodia. The initial version of the GISMS Manual is focused on Plan (Establish ISMS) (pink shaded part).
[Contents residue: Introduction; Scope; Government ...; Plan (Establish): Walkthrough ISMS Policy and ISMS Manual; Define the Scope and Boundaries of the ISMS; Assess Risks; Define an Information Security Rule Book; Define the Scope of the ISMS of the IS Rule Book; Identify the non-applicable rules and procedures in a sample rule book; Modify rules and procedures in
... are four types: mitigating risks, transferring risks, avoiding risks, and knowingly and objectively accepting risks.
Generally, they need to implement rules and procedures to mitigate risks. Therefore, it leads to developing the Government Information Security Rule Book (see the next section).
After deciding controls and making treatments for risk items (e.g. defining rules and procedures in the GIS Rule Book), evaluate risks again and make sure all check items get evaluated as "Low".
[Table residue, Risk Evaluation after Control: columns Control Contents, References, Threat, Vulnerability, Total Risk; rows "Implement Rules and Procedures" / "Implement Rules" referencing the GIS Rule Book, with threat 1, vulnerability 1, total risk 1 where legible.]

Government Information Security (GIS) Rule Book Contents
The GIS Rule Book is defined by each ministry. The following introduces the NiDA GIS Rule Book. It is the specific rule which needs to be done internally, and it will be extended in the future to get a more secure environment. It can be copied and modified for each ministry's GIS Rule Book. The initial version of the Information Security Rule Book is focused on client PC security (pink shaded part).
[Contents residue: Introduction; ... Client PC Sec
rity matters

[Figure: GIS Office organization. NiDA officials are mainly appointed to the GIS Office, which serves as secretary to the GCIO Committee; the Committee is established from the GCIOs of the ministries and elects the [...]. The GIS Office delivers consulting and audit services (implementing, monitoring and auditing) to each ministry's GCIO and CISO, with JICA expert support for the plan to develop the ISMS.]

GISMS 1.0 Continuous Improvement

GISMS 1.0 at NiDA needs to be continuously improved, as described above.

[Figure: GISMS 1.0 improvement overview.
Scope: Client PC; Information Classification; People; Physical Information; Network.
Benefits: (a) root GISMS 1.0 in NiDA; (b) let NiDA be a front runner of ISMS in the RGC and lead ISMS deployment; (c) NiDA officials in charge of the GIS Office become more familiar with GISMS and more comfortable deploying it to other ministries.
Key success factors: (a) top management commitment, especially for solving the illegal software problem; (b) an additional external party survey to optimize the security level enhancement.
Enhanced IS capacity (the numbers refer to the IS capacity categories): 1 Information Security Management System; 7 Virus; 9 Security Operation.
Process and Timeline / Project Organization: two IS Office lead officials need to be assigned fo]
s at NiDA and they are [...]

[Figure: process and timeline. Allocate budget and [...] for technical controls; implement URS technical controls; JICA expert support (not yet confirmed); an IS Office coordinator is assigned to enhance server and network security; the network connected to PAIS has priority because of its effects.]

NiDA Information Security Capacity Development Enhancement

NiDA is to enhance its information security capacity according to the defined actions.

[Table: target capacity level per category (for example Information Security Management System, Application Security, Intrusion Detection, Secured Programming Techniques); the level values are not legible. The levels are defined in the Information Security Skill Map Survey of IPA (Mar 2004).]

NiDA Information Security Capacity Category and Level

Capacity categories and levels are defined as below. There are 16 categories and 102 sub-categories.

Information Security Ma
siest way of doing this is simply to log on to the LAN so that the automatic update process runs. If you cannot log on for some reason, contact the Information Security Office for advice on obtaining and installing anti-virus updates.

a6. Always virus-scan any files downloaded to your computer from any source (FD, CD, DVD, USB hard disks and memory sticks, network files, e-mail attachments or files from the Internet). Virus scans must be set to happen automatically. Scheduled scans must also be run at least weekly.

a7. Report any information security event, such as a virus infection, promptly to the Information Security Office in order to minimize the damage.

a8. Respond immediately to any virus warning message on your computer, or if you suspect a virus (e.g. from unusual file activity), by contacting the Information Security Office. Do not forward any files or upload data onto the network if you suspect your PC might be infected.

Procedure

This page is cited from the Government Information Security Rule Book.

Virus Detection Handling

Step  Action                                                            Who       Record
b2.1  Detect an information security event such as a virus detection   Official  n/a
b2.2  Physically disconnect from the network immediately                Official  n/a
b2.3  Inform the ISO immediately when the event happens                 Official  Information Security Event Report
b2.4  Analyze the effects of the event and take appropriate action      ISO       n/a
b2.5  Terminate any network application services if necessary          ISO       n/a
b2
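Rules a5 and a6 and procedure step b2.2 are easy to state and easy to drift from, so an Information Security Office will want a routine check of the client PC inventory against them. The script below is an added example, not code from the GISMS manual or the NiDA GIS Rule Book; the record layout, hostnames and dates are constructed for the example, and a real inventory would be exported from the anti-virus management console.

```python
"""Client PC anti-virus compliance check (added example).

Checks an inventory of client PCs against rule a5 (virus definition file
updated at least weekly), rule a6 (automatic scanning on, scheduled scan at
least weekly) and procedure step b2.2 (a PC that detected a virus must be
taken off the network immediately). Not part of the GISMS manual; the
record layout, hostnames and dates are constructed for this example.
"""
from datetime import date, timedelta

MAX_DEFINITION_AGE = timedelta(days=7)   # rule a5: update at least weekly
MAX_SCAN_INTERVAL = timedelta(days=7)    # rule a6: scheduled scan at least weekly


def check_pc(record, today):
    """Return the list of rule violations for one client PC (empty = compliant)."""
    findings = []
    if today - record["definitions_updated"] > MAX_DEFINITION_AGE:
        findings.append("a5: virus definition file older than one week")
    if not record["auto_scan"]:
        findings.append("a6: automatic virus scanning is switched off")
    if today - record["last_scheduled_scan"] > MAX_SCAN_INTERVAL:
        findings.append("a6: no scheduled scan within the last week")
    if record["infection_reported"] and record["on_network"]:
        findings.append("b2.2: infected PC is still connected to the network")
    return findings


def check_inventory(records, today):
    """Map hostname -> findings for every PC in the inventory."""
    return {r["host"]: check_pc(r, today) for r in records}


def non_compliant_hosts(records, today):
    """Hostnames that need follow-up by the Information Security Office."""
    return sorted(h for h, f in check_inventory(records, today).items() if f)


# Constructed sample inventory and reference date (not real NiDA data).
TODAY = date(2009, 9, 14)
SAMPLE_INVENTORY = [
    {"host": "pc-desk-01", "definitions_updated": date(2009, 9, 13),
     "auto_scan": True, "last_scheduled_scan": date(2009, 9, 12),
     "infection_reported": False, "on_network": True},
    {"host": "pc-desk-02", "definitions_updated": date(2009, 8, 20),   # a5 stale
     "auto_scan": True, "last_scheduled_scan": date(2009, 8, 20),      # a6 stale
     "infection_reported": False, "on_network": True},
    {"host": "pc-lap-03", "definitions_updated": date(2009, 9, 10),
     "auto_scan": False,                                               # a6 off
     "last_scheduled_scan": date(2009, 9, 10),
     "infection_reported": True, "on_network": True},                  # b2.2
]

if __name__ == "__main__":
    for host, findings in check_inventory(SAMPLE_INVENTORY, TODAY).items():
        print(host, "OK" if not findings else "; ".join(findings))
```

A PC that is exactly seven days old on either date is still compliant, which matches the "at least weekly" wording; tighten the two timedelta constants if the ministry's rule book sets a shorter interval.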
step and spiral evolution (PDCA, Established)

GISMS Development Scope

The scope is deliberately narrowed so that a PDCA cycle can be realized under the severe time constraint. The client PC is selected because of its vulnerability and because practical activities around it raise the awareness of all officials.

[Figure: development scope. NiDA client PC; Information Classification; Server; Organization; Information Assets.]

GISMS Development Project Schedule

The schedule is set to realize the PDCA cycle of the ISMS quickly. A workshop with other ministries is set up to share the ISMS development experience and to raise awareness of the necessity of an ISMS.

[Figure: project schedule from 14 Sep. Establish the ISMS; Information Security Training; GISMS Development (Do) at NiDA; Discussion to apply to other ministries; Request attendance; Draft roadmap; Finalization; CD plan; Finalize the plan.]

Government Information Security Management System (GISMS)

GISMS (Government Information Security Management System) in Brief

Objective: to continuously secure the information of the Royal Government of Cambodia.
Benefit: to help ensure the continuity of governance; the risk of insufficient IS management is [...].
Characteristics: GISMS is based on ISO 27001, the global standard; a top-down approach makes GISMS the most effective, as the i
1. [...]sters
2. Ministry of Agriculture, Forestry and Fisheries
3. Ministry of Commerce
4. Ministry of Culture and Fine Arts
5. Ministry of Economy and Finance
6. Ministry of Education, Youth and Sports
7. Ministry of Environment
8. Ministry of Foreign Affairs and International Cooperation
9. Ministry of Health
10. Ministry of Industry, Mines and Energy
11. Ministry of Information
12. Ministry of Interior
13. Ministry of Justice
14. Ministry of Labor and Vocational Training
15. Ministry of Land Management, Urban Planning & Construction
16. Ministry of National Defense
17. Ministry of Parliamentary Affairs and Inspection
18. Ministry of Planning
19. Ministry of Post and Telecommunication
20. Ministry of Public Works and Transport
21. Ministry of Religions and Cults
22. Ministry of Rural Development
23. Ministry of Social Affairs, Veterans and Youth Rehabilitation
24. Ministry of Tourism
25. Ministry of Water Resources and Meteorology
26. Ministry of Women Affairs
27. Municipality of Phnom Penh
28. Secretariat of Public Service
29. Secretariat of Civil Aviation
30. National Information Communications Technology Development Authority (NiDA), and
31. Permanent Mission of the Kingdom of Cambodia to the United Nations

3 Normative References, Terms and Definition

3.1 Normative References

The following referenced documents are indispensable for the application of this document:

ISO/IEC 27001:2005 Information technology
[Risk Check sheet (extract). Columns: Check Item, Check Type, Check Results (Yes / No / N/A), Comments. Recoverable check items:
- User definition: define those who may enter the facility
- Key system: an appropriate key system for the entrance of the facility
- Dispose of printed materials with care
- Keep a record of faxing, sending and receiving
- [Classify] the information within each paper document
- Keep confidential paper documents in a safe against unauthorized [access]
- Use a paper shredder when disposing of confidential documents
PC hardware and software:
- Anti-virus protection
- Install only software explicitly allowed by the IS manager
- Configure software according to the IS manager's instruction
- Apply patches according to the IS manager's request]

Risk Evaluation

[Sheet columns: Check Item, Description, Attributes, Location, Manager in charge of Assets, Confidentiality, Integrity, Availability, Total.]
thorized people

Integrity:
1 Low     [...] impact on business continuity by falsification
2 Middle  Operational cost impact by falsification
3 High    [...] impact by falsification

Availability:
1 Low     Out of service allowed over twenty-four hours
2 Middle  Out of service allowed up to twenty-four hours
3 High    Out of service allowed up to four hours

Risk Check Book, Step 2: Evaluate Assets

The spreadsheet then automatically displays the total evaluation of an asset from the total points of the three elements. Review and revise the confidentiality, integrity and availability evaluations if the resulting total asset value differs from the actual one.

[Asset Evaluation sheet columns: L1, L2, L3, Description, Attributes, Location, Manager in charge of Assets, Confidentiality, Integrity, Availability, Total. Sample rows: Basic Check List; NiDA CISO; Client PC (hardware and software).]

Asset class evaluation:
Class     Points  Description
1 Low     1       Assets with a moderate impact on an operation
2 Middle  2       Assets with an enormous impact on an operation
3 High    3       Assets with an enormous impact on governing

Laptop/mobile PC: All desktop PC check items must
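The Evaluation Table above fixes the point scale (Low/Middle/High = 1/2/3) and the availability criteria, and the treatment section earlier requires every check item to be re-evaluated as "Low" once controls are in place. The following is an added example of that spreadsheet arithmetic in code, not the Risk Check Book itself: how the three points combine into the asset class, the threat and vulnerability scales, and where the "Low" boundary of total risk lies are not stated on the page, so those thresholds, the check items and the residual vulnerabilities are assumptions made for the example.

```python
"""Risk Check Book arithmetic (added example, not the GISMS spreadsheet).

From the manual: Low/Middle/High = 1/2/3 points and the availability
criteria (outage allowed over 24 hours, up to 24 hours, up to 4 hours).
Assumed for the example: how the three points combine into the asset class,
the 1..3 threat and vulnerability scales, the product formula, and the
boundaries of Low / Middle / High total risk. Replace them with the values
in the ministry's own Risk Check Book.
"""

LOW, MIDDLE, HIGH = 1, 2, 3
CLASS_NAME = {LOW: "Low", MIDDLE: "Middle", HIGH: "High"}


def availability_points(max_outage_hours):
    """Evaluation Table criterion: how long the asset may be out of service."""
    if max_outage_hours > 24:
        return LOW      # out of service allowed over twenty-four hours
    if max_outage_hours > 4:
        return MIDDLE   # out of service allowed up to twenty-four hours
    return HIGH         # out of service allowed up to four hours


def asset_class(confidentiality, integrity, availability):
    """Total of the three point values (3..9) -> asset class.

    Assumed thresholds: 3-4 Low, 5-7 Middle, 8-9 High.
    """
    points = (confidentiality, integrity, availability)
    if any(p not in (LOW, MIDDLE, HIGH) for p in points):
        raise ValueError("each element must be 1 (Low), 2 (Middle) or 3 (High)")
    total = sum(points)
    if total <= 4:
        return LOW
    if total <= 7:
        return MIDDLE
    return HIGH


def total_risk(asset, threat, vulnerability):
    """Assumed: product of asset class, threat (1..3) and vulnerability (1..3).

    Product 1..4 -> Low, 5..12 -> Middle, above 12 -> High.
    """
    score = asset * threat * vulnerability
    if score <= 4:
        return LOW
    if score <= 12:
        return MIDDLE
    return HIGH


def evaluate(check_items, controls=None):
    """Total risk per check item, optionally after controls are applied.

    `controls` maps a check item name to the vulnerability that remains once
    its rules and procedures are implemented (assumed to lower vulnerability
    only). Returns (risk_by_item, items_not_yet_low); the manual's acceptance
    condition is that every check item is evaluated as Low.
    """
    controls = controls or {}
    risk_by_item = {}
    for item in check_items:
        asset = asset_class(item["c"], item["i"], item["a"])
        vulnerability = controls.get(item["item"], item["vulnerability"])
        risk_by_item[item["item"]] = total_risk(asset, item["threat"], vulnerability)
    not_low = [name for name, r in risk_by_item.items() if r != LOW]
    return risk_by_item, not_low


# Constructed check items (not rows from the real Risk Check Book).
CHECK_ITEMS = [
    {"item": "Anti-virus protection on client PC",
     "c": MIDDLE, "i": MIDDLE, "a": availability_points(24),
     "threat": HIGH, "vulnerability": HIGH},
    {"item": "Paper shredder when disposing of confidentials",
     "c": HIGH, "i": LOW, "a": availability_points(72),
     "threat": MIDDLE, "vulnerability": MIDDLE},
]
# Assumed residual vulnerability once the GIS Rule Book rules are implemented.
AFTER_RULE_BOOK = {"Anti-virus protection on client PC": LOW,
                   "Paper shredder when disposing of confidentials": LOW}

if __name__ == "__main__":
    before, _ = evaluate(CHECK_ITEMS)
    after, pending = evaluate(CHECK_ITEMS, AFTER_RULE_BOOK)
    for name in before:
        print(f"{name}: {CLASS_NAME[before[name]]} -> {CLASS_NAME[after[name]]}")
    print("still above Low:", pending)
```

With these assumed scales, implementing the rule book alone takes the anti-virus item from High to Middle, not Low, because the asset class and threat are unchanged; that is exactly the case the manual's "evaluate again" step is meant to catch, and it is why the second return value lists the items that still need a further control or a documented, knowingly accepted risk.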
tinuous improvement

Appendix

Image of Vulnerable Servers Spreading Out Viruses

Assume a vulnerable DNS server is hacked by unauthorized users from the Internet.

[Figure, read as a chain of events:]
1. The DNS server has security holes.
2. The DNS server is hacked.
3. The DNS cache table is falsified (DNS spoofing).
4. A LAN user accesses the Internet.
5. The DNS server designates a wrong IP address.
6. The malicious site sends hidden malware in the HTML.
7. The malware hides successfully unless the anti-virus software detects it.
8. The malware searches cookies for credit card IDs and passwords.
9. The malware sends the information to the attackers' sites.
10. The malware sends the information to [...].
11. The information is sold to other parties.
12. They buy goods paying with the fraudulent credit card information.
13. The LAN user suffers financial damage.

GISMS 3.0 Extension

[Template slide: XXX (e.g. PKI features); Information Classification; Information Security [...]; XXX system; user manual; Virus; [...] security; Key Success Factor; the number refers to the IS CD enhancement; Process and Timeline; Project Organization; Lead; timeline described on a full-time basis; Staff A; Staff B, C.]

GISMS X.X Extension

[Template slide: XXX; People Matters; Benefits; Deliverables; Enhanced IS Capacity; Information]
uired

Control and Treatment by Information Asset

Most controls and treatments are of the risk-mitigating type. The major controls and treatments are found in the Risk Check Book and in the sample GIS Rule Book, respectively. New controls and treatments are preferably put in place by each ministry, and they must be clearly reported at the time of GIS Office approval.

Appendix 1 Risk Check Instruction

Risk Check Book Instruction

The Risk Check Book is used in the Plan phase of the ISMS. Follow the instructions below step by step.

Step 1.1 Walk through the assets listed in column C of the Risk Check sheet. It defines six types of asset: Information, People, Facility, Paper, Client hardware and software, and Network and server.
- Information and People assets are supposed to be defined at ministry level, in accordance with the usual governance.
- Facility, Paper, Client hardware and software, and Network and server assets are supposed to be defined by department, so that each department checks its own.
- You can copy and paste an asset by row in order to check by department. However, an asset has multiple check items that identify its risks, so be careful to copy the whole group of rows so that all items are included.

Evaluate assets

Step 2.1 Evaluate confidentiality, integrity and availability by applying the criteria described in the Evaluation Table sheet. Select one value from the pull-down menu in each field at column [...] and I. Use the default value if
ule Book.

An internal audit surveying the effectiveness of the implemented ISMS is also required, to find issues in reaching the level of risk set in the planning process and/or to review the accepted level of risk. The results of the risk evaluation must be updated in the Risk Check Book. The frequency of Check and Action must be defined in the GIS Rule Book; however, it has to be at least once a year.

Action (Maintain and Improve)

The results of the measurement and of the internal audit lead to decisions on actions to improve the effectiveness of the ISMS and to optimize the accepted level of risk. Those actions are not only enhancements of rules and procedures but also treatments such as installing new software or hardware to protect a network system. The actions may include abolishing some rules and procedures to match a change in the ministry's role and business operation.

4.5 Document Control

This section defines the GISMS document structure, authorization, revision, distribution, access and keeping.

4.5.1 Document Structure and Authorization

GISMS has four major documents:

1. GISMS Policy
2. GISMS Manual
   These are drafted by the GIS Office, reviewed by the GCIO Committee (tentative name until officially established) and authorized by the GCIO Chairman (tentative name until officially established). The GISMS Policy shall be declared by the top of the Royal Government of Cambodia. The initial version 1.0 is tentatively defined by NiDA with the assistance of JICA.
3. Risk Check Book
   The chec
urity

[Rule Book contents]
2 Three Basic Rules to Secure Information
3 Scope
4 Normative References, Terms and Definition
4.1 Normative References
4.2 Terms and Definition
5 Information Security Organization
5.1 Information Security Organization Definition
5.2 ISO Member List
5.3 Communication Route at Emergency
6 Rules and Procedures
6.1 Information Classification (to be fully defined in future)
6.2 People Security (to be defined in future)
6.3 Facility Security
6.3.1 Office Building and Room
6.3.2 Cabinet and Desk
6.3.3 Fax Machine and Printer
6.4 Physical Information Security
6.4.1 Paper
6.4.2 Digital Archives (DVD, CD, FD, Tape)
6.5 Client PC Security
6.5.1 Desktop PC
6.5.2 Laptop/Mobile PC
6.5.3 Storage Devices (Portable Hard Disk, Memory Stick, Memory Card, Floppy Disk)
6.5.4 Personal Properties
6.5.5 Software
6.5.6 E-mail
6.5.7 Web Browsing
6.6.1 LAN and Internet
6.6.2 Server Common
6.7 Application Software Security (to be defined in future)
7 Information Security Training
7.1 Information Security Training Execution
7.2 Promissory Letter Submission
8 Measurement
9 Breach (to be defined in future)
10 Records List

Client PC Security Rule (Desktop)

This page is cited from the Government Information Security Rule Book.

Desktop PC: Virus Protection

a5. Viruses are a major threat to NiDA, and client PCs are particularly vulnerable if their anti-virus software is not kept up to date. The virus definition file MUST be updated at least weekly. The ea
    