How to reach us: 800.507.4517 info@hotskills-inc.com

ISO 27001 Certification

International Financial Institution

Background

As an International Financial Institution (IFI) established to promote the health of the world economy, this organization is governed by and accountable to the governments of the 184 countries that make up its near-global membership. Some of the key objectives of this organization are to promote international monetary co-operation and exchange stability and to facilitate the expansion and balanced growth of international trade. It also provides temporary financial assistance to countries to help ease balance of payments adjustment.

The technology group is the organization's central function for providing information and technology services to the line business units. The overarching objective is to ensure that staff have the information and systems to do their jobs wherever they are - in their Washington headquarters, in representative offices, or while traveling. Over the last ten years, IT has been integrated into virtually all of the IFI's business functions. Significant investments have been made in the IT infrastructure and services to provide a robust and reliable foundation that has enabled the IFI's transformation goals of decentralization and integration. The majority of resources for increased demands in the work program and for new initiatives (capital investments) have been provided by on-site contractors working as full-time members of the organization under a staff augmentation model.

The IFI's senior management has very recently, after much research and analysis, taken an informed decision to significantly cut costs by offshoring the majority of its application development and infrastructure management, taking advantage of lower costs and using a 'follow-the-sun' model for continuous support.

In light of these developments, the organization clearly understood the importance of information security: facilitating information sharing while also protecting against unauthorized access and disclosure that could compromise its effectiveness in discharging its responsibilities.

The Information Security Officer felt the need for a methodology by which to develop and implement information security controls and effectively manage risks internally within the organization and externally for services provided by the contracted outsourced service provider. Various standards and references were examined, including ISO Standards, COBIT, business requirements, and other sources.

Challenges

The organization has been increasingly opening its network to provide connectivity for traveling staff and for other financial institutions and governments to access its internal systems, in addition to sharing the development and management of key applications and infrastructure components with service providers. The organization, due to its intrinsic position as an IFI, was also exposed to increasing threats from the external environment: viruses, hackers and malicious software. There was growing pressure from staff to have more flexibility in what software they could load on their PCs. As more information became easily available in digital form, the potential for unintended disclosure of official information had grown substantially. There were privacy concerns regarding email systems and business data. How should the organization manage the many trade-offs required to find the right balance between information security and client responsiveness? How should the security function be staffed and managed?

Objectives

The objective was to create an Information Security program that was defined, measured, and flexible enough to appropriately reflect business objectives. It needed to be integrated with the global corporate culture and enterprise risk methodologies. Implementing an ISO 27001 based program and achieving certification was an objective intended to show industry leadership among IFIs. The goal was also to improve existing information security processes and implement controls based on a culture of risk assessment and risk acceptance. As a by-product, the program would also help the organization speak the same language as the outsourced service providers, who had already achieved maturity in their processes.

Needs

The program also needed to address the following needs:

  • Accelerate program maturity while maintaining flexibility
  • Build the Information Security Program based on international standards
  • Exhibit due diligence
  • Improve communication with the IFI's business
  • Improve contract management with outsourced vendors and manage information security risks in the contract arrangement
  • Provide proof of activities and management
  • Create a structure for growth
  • Empower span of control and accountability

All these needs had to be addressed without adding additional employees and be integrated with the major outsourcing effort.

Actions Taken

Upon examination of the potential methodologies, it was determined that the ISO 27002 Information Security Code of Practice provided the best fit for the IFI. By leveraging ISO 27002, it was possible to build a flexible, business-friendly and risk-based Information Security Program and also certify to ISO 27001 (ISO 27002 is a code of practice; certification is against the ISO 27001 management-system requirements). Because ISO 27002 is an internationally accepted information security standard, it brought immediate credibility to the foundation of the effort. The fact that the outsourced service provider was also certified to ISO 27001 proved a catalyst to the effort.

The IFI decided to engage an expert third party, HotSkills, Inc after a comprehensive RFP process involving other major industry players. This decision was made on the unparalleled experience of the HotSkills staff, and their proven ability to provide certifiable solutions. The HotSkills Principal Consultant assigned to the task had previously worked through several successful certification efforts, including another IFI having presence in over 90 countries. The certified scope was the largest in the United States at that time.

The first major step involved an assessment of the security program and its maturity. This assessment reviewed what program elements were in place, and rated their maturity level. The assessment focused on the current information security program, including policies, risk management practices, management commitment, existing governance models and other applicable information security controls. Maturity was rated on a scale of one to five, based on the Capability Maturity Model (CMM) developed by the Software Engineering Institute at Carnegie Mellon University. Completion of the assessment resulted in the production of an "Information Security Roadmap" which provided senior management a quick snapshot of the strong and weak areas and enabled them to re-adjust work priorities and allocate essential resources. Four major control gaps were noted, including inconsistencies in the application of existing information security policies across various business processes. It was determined that these existing processes and documentation were in need of revision and "repackaging" in order to fully develop and implement an Information Security Management System (ISMS).

The second major step involved the design and development of the actual ISMS. A well defined Domain (or Scope) Definition was created, and a Risk Assessment was performed against the domain. Utilizing a risk management approach that was consistent with the culture of the organization and existing corporate risk management methodologies, an effective measure of risks was obtained. These were categorized into Raw Risk, Treated Risk, Accepted Risk, and Residual Risk. The assessment enabled business process owners and outsourced service providers to prioritize efforts on strengthening controls in the areas of high risks.
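As an added illustration of the risk categories named above (raw, treated, accepted and residual risk), the following Python risk register shows how a treated risk is derived from a raw risk and compared against a risk appetite to decide what is accepted and what remains to be prioritized. This is example code written for this page, not the IFI's or HotSkills' actual methodology; the 1-5 likelihood/impact scales, the multiplicative control-effectiveness model, the acceptance threshold and the sample entries are all assumptions constructed for the illustration.

```python
"""Constructed risk-register example: raw, treated, accepted and residual risk.

Added illustration, not the IFI's or HotSkills' actual methodology. Scales and
formulas are assumptions:
  - likelihood and impact on a 1..5 scale, raw risk = likelihood * impact (1..25)
  - each control has an assumed effectiveness in [0, 1); treated risk is the raw
    risk reduced by the combined effectiveness of its controls
  - risk appetite: treated risk at or below ACCEPT_THRESHOLD is accepted;
    anything above is residual risk that still needs further treatment
"""
from dataclasses import dataclass, field

ACCEPT_THRESHOLD = 6  # assumed risk-appetite boundary on the 1..25 scale


@dataclass(frozen=True)
class Control:
    name: str
    effectiveness: float  # assumed fraction of risk removed, 0 <= e < 1


@dataclass
class Risk:
    asset: str
    threat: str
    owner: str            # business process owner or outsourced provider
    likelihood: int       # 1..5
    impact: int           # 1..5
    controls: list[Control] = field(default_factory=list)

    def raw(self) -> int:
        """Raw risk before any control is credited."""
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and impact must be on the 1..5 scale")
        return self.likelihood * self.impact

    def treated(self) -> float:
        """Treated risk: controls combined as independent reductions, so the
        remaining fraction is the product of (1 - effectiveness)."""
        remaining = 1.0
        for c in self.controls:
            if not 0.0 <= c.effectiveness < 1.0:
                raise ValueError(f"control {c.name}: effectiveness must be in [0, 1)")
            remaining *= 1.0 - c.effectiveness
        return round(self.raw() * remaining, 2)

    def category(self) -> str:
        """Accepted if within appetite, otherwise residual (needs more treatment)."""
        return "accepted" if self.treated() <= ACCEPT_THRESHOLD else "residual"


def prioritize(register: list[Risk]) -> list[tuple[str, str, int, float, str]]:
    """Rows (asset, owner, raw, treated, category) with the highest remaining
    risk first, so owners see where to strengthen controls."""
    rows = [(r.asset, r.owner, r.raw(), r.treated(), r.category()) for r in register]
    return sorted(rows, key=lambda row: (-row[3], -row[2], row[0]))


# Constructed sample register (hypothetical assets and controls, not real findings).
SAMPLE_REGISTER = [
    Risk("core lending ledger", "unauthorized data disclosure", "Treasury ops", 4, 5,
         [Control("role-based access", 0.5), Control("DB activity monitoring", 0.3)]),
    Risk("remote access gateway", "credential theft from travelling staff",
         "IT infra (outsourced)", 3, 4, [Control("two-factor authentication", 0.6)]),
    Risk("staff workstations", "malware via user-installed software",
         "Desktop services", 5, 3, [Control("application whitelisting", 0.3)]),
    Risk("public web site", "defacement", "Communications", 2, 2, []),
]

if __name__ == "__main__":
    for asset, owner, raw, treated, cat in prioritize(SAMPLE_REGISTER):
        print(f"{asset:22} {owner:24} raw={raw:2d} treated={treated:5.2f} {cat}")
```

Run stand-alone it prints the register ordered by treated risk; note that the ledger stays "residual" even with two controls credited, which is exactly the kind of entry a process owner would be asked to treat further, while the gateway drops within appetite after two-factor authentication and is recorded as accepted risk rather than silently forgotten.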

Based on the Risk Assessment, program elements and requirements were identified, defined, organized, and documented. A "framework" was developed, which included an Information Security Charter, Standards, Requirements and Processes. The framework took into consideration existing management structures. Care was taken to re-use and enhance existing processes as much as possible. HotSkills facilitated discussions with business process owners, which enabled them to suggest improvements to existing processes.

The IFI's Information Security Policy was examined, revised and translated into specific standards. This revision empowered the ISMS, and provided the appropriate span of control to the Information Security Officer, especially with outsourced service providers.

The IFI is currently in the process of implementing the ISMS, which is the third major step. The methodology being utilized in the development of the ISMS will allow for the creation of a three year Information Security Program that is designed to allow for the certification of the IFI's core financial applications and processes, while having impact throughout the entire technology group. Because of the critical steps involved, including the participation of key stakeholders and third parties during the process, implementation has had no major issues.

Certification is the fourth, and last of the major steps that will be undertaken. It has been determined that the scope of registration/certification would be centered on the core financial applications and processes of the IFI. These applications process strictly confidential information that is considered extremely sensitive.

Finally, a registrar will be selected, and the Certification Audit conducted. The IFI has determined to leverage HotSkills to serve as an Ombudsman during the actual Certification Audit.

Results

In addition to the direct benefit provided to the IFI, many other areas of the business were able to derive benefit.

How the needs were met:

Accelerate program maturity while maintaining flexibility
The program was able to show maturity through a documented program, a risk management culture, proof of activities, and their implementation into the IFI's environment.

Build the Information Security Program based on international standards
The Information Security Management System was built upon the concepts of ISO 27001. Control Objectives were derived from ISO 27002, GLBA, Sarbanes-Oxley internal controls, as well as other legal, regulatory, and business requirements.

Exhibit due diligence
Though the IFI does not have a need to comply with local laws and regulations, through the structure of the ISMS, it was possible to demonstrate due diligence by already complying with legal and regulatory requirements. This placed the organization in a position where it could easily comply with any future legal and regulatory requirements should there be a need. The ISMS was also ready to deal with internal and external auditors, reducing the required preparation time and ensuring consistent communication.

Improve communication with the IFI's business
The ISMS helped improve communication with the business departments. This communication channel was clearly lacking prior to the development of the ISMS. Clearly defined communication channels and responsibilities allowed for timely communication when and where required. Effective communication and awareness also helped end users to understand the balance between information security and business requirements.

Improve contract management with outsourced service providers and manage information security risks in the contract arrangement
Third-party requirements were derived from the ISMS and were available for inclusion in outsourcing contracts and for measurement of service providers. The IFI's staff assumed the role of contract managers, establishing accountability, managing risks, and monitoring and reviewing service quality, which resulted in reduced time, cost and errors and better service provisioning. The structure of the ISMS also allowed the "how do we do this?" or "what are we doing about this?" questions to be answered very easily.

Provide proof of activities and management
By documenting program requirements and tracking activities, it was possible to develop an accurate system of measurements that reflected the management of the Information Security Program. This proof was shown through the creation of records, communication to required or involved parties, and continuous improvement.

Create a structure for growth
By creating an Information Security Program (as defined by the ISMS), it was possible to identify the services that were provided to the organization. The ISMS, while formal, was flexible enough to allow for the addition of new components, or the revision of existing components very rapidly. This allowed for new initiatives to be identified, analyzed, and incorporated in a short period of time - consistent with the existing program.

Empower span of control and accountability
Through the development of the ISMS, it was possible to empower the information security function. This empowerment ensured that span of control was appropriate to each layer of the organization. The CIO and the Managing Director, represented by the Policy Group, maintain organizational and strategic control, and the Information Security Officer maintains tactical and operational control. Change can be effected rapidly when needed, accountability is established, and oversight exists and is informed.