Topic:

Information Security Management System Implementation & ISO 27001:2005 Certification

Essay Instructions:
I want to paraphrase the attachment: same content and same construction, just paraphrased, and make sure that there is no plagiarism. The attached paper must be reworded/paraphrased in all its sections. Information Security Management System Implementation & ISO 27001:2005 Certification
Information Security Management System Implementation & ISO 27001:2005 Certification
Al Rajhi Bank
Done By:
AUTHOR NAME
ID No.
INSTRUCTOR
INSTRUCTOR NAME
Table of Contents
1 Introduction
2 Consistency with the organisation's business plan
3 Project stakeholders
4 Objectives and scope
4.1 Project tasks and deliverables
5 Project schedule
5.1 Milestones
5.2 Gantt chart
6 Schedule constraints
7 Work breakdown structure (WBS)
7.1 WBS coding
8 Project budget
9 Budget constraints
10 Risk management
10.1 Change management
10.2 Information management
Project quality management
Document control
Process monitoring
Conclusion
References
1 Introduction
Al Rajhi Bank is one of the twelve major banks in Saudi Arabia. The bank operates a complex and varied IT environment, built to match a growing set of business needs and demands. Like every other sector, financial services has seen an increasing penetration of information technology, and with it a higher likelihood of multi-faceted risks, both internal and external to the institution. To safeguard its data and other assets against such threats, Al Rajhi Bank needs to develop and implement protective measures that comply with an international best-practice standard.
Al Rajhi Bank's information security management system (ISMS) is to be aligned with the ISO 27001 international certification standard. ISO 27001 is the benchmark against which organisations and institutions seek independent certification of their systems, including the security management system. The standard and its certification apply to the whole framework and operation of the ISMS, covering the design, implementation, management, maintenance and enforcement of processes and controls, so that these are coherent and applied regularly and systematically across the organisation. Implementing such a standard also makes efficient audits by external third parties possible. At their core, the ISO standards aim to ensure that the information security management system established in an organisation is effective and efficient and that serious threats to it are identified and addressed. They also provide for continual improvement, so that the principles governing the control of information security and networking continue to be followed.
The standard applies to all types of organisation, from commercial enterprises to government agencies and non-profit organisations. It sets out the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving a documented ISMS in the context of the organisation's overall risk management processes, together with requirements for implementing security controls customised to the needs of the individual organisation or institution.
Recognising the importance of ISO 27001, Al Rajhi Bank intends to obtain certification against it in order to gain a competitive edge in its service offerings.
2 Consistency with the organisation's business plan
In a fast-paced and highly technological world, every organisation needs to secure its data and information, as these are valuable assets. Information security systems are therefore implemented to protect information and data according to the specific organisation's requirements and needs, which in turn are determined by its business environment and by legal regulation. Although most organisations find it difficult to establish standardised criteria for defining these requirements, an ISO 27001-certified ISMS has proved to be an essential tool in today's business environment, both for securing information and for the organisation's ethical standing. For the same reason,
There are many reasons for an organisation to implement ISO 27001. The most fundamental is growing business demand: the standard ensures that data protection and information security processes are implemented correctly and followed at every stage and level of business activity.
ISO 27001 also specifies the prerequisites that must be fulfilled in order to implement and operate an information security management system (ISMS) effectively. Fig 1 gives a concise overview of the core deliverables required at each stage of the ISMS implementation process. The stages and methods of implementation follow the structure of ISO 27001. Procedures for identifying, assessing and managing information risks, together with the development of the information security policy, will be derived from the ISO 27001:2005 international standard and best practice.
Fig 1. Information security management system [figure not reproduced]
3 Project stakeholders
Gray and Larson (2003: 572) define stakeholders as "individuals and organizations that are actively involved in the project, or whose interests may be positively or negatively affected as a result of project execution or completion. They may also exert influence over the project and its results". As in any project, this project has a set of stakeholders, which includes:
* The ISMS manager(s)
* The information security steering committee
* The information security officer(s)
* The internal auditor(s)
* Application developers
* System and application administrators
* Human resources
* Legal
* The physical security officer(s)
* Information owners
* The IT service desk
* ISMS users
* ISMS liaison/representative(s)
* The security incident response team
* Customers
4 Objectives and scope
The fundamental objective of this project is a complete implementation, at all levels and stages, so that conformance with every requirement defined in ISO 27001:2005 is established and applied to the designated areas.
This objective will be attained by:
* Managing security risks through cost-effective procedures.
* Ensuring that procedures comply with the applicable laws and regulations.
* Aligning the work with, and meeting, the organisation's specific security objectives and goals.
* Implementing the project as a process, in layered stages.
* Identifying existing ISM processes and assessing their compliance with the standard.
* Documenting and formulating effective information security guidelines and measures.
The scope of the project is:
* Information security governance and regulation.
* Information security services (security device management, security monitoring and incidents).
* Information security risk management.
* Al Rajhi online services (internet, applications and records).
4.1 Project tasks and deliverables

1 Project initiation
Tasks:
* Conduct the project initiation meeting on schedule.
* Develop, review and finalise the project plan.
* Present the project to the assigned team.
Deliverables:
* Project plan.
* Project progress and status reports.
* Project management presentation(s).

2 ISMS implementation

2.1 Identify the assets within the ISMS scope
Tasks:
* IT and functional mapping.
* Preparation of the phase deliverables.
* Acceptance of the phase deliverables by Al Rajhi Bank.
Deliverables:
* Inventory of the ISMS assets.

2.2 Conduct a risk assessment for the ISMS and develop a risk treatment plan
Tasks:
* Perform a business impact analysis.
* Identify existing and missing security controls.
* Conduct a threat analysis.
* Conduct a vulnerability analysis.
* Recommend risk treatment options.
* Prepare the phase deliverables.
* Acceptance of the phase deliverables by Al Rajhi Bank.
Deliverables:
* Risk assessment report.
* Risk treatment recom...
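The asset inventory (2.1) and the risk assessment with its treatment plan (2.2) are the computable core of the ISMS work above. The following is an added example, not part of the original essay or of Al Rajhi Bank's project: a small Python risk register that scores constructed sample assets and threat scenarios, credits existing controls, and derives a risk treatment plan against an assumed acceptance level. The 1 to 5 scales, the rule that an asset's impact is the highest of its C/I/A ratings, the one-step likelihood credit for an existing control, the threshold of 9 and every asset, threat and control listed are assumptions made for illustration.

```python
"""Added example (not from the original essay or the bank's project): a
minimal ISO 27001-style risk assessment over an asset inventory (task 2.1)
that yields a ranked risk register and a risk treatment plan (task 2.2).

Assumptions, none taken from the essay: 1-5 scales for likelihood and impact;
an asset's impact is the highest of its C/I/A ratings; an existing control is
credited with one step of likelihood reduction; risk = likelihood x impact;
risks above ACCEPTANCE_THRESHOLD are reduced with controls, the rest accepted.
All assets, threats and controls are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ACCEPTANCE_THRESHOLD = 9  # assumed risk acceptance level (likelihood x impact)

# Constructed asset inventory: id, name, owner and (C, I, A) ratings on 1-5.
ASSETS: List[Dict] = [
    {"id": "A1", "name": "Internet banking web application",
     "owner": "Digital Channels", "cia": (5, 5, 5)},
    {"id": "A2", "name": "Customer records database",
     "owner": "Data Management", "cia": (5, 5, 4)},
    {"id": "A3", "name": "Branch intranet wiki",
     "owner": "Internal Communications", "cia": (2, 2, 2)},
]

# Constructed scenarios: (asset id, threat, vulnerability, raw likelihood 1-5,
# existing control or None).
SCENARIOS: List[Tuple[str, str, str, int, Optional[str]]] = [
    ("A1", "Credential stuffing", "No rate limiting on the login endpoint", 4, None),
    ("A1", "SQL injection", "Unparameterised queries in a legacy module", 3,
     "WAF in blocking mode"),
    ("A2", "Insider data exfiltration", "Broad DBA privileges, no activity logging",
     3, None),
    ("A3", "Web defacement", "Wiki software behind on security patches", 2,
     "Monthly patching"),
]


@dataclass
class Risk:
    asset_id: str
    asset_name: str
    owner: str
    threat: str
    vulnerability: str
    likelihood: int  # residual likelihood after crediting existing controls
    impact: int
    existing_control: Optional[str]
    score: int
    treatment: str


def asset_impact(asset: Dict) -> int:
    """Impact is driven by the most sensitive of the C/I/A ratings (assumption)."""
    return max(asset["cia"])


def residual_likelihood(raw: int, existing_control: Optional[str]) -> int:
    """Credit an existing control with one step of likelihood reduction (assumption)."""
    return max(1, raw - 1) if existing_control else raw


def decide_treatment(score: int, existing_control: Optional[str],
                     threshold: int = ACCEPTANCE_THRESHOLD) -> str:
    """Pick the treatment option: accept at or below the threshold, otherwise reduce."""
    if score <= threshold:
        return "accept"
    if existing_control:
        return "reduce: strengthen existing control"
    return "reduce: implement new control"


def assess(assets: List[Dict], scenarios, threshold: int = ACCEPTANCE_THRESHOLD) -> List[Risk]:
    """Build the risk register from the inventory and scenarios, highest risk first."""
    by_id = {a["id"]: a for a in assets}
    register: List[Risk] = []
    for asset_id, threat, vuln, raw_likelihood, control in scenarios:
        asset = by_id[asset_id]  # a KeyError here means the scenario is outside the ISMS scope
        likelihood = residual_likelihood(raw_likelihood, control)
        impact = asset_impact(asset)
        score = likelihood * impact
        register.append(Risk(asset_id, asset["name"], asset["owner"], threat, vuln,
                             likelihood, impact, control, score,
                             decide_treatment(score, control, threshold)))
    return sorted(register, key=lambda r: r.score, reverse=True)


def treatment_plan(register: List[Risk]) -> List[Dict]:
    """Only risks that are not accepted enter the plan, each with a responsible owner."""
    return [{"asset": r.asset_name, "owner": r.owner, "threat": r.threat,
             "score": r.score, "action": r.treatment}
            for r in register if r.treatment != "accept"]


if __name__ == "__main__":
    register = assess(ASSETS, SCENARIOS)
    print("Risk register (residual likelihood x impact):")
    for r in register:
        print(f"  {r.score:>3}  {r.asset_name:<34} {r.threat:<26} {r.treatment}")
    print("Treatment plan:")
    for item in treatment_plan(register):
        print(f"  [{item['owner']}] {item['asset']}: {item['threat']} -> {item['action']}")
```

Running the file prints the ranked register and the treatment plan. In a real engagement the scales, the acceptance level and the set of treatment options (ISO 27001:2005 also allows avoiding or transferring a risk) are decided by the steering committee and recorded in the risk treatment plan, and every scenario must map to an asset already in the inventory, which the lookup in assess() enforces by failing on an unknown asset id.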