Report: Information Security Management System (ISMS) based on ISO 27000 Training Course, May 11-19, 2015, Indonesia

Class Photo of APO Participants


The training aimed to enable participants from various APO member countries to understand, apply and monitor the implementation of standards, and requirements of an information security management system (ISMS) based on ISO 27000. The five-day training is a project of the Asian Productivity Organization (APO) and was implemented by the National Productivity Organization (NPO) of Indonesia.

Based on the presentations of the course’s resource experts, many businesses and governments around the world have experienced information security violations such as data breaches. These resulted in huge losses in terms of finances, property, services, reputation, and opportunities. These events highlight the need for organizations to set up policies and procedures to help manage threats that may pose risks to the confidentiality, integrity and availability of their information. These policies and procedures, and the controls that implement them, largely make up the ISMS.

OBJECTIVES FOR PARTICIPATION

G. Widwidan, Court of Appeals

I joined the training to gain knowledge of how ISMS / ISO 27000 is implemented in general, and in government facilities in particular. In the process I hoped to gain an understanding of the challenges faced by the implementers, including the best practices for setting up and maintaining an ISMS.

L. Franco, DAP

As a management audit analyst under the Internal Audit Services Unit of DAP, it is our concern to protect all assets of the organization, including information assets, from losses of any kind. In line with this, my attending the training sponsored by NPO Indonesia further strengthened my knowledge and exposed me to the current best practices on ISMS applied by other APO member countries.

PROFILE OF PARTICIPANTS

There were 18 trainees from APO member countries; most hold IT or information-system-related responsibilities. There were two of us from the Philippines: Mr. Luis Jose Malay Franco, Management Audit Analyst III from the Development Academy of the Philippines (DAP), and myself, Gregory Silverio Widwidan, IT Officer / EA III from the Management Information Systems Division of the Court of Appeals.

Mr. Sidharth Sharma from India was the first resource expert to facilitate the technical sessions. He was later joined by his fellow experts Messrs. Nazim and Lizuan, both from Malaysia. In steadily holding the course throughout, Mr. Muhammad Idhaim from APO-Tokyo was ably assisted by the Indonesian NPO Staff.

SCOPE, CONTENT AND METHODOLOGY

The topics discussed were mainly the nature and benefits of an ISMS, and the new structure, domains, controls and control objectives of ISO 27001:2013.

The resource speakers’/experts’ training methods involved lectures, video presentations, and discussion of articles. We the trainees participated in on-topic video games broadcast to the class, written tests, country presentations, and group work.

During the country presentations, we first introduced ourselves, our work responsibilities, the core operations of our respective organizations, and our experiences related to information security. We also covered the state of micro, small and medium enterprises, including the challenges to information security, in our respective countries.

For our site visit, we traveled to a telecommunications company. We interacted with company representatives, who presented accounts of how they were able to attain and maintain their ISO 27001 certification.

In the final team presentations, we were grouped by country to conduct an ISMS scoping analysis. We started the process by determining the intended outcomes of the ISMS, the external and internal issues affecting those outcomes, and the stakeholders and their requirements. From these, we formed the scope by defining the ISMS boundary and its applicability.

OUTCOMES AND EVALUATION

G. Widwidan, Court of Appeals

The resource speakers focused on the structure, domains, relevant controls and related policies of ISO 27001 as a reference for an ISMS – a management system for preserving the confidentiality, integrity and availability of information. They directed attention to vital areas of the specification and provided tips on how information security auditors will evaluate these. Document preparation for certification purposes was also given emphasis.

The resource speakers are well versed in the topic. They used a variety of methods to connect with the participants. One speaker gained attention by opening with discussions of recent information security incidents that cost companies dearly. Another speaker handled seemingly “dry” subjects by punctuating his lectures with jokes on specific topics or on his related experiences. Another speaker directed trainees to interact in topic-oriented interactive video games. These methods helped hold the participants’ attention and drive home specific points on the subject.

One of the resource speakers emphasized the approach of starting small in implementing an ISMS, and the use of ISO 27001 as a template for defining IS plans, not necessarily for certification. Another expert reassured trainees that ISO 27001 can really be easily understood, contrary to what he described, in humor, as the tendency of some consultants to present the ISO matter as something very difficult.

One of our objectives was to learn how an ISMS is implemented in the government sector. The site visit to Telekom-Indonesia, the state-owned telecommunications firm, helped address this. Company staff presented the history of ISO 27001 in their company; the triggering events that pushed for adoption, e.g. a large loss due to a security incident; their challenges, e.g. employee discipline; and the organizational support for the ISMS they needed to set up, among others. They mentioned that ISO 27001 is required by the Ministry of Industries. Later, the course’s experts from Malaysia also informed us that ISO 27001 is mandated for government entities in their country.

Our interactions with other participants in group work, presentations, discussions, and informal talks also proved fruitful. We came to know of their organizations’ information security status and implementations. We also formed friendships.

Overall, I came out of the training with a much healthier appreciation of ISO 27001 and the feasibility of implementing an ISMS in government as a means of protecting the integrity, availability and confidentiality of information. The resource speakers made me, as an IT practitioner (and probably others as well), realize that ISO 27001 is almost a complete reference for creating a specific IT work plan for information security. The standard’s listed control objectives and controls cover a wide enough ground to constitute a framework for identifying concrete and specific IT measures for securing information, whether or not the measures are for ISO certification. Non-IT members can also work on the administrative and physical controls to implement.

The NPO staff of Indonesia did an excellent job in holding the training. We were well attended to. There were no problems with our accommodations. They were proactive in physically arranging the seating of participants to facilitate trainees getting acquainted, and also to ease the flow of discussions.

L. Franco, DAP

It was a revelation during the training to learn that an ISMS need not be implemented on a grand and large scale. It was learned that it makes good sense to start the ISMS in a small but progressive approach, making management buy-in easier and with less resistance. Since all organizations have resource limitations, a cost-benefit analysis must also be made prior to implementing an ISMS.

As shared by the more experienced ISMS implementers in the group (Malaysia, India, Iran), it was a common observation that the task of overcoming the “human element” (resistance to change) makes the implementation of an ISMS a challenge in any organization. Since the effectiveness of the system primarily relies on the personal attitude and acceptance/compliance of all employees, there must be complete buy-in not only by management but also by all the other members of the organization. People by nature, they said, resist most forms of control measures, and in some instances this even involves people occupying higher positions/levels within the organization’s hierarchy, who sometimes view these as unnecessary, inconvenient or, worse, as an affront to their lofty positions.

In this regard, they also advised that a delicate assessment of the culture of the organization must first be made before attempting to implement any ISMS activity. They even mentioned their experience with personnel already used to some of the daily routine information security practices required who, somehow, surprisingly balk at the concept of an ISMS once it is put forward and labelled by the organization in a formal way.

For the most part, the RPs, namely Mr. Sidharth Sharma, Mr. Nazim and Mr. Lizuan, had the topic of ISMS well covered. It also helped that both Mr. Nazim and Mr. Sharma satisfactorily answered all the inquiries or questions of the participants and were generous in sharing with the group their personal knowledge and experiences in implementing an ISMS.

Since the exposure of the participants ranged from the uninitiated to the more experienced, it was in this context that Mr. Sharma’s use of computer games as a learning tool made the learning easier. It has to be mentioned that Mr. Sharma interestingly employed computer games to gauge the participants’ level of understanding after his lectures. This made the learning process more effective, enjoyable and at the same time fun for all the participants.

RECOMMENDATIONS AND ACTION STEPS

G. Widwidan, Court of Appeals

Based on the learnings from the training, I recommended to the executive group of MISD (of which I am a member) here in the Court of Appeals that an information security risk and control assessment of the work processes and measures undertaken by MISD be conducted. This assessment will specifically use the domains, controls and control objectives in Annex A of ISO 27001:2013 as reference. The purpose of this assessment is to determine the extent of MISD’s efforts in helping secure information, i.e. preserving information confidentiality, integrity and availability. We will use the results to define our plans for implementing further measures in this respect (this includes a regular information security review using the standard as a guide). As we go through the assessment using the ISO 27001 standard, I will be comprehensively re-echoing my learnings to the MISD exec-com so that the members can have a practical grounding in the concepts. We also hope that this activity and its results can be used by other groups to conduct their own assessments.

Our government should also look into implementing an ISMS based on ISO 27001, or similar, in light of recent cyber-security attacks on government by external entities, a number of which may be of national concern, e.g. “Naikom”. The implementation of an ISMS in government organizations can help manage threats to the integrity, availability and confidentiality of government information. DAP may also be in a position to help start policy initiatives on ISMS in government (similar to those in Indonesia and Malaysia), given its continuing efforts on ISMS/ISO 27001 trainings.

L. Franco, DAP

Since the various participants have different levels of exposure to ISMS, it was agreed upon by the group to form a Facebook Group to serve as a portal for communicating and exchanging with one another their respective experiences and challenges, and possibly sharing helpful tips with regard to their individual implementations of ISMS in their respective organizations.

Since DAP is an institution of learning, any future activities related to ISMS should be aligned towards the direction of intellectual property protection. Plagiarism is a growing concern within the academic sector worldwide and has caused reputational damage to some learning institutions. This risk is further complicated by the continuing advancement of technology, where information is easily accessible to anyone through the internet.

Given that DAP is already implementing selected security control procedures identified in the ISMS, the following activities may be initiated:

1. Revisit and, if necessary, conduct a reorientation/reiteration on these existing information safety measures to create, refresh and sustain awareness of their importance in the Academy.

2. Orient the various concerned units responsible for the physical (security agency, engineering), administrative (HR, accounting, facilities), technical (IT group, corporate affairs group), and all other groups facing information security risks about the benefits of ISMS.

3. Collectively, as a group, identify and choose from among the other viable control procedure options those immediately implementable without necessarily requiring any capital outlay.

SUBMITTED BY

GREGORY WIDWIDAN
IT Officer / Executive Assistant III
Court of Appeals

LUIS JOSE FRANCO
Management Audit Analyst III
DAP-Internal Audit Services
