GSD XM ISO 27001:2013 External Audit Awareness

Presentation on theme: "GSD XM ISO 27001:2013 External Audit Awareness"— Presentation transcript:

1 Documents for YIFAN Employees To Read External Audit Awareness provided by Shuying Gao

2 GSD XM ISO 27001:2013 External Audit Awareness
By Shuying, Gao Feb 19, 2016

3 Agenda ISO 27001:2013基本知识Basic Information
全球信息安全政策Global Information Security Policy ISO 27001:2013信息安全管理体系ISMS 目标指标及达成状况Objective Status 风险评估结果分享Risk Assessment Result Sharing 审核常见问题及回答Frequent Q&A

4 ISO27001:2013基本知识Basic Information
ISO是国际标准化组织（International Organization for Standardization）名称的英文缩写。该组织的成果是正式出版的国际标准，即ISO标准 2. GSD XM目前推行的管理体系标准是什么？ ISO27001:2013,信息安全管理体系（Information Security Management System） 3. GSD XM为何要推行以上管理体系标准? 客户的要求，全球化的要求，戴尔自身改进的需求 不断提升信息安全管理水平，满足客户需求 实施风险管控，增强投资者及利益相关方信心 提供安全的工作环境；树立良好社会形象

5 ISO27001:2013基本知识Basic Information
ISO/IEC is an internationally recognized best practice framework for an Information Security Management System (ISMS). What is it? It helps organizations identify the risks to their important information and put in place the appropriate controls to help reduce the risks The standard contains 10 sections requiring 7 main areas compliance Contains an Annex with 114 controls to reduce risks related to information security Why need it? Information security issues like hacking, virus infections, breach of critical customer data, leakage of company internal documentation Serious impact on daily operations, and potential threat to national security Loss of security may have bigger impact than trade loss

6 ISO27001:2013基本知识Basic Information
不执行体系会带来什么后果？What’s the impact if do not execute ISMS 直接损失Direct loss 减少产品市场份额 Reduce product marketing share 减少销售收入 Reduce incoming 间接损失Indirect loss 增加恢复成本 Increase recovery cost 客户抱怨 Customer complain 品牌和声誉损害 Brand and reputation damage 法律损失Legal loss 违背法律法规 Violate law and regulations 增加诉讼、罚款和诉讼费用 Increase litigation, fines and litigation cost

7 ISO27001:2013基本知识Basic Information
戴尔（中国）有限公司[五缘湾运营中心泗水路613号海沧大厦1#/金尚路2388号]认证情况 管理体系 第二阶段外审时间 认证机构 认证范围 ISO27001:2013 Feb 22~29, 2016 NSAI(National Standard Authority of Ireland) Activities applicable to end-to-end services and solutions, encompassing customer support, configuration services and deployment services for customers in China

8 ISO27001:2013基本知识Basic Information
信息安全管理体系管理者代表： Ernest Lee Ext: 信息安全管理体系执行Leader： Shuying Gao Ext: Dell’s commitment: Information security protect confidentiality, integrity and availability of Dell assets to ensure business continuity, minimize business impact, maximize return on investment and business opportunities.

9 ISO27001:2013基本知识Basic Information
Communication deliver management team’s requirement and strong support Committee team deliver ISMS requirement, knowledge sharing to team

10 Cybersecurity Consult Control Process Owners
ISO27001:2013 Teams Global PM Isern-Flecha, Ileana TS, Alan Lim China PM Shuying Gao Cybersecurity Consult Sze, Dickson Core Team Enterprise TS Pro- support TS Support Service Ops Client TS TAM GCC GFS GETS CS GSPPO-Part Planning GSPPO-DLP Jiang, Xinhua Yuan, Ricky Chen, Ada Jiang, Leo Zeng, Jolen Chen, Vicky Cai, Eden Chen, Joelle Zhang, Kosta Zhang, Rachel Zhong, Sally Control Process Owners Supporting team: Physical security: Y, Jason; Lin, Tina HR: Huang, Sophy; Du, Junli Facility: Shen, Candy; Liu, Li hua GP: Chen, Jerry; Chan, Audrey; Durai, Karthick; Tsoi, Haydee; Wu, Heidi Data Center: Wang, Toms; Lin, Henry Legal: Chen, Kylie; Chen, Happy

11 ISO27001:2013基本知识Basic Information
文 件 清 单 点 击 这 里 PAL (Process Asset Library) QMS (Quality Management System) Store ISMS documents Review/Approval Tracking record & change GSD XMN ISO 27001:2013 project documents Implementation evidence ISMS documentation list Link here Link here

12 ISO27001:2013基本知识Basic Information
文 件 清 单 点 击 这 里 工作流程发生变更 责任人发生变化，部门职责发生变化 系统变更等 为何需要及时变更ISO文件？ 实际操作和文件规定不符 避免过期的文件造成误操作 如何变更ISO文件？ 联系PAL负责人把需要变更文件从Active移动到Stage 更改文件内容，触发Reviewer和Approver批准 通知PAL负责人登记修改信息并把文件从Stage移回Active

13 全球信息安全政策Global Information Security Policy
Policy Link Owned by Dell Chief Security Officer (CSO) and formally reviewed annually Supported by content in Dell’s Ethics and Compliance mandatory training for all employees “Purpose: Information is one of Dell's most valuable assets and shall be protected. Information can be written, oral, stored electronically, or embedded in video. Information security protects the confidentiality, integrity, and availability of Dell's data and computing environment from a wide range of threats in order to ensure business continuity, minimize business impacts, and maximize return on investment and business opportunities. Scope: This Policy applies to: Information Technology resources storing or processing data owned or controlled by Dell, regardless of ownership or location.  This Information Security Policy is a Corporate Policy and applies to all Dell employees, employees of any Dell subsidiary, assigned workers, as well as to third parties performing services on Dell’s behalf (hereinafter collectively referred to as “You”). For employees, compliance with this Policy is an expectation of employment (subject to local legal requirements). For assigned workers and third parties who perform services on Dell’s behalf, compliance with this Policy is a condition of access to Dell facilities and resources, and of being permitted to perform services for Dell.” Also covers: Policy statements (obligations) Procedures and Training Asking Questions Reporting & Investigations Discipline and other Consequences Other topics

14 全球信息安全政策Global Information Security Policy
Policy Link Policy Statement 1. Dell people resources (i.e. employees, contractors, consultants, vendors, business partners, other third parties) shall maintain the confidentiality, integrity, and availability of company information. Information used to conduct Dell business shall be protected from unauthorized access, disclosure, modification, or deletion and shall be accessible when needed to support business operations. 1a. Third party Dell resources, either individuals or companies, shall be compliant with Dell Information Privacy and Security agreement (IPSA) terms and are subject to review by Dell Cybersecurity to support Dell’s Information Security Policy and Standards. 2. Dell computer systems and networks shall be designed, engineered, and operated in such a way that ensures the confidentiality, integrity, and availability requirements of the information they store, process, and/or transmit. 3. Information, unless it is classified by Dell as public information and, regardless of the form or format, is classified as confidential information. Data must fall under one of the data classification types as described in the Data Classification standard. Required access controls for confidential information shall be determined by the data owner based on commercial value, sensitivity, impact of loss or compromise, legal and contractual requirements, and Dell obligations of confidentiality to employees, business partners, external customers, and trading partners. 4. Dell Cybersecurity shall perform on-going risk reviews and assessments of Dell's information security posture worldwide as appropriate. These risk reviews and assessments will be used as an input to enterprise risk management practices. 5. This policy is supported by other, topic-specific information security policies. Those policies are supported, similarly, by information security standards and procedures.

15 (Vulnerability & threat)
ISO 27001:2013信息安全管理体系ISMS Planning Formulate IS strategy Determine system scope Define management responsibility Determine control objectives and control methods through risk assessment Maintenance Follow PDCA (Plan, Do, Check, Action) Once the ISMS system is established, the organization shall operate according to the requirements ISMS Framework Implement control Risk Management Risk Assessment (Refer ISO/IECTR13335) Risk Mitigation Risk Control (Vulnerability & threat) Risk Management

16 The Confidentiality, Integrity and Availability of assets
ISO 27001:2013信息安全管理体系ISMS Business needs Information Assets Business depends on the security of information assets Start from business needs Risk Management Information security direct goal Final goal of information security The Confidentiality, Integrity and Availability of assets

17 ISO 27001:2013信息安全管理体系ISMS ISMS Committee Team Supporting Team 1.CSTTS
Customer Support 1.CSTTS -Enterprise & Pro- support TS -Client support TS 2.GCC 3.TAM Deployment & Field Service 1.CS 2.GFS 3.GETS 4.GSPPO -Part planning -Service ops. 1.Cybersecurity 2.Data center 3.Facility 4.GP 5.HR 6.Legal 7.Physical security

18 ISO 27001:2013信息安全管理体系 PLAN ACT CHECK PLAN DO ACT CHECK 6.Planning
6.1Actions to address Risks and Responsibilities 6.2Information security objectives and planning to achieve them 7.Support Cover resource, competence, awareness, communications, document information 8.Operations 8.1Operational planning and control 8.2Information security risk assessment 8.3Information security risk treat 10. Improvement 10.1Nonconformity and corrective action 10.2Continual Improvement 9.Performance Evaluation 9.1Monitoring, measurement, analysis and evaluation 9.2Internal audit 9.3Management review PLAN ACT CHECK

19 ISO 27001:2013信息安全管理体系ISMS 全球安全工作场所政策Global Secure Workplace Policy
- 最佳安全实践Security Best Practices Lock Down Information Lock Down Dell systems Maintain Good Habit Speak Up Dell Office Space-Clear desk Dell Office Space- Secure Disposal Conference Rooms, Shared Desks and Common Areas Home office Working in a Public Space or while Traveling Use Dell assets, , Internet and social media safely Global Policy全球政策 Regular secure workplace audit 定期安全工作环境审核 Champion for encouragement NC (Non-compliance) for CAPA (Corrective action, preventative action) Plan to initiate audit from Nov 戴尔办公区域-安 全处理 Dell Secure Workplace Standard 戴尔安全工作场所标准 Dell Secure Workplace Checklist戴 尔安全工厂场所检查表 Job aid for a secured workplace安 全工作场所工作辅助 锁定信息 锁定戴尔系统 会议室,公共办公桌, 公用区和安全区 养成好习惯 家庭办公区 大声讲出来 公共空间或旅行 途中办公

20 Secure Work Environment
ISO 27001:2013信息安全管理体系 Secure Work Environment 安全工作 小贴士 Secure Work Tips 公司内部文件资料以及电脑包和手机钱包等贵重物品收纳到柜子中或随身携带，不要放置或粘贴在桌上，并且柜子随时保持上锁 工牌随身佩戴于胸前或者腰间的显著位置 暂时离开位置时，及时将电脑锁定屏幕 即使(短时间)离开会议室要随身携带电脑和文件 打印的文件随时取走，不要留在打印机旁 确保安装公司要求的Data Protection和McAfee安全软件 Microsoft软件有Titus Data Labeling控件，并清楚各个分级的使用方法 紧急联系电话：公司内部 ; 公安局报警电话-110; 火警报警电话-119

21 ISO 27001:2013信息安全管理体系ISMS

22 ISO 27001:2013信息安全管理体系ISMS

23 Data Classification Link
ISO 27001:2013信息安全管理体系ISMS Data Classification Link

24 ISO 27001:2013信息安全管理体系ISMS 损害 价值 传播 保护

25 风险评估结果分享Risk Assessment Result Sharing
Risk Assessment conducted in 3 phases: Initial risk assessment conducted on May-2015 workshop based on the identified assets. 12 threats/vulnerabilities from 4 categories of asset with high risk factor identified and treatment plan recommended. 11 threats/vulnerabilities to be mitigated and 1 accepted. 8 of the 11 has been closed. Remaining 3 to be closed by end of April. Additional risk assessment conducted during the office tour on May 4 risk items identified and all have been remediated and closed. Additional “Activities-based” assessment conducted as part of the stage-1 audit finding. 1 threat category found with high potential risk factor – sending unsecured mail to external parties. Treatment plan has been recommended and implementation for some relevant teams.

26 与信息安全有关的法律法规清单Legal Requirement
GSD XM ISMS符合法律法规要求

27 目标指标及达成状况Objective Status

28 审核常见问题及回答Frequent Q&A
戴尔的信息安全方针是什么? 谁是GSD XM信息安全管理系统的管理者代表? 你们部门的ISO 27001代表是谁? 你们部门有哪些信息安全相关的潜在风险? 你们部门有哪些适用的法律法规？是否符合法规要求? GS XM ISMS的目标是什么? 你们部门ISMS目标的(Metrics)是什么?是否针对未达标的Metrics进行分析并采取相应的措施？ 内外部紧急联络电话是多少?

29 审核常见问题及回答样本Frequent Q&A
常问问题 答案 1.戴尔的信息安全政策是什么? 全球信息安全政策– PPT第11页 1.我们需要维护公司信息的保密性、完整性和可获得性。通过控制授权 访问控制权限、不透露、修改或删除权限保护公司信息，支持业务运营 1a.第三方戴尔资源，不管个人还是公司，应该符合戴尔信息隐私和安全 协议(IPSA), 戴尔网络安全部门支持信息安全政策和标准的检验 2.戴尔计算机系统和网络在信息的存储、处理、传输过程中，应该从保密 性、完整性和可获得性方面进行设计、管理 3.只要被定义成机密类别的信息，必须按照数据分类标准进行管理，要求 有访问控制 PPT第19、20页 4.戴尔网络安全部门应该进行持续的风险评估和检验 5.此政策也有其他信息安全政策支持，有信息安全标准和流程支持 2.谁是GSD XM ISO27001信息安全系统的管理者代表? Lee, Ernest是管理者代表 3.谁是GSD XM ISO27001的中国区执行Leader？谁是你们部门的ISO27001信息安全代表？ Gao, Shuying是中国区执行Leader CSTTS-Enterprise&Pro-support-Jiang, Xinhua; Yuan, Ricky; CSTTS-Client Support-Jiang Leo; GCC-Chen, Vicky; TAM-Zeng, Jolen; CS-Zhang, Kosta; GFS-Cai, Eden; GETS-Chen, Joelle; GSPPO-Part planning-Zhang, Rachel; GSPPO-Service ops-Zhong, Sally 4.你们部门有哪些信息安全相关的潜在风险? 1.客户PII信息保护与管理 2.禁止使用U disk/2nd HD/2nd OS/其它未被授权的外部Removable storage 3.未授权软件安装 4.BCP plan 5.包括敏感信息的邮件 6.服务器公共存储 通过降低\转移\接受风险,使风险得到管控 常问问题 答案 5.安全工作小贴士 PPT第17页 1.公司内部文件资料以及电脑包和手机钱包等贵重物品收纳到柜子中或随 身携带，不要放置或粘贴在桌上，并且柜子随时保持上锁 2.工牌随身佩戴于胸前或者腰间的显著位置 3.暂时离开位置时，及时将电脑锁定屏幕 4.即使(短时间)离开会议室要随身携带电脑和文件 5.打印的文件随时取走，不要留在打印机旁 6.确保安装公司要求的Data Protection和McAfee安全软件 7.Microsoft软件有TitusDataLabeling控件，并清楚各个分级的使用方法 6.有哪些适用的法律法规？是否符合法规要求？ 《消费者权益保护法》,《中华人民共和国著作权法》，《中华人民共和国专利法》，《中华人民共和国刑法》，《计算机软件保护条例》，《中华人民共和国知识产权海关保护条例》等，符合法律法规要求。 7.GSD XM ISO27001的最主要目标是什么？ 执行ISMS，符合ISO27001:2013标准，获得ISO27001:2013认证 8.你们部门ISO27001信息安全相关的目标是什么 积极参与并执行ISMS,获得ISO/IEC27001:2013认证.积极参与公司强制性伦理道德培训,和ISMS awareness培训保护隐私,日常行为符合公司要求.配合访问权限/密码控制,参与安全工作环境审计,确保信息保密,安全工作.参与BCP计划,确保异常发生时,能提供帮助使业务持续运行。 9.紧急联络方式是什么？ 内部：保安 ;遇到涉嫌盗窃,保密信息泄露,戴尔笔记本或其他戴尔设备丢失等，立即向戴尔全球安全中心报告网址： 外部：公安局报警电话-110; 火警报警电话-119 10.碰到问题怎么办？ 联系各部门经理或各部门代表Jiang, Xinhua/Yuan, Ricky,

30 准备stage 2 external audit主要的Challenges
项目管理中的信息安全管理 文 件 清 单 点 击 这 里 需要根据流程规定建立项目管理中的信息安全风险管控机制 在所有GSD XM认证范围内的组织内进行 状态：已执行 供应商信息安全管理 根据供应商信息安全管理流程展开审计 一年内完成所有Scope范围内供应商的审计并通报结果 状态：已执行 IT BCP Plan 需要有IT的BCP plan和测试结果作为evidence 状态：已有相关Evidence

31 怎么准备Stage2 External Audit?
培训 文 件 清 单 点 击 这 里 所有需要 auditee参加stage 2 external audit awareness training 阅读相关规定/文件/流程 所有需要 auditee必须阅读ISO27001:2013标准 阅读manual, annex control manual, risk assessment及GSD XM的 流程 准备Evidence和Presentation deck Section leader组织会议收集evidence 尽量避免在audit过程中找不到控制点，找不到文件和相关 证据的风险

32 Q & A Thank you!

33 GSD Organization File GSD Organization