Security Management in Practice
Lec 4
Dr. Muzammil Hussain, GCET, muzammil.h@gcet.edu.om

Information Security Management System (Part 2)

Control Objectives and Controls
The 11 control areas (domains), with their control objectives and controls, that are typically accounted for are given in Annex A of ISO 27001.

A control objective is a statement of what the controls in one area of a process or sub-process are meant to achieve; it defines the category of risk being addressed. Controls are the activities performed to achieve a control objective and thereby mitigate the risks to the entities that rely on the process.

Why Do We Need ISO 27001 Annex A?
Annex A is the catalogue from which an organisation selects the controls it uses to treat the risks its ISMS has identified. For example, one of its domains, physical and environmental security, is about ensuring secure physical and environmental areas; the objective of that domain is to prevent unauthorised physical access, damage and interference to the organisation's information and information processing facilities.

What is ISO 27001 Annex A?
It contains an essential instrument for managing information security risks: a list of security controls (or safeguards) that should be used to strengthen the security of information assets.

Control Objectives and Controls

1. Security Policy
• The documented policy helps communicate the organization's information security goals.
• It should be clearly written and understandable to its readers.
• The policy helps management provide direction and support for information security throughout your organization.

2. Organization of Information Security
• Outlines how management ensures implementation of information security within the organization.
• It provides a forum for reviewing and approving security policies and assigning security roles and responsibilities.

3. Asset Management
• Managing both physical and intellectual assets is important to maintaining appropriate protection.
• It determines ownership, accountability and protection of information assets.

4. Human Resources Security
• Assessing and assigning employee security responsibilities and awareness enables more effective human resource management.
• Security responsibilities should be determined during the recruitment of all personnel and throughout their employment.

5. Physical and Environmental Security
• Securing physical areas and work environments within your organization contributes significantly toward information security management.
• Anyone who deals with your physical premises, whether they are employees, suppliers or customers, plays a key role in determining organizational security protection.

Physical Controls
• Network segregation
• Perimeter security
• Computer controls
• Work area separation
• Data backups
• Cabling
• Control zone

Technical Controls
• System access
• Network architecture
• Network access
• Encryption and protocols
• Auditing

6. Communications and Operations Management
• Covers the secure delivery and management of the daily operations of information processing facilities and networks.

7. Access Control
• Managing the access levels of all employees helps to control information security in your organization.
• Controlling levels of system and network access can become a critical success factor when protecting data or information network systems.

8. Information Systems Acquisition, Development and Maintenance
• Involves the secure development, maintenance and acceptance of business applications, products and services into the operational environment.

9. Incident Management
• Facilitates the identification and management of information security events and weaknesses and allows for their appropriate and timely resolution and communication.

10. Business Continuity Management
• Using controls against natural disasters, operational disruptions and potential security failures helps the continuity of business functions.

11. Compliance
• To assist organizations with the identification of, and compliance with, contractual obligations and legal and regulatory requirements.

ISMS Certification
• ISO publishes the standard but does not itself certify organisations: certification against ISO 27001 is carried out by certification bodies, which are in turn accredited by a national accreditation body.
• This enables an organisation to have its information assurance governance and management processes certified against ISO 27001.
• To gain certification, the organisation's ISMS (information security management system) has to undergo an external audit carried out by an accredited third-party organisation.
• The auditors use standard processes to check the organisation's ISMS policies, standards and procedures against the ISO 27001 requirements and then look for evidence that they are actually being used within the organisation.
• The findings from the audit are reported back to the organisation and certification is granted if successful.
• After the initial certification, periodic follow-ups take place to ensure that the standard is still being met: surveillance audits during the certificate's life, then a full recertification audit at the end of the cycle (typically three years).
• There is also an ISO standard (ISO/IEC 27006) that is used to guide the accredited certification bodies on the formal processes for certifying or registering other organisations' information security management systems.

Resources
• BCS offer a Certificate in Information Security Management Principles:
  – http://certifications.bcs.org/category/15735
  – http://certifications.bcs.org/upload/pdf/infosecismp-syllabus.pdf

Recap
• Understanding what a threat, a vulnerability and a risk can be for an organisation.
• Assessing the risk likelihood and impact.

ISO 27001 Annex A: Domains and Control Objectives
The 2005 edition of ISO 27001 has 11 domains, 39 control objectives and 133 controls. Later editions restructure Annex A, so the numbering below is specific to that edition. Following is a list of the domains and control objectives.

1. Security policy
• Information security policy. Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

2. Organization of information security
• Internal organization. Objective: To manage information security within the organization.
• External parties. Objective: To maintain the security of the organization's information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.

3. Asset management
• Responsibility for assets. Objective: To achieve and maintain appropriate protection of organizational assets.
• Information classification. Objective: To ensure that information receives an appropriate level of protection.

4. Human resources security
• Prior to employment. Objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.
• During employment. Objective: To ensure that all employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.
• Termination or change of employment. Objective: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.

5. Physical and environmental security
• Secure areas. Objective: To prevent unauthorized physical access, damage and interference to the organization's premises and information.
• Equipment security. Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's activities.

6. Communications and operations management
• Operational procedures and responsibilities. Objective: To ensure the correct and secure operation of information processing facilities.
• Third party service delivery management. Objective: To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.
• System planning and acceptance. Objective: To minimize the risk of systems failures.
• Protection against malicious and mobile code. Objective: To protect the integrity of software and information.
• Back-up. Objective: To maintain the integrity and availability of information and information processing facilities.
• Network security management. Objective: To ensure the protection of information in networks and the protection of the supporting infrastructure.
• Media handling. Objective: To prevent unauthorized disclosure, modification, removal or destruction of assets, and interruption to business activities.
• Exchange of information. Objective: To maintain the security of information and software exchanged within an organization and with any external entity.
• Electronic commerce services. Objective: To ensure the security of electronic commerce services, and their secure use.
• Monitoring. Objective: To detect unauthorized information processing activities.

7. Access control
• Business requirement for access control. Objective: To control access to information.
• User access management. Objective: To ensure authorized user access and to prevent unauthorized access to information systems.
• User responsibilities. Objective: To prevent unauthorized user access, and compromise or theft of information and information processing facilities.
• Network access control. Objective: To prevent unauthorized access to networked services.
• Operating system access control. Objective: To prevent unauthorized access to operating systems.
• Application and information access control. Objective: To prevent unauthorized access to information held in application systems.
• Mobile computing and teleworking. Objective: To ensure information security when using mobile computing and teleworking facilities.

8. Information systems acquisition, development and maintenance
• Security requirements of information systems. Objective: To ensure that security is an integral part of information systems.
• Correct processing in applications. Objective: To prevent errors, loss, unauthorized modification or misuse of information in applications.
• Cryptographic controls. Objective: To protect the confidentiality, authenticity or integrity of information by cryptographic means.
• Security of system files. Objective: To ensure the security of system files.
• Security in development and support processes. Objective: To maintain the security of application system software and information.
• Technical vulnerability management. Objective: To reduce risks resulting from exploitation of published technical vulnerabilities.

9. Information security incident management
• Reporting information security events and weaknesses. Objective: To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.
• Management of information security incidents and improvements. Objective: To ensure a consistent and effective approach is applied to the management of information security incidents.

10. Business continuity management
• Information security aspects of business continuity management. Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.

11. Compliance
• Compliance with legal requirements. Objective: To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements.
• Compliance with security policies and standards, and technical compliance. Objective: To ensure compliance of systems with organizational security policies and standards.
• Information systems audit considerations. Objective: To maximize the effectiveness of, and to minimize interference to/from, the information systems audit process.

Ten (10) Security Strategies

Least Privilege: Any subject (e.g. user, administrator, program, system) should have only the privileges required to perform its assigned tasks, and no more.

Defense in Depth: Multiple layers of security defense should be implemented, so that the failure of one layer is caught by another; the layers back each other up.

Choke Point: Force everyone to use a narrow channel which you can monitor and control. A firewall is a good example.

Weakest Link: Attackers seek out the weakest link in your security. You therefore need to know where these weak links are and take steps to eliminate them.
Fail-Safe Stance: In the event that your system fails, it should fail in a position that denies access to resources (fail closed rather than fail open).

Universal Participation: To achieve maximum effectiveness, security systems require the participation of all personnel; one group that opts out becomes the weakest link.

Diversity of Defense: Security effectiveness also depends on implementing similar products from different vendors, so that a single vendor's flaw or misconfiguration does not defeat every layer at once. (This includes circuit diversity.)

Simplicity: Simple things are easier to manage, and therefore easier to secure, than complex ones.

Security through Obsolescence: The suggestion that by running old technology no one will have the knowledge to compromise the system. In practice obsolete technology usually carries publicly known, unpatched vulnerabilities and is easier, not harder, to attack, so this is a strategy to recognise and avoid rather than adopt.

Security through Obscurity: Hiding things as a form of protection. Hiding details can raise an attacker's cost, but it is no substitute for controls that remain effective when the design is known, and should never be the only control.
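The three strategies a developer most often gets wrong in code are least privilege, fail-safe stance and choke point. The following is an added example, not code from the lecture or from any product: a small authorization routine in which every role is granted only the operations it needs, every request passes through one function that logs its decision, and any failure of the policy lookup denies the request. The policy table, role names and the PolicyUnavailable error are constructed for illustration. A fail-open variant is included beside it to show what the fail-safe stance rules out.

```python
"""Default-deny authorization: least privilege, fail-safe stance, choke point."""
from typing import Dict, FrozenSet, List, Optional, Tuple

Grant = Tuple[str, str]  # (resource, action)

# Constructed, hypothetical policy. Each role lists only the operations it
# needs (least privilege); anything not listed is denied.
POLICY: Dict[str, FrozenSet[Grant]] = {
    "reader":  frozenset({("report", "read")}),
    "analyst": frozenset({("report", "read"), ("report", "write")}),
    "admin":   frozenset({("report", "read"), ("report", "write"),
                          ("user", "create"), ("user", "delete")}),
}

# Every decision taken by the choke point is appended here for auditing.
AUDIT_LOG: List[Tuple[str, str, str, str]] = []


class PolicyUnavailable(Exception):
    """Constructed error: raised when the policy store cannot be consulted."""


def lookup_grants(role: str,
                  policy: Optional[Dict[str, FrozenSet[Grant]]]) -> FrozenSet[Grant]:
    """Return the grants for a role. An unknown role has no grants at all."""
    if policy is None:
        raise PolicyUnavailable("policy store unreachable")
    return policy.get(role, frozenset())


def is_allowed_fail_open(role: str, resource: str, action: str,
                         policy: Optional[Dict[str, FrozenSet[Grant]]] = POLICY) -> bool:
    """Anti-pattern: an error while consulting the policy is treated as ALLOW."""
    try:
        return (resource, action) in lookup_grants(role, policy)
    except PolicyUnavailable:
        return True  # fails open: outage == everything permitted


def is_allowed(role: str, resource: str, action: str,
               policy: Optional[Dict[str, FrozenSet[Grant]]] = POLICY) -> bool:
    """Fail-safe stance: only an explicit (resource, action) match yields True.

    Unknown roles, unknown actions and a broken policy store all deny.
    """
    try:
        grants = lookup_grants(role, policy)
    except PolicyUnavailable:
        return False  # fails closed
    return (resource, action) in grants


def authorize(role: str, resource: str, action: str,
              policy: Optional[Dict[str, FrozenSet[Grant]]] = POLICY) -> bool:
    """Choke point: every request passes through here and every decision is logged."""
    allowed = is_allowed(role, resource, action, policy)
    AUDIT_LOG.append((role, resource, action, "ALLOW" if allowed else "DENY"))
    return allowed


if __name__ == "__main__":
    for req in [("reader", "report", "read"), ("reader", "report", "write"),
                ("intern", "report", "read"), ("admin", "user", "delete")]:
        print(req, "->", "ALLOW" if authorize(*req) else "DENY")
    # Simulate the policy store being down: the fail-safe check denies,
    # the fail-open variant would have let an admin action through.
    print("store down, fail-safe :", is_allowed("admin", "user", "delete", policy=None))
    print("store down, fail-open :", is_allowed_fail_open("admin", "user", "delete", policy=None))
```

Note that `is_allowed` never has a code path that returns True by omission: every branch that is not an explicit match in the policy returns False, which is what "fail in a position that denies access" means in practice. Because all callers go through `authorize`, the audit log is complete without each handler having to remember to log.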