Overview of Information Security standards - ISO 27000 series of standards (27001, 27002, 27003, 27004, 27005)
IT Governance, CEN 667

Project proposal - week 2
• The goal of the projects is to find applicable measurement and metric methods to improve processes:
  – For the 27000 series of standards (27001 and 27004)
  – For ITIL
  – For Business Continuity and BS 25999
  – For Disaster Recovery
  – For Penetration testing
  – For Operational and Security Incident management
  – For Risk Management
  – Secure method for visual authentication
  – Mobile security access with speech recognition
  – Other, as agreed with the lecturer
• Literature review on the selected topic - between 500 and 1000 words
• Proposal for improvements of the chosen method, approach or technique - up to 2000 words
• List of references
• Document prepared in two columns, as it should be prepared for a conference paper
• Weekly report on updates

Lectures Schedule
Week 1: Introduction to IT governance
Week 2: Overview of Information Security standards - ISO 27000 series of standards (27001, 27002, 27003, 27004, 27005)
Week 3: Information Technology Service management, ISO 20000-1 and ISO 20000-2
Week 4: ITIL
Week 5: Business Continuity, BS 25999-1 and BS 25999-2
Week 6: Disaster Recovery
Week 7: COBIT
Week 8: Project implementation (ISO 10006 and ISO 27003)
Week 9: Midterm
Week 10: Risk Management (ISO 27005)
Week 11: Application and Network Security and security testing
Week 12: Specific Requirements and Controls Implementation (ISO 27002)
Week 13: Operational and Security Incident management
Week 14: Performance Measurement and Metrics (ISO 27004)
Week 15: Audit (ISO 19011) and the Plan-Do-Check-Act improvement cycle

Agenda
– The ISO 27000 Framework
  • ISO/IEC 27001:2005 ISMS
  • ISO/IEC 27002:2005 Controls
  • ISO/IEC 27003:2010 Implementation guidance
  • ISO/IEC 27004:2009 Measurement and Metrics
  • ISO/IEC 27005:2008 Risk Management
– The ISMS Roadmap
– A Controls Framework
– Information Security Organization – Mission and Structure
– Discussion/Questions/Lessons Learned

Information Security Governance
– How can an organization make good decisions about information risk?
– Risks identified, mitigated and accepted equals security
– Information Security is a business requirement
– CIA – Confidentiality, Integrity, Availability
– PCI, HIPAA, SOX, State Privacy Regulations
– The impact of a loss of security on an organization is extreme
  • Damage to brand and share price
  • Direct costs
  • Unavailable critical business processes
– Business awareness of the impact is key

Confidentiality, Integrity, Availability (CIA)
• Confidentiality: ensuring that information is accessible only to those authorized to have access.
• Integrity: the assurance that information is consistent, certified and can be reconciled.
• Availability: ensuring that authorized personnel have access to information when they need it.
Keep CIA, and this is a way.

Measuring KPIs

Other cases
• Sources:
  – Business continuity lessons from Buncefield, Continuity Central, Huddersfield, West Yorkshire, England
  – Jon William Toigo, Disaster Recovery Planning: Preparing for the Unthinkable, Third edition, Foreword xi

Buncefield fuel depot (Hemel Hempstead), London, December 2005

Northgate Information Solutions, Buncefield fuel depot

Next case...

Emergency Response Team / Center for the Port Authority
Responsible for 3 airports, tunnels, bridges, buses and trains; they meet at the Marriott Hotel.

Business continuity planning and testing

Leading data loss causes (Gartner)
• Hardware or System Malfunctions: 44%
• Human Error: 32%
• Software Corruption: 14%
• Computer Viruses: 7%
• Natural Disasters: 3%

From BiH news portals
• People do not know what happened to them
• And the police are searching
• News again...
• How common is spam, and how much does it cost us?
• Password theft and its costs
• Large damages
• An example from the telecommunications sector
• Espionage – a real thing
• A rising trend
• These things cannot happen in BiH???

Facts
• Information security is not Information Technology (IT) security.
• It is the security of information and information assets.
• Information assets are:
  – Electronic Information
  – Non-electronic Information
  – Environment / Infrastructure
  – Hardware
  – Software
  – Physical
  – People
  – Services
• Information security is to keep CIA: Confidentiality, Integrity, Availability
• Keep asset CIA

Everyday media reports reveal information security incidents that are the result of unmanaged information security. These cases lead to:
• Resignations from important positions in institutions
• Civil court cases
• Assets lost
• Reputation lost and public embarrassment
• End of business

SUNDAY MORNING, 10:00 o'clock
You don't want to be this guy: reading about an information security incident in his organization on a Sunday morning.

What is the ISO 27000 Framework?
• International Organization for Standardization
• Governance - ISO 27001
  – Establishing and Operating the ISMS
  – Plan, Do, Check, Act
  – Management commitment and involvement
  – Information Asset "Ownership"
• Controls - ISO 27002
  – Deterrent
  – Preventative
  – Detective
  – Corrective
  – Recovery
  – Compensating
• Available for download as Intellectual Property

What is the ISO Framework (cont.)
• Implementation - ISO 27003
  – Management approval
  – Defining scope
  – Objective
  – Scope
  – Processes
  – Assets
  – Risk assessment
• Metrics - ISO 27004
  – Key Performance Indicators
  – Choosing what to measure
  – Collecting data
• Risk management - ISO 27005
  – Risk analysis
  – Risk identification
  – Risk estimation
  – Risk evaluation
  – Risk reduction
  – Risk retention
  – Risk avoidance
  – Risk transfer
  – Risk acceptance
  – Risk communication

Case: Flight Control
To keep the direction of business activities on the right track, measurement and correction are needed (6.1.1, 6.1.8, 6.1.2, 6.1.3; ISO 27004:2009).
1. A side wind has an impact on an aircraft's flight path.
2. The path of an aircraft without constant management of its path will never reach the destination.
3. An aircraft with constant control of its path (autopilot) and management of direction is able to reach the destination.

6.1 INTERNAL ORGANIZATION
6.1.1 Management commitment to information security
6.1.2 Information security co-ordination
6.1.3 Allocation of information security responsibilities
6.1.4 Authorization process for information processing facilities
6.1.5 Confidentiality agreements
6.1.6 Contact with authorities
6.1.7 Contact with special interest groups
6.1.8 Independent review of information security
6.2 EXTERNAL PARTIES
6.2.1 Identification of risks related to external parties
6.2.2 Addressing security when dealing with customers
6.2.3 Addressing security in third party agreements

What is ISO 27001?
• A management process to evaluate, implement and maintain an Information Security Management System (ISMS).
• An internationally recognized structured methodology dedicated to information security.
• A comprehensive set of controls (ISO 27002) comprised of best practices in information security.
• A standard that can be customized to address the level of risk (or vulnerability) that could cause negative business impact should it not be addressed.
• Certification available

Content of standards (27001 and 27002)
ISO 27001:2005 (System establishment)
4. Information security management system
5. Management responsibility
6. Internal ISMS audits
7. Management review of the ISMS
8. ISMS improvement
ISO 27002:2005 (formerly the ISO 17799:2005 standard, which itself was formerly known as BS 7799-1)
5. SECURITY POLICY
6. ORGANIZATION OF INFORMATION SECURITY
7. ASSET MANAGEMENT
8. HUMAN RESOURCES SECURITY
9. PHYSICAL AND ENVIRONMENTAL SECURITY
10. COMMUNICATIONS AND OPERATIONS MANAGEMENT
11. ACCESS CONTROL
12. INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE
13. INFORMATION SECURITY INCIDENT MANAGEMENT
14. BUSINESS CONTINUITY MANAGEMENT
15. COMPLIANCE

Information Security Management System (ISMS) - The Security Program - ISO/IEC 27001 Roadmap
Plan - Establish the ISMS
• Charge the ISGC (Mission Statement)
• Scope and Boundaries
• Define the ISMS Policy
• Identify a Risk Assessment methodology
• Develop criteria for accepting risks
• Identify Risks (Risk Assessment)
• Analyze and evaluate risks
• Develop Risk Treatment Plan
• Select Control Objectives and Controls
• Prepare a Statement of Applicability
Do - Implement and Operate Controls & Measure
• Implement the Risk Treatment Plan
• Measure the effectiveness of controls
• Implement an Incident Response process
Check - Monitor, Audit, Review
• Monitor and review procedures and controls
• Regular reviews of the effectiveness of the ISMS
• Review risk assessments at planned intervals, taking into account changes in Organization, Business process, Technology, Threats and Regulatory environment
• Conduct Internal Audits at planned intervals
• Management review of the ISMS
Act - Maintain & Improve the ISMS
• Take corrective action to improve the ISMS
• Take preventative action based on the prioritized results of risk assessments, in anticipation of potential problems

ISMS Roadmap
Common reasons to implement an ISMS:
1. Strategic
2. Client / partner confidence
3. Internal efficiency
4. Regulations
PDCA circle (figure; recoverable labels only):
• PLAN: Governing board approval; Governing board policy; Risk assessment; Gap analysis; Process mapping; Project borders agreement (approved); Record collection; Asset collection & asset value; Statement of applicability
• DO: Implementation of controls, procedures...; Training and 2nd time awareness
• CHECK: Monitoring and Auditing
• ACT: Improvements

Plan - Establish the ISMS
• Mission Statement
• Scope and Boundaries
• Define the ISMS Policy
• Identify a Risk Assessment methodology
• Develop criteria for accepting risks
• Identify Risks (Risk Assessment)
• Analyze and evaluate risks
• Develop Risk Treatment Plan
• Select Control Objectives and Controls
• Prepare a Statement of Applicability

Do - Implement the ISMS
• Implement the Risk Treatment Plan
• Measure the effectiveness of controls
• Implement an Incident Response process

Check - Monitor, Audit and Review
• Monitor and review procedures and controls
  – Attempted and successful security breaches
  – Determine if actions to prevent breaches were successful
• Regular reviews of the effectiveness of the ISMS
• Review risk assessments at planned intervals, taking into account changes in:
  – Organization
  – Business process
  – Technology
  – Threats
  – Regulatory environment
• Conduct Internal Audits at planned intervals
• Management review of the ISMS

Act - Maintain and Improve
• Take corrective action to improve the ISMS
• Take preventative action based on the prioritized results of risk assessments, in anticipation of potential problems

Risk Management Process – Risk Assessment (awareness)
• Asset discovery
• Threat Identification
• Vulnerability Identification
• Control Analysis
• Likelihood Determination
• Impact analysis
• Risk Determination

Risk Management Process – Risk Treatment Plan
• Control Recommendations to mitigate risk
• Evaluate/Accept Risk
• Risk Mitigation Investments

Evaluating Information Risk
• The likelihood of a given threat-source's attempting to exercise a given vulnerability
• The magnitude of the impact should a threat-source successfully exercise the vulnerability
• The adequacy of planned or existing security controls for reducing or eliminating risk

Risk Evaluation and Acceptance Criteria
• NIST Special Publication 800-30 – Risk Management Guide
• ISO 27005
• Information Risk evaluation and Acceptance defined
  – High (Executive Committee)
  – Medium (Info Security Governance Committee)
  – Low (Business Owner or CISO)

ISO 27002 Controls
• 11 Security Control "Clauses"
• 49 Control Categories
  – Control Objective
  – 133 total controls
• Controls selected based on:
  – Assessment of Risk
  – Business objectives
  – Legal, regulatory and contractual obligations
• Function of a control: to mitigate risk
  – Deterrent
  – Preventative
  – Detective
  – Corrective
  – Recovery
  – Compensating

Controls Rationalization
• ISO 27002 becomes the overarching control framework
• Regulatory requirements map to ISO
• New requirements are potentially satisfied with existing controls
• Simplifies auditing and control testing
• Example

5 Information Security Policy "Top Level"
• 5.1 Information Security Policy
  – Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
Management should set a clear policy direction in line with business objectives and demonstrate support for, and commitment to, information security through the issue and maintenance of an information security policy across the organization.

5 Security Policy
5.1.1 Information security policy document
Control: An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties.
Implementation guidance
The information security policy document should state management commitment and set out the organization's approach to managing information security. The policy document should contain statements concerning:
a) a definition of information security, its overall objectives and scope and the importance of security as an enabling mechanism for information sharing (see introduction);
b) a statement of management intent, supporting the goals and principles of information security in line with the business strategy and objectives;
c) a framework for setting control objectives and controls, including the structure of risk assessment and risk management;

5.1.1 (Continued)
d) a brief explanation of the security policies, principles, standards, and compliance requirements of particular importance to the organization, including:
  1) compliance with legislative, regulatory, and contractual requirements;
  2) security education, training, and awareness requirements;
  3) business continuity management;
  4) consequences of information security policy violations;
e) a definition of general and specific responsibilities for information security management, including reporting information security incidents;
f) references to documentation which may support the policy, e.g. more detailed security policies and procedures for specific information systems or security rules users should comply with.
This information security policy should be communicated throughout the organization to users in a form that is relevant, accessible and understandable to the intended reader.

6 Organization of information security
6.1 Internal organization
Objective: To manage information security within the organization.
6.2 External parties
Objective: To maintain the security of the organization's information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.
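The Risk Assessment, Evaluating Information Risk and Risk Evaluation and Acceptance Criteria slides above can be turned into a small risk register. The following is an added example, not code from the lecture: it scores likelihood x impact with the qualitative matrix from NIST SP 800-30 (2002), which the slide cites, lets existing controls lower likelihood (an assumed simplification of the "control analysis" step), and routes each residual risk level to the acceptance authority named on the slide. The assets, threats, vulnerabilities and controls are constructed sample data.

```python
"""Risk register for the lecture's risk assessment and acceptance slides.

Added example, not part of the original slides. Scoring follows the
qualitative likelihood x impact matrix of NIST SP 800-30 (2002); the
acceptance authorities come from the slide. The rule that each adequate
control lowers likelihood by one level, and all sample data, are
constructed assumptions for illustration.
"""
from dataclasses import dataclass, field

# NIST SP 800-30 qualitative weights: likelihood probability x impact magnitude.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}
LEVELS = ["Low", "Medium", "High"]

# Who may accept a residual risk at each level (from the slide).
ACCEPTANCE_AUTHORITY = {
    "High": "Executive Committee",
    "Medium": "Information Security Governance Committee",
    "Low": "Business Owner or CISO",
}


def risk_level(score: float) -> str:
    """NIST SP 800-30 bands: >50 is High, >10 is Medium, 1..10 is Low."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    """One register row: asset discovery through control analysis."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str                               # LIKELIHOOD key, before controls
    impact: str                                   # IMPACT key
    controls: list = field(default_factory=list)  # existing or planned controls

    def inherent_score(self) -> float:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_likelihood(self) -> str:
        # Assumption: each control drops likelihood one level, never below Low.
        idx = LEVELS.index(self.likelihood) - len(self.controls)
        return LEVELS[max(idx, 0)]

    def residual_score(self) -> float:
        return LIKELIHOOD[self.residual_likelihood()] * IMPACT[self.impact]


def evaluate(risk: Risk) -> dict:
    """Risk determination plus the authority that must accept the residual risk."""
    residual = risk_level(risk.residual_score())
    return {
        "asset": risk.asset,
        "threat": risk.threat,
        "inherent": risk_level(risk.inherent_score()),
        "residual": residual,
        "score": risk.residual_score(),
        "accepted_by": ACCEPTANCE_AUTHORITY[residual],
    }


def treatment_plan(risks) -> list:
    """Evaluate every risk and order the register by residual score, worst first."""
    return sorted([evaluate(r) for r in risks], key=lambda e: e["score"], reverse=True)


# Constructed sample register (not real data). The second row is the first one
# after two controls are in place; a score of exactly 10 is still Low.
SAMPLE_RISKS = [
    Risk("customer database", "external attacker", "unpatched web server", "High", "High"),
    Risk("customer database", "external attacker", "unpatched web server", "High", "High",
         controls=["patch management", "web application firewall"]),
    Risk("payroll file share", "careless insider", "over-broad share permissions",
         "Medium", "Medium"),
    Risk("marketing web site", "defacement", "weak CMS password", "Medium", "Low"),
]

if __name__ == "__main__":
    for row in treatment_plan(SAMPLE_RISKS):
        print(f'{row["asset"]:<20} {row["inherent"]:<6} -> {row["residual"]:<6} '
              f'({row["score"]:5.1f})  accept: {row["accepted_by"]}')
```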
Critical Roles and Responsibilities
• Governance Committee and Chair
• Data Owner (Business Owner)
• Data Custodian
• Privacy Officer
• CISO
• IT
• Internal Audit
• All employees

7 Asset Management
7.1 Responsibility for assets
Objective: To achieve and maintain appropriate protection of organizational assets.
7.2 Information classification
Objective: To ensure that information receives an appropriate level of protection.

7 Asset Management
7.1 Responsibility for assets
Objective: To achieve and maintain appropriate protection of organizational assets.
All assets should be accounted for and have a nominated owner. Owners should be identified for all assets and the responsibility for the maintenance of appropriate controls should be assigned. The implementation of specific controls may be delegated by the owner as appropriate, but the owner remains responsible for the proper protection of the assets.

7 Asset Management
7.1.2 Ownership of assets
Control: All information and assets associated with information processing facilities should be "owned" by a designated part of the organization.
Implementation guidance
The asset owner should be responsible for:
a) ensuring that information and assets associated with information processing facilities are appropriately classified;
b) defining and periodically reviewing access restrictions and classifications, taking into account applicable access control policies.
The term 'owner' identifies an individual or entity that has approved management responsibility for controlling the production, development, maintenance, use and security of the assets.

7 Asset Management
7.2 Information classification
Objective: To ensure that information receives an appropriate level of protection.
Information should be classified to indicate the need, priorities, and expected degree of protection when handling the information. Information has varying degrees of sensitivity and criticality.
Some items may require an additional level of protection or special handling. An information classification scheme should be used to define an appropriate set of protection levels and communicate the need for special handling measures.

8 Human Resources Security
8.1 Prior to employment
Objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.
8.2 During employment
Objective: To ensure that all employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.
8.3 Termination or change of employment
Objective: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.

9 Physical and Environmental Security
9.1 Secure areas
Objective: To prevent unauthorized physical access, damage and interference to the organization's premises and information.
9.2 Equipment security
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's activities.

10 Communications and operations management
10.1 Operational procedures and responsibilities
Objective: To ensure the correct and secure operation of information processing facilities.
10.2 Third party service delivery management
Objective: To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.
10.3 System planning and acceptance
Objective: To minimize the risk of systems failures.

10 Communications and operations management (cont.)
10.4 Protection against malicious and mobile code
Objective: To protect the integrity of software and information.
10.5 Back-up
Objective: To maintain the integrity and availability of information and information processing facilities.
10.6 Network security management
Objective: To ensure the protection of information in networks and the protection of the supporting infrastructure.
10.7 Media handling
Objective: To prevent unauthorized disclosure, modification, removal or destruction of assets, and interruption to business activities.

10 Communications and operations management (cont.)
10.8 Exchange of information
Objective: To maintain the security of information and software exchanged within an organization and with any external entity.
10.9 Electronic commerce services
Objective: To ensure the security of electronic commerce services, and their secure use.
10.10 Monitoring
Objective: To detect unauthorized information processing activities.

11 Access Control
11.1 Business requirement for access control
Objective: To control access to information.
11.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized access to information systems.
11.3 User responsibilities
Objective: To prevent unauthorized user access, and compromise or theft of information and information processing facilities.
11.4 Network access control
Objective: To prevent unauthorized access to networked services.

11 Access Control (cont.)
11.5 Operating system access control
Objective: To prevent unauthorized access to operating systems.
11.6 Application and information access control
Objective: To prevent unauthorized access to information held in application systems.
11.7 Mobile computing and teleworking
Objective: To ensure information security when using mobile computing and teleworking facilities.

12 Information systems acquisition, development and maintenance
12.1 Security requirements of information systems
Objective: To ensure that security is an integral part of information systems.
12.2 Correct processing in applications
Objective: To prevent errors, loss, unauthorized modification or misuse of information in applications.
12.3 Cryptographic controls
Objective: To protect the confidentiality, authenticity or integrity of information by cryptographic means.

12 Information systems acquisition, development and maintenance (cont.)
12.4 Security of system files
Objective: To ensure the security of system files.
12.5 Security in development and support processes
Objective: To maintain the security of application system software and information.
12.6 Technical Vulnerability Management
Objective: To reduce risks resulting from exploitation of published technical vulnerabilities.

13 Information security incident management
13.1 Reporting information security events and weaknesses
Objective: To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.
13.2 Management of information security incidents and improvements
Objective: To ensure a consistent and effective approach is applied to the management of information security incidents.

14 Business continuity management
14.1 Information security aspects of business continuity management
Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters, and to ensure their timely resumption.

15 Compliance
15.1 Compliance with legal requirements
Objective: To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements.
15.2 Compliance with security policies and standards, and technical compliance
Objective: To ensure compliance of systems with organizational security policies and standards.
15.3 Information systems audit considerations
Objective: To maximize the effectiveness of, and to minimize interference to/from, the information systems audit process.

Information Security Organization and Structure
• It's all about the ability to execute
• Multi-disciplinary approach involving collaboration and cooperation
• Organizational segregation of control execution from control requirements and approvals
• Control executors accountable for control execution
• Oversight responsibility – where does Information Security report?

Organization chart (figure; recoverable labels only): Business Governance; Internal Audit; Information Security Program; Information Risk Mgt; Control Implementation; Security Policy; Risk Assessments; Security Assurance; Monitoring and Response; Vulnerability Mgt; Identity Mgt; External Compliance; Access Administration; Patching; Anti-virus; Baseline Configurations; Firewall rules; Application Security Stds; Policy Controls Compliance; PCI, SOX, HIPAA, PII; Information Security; IT.

Information Security Functions
• Chief Information Security Officer (CISO)
• Information Security Office (ISO)
  – Compliance Management
  – Identity Management
  – Security Configuration Management
  – Risk Assessment
  – Security Education, Awareness and Training (SETA)
• Security Operations Center (SOC)
  – SOC/NOC Coordination
  – Incident Response
  – Security Integrated Process Team Management
• Information Security Compliance (ISC)
  – PII, HIPAA, and PCI compliance policy
  – Controls compliance program

Information Security Office (ISO)
• Enterprise Security Mgt
  – Security Architecture
  – System Accreditation
  – Access and Identity Management
  – Physical Security requirements
• Risk Management
  – Security Assurance
  – Application Vulnerability Mgt
  – Risk Assessment execution
  – 3rd Party Risk Management
• Security Education, Awareness and Training
• Disaster Recovery/BCP

Security Operations Center (SOC)
• Security Monitoring
  – Monitoring and alerting
  – Intrusion Detection
  – Policy violations
  – Anti-Virus monitoring
  – Log Analysis
• Incident Response
  – Incident Response Plan
  – Incident Response Team Mgt
  – Management reporting
• Security Engineering
  – Vulnerability/Penetration testing
  – Vulnerability remediation
  – Policy violation remediation
  – Network Integrity mgt
  – Technology control effectiveness

Information Security Compliance (ISC)
• Security Policies and Compliance
  – PCI, HIPAA, SOX, Privacy
  – ISO 27001/ISO 27002
• IT Operational Controls Compliance
  – Vulnerability Management
  – Baseline Configuration
  – Policy/Standards/Process Compliance
• Audit/Assessment Mgt
  – Compliance evidence
  – Management Response
  – Remediation Mgt
  – Document Mgt

Discussion
• Lessons Learned
• Going Forward
• Your Experience?
  – Governance
  – ISO
  – Other security frameworks