Information Security: Standards ISO/IEC 27000 and ISO/IEC 27001
Information Security coursework, MCI 2012/13
Lecturer: José Manuel de Magalhães Cruz
Faculdade de Engenharia da Universidade do Porto, Master's in Information Science

Information Security
Increased dependence of firms on information technologies and systems, the web, and the proliferation of information.
• Access control to information is a fundamental requirement of organizational systems;
• Establishing a security policy;
• Managing information security risks so that information is not denied or made unavailable, lost, destroyed, damaged, disclosed without authorization, or stolen.

Information Security Management Systems
• Ensuring the protection and preservation of existing information in any format;
• Risk analysis to identify all the risks that threaten the information, pointing to solutions that eliminate, minimize or transfer those risks.

Beal (2005, p. 71) defines Information Security as "the process of protecting information from threats to ensure its integrity, availability and confidentiality."

Security properties:
• CONFIDENTIALITY
• INTEGRITY
• AVAILABILITY
• AUTHENTICITY

Threats are all situations that put information security in question:
• Natural phenomena
• Human causes (theft and fraud)
• Technical defects (hardware and software failures)
• Purposeful attacks (hackers, virus disseminators, among others)

Control mechanisms
Access control: controls which persons are authorized to enter a given location, logs the date and time of access, and decides which permissions each user has.
Intrusion detection: alerts administrators to potential intruders entering the systems.
These systems attempt to recognize intrusive behavior or actions.
Encryption: the art of encoding that enables a reversible transformation of information so that it is unintelligible to third parties.
Digital signature: a set of encrypted data associated with a document that guarantees its integrity and authenticity.
Protection of stored data: antivirus software able to detect and remove malicious programs or files.
Disaster recovery: emergency plans to ensure the preservation of documents and the physical integrity of an organization's employees in case of natural disasters.

Standards ISO/IEC 27000 and 27001
Standard ISO/IEC 27000: vocabulary and definitions
Standard ISO/IEC 27001: requirements
Together: good management of information security

Standard ISO/IEC 27000
It is a certification standard for management systems, in this case applied to the implementation of Information Security Management Systems (ISMS). It:
• Contains the terms and definitions used throughout the series, defined so that the vocabulary is clear and different interpretations are avoided;
• Includes the standards that define the requirements for an ISMS and for the certification of these systems, and provides direct support and detailed guidance for the processes and requirements of the PDCA cycle;
• Supports organizations of any sector in understanding the fundamentals, principles and concepts that enable better management of their information assets.

Some terms defined in the standard
Access control: ways to ensure that access to assets is permitted and restricted based on business and security requirements;
Responsibility (accountability): the responsibility of an entity for its actions and decisions;
Assets: anything that has value to the organization (information, software, the computer itself, services, people, etc.);
Corrective action: action to eliminate the cause of a detected nonconformity or other undesirable situation;
Authentication: providing assurance that a characteristic claimed by an entity is correct;
Authenticity: the property that an entity really is what it claims to be;
Availability: the property of being accessible and usable by an authorized entity;
Confidentiality: the property that ensures that information is not made available or disclosed to unauthorized individuals, entities or processes;
Information security: preservation of the confidentiality, integrity and availability of information;
Information Security Management System: the part of the overall management system, based on a business risk approach, that establishes, implements, operates, monitors, reviews, maintains and improves information security;
Integrity: the property of protecting the correctness of assets;
Risk: the combination of the probability of an event and its consequences;
Risk analysis: the systematic use of information to identify sources and to estimate the occurrence of a risk;
Risk management: coordinated activities to direct and control an organization in relation to a particular risk;
Threat: a potential cause of an undesired event, which may result in damage to a system or entity;
Vulnerability: a weakness of an asset or control that can be exploited by a threat.

Information Security Management System
• Provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the protection of information assets;
• The successful implementation of an ISMS depends on the analysis of requirements and on appropriate controls to protect information assets;
• The main result of the implementation is reduced information security risk;
• An ISMS can be certified; to be certified, it must satisfy the set of requirements defined by ISO/IEC 27001.
Some basic principles for a successful implementation of an ISMS:
• Awareness of the need for information security;
• Allocation of responsibilities for information security;
• Incorporating the commitment of management and the interests of all stakeholders;
• Reinforcing the values of society;
• Evaluating the risks to determine the appropriate controls to achieve acceptable levels of risk;
• Active prevention and detection of information security incidents;
• Continuous reevaluation of information security.

Process approach
A process is the transformation of inputs into outputs using a set of interconnected or interacting activities. In the ISMS family of standards, the process approach is based on the PDCA cycle:
• PLAN: establishment of the policies, objectives, processes and procedures relevant to managing risk and improving information security, planned according to the results of the organization's strategy.
• DO: implementation and operation of the policies, controls, processes and procedures.
• CHECK: inspection of process performance against the policies and objectives of the ISMS; the results are reported to management for review.
• ACT: taking corrective and preventive actions based on the results of internal ISMS audits and other information from management or other relevant sources.

Standard ISO/IEC 27001
Published in 2005. Designed to specify the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS. Certification is not a requirement of ISO/IEC 27001; it is a decision of the organization. However, eighteen months after its publication more than 2000 organizations in over 50 countries had been certified, and growth in this area has continued.
ISO/IEC 27001 is universal for all types of organizations and specifies requirements for the implementation of security controls customized to the needs of an organization.

Application
Certification usually involves an audit process in two stages:
Stage 1: review of the organization's key documentation and security policy, statement of applicability (SOA) and risk treatment plan (RTP).
Stage 2: an audit involving in-depth checking of the ISMS controls stated in the SOA and the RTP, as well as the supporting documentation.
Renewal of the certificate involves periodic reviews confirming that the ISMS continues to work as intended.

ISO/IEC 27001 involves several components.
The Information Security Management System:
• Establish, implement, operate, monitor, review, maintain and improve the ISMS;
• Documentation requirements;
• Document control;
• Records control.

Management responsibilities:
• Management commitment;
• Management and provision of resources;
• Training, awareness and competence.

Internal audits, which determine whether the ISMS:
• Meets the standard;
• Meets the identified security requirements;
• Runs as expected.
The entire procedure is documented in an audit, and auditors cannot audit their own work, which ensures objectivity and impartiality.

Management review of the ISMS:
• Input: results of audits and reviews, status of preventive and corrective actions, vulnerabilities not properly addressed in previous analyses, findings, recommendations and changes;
• Output: opportunities to include improvements and changes, modification of the ISMS, and resource needs.

Improving the ISMS:
• Continuous improvement through the use of the established policy, audit results, analysis of monitored events and corrective action (previous steps);
• Elimination of nonconformities through corrective and preventive actions.
Reconciling ISO/IEC 27000 and 27001
There is no absolute security, because 100% of the risks and threats cannot be eliminated. However, there can be a previously defined plan of controls. ISO/IEC 27000 defines the terms and definitions, while ISO/IEC 27001 sets the requirements for the future implementation of an Information Security Management System. Information security management should be performed taking into account the control measures suggested by both standards: the PDCA process model and the process of analysis, evaluation and treatment of risks.

PDCA process model
• PLAN: establish the ISMS (requirements and expectations of information security);
• DO: implement and operate the ISMS;
• CHECK: monitor and review the ISMS;
• ACT: maintain and optimize the ISMS.
This model is based on process control and verification of information security systems. The result of the PDCA process is the correct management of information systems security, based on the expectations and needs of the organization.

Analysis and risk assessment

$$\text{Risk} = \frac{\text{Threats} \times \text{Vulnerabilities} \times \text{Impacts}}{\text{Security Measures}}$$

The management and evaluation of risks are the key aspects of ISO 27001. The risk assessment should produce a list of identified risks, ranked in order of severity, from which measures are later chosen. The results of the risk analysis should help to direct and determine the most appropriate control measures to manage these risks. The risk assessment should be made with a cost-benefit view, which reveals whether it pays to minimize or transfer a risk. In short, if a risk has a low probability of occurring and the cost of treatment is high, treating it is not justified.
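The risk formula and the cost-benefit rule above, worked through in Python as an added example (it is not part of the original slides). The 1-to-5 scales, the acceptance threshold, and the rule that a risk which is expensive to reduce is transferred instead are assumptions of this example, not of the standard.

```python
"""Added example, not from the slides: score risks with the deck's formula
Risk = (Threats * Vulnerabilities * Impacts) / Security Measures, rank them by
severity and apply the deck's cost-benefit rule. The 1..5 scales, the accept
threshold and the 'expensive to reduce, so transfer' rule are assumptions."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    threat: int          # likelihood the threat occurs, 1 (rare) .. 5 (frequent)
    vulnerability: int   # exposure of the asset, 1 (well protected) .. 5 (wide open)
    impact: int          # consequence if it happens, 1 (negligible) .. 5 (severe)
    measures: int        # strength of existing security measures, 1 (none) .. 5 (strong)
    treatment_cost: int  # cost of reducing the risk, 1 (cheap) .. 5 (expensive)

def risk_score(r: Risk) -> float:
    """The slides' formula: stronger existing measures lower the score."""
    return (r.threat * r.vulnerability * r.impact) / r.measures

def rank_by_severity(risks):
    """The list of identified risks ranked in order of severity, highest first."""
    return sorted(risks, key=risk_score, reverse=True)

def recommend_treatment(r: Risk, accept_below: float = 5.0) -> str:
    """Low scores are accepted; a low-probability risk that is expensive to treat
    is not treated (the slides' rule); otherwise reduce, or transfer (insurance,
    supplier) when reduction itself is expensive (an assumption of this example)."""
    if risk_score(r) < accept_below:
        return "accept"
    if r.threat <= 2 and r.treatment_cost >= 4:
        return "accept"
    if r.treatment_cost >= 4:
        return "transfer"
    return "reduce"

def treatment_plan(risks):
    """(name, score, treatment) per risk, most severe first: input for a risk treatment plan."""
    return [(r.name, risk_score(r), recommend_treatment(r)) for r in rank_by_severity(risks)]

# Constructed sample risk register (not real data): name, threat, vulnerability, impact, measures, cost.
SAMPLE_RISKS = [
    Risk("ransomware on the file server", 4, 4, 5, 2, 3),  # 40.0 -> reduce
    Risk("flood in the data centre", 1, 3, 5, 1, 5),       # 15.0 -> accept (rare and costly to treat)
    Risk("lost unencrypted laptop", 3, 5, 4, 1, 2),        # 60.0 -> reduce
    Risk("outdated printer driver", 2, 2, 1, 4, 1),        # 1.0 -> accept (below threshold)
]
```

Calling treatment_plan(SAMPLE_RISKS) returns the register ordered by score, which is the ranked list the slides ask for before controls are chosen.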
After the process of risk analysis and assessment, there are several options for treating a risk:
• Apply security measures: choose the most appropriate measures, taking cost into account;
• Accept the risk: knowingly and consciously accept the risk, aware that this must be consistent with the organization's security policy;
• Avoid the risk: do not allow actions that could cause the risk to occur;
• Transfer the risk: transfer the risk to other parties, e.g. insurance or suppliers.
These measures are defined in ISO/IEC 27002, which supports the development of security plans and guides the best way to manage information security.

The ISO/IEC 27000 family of standards
ISO 27002 - Code of Practice: since 2007 the new name of ISO 17799. This standard is a best-practice guide that describes the control objectives and controls recommended for information security.
ISO 27003 - Implementation Guide: discusses guidelines for the implementation of an ISMS and contains information about using PDCA and the requirements of its different phases; that is, it provides a process-oriented approach to successfully implementing an ISMS in accordance with ISO/IEC 27001.
ISO 27004 - Metrics and Measurement: specifies metrics and measurement techniques applicable to determining the effectiveness of the ISMS, the control objectives and the controls used to implement and manage information security. These metrics are used primarily to measure the components of the "CHECK" phase of the PDCA cycle.
ISO 27005 - Guidelines for Risk Management: establishes guidelines for information security risk management, providing directions for implementation, monitoring and continuous improvement of the control systems. It applies to all types of organizations that intend to manage risks that could compromise the security of their information.
ISO 27006 - Guidelines for Disaster Recovery Services: specifies requirements and provides guidance for bodies providing audit and certification of an ISMS.
Some practical cases of implementation of ISO/IEC 27001
ISO 27001 already has a high number of certifications, distributed across various countries:
Japan: 4152
United Kingdom: 573
India: 546
Taiwan: 461
China: 393
Germany: 228
Czech Republic: 112
Korea: 107
United States of America: 105
Italy: 82
Spain: 72
Hungary: 71
Malaysia: 66
Poland: 61
Thailand: 59
Greece: 50
Ireland: 48
Austria: 42
Turkey: 35
France: 34
Hong Kong: 32
Australia: 30
Singapore: 29
Croatia: 27
Slovenia: 26
Mexico: 25
Slovakia: 25
Brazil: 24
Netherlands: 24
Saudi Arabia: 24
United Arab Emirates: 19
Bulgaria: 18
Iran: 18
Portugal: 18
Argentina: 17
Philippines: 16
Indonesia: 15
Pakistan: 15
Colombia: 14
Russian Federation: 14
Vietnam: 14
Iceland: 13
Kuwait: 11
Canada: 10
Norway: 10
Sweden: 10
Switzerland: 9
Bahrain: 8
Peru: 7
Chile: 5
Egypt: 5
Oman: 5
Qatar: 5
Sri Lanka: 5
South Africa: 5
Dominican Republic: 4
Morocco: 4
Belgium: 3
Gibraltar: 3
Lithuania: 3
Macau: 3
Albania: 3
Bosnia and Herzegovina: 2
Cyprus: 2
Ecuador: 2
New Jersey: 2
Kazakhstan: 2
Luxembourg: 2
Macedonia: 2
Malta: 2
Mauritania: 2
Ukraine: 2
Armenia: 1
Bangladesh: 1
Belarus: 1
Bolivia: 1
Denmark: 1
Estonia: 1
Kyrgyzstan: 1
Lebanon: 1
Moldova: 1
New Zealand: 1
Sudan: 1
Uruguay: 1
Yemen: 1
Total: 7940

Certification process of an ISMS
The first phase of the process concerns the organizations themselves: being prepared for certification of their ISMS. The second phase involves an audit of the organization's ISMS by accredited certification bodies. The certificate is valid for three years, so the third phase of the process is surveillance by the certification bodies.
Certification bodies

Organizations with ISMS certificates in Portugal
Organization name | Certificate number | Certification body | Certification standard
ARENA MEDIA | 83889CC2-2010-AIS-IBE-UKAS | DNV | ISO/IEC 27001:2005
Caixa Económica de Cabo Verde | (not listed) | Bureau Veritas Certification | ISO/IEC 27001:2005
Departamento de Jogos da Santa Casa da Misericórdia de Lisboa (DJSCML) | IS 524281 | (not listed) | ISO/IEC 27001:2005
ENAME S.A. | GB11/82769 | SGS United Kingdom Ltd | ISO/IEC 27001:2005
HAVAS SPORT & ENTERTAINMENT | 83889CC6-2010-AIS-IBE-UKAS | DNV | ISO/IEC 27001:2005
INSTITUTO DE INFORMÁTICA, I.P. | 3896769 | Bureau Veritas Certification | ISO/IEC 27001:2005
INTEGRITY S.A. | GB12/85456 | SGS United Kingdom Ltd | ISO/IEC 27001:2005
LATTITUDE | 83889CC3-2010-AIS-IBE-UKAS | DNV | ISO/IEC 27001:2005
Maksen Consulting, S.A. | PT001307 | Bureau Veritas Certification | ISO/IEC 27001:2005
MEDIA CONTACTS | 83889CC9-2010-AIS-IBE-UKAS | DNV | ISO/IEC 27001:2005
MOBEXT | 83889CC10-2010-AIS-IBE-UKAS | DNV | ISO/IEC 27001:2005
MPG | 83889CC13-2010-AIS-IBE-UKAS | DNV | ISO/IEC 27001:2005
ONE TO ONE | 83889CC8-2010-AIS-IBE-UKAS | DNV | ISO/IEC 27001:2005
Ponto.C – Desenvolvimento de Sistemas de Informação, Lda. | GB11/83230 | SGS United Kingdom Ltd | ISO/IEC 27001:2005
Portugalmail SA | 12/86073 | SGS United Kingdom Ltd | ISO/IEC 27001:2005
TV Cabo Portugal | 202194 | Bureau Veritas Certification | ISO/IEC 27001:2005
VORTAL – COMÉRCIO ELECTRÓNICO CONSULTADORIA E MULTIMEDIA SA | IS 515264 | (not listed) | ISO/IEC 27001:2005
ZON TV CABO PORTUGAL, SA | 202194 | Bureau Veritas Certification | ISO/IEC 27001:2005

Conclusions
• Understand what the control mechanisms against threats are.
• Studying ISO 27000 and 27001 is a way to understand the assumptions underlying information security.
• This theme is quite relevant today, since there is much talk of hackers and crackers attacking digital platforms, trying to gain access to confidential information.
• Information is an asset of great value to organizations and needs to be properly protected in order to maintain its confidentiality, availability, integrity and authenticity.
• We analyzed the standards and identified clearly enough what characterizes each of them.
• ISO 27000 gives us terms and definitions, while ISO 27001 adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System.