G4T9-ISO.27000.final-pres - Faculdade de Engenharia da

Information Security
Standards ISO/IEC 27000 and ISO/IEC 27001
Information Security assignment, MCI 2012/13
Lecturer: José Manuel de Magalhães Cruz
Faculdade de Engenharia da Universidade do Porto
Mestrado em Ciência da Informação (Master's in Information Science)
Information Security
Increased dependence of firms on information technologies and systems
+ Web evaluation
+ Proliferation of information.
• Access control to information is a fundamental requirement in organizational systems;
• Establishing a security policy;
• Management of information security risks, to ensure that information is not denied or made unavailable, lost, destroyed or damaged, disclosed without authorization, or stolen.
Information Security Management Systems
Ensuring the protection and preservation of existing information in any format;
Risk analysis to identify all the risks that threaten the information, proposing solutions that eliminate, minimize or transfer those risks.
Beal (2005, p. 71) defines Information Security as "the process of protecting information from threats to ensure its integrity, availability and confidentiality."
• CONFIDENTIALITY
• INTEGRITY
• AVAILABILITY
• AUTHENTICITY
Threats are all situations that put information security in question:
• Natural phenomena
• Human causes (theft and fraud)
• Technical defects (hardware and software failures)
• Purposeful attacks (hackers, virus disseminators, among others)
Access Control
Controls which persons are authorized to enter a given location, logs the date and time of each access, and decides which permissions each user has.
Intrusion Detection
Alerts administrators to potential intruders entering the systems. These systems attempt to recognize intrusive behaviour or actions.
Encryption
The art of encoding that enables a reversible transformation of information in order to make it unintelligible to third parties.
Digital Signature
A set of encrypted data associated with a document that guarantees its integrity and authenticity.
Protection of Stored Data
Antivirus software that is able to detect and remove malicious programs or files.
Disaster Recovery
Emergency plans to ensure the preservation of documents and the physical safety of an organization's employees in the event of natural disasters.
Standards ISO/IEC 27000 and 27001
Standard ISO/IEC 27000: vocabulary and definitions
Standard ISO/IEC 27001: requirements
Good management of information security
Standard ISO/IEC 27000
It is a standard for the certification of management systems, in this case applied to the implementation of Information Security Management Systems (ISMS).
It contains the terms and definitions used throughout the series, defined clearly to avoid differing interpretations of the vocabulary.
It includes standards that define the requirements for an ISMS and for the certification of these systems, and provides direct support and detailed guidance for the processes and requirements of the PDCA cycle.
It supports organizations in any sector in understanding the fundamentals, principles and concepts that enable better management of their information assets.
Some terms defined in the standard
Access control - means of ensuring that access to assets is permitted and restricted based on business and security requirements;
Responsibility - the responsibility of an entity for its actions and decisions;
Assets - anything that has value to the organization (information, software, the computer itself, services, people, etc.);
Corrective action - action to eliminate the cause of a detected nonconformity or other undesirable situation;
Authentication - provision of assurance that a characteristic claimed by an entity is correct;
Authenticity - property that an entity is really what it claims to be;
Availability - property of being accessible and usable by an authorized entity;
Confidentiality - property that information is not made available or disclosed to unauthorized individuals, entities or processes;
Information security - preservation of the confidentiality, integrity and availability of information;
Information Security Management System - the part of the overall management system, based on a business risk approach, that establishes, implements, operates, monitors, reviews, maintains and improves information security;
Integrity - property of protecting the accuracy and completeness of assets;
Risk - combination of the probability of an event and its consequences;
Risk analysis - systematic use of information to identify sources of risk and to estimate the risk;
Risk management - coordinated activities to direct and control an organization with regard to a particular risk;
Threat - potential cause of an unwanted incident, which may result in damage to a system or entity;
Vulnerability - weakness of an asset or control that can be exploited by a threat.
Security Management System
Provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the protection of information assets.
The successful implementation of an ISMS depends on the analysis of requirements and on appropriate controls to protect information assets.
The main result of the implementation is a reduction of information security risks.
For an ISMS to be certifiable, it must satisfy the set of requirements defined by ISO/IEC 27001.
Some basic principles for a successful implementation of an ISMS:
• Awareness of the need for information security;
• Allocation of responsibilities for information security;
• Incorporating the commitment of management and the interests of all stakeholders;
• Reinforcing the values of society;
• Assessing the risks to determine the appropriate controls to reach acceptable levels of risk;
• Active prevention and detection of information security incidents;
• Continuous reassessment of information security.
Process Approach
A process is the transformation of inputs into outputs using a set of interconnected or interacting activities.
In the ISMS family of standards, the process approach is based on the PDCA cycle:
• PLAN - Establishment of the policies, objectives, processes and procedures relevant to managing risk and improving information security, planned according to the organization's strategy and results.
• DO - Implementation and operation of the policies, controls, processes and procedures.
• CHECK - Assessment of process performance against the policies and objectives of the ISMS. The results should be reported to management for review.
• ACT - Taking corrective and preventive actions, based on the results of internal ISMS audits and other information from management or other relevant sources.
Standard ISO/IEC 27001
Published in 2005.
Designed to specify the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS.
Certification is not a requirement of ISO/IEC 27001; it is a decision of the organization.
Nevertheless, eighteen months after its publication more than 2000 organizations in over 50 countries had been certified, and growth in this area has continued.
ISO/IEC 27001 is universal, applicable to all types of organizations, and specifies requirements for the implementation of security controls customized to the needs of an organization.
Application
Certification usually involves an audit process in two stages:
Stage 1 - Review of the organization's key documentation and security policy, statement of applicability (SOA) and risk treatment plan (PTR).
Stage 2 - An audit involving detailed verification of the ISMS controls stated in the SOA and the PTR, as well as of the supporting documentation.
Renewal of the certificate involves periodic reviews confirming that the ISMS continues to work as intended.
ISO/IEC 27001 involves several components:
The Information Security Management System:
• Establish, implement, operate, monitor, review, maintain and improve the ISMS;
• Documentation requirements;
• Control of documents;
• Control of records.
Management responsibilities:
Management commitment;
Management and provision of resources;
Training, awareness and competence.
Internal audits that determine whether the ISMS:
Meets the standard;
Meets the identified security requirements;
Runs as expected.
The whole procedure is documented in an audit, and auditors cannot audit their own work, which provides objectivity and impartiality.
Management review of the ISMS:
Input: results of audits and reviews, status of preventive and corrective actions, vulnerabilities not properly addressed in previous reviews, findings, recommendations and changes;
Output: opportunities to include improvements and changes, modification of the ISMS and resource needs.
Improving the ISMS:
Continual improvement through use of the established policy, audit results, analysis of monitored events and corrective actions (previous steps);
Elimination of nonconformities through corrective and preventive actions.
Reconciling ISO/IEC 27000 and 27001
There is no absolute security, because 100% of risks and threats cannot be eliminated. However, a previously defined control plan can exist.
The 27000 standard serves to define terms and definitions, while the 27001 standard sets out requirements for the future implementation of an Information Security Management System.
Information security management should be performed taking into account the control measures suggested by both standards: the PDCA process model and the process of risk analysis, assessment and treatment.
PDCA Process Model
(Diagram) Input: information security requirements and expectations. Centre: Information Security Management System. Plan: establish the ISMS. Do: implement and operate the ISMS. Check: monitor and review the ISMS. Act: maintain and optimize the ISMS.
This model is based on process control and verification of information systems security.
The result of the PDCA process is the correct management of information systems security, based on the expectations and needs of an organization.
Analysis and risk assessment

$$\text{Risk} = \frac{\text{Threats} \times \text{Vulnerabilities} \times \text{Impacts}}{\text{Security Measures}}$$

Management and evaluation of risks are the key aspects of ISO 27001. The risk assessment should produce a list of the identified risks, ranked in order of severity, for the measures to be taken later. The results of the risk analysis should help direct and determine the most appropriate control measures to manage these risks.
The risk assessment should take a cost-benefit view, which helps reveal whether a risk is worth minimizing or transferring. In short, if a risk has a low probability of occurring and the cost of treatment is high, treating it is not a sensible decision.
After the risk analysis and assessment process, there are several options for treating each risk:
• Apply security measures: choose the most appropriate measures, taking their cost into account;
• Accept the risk: knowingly and consciously accept the risk, being aware that this is consistent with the organization's security policy;
• Avoid the risk: do not allow actions that could cause the risk to occur;
• Transfer the risk: transfer the risk to other parties, e.g. insurers or suppliers.
These measures are defined by ISO/IEC 27002, which supports the development of security plans and guides the best way to manage information security.
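The following is an added example, not part of the slides and not text from any ISO standard: a small risk register that scores each risk with the deck's formula (threats × vulnerabilities × impacts, divided by security measures), ranks the results by severity as the deck asks, and then picks one of the four treatment options above using the deck's cost-benefit rule (low probability plus expensive treatment means accept). The 1 to 5 scales, the threshold values, the field names and the sample register are all assumptions made for the illustration.

```python
"""Risk register built on the slide deck's formula
    Risk = (Threats * Vulnerabilities * Impacts) / (Security Measures)
and its four treatment options (apply measures, accept, avoid, transfer).
Added illustration: the 1-5 scales, the threshold values and the sample
register are assumptions for the example, not text from ISO/IEC 27001."""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    threat: str
    threats: int          # likelihood that the threat occurs, 1 (rare) .. 5 (frequent)
    vulnerabilities: int  # how exposed the asset is, 1 (well protected) .. 5 (wide open)
    impacts: int          # consequence if it happens, 1 (negligible) .. 5 (severe)
    measures: int         # strength of the security measures in place, 1 (none) .. 5 (strong)
    treatment_cost: int   # estimated cost of reducing the risk further, 1 (cheap) .. 5 (expensive)
    transferable: bool = False  # can it be passed to another party (insurer, supplier)?

    def __post_init__(self) -> None:
        # The formula divides by the security measures, so 0 would be undefined;
        # 1 stands for "no measures in place" and is the weakest allowed value.
        for name in ("threats", "vulnerabilities", "impacts", "measures", "treatment_cost"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be in 1..5, got {value}")

    def score(self) -> float:
        """The deck's formula: threats x vulnerabilities x impacts, divided by measures."""
        return (self.threats * self.vulnerabilities * self.impacts) / self.measures


def rank(risks: list[Risk]) -> list[Risk]:
    """Ranked list of identified risks, most severe first."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def recommend(r: Risk, accept_below: float = 5.0, avoid_at_or_above: float = 60.0) -> str:
    """Pick one of the four treatment options for a risk (thresholds are assumed)."""
    s = r.score()
    if s >= avoid_at_or_above:
        return "avoid"        # too severe to tolerate: stop the activity that creates it
    if r.transferable and r.treatment_cost >= 3:
        return "transfer"     # cheaper to insure or outsource than to fix in-house
    if r.threats <= 2 and r.treatment_cost >= 4:
        return "accept"       # the deck's cost-benefit rule: low probability, expensive to treat
    if s < accept_below:
        return "accept"       # already within an acceptable level of risk
    return "mitigate"         # apply security measures


def treatment_plan(risks: list[Risk]) -> list[tuple[str, float, str]]:
    """(asset, score, decision) tuples in severity order: the input to a risk treatment plan."""
    return [(r.asset, r.score(), recommend(r)) for r in rank(risks)]


# Constructed sample register; the threat names follow the deck's threat categories.
SAMPLE_REGISTER = [
    Risk("customer records", "theft / unauthorized disclosure", 4, 4, 5, 2, 3),
    Risk("data centre", "flood (natural phenomenon)", 2, 3, 5, 1, 4, transferable=True),
    Risk("public web site", "hardware failure", 3, 2, 2, 3, 2),
    Risk("payment service", "purposeful attack (malware)", 5, 4, 5, 1, 2),
    Risk("backup tapes", "theft", 2, 2, 4, 2, 5),
]

if __name__ == "__main__":
    for asset, score, decision in treatment_plan(SAMPLE_REGISTER):
        print(f"{asset:18} risk={score:6.1f}  -> {decision}")
```

Running the module prints the ranked register: the payment service scores 100 and is flagged "avoid", the customer records (40) get "mitigate", the flood risk (30) is "transfer" because it is insurable, and the two low-scoring or low-probability items are accepted. The order of the checks in recommend() matters: transfer is tested before the accept rule so that an insurable risk is not silently accepted just because treating it in-house would be expensive.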
The ISO/IEC 27000 family of standards
ISO 27002 - Code of Practice
Since 2007 this is the new name of ISO 17799. It is a best-practice guide that describes the control objectives and controls recommended for information security.
ISO 27003 - Implementation Guide
Discusses guidelines for the implementation of an ISMS and contains information about using PDCA and the requirements of its different phases; that is, it provides a process-oriented approach to successfully implementing an ISMS in accordance with ISO/IEC 27001.
ISO 27004 - Metrics and Measurement
Specifies metrics and measurement techniques for determining the effectiveness of the ISMS, of the control objectives and of the controls used to implement and manage information security. These metrics are used primarily to measure the components of the CHECK phase of the PDCA cycle.
ISO 27005 - Guidelines for Risk Management
Establishes guidelines for information security risk management, providing directions for the implementation, monitoring and continual improvement of control systems. It applies to all types of organizations that intend to manage risks that could compromise the security of their information.
ISO 27006 - Guidelines for Disaster Recovery Services
Specifies requirements and provides guidance for bodies providing audit and certification of an ISMS.
Some practical cases of implementation of ISO/IEC 27001
ISO 27001 already has a high number of certifications distributed across various countries:

Country                     Certificates
Japan                       4152
United Kingdom              573
India                       546
Taiwan                      461
China                       393
Germany                     228
Czech Republic              112
Korea                       107
United States of America    105
Italy                       82
Spain                       72
Hungary                     71
Malaysia                    66
Poland                      61
Thailand                    59
Greece                      50
Ireland                     48
Austria                     42
Turkey                      35
France                      34
Hong Kong                   32
Australia                   30
Singapore                   29
Croatia                     27
Slovenia                    26
Mexico                      25
Slovakia                    25
Brazil                      24
Netherlands                 24
Saudi Arabia                24
United Arab Emirates        19
Bulgaria                    18
Iran                        18
Portugal                    18
Argentina                   17
Philippines                 16
Indonesia                   15
Pakistan                    15
Colombia                    14
Russian Federation          14
Vietnam                     14
Iceland                     13
Kuwait                      11
Canada                      10
Norway                      10
Sweden                      10
Switzerland                 9
Bahrain                     8
Peru                        7
Chile                       5
Egypt                       5
Oman                        5
Qatar                       5
Sri Lanka                   5
South Africa                5
Dominican Republic          4
Morocco                     4
Belgium                     3
Gibraltar                   3
Lithuania                   3
Macau                       3
Albania                     3
Bosnia and Herzegovina      2
Cyprus                      2
Ecuador                     2
New Jersey                  2
Kazakhstan                  2
Luxembourg                  2
Macedonia                   2
Malta                       2
Mauritania                  2
Ukraine                     2
Armenia                     1
Bangladesh                  1
Belarus                     1
Bolivia                     1
Denmark                     1
Estonia                     1
Kyrgyzstan                  1
Lebanon                     1
Moldova                     1
New Zealand                 1
Sudan                       1
Uruguay                     1
Yemen                       1
Total                       7940
Certification Process of an ISMS
The first phase of the process involves the organizations themselves, which must prepare for certification of their ISMS.
The second phase involves an audit of the organization's ISMS by accredited certification bodies. The certificate issued is valid for three years, so the third phase of the process is surveillance by the certification bodies.
Certification Bodies
Organizations with ISMS certificates in Portugal

Organization name | Certificate number | Certification body | Certification standard
ARENA MEDIA | 83889CC2-2010-AIS-IBE-UKAS | DNV | ISO/IEC 27001:2005
Caixa Económica de Cabo Verde | (not given) | Bureau Veritas Certification | ISO/IEC 27001:2005
Departamento de Jogos da Santa Casa da Misericórdia de Lisboa (DJSCML) | IS 524281 | (not given) | ISO/IEC 27001:2005
ENAME S.A. | GB11/82769 | SGS United Kingdom Ltd | ISO/IEC 27001:2005
HAVAS SPORT & ENTERTAINMENT | 83889CC6-2010-AIS-IBE-UKAS | DNV | ISO/IEC 27001:2005
INSTITUTO DE INFORMÁTICA, I.P. | 3896769 | Bureau Veritas Certification | ISO/IEC 27001:2005
INTEGRITY S.A. | GB12/85456 | SGS United Kingdom Ltd | ISO/IEC 27001:2005
LATTITUDE | 83889CC3-2010-AIS-IBE-UKAS | DNV | ISO/IEC 27001:2005
Maksen Consulting, S.A. | PT001307 | Bureau Veritas Certification | ISO/IEC 27001:2005
MEDIA CONTACTS | 83889CC9-2010-AIS-IBE-UKAS | DNV | ISO/IEC 27001:2005
MOBEXT | 83889CC10-2010-AIS-IBE-UKAS | DNV | ISO/IEC 27001:2005
MPG | 83889CC13-2010-AIS-IBE-UKAS | DNV | ISO/IEC 27001:2005
ONE TO ONE | 83889CC8-2010-AIS-IBE-UKAS | DNV | ISO/IEC 27001:2005
Ponto.C – Desenvolvimento de Sistemas de Informação, Lda. | GB11/83230 | SGS United Kingdom Ltd | ISO/IEC 27001:2005
Portugalmail SA | 12/86073 | SGS United Kingdom Ltd | ISO/IEC 27001:2005
TV Cabo Portugal | 202194 | Bureau Veritas Certification | ISO/IEC 27001:2005
VORTAL – COMÉRCIO ELECTRÓNICO CONSULTADORIA E MULTIMEDIA SA | IS 515264 | (not given) | ISO/IEC 27001:2005
ZON TV CABO PORTUGAL, SA | 202194 | Bureau Veritas Certification | ISO/IEC 27001:2005
Conclusions
• Understand what the control mechanisms against threats are.
• Studying ISO 27000 and 27001 means understanding the assumptions related to information security.
• This theme is quite relevant today, since there is much talk of hackers and crackers acting against digital platforms to gain access to confidential information.
• Information is an asset of great value for organizations and needs to be properly protected in order to maintain its confidentiality, availability, integrity and authenticity.
• We analyzed the standards and identified clearly enough what characterizes each of them.
• The ISO 27000 standard gives us terms and definitions, and the ISO 27001 standard adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System.