01.04.2014 Information Security

ISO 27001: Information Security Management System (ISMS)
Information Assets
Information is an asset – like other important business assets, it has value to an organisation and consequently needs to be suitably protected.
What is Information?
 Current Business Plans
 Future Plans
 Intellectual Property (Patents, etc.)
 Employee Records
 Customer Details
 Business Partners Records
 Financial Records
What is Information Security?
 Information Security addresses
– Confidentiality (C)
– Integrity (I)
– Availability (A)
 It also involves
– Authenticity
– Accountability
– Non-repudiation
– Reliability
Enterprise/Corporate IT Hardware Resources
Information Security Risks
• A range of risks exists, including:
• System failures
• Denial of service (DoS) attacks
• Misuse of resources
• Damage to reputation
• Espionage
• Fraud
• Viruses, spyware, etc.
• Use of unlicensed software
• Internet/email/telephone
Layered Security
Security Awareness/Culture
 Security is everyone’s responsibility
 All levels of management accountable
 Everyone should consider, in their daily roles:
– Attitude (willing/aims/wants/targets)
– Knowledge (what to do?)
– Skill (how to do?)
 Security is integrated into all operations
 Security performance should be measured
Security Awareness Program Flow
(Diagram: Company Policy, Security Awareness Program, Define, Implement, Activities, Employees, Elicit, Feedback, Integrate)
Benefits of pursuing certification
 Allows organizations to mitigate the risk of IS breaches
 Allows organizations to mitigate the impact of IS breaches when they occur
 In the event of a security breach, certification should reduce the penalty imposed by regulators
 Allows organizations to demonstrate due diligence and due care
– to shareholders, customers and business partners
 Allows organizations to demonstrate proactive compliance with legal, regulatory and contractual requirements
– as opposed to taking a reactive approach
 Provides independent third-party validation of an organization’s ISMS
Structure of the 27000 series
 27000 Fundamentals & Vocabulary
 27001 ISMS
 27002 Code of Practice for ISM
 27003 Implementation Guidance
 27004 Metrics & Measurement
 27005 Risk Management
 27006 Guidelines on ISMS accreditation
What is ISO 27001?
 ISO 27001 Part I
– Code of practice for Information Security Management (ISM)
– Best practices, guidance, recommendations for
• Confidentiality (C)
• Integrity (I)
• Availability (A)
 ISO 27001 Part II
– Specification for ISM
ISO 27001 Overview
– All clauses should be applied, NO exceptions
 Mandatory Clauses (4 to 8)
 Annex A (Control Objectives and Controls)
– 11 Security Domains (A5 to A15)
• Layers of security
– 39 Control Objectives
• Statement of desired results or purpose
– 133 Controls
• Policies, procedures, practices, software controls and organizational structure
• To provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected
• Exclusion of some controls is possible, if it can be justified???
Difference Between the 27001:2000 and 27001:2005 Editions? (Annex A)
2000 Edition (10 sections)                 | 2005 Edition (11 sections)
Security Policy                            | A5 - Security Policy
Security Organisation                      | A6 - Organising Information Security
Asset Classification & Control             | A7 - Asset Management
Personnel Security                         | A8 - Human Resources Security
Physical & Environmental Security          | A9 - Physical & Environmental Security
Communications & Operations Management     | A10 - Communications & Operations Management
Access Control                             | A11 - Access Control
Systems Development & Maintenance          | A12 - Information Systems Acquisition, Development and Maintenance
                                           | A13 - Information Security Incident Management
Business Continuity Management             | A14 - Business Continuity Management
Compliance                                 | A15 - Compliance
ISO 27001 Implementation Steps
 Decide on the ISMS scope
 Approach to risk assessment
 Perform GAP Analysis
 Selection of controls
 Statement of Applicability
 Reviewing and Managing the Risks
 Ensure management commitment
 ISMS internal audits
 Measure effectiveness and performance
 Update risk treatment plans, procedures and controls
Plan-Do-Check-Act (PDCA)
 ISO 27001 adopts the “Plan-Do-Check-Act” (PDCA) model
– Applied to structure all ISMS processes
(Diagram: the PDCA cycle of Plan, Do, Check, Act)
PDCA Model
Plan (Establish ISMS): Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving IS, to deliver results in accordance with an organization’s overall policies and objectives.
Do (Implement and operate ISMS): Implement and operate ISMS policy, controls, processes and procedures.
Check (Monitor and review ISMS): Assess, and where applicable measure, process performance against ISMS policy, objectives and practical experience, and report the results to management for review.
Act (Maintain and improve ISMS): Take corrective actions, based on the results of the internal audit and management review or other relevant information, to achieve continual improvement of the ISMS.
ISO 27001 (Requirements) Standard Content
 Introduction
– Section 0
 Scope
– Section 1
 Normative references
– Section 2
 Terms and definitions
– Section 3
 Plan
– Section 4 to plan the establishment of your organization’s ISMS.
 Do
– Section 5 to implement, operate, and maintain your ISMS.
 Check
– Sections 6 and 7 to monitor, measure, audit, and review your ISMS.
 Act
– Section 8 to take corrective and preventive actions to improve your ISMS.
 Annex A (Clauses A.5 to A.15)
ISO 27001 PDCA Approach
 Plan:
– Study requirements
– Draft an IS Policy
– Discuss in IS Forum (committee)
– Finalize and approve the policy
– Establish implementation procedure
– Staff awareness/training
 Do:
– Implement the policy
 Check:
– Monitor, measure, & audit the process
 Act:
– Improve the process
ISMS Scope
 Business security policy and plans
 Current business operations requirements
 Future business plans and requirements
 Legislative requirements
 Obligations and responsibilities with regard to security contained in SLAs
 The business and IT risks and their management
A Sample List of IS Policies
 Overall ISMS policy
 Access control policy
 Email policy
 Internet policy
 Anti-virus policy
 Information classification policy
 Use of IT assets policy
 Asset disposal policy
The C.I.A. triangle is made up of:
 Confidentiality
 Integrity
 Availability
(Over time the list of characteristics has expanded, but these 3 remain central)
CIA +
 Confidentiality
 Integrity
 Availability
plus
 Privacy
 Identification
 Authentication
 Authorization
 Accountability
Confidentiality
Confidentiality of information ensures that only those with sufficient privileges may access certain information. To protect the confidentiality of information, a number of measures may be used, including:
 Information classification
 Secure document storage
 Application of general security policies
 Education of information custodians & end users

Integrity
Integrity is the quality or state of being whole, complete, & uncorrupted. The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state. Corruption can occur while information is being compiled, stored, or transmitted.

Availability
Availability is making information accessible to users without interference or obstruction, in the required format. A user in this definition may be either a person or another computer system. Availability means availability to authorized users.

Privacy
Information is to be used only for purposes known to the data owner. This does not focus on freedom from observation, but rather on the information being used only in ways known to the owner.

Identification
Information systems possess the characteristic of identification when they are able to recognize individual users. Identification and authentication are essential to establishing the level of access or authorization that an individual is granted.

AAA
Authentication occurs when a control provides proof that a user possesses the identity that he or she claims.
After the identity of a user is authenticated, a process called authorization provides assurance that the user (whether a person or a computer) has been specifically & explicitly authorized by the proper authority to access, update, or delete the contents of an information asset.
The characteristic of accountability exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process.
To review ... CIA +
 Confidentiality, Integrity, Availability
 plus Privacy, Identification, Authentication, Authorization, Accountability
Think about your home computer. How do you secure it? How do you guarantee confidentiality, integrity, & availability?
NSTISSC Security Model
Two well-known approaches to management:
 Traditional management theory, using the principles of planning, organizing, staffing, directing, & controlling (POSDC).
 Popular management theory, which groups the principles of management into planning, organizing, leading, & controlling (POLC).
Planning is the process that develops, creates, & implements strategies for the accomplishment of objectives.
Three levels of planning:
1. Strategic
2. Tactical
3. Operational
In general, planning begins with the strategic plan for the whole organization. To do this successfully, an organization must thoroughly define its goals & objectives.
Organization: structuring of resources to support the accomplishment of objectives.
Organizing tasks requires determining:
 What is to be done
 In what order
 By whom
 By which methods
 When
Leadership encourages the implementation of the planning and organizing functions, including supervising employee behavior, performance, attendance, & attitude. Leadership generally addresses the direction and motivation of the human resource.
Control is monitoring progress toward completion & making necessary adjustments to achieve the desired objectives. The controlling function determines what must be monitored, as well as using specific control tools to gather and evaluate information.
Four categories of control tools:
 Information
 Financial
 Operational
 Behavioral
The Control Process
How to Solve Problems
Step 1: Recognize & define the problem
Step 2: Gather facts & make assumptions
Step 3: Develop possible solutions
Step 4: Analyze & compare possible solutions
Step 5: Select, implement, & evaluate a solution
Feasibility Analyses
 Economic feasibility assesses the costs & benefits of a solution
 Technological feasibility assesses an organization’s ability to acquire & manage a solution
 Behavioral feasibility assesses whether members of an organization will support a solution
 Operational feasibility assesses whether an organization can integrate a solution
Extended characteristics or principles of InfoSec management (AKA the 6 P’s):
1. Planning
2. Policy
3. Programs
4. Protection
5. People
6. Project Management
1. Planning as part of InfoSec management is an extension of the basic planning model discussed earlier in this chapter. Included in the InfoSec planning model are the activities necessary to support the design, creation, and implementation of information security strategies as they exist within the IT planning environment.
Several types of InfoSec plans exist:
 Incident response
 Business continuity
 Disaster recovery
 Policy
 Personnel
 Technology rollout
 Risk management
 Security program, including education, training, & awareness
2. Policy: a set of organizational guidelines that dictates certain behavior within the organization.
In InfoSec, there are 3 general categories of policy:
1. General program policy (Enterprise Security Policy)
2. Issue-specific security policy (ISSP)
3. System-specific policies (SSSPs)
3. Programs: specific entities managed in the information security domain. One such entity is the security education, training & awareness (SETA) program. Other programs that may emerge include the physical security program, complete with fire, physical access, gates, guards, & so on.
4. Protection: risk management activities, including risk assessment and control, as well as protection mechanisms, technologies, & tools. Each of these mechanisms represents some aspect of the management of specific controls in the overall information security plan.
5. People are the most critical link in the information security program. It is imperative that managers continuously recognize the crucial role that people play. This includes information security personnel and the security of personnel, as well as aspects of the SETA program.
6. Project management discipline should be present throughout all elements of the information security program. This involves:
 Identifying and controlling the resources applied to the project
 Measuring progress & adjusting the process as progress is made toward the goal
In summation:
 Communities of interest
 CIA+
 Planning, Organizing, Leading, Controlling
 Principles of InfoSec management (the 6 P’s)