O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.

Information Security Strategic Management

The right mindset to transform risk management into a business process and how to build a framework and strategically manage information security.

  • Entre para ver os comentários

Information Security Strategic Management

  1. 1. Information Security Strategic Management Marcelo Martins linkedin.com/in/marcelomartins
  2. 2. Agenda §  Overview §  Risk-based prioritization §  Roles and responsibilities §  Framework §  Monitoring and Measurement §  Challenges §  Resources §  Certification
  3. 3. Overview Information Security Management §  Continuous effort with reasonable costs to... §  Protect information assets §  Satisfy regulatory requirements §  Reduce risks and legal exposures §  Support business functions §  Usually, information security is seen as an impediment to conclude the work §  Compliance helps to boost security §  But compliance ≠ security
  4. 4. Overview §  Compliance isn’t security. Why? §  Depends on certification scope §  Physical environments §  Processes §  Depends on relationship with other business areas/ partners §  Depends on business threats §  Different regulation for different threats ¨  e.g.: PCI-DSS and HITECH
  5. 5. Overview §  Compliance isn’t security. Why? §  BS ISO/IEC 27001:2013 §  “This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.” §  “Compliance with a British Standard cannot confer immunity from legal obligations.”
  6. 6. §  Additional reading §  Compliance isn’t security §  “According to the 2012 "HIMSS Analytics Report: Security of Patient Data," increasingly strict regulation and increased compliance from providers haven't slowed an increase in breaches over the past six years.” ¨  http://www.csoonline.com/article/704577/compliance-isn-t-security- but-companies-still-pretend-it-is-according-to-survey Overview
  7. 7. §  Additional reading §  Compliance isn’t security §  “Yet, respondents to the survey, which included CIOs, compliance officers and HIMs, expressed confidence that they are better prepared for attempted data theft -- in spite of evidence to the contrary -- because they are in better compliance with regulations like the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.” §  “The results of that are predictable. The number of organizations reporting breaches went from 13 percent in 2008 to 19 percent in 2010 to 27 percent in the past year [2011].” Overview
  8. 8. §  Additional reading §  Compliance isn’t security §  “But, the survey did [find] some organizational flaws as well, specifically in confusion over who is really responsible for data security. The respondents' answers ranged through CIO, CSO, CEO, HIM and chief compliance officer.” Overview CSO: Chief Security Officer HIM: Health Information Management
  9. 9. Are we pessimist enough?
  10. 10. The Pessimist CSO §  The new hat: the Pessimist CSO §  You should assume that §  Your technology won’t help you §  Your users will go behind your back §  You are the next target
  11. 11. The Pessimist CSO §  Pessimism vs. optimism §  Abigail Hazlett, PhD. §  Social Psychology, Northwestern University Thesis: “Hoping for the Best or Preparing for the Worst? Regulatory Focus and Preferences for Optimism and Pessimism in Predicting Personal Outcomes” ¨  http://psychcentral.com/blog/archives/2011/03/17/pessimism-vs- optimism/
  12. 12. The Pessimist CSO §  Pessimism vs. optimism §  Abigail Hazlett, PhD. §  “To cope with this unpredictability some of us choose to think optimistically because it helps motivate us to try, try again. For others a pessimistic mindset performs the same function. By thinking about what might go wrong it helps protect us against when things do go wrong.” §  “In two initial studies optimists were found to have a ‘promotion focus’. In other words they preferred to think about how they could advance and grow. Pessimists, meanwhile, were more preoccupied with security and safety.”
  13. 13. The Pessimist CSO §  Pessimists Make Better Leaders §  Psychology Today: “Having realistic expectations may actually be a recipe for happiness” §  Wikipedia: “Pessimism is a state of mind in which one anticipates negative outcomes...” §  The Uses and Abuses of Optimism and Pessimism §  http://www.psychologytoday.com/articles/201110/the-uses-and- abuses-optimism-and-pessimism ¨  Ctrl+F: “And pessimism?”
  14. 14. The Pessimist CSO §  Pessimists Make Better Leaders §  The Uses and Abuses of Optimism and Pessimism §  “And pessimism? When is it useful? Surprisingly, it can be most helpful at the moments when we might seem to have the least to feel pessimistic about. When we've been successful before and have a realistic expectation of being successful again, we may be lulled into laziness and overconfidence. Pessimism can give us the push that we need to try our best. This phenomenon, known as "defensive pessimism," involves imagining all the things that might go wrong in the future. It spurs us to take action to head off the potential catastrophes we conjure and prevent them from happening. (…)”
  15. 15. The Pessimist CSO
  16. 16. The Pessimist CSO It’s just a matter of point of view
  17. 17. Agenda §  Overview §  Risk-based prioritization §  Roles and responsibilities §  Framework §  Monitoring and Measurement §  Challenges §  Resources §  Certification
  18. 18. Risk-based prioritization §  Risk/reward equation §  Estimate your reward §  Estimate the risks involved §  Determinate your risk appetite §  Define roles and responsibilities §  Build a Risk Assumption Model §  Make Risk Management a business process
  19. 19. Risk-based prioritization Risk Quantification Loss Expectancy Control Cost Exposure Factor
  20. 20. §  EF (Exposure Factor) §  EF is a percentage of the asset affected by a single occurrence of the incident and is used when the asset sustains damage. §  For example, in case of fire, it is possible to estimate that 90% of the asset will be destroyed. In this case, EF is 90% (0,9) §  SLE (Single Loss Expectancy) §  SLE is the expected loss in case of risk materialization with business impact §  Depending on the threat EF may not be taken into consideration SLE = Financial value of the asset x EF or SLE = Loss caused by the threat Risk-based prioritization
  21. 21. §  ARO (Annualized Rate of Occurrence) §  ARO is the number of occurrences of a security incident in a given period (usually defined as a year, as the name implies) §  ALE (Annualized Loss Expectancy) §  ALE amounts to loss caused by a single occurrence times the number of occurrences in a year period ARO = Number of occurrences / evaluated period ALE = SLE x ARO Risk-based prioritization
  22. 22. Risk-based prioritization §  BIA (Business Impact Analysis) §  Determinate critical processes §  Determinate the critical business processes, disruption impact and estimated unavailability, that shall reflect the Maximum Tolerable Downtime (MTD) for the mission of the Organization §  Identify necessary resources §  Necessary resources to restart operations, including environment, personnel, equipment, software, information, etc. §  Identify recovery priorities §  Resources shall be related to business processes and priority levels may be established for recovery
  23. 23. Risk-based prioritization Assets Process or system Business objective Billing e-Commerce Email
  24. 24. Risk-based prioritization Acceptable Risk Controlable Risk Unacceptable Risk
  25. 25. Risk-based prioritization There are known knowns; there are things we know that we know. There are known unknowns; that is to say, there are things that we now know we don't know. But there are also unknown unknowns – there are things we do not know we don’t know. (…) it is the latter category that tend to be the difficult ones. — Donald Rumsfeld United States Secretary of Defense,12.02.2002 It ain’t what you don’t know that gets you into trouble. It’s what you know for sure that just ain’t so. — Mark Twain
  26. 26. Risk-based prioritization Unknown unknowns Known unknowns Known knowns You know, but that just ain’t so Absolut truth Questions Knowledge
  27. 27. Risk-based prioritization Executive leadership Risk Assumption Model Department Business Unit Impact Likelihood Insignificant Minor Major Disastrous InsignificantUnlikelyLikelyAlmostCertain PII disclosed Rogue WiFi Website defacement Server unavailable Missing contractual clauses Example
  28. 28. Agenda §  Overview §  Risk-based prioritization §  Roles and responsibilities §  Framework §  Measurement §  Challenges §  Resources §  Certification
  29. 29. Roles and responsibilities §  Have the right mix of people on your team §  Members of the core security team §  Need to have a risk/reward frame of mind §  An exceptional set of skills §  Be good at risk assessments §  Understand the business and its processes §  Should be able to partner with the business, offer alternatives and speak to issues beyond those associated with security §  They are not easy to find §  It’s usually a matter of training them, and mentoring is often the best way to go about it §  Choosing the wrong people can cost a lot §  They can take an inordinate amount of time to do the work; §  Or at worst, cause you to redo their work
  30. 30. Roles and responsibilities §  “Information security is rarely a part of general management expertise or education.” §  “(…) it may be useful to make an effort to educate senior management in the areas of regulatory compliance and the organization's dependence on its information assets. It may also be useful to document risks and potential impacts faced by the organization, making sure senior management is informed of the results and finds them acceptable.” ISACA CISM Review Manual 2009, Section 4.5
  31. 31. Roles and responsibilities §  Information Security Manager §  Board of Directors §  Executive Management §  Steering Committee §  IT Unit §  Business Unit Managers §  HR §  Legal
  32. 32. Roles and responsibilities §  Information Security Manager §  Develop the program §  A security strategy with senior management acceptance and support §  A security strategy intrinsically linked with business objectives §  Security policies that are complete and consistent with strategy §  Clear assignment of roles and responsibilities §  Information assets that have been identified and classified by criticality and sensitivity §  Tested functional, incident and emergency response capabilities §  Tested business continuity/disaster recovery plans §  Appropriate security approval in change management processes §  …
  33. 33. §  Information Security Manager §  Responsibilities §  Develop and manage the security program §  Educate and direct senior management §  Be familiarized with the standards (e.g.: ISO 27000 family) §  Have knowledge of risk management §  Take into consideration several different technologies §  Maintain relationship with other groups §  ISO/IEC 27001:2013 §  A.6.1.1 Information security roles and responsibilities ¨  All information security responsibilities shall be defined and allocated Roles and responsibilities
  34. 34. Information Security Management Incident Response activities Business Continuity Management Risk Management Roles and responsibilities
  35. 35. §  Information Security Manager §  Responsibilities §  The information security manager should clearly define the roles, responsibilities, scope and activities of the information security steering committee. -- ISACA CISM Manual 2009 Roles and responsibilities
  36. 36. Information Security Manager Steering Committee Senior Management Security Stakeholders Roles and responsibilities
  37. 37. Roles and responsibilities Strategy Policy Awareness Implement. Monitoring Compliance Information Security Manager writes and publishes Source: ISACA CISM Manual Information Security Manager conducts classes and publishes announcements Information Security Manager monitors industry practices and makes recommendations Information Security Manager is the point of escalation for issues that may require investigation Information Security Manager reviews critical configuration on a periodic basis, and maintains metrics on security configuration and logs of user activities Information Security Manager contributes to secure architecture, design and engineering strategy
  38. 38. Roles and responsibilities Executive Management (Information Security Management) External Stakeholders Assure Communicate Evaluate Direct Monitor Strategy, Policy Proposals Performance Governing Body Figure 2 – Governance process of information security Source: ISO/IEC 27014:2013
  39. 39. Roles and responsibilities §  IS Manager, managerial skills §  Budget and financial management §  Licensing (annuity) §  Training (budget surplus) §  Team management §  Project and program management §  Operation and services management §  Metrics implementation §  IT life cycle management
  40. 40. §  Board of Directors §  Responsibilities §  Knowledge of information assets and their criticality on the business (through Risk Analysis and Business Impact Analysis) §  Definition/validation of key assets that must be protected §  SOX: audit committee for financial controls §  Leadership through information security examples §  Integration and cooperation with business processes owners Roles and responsibilities
  41. 41. §  Executive Management §  Responsibilities §  Secure necessary funds for IS-related activities §  Determinate the level of involvement in information security (called tone at the top, is reflected in organization culture), and how risk management will permeate business processes, a non- official indicator §  Receives guidance from Information Security Manager §  ISO/IEC 27001:2013 ¨  A.5.1 Management direction for information security ¨  To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. Roles and responsibilities
  42. 42. §  Executive Management Tone at the top §  ISO/IEC 27001:2013 §  5.1 Leadership and commitment ¨  Top management shall demonstrate leadership and commitment with respect to the information security management system §  5.3 Organization roles, responsibilities and authorities ¨  Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated. Roles and responsibilities
  43. 43. §  Executive Management §  ISO/IEC 27001:2013 §  A.5.1.1 Policies for information security ¨  A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. §  ISO/IEC 27005:2011 §  Section 6, page 9 ¨  The risk acceptance activity has to ensure residual risks are explicitly accepted by the managers of the organization. This is especially important in a situation where the implementation of controls is omitted or postponed, e.g. due to cost. Roles and responsibilities
  44. 44. §  Executive Management §  ISO/IEC 27014:2013 — Information technology — Security techniques — Governance of information security §  Section 5.3.3 Direct ¨  “Direct” is the governance process, by which the governing body gives direction about the information security objectives and strategy that need to be implemented. ¨  To accomplish the “Direct” process, the governing body should: ¨  determine the organisation’s risk appetite, ¨  approve the information security strategy and policy, ¨  allocate adequate investment and resources. ¨  To accomplish the “Direct” process, executive management should:, ¨  develop and implement information security strategy and policy, ¨  align information security objectives with business objectives, ¨  promote a positive information security culture. Roles and responsibilities
  45. 45. §  Steering Committee §  Responsibilities §  Make sure all stakeholders are involved §  Consensus when defining priorities and tackling risks §  Communication and alignment of security with business objectives §  Roles and responsibilities assigned by the Information Security Manager, to avoid extra topics Roles and responsibilities
  46. 46. §  Steering Committee §  ISO/IEC 27005:2011 §  Section 7.2.4, page 11 ¨  Risk acceptance criteria may differ according to how long the risk is expected to exist, e.g. the risk may be associated with a temporary or short term activity. Risk acceptance criteria should be set up considering the following: ¨  Business criteria ¨  Legal and regulatory aspects ¨  Operations ¨  Technology ¨  Finance ¨  Social and humanitarian factors Roles and responsibilities
  47. 47. §  Steering Committee §  ISO/IEC 27005:2011 §  B.1.1 The identification of primary assets ¨  To describe the scope more accurately, this activity consists in identifying the primary assets (business processes and activities, information). This identification is carried out by a mixed work group representative of the process (managers, information systems specialists and users). Roles and responsibilities
  48. 48. §  IT Unit §  Information Security Manager should develop a good relationship with IT §  Information Security Manager shall comply with IS standards but trying to achieve performance and efficiency (IT) §  There should be privilege segregation between IT and IS §  Usually, IT designs, implements and operates security controls (IT Security) Roles and responsibilities
  49. 49. §  Business Unit Managers §  Responsibilities §  Implement business operations according to information security requirements §  Escalate security incidents §  Shall be members of Steering Committee §  Make sure IS requirements were taken into consideration since the beginning of product development §  Relationship §  Information Security Manager should keep in touch with Business Unit Manager to make sure IS will be involved on product development Roles and responsibilities
  50. 50. §  Human Resources §  Responsibilities §  Run educational programmes §  Propagate security policies §  Relationship §  IS Manager should keep in touch with HR (and Legal) and get them involved in case of employee monitoring and resources abuse suspects §  ISO/IEC 27001:2013 §  A.7.2.2 Information security awareness, education and training ¨  Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization. Roles and responsibilities
  51. 51. Roles and responsibilities §  Human Resources §  ISO/IEC 27001:2013 §  A.7 Human resources security ¨  A.7.1 Prior to employment ¨  A.7.2 During employment ¨  A.7.3 Termination or change of employment
  52. 52. §  Legal §  Shall be represented in Steering Committee §  Shall be contacted when there is compliance, liability, corporate responsibility or due diligence involved Roles and responsibilities
  53. 53. §  ISO/IEC 27010:2015 - Information security management for inter-sector and inter-organizational communications §  Section 4.1, Introduction §  ISO/IEC 27002:2013 defines controls that cover the exchange of information between organizations on a bilateral basis, and also controls for the general distribution of publicly available information. However, in some circumstances there exists a need to share information within a community of organizations where the information is sensitive in some way and cannot be made publicly available other than to members of the community. Roles and responsibilities
  54. 54. Agenda §  Overview §  Risk-based prioritization §  Roles and responsibilities §  Framework §  Monitoring and Measurement §  Challenges §  Resources §  Certification
  55. 55. Agenda §  Framework §  What is a framework? §  Control categories §  European Union frameworks §  UK and US laws §  ISO 27000 family framework
  56. 56. Framework §  What is a framework? §  NIST Cybersecurity Framework §  Framework for Improving Critical Infrastructure Cybersecurity ¨  “(…) Cybersecurity Framework – a set of industry standards and best practices to help organizations manage cybersecurity risks.” ¨  “‘prioritized, flexible, repeatable, performance-based, and cost- effective approach’ to manage cybersecurity risk for those processes, information, and systems directly involved in the delivery of critical infrastructure services.” §  https://www.nist.gov/cyberframework
  57. 57. Framework Vulnerabilities Countermeasures Assets The elements of risk and their relationships according to ISO 15408:2005 Owners Attack Vectors Risks reduce to value to that increase impose that may be reduced by that may possess leading to may be aware of that exploit wish to minimise use give rise to based on (set of) Security Context wish to abuse and/or may damage Threat agents Threats
  58. 58. Framework §  Control categories §  Preventive §  Inhibits attempts to violate security policy and includes such controls as access control enforcement, encryption and authentication §  Detective §  Warn of violations or attempted violations of security policy and include such controls as audit trails, intrusion detection methods and checksums §  Corrective §  Remediate vulnerabilities. backup restore procedures are a corrective measure §  Compensatory §  Compensate for increased risk by adding controls steps that mitigate a risk; for example, adding a challenge response component to weak access controls can compensate for the deficiency §  Deterrent §  Provide warnings that can deter potential compromises; for example, warning banners on login screens or offering rewards for the arrest of hackers
  59. 59. Framework §  Threats and Vulnerabilities Taxonomy §  ENISA §  Threat Taxonomy: A tool for structuring threat information ¨  https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/ enisa-threat-landscape/etl2015/enisa-threat-taxonomy-a-tool-for-structuring- threat-information §  NIST §  SP 800-30 Revision 1, Guide for Conducting Risk Assessments ¨  http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf §  CMU/SEI §  A Taxonomy of Operational Cyber Security Risks ¨  http://resources.sei.cmu.edu/asset_files/TechnicalNote/2010_004_001_15200.pdf §  ISO/IEC 27005:2011 §  Annex C (informative) §  NASA §  IT Threats and Vulnerabilities ¨  http://www.hq.nasa.gov/security/it_threats_vulnerabilities.htm
  60. 60. Framework §  European Union §  Cybersecurity Strategy Framework §  The Directive on security of network and information systems (NIS Directive) ¨  https://ec.europa.eu/digital-single-market/en/network-and- information-security-nis-directive §  ENISA ¨  http://www.enisa.europa.eu/ §  CERT-EU ¨  https://cert.europa.eu/cert/plainedition/en/cert_about.html §  Data Protection Framework §  ePrivacy Directive ¨  https://ec.europa.eu/digital-single-market/en/online-privacy §  General Data Protection Regulation ¨  http://ec.europa.eu/justice/data-protection/reform/index_en.htm
  61. 61. Framework §  ENISA - European Union Agency for Network and Information Security §  Information security and privacy standards for SMEs §  https://www.enisa.europa.eu/publications/standardisation-for-smes/ §  Governance framework for European standardisation §  https://www.enisa.europa.eu/publications/policy-industry-research §  Definition of Cybersecurity - Gaps and overlaps in standardisation §  https://www.enisa.europa.eu/publications/definition-of-cybersecurity §  Risk Management - Principles and Inventories for Risk Management / Risk Assessment methods and tools §  https://www.enisa.europa.eu/publications/risk-management- principles-and-inventories-for-risk-management-risk-assessment- methods-and-tools/
  62. 62. Framework §  UK Laws §  Telecommunications Regulations Act 1998 §  Data Protection Act 1998 §  Computer Misuse Act 1990 §  The Human Rights Act 1998 §  The Regulation of Investigatory Powers Act (RIPA) 2000 §  The Copyright, Designs and Patent Act 1998 §  The Freedom of Information Act 2000 (public sector) §  Privacy and Electronic Communications Regulations 2003 §  Terrorism Act 2006 §  US Laws §  Gramm-Leach-Bliley Act (GLBA) §  The Health Insurance Portability and Availability Act (HIPAA) §  The Californian Senate Bill 1386 §  Online Personal Protection Act §  Sarbanes-Oxley Act (SOX) §  Federal Information Security Management Act (FISMA) Laws affect the application of frameworks and standards
  63. 63. Framework §  ISO/IEC 27001 §  Will support information security for the next decade §  Works in sync with ISO 9001, ISO 14001, ISO/IEC 20000-1 among others for a better integration of management systems §  Implements Plan-Do-Check-Act (PDCA) model §  Aligned with OECD recommendations for digital security risk management
  64. 64. Framework §  Organisation for Economic Co-operation and Development (OECD) §  Digital Security Risk Management for Economic and Social Prosperity (2015) §  http://www.oecd.org/sti/ieconomy/digital-security-risk- management.htm
  65. 65. Framework §  ISO/IEC 27001/2 §  A brief history 1995 BS7799-1 BS7799-2 2000 ISO/IEC 17799 2005 •  ISO/IEC 17799 •  ISO/IEC 27001 •  ISO/IEC 27002 2013 ISO/IEC 27001 ISO/IEC 27002 BS stands for British Standard
  66. 66. Framework §  ISO/IEC 27001/2 §  A brief history It was... It became... BS7799-1 ISO/IEC 27002 Code of practice BS7799-2 ISO/IEC 27001 Requirements BS7799-3 ISO/IEC 27003 Implementation Guide ISO/IEC 17799:2005 (cancelled by ISO/IEC 27002:2005)
  67. 67. Framework §  ISO - International Organization for Standardization §  www.iso.org §  (IOS in English, OIN in French for Organisation internationale de normalisation), our founders decided to give it the short form ISO. ISO is derived from the Greek isos, meaning equal. §  IEC - International Electrotechnical Commission §  www.iec.ch §  The IEC is one of three global sister organizations (IEC, ISO, ITU) that develop International Standards for the world. §  TR: Technical Report (ISO) §  An informative document containing information of a different kind from that normally published in a normative document
  68. 68. Framework Measurement (27004) ISMS (27001, 27002) Governance of IS (27014) Risk Mgmt. (27005) BCM (27031) Incident Mgmt. (27035) Implement. Guidance (27003)
  69. 69. Framework ISMS (27000, 27001, 27002, 27003, 27004, 27005, 27014, 27031, 27035) ISMS Audit Guidelines (27007) Certification Body Req. (27006) Guidelines for Auditors on IS Controls (27008)
  70. 70. Framework §  Business Continuity Management and Incident Management BCM Requirements (22301) BCM Guidelines (IT) (27031) Incident Mgmt. (27035) IT SMS Req. (20000-1) ISMS+IT SMS (27013) DRS (27462)
  71. 71. Framework ISO 27001 Incident Management ISO 20000-1 Incident Management Service and Security Incident Management Source: ISO/IEC 27013:2015 - Information technology -- Security techniques -- Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
  72. 72. Framework Source: ISO/IEC 27000:2016 •  27000 – Overview and vocabulary Vocabulary standard •  27001 – Information security management systems - Requirements •  27006 – Requirements for bodies providing audit and certification of information security management systems •  27009 - Information technology -- Security techniques -- Sector-specific application of ISO/IEC 27001 -- Requirements Requirement standards •  27002 – Code of practice for information security controls •  27003 – Information security management system implementation guidance •  27004 – Information security management - Measurement •  27005 – Information security risk management •  27007 – Guidelines for information security management systems auditing •  TR 27008 – ISMS Controls Audit Guidelines •  27013 – Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 •  27014 – Governance of information security •  TR 27016 – Information security management – Organizational economics Guideline standards
  73. 73. Framework Source: ISO/IEC 27000:2016 • 27010 – Information security management guidelines for inter-sector and inter- organizational communications • 27011 – Information security management guidelines for telecommunications organizations based on ISO/IEC 27002 • TR 27015 – Information security management guidelines for financial services • TS 27017 – Guidelines on information security controls for the use of cloud computing services based on ISO/IEC 27002 • 27018 - Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors • TR 27019 - Information technology -- Security techniques -- Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry Sector-specific guideline standards • 2703x • 2704x Control-specific guideline standards
  74. 74. Framework §  Well-known ISO security standards ISO/IEC 27001:2013 Information technology -- Security techniques -- Information security management systems -- Requirements ISO/IEC 27002:2013 Information technology -- Security techniques -- Code of practice for information security controls ISO/IEC 27003:2010 Information technology -- Security techniques -- Information security management system implementation guidance ISO/IEC 27004:2016 Information technology -- Security techniques -- Information security management -- Monitoring, measurement, analysis and evaluation ISO/IEC 27005:2011 Information technology -- Security techniques -- Information security risk management ISO/IEC 27014:2013 Information technology -- Security techniques -- Governance of information security ISO/IEC 27031:2011 Information technology -- Security techniques -- Guidelines for information and communication technology readiness for business continuity ISO/IEC 27035-1:2016 Information technology -- Security techniques -- Information security incident management -- Part 1: Principles of incident management ISO/IEC 27035-2:2016 Information technology -- Security techniques -- Information security incident management -- Part 2: Guidelines to plan and prepare for incident response
  75. 75. Framework Risk Management ISO 31000:2009 Risk management -- Principles and guidelines ISO/TR 31004:2013 Risk management -- Guidance for the implementation of ISO 31000 IEC 31010:2009 Risk management -- Risk assessment techniques ISO Guide 73:2009 Risk management --Vocabulary §  ISO 31000 §  “(…) ISO 31000 cannot be used for certification purposes, but does provide guidance for internal or external audit programmes.” -- iso.org
  76. 76. Framework Societal Security ISO/IEC 22301:2012 Societal security -- Business continuity management systems --- Requirements ISO/IEC 22313:2012 Societal security -- Business continuity management systems – Guidance ISO/TS 22318:2015 Societal security -- Business continuity management systems -- Guidelines for supply chain continuity ISO/IEC 22399:2007 Societal security - Guideline for incident preparedness and operational continuity management
  77. 77. Framework ISO/IEC 27009:2016 Information technology -- Security techniques -- Sector-specific application of ISO/IEC 27001 -- Requirements ISO/IEC 27015:2012 Information technology -- Security techniques -- Information security management guidelines for financial services ISO/IEC 27011:2016 Information technology -- Security techniques -- Code of practice for Information security controls based on ISO/IEC 27002 for telecommunications organizations ISO/IEC TR 27019:2013 Information technology -- Security techniques -- Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry
  78. 78. Framework ISO/IEC 27016:2014 Information technology -- Security techniques -- Information security management -- Organizational economics ISO/IEC 27017:2015 Information technology -- Security techniques -- Code of practice for information security controls based on ISO/ IEC 27002 for cloud services ISO/IEC 27018:2014 Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors ISO 27799:2016 Health informatics -- Information security management in health using ISO/IEC 27002
  79. 79. Framework ISO/IEC 27032:2012 Guidelines for Cybersecurity, preserving the confidentiality, integrity and availability of information in Cyberspace ISO/IEC 27033-1:2015 Information technology -- Security techniques -- Network security -- Part 1: Overview and concepts ISO/IEC 27033-2:2012 Information technology -- Security techniques -- Network security -- Part 2: Guidelines for the design and implementation of network security ISO/IEC 27033-3:2010 Information technology -- Security techniques -- Network security -- Part 3: Reference networking scenarios -- Threats, design techniques and control issues ISO/IEC 27033-4:2014 Information technology -- Security techniques -- Network security -- Part 4: Securing communications between networks using security gateways
  80. 80. Framework ISO/IEC 27033-5:2013 Information technology -- Security techniques -- Network security -- Part 5: Securing communications across networks usingVirtual Private Networks (VPNs) ISO/IEC 27033-6:2016 Information technology -- Security techniques -- Network security -- Part 6: Securing wireless IP network access ISO/IEC 27034-1:2011 Information technology -- Security techniques -- Application security -- Part 1: Overview and concepts ISO/IEC 27034-2:2015 Information technology -- Security techniques -- Application security -- Part 2: Organization normative framework ISO/IEC 27034-6:2016 Information technology -- Security techniques -- Application security -- Part 6: Case studies
  81. 81. Framework ISO/IEC 27036-1:2014 Information technology -- Security techniques -- Information security for supplier relationships -- Part 1: Overview and concepts ISO/IEC 27036-2:2014 Information technology -- Security techniques -- Information security for supplier relationships -- Part 2: Requirements ISO/IEC 27036-3:2013 Information technology -- Security techniques -- Information security for supplier relationships -- Part 3: Guidelines for information and communication technology supply chain security ISO/IEC 27036-4:2016 Information technology -- Security techniques -- Information security for supplier relationships -- Part 4: Guidelines for security of cloud services
  82. 82. Framework ISO/IEC 27037:2012 Information technology -- Security techniques -- Guidelines for identification, collection, acquisition and preservation of digital evidence ISO/IEC 27038:2014 Information technology -- Security techniques -- Specification for digital redaction ISO/IEC 27039:2015 Information technology -- Security techniques -- Selection, deployment and operations of intrusion detection and prevention systems (IDPS) ISO/IEC 27040:2015 Information technology -- Security techniques -- Storage security
  83. 83. Framework ISO/IEC 27041:2015 Information technology -- Security techniques -- Guidance on assuring suitability and adequacy of incident investigative method ISO/IEC 27042:2015 Information technology -- Security techniques -- Guidelines for the analysis and interpretation of digital evidence ISO/IEC 27043:2015 Information technology -- Security techniques -- Incident investigation principles and processes ISO/IEC 27050-1:2016 Information technology -- Security techniques -- Electronic discovery -- Part 1: Overview and concepts
  84. 84. Framework PWI NP WD CD DIS FDIS IS PWI Preliminary Work Item Stage where initial feasibility is assessed NP New Proposal Stage where formal scoping takes place WD Working Draft The developmental phase CD Committee Draft The quality control stage FCD Final Committee Draft Ready for final approval DIS Draft International Standard International bodies vote formally on a Standard, submitting comments FDIS Final Distribution International Standard Standard is ready to publish IS International Standard The Standard is published ISO Deliverables: http://www.iso.org/iso/home/standards_development/deliverables-all.htm
  85. 85. Framework ISO/IEC 27034-3 DIS Information technology -- Application security -- Part 3:Application security management process ISO/IEC 27034-5 DIS Information technology -- Security techniques -- Application security -- Part 5: Protocols and application security controls data structure ISO/IEC 27034-7 DIS Information technology -- Security techniques -- Application security -- Part 7:Application security assurance prediction model §  Under development
  86. 86. Framework §  ISO/IEC 27007:2011 — Information technology — Security techniques — Guidelines for information security management systems auditing §  5.4.2.1 Defining the objectives, scope and criteria for an individual audit (Practical help – Examples of audit criteria) §  4) measurement of the effectiveness of the implemented controls, and that these measurements have been applied as defined to measure control effectiveness (see ISO/IEC 27004); §  Annex A §  Optional additional standards can be used to guide the auditee or auditor. These are listed as “Relevant Standards” in the tables below. Auditors are reminded to base nonconformities solely on the audit criteria and the requirements of ISO/IEC 27001.
  87. 87. Framework §  Technical committee: development of standards §  ISO/IEC JTC 1/SC 27 IT Security techniques §  http://www.iso.org/iso/home/standards_development/ list_of_iso_technical_committees/iso_technical_committee.htm? commid=45306
  88. 88. Agenda §  Overview §  Risk-based prioritization §  Roles and responsibilities §  Framework §  Monitoring and Measurement §  Challenges §  Resources §  Certification
  89. 89. Monitoring and Measurement §  Why do we measure performance? §  NIST SP 800-55 Revision 1, Performance Measurement Guide for Information Security §  Information security measures are used to facilitate decision making and improve performance and accountability through the collection, analysis, and reporting of relevant performance-related data. The purpose of measuring performance is to monitor the status of measured activities and facilitate improvement in those activities by applying corrective actions based on observed measurements.
  90. 90. Monitoring and Measurement §  Why do we measure performance? §  NIST SP 800-55 Revision 1, Performance Measurement Guide for Information Security §  Information security measures must yield quantifiable information for comparison purposes, apply formulas for analysis, and track changes using the same points of reference. Percentages or averages are most common. Absolute numbers are sometimes useful, depending on the activity that is being measured.
  91. 91. Monitoring and Measurement §  Measurement is important to §  Increase accountability §  Demonstrate compliance with laws, rules and regulation §  Provide quantifiable inputs for resource allocation decisions §  Demonstrate and improve the effectiveness of information security investments §  Maximize the effectiveness of the framework and its resources
  92. 92. §  Attributes of good measurement §  Manageable §  Ready to be collected, stored, compiled and analyzed §  Meaningful §  Shall make sense for the receiver and be relevant to the objectives §  Actionable §  Shall point in the right direction §  Unambiguous §  Confuse information is useless §  Reliable §  Wrong target is worse than no target at all §  Timely §  Shall be available when needed Monitoring and Measurement
  93. 93. §  Additional reading §  CMU/SEI - The ROI of Security §  Stephanie Losi §  http://resources.sei.cmu.edu/asset_files/Newsletter/ 2007_102_001_413946.pdf §  ENISA: Introduction to Return on Security Investment §  http://www.enisa.europa.eu/activities/cert/other-work/ introduction-to-return-on-security-investment Monitoring and Measurement
  94. 94. §  ISO/IEC 27001:2013 §  9.1 Monitoring, measurement, analysis and evaluation §  The organization shall determine: ¨  a) what needs to be monitored and measured, including information security processes and controls; ¨  b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results; ¨  NOTE The methods selected should produce comparable and reproducible results to be considered valid. Monitoring and Measurement Requirement
  95. 95. §  ISO/IEC 27004:2009 — Information technology — Security techniques — Information security management — Measurement §  Section 0.1 General §  The Information Security Measurement Programme will assist management in identifying and evaluating noncompliant and ineffective ISMS processes and controls and prioritizing actions associated with improvement or changing these processes and/or controls. §  It may also assist the organization in demonstrating ISO/IEC 27001 compliance and provide additional evidence for management review and information security risk management processes. Monitoring and Measurement
  96. 96. §  ISO/IEC 27001:2013 §  6.2 Information security objectives and planning to achieve them §  The organization shall establish information security objectives at relevant functions and levels. The information security objectives shall: ¨  b) be measurable (if practicable); §  9.1 Monitoring, measurement, analysis and evaluation §  The organization shall evaluate the information security performance and the effectiveness of the information security management system. Monitoring and Measurement Requirement
  97. 97. §  ISO/IEC 27004:2009 §  Section 6.1 Management Responsibilities, Overview §  Management is responsible for establishing the Information Security Measurement Programme, involving relevant stakeholders (see 7.5.8) in the measurement activities, accepting measurement results as an input into management review and using measurement result in improvement activities within the ISMS. Monitoring and Measurement Management responsibilities
  98. 98. §  Measuring Organizational Awareness §  ISO/IEC 27004:2009, Section 6.3 Measurement training, awareness, and competence §  Management should ensure that: ¨  a) The stakeholders (see 7.5.8) are trained adequately for achieving their roles and responsibilities in the implemented Information Security Measurement Programme, and appropriately qualified to perform their roles and responsibilities; and ¨  b) The stakeholders understand that their duties include making suggestions for improvements in the implemented Information Security Measurement Programme. Monitoring and Measurement Management responsibilities
  99. 99. §  ISO/IEC 27014:2013 — Information technology — Security techniques — Governance of information security §  Section 5.3.4 Monitor §  “Monitor” is the governance process that enables the governing body to assess the achievement of strategic objectives. §  To accomplish the “Monitor” process, the governing body should: ¨  assess the effectiveness of information security management activities, §  To accomplish the “Monitor” process, executive management should: ¨  select appropriate performance metrics from a business perspective, ¨  provide feedback on information security performance results to the governing body including performance of action previously identified by governing body and their impacts on the organisation Monitoring and Measurement Responsibilities
  100. 100. Monitoring and Measurement Source: ISO/IEC 27014:2013 Executive Management (Information Security Management) External Stakeholders Assure Communicate Evaluate Direct Monitor Strategy, Policy Proposals Performance Governing Body Figure 2 – Governance process of information security
  101. 101. §  ISO/IEC 27001:2013 §  6 Planning §  6.1 Actions to address risks and opportunities ¨  When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: ¨  6.1.1 General ¨  e) how to ¨  1) integrate and implement the actions into its information security management system processes; and ¨  2) evaluate the effectiveness of these actions. Monitoring and Measurement Process Input
  102. 102. §  ISO/IEC 27001:2013 §  9.3 Management review §  Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. §  The management review shall include consideration of: §  c) feedback on the information security performance, including trends in: ¨  2) monitoring and measurement results; §  e) results of risk assessment and status of risk treatment plan; Monitoring and Measurement Process Output
  103. 103. §  ISO/IEC 27001:2013 §  9.3 Management review §  The management review shall include consideration of: §  f) opportunities for continual improvement. ¨  The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. ¨  The organization shall retain documented information as evidence of the results of management reviews. Monitoring and Measurement Process Output
  104. 104. §  ISO/IEC 27004:2009 §  Section 10 Information Security Measurement Programme Evaluation and Improvement, Overview §  Management should specify the frequency of such evaluation, plan periodic revisions and establish the mechanisms for making such revisions possible (see clause 7.2 of ISO/IEC 27001:2005). Monitoring and Measurement Improvement
  105. 105. §  Measuring Information Security Risk and Loss §  The technical vulnerability management approach poses the following questions: §  How many technical or operational vulnerabilities exist? §  How many have been resolved? §  What is the average time to resolve them? §  How many recurred? §  How many systems (critical or otherwise) are impacted by them? §  How many have the potential for external exploit? §  How many have the potential for gross compromise (e.g., remote privileged code execution, unauthorized administrative access, bulk exposure of sensitive printed information)? Monitoring and Measurement
  106. 106. §  Measuring Information Security Risk and Loss §  The risk management approach is concerned with the following questions: §  How many high-, medium- and low-risk issues are unresolved? What is the aggregate annual loss expectancy (ALE)? §  How many were resolved during the reporting period? If available, what is the aggregate ALE that has been eliminated? §  How many were completely eliminated vs. partially mitigated vs. transferred? §  How many were accepted because no mitigation nor compensation method was tenable? §  How many remain open because of inaction or lack of cooperation? Monitoring and Measurement
  107. 107. §  Measuring Information Security Risk and Loss §  The loss prevention approach is concerned with the following questions: §  Were there loss events during the reporting period? What is the aggregate loss including investigation, recovery, data reconstruction and customer relationship management? §  How many events were preventable (i.e., risk or vulnerability identified prior to the loss event)? §  What was the average amount of time taken to identify loss incidents? To initiate incident response procedures? To isolate incidents from other systems? To contain event losses? Monitoring and Measurement
  108. 108. Monitoring and Measurement §  Measuring Information Security Risk and Loss §  Qualitative measures §  Do risk management activities occur as scheduled? §  Have incident response and business continuity plans been tested? §  Are asset inventories, custodianships, valuations and risk analyses up to date? §  Is there consensus among information security stakeholders as to acceptable levels of risk to the organization? §  Do executive management oversight and review activities occur as planned?
  109. 109. §  Measuring Support of Organizational Objectives §  Qualitative measures may be revised by Steering Committee §  Is there documented correlation between key organizational milestones and the objectives of the information security management program? §  How many information security objectives were successfully completed in support of organizational goals? §  Were there organizational goals that were not fulfilled because information security objectives were not met? §  How strong is consensus among business units, executive management and other information security stakeholders that program objectives are complete and appropriate? Monitoring and Measurement
  110. 110. §  Measuring Compliance §  Anything less than 100% compliance is unacceptable when piloting passenger jets or operating nuclear power plants since impacts are likely to be catastrophic and unacceptable §  For any activity that is not life or organization-threatening, the cost of compliance efforts must be weighted against the benefits and potential impacts Monitoring and Measurement
  111. 111. §  Measuring Effectiveness of Technical Security Architecture §  Quantitative Metrics §  Probe and attack attempts repelled by network access control devices; qualify by asset or resource targeted source geography and attack type §  Probe and attack attempts detected by intrusion detection systems (IDS) on internal networks; qualify by internal vs. external source, resource targeted and attack type §  Number and type of actual compromises; qualify by attack severity, attack type, impact severity and source of attack §  Statistics on viruses, worms and other malware identified and neutralized; qualify by impact potential, severity of larger Internet outbreaks and malware vector §  Amount of downtime attributable to security flaws and unpatched systems §  Number of messages processed sessions examined and kilobytes (KB) of data examined by IDS Monitoring and Measurement
  112. 112. §  Measuring Effectiveness of Technical Security Architecture §  Qualitative Metrics §  Individual technical mechanisms have been tested to verify control objectives and policy enforcement. §  The security architecture is constructed of appropriate controls in a layered fashion. §  Control mechanisms are properly configured and monitored in real-time, self-protection implemented and information security personnel alerted to faults. §  All critical systems stream events to information security personnel or to event analysis automation tools for real-time threat detection. Monitoring and Measurement
  113. 113. §  Support material §  ETSI GS ISI §  http://www.etsi.org/technologies-clusters/technologies/ information-security-indicators §  001-1: Information Security Indicators (ISI); Indicators (INC); Part 1: A full set of operational indicators for organizations to use to benchmark their security posture ¨  http://www.etsi.org/deliver/etsi_gs/ISI/001_099/00101/01.01.02_60/ gs_ISI00101v010102p.pdf §  001-2: Information Security Indicators (ISI); Indicators (INC); Part 2: Guide to select operational indicators based on the full set given in part 1 ¨  http://www.etsi.org/deliver/etsi_gs/ISI/001_099/00102/01.01.02_60/ gs_ISI00102v010102p.pdf Monitoring and Measurement
  114. 114. Agenda §  Overview §  Risk-based prioritization §  Roles and responsibilities §  Framework §  Monitoring and Measurement §  Challenges §  Resources §  Certification
  115. 115. Challenges §  Inadequate Management Support §  No compulsory requirement to address information security and therefore, often view it as a marginally important issue that adds cost with little value §  These views often reflect misunderstanding of the organization's dependence on information systems, the threat and risk environment, or the impact that the organization faces or may be unknowingly experiencing §  There are always cultural and organization challenges in any job function and he path is not cleared for the information security manager simply by virtue of gaining senior management support Source: ISACA CISM Review Manual
  116. 116. §  Inadequate Management Support §  Strategies §  Utilize resources, such as industry statistics, organizational impact and dependency analyses, and reviews of common threats to the organization's specific information processing systems. §  In addition, management may require guidance in what is expected of them and approaches that industry peers are taking to address information security. Even if initial education does not result in immediate strengthening of support, ongoing education should still be conducted to develop awareness of security needs. Source: ISACA CISM Review Manual Challenges
  117. 117. §  Inadequate Funding §  Management not recognizing the value of security investments §  Security being viewed as a low-value cost centre §  Management not conceptually understanding where existing money is going §  The organizational need for a security investment not being understood §  The need for more awareness of industry trends in security investment Source: ISACA CISM Review Manual Challenges
  118. 118. §  Inadequate Funding §  Strategies §  Leveraging the budgets of other organizational units (e.g., product development, internal audit, information systems) to implement needed security program components §  Improving the efficiency of existing information security program components §  Working with the information security steering committee to reprioritize security resource assignments and providing senior management with analysis of what security components will become underresourced and the risk implications Source: ISACA CISM Review Manual Challenges
  119. 119. Agenda §  Overview §  Risk-based prioritization §  Roles and responsibilities §  Framework §  Monitoring and Measurement §  Challenges §  Resources §  Certification
  120. 120. Resources Policies Standards Procedures Guidelines
  121. 121. Resources §  Policies §  A policy that is not understood or accepted is not likely to be followed §  Most people are willing to live within the boundaries if they know what they are §  Policies and their related standards must be openly published and made readily accessible to the impacted community and their managers.
  122. 122. Resources §  Standards §  Standards set the allowable boundaries and requirements for people, processes and technology §  To be relevant, standards must be set at the strategic, management and operational levels §  Standards may need to be changed in response to changing threats, new technologies, additional regulatory requirements or when baselines no longer provide adequate levels of protection
  123. 123. Resources §  Procedures §  It is essential that all important processes throughout the enterprise are documented in procedures reviewed to ensure compliance with standards §  Procedures must be clear and unambiguous, and terms must be exact. For example, the words "must," "shall" and "will" shall be used for any task that is mandatory §  The words "should" must be used to mean a preferred action that is not mandatory. The term "may" or "can" must only be used to denote a purely discretionary action
  124. 124. Resources §  Guidelines §  Guidelines should contain information that will be helpful in executing the procedures §  This can include dependencies, suggestions and examples, narrative clarifying the procedures, background information that may be useful, tools that can be used, etc.
  125. 125. Resources §  Awareness and Education §  Who is the intended audience (senior management, business managers, IT staff, users)? §  What is the intended message (policies, procedures, recent events)? §  What is the intended result (improved policy compliance, behavioral change, better practices)? §  What communication method will be used (computer- based training [CBT], all-hands meeting, intranet, newsletters, etc.)? §  What is the organizational structure and culture?
  126. 126. Agenda §  Overview §  Risk-based prioritization §  Roles and responsibilities §  Framework §  Monitoring and Measurement §  Challenges §  Resources §  Certification
  127. 127. Certification §  Management Systems §  ISO 9001:2015 §  QMS (Quality) §  ISO 14001:2015 §  EMS (Environment) §  ISO/IEC 20000-1:2011 §  IT SMS (IT Services) §  ISO/IEC 27001:2013 §  ISMS (Information Security) §  ISO 22301:2012 §  BCMS (Business Continuity) §  ISO 50001:2011 §  EnMS (Energy) Complete list: http://www.iso.org/iso/home/standards/management-standards/mss-list.htm
  128. 128. Certification §  ISO/IEC 27001 certification benefits §  Allows senior management to demonstrate due diligence §  Encourages §  Efficient management of security costs §  Compliance with laws and regulation §  Interoperability with partners due to a common set of guidance §  Increases IS awareness among employees, customers, vendors, etc. §  Increases the alignment between IS and business §  Provides a process framework for IS implementation §  Helps to determinate IS status and compliance level with standards and policies
  129. 129. Certification §  ISO/IEC 27001:2013 §  Cost of certification may vary due to §  The size of the Organization and the physical/logical scope of certification §  Current maturity level of ISMS §  The gap between current state and desired state of controls §  Internal capacity to develop the ISMS and close identified gaps §  How quickly the certificate is necessary
  130. 130. Certification §  ISO/IEC 27001:2013 §  There are now 114 controls in 14 groups and 35 control objectives; the 2005 standard had 133 controls in 11 groups §  A.5: Information security policies (2 controls) §  A.6: Organization of information security (7 controls) §  A.7: HR security (6 controls that are applied before, during, or after employment) §  A.8: Asset management (10 controls) §  A.9: Access control (14 controls) §  A.10: Cryptography (2 controls) §  A.11: Physical and environmental security (15 controls) §  A.12: Operations security (14 controls) §  A.13: Communications security (7 controls) §  A.14: System acquisition, development and maintenance (13 controls) §  A.15: Supplier relationships (5 controls) §  A.16: Information security incident management (7 controls) §  A.17: Information security aspects of business continuity mgmt. (4 controls) §  A.18: Compliance; with internal requirements, such as policies, and with external requirements, such as laws (8 controls)
  131. 131. Certification §  ISO/IEC 27001:2013 §  Proposed phases of implementation §  Phase 1: Scope definition, Risk assessment, Risk Treatment Plan, Gap assessment, Remediation plan for implementation in Phase 2, Statement of Applicability, selection of the ISO certification body §  Phase 2: Gap resolution, ISMS development, risk management committee, incident response, ISMS internal audit §  Phase 3: Independent tests of the ISMS against the requirements specified in ISO/IEC 27001 (certification) §  Phase 4: Follow-up reviews and period audits
  132. 132. Certification §  Project (ISO/IEC 27003:2010) §  Scope (ISO/IEC 27001:2013 4.3) §  Risk assessment methodology (ISO/IEC 27001:2013 6.1.2) §  ISO/IEC 27005:2011 §  Statement of Applicability (ISO/IEC 27001:2013 6.1.3(d)) §  ISO/IEC 27001:2013 Annex A §  Security Policy (ISO/IEC 27001:2013 A.5) §  Metrics (ISO/IEC 27001:2013 9.1(a) and 9.1(b)) §  ISO/IEC 27004:2016 §  Incident Management (ISO/IEC 27001:2013 A.16) §  ISO/IEC 27035-1:2016 and ISO/IEC 27035-2:2016 §  Continuity Management (ISO/IEC 27001:2013 A.17) §  ISO/IEC 27031:2011 §  ... §  Audit (Guidelines: ISO/IEC 27007:2011)
  133. 133. Certification §  ISO/IEC 27001:2013 §  Section 4.4 Information security management system §  The organization shall establish, implement, maintain and continually improve an information security management system, in accordance with the requirements of this International Standard.
  134. 134. •  Continual monitoring and reviewing of risks •  Maintain and improve the Information Security Risk Management Process •  Implementation of risk treatment plan •  Establishing the context •  Risk assessment •  Developing risk treatment plan •  Risk acceptance Plan Do CheckAct Certification ISO/IEC 27005:2011 — Information technology — Security techniques — Information security risk management
  135. 135. Certification ISO/IEC 27003:2010 Overview, Figure 1 – ISMS project phases Obtaining management approval for initiating an ISMS project Defining ISMS scope, boundaries and ISMS policy Conducting information security requirements analysis Conducting risk assessment and planning risk treatment Design the ISMS5 6 7 8 9 Management approval for initiating ISMS Project The ISMS Scope and boundaries ISMS Policy Information security requirements Information assets Results from information security assessment Written notice of management approval for implementing the ISMS Risk treatment plan SoA, including the control objectives and the selected controls Final ISMS project implementation plan Timeline
  136. 136. Certification ISO/IEC 27003:2010 Overview, Figure 1 – ISMS project phases Obtaining management approval for initiating an ISMS project Defining ISMS scope, boundaries and ISMS policy Conducting information security requirements analysis Conducting risk assessment and planning risk treatment Design the ISMS5 6 7 8 9 Management approval for initiating ISMS Project The ISMS Scope and boundaries ISMS Policy Information security requirements Information assets Results from information security assessment Written notice of management approval for implementing the ISMS Risk treatment plan SoA, including the control objectives and the selected controls Final ISMS project implementation plan Timeline
  137. 137. Certification §  ISO/IEC 27003:2010 §  Section 5.1 Overview of obtaining management approval for initiating an ISMS project §  NOTE The output from Clause 5 (Documented management commitment to plan and implement an ISMS) and one of the outputs of Clause 7 (Document summarization of the information security status) are not requirements of ISO/IEC 27001:2005. However, the outputs from these activities are recommended input to other activities described in this document. ISO/IEC 27003:2010 (latest version) references ISO/IEC 27001:2005 (superseded)
  138. 138. Certification ISO/IEC 27003:2010 Overview, Figure 1 – ISMS project phases Obtaining management approval for initiating an ISMS project Defining ISMS scope, boundaries and ISMS policy Conducting information security requirements analysis Conducting risk assessment and planning risk treatment Design the ISMS5 6 7 8 9 Management approval for initiating ISMS Project The ISMS Scope and boundaries ISMS Policy Information security requirements Information assets Results from information security assessment Written notice of management approval for implementing the ISMS Risk treatment plan SoA, including the control objectives and the selected controls Final ISMS project implementation plan Timeline
  139. 139. Certification §  ISO/IEC 27001:2013 §  Section 4.3 Determining the scope of the information security management system §  The organization shall determine the boundaries and applicability of the information security management system to establish its scope. (…) §  The scope shall be available as documented information.
  140. 140. Certification ISO/IEC 27003:2010 Overview, Figure 1 – ISMS project phases Obtaining management approval for initiating an ISMS project Defining ISMS scope, boundaries and ISMS policy Conducting information security requirements analysis Conducting risk assessment and planning risk treatment Design the ISMS5 6 7 8 9 Management approval for initiating ISMS Project The ISMS Scope and boundaries ISMS Policy Information security requirements Information assets Results from information security assessment Written notice of management approval for implementing the ISMS Risk treatment plan SoA, including the control objectives and the selected controls Final ISMS project implementation plan Timeline
  141. 141. Certification §  ISO/IEC 27001:2013 §  Section 5.2 Policy §  Top management shall establish an information security policy that: §  a) is appropriate to the purpose of the organization; §  b) includes information security objectives (see 6.2) or provides the framework for setting information security objectives; (…) §  e) be available as documented information;
  142. 142. Certification ISO/IEC 27003:2010 Overview, Figure 1 – ISMS project phases Obtaining management approval for initiating an ISMS project Defining ISMS scope, boundaries and ISMS policy Conducting information security requirements analysis Conducting risk assessment and planning risk treatment Design the ISMS5 6 7 8 9 Management approval for initiating ISMS Project The ISMS Scope and boundaries ISMS Policy Information security requirements Information assets Results from information security assessment Written notice of management approval for implementing the ISMS Risk treatment plan SoA, including the control objectives and the selected controls Final ISMS project implementation plan Timeline
  143. 143. Certification §  ISO/IEC 27005:2011 — Information technology — Security techniques — Information security risk management §  B.1.1 The identification of primary assets Primary assets are of two types: §  1 - Business processes (or sub-processes) and activities, for example ¨  Processes whose loss or degradation make it impossible to carry out the mission of the organization ¨  Processes that contain secret processes or processes involving proprietary technology ¨  Processes that, if modified, can greatly affect the accomplishment of the organization's mission ¨  Processes that are necessary for the organization to comply with contractual, legal or regulatory requirements
  144. 144. Certification §  ISO/IEC 27005:2011 — Information technology — Security techniques — Information security risk management §  B.1.1 The identification of primary assets §  2 – Information More generally, primary information mainly comprises: ¨  Vital information for the exercise of the organization's mission or business ¨  Personal information, as can be defined specifically in the sense of the national laws regarding privacy ¨  Strategic information required for achieving objectives determined by the strategic orientations ¨  High-cost information whose gathering, storage, processing and transmission require a long time and/or involve a high acquisition cost
  145. 145. Certification ISO/IEC 27003:2010 Overview, Figure 1 – ISMS project phases Obtaining management approval for initiating an ISMS project Defining ISMS scope, boundaries and ISMS policy Conducting information security requirements analysis Conducting risk assessment and planning risk treatment Design the ISMS5 6 7 8 9 Management approval for initiating ISMS Project The ISMS Scope and boundaries ISMS Policy Information security requirements Information assets Results from information security assessment Written notice of management approval for implementing the ISMS Risk treatment plan SoA, including the control objectives and the selected controls Final ISMS project implementation plan Timeline
  146. 146. •  Continual monitoring and reviewing of risks •  Maintain and improve the Information Security Risk Management Process •  Implementation of risk treatment plan •  Establishing the context •  Risk assessment •  Developing risk treatment plan •  Risk acceptance Plan Do CheckAct Certification ISO/IEC 27005:2011 — Information technology — Security techniques — Information security risk management
  147. 147. Certification §  ISO/IEC 27007:2011 — Information technology — Security techniques — Guidelines for information security management systems auditing §  ISO/IEC 27001 does not state which risk assessment approach should be employed and any approach is acceptable as long as it meets the requirements in ISO/ IEC 27001. §  ISO/IEC 27005 provides guidance on risk assessment and risk management. The auditor should be aware that there are quantitative and qualitative methods, or any combination of the two, for risk assessment, and that it is up to the organization to decide which approach to use.
  148. 148. Certification ISO/IEC 27003:2010 Overview, Figure 1 – ISMS project phases Obtaining management approval for initiating an ISMS project Defining ISMS scope, boundaries and ISMS policy Conducting information security requirements analysis Conducting risk assessment and planning risk treatment Design the ISMS5 6 7 8 9 Management approval for initiating ISMS Project The ISMS Scope and boundaries ISMS Policy Information security requirements Information assets Results from information security assessment Written notice of management approval for implementing the ISMS Risk treatment plan SoA, including the control objectives and the selected controls Final ISMS project implementation plan Timeline
  149. 149. Certification Risk treatment options Risk modification Implement controls Risk avoidance Cancel the operation Risk sharing Buy insurance Risk retention “I’m feeling lucky”
  150. 150. CertificationReduceRisk •  There is no “zero risk”. •  To cancel the operation avoids the risk but may not be the best option. •  The objective is to make money with adequate risks. TransferRisk •  Insurance won’t transfer risk. It will only transfer risk of financial losses. •  Health insurance won’t transfer death risk. Life insurance? Not a chance. •  Control cost is the cost of insurance. AcceptRisk •  May not be so bad. Depends on factors and costs. •  A soccer coach knows there is about 50/50 chance of winning the match, even managing the stronger team. •  Risk is inherent to business.
  151. 151. Certification Risk treatment options Risk modification Risk avoidance Risk sharing Risk retention Residual risk ISO/IEC 27005:2011 - The risk treatment activity
  152. 152. Certification ISO/IEC 27003:2010 Overview, Figure 1 – ISMS project phases Obtaining management approval for initiating an ISMS project Defining ISMS scope, boundaries and ISMS policy Conducting information security requirements analysis Conducting risk assessment and planning risk treatment Design the ISMS5 6 7 8 9 Management approval for initiating ISMS Project The ISMS Scope and boundaries ISMS Policy Information security requirements Information assets Results from information security assessment Written notice of management approval for implementing the ISMS Risk treatment plan SoA, including the control objectives and the selected controls Final ISMS project implementation plan Timeline
  153. 153. Certification §  ISO/IEC 27001:2013 §  Section 6.1.3 Information security risk treatment §  The organization shall define and apply an information security risk treatment process to: (…) §  d) produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c)) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A; (…) §  The organization shall retain documented information about the information security risk treatment process. §  NOTE The information security risk assessment and treatment process in this International Standard aligns with the principles and generic guidelines provided in ISO 31000[5].
  154. 154. Certification §  Statement of Applicability (SoA) §  Example Clause No Control Applicable (Y/N) Reason for selection / justification for exclusion Control objective Current status of control A.5 Information security policies A.5.1 Management direction for information security A.5.1.1 Policies for information security         A.5.1.2 Review of the policies for information security         ... ...
  155. 155. Certification §  Audit and Certification §  ISO/IEC 27003:2010 §  Annex C - Information about Internal Auditing ¨  In an ISMS audit, auditing results should be determined based on evidence. Therefore, some suitable length of time during the ISMS operations should be allocated to collecting suitable evidence.
  156. 156. Certification §  Audit and Certification §  ISO/IEC 27007:2011 §  6.2.3.1 Determining the feasibility of the audit ¨  Before the audit commences, the auditee should be asked whether any ISMS records are unavailable for review by the audit team, e.g. because they contain confidential or sensitive information. ¨  The person responsible for managing the audit programme should determine whether the ISMS can be adequately audited in the absence of these records. ¨  If the conclusion is that it is not possible to adequately audit the ISMS without reviewing the identified records, the person should advise the auditee that the audit cannot take place until appropriate access arrangements are granted and an alternative could be proposed to or by the auditee.
  157. 157. Certification §  Audit and Certification §  ISO/IEC 27007:2011 – Annex A: Practice Guidance for ISMS Auditing §  Annex A - A.1 ISMS scope, policy and risk assessment approach (ISO/IEC 27001 4.1 & 4.2.1a) to c)) §  Audit evidence includes: ¨  Scope of the ISMS (4.3.1 b)); ¨  Organization chart; ¨  Organization strategy; ¨  Business policy statement, business processes and activities; ¨  Documentation of roles and responsibilities; ¨  Network configuration; ¨  Sites information, including a list of branches, business, offices and facilities, and their floor layouts; ¨  Interfaces and dependencies that the business activities carried out in the scope of the ISMS have with those outside the scope; ¨  Relevant laws, regulations and contracts; ¨  Primary assets information; ¨  ISMS policy document. { ISO/IEC 27007:2011 (latest version) references ISO/IEC 27001:2005 (superseded)
  158. 158. Certification §  Audit and Certification §  ISO/IEC 27007:2011 §  Annex A - A.2 Risk identification, analysis and evaluation, and risk treatment option identification and evaluation (ISO/IEC 27001 4.2.1d)~f)) §  Audit evidence includes: ¨  Inventory of assets; ¨  Documents for the risk assessment methodology; ¨  Risk assessment reports. { ISO/IEC 27007:2011 (latest version) references ISO/IEC 27001:2005 (superseded)
  159. 159. Certification §  Audit and Certification §  ISO/IEC 27007:2011 §  Annex A - A.4 Implementation and operation of the ISMS (4.2.2) §  Audit evidence includes: ¨  Risk treatment plan and progress records on the plan projects; ¨  Documented procedures and records for control effectiveness measurements.{ ISO/IEC 27007:2011 (latest version) references ISO/IEC 27001:2005 (superseded)
  160. 160. Certification §  Certification Body Requirements §  Analyse the requirements from §  ISO/IEC 27006:2015 - Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems §  ISO/IEC 17021:2015 - Conformity assessment -- Requirements for bodies providing audit and certification of management systems -- Part 1: Requirements §  ISO: Certification… §  “ISO does not perform certification” §  http://www.iso.org/iso/home/standards/certification.htm §  IAF §  UKAS ¨  https://www.ukas.com/search-accredited-organisations/ §  ANAB ¨  http://anab.org/accredited-organizations/ §  INMETRO ¨  http://www.inmetro.gov.br/organismos/index.asp
  161. 161. References §  NIST Special Publications (SP) §  http://csrc.nist.gov/publications/PubsSPs.html §  800-30 Rev. 1 - Guide for Conducting Risk Assessments (referenced by ISO/IEC 27005:2011) §  800-55 Rev. 1 - Performance Measurement Guide for Information Security (referenced by ISO/IEC 27004:2009) §  800-12, An Introduction to Computer Security: The NIST Handbook (referenced by ISO/IEC 27005:2011)
  162. 162. References §  Cloud Security §  NIST SP: http://csrc.nist.gov/publications/PubsSPs.html §  800-146 - Cloud Computing Synopsis and Recommendations §  800-145 - The NIST Definition of Cloud Computing §  800-144 - Guidelines on Security and Privacy in Public Cloud Computing §  800-125 - Guide to Security for Full Virtualization Technologies §  Cloud Security Alliance: Security Guidance §  https://cloudsecurityalliance.org/guidance/ §  ENISA Cloud Computing Risk Assessment §  http://www.enisa.europa.eu/activities/risk-management/files/ deliverables/cloud-computing-risk-assessment
  163. 163. Conclusion §  The primary objectives §  Align information security objectives with business objectives §  Define roles and responsibilities §  Integrate controls in a framework §  Structure policies, standards, procedures e guidelines §  Implement ISMS according to the compliance framework of ISO/IEC 27001 §  Define an ISMS measurement programme §  Improve the ISMS according to measurement results
  164. 164. Conclusion §  Organizations must be cyber threat driven not compliance driven §  Many organizations still continue to be compliance driven as the major driver for their security practices and safeguards §  Many organizations do the minimum necessary to meet regulatory or other industry compliance requirements §  Several of the financial institutions breached in the last couple of years were PCI compliant, yet they were still breached

×