Transcript ISO 27001

Chapter 5: Fraud Prevention and Risk Management
McGraw-Hill/Irwin
Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.

Fraud Prevention and Risk Management Overview
- Fraud prevention requires information security and good internal control. Information security can't be obtained simply by studying and applying lists of security measures. Rather, security must be studied and applied as a management system in the context of enterprise risk management.
- This chapter focuses primarily on the information security management system (ISMS), an organizational internal control process that ensures the following three objectives for data and information within the organization: integrity, confidentiality, and availability.
- Information systems security is merely the application of standard internal control principles to information resources.

ISMS Security Objectives
- Integrity involves accuracy and completeness.
  - Accuracy means inputting the correct data into the system and then processing it as intended, without errors.
  - Completeness ensures that no unauthorized additions, removals, or modifications are made to data that has been inputted into the system.
- Confidentiality involves ensuring that data and information are made available only to authorized persons.
- Availability involves ensuring that data and information are available when and where they are needed.

Key Concepts in ISMS
- Organizational Embedding, Risk Management, and Internal Control
- Prevention, Detection, and Response
- The ISMS Life Cycle and PDCA
- Risk Management and Threat and Vulnerability Analysis

PDCA (diagram slide)

ISO 27000 Series
- ISO 27000 (vocabulary and definitions).
- ISO 27001 (ISMS requirements and implementation). This defines the main standard applicable for certification of ISMSs.
- ISO 27002 (code of security practices). A code of best practices in ISMS. Includes more than 5,000 detailed controls.
- ISO 27003 (implementation guidance). Guidelines for implementing ISO 27000 series standards.
- ISO 27004 (security management metrics and measurement). Information security management measurement and metrics.
- ISO 27005 (information security risk management). Guidelines relating to the risk management aspects of ISO 27001.

ISO 27001: Implementing ISMSs
Plan Phase
- Initiating the project
- Defining the scope of the ISMS
- Establishing an ISMS policy
- Performing a risk assessment
- Selecting risk treatments
- Selecting control objectives
- Producing a statement of applicability

Risk Treatment Strategies (diagram slide)

Assets and Risk Assessment
- General categories of assets at risk:
  - Human resources
  - Information
  - Documents
  - Software
  - Physical equipment
  - Services
  - Company image and reputation
- Each asset should also be classified according to its desired access security level: Unclassified, Shared, Company only, Confidential

Active Threats
- Input manipulation (most common source of fraud)
- Direct file alteration (bypass normal software)
- Program alteration (requires sophistication)
- Data theft (hard to detect and prove)
- Sabotage (disgruntled employees)
- Misappropriation of information system resources
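The Plan-phase steps above (risk assessment, selecting risk treatments, selecting control objectives, producing a statement of applicability), the asset classification levels, and the active-threat list can be tied together in a small risk register. The following Python is an added example written for this transcript; it is not code from the textbook or from any ISO standard. It assumes a likelihood x impact scoring, numeric impact weights for the four classification levels, two risk-appetite thresholds, a hypothetical mapping from each active threat to the ISO/IEC 27002 area whose controls address it, and the treatment names retain/modify (taken from ISO 27005's treatment options, since the risk-treatment slide itself carries no text). The sample assets and likelihoods are constructed.

```python
from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    """The deck's four access security levels; the numeric impact weights are an assumption."""
    UNCLASSIFIED = 1
    SHARED = 2
    COMPANY_ONLY = 3
    CONFIDENTIAL = 4


@dataclass(frozen=True)
class Asset:
    name: str
    category: str  # one of the deck's asset categories (Information, Software, ...)
    classification: Classification


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int  # assumed 1 (rare) .. 4 (frequent) scale


@dataclass
class Risk:
    asset: Asset
    threat: Threat
    score: int
    treatment: str
    controls: tuple  # ISO 27002 areas selected to treat this risk


# Hypothetical mapping from each active threat on the slide to the ISO/IEC 27002
# areas whose controls would address it (an assumption, not from the deck).
THREAT_CONTROLS = {
    "Input manipulation": ("Access Controls", "Information Systems Acquisition, Development and Maintenance"),
    "Direct file alteration": ("Access Controls", "Communications and Operations Management"),
    "Program alteration": ("Information Systems Acquisition, Development and Maintenance",),
    "Data theft": ("Access Controls", "Human Resources Security"),
    "Sabotage": ("Human Resources Security", "Physical and Environmental Security"),
    "Misappropriation of information system resources": ("Communications and Operations Management",),
}

# Assumed risk appetite: scores below RETAIN_BELOW are accepted as-is; scores at or above
# ESCALATE_AT still receive controls but are flagged for a management avoid/share decision.
RETAIN_BELOW = 4
ESCALATE_AT = 12


def risk_score(asset: Asset, threat: Threat) -> int:
    """Likelihood x impact, with impact taken from the asset's classification level."""
    return int(asset.classification) * threat.likelihood


def choose_treatment(score: int) -> str:
    """Treatment names follow ISO 27005's retain/modify options (assumption)."""
    if score < RETAIN_BELOW:
        return "retain"
    if score < ESCALATE_AT:
        return "modify"
    return "modify+escalate"


def assess(assets, threats):
    """Plan-phase risk assessment: score every asset/threat pair and pick a treatment."""
    register = []
    for asset in assets:
        for threat in threats:
            score = risk_score(asset, threat)
            treatment = choose_treatment(score)
            controls = () if treatment == "retain" else THREAT_CONTROLS[threat.name]
            register.append(Risk(asset, threat, score, treatment, controls))
    return sorted(register, key=lambda r: r.score, reverse=True)


def statement_of_applicability(register, areas):
    """Map each ISO 27002 area to (applicable?, list of risks justifying its selection)."""
    justification = {area: [] for area in areas}
    for risk in register:
        for area in risk.controls:
            justification[area].append(f"{risk.threat.name} -> {risk.asset.name} (score {risk.score})")
    return {area: (bool(just), just) for area, just in justification.items()}


ISO_27002_AREAS = (  # the eleven area names listed later in the deck
    "Security Policy", "Organization of Information Security", "Asset Management",
    "Human Resources Security", "Physical and Environmental Security",
    "Communications and Operations Management", "Access Controls",
    "Information Systems Acquisition, Development and Maintenance",
    "Information Security Incident Management", "Business Continuity Management", "Compliance",
)

# Constructed sample inventory for a small payroll environment (not from the deck).
SAMPLE_ASSETS = (
    Asset("Payroll master file", "Information", Classification.CONFIDENTIAL),
    Asset("Public web pages", "Documents", Classification.UNCLASSIFIED),
    Asset("GL posting program", "Software", Classification.COMPANY_ONLY),
)
SAMPLE_THREATS = (  # likelihoods are constructed; the slide only ranks input manipulation as most common
    Threat("Input manipulation", 4), Threat("Direct file alteration", 2), Threat("Program alteration", 1),
    Threat("Data theft", 3), Threat("Sabotage", 2), Threat("Misappropriation of information system resources", 3),
)


def example_register():
    return assess(SAMPLE_ASSETS, SAMPLE_THREATS)


def example_soa():
    return statement_of_applicability(example_register(), ISO_27002_AREAS)
```

Running `example_register()` ranks the confidential payroll file against input manipulation at the top (score 16, flagged for escalation), while low-value public web pages against most threats fall below the retain threshold and receive no controls. `example_soa()` then shows which 27002 areas the register actually justifies; areas with no linked risk (here Business Continuity Management, Compliance, and others) are reported as not applicable, which is exactly the justification a statement of applicability must record.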

ISO 27001: Implementing ISMSs
Do Phase
- Applying the controls defined in the SOA
- Operating the ISMS
- Ensuring that all employees are properly trained and competent to perform their security duties
- Mechanisms for compliance monitoring
- Mechanisms for incident detection and response

ISO 27001: Implementing ISMSs
Check and Act Phases
- The check phase ensures that all the control objectives are being met and that all controls are in place and working. Various check activities identified in ISO 27001 include intrusion detection, incident handling, learning from outside sources, internal and external audits, self-policing procedures, and management reviews.
- The act phase involves continually improving the entire ISMS based on analysis of incident reports and the overall efficiency and effectiveness of the ISMS processes.

IT Security Assurance Defined
- Information security assurance (ISA) refers to some type of evidence-based assertion that increases the certainty that a security-related deliverable can withstand specified security threats.
- Information security assurance is achieved for a target of evaluation (TOE) by performing assurance activities that satisfy a predefined security target or security protection profile.

Key Definitions Relating to Assurance
- Target of evaluation (TOE): this is the information security deliverable, the object for which assurances are made.
- Assurance activities: these activities depend on the method of assessment. Various methods of assessment are discussed later.
- Security target (ST): this is the set of security specifications and requirements used to evaluate the target of evaluation.
- Security protection profile (SPP): similar to a security target, this profile is much broader in scope. Unlike an ST, an SPP does not apply to any one particular deliverable but represents the security needs of a given individual or group of individuals.

Forms of Assurance
- Informal or semiformal: an internal project development leader could simply write a letter to management indicating that the product meets company security standards.
- Formal certification by an accredited certification body: some ISO standards, such as ISO 27002, are designed so that organizations can be certified against them.
- Self-certification: some organizations perform their own internal certification process as part of their internal quality assurance process. Self-certification can be against internally developed standards or widely recognized standards.

Degrees of Assurance
- ISO 15408 (Common Criteria) defines 7 levels of increasing assurance (Evaluation Assurance Levels, EALs). The degree of assurance is affected by assurance classes. ISO 15408 (Common Criteria) defines the following seven assurance classes:
  1. Configuration management (CM)
  2. Delivery and operation
  3. Development
  4. Guidance documents
  5. Life cycle support
  6. Tests
  7. Vulnerability assessments
- Lower-level EALs focus on correctness. Higher levels focus on effectiveness.

Assurance Methods and Approaches
- An assurance method is a recognized specification for assurance activities that yields reproducible assurance results. Assurance results are reproducible when different evaluators working independently of each other are likely to obtain similar assurance results.
- Assurance approaches are categories of assurance methods.
- ISO 15443 classifies assurance approaches according to the methods used to develop the deliverable, and the environment in which the deliverable is deployed.
  - Methods that assess the deliverable itself, that assess the deliverable's development process, that assess the deliverable's development environment
  - Life cycle phases: design, integration, transition, operation

Some Well-known Assurance Methods/Approaches
- ISO 21827: Systems Security Engineering Capability Maturity Model (SSE-CMM®) and Security Engineering Baseline Protection Manual
- Trusted Product Evaluation Program (TPEP) and the Trust Technology Assessment Program (TTAP)
- IEC 15408: Evaluation Criteria for IT Security (the Common Criteria)
- Information Technology Security Evaluation Criteria
- ISO/IEC 27000 Series
- The Trusted Capability Maturity Model (TCMM)
- ISO/IEC 13335: Management of Information and Communications Technology Security (MICTS)
- Certified Information Systems Security Professionals (CISSP)
- Federal Information Processing Standard 140 (FIPS 140)
- Control Objectives for Information and Related Technology (COBIT)

ISO/IEC 27002 Areas Applied to ISMSs
- Security Policy
- Organization of Information Security
- Asset Management
- Human Resources Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Controls
- Information Systems Acquisition, Development and Maintenance
- Information Security Incident Management
- Business Continuity Management
- Compliance

The Layered Approach to Access Control