COBIT & BS7799 Overview


International Security Management Standards
• BS ISO/IEC 17799:2005
• BS ISO/IEC 27001:2005
• First edition: ISO/IEC 17799:2000
• Second edition: ISO/IEC 17799:2005
ISO/IEC 17799 takes the form of guidance notes and recommendations, which have been produced following consultation with leading companies.
ISO/IEC 27001:2005 provides requirements for Information Security Management and is relevant to those responsible for initiating, implementing or maintaining security in their organization.
Organizations
• ISO – International Organization for Standardization
• IEC – International Electrotechnical Commission
• BSI – British Standards Institute
BS 7799 Part 2:2002
• BS 7799 Part 2 has been updated and was released as ISO/IEC 27001:2005 on October 15th 2005.
• The new international version of the standard clarifies and strengthens the requirements of the original British standard, and includes changes to the following areas:
  - risk assessment
  - contractual obligations
  - scope
  - management decisions
  - measuring the effectiveness of selected controls
Information Security Management System - Key Principles based on BS 7799
[Diagram: a Corporate Information Security Policy sits above the Information Security Management Policies / Standards framework; information security risk is addressed through existing processes, people, processes and technology, technical controls, and education & awareness.]
ISMS Implementation (cycle centred on the information security policy)
Establish the context
- Define Information Security policy and objectives
- ISMS scope and policy
- Security organization
- Risk identification and assessment: identify risks, analyse risks, evaluate
- Communicate and consult (management, stakeholders, users etc.)
Manage the risk
- Identify and evaluate options for managing the risks
- Select controls and objectives for the treatment and management of risk
- Implement selected controls
- Statement of applicability
Monitor and review ISMS
- Create monitoring rules
- Monitor the progress
Improve ISMS
- Identify improvements in the ISMS and implement them
- Take appropriate corrective and preventive actions
• The standard for Information Security Management System (ISMS), BS 7799 (now ISO/IEC 27001:2005), has fast become one of the world's established standards for information security.
• An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information and information entrusted to companies by third parties so that it remains secure.
• It encompasses people, processes and IT systems.
What is BS 7799?
BS 7799 is a standard setting out the requirements for an Information Security Management System. It helps identify, manage and minimize the range of threats to which information is regularly subjected.
BS 7799 is organized into 10 sections:
1. Security policy
2. Organization of assets and resources
3. Asset classification and control
4. Personnel security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. Systems development and maintenance
9. Business continuity management
10. Compliance
ISO 27001:2005
The present standard has:
- 11 Domains
- 39 Control Objectives
- 133 Controls
The 11 domains are:
1. Security Policy
2. Organization of Information Security
3. Asset Management
4. Human Resources Security
5. Physical and Environmental Security
6. Communications and Operations Management
7. Access Control
8. Information systems acquisition, development and maintenance
9. Information security Incident Management
10. Business Continuity Management
11. Compliance
Domain, control objectives & controls - Example
5 Physical and Environmental Security
5.1 Secure Areas
  5.1.1 Physical Security Perimeter
  5.1.2 Physical Entry Controls
  5.1.3 Securing offices, rooms and facilities
  5.1.4 Protecting against external and environmental threats
  5.1.5 Working in Secure Areas
  5.1.6 Public Access, delivery and loading areas
5.2 Equipment Security
  5.2.1 Equipment siting and protection
  5.2.2 Supporting Utilities
  5.2.3 Cabling Security
  5.2.4 Equipment Maintenance
  5.2.5 Security of equipment off-premises
  5.2.6 Secure disposal or reuse of equipment
  5.2.7 Removal of property
Domain, control objectives & controls - Example
11 Compliance
11.1 Compliance with legal requirements - 6 controls
11.2 Compliance with security standards and technical compliance - 2 controls
11.3 Information Systems Audit Considerations - 2 controls
• Formulation of security requirements and objectives;
• To ensure that security risks are cost-effectively managed;
• To ensure compliance with laws and regulations;
• As a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met;
• Identification and clarification of existing information security management processes;
• To be used by management to determine the status of information security management activities;
• To be used by internal and external auditors to determine the degree of compliance with the policies, directives and standards adopted by an organization;
• To provide relevant information about information security policies, directives, standards and procedures to trading partners;
• To provide relevant information about information security to customers.
Laws and Regulations
Regulatory requirements
- Establishment
- Organization
- Responsibilities
- Correlation to financial, operational and IT audit functions
Laws and Regulations
Steps to determine compliance with external requirements:
- Identify external requirements
- Document pertinent laws and regulations
- Assess whether management and the IS function have considered the relevant external requirements
- Review internal IS department documents that address adherence to applicable laws
- Determine adherence to established procedures
ISACA Standards and Guidelines for IS Auditing
- ISACA IS Auditing Standards
- ISACA IS Auditing Guidelines
- ISACA Code of Professional Ethics
Objectives of ISACA IS Auditing Standards
• Inform management and other interested parties of the profession's expectations concerning the work of audit practitioners
• Inform information system auditors of the minimum level of acceptable performance required to meet professional responsibilities set out in the ISACA Code of Professional Ethics
Framework for the ISACA Information Systems Auditing Standards:
- Standards
- Guidelines
- Procedures
ISACA Standards and Guidelines for IS Auditing (continued)
• Audit charter: responsibility, authority and accountability
• Independence: professional independence; organizational relationship
• Professional Ethics and Standards: Code of Professional Ethics; due professional care
• Competence: skills and knowledge; continuing professional education
• Planning: audit planning
• Performance of audit work: supervision; evidence
• Reporting: report content and form
• Follow-up activities:
  - Review previous conclusions and recommendations
  - Review previous relevant findings
  - Determine whether appropriate actions have been implemented on a timely basis
Use of ISACA Guidelines
• Consider the guidelines in determining how to implement the standards
• Use professional judgment in applying these guidelines
• Be able to justify any departure