COBIT & BS7799 Overview
International Security Management Standards
- BS ISO/IEC 17799:2005
- BS ISO/IEC 27001:2005
First edition: ISO/IEC 17799:2000
Second edition: ISO/IEC 17799:2005
ISO/IEC 17799 takes the form of guidance notes and recommendations, which were produced following consultation with leading companies.
ISO/IEC 27001:2005 provides the requirements for Information Security Management and is relevant to those responsible for initiating, implementing or maintaining security in their organization.
Organizations
- ISO: International Organization for Standardization
- IEC: International Electrotechnical Commission
- BSI: British Standards Institution
BS 7799-Part 2:2002
BS 7799 Part 2 has been updated and was released as ISO/IEC 27001:2005 on October 15th 2005.
The new international version of the standard clarifies and strengthens the requirements of the original British standard, and includes changes to the following areas:
- risk assessment,
- contractual obligations,
- scope,
- management decisions,
- measuring the effectiveness of selected controls.
Information Security Management System - Key Principles based on BS 7799
(Elements of the key-principles diagram:)
- Corporate Information Security Policy
- Information Security Management Policies / Standards framework
- Information Security Risk
- Existing processes
- People
- Processes
- Technology
- Technical control
- Education & awareness
ISMS Implementation
(The ISMS implementation cycle, with the POLICY at its centre:)
Establish the context
- Define Information Security policy and objectives
- ISMS scope and policy
- Security Organization
- Risk identification and assessment: identify risks, analyse risks, evaluate
Manage the risk
- Identify and evaluate options for managing the risks
- Select controls and objectives for the treatment and management of risk
- Implement selected controls
- Statement of applicability
Monitor the progress
- Create monitoring rules
- Monitor and review ISMS
Improve ISMS
- Identify improvements in the ISMS and implement them
- Take appropriate corrective and preventive actions
Communicate and consult (management, stakeholders, users etc.) throughout the cycle
• The standard for Information Security Management Systems (ISMS), BS 7799 (now ISO/IEC 27001:2005), has fast become one of the world's established standards for information security.
• An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information and information entrusted to companies by third parties so that it remains secure.
• It encompasses people, processes and IT systems.
What is BS 7799?
BS 7799 is a standard setting out the requirements for an Information Security Management System. It helps identify, manage and minimize the range of threats to which information is regularly subjected.
BS 7799 is organized into 10 sections:
1. Security policy
2. Organization of assets and resources
3. Asset classification and control
4. Personnel security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. Systems development and maintenance
9. Business continuity management
10. Compliance
ISO 27001:2005
The present standard has:
- 11 Domains
- 39 Control Objectives
- 133 Controls
ISO 27001:2005
The 11 domains are:
1. Security Policy
2. Organization of Information Security
3. Asset Management
4. Human Resources Security
5. Physical and Environmental Security
6. Communications and Operations Management
7. Access Control
8. Information Systems Acquisition, Development and Maintenance
9. Information Security Incident Management
10. Business Continuity Management
11. Compliance
Domain, control objectives & controls - Example
5 Physical and Environmental Security
5.1 Secure Areas
5.1.1 Physical Security Perimeter
5.1.2 Physical Entry Controls
5.1.3 Securing offices, rooms and facilities
5.1.4 Protecting against external and environmental threats
5.1.5 Working in Secure Areas
5.1.6 Public access, delivery and loading areas
5.2 Equipment Security
5.2.1 Equipment siting and protection
5.2.2 Supporting utilities
5.2.3 Cabling security
5.2.4 Equipment maintenance
5.2.5 Security of equipment off-premises
5.2.6 Secure disposal or reuse of equipment
5.2.7 Removal of property
Domain, control objectives & controls - Example
11 Compliance
11.1 Compliance with legal requirements (6 controls)
11.2 Compliance with security standards and technical compliance (2 controls)
11.3 Information Systems Audit Considerations (2 controls)
Uses of the standard:
• Formulation of security requirements and objectives;
• To ensure that security risks are cost-effectively managed;
• To ensure compliance with laws and regulations;
• As a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met;
• Identification and clarification of existing information security management processes;
• To be used by management to determine the status of information security management activities;
• To be used by internal and external auditors to determine the degree of compliance with the policies, directives and standards adopted by an organization;
• To provide relevant information about information security policies, directives, standards and procedures to trading partners;
• To provide relevant information about information security to customers.
Laws and Regulations
- Regulatory requirements
- Establishment
- Organization
- Responsibilities
- Correlation to financial, operational and IT audit functions
Laws and Regulations
Steps to determine compliance with external requirements:
- Identify external requirements
- Document pertinent laws and regulations
- Assess whether management and the IS function have considered the relevant external requirements
- Review internal IS department documents that address adherence to applicable laws
- Determine adherence to established procedures
ISACA Standards and Guidelines for IS Auditing
- ISACA IS Auditing Standards
- ISACA IS Auditing Guidelines
- ISACA Code of Professional Ethics
Objectives of ISACA IS Auditing Standards
• Inform management and other interested parties of the profession's expectations concerning the work of audit practitioners
• Inform information system auditors of the minimum level of acceptable performance required to meet professional responsibilities set out in the ISACA Code of Professional Ethics
Framework for ISACA's Information Systems Auditing Standards:
- Standards
- Guidelines
- Procedures
ISACA IS Auditing Standards
• Audit charter
• Independence
• Professional Ethics and Standards
• Competence
• Planning
• Performance of audit work
• Reporting
• Follow-up activities
• Audit charter
- Responsibility, authority and accountability
• Independence
- Professional independence
- Organizational relationship
• Professional Ethics and Standards
- Code of Professional Ethics
- Due professional care
• Competence
- Skills and knowledge
- Continuing professional education
• Planning
- Audit planning
• Performance of audit work
- Supervision
- Evidence
• Reporting
- Report content and form
• Follow-up Activities
- Review previous conclusions and recommendations
- Review previous relevant findings
- Determine whether appropriate actions have been implemented on a timely basis
Use of ISACA Guidelines
• Consider the guidelines in determining how to implement the standards
• Use professional judgment in applying these guidelines
• Be able to justify any departure