ISO17799 Maturity - Best IT Documents


ISO17799 Maturity
Secure Business – Need Security Infrastructures…
Confidentiality
Confidentiality relates to the protection of sensitive data from unauthorized use and distribution.
Examples include:
Securing corporate data
Securing personnel (payroll, health) information
Integrity
Integrity relates to maintaining the quality and validity of data.
Examples include:
Ensuring that the transactional systems aren’t modified by an unauthorized party
Availability
Availability relates to ensuring that data is accessible.
Examples include:
Ensuring that processing can take place 24 hours a day
What Is Information Security?
Key facets of an information security program include:
People – organization, responsibility, accountability, and leadership
Process – policies, procedures, and practices
Technology – scalable technical support for automation, integration, and enabling of information security operations.
What Is Information Security?
Ultimately, information security is the method by which an organization ensures that it has control over its systems and data, thereby protecting its investment in information technology and its ability to maintain business operations.
What Is Information Security?
Effective control requires executive sponsorship.
Everyone must know and agree to their responsibilities for maintaining effective controls.
Liability may depend on “due care”.
If you’re going to be plugged in, you accept responsibility.
Trust can’t be enforced. -- Policy can.
…Having An Enterprise View
Corporate information protection is based on a multi-layered approach. The structure limits the exposure of any one security breach; however, today the Internet cuts across traditional layers and an unauthorized user could quickly exploit a weak layer.
Layers shown: Security Program, Internet, Perimeter, Network, Host, Application, Electronic Commerce, Data
Security Program – Overall foundation to protect the environment and set policy for the other security layers. Includes monitoring, detection and response.
Internet Security – Protects the data that is visible to the Internet from Web pages and via corporate communications. If breached, corporate image and/or communications can be compromised.
Perimeter Security – First layer of physical protection (Voice & Data). If breached, access to data is possible.
Network Security – First internal layer of protection. If breached, loss of control over data movement and/or data modification is possible.
Host Security – Protects computer, application and data. If breached, data could be altered and/or deleted.
Application Security – Protects application and data. If breached, data could be altered and/or deleted.
E-Commerce Security – Protects the data while communicating across the organization and outside the organization. If breached, all corporate layers of security can be compromised.
Where did ISO17799 Originate?
Began as UK Department of Trade and Industry
(DTI) Code of Practice
Facilitated trade in trusted environments
Led to British Standard 7799 (BS7799)
Adopted as ISO17799 in December 2000
What is ISO17799?
• A comprehensive set of controls comprising best practices in information security
• Controls-based policy
• Measurable
• Certifiable
• Risk-management based
• Internationally recognized
What is ISO17799?
10-Section Standard
• Security Policy
• Organizational Security
• Asset Classification & Control
• Personnel Security
• Physical and Environmental Security
• Computer & Operations Management
• Access Control
• System Development and Maintenance
• Business Continuity Planning
• Compliance
What is ISO17799?
Security Policy
• To provide management direction and support for information security.
» Policy – program
What is ISO17799?
Security Organization
• To manage information security both in and out of the organization.
» Infrastructure – leadership
» Third party access – contracts
» Outsourcing - SLAs
What is ISO17799?
Asset Classification & Control
• To maintain appropriate protection of corporate assets and to ensure that information assets receive an appropriate level of protection.
» Accountability – ownership
» Information classification - appropriateness
What is ISO17799?
Personnel Security
• To reduce risk of human error, maintain awareness, and minimize damage from incidents.
» Job resourcing – background
» User training – awareness
» Incident response – procedures
What is ISO17799?
Physical and Environmental Security
• To prevent unauthorized access, damage and interference to business premises and information.
» Secure areas – physical control
» Equipment security – individual
» General controls – common sense
What is ISO17799?
Computer & Operations Management
• To ensure the correct and secure operations of information systems.
» Procedures / responsibilities – who & how
» Planning & acceptance – capacity
» Malicious software – virus
» Housekeeping – backup
» Network management – segregation of duties
» Media handling – disposal
» Information exchange – agreements
What is ISO17799?
Access Control
• To control access to information.
» Policy – existence
» User access management – authorization
» User registration – maintenance
» User responsibilities – awareness
» Network access – interfaces
» Operating system access – foundation
» Application access – segregation
» Monitoring – detection
» Mobile access – ubiquitousness
What is ISO17799?
System Development and Maintenance
• To ensure that security is built into information systems.
» Security in applications – integrity
» Cryptographic controls – confidentiality
» Input / Output controls
» Security of system files – foundation
» Security in development – change control
What is ISO17799?
Business Continuity Planning
• To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.
» Management process – not tech!
» Impact analysis – risk assessment
» Continuity plans – existence
» Planning framework – consistency
» Test, test, test! – update
What is ISO17799?
Compliance
• To avoid breaches of compliance with law & policy and maximize effectiveness of system audits.
» Legal requirements – money
» Reviews – policy and technology
» System audit – impact
How Will Organizations Benefit?
Standardization – efficiency & automation
Competitive advantage
Risk management – not security for the sake of security
Cost-effectiveness
Move from reactive to proactive
Accepted framework for policy
How Will Organizations Benefit?
1) Driver for process improvement
2) Meet business partner requirements
3) Maintain regulatory compliance
4) Measure the effectiveness of information security efforts
5) (ROI!)