01.04.2014 Information Security


ISO 27001

Information Security Management System (ISMS)

Information Assets

• Information is an asset – like other important business assets, it has value to an organisation and consequently needs to be suitably protected.

What is Information?

• Current Business Plans
• Future Plans
• Intellectual Property (Patents, etc.)
• Employee Records
• Customer Details
• Business Partners Records
• Financial Records

What is Information Security?

• Information Security addresses:
  – Confidentiality (C)
  – Integrity (I)
  – Availability (A)
• Also involves:
  – Authenticity
  – Accountability
  – Non-repudiation
  – Reliability

Enterprise/Corporate IT Hardware Resources

Information Security Risks

The range of risks includes:
• System failures
• Denial of service (DoS) attacks
• Misuse of resources – Internet/email/telephone
• Damage to reputation
• Espionage
• Fraud
• Viruses/spyware etc.
• Use of unlicensed software

Layered Security

Security Awareness/Culture

• Security is everyone’s responsibility
• All levels of management are accountable
• Everyone should consider security in their daily roles
  – Attitude (willing/aims/wants/targets)
  – Knowledge (what to do?)
  – Skill (how to do?)
• Security is integrated into all operations
• Security performance should be measured

Security Awareness Program Flow

(Flow diagram – elements: Company Policy, Security Awareness Program, Activities, Employees, Feedback; steps: Define, Implement, Elicit, Integrate)

Benefits of pursuing certification

• Allows organizations to mitigate the risk of IS breaches
• Allows organizations to mitigate the impact of IS breaches when they occur
• In the event of a security breach, certification should reduce the penalty imposed by regulators
• Allows organizations to demonstrate due diligence and due care – to shareholders, customers and business partners
• Allows organizations to demonstrate compliance with legal, regulatory and contractual requirements – taking a proactive as opposed to a reactive approach
• Provides independent third-party validation of an organization’s ISMS

Structure of 27000 series

• 27000 – Fundamentals & Vocabulary
• 27001 – ISMS
• 27002 – Code of Practice for ISM
• 27003 – Implementation Guidance
• 27004 – Metrics & Measurement
• 27005 – Risk Management
• 27006 – Guidelines on ISMS accreditation

What is ISO 27001?

ISO 27001 Part I

– Code of practice for Information Security Management (ISM)
– Best practices, guidance, recommendations for
  • Confidentiality (C)
  • Integrity (I)
  • Availability (A)

ISO 27001 Part II

– Specification for ISM
– (Clauses 4 – 8) All clauses should be applied, NO exceptions

Annex A (Control Objectives and Controls)
– 11 Security Domains (A5 – A15)
  • Layers of security
– 39 Control Objectives
  • Statement of desired results or purpose
– 133 Controls
  • Policies, procedures, practices, software controls and organizational structure
  • To provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected
  • Exclusion of some controls is possible, if it can be justified

Difference Between 27001:2000 and 27001:2005 Editions?

Annex A

2000 Edition (10 sections):
• Security Policy
• Security Organisation
• Asset Classification & Control
• Personnel Security
• Physical & Environmental Security
• Communications & Operations Management
• Access Control
• Systems Development & Maintenance
• Business Continuity Management
• Compliance

2005 Edition (11 sections):
• A5 – Security Policy
• A6 – Organising Information Security
• A7 – Asset Management
• A8 – Human Resources Security
• A9 – Physical & Environmental Security
• A10 – Communications & Operations Management
• A11 – Access Control
• A12 – Information Systems Acquisition, Development and Maintenance
• A13 – Information Security Incident Management
• A14 – Business Continuity Management
• A15 – Compliance

ISO 27001 Implementation Steps

1. Decide on the ISMS scope
2. Approach to risk assessment
3. Perform GAP analysis
4. Selection of controls
5. Statement of Applicability
6. Reviewing and managing the risks
7. Ensure management commitment
8. ISMS internal audits
9. Measure effectiveness and performance
10. Update risk treatment plans, procedures and controls

Plan-Do-Check-Act (PDCA)

• ISO 27001 adopts the “Plan-Do-Check-Act” (PDCA) model
  – Applied to structure all ISMS processes

PDCA Model

• Plan – Establish ISMS: Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving IS to deliver results in accordance with an organization’s overall policies and objectives
• Do – Implement and operate ISMS: Implement and operate ISMS policy, controls, processes and procedures
• Check – Monitor and review ISMS: Assess, and where applicable, measure process performance against ISMS policy, objectives and practical experience, and report the results to management for review
• Act – Maintain and improve ISMS: Take corrective actions, based on the results of the internal audit and management review or other relevant information, to achieve continual improvement of the ISMS

ISO 27001 (Requirements) Standard Content

• Section 0 – Introduction
• Section 1 – Scope
• Section 2 – Normative references
• Section 3 – Terms and definitions
• Section 4 – Plan: to plan the establishment of your organization’s ISMS.
• Section 5 – Do: to implement, operate, and maintain your ISMS.
• Sections 6 and 7 – Check: to monitor, measure, audit, and review your ISMS.
• Section 8 – Act: to take corrective and preventive actions to improve your ISMS.
• Annex A (Clauses A.5 to A.15)

ISO 27001 PDCA Approach

Plan:

– Study requirements
– Draft an IS Policy
– Discuss in IS Forum (committee)
– Finalize and approve the policy
– Establish implementation procedure
– Staff awareness/training

Do:

– Implement the policy

Check:

– Monitor, measure, & audit the process

Act:

– Improve the process

ISMS Scope

• Business security policy and plans
• Current business operations requirements
• Future business plans and requirements
• Legislative requirements
• Obligations and responsibilities with regard to security contained in SLAs
• The business and IT risks and their management

A Sample List of IS Policies

• Overall ISMS policy
• Access control policy
• Email policy
• Internet policy
• Anti-virus policy
• Information classification policy
• Use of IT assets policy
• Asset disposal policy

The C.I.A. triangle is made up of:
• Confidentiality
• Integrity
• Availability

(Over time the list of characteristics has expanded, but these 3 remain central)

CIA +
• Confidentiality, Integrity, Availability
• + Privacy, Identification, Authentication, Authorization, Accountability

Confidentiality of information ensures that only those with sufficient privileges may access certain information.

To protect confidentiality of information, a number of measures may be used, including:
• Information classification
• Secure document storage
• Application of general security policies
• Education of information custodians & end users

Integrity is the quality or state of being whole, complete, & uncorrupted.

The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state.

Corruption can occur while information is being compiled, stored, or transmitted.

Availability is making information accessible to users, without interference or obstruction, in the required format.

A user in this definition may be either a person or another computer system.

Availability means availability to authorized users.

Privacy

Information is to be used only for purposes known to the data owner.

This does not focus on freedom from observation, but rather that information will be used only in ways known to the owner.

Information systems possess the characteristic of identification when they are able to recognize individual users.

Identification and authentication are essential to establishing the level of access or authorization that an individual is granted.

AAA

Authentication occurs when a control provides proof that a user possesses the identity that he or she claims.

After the identity of a user is authenticated, a process called authorization provides assurance that the user (whether a person or a computer) has been specifically & explicitly authorized by the proper authority to access, update, or delete the contents of an information asset.

The characteristic of accountability exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process.
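The four AAA-related characteristics above (identification, authentication, authorization, accountability) are easiest to see as concrete checks in sequence. The following is an added example, not code from the original slides: the users, passwords and access-control list are constructed sample data, and the small in-memory system is a hypothetical one built only to show where each characteristic lives. Note that the audit log records denied attempts as well as successes, which is what makes accountability useful during review.

```python
"""Added example (not from the original slides): identification,
authentication, authorization and accountability as concrete checks.
All users, passwords and the ACL below are constructed sample data."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the per-user salt makes equal passwords hash differently.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    name: str
    role: str
    salt: bytes
    pw_hash: bytes


@dataclass
class System:
    users: dict = field(default_factory=dict)
    # Authorization data: role -> asset -> set of permitted operations (constructed ACL).
    acl: dict = field(default_factory=dict)
    # Accountability: every decision is appended here, attributed to a named principal.
    audit_log: list = field(default_factory=list)

    def add_user(self, name: str, role: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = User(name, role, salt, _hash_password(password, salt))

    def authenticate(self, name: str, password: str) -> Optional[User]:
        # Identification: the system must be able to recognise the claimed user at all.
        user = self.users.get(name)
        if user is None:
            self.audit_log.append(("auth_failed", name, "unknown user"))
            return None
        # Authentication: proof of the claimed identity, compared in constant time.
        if not hmac.compare_digest(user.pw_hash, _hash_password(password, user.salt)):
            self.audit_log.append(("auth_failed", name, "bad password"))
            return None
        self.audit_log.append(("auth_ok", name, ""))
        return user

    def access(self, user: User, asset: str, op: str) -> bool:
        # Authorization: an explicit grant by role; anything not listed is denied.
        allowed = op in self.acl.get(user.role, {}).get(asset, set())
        outcome = "access_allowed" if allowed else "access_denied"
        self.audit_log.append((outcome, user.name, f"{op} {asset}"))
        return allowed


def demo() -> dict:
    """Run the constructed scenario and return the observable results."""
    s = System()
    s.acl = {
        "clerk": {"payroll": {"read"}},
        "hr_manager": {"payroll": {"read", "update"}},
    }
    s.add_user("alice", "hr_manager", "correct horse")
    s.add_user("bob", "clerk", "battery staple")

    alice = s.authenticate("alice", "correct horse")
    bob = s.authenticate("bob", "battery staple")
    results = {
        "mallory_auth": s.authenticate("mallory", "x") is None,   # unknown identity
        "bob_wrong_pw": s.authenticate("bob", "wrong") is None,   # failed proof
        "alice_update": s.access(alice, "payroll", "update"),     # granted by role
        "bob_update": s.access(bob, "payroll", "update"),         # not granted
        "bob_read": s.access(bob, "payroll", "read"),             # granted
        # Accountability: every entry names the principal, including failures.
        "actors": sorted({entry[1] for entry in s.audit_log}),
        "log": list(s.audit_log),
    }
    return results


if __name__ == "__main__":
    for entry in demo()["log"]:
        print(entry)
```

The design point is that each characteristic is a separate control with its own failure mode: an unknown name fails identification, a wrong password fails authentication, a missing ACL entry fails authorization, and none of those outcomes is lost, because the log is written on every path rather than only on success.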

To review ... CIA +
• Confidentiality
• Integrity
• Availability
• Privacy
• Identification
• Authentication
• Authorization
• Accountability

Think about your home computer.

How do you secure it?

How do you guarantee confidentiality, integrity, & availability?

NSTISSC Security Model

Two well-known approaches to management:
• Traditional management theory, using the principles of planning, organizing, staffing, directing, & controlling (POSDC).
• Popular management theory, grouping the principles of management into planning, organizing, leading, & controlling (POLC).

Planning is the process that develops, creates, & implements strategies for the accomplishment of objectives.

Three levels of planning:
1. Strategic
2. Tactical
3. Operational

In general, planning begins with the strategic plan for the whole organization.

To do this successfully, an organization must thoroughly define its goals & objectives.

Organization: structuring of resources to support the accomplishment of objectives.

Organizing tasks requires determining:
• What is to be done
• In what order
• By whom
• By which methods
• When

Leadership encourages the implementation of the planning and organizing functions, including supervising employee behavior, performance, attendance, & attitude.

Leadership generally addresses the direction and motivation of the human resource.

Control is monitoring progress toward completion & making necessary adjustments to achieve the desired objectives.

The controlling function determines what must be monitored, as well as using specific control tools to gather and evaluate information.

Four categories of control tools:
• Information
• Financial
• Operational
• Behavioral

The Control Process

How to Solve Problems
1. Recognize & define the problem
2. Gather facts & make assumptions
3. Develop possible solutions
4. Analyze & compare possible solutions
5. Select, implement, & evaluate a solution

Feasibility Analyses
• Economic feasibility assesses costs & benefits of a solution
• Technological feasibility assesses an organization’s ability to acquire & manage a solution
• Behavioral feasibility assesses whether members of an organization will support a solution
• Operational feasibility assesses if an organization can integrate a solution

Extended characteristics of infosec, or principles of infosec management (AKA the 6 P’s):
1. Planning
2. Policy
3. Programs
4. Protection
5. People
6. Project Management

1. Planning as part of InfoSec management is an extension of the basic planning model discussed earlier in this chapter.

Included in the InfoSec planning model are activities necessary to support the design, creation, and implementation of information security strategies as they exist within the IT planning environment.

Several types of InfoSec plans exist:
• Incident response
• Business continuity
• Disaster recovery
• Policy
• Personnel
• Technology rollout
• Risk management
• Security program, including education, training, & awareness

2. Policy: set of organizational guidelines that dictates certain behavior within the organization.

In InfoSec, there are 3 general categories of policy:
1. General program policy (Enterprise Security Policy)
2. Issue-specific security policy (ISSP)
3. System-specific security policies (SSSPs)

3. Programs: specific entities managed in the information security domain.

One such entity: security education training & awareness (SETA) program.

Other programs that may emerge include the physical security program, complete with fire, physical access, gates, guards, & so on.

4. Protection: risk management activities, including risk assessment and control, as well as protection mechanisms, technologies, & tools.

Each of these mechanisms represents some aspect of the management of specific controls in the overall information security plan.

5. People are the most critical link in the information security program.

It is imperative that managers continuously recognize the crucial role that people play.

This includes information security personnel and the security of personnel, as well as aspects of the SETA program.

6. Project management discipline should be present throughout all elements of the information security program.

This involves:
• Identifying and controlling the resources applied to the project
• Measuring progress & adjusting the process as progress is made toward the goal

In summation:
• Communities of interest
• CIA+
• Planning, Organizing, Leading, Controlling
• Principles of infosec management (the 6 P’s)