
Effective support for GRC with new ISO standards
Anders Carlstedt, Editor ISO/IEC 27002, 27005 & 28008
Partner, Amentor
About Amentor
A Swedish GRC professional services company, founded in 2004, serving leading multinationals and government agencies
- Active members of ISACA and SIS & ISO/IEC
- PCI QSA accredited
- Provides ISO/IEC standards training and certification for professionals, e.g. Lead Auditor, Risk Manager
About the presentation
”Effective support for GRC and security controls with new ISO standards”
Topics
Background
• Governance:
– ”The system by which organizations are directed and controlled.”
(Cadbury 1992 and OECD 1999)
– Corporate governance of IT:
• ”The system by which the current and future use of IT is directed and
controlled.”
• Risk
– ”Effect of uncertainty on objectives”
• Compliance
– (Comply) ”act in accordance with a wish or command: we are
unable to comply with your request.”
Topics
Governance - 27014
• ISO/IEC 27014 - Governance of information security
– ”…provides guidance on concepts and principles for the governance of
information security, by which organisations can evaluate, direct, monitor
and communicate the information security related activities within the
organisation. ”
Governance – COBIT 5
Information Security Governance - 27014
“Evaluate” is the governance process that considers the current and
forecast achievement of security objectives based on current processes
and planned changes, and determines where any adjustments are
required to optimise the achievement of strategic objectives in future.
• To perform the “evaluate” process, the governing body should:
– ensure that business initiatives take into account information security
issues,
– respond to information security performance results, prioritize and
initiate required actions.
• To enable the “evaluate” process, executive management should:
– ensure that information security adequately supports and sustains the
business objectives,
– submit new information security projects with significant impact to the
governing body.
Information Security Governance - 27014
“Direct” is the governance process, by which the governing body gives
direction about the information security objectives and strategy that need to
be implemented. Direction can include changes in resourcing levels,
allocation of resources, prioritisation of activities, and approvals of policies,
material risk acceptance and risk management plans.
• To perform the “direct” process, the governing body should:
– determine the organisation’s risk appetite,
– approve the information security strategy and policy,
– allocate adequate investment and resources.
• To enable the “direct” process, executive management should:
– develop and implement information security strategy and policy,
– align information security objectives with business objectives,
– promote a positive information security culture.
Information Security Governance - 27014
“Monitor” is the governance process that enables the governing body to
assess the achievement of strategic objectives.
• To perform the “monitor” process, the governing body should:
– assess the effectiveness of information security management activities,
– ensure conformance with internal and external requirements,
– consider the changing business, legal and regulatory environment and their
potential impact on information risk.
• To enable the “monitor” process, executive management should:
– select appropriate performance metrics from a business perspective,
– provide feedback on information security performance results to the
governing body including performance of action previously identified by
governing body and their impacts on the organisation,
– alert the governing body of new developments affecting information risks and
information security.
Information Security Governance - 27014
“Communicate” is the bi-directional governance process by which the
governing body and stakeholders exchange information about
information security, appropriate to their specific needs.
• To perform the “communicate” process, the governing body should:
– report to external stakeholders that the organisation practices a level of
information security commensurate with the nature of its business,
– notify executive management of the results of any external reviews that have
identified information security issues, and request corrective actions,
– recognize regulatory obligations, stakeholders’ expectations, and business
needs with regard to information security.
• To enable the “communicate” process, executive management
should:
– advise the governing body of any matters that require its attention and,
possibly, decision,
– instruct relevant stakeholders on detailed actions to be taken in support of the
governing body’s directives and decisions.
Information Security Governance - 27014
“Assure” is the governance process by which the governing body
commissions independent and objective audits, reviews or certifications.
These will identify and validate the objectives and actions related to
carrying out governance activities and conducting operations in order to
attain the desired level of information security.
• To perform the “assure” process, the governing body should:
– commission independent and objective opinions of how it is complying
with its accountability for the desired level of information security.
• To enable the “assure” process, executive management should:
– support the audits, reviews or certifications commissioned by the governing
body.
Information Security Governance - 27014
• Principle 1: Establish organisation-wide information security
• Principle 2: Adopt a risk-based approach
• Principle 3: Set the direction of investment decisions
• Principle 4: Ensure conformance with internal and external
requirements
• Principle 5: Foster a security-positive environment
• Principle 6: Review performance in relation to business
outcomes
Topics
Risk - 27005
• ISO/IEC 27005 - Information security risk management
– ”…contains a description of the process for information security risk
management and the activities it comprises.”
Risk - 27005
• A general overview of the information security risk management
process is given in Clause 6.
– Context establishment in Clause 7,
– Risk assessment in Clause 8,
– Risk treatment in Clause 9,
– Risk acceptance in Clause 10,
– Risk communication in Clause 11,
– Risk monitoring and review in Clause 12.
Risk – 31000 vs. 27005
Risk - 27005
• Further information on information security risk management
activities is presented in the annexes.
– Context establishment is supported by Annex A (Defining the scope
and boundaries of the information security risk management
process).
– Identification and valuation of assets and impact assessment are
discussed in Annex B (Examples of asset identification), Annex C
(Examples of typical threats) and Annex D (Vulnerabilities and methods
for vulnerability assessment).
– Examples of approaches to information security risk assessment
are presented in Annex E.
– Constraints for risk reduction are presented in Annex F.
– Differences in definitions between SS-ISO/IEC 27005:2008 and SS-ISO/IEC 27005:2012 are set out in Annex G!
Topics
Compliance - 27008
• ISO/IEC 27008 - Guidance on security controls for auditors
– ”…provides guidance on reviewing the implementation and operation of
security controls, including technical compliance checking of security
controls in the system environment, against an organisation’s established
information security standards.”
Compliance - 27008
• Structure and content:
– …a description of the review process for security controls,
including technical compliance checking.
– Background information is found in Clause 5.
– Clause 6 gives an overview of reviews of security controls.
– The review methods are presented in Clause 7.
– The review activities in Clause 8.
– Technical compliance checking is found in Annex A.
– Support for initial information gathering is found in Annex B.
Compliance - 27008
Topics
Summary
Key Security Governance Responsibilities
Corporate Governance
– Shareholder value from security investments
– Minimize and manage risks
Information Security Governance
– Plan and execute strategy to deliver business security and shareholder value
– Minimize and manage risks
Information Security Management
– Deliver ISMS
– Deliver security solutions
– Operate security capabilities
Summary
Centralized vs. decentralized security organisation
Centralized – advantages:
– Functional leadership
– Enterprise perspective
– Scale economies
– Control of standards
– Critical mass of skills
– Pooled experience
– Synergy
Centralized – disadvantages:
– Less responsive to end users
– No BU ownership
– No BU cost control
– Does not meet everyone’s needs
Decentralized – advantages:
– Users control priorities
– BU ownership
– Responsiveness to needs
Decentralized – disadvantages:
– Potentially more costly
– Variable security competencies
– Wheel reinvention
– No synergy
Summary
• Tougher requirements for effective corporate governance and internal control
• By integrating the new ”Governance” requirements with the company’s
existing management system, the organisation creates a flexible
platform and is ready for new adaptations in the future.
• The forthcoming ISO/IEC 27014 ”ISG” will clarify the link between
IT Governance – Information Security Governance – and the
Information Security Management System (”ISMS”)
• ISO/IEC 27005 gives clear guidance and support for managing
information security risks
• ISO/IEC 27008 gives guidance both for setting requirements ahead of
any procurement of, and before/during/after the performance of,
audits
Thank you
[email protected]