ISO 27001Information Security Management

System (ISMS)

Information AssetsInformation is an asset

– like other important business assets, has value to an organisation and consequently needs to be suitably protected.

What is Information? Current Business Plans Future Plans Intellectual Property (Patents, etc) Employee Records Customer Details Business Partners Records Financial Records

What is Information Security? Information Security addresses

– Confidentiality ( C )– Integrity ( I )– Availability (A)

Also involves– Authenticity– Accountability– Non-repudiation– Reliability

Enterprise/Corporate IT Hardware Resources

Information Security Risks• The range of risks exists

• System failures• Denial of service (DOS) attacks• Misuse of resources

• Internet/email /telephone

• Damage of reputation• Espionage• Fraud• Viruses/spy-ware etc• Use of unlicensed software

Layered Security

Security Awareness/Culture Security is everyone’s responsibility All levels of management accountable Everyone should consider in their daily roles

– Attitude (willing/aims/wants/targets)– Knowledge (what to do?)– Skill (how to do?)

Security is integrated into all operations Security performance should be measured

Security Awareness Program Flow

Define

ImplementElicit

Integrate

Employees

Security Awareness Program

Feedback Activities

Company Policy

Benefits of pursuing certification Allows organizations to mitigate the risk of IS breaches Allows organizations to mitigate the impact of IS breaches when

they occur In the event of a security breach, certification should reduce the

penalty imposed by regulators Allows organizations to demonstrate due diligence and due care

– to shareholders, customers and business partners Allows organizations to demonstrate proactive compliance to

legal, regulatory and contractual requirements– as opposed to taking a reactive approach

Provides independent third-party validation of an organization’s ISMS

Structure of 27000 series

27000 Fundamentals & Vocabulary

27001:ISMS

27003 Implementation Guidance

27002 Code of Practice for ISM

27004 Metrics & Measurement

27005

Risk Management

27006 Guidelines on ISMS accreditation

What is ISO 27001? ISO 27001 Part I

– Code of practice for Information Security Management (ISM)

– Best practices, guidance, recommendations for• Confidentiality ( C )• Integrity ( I ) • Availability ( A )

ISO 27001 Part II

– Specification for ISM

ISO 27001 Overview Mandatory Clauses (4 8)– All clauses should be applied, NO exceptions

Annex (Control Objectives and Controls )– 11 Security Domains (A5 A 15)

• Layers of security– 39 Control Objectives

• Statement of desired results or purpose– 133 Controls

• Policies, procedures, practices, software controls and organizational structure

• To provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected

• Exclusions in some controls are possible, if they can be justified???

Difference Between 27001:2000 and 27001:2005 Editions? Annex A

2000 Edition (10 sections) 2005 Edition (11 sections)Security Policy A5 - Security Policy

Security Organisation A6 - Organising Information Security

Asset Classification & Control A7 - Asset Management

Personnel Security A8 - Human Resources Security

Physical & Environmental Security A9 - Physical & Environmental Security

Communications & Operations Management

A10 - Communications & Operations Management

Access Control A11- Access Control

Systems Development & Maintenance A12 - Information Systems Acquisition, Development and Maintenance

A13 - Information Security Incident Management

Business Continuity Management A14 - Business Continuity Management

Compliance A15 - Compliance

ISO 27001 Implementation Steps Decide on the ISMS scope Approach to risk assessment Perform GAP Analysis Selection of controls Statement of Applicability Reviewing and Managing the Risks Ensure management commitment ISMS internal audits Measure effectiveness and performance Update risk treatment plans, procedures and

controls

Plan-Do-Check-Act (PDCA)

The ISO 27001 adopts the “Plan-Do-Check-Act” (PDCA)– Applied to structure all ISMS processes

Plan

Do

Check

Act

PDCA ModelPDCA Model

Plan Establish ISMS

Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving IS to deliver results in accordance with an organization’s overall policies and objectives

DoImplement and operate ISMS

Implement and operate ISMS policy, controls, processes and procedures

CheckMonitor and review ISMS

Asses, and where applicable, measure process performance against ISMS policy, objectives and practical experience and report the results to management for review

ActMaintain and improve ISMS

Take corrective actions, based on the results of the internal audit and management review or other relevant information, to achieve continual improvement of ISMS

ISO 27001 (Requirements) Standard Content Introduction

– Section 0 Scope

– Section 1 Normative references

– Section 2 Terms and definitions

– Section 3 Plan

– Section 4 to plan the establishment of your organization’s ISMS. Do

– Section 5 to implement, operate, and maintain your ISMS. Check

– Sections 6 and 7 to monitor, measure, audit, and review your ISMS. Act

– Section 8 to take corrective and preventive actions to improve your ISMS. Annex A (Clauses A.5 to A.15)

ISO 27001 PDCA Approach Plan:

– Study requirements– Draft an IS Policy– Discuss in IS Forum (committee)– Finalize and approve the policy– Establish implementation procedure– Staff awareness/training

Do:– Implement the policy

Check:– Monitor, measure, & audit the process

Act:– Improve the process

ISMS Scope Business security policy and plans Current business operations requirements Future business plans and requirements Legislative requirements Obligations and responsibilities with regard

to security contained in SLAs The business and IT risks and their

management

A Sample List of IS Policies Overall ISMS policy Access control policy Email policy Internet policy Anti-virus policy Information classification policy Use of IT assets policy Asset disposal policy

The C.I.A. triangle is made up of:

Confidentiality

Integrity

Availability

(Over time the list of characteristics has expanded, but these 3 remain central)

CIA +

Confidentiality

Integrity

Availability

Privacy

Identification

Authentication

Authorization

Accountability

Confidentiality of information ensures that only those with sufficient privileges may

access certain information.

To protect confidentiality of information, a number of measures may be used, including:

Information classification Secure document storage

Application of general security policies Education of information custodians

& end users

Integrity is the quality or state of being whole, complete, & uncorrupted.

The integrity of information is threatenedwhen it is exposed

to corruption, damage, destruction,or other disruption of its authentic state.

Corruption can occurwhile information is being

compiled, stored, or transmitted.

Availability is making informationaccessible to user access

without interference or obstructionin the required format.

A user in this definition may be eithera person

or another computer system.

Availability meansavailability to authorized users.

Privacy

Information is to be usedonly

for purposes known to the data owner.

This does not focuson freedom from observation,

but ratherthat information will be used

onlyin ways known to the owner.

Information systems possessthe characteristic of identification

when they are ableto recognize individual users.

Identification and authenticationare essential to establishing

the level of access or authorizationthat an individual is granted.

AAA

Authentication occurswhen a control provides proof

that a user possessesthe identity that he or she claims.

After the identity of a useris authenticated,

a process called authorizationprovides assurance that the user(whether a person or a computer)

has been specifically & explicitly authorizedby the proper authority

to access, update, or deletethe contents of an information asset.

The characteristic of accountabilityexists when a controlprovides assurance

that every activity undertakencan be attributed

to a named person or automated process.

To review ... CIA +

Confidentiality

Integrity

Availability

Privacy

Identification

Authentication

Authorization

Accountability

Think about your home computer.

How do you secure it?

How do you guaranteeconfidentiality, integrity, & availability?

NSTISSC Security Model

Two well-known approaches to management:

Traditional management theory

using principles ofplanning, organizing, staffing, directing,

& controlling (POSDC).

Popular management theoryusing principles of

management into planning, organizing, leading, & controlling (POLC).

Planning is the process thatdevelops, creates, & implements

strategiesfor the accomplishment of objectives.

Three levels of planning:

1. Strategic2. Tactical

3. Operational

In general,planning begins

with the strategic planfor the whole organization.

To do this successfully,an organization must thoroughly define

its goals & objectives.

Organization:structuring of resources

to supportthe accomplishment of objectives.

Organizing tasks requires determining:

What is to be done In what order

By whom By which methods

When

Leadership encouragesthe implementation

of the planning and organizing functions,including supervising

employee behavior, performance, attendance, & attitude.

Leadership generally addressesthe direction and motivation

of the human resource.

Control is monitoring progresstoward completion

& making necessary adjustmentsto achieve the desired objectives.

Controlling function determineswhat must be monitored as well

using specific control toolsto gather and evaluate information.

Four categories of control tools:

Information

Financial

Operational

Behavioral

The Control Process

How to Solve Problems

Step 1:Recognize & define the problem

Step 2:Gather facts & make assumptions

Step 3: Develop possible solutions

Step 4:Analyze & compare possible solutions

Step 5:Select, implement, & evaluate a solution

Feasibility Analyses

Economic feasibility assessescosts & benefits of a solution

Technological feasibility assessesan organization’s ability

to acquire & manage a solution

Behavioral feasibility assesseswhether members of an organization

will support a solution

Operational feasibility assessesif an organization can integrate a solution

Extended characteristicsor principles

of infosec management (AKA, the 6 P’s)

Planning

Policy

Programs

Protection

People

Project Management

1. Planningas part of InfoSec management

is an extensionof the basic planning model

discussed earlier in this chapter.

Included in the InfoSec planning modelare activities necessary to support

the design, creation, and implementation of information security strategies

as they existwithin the IT planning environment.

Several types of InfoSec plans exist:

Incident response

Business continuity

Disaster recovery

Policy

Personnel

Technology rollout

Risk management

Security program,including education, training, & awareness

2. Policy:set of organizational guidelinesthat dictates certain behavior

within the organization.

In InfoSec, there are3 general categories of policy:

1. General program policy

(Enterprise Security Policy)

2. An issue-specific security policy (ISSP)

3. System-specific policies (SSSPs)

3. Programs:specific entities managed

in the information security domain.

One such entity:security education training & awareness

(SETA)program.

Other programs that may emerge includethe physical security program,

complete with fire, physical access,gates, guards, & so on.

4. Protection:

Risk management activities,including risk assessment and control,

as well as protection mechanisms, technologies, & tools.

Each of these mechanismsrepresents some aspect

of the management of specific controlsin the overall information security plan.

5. Peopleare the most critical link

in the information security program.

It is imperativethat managers continuously recognize

the crucial role that people play.

Includes information security personnel and the security of personnel, as well as

aspects of the SETA program.

6. Project management disciplineshould be present throughout

all elementsof the information security program.

This involves:

Identifying and controllingthe resources applied to the project

Measuring progress& adjusting the process

as progress is made toward the goal

In summation:

Communities of interest

CIA+

Planning, Organizing, Leading, Controlling

Principles of infosec management(the 6 P’s)