ISO 27001 - ISACA Puerto Rico

ISO 27001 Risk Management Approach

Cristóbal López, CISA, CRISC, CISSP, PMP

[email protected]

@clopezdb

Agenda

ISO/IEC 27001 and 27002: Evolution
The ISO 2700x Family (31 Standards)
What is ISO 27001
What is ISO 27005
What is ISO 31000
Relationship between ISO 31000, ISO 27001 and ISO 27005
How using ISO/IEC 27001 can bring ROI benefits (Why?)
Are You Extremely Confident About Your Level of Resilience Against Cyber Hacking?
Initial Assessment
Risk Management
Lessons Learned so Far and Conclusions

ISO/IEC 27001 and 27002: Evolution

Source: British Standards Institution (BSI) “ISO/IEC 27001:2013 Executive Overview 01/30/2014”

The ISO 2700x Family (31 Standards)

Source: British Standards Institution (BSI) “ISO/IEC 27001:2013 Executive Overview 01/30/2014”

Callout on the family slide: ISO 27020:2010 is “Dentistry -- Brackets and tubes for use in orthodontics” (not an information security standard, despite the number).

What is ISO 27001?

ISO 27001 is an international standard that specifies the requirements for an Information Security Management System (ISMS). Because no two organizations are alike, an ISMS is always tailored to the organization's specific security needs.

ISO 27001 was the first standard released in the ISO 27000 series of information security standards. It was first published in October 2005 as ISO 27001:2005 and revised in October 2013 to better accommodate changing information security challenges. The current version is ISO 27001:2013.

Source: Neupart http://www.neupart.com/resources/iso-27001.aspx, 12/8/2014

What is ISO 27001? (cont.)

ISO 27001 is related to ISO 27002, which describes a "code of practice" (essentially an instruction manual) for the security measures an organization can choose to introduce. ISO 27002 was formerly known as ISO 17799, which in turn was based on the British standard BS 7799-1. The current version is ISO 27002:2013.

October 1st, 2015 is the deadline for transitioning from the ISO/IEC 27001:2005 to the ISO/IEC 27001:2013 Information Security Management System standard.

Source: Neupart http://www.neupart.com/resources/iso-27001.aspx, 12/8/2014

What is ISO 27005?

Threat-based risk management guidance
Considered best practice
Well aligned with other risk frameworks
A method to comply with the ISO 27001 risk management requirements

Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014

What is ISO 31000?

ISO 31000 is a family of standards relating to risk management codified by the International Organization for Standardization. The purpose of ISO 31000:2009 is to provide principles and generic guidelines on risk management. ISO 31000 seeks to provide a universally recognized paradigm for practitioners and companies employing risk management processes, to replace the myriad of existing standards, methodologies and paradigms that differed between industries, subject matters and regions.

Source: Wikipedia, http://en.wikipedia.org/wiki/ISO_31000

Relationship between ISO 31000, ISO 27001 and ISO 27005

The figure shows the three as nested layers, from the general to the specific: Enterprise Risk Management (ISO 31000), Information Security Risk Management (ISO 27005), and ISMS Requirements (ISO 27001).

Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014

How using ISO/IEC 27001 can bring ROI

Source: British Standards Institution (BSI) “ISO/IEC 27001:2013 Executive Overview 01/30/2014”

Are You Extremely Confident About Your Level of Resilience Against Cyber Hacking?

A BSI survey of IT decision-makers found cyber security a growing concern, with 56% of UK businesses more concerned than 12 months ago. More than two-thirds attributed this to hackers becoming more skilled and better at targeting businesses.

While 98% of organizations have taken measures to minimize risks to their information security, only 12% are extremely confident about the security measures their organizations have in place to defend against these attacks.

Source: ComputerWeekly.com http://www.computerweekly.com/news/2240235493/BSI-urges-UK-businesses-to-bolster-cyber-Security, November, 2014

Are You Extremely Confident About Your Level of Resilience Against Cyber Hacking? (cont.)

56% of ISO 27001 certified organizations said they were aware of the risk, compared with just 12% of uncertified organizations.

52% of organizations that had implemented ISO 27001 said they were “extremely confident” about their level of resilience against the latest methods of cyber hacking.

The research reveals that businesses that can identify threats are more aware of them.

Source: ComputerWeekly.com http://www.computerweekly.com/news/2240235493/BSI-urges-UK-businesses-to-bolster-cyber-Security, November, 2014

Initial Assessment

Source: British Standards Institution (BSI) ISO/IEC 27001 Information Security Management System – Self-assessment questionnaire (http://www.bsigroup.com/LocalFiles/en-GB/iso-iec-27001/resources/BSI-ISOIEC27001-Assessment-Checklist-UK-EN.pdf)

The questionnaire follows the clause structure of ISO/IEC 27001:2013; each clause is turned into requirements and tasks for the organization.

0 Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the information security management system
4.4 Information security management system
5 Leadership
5.1 Leadership and commitment
5.2 Policy
5.3 Organizational roles, responsibilities and authorities
6 Planning
6.1 Actions to address risks and opportunities
6.1.1 General
6.1.2 Information security risk assessment
6.1.3 Information security risk treatment
6.2 Information security objectives and planning to achieve them
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
7.5.1 General
7.5.2 Creating and updating
7.5.3 Control of documented information
8 Operation
8.1 Operational planning and control
8.2 Information security risk assessment
8.3 Information security risk treatment
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
10 Improvement
10.1 Nonconformity and corrective action
10.2 Continual improvement

6 Planning, 6.1 Actions to address risks and opportunities, 6.1.1 General

Identifying business critical functions: All business critical functions, related processes, systems and owners must be identified and documented.

Risk Management: Our information security risk management processes comply with ISO 27005.

Risk management planning:
Management must ensure that risk management has been planned and implemented in the organization.
Risk management must be planned so that both risks and opportunities are considered.
Risk management activities must be planned in an annual cycle.

Business Impact Assessment:
The consequences of IT system incidents must be assessed continually.
The impact assessment must be updated every year.

Supporting documents and the reference material used for each:
Information Security Policy (NIST SP 800-53, Gartner, SANS templates)
Information Security Program (NIST SP 800-18)
Risk Management Program (NIST SP 800-30, NIST SP 800-39, NIST SP 800-100, COBIT 5, ISACA Risk IT)
Risk Assessment Procedure (NIST SP 800-30, NIST SP 800-100)

Figure: risk assessment program structure (source: Tom Scholtz, Gartner, March 2008). Two assessment tracks are shown: a one-time Stakeholder Concern Risk Assessment and a Periodic Risk Assessment (every 6 months to 1 year) that covers the Vulnerability Assessment and the Probability Assessment. They are applied across Units and Processes (Unit 1, Unit 2, Unit 3; Corporate; Line of Business), General Support Units (IS Unit, Compliance, BC Unit, SD Unit, IT Operations, IT Procurement), ITGC Domains (IS New Dev., Chg Mgmt, Operations, Control Env), Top Management, and the business critical functions, processes and systems. Specific assessments in the figure: Pandemic Risk Assessment, Compliance Risk Assessment, Maturity Risk Assessment and New Product; the methods used are interview and questionnaire, self assessment questionnaire, or both.

Done: Identifying business critical functions: All business critical functions, related processes, systems and owners must be identified and documented. (O = owner)

Processes: Accounting (O: Marilia González); Customer Support (O: Luis Gómez); Service Delivery (O: Gil Lozano); Finance (O: Ramiro Díaz)
Business Systems: ERP System (O: Larry Rodríguez); Dynamics AOS (O: Jesús Rivera)
IT Services: ERP (O: Rodrigo López); Our email service (O: Raquel Medio)
Service Providers: Amazon EC2 – Cloud Infrastructure as a Service (O: Mauricio Jiménez)
Database Systems: ERP DB (O: Matthew Ortiz); Finance DB (O: Daniel Matis)
Virtual Servers: APP-SERVER2 (O: Phillip Free)
Logical Servers: SQL-SERVER1 (O: José Jiménez)
Data Centers: Mayagüez Datacenter (O: Raúl Pineda)


Business Impact Assessment

ISO 27005: estimate the business impact of breaches of C, I and A (confidentiality, integrity, availability).
In financial terms: revenue, cash flow, costs, liabilities.
In non-financial terms: image, non-compliance, competitiveness, service level.

Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014

Business Impact Assessment: Accounting – High Level Business Impact Assessment

Consider the following for the Business Impact Assessment of the Accounting process: reduced revenue or cash flow; increased cost or penalties; damage to reputation or service level; non-compliance or statutory violations.

Level selected (X) per dimension, on the scale Very Low / Low / Medium / High / Very High:

Breach of Confidentiality: Low (X). Only if substantial amounts of information are revealed to unauthorized persons will it have an unacceptable business impact.
Breach of Integrity: Very High (X). Any loss of information or its integrity will have an unacceptable business impact.
Breach of Availability: High (X). An availability loss lasting more than one hour will have an unacceptable business impact.

Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014

Business Impact Assessment: Accounting – Detailed Business Impact Assessment

Estimate the business impact of breaches of confidentiality, integrity and availability:

Business Impact | Breach of Confidentiality | Breach of Integrity | Breach of Availability
Reduced revenue or cash flow | Very Low | Very High | High
Increased cost or penalties | Medium | High | Very High
Damage to reputation or service level | Low | Very High | High
Non-compliance or statutory violations | Very Low | Very High | High

Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014

6 Planning, 6.1 Actions to address risks and opportunities, 6.1.1 General (cont.)

Risk Analysis:
A general risk assessment must be carried out for the company.
A detailed risk assessment must be carried out within the organization in all areas warranted by the general risk assessment.
The company must prepare a detailed risk analysis for all business critical systems.

Supporting documents and the reference material used for each:
Information Security Policy (NIST SP 800-53, Gartner, SANS templates)
Information Security Program (NIST SP 800-18)
Risk Management Program (NIST SP 800-30, NIST SP 800-39, NIST SP 800-100, COBIT 5, ISACA Risk IT)
Threat Catalog
Assets to Threats relationship document


Threat Catalog

Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014

Category | Threat
Asset damage or loss | Fire damage; Water damage; Electromagnetic damage; Damage from natural event
IT operations disruption or integrity loss | Service delivery failure; Maintenance or operations error; Malicious code attack; User error
Asset misuse or disclosure | Information theft; Deliberate misuse; Deliberate disclosure
Work disruption or personnel loss | Personnel turnover; Loss of personnel

Relate Threats to Asset Types

Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014

Assets | Asset Type | Applicable Threats
Accounting | Process | Personnel turnover, Loss of personnel, Work disruption, Facilities contamination
ERP | IT Service | Service delivery failure
ERP System | Business System | User error, Maintenance or operations error, Malicious code attack, Cyberterror attack, Capacity error, Software error, Information theft, Deliberate misuse, Deliberate disclosure, Information leakage
ERP DB | Database System | Information theft, Deliberate misuse, Deliberate disclosure, Information leakage
APP-SERVER2 | Virtual Server | Maintenance or operations error, Malicious code attack, Cyberterror attack, Capacity error, Software error
SQL-SERVER1 | Logical Server | Maintenance or operations error, Malicious code attack, Cyberterror attack, Capacity error, Software error
Mayagüez Data Center | Data Center | Fire damage, Water damage, Electromagnetic damage, Damage from natural event, Major accidental damage, Deliberate destruction, Environmental control failure, Power supply error, Facilities contamination
Amazon EC2 – Cloud Infrastructure as a Service | Service Provider | Service provider failure

Callout: virtual servers cannot burn (at least not the way a data center does), so the physical threats are assigned to the data center asset rather than to the servers.

Risk Management

Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014

Annotations on the risk model figure:
Effect on C, I, A: each threat is assessed for its effect on confidentiality, integrity and availability.
Incident likelihood is different from raw threat likelihood: first consider the preventive measures (the controls applied, giving a residual likelihood) and then estimate the incident likelihood.
Consequence: consider what you have done to avoid being impacted too much (the reactive/corrective controls applied, giving a residual consequence) and then estimate the consequence.
You reduce the likelihood by implementing more preventive measures; you reduce the consequence or impact by implementing more corrective measures.

Vulnerability Assessment for ERP DB

Estimate the maturity and implementation level of controls for the threats listed below. Take the following threats into account: User error; Maintenance or operations error; Malicious code attack; Cyberterror attack; Capacity error; Software error; Information theft; Deliberate misuse; Deliberate disclosure; Information leakage.

Four ratings are recorded per threat. Administrative controls (preventive and corrective) are rated on a maturity scale: Optimized, Managed, Defined, Repeatable, Ad Hoc. Technical controls (preventive and corrective) are rated on an implementation scale: Very Effective, Effective, Implemented, Partially Implemented, Absent. The form shown is filled in for the first threat (User error): Preventive Administrative = Defined, Preventive Technical = Very Effective, Corrective Administrative = Repeatable, Corrective Technical = Effective.

Definitions of the selected levels, as shown on the form:
Defined (administrative): controls aimed at this threat or its potential consequences are based on a formal delegation of responsibilities and have been consistently documented through policies, rules and procedures.
Repeatable (administrative): controls aimed at this threat or its potential consequences are based on an informal but defined delegation of responsibilities as well as an established practice based on experience.
Very Effective (technical): multi-layer systematic technical or physical controls have been implemented to protect against the threat or its potential consequences. The controls are based on recognized best practice and have been professionally evaluated and proven very effective.
Effective (technical): systematic technical or physical controls have been implemented to protect against the threat or its potential consequences. The controls are based on recognized best practice and have been professionally evaluated and proven effective.

Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014

Vulnerability Assessment for ERP DB (completed)

Estimate the maturity and implementation level of controls for the threats listed below.

Threat | Preventive Administrative Controls | Preventive Technical Controls | Corrective Administrative Controls | Corrective Technical Controls
User error | Defined | Very Effective | Repeatable | Effective
Maintenance or operations error | Repeatable | Effective | Ad Hoc | Very Effective
Malicious code attack | Managed | Very Effective | Defined | Implemented
Cyberterror attack | Managed | Effective | Ad Hoc | Very Effective
Capacity error | Repeatable | Very Effective | Defined | Implemented
Software error | Defined | Effective | Ad Hoc | Very Effective
Information theft | Optimized | Effective | Defined | Implemented
Deliberate misuse | Repeatable | Very Effective | Ad Hoc | Effective
Deliberate disclosure | Optimized | Very Effective | Repeatable | Very Effective
Information leakage | Defined | Effective | Defined | Implemented

Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014

Assets: Dependency Hierarchy

Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014

The figure shows the Finance process and everything it depends on, top-down (name – asset type):
Finance – Business Process
ERP – IT Service
Finance DB – Database; Dynamics AOS – Business System
SAN 01 – Data Storage; Server 02 – Virtual Server; Server 01 – Virtual Server
HP DL380 – Hardware unit (one under each virtual server)
Mayagüez – Data Center

Business Processes & IT Services: include only your most important business processes and their primary supporting systems.

Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014

6 Planning, 6.1 Actions to address risks and opportunities, 6.1.3 Information security risk treatment

Risk treatment:
Based on the risk assessment, appropriate information security controls must be implemented.
The chosen information security controls being implemented should be compared to the controls listed in Annex A of the standard to ensure that no necessary controls have been omitted.
A Statement of Applicability must be prepared based on the information security controls that have been selected.
The Statement of Applicability should include the justification for including or excluding controls.

We treat risks using the four options of ISO 27005:
Accept the risk
Reduce the risk by implementing controls
Share the risk
Avoid the risk

ISO 31000 Enterprise Risk Management

Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014

ISO 27001: Not only downside risks

6.1 Actions to address risks and opportunities

Quote from ISO 31000: “Organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. The effect this uncertainty has on an organization’s objectives is ‘risk’.”

Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014

Treating Risks

Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014

Treatment Overview: Accounting Assets

Assets | Asset Type | C | I | A | CR | Treat | Status
Accounting | Process | 27 | 44 | 44 | 41 | Not treated | Not treated
ERP | IT Service | 27 | 44 | 44 | 41 | Not treated | Not treated
ERP DB | Database System | 27 | 44 | 44 | 41 | Not treated | Not treated

(C, I and A are the tool's risk scores for confidentiality, integrity and availability; CR is its overall risk score for the asset. The deck does not show the formula behind the scores.)

Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014

Treatment Overview: Accounting (treatment option selected)

Assets | Asset Type | C | I | A | CR | Treat | Status
Accounting | Process | 27 | 44 | 44 | 41 | Reduce Risk | Not treated
ERP | IT Service | 27 | 44 | 44 | 41 | Not treated | Not treated
ERP DB | Database System | 27 | 44 | 44 | 41 | Not treated | Not treated

Tool text for the “Reduce Risk” option: “The risk level for the linked asset is unacceptable. It has been determined that the best option is to reduce the risk of the asset. This can be accomplished by the implementation of new security products, a change in the usage of the asset, increased network security, authorization management, additional physical and environmental security and outsourcing of the asset to a partner with a higher level of security etc. After the successful completion of this task, the risk assessment of the asset should be updated, so that it reflects the new level.”

Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014

Business Impact Assessment: Accounting – High Level Business Impact Assessment (revised)

Consider the following for the Business Impact Assessment of the Accounting process: reduced revenue or cash flow; increased cost or penalties; damage to reputation or service level; non-compliance or statutory violations.

Level selected (X) per dimension, on the scale Very Low / Low / Medium / High / Very High:

Breach of Confidentiality: Very High (X). Any confidentiality loss will have an unacceptable business impact.
Breach of Integrity: Low (X). Only if substantial amounts of information are lost or erroneous will it have an unacceptable business impact.
Breach of Availability: Medium (X). An availability loss lasting between one and three days may have an unacceptable business impact.

Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014

Treatment Overview: Accounting (after the revised BIA)

Assets | Asset Type | C | I | A | CR | Treat | Status
Accounting | Process | 45 | 17 | 27 | 37 | Reduce Risk | Risk Increased!
ERP | IT Service | 45 | 17 | 27 | 37 | Not treated | Not treated
ERP DB | Database System | 45 | 17 | 27 | 37 | Not treated | Not treated

Raising the confidentiality impact to Very High moved the confidentiality risk score from 27 to 45, and the tool flags the asset “Risk Increased!” even though a treatment option had already been chosen.

Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014
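The scores in the treatment tables come from Neupart's tool, and the deck does not open up how they are derived. As an added example that is not part of the deck or of Neupart's product, the Python below implements the same chain of steps in a minimal form: assets in a dependency hierarchy (a supporting asset inherits the highest C/I/A impact of every business process that depends on it), a threat catalog applied by asset type, likelihood lowered by preventive controls and consequence lowered by corrective controls as in the Risk Management annotations, a treatment option picked against a risk appetite, and a "Risk Increased!" flag when a revised BIA pushes an asset's score up. The 1..25 scale, the formulas, the appetite of 10, the threat-to-CIA mapping and the sample assets are all assumptions; the asset names and the ERP DB control ratings are taken from the deck, but the 27/44/44/41 figures are not reproduced.

```python
"""Added example, not from the deck or Neupart's tool: a minimal ISO 27005-style risk register."""
from dataclasses import dataclass, field

IMPACT = {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}
MATURITY = {"Ad Hoc": 1, "Repeatable": 2, "Defined": 3, "Managed": 4, "Optimized": 5}
IMPLEMENTATION = {"Absent": 1, "Partially Implemented": 2, "Implemented": 3,
                  "Effective": 4, "Very Effective": 5}
RISK_APPETITE = 10  # highest residual score (scale 1..25) accepted untreated; an assumption

# Threat -> (asset types it applies to, C/I/A dimensions it hits). Assumed mapping, deck's names.
THREATS = {
    "Personnel turnover":       ({"Business Process"}, {"A"}),
    "Service delivery failure": ({"IT Service"}, {"A"}),
    "Information theft":        ({"Database System"}, {"C"}),
    "Deliberate misuse":        ({"Database System"}, {"C"}),
    "Malicious code attack":    ({"Virtual Server", "Logical Server"}, {"C", "I", "A"}),
    "Software error":           ({"Virtual Server", "Logical Server"}, {"I", "A"}),
    "Fire damage":              ({"Data Center"}, {"A"}),
    "Service provider failure": ({"Service Provider"}, {"A"}),
}

@dataclass
class Asset:
    name: str
    asset_type: str
    depends_on: list = field(default_factory=list)  # supporting assets one level down
    bia: dict = field(default_factory=dict)          # own C/I/A impact (business processes only)
    controls: dict = field(default_factory=dict)     # threat -> (prev adm, prev tech, corr adm, corr tech)
    last_score: int = -1                             # score from the previous assessment cycle

def propagate_impact(registry):
    """Walk the dependency hierarchy: every supporting asset takes the highest C/I/A impact
    of each business process above it (the process itself keeps its own BIA)."""
    impact = {n: {"C": 1, "I": 1, "A": 1} for n in registry}
    for proc in (a for a in registry.values() if a.bia):
        seen, stack = set(), [proc.name]
        while stack:
            n = stack.pop()
            if n in seen:
                continue
            seen.add(n)
            for d in "CIA":
                impact[n][d] = max(impact[n][d], IMPACT[proc.bia[d]])
            stack.extend(registry[n].depends_on)
    return impact

def threat_risk(asset, threat, impact):
    """Residual likelihood x residual consequence (1..25) for one threat on one asset."""
    _, dims = THREATS[threat]
    prev_adm, prev_tech, corr_adm, corr_tech = asset.controls.get(
        threat, ("Ad Hoc", "Absent", "Ad Hoc", "Absent"))   # nothing recorded = weakest rating
    preventive = (MATURITY[prev_adm] + IMPLEMENTATION[prev_tech]) // 2  # 1..5
    corrective = (MATURITY[corr_adm] + IMPLEMENTATION[corr_tech]) // 2  # 1..5
    likelihood = 6 - preventive                    # preventive controls lower the likelihood
    worst = max(impact[d] for d in dims)           # the threat's worst-hit C/I/A dimension
    consequence = max(1, worst - corrective // 2)  # corrective controls lower the consequence
    return likelihood * consequence

def assess(asset, impact):
    """Asset risk is its worst applicable threat (0 if no catalog threat applies to its type)."""
    return max((threat_risk(asset, t, impact[asset.name]) for t, (types, _) in THREATS.items()
                if asset.asset_type in types), default=0)

def treatment_option(score, asset_type):
    """Three of the four ISO 27005 options; 'avoid' is a business decision left to a human."""
    if score <= RISK_APPETITE:
        return "Accept risk"
    if asset_type == "Service Provider":
        return "Share risk"  # transfer by contract/SLA: you cannot patch someone else's cloud
    return "Reduce risk"     # add preventive or corrective controls, then re-assess

def run_register(registry):
    """One assessment cycle; flags assets whose score rose since the previous cycle."""
    impact, rows = propagate_impact(registry), []
    for asset in registry.values():
        score = assess(asset, impact)
        status = "Risk Increased!" if 0 <= asset.last_score < score else "Not treated"
        asset.last_score = score
        rows.append({"asset": asset.name, "score": score,
                     "treat": treatment_option(score, asset.asset_type), "status": status})
    return rows

def build_registry():
    """Constructed sample using the deck's asset names and its ERP DB control ratings."""
    assets = [
        Asset("Accounting", "Business Process", ["ERP"],
              bia={"C": "Low", "I": "Very High", "A": "High"}),   # the deck's first BIA
        Asset("ERP", "IT Service", ["ERP DB", "APP-SERVER2", "Amazon EC2"]),
        Asset("ERP DB", "Database System", ["SQL-SERVER1"], controls={
            "Information theft": ("Optimized", "Effective", "Defined", "Implemented"),
            "Deliberate misuse": ("Repeatable", "Very Effective", "Ad Hoc", "Effective")}),
        Asset("APP-SERVER2", "Virtual Server", ["Mayagüez Datacenter"], controls={
            "Malicious code attack": ("Managed", "Very Effective", "Defined", "Implemented"),
            "Software error": ("Defined", "Effective", "Ad Hoc", "Very Effective")}),
        Asset("SQL-SERVER1", "Logical Server", ["Mayagüez Datacenter"]),
        Asset("Mayagüez Datacenter", "Data Center"),
        Asset("Amazon EC2", "Service Provider"),
    ]
    return {a.name: a for a in assets}
```

To reproduce the deck's sequence, call `build_registry()`, run `run_register()` once, then set the Accounting asset's `bia` to the revised values (C Very High, I Low, A Medium) and run it again. In the first cycle ERP DB scores 3 (Accept risk) because the Accounting BIA rates confidentiality Low; in the second it scores 12 and is flagged "Risk Increased!" with "Reduce risk", while APP-SERVER2 falls from 12 to 8 because its worst threat, Software error, only touches integrity and availability, which the revised BIA lowered. Amazon EC2 gets "Share risk" in both cycles: the service-provider failure risk is above appetite and the only lever the organization has is the contract.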

Statement of Applicability linked to Risk Treatment

SoA = Statement of Applicability

ISO 27001 steps:
Select treatment options
Determine controls
Check the controls against Annex A
Justify exclusions AND inclusions

The standard is clearly worded that you must determine all necessary controls, e.g. those required by regulations, not only those listed in Annex A.

Source: Neupart IT Risk Management best practice using ISO 27001 & 27005, October, 2014

Lessons Learned so Far and Conclusions

We don’t know what to do with the exceptions (legacy systems that do not support password parameters). Will the ISO certification entity allow space for exceptions? What is the procedure for it?

This also applies to segregation of environments: there are a lot of applications and not all of them have test environments.

We are executing a security program and we are managing risks; why not push harder to get certified?

It’s becoming more critical for service companies to be certified in ISO 27001 to set themselves apart from the competition.

Lessons Learned so Far and Conclusions (cont.)

Be careful with the threat catalog: you will probably need to consider threats that are not in it and update your threat catalog. Remember that not all threats apply to all assets and processes.

If you comply with ISO 27001:2005, most of that work carries over to 27001:2013: the 2013 revision restructured and simplified the standard to help you achieve certification, although the transition still calls for a gap analysis against the new clauses and the revised Annex A.

On February 24, 2014 the Information Technology Services Department (ITS) of the University of Qatar announced in a press release that it had achieved ISO 27001 certification: “The ITS department plans to pursue compliance with the Qatar Government Information Assurance (GIA) policy whose features are considered to have more specific and stringent controls than the international standard”.

Thank You
