How to gain and maintain ISO 27001 certification
GÉANT SIG ISM 1st Workshop, 2015-05-12, imperial.ac.uk
Urpo Kaila, Head of Security CSC – IT Center for Science ltd. [email protected], [email protected]
Public
Agenda
! Introduction ! Scope and objectives of security ! ISO/ IEC 27001:2013 ! How CSC gained the certification ! Learning from the certification experience ! Ideas for cooperation
2
3
About CSC ! CSC offers IT services for research, higher
education, culture, and government ! CSC provides scientific software and databases
and Finland’s supercomputing environment that researchers can use via the Funet network
! CSC - IT Center for Science Ltd. is a government owned, non-profit company administered by the Ministry of Education and Culture
270 Employees
CSC Services • Computing Services • Research Information Management
Services
• Funet Network Services • Education Management and Student
Administration Services • Identity and Access Management
Services • Datacenter and Capacity Services
(IaaS) • Training Services
• Consultation and Tailored Solutions
• Ministry of Education and Culture • Other ministries and state
administration
• Higher education institutions • Research institutions
• Companies
About myself ! Industry background
– Previously IT Manager – Later Presales manager/ Technical director in an IT security company
! At CSC since 2003 – Previously manager for Internal IT, Datacenters – Information Security Manager – In charge of risk management, information security, operational
security, incidents, security agreements, physical security, cyber security
! Security Officer for the EUDAT project – A Collaborative Data Infrastructure for European researchers to
preserve, find, access, and process data in a trusted environment 5
! Store and exchange data with colleagues and team
! Synchronize multiple versions of data ! Ensure automatic desktop
synchronization of large files
B2DROP is a secure and trusted data exchange service for researchers and scientists to keep their research data synchronized and up-to-date and to exchange with other researchers. An ideal solution to:
Example of EUDAT Services: B2DROP
e-Science Data Factory
A pan European Consortium
a network of collaborating, cooperating centres, combining the richness of numerous community-specific data repositories with the permanence and persistence of some of Europe’s largest scientific data centres
Scope and objectives for security ! Technical approach to security
– Firewalls, vulnerabilities, intrusions, malware,…
! Security management approach – Business objectives, availability, processes, governance
! Narrow but deep scope: Incidents, IT risks,
technology ! Broader scope: people, processes ,business risks,
stakeholders, management 8
What is information security all about? ! Information security is about protecting assets
(systems, data, services and reputation) against risks with security controls
! Assets can be protected to prevail their – Confidentiality – Integrity – Availability
! Information Security: – a building block of quality – implemented by security controls – management accountable but responsibility of all staff
Security vs. usability
10
Usability • The perceived
benefit and quality of a service/product
Security • The direct
or indirect benefits and cost of security controls
Should be in a reasonable balance based on risk management
ISO/ IEC 27001:2013 ! “Cuddle name”: ‘ISO27k’ ! Background: BS7799 ! Update of the standard :2005 - :2013 ! Is the international standard for information
security management systems ! Organisations can apply for certification
covering a scope of it’s activities by an accredited certification body
11
Other standards and best practices ! COBIT ! National security standards
– IT-Grundschutzhandbuch
! ISO/IEC 15408 (Common criteria) ! SCI (Security for Collaborating Infrastructures) ! SANS Best Practices ! TERENA Best Practices ! Industry related regulation (for operators, e.g.) ! Skills oriented certifications: CISSP, GCIH, GCED,
CISM,… 12
ISO 27001 practicalities ! The big global players Google, MS, and
Amazon has also achieved the certification for some of their core functions
! Successful certification requires – Documented management support – An approved Statement of Applicability – Systematic management reviews of your
information security management system (ISMS) – ISMS should be known, in use and documented 13
Why ISO 27001? ! The standard can provide a comprehensive
guidance for your ISMS ! A systematic framework and checklist to
motivate all stakeholders - managament, administrators, all staff, customers, providers – to information security
! A clear indication to all stakeholders of a serious effort to implement comprehensive ISMS
14
ISO27001 Pros and Cons ! ISO 27001 will not guarantee good information security
! True. Also possible to create a compliant but a counter productive ISMS and achieve certification
! ISO 27001 will require excess bureacracy – Depends. It is up to you to define how to comply with
the standard ! Certification is expensive
– Depends. You don’t have to use expensive consultants to create your ISMS. The audits are not that expensive but not free either.
15
ISO27001 Pros and Cons (Contd.) ! Security should not be a management concern
! Wrong.
! ISO 27001 is just about creating policies nobody reads. ! Wrong, the policies and guidelines must be known and
in use to achieve certification
! After achieving certification everything is forgotten ! Wrong. Maintaining certification is often harder than
achieving it – requires continuous improvement
! We are so good that we don’t need standards… ! The ad hoc way is more efficient and secure… 16
The structure of the standard ! Ten high level clauses and Annex A ! New controls in the 2013 version:
A.6.1.5 Information security in project management A.12.6.2 Restrictions on software installation A.14.2.1 Secure development policy A.14.2.5 Secure system engineering principles A.14.2.6 Secure development environment A.14.2.8 System security testing A.15.1.1 Information security policy for supplier relationships A.15.1.3 Information and communication technology supply chain A.16.1.4 Assessment of and decision on information security events A.16.1.5 Response to information security incidents A.17.2.1 Availability of information processing facilities 17
Annex A A.5: Information security policies (2 controls) A.6: Organization of information security (7 controls) A.7: Human resource security – (6 controls) A.8: Asset management (10 controls) A.9: Access control (14 controls) A.10: Cryptography (2 controls) A.11: Physical and environmental security (15 controls) A.12: Operations security (14 controls) A.13: Communications security (7 controls) A.14: System acquisition, development and maintenance (13 controls) A.15: Supplier relationships (5 controls) A.16: Information security incident management (7 controls) A.17: Business continuity management (4 controls) A.18: Compliance; (8 controls) 18
The Audit (1/2) ! Must be preceded by
– Approval of SOA – Internal audits/reviews – (Pre-audit)
! During audit – A systematic enquiry if SOA is compliant with the standard and
implanted comprehensively – Management and staff are interviewed – Auditors gather systematically evidence to verify compliance with the
standard – Verifying skills and security culture also a crucial part of the audit
19
The Audit (2/2)! ! After audit
– Non- compliances þ – Reporting fixes of non-compliances ý – Obtaining certification status ý – Surveillance audits (once p.a.) ý – Re-audits (every third year) ý – Enlarging audit scope?
20
How CSC gained the certification (1/2) ! Attended training on BS7799 in 2004 ! Frustration with insufficient commitment and the
ad hoc approach on security ! Saw risks with over focusing on technical
implementations and with emotional reactions to security hype
! Frustration with non-coherent national security standards
! Began to motivate management to apply for ISO 27001 certification 21
How CSC gained the certification (2/2) ! CSC gained ISO27001 certification for Datacenter Kajaani
on summer 2013 ! Certification scope enlarged to cover all data centers 2014 ! Certification scope enlarged to cover all ICT platforms ! Certification for compliance with the 2013 version of the
standard ! Surveillance certification 2015 with no non-conformities ! New services to be included in next phase
22
23
Learning from the certification experience ! The decision to strive for ISO 27001
certification included some risks but has shown to be very beneficial for CSC
! The certification process helped us to: – Implement a comprehensive ISMS – Motivate management and all staff – Improve security culture and management
! Now the ISO 27001 certifications status is a part of CSC communication package 24
Learning from… (contd.) ! Successful certification requires an active,
experienced and goal oriented manager – Sometimes you must use the word must…
! Certification also requires sensitivity and good listening skills
! At least one sponsor in the management board is necessary
! Certification improved risk management and management commitment a lot 25
Learning from… (contd.) ! The most challenging requirements were in operations
and in developments ! The very core in CSC ISMS is the internal production
catalogue with defined owners ,admins, BCP’s, DRP’s, classifications and review cycles
! The certification has improved a lot trust to CSC services and to CSC as an organisation – NOW we suddenly have very security conscious customers
suggesting huge contract fines for security breaches
! The certification made CSC management look professional and good, also most staff seems to feel that it was a good idea 26
Maintaining certification status ! Often harder than obtaining certification ! After the first phase, people tend to forget to
update guidelines and procedures, new services and people do not always comply
! Good security training and constant awareness campaigns help to keep people motivated
! Regular management reviews must be continued – invest in risk management
! Try to streamline and make your ISMS more agile 27
Would ISO 27001 certification be something for my organisation?
! Start with studying the standard and related literature – The standard requires professional interpretation
! Do an initial gap-analysis in writing ! Sketch an draft version of your SOA
– (contact me for improved templates) ! Do you have or will you get management support? ! Would it help your stakeholders? ! Are you ready to become a less liked person on your organisation at
least for some time (3-10 years)… ! Meet peer organisations on the same path
28
Ideas for further cooperation ! CSC has a long and rewarding history in cooperation
on security – TF-CSIRT, FIRST, (ISC)2, SANS, … – Currently a joint project with Finnish universities for security
compliance and peer audits
! I look forward to share and jointly develop best ISMS practices with our European peer organisations – Cooperatin on service level, on organisational
level and between infrastrucures (GÉANT/EUDAT/..) – Peer reviews? – Liaison with SCI?
! Upcoming EU research project for piloting ISMS… 29
Thank you for your attention! This has of course been a high-level overview, the devil lies in the details. Any comments, criticism and questions are welcome. Lets keep in touch:
• [email protected] • +358-9-457 2253 • LinkedIn (unique name) • Twitter: @utsirp
30
Top Related