Slide 1

Slide 1 text

Information Security Strategic Management Marcelo Martins exploitedbunker.com

Slide 2

Slide 2 text

Agenda §  Overview §  Risk-based prioritization §  Roles and responsibilities §  Framework §  Monitoring and Measurement §  Challenges §  Resources §  Certification

Slide 3

Slide 3 text

Overview
Information Security Management
§  A continuous effort, at reasonable cost, to...
§  Protect information assets
§  Satisfy regulatory requirements
§  Reduce risks and legal exposure
§  Support business functions
§  Information security is usually seen as an impediment to getting the work done
§  Compliance helps to boost security
§  But compliance ≠ security

Slide 4

Slide 4 text

Overview
§  Compliance isn’t security. Why?
§  Depends on certification scope
  ¨  Physical environments
  ¨  Processes
§  Depends on relationship with other business areas/partners
§  Depends on business threats
  ¨  Different regulation for different threats, e.g.: PCI-DSS and HITECH

Slide 5

Slide 5 text

Overview
§  Compliance isn’t security. Why?
§  BS ISO/IEC 27001:2013
  ¨  “This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.”
  ¨  “Compliance with a British Standard cannot confer immunity from legal obligations.”

Slide 6

Slide 6 text

Overview
§  Additional reading
§  Compliance isn’t security
  ¨  “According to the 2012 "HIMSS Analytics Report: Security of Patient Data," increasingly strict regulation and increased compliance from providers haven't slowed an increase in breaches over the past six years.”
  ¨  http://www.csoonline.com/article/704577/compliance-isn-t-security-but-companies-still-pretend-it-is-according-to-survey

Slide 7

Slide 7 text

Overview
§  Additional reading
§  Compliance isn’t security
  ¨  “Yet, respondents to the survey, which included CIOs, compliance officers and HIMs, expressed confidence that they are better prepared for attempted data theft -- in spite of evidence to the contrary -- because they are in better compliance with regulations like the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.”
  ¨  “The results of that are predictable. The number of organizations reporting breaches went from 13 percent in 2008 to 19 percent in 2010 to 27 percent in the past year [2011].”

Slide 8

Slide 8 text

Overview
§  Additional reading
§  Compliance isn’t security
  ¨  “But, the survey did [find] some organizational flaws as well, specifically in confusion over who is really responsible for data security. The respondents' answers ranged through CIO, CSO, CEO, HIM and chief compliance officer.”
CSO: Chief Security Officer; HIM: Health Information Management

Slide 9

Slide 9 text

Are we pessimistic enough?

Slide 10

Slide 10 text

The Pessimist CSO
§  The new hat: the Pessimist CSO
§  You should assume that
  ¨  Your technology won’t help you
  ¨  Your users will go behind your back
  ¨  You are the next target

Slide 11

Slide 11 text

The Pessimist CSO
§  Pessimism vs. optimism
§  Abigail Hazlett, PhD., Social Psychology, Northwestern University
  ¨  Thesis: “Hoping for the Best or Preparing for the Worst? Regulatory Focus and Preferences for Optimism and Pessimism in Predicting Personal Outcomes”
  ¨  http://psychcentral.com/blog/archives/2011/03/17/pessimism-vs-optimism/

Slide 12

Slide 12 text

The Pessimist CSO
§  Pessimism vs. optimism
§  Abigail Hazlett, PhD.
  ¨  “To cope with this unpredictability some of us choose to think optimistically because it helps motivate us to try, try again. For others a pessimistic mindset performs the same function. By thinking about what might go wrong it helps protect us against when things do go wrong.”
  ¨  “In two initial studies optimists were found to have a ‘promotion focus’. In other words they preferred to think about how they could advance and grow. Pessimists, meanwhile, were more preoccupied with security and safety.”

Slide 13

Slide 13 text

The Pessimist CSO
§  Pessimists Make Better Leaders
  ¨  Psychology Today: “Having realistic expectations may actually be a recipe for happiness”
  ¨  Wikipedia: “Pessimism is a state of mind in which one anticipates negative outcomes...”
§  The Uses and Abuses of Optimism and Pessimism
  ¨  http://www.psychologytoday.com/articles/201110/the-uses-and-abuses-optimism-and-pessimism
  ¨  Ctrl+F: “And pessimism?”

Slide 14

Slide 14 text

The Pessimist CSO
§  Pessimists Make Better Leaders
§  The Uses and Abuses of Optimism and Pessimism
  ¨  “And pessimism? When is it useful? Surprisingly, it can be most helpful at the moments when we might seem to have the least to feel pessimistic about. When we've been successful before and have a realistic expectation of being successful again, we may be lulled into laziness and overconfidence. Pessimism can give us the push that we need to try our best. This phenomenon, known as "defensive pessimism," involves imagining all the things that might go wrong in the future. It spurs us to take action to head off the potential catastrophes we conjure and prevent them from happening. (…)”

Slide 15

Slide 15 text

The Pessimist CSO

Slide 16

Slide 16 text

The Pessimist CSO It’s just a matter of point of view

Slide 17

Slide 17 text

Agenda §  Overview §  Risk-based prioritization §  Roles and responsibilities §  Framework §  Monitoring and Measurement §  Challenges §  Resources §  Certification

Slide 18

Slide 18 text

Risk-based prioritization
§  Risk/reward equation
§  Estimate your reward
§  Estimate the risks involved
§  Determine your risk appetite
§  Define roles and responsibilities
§  Build a Risk Assumption Model
§  Make Risk Management a business process

Slide 19

Slide 19 text

Risk-based prioritization
[Figure: Risk Quantification, built from Loss Expectancy, Control Cost and Exposure Factor]

Slide 20

Slide 20 text

Risk-based prioritization
§  EF (Exposure Factor)
  ¨  EF is the percentage of the asset affected by a single occurrence of the incident; it is used when the asset sustains damage.
  ¨  For example, in case of fire it is possible to estimate that 90% of the asset will be destroyed. In this case, EF is 90% (0.9).
§  SLE (Single Loss Expectancy)
  ¨  SLE is the expected loss when a risk materializes with business impact.
  ¨  Depending on the threat, EF may not be taken into consideration.

SLE = Financial value of the asset × EF
or
SLE = Loss caused by the threat

Slide 21

Slide 21 text

Risk-based prioritization
§  ARO (Annualized Rate of Occurrence)
  ¨  ARO is the number of occurrences of a security incident in a given period (usually a year, as the name implies).
§  ALE (Annualized Loss Expectancy)
  ¨  ALE is the loss caused by a single occurrence times the number of occurrences in a one-year period.

ARO = Number of occurrences / evaluated period (in years)
ALE = SLE × ARO
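The EF/SLE/ARO/ALE formulas on the last two slides become useful when they are used to compare a control's annual cost against the loss it prevents. The following is an added example, not code from the deck or its author: it implements the slides' formulas, including the case where EF does not apply and a direct loss per occurrence is used instead, and adds a net-benefit figure (ALE before − ALE after − annual control cost) to show how the numbers drive prioritization. The scenarios, asset values, counts and control costs are constructed for illustration; the fire scenario reuses the slide's EF of 0.9.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass
class Scenario:
    """One risk scenario, using the slide's terms (all values are constructed)."""
    name: str
    asset_value: float                   # financial value of the asset
    ef: Optional[float] = None           # Exposure Factor, 0..1; None when EF does not apply
    direct_loss: Optional[float] = None  # loss caused by the threat when EF does not apply
    occurrences: float = 0.0             # incidents counted in the evaluated period
    period_years: float = 1.0            # length of the evaluated period, in years


def single_loss_expectancy(s: Scenario) -> float:
    """SLE = asset value x EF, or the direct loss caused by the threat."""
    if s.ef is not None:
        if not 0.0 <= s.ef <= 1.0:
            raise ValueError(f"{s.name}: EF must be between 0 and 1, got {s.ef}")
        return s.asset_value * s.ef
    if s.direct_loss is not None:
        return s.direct_loss
    raise ValueError(f"{s.name}: give either an EF or a direct loss")


def annualized_rate_of_occurrence(s: Scenario) -> float:
    """ARO = number of occurrences / evaluated period (in years)."""
    if s.period_years <= 0:
        raise ValueError(f"{s.name}: evaluated period must be positive")
    return s.occurrences / s.period_years


def annualized_loss_expectancy(s: Scenario) -> float:
    """ALE = SLE x ARO."""
    return single_loss_expectancy(s) * annualized_rate_of_occurrence(s)


@dataclass
class Control:
    """A candidate control and the residual scenario it leaves behind (constructed)."""
    name: str
    annual_cost: float
    ef_after: Optional[float] = None           # new EF if the control limits damage
    occurrences_after: Optional[float] = None  # new count if the control reduces frequency


def net_annual_benefit(s: Scenario, c: Control) -> float:
    """Annual value of a control: ALE before - ALE after - annual control cost.
    A negative result means the control costs more than the loss it prevents."""
    residual = replace(
        s,
        ef=c.ef_after if c.ef_after is not None else s.ef,
        occurrences=c.occurrences_after if c.occurrences_after is not None else s.occurrences,
    )
    return annualized_loss_expectancy(s) - annualized_loss_expectancy(residual) - c.annual_cost


# Constructed sample: the slide's fire example (EF 0.9), observed once in 25 years.
FIRE = Scenario("Fire in server room", asset_value=500_000, ef=0.9,
                occurrences=1, period_years=25)
# A threat where EF does not apply: a known per-incident loss instead (constructed).
PHISHING = Scenario("Phishing wire fraud", asset_value=0, direct_loss=20_000,
                    occurrences=3, period_years=2)
SPRINKLERS = Control("Sprinkler system", annual_cost=5_000, ef_after=0.2)
GOLD_PLATING = Control("Oversized suppression contract", annual_cost=20_000, ef_after=0.2)

if __name__ == "__main__":
    for s in (FIRE, PHISHING):
        print(f"{s.name}: SLE={single_loss_expectancy(s):,.0f} "
              f"ARO={annualized_rate_of_occurrence(s):.2f} "
              f"ALE={annualized_loss_expectancy(s):,.0f}")
    for c in (SPRINKLERS, GOLD_PLATING):
        print(f"{c.name}: net annual benefit = {net_annual_benefit(FIRE, c):,.0f}")
```

With these inputs the fire scenario has SLE 450,000, ARO 0.04 and ALE 18,000; the sprinkler control leaves an ALE of 4,000 and is worth 9,000 a year, while the same risk reduction bought at 20,000 a year has a negative net benefit and would be a candidate for explicit risk acceptance rather than spend.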

Slide 22

Slide 22 text

Risk-based prioritization
§  BIA (Business Impact Analysis)
§  Determine critical processes
  ¨  Determine the critical business processes, the impact of their disruption and the estimated unavailability, which shall reflect the Maximum Tolerable Downtime (MTD) for the mission of the Organization
§  Identify necessary resources
  ¨  Resources necessary to restart operations, including environment, personnel, equipment, software, information, etc.
§  Identify recovery priorities
  ¨  Resources shall be related to business processes, and priority levels may be established for recovery

Slide 23

Slide 23 text

Risk-based prioritization
[Figure: assets mapped to the process or system they support and to the business objective served; examples shown: Billing, e-Commerce, Email]

Slide 24

Slide 24 text

Risk-based prioritization
[Figure: risk bands: Acceptable Risk, Controllable Risk, Unacceptable Risk]

Slide 25

Slide 25 text

Risk-based prioritization

“There are known knowns; there are things we know that we know. There are known unknowns; that is to say, there are things that we now know we don't know. But there are also unknown unknowns – there are things we do not know we don’t know. (…) it is the latter category that tend to be the difficult ones.”
— Donald Rumsfeld, United States Secretary of Defense, 12.02.2002

“It ain’t what you don’t know that gets you into trouble. It’s what you know for sure that just ain’t so.”
— Mark Twain

Slide 26

Slide 26 text

Risk-based prioritization
[Figure: Knowledge vs. Questions quadrant with the areas Known knowns, Known unknowns, Unknown unknowns and “You know, but that just ain’t so”; Absolute truth marked as the reference point]

Slide 27

Slide 27 text

Risk-based prioritization
[Figure: Risk Assumption Model (example). Impact scale: Insignificant, Minor, Major, Disastrous. Likelihood scale: Insignificant, Unlikely, Likely, Almost Certain. Acceptance authority grows with the rating: Department, Business Unit, Executive leadership. Example risks plotted: PII disclosed, Rogue WiFi, Website defacement, Server unavailable, Missing contractual clauses]
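A Risk Assumption Model is only useful if it answers two questions for every risk: how bad is it, and who is allowed to accept it. The following is an added example, not code from the deck or its author: it scores each risk on the slide's impact and likelihood scales, maps the score to the Acceptable / Controllable / Unacceptable bands of slide 24 and to the management level that may accept it, and returns the register as a prioritized work list. The numeric weights, the band thresholds and the placement of the slide's example risks on the grid are assumptions made for illustration.

```python
from dataclasses import dataclass

# Ordinal scales from the slide; the numeric weights are an assumption.
IMPACT = {"Insignificant": 1, "Minor": 2, "Major": 3, "Disastrous": 4}
LIKELIHOOD = {"Insignificant": 1, "Unlikely": 2, "Likely": 3, "Almost Certain": 4}

# Score bands: rating (slide 24) and the level allowed to accept the risk.
# Upper bounds are inclusive and assumed; an organisation sets its own.
BANDS = (
    (3, "Acceptable", "Department"),
    (8, "Controllable", "Business Unit"),
    (16, "Unacceptable", "Executive leadership"),
)


@dataclass(frozen=True)
class Risk:
    name: str
    impact: str
    likelihood: str


@dataclass(frozen=True)
class Rated:
    name: str
    score: int
    rating: str
    accepted_by: str


def score(risk: Risk) -> int:
    """Impact x likelihood on the model's ordinal scales; rejects unknown levels."""
    try:
        return IMPACT[risk.impact] * LIKELIHOOD[risk.likelihood]
    except KeyError as exc:
        raise ValueError(f"{risk.name}: unknown level {exc.args[0]!r}") from None


def rate(risk: Risk) -> Rated:
    """Place the score in the first band whose upper bound it does not exceed."""
    s = score(risk)
    for upper, rating, authority in BANDS:
        if s <= upper:
            return Rated(risk.name, s, rating, authority)
    raise AssertionError("unreachable: score exceeds the top band")


def prioritize(risks):
    """Highest score first so the register reads as a work list; ties keep input order."""
    return sorted((rate(r) for r in risks), key=lambda x: -x.score)


# Constructed placements for the slide's example risks (grid positions are assumed).
REGISTER = [
    Risk("PII disclosed", "Disastrous", "Likely"),
    Risk("Rogue WiFi", "Minor", "Likely"),
    Risk("Website defacement", "Major", "Unlikely"),
    Risk("Server unavailable", "Major", "Almost Certain"),
    Risk("Missing contractual clauses", "Minor", "Insignificant"),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.score:>2}  {r.rating:<12} {r.accepted_by:<20} {r.name}")
```

Two design points matter in practice: unknown scale values raise instead of silently scoring zero, so a typo in the register cannot make a risk disappear from the list, and the acceptance authority is derived from the score rather than chosen by whoever files the risk, which is what makes the model a control on risk acceptance rather than a reporting format.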

Slide 28

Slide 28 text

Agenda §  Overview §  Risk-based prioritization §  Roles and responsibilities §  Framework §  Measurement §  Challenges §  Resources §  Certification

Slide 29

Slide 29 text

Roles and responsibilities
§  Have the right mix of people on your team
§  Members of the core security team
  ¨  Need to have a risk/reward frame of mind
  ¨  An exceptional set of skills
  ¨  Be good at risk assessments
  ¨  Understand the business and its processes
  ¨  Should be able to partner with the business, offer alternatives and speak to issues beyond those associated with security
§  They are not easy to find
  ¨  It’s usually a matter of training them, and mentoring is often the best way to go about it
§  Choosing the wrong people can cost a lot
  ¨  They can take an inordinate amount of time to do the work;
  ¨  Or at worst, cause you to redo their work

Slide 30

Slide 30 text

Roles and responsibilities §  “Information security is rarely a part of general management expertise or education.” §  “(…) it may be useful to make an effort to educate senior management in the areas of regulatory compliance and the organization's dependence on its information assets. It may also be useful to document risks and potential impacts faced by the organization, making sure senior management is informed of the results and finds them acceptable.” ISACA CISM Review Manual 2009, Section 4.5

Slide 31

Slide 31 text

Roles and responsibilities
§  Information Security Manager
§  Board of Directors
§  Executive Management
§  Steering Committee
§  IT Unit
§  Business Unit Managers
§  HR
§  Legal

Slide 32

Slide 32 text

Roles and responsibilities
§  Information Security Manager
§  Develop the program
  ¨  A security strategy with senior management acceptance and support
  ¨  A security strategy intrinsically linked with business objectives
  ¨  Security policies that are complete and consistent with strategy
  ¨  Clear assignment of roles and responsibilities
  ¨  Information assets that have been identified and classified by criticality and sensitivity
  ¨  Tested functional, incident and emergency response capabilities
  ¨  Tested business continuity/disaster recovery plans
  ¨  Appropriate security approval in change management processes
  ¨  …

Slide 33

Slide 33 text

Roles and responsibilities
§  Information Security Manager
§  Responsibilities
  ¨  Develop and manage the security program
  ¨  Educate and direct senior management
  ¨  Be familiar with the standards (e.g.: ISO 27000 family)
  ¨  Have knowledge of risk management
  ¨  Take into consideration several different technologies
  ¨  Maintain relationships with other groups
§  ISO/IEC 27001:2013
  ¨  A.6.1.1 Information security roles and responsibilities: All information security responsibilities shall be defined and allocated

Slide 34

Slide 34 text

Roles and responsibilities
[Figure: Information Security Management overlapping with Incident Response activities, Business Continuity Management and Risk Management]

Slide 35

Slide 35 text

Roles and responsibilities
§  Information Security Manager
§  Responsibilities
  ¨  The information security manager should clearly define the roles, responsibilities, scope and activities of the information security steering committee. -- ISACA CISM Manual 2009

Slide 36

Slide 36 text

Roles and responsibilities
[Figure: the Information Security Manager positioned between the Steering Committee, Senior Management and the Security Stakeholders]

Slide 37

Slide 37 text

Roles and responsibilities
Information Security Manager activities across Strategy, Policy, Awareness, Implementation, Monitoring and Compliance (Source: ISACA CISM Manual):
§  Information Security Manager writes and publishes
§  Information Security Manager conducts classes and publishes announcements
§  Information Security Manager monitors industry practices and makes recommendations
§  Information Security Manager is the point of escalation for issues that may require investigation
§  Information Security Manager reviews critical configuration on a periodic basis, and maintains metrics on security configuration and logs of user activities
§  Information Security Manager contributes to secure architecture, design and engineering strategy

Slide 38

Slide 38 text

Roles and responsibilities
[Figure 2 – Governance process of information security (Source: ISO/IEC 27014:2013): the Governing Body directs Executive Management (Information Security Management) through strategy and policy, evaluates its proposals and monitors its performance, and assures and communicates with External Stakeholders]

Slide 39

Slide 39 text

Roles and responsibilities
§  IS Manager, managerial skills
  ¨  Budget and financial management
  ¨  Licensing (annuity)
  ¨  Training (budget surplus)
  ¨  Team management
  ¨  Project and program management
  ¨  Operation and services management
  ¨  Metrics implementation
  ¨  IT life cycle management

Slide 40

Slide 40 text

Roles and responsibilities
§  Board of Directors
§  Responsibilities
  ¨  Knowledge of information assets and their criticality to the business (through Risk Analysis and Business Impact Analysis)
  ¨  Definition/validation of key assets that must be protected
  ¨  SOX: audit committee for financial controls
  ¨  Leadership through information security examples
  ¨  Integration and cooperation with business process owners

Slide 41

Slide 41 text

Roles and responsibilities
§  Executive Management
§  Responsibilities
  ¨  Secure the necessary funds for IS-related activities
  ¨  Determine the level of involvement in information security (called tone at the top; it is reflected in the organization culture) and how risk management will permeate business processes, a non-official indicator
  ¨  Receives guidance from the Information Security Manager
§  ISO/IEC 27001:2013
  ¨  A.5.1 Management direction for information security
  ¨  To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

Slide 42

Slide 42 text

Roles and responsibilities
§  Executive Management: Tone at the top
§  ISO/IEC 27001:2013
§  5.1 Leadership and commitment
  ¨  Top management shall demonstrate leadership and commitment with respect to the information security management system
§  5.3 Organization roles, responsibilities and authorities
  ¨  Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated.

Slide 43

Slide 43 text

Roles and responsibilities
§  Executive Management
§  ISO/IEC 27001:2013
§  A.5.1.1 Policies for information security
  ¨  A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.
§  ISO/IEC 27005:2011
§  Section 6, page 9
  ¨  The risk acceptance activity has to ensure residual risks are explicitly accepted by the managers of the organization. This is especially important in a situation where the implementation of controls is omitted or postponed, e.g. due to cost.

Slide 44

Slide 44 text

Roles and responsibilities
§  Executive Management
§  ISO/IEC 27014:2013 — Information technology — Security techniques — Governance of information security
§  Section 5.3.3 Direct
  ¨  “Direct” is the governance process by which the governing body gives direction about the information security objectives and strategy that need to be implemented.
  ¨  To accomplish the “Direct” process, the governing body should:
    ¨  determine the organisation’s risk appetite,
    ¨  approve the information security strategy and policy,
    ¨  allocate adequate investment and resources.
  ¨  To accomplish the “Direct” process, executive management should:
    ¨  develop and implement information security strategy and policy,
    ¨  align information security objectives with business objectives,
    ¨  promote a positive information security culture.

Slide 45

Slide 45 text

Roles and responsibilities
§  Steering Committee
§  Responsibilities
  ¨  Make sure all stakeholders are involved
  ¨  Consensus when defining priorities and tackling risks
  ¨  Communication and alignment of security with business objectives
  ¨  Roles and responsibilities assigned by the Information Security Manager, to avoid extra topics

Slide 46

Slide 46 text

Roles and responsibilities
§  Steering Committee
§  ISO/IEC 27005:2011
§  Section 7.2.4, page 11
  ¨  Risk acceptance criteria may differ according to how long the risk is expected to exist, e.g. the risk may be associated with a temporary or short term activity. Risk acceptance criteria should be set up considering the following:
    ¨  Business criteria
    ¨  Legal and regulatory aspects
    ¨  Operations
    ¨  Technology
    ¨  Finance
    ¨  Social and humanitarian factors

Slide 47

Slide 47 text

Roles and responsibilities
§  Steering Committee
§  ISO/IEC 27005:2011
§  B.1.1 The identification of primary assets
  ¨  To describe the scope more accurately, this activity consists in identifying the primary assets (business processes and activities, information). This identification is carried out by a mixed work group representative of the process (managers, information systems specialists and users).

Slide 48

Slide 48 text

Roles and responsibilities
§  IT Unit
  ¨  The Information Security Manager should develop a good relationship with IT
  ¨  The Information Security Manager shall comply with IS standards while still pursuing performance and efficiency (IT)
  ¨  There should be privilege segregation between IT and IS
  ¨  Usually, IT designs, implements and operates security controls (IT Security)

Slide 49

Slide 49 text

Roles and responsibilities
§  Business Unit Managers
§  Responsibilities
  ¨  Implement business operations according to information security requirements
  ¨  Escalate security incidents
  ¨  Shall be members of the Steering Committee
  ¨  Make sure IS requirements are taken into consideration from the beginning of product development
§  Relationship
  ¨  The Information Security Manager should keep in touch with Business Unit Managers to make sure IS is involved in product development

Slide 50

Slide 50 text

Roles and responsibilities
§  Human Resources
§  Responsibilities
  ¨  Run educational programmes
  ¨  Propagate security policies
§  Relationship
  ¨  The IS Manager should keep in touch with HR (and Legal) and get them involved in cases of employee monitoring and suspected resource abuse
§  ISO/IEC 27001:2013
§  A.7.2.2 Information security awareness, education and training
  ¨  Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.

Slide 51

Slide 51 text

Roles and responsibilities
§  Human Resources
§  ISO/IEC 27001:2013
§  A.7 Human resources security
  ¨  A.7.1 Prior to employment
  ¨  A.7.2 During employment
  ¨  A.7.3 Termination or change of employment

Slide 52

Slide 52 text

Roles and responsibilities
§  Legal
  ¨  Shall be represented in the Steering Committee
  ¨  Shall be contacted when compliance, liability, corporate responsibility or due diligence is involved

Slide 53

Slide 53 text

Roles and responsibilities
§  ISO/IEC 27010:2015 - Information security management for inter-sector and inter-organizational communications
§  Section 4.1, Introduction
  ¨  ISO/IEC 27002:2013 defines controls that cover the exchange of information between organizations on a bilateral basis, and also controls for the general distribution of publicly available information. However, in some circumstances there exists a need to share information within a community of organizations where the information is sensitive in some way and cannot be made publicly available other than to members of the community.

Slide 54

Slide 54 text

Agenda §  Overview §  Risk-based prioritization §  Roles and responsibilities §  Framework §  Monitoring and Measurement §  Challenges §  Resources §  Certification

Slide 55

Slide 55 text

Agenda §  Framework §  What is a framework? §  Control categories §  European Union frameworks §  UK and US laws §  ISO 27000 family framework

Slide 56

Slide 56 text

Framework
§  What is a framework?
§  NIST Cybersecurity Framework
§  Framework for Improving Critical Infrastructure Cybersecurity
  ¨  “(…) Cybersecurity Framework – a set of industry standards and best practices to help organizations manage cybersecurity risks.”
  ¨  “‘prioritized, flexible, repeatable, performance-based, and cost-effective approach’ to manage cybersecurity risk for those processes, information, and systems directly involved in the delivery of critical infrastructure services.”
§  https://www.nist.gov/cyberframework

Slide 57

Slide 57 text

Framework
[Figure: the elements of risk and their relationships according to ISO 15408:2005. Elements shown: Owners, Assets, Countermeasures, Vulnerabilities, Threats, Threat agents, Attack Vectors, Risks, Security Context. Relationship labels shown: value, wish to minimise, impose, reduce, may be aware of, may be reduced by, that may possess, leading to, that exploit, increase, to, give rise to, based on (set of), wish to abuse and/or may damage]

Slide 58

Slide 58 text

Framework
§  Control categories
§  Preventive
  ¨  Inhibit attempts to violate security policy; include such controls as access control enforcement, encryption and authentication
§  Detective
  ¨  Warn of violations or attempted violations of security policy; include such controls as audit trails, intrusion detection methods and checksums
§  Corrective
  ¨  Remediate vulnerabilities; backup restore procedures are a corrective measure
§  Compensatory
  ¨  Compensate for increased risk by adding control steps that mitigate a risk; for example, adding a challenge-response component to weak access controls can compensate for the deficiency
§  Deterrent
  ¨  Provide warnings that can deter potential compromises; for example, warning banners on login screens or offering rewards for the arrest of hackers

Slide 59

Slide 59 text

Framework
§  Threats and Vulnerabilities Taxonomy
§  ENISA
  ¨  Threat Taxonomy: A tool for structuring threat information
  ¨  https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/enisa-threat-landscape/etl2015/enisa-threat-taxonomy-a-tool-for-structuring-threat-information
§  NIST
  ¨  SP 800-30 Revision 1, Guide for Conducting Risk Assessments
  ¨  http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
§  CMU/SEI
  ¨  A Taxonomy of Operational Cyber Security Risks
  ¨  http://resources.sei.cmu.edu/asset_files/TechnicalNote/2010_004_001_15200.pdf
§  ISO/IEC 27005:2011
  ¨  Annex C (informative)
§  NASA
  ¨  IT Threats and Vulnerabilities
  ¨  http://www.hq.nasa.gov/security/it_threats_vulnerabilities.htm

Slide 60

Slide 60 text

Framework
§  European Union
§  Cybersecurity Strategy Framework
  ¨  The Directive on security of network and information systems (NIS Directive)
    ¨  https://ec.europa.eu/digital-single-market/en/network-and-information-security-nis-directive
  ¨  ENISA
    ¨  http://www.enisa.europa.eu/
  ¨  CERT-EU
    ¨  https://cert.europa.eu/cert/plainedition/en/cert_about.html
§  Data Protection Framework
  ¨  ePrivacy Directive
    ¨  https://ec.europa.eu/digital-single-market/en/online-privacy
  ¨  General Data Protection Regulation
    ¨  http://ec.europa.eu/justice/data-protection/reform/index_en.htm

Slide 61

Slide 61 text

Framework
§  ENISA - European Union Agency for Network and Information Security
§  Information security and privacy standards for SMEs
  ¨  https://www.enisa.europa.eu/publications/standardisation-for-smes/
§  Governance framework for European standardisation
  ¨  https://www.enisa.europa.eu/publications/policy-industry-research
§  Definition of Cybersecurity - Gaps and overlaps in standardisation
  ¨  https://www.enisa.europa.eu/publications/definition-of-cybersecurity
§  Risk Management - Principles and Inventories for Risk Management / Risk Assessment methods and tools
  ¨  https://www.enisa.europa.eu/publications/risk-management-principles-and-inventories-for-risk-management-risk-assessment-methods-and-tools/

Slide 62

Slide 62 text

Framework
§  UK Laws
  ¨  Telecommunications Regulations Act 1998
  ¨  Data Protection Act 1998
  ¨  Computer Misuse Act 1990
  ¨  The Human Rights Act 1998
  ¨  The Regulation of Investigatory Powers Act (RIPA) 2000
  ¨  The Copyright, Designs and Patent Act 1998
  ¨  The Freedom of Information Act 2000 (public sector)
  ¨  Privacy and Electronic Communications Regulations 2003
  ¨  Terrorism Act 2006
§  US Laws
  ¨  Gramm-Leach-Bliley Act (GLBA)
  ¨  The Health Insurance Portability and Availability Act (HIPAA)
  ¨  The Californian Senate Bill 1386
  ¨  Online Personal Protection Act
  ¨  Sarbanes-Oxley Act (SOX)
  ¨  Federal Information Security Management Act (FISMA)
Laws affect the application of frameworks and standards

Slide 63

Slide 63 text

Framework
§  ISO/IEC 27001
  ¨  Will support information security for the next decade
  ¨  Works in sync with ISO 9001, ISO 14001, ISO/IEC 20000-1 among others for a better integration of management systems
  ¨  Implements the Plan-Do-Check-Act (PDCA) model
  ¨  Aligned with OECD recommendations for digital security risk management

Slide 64

Slide 64 text

Framework
§  Organisation for Economic Co-operation and Development (OECD)
§  Digital Security Risk Management for Economic and Social Prosperity (2015)
  ¨  http://www.oecd.org/sti/ieconomy/digital-security-risk-management.htm

Slide 65

Slide 65 text

Framework
§  ISO/IEC 27001/2
§  A brief history (BS stands for British Standard)
  ¨  1995: BS7799-1, BS7799-2
  ¨  2000: ISO/IEC 17799
  ¨  2005: ISO/IEC 17799, ISO/IEC 27001, ISO/IEC 27002
  ¨  2013: ISO/IEC 27001, ISO/IEC 27002

Slide 66

Slide 66 text

Framework
§  ISO/IEC 27001/2
§  A brief history

It was...            It became...        
BS7799-1             ISO/IEC 27002       Code of practice
BS7799-2             ISO/IEC 27001       Requirements
BS7799-3             ISO/IEC 27003       Implementation Guide
ISO/IEC 17799:2005   (cancelled by ISO/IEC 27002:2005)

Slide 67

Slide 67 text

Framework
§  ISO - International Organization for Standardization
  ¨  www.iso.org
  ¨  “(IOS in English, OIN in French for Organisation internationale de normalisation), our founders decided to give it the short form ISO. ISO is derived from the Greek isos, meaning equal.”
§  IEC - International Electrotechnical Commission
  ¨  www.iec.ch
  ¨  The IEC is one of three global sister organizations (IEC, ISO, ITU) that develop International Standards for the world.
§  TR: Technical Report (ISO)
  ¨  An informative document containing information of a different kind from that normally published in a normative document

Slide 68

Slide 68 text

Framework
[Figure: the ISMS (27001, 27002) at the centre, surrounded by Measurement (27004), Governance of IS (27014), Risk Mgmt. (27005), BCM (27031), Incident Mgmt. (27035) and Implementation Guidance (27003)]

Slide 69

Slide 69 text

Framework
[Figure: the ISMS family (27000, 27001, 27002, 27003, 27004, 27005, 27014, 27031, 27035) alongside the audit and certification standards: ISMS Audit Guidelines (27007), Certification Body Requirements (27006), Guidelines for Auditors on IS Controls (27008)]

Slide 70

Slide 70 text

Framework
§  Business Continuity Management and Incident Management
[Figure: BCM Requirements (22301), BCM Guidelines (IT) (27031), Incident Mgmt. (27035), IT SMS Req. (20000-1), ISMS+IT SMS (27013), DRS (27462) and their relationships]

Slide 71

Slide 71 text

Framework
[Figure: ISO 27001 Incident Management and ISO 20000-1 Incident Management overlapping in Service and Security Incident Management]
Source: ISO/IEC 27013:2015 - Information technology -- Security techniques -- Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1

Slide 72

Slide 72 text

Framework
Source: ISO/IEC 27000:2016
Vocabulary standard
•  27000 – Overview and vocabulary
Requirement standards
•  27001 – Information security management systems - Requirements
•  27006 – Requirements for bodies providing audit and certification of information security management systems
•  27009 - Information technology -- Security techniques -- Sector-specific application of ISO/IEC 27001 -- Requirements
Guideline standards
•  27002 – Code of practice for information security controls
•  27003 – Information security management system implementation guidance
•  27004 – Information security management - Measurement
•  27005 – Information security risk management
•  27007 – Guidelines for information security management systems auditing
•  TR 27008 – ISMS Controls Audit Guidelines
•  27013 – Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
•  27014 – Governance of information security
•  TR 27016 – Information security management – Organizational economics

Slide 73

Slide 73 text

Framework
Source: ISO/IEC 27000:2016
Sector-specific guideline standards
•  27010 – Information security management guidelines for inter-sector and inter-organizational communications
•  27011 – Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
•  TR 27015 – Information security management guidelines for financial services
•  TS 27017 – Guidelines on information security controls for the use of cloud computing services based on ISO/IEC 27002
•  27018 - Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
•  TR 27019 - Information technology -- Security techniques -- Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry
Control-specific guideline standards
•  2703x
•  2704x

Slide 74

Slide 74 text

Framework
§  Well-known ISO security standards
  ¨  ISO/IEC 27001:2013 Information technology -- Security techniques -- Information security management systems -- Requirements
  ¨  ISO/IEC 27002:2013 Information technology -- Security techniques -- Code of practice for information security controls
  ¨  ISO/IEC 27003:2010 Information technology -- Security techniques -- Information security management system implementation guidance
  ¨  ISO/IEC 27004:2016 Information technology -- Security techniques -- Information security management -- Monitoring, measurement, analysis and evaluation
  ¨  ISO/IEC 27005:2011 Information technology -- Security techniques -- Information security risk management
  ¨  ISO/IEC 27014:2013 Information technology -- Security techniques -- Governance of information security
  ¨  ISO/IEC 27031:2011 Information technology -- Security techniques -- Guidelines for information and communication technology readiness for business continuity
  ¨  ISO/IEC 27035-1:2016 Information technology -- Security techniques -- Information security incident management -- Part 1: Principles of incident management
  ¨  ISO/IEC 27035-2:2016 Information technology -- Security techniques -- Information security incident management -- Part 2: Guidelines to plan and prepare for incident response

Slide 75

Slide 75 text

Framework
Risk Management
  ¨  ISO 31000:2009 Risk management -- Principles and guidelines
  ¨  ISO/TR 31004:2013 Risk management -- Guidance for the implementation of ISO 31000
  ¨  IEC 31010:2009 Risk management -- Risk assessment techniques
  ¨  ISO Guide 73:2009 Risk management -- Vocabulary
§  ISO 31000
  ¨  “(…) ISO 31000 cannot be used for certification purposes, but does provide guidance for internal or external audit programmes.” -- iso.org

Slide 76

Slide 76 text

Framework
Societal Security
  ¨  ISO/IEC 22301:2012 Societal security -- Business continuity management systems -- Requirements
  ¨  ISO/IEC 22313:2012 Societal security -- Business continuity management systems -- Guidance
  ¨  ISO/TS 22318:2015 Societal security -- Business continuity management systems -- Guidelines for supply chain continuity
  ¨  ISO/IEC 22399:2007 Societal security -- Guideline for incident preparedness and operational continuity management

Slide 77

Slide 77 text

Framework
§  ISO/IEC 27009:2016 Information technology -- Security techniques -- Sector-specific application of ISO/IEC 27001 -- Requirements
§  ISO/IEC 27015:2012 Information technology -- Security techniques -- Information security management guidelines for financial services
§  ISO/IEC 27011:2016 Information technology -- Security techniques -- Code of practice for Information security controls based on ISO/IEC 27002 for telecommunications organizations
§  ISO/IEC TR 27019:2013 Information technology -- Security techniques -- Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry

Slide 78

Slide 78 text

Framework
§  ISO/IEC 27016:2014 Information technology -- Security techniques -- Information security management -- Organizational economics
§  ISO/IEC 27017:2015 Information technology -- Security techniques -- Code of practice for information security controls based on ISO/IEC 27002 for cloud services
§  ISO/IEC 27018:2014 Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
§  ISO 27799:2016 Health informatics -- Information security management in health using ISO/IEC 27002

Slide 79

Slide 79 text

Framework
§  ISO/IEC 27032:2012 Guidelines for Cybersecurity, preserving the confidentiality, integrity and availability of information in Cyberspace
§  ISO/IEC 27033-1:2015 Information technology -- Security techniques -- Network security -- Part 1: Overview and concepts
§  ISO/IEC 27033-2:2012 Information technology -- Security techniques -- Network security -- Part 2: Guidelines for the design and implementation of network security
§  ISO/IEC 27033-3:2010 Information technology -- Security techniques -- Network security -- Part 3: Reference networking scenarios -- Threats, design techniques and control issues
§  ISO/IEC 27033-4:2014 Information technology -- Security techniques -- Network security -- Part 4: Securing communications between networks using security gateways

Slide 80

Slide 80 text

Framework
§  ISO/IEC 27033-5:2013 Information technology -- Security techniques -- Network security -- Part 5: Securing communications across networks using Virtual Private Networks (VPNs)
§  ISO/IEC 27033-6:2016 Information technology -- Security techniques -- Network security -- Part 6: Securing wireless IP network access
§  ISO/IEC 27034-1:2011 Information technology -- Security techniques -- Application security -- Part 1: Overview and concepts
§  ISO/IEC 27034-2:2015 Information technology -- Security techniques -- Application security -- Part 2: Organization normative framework
§  ISO/IEC 27034-6:2016 Information technology -- Security techniques -- Application security -- Part 6: Case studies

Slide 81

Slide 81 text

Framework
§  ISO/IEC 27036-1:2014 Information technology -- Security techniques -- Information security for supplier relationships -- Part 1: Overview and concepts
§  ISO/IEC 27036-2:2014 Information technology -- Security techniques -- Information security for supplier relationships -- Part 2: Requirements
§  ISO/IEC 27036-3:2013 Information technology -- Security techniques -- Information security for supplier relationships -- Part 3: Guidelines for information and communication technology supply chain security
§  ISO/IEC 27036-4:2016 Information technology -- Security techniques -- Information security for supplier relationships -- Part 4: Guidelines for security of cloud services

Slide 82

Slide 82 text

Framework
§  ISO/IEC 27037:2012 Information technology -- Security techniques -- Guidelines for identification, collection, acquisition and preservation of digital evidence
§  ISO/IEC 27038:2014 Information technology -- Security techniques -- Specification for digital redaction
§  ISO/IEC 27039:2015 Information technology -- Security techniques -- Selection, deployment and operations of intrusion detection and prevention systems (IDPS)
§  ISO/IEC 27040:2015 Information technology -- Security techniques -- Storage security

Slide 83

Slide 83 text

Framework
§  ISO/IEC 27041:2015 Information technology -- Security techniques -- Guidance on assuring suitability and adequacy of incident investigative method
§  ISO/IEC 27042:2015 Information technology -- Security techniques -- Guidelines for the analysis and interpretation of digital evidence
§  ISO/IEC 27043:2015 Information technology -- Security techniques -- Incident investigation principles and processes
§  ISO/IEC 27050-1:2016 Information technology -- Security techniques -- Electronic discovery -- Part 1: Overview and concepts

Slide 84

Slide 84 text

Framework
ISO standards development stages: PWI → NP → WD → CD → DIS → FDIS → IS
§  PWI – Preliminary Work Item: stage where initial feasibility is assessed
§  NP – New Proposal: stage where formal scoping takes place
§  WD – Working Draft: the developmental phase
§  CD – Committee Draft: the quality control stage
§  FCD – Final Committee Draft: ready for final approval
§  DIS – Draft International Standard: international bodies vote formally on a Standard, submitting comments
§  FDIS – Final Distribution International Standard: Standard is ready to publish
§  IS – International Standard: the Standard is published
ISO Deliverables: http://www.iso.org/iso/home/standards_development/deliverables-all.htm

Slide 85

Slide 85 text

No content

Slide 86

Slide 86 text

Framework
§  Under development
§  ISO/IEC 27034-3 DIS Information technology -- Application security -- Part 3: Application security management process
§  ISO/IEC 27034-5 DIS Information technology -- Security techniques -- Application security -- Part 5: Protocols and application security controls data structure
§  ISO/IEC 27034-7 DIS Information technology -- Security techniques -- Application security -- Part 7: Application security assurance prediction model

Slide 87

Slide 87 text

Framework
§  ISO/IEC 27007:2011 — Information technology — Security techniques — Guidelines for information security management systems auditing
§  5.4.2.1 Defining the objectives, scope and criteria for an individual audit (Practical help – Examples of audit criteria)
§  4) measurement of the effectiveness of the implemented controls, and that these measurements have been applied as defined to measure control effectiveness (see ISO/IEC 27004);
§  Annex A
§  Optional additional standards can be used to guide the auditee or auditor. These are listed as “Relevant Standards” in the tables below. Auditors are reminded to base nonconformities solely on the audit criteria and the requirements of ISO/IEC 27001.

Slide 88

Slide 88 text

Framework
§  Technical committee: development of standards
§  ISO/IEC JTC 1/SC 27 IT Security techniques
§  http://www.iso.org/iso/home/standards_development/list_of_iso_technical_committees/iso_technical_committee.htm?commid=45306

Slide 89

Slide 89 text

Agenda §  Overview §  Risk-based prioritization §  Roles and responsibilities §  Framework §  Monitoring and Measurement §  Challenges §  Resources §  Certification

Slide 90

Slide 90 text

Monitoring and Measurement §  Why do we measure performance? §  NIST SP 800-55 Revision 1, Performance Measurement Guide for Information Security §  Information security measures are used to facilitate decision making and improve performance and accountability through the collection, analysis, and reporting of relevant performance-related data. The purpose of measuring performance is to monitor the status of measured activities and facilitate improvement in those activities by applying corrective actions based on observed measurements.

Slide 91

Slide 91 text

Monitoring and Measurement §  Why do we measure performance? §  NIST SP 800-55 Revision 1, Performance Measurement Guide for Information Security §  Information security measures must yield quantifiable information for comparison purposes, apply formulas for analysis, and track changes using the same points of reference. Percentages or averages are most common. Absolute numbers are sometimes useful, depending on the activity that is being measured.

Slide 92

Slide 92 text

Monitoring and Measurement
§  Measurement is important to
§  Increase accountability
§  Demonstrate compliance with laws, rules and regulations
§  Provide quantifiable inputs for resource allocation decisions
§  Demonstrate and improve the effectiveness of information security investments
§  Maximize the effectiveness of the framework and its resources

Slide 93

Slide 93 text

Monitoring and Measurement
§  Attributes of good measurement
§  Manageable
§  Ready to be collected, stored, compiled and analyzed
§  Meaningful
§  Shall make sense to the receiver and be relevant to the objectives
§  Actionable
§  Shall point in the right direction
§  Unambiguous
§  Confusing information is useless
§  Reliable
§  A wrong target is worse than no target at all
§  Timely
§  Shall be available when needed

Slide 94

Slide 94 text

Monitoring and Measurement
§  Additional reading
§  CMU/SEI - The ROI of Security
§  Stephanie Losi
§  http://resources.sei.cmu.edu/asset_files/Newsletter/2007_102_001_413946.pdf
§  ENISA: Introduction to Return on Security Investment
§  http://www.enisa.europa.eu/activities/cert/other-work/introduction-to-return-on-security-investment

Slide 95

Slide 95 text

Monitoring and Measurement
Requirement
§  ISO/IEC 27001:2013
§  9.1 Monitoring, measurement, analysis and evaluation
§  The organization shall determine:
¨  a) what needs to be monitored and measured, including information security processes and controls;
¨  b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results;
¨  NOTE The methods selected should produce comparable and reproducible results to be considered valid.

Slide 96

Slide 96 text

Monitoring and Measurement
§  ISO/IEC 27004:2009 — Information technology — Security techniques — Information security management — Measurement
§  Section 0.1 General
§  The Information Security Measurement Programme will assist management in identifying and evaluating noncompliant and ineffective ISMS processes and controls and prioritizing actions associated with improvement or changing these processes and/or controls.
§  It may also assist the organization in demonstrating ISO/IEC 27001 compliance and provide additional evidence for management review and information security risk management processes.

Slide 97

Slide 97 text

Monitoring and Measurement
Requirement
§  ISO/IEC 27001:2013
§  6.2 Information security objectives and planning to achieve them
§  The organization shall establish information security objectives at relevant functions and levels. The information security objectives shall:
¨  b) be measurable (if practicable);
§  9.1 Monitoring, measurement, analysis and evaluation
§  The organization shall evaluate the information security performance and the effectiveness of the information security management system.

Slide 98

Slide 98 text

Monitoring and Measurement
Management responsibilities
§  ISO/IEC 27004:2009
§  Section 6.1 Management Responsibilities, Overview
§  Management is responsible for establishing the Information Security Measurement Programme, involving relevant stakeholders (see 7.5.8) in the measurement activities, accepting measurement results as an input into management review and using measurement results in improvement activities within the ISMS.

Slide 99

Slide 99 text

Monitoring and Measurement
Management responsibilities
§  Measuring Organizational Awareness
§  ISO/IEC 27004:2009, Section 6.3 Measurement training, awareness, and competence
§  Management should ensure that:
¨  a) The stakeholders (see 7.5.8) are trained adequately for achieving their roles and responsibilities in the implemented Information Security Measurement Programme, and appropriately qualified to perform their roles and responsibilities; and
¨  b) The stakeholders understand that their duties include making suggestions for improvements in the implemented Information Security Measurement Programme.

Slide 100

Slide 100 text

Monitoring and Measurement
Responsibilities
§  ISO/IEC 27014:2013 — Information technology — Security techniques — Governance of information security
§  Section 5.3.4 Monitor
§  “Monitor” is the governance process that enables the governing body to assess the achievement of strategic objectives.
§  To accomplish the “Monitor” process, the governing body should:
¨  assess the effectiveness of information security management activities,
§  To accomplish the “Monitor” process, executive management should:
¨  select appropriate performance metrics from a business perspective,
¨  provide feedback on information security performance results to the governing body including performance of action previously identified by governing body and their impacts on the organisation

Slide 101

Slide 101 text

Monitoring and Measurement
Source: ISO/IEC 27014:2013, Figure 2 – Governance process of information security
Figure elements (only the labels survived extraction): Governing Body; Executive Management (Information Security Management); External Stakeholders. Governance processes: Evaluate, Direct, Monitor, Communicate, Assure. Flows: Strategy and Policy (from Direct); Proposals and Performance (reported back to the Governing Body).

Slide 102

Slide 102 text

Monitoring and Measurement
Process Input
§  ISO/IEC 27001:2013
§  6 Planning
§  6.1 Actions to address risks and opportunities
¨  6.1.1 General
¨  When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:
¨  e) how to
¨  1) integrate and implement the actions into its information security management system processes; and
¨  2) evaluate the effectiveness of these actions.

Slide 103

Slide 103 text

Monitoring and Measurement
Process Output
§  ISO/IEC 27001:2013
§  9.3 Management review
§  Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
§  The management review shall include consideration of:
§  c) feedback on the information security performance, including trends in:
¨  2) monitoring and measurement results;
§  e) results of risk assessment and status of risk treatment plan;

Slide 104

Slide 104 text

Monitoring and Measurement
Process Output
§  ISO/IEC 27001:2013
§  9.3 Management review
§  The management review shall include consideration of:
§  f) opportunities for continual improvement.
¨  The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
¨  The organization shall retain documented information as evidence of the results of management reviews.

Slide 105

Slide 105 text

Monitoring and Measurement
Improvement
§  ISO/IEC 27004:2009
§  Section 10 Information Security Measurement Programme Evaluation and Improvement, Overview
§  Management should specify the frequency of such evaluation, plan periodic revisions and establish the mechanisms for making such revisions possible (see clause 7.2 of ISO/IEC 27001:2005).

Slide 106

Slide 106 text

Monitoring and Measurement
§  Measuring Information Security Risk and Loss
§  The technical vulnerability management approach poses the following questions:
§  How many technical or operational vulnerabilities exist?
§  How many have been resolved?
§  What is the average time to resolve them?
§  How many recurred?
§  How many systems (critical or otherwise) are impacted by them?
§  How many have the potential for external exploit?
§  How many have the potential for gross compromise (e.g., remote privileged code execution, unauthorized administrative access, bulk exposure of sensitive printed information)?
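The questions above become concrete once a finding register is reduced to numbers; the block below is an added example (not code from the deck or from ISACA) that computes each of them, including recurrence and the gross-compromise subset, over a constructed register. The field names, impact labels, host names and dates are assumptions.

```python
"""Vulnerability-management metrics for the questions on this slide.

Added example, not part of the original deck: a constructed register of
scanner findings is reduced to count, resolved, average time to resolve,
recurrences, systems impacted, external exploit potential and gross-
compromise potential. Field names, impact labels and data are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from statistics import mean

# Impact classes the slide calls "gross compromise" (assumed label vocabulary).
GROSS_COMPROMISE = {
    "remote_privileged_code_execution",
    "unauthorized_admin_access",
    "bulk_sensitive_exposure",
}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    vuln_id: str              # scanner signature / advisory id (placeholder, not a real CVE)
    host: str
    critical_host: bool
    found_on: date
    resolved_on: date | None  # None while the finding is still open
    externally_reachable: bool
    impact: str


def count_recurrences(findings: list[Finding]) -> int:
    """A recurrence is the same vuln_id reappearing on the same host after it was resolved."""
    history: dict[tuple[str, str], list[Finding]] = {}
    for f in sorted(findings, key=lambda f: f.found_on):
        history.setdefault((f.host, f.vuln_id), []).append(f)
    recurred = 0
    for seq in history.values():
        for earlier, later in zip(seq, seq[1:]):
            if earlier.resolved_on is not None and later.found_on > earlier.resolved_on:
                recurred += 1
    return recurred


def vulnerability_metrics(findings: list[Finding]) -> dict:
    """Answer the slide's seven questions for one register snapshot."""
    resolved = [f for f in findings if f.resolved_on is not None]
    open_findings = [f for f in findings if f.resolved_on is None]
    days_to_resolve = [(f.resolved_on - f.found_on).days for f in resolved]
    return {
        "total": len(findings),
        "resolved": len(resolved),
        "open": len(open_findings),
        "mean_days_to_resolve": mean(days_to_resolve) if days_to_resolve else None,
        "recurred": count_recurrences(findings),
        # Systems are counted against still-open findings only.
        "systems_impacted": len({f.host for f in open_findings}),
        "critical_systems_impacted": len({f.host for f in open_findings if f.critical_host}),
        "external_exploit_potential": sum(f.externally_reachable for f in open_findings),
        "gross_compromise_potential": sum(f.impact in GROSS_COMPROMISE for f in open_findings),
    }


# Constructed sample register (hosts, ids and dates are made up).
SAMPLE_FINDINGS = [
    Finding("F1", "V-001", "web-01", True, date(2024, 1, 5), date(2024, 1, 15), True, "remote_privileged_code_execution"),
    Finding("F2", "V-001", "web-01", True, date(2024, 2, 20), None, True, "remote_privileged_code_execution"),
    Finding("F3", "V-002", "db-01", True, date(2024, 1, 10), date(2024, 1, 30), False, "bulk_sensitive_exposure"),
    Finding("F4", "V-003", "hr-laptop-07", False, date(2024, 2, 1), None, False, "information_disclosure"),
    Finding("F5", "V-004", "vpn-gw-01", True, date(2024, 2, 10), None, True, "unauthorized_admin_access"),
    Finding("F6", "V-005", "print-srv-02", False, date(2024, 1, 20), date(2024, 1, 23), False, "denial_of_service"),
]

if __name__ == "__main__":
    for name, value in vulnerability_metrics(SAMPLE_FINDINGS).items():
        print(f"{name:>28}: {value}")
```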

Slide 107

Slide 107 text

Monitoring and Measurement
§  Measuring Information Security Risk and Loss
§  The risk management approach is concerned with the following questions:
§  How many high-, medium- and low-risk issues are unresolved? What is the aggregate annual loss expectancy (ALE)?
§  How many were resolved during the reporting period? If available, what is the aggregate ALE that has been eliminated?
§  How many were completely eliminated vs. partially mitigated vs. transferred?
§  How many were accepted because no mitigation or compensation method was tenable?
§  How many remain open because of inaction or lack of cooperation?
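The following is an added example (not code from the deck or from ISACA) that derives the risk-management figures above from a constructed risk register, with ALE computed as SLE x ARO and partially mitigated items contributing only the share of ALE they removed. The register fields, the treatment vocabulary, the reporting period and the sample values are assumptions.

```python
"""Risk-register metrics for the 'risk management approach' questions.

Added example, not from the original deck: reduces a constructed risk
register to unresolved issues by level, aggregate open ALE, items closed
in the period and the ALE they removed, the eliminated / mitigated /
transferred / accepted breakdown, and items stalled by inaction.
ALE = SLE x ARO. Fields, status vocabulary and sample data are assumed.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date

# Treatment recorded when an issue is closed (assumed vocabulary).
ELIMINATED, MITIGATED, TRANSFERRED, ACCEPTED = "eliminated", "mitigated", "transferred", "accepted"


@dataclass(frozen=True)
class Risk:
    risk_id: str
    level: str                      # "high", "medium" or "low"
    sle: float                      # single loss expectancy, currency units
    aro: float                      # annualized rate of occurrence
    treatment: str | None = None    # None while the issue is still open
    closed_on: date | None = None
    residual_fraction: float = 1.0  # share of ALE still carried after treatment (1.0 = all of it)
    stalled: bool = False           # open because of inaction or lack of cooperation

    @property
    def ale(self) -> float:
        return self.sle * self.aro

    @property
    def ale_removed(self) -> float:
        """ALE no longer carried by the organization after treatment.
        Eliminated and transferred items are recorded with residual 0.0,
        accepted items keep residual 1.0 (transfer counts as removed here;
        that is an assumption, insurers may leave a deductible)."""
        if self.closed_on is None:
            return 0.0
        return self.ale * (1.0 - self.residual_fraction)


def period_metrics(register: list[Risk], start: date, end: date) -> dict:
    """Answer the slide's five questions for one reporting period [start, end]."""
    open_items = [r for r in register if r.closed_on is None]
    closed_in_period = [r for r in register if r.closed_on is not None and start <= r.closed_on <= end]
    return {
        "unresolved_by_level": dict(Counter(r.level for r in open_items)),
        "aggregate_open_ale": sum(r.ale for r in open_items),
        "resolved_in_period": len(closed_in_period),
        "ale_removed_in_period": sum(r.ale_removed for r in closed_in_period),
        "treatment_breakdown": dict(Counter(r.treatment for r in closed_in_period)),
        "accepted_in_period": sum(r.treatment == ACCEPTED for r in closed_in_period),
        "open_due_to_inaction": sum(r.stalled for r in open_items),
    }


# Constructed reporting period and register (all values made up).
PERIOD_START = date(2024, 1, 1)
PERIOD_END = date(2024, 3, 31)
SAMPLE_REGISTER = [
    Risk("R1", "high", 100_000, 0.5, stalled=True),                          # open, ALE 50,000, blocked
    Risk("R2", "medium", 20_000, 2.0),                                        # open, ALE 40,000
    Risk("R3", "low", 5_000, 0.25, ELIMINATED, date(2024, 2, 2), 0.0),       # ALE 1,250 fully removed
    Risk("R4", "high", 80_000, 0.25, MITIGATED, date(2024, 3, 1), 0.25),     # ALE 20,000, 15,000 removed
    Risk("R5", "medium", 10_000, 1.0, TRANSFERRED, date(2024, 1, 20), 0.0),  # ALE 10,000 transferred
    Risk("R6", "low", 2_000, 0.5, ACCEPTED, date(2024, 3, 15)),              # ALE 1,000 accepted, none removed
    Risk("R7", "low", 3_000, 1.0, ELIMINATED, date(2023, 11, 5), 0.0),       # closed before the period
]

if __name__ == "__main__":
    for name, value in period_metrics(SAMPLE_REGISTER, PERIOD_START, PERIOD_END).items():
        print(f"{name:>24}: {value}")
```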

Slide 108

Slide 108 text

Monitoring and Measurement
§  Measuring Information Security Risk and Loss
§  The loss prevention approach is concerned with the following questions:
§  Were there loss events during the reporting period? What is the aggregate loss including investigation, recovery, data reconstruction and customer relationship management?
§  How many events were preventable (i.e., risk or vulnerability identified prior to the loss event)?
§  What was the average amount of time taken to identify loss incidents? To initiate incident response procedures? To isolate incidents from other systems? To contain event losses?

Slide 109

Slide 109 text

Monitoring and Measurement §  Measuring Information Security Risk and Loss §  Qualitative measures §  Do risk management activities occur as scheduled? §  Have incident response and business continuity plans been tested? §  Are asset inventories, custodianships, valuations and risk analyses up to date? §  Is there consensus among information security stakeholders as to acceptable levels of risk to the organization? §  Do executive management oversight and review activities occur as planned?

Slide 110

Slide 110 text

Monitoring and Measurement
§  Measuring Support of Organizational Objectives
§  Qualitative measures may be revised by Steering Committee
§  Is there documented correlation between key organizational milestones and the objectives of the information security management program?
§  How many information security objectives were successfully completed in support of organizational goals?
§  Were there organizational goals that were not fulfilled because information security objectives were not met?
§  How strong is consensus among business units, executive management and other information security stakeholders that program objectives are complete and appropriate?

Slide 111

Slide 111 text

Monitoring and Measurement
§  Measuring Compliance
§  Anything less than 100% compliance is unacceptable when piloting passenger jets or operating nuclear power plants, since impacts are likely to be catastrophic and unacceptable
§  For any activity that is not life- or organization-threatening, the cost of compliance efforts must be weighed against the benefits and potential impacts

Slide 112

Slide 112 text

Monitoring and Measurement
§  Measuring Effectiveness of Technical Security Architecture
§  Quantitative Metrics
§  Probe and attack attempts repelled by network access control devices; qualify by asset or resource targeted, source geography and attack type
§  Probe and attack attempts detected by intrusion detection systems (IDS) on internal networks; qualify by internal vs. external source, resource targeted and attack type
§  Number and type of actual compromises; qualify by attack severity, attack type, impact severity and source of attack
§  Statistics on viruses, worms and other malware identified and neutralized; qualify by impact potential, severity of larger Internet outbreaks and malware vector
§  Amount of downtime attributable to security flaws and unpatched systems
§  Number of messages processed, sessions examined and kilobytes (KB) of data examined by IDS

Slide 113

Slide 113 text

Monitoring and Measurement
§  Measuring Effectiveness of Technical Security Architecture
§  Qualitative Metrics
§  Individual technical mechanisms have been tested to verify control objectives and policy enforcement.
§  The security architecture is constructed of appropriate controls in a layered fashion.
§  Control mechanisms are properly configured and monitored in real-time, self-protection implemented and information security personnel alerted to faults.
§  All critical systems stream events to information security personnel or to event analysis automation tools for real-time threat detection.

Slide 114

Slide 114 text

Monitoring and Measurement
§  Support material
§  ETSI GS ISI
§  http://www.etsi.org/technologies-clusters/technologies/information-security-indicators
§  001-1: Information Security Indicators (ISI); Indicators (INC); Part 1: A full set of operational indicators for organizations to use to benchmark their security posture
¨  http://www.etsi.org/deliver/etsi_gs/ISI/001_099/00101/01.01.02_60/gs_ISI00101v010102p.pdf
§  001-2: Information Security Indicators (ISI); Indicators (INC); Part 2: Guide to select operational indicators based on the full set given in part 1
¨  http://www.etsi.org/deliver/etsi_gs/ISI/001_099/00102/01.01.02_60/gs_ISI00102v010102p.pdf

Slide 115

Slide 115 text

Agenda §  Overview §  Risk-based prioritization §  Roles and responsibilities §  Framework §  Monitoring and Measurement §  Challenges §  Resources §  Certification

Slide 116

Slide 116 text

Challenges
§  Inadequate Management Support
§  There is no compulsory requirement to address information security, so it is often viewed as a marginally important issue that adds cost with little value
§  These views often reflect misunderstanding of the organization's dependence on information systems, the threat and risk environment, or the impact that the organization faces or may be unknowingly experiencing
§  There are always cultural and organizational challenges in any job function, and the path is not cleared for the information security manager simply by virtue of gaining senior management support
Source: ISACA CISM Review Manual

Slide 117

Slide 117 text

Challenges
§  Inadequate Management Support
§  Strategies
§  Utilize resources, such as industry statistics, organizational impact and dependency analyses, and reviews of common threats to the organization's specific information processing systems.
§  In addition, management may require guidance in what is expected of them and approaches that industry peers are taking to address information security. Even if initial education does not result in immediate strengthening of support, ongoing education should still be conducted to develop awareness of security needs.
Source: ISACA CISM Review Manual

Slide 118

Slide 118 text

Challenges
§  Inadequate Funding
§  Management not recognizing the value of security investments
§  Security being viewed as a low-value cost centre
§  Management not conceptually understanding where existing money is going
§  The organizational need for a security investment not being understood
§  The need for more awareness of industry trends in security investment
Source: ISACA CISM Review Manual

Slide 119

Slide 119 text

Challenges
§  Inadequate Funding
§  Strategies
§  Leveraging the budgets of other organizational units (e.g., product development, internal audit, information systems) to implement needed security program components
§  Improving the efficiency of existing information security program components
§  Working with the information security steering committee to reprioritize security resource assignments and providing senior management with analysis of what security components will become under-resourced and the risk implications
Source: ISACA CISM Review Manual

Slide 120

Slide 120 text

Agenda §  Overview §  Risk-based prioritization §  Roles and responsibilities §  Framework §  Monitoring and Measurement §  Challenges §  Resources §  Certification

Slide 121

Slide 121 text

Resources
§  Policies
§  Standards
§  Procedures
§  Guidelines

Slide 122

Slide 122 text

Resources §  Policies §  A policy that is not understood or accepted is not likely to be followed §  Most people are willing to live within the boundaries if they know what they are §  Policies and their related standards must be openly published and made readily accessible to the impacted community and their managers.

Slide 123

Slide 123 text

Resources §  Standards §  Standards set the allowable boundaries and requirements for people, processes and technology §  To be relevant, standards must be set at the strategic, management and operational levels §  Standards may need to be changed in response to changing threats, new technologies, additional regulatory requirements or when baselines no longer provide adequate levels of protection

Slide 124

Slide 124 text

Resources
§  Procedures
§  It is essential that all important processes throughout the enterprise are documented in procedures reviewed to ensure compliance with standards
§  Procedures must be clear and unambiguous, and terms must be exact. For example, the words "must," "shall" and "will" shall be used for any task that is mandatory
§  The word "should" must be used to mean a preferred action that is not mandatory. The terms "may" or "can" must only be used to denote a purely discretionary action

Slide 125

Slide 125 text

Resources §  Guidelines §  Guidelines should contain information that will be helpful in executing the procedures §  This can include dependencies, suggestions and examples, narrative clarifying the procedures, background information that may be useful, tools that can be used, etc.

Slide 126

Slide 126 text

Resources
§  Awareness and Education
§  Who is the intended audience (senior management, business managers, IT staff, users)?
§  What is the intended message (policies, procedures, recent events)?
§  What is the intended result (improved policy compliance, behavioral change, better practices)?
§  What communication method will be used (computer-based training [CBT], all-hands meeting, intranet, newsletters, etc.)?
§  What is the organizational structure and culture?

Slide 127

Slide 127 text

Agenda §  Overview §  Risk-based prioritization §  Roles and responsibilities §  Framework §  Monitoring and Measurement §  Challenges §  Resources §  Certification

Slide 128

Slide 128 text

Certification
§  Management Systems
§  ISO 9001:2015 – QMS (Quality)
§  ISO 14001:2015 – EMS (Environment)
§  ISO/IEC 20000-1:2011 – IT SMS (IT Services)
§  ISO/IEC 27001:2013 – ISMS (Information Security)
§  ISO 22301:2012 – BCMS (Business Continuity)
§  ISO 50001:2011 – EnMS (Energy)
Complete list: http://www.iso.org/iso/home/standards/management-standards/mss-list.htm

Slide 129

Slide 129 text

Certification
§  ISO/IEC 27001 certification benefits
§  Allows senior management to demonstrate due diligence
§  Encourages
§  Efficient management of security costs
§  Compliance with laws and regulations
§  Interoperability with partners due to a common set of guidance
§  Increases IS awareness among employees, customers, vendors, etc.
§  Increases the alignment between IS and business
§  Provides a process framework for IS implementation
§  Helps to determine IS status and compliance level with standards and policies

Slide 130

Slide 130 text

Certification §  ISO/IEC 27001:2013 §  Cost of certification may vary due to §  The size of the Organization and the physical/logical scope of certification §  Current maturity level of ISMS §  The gap between current state and desired state of controls §  Internal capacity to develop the ISMS and close identified gaps §  How quickly the certificate is necessary

Slide 131

Slide 131 text

Certification
§  ISO/IEC 27001:2013
§  There are now 114 controls in 14 groups and 35 control objectives; the 2005 standard had 133 controls in 11 groups
§  A.5: Information security policies (2 controls)
§  A.6: Organization of information security (7 controls)
§  A.7: HR security (6 controls that are applied before, during, or after employment)
§  A.8: Asset management (10 controls)
§  A.9: Access control (14 controls)
§  A.10: Cryptography (2 controls)
§  A.11: Physical and environmental security (15 controls)
§  A.12: Operations security (14 controls)
§  A.13: Communications security (7 controls)
§  A.14: System acquisition, development and maintenance (13 controls)
§  A.15: Supplier relationships (5 controls)
§  A.16: Information security incident management (7 controls)
§  A.17: Information security aspects of business continuity mgmt. (4 controls)
§  A.18: Compliance; with internal requirements, such as policies, and with external requirements, such as laws (8 controls)

Slide 132

Slide 132 text

Certification
§  ISO/IEC 27001:2013
§  Proposed phases of implementation
§  Phase 1: Scope definition, Risk assessment, Risk Treatment Plan, Gap assessment, Remediation plan for implementation in Phase 2, Statement of Applicability, selection of the ISO certification body
§  Phase 2: Gap resolution, ISMS development, risk management committee, incident response, ISMS internal audit
§  Phase 3: Independent tests of the ISMS against the requirements specified in ISO/IEC 27001 (certification)
§  Phase 4: Follow-up reviews and periodic audits

Slide 133

Slide 133 text

Certification
§  Project (ISO/IEC 27003:2010)
§  Scope (ISO/IEC 27001:2013 4.3)
§  Risk assessment methodology (ISO/IEC 27001:2013 6.1.2)
¨  ISO/IEC 27005:2011
§  Statement of Applicability (ISO/IEC 27001:2013 6.1.3(d))
¨  ISO/IEC 27001:2013 Annex A
§  Security Policy (ISO/IEC 27001:2013 A.5)
§  Metrics (ISO/IEC 27001:2013 9.1(a) and 9.1(b))
¨  ISO/IEC 27004:2016
§  Incident Management (ISO/IEC 27001:2013 A.16)
¨  ISO/IEC 27035-1:2016 and ISO/IEC 27035-2:2016
§  Continuity Management (ISO/IEC 27001:2013 A.17)
¨  ISO/IEC 27031:2011
§  ...
§  Audit (Guidelines: ISO/IEC 27007:2011)

Slide 134

Slide 134 text

Certification §  ISO/IEC 27001:2013 §  Section 4.4 Information security management system §  The organization shall establish, implement, maintain and continually improve an information security management system, in accordance with the requirements of this International Standard.

Slide 135

Slide 135 text

Certification
ISO/IEC 27005:2011 — Information technology — Security techniques — Information security risk management (risk management activities mapped to the Plan-Do-Check-Act cycle)
•  Plan: Establishing the context; Risk assessment; Developing risk treatment plan; Risk acceptance
•  Do: Implementation of risk treatment plan
•  Check: Continual monitoring and reviewing of risks
•  Act: Maintain and improve the Information Security Risk Management Process

Slide 136

Slide 136 text

Certification
ISO/IEC 27003:2010 Overview, Figure 1 – ISMS project phases (clauses 5 to 9 along a timeline, each with its outputs)
§  5 Obtaining management approval for initiating an ISMS project → Management approval for initiating ISMS Project
§  6 Defining ISMS scope, boundaries and ISMS policy → The ISMS Scope and boundaries; ISMS Policy
§  7 Conducting information security requirements analysis → Information security requirements; Information assets; Results from information security assessment
§  8 Conducting risk assessment and planning risk treatment → Written notice of management approval for implementing the ISMS; Risk treatment plan; SoA, including the control objectives and the selected controls
§  9 Design the ISMS → Final ISMS project implementation plan

Slide 137

Slide 137 text

Certification ISO/IEC 27003:2010 Overview, Figure 1 – ISMS project phases (same figure as on slide 136)

Slide 138

Slide 138 text

Certification §  ISO/IEC 27003:2010 §  Section 5.1 Overview of obtaining management approval for initiating an ISMS project §  NOTE The output from Clause 5 (Documented management commitment to plan and implement an ISMS) and one of the outputs of Clause 7 (Document summarization of the information security status) are not requirements of ISO/IEC 27001:2005. However, the outputs from these activities are recommended input to other activities described in this document. ISO/IEC 27003:2010 (latest version) references ISO/IEC 27001:2005 (superseded)

Slide 139

Slide 139 text

Certification: ISO/IEC 27003:2010 Overview, Figure 1 – ISMS project phases (figure repeated as a progress marker)

Slide 140

Slide 140 text

Certification
§  ISO/IEC 27001:2013
§  Section 4.3 Determining the scope of the information security management system
§  The organization shall determine the boundaries and applicability of the information security management system to establish its scope. (…)
§  The scope shall be available as documented information.

Slide 141

Slide 141 text

Certification: ISO/IEC 27003:2010 Overview, Figure 1 – ISMS project phases (figure repeated as a progress marker)

Slide 142

Slide 142 text

Certification
§  ISO/IEC 27001:2013
§  Section 5.2 Policy
§  Top management shall establish an information security policy that:
§  a) is appropriate to the purpose of the organization;
§  b) includes information security objectives (see 6.2) or provides the framework for setting information security objectives; (…)
§  e) be available as documented information;

Slide 143

Slide 143 text

Certification: ISO/IEC 27003:2010 Overview, Figure 1 – ISMS project phases (figure repeated as a progress marker)

Slide 144

Slide 144 text

Certification
§  ISO/IEC 27005:2011 — Information technology — Security techniques — Information security risk management
§  B.1.1 The identification of primary assets. Primary assets are of two types:
§  1 - Business processes (or sub-processes) and activities, for example
¨  Processes whose loss or degradation make it impossible to carry out the mission of the organization
¨  Processes that contain secret processes or processes involving proprietary technology
¨  Processes that, if modified, can greatly affect the accomplishment of the organization's mission
¨  Processes that are necessary for the organization to comply with contractual, legal or regulatory requirements

Slide 145

Slide 145 text

Certification
§  ISO/IEC 27005:2011 — Information technology — Security techniques — Information security risk management
§  B.1.1 The identification of primary assets
§  2 – Information. More generally, primary information mainly comprises:
¨  Vital information for the exercise of the organization's mission or business
¨  Personal information, as can be defined specifically in the sense of the national laws regarding privacy
¨  Strategic information required for achieving objectives determined by the strategic orientations
¨  High-cost information whose gathering, storage, processing and transmission require a long time and/or involve a high acquisition cost

Slide 146

Slide 146 text

Certification: ISO/IEC 27003:2010 Overview, Figure 1 – ISMS project phases (figure repeated as a progress marker)

Slide 147

Slide 147 text

Certification
ISO/IEC 27005:2011 — Information technology — Security techniques — Information security risk management (PDCA alignment)
Plan
•  Establishing the context
•  Risk assessment
•  Developing risk treatment plan
•  Risk acceptance
Do
•  Implementation of risk treatment plan
Check
•  Continual monitoring and reviewing of risks
Act
•  Maintain and improve the Information Security Risk Management Process

Slide 148

Slide 148 text

Certification
§  ISO/IEC 27007:2011 — Information technology — Security techniques — Guidelines for information security management systems auditing
§  ISO/IEC 27001 does not state which risk assessment approach should be employed and any approach is acceptable as long as it meets the requirements in ISO/IEC 27001.
§  ISO/IEC 27005 provides guidance on risk assessment and risk management. The auditor should be aware that there are quantitative and qualitative methods, or any combination of the two, for risk assessment, and that it is up to the organization to decide which approach to use.

Slide 149

Slide 149 text

Certification: ISO/IEC 27003:2010 Overview, Figure 1 – ISMS project phases (figure repeated as a progress marker)

Slide 150

Slide 150 text

Certification
Risk treatment options
•  Risk modification: implement controls
•  Risk avoidance: cancel the operation
•  Risk sharing: buy insurance
•  Risk retention: “I’m feeling lucky”

Slide 151

Slide 151 text

Certification
Reduce Risk
•  There is no “zero risk”.
•  Cancelling the operation avoids the risk, but may not be the best option.
•  The objective is to make money while carrying adequate risks.
Transfer Risk
•  Insurance won’t transfer risk. It will only transfer the risk of financial losses.
•  Health insurance won’t transfer death risk. Life insurance? Not a chance.
•  Control cost is the cost of insurance.
Accept Risk
•  May not be so bad. Depends on factors and costs.
•  A soccer coach knows there is about a 50/50 chance of winning the match, even when managing the stronger team.
•  Risk is inherent to business.

Slide 152

Slide 152 text

Certification
ISO/IEC 27005:2011 - The risk treatment activity (figure): the four options, risk modification, risk avoidance, risk sharing and risk retention, each leave a residual risk
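The two points the previous slides make in words, that the organization may score risk quantitatively or qualitatively (ISO/IEC 27007 above) and that every treatment option leaves a residual risk whose control cost must be weighed against the loss it removes, are shown below in an added Python example. It is not part of the original deck or of any ISO standard. The 1..5 ordinal scales, the ALE = SLE × ARO model, the three sample risks and their reduction factors are all constructed assumptions for illustration.

```python
"""Added example (not from the slides): the same three constructed risks scored
qualitatively (likelihood x impact) and quantitatively (ALE = SLE x ARO), then
treated with one of the four ISO/IEC 27005 options and checked for residual risk
and control cost. Scales, figures and reduction factors are assumptions."""
from dataclasses import dataclass

# Assumed 1..5 ordinal scales; ISO/IEC 27005 prescribes no particular scale.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
TREATMENTS = {"modify", "avoid", "share", "retain"}


@dataclass
class Risk:
    scenario: str
    likelihood: str            # qualitative input
    impact: str                # qualitative input
    sle: float                 # single loss expectancy per event (quantitative input)
    aro: float                 # annualised rate of occurrence
    treatment: str = "retain"
    reduction: float = 0.0     # fraction of ALE the treatment removes (assumed)
    control_cost: float = 0.0  # annualised cost of the control or insurance premium


def qualitative_score(r: Risk) -> int:
    return LIKELIHOOD[r.likelihood] * IMPACT[r.impact]


def ale(r: Risk) -> float:
    """Annualised loss expectancy."""
    return r.sle * r.aro


def residual_ale(r: Risk) -> float:
    if r.treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment {r.treatment!r}")
    if r.treatment == "avoid":      # operation cancelled: no exposure (and no revenue)
        return 0.0
    if r.treatment == "retain":     # accepted as-is: residual equals inherent
        return ale(r)
    # modify (controls) or share (insurance) remove only part of the loss;
    # sharing moves the financial part, it does not stop the event happening
    return ale(r) * (1.0 - r.reduction)


def rank(risks, method: str):
    """Scenarios ordered from highest to lowest risk under one scoring method."""
    key = qualitative_score if method == "qualitative" else ale
    return [r.scenario for r in sorted(risks, key=key, reverse=True)]


def uneconomic(risks):
    """Treatments whose annual cost exceeds the ALE they actually remove."""
    return [r.scenario for r in risks
            if r.treatment in ("modify", "share")
            and r.control_cost > ale(r) - residual_ale(r)]


# Constructed sample register (all figures invented for illustration)
SAMPLE = [
    Risk("ransomware on customer DB", "possible", "severe", sle=500_000, aro=0.1,
         treatment="modify", reduction=0.8, control_cost=20_000),
    Risk("credential stuffing on portal", "almost certain", "minor", sle=2_000, aro=40,
         treatment="modify", reduction=0.9, control_cost=5_000),
    Risk("lost laptop", "likely", "moderate", sle=15_000, aro=3,
         treatment="share", reduction=0.6, control_cost=30_000),
]

if __name__ == "__main__":
    print("qualitative :", rank(SAMPLE, "qualitative"))
    print("quantitative:", rank(SAMPLE, "quantitative"))
    for r in SAMPLE:
        print(f"{r.scenario:32} ALE {ale(r):>9.0f} residual {residual_ale(r):>9.0f}")
    print("not worth the cost:", uneconomic(SAMPLE))
```

Running it shows why the auditor is told to expect either method: the qualitative matrix puts the rare, severe ransomware scenario first, while the quantitative ALE puts the frequent, low-impact credential stuffing first. It also flags the laptop insurance as uneconomic, because the premium (the "control cost" of the transfer slide) is higher than the financial loss it would carry.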

Slide 153

Slide 153 text

Certification: ISO/IEC 27003:2010 Overview, Figure 1 – ISMS project phases (figure repeated as a progress marker)

Slide 154

Slide 154 text

Certification
§  ISO/IEC 27001:2013
§  Section 6.1.3 Information security risk treatment
§  The organization shall define and apply an information security risk treatment process to: (…)
§  d) produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c)) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A; (…)
§  The organization shall retain documented information about the information security risk treatment process.
§  NOTE The information security risk assessment and treatment process in this International Standard aligns with the principles and generic guidelines provided in ISO 31000[5].

Slide 155

Slide 155 text

Certification
§  Statement of Applicability (SoA)
§  Example

Clause No | Control                                         | Applicable (Y/N) | Reason for selection / justification for exclusion | Control objective | Current status of control
A.5       | Information security policies                   |                  |                                                    |                   |
A.5.1     | Management direction for information security   |                  |                                                    |                   |
A.5.1.1   | Policies for information security               |                  |                                                    |                   |
A.5.1.2   | Review of the policies for information security |                  |                                                    |                   |
...       | ...                                             |                  |                                                    |                   |
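Because 6.1.3 d) requires a justification for every Annex A control, included or excluded, the SoA is something an internal auditor can check mechanically before the certification audit. The Python below is an added example, not part of the deck or of any standard: it reads an SoA laid out with the columns of the example table above and reports the inconsistencies an auditor would look for. The five-control Annex A subset and the SoA rows (each containing one deliberate defect) are constructed; a real check would load all 114 controls of ISO/IEC 27001:2013 Annex A.

```python
"""Added example (not from the slides): consistency check of a Statement of
Applicability against the ISO/IEC 27001:2013 6.1.3 d) requirement that every
Annex A control be listed with a justification for inclusion or exclusion.
The Annex A subset and the SoA rows are constructed for illustration."""
import csv
from io import StringIO

# Constructed subset of Annex A (2013) control identifiers
ANNEX_A = {
    "A.5.1.1": "Policies for information security",
    "A.5.1.2": "Review of the policies for information security",
    "A.6.2.1": "Mobile device policy",
    "A.6.2.2": "Teleworking",
    "A.9.2.1": "User registration and de-registration",
}

# Constructed SoA with the slide's column headings; A.9.2.1 is correct
# (a control may be applicable and not yet implemented), the rest are defects
SOA_CSV = """\
Clause No,Control,Applicable (Y/N),Reason for selection / justification for exclusion,Control objective,Current status of control
A.5.1.1,Policies for information security,Y,Required by risk treatment plan,A.5.1,Implemented
A.5.1.2,Review of the policies for information security,Y,,A.5.1,Implemented
A.6.2.1,Mobile device policy,N,No mobile devices in ISMS scope,A.6.2,Implemented
A.9.2.1,User registration and de-registration,Y,Treats risk of orphaned accounts,A.9.2,Not implemented
A.9.2.9,Made-up control,Y,Added by mistake,A.9.2,Implemented
"""


def parse_soa(text: str):
    return list(csv.DictReader(StringIO(text)))


def check_soa(rows, annex_a=ANNEX_A):
    """Return (control id, finding) pairs, sorted by control id."""
    findings = []
    seen = set()
    for row in rows:
        cid = row["Clause No"].strip()
        applicable = row["Applicable (Y/N)"].strip().upper()
        reason = row["Reason for selection / justification for exclusion"].strip()
        status = row["Current status of control"].strip().lower()
        if cid in seen:
            findings.append((cid, "listed more than once"))
        seen.add(cid)
        if cid not in annex_a:
            findings.append((cid, "not an Annex A control"))
            continue
        if applicable not in ("Y", "N"):
            findings.append((cid, f"applicability must be Y or N, got {applicable!r}"))
        if not reason:
            # 6.1.3 d): justification is required for inclusions and exclusions alike
            findings.append((cid, "justification required whether included or excluded"))
        if applicable == "N" and status == "implemented":
            findings.append((cid, "excluded from SoA but recorded as implemented"))
    for cid in annex_a:
        if cid not in seen:
            findings.append((cid, "Annex A control missing from SoA"))
    return sorted(findings)


if __name__ == "__main__":
    for cid, msg in check_soa(parse_soa(SOA_CSV)):
        print(f"{cid:8} {msg}")
```

Note that "applicable but not implemented" is not reported: 6.1.3 d) explicitly allows a selected control to be listed "whether they are implemented or not", and the status column is where the gap shows up for the risk treatment plan follow-up of A.4 above.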

Slide 156

Slide 156 text

Certification
§  Audit and Certification
§  ISO/IEC 27003:2010
§  Annex C - Information about Internal Auditing
¨  In an ISMS audit, auditing results should be determined based on evidence. Therefore, some suitable length of time during the ISMS operations should be allocated to collecting suitable evidence.

Slide 157

Slide 157 text

Certification
§  Audit and Certification
§  ISO/IEC 27007:2011
§  6.2.3.1 Determining the feasibility of the audit
¨  Before the audit commences, the auditee should be asked whether any ISMS records are unavailable for review by the audit team, e.g. because they contain confidential or sensitive information.
¨  The person responsible for managing the audit programme should determine whether the ISMS can be adequately audited in the absence of these records.
¨  If the conclusion is that it is not possible to adequately audit the ISMS without reviewing the identified records, the person should advise the auditee that the audit cannot take place until appropriate access arrangements are granted and an alternative could be proposed to or by the auditee.

Slide 158

Slide 158 text

Certification
§  Audit and Certification
§  ISO/IEC 27007:2011 – Annex A: Practice Guidance for ISMS Auditing
§  Annex A - A.1 ISMS scope, policy and risk assessment approach (ISO/IEC 27001 4.1 & 4.2.1a) to c))
§  Audit evidence includes:
¨  Scope of the ISMS (4.3.1 b));
¨  Organization chart;
¨  Organization strategy;
¨  Business policy statement, business processes and activities;
¨  Documentation of roles and responsibilities;
¨  Network configuration;
¨  Sites information, including a list of branches, business, offices and facilities, and their floor layouts;
¨  Interfaces and dependencies that the business activities carried out in the scope of the ISMS have with those outside the scope;
¨  Relevant laws, regulations and contracts;
¨  Primary assets information;
¨  ISMS policy document.
ISO/IEC 27007:2011 (latest version) references ISO/IEC 27001:2005 (superseded)

Slide 159

Slide 159 text

Certification
§  Audit and Certification
§  ISO/IEC 27007:2011
§  Annex A - A.2 Risk identification, analysis and evaluation, and risk treatment option identification and evaluation (ISO/IEC 27001 4.2.1d)~f))
§  Audit evidence includes:
¨  Inventory of assets;
¨  Documents for the risk assessment methodology;
¨  Risk assessment reports.
ISO/IEC 27007:2011 (latest version) references ISO/IEC 27001:2005 (superseded)

Slide 160

Slide 160 text

Certification
§  Audit and Certification
§  ISO/IEC 27007:2011
§  Annex A - A.4 Implementation and operation of the ISMS (4.2.2)
§  Audit evidence includes:
¨  Risk treatment plan and progress records on the plan projects;
¨  Documented procedures and records for control effectiveness measurements.
ISO/IEC 27007:2011 (latest version) references ISO/IEC 27001:2005 (superseded)

Slide 161

Slide 161 text

Certification
§  Certification Body Requirements
§  Analyse the requirements from
§  ISO/IEC 27006:2015 - Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems
§  ISO/IEC 17021-1:2015 - Conformity assessment -- Requirements for bodies providing audit and certification of management systems -- Part 1: Requirements
§  ISO: Certification…
§  “ISO does not perform certification”
§  http://www.iso.org/iso/home/standards/certification.htm
§  IAF
§  UKAS
¨  https://www.ukas.com/search-accredited-organisations/
§  ANAB
¨  http://anab.org/accredited-organizations/
§  INMETRO
¨  http://www.inmetro.gov.br/organismos/index.asp

Slide 162

Slide 162 text

References
§  NIST Special Publications (SP)
§  http://csrc.nist.gov/publications/PubsSPs.html
§  800-30 Rev. 1 - Guide for Conducting Risk Assessments (referenced by ISO/IEC 27005:2011)
§  800-55 Rev. 1 - Performance Measurement Guide for Information Security (referenced by ISO/IEC 27004:2009)
§  800-12 - An Introduction to Computer Security: The NIST Handbook (referenced by ISO/IEC 27005:2011)

Slide 163

Slide 163 text

References
§  Cloud Security
§  NIST SP: http://csrc.nist.gov/publications/PubsSPs.html
§  800-146 - Cloud Computing Synopsis and Recommendations
§  800-145 - The NIST Definition of Cloud Computing
§  800-144 - Guidelines on Security and Privacy in Public Cloud Computing
§  800-125 - Guide to Security for Full Virtualization Technologies
§  Cloud Security Alliance: Security Guidance
§  https://cloudsecurityalliance.org/guidance/
§  ENISA Cloud Computing Risk Assessment
§  http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment

Slide 164

Slide 164 text

Conclusion
§  The primary objectives
§  Align information security objectives with business objectives
§  Define roles and responsibilities
§  Integrate controls in a framework
§  Structure policies, standards, procedures and guidelines
§  Implement the ISMS according to the compliance framework of ISO/IEC 27001
§  Define an ISMS measurement programme
§  Improve the ISMS according to measurement results

Slide 165

Slide 165 text

Conclusion
§  Organizations must be cyber threat driven, not compliance driven
§  Many organizations still continue to be compliance driven as the major driver for their security practices and safeguards
§  Many organizations do the minimum necessary to meet regulatory or other industry compliance requirements
§  Several of the financial institutions breached in the last couple of years were PCI compliant, yet they were still breached