to... § Protect information assets § Satisfy regulatory requirements § Reduce risks and legal exposure § Support business functions § Usually, information security is seen as an impediment to getting the work done § Compliance helps to boost security § But compliance ≠ security
scope § Physical environments § Processes § Depends on the relationship with other business areas/partners § Depends on business threats § Different regulation for different threats ¨ e.g.: PCI-DSS and HITECH
§ “This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.” § “Compliance with a British Standard cannot confer immunity from legal obligations.”
the 2012 "HIMSS Analytics Report: Security of Patient Data," increasingly strict regulation and increased compliance from providers haven't slowed an increase in breaches over the past six years.” ¨ http://www.csoonline.com/article/704577/compliance-isn-t-security-but-companies-still-pretend-it-is-according-to-survey Overview
to the survey, which included CIOs, compliance officers and HIMs, expressed confidence that they are better prepared for attempted data theft -- in spite of evidence to the contrary -- because they are in better compliance with regulations like the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.” § “The results of that are predictable. The number of organizations reporting breaches went from 13 percent in 2008 to 19 percent in 2010 to 27 percent in the past year [2011].” Overview
survey did [find] some organizational flaws as well, specifically in confusion over who is really responsible for data security. The respondents' answers ranged through CIO, CSO, CEO, HIM and chief compliance officer.” Overview CSO: Chief Security Officer HIM: Health Information Management
PhD. § Social Psychology, Northwestern University Thesis: “Hoping for the Best or Preparing for the Worst? Regulatory Focus and Preferences for Optimism and Pessimism in Predicting Personal Outcomes” ¨ http://psychcentral.com/blog/archives/2011/03/17/pessimism-vs-optimism/
PhD. § “To cope with this unpredictability some of us choose to think optimistically because it helps motivate us to try, try again. For others a pessimistic mindset performs the same function. By thinking about what might go wrong it helps protect us against when things do go wrong.” § “In two initial studies optimists were found to have a ‘promotion focus’. In other words they preferred to think about how they could advance and grow. Pessimists, meanwhile, were more preoccupied with security and safety.”
Today: “Having realistic expectations may actually be a recipe for happiness” § Wikipedia: “Pessimism is a state of mind in which one anticipates negative outcomes...” § The Uses and Abuses of Optimism and Pessimism § http://www.psychologytoday.com/articles/201110/the-uses-and-abuses-optimism-and-pessimism ¨ Ctrl+F: “And pessimism?”
Uses and Abuses of Optimism and Pessimism § “And pessimism? When is it useful? Surprisingly, it can be most helpful at the moments when we might seem to have the least to feel pessimistic about. When we've been successful before and have a realistic expectation of being successful again, we may be lulled into laziness and overconfidence. Pessimism can give us the push that we need to try our best. This phenomenon, known as "defensive pessimism," involves imagining all the things that might go wrong in the future. It spurs us to take action to head off the potential catastrophes we conjure and prevent them from happening. (…)”
Estimate the risks involved § Determine your risk appetite § Define roles and responsibilities § Build a Risk Assumption Model § Make Risk Management a business process
the asset affected by a single occurrence of the incident, and is used when the asset sustains damage. § For example, in case of fire it may be estimated that 90% of the asset will be destroyed; the EF is then 90% (0.9) § SLE (Single Loss Expectancy) § SLE is the expected loss from a single materialization of the risk with business impact § Depending on the threat, EF may not apply, in which case the loss caused by the threat is used directly: SLE = Financial value of the asset × EF or SLE = Loss caused by the threat Risk-based prioritization
number of occurrences of a security incident in a given period (usually a year, as the name implies) § ALE (Annualized Loss Expectancy) § ALE is the loss caused by a single occurrence times the number of occurrences per year ARO = Number of occurrences / evaluated period (in years) ALE = SLE × ARO Risk-based prioritization
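Worked example of the quantitative method above, added here and not part of the original slides. It ranks three constructed risks by ALE; the asset values, exposure factors and occurrence counts are assumed figures, and the `worth_it` cost/benefit check is an addition to show how the ALE a control removes compares with its annual cost. Note how a frequent, cheap event can outrank a rare, catastrophic one.

```python
"""Risk-based prioritisation with SLE / ARO / ALE (added example).

The asset values, exposure factors and occurrence counts below are
constructed for illustration; they are not figures from the slides.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Risk:
    name: str
    asset_value: float                 # financial value of the asset affected
    exposure_factor: Optional[float]   # fraction of the asset lost per incident (0..1), or None
    direct_loss: Optional[float]       # used instead of asset_value * EF when EF does not apply
    occurrences: int                   # incidents observed in the evaluated period
    period_years: float                # length of the evaluated period, in years

    def sle(self) -> float:
        """Single Loss Expectancy: asset value x EF, or the loss the threat causes directly."""
        if self.exposure_factor is not None:
            if not 0.0 <= self.exposure_factor <= 1.0:
                raise ValueError("EF must be between 0 and 1")
            return self.asset_value * self.exposure_factor
        if self.direct_loss is None:
            raise ValueError("need either an exposure factor or a direct loss")
        return self.direct_loss

    def aro(self) -> float:
        """Annualized Rate of Occurrence: occurrences / evaluated period (in years)."""
        if self.period_years <= 0:
            raise ValueError("evaluated period must be positive")
        return self.occurrences / self.period_years

    def ale(self) -> float:
        """Annualized Loss Expectancy: SLE x ARO."""
        return self.sle() * self.aro()


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Return the risks sorted by ALE, highest first (the treatment order)."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def worth_it(risk: Risk, control_cost_per_year: float, ale_after: float) -> bool:
    """Cost/benefit check: a control pays off when the ALE it removes exceeds its annual cost."""
    return (risk.ale() - ale_after) > control_cost_per_year


# Constructed sample risks (assumed figures).
SAMPLE_RISKS = [
    # Server-room fire: 90 % of a 500k asset destroyed, seen once in 20 years.
    Risk("Server room fire", 500_000, 0.9, None, 1, 20),
    # Laptop theft: EF is not meaningful, so the per-event loss is used directly; 6 thefts in 2 years.
    Risk("Laptop theft", 0, None, 4_000, 6, 2),
    # Website defacement: 5 % of the site's value per incident, 3 incidents a year.
    Risk("Website defacement", 200_000, 0.05, None, 3, 1),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_RISKS):
        print(f"{r.name:22s} SLE={r.sle():>10,.0f}  ARO={r.aro():5.2f}  ALE={r.ale():>10,.0f}")
```

The ranking puts website defacement (ALE 30,000) ahead of the fire (ALE 22,500) even though the fire's single loss is 45 times larger, which is exactly the point of annualising: prioritisation follows expected yearly loss, not worst-case impact alone.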
processes § Determine the critical business processes, the impact of their disruption and the estimated tolerable unavailability, which shall reflect the Maximum Tolerable Downtime (MTD) for the mission of the Organization § Identify necessary resources § Resources needed to restart operations, including environment, personnel, equipment, software, information, etc. § Identify recovery priorities § Resources shall be related to business processes, and priority levels may be established for recovery
know that we know. There are known unknowns; that is to say, there are things that we now know we don't know. But there are also unknown unknowns – there are things we do not know we don’t know. (…) it is the latter category that tend to be the difficult ones. — Donald Rumsfeld United States Secretary of Defense,12.02.2002 It ain’t what you don’t know that gets you into trouble. It’s what you know for sure that just ain’t so. — Mark Twain
Example: risk matrix (figure, not reproduced). Impact scale: Insignificant, Minor, Major, Disastrous. Likelihood scale: Insignificant, Unlikely, Likely, Almost Certain. Risks plotted on the matrix: PII disclosed; Rogue WiFi; Website defacement; Server unavailable; Missing contractual clauses.
on your team § Members of the core security team § Need to have a risk/reward frame of mind § An exceptional set of skills § Be good at risk assessments § Understand the business and its processes § Should be able to partner with the business, offer alternatives and speak to issues beyond those associated with security § They are not easy to find § It’s usually a matter of training them, and mentoring is often the best way to go about it § Choosing the wrong people can cost a lot § They can take an inordinate amount of time to do the work; § Or at worst, cause you to redo their work
of general management expertise or education.” § “(…) it may be useful to make an effort to educate senior management in the areas of regulatory compliance and the organization's dependence on its information assets. It may also be useful to document risks and potential impacts faced by the organization, making sure senior management is informed of the results and finds them acceptable.” ISACA CISM Review Manual 2009, Section 4.5
program § A security strategy with senior management acceptance and support § A security strategy intrinsically linked with business objectives § Security policies that are complete and consistent with strategy § Clear assignment of roles and responsibilities § Information assets that have been identified and classified by criticality and sensitivity § Tested functional, incident and emergency response capabilities § Tested business continuity/disaster recovery plans § Appropriate security approval in change management processes § …
the security program § Educate and direct senior management § Be familiar with the standards (e.g.: ISO 27000 family) § Have knowledge of risk management § Take into consideration several different technologies § Maintain relationships with other groups § ISO/IEC 27001:2013 § A.6.1.1 Information security roles and responsibilities ¨ All information security responsibilities shall be defined and allocated Roles and responsibilities
manager should clearly define the roles, responsibilities, scope and activities of the information security steering committee. -- ISACA CISM Manual 2009 Roles and responsibilities
Security Manager writes and publishes § Information Security Manager conducts classes and publishes announcements § Information Security Manager monitors industry practices and makes recommendations § Information Security Manager is the point of escalation for issues that may require investigation § Information Security Manager reviews critical configuration on a periodic basis, and maintains metrics on security configuration and logs of user activities § Information Security Manager contributes to secure architecture, design and engineering strategy Source: ISACA CISM Manual
Figure 2 – Governance process of information security (diagram, not reproduced). Source: ISO/IEC 27014:2013. Governance processes shown: Evaluate, Direct, Monitor, Communicate, Assure; flows labelled Strategy/Policy, Proposals, Performance; actor shown: Governing Body.
and financial management § Licensing (annuity) § Training (budget surplus) § Team management § Project and program management § Operation and services management § Metrics implementation § IT life cycle management
assets and their criticality on the business (through Risk Analysis and Business Impact Analysis) § Definition/validation of key assets that must be protected § SOX: audit committee for financial controls § Leadership through information security examples § Integration and cooperation with business processes owners Roles and responsibilities
IS-related activities § Determine the level of involvement in information security (called the tone at the top; it is reflected in the organization's culture and is an unofficial indicator of how risk management will permeate business processes) § Receives guidance from the Information Security Manager § ISO/IEC 27001:2013 ¨ A.5.1 Management direction for information security ¨ To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. Roles and responsibilities
§ 5.1 Leadership and commitment ¨ Top management shall demonstrate leadership and commitment with respect to the information security management system § 5.3 Organization roles, responsibilities and authorities ¨ Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated. Roles and responsibilities
information security ¨ A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. § ISO/IEC 27005:2011 § Section 6, page 9 ¨ The risk acceptance activity has to ensure residual risks are explicitly accepted by the managers of the organization. This is especially important in a situation where the implementation of controls is omitted or postponed, e.g. due to cost. Roles and responsibilities
Security techniques — Governance of information security § Section 5.3.3 Direct ¨ “Direct” is the governance process, by which the governing body gives direction about the information security objectives and strategy that need to be implemented. ¨ To accomplish the “Direct” process, the governing body should: ¨ determine the organisation’s risk appetite, ¨ approve the information security strategy and policy, ¨ allocate adequate investment and resources. ¨ To accomplish the “Direct” process, executive management should: ¨ develop and implement information security strategy and policy, ¨ align information security objectives with business objectives, ¨ promote a positive information security culture. Roles and responsibilities
are involved § Consensus when defining priorities and tackling risks § Communication and alignment of security with business objectives § Roles and responsibilities assigned by the Information Security Manager, so that the committee stays within its scope Roles and responsibilities
11 ¨ Risk acceptance criteria may differ according to how long the risk is expected to exist, e.g. the risk may be associated with a temporary or short term activity. Risk acceptance criteria should be set up considering the following: ¨ Business criteria ¨ Legal and regulatory aspects ¨ Operations ¨ Technology ¨ Finance ¨ Social and humanitarian factors Roles and responsibilities
of primary assets ¨ To describe the scope more accurately, this activity consists in identifying the primary assets (business processes and activities, information). This identification is carried out by a mixed work group representative of the process (managers, information systems specialists and users). Roles and responsibilities
good relationship with IT § The Information Security Manager shall comply with IS standards while trying to achieve performance and efficiency (IT) § There should be segregation of duties between IT and IS § Usually, IT designs, implements and operates security controls (IT Security) Roles and responsibilities
according to information security requirements § Escalate security incidents § Shall be members of the Steering Committee § Make sure IS requirements are taken into consideration from the beginning of product development § Relationship § The Information Security Manager should keep in touch with the Business Unit Manager to make sure IS is involved in product development Roles and responsibilities
Propagate security policies § Relationship § The IS Manager should keep in touch with HR (and Legal) and get them involved in case of employee monitoring and suspected misuse of resources § ISO/IEC 27001:2013 § A.7.2.2 Information security awareness, education and training ¨ Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization. Roles and responsibilities
inter-organizational communications § Section 4.1, Introduction § ISO/IEC 27002:2013 defines controls that cover the exchange of information between organizations on a bilateral basis, and also controls for the general distribution of publicly available information. However, in some circumstances there exists a need to share information within a community of organizations where the information is sensitive in some way and cannot be made publicly available other than to members of the community. Roles and responsibilities
§ Framework for Improving Critical Infrastructure Cybersecurity ¨ “(…) Cybersecurity Framework – a set of industry standards and best practices to help organizations manage cybersecurity risks.” ¨ “‘prioritized, flexible, repeatable, performance-based, and cost- effective approach’ to manage cybersecurity risk for those processes, information, and systems directly involved in the delivery of critical infrastructure services.” § https://www.nist.gov/cyberframework
relationships according to ISO/IEC 15408:2005 (diagram, not reproduced). Nodes shown: Owners, Threat agents, Threats, Attack Vectors, Risks, Security Context (set of). Relations on the arrows: value, wish to minimise, impose, reduce, that may possess, that may be reduced by, that increase, may be aware of, that exploit, leading to, give rise to, wish to abuse and/or may damage, use, based on.
violate security policy and include such controls as access control enforcement, encryption and authentication § Detective § Warn of violations or attempted violations of security policy and include such controls as audit trails, intrusion detection methods and checksums § Corrective § Remediate vulnerabilities; backup restore procedures are a corrective measure § Compensatory § Compensate for increased risk by adding control steps that mitigate a risk; for example, adding a challenge-response component to weak access controls can compensate for the deficiency § Deterrent § Provide warnings that can deter potential compromises; for example, warning banners on login screens or offering rewards for the arrest of hackers
Directive on security of network and information systems (NIS Directive) ¨ https://ec.europa.eu/digital-single-market/en/network-and-information-security-nis-directive § ENISA ¨ http://www.enisa.europa.eu/ § CERT-EU ¨ https://cert.europa.eu/cert/plainedition/en/cert_about.html § Data Protection Framework § ePrivacy Directive ¨ https://ec.europa.eu/digital-single-market/en/online-privacy § General Data Protection Regulation ¨ http://ec.europa.eu/justice/data-protection/reform/index_en.htm
Information Security § Information security and privacy standards for SMEs § https://www.enisa.europa.eu/publications/standardisation-for-smes/ § Governance framework for European standardisation § https://www.enisa.europa.eu/publications/policy-industry-research § Definition of Cybersecurity - Gaps and overlaps in standardisation § https://www.enisa.europa.eu/publications/definition-of-cybersecurity § Risk Management - Principles and Inventories for Risk Management / Risk Assessment methods and tools § https://www.enisa.europa.eu/publications/risk-management-principles-and-inventories-for-risk-management-risk-assessment-methods-and-tools/
Data Protection Act 1998 § Computer Misuse Act 1990 § The Human Rights Act 1998 § The Regulation of Investigatory Powers Act (RIPA) 2000 § The Copyright, Designs and Patents Act 1988 § The Freedom of Information Act 2000 (public sector) § Privacy and Electronic Communications Regulations 2003 § Terrorism Act 2006 § US Laws § Gramm-Leach-Bliley Act (GLBA) § The Health Insurance Portability and Accountability Act (HIPAA) § California Senate Bill 1386 § Online Personal Protection Act § Sarbanes-Oxley Act (SOX) § Federal Information Security Management Act (FISMA) Laws affect the application of frameworks and standards
the next decade § Works in sync with ISO 9001, ISO 14001, ISO/IEC 20000-1 among others for a better integration of management systems § Implements Plan-Do-Check-Act (PDCA) model § Aligned with OECD recommendations for digital security risk management
§ (IOS in English, OIN in French for Organisation internationale de normalisation), our founders decided to give it the short form ISO. ISO is derived from the Greek isos, meaning equal. § IEC - International Electrotechnical Commission § www.iec.ch § The IEC is one of three global sister organizations (IEC, ISO, ITU) that develop International Standards for the world. § TR: Technical Report (ISO) § An informative document containing information of a different kind from that normally published in a normative document
and Security Incident Management Source: ISO/IEC 27013:2015 - Information technology -- Security techniques -- Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
Vocabulary standard • 27001 – Information security management systems - Requirements • 27006 – Requirements for bodies providing audit and certification of information security management systems • 27009 - Information technology -- Security techniques -- Sector-specific application of ISO/IEC 27001 -- Requirements Requirement standards • 27002 – Code of practice for information security controls • 27003 – Information security management system implementation guidance • 27004 – Information security management - Measurement • 27005 – Information security risk management • 27007 – Guidelines for information security management systems auditing • TR 27008 – ISMS Controls Audit Guidelines • 27013 – Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 • 27014 – Governance of information security • TR 27016 – Information security management – Organizational economics Guideline standards
for inter-sector and inter- organizational communications • 27011 – Information security management guidelines for telecommunications organizations based on ISO/IEC 27002 • TR 27015 – Information security management guidelines for financial services • TS 27017 – Guidelines on information security controls for the use of cloud computing services based on ISO/IEC 27002 • 27018 - Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors • TR 27019 - Information technology -- Security techniques -- Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry Sector-specific guideline standards • 2703x • 2704x Control-specific guideline standards
-- Security techniques -- Information security management systems -- Requirements ISO/IEC 27002:2013 Information technology -- Security techniques -- Code of practice for information security controls ISO/IEC 27003:2010 Information technology -- Security techniques -- Information security management system implementation guidance ISO/IEC 27004:2016 Information technology -- Security techniques -- Information security management -- Monitoring, measurement, analysis and evaluation ISO/IEC 27005:2011 Information technology -- Security techniques -- Information security risk management ISO/IEC 27014:2013 Information technology -- Security techniques -- Governance of information security ISO/IEC 27031:2011 Information technology -- Security techniques -- Guidelines for information and communication technology readiness for business continuity ISO/IEC 27035-1:2016 Information technology -- Security techniques -- Information security incident management -- Part 1: Principles of incident management ISO/IEC 27035-2:2016 Information technology -- Security techniques -- Information security incident management -- Part 2: Guidelines to plan and prepare for incident response
guidelines ISO/TR 31004:2013 Risk management -- Guidance for the implementation of ISO 31000 IEC 31010:2009 Risk management -- Risk assessment techniques ISO Guide 73:2009 Risk management -- Vocabulary § ISO 31000 § “(…) ISO 31000 cannot be used for certification purposes, but does provide guidance for internal or external audit programmes.” -- iso.org
application of ISO/IEC 27001 -- Requirements ISO/IEC 27015:2012 Information technology -- Security techniques -- Information security management guidelines for financial services ISO/IEC 27011:2016 Information technology -- Security techniques -- Code of practice for Information security controls based on ISO/IEC 27002 for telecommunications organizations ISO/IEC TR 27019:2013 Information technology -- Security techniques -- Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry
security management -- Organizational economics ISO/IEC 27017:2015 Information technology -- Security techniques -- Code of practice for information security controls based on ISO/ IEC 27002 for cloud services ISO/IEC 27018:2014 Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors ISO 27799:2016 Health informatics -- Information security management in health using ISO/IEC 27002
and availability of information in Cyberspace ISO/IEC 27033-1:2015 Information technology -- Security techniques -- Network security -- Part 1: Overview and concepts ISO/IEC 27033-2:2012 Information technology -- Security techniques -- Network security -- Part 2: Guidelines for the design and implementation of network security ISO/IEC 27033-3:2010 Information technology -- Security techniques -- Network security -- Part 3: Reference networking scenarios -- Threats, design techniques and control issues ISO/IEC 27033-4:2014 Information technology -- Security techniques -- Network security -- Part 4: Securing communications between networks using security gateways
security for supplier relationships -- Part 1: Overview and concepts ISO/IEC 27036-2:2014 Information technology -- Security techniques -- Information security for supplier relationships -- Part 2: Requirements ISO/IEC 27036-3:2013 Information technology -- Security techniques -- Information security for supplier relationships -- Part 3: Guidelines for information and communication technology supply chain security ISO/IEC 27036-4:2016 Information technology -- Security techniques -- Information security for supplier relationships -- Part 4: Guidelines for security of cloud services
for identification, collection, acquisition and preservation of digital evidence ISO/IEC 27038:2014 Information technology -- Security techniques -- Specification for digital redaction ISO/IEC 27039:2015 Information technology -- Security techniques -- Selection, deployment and operations of intrusion detection and prevention systems (IDPS) ISO/IEC 27040:2015 Information technology -- Security techniques -- Storage security
on assuring suitability and adequacy of incident investigative method ISO/IEC 27042:2015 Information technology -- Security techniques -- Guidelines for the analysis and interpretation of digital evidence ISO/IEC 27043:2015 Information technology -- Security techniques -- Incident investigation principles and processes ISO/IEC 27050-1:2016 Information technology -- Security techniques -- Electronic discovery -- Part 1: Overview and concepts
ISO standards development stages:
§ Work Item – stage where initial feasibility is assessed
§ NP (New Proposal) – stage where formal scoping takes place
§ WD (Working Draft) – the developmental phase
§ CD (Committee Draft) – the quality control stage
§ FCD (Final Committee Draft) – ready for final approval
§ DIS (Draft International Standard) – international bodies vote formally on a Standard, submitting comments
§ FDIS (Final Draft International Standard) – the Standard is ready to publish
§ IS (International Standard) – the Standard is published
ISO Deliverables: http://www.iso.org/iso/home/standards_development/deliverables-all.htm
Part 3: Application security management process ISO/IEC 27034-5 DIS Information technology -- Security techniques -- Application security -- Part 5: Protocols and application security controls data structure ISO/IEC 27034-7 DIS Information technology -- Security techniques -- Application security -- Part 7: Application security assurance prediction model § Under development
— Guidelines for information security management systems auditing § 5.4.2.1 Defining the objectives, scope and criteria for an individual audit (Practical help – Examples of audit criteria) § 4) measurement of the effectiveness of the implemented controls, and that these measurements have been applied as defined to measure control effectiveness (see ISO/IEC 27004); § Annex A § Optional additional standards can be used to guide the auditee or auditor. These are listed as “Relevant Standards” in the tables below. Auditors are reminded to base nonconformities solely on the audit criteria and the requirements of ISO/IEC 27001.
NIST SP 800-55 Revision 1, Performance Measurement Guide for Information Security § Information security measures are used to facilitate decision making and improve performance and accountability through the collection, analysis, and reporting of relevant performance-related data. The purpose of measuring performance is to monitor the status of measured activities and facilitate improvement in those activities by applying corrective actions based on observed measurements.
NIST SP 800-55 Revision 1, Performance Measurement Guide for Information Security § Information security measures must yield quantifiable information for comparison purposes, apply formulas for analysis, and track changes using the same points of reference. Percentages or averages are most common. Absolute numbers are sometimes useful, depending on the activity that is being measured.
accountability § Demonstrate compliance with laws, rules and regulation § Provide quantifiable inputs for resource allocation decisions § Demonstrate and improve the effectiveness of information security investments § Maximize the effectiveness of the framework and its resources
be collected, stored, compiled and analyzed § Meaningful § Shall make sense to the receiver and be relevant to the objectives § Actionable § Shall point in the right direction § Unambiguous § Confusing information is useless § Reliable § A wrong target is worse than no target at all § Timely § Shall be available when needed Monitoring and Measurement
§ The organization shall determine: ¨ a) what needs to be monitored and measured, including information security processes and controls; ¨ b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results; ¨ NOTE The methods selected should produce comparable and reproducible results to be considered valid. Monitoring and Measurement Requirement
Information security management — Measurement § Section 0.1 General § The Information Security Measurement Programme will assist management in identifying and evaluating noncompliant and ineffective ISMS processes and controls and prioritizing actions associated with improvement or changing these processes and/or controls. § It may also assist the organization in demonstrating ISO/IEC 27001 compliance and provide additional evidence for management review and information security risk management processes. Monitoring and Measurement
to achieve them § The organization shall establish information security objectives at relevant functions and levels. The information security objectives shall: ¨ b) be measurable (if practicable); § 9.1 Monitoring, measurement, analysis and evaluation § The organization shall evaluate the information security performance and the effectiveness of the information security management system. Monitoring and Measurement Requirement
Management is responsible for establishing the Information Security Measurement Programme, involving relevant stakeholders (see 7.5.8) in the measurement activities, accepting measurement results as an input into management review and using measurement result in improvement activities within the ISMS. Monitoring and Measurement Management responsibilities
training, awareness, and competence § Management should ensure that: ¨ a) The stakeholders (see 7.5.8) are trained adequately for achieving their roles and responsibilities in the implemented Information Security Measurement Programme, and appropriately qualified to perform their roles and responsibilities; and ¨ b) The stakeholders understand that their duties include making suggestions for improvements in the implemented Information Security Measurement Programme. Monitoring and Measurement Management responsibilities
Governance of information security § Section 5.3.4 Monitor § “Monitor” is the governance process that enables the governing body to assess the achievement of strategic objectives. § To accomplish the “Monitor” process, the governing body should: ¨ assess the effectiveness of information security management activities, § To accomplish the “Monitor” process, executive management should: ¨ select appropriate performance metrics from a business perspective, ¨ provide feedback on information security performance results to the governing body including performance of action previously identified by governing body and their impacts on the organisation Monitoring and Measurement Responsibilities
Figure 2 – Governance process of information security (diagram, not reproduced; source: ISO/IEC 27014:2013). Actors shown: Governing Body, (Executive) Management, External Stakeholders. Processes: Evaluate, Direct, Monitor, Communicate, Assure; flows labelled Strategy/Policy, Proposals, Performance.
address risks and opportunities ¨ When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: ¨ 6.1.1 General ¨ e) how to ¨ 1) integrate and implement the actions into its information security management system processes; and ¨ 2) evaluate the effectiveness of these actions. Monitoring and Measurement Process Input
shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. § The management review shall include consideration of: § c) feedback on the information security performance, including trends in: ¨ 2) monitoring and measurement results; § e) results of risk assessment and status of risk treatment plan; Monitoring and Measurement Process Output
review shall include consideration of: § f) opportunities for continual improvement. ¨ The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. ¨ The organization shall retain documented information as evidence of the results of management reviews. Monitoring and Measurement Process Output
Evaluation and Improvement, Overview § Management should specify the frequency of such evaluation, plan periodic revisions and establish the mechanisms for making such revisions possible (see clause 7.2 of ISO/IEC 27001:2005). Monitoring and Measurement Improvement
vulnerability management approach poses the following questions: § How many technical or operational vulnerabilities exist? § How many have been resolved? § What is the average time to resolve them? § How many recurred? § How many systems (critical or otherwise) are impacted by them? § How many have the potential for external exploit? § How many have the potential for gross compromise (e.g., remote privileged code execution, unauthorized administrative access, bulk exposure of sensitive printed information)? Monitoring and Measurement
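The vulnerability-management questions above can be answered mechanically from a scanner or ticketing export. The following Python is an added example, not part of the deck or of any ISO/ISACA material; the record layout, field names and the sample findings are constructed assumptions. Beyond the slide's questions it also reports the age of the oldest open finding, a natural companion to the average time to resolve.

```python
"""Vulnerability-management metrics computed from a findings export.

Added example (not from the slide deck). The Finding record shape and the
sample data below are constructed assumptions, not real scan output.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from statistics import mean


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance on one system (assumed export layout)."""
    finding_id: str
    host: str
    critical_asset: bool   # host appears in the critical-asset inventory
    vuln_id: str           # scanner check / advisory identifier (placeholder values below)
    external: bool         # reachable from untrusted networks: external-exploit potential
    gross: bool            # remote privileged code exec, admin access or bulk data exposure
    opened: date
    closed: date | None    # None while the finding is still open


# Constructed sample export; VULN-* identifiers are placeholders.
SAMPLE_FINDINGS = [
    Finding("F1", "web-01", True, "VULN-A", True, True, date(2024, 1, 3), date(2024, 1, 10)),
    Finding("F2", "web-01", True, "VULN-A", True, True, date(2024, 2, 15), None),  # same issue back after a fix
    Finding("F3", "db-01", True, "VULN-B", False, True, date(2024, 1, 5), date(2024, 1, 20)),
    Finding("F4", "kiosk-07", False, "VULN-C", False, False, date(2024, 1, 8), None),
    Finding("F5", "vpn-01", True, "VULN-D", True, False, date(2024, 1, 2), date(2024, 1, 4)),
]


def count_recurrences(findings: list[Finding]) -> int:
    """A recurrence is the same vuln_id reopened on the same host after an
    earlier instance was closed (e.g. a patch undone by a rebuild from an old image)."""
    last_closed: dict[tuple[str, str], date | None] = {}
    recurred = 0
    for f in sorted(findings, key=lambda x: x.opened):
        key = (f.host, f.vuln_id)
        prev = last_closed.get(key)
        if prev is not None and f.opened > prev:
            recurred += 1
        last_closed[key] = f.closed
    return recurred


def vulnerability_metrics(findings: list[Finding], as_of: date) -> dict:
    """Answer the slide's vulnerability-management questions for a reporting date."""
    open_f = [f for f in findings if f.closed is None]
    closed_f = [f for f in findings if f.closed is not None]
    days_to_resolve = [(f.closed - f.opened).days for f in closed_f]
    return {
        "total": len(findings),
        "open": len(open_f),
        "resolved": len(closed_f),
        "avg_days_to_resolve": round(mean(days_to_resolve), 1) if days_to_resolve else None,
        "recurred": count_recurrences(findings),
        "systems_impacted": len({f.host for f in open_f}),
        "critical_systems_impacted": len({f.host for f in open_f if f.critical_asset}),
        "open_external_exploitable": sum(1 for f in open_f if f.external),
        "open_gross_compromise": sum(1 for f in open_f if f.gross),
        "oldest_open_days": max(((as_of - f.opened).days for f in open_f), default=0),
    }


def sample_report() -> dict:
    """Metrics for the constructed sample as of 1 March 2024."""
    return vulnerability_metrics(SAMPLE_FINDINGS, date(2024, 3, 1))


if __name__ == "__main__":
    for name, value in sample_report().items():
        print(f"{name:28s} {value}")
```

The recurrence check keys on (host, vuln_id) rather than on the finding ID, because scanners assign a fresh finding ID each time an issue reappears; counting by key is what makes "how many recurred?" answerable at all.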
management approach is concerned with the following questions: § How many high-, medium- and low-risk issues are unresolved? What is the aggregate annual loss expectancy (ALE)? § How many were resolved during the reporting period? If available, what is the aggregate ALE that has been eliminated? § How many were completely eliminated vs. partially mitigated vs. transferred? § How many were accepted because neither mitigation nor compensation was tenable? § How many remain open because of inaction or lack of cooperation? Monitoring and Measurement
prevention approach is concerned with the following questions: § Were there loss events during the reporting period? What is the aggregate loss including investigation, recovery, data reconstruction and customer relationship management? § How many events were preventable (i.e., risk or vulnerability identified prior to the loss event)? § What was the average amount of time taken to identify loss incidents? To initiate incident response procedures? To isolate incidents from other systems? To contain event losses? Monitoring and Measurement
§ Qualitative measures § Do risk management activities occur as scheduled? § Have incident response and business continuity plans been tested? § Are asset inventories, custodianships, valuations and risk analyses up to date? § Is there consensus among information security stakeholders as to acceptable levels of risk to the organization? § Do executive management oversight and review activities occur as planned?
be revised by Steering Committee § Is there documented correlation between key organizational milestones and the objectives of the information security management program? § How many information security objectives were successfully completed in support of organizational goals? § Were there organizational goals that were not fulfilled because information security objectives were not met? § How strong is consensus among business units, executive management and other information security stakeholders that program objectives are complete and appropriate? Monitoring and Measurement
unacceptable when piloting passenger jets or operating nuclear power plants, since impacts are likely to be catastrophic and unacceptable § For any activity that is not life- or organization-threatening, the cost of compliance efforts must be weighed against the benefits and potential impacts Monitoring and Measurement
§ Probe and attack attempts repelled by network access control devices; qualify by asset or resource targeted, source geography and attack type § Probe and attack attempts detected by intrusion detection systems (IDS) on internal networks; qualify by internal vs. external source, resource targeted and attack type § Number and type of actual compromises; qualify by attack severity, attack type, impact severity and source of attack § Statistics on viruses, worms and other malware identified and neutralized; qualify by impact potential, severity of larger Internet outbreaks and malware vector § Amount of downtime attributable to security flaws and unpatched systems § Number of messages processed, sessions examined and kilobytes (KB) of data examined by IDS Monitoring and Measurement
§ Individual technical mechanisms have been tested to verify control objectives and policy enforcement. § The security architecture is constructed of appropriate controls in a layered fashion. § Control mechanisms are properly configured and monitored in real-time, self-protection implemented and information security personnel alerted to faults. § All critical systems stream events to information security personnel or to event analysis automation tools for real-time threat detection. Monitoring and Measurement
§ 001-1: Information Security Indicators (ISI); Indicators (INC); Part 1: A full set of operational indicators for organizations to use to benchmark their security posture ¨ http://www.etsi.org/deliver/etsi_gs/ISI/001_099/00101/01.01.02_60/gs_ISI00101v010102p.pdf § 001-2: Information Security Indicators (ISI); Indicators (INC); Part 2: Guide to select operational indicators based on the full set given in part 1 ¨ http://www.etsi.org/deliver/etsi_gs/ISI/001_099/00102/01.01.02_60/gs_ISI00102v010102p.pdf Monitoring and Measurement
address information security and therefore often view it as a marginally important issue that adds cost with little value § These views often reflect misunderstanding of the organization's dependence on information systems, the threat and risk environment, or the impact that the organization faces or may be unknowingly experiencing § There are always cultural and organizational challenges in any job function, and the path is not cleared for the information security manager simply by virtue of gaining senior management support Source: ISACA CISM Review Manual
as industry statistics, organizational impact and dependency analyses, and reviews of common threats to the organization's specific information processing systems. § In addition, management may require guidance in what is expected of them and approaches that industry peers are taking to address information security. Even if initial education does not result in immediate strengthening of support, ongoing education should still be conducted to develop awareness of security needs. Source: ISACA CISM Review Manual Challenges
security investments § Security being viewed as a low-value cost centre § Management not conceptually understanding where existing money is going § The organizational need for a security investment not being understood § The need for more awareness of industry trends in security investment Source: ISACA CISM Review Manual Challenges
other organizational units (e.g., product development, internal audit, information systems) to implement needed security program components § Improving the efficiency of existing information security program components § Working with the information security steering committee to reprioritize security resource assignments and providing senior management with analysis of which security components will become under-resourced and the risk implications Source: ISACA CISM Review Manual Challenges
or accepted is not likely to be followed § Most people are willing to live within the boundaries if they know what they are § Policies and their related standards must be openly published and made readily accessible to the impacted community and their managers.
requirements for people, processes and technology § To be relevant, standards must be set at the strategic, management and operational levels § Standards may need to be changed in response to changing threats, new technologies, additional regulatory requirements or when baselines no longer provide adequate levels of protection
processes throughout the enterprise are documented in procedures and reviewed to ensure compliance with standards § Procedures must be clear and unambiguous, and terms must be exact. For example, the words "must," "shall" and "will" shall be used for any task that is mandatory § The word "should" must be used to mean a preferred action that is not mandatory. The terms "may" or "can" must only be used to denote a purely discretionary action
be helpful in executing the procedures § This can include dependencies, suggestions and examples, narrative clarifying the procedures, background information that may be useful, tools that can be used, etc.
audience (senior management, business managers, IT staff, users)? § What is the intended message (policies, procedures, recent events)? § What is the intended result (improved policy compliance, behavioral change, better practices)? § What communication method will be used (computer- based training [CBT], all-hands meeting, intranet, newsletters, etc.)? § What is the organizational structure and culture?
to demonstrate due diligence § Encourages § Efficient management of security costs § Compliance with laws and regulation § Interoperability with partners due to a common set of guidance § Increases IS awareness among employees, customers, vendors, etc. § Increases the alignment between IS and business § Provides a process framework for IS implementation § Helps to determine IS status and the level of compliance with standards and policies
due to § The size of the Organization and the physical/logical scope of certification § Current maturity level of ISMS § The gap between current state and desired state of controls § Internal capacity to develop the ISMS and close identified gaps § How quickly the certificate is necessary
in 14 groups and 35 control objectives; the 2005 standard had 133 controls in 11 groups § A.5: Information security policies (2 controls) § A.6: Organization of information security (7 controls) § A.7: HR security (6 controls that are applied before, during, or after employment) § A.8: Asset management (10 controls) § A.9: Access control (14 controls) § A.10: Cryptography (2 controls) § A.11: Physical and environmental security (15 controls) § A.12: Operations security (14 controls) § A.13: Communications security (7 controls) § A.14: System acquisition, development and maintenance (13 controls) § A.15: Supplier relationships (5 controls) § A.16: Information security incident management (7 controls) § A.17: Information security aspects of business continuity mgmt. (4 controls) § A.18: Compliance; with internal requirements, such as policies, and with external requirements, such as laws (8 controls)
Phase 1: Scope definition, Risk assessment, Risk Treatment Plan, Gap assessment, Remediation plan for implementation in Phase 2, Statement of Applicability, selection of the ISO certification body § Phase 2: Gap resolution, ISMS development, risk management committee, incident response, ISMS internal audit § Phase 3: Independent tests of the ISMS against the requirements specified in ISO/IEC 27001 (certification) § Phase 4: Follow-up reviews and periodic audits
system § The organization shall establish, implement, maintain and continually improve an information security management system, in accordance with the requirements of this International Standard.
[Table: alignment of the Plan-Do-Check-Act cycle with the ISO/IEC 27005 risk management process. Plan: establishing the context, risk assessment, developing risk treatment plan, risk acceptance. Do: implementation of risk treatment plan. Act: …improve the Information Security Risk Management Process.] Certification ISO/IEC 27005:2011 — Information technology — Security techniques — Information security risk management
[Figure: ISO/IEC 27003 ISMS project timeline, clauses 5 to 9, each activity with its outputs]
§ 5 Obtaining management approval for initiating an ISMS project → Management approval for initiating ISMS project
§ 6 Defining ISMS scope, boundaries and ISMS policy → The ISMS scope and boundaries; ISMS policy
§ 7 Conducting information security requirements analysis → Information security requirements; Information assets; Results from information security assessment
§ 8 Conducting risk assessment and planning risk treatment → Written notice of management approval for implementing the ISMS; Risk treatment plan; SoA, including the control objectives and the selected controls
§ 9 Design the ISMS → Final ISMS project implementation plan
management approval for initiating an ISMS project § NOTE The output from Clause 5 (Documented management commitment to plan and implement an ISMS) and one of the outputs of Clause 7 (Document summarization of the information security status) are not requirements of ISO/IEC 27001:2005. However, the outputs from these activities are recommended input to other activities described in this document. ISO/IEC 27003:2010 (latest version) references ISO/IEC 27001:2005 (superseded)
of the information security management system § The organization shall determine the boundaries and applicability of the information security management system to establish its scope. (…) § The scope shall be available as documented information.
management shall establish an information security policy that: § a) is appropriate to the purpose of the organization; § b) includes information security objectives (see 6.2) or provides the framework for setting information security objectives; (…) § e) be available as documented information;
— Information security risk management § B.1.1 The identification of primary assets Primary assets are of two types: § 1 - Business processes (or sub-processes) and activities, for example ¨ Processes whose loss or degradation make it impossible to carry out the mission of the organization ¨ Processes that contain secret processes or processes involving proprietary technology ¨ Processes that, if modified, can greatly affect the accomplishment of the organization's mission ¨ Processes that are necessary for the organization to comply with contractual, legal or regulatory requirements
— Information security risk management § B.1.1 The identification of primary assets § 2 – Information More generally, primary information mainly comprises: ¨ Vital information for the exercise of the organization's mission or business ¨ Personal information, as can be defined specifically in the sense of the national laws regarding privacy ¨ Strategic information required for achieving objectives determined by the strategic orientations ¨ High-cost information whose gathering, storage, processing and transmission require a long time and/or involve a high acquisition cost
— Guidelines for information security management systems auditing § ISO/IEC 27001 does not state which risk assessment approach should be employed and any approach is acceptable as long as it meets the requirements in ISO/IEC 27001. § ISO/IEC 27005 provides guidance on risk assessment and risk management. The auditor should be aware that there are quantitative and qualitative methods, or any combination of the two, for risk assessment, and that it is up to the organization to decide which approach to use.
Avoid Risk • To cancel the operation avoids the risk but may not be the best option. • The objective is to make money with adequate risks.
Transfer Risk • Insurance won't transfer the risk. It will only transfer the risk of financial losses. • Health insurance won't transfer death risk. Life insurance? Not a chance. • Control cost is the cost of insurance.
Accept Risk • May not be so bad. Depends on factors and costs. • A soccer coach knows there is about a 50/50 chance of winning the match, even when managing the stronger team. • Risk is inherent to business.
treatment § The organization shall define and apply an information security risk treatment process to: (…) § d) produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c)) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A; (…) § The organization shall retain documented information about the information security risk treatment process. § NOTE The information security risk assessment and treatment process in this International Standard aligns with the principles and generic guidelines provided in ISO 31000[5].
Control | Applicable (Y/N) | Reason for selection / justification for exclusion | Control objective | Current status of control
A.5 Information security policies | | | |
A.5.1 Management direction for information security | | | |
A.5.1.1 Policies for information security | | | |
A.5.1.2 Review of the policies for information security | | | |
... | | | |
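Because 6.1.3 d) requires every Annex A control to be listed with a justification whether it is included or excluded, and because the controls chosen in the risk treatment plan are by definition "necessary", an SoA can be checked mechanically before the auditor sees it. The Python below is an added example, not part of the deck or of the standard; the Annex A subset, the risk identifiers, the row layout and the deliberately inconsistent sample rows are constructed assumptions.

```python
"""Consistency checks on a Statement of Applicability (SoA).

Added example, not from the deck. Cross-checks the SoA rows against the
Annex A control list and the risk treatment plan. All data below is
constructed; risk IDs and the four-control Annex A subset are assumptions.
"""
from __future__ import annotations

# Subset of ISO/IEC 27001:2013 Annex A used by the sample.
ANNEX_A = {
    "A.5.1.1": "Policies for information security",
    "A.5.1.2": "Review of the policies for information security",
    "A.10.1.1": "Policy on the use of cryptographic controls",
    "A.10.1.2": "Key management",
}

# Risk treatment plan: risk -> controls selected to treat it (hypothetical risks).
RISK_TREATMENT = {
    "R-01 lost laptop holding customer data": ["A.10.1.1", "A.10.1.2"],
    "R-02 outdated security policy": ["A.5.1.1", "A.5.1.2"],
}

# SoA rows in the layout of the table above; deliberately inconsistent:
# A.5.1.2 lacks a justification, A.10.1.1 is excluded although the risk
# treatment plan relies on it, and A.10.1.2 has no row at all.
SOA = [
    {"control": "A.5.1.1", "applicable": "Y", "justification": "Selected to treat R-02", "status": "implemented"},
    {"control": "A.5.1.2", "applicable": "Y", "justification": "", "status": "planned"},
    {"control": "A.10.1.1", "applicable": "N", "justification": "No cryptography in scope", "status": "n/a"},
]


def check_soa(annex_a: dict, risk_treatment: dict, soa: list[dict]) -> dict:
    """Return {'nonconformities': [...], 'notes': [...]}; empty lists mean the SoA is consistent."""
    nonconformities: list[str] = []
    notes: list[str] = []
    rows: dict[str, dict] = {}
    for row in soa:
        cid = row["control"]
        if cid in rows:
            nonconformities.append(f"{cid}: duplicate row")
        rows[cid] = row

    # 6.1.3 d): every Annex A control is listed, with a justification for
    # inclusion or for exclusion.
    for cid in annex_a:
        row = rows.get(cid)
        if row is None:
            nonconformities.append(f"{cid}: not listed in the SoA")
        elif not row["justification"].strip():
            kind = "inclusion" if row["applicable"] == "Y" else "exclusion"
            nonconformities.append(f"{cid}: no justification for {kind}")
    for cid in rows:
        if cid not in annex_a:
            nonconformities.append(f"{cid}: not an Annex A control")

    # 6.1.3 b)/c): controls selected by the risk treatment plan are necessary
    # and therefore cannot be marked not applicable.
    for risk, controls in risk_treatment.items():
        for cid in controls:
            row = rows.get(cid)
            if row is not None and row["applicable"] != "Y":
                nonconformities.append(f"{cid}: excluded in SoA but selected to treat {risk}")

    # Applicable-but-not-yet-implemented is legitimate (the SoA records status
    # either way) but should match an open item in the treatment plan.
    for cid, row in rows.items():
        if row["applicable"] == "Y" and row["status"] != "implemented":
            notes.append(f"{cid}: applicable but status is '{row['status']}'")

    return {"nonconformities": nonconformities, "notes": notes}


if __name__ == "__main__":
    result = check_soa(ANNEX_A, RISK_TREATMENT, SOA)
    for line in result["nonconformities"]:
        print("NONCONFORMITY", line)
    for line in result["notes"]:
        print("NOTE", line)
```

Run against the sample it reports three nonconformities (the missing A.10.1.2 row, the unjustified A.5.1.2 and the excluded-but-needed A.10.1.1) and one note; an SoA that passes these checks still has to be defended on the merits of each justification, which no script can do.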
C - Information about Internal Auditing ¨ In an ISMS audit, auditing results should be determined based on evidence. Therefore, some suitable length of time during the ISMS operations should be allocated to collecting suitable evidence.
Determining the feasibility of the audit ¨ Before the audit commences, the auditee should be asked whether any ISMS records are unavailable for review by the audit team, e.g. because they contain confidential or sensitive information. ¨ The person responsible for managing the audit programme should determine whether the ISMS can be adequately audited in the absence of these records. ¨ If the conclusion is that it is not possible to adequately audit the ISMS without reviewing the identified records, the person should advise the auditee that the audit cannot take place until appropriate access arrangements are granted and an alternative could be proposed to or by the auditee.
A: Practice Guidance for ISMS Auditing § Annex A - A.1 ISMS scope, policy and risk assessment approach (ISO/IEC 27001 4.1 & 4.2.1a) to c)) § Audit evidence includes: ¨ Scope of the ISMS (4.3.1 b)); ¨ Organization chart; ¨ Organization strategy; ¨ Business policy statement, business processes and activities; ¨ Documentation of roles and responsibilities; ¨ Network configuration; ¨ Sites information, including a list of branches, business, offices and facilities, and their floor layouts; ¨ Interfaces and dependencies that the business activities carried out in the scope of the ISMS have with those outside the scope; ¨ Relevant laws, regulations and contracts; ¨ Primary assets information; ¨ ISMS policy document. § ISO/IEC 27007:2011 (latest version) references ISO/IEC 27001:2005 (superseded)
A - A.4 Implementation and operation of the ISMS (4.2.2) § Audit evidence includes: ¨ Risk treatment plan and progress records on the plan projects; ¨ Documented procedures and records for control effectiveness measurements. § ISO/IEC 27007:2011 (latest version) references ISO/IEC 27001:2005 (superseded)
Rev. 1 - Guide for Conducting Risk Assessments (referenced by ISO/IEC 27005:2011) § 800-55 Rev. 1 - Performance Measurement Guide for Information Security (referenced by ISO/IEC 27004:2009) § 800-12, An Introduction to Computer Security: The NIST Handbook (referenced by ISO/IEC 27005:2011)
with business objectives § Define roles and responsibilities § Integrate controls in a framework § Structure policies, standards, procedures and guidelines § Implement the ISMS according to the compliance framework of ISO/IEC 27001 § Define an ISMS measurement programme § Improve the ISMS according to measurement results
driven § Many organizations still continue to be compliance driven as the major driver for their security practices and safeguards § Many organizations do the minimum necessary to meet regulatory or other industry compliance requirements § Several of the financial institutions breached in the last couple of years were PCI compliant, yet they were still breached