ISO 27001 ON AWS_ ANDREW WASILCZUK | he/him/his

$whoami Senior Consultant Information Security Manager Systems guy at heart

GETTING TO KNOW YOU_

ISO/IEC 27001 Defines requirements for an ISMS Non-prescriptive Risk based approach

WHY DO WE NEED ISO 27001?_

SUPPLIER QUESTIONNAIRES_

ANOTHER POLL_

WITH COMPLIANCE_ Questionnaires are easier to answer …or avoided altogether Sales cycle is shorter Close bigger deals Reduce operational risks

TWO PARTS_ ISO 27001 Mandatory ISMS Requirements ISO 27002 Optional Annex A Controls

WHERE DO I START?_

COMPLIANCE JOURNEY_ Establish an ISMS Conduct a risk assessment Choose Annex A controls Establish an AWS account strategy Treat the risks (or have a plan) Collect evidence Schedule your audit 1 6 2 3 4 5 7

AUTOMATED COMPLIANCE PLATFORMS_ TIP

Policy templates Risk register Asset management Evidence collection Easier audits Multiple standards Vulnerability management AWS integration Vulnerability management Security awareness training On-boarding/off-boarding flows Vendor assessments Access review Endpoint monitoring

RISK REDUCTION CYCLE_

IMPLEMENTING ANNEX A CONTROLS ON AWS_

THE SHARED RESPONSIBILITY MODEL_

8.15 LOGGING_ To record events, generate evidence, ensure the integrity of log information, prevent against unauthorized access, identify information security events that can lead to an information security incident and to support investigations. “

8.15 LOGGING DEPENDENCIES_ 5.25 Assessment and decision on info sec events 5.28 Collection of evidence 5.37 Privacy & protection of PII 8.10 Information deletion 8.11 Data masking 8.16 Monitoring activities 8.17 Synchronised time sources

8.15 LOGGING GUIDELINES_ Log structure & types of events to log Protected from de-activation (inc. by privileged users), Protected from deletion & modification Protected from failure of storage media Stored in-line with the data retention requirements Sensitive data in logs is protected Log analytics & anomalous behaviour detection

No content

8.15 LOGGING GUIDELINES_ Log structure & types of events to log Protected from de-activation (inc. by privileged users), Protected from deletion & modification Protected from failure of storage media Stored in-line with the data retention policy Sensitive data protection Log analytics & anomalous behaviour detection

No content

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "cloudtrail:StopLogging", "cloudtrail:DeleteTrail" ], "Resource": "*", "Effect": "Deny" } ] }

8.15 LOGGING GUIDELINES_ Log structure & types of events to log Protected from de-activation (inc. by privileged users), Protected from deletion & modification Protected from failure of storage media Stored in-line with the data retention policy Sensitive data protection Log analytics & anomalous behaviour detection

No content

8.15 LOGGING GUIDELINES_ Log structure & types of events to log Protected from de-activation (inc. by privileged users), Protected from deletion & modification Protected from failure of storage media Stored in-line with the data retention policy Sensitive data protection Log analytics & anomalous behaviour detection

AWS ACCOUNT STRATEGY_

AWS CONTROL TOWER_ Centralised audit logging (AWS CloudTrail) AWS account management AWS IAM Identity Center Ready baked controls: Preventative (Service Control Policies) Detective (AWS Config) Proactive (AWS CloudFormation Hooks) Compliance dashboard

YOUR NEXT STEPS_ FREE CONSULTATION ISO 27001 AWS READINESS ASSESSMENT A review of your current AWS practice. FREE CONSULTATION ISO 27001 AWS RISK ASSESSMENT REVIEW A review of the AWS risks you’ve identified, and advice on risk treatment.

FINAL POLL_

KEEP IN TOUCH_ http:/ /www.scalefactory.com/ https:/ /github.com/scalefactory @scalefactory akw@scalefactory.com