Slide 1

Slide 1 text

ISO 27001 ON AWS_ ANDREW WASILCZUK | he/him/his

Slide 2

Slide 2 text

$whoami
- Senior Consultant
- Information Security Manager
- Systems guy at heart

Slide 3

Slide 3 text

GETTING TO KNOW YOU_

Slide 4

Slide 4 text

ISO/IEC 27001
- Defines requirements for an ISMS (information security management system)
- Non-prescriptive
- Risk-based approach

Slide 5

Slide 5 text

WHY DO WE NEED ISO 27001?_

Slide 6

Slide 6 text

SUPPLIER QUESTIONNAIRES_

Slide 7

Slide 7 text

ANOTHER POLL_

Slide 8

Slide 8 text

WITH COMPLIANCE_
- Questionnaires are easier to answer... or avoided altogether
- Sales cycle is shorter
- Close bigger deals
- Reduce operational risks

Slide 9

Slide 9 text

TWO PARTS_
- ISO 27001: mandatory ISMS requirements (clauses 4-10), plus Annex A, the reference list of controls
- ISO 27002: implementation guidance for the Annex A controls
Annex A controls are selected via the Statement of Applicability; each exclusion must be justified, so "optional" means selectable with a documented reason, not ignorable.

Slide 10

Slide 10 text

WHERE DO I START?_

Slide 11

Slide 11 text

COMPLIANCE JOURNEY_
1. Establish an ISMS
2. Conduct a risk assessment
3. Choose Annex A controls
4. Establish an AWS account strategy
5. Treat the risks (or have a plan)
6. Collect evidence
7. Schedule your audit

Slide 12

Slide 12 text

AUTOMATED COMPLIANCE PLATFORMS_ TIP

Slide 13

Slide 13 text

- Policy templates
- Risk register
- Asset management
- Evidence collection
- Easier audits
- Multiple standards
- Vulnerability management
- AWS integration
- Security awareness training
- On-boarding/off-boarding flows
- Vendor assessments
- Access review
- Endpoint monitoring

Slide 14

Slide 14 text

RISK REDUCTION CYCLE_

Slide 15

Slide 15 text

IMPLEMENTING ANNEX A CONTROLS ON AWS_

Slide 16

Slide 16 text

THE SHARED RESPONSIBILITY MODEL_

Slide 17

Slide 17 text

8.15 LOGGING_
"To record events, generate evidence, ensure the integrity of log information, prevent against unauthorized access, identify information security events that can lead to an information security incident and to support investigations."

Slide 18

Slide 18 text

8.15 LOGGING DEPENDENCIES_
- 5.25 Assessment and decision on information security events
- 5.28 Collection of evidence
- 5.37 Privacy and protection of PII
- 8.10 Information deletion
- 8.11 Data masking
- 8.16 Monitoring activities
- 8.17 Clock synchronisation (synchronised time sources)

Slide 19

Slide 19 text

8.15 LOGGING GUIDELINES_
- Log structure & types of events to log
- Protected from de-activation (inc. by privileged users)
- Protected from deletion & modification
- Protected from failure of storage media
- Stored in line with the data retention requirements
- Sensitive data in logs is protected
- Log analytics & anomalous behaviour detection

Slide 21

Slide 21 text

8.15 LOGGING GUIDELINES_
- Log structure & types of events to log
- Protected from de-activation (inc. by privileged users)
- Protected from deletion & modification
- Protected from failure of storage media
- Stored in line with the data retention policy
- Sensitive data protection
- Log analytics & anomalous behaviour detection

Slide 23

Slide 23 text

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail"
      ],
      "Resource": "*",
      "Effect": "Deny"
    }
  ]
}
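The following is an added example, not part of the original deck, showing how the "protected from de-activation, deletion and modification" guidelines can be checked in code rather than only asserted in a policy document. It carries the slide's Deny policy as SLIDE_SCP and an extended variant HARDENED_SCP (my assumption, not on the slide) that also denies cloudtrail:UpdateTrail and cloudtrail:PutEventSelectors, because a trail that is re-pointed to another bucket or stripped of its event selectors keeps "running" while recording nothing useful, which the slide's policy alone does not prevent. scp_denies() evaluates an action against a policy the way IAM treats Deny statements (case-insensitive, wildcard-aware); check_trail() maps a trail description to the 8.15 guidelines. The trail and status dictionaries are constructed samples in the shape boto3's describe_trails() and get_trail_status() return; the bucket summary fields (Object Lock, versioning, replication, retention) are an assumed shape a real checker would populate from S3. The account ID and ARNs are placeholders.

```python
"""Added example (not from the original deck): evaluate a Service Control Policy
against CloudTrail actions, and check a trail against the ISO 27001:2022 8.15
logging guidelines. Pure Python, no AWS calls; every input below is constructed."""
import fnmatch

# The Deny policy shown on the slide: blocks stopping or deleting a trail.
SLIDE_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
        "Resource": "*",
    }],
}

# Extended policy (assumption, not on the slide): also deny re-pointing the trail
# or narrowing its event selectors, which leave the trail running but useless.
HARDENED_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                   "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"],
        "Resource": "*",
    }],
}


def scp_denies(policy, action):
    """True if a Deny statement in `policy` matches `action` (Resource "*" assumed).
    IAM compares action names case-insensitively and allows '*' and '?' wildcards;
    an SCP never grants, so only explicit Deny statements are evaluated here."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in actions):
            return True
    return False


def check_trail(trail, status, bucket, min_retention_days):
    """Map one trail to the 8.15 guidelines and return a list of findings
    (empty list == no gaps). `trail` follows the shape of boto3
    describe_trails()['trailList'][i] and `status` of get_trail_status();
    `bucket` is an assumed summary a real checker would gather from S3."""
    findings = []
    if not status.get("IsLogging"):
        findings.append("de-activation: trail is not logging")
    if not trail.get("IsMultiRegionTrail"):
        findings.append("coverage: single-region trail misses events in other regions")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("modification: log file validation (digest files) is off")
    if not bucket.get("ObjectLockEnabled"):
        findings.append("deletion: log bucket has no S3 Object Lock")
    if not bucket.get("VersioningEnabled"):
        findings.append("deletion: log bucket versioning is off")
    if not bucket.get("ReplicatedToSecondRegion"):
        findings.append("storage failure: logs are not replicated to a second region")
    if bucket.get("RetentionDays", 0) < min_retention_days:
        findings.append("retention: bucket keeps logs %d days, policy requires %d"
                        % (bucket.get("RetentionDays", 0), min_retention_days))
    if not trail.get("KmsKeyId"):
        findings.append("sensitive data: log files not encrypted with a customer-managed KMS key")
    if not trail.get("CloudWatchLogsLogGroupArn"):
        findings.append("analytics: trail is not delivered to CloudWatch Logs for alerting")
    return findings


# Constructed samples (account ID and ARNs are placeholders, not real resources).
GOOD_TRAIL = {
    "Name": "org-trail", "S3BucketName": "org-audit-logs",
    "IsMultiRegionTrail": True, "LogFileValidationEnabled": True,
    "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/placeholder",
    "CloudWatchLogsLogGroupArn": "arn:aws:logs:eu-west-1:111122223333:log-group:org-trail:*",
}
GOOD_STATUS = {"IsLogging": True}
GOOD_BUCKET = {"ObjectLockEnabled": True, "VersioningEnabled": True,
               "ReplicatedToSecondRegion": True, "RetentionDays": 400}

WEAK_TRAIL = {"Name": "default", "S3BucketName": "my-logs",
              "IsMultiRegionTrail": False, "LogFileValidationEnabled": False}
WEAK_STATUS = {"IsLogging": False}
WEAK_BUCKET = {"RetentionDays": 30}

if __name__ == "__main__":
    for name, policy in (("slide SCP", SLIDE_SCP), ("hardened SCP", HARDENED_SCP)):
        for action in ("cloudtrail:StopLogging", "cloudtrail:UpdateTrail"):
            print(name, action, "denied" if scp_denies(policy, action) else "ALLOWED")
    for finding in check_trail(WEAK_TRAIL, WEAK_STATUS, WEAK_BUCKET, 365):
        print("finding:", finding)
```

Running the block prints that the slide's policy denies StopLogging but allows UpdateTrail, while the hardened variant denies both, and then lists every 8.15 gap in the weak trail. Attach either policy as an SCP at the organisational unit that holds the workload accounts, so it binds even the member accounts' administrators; an SCP does not apply to the management account itself, which is one reason the deck's account strategy keeps workloads out of it.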

Slide 27

Slide 27 text

AWS ACCOUNT STRATEGY_

Slide 28

Slide 28 text

AWS CONTROL TOWER_
- Centralised audit logging (AWS CloudTrail)
- AWS account management
- AWS IAM Identity Center
- Ready-baked controls:
  - Preventative (Service Control Policies)
  - Detective (AWS Config)
  - Proactive (AWS CloudFormation Hooks)
- Compliance dashboard

Slide 29

Slide 29 text

YOUR NEXT STEPS_
- FREE CONSULTATION: ISO 27001 AWS READINESS ASSESSMENT. A review of your current AWS practice.
- FREE CONSULTATION: ISO 27001 AWS RISK ASSESSMENT REVIEW. A review of the AWS risks you've identified, and advice on risk treatment.

Slide 30

Slide 30 text

FINAL POLL_

Slide 31

Slide 31 text

KEEP IN TOUCH_
http://www.scalefactory.com/
https://github.com/scalefactory
@scalefactory
[email protected]