ISACA ISO 27K Presentation
Transcript of ISACA ISO 27K Presentation
-
8/7/2019 ISACA ISO 27K Presentation
1/38
Slide 1
Information Security Management Systems
An ISO 27001 Introduction
Mahmood Justanieah
ISACA-Jeddah Technical Meeting
18-March-2009
-
Slide 2
19h00: Information Security
       ISO 27001:2005 and ISO 27002:2005
       Control objectives and controls
       Differences between ISO 27001 and other standards: ITIL, COBIT, ISO 20000
19h45: Questions & Answers
20h00: Closure
-
Slide 3
Section 1
Information Security
-
Slide 4
Scenario
Compliance requirements, new notification laws and the growing number of breaches have made organizations aware that they need a structured approach to data security.
Organizations are increasingly dependent on information assets
Information users (internal and external) are demanding increased availability
The number of incidents that threaten the continuity of operations is growing
A single security breach can:
destroy a company's image
depress the value of the business
erode the bottom line; and
compromise future earnings
-
Slide 5
Data breach costs
For 2007, per-record compromised costs continued to increase (2007 Annual Study: US Cost of Data Breach, research conducted by Ponemon Institute LLC).
The average total cost per reporting company was more than 6.3 million US Dollars per breach, and ranged between 225,000 and almost 35 million US Dollars.
-
Slide 6
Cause of data breach
Lost or stolen laptops and other devices such as USB flash drives were the most significant source of a data breach. (2007 Annual Study: US Cost of Data Breach, research conducted by Ponemon Institute LLC)
-
Slide 7
Risks and Threats
Data breach:
  Media attention
  Breach notifications
  Brand degradation
  Government agency audit
  Customer complaint
  Government agency's finding/order
  Litigation
  Loss of customers
Non-compliance:
  Restrictions on business activities
  Loss of a contract
  New privacy controls
  Publicly named through a Commissioner's order or legal proceedings
Over-compliance:
  Unnecessary restrictions on business activities
  Decreased customer satisfaction
  Competitive disadvantage
-
Slide 8
Information as an Asset
Information is:
An asset that, like other important business assets, is essential to an organization's business and consequently needs to be suitably protected.
Source: ISO/IEC 27002:2005 Section 0.1
Asset definition:
Anything that has value to the organization
Source: ISO/IEC 27001:2005, 3.1
-
Slide 9
Information Security, not IT Security
Information must be protected throughout its entire lifecycle:
Creation
Storage
Processing
Distribution
Information must be protected independent of its format or media, much of which is not IT at all:
Paper documents (on desks, in waste bins, left on photocopiers)
Whiteboards
Conversations overheard
Conversations on public transport
People
-
Slide 10
Information Security
Information Security: preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved
Source: ISO/IEC 27001:2005
Confidentiality: Ensuring that information is accessible only to those authorized to have access. Clause 3.3 of ISO/IEC 27001
Integrity: Safeguarding the accuracy and completeness of information and processing methods. Clause 3.8 of ISO/IEC 27001
Availability: Ensuring that authorized users have access to information and associated assets when required. Clause 3.2 of ISO/IEC 27001
-
Slide 11
Information Security Management System
Information Security Management System (ISMS): that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security
An ISMS is a management process, not a technological process
Adopting an ISMS is a strategic decision of an organization
Its design and implementation are influenced by:
Needs and objectives
Security requirements
Processes employed
Size and structure of the organization
The ISMS is scaled in accordance with the organization's needs
-
Slide 12
Section 2
ISO 27001: 2005 and ISO 27002:2005
-
Slide 13
The History of ISO 27001
1992: The Department of Trade and Industry (DTI), part of the UK Government, publishes a 'Code of Practice for Information Security Management'.
1995: This document is amended and re-published by the British Standards Institution (BSI) as BS7799.
1996: Support and compliance tools begin to emerge, such as COBRA. David Lilburn Watson becomes the first qualified certified BS7799 auditor.
1999: The first major revision of BS7799 is published, including many major enhancements. Accreditation and certification schemes are launched; LRQA and BSI are the first certification bodies.
2000: In December, BS7799 is again re-published, this time as a fast-tracked ISO standard. It becomes ISO 17799 (or more formally, ISO/IEC 17799).
-
Slide 14
The History of ISO 27001
2002: A second part to the standard is published: BS7799-2. This is an information security management specification, rather than a code of practice. It begins the process of alignment with other management standards such as ISO 9000.
2005: A new version of ISO 17799 is published. This includes two new sections, and closer alignment with BS7799-2 processes.
2005: ISO 27001 is published, replacing BS7799-2, which is withdrawn. This is a specification for an ISMS (information security management system), which aligns with ISO 17799 and is compatible with ISO 9001 and ISO 14001.
-
Slide 15
ISO 27001
There are two closely related standards:
ISO/IEC 27001 is the specification of requirements for an Information Security Management System (ISMS).
ISO/IEC 27002:2005 is the code of practice and can be regarded as a comprehensive catalogue of good security things to do.
ISO/IEC 27001
Specifies requirements:
For establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS
Designed to:
Ensure adequate security controls to protect information assets, documented in the ISMS
Give confidence to customers and interested parties
-
Slide 16
Other related standards
ISO/IEC 27006 - Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems
ISO/IEC FDIS 27011 - Information technology -- Information security management guidelines for telecommunications
SSE-CMM, Systems Security Engineering Capability Maturity Model, now released as ISO/IEC 21827:2002
Helps organizations determine their security maturity relative to a set of capability metrics
Under development:
ISO/IEC 27000 - an introduction and overview of the ISMS family of standards, plus a glossary of common terms
ISO/IEC 27003 - ISMS implementation guide
ISO/IEC 27004 - information security management measurements
ISO/IEC 27005 - information security risk management
ISO/IEC 27007 - guideline for auditing ISMSs
ISO/IEC 27011 - guideline for ISMSs in the telecommunications industry
ISO 27799 - guidance on implementing ISO/IEC 27002 in the healthcare industry
-
Slide 17
Process Approach
ISO 27001 has adopted a process approach, which means an organization needs to identify and manage many activities in order to function effectively
Any activity using resources and managed in order to enable the transformation of inputs into outputs can be considered to be a process
Inputs >>>>>>> Process >>>>>>> Outputs*
*Often, outputs from one process provide inputs into the next
The process approach for an ISMS encourages users to emphasize the importance of:
understanding an organization's information security requirements and the need to establish POLICY and OBJECTIVES for information security
implementing and operating CONTROLS to manage an organization's information security risks in the context of the organization's overall business risks
monitoring and reviewing the performance and effectiveness of the ISMS, and
CONTINUAL IMPROVEMENT based on objective measurement
-
Slide 18
PDCA
Plan, Do, Check, Act is to be applied to structure all ISMS processes
The figure illustrates how an ISMS takes the information security requirements and expectations of the interested parties and, through the necessary actions and processes, produces information security outcomes that meet those requirements and expectations
-
Slide 19
PDCA
The continuous change of the company, technology and society requires a process of continuously evaluating the effectiveness and efficiency of all security controls and adapting the security system to changing requirements.
This results in a control loop known as the PDCA model:
Plan: plan and implement security controls
Do: operate security controls
Check: monitor the security system and the world around you
Act: initiate necessary changes to the security system
-
Slide 20
Compatibility with other management systems
ISO 27001 is aligned with ISO 9001:2000 and ISO 14001:2004 in order to support consistent and integrated implementation and operation with related management standards.
ISO 27001 illustrates the relationship between its requirements, ISO 9001:2000 and ISO 14001:2004.
This International Standard is designed to enable an organization to align or integrate its ISMS with related management system requirements.
-
Slide 21
Compliance to ISO/IEC 27001
All clauses in ISO/IEC 27001 are mandatory
Risk treatment plan based on the risk assessment
Documentation supporting the various clauses
Statement of Applicability based on scoping, justifying the choice of controls
Annex A lists the controls to choose from; not every control must be applied, but none may be left out without justification
A valid justification must be documented to exclude a control
Chosen controls must be documented for audit purposes
Certification to the standard requires that all clauses be implemented
-
Slide 22
Process Flow for Information Security
Step 1: Define the information security policy
  Output: Information security policy
Step 2: Define the scope of the ISMS
  Output: Scope of the ISMS
Step 3: Undertake risk assessment
  Inputs: Information assets; threats, vulnerabilities, impacts
  Output: Risk assessment (results and conclusions)
Step 4: Manage the risk
  Inputs: Organization's approach to risk management; degree of assurance required
  Output: Areas of risk to be managed; selected control options
Step 5: Select control objectives and controls to be implemented
  Inputs: Control objectives and controls; additional controls
  Output: Statement of Applicability
-
Slide 23
Implementation of an ISMS - Plan
Establish and manage the ISMS
Scope and boundaries
Policy / objectives
Define risk assessment approach
Identify risks
Analyse and evaluate the risks
Identify and evaluate options for treatment of risks
Select control objectives & controls (Annex A)
Obtain management approval of the proposed residual risks
Obtain management authorisation to implement and operate the ISMS
Prepare a Statement of Applicability
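The Plan steps above (identify and analyse risks, choose a treatment and Annex A controls, obtain management approval of residual risk, prepare the Statement of Applicability) as a small worked example in Python. This is added code, not part of the presentation or of the standard. The 1..5 likelihood and impact scales, the acceptance threshold of 6, the sample risk register and the exclusion justification are assumptions constructed for illustration; the control catalogue is only the handful of ISO/IEC 27001:2005 Annex A controls the presentation itself cites, not the full Annex, which a real SoA has to cover in its entirety.

```python
"""Plan phase: risk register -> treatment -> Statement of Applicability (SoA).
Added example; scales, threshold and sample data are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Subset of ISO/IEC 27001:2005 Annex A used as the catalogue here (the controls
# the presentation cites). A real SoA must enumerate every Annex A control.
CONTROLS: Dict[str, str] = {
    "A.5.1.1": "Information security policy document",
    "A.6.1.3": "Allocation of information security responsibilities",
    "A.8.2.2": "Information security awareness, education and training",
    "A.13.1.1": "Reporting information security events",
    "A.15.1.2": "Intellectual property rights",
    "A.15.1.3": "Protection of organizational records",
    "A.15.1.4": "Data protection and privacy of personal information",
}
TREATMENTS = {"mitigate", "accept", "transfer", "avoid"}
# Acceptance criterion (assumption): risk = likelihood x impact on 1..5 scales;
# any residual risk above 6 needs explicit management approval.
ACCEPTABLE_RISK = 6


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                 # 1..5
    impact: int                     # 1..5
    treatment: str = "mitigate"     # one of TREATMENTS
    controls: List[str] = field(default_factory=list)   # Annex A ids applied
    residual_likelihood: Optional[int] = None           # estimated after controls
    residual_impact: Optional[int] = None

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> int:
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        imp = self.impact if self.residual_impact is None else self.residual_impact
        return lik * imp


def validate(risk: Risk) -> None:
    """Reject entries an auditor would reject: values off the scale, an unknown
    treatment, 'mitigate' with no control, or a control not in the catalogue."""
    for v in (risk.likelihood, risk.impact, risk.residual_likelihood, risk.residual_impact):
        if v is not None and not 1 <= v <= 5:
            raise ValueError(f"{risk.asset}: scale values must be 1..5, got {v}")
    if risk.treatment not in TREATMENTS:
        raise ValueError(f"{risk.asset}: unknown treatment {risk.treatment!r}")
    if risk.treatment == "mitigate" and not risk.controls:
        raise ValueError(f"{risk.asset}: 'mitigate' needs at least one control")
    unknown = set(risk.controls) - set(CONTROLS)
    if unknown:
        raise ValueError(f"{risk.asset}: controls not in catalogue: {sorted(unknown)}")


def statement_of_applicability(risks: List[Risk], exclusions: Dict[str, str]) -> Dict[str, dict]:
    """Every catalogue control is either selected (justified by the risks it
    treats) or excluded with a documented justification; anything else is an
    error, mirroring the audit rule that exclusions must be justified."""
    for r in risks:
        validate(r)
    soa: Dict[str, dict] = {}
    for cid, title in CONTROLS.items():
        treated = sorted({r.asset for r in risks if cid in r.controls})
        if treated:
            soa[cid] = {"title": title, "applicable": True,
                        "justification": "Treats risks on: " + ", ".join(treated)}
        elif cid in exclusions:
            soa[cid] = {"title": title, "applicable": False, "justification": exclusions[cid]}
        else:
            raise ValueError(f"{cid} is neither selected nor justified as excluded")
    return soa


def residual_risks_needing_approval(risks: List[Risk]) -> List[Risk]:
    """Residual risks above the criterion go to management for explicit approval
    before the ISMS is authorised to operate."""
    return [r for r in risks if r.residual() > ACCEPTABLE_RISK]


# Constructed sample register (illustrative values, not real assessment data).
SAMPLE_RISKS = [
    Risk("Customer database", "Theft of laptop holding an export", "Unencrypted local copies",
         4, 5, "mitigate", ["A.15.1.4", "A.8.2.2"], residual_likelihood=2, residual_impact=4),
    Risk("Finance records", "Accidental deletion", "No retention procedure",
         3, 4, "mitigate", ["A.15.1.3"], residual_likelihood=1, residual_impact=4),
    Risk("Marketing website", "Defacement", "Unpatched CMS", 2, 2, "accept"),
    Risk("Staff", "Unaware of security obligations", "No published policy",
         3, 3, "mitigate", ["A.5.1.1", "A.6.1.3", "A.13.1.1"], residual_likelihood=1, residual_impact=3),
]
SAMPLE_EXCLUSIONS = {"A.15.1.2": "No licensed third-party software within the ISMS scope (assumed)"}

if __name__ == "__main__":
    for cid, row in statement_of_applicability(SAMPLE_RISKS, SAMPLE_EXCLUSIONS).items():
        print(f"{cid:9} {'YES' if row['applicable'] else 'NO '} {row['title']}: {row['justification']}")
    for r in residual_risks_needing_approval(SAMPLE_RISKS):
        print(f"NEEDS APPROVAL: {r.asset} inherent={r.inherent()} residual={r.residual()}")
```

Two design points carry the audit logic: an exclusion without a written justification is an error rather than a silent gap, and a risk treated as "mitigate" must name the control that does the mitigating, so the SoA can always be traced back to the risk assessment that justifies it. In the sample data the laptop-theft risk still scores 8 after its controls, so it is listed for management approval rather than quietly accepted.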
-
Slide 24
Implementation of an ISMS - Do
Implement and operate the ISMS
Formulate risk treatment plan
Implement risk treatment plan
Define how to measure effectiveness of selected controls
Implement controls selected to meet control objectives
Implement training and awareness
Manage operations and resources
Implement procedures and other controls
-
Slide 25
Implementation of an ISMS - Check
Monitor and review the ISMS
Execute monitoring procedures and other controls
Undertake regular reviews of the effectiveness of the ISMS
Measure effectiveness of controls
Review risk assessments at planned intervals
Review level of residual risk and identified acceptable risk
Internal ISMS audits / Management review
Update security plans
Record actions and events
-
Slide 26
Implementation of an ISMS - Act
Maintain and improve the ISMS
Implement identified improvements
Take appropriate corrective and preventive actions
Communicate the actions and improvements
Ensure improvements achieve intended objectives
-
Slide 27
Section 3
Control objectives and Controls
-
Slide 28
"The only system which is truly secure is one which is switched off and unplugged, locked in a titanium-lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn't stake my life on it."
Gene Spafford
Director, COAST (Computer Operations, Audit, and Security Technology)
Purdue University
-
Slide 29
Purpose of controls in ISO/IEC 27002/27001
27002 specifies aspects of an effective information protection program suitable to the needs of business and industry
Protection in 27002 is based on assuring integrity, availability, and confidentiality of corporate information assets
Assurance is attained through controls that management creates and maintains within the organization.
A small set of the controls (listed on slide 32) is singled out as "key controls" because they are either legislatively required or considered fundamental building blocks
-
Slide 30
ISO 27002 domains
Security Policy
Organization of Information Security
Asset management
Human resources security
Physical and environmental security
Communications and Operations Management
Access Control
Information Systems Acquisition, Development and Maintenance
Information Security Incident Management
Business Continuity Management
Compliance
-
Slide 31
Selection of Controls
Choice of controls:
Not all the controls will be relevant to every situation
Consider local environmental or technological constraints
Controls must be in a form that suits every potential user in the organization
Additional control objectives and controls:
An organization might consider that additional control objectives and controls, beyond those in Annex A, are necessary
-
Slide 32
Choice of controls
Controls considered to be essential to an organization from a legislative point of view include (clause numbers refer to ISO/IEC 27002:2005):
intellectual property rights (see 15.1.2)
safeguarding of organizational records (see 15.1.3)
data protection and privacy of personal information (see 15.1.4)
Controls considered to be common best practice for information security include:
information security policy document (see 5.1.1)
allocation of information security responsibilities (see 6.1.3)
information security education and training (see 8.2.2)
reporting information security events (see 13.1.1)
information security aspects of business continuity management (see 14.1)
-
Slide 33
Section 4
Differences with Other Standards
ITIL, ISO 20000, COBIT
-
Slide 34
Definitions
COBIT
COBIT stands for Control Objectives for Information and related Technology. COBIT is issued by ISACA (Information Systems Audit and Control Association), a non-profit organization for IT governance. COBIT's main function is to help a company map its IT processes to ISACA's best-practice standard. COBIT is usually chosen by companies performing an information systems audit, whether related to a financial audit or to a general IT audit.
ITIL
ITIL stands for Information Technology Infrastructure Library. ITIL, issued by the OGC (the UK Office of Government Commerce), is a framework for managing IT services and service levels. Although ITIL is quite similar to COBIT in many ways, the basic difference is that COBIT sets its standard by looking at processes and risk, whereas ITIL sets its standard starting from the basic IT services.
-
Slide 35
ISO27001
ISO27001 is quite different from both COBIT and ITIL, because ISO27001 is a security standard, so it has a smaller but deeper domain compared to COBIT and ITIL.
Here is the detailed comparison table of the three standards.
Comparison
Area           | COBIT                               | ITIL                        | ISO27001
Function       | Mapping IT processes                | IT service level management | Information security framework
Scope          | 4 domains and 34 processes          | 9 processes                 | 11 domains
Issuer         | ISACA                               | OGC                         | ISO/IEC
Implementation | Information systems audit           | Manage service levels       | Compliance to a security standard
Consultant     | Accounting firm, IT consulting firm | IT consulting firm          | IT consulting firm, security firm, network consultant
-
Slide 36
-
Slide 37
Q&A
-
Slide 38