Title: Assessment
Slide 1: IT Auditing 9 (Information Security, Code of Practice for Information Security Management, Certification of Information Security)
Dr. Ir. Paul L. Overbeek RE, Overbeek.paul_at_kpmg.nl
Slide 2: Roadmap
Slide 3: (no transcript)
Slide 4: Agenda
- 101 on Information Security
- Introduction to the Code of Practice for Information Security Management
- Certification of Information Security
Slide 5: What are we talking about
- Information is essential in our business
- Information security is integrated in our business processes
- And is certainly not a specialists-only area
- It is the responsibility of both management and employees
- Information security remains a moving target
  - business: new products, new markets
  - organisation: mergers, take-overs, reorganisations, job rotation, retention
  - IT: new technology, applications, operating systems, protocols
- Information security is change control
- A proactive approach is required: information security in control
Slide 6: Basic information security objectives
- Confidentiality
  - ensuring that information is accessible only to those authorised to have access
- Integrity
  - safeguarding the authenticity, accuracy and completeness of information and processing methods
- Availability
  - ensuring that authorised users have access to information and associated assets when required
Slide 7: Security from a business perspective
Slide 8: Reliability requirements
(diagram labels) measures; assets; information
Slide 9: Threats
- Natural causes
- Intentional actions
  - by authorised employees
  - by unauthorised employees / outsiders
- Human errors, mistakes
  - by authorised employees
  - by unauthorised employees / outsiders
- Software errors
- Hardware / communication errors
Slide 10: External requirements
(diagram labels) Social context: privacy, anonymity, evidence; Legal requirements; Third party requirements
Slide 11: Requirements set by the organisation
Organisational context: structure, management, functions and responsibilities, reporting structures
(org chart with example persons: George W, Scrooge, Alice, Bob, Chris)
Slide 12: Security measures
(diagram labels) Organisational, Physical, Procedural, Technical; illustrated with a LOGIN screen
Slide 13: Incident Cycle
(cycle diagram) Threat -> Prevention -> Reduction -> Incident -> Detection -> Repression -> Damage -> Correction -> Recovery -> Evaluation
Slide 14: Change is the only constant
- Technology
- Products and services
- Business processes
- Co-operation between organisations
- Information security must change too!
- From reactive to proactive
Slide 15: The Information Security Management Cycle
(cycle diagram, labels as extracted) Policy; Control, organisation; Risk analysis; Feedback; Planning; Controls: organisational, technical, procedural, physical; Evaluation / Testing; Implementation
Slide 16: Conclusion
- Security should be based on strong organisational foundations from the start.
- Why?
  - Keep up with change
  - Be prepared for incidents
  - Deal with personnel turnover
  - Avoid omissions caused by an ad hoc approach
  - Create security awareness among your staff
  - Grow in the right direction
Slide 17: Basic Risk Analysis
- Real versus perceived risks of IT
- What should be done with enthusiasm, what is to be considered, and what is far over the top
- Good housekeeping: policies, guidelines, organisation, responsibilities, relationships, or
- Security Management
- Risk management
  - The risks of using IT and the management of these risks
Slide 18: Searching for the real risks: the threats?
- Natural causes
- Intentional actions
  - by authorised employees
  - by unauthorised employees / outsiders
- Human errors, mistakes
  - by authorised employees
  - by unauthorised employees / outsiders
- Software errors
- Hardware / communication errors
Slide 19: Searching for the real risks: ability to offer a certain security quality?
- Privacy and confidentiality
- Resistant to hackers, etc.
- Resistant to criminality
- Authenticity
- Authorised use and access
- Integrity
- Non-repudiation
- Availability
- Access when needed
- Transparency (auditability)
- Payment
- Compliance with regulation
- Integration of services
Slide 20: Searching for the real risks: impact on your business processes
- Political consequences
- Financial / economic impact
- Commercial impact
- Environmental impact
- Impact on society, partners, clients
- Loss of trustworthiness
- Equal reaction, or worse
- Legal aspects
- Non-compliance with laws and regulation
- Loss or harm for civilians, clients, relations, partners
- Safety
- Privacy
- Culture
- Trust
- Local or international?
- Corporate image
- Loss of good reputation / goodwill
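The three "Searching for the real risks" slides give the ingredients of a basic risk analysis but no worked instance. The following register is an added example, not from the presentation or the CoP: it scores each threat source from the Threats slide against a business process on likelihood x impact (impact areas condensed from the slide above), ranks the real risks, maps each score onto the three buckets of the Basic Risk Analysis slide, and compares the level the process owner perceives with the assessed one. The 1..5 scales, the score thresholds and the sample register are constructed assumptions.

```python
"""Qualitative risk register in the spirit of the "Basic Risk Analysis" slides.

Constructed example, not taken from the presentation or the CoP: every entry
scores a threat against a business process on likelihood x impact, the register
is ranked, each score is mapped onto the slide's three buckets, and the
"perceived" level reported by the process owner is compared with the assessed
one to expose real-versus-perceived gaps. Scales and thresholds are assumptions."""
from dataclasses import dataclass, field
from math import ceil

# Threat sources as listed on the "Threats" slide
THREAT_SOURCES = (
    "natural causes",
    "intentional action by authorised employees",
    "intentional action by unauthorised employees / outsiders",
    "human error by authorised employees",
    "human error by unauthorised employees / outsiders",
    "software errors",
    "hardware / communication errors",
)
# Impact areas condensed from the "Impact on your business processes" slide
IMPACT_AREAS = ("political", "financial", "commercial", "environmental",
                "society", "legal", "reputation")
SCALE = range(1, 6)  # 1 = rare / negligible ... 5 = almost certain / severe


@dataclass(frozen=True)
class Risk:
    process: str
    threat: str
    likelihood: int
    impact: dict = field(default_factory=dict)  # impact area -> 1..5
    perceived: int = 3                          # level reported by the process owner

    def __post_init__(self):
        if self.threat not in THREAT_SOURCES:
            raise ValueError(f"unknown threat source: {self.threat!r}")
        if self.likelihood not in SCALE or self.perceived not in SCALE:
            raise ValueError("likelihood and perceived level must be 1..5")
        for area, level in self.impact.items():
            if area not in IMPACT_AREAS or level not in SCALE:
                raise ValueError(f"bad impact entry {area!r}={level!r}")


def impact_level(risk):
    """Worst-case impact across the assessed areas; nothing assessed counts as 1."""
    return max(risk.impact.values(), default=1)


def score(risk):
    """Likelihood x impact, 1..25."""
    return risk.likelihood * impact_level(risk)


def band(score_value):
    """Map a score onto the three buckets of the Basic Risk Analysis slide
    (the thresholds are an assumption)."""
    if score_value >= 15:
        return "do with enthusiasm"
    if score_value >= 6:
        return "to be considered"
    return "far over the top"


def assessed_level(risk):
    """Fold the 1..25 score back onto the 1..5 scale the owner used."""
    return ceil(score(risk) / 5)


def perception_gap(risk):
    """Positive: the owner overestimates the risk; negative: a real risk is underestimated."""
    return risk.perceived - assessed_level(risk)


def ranked(register):
    """Real risks first, whatever the owners perceive."""
    return sorted(register, key=score, reverse=True)


def report(register):
    """One text row per risk, highest score first, with the perception flag last."""
    rows = []
    for r in ranked(register):
        gap = perception_gap(r)
        flag = "UNDERESTIMATED" if gap <= -2 else "overestimated" if gap >= 2 else ""
        rows.append(f"{score(r):>2}  {band(score(r)):<20} {r.process:<12} {r.threat:<52} {flag}")
    return rows


# Constructed register (sample data, not real assessments)
REGISTER = [
    Risk("payroll", "human error by authorised employees", 4,
         {"financial": 4, "legal": 3}, perceived=2),
    Risk("website", "intentional action by unauthorised employees / outsiders", 3,
         {"reputation": 3, "commercial": 2}, perceived=5),
    Risk("archive", "natural causes", 1, {"financial": 2}, perceived=1),
    Risk("order entry", "software errors", 3, {"commercial": 5}, perceived=4),
]

if __name__ == "__main__":
    print("\n".join(report(REGISTER)))
```

The payroll entry is the interesting row: its owner reports a low perceived risk while the assessment puts it in the "do with enthusiasm" bucket, which is exactly the real-versus-perceived gap the slide asks the analyst to look for; the website entry shows the opposite case of a perceived risk the numbers do not support.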
Slide 21: Risk management
- IT risks and the control thereof
- Each security activity is (part of) a process
  - that needs to be managed and contained
  - a standstill implies decline
- Information security is a set of processes
  - uniform, at all levels of your organisation: Strategy, Tactics, Operations
Slide 22: Risk Management
- Top management demands control and therefore oversight of the quality of the information security process and the measures
- Management information often does not address today's needs
- Large quantity of activities and measures
- Responsibilities and reporting are scattered
- Solution
  - Uniformity
  - A structured, integrated approach
  - The Code of Practice for Information Security Management (BS7799 / ISO 17799 / IST 17799 / ANZ 7799 / ...)
Slide 23: Risk management: being in control
- In control of what?
- Confidentiality
- Integrity
- Auditability
- Availability
- Effectiveness
- Efficiency
- Manageability
- etc.
(the diagram groups these quality aspects under the label "Information Security")
Slide 24: Code of Practice: Introduction
- The purpose of information security is to ensure business continuity and to minimize business damage by preventing and minimizing the impact of security incidents.
- Information security management enables information to be shared, while ensuring the protection of information and computing assets.
- The three basic components (quality aspects) of the CoP are
  - CONFIDENTIALITY
  - INTEGRITY
  - AVAILABILITY
- Information takes many forms. It can be stored on computers, transmitted across networks, printed out or written down on paper, and spoken in conversations.
- From a security perspective, appropriate protection must be applied to all forms of information, including papers, databases, films, view foils, models, tapes, diskettes, conversation and any other methods to convey knowledge and ideas.
Slide 25: Positioning CoP
(diagram, labels as extracted)
Top management (Board of Directors): Policy; Reporting on security health
Line management and staff: Code of Practice for IT Security
Technical security standards and studies (committees of EDP auditors, such as PI)
IT management and staff: Procedural, Physical, Personnel
Platforms: OS/390, RACF, Oracle, Internet, Intranet, Workflow, Unix, OS/400, NT
Slide 26: UNIFORMITY: Code of Practice for Information Security Management, 1999
Slide 27: CODE OF PRACTICE FOR INFORMATION SECURITY MANAGEMENT (CoP)
- Developed in UK and NL
- Also published in many other countries
- Update 1999
- Based on best practice of participants
- Purpose
  - intended as a standard for a baseline level of security (due care)
  - enable mutual trust between partners
  - suitable for small, medium and large enterprises
- Organisational and technical measures
- 100 pages, 10 sections, 8 essential controls
- Note: It is not an implementation standard but a set of guidelines and attention items. Use it with common sense!
Slide 28: Use of the CoP
- 8 essential controls
- 10 main categories
- 36 objectives
- 125 measures
- Can be used for
  - Implementation of information security management
  - IT security management based on ITIL Security Management
  - Audits and benchmarking
  - Agreements between partners (SLAs, IA)
  - Certification
- Provides a consistent and uniform approach
Slide 29: Code of Practice for Information Security
- 10 Sections
  - 3 Security Policy
  - 4 Security Organisation
  - 5 Asset Classification and Control
  - 6 Personnel security
  - 7 Physical and environmental security
  - 8 Communications and operations management
  - 9 Access control
  - 10 Systems development and maintenance
  - 11 Business continuity management
  - 12 Compliance
Slide 30: Where to start
- Essential measures from a legislative viewpoint
  - Intellectual property rights
  - Safeguarding organisational records
  - Privacy of personal information
- Essential measures for information security
  - Objectives / policy
  - Allocation of responsibilities for information security
  - Education and Training
  - Reporting security incidents
  - Business continuity management
Slide 31: CoP
Slide 32: CoP Background information
- THREE PRIMARY QUALITY ASPECTS (CIA)
  - CONFIDENTIALITY
    - Protecting sensitive information from unauthorized disclosure or intelligible interception
  - INTEGRITY (in the revised CoP: data integrity)
    - Safeguarding the accuracy and completeness of information and computer software
  - AVAILABILITY
    - Ensuring that information and vital services are available to the business processes when required
- CoP DEALS WITH INFORMATION SECURITY
- INFORMATION in the CoP has been defined as
  - The quality aspects apply to all forms of information: data stored on computers (data, text, video, speech), transmitted across networks, printed out or written down on paper, and spoken in conversations
Slide 33: CoP 3 Security policy
- Information security policy
  - Objective: To provide management direction and support for information security.
  - Top management should set a clear direction and demonstrate their support for and commitment to information security through the issue of an information security policy across the organization.
- Information security policy must be defined by top management
- There must be an explicit owner of the policy, also responsible for periodical revisions and updates
- Accessible to all persons involved
- Attention for threats specific to the own business
Slide 34: CoP 4 Security organisation
- Objective: To manage information security within the organization.
- A management framework should be established to initiate and control the implementation of information security within the organization.
- Steering committee / coordination
- Allocation of security responsibilities
- Authorisation process for IT facilities
- Specialist security advice
- Cooperation between organisations
- Independence of reviews
- Security of third party access
- Revised CoP: Text has been added to describe when third party access happens, what the risks of third party access are, what should be included in a third party contract and what should be covered by an outsourcing contract
Slide 35: CoP 5 Assets classification and control
- Accountability for assets
  - Objective: To maintain appropriate protection of organizational assets.
  - All major information assets should be accounted for and have a nominated owner.
  - Accountability for assets helps ensure that adequate security protection is maintained. Owners should be identified for major assets and assigned responsibility for the maintenance of appropriate security measures. Responsibility for implementing security measures may be delegated, though accountability should remain with the nominated owner of the asset.
- Label
  - vital to business
  - Top Secret data
(diagram: a RESOURCE with its owner and its classification)
Slide 36: CoP 5 Assets classification and control ...
- Inventory of assets
- Each asset must have an owner
- Classification guidelines
- Classification labels
- Revised CoP: Text on the valuation and importance of assets has been added, and the concept of information classification has been broadened to cover the general aspect of information labelling, including integrity and availability labels
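The two asset slides state the rules (an inventory, a nominated owner per asset, classification guidelines and labels, and, in the revised CoP, integrity and availability labels next to confidentiality) but show no check. The following checker is an added example, not CoP text or tooling: it walks a constructed inventory, reports per asset which of those rules is broken, keeps accountability with the owner even when a custodian does the work, and derives a handling tier from the labels. The three guideline scales, the tier rule and the sample assets are assumptions; the person names are the ones used on the slides' org chart.

```python
"""Asset inventory check for the "Assets classification and control" slides.

Constructed example, not the CoP's own text or tooling: every major information
asset must have a nominated owner and a label for each of the three quality
aspects (confidentiality, integrity, availability), following the revised CoP's
broadened labelling. The checker lists the non-conformities per asset, keeps
accountability with the owner even when a custodian does the work, and derives a
handling tier from the labels. Guideline scales and tiers are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

# Classification guidelines (assumed scales, lowest to highest)
CLASSIFICATION_GUIDELINES = {
    "confidentiality": ("public", "internal", "confidential", "top secret"),
    "integrity": ("low", "medium", "high"),
    "availability": ("routine", "important", "vital to business"),
}


@dataclass
class Asset:
    name: str
    owner: Optional[str]                        # nominated owner; None = unaccounted for
    labels: dict = field(default_factory=dict)  # quality aspect -> label
    custodian: Optional[str] = None             # delegated implementer of the measures


def accountable(asset):
    """Accountability stays with the nominated owner even if the work is delegated."""
    return asset.owner


def responsible(asset):
    """Who implements the measures: the custodian if one is named, else the owner."""
    return asset.custodian or asset.owner


def valid_labels(asset):
    """Only labels that exist in the classification guidelines count."""
    return {a: l for a, l in asset.labels.items()
            if a in CLASSIFICATION_GUIDELINES and l in CLASSIFICATION_GUIDELINES[a]}


def check_asset(asset):
    """Return the list of non-conformities for one asset (empty if it conforms)."""
    findings = []
    if not asset.owner:
        findings.append(f"{asset.name}: no nominated owner")
    for aspect, scale in CLASSIFICATION_GUIDELINES.items():
        label = asset.labels.get(aspect)
        if label is None:
            findings.append(f"{asset.name}: missing {aspect} label")
        elif label not in scale:
            findings.append(f"{asset.name}: {aspect} label {label!r} not in the guidelines")
    return findings


def handling(asset):
    """Handling tier from the highest valid label on any scale: top of a scale ->
    'strict', one step below the top -> 'enhanced', otherwise 'baseline'."""
    distances = [len(CLASSIFICATION_GUIDELINES[a]) - 1 - CLASSIFICATION_GUIDELINES[a].index(l)
                 for a, l in valid_labels(asset).items()]
    if not distances:
        return "unclassified"
    closest = min(distances)
    return "strict" if closest == 0 else "enhanced" if closest == 1 else "baseline"


def check_inventory(inventory):
    """Map asset name -> findings; conforming assets map to an empty list."""
    return {a.name: check_asset(a) for a in inventory}


def conforming(inventory):
    """Names of the assets that pass every check."""
    return [a.name for a in inventory if not check_asset(a)]


# Constructed inventory (sample data, not a real organisation's)
INVENTORY = [
    Asset("payroll database", "Alice",
          {"confidentiality": "confidential", "integrity": "high", "availability": "important"},
          custodian="Chris"),
    Asset("public website", "Bob",
          {"confidentiality": "public", "integrity": "medium", "availability": "important"}),
    Asset("board minutes", None, {"confidentiality": "top secret"}),
    Asset("marketing brochure", "Scrooge",
          {"confidentiality": "secret", "integrity": "low", "availability": "routine"}),
]

if __name__ == "__main__":
    for name, findings in check_inventory(INVENTORY).items():
        print(f"{name} [{handling([a for a in INVENTORY if a.name == name][0])}] ->",
              findings or "conforming")
```

Two details mirror the slide text: the payroll database is handled strictly because of its integrity label alone, which is why confidentiality-only labelling (the pre-revision CoP) would under-protect it, and "board minutes" is reported against the owner rule before anything else, because without a nominated owner nobody is accountable for the other findings.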
Slide 37: CoP 6 Personnel security
- Security in job definition and resourcing
  - Objective: To reduce the risks of human error, theft, fraud or misuse of facilities.
  - Security should be addressed at the recruitment stage, included in job descriptions and contracts, and monitored during an individual's employment.
  - Managers should ensure that job descriptions address all relevant security responsibilities. Potential recruits should be adequately screened, especially for sensitive jobs. All employees and third party users of IT facilities should sign a confidentiality (non-disclosure) undertaking.
Slide 38: CoP 6 Personnel security ...
- Security in job descriptions
- Recruitment screening
- Confidentiality agreement
- User education and training
- Responding to incidents
  - reporting of security incidents
  - reporting of security weaknesses
  - reporting of software malfunctions
  - disciplinary process
- Revised CoP: Text has been added to cover terms and conditions of employment, the need for the employee to abide by the same rules and principles as the rest of the organisation, and more details on personnel screening and policy. The fact that security incidents should be used in awareness and training, and that lessons should be learnt from them, was emphasised
Slide 39: CoP 7 Physical and environmental security
- Secure areas
  - Objective: To prevent unauthorized access, damage and interference to IT services.
  - IT facilities supporting critical or sensitive business activities should be housed in secure areas.
  - Such facilities should also be physically protected from unauthorized access, damage and interference. They should be sited in secure areas, protected by a defined security perimeter, with appropriate entry controls and security barriers. A clear desk policy is recommended to reduce the risk of unauthorized access or damage to papers and media.
Slide 40: CoP 7 Physical and environmental security ...
- Physical security perimeter
  - buildings and/or campus
  - physical barriers and procedures
  - badges, card keys
  - registration and supervision of visitors
- Physical entry controls
  - data centers, computer rooms
  - clear desk policy
- Equipment security
  - due care
- Revised CoP: Minor additions on intruder alarms, fire alarms, visitor instructions, and security furniture. Security issues arising from equipment used off-site and home working have also been considered
(diagram: example zoning of a site) Non-IBM Space; IBM Public Space; IBM Internal Space; Controlled Access (1) Area: office room, locked when unattended; Controlled Access (2) Area: raised floor; Isolated Area
Slide 41: CoP 8 Computer and network management
- Operational procedures and responsibilities
  - Objective: To ensure the correct and secure operation of computer and network facilities.
  - Responsibilities and procedures for the management and operation of all computers and networks should be established.
  - This should be supported by appropriate operating instructions and incident response procedures. The principle of segregation of duties should be applied, where appropriate, to reduce the risk of negligent or deliberate system misuse.
Slide 42: CoP 8 Computer and network management ...
- Documented operating, development and control
- Capacity planning, acceptance
- Contingency
- Change management
- Virus control
- Backups, operator logs, air conditioning
- Network security
- Protection of removable media
Slide 43: CoP 8 Computer and network management ...
- Revised CoP
  - This chapter has been renamed Communications and Operations Management and extended to cover a wide interpretation of information processing
  - Text has been added on computers, networks, mobile computing and communications, voice mail and communications, messaging, multimedia, postal services, fax machines, and any other existing or developing technology for the processing and communication of information
  - The discussion on viruses has been broadened to any unauthorised or malicious software
  - The section on data and software exchange has been extended to cover electronic commerce and messaging, and a new subsection on publicly available systems was added
Slide 44: CoP 9 System access control
- Business requirement for system access
  - Objective: To control access to business information.
  - Access to computer services and data should be controlled on the basis of business requirements.
  - This should take account of policies for information dissemination and entitlement.
- User registration
- User password management
- Access control for workstations, network, services and applications
- Monitoring system access and use
Slide 45: CoP 9 System access control ...
- Revised CoP
  - This chapter has been renamed Access Control and generally edited to cover the extension from IT to information
  - The amount of detail, especially within the subsections on passwords, has been reduced to achieve a consistent level of detail throughout the document
  - It has been emphasised that passwords are not the only way of authentication, and a new section on mobile computing and tele-working has been added
Slide 46: CoP 10 Systems development and maintenance
- Security requirements of systems
  - Objective: To ensure that security is built into IT systems.
  - Security requirements should be identified and agreed prior to the development of IT systems.
  - Security countermeasures are substantially cheaper and more effective if incorporated in application systems at the requirements specification and design stages. All security requirements, including the need for fallback processing, should be identified at the requirements phase of a project and justified, agreed and documented as part of the overall business case for an information system.
Slide 47: CoP 10 Systems development and maintenance ...
- Security requirements analysis and specification
- Input data validation
- Data encryption
- Message authentication
- Change management
- Technical review of operating system changes
- Revised CoP
  - New subsections on output validation, digital signatures, non-repudiation, key management, covert channels and Trojan code have been added
  - More emphasis has been put on the description of cryptographic techniques, and how they can be employed to achieve various kinds of protection
  - Text on software integrity and evaluation has been added to the section on security requirements analysis and specification
Slide 48: CoP 11 Business continuity planning
- Aspects of business continuity planning
  - Objective: To have plans available to counteract interruptions to business activities.
  - Business continuity plans should be available to protect critical business processes from the effects of major failures or disasters.
  - There should be a process to develop and maintain appropriate plans for the speedy restoration of critical business processes and services in the event of serious business interruptions.
  - Business continuity planning should include measures to identify and reduce risks, limit the consequences should a threat be realized, and ensure speedy resumption of essential operations.
- Revised CoP: This chapter has been renamed Business Continuity Management and has been restructured and extended to put more emphasis on the business continuity management process. A business continuity and impact analysis must be the basis of any business continuity plan
Slide 49: CoP 12 Compliance
- Compliance with legal requirements
  - Objective: To avoid breaches of any statutory, criminal or civil obligations and of any security requirements.
  - The design, operation and use of IT systems may be subject to statutory and contractual security requirements.
  - All relevant statutory and contractual requirements should be explicitly defined and documented for each IT system. The specific controls, countermeasures and individual responsibilities to meet these requirements should be similarly defined and documented.
  - Advice on specific legal requirements should be sought from the organization's legal advisers. Legislative requirements vary from country to country.
Slide 50: CoP 12 Compliance
- Compliance with legal and contractual requirements
  - illegal copies
  - confidential data
  - privacy laws
  - computer crime and abuse act
- Compliance with security policy
- Technical compliance checking
- Revised CoP
  - The text has been reworded to make it more international in nature, and so all (UK/NL) specific references have been removed
  - The text on control of proprietary software copying and safeguarding of organisational records has been extended, and a new subsection on collection of evidence was added
Slide 51: Agenda
- 101 on Information Security
- Introduction to the Code of Practice for Information Security Management
- The certification process: overview
  - The Statement of Applicability
  - Documentation assessment
  - Implementation assessment
Slide 52: CERTIFICATION AGAINST CoP
- Creates a goal and offers an additional management tool
- Methods and techniques
Slide 53: Why evaluation and certification against CoP?
- Overall benefit for organisations
  - strengthening the confidence between trading partners
  - better protection of customer and other external interests
- CoP (BS7799) is an internationally accepted security standard
- CoP is fit for Small and Medium Enterprises (SME) and Multinationals (MN)
- CoP should be tailored to the customer's needs
- Key players adopt CoP as their security standard
Slide 54: Evaluation approach to certify
- Application for certification against CoP
- Trial assessment
- Review of documentation
- Implementation assessment
- Decision to certify
- Issue the certificate
- The period of the certification agreement is three years
- Each year: surveillance audits
Slide 55: Security evaluation and certification
- Prepare yourself
- Step 1
  - confirm review scope
  - review controls selection process
  - determine internal review strategy
- Step 2
  - organise self-assessments, or
  - organise internal / third party audits
  - use standard questionnaires and toolkit
  - analyse results
  - define improvement plan (security year plan)
- Step 3
  - agree corrective action
  - prepare compliance statement
  - management approval and sign-off
- Step 4: apply for certification
Slide 56: Implication of the certificate
- The certificate implies that
  - a management framework for information security is in place
  - there are no critical non-conformities against the code of practice
  - some non-critical non-conformities may exist
- The certificate does not imply that
  - no weaknesses exist at all
  - no shortcomings in information security can ever arise
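Steps 2 and 3 of the preparation slide (self-assessment with a standard questionnaire, analysis, improvement plan, compliance statement) and the certificate implications above can be tied together in one roll-up. The following evaluator is an added example, not a certification body's scheme or toolkit: each questionnaire answer covers one CoP control; the evaluator derives the statement of applicability, splits the non-conformities into critical and non-critical, reports whether the "no critical non-conformities" condition holds, and orders an improvement plan for the security year plan. The rule that decides what is critical (a non-conformity against one of the eight essential controls from the Where to start slide, or a control excluded from scope without justification) and the sample questionnaire are constructed assumptions.

```python
"""Self-assessment roll-up for the "Security evaluation and certification" and
"Implication of the certificate" slides.

Constructed example, not a certification body's scheme: each questionnaire answer
covers one CoP control; the evaluator produces the statement of applicability,
splits non-conformities into critical and non-critical, and orders an improvement
plan for the security year plan. Assumed rule: a non-conformity against one of the
eight essential controls is critical, as is a control excluded from scope without
justification; everything else is non-critical."""
from dataclasses import dataclass

# The eight essential controls as listed on the "Where to start" slide
ESSENTIAL_CONTROLS = {
    "Intellectual property rights",
    "Safeguarding organisational records",
    "Privacy of personal information",
    "Objectives / policy",
    "Allocation of responsibilities for information security",
    "Education and Training",
    "Reporting security incidents",
    "Business continuity management",
}
STATUSES = ("implemented", "partial", "not implemented", "not applicable")


@dataclass(frozen=True)
class Answer:
    section: int             # CoP section 3..12
    control: str
    status: str
    evidence: str = ""       # document or audit result supporting the answer
    justification: str = ""  # required when the control is declared not applicable


@dataclass(frozen=True)
class Finding:
    control: str
    critical: bool
    reason: str


def evaluate(answers):
    """Turn questionnaire answers into findings (the assumed criticality rule)."""
    findings = []
    for a in answers:
        if a.status not in STATUSES:
            raise ValueError(f"{a.control}: unknown status {a.status!r}")
        if a.status == "not applicable":
            if not a.justification:
                findings.append(Finding(a.control, True, "excluded from scope without justification"))
        elif a.status == "implemented":
            if not a.evidence:
                findings.append(Finding(a.control, False, "implemented but no evidence referenced"))
        else:
            findings.append(Finding(a.control, a.control in ESSENTIAL_CONTROLS,
                                    f"control is {a.status}"))
    return findings


def statement_of_applicability(answers):
    """Controls in scope, and excluded controls with the justification given."""
    in_scope = [a.control for a in answers if a.status != "not applicable"]
    excluded = {a.control: a.justification for a in answers if a.status == "not applicable"}
    return in_scope, excluded


def compliance_ratio(answers):
    """Share of in-scope controls that are fully implemented."""
    in_scope = [a for a in answers if a.status != "not applicable"]
    done = [a for a in in_scope if a.status == "implemented"]
    return len(done) / len(in_scope) if in_scope else 0.0


def ready_for_certification(findings):
    """No critical non-conformities; non-critical ones may remain."""
    return not any(f.critical for f in findings)


def improvement_plan(findings):
    """Critical items first, preserving questionnaire order within each group."""
    ordered = sorted(findings, key=lambda f: not f.critical)
    return [f"{'CRITICAL' if f.critical else 'minor'}: {f.control}: {f.reason}" for f in ordered]


# Constructed questionnaire results (sample data, not a real assessment)
QUESTIONNAIRE = [
    Answer(3, "Objectives / policy", "implemented", evidence="policy v2, signed by the board"),
    Answer(4, "Allocation of responsibilities for information security", "partial"),
    Answer(5, "Inventory of assets", "implemented"),
    Answer(6, "Education and Training", "implemented", evidence="awareness programme 1999"),
    Answer(8, "Protection of removable media", "not implemented"),
    Answer(9, "Mobile computing and tele-working", "not applicable",
           justification="no mobile equipment is issued"),
    Answer(11, "Business continuity management", "not applicable"),
    Answer(12, "Privacy of personal information", "implemented",
           evidence="privacy register, internal audit 1999"),
]

if __name__ == "__main__":
    found = evaluate(QUESTIONNAIRE)
    print("ready for certification:", ready_for_certification(found))
    print("\n".join(improvement_plan(found)))
```

With this questionnaire the organisation is not ready: two of the four findings are critical (a partially implemented essential control, and business continuity management dropped from scope with no justification), while the missing evidence for the asset inventory and the unprotected removable media are the kind of non-critical non-conformities the certificate slide says may coexist with a certificate. Once the two critical items are corrected the same evaluation reports readiness, which is the "no surprises" outcome the certification slides aim for.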
Slide 57: Certification process
- The certification process will show necessary improvement actions, but no surprises should emerge
- The certification process is a proactive approach
- The certification process depends on input from local management
- Clear communication of what is needed
  - it's positive
  - no surprises
  - looking ahead
  - stimulus
Slide 58: Remarks on certification
- Accreditation and certification is not a one-time action, but an ongoing process
- This process has to be implemented into the management framework
- Accreditation and certification can help an organisation to grow to a mature level of information security
- A certificate is not an assurance that everything is all right always and everywhere and that nothing will go wrong ever.
- Overall benefit
  - strengthening the confidence between trading partners
  - better protection of customer and other external interests
Slide 59: The Scheme
(diagram labels) CoP (BS7799); Internal audits; Statement of compliance; Your security plan; Certificate / statement of applicability; Implemented plan; Certification audit
- Criteria
  - Processes
  - Audit results
  - Management framework
Slide 60: What do you do anyway
(flow) Define your security plan -> Demand compliance / implement plan -> Internal audit to check compliance -> Statement of compliance
Responsibility: the organisation
Slide 61: Additional for certification
(flow, with the certification audit added) Define your security plan -> Demand compliance / implement plan -> Internal audit to check compliance -> Certification audit -> Certificate
Slide 62: Certification Audit
Don't lie to an auditor
Slide 63: Conclusion on Certification
- Benefits
  - Get your house in order
  - Strengthen trust between business partners
- Limitations
  - Scope and depth
  - Process oriented
- And of course
  - Improves information security permanently!
  - Better protection of our clients' and third parties' interests
Slide 64: Conclusion of today
- Information Security
- Code of Practice for Information Security Management
- ITIL Security Management
- Audits and Benchmarking
- Agreements with partners (SLAs)
- Certification
- What is in it for you
- And for your organisation
Slide 65: Questions?