Information Security Management, Standards and best practices - PowerPoint PPT Presentation

About This Presentation
Title:

Information Security Management, Standards and best practices

Description:

ISO/IEC 27002: 2005 * Risk assessment (c.-d.-e.) The three stages are risk assessment execution: Identify a risk assessment methodology that is suited to the ISMS, ... – PowerPoint PPT presentation

Number of Views:1365
Avg rating:3.0/5.0
Slides: 54
Provided by: et4
Category:

less

Transcript and Presenter's Notes

Title: Information Security Management, Standards and best practices


1
Information Security Management, Standards and
best practices
  • S. ?????????
  • ?e t? s??e?sf??? t?? ?. ?a??da ?a? ?. ?s????

2
Standards Standardization Process
  • De facto de jure standards
  • Standardization bodies
  • ISO (International Organization for
    Standardization) National bodies Technical
    Committees
  • ???? (????????? ???a??sµ?? ??p?p???s??)
  • CEN, ANSI, NIST, BSI
  • Processes
  • Certification
  • Accreditation

3
Why?
  • Threat of legal liability
  • Organizations and software vendors are being held
    to a higher degree of accountability for
    security, if not in the courtroom, by their
    customers
  • Business partners and stakeholders demanding
    security
  • Organizations are challenged to prove they are
    managing security to a level that will satisfy
    their business partners and stakeholders.
  • Proliferation of standards, regulations and
    legislation
  • Organizations face complex requirements to comply
    with a myriad of regulations.

4
Comprehensive IS Management Principles Based
  • OECD Guidelines for the Security of Information
    Systems and Networks (2002) 9 pervasive
    principles for information security
  • NIST (National Institute of Standards and
    Technology)
  • SP 800-14 Generally Accepted Principles and
    Practices for Securing IT Systems, 1996
  • SP 800-18, Guide for Developing Security Plans
    for Federal Information Systems,1998 (revised
    2006)
  • SP 800-30 Risk Management Guide for IT Systems,
    2002
  • IFAC International Guidelines on Information
    Technology ManagementManaging Information
    Technology Planning for Business Impact
    International Federation of Accountants, New
    York, 1999.

5
Comprehensive IS Management - Controls Based
  • BS 7799 Parts 1, 2 3 Code of Practice for
    Information Security Management (British
    Standards Institute)
  • ISO 27001 Information Technology Information
    Security Management Systems - Requirements
  • ISO 27002 Information Technology Code of
    Practice for Information Security Management
    (former ISO 17799)
  • ISO 27003 Information Technology Information
    management system implementation guidance
  • ISO 27004 Information technology - Information
    security management - Measurement
  • ISO 27005 Information Technology Information
    security risk management
  • IT Baseline Protection Manual - BSI (Bundesamt
    für Sicherheit in der Informationstechnik)
  • NIST
  • 800-53 - Recommended Security Controls for
    Federal Information Systems
  • Several specific standards (e.g. Secure Web
    Services, PDA security, Implementing HIPAA,
    Contingency planning, etc.)

6
Other categories
  • Capability Maturity Model
  • ISO 21827 System Security Engineering -
    Capability Maturity Model (SSE-CMM)
  • Product Security Models
  • ISO 15408 Common Criteria
  • TCSEC, ITSEC
  • Business Continuity Management
  • ISO24762 Information Technology Guidelines for
    information and communication technology disaster
    recovery services
  • ISO27031 Information Technology Security
    Techniques Guidelines for ICT readiness for
    Business Continuity
  • BS25999 Business Continuity Management
  • ISO18044 Information technology Information
    security incident management
  • Governance Guides
  • ISO38500 Corporate guidance of IT
  • COBIT Control Objectives for Information and
    Related Technologies (ISACA)
  • IT Governance Implementation Guide (ISACA)

7
OECD Guidelines -1-
  • towards a culture of security
  • Awareness
  • Participants should be aware of the need for
    security of information systems and networks and
    what they can do to enhance security.
  • Responsibility
  • All participants are responsible for the security
    of information systems and networks.
  • Response
  • Participants should act in a timely and
    co-operative manner to prevent, detect and
    respond to security incidents.
  • Ethics
  • Participants should respect the legitimate
    interests of others.
  • Democracy
  • The security of information systems and networks
    should be compatible with essential values of a
    democratic society.

8
OECD Guidelines -2-
  • Risk assessment
  • Participants should conduct risk assessments.
  • Security design and implementation
  • Participants should incorporate security as an
    essential element of information systems and
    networks.
  • Security management
  • Participants should adopt a comprehensive
    approach to security management.
  • Reassessment
  • Participants should review and reassess the
    security of information systems and networks, and
    make appropriate modifications to security
    policies, practices, measures and procedures.

9
Information Security Standards
  • TCSEC (Orange Book)
  • ITSEC
  • Common Criteria

10
Standards history -1-
  • 1983 Trusted Computer System Evaluation Criteria
    (TCSEC) developed in the United States.
  • 1991 Information Technology Security Evaluation
    Criteria (ITSEC) version 1.2 published by the
    European Commission (joint development by France,
    Germany, the Netherlands, and the UK).
  • 1993 Canadian Trusted Computer Product
    Evaluation Criteria (CTCPEC) version 3.0,
    published as a combination of the ITSEC and TCSEC
    approaches.

11
Standards history -2-
  • 1990 the International Organization for
    Standardization (ISO) starts to develop an
    international standard evaluation criteria for
    general use.
  • June 1993 the sponsoring organisations of the
    CTCPEC, FC, TCSEC and ITSEC began a joint
    activity to align their separate criteria into a
    single set of IT security criteria that could be
    widely used. This activity was named the CC
    Project.

12
Common Criteria -1-
  • Meant to be used as the basis for evaluation of
    security properties of IT products and systems.
  • Permits comparability between the results of
    independent security evaluations.
  • Guide for the development of products or systems
    with IT security functions and for the
    procurement of commercial products and systems
    with such functions.
  • Addresses protection of information from
    unauthorised disclosure,modification, or loss of
    use (confidentiality, integrity, availability).
  • It is applicable to IT security measures
    implemented in hardware, firmware or software.

13
Common Criteria -2-
  • Does not contain security evaluation criteria
    pertaining to administrative security measures
    not related directly to the IT security measures.
  • De facto standard in the US since 1998.
  • Accepted as ISO 15408
  • Includes
  • CC documents
  • CC Evaluation Methodology (CEM)
  • CC National Scheme
  • 7 Evaluation Assurance Levels
  • EAL1 to EAL7
  • 11 Functionality Requirements Classes
  • 10 Assurance Requirements Classes

14
Evaluation Context
15
Common Criteria Target Group
  • Consumers
  • They can use the results of evaluations to help
    decide whether an evaluated product or system
    fulfils their security needs. They can also use
    the evaluation results to compare different
    products or systems.
  • Developers
  • CC can support developers in preparing for and
    assisting in the evaluation of their products or
    systems and in identifying security requirements
    to be satisfied by each of their products or
    systems.
  • Evaluators
  • The CC contains criteria to be used by
    evaluators when forming judgments about the
    conformance of TOEs to their security
    requirements.
  • Others
  • Auditors, Security Officers

16
Common Criteria Basic concepts
  • Protection Profile (PP)
  • An implementation-independent set of security
    requirements for a category of TOEs that meet
    specific consumer needs.
  • Target of Evaluation (TOE)
  • An IT product or system and its associated
    administrator and user guidance documentation
    that is the subject of an evaluation.
  • Security Target (ST)
  • A set of security requirements and specifications
    to be used as the basis for evaluation of an
    identified TOE.

17
TOE Development Method
  • Protection Profile (PP)
  • Target of Evaluation (TOE)
  • Security Target (ST)

18
ISO 27002 (former 17799)
  • First edition 2000. Current edition 2005
  • Prepared by the British Standards Institution (as
    BS 7799) and was adopted by Joint Technical
    Committee ISO/IEC JTC 1, Information Technology,
    in parallel with its approval by national bodies
    of ISO and IEC.
  • Information technology Code of practice for
    information security management

19
ISO 27002 as a code of practice
  • May be regarded as a starting point for
    developing organization specific guidance.
  • Not all of the guidance and controls in this code
    of practice may be applicable.
  • Furthermore, additional controls not included in
    this document may be required.

20
ISO 27002
  • Gives recommendations for information security
    management for use by those who are responsible
    for initiating, implementing or maintaining
    security in their organization.
  • It is intended to provide a common basis for
    developing organizational security standards and
    effective security management practice and to
    provide confidence in inter-organizational
    dealings.
  • Recommendations from this standard should be
    selected and used in accordance with applicable
    laws and regulations.

21
ISO 27002 Information Security Policy
  • Information security policy document
  • Review and evaluation

22
ISO 27002 Organizational Security
  • Information security is a business
    responsibility shared by all members of the
    management team.
  • Information security infrastructure
  • management framework management fora with
    management leadership should be established to
    approve the information security policy, assign
    security roles and co-ordinate the implementation
    of security across the organization
  • multi-disciplinary approach to information
    security involving the co-operation and
    collaboration of managers, users, administrators,
    application designers, auditors and security
    staff, and specialist skills in areas such as
    insurance and

23
ISO 27002 Asset classification and control
  • Asset accountability
  • Accountability should remain with the owner of
    the asset. Responsibility for implementing
    controls may be delegated.
  • Information classification
  • Information should be classified to indicate the
    need, priorities and degree of protection,
    depending on varying degrees of sensitivity and
    criticality.

24
ISO 27002 Personnel security
  • Security in job definition and resourcing
  • User training
  • Users should be trained in security procedures
    and the correct use of information processing
    facilities to minimize possible security risks.
  • Responding to security incidents and malfunctions
  • Weaknesses, malfunctions
  • Learning from incidents
  • Disciplinary process

25
ISO 27002 Physical and environmental security
  • Secure areas
  • Security perimeter, entry controls
  • Protection provided should be commensurate with
    the identified risks.
  • Equipment security
  • Safety

26
ISO 27002 Communications and operations
management
  • Operational procedures and responsibilities
  • Incident management procedures
  • Segregation of duties
  • Separation of development and operational
    facilities
  • System planning and acceptance
  • Capacity planning, performance requirements,
    system acceptance
  • Protection against malicious software
  • Back ups, logging
  • Network management
  • Media handling
  • tapes, disks, cassettes
  • Information exchange between organizations
  • Policy on Email
  • Electronic commerce security

27
ISO 27002 Access control
  • Access control policy
  • User access management
  • Access rights, passwords
  • User responsibilities
  • Network access control
  • Network segregation
  • Operating system access control
  • Application access control
  • Monitoring system access and use
  • Mobile computing and teleworking

28
ISO 27002 Systems development and maintenance
  • Security requirements of systems
  • built-in security
  • Security in application systems
  • Message authentication, hash algorithms,
    cryptography
  • Cryptographic controls
  • To protect the confidentiality, authenticity or
    integrity of information (encryption, digital
    signatures, key management)

29
ISO 27002 Business continuity management -1-
  • To counteract interruptions to business
    activities and to protect critical business
    processes from the effects of major failures or
    disasters.
  • A business continuity management process should
    be implemented to reduce the disruption caused by
    disasters and security failures (which may be the
    result of, for example, natural disasters,
    accidents, equipment failures, and deliberate
    actions) to an acceptable level through a
    combination of preventative and recovery controls.

30
ISO 27002 Business continuity management -2-
  • The consequences of disasters, security failures
    and loss of service should be analyzed.
    Contingency plans should be developed and
    implemented to ensure that business processes can
    be restored within the required time-scales. Such
    plans should be maintained and practiced to
    become an integral part of all other management
    processes.
  • Business continuity management should include
    controls to identify and reduce risks, limit the
    consequences of damaging incidents, and ensure
    the timely resumption of essential operations.

31
ISO 27002 Compliance
  • Compliance with legal requirements
  • Data protection and privacy of personal
    information
  • Intellectual property rights (IPR)
  • Regulation of cryptographic controls
  • Compliance with security policy

32
ISO/IEC 27001 2005
  • Specifies the requirements for establishing,
    implementing, operating, monitoring, reviewing,
    maintaining and improving a documented
    Information Security Management System (ISMS)
    within the context of the organizations overall
    business risks.
  • May serve as a suitable basis for ISMS
    certification.

33
ISO/IEC 27001 2005
  • Contains requirements for the implementation of
    security controls customized to the needs of
    individual organizations or parts of them.
  • Contains requirements in a structure of
  • 11 control clauses that include
  • 39 control objectives
  • 133 controls

34
The PDCA model of ISO/IEC 27001
35
PLAN Establish the ISMS
36
Define the scope of ISMS (a.)
  • Definition of the boundaries of the ISMS in terms
    of the characteristics
  • the business,
  • the organization,
  • its location,
  • assets,
  • technology,
  • justified details of any exclusions from the
    scope.

37
Define an ISMS policy (b.)
  • Definition of an ISMS policy that
  • includes a framework for setting objectives and
    establishes an overall sense of direction and
    principles for action with regard to information
    security
  • takes into account business and legal or
    regulatory requirements, and contractual security
    obligations
  • aligns with the organizations strategic risk
    management context in which the establishment and
    maintenance of the ISMS will take place
  • establishes criteria against which risk will be
    evaluated, and
  • has been approved by management.

38
Risk assessment (c.-d.-e.)
  • Risk assessment is the process of combining risk
    identification, risk analysis and risk
    evaluation.
  • ISO/IEC 13335-1 2004
  • The results of the risk assessment will help to
    guide and determine the appropriate management
    action and priorities for managing information
    security risks, and for implementing controls
    selected to protect against these risks.
  • ISO/IEC 27002 2005

39
Risk assessment (c.-d.-e.)
  • The three stages are risk assessment execution
  • Identify a risk assessment methodology that is
    suited to the ISMS, and the identified business
    information security, legal and regulatory
    requirements.
  • Develop criteria for accepting risks and identify
    the acceptable levels of risk.
  • Identify the risks (assets, threats,
    vulnerabilities, impacts)
  • Analyze and evaluate the risks (estimation of
    level of risks and evaluation whether they are
    acceptable or require treatment).

40
Risk Assessment activities
  • Risk assessment consists of the following
    activities
  • Risk analysis which comprises
  • Risk identification
  • Risk estimation
  • Risk evaluation

41
Prepare Statement of Applicability (j.)
  • The Statement of Applicability shall include the
    following
  • the control objectives and controls selected and
    the reasons for their selection
  • the control objectives and controls currently
    implemented, and
  • the exclusion of any control objectives and
    controls in Annex A and the justification for
    their exclusion.

42
DO Implement and Operate the ISMS (1)
  • Formulate a risk treatment plan, that shall
    contain
  • The method selected for treating the risk
  • What controls are in place
  • What additional controls are proposed
  • Time frame for controls implementation
  • Identified acceptable level of risk (and residual
    risk)
  • Implement the risk treatment plan in order to
    achieve the identified control objectives.

43
DO Implement and Operate the ISMS (2)
  • Implement controls selected to meet the control
    objectives.
  • Define how to measure the effectiveness of the
    selected controls.
  • Implement training and awareness programs.
  • Manage operation of the ISMS.
  • Manage resources for the ISMS.
  • Implement procedures and other controls capable
    of enabling prompt detection of security events
    and response to security incidents.

44
CHECK Monitor and review (1)
  • Execute monitoring and reviewing procedures and
    other controls to
  • promptly detect errors
  • promptly identify attempted and successful
    security breaches and incidents
  • enable management to determine whether the
    security activities delegated to people or
    implemented by information technology are
    performing as expected,
  • help detect security events by the use of
    indicators, and
  • determine whether the actions taken to resolve a
    breach of security were effective.

45
CHECK Monitor and review (2)
  • Undertake regular reviews of the effectiveness of
    the ISMS.
  • Measure the effectiveness of controls to verify
    that security requirements have been met.
  • Review risk assessments at planned intervals and
    review the residual risks and the identified
    acceptable levels of risks, taking into account
    potential changes.
  • Conduct internal ISMS audits at planned
    intervals.
  • Update security plans to take into account the
    findings of monitoring and reviewing activities.
  • Record actions and events that could have an
    impact on the effectiveness or performance of the
    ISMS.

46
ACT Maintain and Improve the ISMS
  • The organization shall regularly
  • Implement the identified improvements in the
    ISMS.
  • Take appropriate corrective and preventive
    actions
  • Apply the lessons learnt from the security
    experiences of other organizations and those of
    the organization itself.
  • Communicate the actions and improvements to all
    interested parties
  • Ensure that the improvements achieve their
    intended objectives.

47
Required documentation (1)
  • Documented statements of the ISMS policy and
    objectives
  • The scope of the ISMS
  • Procedures and controls in support of the ISMS
  • A description of the risk assessment methodology
  • The risk assessment report
  • The risk treatment plan

48
Required documentation (2)
  • Documented procedures needed by the organization
    to ensure the effective planning, operation and
    control of its information security processes and
    describe how to measure the effectiveness of
    controls
  • Records required by the ISO/IEC 270012005, and
  • The Statement of Applicability (SOA).

49
Annex A - Control objectives and controls
  1. Security Policy
  2. Organizing Information Security
  3. Asset Management
  4. Human Resources Security
  5. Physical and Environmental Security
  6. Communications and Operations Management
  7. Access Control
  8. Information Systems Acquisition, Development and
    Maintenance
  9. Information Security Incident Management
  10. Business Continuity Management
  11. Compliance

50
Annex A - Control objectives and controls
Examples (1)
  • A5 Security Policy
  • Objective To provide management direction and
    support for information security in accordance
    with business requirements and relevant laws and
    regulations
  • A5.1 Information security policy document
  • Control An information security policy document
    shall be approved by management, and published
    and communicated to all employees and relevant
    external parties.

51
Annex A - Control objectives and controls
Examples (2)
  • A.11 Access control
  • A.11.2 User access management
  • Objective To ensure authorized user access and
    to prevent unauthorized access to information
    systems
  • A11.2 User responsibilities
  • Objective To prevent unauthorized user access,
    and compromise or theft of information and
    information processing facilities
  • A11.2.3 User password management
  • Control The allocation of passwords shall be
    controlled through a formal management process
  • A11.2.1 Password use
  • Control Users shall be required to follow good
    security practices in the selection and use of
    passwords

52
Trends
  • More regulatory and legislative oversight.
  • Executive and board oversight of information
    security.
  • ISO27001/ISO27002 have become the de facto
    standard for information security program.
  • ISO27000 series
  • ISO27000 Glossary
  • ISO27003 Implementation of ISMS
  • ISO27004 Measurement and metrics
  • ISO27005 Risk management
  • ISO27006 Accreditation guidelines
  • ISO27k to be continued

53
References
  • G???t?a??? S., ??asf???s? ?a? ????????s?
    ?sf??e?a? S?st?µ?t?? ?a? ??????t?? (?ef.9), st?
    ??ts??a? S., G???t?a??? ?. ?a? G???t?a??? S.
    (ep?µ??e?a) ?sf??e?a ?????f???a??? S?st?µ?t??,
    ??d?se?? ???? ?e?????????, ????a 2004, se?.
    267-315.
  • ?a??da ?., ????t???? ?sf??e?a? ?????f???a???
    S?st?µ?t??, st? ??ts??a? S., G???t?a??? ?. ?a?
    G???t?a??? S. (ep?µ??e?a) ?sf??e?a ?????f???a???
    S?st?µ?t??, ??d?se?? ???? ?e?????????, ????a
    2004, se?. 377-406.
Write a Comment
User Comments (0)
About PowerShow.com