ISACA GEEK WEEK
SECURITY MANAGEMENT TO ENTERPRISE RISK MANAGEMENT USING THE ISO 27001 FRAMEWORK
AUGUST 19, 2015
Presenters
• Michael Fuller
  – Michael has more than 20 years of business experience in Technology, Operations, Product Development, Marketing, Sales and Finance. He has been a consultant with Coalfire for the past two years; before Coalfire he was Co-Founder and Chief Compliance Officer at CRE Secure Payments, a venture-capital-backed company specializing in securing ecommerce transactions over the internet.
  – In his many previous roles he has worked for Apple Inc, Time Warner and Cox Enterprises' Autotrader.com, as well as several global interactive advertising agencies.
  – Michael has worked in 13 countries around the world, has two teenage daughters and holds a Bachelor's Degree in Earth Science from Macquarie University in Sydney, Australia.
Customer Success Story:
Identity – International, multi-business unit, multi-channel specialty retailer.
Challenge – Extend a successful security / compliance program beyond the cardholder environment, and reduce cyber risk across the enterprise.
Approach – Develop an ISMS and pursue ISO 27001 certification.
Results – 40% of security gaps closed within the first six months of the program (including all critical findings); cross-functional participation and support.
Cyber Incidents Are On the Rise
• In 2013, the FBI notified over 3,000 U.S. companies, including money center banks, major defense contractors, and leading retailers, that they had been the victims of cyber intrusions
• IBM estimates that over half a billion records of personally identifiable information (names, credit card information, social security numbers, etc.) were stolen in 2014
• 77% of companies detected a security event in the past 12 months (1)
• Organizations on average detect 135 cybersecurity incidents each year (1)
• 7% of U.S. organizations lost $1 million or more, and 19% of organizations lost at least $50k, in 2013 due to cybercrime incidents (1)
• 84% of survey respondents believe the number of cyber attacks will increase (2)
• 75% of survey respondents expect cloud security budgets to increase dramatically (3)
(1) Source: PwC, Managing Cyber Risks in an Interconnected World, Sept. 30, 2014
(2) Source: BAE Systems, Business and the Cyber Threat: the Rise of Digital Criminality, February 2014
(3) Source: IBM, 3rd Annual CISO Study, December 2014
Large Data Breaches
Over the past 18 months, dozens of major cybersecurity breaches have been announced, collectively affecting hundreds of millions of people.
Increased Government Oversight
Over the past 12 months, several Federal, state, and international government agencies have announced specific cybersecurity policies.
Cyber Risk is Now a Matter of Corporate Governance
• Cybersecurity is a management issue, not a technology issue
• Boards need to understand the legal implications of cyber risk to the corporation
• Boards need access to cybersecurity expertise at timely and regular intervals
• Directors should set expectations that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget
ISO 27001
• ISO 27001 is a security management standard that specifies information security management best practices and a comprehensive set of security controls (Annex A), with implementation guidance provided by ISO 27002. It is a widely recognized international security standard in which many companies in the US are showing significant interest. Certification against the standard requires:
• Systematic evaluation of the organization's information security risks, taking into account its threats and vulnerabilities and the impact of their exploitation
• Design and implementation of a comprehensive suite of information security controls and other forms of risk treatment to address the business and architectural security risks identified
• Adoption of an overarching management process to ensure that the information security controls meet the organization's information security needs on an ongoing basis
About ISO 27001
Total worldwide certificates now in excess of 20,000, with East Asia/Pacific and Europe dominating the pack.
By Industry
Rank  Industrial Sector                       # Certs
1     Information Technology                  5,059
2     Other Services                          849
3     Construction                            396
4     Transport, storage and communication    322
5     Electrical and optical equipment        289
Total number of certifications issued in 2013 by industry sector (data approximate, as estimated by ISO/IEC)
By far, the largest industry sector seeking certification every year has been Information Technology.
So why ISO?
• The ISO 27001 Standard provides the company with a solid yet flexible framework for the effective management of a rigorous, ongoing security program.
• The Information Security Management System (ISMS) required under the standard defines how the company perpetually manages security in a holistic, comprehensive way.
• The Standard can apply to any type or size of business, big or small, and is not hampered by adherence to externally driven requirements, as is the case for PCI. This means the scope and design of the ISMS can be driven entirely by the business needs of the particular company or business.
• Companies can adopt the standard as the blueprint for their information security program and choose whether or not they wish to pursue full certification.
• Certification by an independent organization accredited as an official Certification Body (CB), such as Coalfire ISO, provides external validation that the organization conforms to the requirements of the international standard.
• ISO certification is recognized in over 60 countries around the world, in all member countries of the International Accreditation Forum (IAF).
ISO 27001 Advantages
• A powerful combination
  • ISO 27001 is not driven solely by external considerations, as are standards like PCI Compliance and HIPAA.
  • The combination of the business-driven, risk-based management framework of 27001, and the cross-over with IT controls required for business and other applicable compliance needs, provides the client with a powerful, organization-wide approach that can be more deeply integrated into client business goals and objectives.
• Wide applicability
  • ISO 27001 can be valuable as an operating framework for a small company laying the groundwork for information security in their business, or for complex Fortune 500s designing a sophisticated risk-based management framework for all information security in the company. The standard can be applied to virtually any business vertical, wherever businesses have a concern about the security of information within the organization, whether it relates to internal business assets or external customer information.
• Building blocks
  • ISO 27001 provides the blueprint for a risk-based information security management framework that is different from most of the compliance standards currently in use in the US, as its scope can be designed entirely by the client based on business needs. The Standard provides rigorous guidance for the management of information security but does not mandate the specific IT controls required: the Annex A controls must be considered, but any of them can be excluded with a documented justification in the Statement of Applicability.
ISO 27001 Cycle
• ISO 27001 Gap Analysis
• ISO 27001 Action Plan
• ISO 27001 Training
• Formation of ISMS
• Domain and Control Area Analysis
• Process Documentation
• Documentation Review
• Update and Revise Processes
• Training on Defined Processes
• Implementation of Defined Processes
• Asset Risk Assessment
  – Perform Asset Risk Assessment
  – Identify and Implement Controls
• Internal Audit Training
• Internal Audit Readiness
• Internal Audit Report
• Closure of Findings
• Certification
ISO 27001 Certification - Cycle
• Three-year cycle commencing from the initial certification audit
• First year: initial certification is in two stages:
  • Stage one audit: review of the ISMS documentation and a readiness assessment for stage two
  • Stage two audit: on-site audit of ISMS implementation and effectiveness; certification is granted on a successful outcome
• One year out: Surveillance Audit 1
• Second year out: Surveillance Audit 2
• Third year: full certification audit again, stage one and two, starting a new three-year cycle