Slide 1 Information Security Management Systems An ISO 27001 Introduction Mahmood Justanieah ISACA-Jeddah Technical Meeting 18-March-2009
Slide 1
Information Security Management SystemsAn ISO 27001 Introduction
Mahmood Justanieah
ISACA-Jeddah Technical Meeting18-March-2009
Slide 2
19h00 Information Security ISO 27001: 2005 and ISO 27002:2005 Control objectives and controls Deffrinces between ISO 27001 & other Standards
ITIL, Cobit, ISO 2000019h45: Questions & Answers
20h00 Closure
Slide 3
Section 1Information Security
Slide 4
► Compliance requirements, new notification laws and the growing of breaches have made organizations aware they need a structured approach to data security.
►Organizations are increasingly dependent on information assets
► Information users (internal & external) are demanding increased availability
► The number of incidents that threaten the continuity of operations is growing
► A single security breach can:
destroy a company’s Image
depress the value of the business
erode the “bottom line”; and
compromise future earnings
Scenario
Slide 5
► For 2007, per-record compromised costs continued to increase (2007 Annual Study: US Cost of Data Breach- research conducted by Ponemon Institute LLC).
► The average total cost per reporting company was more than 6.3 million US Dollars per breach and ranged between 225.000 to almost 35 million
Data breach costs
Slide 6
Cause of data breach► Lost or stolen laptops and other devices such as USB flash drivers were the
most significant source of a data breach. (2007 Annual Study: US Cost of Data Breach- research conducted by Ponemon Institute LLC)
Slide 7
Risks and Threats
► Data Breach
Media attention
Breach notifications
Brand degradation
Government Agency Audit
► Customer Complaint
Government Agency s finding/order
Litigation
Loss of customer
► Non-Compliance
Restrictions on business activities
Loss of a contract
New privacy controls
Publicly named through a Commissioner’s order or legal proceedings
► Over-Compliance
Unnecessary restrictions on business activities
Decreased customer satisfaction
Competitive disadvantage
Slide 8
Information as an Asset
► Information is:
• ‘An asset that, like other important business assets, is essential to an organization’s business and consequently needs to be suitably protected.’
• Source: ISO/IEC 27002:2005 Section 0.1
► Asset Definition:
• “anything that has value to the organization”
• Source: ISO/IEC 27001:2005, 3.1
Slide 9
Information Security not IT Security
► Information must be protected throughout its entire lifecycle:
Creation
Storage
Processing
Distribution
► Information must be protected independent from its format or media
► Not IT
Paper document (on desks, in waste bins, left on photocopiers)
Whiteboards conversations overheard
Conversations on public transports
………
People
Slide 10
Information Security
► Information Security
• “preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved”
• Source: ISO/IEC 27001:2005
► Confidentiality: Ensuring that information is accessible only to those authorized to have access. Clause 3.3 of ISO/IEC 27001
► Integrity: Safeguarding the accuracy and completeness of information and process methods. Clause 3.8 of ISO/IEC 27001
► Availability: Ensuring that authorized users have access to information and associated assets when required. Clause 3.2 of ISO/IEC 27001
Slide 11
Information Security Management System
► Information Security Management System (ISMS)
That part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security
Is a Management Process and Not a technological process
Strategic decision of an organization
• Design and implementation
• Needs and objectives
• Security requirements
• Processes employed
• Size and structure of the organization
• Scaled with ‘needs’
Slide 12
Section 2ISO 27001: 2005 and ISO 27002:2005
Slide 13
The History of ISO 27001
1992The Department of Trade and Industry (DTI), which is part of the UK Government, publish a 'Code of Practice for Information Security Management'.
1995This document is amended and re-published by the British Standards Institute (BSI) in 1995 as BS7799.
1996Support and compliance tools begin to emerge, such as COBRA.David Lilburn Watson becomes the first qualified certified BS7799 Auditor1999The first major revision of BS7799 was published. This included many major enhancements.Accreditation and certification schemes are launched. LRQA and BSI are the first certification bodies.2000In December, BS7799 is again re-published, this time as a fast tracked ISO standard. It becomes ISO 17799 (or more formally, ISO/IEC 17799).
Slide 14
The History of ISO 27001
2002A second part to the standard is published: BS7799-2. This is an Information Security Management Specification, rather than a code of practice. It begins the process of alignment with other management standards such as ISO 9000.
2005A new version of ISO 17799 is published. This includes two new sections, and closer alignment with BS7799-2 processes..
2005ISO 27001 is published, replacing BS7799-2, which is withdrawn. This is a specification for an ISMS (information security management system), which aligns with ISO 17799 and is compatible with ISO 9001 and ISO 14001.
Slide 15
ISO 27001
► There are two closely related standards:
• ISO/IEC 27001 is a standard specification for requirements of an Information Security Management Systems (ISMS).
• ISO/IEC 27002:2005 is the standard code of practice and can be regarded as a comprehensive catalogue of good security things to do.
► ISO/IEC 27001
► Specifies requirements:
For establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS
► Designed to:
Ensure adequate security controls to protect information assets, documenting ISMS
Give confidence to customers & interested parties
Slide 16
Other related standards
► ISO/IEC 27006 - Information technology -- Security techniques - Requirements for bodies providing audit and certification of information security management systems
► ISO/IEC FDIS 27011 - Information technology -- Information security management guidelines for telecommunications
► SSE-CMM, Software Security Engineering – Capability Maturity Model, now released as ISO 21827: 2002
Helps organizations determine their security maturity relative to a set of capability metrics
► Under development
• ISO/IEC 27000 - an introduction and overview for the ISMS Family of Standards, plus a glossary of common terms
• ISO/IEC 27003 - ISMS implementation guide
• ISO/IEC 27004 - information security management measurements
• ISO/IEC 27005 - information security risk management
• ISO/IEC 27007 - guideline for auditing ISMSs
• ISO/IEC 27011 - guideline for ISMSs in the telecommunications industry
• ISO/IEC 27799 - guidance on implementing ISO/IEC 27002 in the healthcare industry
Slide 17
Process Approach
► ISO 27001 has adopted a Process Approach, which means an organization needs to identify and manage many activities in order to function effectively
► Any activity using resources and managed in order to enable the transformation of Inputs into Outputs, can be considered to be a Process
Inputs >>>>>>> Process >>>>>>> outputs**Often, outputs from one process provide inputs into the next
► Process approach for ISMS encourages users to emphasize the importance of:
understanding an organization’s information security requirements and the need to establish POLICY and OBJECTIVES for information security
implementing and operating CONTROLS to manage an organization’s information security risks in the context of the organization’s overall business risks
monitoring and reviewing the performance and effectiveness of the ISMS, and
CONTINUAL IMPROVEMENT based on objective measurement
Slide 18
PDCA► Plan, Do, Check, Act is to be applied to structure all ISMS processes
► Figure illustrates how an ISMS takes the information security requirements and expectations of the interested parties and, through the necessary actions and processes, produces information security outcomes that meets those requirements and expectations
Slide 19
PDCA
► The continuous change of the company, technology and society requires a process of continuously evaluating the effectiveness and efficiency of all security controls and adopting the security system to changing requirements.
► This results in a control loop known as PDCA model:
Plan and implement security controls
Operate security controls
Monitor the security system and the world around you
Initiate necessary change of the security system
Slide 20
Compatibility with other management systems
► ISO 27001 is aligned with ISO 9001:2000 and ISO 14001:2004 in order to support consistent and integrated implementation and operation with related management standards.
► ISO 27001 illustrates the relationship between its requirements, ISO 9001:2000 and ISO 14001:2004.
► This International Standard is designed to enable an organization to align or integrate its ISMS with related management system requirements.
….
Slide 21
Compliance to ISO/IEC 27001
►All clauses in ISO/IEC 27001 are mandatory
Risk treatment plan based on risk assessment
Documentation supporting various clauses
Statement of applicability based on scoping, justifying the choice of controls
• Annex A lists mandatory controls to choose from
• Valid justification must be documented to eliminate a control
• Chosen controls must be documented for audit purposes
►Certification to the standard requires that all clauses be implemented
Slide 22
Process Flow for Information Security
Define the information security policy
Define the scope of ISMS
Undertake risk assessment
Manage the risk
Select control objectives and controls to be
implemented
Step 1
Step 2
Step 3Threats, Vulnerabilities, Impacts
Step 4Organization’s approachto risk managementDegree of assurance required
Step 5Control Objectivesand controlsAdditional Controls
Information Security policy
Scope of ISMS
Risk assessment
Areas of risk to be managed
Statement of Applicability
Information Assets
Selected control options
Results and conclusions
Slide 23
Implementation of an ISMS - Plan
► Establish and manage the ISMS
Scope and boundaries
Policy / objectives
Define risk assessment approach
Identify risks
Analyse and evaluate the risks
Identify and evaluate options for treatment of risks
Select control objectives & controls (Annex A)
Obtain management approval of the proposed residual risks
Obtain management authorisation to implement and operate the ISMS
Prepare a Statement of Applicability
Slide 24
Implementation of an ISMS - Do
► Implement and operate the ISMS
Formulate risk treatment plan
Implement risk treatment plan
Define how to measure effectiveness of selected controls
Implement controls selected to meet control objectives
Implement training and awareness
Manage operations and resources
Implement procedures and other controls
Slide 25
Implementation of an ISMS - Check
►Monitor and review the ISMS
Execute monitoring procedures and other controls
Undertake regular reviews of the effectiveness of the ISMS
Measure effectiveness of controls
Review risk assessments at planned intervals
Review level of residual risk and identified acceptable risk
Internal ISMS audits / Management review
Update security plans
Record actions and events
Slide 26
Implementation of an ISMS - Act
►Maintain and improve the ISMS
Implement identified improvements
Take appropriate corrective and preventive actions
Communicate the actions and improvements
Ensure improvements achieve intended objectives
Slide 27
Section 3Control objectives and Controls
Slide 28
“The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn’t stake my life on it.”
Gene SpaffordDirector, Computer Operations, audit, and Security Technology (COAST - Computer Operations, Audit and Security Technology)Purdue University
Slide 29
Purpose of controls in ISO/IEC 27002/27001
►27002 specifies aspects of an effective information protection program suitable to the needs of business and industry
►Protection in 27002 is based on assuring integrity, availability, and confidentiality of corporate information assets
►Assurance is attained through controls that management creates and maintains within the organization.
►Ten of the controls are considered "Key Controls" because they are either legislatively required or considered fundamental building blocks
Slide 30
ISO 27002 domains
►Security Policy
►Organization of Information Security
►Asset management
►Human resources security
►Physical and environmental security
►Communications and Operations Management
►Access Control
►Information Systems Acquisition, Development and Maintenance
►Information Security Incident Management
►Business Continuity Management
►Compliance
Slide 31
Selection of Controls
► Additional control objectives and controls:
Organization might consider that additional control objectives and controls are necessary
► Not all the controls will be relevant to every situation:
Consider local environmental or technological constraints
In a form that suits every potential user in an organization
Slide 32
Choice of controls►Controls considered to be essential to an organization from a
legislative point of view include:
• intellectual property rights (see 15.1.2)
• safeguarding of organizational records (see 15.1.3)
• data protection and privacy of personal information (see 15.1.4).
►Controls considered to be common best practice for information security include:
• information security policy document (see 5.1.1)
• allocation of information security responsibilities (see 6.1.3)
• information security education and training (see 8.2.2)
• reporting information security events (see 13.1.1)
• Information security aspects of business continuity management (see 14.1)
Slide 33
Section 4Differences with Other Standards
ITIL, ISO 20000, Cobit
Slide 34
Definitions
COBIT
Cobit stands for Control Objective over Information and Related Technology. Cobit issued by ISACA (Information System Control Standard) a non profit organization for IT Governance. The Cobit main function is to help the company, mapping their IT process to ISACA best practices standard. Cobitusually choosen by the company who performing information system audit, whether related to financial audit or general IT audit.
ITIL
ITIL stands for Information Technology Library. ITIL issued by OGC, is a set of framework for managing IT Service Level. Although ITIL is quite similar with COBIT in many ways, but the basic difference is Cobit set the standard by seeing the process based and risk, and in the other hand ITIL set the standard from basic IT service.
Slide 35
ISO27001
ISO27001 is much more different between COBIT and ITIL, because ISO27001 is a security standard, so it has smaller but deeper domain compare to COBIT and ITIL. Here is the detail table of comparison between this three standard
Comparison
AREA COBIT ITIL ISO27001
Function Mapping IT Process
Mapping IT Service Level Management
Information Security Framework
Area4 Process and 34 Domain
9 Process 10 Domain
Issuer ISACA OGC ISO Board
Implementation
Information System Audit
Manage Service Level
Compliance to security standard
Consultant
Accounting Firm, IT Consulting Firm
IT Consulting firm
IT Consulting firm, Security Firm, Network Consultant
Slide 36
Slide 37
Q&A
Slide 38