*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS *** Compiled by; Mark E.S. Bernard, ISO 27001 Lead Auditor, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT

ISO 27001 ISMS With Mark E.S. Bernard. Title: Threats, Vulnerabilities, Risks to Enterprise Assets and Legal Obligations.

May 12, 2015


ISO 27001 ISMS With Mark E.S. Bernard. Title: Threats, Vulnerabilities, Risks to enterprise assets and legal obligations. How will the ISO 27001 ISMS address these potential issues? Enhancing corporate sustainability, resilience and trust.
Transcript
Page 1: ISO 27001 ISMS With Mark E.S. Bernard. Title: Threats, Vulnerabilities, Risks to Enterprise Assets and Legal Obligations.


Page 2

• Introduction
• Threats
• Potential Impacts
• Identifying Threats
• Risk Management
• Identifying Legal Threats
• Compliance Management
• Contact Information
• Policy, Procedure, Standards


Page 4

Mark E.S. Bernard, CRISC, CGEIT, CISA, CISM, CISSP, PM, ISO 27001, SABSA-F2

Information Security, Privacy, Governance, Risk Management Consultant

Mark has 22 years of proven experience within the domain of Information Security, Privacy & Governance. Mark has led teams of 30 or more as a Director and Project Manager and managed budgets of $5 Million+. Mark has also provided oversight as a senior manager during a government outsourcing contract valued at $300 million and smaller contracts for specialized services for ERP systems and security testing. Mark has led his work-stream during the RFP process, negotiations, on-boarding, contract renegotiation and as Service Manager. Mark has architected information security and privacy programs based on ISO 27001 and reengineered IT processes based on ITIL/ISO 20000 Service Management, building in ISO 9001 Quality Management.

Mark is a volunteer with the local professional associations for HTCIA, ISACA, ISSA and IIA. Mark has also been published in trade magazines and on the Internet, in addition to being sought after as an expert by local radio, newspapers and television. Mark has taught as a Professor of a third-year iSeries systems engineering course and has led many workshops and keynote speeches. Mark's expertise has been applied in a number of verticals including Financial Services, Banking, Insurance, Pharmaceutical, Telecommunications, Technology, Manufacturing and Academia. Some of Mark's recent project highlights are as follows:

Accomplishments:

• In 2012 assisted an Executive Relocation Organization to ISO/IEC 27001 Registration/Certification
• In 2012 assisted a Nanotechnology Fabrication Facility to ISO/IEC 27001 Registration/Certification
• In 2012 assisted a Cloud Software as a Service Provider to ISO/IEC 27001 Registration/Certification
• In 2010/11 co-led a US-based Cloud Service Provider to ISO/IEC 27001 Registration/Certification
• In 2009 led the 1st Canadian Public Sector ISO/IEC 27001 Registration/Certification
• In 2009 led an On-boarding Project for an ERP Service Provider
• In 2009 led the Technology and Operations work-stream during a Negotiated Request for Proposal
• In 2007 led the 1st Canadian Online Banking, Trade & Wholesale Service to ISO/IEC 27001 Registration/Certification
• In 2005 led the Privacy, Security and Privacy Compliance work-stream during outsourcing to an alternate service delivery organization
• In 2002 led Information Security Program development for an International Food Manufacturer
• In 1999 led an Independent Security Assurance Review of financial systems located offshore

Page 5

Registration need not be the final goal; however, every business can benefit from adopting a management system that provides assurance of information assets in alignment with strategic and tactical business goals while addressing Governance, Risk Management and Compliance Management requirements.

Page 6

The demand for ISO/IEC 27001:2005 has nearly tripled in six years and the number of countries adopting the Information Security Management System has doubled. ISO/IEC 27001:2005 will soon see its first major revision since its 2005 adoption, and if it turns out to be anything like the changes we've seen in ICFR/ICIF, ISAE 3402 or NIST SP 800-53 there will be significant improvements to be leveraged. In 2006, the first year of the annual survey, ISO/IEC 27001:2005 certificates at the end of December 2006 totaled 5,797, and the number of countries adopting ISO/IEC 27001 totaled 64. At the end of 2010, at least 15,625 certificates had been issued in 117 countries. The 2010 total represents an increase of 2,691 (+21%) since December 2009. In 2006 the top three countries adopting ISO/IEC 27001 were Japan, the United Kingdom and India, and in 2010 that trend continued. However, the top three countries by growth from December 2009 to 2010 were Japan, China and the Czech Republic.


Page 8

Source: Computer Security Institute 2010/11 Survey

Page 9

Source: Verizon Business 2011 Data Breach Investigations Report

• Large-scale breaches dropped dramatically while small attacks increased. The report notes several possible reasons for this trend: small to medium-sized businesses are prime targets for many hackers, who favour highly automated, repeatable attacks against these more vulnerable targets, and criminals may be opting to play it safe in light of recent arrests and prosecutions of high-profile hackers.

• Outsiders are responsible for most data breaches. Ninety-two percent of data breaches were caused by external sources. Contrary to the malicious-employee stereotype, insiders were responsible for only 16 percent of attacks. Partner-related attacks continued to decline, and business partners accounted for less than 1 percent of breaches.

• Physical attacks are on the rise. After doubling as a percentage of all breaches in 2009, attacks involving physical actions doubled again in 2010, and included tampering with common payment-card devices such as ATMs, gas pumps and point-of-sale terminals. The data indicates that organized crime groups are responsible for most of these card-skimming schemes.

• Hacking and malware are the most popular attack methods. Malware was a factor in about half of the 2010 caseload and was responsible for almost 80 percent of lost data. The most common kinds of malware found in the caseload sent data to an external entity, opened backdoors, or provided keylogger functionality.

• Stolen passwords and credentials are out of control. Ineffective, weak or stolen credentials continue to wreak havoc on enterprise security. Failure to change default credentials remains an issue, particularly in the financial services, retail and hospitality industries.

Page 10

Source: 2010 Cloud Security Alliance Threats

#1: Abuse and Nefarious Use of Cloud Computing
#2: Insecure Interfaces and APIs
#3: Malicious Insiders
#4: Shared Technology Issues
#5: Data Loss or Leakage
#6: Account or Service Hijacking
#7: Unknown Risk Profile

Page 11

Source: 2010 OWASP Top 10 Web Application Security Risks

A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards

Page 12

Source: 'The Risk of Insider Fraud', Ponemon Institute 2011

• Employee-related incidents of fraud, on average, occur weekly in participating organizations.

• Sixty-four percent of the respondents in this study say the risk of insider fraud is very high or high within their organizations.

• CEOs and other C-level executives may be ignoring the threat, according to respondents.

• The majority of insider fraud incidents go unpunished, leaving organizations vulnerable to future such incidents.

• The threat vectors most difficult to secure and safeguard from insider fraud are mobile devices, outsourced relationships (including cloud providers) and applications.

• The majority of respondents do not believe their organization has the appropriate technologies to prevent or quickly detect insider fraud, including employees' misuse of IT resources.

Page 13

Source: Computer Security Institute 2010/11 Survey


Page 15

The following example is a subset demonstrating the potential results of an exploited vulnerability within the 'People Assets' found in most Enterprises. The impacts are measured against the principles of information security: confidentiality, integrity and availability. The severity in this example is rated high, medium or low to simplify the message to a broad audience.

Page 16

The following example is a subset demonstrating the potential results of an exploited vulnerability within the 'Information Assets' found in most Enterprises. The impacts are measured against the principles of information security: confidentiality, integrity and availability. The severity in this example is rated high, medium or low to simplify the message to a broad audience.

Page 17

The following example is a subset demonstrating the potential results of an exploited vulnerability within the 'Software Assets' found in most Enterprises. The impacts are measured against the principles of information security: confidentiality, integrity and availability. The severity in this example is rated high, medium or low to simplify the message to a broad audience.

Page 18

The following example is a subset demonstrating the potential results of an exploited vulnerability within the 'Hardware Assets' found in most Enterprises. The impacts are measured against the principles of information security: confidentiality, integrity and availability. The severity in this example is rated high, medium or low to simplify the message to a broad audience.

Page 19

The following example is a subset demonstrating the potential results of an exploited vulnerability within the 'Telecommunication Assets' found in most Enterprises. The impacts are measured against the principles of information security: confidentiality, integrity and availability. The severity in this example is rated high, medium or low to simplify the message to a broad audience.

Page 20

The following example is a subset demonstrating the potential results of an exploited vulnerability within the 'Facility Assets' found in most Enterprises. The impacts are measured against the principles of information security: confidentiality, integrity and availability. The severity in this example is rated high, medium or low to simplify the message to a broad audience.


Page 22

We can choose to respond to the security incident after the fact, or before a threat exploits the known vulnerability. We can choose to identify the threats and matching vulnerabilities and remediate them to acceptable levels.

Page 23

ISO 27001 has already developed controls that are designed to remediate common or known threats, vulnerabilities and risks.

Page 24

A close assessment of the technology stack can easily identify vulnerabilities that might be exposed to threats, leading to risks.


Page 26

There are thousands of threats to the Enterprise, but only a small subset have the potential to negatively impact the Enterprise, so a 9-point evaluation of threats is essential to help establish a common threat index for the risk assessment process.

Page 27

There are hundreds of vulnerabilities within any Enterprise; however, only a subset will be identified with a matching threat, so it is very likely that some vulnerabilities will not be remediated, as the overall risk rating will rank them below the risk appetite.

Page 28

ISO 27001 has identified the most common controls utilized to remediate the most common threats, vulnerabilities and risks to most Enterprises. The emphasis of Total Quality Management is the remediation of those risks based on a standard series of controls listed within the Statement of Applicability.

Page 29

Within the Risk Management Process we systematically identify and address threats and vulnerabilities to Enterprise Assets, and take action to mitigate those risks to acceptable levels.

Page 30

The Risk Rating helps match actual risks to the risk appetite.

Page 31

Following the assessment of threats and vulnerabilities and the identification of risks, management makes a decision and we begin monitoring and tracking risks.
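The assessment-to-decision sequence on Pages 26 to 31, written out as an added example that is not part of the deck: a small risk register that matches each vulnerability to a threat, rates it, compares the rating to the risk appetite and then tracks the risks management decided to treat. The 1-to-9 threat index scale, the numeric weights for high/medium/low impact, the product formula, the appetite value and the sample entries are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed numeric weights for the deck's high/medium/low impact scale.
IMPACT = {"low": 1, "medium": 2, "high": 3}
# Assumed: management has set the risk appetite at 12 on this scale.
RISK_APPETITE = 12

@dataclass
class Vulnerability:
    vuln_id: str
    asset: str            # one of the deck's asset classes, e.g. "People Assets"
    weakness: str
    confidentiality: str  # impact on each principle, rated high / medium / low
    integrity: str
    availability: str

@dataclass
class Threat:
    threat_id: str
    description: str
    threat_index: int     # output of the 9-point evaluation; assumed scale 1..9
    exploits: frozenset   # vuln_ids this threat can exploit

@dataclass
class RiskEntry:
    vuln_id: str
    asset: str
    threat_id: Optional[str]
    rating: int
    decision: str         # "treat" or "accept"
    status: str = "open"  # tracking state after the management decision

def impact_score(v: Vulnerability) -> int:
    # The worst-affected principle drives the rating (assumed convention).
    return max(IMPACT[v.confidentiality], IMPACT[v.integrity], IMPACT[v.availability])

def build_register(vulns, threats, appetite=RISK_APPETITE) -> List[RiskEntry]:
    register = []
    for v in vulns:
        matching = [t for t in threats if v.vuln_id in t.exploits]
        if not matching:
            # No matching threat: the vulnerability ranks at zero and is accepted.
            register.append(RiskEntry(v.vuln_id, v.asset, None, 0, "accept"))
            continue
        t = max(matching, key=lambda t: t.threat_index)
        rating = t.threat_index * impact_score(v)
        decision = "treat" if rating > appetite else "accept"
        register.append(RiskEntry(v.vuln_id, v.asset, t.threat_id, rating, decision))
    # Highest-rated risks first, so treatment effort follows the ranking.
    return sorted(register, key=lambda e: e.rating, reverse=True)

def open_treatments(register) -> List[str]:
    # Risks management decided to treat that are still tracked as open.
    return [e.vuln_id for e in register if e.decision == "treat" and e.status == "open"]

# Constructed sample data (not from the deck).
SAMPLE_VULNS = [
    Vulnerability("V-01", "People Assets", "staff not trained to spot phishing", "high", "medium", "low"),
    Vulnerability("V-02", "Software Assets", "default credentials left on admin console", "high", "high", "medium"),
    Vulnerability("V-03", "Hardware Assets", "point-of-sale terminal left unattended", "medium", "medium", "low"),
    Vulnerability("V-04", "Facility Assets", "visitor log not kept at server room", "medium", "low", "low"),
]
SAMPLE_THREATS = [
    Threat("T-01", "phishing of employees", 7, frozenset({"V-01"})),
    Threat("T-02", "external attacker using stolen or default credentials", 8, frozenset({"V-02"})),
    Threat("T-03", "card skimming by organised crime", 5, frozenset({"V-03"})),
]
```

With the sample data, V-02 (rating 24) and V-01 (21) exceed the appetite and are treated, while V-03 (10) and V-04 (no matching threat, rating 0) are accepted, which is the outcome Page 27 describes.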

Page 32

In more advanced ISMS Risk Management programs we monitor and track risks in connection with the Enterprise Risk Management program.

Page 33

We should not only track risks internally, as many risks are shared with external vendors and service providers through Service Management processes and the Service Desk.


Page 38

• Health Insurance Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health Act (HITECH Act)
• Federal Information Security Management Act (FISMA)
• Gramm-Leach-Bliley Act (GLBA)
• Payment Card Industry Data Security Standard (PCI-DSS)
• Payment Card Industry Payment Application Standard
• Sarbanes-Oxley Act (SOX)
• U.S. state data breach notification laws
• International privacy or security laws

Page 39

Before we can treat compliance concerns we need to identify, record and map the ISO 27001 controls listed in the Statement of Applicability to specific legal obligations defined by provisions and clauses within statutes, regulations and internal/external facing contracts.

Page 40

Here is an example of how the ISO 27001 ISMS can easily and seamlessly address all HIPAA legal requirements.

Page 41

When all the mapping has been completed, approximately 70 of the already existing 133 ISO 27001 control objectives will be leveraged to address HIPAA compliance.

Page 42

Within procedures we can identify and integrate control points designed to remediate risks. In the example I've identified threats, risks and controls to demonstrate how the controls designed to address those risks function.

Page 43

Within the following example I list out the specific threat, potential impact and mitigating control.

Page 44

Within this example I take the process one step further and identify the test scenario designed to verify and validate the control design. This is a requirement for SOX.

Page 45

For more information contact: Skype: Mark_E_S_Bernard; Twitter: @MESB_TechSecure; LinkedIn: http://ca.linkedin.com/in/markesbernard