*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS *** Compiled by: Mark E.S. Bernard, ISO 27001 Lead Auditor, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT
May 12, 2015
• Introduction
• Threats
• Potential Impacts
• Identifying Threats
• Risk Management
• Identifying Legal Threats
• Compliance Management
• Policy, Procedure, Standards
• Contact Information
Mark E.S. Bernard,
CRISC, CGEIT, CISA, CISM, CISSP, PM, ISO 27001, SABSA-F2
Information Security, Privacy, Governance, Risk Management Consultant
Mark has 22 years of proven experience within the domain of Information Security, Privacy & Governance. Mark has led teams of 30 or more as a Director and Project Manager and managed budgets of $5 million or more. Mark has also provided oversight as a senior manager during a government outsourcing contract valued at $300 million, and on smaller contracts for specialized ERP systems and security testing services. Mark has led his work-stream through the RFP process, negotiations, on-boarding and contract renegotiation, and has acted as Service Manager. Mark has architected information security and privacy programs based on ISO 27001 and re-engineered IT processes based on ITIL/ISO 20000 Service Management, building in ISO 9001 Quality Management. Mark is a volunteer with the local professional associations for HTCIA, ISACA, ISSA and IIA. Mark has also been published in trade magazines and on the Internet, in addition to being sought after as an expert by local radio, newspapers and television. Mark has taught a third-year iSeries systems engineering course as a Professor, led many workshops and delivered keynote speeches. Mark's expertise has been applied in a number of verticals including Financial Services, Banking, Insurance, Pharmaceutical, Telecommunications, Technology, Manufacturing and Academia. Some of Mark's recent project highlights are as follows:
Accomplishments:
• In 2012 assisted an Executive Relocation Organization to ISO/IEC 27001 Registration/Certification
• In 2012 assisted a Nanotechnology Fabrication Facility to ISO/IEC 27001 Registration/Certification
• In 2012 assisted a Cloud Software as a Service Provider to ISO/IEC 27001 Registration/Certification
• In 2010/11 co-led a US-based Cloud Service Provider's ISO/IEC 27001 Registration/Certification
• In 2009 led the 1st Canadian Public Sector ISO/IEC 27001 Registration/Certification
• In 2009 led the On-boarding Project for an ERP Service Provider
• In 2009 led the Technology and Operations work-stream during a Negotiated Request for Proposal
• In 2007 led the 1st Canadian Online Banking, Trade & Wholesale Service to ISO/IEC 27001 Registration/Certification
• In 2005 led the Privacy, Security and Privacy Compliance work-stream during outsourcing to an alternate service delivery organization
• In 2002 led Information Security Program development for an International Food Manufacturer
• In 1999 led an Independent Security Assurance Review of financial systems located offshore
Registration need not be the final goal; however, every business can benefit from adopting a management system that provides assurance over information assets in alignment with strategic and tactical business goals while addressing Governance, Risk Management and Compliance Management requirements.

Demand for ISO/IEC 27001:2005 has nearly tripled in six years, and the number of countries adopting the Information Security Management System has doubled. ISO/IEC 27001:2005 will soon see its first major revision since its 2005 adoption, and if it turns out to be anything like the changes we have seen in ICFR/ICIF, ISAE 3402 or NIST SP 800-53, there will be significant improvements to be leveraged. In 2006, the first year of the annual survey, ISO/IEC 27001:2005 certificates at the end of December totaled 5,797, issued across 64 countries. At the end of 2010, at least 15,625 certificates had been issued in 117 countries. The 2010 total represents an increase of 2,691 (+21%) since December 2009. In 2006 the top three countries adopting ISO/IEC 27001 were Japan, the United Kingdom and India, and that ranking held in 2010. However, the top three countries by growth from December 2009 to December 2010 were Japan, China and the Czech Republic.
Source: Computer Security Institute 2010/11 Survey
Source: Verizon business 2011 Data Breach Investigations Report
• Large-scale breaches dropped dramatically while small attacks increased. The report notes several possible reasons for this trend, including the fact that small to medium-sized businesses represent prime targets for many attackers, who favour highly automated, repeatable attacks against these more vulnerable targets, and possibly that criminals are opting to play it safe in light of recent arrests and prosecutions of high-profile hackers.
• Outsiders are responsible for most data breaches. Ninety-two percent of data breaches were caused by external sources. Contrary to the malicious-employee stereotype, insiders were responsible for only 16 percent of attacks. Partner-related attacks continued to decline, and business partners accounted for less than 1 percent of breaches.
• Physical attacks are on the rise. After doubling as a percentage of all breaches in 2009, attacks involving physical actions doubled again in 2010, and included manipulating common payment-card devices such as ATMs, gas pumps and point-of-sale terminals. The data indicates that organized crime groups are responsible for most of these card-skimming schemes.
• Hacking and malware are the most popular attack methods. Malware was a factor in about half of the 2010 caseload and was responsible for almost 80 percent of lost data. The most common kinds of malware found in the caseload were those that send data to an external entity, open backdoors, or log keystrokes.
• Stolen passwords and credentials are out of control. Ineffective, weak or stolen credentials continue to wreak havoc on enterprise security. Failure to change default credentials remains an issue, particularly in the financial services, retail and hospitality industries.
Source: 2010 Cloud Security Alliance Threats
#1: Abuse and Nefarious Use of Cloud Computing
#2: Insecure Interfaces and APIs
#3: Malicious Insiders
#4: Shared Technology Issues
#5: Data Loss or Leakage
#6: Account or Service Hijacking
#7: Unknown Risk Profile
Source: 2010 OWASP Top 10 Web Application Security Risks
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
Source: ‘The Risk of Insider Fraud’ Ponemon Institute 2011
• Employee-related incidents of fraud, on average, occur weekly in participating organizations.
• Sixty-four percent of the respondents in this study say the risk of insider fraud is very high or high within their organizations.
• CEOs and other C-level executives may be ignoring the threat, according to respondents.
• The majority of insider fraud incidents go unpunished, leaving organizations vulnerable to future such incidents.
• The threat vectors most difficult to secure and safeguard from insider fraud are mobile devices, outsourced relationships (including cloud providers) and applications.
• The majority of respondents do not believe their organization has the appropriate technologies to prevent or quickly detect insider fraud, including employees' misuse of IT resources.
Source: Computer Security Institute 2010/11 Survey
The following example is a subset demonstrating the potential results of an exploited vulnerability within 'People Assets' in most common Enterprises. The impacts are measured against the principles of information security: confidentiality, integrity and availability. The severity in this example is rated high, medium or low to simplify the message to a broad audience.
The following example is a subset demonstrating the potential results of an exploited vulnerability within 'Information Assets' in most common Enterprises. The impacts are measured against the principles of information security: confidentiality, integrity and availability. The severity in this example is rated high, medium or low to simplify the message to a broad audience.
The following example is a subset demonstrating the potential results of an exploited vulnerability within 'Software Assets' in most common Enterprises. The impacts are measured against the principles of information security: confidentiality, integrity and availability. The severity in this example is rated high, medium or low to simplify the message to a broad audience.
The following example is a subset demonstrating the potential results of an exploited vulnerability within 'Hardware Assets' in most common Enterprises. The impacts are measured against the principles of information security: confidentiality, integrity and availability. The severity in this example is rated high, medium or low to simplify the message to a broad audience.
The following example is a subset demonstrating the potential results of an exploited vulnerability within 'Telecommunication Assets' in most common Enterprises. The impacts are measured against the principles of information security: confidentiality, integrity and availability. The severity in this example is rated high, medium or low to simplify the message to a broad audience.
The following example is a subset demonstrating the potential results of an exploited vulnerability within 'Facility Assets' in most common Enterprises. The impacts are measured against the principles of information security: confidentiality, integrity and availability. The severity in this example is rated high, medium or low to simplify the message to a broad audience.
We can choose to respond to the security incident after the fact, or before a threat exploits a known vulnerability. We can choose to identify the threats and their matching vulnerabilities and remediate them to acceptable levels.
ISO 27001 has already developed controls that are designed to remediate common or known threats, vulnerabilities and risks.
A close assessment of the technology stack can readily identify vulnerabilities that might be exposed to threats, leading to risks.
There are thousands of threats to the Enterprise, but only a small subset have the potential to negatively impact the Enterprise, so a 9-point evaluation of threats is essential to help establish a common threat index for the risk assessment process.
There are hundreds of vulnerabilities within any Enterprise; however, only a subset will be identified with a matching threat, so it is very likely that some vulnerabilities will not be remediated, as the overall risk rating will rank them below the risk appetite.
ISO 27001 has identified the most common controls used to remediate the most common threats, vulnerabilities and risks to most Enterprises. The emphasis of Total Quality Management is the remediation of those risks based on a standard series of controls listed within the Statement of Applicability.
Within the Risk Management Process we systematically identify and address threats and vulnerabilities to Enterprise Assets, and take action to mitigate those risks to acceptable levels.
The Risk Rating helps match actual risks to the risk appetite.
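The process described above (pair each vulnerability with the threats that can exploit it, rate the impact on confidentiality, integrity and availability as high/medium/low, rank the resulting risks, and accept anything that falls at or below the risk appetite) can be written down as a small risk register. The script below is an added example and is not part of the original presentation or of ISO 27001 itself. It assumes a 3-level threat likelihood multiplied by a 3-level impact, which gives a 9-point rating scale; that reading of the "9 point evaluation" is an assumption, as are the asset records, threats and appetite threshold, which are constructed for illustration.

```python
"""Minimal ISMS risk register: threats x vulnerabilities -> ranked risks.

Added example; the scoring scheme (likelihood 1-3 * impact 1-3 = 1-9) and
all sample data are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Severity scale used in the slides: High / Medium / Low
SEVERITY = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Vulnerability:
    vid: str
    asset_class: str          # People, Information, Software, Hardware, Telecommunication, Facility
    description: str
    impact: Dict[str, str]    # impact on each CIA principle if exploited, e.g. {"C": "High", ...}


@dataclass
class Threat:
    tid: str
    description: str
    likelihood: str           # Low / Medium / High (assumed 3-level threat index)
    exploits: List[str]       # vulnerability ids this threat can exploit


@dataclass
class Risk:
    vuln: Vulnerability
    threat: Threat
    rating: int               # 1..9 under the assumed scheme
    control: Optional[str] = None   # Statement of Applicability control chosen for treatment


def impact_score(v: Vulnerability) -> int:
    """Worst-case impact across C, I and A drives the rating."""
    return max(SEVERITY[level] for level in v.impact.values())


def risk_rating(t: Threat, v: Vulnerability) -> int:
    return SEVERITY[t.likelihood] * impact_score(v)


def assess(threats: List[Threat], vulns: List[Vulnerability]) -> List[Risk]:
    """A risk exists only where a threat matches a vulnerability; rank highest first."""
    by_id = {v.vid: v for v in vulns}
    risks = []
    for t in threats:
        for vid in t.exploits:
            v = by_id.get(vid)
            if v is None:
                continue      # threat names a vulnerability not in this register
            risks.append(Risk(v, t, risk_rating(t, v)))
    return sorted(risks, key=lambda r: r.rating, reverse=True)


def treatment_plan(risks: List[Risk], appetite: int) -> Tuple[List[Risk], List[Risk]]:
    """Risks above the appetite need treatment; the rest are accepted and only monitored."""
    treat = [r for r in risks if r.rating > appetite]
    accept = [r for r in risks if r.rating <= appetite]
    return treat, accept


def unmatched(vulns: List[Vulnerability], risks: List[Risk]) -> List[Vulnerability]:
    """Vulnerabilities with no matching threat never become a risk entry."""
    matched = {r.vuln.vid for r in risks}
    return [v for v in vulns if v.vid not in matched]


# Constructed sample register (not real findings), one vulnerability per asset class.
VULNERABILITIES = [
    Vulnerability("V1", "People", "staff not trained to recognise phishing", {"C": "High", "I": "Medium", "A": "Low"}),
    Vulnerability("V2", "Software", "default credentials on admin console", {"C": "High", "I": "High", "A": "Medium"}),
    Vulnerability("V3", "Hardware", "POS terminals not tamper-sealed", {"C": "High", "I": "Medium", "A": "Low"}),
    Vulnerability("V4", "Facility", "server room door propped open", {"C": "Medium", "I": "Low", "A": "Medium"}),
    Vulnerability("V5", "Telecommunication", "unencrypted WAN link to DR site", {"C": "Medium", "I": "Medium", "A": "Low"}),
]
THREATS = [
    Threat("T1", "phishing e-mail campaign", "High", ["V1"]),
    Threat("T2", "external scanning for default credentials", "High", ["V2"]),
    Threat("T3", "organised-crime card skimming", "Medium", ["V3"]),
    Threat("T4", "tailgating into secure area", "Low", ["V4"]),
]
RISK_APPETITE = 4   # assumed: ratings of 4 or below are accepted


if __name__ == "__main__":
    ranked = assess(THREATS, VULNERABILITIES)
    treat, accept = treatment_plan(ranked, RISK_APPETITE)
    for r in treat:
        print(f"TREAT  {r.rating}  {r.vuln.vid} {r.vuln.asset_class}: {r.vuln.description} <- {r.threat.description}")
    for r in accept:
        print(f"ACCEPT {r.rating}  {r.vuln.vid} {r.vuln.asset_class}: {r.vuln.description}")
    for v in unmatched(VULNERABILITIES, ranked):
        print(f"NO THREAT MATCHED  {v.vid} {v.vuln_class if hasattr(v, 'vuln_class') else v.asset_class}: {v.description}")
```

In the sample data, V5 has no matching threat, so it never enters the ranked list, and V4 rates 2 (low likelihood against a medium impact), which sits below the appetite and is accepted rather than remediated; this is exactly the "some vulnerabilities will not be remediated" outcome the slide describes. The `control` field is where the Statement of Applicability reference would be recorded once management decides how each treated risk is handled.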
Following the assessment of threats and vulnerabilities and the identification of risks, management makes a decision and we begin monitoring and tracking risks.
In more advanced ISMS Risk Management programs we monitor and track risks in connection with the Enterprise Risk Management program.
We should not only track risks internally, as many risks are shared with external vendors and service providers through Service Management processes and the Service Desk.
• Health Insurance Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health Act (HITECH Act)
• Federal Information Security Management Act (FISMA)
• Gramm-Leach-Bliley Act (GLBA)
• Payment Card Industry Data Security Standard (PCI-DSS)
• Payment Card Industry Payment Application Data Security Standard (PA-DSS)
• Sarbanes-Oxley Act (SOX)
• U.S. state data breach notification laws
• International privacy or security laws
Before we can treat compliance concerns we need to identify, record and map the ISO 27001 controls listed in the Statement of Applicability to specific legal obligations defined by provisions and clauses within statutes, regulations and internal/external facing contracts.
Here is an example of how an ISO 27001 ISMS can readily and seamlessly address all HIPAA legal requirements.
When all the mapping has been completed, approximately 70 of the 133 existing ISO 27001 Annex A controls will be leveraged to address HIPAA compliance.
Within procedures we can identify and integrate control points designed to remediate risks. In the example I have identified threats, risks and controls to demonstrate how the controls designed to treat those risks function.
Within the following example I list out the specific threat, potential impact and mitigating control.
Within this example I take the process one step further and identify the test scenario designed to verify and validate the control design. This is a requirement for SOX.
For more information contact: Skype: Mark_E_S_Bernard
Twitter: @MESB_TechSecure LinkedIn: http://ca.linkedin.com/in/markesbernard