Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

May 12, 2015

Page 1: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Compiled by; Mark E.S. Bernard, ISO 27001 Lead Auditor, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT

*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

Page 2

• Introduction
• Layer 1 - ISMS clauses 4 – 8
• Layer 2 - Policy, Organizational Design, Legal Obligations, Asset Management
• Layer 3 - Human Resources
• Layer 4 - Incident Management
• Layer 5 - Access Control
• Layer 6 - Physical & Environmental
• Layer 7 - Information Systems Acquisition, Development & Maintenance
• Layer 8 - Communications and Operations Management
• Layer 9 - Business Continuity Management
• ITIL – ICT, ISMS, DiD – Operational Integration

Page 3


Mark is a volunteer and was recognized by the Premier of New Brunswick for his work in the Knowledge Industry establishing the Atlantic Chapter of the High Technology Crime Investigation Association. Mark has also volunteered with local professional associations: HTCIA, ISACA, ISSA, IIA and FMI. Mark has been published in trade magazines and on the Internet, in addition to being sought after as an expert by local radio, newspapers and television. In Toronto Mark volunteered on the annual Toronto Children’s Sick Kids Telethon and rode a stationary bike in a Juvenile Diabetes fundraising marathon. Mark has also volunteered with local Minor Hockey, Minor Fastball, Elementary School, Middle School and Boy Scouts, and assisted with raising money for the Food Bank in conjunction with the annual NHL Old-Timers Challenge. Mark continues to contribute his knowledge through ISACA with the development of a Cloud Computing whitepaper and through the Canadian Standards Institute’s workgroup updating ISO/IEC 27001:2012 – Information Security Management Systems framework.

Mark is an independent contractor who formerly worked in the BC Government as a Director overseeing the Government’s payment systems and public accounts processing, in excess of $42 billion annually in payments to firemen, judges, social service clients, etc. Mark also spent time overseeing the privacy and security programs for BC Government Revenue Services & Small Business and Central 1 Credit Union.

Page 4

Page 5

Probably the most famous German castle, Neuschwanstein Castle is a 19th-century Gothic Revival palace on a rugged hill above the village of Hohenschwangau near Füssen in southwest Bavaria, Germany.

Page 6

Fort Bourtange dates from the Eighty Years' War (c. 1568–1648), when William I of Orange wanted to control the only road between Germany and the city of Groningen, which was controlled by the Spaniards.

Page 7

Weapons training: recruits primarily used wickerwork shields and wooden swords made to standard dimensions but twice as heavy. If a soldier could fight with these heavy dummy weapons, he would be twice as effective with the standard weaponry.

Marching and physical training: soldiers were taught to march, and they could march at a rapid pace for long intervals. Any army that could be split up by stragglers at the back, or by soldiers trundling along at differing speeds, would be vulnerable to attack.

Page 8

The Roman heavy infantry was typically deployed as the main body, facing the enemy, in three approximately equal lines, with the cavalry on the wings to prevent them being flanked and light infantry in a screen in front of them to hide changes in deployment. The light infantry would harass the enemy forces and, in some cases, drive off units such as elephants that would be a great threat to close-order heavy infantry.

Page 9

Page 10

• Compliance Management

• Risk Management

• Identity Management

• Authorization Management

• Accountability Management

• Availability Management

• Configuration Management

• Incident Management

Page 11

• Security Policy

• Information Security Org

• Asset Management

• Human Resources

• Physical & Environmental Security

• Communications & Operations Management

• Access Control

• Information System Acquisition, Development & Maintenance

• Information Security Incident Management

• Business Continuity Management

• Compliance

Page 12

Page 13

Source: Computer Security Institute 2010/11 Survey

Page 14


Source: Computer Security Institute 2010/11 Survey

Page 15

Source: Computer Security Institute 2010/11 Survey

Page 16

Source: Verizon business 2011 Data Breach Investigations Report


• Large-scale breaches dropped dramatically while small attacks increased. The report notes there are several possible reasons for this trend, including the fact that small to medium-sized businesses represent prime attack targets for many hackers, who favor highly automated, repeatable attacks against these more vulnerable targets, possibly because criminals are opting to play it safe in light of recent arrests and prosecutions of high-profile hackers.
• Outsiders are responsible for most data breaches. Ninety-two percent of data breaches were caused by external sources. Contrary to the malicious-employee stereotype, insiders were responsible for only 16 percent of attacks. Partner-related attacks continued to decline, and business partners accounted for less than 1 percent of breaches.
• Physical attacks are on the rise. After doubling as a percentage of all breaches in 2009, attacks involving physical actions doubled again in 2010, and included manipulating common credit-card devices such as ATMs, gas pumps and point-of-sale terminals. The data indicates that organized crime groups are responsible for most of these card-skimming schemes.
• Hacking and malware are the most popular attack methods. Malware was a factor in about half of the 2010 caseload and was responsible for almost 80 percent of lost data. The most common kinds of malware found in the caseload were those involving sending data to an external entity, opening backdoors, and key logger functionalities.
• Stolen passwords and credentials are out of control. Ineffective, weak or stolen credentials continue to wreak havoc on enterprise security. Failure to change default credentials remains an issue, particularly in the financial services, retail and hospitality industries.

Page 17

Threat statistics. Source: 2010 Cloud Security Alliance Top Threats to Cloud Computing


#1: Abuse and Nefarious Use of Cloud Computing
#2: Insecure Interfaces and APIs
#3: Malicious Insiders
#4: Shared Technology Issues
#5: Data Loss or Leakage
#6: Account or Service Hijacking
#7: Unknown Risk Profile

Page 18

Threat statistics. Source: 2010 OWASP Top 10 Web Application Security Risks


A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards

Page 19

Source: Computer Security Institute 2010/11 Survey

Page 20

Page 21

Page 22

Page 23

Page 24

Page 25

Page 26

Page 27

Risk Assessment – Threats:
• Malware 67%
• Fraudulent phishing 39%
• Laptop or mobile computer theft or loss 34%
• Bots/zombies within the infrastructure 29%
• Insider abuse of email and Internet 25%

Risk Assessment – Vulnerabilities:
• Inadequate governance
• Inadequate security policy
• Inadequate risk management methodology
• Inadequate security training/awareness
• Inadequate security architecture
• Inadequate monitoring or surveillance capabilities
• Inadequate incident response procedures
• Inadequate vulnerability assessment methodologies

Page 28

Clause 4 Information security management system

The organization shall establish, implement, operate, monitor, review, maintain and improve a documented ISMS within the context of the organization’s overall business activities and the risks it faces.

Page 29

4.2.1 Establish the ISMS

a) Define the scope and boundaries

b) Define an ISMS policy

c) Define the risk assessment approach

d) Identify the risks

e) Analyse and evaluate the risks.

f) Identify and evaluate options for the treatment of risks.

g) Select control objectives and controls for the treatment of risks.

h) Obtain management approval of the proposed residual risks.

i) Obtain management authorization to implement /operate ISMS.

j) Prepare a Statement of Applicability.

Page 30

4.2.2 Implement and operate the ISMS

a) Formulate a risk treatment plan

b) Implement the risk treatment plan

c) Implement controls

d) Define how to measure the effectiveness

e) Implement training and awareness

f) Manage operation of the ISMS

g) Manage resources for the ISMS

h) Implement procedures and controls

(produce comparable and reproducible results)

Page 31

4.2.3 Monitor and review the ISMS

a) Execute monitoring and reviewing procedures to:

1) promptly detect errors

2) promptly identify security breaches and incidents

3) determine if the ISMS is performing as expected

4) help detect security events

5) determine if breach resolution actions were effective

b) Undertake regular reviews of the ISMS

c) Measure the effectiveness of controls

d) Review risk assessments at planned intervals

e) Conduct internal ISMS audits

f) Undertake a management review of the ISMS

g) Update security plans

h) Record actions and events

Page 32

4.2.4 Maintain and improve the ISMS

a) Implement the identified improvements
b) Take appropriate corrective and preventive actions
c) Communicate the actions and improvements
d) Ensure that the improvements achieve their intended objectives

Page 33

4.3 Documentation requirements

a) documented ISMS policy
b) the scope
c) procedures and controls
d) the risk assessment methodology
e) the risk assessment report
f) the risk treatment plan
g) documented procedures needed for planning, operation and control
h) records required by this International Standard
i) the Statement of Applicability

Page 34

4.3.2 Control of documents

a) approve documents
b) review and update documents as necessary
c) ensure that the current revision status is verified
d) ensure that relevant documents are available
e) ensure that documents remain legible
f) ensure that documents are available to those who need them, and are transferred, stored and ultimately disposed of in accordance with the procedures applicable to their classification
g) ensure that documents of external origin are identified
h) ensure that the distribution of documentation is controlled
i) prevent the unintended use of obsolete documents

Page 35

4.3.3 Control of records

• Records shall be maintained in accordance with legal obligations defined by statutes, regulations and contracts
• Records shall be maintained to provide evidence of conformity
• Records shall be protected and controlled in accordance with legal obligations
• Records shall remain legible, readily identifiable and retrievable
• Records shall be retained and processed in accordance with legal obligations
• Records shall be archived in accordance with legal obligations
• Records shall be destroyed in accordance with legal obligations

Page 36

5 Management responsibility

5.1 Management commitment

a) establishing the policy

b) ensuring that objectives and plans are established

c) establishing roles and responsibilities

d) communicating to the organization

e) providing sufficient resources

f) deciding the criteria for accepting risks & acceptable levels of risk

g) ensuring that internal audits are conducted

h) conducting management reviews

Page 37

Roles and Responsibilities:

• ISMS Consultant

• ISMS Manager

• ISMS Analyst

• ISMS Auditor

• Executives

• Managers

• Subject Matter Experts

• External Parties

• Customers

Page 38

5.2 Resource management

5.2.1 Provision of resources

a) establishing the policy

b) ensuring that objectives and plans are established

c) establishing roles and responsibilities

d) communicating to the organization

e) providing sufficient resources

f) deciding the criteria for accepting risks & acceptable levels of risk

g) ensuring that internal audits are conducted

h) conducting management reviews

Page 39

5.2.2 Training, awareness and competence

a) determining the necessary competencies for personnel

b) providing training or taking other actions

c) evaluating the effectiveness of the actions taken

d) maintaining records of education, training, skills, experience and qualifications

Page 40

6 Internal ISMS audits

Internal ISMS audits are conducted at planned intervals to determine whether the control objectives, controls, processes and procedures of the ISMS:

a) conform to the requirements of this International Standard and relevant legislation or regulations;
b) conform to the identified information security requirements;
c) are effectively implemented and maintained; and
d) perform as expected.

Page 41

7 Management review of the ISMS (input)

a) results of ISMS audits

b) feedback from interested parties

c) techniques, products or procedures used to improve the ISMS

d) status of preventive and corrective actions

e) vulnerabilities or threats not adequately addressed

f) results from effectiveness measurements

g) follow-up actions from previous management reviews

h) any changes that could affect the ISMS

i) recommendations for improvement

Page 42

7 Management review of the ISMS (output)

a) Improvement of the ISMS

b) Update of the risk assessment and risk treatment plan

c) Modification of procedures and controls due to internal or external events such as:

1) business requirements
2) security requirements
3) business processes affecting the existing business requirements
4) regulatory or legal requirements
5) contractual obligations
6) levels of risk and/or criteria for accepting risks

d) Resource needs

e) Improvement to how the effectiveness of controls is being measured

Page 43

8 ISMS improvement

8.1 Continual improvement

The organization shall continually improve the effectiveness of the ISMS through the use of the information security policy, information security objectives, audit results, analysis of monitored events, corrective and preventive actions and management review.

Page 44

8 ISMS improvement

8.2 Corrective action

a) identifying nonconformities

b) determining the causes of nonconformities

c) evaluating the need for actions to ensure that nonconformities do not recur

d) determining and implementing the corrective action needed

e) recording results of action taken

f) reviewing of corrective action taken

Page 45

8 ISMS improvement

8.3 Preventive action

a) identifying potential nonconformities and their causes

b) evaluating the need for action to prevent occurrence of nonconformities

c) determining and implementing preventive action needed

d) recording results of action taken

e) reviewing of preventive action taken

Page 46

Page 47

Exclusions

Please note clause 1.2: Any exclusion of controls found to be necessary to satisfy the risk acceptance criteria needs to be justified, and evidence needs to be provided that the associated risks have been accepted by accountable persons. Where any controls are excluded, claims of conformity to this International Standard are not acceptable unless such exclusions do not affect the organization’s ability, and/or responsibility, to provide information security that meets the security requirements determined by risk assessment and applicable legal or regulatory requirements.

Page 48

Page 49

Risk Assessment – Threats and Vulnerabilities (recap of the lists on Page 27)

Page 50

A.5 Security policy

A.5.1 Information security policy
A.5.1.1 Information security policy document
A.5.1.2 Review of the information security policy

Page 51

A.6 Organization of information security

A.6.1 Internal organization
A.6.1.1 Management commitment to information security
A.6.1.2 Information security coordination
A.6.1.3 Allocation of information security responsibilities
A.6.1.4 Authorization process for information processing facilities
A.6.1.5 Confidentiality agreements
A.6.1.6 Contact with authorities
A.6.1.7 Contact with special interest groups
A.6.1.8 Independent review of information security

Page 52

A.6 Organization of information security

A.6.2 External parties
A.6.2.1 Identification of risks related to external parties
A.6.2.2 Addressing security when dealing with customers
A.6.2.3 Addressing security in third party agreements

Page 53

A.7 Asset management

A.7.1 Responsibility for assets
A.7.1.1 Inventory of assets
A.7.1.2 Ownership of assets
A.7.1.3 Acceptable use of assets

A.7.2 Information classification
A.7.2.1 Classification guidelines
A.7.2.2 Information labeling and handling

Page 54

A.15 Compliance

A.15.1 Compliance with legal requirements
A.15.1.1 Identification of applicable legislation
A.15.1.2 Intellectual property rights (IPR)
A.15.1.3 Protection of organizational records
A.15.1.4 Data protection and privacy of personal information
A.15.1.5 Prevention of misuse of information processing facilities
A.15.1.6 Regulation of cryptographic controls

A.15.2 Compliance with security policies and standards, and technical compliance
A.15.2.1 Compliance with security policies and standards
A.15.2.2 Technical compliance checking

Page 55

A.15.3 Information systems audit considerations
A.15.3.1 Information systems audit controls
A.15.3.2 Protection of information systems audit tools

Page 56

Page 57

Page 58

Risk Assessment – Threats and Vulnerabilities (recap of the lists on Page 27)

Page 59

A.8 Human resources security

A.8.1 Prior to employment
A.8.1.1 Roles and responsibilities
A.8.1.2 Screening
A.8.1.3 Terms and conditions of employment

A.8.2 During employment
A.8.2.1 Management responsibilities
A.8.2.2 Information security awareness, education and training
A.8.2.3 Disciplinary process

Page 60

A.8.3 Termination or change of employment
A.8.3.1 Termination responsibilities
A.8.3.2 Return of assets
A.8.3.3 Removal of access rights

Page 61

Page 62

Page 63

Risk Assessment – Threats and Vulnerabilities (recap of the lists on Page 27)

Page 64

A.13.1 Reporting information security events and weaknesses
A.13.1.1 Reporting information security events
A.13.1.2 Reporting security weaknesses

A.13.2 Management of information security incidents and improvements
A.13.2.1 Responsibilities and procedures
A.13.2.2 Learning from information security incidents
A.13.2.3 Collection of evidence

Page 65

Page 66

Page 67

Risk Assessment – Threats and Vulnerabilities (recap of the lists on Page 27)

Page 68

A.11 Access control

A.11.1 Business requirement for access control
A.11.1.1 Access control policy

A.11.2 User access management
A.11.2.1 User registration
A.11.2.2 Privilege management
A.11.2.3 User password management
A.11.2.4 Review of user access rights

Page 69

A.11.3 User responsibilities
A.11.3.1 Password use
A.11.3.2 Unattended user equipment
A.11.3.3 Clear desk and clear screen policy

A.11.4 Network access control
A.11.4.1 Policy on use of network services
A.11.4.2 User authentication for external connections
A.11.4.3 Equipment identification in networks
A.11.4.4 Remote diagnostic and configuration port protection
A.11.4.5 Segregation in networks
A.11.4.6 Network connection control
A.11.4.7 Network routing control

Page 70

A.11.5 Operating system access control
A.11.5.1 Secure log-on procedures
A.11.5.2 User identification and authentication
A.11.5.3 Password management system
A.11.5.4 Use of system utilities
A.11.5.5 Session time-out
A.11.5.6 Limitation of connection time

A.11.6 Application and information access control
A.11.6.1 Information access restriction
A.11.6.2 Sensitive system isolation

Page 71

Page 72

Page 73

Risk Assessment – Threats and Vulnerabilities (recap of the lists on Page 27)

Page 74: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL


A.9 Physical and environmental security

A.9.1 Secure areas

• A.9.1.1 Physical security perimeter
• A.9.1.2 Physical entry controls
• A.9.1.3 Securing offices, rooms and facilities
• A.9.1.4 Protecting against external and environmental threats
• A.9.1.5 Working in secure areas
• A.9.1.6 Public access, delivery and loading areas

Page 75: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL


A.9.2 Equipment security

• A.9.2.1 Equipment siting and protection
• A.9.2.2 Supporting utilities
• A.9.2.3 Cabling security
• A.9.2.4 Equipment maintenance
• A.9.2.5 Security of equipment off premises
• A.9.2.6 Secure disposal or re-use of equipment
• A.9.2.7 Removal of property

Page 76: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL


Page 77: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL


Page 78: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL



Page 79: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL


A.12 Information systems acquisition, development and maintenance

A.12.1 Security requirements of information systems

• A.12.1.1 Security requirements analysis and specification

A.12.2 Correct processing in applications

• A.12.2.1 Input data validation
• A.12.2.2 Control of internal processing
• A.12.2.3 Message integrity
• A.12.2.4 Output data validation

Page 80: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL


A.12.3 Cryptographic controls

• A.12.3.1 Policy on the use of cryptographic controls
• A.12.3.2 Key management

A.12.4 Security of system files

• A.12.4.1 Control of operational software
• A.12.4.2 Protection of system test data
• A.12.4.3 Access control to program source code

Page 81: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL


A.12.5 Security in development and support processes

• A.12.5.1 Change control procedures
• A.12.5.2 Technical review of applications after operating system changes
• A.12.5.3 Restrictions on changes to software packages
• A.12.5.4 Information leakage
• A.12.5.5 Outsourced software development

A.12.6 Technical vulnerability management

• A.12.6.1 Control of technical vulnerabilities

Page 82: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL


Page 83: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL


Page 84: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL



Page 85: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL


A.10 Communications and operations management

A.10.1 Operational procedures and responsibilities

• A.10.1.1 Documented operating procedures
• A.10.1.2 Change management
• A.10.1.3 Segregation of duties
• A.10.1.4 Separation of development, test and operational facilities

A.10.2 Third party service delivery management

• A.10.2.1 Service delivery
• A.10.2.2 Monitoring and review of third party services
• A.10.2.3 Managing changes to third party services

A.10.3 System planning and acceptance

• A.10.3.1 Capacity management
• A.10.3.2 System acceptance

Page 86: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL


A.10.4 Protection against malicious and mobile code

• A.10.4.1 Controls against malicious code
• A.10.4.2 Controls against mobile code

A.10.5 Back-up

• A.10.5.1 Information back-up

A.10.6 Network security management

• A.10.6.1 Network controls
• A.10.6.2 Security of network services

A.10.7 Media handling

• A.10.7.1 Management of removable media
• A.10.7.2 Disposal of media
• A.10.7.3 Information handling procedures
• A.10.7.4 Security of system documentation

Page 87: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL


A.10.8 Exchange of information

• A.10.8.1 Information exchange policies and procedures
• A.10.8.2 Exchange agreements
• A.10.8.3 Physical media in transit
• A.10.8.4 Electronic messaging
• A.10.8.5 Business information systems

A.10.9 Electronic commerce services

• A.10.9.1 Electronic commerce
• A.10.9.2 On-line transactions
• A.10.9.3 Publicly available information

Page 88: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL


A.10.10 Monitoring

• A.10.10.1 Audit logging
• A.10.10.2 Monitoring system use
• A.10.10.3 Protection of log information
• A.10.10.4 Administrator and operator logs
• A.10.10.5 Fault logging
• A.10.10.6 Clock synchronization

Page 89: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL


Page 90: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL


Page 91: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL



Page 92: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

A.14 Business continuity management

A.14.1 Information security aspects of business continuity management

• A.14.1.1 Including information security in the business continuity management process
• A.14.1.2 Business continuity and risk assessment
• A.14.1.3 Developing and implementing continuity plans including information security
• A.14.1.4 Business continuity planning framework
• A.14.1.5 Testing, maintaining and reassessing business continuity plans


Page 93: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL


Page 94: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL


Page 95: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL


Page 96: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Goals


Page 97: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

ISMS Goals

• Reduce risks and threats to the Confidentiality, Integrity and Availability of the organization's Information Assets and System Resources by providing policies, practices and standards designed to mitigate or eliminate all known risks and threats.

• Improve the effectiveness and efficiency of Information Security Management by implementing a world-class best practice and framework for consistent, concise information security administration.

• Improve the effectiveness and efficiency of existing information security mechanisms by formalizing new practices to monitor compliance and maintain sensitive data awareness.

• Improve reassurance testing and validation outcomes by Internal Audit and External Auditors to further assure senior management and shareholders that Information Assets and System Resources are secure.

• Reduce the likelihood that an accidental incident originating from staff could have an adverse effect on organizational reputation or liabilities, potentially leading to financial losses, by providing an ongoing information security program.


Page 98: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

ITSM Goals

IT Security Management has two primary objectives that fit perfectly with the ISMS Goals:

1) To meet the security requirements of SLAs and external requirements further to contracts, legislation and externally imposed policies.

2) To provide a basic level of security, independent of external requirements.


Page 99: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Quality Management


Page 100: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Quality Management

Quality Management for IT services is a systematic way of ensuring that all the activities necessary to design, develop, implement and maintain IT services satisfy the requirements of the organization and its employees while providing assurance that strategic and tactical activities are carried out cost-effectively.

“Quote”

‘We have learned to live in a world of mistakes and defective products as if they were necessary to life. It is time to adopt a new philosophy...’

(W. Edwards Deming, 1900–1993)


Page 101: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Quality Management

Excerpts from Deming's 14 points relevant to Service Management:

- break down barriers between departments (improves communications and management)

- management must learn their responsibilities, and take on leadership (process improvement requires commitment from the top; good leaders motivate people to improve themselves and therefore the image of the organization)

- improve constantly (a central theme for service managers is continual improvement; this is also a theme for Quality Management. A process-led approach is key to achieving this target)

- institute a programme of education and self-improvement (learning and improving skills have been the focus of Service Management for many years)

- training on the job (linked to continual improvement)

- transformation is everyone's job (the emphasis being on teamwork and understanding).


Page 102: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Quality Management

Deming's 14-point Service Management guidelines focus on four repeated activities, Plan – Do – Check – Act, unified by the common theme of continuous improvement. These activities are easily identifiable within both the ITSM and ISMS frameworks and can also be linked to the Capability Maturity Model.


Page 103: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

PDCA

‘PLAN – DO – CHECK – ACT’


Page 104: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Plan-Do-Check-Act

[Figure: Plan-Do-Check-Act cycle. Interested Parties supply Information Security requirements & expectations as input; Managed Information Security is returned to Interested Parties as output. Stages shown: PLAN – Design & Plan Information Security Program; DO – Maintain & Improve Information Security Program; CHECK – Monitor, Audit, Review Information Security Program; ACT – Lead Corrective, Preventative, and Continuous Improvement action plans.]

The PDCA Methodology is an iterative process model.

PLAN (Step #1): Design, plan and initiate the information security program. These activities include creating a strategy, socialization concepts, creating policies, goals, objectives and practices as necessary to manage risk.

DO (Step #2): Execute and control the information security strategy, including its integration into organizational practices.

CHECK (Step #3): Facilitate semi-annual audits to determine conformance to the statement of applicability and identify opportunities for improvement. Wherever appropriate, develop and integrate performance metrics which support information security program goals and objectives.

ACT (Step #4): Upon the discovery of nonconformities and/or opportunities, create and track corrective, preventive, and continuous improvement action plans. Present findings from internal/external audit and risk assessments to the Management Review Committee for decisions regarding the acceptance, rejection, or transfer of risk and the commitment of resources and capital to facilitate subsequent efforts.


Page 105: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

ITIL – IT Security Management (ITSM)

[Figure: ITIL IT Security Management cycle. The customer defines business requirements; the SLA/Security Chapter is the agreement between customer and provider; the IT Service Provider implements the SLA security requirements and reports according to the SLA, OLA and UC. Steps: #1 Plan, #2 Do, #3 Check, #4 Act.]

PLAN:

* Service Level Agreements
* Underpinning Contracts
* Operational Level Agreements
* Internal Policies

CONTROL:

* Organize
* Create Management Framework
* Allocate Responsibilities

IMPLEMENT:

* Improve awareness
* Classification and management of resources
* Personnel Security
* Physical Security
* Security management of hardware, networks, applications, etc.
* Access Control
* Resolve security incidents

EVALUATE:

* Internal audits
* External audits
* Self Assessments
* Security incidents

MAINTAIN:

* Learn
* Improve
* Plan
* Implement


Page 106: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Information Security Management System (ISMS)

[Figure: ISMS (ISO27K) process flow. Elements shown: Asset Inventory and Data Sensitivity; Threat/Risk Assessment and Risk Assessment producing the RA Report; Risk Treatment Plan; Accept, Reject or Transfer Risk decision; ISMS Audit Process against the Statement of Applicability, with a Conformity (yes/no) decision and Audit Report; ISMS Management Review Process producing Action Plans/Project Plans, Corrective or Preventative Action and the Continuous Improvement Program; ISMS Record Management (Records/Evidence); ISMS External Input from Partner/Customer Feedback, Business Plans and Legislative Changes. Steps: #1 Plan, #2 Do, #3 Check, #4 Act.]

A: Integrated into the ITIL Incident and Problem Management processes, Project Management, Service Desk, Human Resources, Systems Development.

B: Integrated into the Project Management Dashboards, Meeting Minutes, Statutory/Regulator Registry, Contract Registry.

InfoSec Management Review Committee: Human Resources Manager, VP Finance, Property Administration Manager, VP of Product Development, Director of Technical Operations, Director of Product Development, VP of Payment Services, Director of Online Banking Services, Director of Internal Audit.

Risk Assessment Strategies include: (1) Control Self-Assessment, (2) Privacy Impact Assessment, (3) Threat-Risk Assessment, (4) OCTAVE.


Page 107: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

ISMS / ITSM

“under the covers”


Page 108: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL


Page 109: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL


Page 110: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Program “Inputs”


Page 111: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Program “Inputs”

ITSM: Inputs: SLA, OLA, Information Security Policy, Statutes, Regulations

ISMS: Inputs:

a) Improve the effectiveness of the ISMS;
b) Update the risk assessment and risk treatment plan;
c) Modification of practices and controls that affect information security, as necessary, to respond to internal or external events that may impact the ISMS, including changes to:
   1) business requirements;
   2) security requirements;
   3) business processes affecting the existing business requirements;
   4) regulatory or legal requirements;
   5) contractual obligations; and
   6) levels of risk and/or criteria for accepting risks;
d) Resource needs;
e) Improvement on how the effectiveness of controls is being measured.


Page 112: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Program “Outputs”


Page 113: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Program “Outputs”

ITSM: Outputs: SLA status pertaining to Security Management Metrics, Exceptions, routine security planning, ISMS Management Review Committee

ISMS: Outputs:

a) results of ISMS audits and reviews;
b) feedback from interested parties;
c) techniques, products or procedures, which could be used in the organization to improve the ISMS performance and effectiveness;
d) status of preventive and corrective actions;
e) vulnerabilities or threats not adequately addressed in the previous risk assessment;
f) results from effectiveness measurements;
g) follow-up actions from previous management reviews;
h) any changes that could affect the ISMS; and
i) recommendations for improvement.


Page 114: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

CYBERSECURITY Program ‘Integration’ with operational level processes


Page 115: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

ITSM Integration Points

• Configuration Management
• Incident Management
• Problem Management
• Change Management
• Release Management
• Capacity Management
• Availability Management
• IT Service Continuity Management
• Service Level Management


Page 116: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Configuration Management

ITSM: Integration: The creation and maintenance of classified Configuration Items (CI). This classification links the CI with specified security practices and standards. It takes into consideration requirements for confidentiality, integrity and availability based on business requirements for compliance with statutory, regulatory and contractual obligations. These requirements are determined as the result of risk assessments such as the TRA, PIA and BIA.

ISMS: Integration:

• A.7.1.1 All assets shall be clearly identified and an inventory of all important assets drawn up and maintained.
• A.7.2.1 Information shall be classified in terms of its value, legal requirements, sensitivity and criticality to the organization.
• A.7.2.2 An appropriate set of procedures for information labelling and handling shall be developed and implemented in accordance with the classification scheme adopted by the organization.
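A CMDB conformance check for the three controls above, as an added example that is not code from the deck: each CI's label is derived from the higher of its TRA and PIA confidentiality ratings using the D/O/C/P labels the deck uses in its change-management figure, and each CI is checked for an owner, a classification consistent with the assessments, and the handling standards its label requires. The CI records, the rating-to-label mapping and the handling standards are constructed assumptions.

```python
"""Configuration Item (CI) classification and inventory conformance check.

Added example, not code from the deck. Findings are returned as
(asset, control, description) triples shaped for the 8.2 corrective
action procedure. All records and mappings below are constructed.
"""
from dataclasses import dataclass, field

RATING = {"low": 1, "med": 2, "high": 3}
LABELS = {"D": "Declassified", "O": "Operational",
          "C": "Confidential", "P": "Private"}
LABEL_ORDER = {"D": 0, "O": 1, "C": 2, "P": 3}

# Assumed: the higher of the TRA/PIA confidentiality ratings selects the
# label. D (declassified) is assigned by decision, never by rating.
LABEL_FOR_RATING = {1: "O", 2: "C", 3: "P"}

# Assumed handling standards per label (A.7.2.2); higher labels add controls.
HANDLING = {
    "D": set(),
    "O": {"access_list"},
    "C": {"access_list", "encrypt_at_rest"},
    "P": {"access_list", "encrypt_at_rest", "encrypt_in_transit",
          "distribution_record"},
}


@dataclass
class CI:
    ci_id: str
    name: str
    owner: str
    tra_confidentiality: str   # TRA rating: low / med / high
    pia_confidentiality: str   # PIA rating: low / med / high
    label: str                 # label recorded in the CMDB
    controls: set = field(default_factory=set)


def required_label(ci):
    """Label the assessments call for (A.7.2.1)."""
    rating = max(RATING[ci.tra_confidentiality],
                 RATING[ci.pia_confidentiality])
    return LABEL_FOR_RATING[rating]


def check_ci(ci):
    """Return (ci_id, control, description) findings for one CI."""
    findings = []
    if not ci.owner.strip():
        findings.append((ci.ci_id, "A.7.1.1", "no owner recorded"))
    if ci.label not in LABELS:
        findings.append((ci.ci_id, "A.7.2.1", f"unknown label {ci.label!r}"))
        return findings          # handling cannot be judged without a label
    required = required_label(ci)
    if LABEL_ORDER[ci.label] < LABEL_ORDER[required]:   # under-classified
        findings.append((ci.ci_id, "A.7.2.1",
                         f"labelled {ci.label} but assessments require {required}"))
    missing = HANDLING[required] - ci.controls
    if missing:
        findings.append((ci.ci_id, "A.7.2.2",
                         "missing handling standards: " + ", ".join(sorted(missing))))
    return findings


def audit(cmdb, discovered_assets):
    """Audit every CI, then reconcile the CMDB against independently
    discovered assets so unregistered assets surface under A.7.1.1."""
    findings = []
    for ci in cmdb:
        findings.extend(check_ci(ci))
    inventoried = {ci.name for ci in cmdb}
    for name in discovered_assets:
        if name not in inventoried:
            findings.append((name, "A.7.1.1",
                             "asset discovered but not in inventory"))
    return findings


# Constructed CMDB export and discovery scan.
CMDB = [
    CI("CI-001", "online-banking-db", "Director of Online Banking Services",
       "high", "high", "P",
       {"access_list", "encrypt_at_rest", "encrypt_in_transit",
        "distribution_record"}),
    CI("CI-002", "payroll-share", "", "med", "high", "C",
       {"access_list", "encrypt_at_rest"}),
    CI("CI-003", "intranet-www", "Director of Technical Operations",
       "low", "low", "O", {"access_list"}),
    CI("CI-004", "test-env-vm", "Director of Product Development",
       "med", "low", "X", set()),
]
DISCOVERED = ["online-banking-db", "payroll-share", "intranet-www",
              "test-env-vm", "legacy-ftp"]

if __name__ == "__main__":
    for asset, control, text in audit(CMDB, DISCOVERED):
        print(f"{asset}: {control}: {text}")
```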


Page 117: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Configuration Management


People - Staff and managers, particularly those in key knowledge management roles such as senior/executive managers, software architects/developers/testers, systems managers, security administrators, operators, legal and regulatory compliance people...

Information - Personal, financial, legal, research and development, strategic and commercial, email, voicemail, databases, personal and shared drives, backup tapes/CDs/DVDs and digital archives, encryption keys...

Software - In-house/custom-written systems, client software (including shared or single-user ‘End User Computing’ desktop applications), ‘commercial off-the-shelf’ (COTS), ERP, MIS, databases, software utilities/tools, eBusiness applications, middleware...

Page 118: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Configuration Management


Hardware - Computing and storage devices, e.g. desktops, workstations, laptops, handhelds, servers, mainframes, modems and line terminators, communications devices (network nodes), printers/copiers/FAX machines and multifunction devices.

Telecommunications - Fiber Internet Connection, DSL Internet Connection, General Packet Radio Service (GPRS), Gateway GPRS Support Node (GGSN), Protocol/Port Summary (UDP 9000 (MO, MT); UDP 53248 (MT); FTP 21 (MO); SSH 22 (MT); HTTP 8005 (MT); TCP 1225, 1121, 2189 (MO); UDP 1120, 1121, 2188 (MO); Unicom - IDC - ASN: 4808), Wireless Devices (GPRS, Public), Wireless Carriers, Internet Service Providers.

Facilities - IT buildings, data centers, server/computer rooms, LAN/wiring closets, offices, desks/drawers/filing cabinets, media storage rooms...

Page 119: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Corrective/Preventative Actions

110 incidents, of which the majority impacted the information security principle “availability”.

Confidentiality was no surprise, only impacting 7% of all tickets. Even though the numbers are usually low within this category, events affecting “confidentiality” typically result in the biggest headaches.

The real surprise was the high rate of incidents impacting the information security principle “integrity”.


Page 120: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Incident Management

ITSM: Integration: Incident Management is an important process for reporting security incidents. Information security incidents are not clearly understood by most business people, so it is very likely that information security incidents will be handled through a practice other than incident management. It is therefore essential that Incident Management recognize security incidents as such. Any incident that may interfere with achieving the SLA security requirements is classified as a security incident by ITSM. It is useful to include in the SLA a description of the types of incidents to be considered security incidents. In addition, any incident that interferes with achieving the basic internal security level is also classified as a security incident.
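The classification rule above, together with the per-principle breakdown of the 110 incidents on the corrective/preventative slide, as an added example that is not code from the deck: a triage routine tags a ticket as a security incident when its category is listed in the SLA security chapter or in the basic internal security level, records the principle impacted so the distribution by confidentiality/integrity/availability can be produced from the queue, and flags mundane-looking tickets whose wording suggests a security event that the business user did not recognize. The categories, keywords and tickets are constructed.

```python
"""Security-incident triage against the SLA security chapter.

Added example, not code from the deck. All categories, keywords and
tickets below are constructed.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed SLA security chapter: incident category -> principle impacted.
SLA_SECURITY_CHAPTER = {
    "malware": "availability",
    "phishing": "confidentiality",
    "lost_device": "confidentiality",
    "unauthorized_change": "integrity",
    "data_corruption": "integrity",
    "service_outage": "availability",
}

# Constructed basic internal security level: counts as a security incident
# even when the customer's SLA does not list the category.
BASELINE_SECURITY_LEVEL = {
    "policy_violation": "confidentiality",
    "failed_backup": "availability",
}

# Words in a ticket description that should send a non-security ticket to
# the security desk for a second look (constructed list).
REVIEW_KEYWORDS = ("stolen", "lost", "virus", "breach", "unauthori")


@dataclass
class Ticket:
    ticket_id: str
    category: str
    description: str
    is_security: bool = False
    source: str = ""          # "sla", "baseline" or "" for plain incidents
    principle: str = ""       # confidentiality / integrity / availability
    needs_review: bool = False


def classify(ticket):
    """Apply the deck's rule: SLA security chapter first, then the basic
    internal level; otherwise keep it a plain ITSM incident but flag
    suspicious wording for review."""
    if ticket.category in SLA_SECURITY_CHAPTER:
        ticket.is_security, ticket.source = True, "sla"
        ticket.principle = SLA_SECURITY_CHAPTER[ticket.category]
    elif ticket.category in BASELINE_SECURITY_LEVEL:
        ticket.is_security, ticket.source = True, "baseline"
        ticket.principle = BASELINE_SECURITY_LEVEL[ticket.category]
    else:
        text = ticket.description.lower()
        ticket.needs_review = any(k in text for k in REVIEW_KEYWORDS)
    return ticket


def triage(tickets):
    """Classify all tickets; return (security_incidents, other_incidents)."""
    classified = [classify(t) for t in tickets]
    return ([t for t in classified if t.is_security],
            [t for t in classified if not t.is_security])


def principle_distribution(security_incidents):
    """Share of security incidents per principle, in percent (one decimal)."""
    total = len(security_incidents)
    if total == 0:
        return {}
    counts = Counter(t.principle for t in security_incidents)
    return {p: round(100.0 * n / total, 1) for p, n in counts.items()}


# Constructed ticket queue.
SAMPLE_TICKETS = [
    Ticket("INC-001", "malware", "Workstation reports trojan, taken offline"),
    Ticket("INC-002", "printer_jam", "Paper jam on floor 3 printer"),
    Ticket("INC-003", "phishing", "User replied to fake payroll e-mail"),
    Ticket("INC-004", "service_outage", "Online banking portal down 20 min"),
    Ticket("INC-005", "failed_backup", "Nightly backup of file server failed"),
    Ticket("INC-006", "unauthorized_change", "Firewall rule changed without RFC"),
    Ticket("INC-007", "password_reset", "User forgot password"),
    Ticket("INC-008", "data_corruption", "Ledger totals differ after batch job"),
    Ticket("INC-009", "service_outage", "Payment gateway timeouts"),
    Ticket("INC-010", "malware", "Bot traffic from marketing laptop"),
    Ticket("INC-011", "hardware", "Laptop stolen from employee's car"),
]

if __name__ == "__main__":
    security, other = triage(SAMPLE_TICKETS)
    print(f"{len(security)} security incidents, {len(other)} other")
    print(principle_distribution(security))
    for t in other:
        if t.needs_review:
            print("review:", t.ticket_id, t.description)
```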


Page 121: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Incident Management

ISMS: Integration: A.13.1.1 Information security events shall be reported through appropriate management channels as quickly as possible.


Page 122: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Problem Management

ITSM: Integration: Problem Management is responsible for identifying and solving structural security failings. The resolution of a problem could introduce a new security risk, which is why Problem Management must involve Security Management during the resolution of the problem. Security Management's certification of the resolution should be based on compliance with the SLA and organizational security requirements.


Page 123: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Corrective/Preventative Management

ITSM: Integration:

Corrective action - 8.2 The documented procedure for corrective action shall define requirements for:

a) identifying nonconformities;
b) determining the causes of nonconformities;
c) evaluating the need for actions to ensure that nonconformities do not recur;
d) determining and implementing the corrective action needed;
e) recording results of action taken (see 4.3.3); and
f) reviewing of corrective action taken.

Preventive action - 8.3 The documented procedure for preventive action shall define requirements for:

a) identifying potential nonconformities and their causes;
b) evaluating the need for action to prevent occurrence of nonconformities;
c) determining and implementing preventive action needed;
d) recording results of action taken (see 4.3.3); and
e) reviewing of preventive action taken.


Page 124: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Corrective/Preventative Management ITSM: Integration: 8.2 Corrective action and 8.3 Preventive action


Page 125: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Continuous Improvement

23 Active Projects Monitored

Risk is measured in terms of High, Med, Low. Impact is assessed against the principles of information security: Confidentiality, Integrity and/or Availability.

[Figure: active projects plotted by risk and impact, grouped by Dept “A” to Dept “E”.]


Page 126: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Continuous Improvement


Project Managers facilitate a control self assessment and the security and privacy office follows up. If the balance between the number of active projects and impact/risk is relative then generally projects continue without direct involvement of the security and privacy office.


Page 127: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Continuous Improvement

However, if the balance between the number of active projects and impact/risk appears out of balance then the security and privacy office will get involved.


Page 128: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Change Management

ITSM: Integration: Change Management activities are often closely associated with security because Change Management and Security Management are interdependent. There are a number of standard operations to ensure that this security is maintained, including the Request For Change (RFC) associated with governance for acceptance. The RFC should also include a proposal for dealing with security issues, based on the SLA requirements. Preferably, the Security Manager (and possibly the customer's Security Officer) should be a member of the Change Advisory Board (CAB).


Page 129: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Change Management

[Figure: information lifecycle and change decision flow. “Purpose”: Why are we collecting the information? Parallel information collection through paper document, manual operation, digital camera, optical scanner, video, fax, computer, phone, mobile phone and electronic interface. Business Driver: we have an opportunity and/or our partners and clients have requested a new function or feature. Information Security Process (“Protection”): facilitate risk assessment, select & implement safeguards. Lifecycle operations: CHANGE, ADD, DELETE, SECURE, AUDIT, ARCHIVE, DISPOSE, INTERFACE, CREATE, MIGRATE, CONSOLIDATE, DISCLOSE, SHARE, RECYCLE.]

ISMS: Integration: A.10.1.2 Changes to information processing facilities and systems shall be controlled.

[Figure: access and information release control flow. Access (add, change, delete) decisions: Are we removing access? Has the appropriate manager approved? Manager to review annually. Activities: Remove Authorization; Transfer or remove classified information; Remove username from an authorized list; Assign or modify the level of authorization; What level of authorization has been assigned; Apply document control security standards; Request access to classified information assets; Release information; Validate information asset; Release method (ftp, email, mail, hardcopy); Maintain record of distribution (e.g. email record, courier receipt); Notify manager; Notify user. Authorization List: RBAC, Workgroups, SOD. Classification levels: D = Declassified, O = Operational, C = Confidential, P = Private. Legend: Document, Decision, Interface, Activity, Page Connect, Control, Risk, Management Tools; C: Control, R: Risk, T: Tools, CP: Communications Plan, TS: Test Plan.]


Page 130: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Release Management

ITSM: Integration: All new versions of software, hardware, data communications equipment, etc. should be controlled and rolled out by Release Management. This process will ensure that:

* The correct hardware and software are used
* The hardware and software are tested before use
* The introduction is correctly authorized using change control
* The software is legal
* The software is free from viruses and that viruses are not introduced during distribution
* The version numbers are known and recorded in the CMDB by Configuration Management
* The rollout is managed effectively


Page 131: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Release Management

ISMS: Integration:

• A.10.1.2 Changes to information processing facilities and systems shall be controlled.
• A.10.1.4 Development, test and operational facilities shall be separated to reduce the risks of unauthorized access or changes to the operational system.

[Flowchart: access (add, change, delete) to classified information assets and release of information.

Decisions: Are we removing access? | Has the appropriate manager approved? | What level of authorization has been assigned?
Activities: Remove authorization | Transfer or remove classified information | Remove username from an authorized list | Assign or modify the level of authorization | Manager to review annually | Apply document control security standards | Request access to classified information assets | Validate information asset | Release information | Release method (ftp, email, mail, hardcopy) | Maintain record of distribution, i.e. email record, courier receipt | Notify manager | Notify user
Data: Authorization List (RBAC, Workgroups, SOD) | Data Store
Classification levels: D = Declassified, O = Operational, C = Confidential, P = Private
Step labels 1a to 1i; annotations C1 to C5, R1 to R5, CP1, CP2.]

Legend: Document, Decision, Interface, Activity, Page Connector, Control, Risk Management, Tools. C: Control, R: Risk, T: Tools, CP: Communications Plan, TS: Test Plan.
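The decision points of this flowchart, written out as an added Python example (not the author's procedure or any product's code): the requester must be on the Authorization List with an RBAC role and workgroup that cover the asset, the approver must be a manager other than the user (SOD), the manager's annual review must not have lapsed, the assigned level must be at least the asset's classification, the release method must be one document-control standards allow for that level, and a record of distribution is produced when the release goes ahead. The ordering D < O < C < P, the methods permitted per level, the 365-day review window and all people, assets and dates are assumptions constructed for the example.

```python
"""Release decision for a classified information asset, following the
flowchart's decision points: authorization list (RBAC role, workgroups,
SOD), manager approval and annual review, assigned level versus asset
classification, document-control rules for the release method, and the
record of distribution. Added example; the level ordering D < O < C < P,
the methods allowed per level, the 365-day review window and all people,
assets and dates are assumptions constructed for it."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed ordering: Declassified < Operational < Confidential < Private.
LEVELS = {"D": 0, "O": 1, "C": 2, "P": 3}
# Assumed document-control standard: release methods permitted per level.
ALLOWED_METHODS = {
    "D": {"ftp", "email", "mail", "hardcopy"},
    "O": {"email", "mail", "hardcopy"},
    "C": {"mail", "hardcopy"},
    "P": {"hardcopy"},
}
REVIEW_WINDOW = timedelta(days=365)   # manager reviews the list annually


@dataclass
class AuthEntry:
    """One row of the Authorization List."""
    user: str
    role: str              # RBAC role
    workgroups: set
    level: str             # highest classification the user may handle
    approved_by: str       # manager who granted it; SOD says never the user
    last_review: date


@dataclass
class Asset:
    name: str
    level: str
    workgroup: str


@dataclass
class Decision:
    released: bool
    reasons: list = field(default_factory=list)
    record: dict = None    # the distribution record when released


def release(entry, asset, method, managers, today):
    """Walk the decision; on success return the record of distribution to keep."""
    reasons = []
    # Has the appropriate manager approved? Segregation of duties applies.
    if entry.approved_by not in managers:
        reasons.append("approver %s is not a manager" % entry.approved_by)
    if entry.approved_by == entry.user:
        reasons.append("SOD violation: user approved own access")
    # Annual review lapsed: notify the manager rather than release.
    if today - entry.last_review > REVIEW_WINDOW:
        reasons.append("authorization not reviewed within a year; notify manager")
    # What level of authorization has been assigned, and for which workgroup?
    if asset.workgroup not in entry.workgroups:
        reasons.append("user not in workgroup %s" % asset.workgroup)
    if LEVELS[entry.level] < LEVELS[asset.level]:
        reasons.append("assigned level %s below asset level %s" % (entry.level, asset.level))
    # Apply document control security standards to the release method.
    if method not in ALLOWED_METHODS[asset.level]:
        reasons.append("method %s not permitted for level %s" % (method, asset.level))
    if reasons:
        return Decision(False, reasons)
    # Maintain record of distribution (the email record or courier receipt).
    record = {"asset": asset.name, "level": asset.level, "to": entry.user,
              "role": entry.role, "method": method, "date": today.isoformat(),
              "authorized_by": entry.approved_by}
    return Decision(True, [], record)


# Constructed sample data.
MANAGERS = {"mary.manager"}
TODAY = date(2015, 5, 12)
ALICE = AuthEntry("alice", "analyst", {"finance"}, "C", "mary.manager", date(2015, 1, 10))
BOB = AuthEntry("bob", "admin", {"finance"}, "P", "bob", date(2013, 2, 1))
LEDGER = Asset("q1-ledger.xlsx", "C", "finance")
HR_FILE = Asset("employee-records.csv", "P", "hr")


def demo():
    return {
        "alice_hardcopy": release(ALICE, LEDGER, "hardcopy", MANAGERS, TODAY),
        "alice_ftp": release(ALICE, LEDGER, "ftp", MANAGERS, TODAY),
        "alice_hr": release(ALICE, HR_FILE, "hardcopy", MANAGERS, TODAY),
        "bob_self_approved": release(BOB, LEDGER, "mail", MANAGERS, TODAY),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(name, "released" if d.released else "refused", d.reasons or d.record)
```

Every failed check is collected rather than stopping at the first, so the notification to the manager lists everything that has to be fixed (a self-approved entry with a lapsed review shows both), and a release is only recorded when no check failed.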

Page 132: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Availability Management

ITSM: Integration: Availability Management addresses the technical availability of IT components in relation to the availability of the service. The quality of availability is assured by continuity, maintainability and resilience. Availability Management is the process most directly tied to the security principle of availability, that is, the availability of information assets. Because many security measures benefit availability as well as confidentiality and integrity, effective coordination of measures between Availability Management, IT Service Continuity Management and Security Management is essential.

Page 133: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Capacity Management ITSM: Integration: Capacity Management is responsible for the best use of IT resources, as agreed with the customer. The performance requirements are based on the qualitative and quantitative standards defined by Service Level Management. Almost all the activities of Capacity Management affect availability, and therefore also Security Management.

Page 134: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Capacity Management ISMS: Integration: A.10.10.5 Faults shall be logged, analyzed, and appropriate action taken. A.14.1.1 A managed process shall be developed and maintained for business continuity throughout the organization that addresses the information security requirements needed for the organization's business continuity.

Page 135: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

IT Service Continuity Management

ITSM: Integration: IT Service Continuity Management ensures that the impact of any contingency is limited to the level agreed with the customer. Contingencies need not turn into disasters. The major activities are defining, maintaining, implementing and testing the contingency plan, and taking preventive action. Because of its security aspects there are ties with Security Management; conversely, failure to fulfil basic security requirements may itself be considered a contingency.

Page 136: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Business Continuity

[Figure: how business requirements drive the need for information and technology. Consumer & Business Requirements -> Business Drivers ("Customers demand new services and improvements to existing services") -> Your Business / Your Service Providers. Service requires information to function: the Information Database holds the customer records (sample entries for customers BOB and MARY). Requirements = Business Systems + Technology, where Technology = Hardware + Telecommunications + Skilled Labor.]

To deliver these services we'll need specific information gathered and stored, maintained, processed and exchanged.

To deliver these services we'll need business systems created in a programming language to ensure consistent and effective processing. We'll also need reliable hardware and telecommunications suitable for the requirements, and skilled people/resources to write code, troubleshoot, administer security, apply patches/fixes, configure systems, configure communications and build in redundancy.

Page 137: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Service Level Management ITSM: Integration: Service Level Management ensures that agreements about services to be provided to customers are defined and achieved. The Service Level Agreements should also address security measures. The objective is to optimize the level of service provided. Service Level Management includes a number of related security activities in which Security Management plays an important role:

(a) Identification of the security needs of the customer. Naturally, determining the security needs is the responsibility of the customer, as these needs are based on their business interests.
(b) Verifying the feasibility of the customer's security requirements.
(c) Proposing, discussing and defining the security level of IT services in the SLA.
(d) Identifying, developing and defining the internal security requirements for IT services through OLAs.
(e) Monitoring the security standards defined within the OLAs.
(f) Reporting on the IT services provided.

Page 138: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Service Providers

[Diagram: the Organizational Security and Privacy group at the centre, linked to Managers, Service Providers and Executives.]

The Organizational Security and Privacy group will assist Managers by reviewing and recommending amendments to contracts and agreements to ensure they address information security and privacy obligations as outlined within data protection statutes (PIP Act, PIPED Act, and FOIPP Act). Some of these provisions may include the following:

• Disclosure of Personal Information

• Annual Compliance Certificate

• Ownership and Control of Personal Information

• Privacy Strategy/Plan

• Training/Awareness

• Risk Assessments (PIA, TRA, CSA)

• Testing and Development Work

• Removal of Personal Information

• Destruction of sensitive information and media containing sensitive information

• Physical and Environmental Security

• Security standards for sensitive Databases

• Transmission and Back-ups of Personal Information

• Information handling for Database/Media

• System Logs, Audit Logs

• Breach or Demand Notification

• Security Controls for Authorized Personnel

• Agreements with contractors/service providers

• US based companies

• Sensitive information sharing

• Collection of Personal Information

• Non-Compliance Reports

Page 139: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Service Catalogue

Page 140: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

SLA, OLA, and UC

Page 141: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Key Performance Indicators

Remediation timeframes by risk rating and system exposure:

• High: Internet-facing systems require immediate action; internal systems must be remediated within 7 days; all other systems within 60 days.
• Medium: Internet-facing systems must be remediated within 7 days; internal systems within 60 days; all other systems within 90 days.
• Low: Internet-facing systems must be remediated within 30 days; internal systems within 180 days; all other systems within 18 months or by the next maintenance cycle, whichever comes first.

Page 142: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Contractual Obligations ISMS: Integration: A.15.1.1 All relevant statutory, regulatory and contractual requirements and the organization's approach to meet these requirements shall be explicitly defined, documented, and kept up to date for each information system and the organization.

Page 143: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Customer Service Reports ITSM: Integration: Customer Service Reports must be provided at the intervals agreed in the SLA. These reports compare the agreed service levels with the service levels that were actually measured. Examples include the following:

• availability and downtime during a specific period
• average response times during peak periods
• transaction rates during peak periods
• number of functional areas
• frequency and duration of service degradation
• average number of users at peak periods
• number of successful and unsuccessful attempts to circumvent security
• proportion of service capacity used
• number of completed and open changes
• cost of service provided
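An added Python example, not the author's reporting tooling, that computes the two security-relevant figures in this list (downtime and availability over the period, and successful versus unsuccessful attempts to circumvent security) from monitoring and authentication records and compares availability against the agreed level. The log format, the SLA target of 99.5%, the brute-force rule (five failures by one user within five minutes, successful if that user then logs in) and every record are constructed assumptions.

```python
"""Security figures for a Customer Service Report, computed from raw event
records: downtime and availability over the reporting period, and the number
of successful and unsuccessful attempts to circumvent security, set against
the SLA target. Added example; the log format, the SLA value, the brute-force
threshold and every record are constructed."""
from datetime import datetime

# Constructed sample: monitoring up/down transitions plus application audit log.
LOG = """\
2015-05-01T00:00:00 up service=portal
2015-05-03T09:15:00 down service=portal
2015-05-03T11:45:00 up service=portal
2015-05-06T02:10:14 auth user=bob result=fail reason=bad_password
2015-05-06T02:10:21 auth user=bob result=fail reason=bad_password
2015-05-06T02:10:30 auth user=bob result=fail reason=bad_password
2015-05-06T02:11:02 auth user=bob result=fail reason=bad_password
2015-05-06T02:11:15 auth user=bob result=fail reason=bad_password
2015-05-06T02:11:40 auth user=bob result=ok
2015-05-07T13:00:00 auth user=alice result=fail reason=expired_token
2015-05-07T13:00:20 auth user=alice result=ok
2015-05-08T03:00:00 auth user=eve result=fail reason=bad_password
2015-05-08T03:00:03 auth user=eve result=fail reason=bad_password
2015-05-08T03:00:06 auth user=eve result=fail reason=bad_password
2015-05-08T03:00:09 auth user=eve result=fail reason=bad_password
2015-05-08T03:00:12 auth user=eve result=fail reason=bad_password
2015-05-08T03:00:15 auth user=eve result=fail reason=bad_password
2015-05-09T22:00:00 down service=portal
2015-05-09T22:30:00 up service=portal
"""
PERIOD_START = datetime(2015, 5, 1)
PERIOD_END = datetime(2015, 5, 11)
SLA_AVAILABILITY_PCT = 99.5          # assumed agreed level
BRUTE_FORCE_THRESHOLD = 5            # assumed: 5 failures by one user in 5 minutes


def parse(log):
    """Return (timestamp, kind, fields) per 'ISO-time kind k=v ...' line."""
    events = []
    for line in log.splitlines():
        ts, kind, *rest = line.split()
        fields = dict(kv.split("=", 1) for kv in rest)
        events.append((datetime.fromisoformat(ts), kind, fields))
    return events


def downtime_minutes(events, start, end):
    """Sum minutes between each 'down' and the next 'up' that fall in the period."""
    total, down_since = 0.0, None
    for ts, kind, _ in events:
        if kind == "down" and down_since is None:
            down_since = max(ts, start)
        elif kind == "up" and down_since is not None:
            total += (min(ts, end) - down_since).total_seconds() / 60
            down_since = None
    if down_since is not None:                    # still down when the period ends
        total += (end - down_since).total_seconds() / 60
    return total


def circumvention_attempts(events, threshold=BRUTE_FORCE_THRESHOLD):
    """Count password-guessing runs: `threshold` failures by one user within
    five minutes. A run is successful if that user then authenticates."""
    fails = {}                                    # user -> recent failure times
    successful = unsuccessful = 0
    for ts, kind, f in events:
        if kind != "auth":
            continue
        user = f["user"]
        if f["result"] == "fail":
            window = [t for t in fails.get(user, []) if (ts - t).total_seconds() <= 300]
            window.append(ts)
            fails[user] = window
            if len(window) == threshold:          # count the run once, as it crosses the line
                unsuccessful += 1
        else:
            if len(fails.get(user, [])) >= threshold:
                successful += 1                   # the run ended in a login
                unsuccessful -= 1
            fails[user] = []
    return successful, unsuccessful


def service_report(log, start=PERIOD_START, end=PERIOD_END, sla_pct=SLA_AVAILABILITY_PCT):
    events = parse(log)
    down = downtime_minutes(events, start, end)
    period_min = (end - start).total_seconds() / 60
    availability = 100 * (1 - down / period_min)
    succeeded, failed = circumvention_attempts(events)
    return {
        "downtime_min": round(down, 1),
        "availability_pct": round(availability, 3),
        "availability_met": availability >= sla_pct,
        "circumvention_successful": succeeded,
        "circumvention_unsuccessful": failed,
    }


if __name__ == "__main__":
    for k, v in service_report(LOG).items():
        print("%-28s %s" % (k, v))
```

On the constructed records the portal was down 180 minutes in a 10-day period (98.75%, below the 99.5% target), one guessing run ended in a login (bob) and one did not (eve); alice's single expired-token failure is not counted as an attempt to circumvent security.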

Page 144: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

External Reports ISMS: Integration: Statement of Applicability, Compliance Management, Risk Treatment Plan, etc.

Page 145: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Management Reports ITSM: Integration: Management reports, in contrast to service level reports, are not for the customer but serve to control or manage the internal process. They may contain metrics about the actual service levels supported, and trends such as:

• total number of SLAs in the pool
• number of times an SLA was not fulfilled
• cost of measuring and monitoring the SLAs
• customer satisfaction, based on surveys/complaints
• statistics about incidents, problems and changes
• progress of continuous improvement action plans

Page 146: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Internal Reports ISMS: Integration: Compliance Management, Asset Management, Risk Treatment Management, Continuous Improvement, TRA, PIA, CSA, etc.

Page 147: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

Multiple threat vectors can attack and exploit the same vulnerability in multiple ways, making it difficult to take effective corrective or preventive action.

Page 148: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

The ISMS mitigates threats by applying a strategy that deploys a reduced set of controls in a matrix effect which addresses specific security weaknesses. The CyberSecurity Tactical Manager is responsible for Defense-in-Depth; properly executed, it will be more effective than any other approach. Currently there is no internationally accepted security framework available other than the ISMS.

Page 149: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

CyberSecurity is important, and the ISO/IEC 27001 ISMS framework can be utilized to provide assurance to customers, shareholders and partners.

A crucial aspect of managing CyberSecurity effectively is the active engagement of managers and employees, especially those who have been assigned specific accountabilities and responsibilities for various aspects of CyberSecurity.

Page 150: Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL

If you have questions please contact …….

Mark E.S. Bernard Skype; Mark_E_S_Bernard

Twitter; @MESB_TechSecure LinkedIn; http://ca.linkedin.com/in/markesbernard