*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS *** Compiled by: Mark E.S. Bernard, ISO 27001 Lead Auditor, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT

Mark E.S. Bernard ISMS ISO 27001 Governance, Risk, Compliance (GRC)

May 12, 2015


How can ISO/IEC 27001 ISMS solve the GRC dilemma? Check this presentation out...
Transcript
Page 1: Mark E.S. Bernard ISMS ISO 27001 Governance, Risk, Compliance (GRC)


Page 2:

• Introduction
• Threats
• Governance
• Risk
• Compliance
• ISMS Overview
• Incident Management
• Security Architecture
• Policy, Procedure, Standards


Page 4:

Registration need not be the final goal; every business can benefit from adopting a management system that provides assurance over information assets, in alignment with strategic and tactical business goals, while addressing governance, risk management and compliance management requirements.

Page 5:

Mark E.S. Bernard, CRISC, CGEIT, CISA, CISM, CISSP, PM, ISO 27001, SABSA-F2

Information Security, Privacy, Governance, Risk Management Consultant

Mark has 22 years of proven experience within the domain of Information Security, Privacy & Governance. Mark has led teams of 30 or more as a Director and Project Manager and managed budgets of $5 Million+. Mark has also provided oversight as a senior manager during a government outsourcing contract valued at $300 million and smaller contracts for specialized services for ERP systems and security testing. Mark has led his work-stream during the RFP process, negotiations, on-boarding and contract renegotiation, and has acted as Service Manager. Mark has architected information security and privacy programs based on ISO 27001 and reengineered IT processes based on ITIL/ISO 20000 service management, building in ISO 9001 Quality Management.

Mark is a volunteer with the local professional associations for HTCIA, ISACA, ISSA and IIA. Mark has also been published in trade magazines and on the Internet, in addition to being sought after as an expert by local radio, newspapers and television. Mark has taught as a Professor of a third-year iSeries systems engineering course and has led many workshops and keynote speeches.

Mark's expertise has been applied in a number of verticals including Financial Services, Banking, Insurance, Pharmaceutical, Telecommunications, Technology, Manufacturing and Academia. Some of Mark's recent project highlights are as follows:

Accomplishments:
• In 2012 assisted an Executive Relocation Organization to ISO/IEC 27001 Registration/Certification
• In 2012 assisted a Nanotechnology Fabrication Facility to ISO/IEC 27001 Registration/Certification
• In 2012 assisted a Cloud Software as a Service Provider to ISO/IEC 27001 Registration/Certification
• In 2010/11 co-led a US-based Cloud Service Provider to ISO/IEC 27001 Registration/Certification
• In 2009 led the 1st Canadian Public Sector ISO/IEC 27001 Registration/Certification
• In 2009 led the On-boarding Project for an ERP Service Provider
• In 2009 led the Technology and Operations work-stream during a Negotiated Request for Proposal
• In 2007 led the 1st Canadian Online Banking, Trade & Wholesale Service to ISO/IEC 27001 Registration/Certification
• In 2005 led the Privacy, Security and Privacy Compliance work-stream during outsourcing to an alternate service delivery organization
• In 2002 led Information Security Program development for an International Food Manufacturer
• In 1999 led an Independent Security Assurance Review of financial systems located offshore


Page 7:

Source: Computer Security Institute 2010/11 Survey

Page 8:

Source: Verizon Business 2011 Data Breach Investigations Report

• Large-scale breaches dropped dramatically while small attacks increased. The report notes there are several possible reasons for this trend, including the fact that small to medium-sized businesses represent prime attack targets for many hackers, who favour highly automated, repeatable attacks against these more vulnerable targets, possibly because criminals are opting to play it safe in light of recent arrests and prosecutions of high-profile hackers.

• Outsiders are responsible for most data breaches. Ninety-two percent of data breaches were caused by external sources. Contrary to the malicious-employee stereotype, insiders were responsible for only 16 percent of attacks. Partner-related attacks continued to decline, and business partners accounted for less than 1 percent of breaches.

• Physical attacks are on the rise. After doubling as a percentage of all breaches in 2009, attacks involving physical actions doubled again in 2010, and included manipulating common credit-card devices such as ATMs, gas pumps and point-of-sale terminals. The data indicates that organized crime groups are responsible for most of these card-skimming schemes.

• Hacking and malware are the most popular attack methods. Malware was a factor in about half of the 2010 caseload and was responsible for almost 80 percent of lost data. The most common kinds of malware found in the caseload were those that send data to an external entity, open backdoors, or provide keylogger functionality.

• Stolen passwords and credentials are out of control. Ineffective, weak or stolen credentials continue to wreak havoc on enterprise security. Failure to change default credentials remains an issue, particularly in the financial services, retail and hospitality industries.

Page 9:

Source: 2010 Cloud Security Alliance Top Threats

#1: Abuse and Nefarious Use of Cloud Computing
#2: Insecure Interfaces and APIs
#3: Malicious Insiders
#4: Shared Technology Issues
#5: Data Loss or Leakage
#6: Account or Service Hijacking
#7: Unknown Risk Profile

Page 10:

Source: 2010 OWASP Top 10 Web Application Security Risks

A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards

Page 11:

Source: 'The Risk of Insider Fraud', Ponemon Institute 2011

• Employee-related incidents of fraud, on average, occur weekly in participating organizations.
• Sixty-four percent of the respondents in this study say the risk of insider fraud is very high or high within their organizations.
• CEOs and other C-level executives may be ignoring the threat, according to respondents.
• The majority of insider fraud incidents go unpunished, leaving organizations vulnerable to future such incidents.
• The threat vectors most difficult to secure and safeguard from insider fraud are mobile devices, outsourced relationships (including cloud providers) and applications.
• The majority of respondents do not believe their organization has the appropriate technologies to prevent or quickly detect insider fraud, including employees' misuse of IT resources.

Page 12:

Source: Computer Security Institute 2010/11 Survey


Page 14:

Purpose: Management shall review the organization's ISMS at planned intervals (at least once a year) to ensure its continuing suitability, adequacy and effectiveness. This review shall include assessing opportunities for improvement and the need for changes to the ISMS, including the information security policy and information security objectives. The results of the reviews shall be clearly documented and records shall be maintained (ISO/IEC 27001:2005 clause 7.1; control of records is clause 4.3.3).

Goals: The ISMS Management Review Committee has been formed to provide an effective joint forum which will contribute to the following goals:

• Decision making which supports the CSO program;
• Balanced and informed review and advisory services contributing to a range of CSO planning, service delivery and issue resolution activities; and
• Proactive CSO alignment with higher-level joint governance functions to improve the effectiveness and efficiency within the CSO domain.

Page 15:

Committee Functions: Review input (ISO/IEC 27001:2005 clause 7.2). The input to a management review shall include:

a) results of ISMS audits and reviews;
b) feedback from interested parties;
c) techniques, products or procedures which could be used in the organization to improve the ISMS performance and effectiveness;
d) status of preventive and corrective actions;
e) vulnerabilities or threats not adequately addressed in the previous risk assessment;
f) results from effectiveness measurements;
g) follow-up actions from previous management reviews;
h) any changes that could affect the ISMS; and
i) recommendations for improvement.

Page 16:

Review output (ISO/IEC 27001:2005 clause 7.3). The output from the management review shall include any decisions and actions related to the following:

a) Improvement of the effectiveness of the ISMS.
b) Update of the risk assessment and risk treatment plan.
c) Modification of procedures and controls that affect information security, as necessary, to respond to internal or external events that may impact the ISMS, including changes to:
   1) business requirements;
   2) security requirements;
   3) business processes affecting the existing business requirements;
   4) regulatory or legal requirements;
   5) contractual obligations; and
   6) levels of risk and/or criteria for accepting risks.
d) Resource needs.
e) Improvement of how the effectiveness of controls is being measured.


Page 20:

Extreme (Risk Rating 90+): an extremely serious risk exists. Our assessment finds a highly motivated threat with the technical capability to exploit multiple vulnerabilities, resulting in a serious impact to Enterprise assets and services. Compounding the seriousness of this situation, existing controls are ineffective at preventing the known threat from exploiting the known vulnerability, and/or no controls have been implemented, leaving Enterprise assets and services in the same 'Extreme' risk condition.

Critical (Risk Rating 80 – 89): a critical risk exists. Our assessment finds a highly motivated threat with some technical capability to exploit a known vulnerability, resulting in a negative impact to Enterprise assets and services. Compounding the seriousness of this situation, existing controls are only somewhat effective and may or may not prevent a known threat from exploiting a known vulnerability, and/or no controls have been implemented, leaving Enterprise assets and services in a 'Critical' risk condition.


Page 25:

• Health Insurance Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health Act (HITECH Act)
• Federal Information Security Management Act (FISMA)
• Gramm-Leach-Bliley Act (GLBA)
• Payment Card Industry Data Security Standard (PCI DSS)
• Payment Card Industry Payment Application Data Security Standard (PA-DSS)
• Sarbanes-Oxley Act (SOX)
• U.S. state data breach notification laws
• International privacy or security laws


Page 30:

The demand for ISO/IEC 27001:2005 has nearly tripled in six years and the number of countries adopting the Information Security Management System has doubled. ISO/IEC 27001:2005 will soon see its first major revision since its 2005 adoption and, if it turns out to be anything like the changes we've seen in ICFR/ICIF, ISAE 3402 or NIST SP 800-53, there will be significant improvements to be leveraged. In 2006, the first year of the annual survey, ISO/IEC 27001:2005 certificates at the end of December totaled 5,797, and the number of countries with certificates totaled 64. At the end of 2010, at least 15,625 certificates had been issued in 117 countries. The 2010 total represents an increase of 2,691 (+21%) since December 2009. In 2006 the top three countries adopting ISO/IEC 27001 were Japan, the United Kingdom and India, and in 2010 that trend continued. However, the top three countries for growth from December 2009 to December 2010 were Japan, China and the Czech Republic.


Page 35:

• Governance
• Human Resources
• Roles and Responsibilities
• Charter
• Oversight Committee (ToR)
• Communication Strategy
• Statement of Applicability
• Impact
• Budget
• Risk Management
• Policy
• Methodology
• Procedure
• Risk Treatment
• Continuous Improvement
• Document Control
• Record Management
• Monitoring
• Incident Management
• Security Architecture
• Internal Audit
• Legal Obligations
• Service Management
• Knowledge Management
• Procurement
• Annual Security Testing
• Outsourcing
• Awareness Training
• Implementing ISMS: PDCA Activities, Time allocations, Resources
• Post-Implementation ISMS: PDCA Activities, Time allocations, Resources


Page 41:

An Information Security Event occurs when a threat agent attempts to exploit a vulnerability within the Enterprise Environment but is not successful. A report may be generated on a weekly, biweekly or monthly basis and securely distributed to the Enterprise Information Security Office for further analysis and reporting.

An Information Security Incident results when a threat agent successfully exploits a vulnerability within the Enterprise Environment. The Enterprise Information Security Office must be notified immediately whenever a Security Incident occurs. The Enterprise Security Office will assist with evidence collection, containment, eradication and recovery.

Information security incidents typically result in a negative impact to Enterprise Assets and to one or more of the three principles of information security: confidentiality, integrity or availability.
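The event/incident split above is a classification rule, so here it is applied to log data. This is an added example, not part of the original deck: the sshd-style log lines are constructed for illustration, and the failure threshold (3) and time window (10 minutes) are assumed tuning values, not figures from the slides. Every failed login is an event (an attempt that did not succeed) and goes into the periodic report; a successful login from a source that had already failed repeatedly within the window is treated as an incident (the attempt succeeded) and produces an immediate notification.

```python
"""Classify constructed sshd-style auth log lines into information security
EVENTS (attempted exploitation that did not succeed) and INCIDENTS (successful
exploitation), following the event/incident definitions on Page 41.

Events are batched into a periodic report for the Enterprise Information
Security Office; incidents produce an immediate notification.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real logs). 203.0.113.7 fails four times and
# then logs in as root: a successful exploit of weak credentials, an incident.
# 198.51.100.20 is a user who mistyped once and then authenticated with a key.
SAMPLE_LOG = """\
Mar  3 02:14:01 web01 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 02:14:03 web01 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Mar  3 02:14:05 web01 sshd[4021]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 02:14:06 web01 sshd[4021]: Failed password for root from 203.0.113.7 port 51031 ssh2
Mar  3 02:14:09 web01 sshd[4022]: Accepted password for root from 203.0.113.7 port 51040 ssh2
Mar  3 08:30:11 web01 sshd[5100]: Failed password for alice from 198.51.100.20 port 40100 ssh2
Mar  3 08:30:40 web01 sshd[5101]: Accepted publickey for alice from 198.51.100.20 port 40102 ssh2
Mar  3 09:00:00 web01 sshd[5200]: Failed password for bob from 192.0.2.9 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Assumed tuning values for this example; a real policy would set these.
FAIL_THRESHOLD = 3
WINDOW = timedelta(minutes=10)


def parse(line, year=2015):
    """Parse one sshd line into a dict, or None if it is not an auth outcome."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # syslog lines carry no year; the caller supplies it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m["outcome"], "method": m["method"],
            "user": m["user"], "src": m["src"]}


def classify(log_text):
    """Return (events, incidents).

    Every failed authentication is an event: an attempt that did not succeed.
    A successful authentication from a source with at least FAIL_THRESHOLD
    failures inside WINDOW is an incident: the attempt succeeded.
    """
    events, incidents = [], []
    failures = defaultdict(list)  # source IP -> timestamps of failed attempts
    for raw in log_text.splitlines():
        rec = parse(raw)
        if rec is None:
            continue
        if rec["outcome"] == "Failed":
            failures[rec["src"]].append(rec["ts"])
            events.append(rec)
            continue
        recent = [t for t in failures[rec["src"]] if rec["ts"] - t <= WINDOW]
        if len(recent) >= FAIL_THRESHOLD:
            incidents.append({**rec, "prior_failures": len(recent)})
    return events, incidents


def event_report(events):
    """Periodic summary for the security office: failed attempts per source."""
    counts = defaultdict(int)
    for e in events:
        counts[e["src"]] += 1
    return dict(counts)


def incident_notifications(incidents):
    """Immediate notifications, one line per incident."""
    return [
        f"INCIDENT {i['ts']:%Y-%m-%d %H:%M:%S}: {i['src']} authenticated as "
        f"{i['user']} via {i['method']} after {i['prior_failures']} failures"
        for i in incidents
    ]


if __name__ == "__main__":
    evs, incs = classify(SAMPLE_LOG)
    print("Event report (periodic):", event_report(evs))
    for line in incident_notifications(incs):
        print(line)
```

Run as-is, the report shows four failed attempts from 203.0.113.7 and one each from the other two sources, and exactly one incident: the root login from 203.0.113.7 after four failures. Alice's single typo followed by a key-based login stays an event, which is the point of keying the incident rule on prior failures within a window rather than on any success after any failure.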



Page 46:

[Diagram; only its labels survive extraction.] Key: Control Objectives; Practices specifically linked to the role of the TSH CISO.

Control areas shown: Information Security Policy; Human Resources; Physical & Environmental; Asset Management; Access Control; Communications & Operations; Systems Acquisition, Development, Maintenance; Business Continuity; Compliance.

Control objectives shown: Allocation of InfoSec Responsibilities; Correct Processing in Applications; Technical Vulnerability Management; Business Continuity Management; Management of InfoSec Incidents & Improvements.

Document types in the legend: Process, Practice, Policy, Standard. Documents shown: Personal Information Breach Process; Incident Management; InfoSec Education & Awareness Standard; Personal Information Protection Standard.

Page 47:

• Information Security Policy (ISMS Policy)*
• Acceptable use of assets**
• Backup policy
• Access control policy
• Clear desk and clear screen policy
• Policy on use of network services
• Mobile computing and communications
• Policy on the use of cryptographic controls

*I recommend having one policy at this level and calling it the 'Information Security Policy'. **Not identified as a specific requirement; however, I highly recommend this policy.

Page 48:

NOTE: Each process is documented using the template described in subsequent slides.

Level 1 - Description of the process in wording: high-level narrative describing the general process operating parameters and the interaction of participating organizations.

Level 2 - Process end-to-end summary: mid-level end-to-end flowchart summary of the key sub-processes described in the Level 3A documents.

Level 3A - Detailed process description: "walkthrough"-level process flowchart showing the operational execution sequence, with participants and key financial control points identified. Typically detailed to the line manager layer. (NOTE: 3A is not detailed down to the desk procedures level.)

Level 3B - Control design, objective, risks, control point: control design evaluation template. Maps to the 3A flowchart; indicates control objectives for the process with associated risks; lists key controls for these risks; and summarizes the execution of these controls.

Level 3C - Test procedure description: testing and remediation template. Lists key financial control points; documents specific tests pertaining to each control; and describes any notable exception items that require correction.


Page 57:

For more information contact: Skype: Mark_E_S_Bernard; Twitter: @MESB_TechSecure; LinkedIn: http://ca.linkedin.com/in/markesbernard