Isms 01

Establishing an Information Security Management System (ISMS) in accordance with the ISO/IEC 27001:2005 standard

Prof. Dr Milan Marković

Protection of Computer and Business Systems
Presentation 1
Contents

• Information Security
• Plan Do Check Act cycle and ISMS
• Implementation of an ISMS
• Awareness training
• Certification to ISO/IEC 27001:2005
Stages in the implementation of ISMS (1)

• Step 1 – Define the scope & boundaries
• Step 2 – Define the ISMS policy
• Step 3 – Define the risk assessment approach
• Step 4 – Identify the risks
• Step 5 – Analyse & evaluate the risks
• Step 6 – Identify & evaluate options for treatment of risks
• Step 7 – Prepare statement of applicability
Stages in the implementation of ISMS (2)

• Step 8 – Implement and operate the ISMS
• Step 9 – Monitor and review the ISMS
• Step 10 – Maintain and improve the ISMS
• Step 11 – Business Continuity Management
• Step 12 – Final Implementation
• Step 13 – Certification
Information Security and Security Management
Information and Information Security

Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.

Information Security: preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.
Information – A Valuable Asset

Without suitable protection, information can be:
• Given away, leaked or disclosed in an unauthorised way
• Modified without your knowledge to become less valuable
• Lost without trace or hope of recovery
• Rendered unavailable when needed

Information should be protected and properly managed like any other important business asset of an organization.
Types of Information

• From a security perspective, appropriate protection should be applied to all forms of information:
– Paper (printed or written)
– Databases
– Films
– View foils
– Tapes
– Diskettes
– CD ROMs
– Conversations
– Post
• Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected.
Information Security

Is characterised as preservation of:
• Confidentiality: the property that information is not made available or disclosed to unauthorised individuals, entities, or processes
• Integrity: the property of safeguarding the accuracy and completeness of assets
• Availability: the property of being accessible and useable upon demand by an authorised entity

In some organizations, integrity and/or availability may be more important than confidentiality.
Information Activities

Information can be:
• CREATED
• PROCESSED
• STORED
• TRANSMITTED
• DESTROYED
• USED – for proper and improper purposes
• LOST
• CORRUPTED
Business Requirements

Business requirements for information security management:
• Commercial requirements
• Legal requirements
• What is information security?
• Basic components
• Managing information boundaries
• Sharing information with partners
• Holistic approach
Commercial Requirements

Client/Customer/Stakeholder – requirement of contract/condition for Invitation to Tender.

Marketing – seen as giving a competitive edge in marketing of product/service.

Demonstration to Trading Partner of commitment to information security.

Internal management tool – for control and confidence.
Legal Requirements

• Companies Trading Regulation
• Copyright, Designs and Patents Regulation
• Data Protection Requirements
• Computer Misuse
• Regulation of Investigatory Powers
Where is Information Found

Information takes many forms:
• Stored on computers
• Transmitted across networks
• Printed out or written down on paper
• Spoken in conversations etc.
• Waste bins!
Why Do I Need to Protect My Business Information (1)

Your business will have information:
• Needed to make your business run properly
• To help you survive in competitive markets
• To be prosperous and profitable
• To deliver services and products to your customers

Why Do I Need to Protect My Business Information (2)

Your information:
• Is it important to you and your business
• Available when you need it
• Accurate and complete when you use it
• Safe from those that don’t need to
– See it
– Use it
– Hear about it

Why Do I Need to Protect My Business Information (3)

Example 1 – Confidentiality
• Some of your information might be commercially sensitive and therefore it needs to remain confidential to those authorised to see this information.

Why Do I Need to Protect My Business Information (4)

Example 2 – Integrity
• Some of your information might be critical to management and operational decision-making and so its accuracy and completeness is essential for the success of your business.

Why Do I Need to Protect My Business Information (5)

Example 3 – Availability
• Having your information available when you need it ensures uninterrupted operations, continued productivity and effective service delivery.
Sharing Information with Partners

Types of information covered by an information security management system:

Internal – Information that you would not want your competitors to know.

Customer/client/supplier – Information that they would not wish you to divulge.

Shared – Information that needs to be shared with other trading partners.

Protection for Information

From a security perspective, appropriate protection should be applied to all forms of information.
Background to ISO/IEC 27001:2005

History of Standards

• Industry working group – January 1993
• Code of Practice issued – September 1993
• BS 7799 Part One published – February 1995
• BS 7799 Part Two published – February 1998
• BS 7799:1999: Part 1 and Part 2 – April 1999
• ISO 17799 (BS 7799-1) published 2000
• BS 7799-2 published 2002
• Latest (see next slide)
Changes to Documents

• ISO/IEC 17799:2005
– New 2005 version
– Published June 2005
– ISO 17799:2000 version withdrawn

• ISO/IEC 27001:2005
– New 2005 version
– Published November 2005
– BS 7799-2:2002 version withdrawn
ISO/IEC 17799:2005

Information Technology – Security Techniques – Code of practice for information security management

Provides guidance on best practice for ISM

Prime objectives
– A common basis for organizations
– Confidence in inter-organizational dealings

Defines a set of control objectives, controls and implementation guidance

It cannot be used for assessment and certification
ISO/IEC 27001:2005 (1)

Information Technology – Security Techniques – Information Security Management Systems – Requirements

Specifies requirements:
• For establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS
• Designed to:
– Ensure adequate security controls to protect information assets, documenting Information Security Management Systems (ISMS)
– Give confidence to customers & interested parties

It can be used for assessment and certification
ISO/IEC 27001:2005 (2)

ISO 27001:2005 defines best practice for Information Security Management.
• The management system should balance physical, technical, procedural and personnel security.
• Without a formal information security management system such as an ISO/IEC 27001:2005 based system, security will be breached.
• Information security is a Management process, not a Technological process.
Comparison Between ISO 27001:2005 & ISO 17799:2005

ISO/IEC 27001:2005                                  | ISO/IEC 17799:2005
----------------------------------------------------|-------------------------------------------
0 Introduction                                      | 0 Introduction
1 Scope                                             | 1 Scope
2 Normative references                              | 2 Terms & definitions
3 Terms & definitions                               | 3 Structure of this standard
Clauses 4 to 8                                      | 4 Risk assessment & treatment
Annex A Control objectives & controls (A.5 to A.15) | Control objectives & controls 5 to 15
Annex B OECD principles                             | Bibliography
Annex C Correspondence between standards            | Index
Details of the Plan - Do - Check - Act Process

• PDCA model used in the ISO/IEC 27001:2005
• Process approach for
– Establish ISMS (Plan)
– Implement and operate ISMS (Do)
– Monitor and review ISMS (Check)
– Maintain and improve ISMS (Act)
PDCA Model Applied to ISMS Processes

[Figure: PDCA model applied to ISMS processes. Interested parties' information security requirements and expectations enter as input. Plan – Establish ISMS; Do – Implement and operate the ISMS; Check – Monitor and review the ISMS; Act – Maintain and improve the ISMS. The output to interested parties is managed information security.]
Clause 4 Information Security Management System

4 Information Security Management System
4.1 General Requirements
4.2 Establishing and Managing the ISMS
4.2.1 Establish the ISMS (PLAN)
4.2.2 Implement and Operate the ISMS (DO)
4.2.3 Monitor and Review the ISMS (CHECK)
4.2.4 Maintain and Improve the ISMS (ACT)
General

The organization shall establish, implement, operate, monitor, review, maintain and improve a documented ISMS within the context of the organization's overall business activities and the risks they face.

The process used is based on the PDCA model.
Step 1 - Establish the ISMS (PLAN)

Establish the ISMS

• Define Scope & boundaries
• Define Policy
• Define Risk Assessment approach
• Identify the risks - assets, threats, vulnerabilities and impacts on loss of confidentiality, integrity & availability on assets
• Assess & evaluate the risks - impact, realistic likelihood of such a security failure occurring, controls currently implemented
• Identify and evaluate options for treatment of risk - apply appropriate controls, accept risks, avoid risks, transfer risk to other parties
• Select Control Objectives & Controls for the treatment of risks (Annex A)
Establish the ISMS (2)

• Obtain Management Approval of proposed residual risks
• Obtain Management Authorisation to implement and operate the ISMS
• Prepare Statement of Applicability
Scope and Boundaries

Define in terms of:
• Characteristics of the business
• Organization
• Location
• Assets
• Technology

Include details of and justification for any exclusions from the scope (clause 1.2 application)
Information Boundaries

• Intranet connections to other business units
• Extranets to business partners
• Remote connections to staff working off-site
• Virtual Private Networks (VPNs)
• Customer networks
• Supplier chains
• Service Level Agreements, contracts, outsourcing arrangements
• Third Party access / Outsourcing
Written Scope of ISMS

The provision of financial services such as loans and leases by the head office in Asia which has branches throughout Europe. It also includes the provision of support services like supervision, reschedulement of the repayment and the collection of payments. The main asset of the company is its manpower and the use of the IT hardware and software to support the business.
Scope

[Figure: scope diagram. The area covered by the scope is Operations (Evaluation, Appraisal, Supervision, Approval, Letter of offer, Documentation, Disbursement), taking customer needs as input and delivering customer satisfaction as output. The total organization also includes HR, Administration, Marketing, Legal, Finance, Research and IT. Outsourced services and suppliers around the organization: Couriers, Maintenance suppliers, Utilities, Insurance, Outsource suppliers.]
Network Diagram

[Figure: network diagram. Internet and WAN links each terminate on a router; traffic passes through a firewall (FW) monitored by an IDS to two switches, which connect the servers, hubs, PCs, a printer and a scanner.]
Hardware and Software Listing

Name            | Make & Model     | Software        | Purpose
----------------|------------------|-----------------|-----------------------
Router1         | Cisco 2850       | Cisco IOS       | Pri Internet Conn.
Router2         | Cisco 2850       | Cisco IOS       | Sec Internet Conn.
Firewall1       | Cisco PIX525     | Cisco IOS       | Pri firewall service
Firewall2       | Cisco PIX525     | Cisco IOS       | Sec firewall service
IDS1            | Cisco IDS4250    | Cisco IOS       | Pri IDS
IDS2            | Cisco IDS4250    | Cisco IOS       | Sec IDS
Switch1         | Cisco 3750       | Cisco IOS       | Pri LAN connectivity
Switch2         | Cisco 3750       | Cisco IOS       | Sec LAN connectivity
WebServer1      | Sun Fire V210    | Solaris, Apache | Pri web services
WebServer2      | Sun Fire V210    | Solaris, Apache | Sec web services
App/DB Server1  | Sun Fire V480    | Solaris, Oracle | Pri database
App/DB Server2  | Sun Fire V480    | Solaris, Oracle | Sec database
Service Level Agreements (SLA) / Contracts

• Memoranda of Understanding (MOU)
• Service/Operational Level Agreements (SLA/OLA)
– HR, Marketing, Finance, Administration, Legal, IT and Research
• Contracts
– Maintenance suppliers, Outsource Suppliers, Insurance, Utilities and Couriers, External access to organization’s electronic applications/datasets by customers
Process Based on PDCA Model

Process
A set of interrelated or interacting activities which transforms inputs into outputs.
Processes

• Main core processes / departments within scope
• Supporting processes / departments outside scope but within the organization
Process Model

[Figure: process model. Inputs: interested parties' requirements & expectations, specifications/criteria, resources, information and methods. The process owner runs the process against its objectives/KPIs. The output is reviewed (output achieved? yes/no; if no, changes are fed back into the process) and delivered to interested parties as managed information security. Records are kept for evidence.]
Inter-Relationship of Processes

[Figure: holistic view. Top management measures business performance across the interrelated processes; each process owner measures the efficiency/effectiveness of their own process.]
Step 2 – Define an ISMS Policy

ISMS Policy

State management commitment & set out organization’s approach to managing information security
• Definition of information security, objectives & scope
• Statement of management intent, supporting goals & principles
• Include framework for setting control objectives & controls
• Brief explanation of security policies, principles and standards
– Compliance with legislative, regulatory & contractual requirements
– Security education, training & awareness requirements
– Business continuity management
– Consequences of information security policy violations
• Definition of general & specific responsibilities
• References to documentation supporting policy
• Communicated throughout the organization
Types of Policy

• Internal
– Security Policy communicated to all staff
– Levels of policy – more than one
– Sub policies

• External
– Identifying organization’s management of information security
to interested parties, i.e. customers
Key Elements to an Information Security Policy

• Easy to understand
• Applicable
• Easy to implement
• Enforceable
• Meet business objectives
Step 3 – Define the Risk Assessment Approach of the Organization

Risk Assessment Approach (1)

• Identify a suitable risk assessment methodology
• Develop criteria for accepting risks
• Identify acceptable levels of risk (5.1f)
• Ensure that risk assessments
– Produce comparable and reproducible results
• Method is decided by company
• Any method may be used
– ISO/IEC TR 13335-3 (Guidelines for the Management of IT Security: Techniques for the Management of IT Security) – obsolete
– ISO/IEC 27005:2008
– Different methodologies for risk assessment
Risk Assessment Approach (2)

Method needs to cover the risks related to:
• Organizational aspects
• Personnel controls
• Business processes
• Operational and maintenance processes and procedures
• Legal, regulatory and contractual matters
• Information processing facilities
Risk Assessment Approach (3)

• Risk assessment is a mandatory requirement
• Does not require use of automated software tools
• Many benefit from using tools when:
– Risks need to be re-assessed
– Risk related information needs updating
• Threats, vulnerabilities and assets
– Method and approach depends on ISMS
– Techniques depend on levels of assurance
Tools and Methods

• Many methods are available
• Any method is permissible
• System developed by organization
• Commercially available tools
Features to Look for in a Risk Assessment Tool (1)

The tool should be able to:
• Collect data
• Analyse data
• Provide output of results
• Be repeatable
Features to Look for in a Risk Assessment Tool (2)

• Clear instructions for use and analysis of tool data
• Should be compatible with the hardware and software in use in the organization
• Training and support for the tool
• Capable of reporting results in a clear and accurate manner
• Ensure clear understanding of tool
• Installed and configured correctly
Step 4 – Identify the Risks
Identify the Risks

Identify:
• Assets and owners of assets within the scope of the ISMS
• Threats to those assets
• Vulnerabilities that might be exploited by the threats
• Impacts that losses of confidentiality, integrity and
availability may have on the assets
Risk Assessment Process

• Identification and valuation of assets
• Identification of all security requirements
– Threats and vulnerabilities
– Legal and business requirements
• Impact of loss of CIA
• Assess likelihood of threats and vulnerabilities to occur
• Calculate the level of risk
• Selection of appropriate risk treatment option
• Selection of controls to reduce risks to acceptable level
Assets (1)

• Asset
– Anything that has value to an organization
• Accountability for assets
– Helps ensure that adequate information is maintained
• Owners / Responsibility / Users
– Should be identified for major assets
Assets (2)

• Assign the responsibility
– For maintenance of appropriate security controls
• Responsibility may be delegated
– Although accountability remains with nominated owner
Asset Identification (1)

• Assets will not necessarily include all those things normally considered as having a value within an organization.
• An organization must determine which assets may:
– Materially affect delivery of product / service by their absence or degradation
– Damage the organization through loss of:
  • Confidentiality
  • Integrity
  • Availability
Asset Identification (2)

• Inventory is drawn up of major assets
– Containing all major assets in ISMS
– Location
– Owner
• Defined in terms of:
– Characteristics of the business
– Organization
– Technology
Asset Categories

• Information assets
• Paper documents
• Software assets
• Physical assets
• People
• Company image and reputation
• Services
Asset Examples (1)

• Information Assets – databases and datafiles, system documentation, user manuals, training material, operational or support procedures, continuity plans, fallback arrangements
• Paper Documents – contracts, guidelines, company documentation, documents containing important business results
• Software Assets – application software, system software, development tools, utilities
• Physical Assets – computer and communications equipment, magnetic media (tapes and discs), other technical equipment (power supplies, air-conditioning units), furniture, accommodation
Asset Examples (2)

• People – Personnel (full time, part time), customers, subscribers, suppliers
• Company Image and Reputation
• Services – computing and communication services, other technical services (heating, lighting, power, air-conditioning)
Asset Valuation (1)

• Assess values in terms of importance to business
• Potential values given certain opportunities
• Values expressed in terms of potential impacts of unwanted incidents, e.g.
– Disclosure
– Modification
– Non-availability
– Destruction of information
• Valuation provided by owners and users of assets
Asset Valuation (2)

• Value should relate to cost of obtaining and maintaining asset
• Impacts that loss of Confidentiality, Integrity and Availability could have to business
• Many organizations perceive asset ‘values’ as the cost of purchase, hire or replacement
– Little bearing on the true value of the asset in the event of a security breach
– If CIA affected, organization may not recover
• Consistency required across organization
• Value applied to each asset
Asset Valuation (3)

• Value identified:
– Express business impacts if CIA and other important property of the asset is damaged
• Example valuations:
– Negligible – low – medium – high – very high
– 1–2–3–4–5
– 0–1–2–3–4
• Organization defines own limits for valuation scale
Sources of Requirements (1)

• Security requirements are derived from three main sources
– Threats and Vulnerabilities leading to significant loss in business if they occur
– Statutory and Contractual requirements
– Unique set of Principles, Objectives and Requirements for information processing developed by the organization
Sources of Requirements (2)

• Identify security requirements in terms of:
– Confidentiality
– Integrity
– Availability
• At some stage, either before or after risk assessment activities
– Review security controls already implemented
Identification of Threats and Vulnerabilities

Threat
• A potential cause of an unwanted incident which may result in
harm to a system or organization

Vulnerability
• A weakness of an asset or group of assets, which can be
exploited by a threat
• A vulnerability in itself does not cause harm, it is merely a
condition or set of conditions that may allow a threat to affect
an asset
Example Threats

• Natural disaster – flooding, hurricane, earthquake, lightning, tsunami
• Human – staff shortage, maintenance error, user error
• Technological – failure of network, traffic overloading, hardware failure
• Deliberate threats
• Accidental threats
• Threat frequency
Vulnerability

• Vulnerability identification should identify the weaknesses related to the assets in the:
– Physical environment
– Personnel, management and administration procedures and controls
– Hardware, software or communications equipment and facilities
Example Vulnerabilities

• Absence of key personnel
• Wrong allocation of password rights
• Unstable power grid
• Insufficient security training
• Unprotected cabling lines
• No firewall installed
• Lack of security awareness
• Unlocked door

Further examples identified in Section 4 (Additional Information)
Assessment of Threats and Vulnerabilities

• After identifying threats and vulnerabilities
• Necessary to assess the likelihood that combination of threats and vulnerabilities occur
• Note:
– Threats and vulnerabilities assessed separately
  • Separate valuation
– Threats and vulnerabilities assessed together
  • Combined valuation
• Should be decided upon when deciding the overall risk assessment approach
Legal, Regulatory and Contractual Requirements

• Important that ISMS supports requirements, e.g.:
– Control of proprietary software copying
– Safeguarding organization records
– Data protection
• Should not breach any statutory, criminal or civil obligations, or commercial contracts
Organizational Principles, Objectives and Business Requirements

Security requirements should be documented in the ISMS
• To ensure:
– Competitive edge
– Cash flow / profitability
• Implementation, or absence, of security controls should not impede efficient business operations
• Business objectives and requirements should be identified for each asset
Assessment of Security Requirements

• Similar to valuation of assets
• Identify a scale for valuation of security requirements
• Suitable for risk assessment methodology applied
• Example valuations:
– Negligible – low – medium – high – very high
– 1–2–3–4–5
Risk Assessment

Example 1
• A virus can destroy all the files on your computer system
but the risk is low provided you have taken the necessary
precautions, e.g. virus checked your drives and
accessories.
Example 2
• Accidental disclosure of your commercially sensitive
information to competitors could happen via your email
system but the risk of exposure can be reduced by
appropriate staff training on the use of email and staff
awareness on how to handle such information.
Evaluating Risk Assessment Methods

Considerations:
• Does it identify vulnerabilities and threats?
• Does it attempt to evaluate likelihood of such a security
failure occurring?
• Would someone else using the same data arrive at the
same results?
• Is the process repeatable and sustainable?
• Does it allow for analysis of impact of changes?
Deliverables from the Risk Assessment

• The process should identify any significant risk to all identified assets in the context of use.
• The process should provide a comprehensive report to management.
• The report should rank the risks according to potential impact on the organization and its customers.
• It should identify any quick wins where it is possible to reduce risks substantially, quickly and cost effectively.
• It should, where possible, identify alternative solutions with pros and cons.
Module 7

Analyse and Evaluate the Risks
Analyse & Evaluate the Risks

• Assess the business impact upon the organization
– That may result from a security failure
– Take into account the consequences of a loss of Confidentiality, Integrity or Availability of the assets
• Assess the realistic likelihood of such a security failure occurring
– In the light of prevailing threats & vulnerabilities
– And impacts associated with these assets
– And controls currently implemented
• Estimate the levels of risk
• Determine whether the risk is acceptable or requires treatment using the risk acceptance criteria established
Likelihood of Threats (1)

• Assessment of the likelihood should take account of:
– Deliberate threats - motivation, capabilities, resources available to possible attackers and the perception of attractiveness
– Accidental threats - frequency, experience, statistics, geographical factors, equipment malfunction, etc.
Likelihood of Threats (2)

• Overall likelihood for a security failure to occur
• Depends also on the vulnerability of the assets, i.e. how easily they may be exploited
• May be rated
– Highly probable or probable
  • It is easy to exploit the vulnerability
  • There is no or very little protection in place
– Possible
  • The vulnerability might be exploited
  • Some protection in place
– Unlikely or impossible
  • It is not easy to exploit the vulnerability
  • The protection in place is good
Assessment of Legal and Business Requirements

• Identify value for legal and business requirements
• Consider:
– How serious the impact to the business
  • If legal/contractual or business requirement not fulfilled
– What consequences for
  • Asset
  • Whole ISMS
– How likely this is to happen
• Results should be used to identify an appropriate value for each asset

Result: Value assigned for all identified security requirements
Calculation of Security Risks

• Risks are calculated from:
– Combination of asset values
– Assessed levels of related security
• Many different ways, e.g. values assigned to:
– Assets, threats and vulnerabilities, legal and business requirements
– Combined to give measures of risks
– There is no ‘right’ or ‘wrong’ way of calculating risks
– Must be carried out in a systematic way
• Up to the organization to identify suitable method for risk assessment
Matrix for Separate Threat / Vulnerability Assessment

                         Levels of Threat:           L            M            H
                         Levels of Vulnerability:    L  M  H      L  M  H      L  M  H
Asset Value   0                                      0  1  2      1  2  3      2  3  4
              1                                      1  2  3      2  3  4      3  4  5
              2                                      2  3  4      3  4  5      4  5  6
              3                                      3  4  5      4  5  6      5  6  7
              4                                      4  5  6      5  6  7      6  7  8
Ranking of Incidents by Measures of Risk

Incident description (a) | Impact (asset) value (b) | Likelihood of incident occurrence (c) | Measure of risk (d) | Incident ranking (e)
-------------------------|--------------------------|---------------------------------------|---------------------|---------------------
Incident A               | 5                        | 2                                     | 10                  | 2
Incident B               | 2                        | 4                                     | 8                   | 3
Incident C               | 3                        | 5                                     | 15                  | 1
Incident D               | 1                        | 3                                     | 3                   | 5
Incident E               | 4                        | 1                                     | 4                   | 4
Incident F               | 2                        | 4                                     | 8                   | 3
Assessing the Risks for Systems

                             Asset value (potential damage):  0  1  2  3  4
Incident frequency value  0                                   0  1  2  3  4
                          1                                   1  2  3  4  5
                          2                                   2  3  4  5  6
                          3                                   3  4  5  6  7
                          4                                   4  5  6  7  8
Distinction Between Acceptable and Not Acceptable Risks

                             Damage value:  0  1  2  3  4
Incident frequency value  0                 A  A  A  A  N
                          1                 A  A  A  N  N
                          2                 A  A  N  N  N
                          3                 A  N  N  N  N
                          4                 N  N  N  N  N

Key:
A = Acceptable
N = Not acceptable
Security Risk – Calculations

Risk = Asset value × Threat × Vulnerability × Probability

Risk = Asset value × Group (Threat/Vulnerability/Legal) × Likelihood

Any other method

Consider CIA during calculation
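As an added worked example (not part of the original presentation), the following Python reproduces the arithmetic behind the four preceding tables: the separate threat / vulnerability matrix, the ranking of incidents by measure of risk, the "risks for systems" matrix and the acceptable / not-acceptable decision. The incident names and values are the constructed sample from the ranking slide; the function names are my own.

```python
"""Worked ISO/IEC 27001 risk-assessment arithmetic (added example).

Reproduces the slide tables:
  1. separate threat / vulnerability matrix: asset value + threat level + vulnerability level,
  2. 'risks for systems' matrix: asset (damage) value + incident frequency value,
  3. acceptable / not-acceptable decision from the A/N table,
  4. ranking of incidents by measure of risk = impact x likelihood (dense ranking).
"""
from dataclasses import dataclass

# Qualitative levels used in the threat / vulnerability matrix (L/M/H -> 0/1/2).
LEVELS = {"L": 0, "M": 1, "H": 2}


def matrix_risk(asset_value: int, threat: str, vulnerability: str) -> int:
    """Measure of risk from the separate threat / vulnerability matrix.

    Reading the slide's table, every cell equals the asset value (0-4) plus the
    threat level plus the vulnerability level, so the range is 0..8.
    """
    if not 0 <= asset_value <= 4:
        raise ValueError("asset value must be 0..4")
    return asset_value + LEVELS[threat.upper()] + LEVELS[vulnerability.upper()]


def build_matrix() -> dict:
    """All 45 cells of the 5 x 9 matrix keyed by (asset value, threat, vulnerability)."""
    return {(a, t, v): matrix_risk(a, t, v)
            for a in range(5) for t in LEVELS for v in LEVELS}


def system_risk(damage_value: int, frequency_value: int) -> int:
    """'Assessing the Risks for Systems' table: damage value + incident frequency value."""
    return damage_value + frequency_value


# Acceptability table copied from the slide: rows are incident frequency value 0..4,
# columns are damage value 0..4.  Inspection shows a cell is 'N' exactly when the
# system_risk score (row + column) reaches 4; the table is kept literal anyway.
ACCEPTABILITY = [
    "AAAAN",
    "AAANN",
    "AANNN",
    "ANNNN",
    "NNNNN",
]


def is_acceptable(damage_value: int, frequency_value: int) -> bool:
    """True when the slide's table marks the (damage, frequency) cell 'A'."""
    return ACCEPTABILITY[frequency_value][damage_value] == "A"


@dataclass
class Incident:
    name: str
    impact: int      # impact (asset) value, column (b)
    likelihood: int  # likelihood of incident occurrence, column (c)

    @property
    def measure(self) -> int:
        """Measure of risk, column (d) = (b) x (c)."""
        return self.impact * self.likelihood


def rank_incidents(incidents) -> dict:
    """Return {name: (measure, rank)} using dense ranking, as the slide does:
    equal measures share a rank (B and F are both 3) and the next distinct
    measure takes the next integer (E is 4, D is 5)."""
    distinct = sorted({i.measure for i in incidents}, reverse=True)
    rank_of = {m: r for r, m in enumerate(distinct, start=1)}
    return {i.name: (i.measure, rank_of[i.measure]) for i in incidents}


# Constructed sample reproducing the slide's ranking table.
SAMPLE_INCIDENTS = [
    Incident("Incident A", 5, 2),
    Incident("Incident B", 2, 4),
    Incident("Incident C", 3, 5),
    Incident("Incident D", 1, 3),
    Incident("Incident E", 4, 1),
    Incident("Incident F", 2, 4),
]

if __name__ == "__main__":
    for name, (measure, rank) in rank_incidents(SAMPLE_INCIDENTS).items():
        print(f"{name}: measure {measure:2d}  rank {rank}")
    print("frequency \\ damage 0..4")
    for freq in range(5):
        print(freq, " ".join("A" if is_acceptable(d, freq) else "N" for d in range(5)))
```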


Module 8

Identify and Evaluate Options for the Treatment of Risks
Identify and Evaluate Options for the Treatment of Risks

• Manage and treat risks appropriately within business context
– Apply appropriate controls
– Accept risks
– Avoid risk
– Transfer risk
Select Control Objectives and Controls for the Treatment of Risks

• Select and implement Control Objectives and Controls
– To meet requirements identified by risk assessment and risk treatment process
• Take into account the criteria for accepting risks (4.2.1c)
• Legal, regulatory and contractual requirements
• Control objectives & controls selected from Annex A
Annex A Control Objectives and Controls

ISO/IEC 27001:2005                                  | ISO/IEC 17799:2005
----------------------------------------------------|-------------------------------------------
0 Introduction                                      | 0 Introduction
1 Scope                                             | 1 Scope
2 Normative references                              | 2 Terms & definitions
3 Terms & definitions                               | 3 Structure of this standard
Clauses 4 to 8                                      | 4 Risk assessment & treatment
Annex A Control objectives & controls (A.5 to A.15) | Control objectives & controls 5 to 15
Annex B OECD principles                             | Bibliography
Annex C Correspondence between standards            | Index
Control Objectives and Controls (1)

[Figure: the eleven Annex A control areas arranged around "Control Objectives and Controls"]
• A.5 Security Policy
• A.6 Organization of Information Security
• A.7 Asset Management
• A.8 Human Resources Security
• A.9 Physical and Environmental Security
• A.10 Communications and Operations Management
• A.11 Access Control
• A.12 Information Systems Acquisition, Development and Maintenance
• A.13 Information Security Incident Management
• A.14 Business Continuity Management
• A.15 Compliance
Selection of Security Controls (1)

• Additional control objectives and controls:
– Organization might consider that additional control objectives and controls are necessary
• Not all the controls will be relevant to every situation:
– Consider local environmental or technological constraints
– In a form that suits every potential user in an organization
Selection of Security Controls (2)

• Review controls already in place
– Remove
– Improve
• Implement additional controls
Selection of Security Controls (3)

A number of factors should be considered:
• Ease of the use of the control
• Transparency to the user
• Help provided to the users to perform their function
• Relative strength of the controls
• Types of functions performed: prevention, deterrence, detection, recovery, correction, monitoring, awareness
Risk Reduction and Acceptance

Risk Acceptance – Decision to accept a risk
• Identify acceptable level of risk
• Apply appropriate controls to:
– Reduce the likelihood of the threat or vulnerability that causes the risk
– Ensure the fulfillment of legal or business requirements
– Reduce the possible impact if the risk occurs
– Detect unwanted events, react to and recover from them
Residual Risk

The risk remaining after risk treatment
• Assess how much controls will reduce risk
• Reduced residual risk
– Acceptable or unacceptable
• Implement more controls
• May have to accept
• Obtain Management Approval of proposed residual risk

Management Authorisation

• Obtain Management Authorisation to implement and operate the ISMS
Module 9

Prepare a Statement of Applicability
Statement of Applicability (1)

Definition
Documented statement describing the control objectives and
controls that are relevant and applicable to the organization’s
ISMS.
Statement of Applicability (2)

Contents of Statement of Applicability
• Control objectives and controls selected
• Reasons for selection
• Control objectives and controls currently implemented
• Exclusion of any control objectives and controls listed in Annex A and the justification for their exclusion

The statement of applicability provides a summary of decisions concerning risk treatment. Justifying exclusions provides a cross-check that no controls have been inadvertently omitted.
Statement of Applicability (3)

Why a control has not been fully implemented

• Risk – not justified by risk exposure
• Budget – financial constraints
• Environment – influence on safeguards, climate, space etc.
• Technology – some measures are not technically feasible
• Culture – sociological constraints
• Time – some requirements cannot be implemented now
• N/A – not applicable
• Others – ?
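Added example (not from the original slides): a small Python helper that builds Statement of Applicability rows from the risk-treatment decisions and performs the cross-check described in the two slides above, flagging Annex A controls that are neither selected nor justifiably excluded, selected controls that treat no identified risk, and controls not fully implemented without one of the reasons listed. The control ids other than A.11.3.3, A.11.7 and A.14, and all risk ids, are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Reasons the slides list for a control not being fully implemented.
GAP_REASONS = {"Risk", "Budget", "Environment", "Technology", "Culture", "Time", "N/A"}

@dataclass
class SoaEntry:
    control: str
    selected: bool
    justification: str                # reason for selection, or for exclusion
    implemented: bool = False
    gap_reason: Optional[str] = None  # why a selected control is not yet fully implemented

def build_soa(catalogue: Iterable[str],
              decisions: Dict[str, Tuple[List[str], bool, Optional[str]]],
              exclusions: Dict[str, str]) -> Tuple[List[SoaEntry], List[str]]:
    """Build SoA rows from risk-treatment decisions and report gaps.

    decisions maps a control id to (risk ids it treats, implemented?, gap reason);
    exclusions maps a control id to the justification for leaving it out.
    Every control in the catalogue must end up in exactly one of the two.
    """
    entries, findings = [], []
    for cid in catalogue:
        if cid in decisions and cid in exclusions:
            findings.append(f"{cid}: listed as both selected and excluded")
        if cid in decisions:
            risks, implemented, gap = decisions[cid]
            if not risks:
                findings.append(f"{cid}: selected but treats no identified risk")
            if not implemented and gap not in GAP_REASONS:
                findings.append(f"{cid}: not implemented and no recognised reason given")
            entries.append(SoaEntry(cid, True, "treats " + ", ".join(risks), implemented, gap))
        elif cid in exclusions:
            if not exclusions[cid].strip():
                findings.append(f"{cid}: excluded without justification")
            entries.append(SoaEntry(cid, False, exclusions[cid]))
        else:  # the cross-check from the slides: no decision was recorded for this control
            findings.append(f"{cid}: neither selected nor excluded (inadvertently omitted?)")
    return entries, findings

# Constructed sample data: A.11.3.3, A.11.7 and A.14 appear in the slides; the
# A.PLACEHOLDER.* control ids and the R-xx risk ids are made up for this example.
CATALOGUE = ["A.11.3.3", "A.11.7", "A.14", "A.PLACEHOLDER.1", "A.PLACEHOLDER.2", "A.PLACEHOLDER.3"]
DECISIONS = {
    "A.11.3.3": (["R-01"], True, None),         # clear desk policy, in place
    "A.11.7": (["R-02"], False, "Budget"),      # mobile computing, deferred: budget
    "A.14": (["R-03"], True, None),             # business continuity, in place
    "A.PLACEHOLDER.1": ([], False, "Someday"),  # no risk named, reason not recognised
}
EXCLUSIONS = {"A.PLACEHOLDER.2": "   "}         # excluded, but justification left blank
```

Running `build_soa(CATALOGUE, DECISIONS, EXCLUSIONS)` yields five SoA rows and four findings, the last of them the omitted A.PLACEHOLDER.3.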
Module 10

Clause 4.2.2
Implement and Operate the ISMS
(DO)
Implement and Operate the ISMS

• Formulate Risk Treatment Plan
• Implement Risk Treatment Plan
• Implement selected controls
• Define how to measure the effectiveness of selected controls or groups of controls
• Implement training and awareness programmes
• Manage operations of the ISMS
• Manage resources for the ISMS
• Implement procedures and other controls capable of enabling prompt detection of and response to security incidents
Implementation Plan

• An implementation plan needs to be produced
• Agree time period for completion
• Identify key steps
• Implement actions
• Consider resources (internal / external)
• Ensure that all parts of the ISMS are effectively implemented
• Test system
• Certification
Implementation Plan

[Gantt chart: 22 tasks with ID, Task Name, Duration, Start, Finish and Predecessors columns, scheduled over the weeks of 15 Nov, 22 Nov and 29 Nov]
Formulate a Risk Treatment Plan

• Identify appropriate management action
– Resources
– Responsibilities
– Priorities for managing information security risks
Implement a Risk Treatment Plan

• To achieve identified control objectives
• Consider
– Funding
– Allocation of roles and responsibilities
• Implement controls selected to meet the control objectives

Measure Effectiveness of Selected Controls or Groups of Controls

• Specify how these measurements are to be used
• Assess control effectiveness
• Produce comparable and reproducible results

Measuring the effectiveness of controls allows managers and staff to determine how well controls achieve planned control objectives.
Implement Training and Awareness Programmes (1)

Appropriate training to be given to:

• Staff (full-time / part-time) within scope
– Management / supervisors
– Technical
– Non-technical
• Personnel outside scope who interface with scope
• Customers
• Suppliers
Implement Training and Awareness Programmes (2)

• Understanding and complying with the information security policy and objectives
• Understanding security responsibilities
• What to do regarding:
– Reporting security incidents and weaknesses
– Applying virus protection
– Doing backups
– Complying with relevant local and international legislation
– Correct use of company equipment
– Correct use of e-mail and the internet
– etc.
Module 11

Clause 4.2.3
Monitor and Review the ISMS
(CHECK)
Monitor and Review the ISMS (1)

• Execute monitoring procedures and other controls to:
– Promptly detect errors
– Promptly identify attempted and successful security breaches and incidents
– Confirm that security activities delegated to people or implemented by information technology are performing as expected
– Help detect security events and so prevent security incidents
– Determine whether actions taken to resolve a breach of security were effective
Monitor and Review the ISMS (2)

• Undertake regular reviews of the effectiveness of the ISMS
– ISMS policy and objectives
– Security controls
• Take into account:
– Security audits
– Incidents
– Effectiveness measurements
– Suggestions and feedback from interested parties
• Measure the effectiveness of controls
– Verify security requirements are met
Monitor and Review the ISMS (3)

• Review risk assessments at planned intervals
– Level of residual risk
– Identified acceptable risk
• Consider changes to:
– Organization
– Technology
– Business objectives and processes
– Identified threats
– Effectiveness of implemented controls
– External events (legal and regulatory environment, changed contractual obligations, changes in social climate)
Monitor and Review the ISMS (4)

• Conduct internal ISMS audits at planned intervals
• Undertake management reviews of the ISMS on a regular basis
• Update security plans
– Take account of the findings of monitoring and reviewing activities
• Record actions and events
– Those that could have an impact on the effectiveness or performance of the ISMS
Module 12

Clause 4.2.4
Maintain and Improve the ISMS
(ACT)
Maintain and Improve the ISMS

• Implement identified improvements
• Take appropriate corrective and preventive actions
• Communicate actions and improvements to interested parties
• Ensure improvements achieve intended objectives
Clauses 4 (cont.) and 5 to 8

4.3 Documentation requirements
5 Management responsibility
6 Internal ISMS audits
7 Management review of the ISMS
8 ISMS improvement
Clause 4.3 Documentation Requirements

4.3.1 General
• Minimum documentation identified

4.3.2 Control of documents
• Procedure to define management actions

4.3.3 Control of Records
• Established and maintained to provide evidence of conformity
• Protected and controlled
• Take account of legal or regulatory requirements and contractual obligations
• Legible, readily identifiable and retrievable
• Controls for records documented and implemented
• Records kept of the performance of processes
• Records kept of the occurrence of significant security incidents
ISMS Structure

[Pyramid diagram, top to bottom:]
• Security Policy – high level document giving a general outline of intent
• Policies – specific policies relating to and supporting the policy statement (Intent)
• Standards – rules and regulations that are mandatory; legal and regulatory (Requirements)
• Guidelines – framework of understanding and working (Tools to do it)
• Procedures – how to apply the policies (How to do it)
Policy – Backing up Data on Portable Computers

Policy Statement
• Information and data stored on laptop or portable computers must be backed up regularly. It is the responsibility of the user to ensure that this takes place on a regular basis

Explanatory note:
• Backing up data held on portable computing devices is a means to protect against loss

Information security issues to be considered when implementing your policy include the following:
• Data held on a laptop computer may be lost due to an internal (system) failure; such data may be of significant value – especially to the individual concerned

Related ISO/IEC 27001:2005 control objective & control
• A.11.7 – Mobile computing and teleworking
Policy – Clear Desk Policy

Policy Statement:
• This organization expects all employees to operate a clear desk policy

Explanatory note:
• With open plan offices now common, you may accidentally expose confidential material. Information can be read from papers on your desk, especially when you are away from your desk. A clear desk policy is an effective safeguard

Information security issues to be considered when implementing your policy include the following:
• Material could be removed from your desk or work areas and copied or stolen

Related ISO/IEC 27001:2005 control
• A.11.3.3 – Clear desk and clear screen policy
Module 13

Clauses 5, 6, 7 and 8
Clause 5 Management Responsibility

5.1 Management commitment
• Evidence of commitment

5.2 Resource management
5.2.1 Resource management
5.2.2 Training, awareness and competence
Training, Awareness and Competency

• Determine necessary competencies
• Provide training or other actions
– Employ competent personnel
• Evaluate effectiveness of actions taken
• Maintain records
Clause 6 Internal ISMS Audits

• Audits at planned intervals
• Status and importance of the processes and areas
• Review previous audits
• Auditors
– Selected to ensure objectivity and impartiality
– Do not audit their own work
• Documented procedure
• Actions taken on non-conformances and their causes
• Follow-up verification
Clause 7 Management Review of the ISMS

7.1 General
• Review at planned intervals

7.2 Review input

7.3 Review output

Clause 8 ISMS Improvement

8.1 Continual improvement

8.2 Corrective action

8.3 Preventive action

Module 14

Business Continuity Management

ISO/IEC 27001:2005 Controls for BCP

• Control A.14
• Business Continuity Management Process
• Business Continuity and Risk Assessment
• Developing and Implementing Continuity Plans
• Business Continuity Planning Framework
• Testing, Maintaining and Re-assessing Business Continuity Plans
Typical Disaster Phases

Crisis
Within the first few hours after the incident starts. For example,
caused by ongoing damage to premises, or restricted access to
building, systems not operating, etc
Emergency Response
May last for a few minutes or a few hours following the crisis stage.
During this time, the situation has to be assessed and decisions
made quickly to aid rapid recovery, etc
Recovery
This may last several months following the disaster. It ends when
normal operations can restart. During this phase, essential or primary
operations will restart and continue in recovery format
Restoration
Conditions restored to normal. Planning for this phase might start
within a few days of the actual incident. If there was physical damage
to the premises, this phase will not occur
BCP can effectively prevent chaos in a crisis
Stages of BCM
Phases of the BCP
Business Continuity Management

PLAN – Do you have a plan?
• Covering what to do and who is responsible for actions, training of staff, etc.
• To deal with business interruptions and other similar incidents
• To avoid serious business interruptions, security failures and loss of service
DO – Have you implemented your plan?
CHECK – Do you regularly monitor, test, review and check your plan to ensure that it is up to date to meet your business requirements?
ACT – Do you revise your plan? Do you implement improvements to reflect changes to the plan?
BCM – An Ongoing Process

[Cycle diagram, read clockwise:]
1. Top level commitment
2. Initiate the Management Process
3. Identify the Threats and Risks
4. Manage the Risks as part of Risk Management
5. Business Impact Analysis (BIA)
6. Develop Strategies
7. Developing and Implementing the Plan
8. Test, Exercise and Maintain the Plan

Developing and Implementing a BCP

[Cycle diagram, read clockwise:]
1. Identify the readers who will need this plan in a crisis
2. Avoid listing individuals by name. Tasks and functions are more important
3. Keep it simple. Use flowcharts wherever possible – key data at the front
4. Refer to departmental recovery plans in summary
5. List recovery matrices, showing where and when business functions go in a crisis
6. Show simple media holding statements. Avoid ‘no comment’
7. Keep it up to date and practice frequently
Business Continuity Planning Process

The BCP process will cover the following:

• Identification and prioritisation of business processes
• Determination of the potential impact upon the business process of various major incidents and disaster scenarios
• Identification and agreement of all responsibilities and emergency arrangements
• Documentation of agreed procedures, processes and reinstatement timescales
• Education of staff in the execution of plans
• Exercising and testing of plans
• Maintenance of plans
Framework

• Emergency Procedures – describing the immediate actions to be taken following a major incident in order to protect human life and business processes
• Fallback Procedures – describing the actions to be taken to provide continuity of service without normal IT facilities, accommodation, personnel and communications
• Contingency Procedures – describing the actions to be taken to move business activities and support services to alternate facilities
Resources to be Covered

• Buildings and accommodation
• Personnel
• Computer hardware
• Computer operating systems and applications
• Data, whether held on magnetic, optical or other media
• Terminals
• Voice or data communications and networks
• Manual processes which depend on, or support, IT functions
• Critical non-IT records
Updating of Plans

Examples of changes which may necessitate the updating of plans:
• Acquisition of new equipment
• Upgrading of operational systems
• Staff or organizational changes
• Changes of address or telephone numbers
• New or obsolete business processes
• Changes in legislation
• Revised or new operating practices
Module 15

Final Implementation, Audit and Review of the Information Security Management System
Implementation of an ISMS – Summary (1)

• Define scope and boundaries, security policy
• Define risk assessment approach
• Identify the risks
– Assets/threats/vulnerabilities/impacts
• Analyse and evaluate the risks
• Identify and evaluate options for treatment of risks
• Select control objectives and controls for treatment of risks
• Obtain management approval of the proposed residual risks
• Obtain management authorisation to implement and operate the ISMS
• Prepare Statement of Applicability
• Formulate and implement the risk treatment plan
Implementation of an ISMS – Summary (2)

• Implement controls to meet the control objectives
• Measure the effectiveness of selected controls or groups of controls
• Implement training and awareness
• Manage operations and resources
• Implement sub-policies or procedures
• Monitor and review the ISMS
– Effectiveness of ISMS and controls
– Risk assessments
– Internal ISMS audits and management review
• Maintain and improve the ISMS
– Corrective and preventive actions
– Ensure improvements achieve intended objectives
Structure of ISMS

• Electronic:
– Stand alone
– Intranet
• Manual:
– Paper
• Consider how to control:
– Distribution
– Updates
– Authorisation
Are You Ready for an ISO/IEC 27001:2005 Audit?

• Ensure:
– All Clauses 4 to 8, defining the set of processes for the ISMS, are implemented
– Appropriate controls A.5 to A.15 are implemented
• Could use BIP 0072

Final Steps in Implementation

• Training
– Initial awareness
– Ongoing
– Specific policies
• Internal ISMS audits
– Competent auditors (internal/external)
– Audit process and reporting
• Management Review
– Regular basis
– Scope remains adequate
– Improvements in ISMS process are identified
Re-evaluating the System

• Risk Assessment and Risk Treatment are not one-off events
• The ISMS should identify how the system is to be re-evaluated and updated
Module 16

Certification
Assessment and Certification

Pre-certification:
• Pre-assessment (optional)
• Stage 1 – Documentation Audit
• Stage 2 – Implementation Audit

Post-certification:
• Continuing Surveillance
• 3-Year Re-assessment
Stage 1 – Documentation Audit

• Generally conducted on site
• Examines the ISMS framework for compliance with ISO/IEC 27001:2005
• Looks at policy, scope, risk assessment, risk management, selection of controls and statement of applicability
• Auditors will probably not look in depth at specific procedures, but will expect adequate ‘sign-posting’ to standards, procedures and work instructions

Stage 1 constitutes a significant part of the assessment process for ISO/IEC 27001:2005
Stage 2 – Implementation Audit

• Follow up nonconformities from Stage 1 – Documentation Audit
• Verify implementation and operation of the ISMS
– More focused
– Drill down
• The Assessment Team Leader makes a recommendation but does not make the final decision on certification – this is confirmed by the office
Certification

• A certificate will be issued for ISO/IEC 27001:2005 certification
• The certificate is valid for a period of three years, excepting suspension, withdrawal or cancellation
• The certificate carries wording relating to scope and reference to the Statement of Applicability available at the time of assessment
Continuing Surveillance Audit

• The Certification Body
– Carries out a surveillance audit, generally twice per year
– Aims to cover the scope of certification over a three-year cycle
– Intermediate audits (i.e. Special Visits) may be carried out
Triennial Re-assessment

• The period of validity of the certificate is three years
• At the end of this period the certification body can extend the certificate for a new period of three years on condition of a positive re-assessment
Assessment Time Requirements

• Depends on a variety of factors:
– Size of scope of activities covered by the assessment
– Number of sites within scope
– Business functions within scope
– Other certifications may be taken into account, e.g. ISO 9001:2000
Certificate Register

International register of ISO/IEC 27001:2005 Accredited Certificates
• List of organizations awarded a certificate
• Produced in co-operation with an international network of certification bodies, DTI (UK) and the ISMS International User Group (IUG)
• Contents: Country Profile Directory, ISMS Scopes, Certificates per Country
• Web site: www.iso27001certificates.com
Scope of Certification (Examples)

Example 1
• The management of information security of the business
operations including security consultancy and supply of
security software tools. This is in accordance with the
Statement of Applicability, issue 1.00
Example 2
• Network services (ISP, Hosting), Design and Construction
of Network, Development of Internet Website, all in
accordance with Statement of Applicability, version 3.01
Thank you for your attention