This webinar outlines the relation between ISO 27032 and ISO 55001, and how the two standards cover one another. It also gives more information on cybersecurity, given the growing importance placed on the security industry today.
Main points covered:
• Protection assets in Cyberspace
• Covering ISO 27032 in ISO 55001 and ISO 55001 in ISO 27032
• Sample of Cybersecurity Risks in Assets
• Highlights of the Implementation of the Cyber Security program Framework
Presenter:
This webinar was presented by PECB Partner and Trainer Mr. Claude Essomba, Managing Director at GETSEC SARL, who has more than 9 years of experience in IT and Information Security.
Link of the recorded session published on YouTube: https://youtu.be/_280jG77iKY
Implementing a Cyber Security Program Framework from ISO 27032 to ISO 55001
1. Implementing a Cyber Security assets-oriented program Framework from ISO 27032 to ISO 55001
2. Claude Essomba
Senior Security Consultant
Claude Essomba is Managing Director at GETSEC SARL and has more than 9 years of
experience in IT and Information Security in various countries such as Germany, Canada
and the USA, and in Africa. He is currently a senior compliance auditor based in Cameroon.
+237 98 98 04 65 claudeessomba@yahoo.ca www.getsec.com
https://www.linkedin.com/in/claude-essomba-npfat-cissp-cism-iso-27001-la-342335
3. Agenda
Context Introduction
What Assets in Cyberspace?
ISO/IEC 27032:2012 FOR WHAT?
Cybersecurity Risks in Assets
Protection assets in Cyberspace
Covering ISO 55001 in ISO 27032/22301/27001
Conclusion
4. Cyber security is ranked as the top priority for 2015 by asset managers,
according to a February 2015 report from Cerulli Associates Europe.
“Nearly 60% of the global asset servicing companies that responded to our
survey said that cyber security was seen by asset managers as the leading
issue this year,” says Barbara Wall, Europe research director at Cerulli.
“However, Cerulli’s analysis also identifies weaknesses, which we believe
will require a change of mindset by some organisations. For example, there
is an alarming degree of complacency among some asset managers as to
the dangers employees can pose.”
Thirty-six percent of the respondents in Cerulli’s survey said that asset
managers are spending around $15m a year on preventing cyber incidents,
with some budgeting more than twice that sum. The firms polled expect that
spending on cyber security by asset managers will rise steadily over the
next few years.
“Banks have been favourite targets in the past, but asset managers are now
taking the threat of major attacks more seriously”
Matthew Martindale
Context Introduction
5. Assets in the Cyberspace
An asset is anything that has value to an individual or an
organization. There are many types of assets,
including but not limited to:
a) information;
b) software, such as a computer program;
c) physical, such as a computer;
d) services;
e) people, their qualifications, skills, and experience; and
f) intangibles, such as reputation and image.
Personal assets
One of the key virtual assets is an individual consumer’s online identity and
his online credit information. Online identity is considered an asset, since it
is the key identifier for any individual consumer in the Cyberspace.
Organizational assets
A key aspect of the Cyberspace is the infrastructure that makes it all
possible. This infrastructure is a meshed interconnection of networks,
servers and applications which belong to many service providers.
The reliability and availability of this infrastructure is therefore crucial in
ensuring that the Cyberspace services and applications are available to
anyone in the Cyberspace.
What Assets in Cyberspace?
6. ISO/IEC 27032:2012 provides guidance for improving the state of
Cybersecurity, drawing out the unique aspects of that activity and its
dependencies on other security domains, in particular:
information security,
network security,
internet security, and
critical information infrastructure protection (CIIP).
It covers the baseline security practices for stakeholders in the
Cyberspace. This International Standard provides:
an overview of Cybersecurity,
an explanation of the relationship between Cybersecurity and other types of security,
a definition of stakeholders and a description of their roles in Cybersecurity,
guidance for addressing common Cybersecurity issues, and
a framework to enable stakeholders to collaborate on resolving Cybersecurity issues.
ISO/IEC 27032:2012 FOR WHAT?
7. Threats to personal assets revolve mainly around identity
issues, posed by the leakage or theft of personal
information.
Organizations’ online presence and online business are
often targeted by miscreants whose intent is more than
plain mischief.
A threat agent is an individual or group of individuals who
have any role in the execution or support of an attack.
Vulnerability is a weakness of an asset or control that can
be exploited by a threat.
Cybersecurity Risks in Assets
8. Attacking Assets: From ISO/IEC 27032:2012 perspective
The attacks can come from two major categories:
— Attacks from inside the private network
CASE 1 One possible case is that system administrators might take
advantage of their system access privileges
CASE 2 use of rogue Access Points (AP) to steal identities
CASE 3 non-protected Wi-Fi network
CASE 4 vulnerabilities on computers
CASE 5 use of the promiscuous mode of a network interface
CASE 6 use of hardware or software key loggers
— Attacks from outside the private network (e.g. Internet)
There are many different attacks that can be launched from outside the private
network, including from the Internet.
With the help of a botnet, large scale DoS attacks can be launched that can
bring down a country’s access to the Cyberspace.
Cybersecurity Risks in Assets
9. Guidelines for stakeholders
The guidance in this clause focuses on three main areas:
— security guidance for consumers;
— internal information security risk management of an organization; and
— security requirements that providers should specify for consumers to implement.
The recommendations are structured as follows:
a) an introduction to risk assessment and treatment;
b) guidelines for consumers; and
c) guidelines for organizations, including service providers:
— management of information security risk in the business; and
— security requirements for hosting services and other application services.
Protection assets in Cyberspace
10. Cybersecurity controls
Once the risks to Cybersecurity are identified and appropriate guidelines are
drafted, Cybersecurity controls that support the security requirements can be
selected and implemented. This clause gives an overview of the key
Cybersecurity controls that can be implemented to support the guidelines laid
out in this International Standard.
Application level controls
Server protection
End-user controls
Controls against social engineering attacks
• Policies
• Methods and processes
• People and organization
Protection assets in Cyberspace
11. This International Standard applies the definition of “risk” given in ISO
31000:2009 and ISO Guide 73:2009.
Ensuring that the approach used for managing risk in asset
management is aligned with the organization’s approach for
managing risk.
Actions to address these risks and opportunities, taking into
account how these risks and opportunities can change with time;
— identification of risks and opportunities;
— assessment of risks and opportunities;
— determining the significance of assets in achieving asset
management objectives;
— implementation of the appropriate treatment, and monitoring, of
risks and opportunities.
Covering ISO 55001 in ISO 27032
12. The organization shall ensure that its asset management related risks
are considered in the organization’s risk management approach. That
risk management approach must include contingency planning.
The organization shall include consideration of:
— the significance of the identified risks;
— treating and monitoring risks; and
— the effectiveness of the asset management system.
The organization shall evaluate and report on the effectiveness of the
processes for managing risks.
Covering ISO 55001 in ISO 27032
13. ISO 22301 defines the requirements that an organization must apply to
certify a Business Continuity Management System (BCMS). To comply with
the requirements of the standard, the organization needs to document a
model to develop, implement, operate, monitor, review, maintain and
improve a BCMS to increase the resilience of the organization in case of
disaster.
It involves all elements related to the cyberspace of an organization.
With a BCMS, the needs of an organization should be determined
before an incident occurs, in order to ensure protection of the
assets.
ISO 22301, clause 3.47, defines the resources of an organization as
all assets, people, information, technology, premises and supplies, etc.
Covering ISO 55001 in ISO 22301
14. How to protect the assets within the context of ISO 22301?
BIA, stakeholders, resilience, recovery objectives (RPO, RTO, MAO,
MBCO)
KEY components of a BCMS according to ISO 22301:
A policy
People with defined responsibilities
Management processes relating to policy, planning,
implementation and operation, performance assessment,
management review, and improvement
Documentation providing auditable evidence
Any BCMS processes relevant to the organization
Covering ISO 55001 in ISO 22301
15. Asset management
Inventory of assets
All assets shall be clearly identified and an inventory of all important assets drawn
up and maintained.
Ownership of assets
All information and assets associated with information processing facilities shall be
‘owned’ by a designated part of the organization.
Acceptable use of assets
Rules for the acceptable use of information and assets associated with information
processing facilities shall be identified, documented, and implemented.
Return of assets
All employees, contractors and third party users shall return all of the organization’s
assets in their possession upon termination of their employment, contract or
agreement.
Equipment security
Segregation of duties
Media handling
Covering ISO 55001 in ISO 27001/2
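The asset controls listed on this slide (inventory, ownership, return of assets), the risk steps of slides 11 and 12 (identify, assess, weigh by asset significance, treat) and the recovery objectives of slide 14 (RTO versus MAO) can be tied together in one asset register. The following Python script is an added illustration and is not part of the PECB webinar or of any ISO text; the five-point scales, the score formula, and the sample assets, owners and people are constructed assumptions.

```python
"""Asset-oriented cybersecurity register (added illustration, not PECB or ISO material)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Risk:
    """One identified risk to an asset (risk identification and assessment)."""
    description: str
    likelihood: int      # hypothetical 1 (rare) .. 5 (almost certain) scale
    impact: int          # hypothetical 1 (negligible) .. 5 (severe) scale
    treated: bool = False


@dataclass
class Asset:
    """One row of the asset inventory: identified, owned, and returnable."""
    asset_id: str
    name: str
    kind: str                          # ISO 27032 asset type: information, software, physical, ...
    owner: Optional[str]               # designated part of the organization, None if unassigned
    holder: Optional[str]              # person physically holding the asset, if any
    significance: int                  # hypothetical 1..5 weight for asset management objectives
    rto_hours: Optional[float] = None  # recovery time objective
    mao_hours: Optional[float] = None  # maximum acceptable outage
    risks: List[Risk] = field(default_factory=list)


def ownerless_assets(register: List[Asset]) -> List[str]:
    """Ownership of assets: every asset must be 'owned' by a designated part of the organization."""
    return [a.asset_id for a in register if not a.owner]


def unreturned_assets(register: List[Asset], terminated: Set[str]) -> List[str]:
    """Return of assets: assets still held by people whose employment or contract has ended."""
    return [a.asset_id for a in register if a.holder is not None and a.holder in terminated]


def risk_score(asset: Asset, risk: Risk) -> int:
    """Likelihood x impact, weighted by how significant the asset is to the objectives."""
    return asset.significance * risk.likelihood * risk.impact


def treatment_queue(register: List[Asset], threshold: int) -> List[Tuple[int, str, str]]:
    """Untreated risks scoring at or above the threshold, highest score first."""
    queue = [
        (risk_score(a, r), a.asset_id, r.description)
        for a in register
        for r in a.risks
        if not r.treated and risk_score(a, r) >= threshold
    ]
    return sorted(queue, reverse=True)


def recovery_objective_violations(register: List[Asset]) -> List[str]:
    """Recovery objectives: an asset's RTO must not exceed its MAO."""
    return [
        a.asset_id
        for a in register
        if a.rto_hours is not None and a.mao_hours is not None and a.rto_hours > a.mao_hours
    ]


# Constructed sample register; ids, names, people and scores are illustrative only.
REGISTER = [
    Asset("A1", "Customer database", "information", "IT Operations", None, 5, 4.0, 8.0,
          [Risk("leakage of personal information", 3, 5),
           Risk("rogue access point on the office network", 2, 4)]),
    Asset("A2", "Field laptop", "physical", "Sales", "j.doe", 3, None, None,
          [Risk("hardware key logger", 2, 3)]),
    Asset("A3", "Public web portal", "service", None, None, 4, 24.0, 12.0,
          [Risk("large-scale DoS via botnet", 4, 4, treated=True)]),
    Asset("A4", "Company reputation", "intangible", "Executive Board", None, 4),
]
TERMINATED = {"j.doe"}  # constructed: people whose contract has ended this month

if __name__ == "__main__":
    print("assets without a designated owner:", ownerless_assets(REGISTER))
    print("assets not returned on termination:", unreturned_assets(REGISTER, TERMINATED))
    print("RTO exceeds MAO for:", recovery_objective_violations(REGISTER))
    for score, asset_id, desc in treatment_queue(REGISTER, threshold=20):
        print(f"treat {asset_id} [{score}]: {desc}")
```

Run as a script it reports one ownerless asset (A3), one laptop still held by a departed employee (A2), one recovery objective that cannot be met (A3, whose RTO of 24 hours exceeds its MAO of 12), and the two untreated customer-database risks in priority order; the already-treated DoS risk and the low-scoring laptop risk stay out of the queue at the chosen threshold.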
16. Cyber Security implies approaching the management of
cyberspace-related asset risks by considering security from
the assets' point of view.
The ISO 55000 family would then help us to identify the assets, and
ISO 27032 guidance and recommendations to implement
the Cyber security framework.
When implementing ISO 55001, look at the other standards' related
controls to protect Cyberspace-related assets.
When implementing ISO 55001, a correlation to other standards
can help to check compliance with those standards.
An assets-oriented building of a Cybersecurity framework could lead
to compliance against ISO 27032/ISO 27001/ISO 22301, etc.
CONCLUSION