Luc Poulin – Application Security Institute
Luc Poulin
CEO & Information / Application Security Senior Advisor
Mr. Luc Poulin has more than thirty years' experience in computer science, during which he acquired a solid expertise in IT systems and software engineering.
He holds a Ph.D. and the CISSP-ISSMP, CSSLP, CISM, CISA, 27034ASLI and 27034ASLA certifications, and currently works as Information / Application Security Senior Advisor at Cogentas Inc.
Contact Information
+1 418 473-4473
Information@cogentas.org www.cogentas.org
ca.linkedin.com/in/lucpoulin
IT APPLICATIONS SECURITY
ISO/IEC 27034 – Application security
How to trust... without paying too much!
for PECB
November 8th 2016
Luc Poulin Ph.D, CISSP-ISSMP, CSSLP, CISA, CISM, 27034ASLI, 27034ASLA
CEO, ISO/IEC 27034 Project editor
Plan
1. Context
2. ISO/IEC 27034 Application security
3. Key Elements and cost management strategies
4. Conclusion
Context
▶ IT continues to evolve rapidly
  New technologies, attacks, vulnerabilities, risks...
▶ Regulatory context evolves
  New laws, regulations, regions…
▶ Business evolves
  New business contexts, market sectors, needs, opportunities and expectations
Context
▶ We have tools
  IT tools, standards, methods, best practices…
▶ We allocate resources
  training, acquisition, hiring, audits…
▶ What is missing
  to be confident in the security of an application... without paying too much?
  to be able to declare an application secure?
Context
▶ Information security is becoming a major concern for managers / administrators
▶ Organizations have limited resources
▶ Every organization exists in a specific business context
▶ Usually
  the scope of the security of an application is not adequately defined
  organizations do not have the slightest idea of the security of their applications
Context – Concepts & definitions
▶ Information security (ISO/IEC 27000)
  preservation of confidentiality, integrity and availability of information
▶ Application security (ISO/IEC 27034)
  preservation of confidentiality, integrity and availability of information collected, processed, stored and communicated by an application
▶ Information security is based on risk management
▶ Risk cannot be eliminated, only mitigated to an acceptable level
▶ Application security must be demonstrated
ISO/IEC 27034 standards series
▶ ISO/IEC 27034 – Application Security
▶ Identifies
   target audience
   AS objectives, principles, concepts, vision, scope, terms and definitions
▶ Specifies components, processes, and the AS framework on two levels:
   organization
   application
▶ Identifies requirements as recommendations ("should")
▶ Does not propose any security controls
▶ No certification available – in progress
ISO/IEC 27034 standards series
▶ ISO/IEC 27034 – Application Security
   Part 1: Overview and concepts (2011)
   Part 2: Organization normative framework (2015)
   Part 3: Application security management process (2017)
   Part 4: Application security validation (2019)
   Part 5: Protocols and application security control data structure (2017)
   Part 5-1: XML Schemas (2017)
   Part 6: Case studies (2016)
   Part 7: Assurance prediction framework (2017)
ISO/IEC 27034 – A new vision for AS
▶ Four areas of intervention
  Security Management (Governance)
  Application & IT System (Development and Evolution)
  Technology (Acquisition, Maintenance and Contingency)
  Verification & control (Conformity)
▶ Each has: Technology, Process, People
  (diagram, reconstructed as text: the four areas surround the Critical Information to protect)
ISO/IEC 27034 – A new vision of AS
▶ 9 groups of information to protect
  (table in the original, with columns "Group of information", "Application" and "AS scope"; the check marks did not survive extraction)
  Organization and user's data
  Application data
  Roles and permissions
  Application specifications
  Technological context
  Processes involving the application
  Application life cycle processes
  Regulatory context
  Business context
ISO/IEC 27034 – A new vision for AS
▶ Changing Perspective – Cost Management
  (diagram, reconstructed as text: the Organization with its Technology, People, Process and Information; Technology covering Infrastructure and Software; the Application, and Application Security spanning them)
Application Security Life Cycle Reference Model
(diagram, reconstructed as text)
Actors: Role 1, Role 2, Role 3, Role 4 … Role n
Layers:
  Application provisioning and operation
    Provisioning stages: Preparation, Realization (Outsourcing, Development or Acquisition), Transition
    Operation stages: Utilization and maintenance, then Disposal (Archival, Destruction)
  Application management: Application provisioning management | Application operation management
  Infrastructure management: Application provisioning infrastructure management | Application operation infrastructure management | Disposal
  Application audit: Application provisioning audit | Application operation audit
Key elements and cost management strategies
Key elements and cost management strategies
▶ Risk management in AS
  Impact = $$$
  (diagram, reconstructed as text: the sources of risk for AS are the Technological context, the Regulatory context, the Business context and the Application specifications, each giving rise to several risks, R)
Key elements and cost management strategies
▶ Risk Treatment
  For governance, for application security
  (diagram, reconstructed as text)
  Risk, Impact before: $$$
    → AS Requirement: expected evidence supporting the reduced-risk claim
    → Control: ASC
  Mitigated risk, Impact after: $
  Cost: ?/?
Key elements and cost management strategies
▶ The Application Security Control (ASC)
  (diagram, reconstructed as text: the elements an ASC brings together)
  Security Requirements (why): application specifications, compliance to regulations, standards and best practices, etc.
  Application Target Level of Trust (why)
  Security Activity (what, how, where, who, when, how much), with its cost and duration ($/t)
  Verification Measurement (what, how, where, who, when, how much), with its cost and duration ($/t)
  Both the activity and the measurement are positioned in the Application Security Life Cycle Reference Model
Key elements and cost management strategies
▶ ASCs may have a graph relationship
   Mitigate risk
   hiding/segmenting complexity
  (diagram, reconstructed as text: a Business-level ASC "Online Payment", derived from the PCI-DSS Std., decomposed into a graph of Functional, Infrastructure and User level ASCs)
Key elements and cost management strategies
▶ ASCs may have a graph relationship
   Mitigate risk
   hiding/segmenting complexity
▶ Facilitates cost management
  (diagram, reconstructed as text: the "Online Payment" Business ASC and each of its Functional, Infrastructure and User sub-ASCs carry a cost, $)
Key elements and cost management strategies
▶ ASCs may have a graph relationship
   Mitigate risk
   hiding/segmenting complexity
▶ Facilitates project, resources, training and qualifications management, etc.
  (diagram, reconstructed as text: the "Online Payment" Business ASC and each of its Functional, Infrastructure and User sub-ASCs carry a duration, t)
Key elements and cost management strategies
▶ ASC Library
  (diagram, reconstructed as text)
  Organisation ASC Library, organised by the application levels of trust used by the organisation (0, 1, 2, 3 … 9, 10)
  Source of specifications and constraints → Specifications and constraints → ASCs, each with its cost ($ to $$$$$)
    Application specifications: Online payment, Secure Log
    Business context: PCI-DSS, Aeronautics
    Regulatory context: Privacy Laws
    Technological context: Wireless, SSL Connection
Key elements and cost management strategies
▶ Level of Trust
  Target: list of ASCs that have been identified and approved by the application owner
  Expected: list of ASCs that succeeded verification tests, plus those predicted to succeed them
  Actual: list of ASCs that succeeded verification tests
▶ An application can be considered secure when
  Actual Level of Trust ≥ Target Level of Trust
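To make the ASC graph slides (cost and time carried by each sub-ASC) and the Level of Trust comparison above concrete, here is an added Python example. It is not code from the deck or from ISO/IEC 27034: the ASC class, the function names and the sample "Online Payment" ASC with its sub-ASCs, costs, durations and verification results are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class ASC:
    """Application Security Control as sketched on the slides: a security
    activity plus its verification measurement, each with a cost ($) and a
    duration (t). A composite ASC hides the sub-ASCs it is decomposed into."""
    name: str
    activity_cost: float = 0.0
    activity_time: float = 0.0
    verification_cost: float = 0.0
    verification_time: float = 0.0
    children: List["ASC"] = field(default_factory=list)

    def total_cost(self) -> float:
        """Own activity + verification cost, plus everything below in the graph."""
        own = self.activity_cost + self.verification_cost
        return own + sum(child.total_cost() for child in self.children)

    def total_time(self) -> float:
        """Same aggregation for the time dimension (t on the slides)."""
        own = self.activity_time + self.verification_time
        return own + sum(child.total_time() for child in self.children)

    def all_names(self) -> Set[str]:
        """Every ASC in the sub-graph, the composite itself included."""
        names = {self.name}
        for child in self.children:
            names |= child.all_names()
        return names


def actual_level_of_trust(target: Set[str], results: Dict[str, str]) -> Set[str]:
    """Actual: ASCs of the target that have passed their verification test."""
    return {name for name in target if results.get(name) == "passed"}


def expected_level_of_trust(target: Set[str], results: Dict[str, str],
                            predicted_pass: Set[str]) -> Set[str]:
    """Expected: ASCs that passed, plus untested ones predicted to pass.
    A failed ASC is never counted, whatever was predicted for it."""
    actual = actual_level_of_trust(target, results)
    pending = {n for n in target if results.get(n, "pending") == "pending"}
    return actual | (pending & predicted_pass)


def is_secure(target: Set[str], actual: Set[str]) -> bool:
    """The slide's condition, Actual Level of Trust >= Target Level of Trust:
    every approved ASC has been verified (extra verified ASCs are fine)."""
    return target <= actual


# Constructed sample, loosely following the slides' "Online Payment" Business
# ASC decomposed into Functional, Infrastructure and User sub-ASCs.
# Positional values: activity cost, activity time, verification cost, verification time.
ONLINE_PAYMENT = ASC(
    "Online Payment (Business, PCI-DSS)",
    children=[
        ASC("Tokenize card data (Functional)", 4000, 10, 1000, 2),
        ASC("Encrypt payment channel (Infrastructure)", 2500, 5, 500, 1),
        ASC("Cardholder-data handling training (User)", 800, 2, 200, 1),
    ],
)

# Constructed verification status, as the application audit would report it.
RESULTS = {
    "Tokenize card data (Functional)": "passed",
    "Encrypt payment channel (Infrastructure)": "passed",
    "Cardholder-data handling training (User)": "pending",
    "Online Payment (Business, PCI-DSS)": "pending",
}
# Constructed prediction (the deck's Part 7 "assurance prediction" idea).
PREDICTED_PASS = {
    "Cardholder-data handling training (User)",
    "Online Payment (Business, PCI-DSS)",
}


def report() -> dict:
    """Aggregate cost/time over the ASC graph and compare the levels of trust."""
    target = ONLINE_PAYMENT.all_names()          # approved by the owner
    actual = actual_level_of_trust(target, RESULTS)
    expected = expected_level_of_trust(target, RESULTS, PREDICTED_PASS)
    return {
        "cost": ONLINE_PAYMENT.total_cost(),
        "time": ONLINE_PAYMENT.total_time(),
        "secure_now": is_secure(target, actual),
        "secure_if_predictions_hold": is_secure(target, expected),
        "missing": sorted(target - actual),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that `is_secure` is a set inclusion, not a count: an application with ten verified ASCs is still not at its target if one approved ASC is missing, which is exactly why the slides separate the Target list (what the owner approved) from the Actual list (what the audit confirmed).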
Key elements and cost management strategies
▶ The ONF
  Repository, authoritative source of information
  Does not require the implementation of all elements
  Respecting the priorities and capabilities of the organization (restaurant menu)
  (diagram, reconstructed as text: Organization Normative Framework (ONF) components)
  Business context, Regulatory context, Technological context
  Application specifications and functionalities repository
  Roles, responsibilities and qualifications repository
  Categorized information groups repository
  ASC Library: ASCs (Application Security Controls)
  Application Security Traceability Matrix
  Application Security Life Cycle Reference Model
  Application Normative Frameworks (ANF), each with its Application Security Life Cycle Model
  Management processes related to application security: Application Security Risk Management, ONF Committee Management, ONF Management, Application Security Management, Application Security Conformance
Conclusion
▶ ISO 27034 can help to manage AS costs
  Offers a more comprehensive and inclusive security vision
  - Only an approach that takes into account the interests of all stakeholders and the nature of the systems, networks and related services can ensure effective security (OCDE, 2002)
  Supports the risk management model
  - Follows the critical information flow inside application processes and components
  - Only protects an application's critical elements
  Facilitates estimation of AS cost
  - Evaluate implementation costs of "small" security controls to improve estimation quality (Caulkins et al., 2007)
Conclusion
▶ ISO 27034 can help to manage AS costs
  Helps organizations to:
  - identify and establish the Level of Trust for an application
     ASC requirements related to an application, according to its AS risk
    • Supplier selection: RFP / Service Offering
    • Follow AS implementation
  - provide evidence that an application has achieved and maintained a target level of trust, according to a specific usage context
     Expected results for every ASC
  - justify the trust of an organization in the protection of its application, according to the risk coming from the application's contexts
     Risk analysis results -vs- Target Level of Trust
Conclusion
▶ ISO 27034 can help to minimize AS costs
  Promotes the integration of security activities into existing organization processes
  - minimizes application security impacts
  - minimizes resistance to change
  Helps organizations to:
  - set / manage ASCs and Levels of Trust
  - respect organization resources and priorities
  - improve internal knowledge and best practices
  - encapsulate knowledge in ASCs
  - standardize ASCs and activities across the organization
  - apply ASCs to people, processes and technology (whichever is easier / cheaper)
  - promote reuse
  - reduce training, implementation and auditing costs
Thanks for your time
ISO/IEC 27034 – Application security
How to trust... without paying too much!
for PECB
November 8th 2016
Luc Poulin Ph.D, CISSP-ISSMP, CSSLP, CISA, CISM, 27034ASLI, 27034ASLA
CEO, ISO/IEC 27034 Project editor
Luc.Poulin@Cogentas.org
ISO/IEC 27034 Training Courses
 ISO/IEC 27034 Application Security Introduction – 27034ASI – 1 Day Course
 ISO/IEC 27034 Application Security Foundation – 27034ASF – 2 Days Course
 ISO/IEC 27034 Lead Application Security Implementer – 27034ASLI – 5 Days Course
 ISO/IEC 27034 Lead Application Security Auditor – 27034ASLA – 5 Days Course
Exam and certification fees are included in the training price.
https://pecb.com/iso-iec-27034-training-courses | www.pecb.com/events
THANK YOU
+1 418 473-4473
Information@cogentas.org www.cogentas.org
ca.linkedin.com/in/LucPoulin

 
Resume_IshitaKundu_CISA
Resume_IshitaKundu_CISAResume_IshitaKundu_CISA
Resume_IshitaKundu_CISA
 
Resume_IshitaKundu_CISA
Resume_IshitaKundu_CISAResume_IshitaKundu_CISA
Resume_IshitaKundu_CISA
 
english_bok_ismp_202306.pptx
english_bok_ismp_202306.pptxenglish_bok_ismp_202306.pptx
english_bok_ismp_202306.pptx
 
ISO/IEC 27001.pdf
ISO/IEC 27001.pdfISO/IEC 27001.pdf
ISO/IEC 27001.pdf
 
IT Compliance in 2015 - Beyond the “v” model
IT Compliance in 2015 - Beyond the “v” modelIT Compliance in 2015 - Beyond the “v” model
IT Compliance in 2015 - Beyond the “v” model
 
A Major Revision of the CISRCP Program
A Major Revision of the CISRCP ProgramA Major Revision of the CISRCP Program
A Major Revision of the CISRCP Program
 
How to Achieve Functional Safety in Safety-Citical Embedded Systems
How to Achieve Functional Safety in Safety-Citical Embedded SystemsHow to Achieve Functional Safety in Safety-Citical Embedded Systems
How to Achieve Functional Safety in Safety-Citical Embedded Systems
 
How to Achieve Functional Safety in Safety-Critical Embedded Systems
How to Achieve Functional Safety in Safety-Critical Embedded SystemsHow to Achieve Functional Safety in Safety-Critical Embedded Systems
How to Achieve Functional Safety in Safety-Critical Embedded Systems
 

Plus de PECB

Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of CybersecurityDORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of CybersecurityPECB
 
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernanceSecuring the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernancePECB
 
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...PECB
 
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...PECB
 
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyPECB
 
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...PECB
 
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital TransformationISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital TransformationPECB
 
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsManaging ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsPECB
 
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?PECB
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...PECB
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...PECB
 
Student Information Session University KTMC
Student Information Session University KTMC Student Information Session University KTMC
Student Information Session University KTMC PECB
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...PECB
 
Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA PECB
 
IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?PECB
 
Information Session University Egybyte.pptx
Information Session University Egybyte.pptxInformation Session University Egybyte.pptx
Information Session University Egybyte.pptxPECB
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxPECB
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023PECB
 
ISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management systemISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management systemPECB
 

Plus de PECB (20)

Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of CybersecurityDORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
 
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernanceSecuring the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
 
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
 
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
 
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
 
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
 
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital TransformationISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
 
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsManaging ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
 
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
 
Student Information Session University KTMC
Student Information Session University KTMC Student Information Session University KTMC
Student Information Session University KTMC
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
 
Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA
 
IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?
 
Information Session University Egybyte.pptx
Information Session University Egybyte.pptxInformation Session University Egybyte.pptx
Information Session University Egybyte.pptx
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptx
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
 
ISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management systemISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management system
 

Dernier

ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxAreebaZafar22
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...ZurliaSoop
 
psychiatric nursing HISTORY COLLECTION .docx
psychiatric  nursing HISTORY  COLLECTION  .docxpsychiatric  nursing HISTORY  COLLECTION  .docx
psychiatric nursing HISTORY COLLECTION .docxPoojaSen20
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfPoh-Sun Goh
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxVishalSingh1417
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17Celine George
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...christianmathematics
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxnegromaestrong
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxDenish Jangid
 
Magic bus Group work1and 2 (Team 3).pptx
Magic bus Group work1and 2 (Team 3).pptxMagic bus Group work1and 2 (Team 3).pptx
Magic bus Group work1and 2 (Team 3).pptxdhanalakshmis0310
 
Dyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptxDyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptxcallscotland1987
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual  Proper...General Principles of Intellectual Property: Concepts of Intellectual  Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...Poonam Aher Patil
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17Celine George
 
Third Battle of Panipat detailed notes.pptx
Third Battle of Panipat detailed notes.pptxThird Battle of Panipat detailed notes.pptx
Third Battle of Panipat detailed notes.pptxAmita Gupta
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Association for Project Management
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxVishalSingh1417
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.MaryamAhmad92
 
PROCESS RECORDING FORMAT.docx
PROCESS      RECORDING        FORMAT.docxPROCESS      RECORDING        FORMAT.docx
PROCESS RECORDING FORMAT.docxPoojaSen20
 

Dernier (20)

ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
psychiatric nursing HISTORY COLLECTION .docx
psychiatric  nursing HISTORY  COLLECTION  .docxpsychiatric  nursing HISTORY  COLLECTION  .docx
psychiatric nursing HISTORY COLLECTION .docx
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Magic bus Group work1and 2 (Team 3).pptx
Magic bus Group work1and 2 (Team 3).pptxMagic bus Group work1and 2 (Team 3).pptx
Magic bus Group work1and 2 (Team 3).pptx
 
Dyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptxDyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptx
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual  Proper...General Principles of Intellectual Property: Concepts of Intellectual  Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
Third Battle of Panipat detailed notes.pptx
Third Battle of Panipat detailed notes.pptxThird Battle of Panipat detailed notes.pptx
Third Battle of Panipat detailed notes.pptx
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptx
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 
PROCESS RECORDING FORMAT.docx
PROCESS      RECORDING        FORMAT.docxPROCESS      RECORDING        FORMAT.docx
PROCESS RECORDING FORMAT.docx
 

ISO/IEC 27034 Application Security – How to trust, without paying too much!

  • 1. – Luc Poulin, Application Security Institute
  • 2. Luc Poulin, CEO & Information / Application Security Senior Advisor
    Mr. Luc Poulin has more than thirty years' experience in computer science, during which he acquired a solid expertise in IT systems and software engineering. He holds a Ph.D. and the CISSP-ISSMP, CSSLP, CISM, CISA, 27034ASLI and 27034ASLA certifications, and currently works as Information / Application Security Senior Advisor at Cogentas Inc.
    Contact information: +1 418 473-4473, Information@cogentas.org, www.cogentas.org, ca.linkedin.com/in/lucpoulin
  • 3. IT APPLICATIONS SECURITY
    ISO/IEC 27034 – Application security: How to trust... without paying too much!
    For PECB, November 8th 2016
    Luc Poulin Ph.D, CISSP-ISSMP, CSSLP, CISA, CISM, 27034ASLI, 27034ASLA – CEO, ISO/IEC 27034 Project editor
  • 4. Plan
    1. Context
    2. ISO/IEC 27034 Application security
    3. Key elements and cost management strategies
    4. Conclusion
  • 5. Context
    ▶ IT continues to evolve rapidly: new technologies, attacks, vulnerabilities, risks...
    ▶ The regulatory context evolves: new laws, regulations, regions…
    ▶ Business evolves: new business contexts, market sectors, needs, opportunities and expectations
  • 6. Context
    ▶ We have tools: IT tools, standards, methods, best practices…
    ▶ We allocate resources: training, acquisition, hiring, audits…
    ▶ What is missing: to be confident in the security of an application, without paying too much? To be able to declare an application secure?
  • 7. Context
    ▶ Information security is becoming a major concern for managers / administrators
    ▶ Organizations have limited resources
    ▶ Every organization exists in a specific business context
    ▶ Usually, the scope of the security of an application is not adequately defined, and organizations do not have the slightest idea of the security of their applications
  • 8. Context – Concepts & definitions
    ▶ Information security (ISO/IEC 27000): preservation of confidentiality, integrity and availability of information
    ▶ Application security (ISO/IEC 27034): preservation of confidentiality, integrity and availability of information collected, processed, stored and communicated by an application
    ▶ Information security is based on risk management
    ▶ Risk cannot be eliminated; it can only be mitigated to an acceptable level
    ▶ Application security must be demonstrated
  • 9. ISO/IEC 27034 standards series
    ▶ ISO/IEC 27034 – Application Security
    ▶ Identifies: the target audience; AS objectives, principles, concepts, vision, scope, terms and definitions
    ▶ Specifies components, processes and the AS framework on two levels: organization and application
    ▶ States requirements as recommendations ("should")
    ▶ Does not propose any security controls
    ▶ No certification available – in progress
  • 10. ISO/IEC 27034 standards series
    ▶ ISO/IEC 27034 – Application Security (publication years as planned at the time of the talk, November 2016):
      Part 1: Overview and concepts (2011)
      Part 2: Organization normative framework (2015)
      Part 3: Application security management process (2017)
      Part 4: Application security validation (2019)
      Part 5: Protocols and application security control data structure (2017)
      Part 5-1: XML Schemas (2017)
      Part 6: Case studies (2016)
      Part 7: Assurance prediction framework (2017)
  • 11. ISO/IEC 27034 – A new vision for AS
    ▶ Four areas of intervention, each with its Technology, Process and People, surrounding the Critical Information (figure):
      Security Management (Governance)
      Application & IT System (Development and Evolution)
      Technology (Acquisition, Maintenance and Contingency)
      Verification & control (Conformity)
  • 12. ISO/IEC 27034 – A new vision of AS
    ▶ 9 groups of information to protect (the slide's table marks, for each group, whether it belongs to the application and whether it is in the AS scope):
      Organization and user's data
      Application data
      Roles and permissions
      Application specifications
      Technological context
      Processes involving the application
      Application life cycle processes
      Regulatory context
      Business context
  • 13. ISO/IEC 27034 – A new vision for AS
    ▶ Changing perspective – cost management (figure: the Organization's Technology, People, Process and Information; Infrastructure, Software and Application; Applications Security)
  • 14. Application Security Life Cycle Reference Model (figure)
    Actors: Role 1, Role 2, Role 3, Role 4 … Role n
    Layers: Application provisioning and operation; Application management (application provisioning management, application operation management); Infrastructure management (application provisioning infrastructure management, application operation infrastructure management); Application audit (application provisioning audit, application operation audit)
    Provisioning stages: Preparation; Realization (Development, Acquisition, Outsourcing); Transition
    Operation stages: Utilization and maintenance; Archival; Destruction; Disposal
    Section: Key elements and cost management strategies
  • 15. Key elements and cost management strategies
    ▶ Risk management in AS (figure): the sources of risk for AS are the Technological context, the Regulatory context, the Business context and the Application specifications, each contributing risks (R) to the application; Impact = $$$
  • 16. Key elements and cost management strategies
    ▶ Risk treatment, for governance of application security (figure): a Risk gives rise to an AS Requirement; the Control (the ASC, labelled CSA, its French acronym, in the original figure) produces the expected evidence supporting the reduced-risk claim and leaves a Mitigated risk; Impact before = $$$, Impact after = $, Cost = ?/?
  • 17. Key elements and cost management strategies
    ▶ The Application Security Control (ASC) (figure): Security Requirements (why) – application specifications, compliance to regulations, standards and best practices, etc. – define the Application Target Level of Trust (why); an ASC combines a Security Activity (what, how, where, who, when, how much) with a Verification Measurement (what, how, where, who, when, how much), each carrying a cost and time ($/t), positioned on the Application Security Life Cycle Reference Model
  • 18. Key elements and cost management strategies
    ▶ ASCs may have a graph relationship: they mitigate risk while hiding/segmenting complexity (figure: a Business-level ASC "Online Payment", derived from the PCI-DSS standard, decomposed into Functional, Infrastructure and User level ASCs)
  • 19. Key elements and cost management strategies
    ▶ ASCs may have a graph relationship: they mitigate risk while hiding/segmenting complexity
    ▶ Facilitates cost management (figure: each ASC in the "Online Payment" graph, from the Business level down to the Functional, Infrastructure and User levels, carries its own cost, $)
  • 20. Key elements and cost management strategies
    ▶ ASCs may have a graph relationship: they mitigate risk while hiding/segmenting complexity
    ▶ Facilitates project, resource, training and qualification management, etc. (figure: each ASC in the "Online Payment" graph carries its own time, t)
  • 21. Key elements and cost management strategies
    ▶ ASC Library (figure): the organisation's ASC library is organised by source of specifications and constraints – Application specifications (online payment, secure log), Business context (PCI-DSS, aeronautics), Regulatory context (privacy laws), Technological context (wireless, SSL connection) – and by the application levels of trust used by the organisation (0, 1, 2, 3 … 9, 10); each ASC carries a cost, from $ to $$$$$
  • 22. Key elements and cost management strategies
    ▶ Level of Trust
      Target: list of ASCs that have been identified and approved by the application owner
      Expected: list of ASCs that succeeded verification tests, plus those predicted to succeed them
      Actual: list of ASCs that succeeded verification tests
    ▶ An application can be considered secure when Actual Level of Trust ≥ Target Level of Trust
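The ASC graph of slides 18 to 20 and the Target / Expected / Actual comparison of slide 22 can be put into working form. The Python below is an added example, not code from the presentation and not the normative ASC data structure of ISO/IEC 27034 Part 5: the ASC fields, the library, the control names, costs, durations and verification results are all made up for illustration. It expands a target list of ASCs through their component graph (counting a shared sub-control once, which is what makes the graph useful for costing), totals cost and time, and then derives the three levels of trust from per-ASC verification results, treating a composite ASC as verified only when all of its components are.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class ASC:
    """One Application Security Control: a security activity plus the
    verification measurement that produces its evidence (illustrative fields)."""
    name: str
    source: str                        # why: specification, regulation, standard...
    cost: float                        # $ to implement and verify this ASC alone
    duration: float                    # t (person-days) for the same
    components: Tuple[str, ...] = ()   # child ASCs: the graph relationship


class ASCLibrary:
    """The organisation's ASC library (hypothetical model of the ONF element)."""

    def __init__(self, controls: Iterable[ASC]) -> None:
        self.controls: Dict[str, ASC] = {c.name: c for c in controls}
        for c in self.controls.values():
            for child in c.components:
                if child not in self.controls:
                    raise KeyError(f"{c.name} references unknown ASC {child}")

    def expand(self, names: Iterable[str]) -> Set[str]:
        """Transitive closure of the selected ASCs over the component graph.
        A sub-control shared by several composites appears exactly once."""
        closure: Set[str] = set()
        stack = list(names)
        while stack:
            n = stack.pop()
            if n in closure:
                continue
            if n not in self.controls:
                raise KeyError(f"unknown ASC {n}")
            closure.add(n)
            stack.extend(self.controls[n].components)
        return closure

    def estimate(self, names: Iterable[str]) -> Tuple[float, float]:
        """Total ($, t) for a set of ASCs, each sub-control counted once."""
        chosen = self.expand(names)
        return (sum(self.controls[n].cost for n in chosen),
                sum(self.controls[n].duration for n in chosen))


@dataclass
class LevelOfTrust:
    target: Set[str]    # ASCs identified and approved by the application owner
    expected: Set[str]  # ASCs that passed or are predicted to pass verification
    actual: Set[str]    # ASCs that passed verification


def level_of_trust(lib: ASCLibrary, target_names: Iterable[str],
                   results: Dict[str, str]) -> LevelOfTrust:
    """results maps ASC name -> 'pass' | 'predicted' | 'fail'; absent = no evidence.
    A composite ASC only counts when every one of its components counts too."""
    target = lib.expand(target_names)

    def holds(name: str, accepted: Tuple[str, ...]) -> bool:
        return (results.get(name) in accepted and
                all(holds(c, accepted) for c in lib.controls[name].components))

    actual = {n for n in target if holds(n, ("pass",))}
    expected = {n for n in target if holds(n, ("pass", "predicted"))}
    return LevelOfTrust(target, expected, actual)


def is_secure(lot: LevelOfTrust) -> bool:
    """Slide 22's rule, Actual >= Target: every targeted ASC has passing evidence."""
    return lot.target <= lot.actual


def missing_evidence(lot: LevelOfTrust) -> List[str]:
    """Targeted ASCs still lacking passing verification, for the owner's follow-up."""
    return sorted(lot.target - lot.actual)


# Constructed sample library: names, sources, costs and durations are made up.
LIBRARY = ASCLibrary([
    ASC("secure_log", "application specifications", 1500, 3),
    ASC("tls_connection", "technological context", 500, 1),
    ASC("card_tokenization", "business context: PCI-DSS", 4000, 8, ("secure_log",)),
    ASC("online_payment", "business context: PCI-DSS", 2000, 5,
        ("secure_log", "tls_connection", "card_tokenization")),
    ASC("privacy_retention", "regulatory context: privacy laws", 1000, 2, ("secure_log",)),
])

# Target Level of Trust approved by the (hypothetical) application owner.
TARGET = ("online_payment", "privacy_retention")

# Constructed verification results for one application.
RESULTS = {"online_payment": "pass", "secure_log": "pass", "tls_connection": "pass",
           "card_tokenization": "predicted", "privacy_retention": "fail"}

if __name__ == "__main__":
    cost, days = LIBRARY.estimate(TARGET)
    lot = level_of_trust(LIBRARY, TARGET, RESULTS)
    print(f"target: {len(lot.target)} ASCs, estimate ${cost:.0f} over {days:.0f} days")
    print(f"actual: {len(lot.actual)}, expected: {len(lot.expected)}, secure: {is_secure(lot)}")
    print("missing evidence:", missing_evidence(lot))
```

With the constructed data, the two targeted business-level ASCs expand to five controls costing $9000 over 19 days, `secure_log` being counted once although three composites depend on it. The application is not yet secure under the slide's rule: `card_tokenization` is only predicted to pass, so `online_payment` cannot count as verified, and `privacy_retention` failed. The expected level (four ASCs) shows what the owner can claim once the prediction is confirmed.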
• 23. Key elements and cost management strategies
  ▶ The ONF Repository, authoritative source of information
    Does not require the implementation of all elements
    Respecting the priorities and capabilities of the organization (restaurant menu)
  [Diagram: Organization Normative Framework (ONF) with its components: Business context; Regulatory context; Technological context; Application specifications and functionalities repository; Roles, responsibilities and qualifications repository; Categorized information groups repository; ASC Library of ASCs (Application Security Controls); Application Security Traceability Matrix; Application Security Life Cycle Reference Model; Application Normative Frameworks (ANF); Application Security Life Cycle Model; Management processes related to application security: Application Security Risk Management, ONF Committee Management, ONF Management, Application Security Management, Application Security Conformance]
• 24. Conclusion
  ▶ ISO 27034 can help to manage AS costs
    Offers a more comprehensive and inclusive security vision
    - Only an approach that takes into account the interests of all stakeholders and the nature of the systems, networks and related services can ensure effective security (OCDE, 2002)
    Supports the risk management model
    - Follows the critical information flow inside application processes and components
    - Only protects an application's critical elements
    Facilitates estimation of AS cost
    - Evaluate implementation costs of "small" security controls to improve estimation quality (Caulkins et al., 2007)
• 25. Conclusion
  ▶ ISO 27034 can help to manage AS costs
    Helps organizations to:
    - identify and establish the Level of Trust for an application → ASC requirements related to an application, according to its AS risk
      • Supplier selection: RFP / Service Offering
      • Follow AS implementation
    - provide evidence that an application has achieved and maintained a target level of trust, according to a specific usage context → Expected results for every ASC
    - justify the trust of an organization to protect its application according to the risk coming from the application contexts → Risk analysis results -vs- Target Level of Trust
• 26. Conclusion
  ▶ ISO 27034 can help to minimize AS costs
    Promotes the integration of security activities in the existing organization processes
    - minimize application security impacts
    - minimize resistance to change
    Helps organizations to:
    - set / manage ASCs and Levels of Trust
    - respect organization resources and priorities
    - improve internal knowledge and best practices
    - encapsulate knowledge in ASCs
    - standardize ASCs and activities across the organization
    - apply ASCs to people, processes and technology (depending on which is easier / cheaper)
    - promote reuse
    - reduce training, implementation and auditing costs
• 27. Thanks for your time
  ISO/IEC 27034 – Application security
  How to trust... without paying too much!
  for PECB, November 8th 2016
  Luc Poulin Ph.D, CISSP-ISSMP, CSSLP, CISA, CISM, 27034ASLI, 27034ASLA
  CEO, ISO/IEC 27034 Project editor
  Luc.Poulin@Cogentas.org
• 28. ISO/IEC 27034 Training Courses
  - ISO/IEC 27034 Application Security Introduction (27034ASI): 1 Day Course
  - ISO/IEC 27034 Application Security Foundation (27034ASF): 2 Days Course
  - ISO/IEC 27034 Lead Application Security Implementer (27034ASLI): 5 Days Course
  - ISO/IEC 27034 Lead Application Security Auditor (27034ASLA): 5 Days Course
  Exam and certification fees are included in the training price.
  https://pecb.com/iso-iec-27034-training-courses | www.pecb.com/events
• 29. THANK YOU
  Questions?
  +1 418 473-4473
  Information@cogentas.org
  www.cogentas.org
  ca.linkedin.com/in/LucPoulin