
Implementing a Security Framework based on ISO/IEC 27002

Slide 1: Implementing a Security Framework Based on ISO/IEC 27002
Focused on Security. Committed to Success.
Presented by: Michael Leung, CRISC, CGEIT, CISM, CISA, CISSP-ISSMP
Date: February 24, 2011

Slide 2: Table of Contents
Implementing a Security Framework based on ISO/IEC 27002
• Sections of ISO/IEC 27002 Code of Practice
• ISO 27002 Scope of Assessment
• Maturity Model
• Policy Framework & Governance
• Benchmarking & Comparison
• The Start of the Journey
• The Next Steps
• Information Security Job Practice
Slide 3: ISO/IEC 27002 Code of Practice
Sections of ISO/IEC 27002 Code of Practice:
0 Introduction
1 Scope
2 Terms and Definitions
3 Structure of this Standard
4 Risk Assessment and Treatment
5 Security Policy
6 Organization of Information Security
7 Asset Management
8 Human Resource Security
9 Physical and Environmental Security
10 Communications and Operations Management
11 Access Control
12 Information Systems Acquisition, Development and Maintenance
13 Information Security Incident Management
14 Business Continuity Management
15 Compliance

Slide 4: ISO 27002 Scope of Assessment
Sections of ISO/IEC 27002 Code of Practice (the same section list, 0 Introduction through 15 Compliance, as on slide 3).

Slide 5: Maturity Model (ref: COBIT 4.1)
Slide 6: Maturity Model (ref: COBIT 4.1 Appendix)

Each COBIT 4.1 maturity level is listed with the status of the internal control environment it describes, followed by the ISO maturity level range it is mapped to.

0 - Non-existent: There is no recognition of the need for internal control. Control is not part of the organization's culture or mission. There is a high risk of control deficiencies and incidents.
  ISO maturity level 0-1: Practice not yet in existence.

1 - Initial/ad hoc: There is some recognition of the need for internal control. The approach to risk and control requirements is ad hoc and disorganized, without communication or monitoring. Deficiencies are not identified. Employees are not aware of their responsibilities.
  ISO maturity level 1-2: Practice does not fully achieve ISO objectives; however, efforts are underway.

2 - Repeatable but Intuitive: Controls are in place but are not documented. Their operation is dependent on the knowledge and motivation of individuals. Effectiveness is not adequately evaluated. Many control weaknesses exist and are not adequately addressed; the impact can be severe. Management actions to resolve control issues are not prioritized or consistent. Employees may not be aware of their responsibilities.
  ISO maturity level 2-3: Practice achieves ISO objectives; however, the program isn't documented or universally effective or understood.

3 - Defined: Controls are in place and are adequately documented. Operating effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the evaluation process is not documented. Whilst management is able to deal predictably with most control issues, some control weaknesses persist and impacts could still be severe. Employees are aware of their responsibilities for control.
  ISO maturity level 3-4: Practice achieves and documents ISO objectives; however, the program isn't universally effective or understood.

4 - Managed & Measurable: There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of technology is applied to automate controls.
  ISO maturity level 4-5: Practice achieves ISO objectives, is documented and is universally effective and understood.

5 - Optimized: An enterprise-wide risk and control program provides continuous and effective control and risk issue resolution. Internal control and risk management are integrated with enterprise practices, supported with automated real-time monitoring with full accountability for control monitoring, risk management and compliance enforcement. Control evaluation is continuous, based on self-assessments and gap and root cause analyses. Employees are proactively involved in control improvements.
Slide 7: Policy Framework & Governance
Information Security Management Policy & Framework
Information Security Corporate Policy, Table of Contents (for Board approval):
A. Organization of Information Security
B. Asset Management
C. Human Resources
D. Physical & Environmental Security
E. Communications & Operations Management
F. Access Control
G. Information System Acquisition, Development & Maintenance
H. Information Security Incident Management
I. Business Continuity Management
J. Compliance

Slide 8: Policy Framework & Governance
Document hierarchy, from the top down, with the approval level for each layer:
• Information Security Corporate Policy (Corporate Policies: Board approval)
• Operational-level "policies" or standards (Sr. Exec Committee or other approval)
• Operational-level procedures or guidelines

Corporate Policies: delegation of authority from the Board of Directors to Management at the executive level. The high-level statement of management's intent, expectations and direction. Corporate Policies provide the framework and governance of information security.
Directives: support the Corporate Policies by providing a more focused, detailed level of information.
Standards: the metrics forming a technical requirement that must be met in order to meet the terms of the Corporate Policy.
Guidelines: contain information that will be helpful in executing the procedures.
Procedures: step-by-step instructions.

Slide 9: Policy Framework & Governance
Information Security Corporate Policy, Table of Contents:
A. Organization of Information Security
B. Asset Management
C. Human Resources Security
D. Physical & Environmental Security
E. Communications & Operations Management
F. Access Control
G. Information Systems Acquisition, Development & Maintenance
H. Information Security Incident Management
I. Business Continuity Management
J. Compliance
Slide 10: Ratings for Benchmarking & Comparison
ISO Maturity Model Ratings are assessed on four dimensions:
• Policy
• People
• Process
• Technology

Slide 11: Ratings for Benchmarking & Comparison
A. Organization of Information Security
B. Asset Management
C. Human Resources Security
D. Physical & Environmental Security
E. Communications & Operations Management
F. Access Control
G. Information Systems Acquisition, Development & Maintenance
H. Information Security Incident Management
I. Business Continuity Management
J. Compliance

Slide 12: Ratings for Benchmarking & Comparison (Example Only)
Each domain receives a maturity rating on the 0-5 scale, shown as "x.x":
A. Organization of Information Security – x.x
B. Asset Management – x.x
C. Human Resources Security – x.x
D. Physical & Environmental Security – x.x
E. Communications & Operations Management – x.x
F. Access Control – x.x
G. Information Systems Acquisition, Development & Maintenance – x.x
H. Information Security Incident Management – x.x
I. Business Continuity Management – x.x
J. Compliance – x.x
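The per-domain "x.x" scores on slides 10 to 12 are a roll-up of many individual control ratings. The following is an added example for this page, not code from the presentation, showing one way to compute them: each control is rated 0-5 on the deck's four dimensions (Policy, People, Process, Technology), a domain score is the mean of its control scores, and the result is placed in the ISO maturity band from slide 6 and compared against a target level. The control names, the ratings, the 3.0 target and the plain-mean roll-up rule are assumptions; a real assessment may weight controls or dimensions differently.

```python
"""Roll per-control maturity ratings up to per-domain "x.x" scores.

Added example, not code from the presentation. The 0-5 scale, the four
rating dimensions and the ISO maturity bands come from the slides; the
control names, ratings, 3.0 target and plain-mean roll-up are assumptions.
"""
from statistics import mean

DIMENSIONS = ("policy", "people", "process", "technology")

# ISO maturity bands from the deck's COBIT-aligned table, keyed by the
# integer part of the score (a score of 2.7 falls in band "2-3").
ISO_BANDS = {
    0: "0-1: practice not yet in existence",
    1: "1-2: practice does not fully achieve ISO objectives; efforts are underway",
    2: "2-3: practice achieves ISO objectives; not documented or universally effective",
    3: "3-4: practice achieves and documents ISO objectives; not universally effective",
    4: "4-5: practice achieves ISO objectives, is documented and universally effective",
}

# Constructed sample assessment: domain -> control -> dimension ratings (0-5).
SAMPLE_RATINGS = {
    "F. Access Control": {
        "User registration":    {"policy": 3, "people": 2, "process": 2, "technology": 3},
        "Privilege management": {"policy": 3, "people": 2, "process": 1, "technology": 2},
        "Password management":  {"policy": 4, "people": 3, "process": 3, "technology": 4},
    },
    "H. Information Security Incident Management": {
        "Reporting security events": {"policy": 2, "people": 1, "process": 1, "technology": 1},
        "Learning from incidents":   {"policy": 1, "people": 1, "process": 1, "technology": 0},
    },
}


def control_score(dims):
    """Mean of the four dimension ratings; rejects missing or out-of-range values."""
    missing = set(DIMENSIONS) - set(dims)
    if missing:
        raise ValueError(f"missing dimensions: {sorted(missing)}")
    for dim in DIMENSIONS:
        if not 0 <= dims[dim] <= 5:
            raise ValueError(f"{dim} rating {dims[dim]!r} is outside the 0-5 scale")
    return mean(dims[dim] for dim in DIMENSIONS)


def domain_scores(ratings):
    """Domain score = mean of its control scores, rounded to the deck's x.x form."""
    return {
        domain: round(mean(control_score(c) for c in controls.values()), 1)
        for domain, controls in ratings.items()
    }


def iso_band(score):
    """ISO maturity band label for a domain score."""
    return ISO_BANDS[min(int(score), 4)]


def weakest_dimension(ratings, domain):
    """Which of Policy/People/Process/Technology drags the domain down most."""
    controls = list(ratings[domain].values())
    dim_means = {d: mean(c[d] for c in controls) for d in DIMENSIONS}
    return min(dim_means, key=dim_means.get)


def gap_report(ratings, target=3.0):
    """Domains ranked by gap to the target maturity, largest gap first."""
    rows = []
    for domain, score in domain_scores(ratings).items():
        rows.append({
            "domain": domain,
            "score": score,
            "band": iso_band(score),
            "gap": round(max(target - score, 0.0), 1),
            "weakest": weakest_dimension(ratings, domain),
        })
    return sorted(rows, key=lambda r: r["gap"], reverse=True)


if __name__ == "__main__":
    for row in gap_report(SAMPLE_RATINGS):
        print(f"{row['domain']}: {row['score']} ({row['band']}); "
              f"gap to target {row['gap']}; weakest dimension: {row['weakest']}")
```

Reporting the weakest dimension alongside the score matters for the benchmarking slides: two domains can share a 2.7 while one is short on documented policy and the other on tooling, and they need different remediation.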
Slide 13: Return on Security Posture Investment (ROSPI) Methodology
Internet Security Alliance, July 2002 / Data from Dr. William M. Hancock

Slide 14: The Start of the Journey
• Addressing Other Audits & Assessments
• Assessment of Scope – Risk Registrar
• Risk Assessment & Treatment
• Tracking & Reporting

Slide 15: Addressing Other Audits & Assessments

Slide 16: Addressing Other Audits & Assessments

Slide 17: Assessment of Scope – Risk Registrar

Slide 18: Assessment of Scope – Risk Registrar
Risk Assessment & Treatment
4.1 Assessing Security Risks: Risk assessments should identify, quantify, and prioritize risks against criteria for risk acceptance and objectives relevant to the organization.
4.2 Treating Security Risks: Before considering the treatment of a risk, the organization should decide criteria for determining whether or not risks can be accepted. Risks may be accepted if, for example, it is assessed that the risk is low or that the cost of treatment is not cost-effective for the organization. Such decisions should be recorded.
Slide 19: Risk Assessment & Treatment

Residual Risk Rating = Consequence x Likelihood
• Low: < 5
• Med: >= 5 to < 10
• High: >= 10

CONSEQUENCE: The impact on the objectives if the risk occurs. Each level is described across four impact areas: Monetary Impact, Operational Efficiency Impact, Reputation Impact (incl. Regulatory & Member), and Employee Impact.

Level 5, Catastrophic
  Monetary: Would have significant financial consequences: compromising quality of balance sheet and ability to address capital adequacy requirements.
  Operational Efficiency: Would have significant and prolonged impact on operations. Processes are irreconcilable, resulting in undeliverable customer service.
  Reputation: Key stakeholders (Members/Vendors) lose confidence in Coast's ability to deliver, with low likelihood of regaining trust.
  Employee: Would result in the unexpected loss of multiple (key) staff including executive.

Level 4, Major (all impact areas)
  The consequences would threaten continued effective provision of services and require top-level management intervention.

Level 3, Moderate
  Monetary: Would have some financial consequences: threatening budgeted net income, medium-term earnings and planned capital expenditures.
  Operational Efficiency: Would have some impact on operations. Processes would be suspended, resulting in delayed delivery of customer service.
  Reputation: Some stakeholders would lose trust in Coast and there would likely be some media attention.
  Employee: Would result in the unexpected loss of some (key) staff and have an impact on morale.

Level 2, Minor (all impact areas)
  The consequences would impact the efficiency or effectiveness of some services, but could be dealt with internally.

Level 1, Insignificant
  Monetary: Would not have material financial consequence: impacts/losses could be absorbed in departmental budgets.
  Operational Efficiency: Would have little impact on operations. Processes would be slightly delayed, although with no delay in delivery of customer service.
  Reputation: Few stakeholders, if any, would be aware of the incident.
  Employee: Would have negligible impact on staff.

LIKELIHOOD: The probability that a risk event will occur, given current controls in place. Each band is assessed over a pre-defined period of time (e.g. 24 months).
  Level 5, Almost Certain: the risk event is expected to occur >80% of the time.
  Level 4, Likely: the risk event is expected to occur >60% of the time.
  Level 3, Possible: the risk event is expected to occur >30% and <60% of the time.
  Level 2, Unlikely: the risk event is expected to occur <30% of the time.
  Level 1, Rare: the risk event is expected to occur <10% of the time.
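Slides 18 and 19 together describe a scoring and acceptance procedure: rate each risk's consequence and likelihood on the 1-5 scales, multiply, bucket the product with the Low/Med/High thresholds, and then decide acceptance against pre-agreed criteria (4.2), recording the decision. The following is an added example for this page, not code from the presentation, that runs that procedure over a small constructed risk register. The formula, thresholds, level descriptors and probability bands are the deck's; the register entries, the "worst impact area sets the consequence level" rule, the cost-effectiveness test and the acceptance criteria are assumptions. Note that the deck's lower likelihood bands overlap as written (Unlikely <30%, Rare <10%); the example reads them as ordered thresholds and says so.

```python
"""Score a risk register with the deck's Consequence x Likelihood matrix and
record ISO/IEC 27002 4.2 acceptance decisions.

Added example, not code from the presentation. The formula, thresholds,
level descriptors and probability bands are the deck's; register entries,
the worst-area rule, the cost test and acceptance criteria are assumptions.
"""
from dataclasses import dataclass

CONSEQUENCE = {5: "Catastrophic", 4: "Major", 3: "Moderate", 2: "Minor", 1: "Insignificant"}
LIKELIHOOD = {5: "Almost Certain", 4: "Likely", 3: "Possible", 2: "Unlikely", 1: "Rare"}
IMPACT_AREAS = ("monetary", "operational", "reputation", "employee")


def rating_band(score):
    """Deck thresholds: Low < 5, Med >= 5 and < 10, High >= 10."""
    if score >= 10:
        return "High"
    if score >= 5:
        return "Med"
    return "Low"


def likelihood_level(probability):
    """Probability of the event over the assessment period (e.g. 24 months)
    mapped to the 1-5 level. The deck's low bands overlap (Unlikely < 30%,
    Rare < 10%), so they are read here as ordered thresholds (assumption)."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError(f"probability {probability!r} must be between 0 and 1")
    if probability > 0.80:
        return 5
    if probability > 0.60:
        return 4
    if probability > 0.30:
        return 3
    if probability >= 0.10:
        return 2
    return 1


@dataclass
class Risk:
    risk_id: str
    description: str
    iso_section: str            # ISO/IEC 27002 section the risk maps to
    consequence: dict           # impact area -> level 1-5 (slide 19 table)
    likelihood: int             # 1-5, given current controls (residual)
    treatment_cost: float = 0.0 # estimated cost to treat (constructed)
    expected_loss: float = 0.0  # estimated loss if left untreated (constructed)

    def consequence_level(self):
        """Worst case across impact areas: a level-5 reputation hit makes the
        risk catastrophic even if the monetary impact is minor (assumed rule)."""
        for area in IMPACT_AREAS:
            if self.consequence.get(area) not in CONSEQUENCE:
                raise ValueError(f"{self.risk_id}: bad consequence level for {area}")
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"{self.risk_id}: bad likelihood {self.likelihood}")
        return max(self.consequence[a] for a in IMPACT_AREAS)

    def residual_score(self):
        return self.consequence_level() * self.likelihood


def treatment_decision(risk, accept_bands=("Low",)):
    """Apply 4.2: test the risk against the agreed acceptance criteria and
    return a recordable decision with its reason."""
    band = rating_band(risk.residual_score())
    if band in accept_bands:
        return {"action": "accept", "reason": f"{band} risk is within acceptance criteria"}
    if band != "High" and risk.treatment_cost > risk.expected_loss:
        return {"action": "accept", "reason": "treatment not cost-effective: cost exceeds expected loss"}
    return {"action": "treat", "priority": 1 if band == "High" else 2,
            "reason": f"{band} risk exceeds acceptance criteria"}


def score_register(risks):
    """Rows sorted by residual score, highest first, for tracking and reporting."""
    rows = []
    for r in risks:
        score = r.residual_score()
        rows.append({"id": r.risk_id, "section": r.iso_section,
                     "consequence": CONSEQUENCE[r.consequence_level()],
                     "likelihood": LIKELIHOOD[r.likelihood],
                     "score": score, "rating": rating_band(score),
                     **treatment_decision(r)})
    return sorted(rows, key=lambda row: row["score"], reverse=True)


# Constructed sample register (not from the presentation).
SAMPLE_REGISTER = [
    Risk("R-01", "Shared administrator accounts on the core application",
         "11 Access Control",
         {"monetary": 3, "operational": 3, "reputation": 4, "employee": 2},
         likelihood=4, treatment_cost=40_000, expected_loss=250_000),
    Risk("R-02", "Backup tapes transported off-site unencrypted",
         "10 Communications and Operations Management",
         {"monetary": 2, "operational": 2, "reputation": 5, "employee": 1},
         likelihood=2, treatment_cost=15_000, expected_loss=120_000),
    Risk("R-03", "Visitors not escorted in the server room",
         "9 Physical and Environmental Security",
         {"monetary": 1, "operational": 2, "reputation": 1, "employee": 1},
         likelihood=3, treatment_cost=60_000, expected_loss=8_000),
    Risk("R-04", "Asset inventory spreadsheet missing the owner field",
         "7 Asset Management",
         {"monetary": 1, "operational": 1, "reputation": 1, "employee": 1},
         likelihood=4, treatment_cost=2_000, expected_loss=1_000),
]

if __name__ == "__main__":
    for row in score_register(SAMPLE_REGISTER):
        print(f"{row['id']} {row['rating']:4} {row['score']:2} -> {row['action']}: {row['reason']}")
```

The point of keeping the reason string on every decision is the last sentence of 4.2: an accepted risk with no recorded rationale is what auditors flag when they read the register back. R-02 also shows why the worst impact area should set the consequence level: a likelihood of 2 still lands it in High because the reputation impact is catastrophic.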
Slide 20: Tracking & Reporting

Slide 21: Tracking & Reporting

Slide 22: Tracking & Reporting (Example Only)
A. Organization of Information Security – x.x
B. Asset Management – x.x
C. Human Resources Security – x.x
D. Physical & Environmental Security – x.x
E. Communications & Operations Management – x.x
F. Access Control – x.x
G. Information Systems Acquisition, Development & Maintenance – x.x
H. Information Security Incident Management – x.x
I. Business Continuity Management – x.x
J. Compliance – x.x

Slide 23: The Next Steps…

Slide 24: ...The Next Steps
"This @*%!'s chess, it ain't checkers!" - Alonzo Harris (Denzel Washington)

Slide 25: The Next Steps…

Slide 26: The Next Steps – Program Development
Slide 27: Information Security Job Practice
Domain 1: Information Security Governance
Establish and maintain a framework to provide assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations.
• Develop an information security strategy aligned with business goals and objectives.
• Align information security strategy with corporate governance.
• Develop business cases justifying investment in information security.
• Identify current and potential legal and regulatory requirements affecting information security.
• Identify drivers affecting the organization (e.g., technology, business environment, risk tolerance, geographic location) and their impact on information security.
• Obtain senior management commitment to information security.
• Define roles and responsibilities for information security throughout the organization.
• Establish internal and external reporting and communication channels that support information security.

Slide 28: Information Security Job Practice
Domain 2: Information Risk Management
Identify and manage information security risks to achieve business objectives.
• Establish a process for information asset classification and ownership.
• Implement a systematic and structured information risk assessment process.
• Ensure that business impact assessments are conducted periodically.
• Ensure that threat and vulnerability evaluations are performed on an ongoing basis.
• Identify and periodically evaluate information security controls and countermeasures to mitigate risk to acceptable levels.
• Integrate risk, threat and vulnerability identification and management into life cycle processes (e.g., development, procurement and employment life cycles).
• Report significant changes in information risk to appropriate levels of management for acceptance on both a periodic and event-driven basis.

Slide 29: Information Security Job Practice
Domain 3: Information Security Program Development
Create and maintain a program to implement the information security strategy.
• Develop and maintain plans to implement the information security strategy.
• Specify the activities to be performed within the information security program.
• Ensure alignment between the information security program and other assurance functions (e.g., physical, HR, quality, IT).
• Identify internal and external resources (e.g., finances, people, equipment, systems) required to execute the information security program.
• Ensure the development of information security architectures (e.g., people, processes, technology).
• Establish, communicate and maintain information security policies that support the security strategy.
• Design and develop a program for information security awareness, training and education.
• Ensure the development, communication and maintenance of standards, procedures and other documentation (e.g., guidelines, baselines, codes of conduct) that support information security policies.
• Integrate information security requirements into the organization's processes (e.g., change control, mergers and acquisitions) and life cycle activities (e.g., development, employment, procurement).
• Develop a process to integrate information security controls into contracts (e.g., with joint ventures, outsourced providers, business partners, customers, third parties).
• Establish metrics to evaluate the effectiveness of the information security program.

Slide 30: Information Security Job Practice
Domain 4: Information Security Program Management
Oversee and direct information security activities to execute the information security program.
• Manage internal and external resources (e.g., finances, people, equipment, systems) required to execute the information security program.
• Ensure that processes and procedures are performed in compliance with the organization's information security policies and standards.
• Ensure that the information security controls agreed to in contracts (e.g., with joint ventures, outsourced providers, business partners, customers, third parties) are performed.
• Ensure that information security is an integral part of the systems development process.
• Ensure that information security is maintained throughout the organization's processes (e.g., change control, mergers and acquisitions) and life cycle activities (e.g., development, employment, procurement).
• Provide information security advice and guidance (e.g., risk analysis, control selection) to the organization.
• Provide information security awareness, training and education to stakeholders (e.g., business process owners, users, information technology).
• Monitor, measure, test and report on the effectiveness and efficiency of information security controls and compliance with information security policies.
• Ensure that noncompliance issues and other variances are resolved in a timely manner.

Slide 31: Information Security Job Practice
Domain 5: Incident Management & Response
Plan, develop and manage a capability to detect, respond to and recover from information security incidents.
• Develop and implement processes for detecting, identifying, analyzing and responding to information security incidents.
• Establish escalation and communication processes and lines of authority.
• Develop plans to respond to and document information security incidents.
• Establish the capability to investigate information security incidents (e.g., forensics, evidence collection and preservation, log analysis, interviewing).
• Develop a process to communicate with internal parties and external organizations (e.g., media, law enforcement, customers).
• Integrate information security incident response plans with the organization's Disaster Recovery (DR) and Business Continuity Plan (BCP).
• Organize, train and equip teams to respond to information security incidents.
• Periodically test and refine information security incident response plans.
• Manage the response to information security incidents.
• Conduct reviews to identify causes of information security incidents, develop corrective actions and reassess risk.

Slide 32: CISM: Information Security Job Practice
• The CISM certification program is developed specifically for experienced information security managers and those who have information security management responsibilities.
• The management-focused CISM is a unique certification for individuals who design, build and manage enterprise information security programs. The CISM certification promotes international practices, and individuals earning the CISM become part of an elite peer network, attaining a one-of-a-kind credential.

Slide 33: Thank You!
Michael Leung, CRISC, CGEIT, CISM, CISA, CISSP-ISSMP
ISACA Vancouver Chapter
www.isaca-vancouver.org