
The use of standards to tackle emerging information security risks




  1. The use of standards to tackle emerging information security risks Suzanne Fribbins EMEA Product Marketing Manager - Risk

  2. Who is BSI? – 10 fast facts
     • No owners/shareholders … all profit reinvested into the business
     • Global independent business services organization
     • Founded in 1901
     • Standards, assessment, testing, certification, training, software
     • National Standards Body in the UK
     • #1 certification body in the UK and USA
     • >2,900 staff, >50% non-UK
     • 65 offices located around the world
     • Trained over 73,000 people worldwide in 2012
     • 70,000 clients in 150 countries

  3. The changing information security risk landscape

  5. New security challenges

  7. Key information security statistics
     • Recent government research found that 93% of large organizations and 87% of small businesses suffered a breach last year (up more than 10% on the previous year)
     • The impact of emerging technologies on information security is starting to show. The 2013 PwC Information Security Breaches Survey found:
       • 14% of large organisations had a security breach relating to social networking sites
       • 9% had a breach relating to smartphones or tablets
       • 4% of respondents had a security or data breach in the last year relating to one of their cloud computing services
     Source: 2013 Information Security Breaches Survey

  8. Increasing regulatory compliance
     • Concern about security risks and their impact on citizen data has triggered a wave of regulatory compliance, with progressively heavier penalties for personal data breaches
     • Increased ICO activity (34 fines in just over two years) relating to:
       • Emailing sensitive personal information to the wrong recipients
       • Mailing sensitive information to the wrong recipient(s)
       • Faxing information to incorrect number(s)
       • Personal information mistakenly published on public website(s)
       • Loss of unencrypted laptops
       • Loss of unencrypted memory sticks and DVDs
       • Theft of sensitive paper records from a mobile worker
       • Insecure disposal of sensitive personal records
       • Sensitive information left on disused IT equipment

  9. Global growth in certification (chart: 12%, 21%, 40%)

  10. Information Security Breaches Survey 2013 - PwC
      • 76% of large respondents and 36% of smaller organizations have implemented ISO 27001 at least partially
      • 85% of large organisations and 61% of small businesses have been asked by their customers to comply with security standards
      • 45% of large organisations have specifically been asked for ISO 27001 compliance
      Source: 2013 Information Security Breaches Survey

  11. What is happening in the ISO 27000 suite to address the changing risk landscape? “The ISO 27000s are the ones you want to be looking for” (Paul Simmonds, co-founder of the Jericho Forum, ex-CIO of AstraZeneca, 2011)

  12. The ISO 27000 series


  17. Cloud security – how can standards help?
      • Understand the chain-of-custody risk to the data:
        • when you put it into the cloud
        • how the supplier maintains it and backs it up
        • how you can prove your data has been destroyed if you choose to move to a new supplier

  18. ISO 27001: Requirements for an information security management system (revision due 2013; ISO 27001 will continue to be the certification standard for information security)
      ISO 27002: Code of practice for information security management (revision due 2013)

  19. ISO 27001: Requirements for an information security management system
      ISO 27002: Code of practice for information security management
      Security in cloud computing (due 2014; will include cloud-specific controls in addition to those recommended in the new ISO 27002; the standard is supported by the Cloud Security Alliance)

  20. Other standards initiatives

  21. PAS 555
      • The focus of PAS 555 is cyber security
      • Looks at cyber security at the organizational level
      • Outcomes based: provides a framework that enables understanding of the broad scope of capabilities required
      • Other standards and guidelines that tackle cyber security risk tend to define good practice as to how effective cyber security might be achieved
      • PAS 555 does not specify such processes or actions


  23. Cloud Security STAR certification
      • ISO 27001 is widely recognised and respected
      • “Users should look for the providers to be 27001 certified” (John Pescatore, Gartner Cloud Analyst, 2011)
      • Perception: insufficient focus on detail in certain areas of security for particular sectors
      • ISO 27001 is written with the expectation that additional controls can be added
      • Developed by the CSA, the Cloud Controls Matrix (CCM) bridges this gap, providing focus on critical controls for cloud security
      • In addition, it is felt that a pass/fail approach does not allow cloud service purchasers to make informed decisions

  24. How was the CCM developed?
      • Joint agreement signed between CSA and BSI in August 2012
      • CCM initially developed by CSA
      • Working group assembled to further develop the CCM using a consensus-based model
      • Expertise in maturity modelling provided by BSI

  25. STAR Certification: ISO 27001 + CCM + Maturity Model = STAR

  26. Cloud controls – what are they about?

  27. Audience, key drivers, benefits
      • Scheme available to any organization providing cloud services that has certified, or is in the process of certifying, to ISO 27001
      • The scope of the ISO 27001 certification must not be less than the scope of the STAR certification
      • STAR certification ensures that:
        • specific issues critical to cloud services have been addressed
        • this has been independently checked and verified by a third party
      • Encourages CSPs to move beyond compliance to continual improvement
      • The management capability model gives management visibility of the effectiveness of controls, and allows performance to be benchmarked and improvements tracked year on year

  28. STAR Certification: General Management System + Cloud Specific Controls = well MANAGED and FOCUSED system

  29. Approving assessors (STAR Assessor)

  30. Revision of ISO 27001
      ISO 27001 is “increasingly becoming the lingua franca for information security”
      Source: Information Security Breaches Survey 2010 - PwC

  31. ISO 27001 revision: status report
      • ISO 27001:2005 has been undergoing revision
      • Draft International Standard (DIS) released to the National Standards Bodies on 16 January 2013
      • Consultation closed 23 March 2013
      • The DIS passed its ballot at the meeting of the ISO committee in April
      • A Final Draft International Standard (FDIS) will follow
      • Publication is expected toward the end of 2013

  32. What can you expect from the new ISO 27001?
      • The standard has been written in accordance with Annex SL
      • Definitions in the 2005 version have been removed and relocated to ISO 27000
      • There have been changes to the terminology used
      • Requirements for management commitment have been revised and are presented in the Leadership clause
      • Preventive action has been replaced with “actions to address risks and opportunities”
      • The risk assessment requirements are more general
      • SoA (Statement of Applicability) requirements are similar, but with more clarity on the determination of controls by the risk treatment process
      • The new standard puts greater emphasis on setting objectives, monitoring performance and metrics

  33. ISO 27001 structure

  34. Controls

  35. Questions?

  36. Contact us
