Section 2: standards and models Information Security Management
Information Security Management Systems Information Security Management
SYSTEM: a set of things working together as parts of a mechanism or an interconnecting network.
International Organization for Standardization • ISO is based in Geneva, Switzerland (http://www.iso.org) • Founded in 1947 • 146 member nations • 1 member per country (represented through national standards organization – ANSI, DIN, SABS, etc) • 13700 standards, 3000 technical bodies, 30000 experts
International Organization for Standardization • ISO is an NGO, unlike the UN • Delegates are not national governments, although they may be mandated by a government • Roots in the private sector and industry associations • All ISO standards are based on consensus • ISO’s work involves all relevant stakeholders and includes experts from industry and commerce, government, consumers, labour, academia, standards application and NGOs.
International Organization for Standardization • ISO is the world's largest developer of standards. • Because "International Organization for Standardization" would have different abbreviations in different languages ("IOS" in English, "OIN" in French), it was decided at the outset to use a word derived from the Greek ISOS, meaning "equal". • Therefore, whatever the country, whatever the language, the short form of the organization's name is always ISO.
International Organization for Standardization • Full members (or member bodies) influence ISO standards development and strategy by participating and voting in ISO technical and policy meetings. Full members sell and adopt ISO International Standards nationally. • Correspondent members observe the development of ISO standards and strategy by attending ISO technical and policy meetings as observers. Correspondent members can sell and adopt ISO International Standards nationally. • Subscriber members keep up to date on ISO’s work but cannot participate in it. They do not sell or adopt ISO International Standards nationally.
The ISO system (at June 2007) • 156 national members • Consensus at two levels: amongst global experts, and amongst countries through the ISO members • Catalogue of more than 16 000 published standards • 685 active committees, 3000 technical bodies, 50 000 experts • Central Secretariat in Geneva, 150 staff • Supporting infrastructure: IT tools, standards development procedures, consensus building, dissemination
Some standard families • ISO 9000: a family addressing various aspects of quality management; contains some of ISO’s best known standards. • ISO 14000: a series of environmental management standards. • ISO/TS 16949: automotive quality management (a technical specification built on ISO 9001). • ISO/IEC 17799 (renumbered ISO/IEC 27002 in 2007): a code of practice for information security management. • OHSAS 18001: an occupational health and safety management system specification (published by BSI; not an ISO standard, although often listed alongside them).
The ISO contribution to conformity assessment • World Standards Cooperation (WSC): the leading international standards bodies (ISO; IEC for electrotechnology; ITU for telecommunications) • They collaborate to meet the challenges of converging technologies • Use of common conformity assessment standards • Multi-discipline and cross-sector work, including conformity assessment
History and Development of ISMS • 1995: BS 7799 Part 1 • 1998: BS 7799 Part 2 • 1999: updated version of BS 7799 Parts 1 and 2; Swedish standards SS 62 77 99 Parts 1 and 2 • December 2000: ISO/IEC 17799:2000 • 2001: review of BS 7799-2 • September 2002: updated version of BS 7799-2 (revised and corrected)
The purpose of BS 7799 • The purpose of BS 7799 is to assure the confidentiality, integrity and availability of information assets for you but, more importantly, for your customers. • Assurance is attained through controls that management creates and maintains within the organization. To do this BS 7799 defines a process that, on completion, provides the basis for the whole of the Information Security Management System.
The purpose of BS 7799 • The key factors of this process are as follows: • Define a security policy • Define the scope of the ISMS • Undertake a risk assessment • Manage the risk • Select control objectives and controls to be implemented • Prepare a statement of applicability.
The Ten Key Controls of BS 7799 The ten control areas identified by BS 7799 for the implementation of a successful information security program are: security policy; organizational security; asset classification and control; personnel security; physical and environmental security; communications and operations management; access control; information systems development and maintenance; business continuity management; compliance. Together these areas serve the three goals of confidentiality, integrity and availability. The degree of assurance required is attained through controls that management creates and maintains within the organization.
BS 7799 Part 1, 10 Areas: To have and to hold • Security policy: Adopting a security process that outlines an organization's expectations for security, which can then demonstrate management's support of and commitment to security. Provide guidelines and management advice for improving information security. • Security organization: Having a management structure for security, including appointing security coordinators, delegating security management responsibilities and establishing a security incident response process. Facilitate information security management within the organization.
10 Areas: To have and to hold • Asset classification and control: Conducting a detailed assessment and inventory of an organization's information infrastructure and information assets to determine an appropriate level of security. Carry out an inventory of assets and protect these assets effectively. • Personnel security: Making security a key component of human resources and business operations. This includes writing security expectations into job responsibilities (IT admins and end users), screening new personnel for criminal histories, using confidentiality agreements when dealing with sensitive information and having a reporting process for security incidents. Minimize the risks of human error, theft, fraud or the abusive use of equipment.
10 Areas: To have and to hold • Physical and environmental security: Establishing a policy that protects the IT infrastructure, physical plant and employees. This includes controlling building access, having backup power supplies, performing routine equipment maintenance and securing off-site equipment. Prevent the violation, deterioration or disruption of industrial facilities and data. • Communications and operations management: Preventing security incidents by implementing preventive measures, such as using antivirus protection, maintaining and monitoring logs, securing remote connections and having incident response procedures. Ensure the adequate and reliable operation of information processing devices.
10 Areas: To have and to hold • Access control: Protecting against internal abuses and external intrusions by controlling access to network and application resources through such measures as password management, authentication and event logging. Control access to information. • Systems development and maintenance: Ensuring that security is an integral part of any network deployment or expansion, and that existing systems are properly maintained. Ensure that security is incorporated into information systems.
10 Areas: To have and to hold • Business continuity management: Planning for disasters--natural and man-made--and recovering from them. Minimize the impact of business interruptions and protect the company’s essential processes from failure and major disasters. • Compliance: Complying with any applicable regulatory and legal requirements. Avoid any breach of criminal or civil law, of statutory or contractual requirements, and of security requirements.
The Ten Key Controls of BS 7799 The slide groups the ten areas into organizational and operational controls: 1. Security policy 2. Organizational security 3. Asset classification and control 4. Personnel security 5. Physical and environmental security 6. Communications and operations management 7. Access control 8. Systems development and maintenance 9. Business continuity management 10. Compliance
The ISO/IEC 27000 family • ISO/IEC 27001:2005, Information security management systems: Requirements • ISO/IEC 27002:2005, Code of practice for information security management • ISO/IEC 27003, Information security management system implementation guidance • ISO/IEC 27004, Information security management: Measurement • ISO/IEC 27005, Information security risk management • ISO/IEC 27006, Requirements for bodies providing audit and certification of information security management systems
Section 3 : ISO 27001 Information Security Management
Is it ISO or just BS? • ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. • National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. • ISO and IEC technical committees collaborate in fields of mutual interest.
Is it ISO or just BS? • In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. • The main task of the joint technical committee is to prepare International Standards. • Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. • Publication as an International Standard requires approval by at least 75% of the national bodies casting a vote.
General points- Goals: • This International Standard has been prepared to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS).
General points- Goals: • The adoption of an ISMS should be a strategic decision for an organization. • The design and implementation of an organization’s ISMS is influenced by its needs and objectives, security requirements, the processes employed and the size and structure of the organization.
Process Approach • This International Standard adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's ISMS. • Any activity using resources and managed in order to enable the transformation of inputs into outputs can be considered to be a process. Often the output from one process directly forms the input to the next process.
Process Approach • The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management, can be referred to as a “process approach”.
Process Approach • The process approach for information security management presented in this International Standard encourages its users to emphasize the importance of: • a) understanding an organization’s information security requirements and the need to establish policy and objectives for information security; • b) implementing and operating controls to manage an organization's information security risks in the context of the organization’s overall business risks; • c) monitoring and reviewing the performance and effectiveness of the ISMS; • d) continual improvement based on objective measurement.
PDCA model • This International Standard adopts the "Plan-Do-Check-Act" (PDCA) model, which is applied to structure all ISMS processes.
[Figure: PDCA model applied to ISMS processes (BS ISO/IEC 27001:2005). Interested parties supply information security requirements and expectations as input; Plan (establish the ISMS), Do (implement and operate the ISMS), Check (monitor and review the ISMS) and Act (maintain and improve the ISMS) form the development, maintenance and improvement cycle; the output delivered to interested parties is managed information security.]
PDCA Model Applied to ISMS • Plan (establish the ISMS) • Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization’s overall policies and objectives. • Do (implement and operate the ISMS) • Implement and operate the ISMS policy, controls, processes and procedures. • Check (monitor and review the ISMS) • Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience and report the results to management for review. • Act (maintain and improve the ISMS) • Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.
ISMS: General requirements: • The organization shall establish, implement, operate, monitor, review, maintain and improve a documented ISMS within the context of the organization’s overall business activities and the risks it faces. • For the purposes of this International Standard the process used is based on the PDCA model.
Establishing the ISMS • Define the scope and boundaries of the ISMS (in terms of characteristics of the business, location, assets, technology, …) • Define an ISMS policy (in terms of characteristics of the business, location, assets, technology, …) that: • includes a framework for setting objectives and establishes an overall sense of direction and principles for action with regard to information security; • takes into account business and legal or regulatory requirements, and contractual security obligations; • aligns with the organization’s strategic risk management context in which the establishment and maintenance of the ISMS will take place; • establishes criteria against which risk will be evaluated; • has been approved by management.
Establishing the ISMS • Define the risk assessment approach of the organization • Identify a risk assessment methodology that is suited to the ISMS, and the identified business information security, legal and regulatory requirements. • Develop criteria for accepting risks and identify the acceptable levels of risk. • Identify the risks • Identify the assets within the scope of the ISMS, and the owners of these assets. • Identify the threats to those assets. • Identify the vulnerabilities that might be exploited by the threats. • Identify the impacts that losses of confidentiality, integrity and availability may have on the assets. RISK ASSESSMENT: overall process of risk analysis and risk evaluation
Establishing the ISMS • Analyze and evaluate the risks • Assess the business impacts upon the organization that might result from security failures, taking into account the consequences of a loss of confidentiality, integrity or availability of the assets. • Assess the realistic likelihood of security failures occurring in the light of prevailing threats and vulnerabilities, the impacts associated with these assets, and the controls currently implemented. • Estimate the levels of risk. • Determine whether the risks are acceptable or require treatment.
Establishing the ISMS • Identify and evaluate options for the treatment of risks: • applying appropriate controls; • knowingly and objectively accepting risks, provided they clearly satisfy the organization’s policies and the criteria for accepting risks; • avoiding risks; • transferring the associated business risks to other parties, e.g. insurers, suppliers. RISK TREATMENT: process of selection and implementation of measures to modify risk
Establishing the ISMS • Select control objectives and controls for the treatment of risks. • Control objectives and controls shall be selected and implemented to meet the requirements identified by the risk assessment and risk treatment process. This selection shall take account of the criteria for accepting risks as well as legal, regulatory and contractual requirements. • The control objectives and controls shall be selected as part of this process as suitable to cover the identified requirements.
Establishing the ISMS • Obtain management approval of the proposed residual risks • Obtain management authorization to implement and operate the ISMS • Prepare a Statement of Applicability covering: • the control objectives and controls selected and the reasons for their selection; • the control objectives and controls currently implemented; • the exclusion of any control objectives and controls, with the justification for their exclusion. SOA: documented statement describing the control objectives and controls that are relevant and applicable to the organization’s ISMS.
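The risk assessment, risk treatment and Statement of Applicability steps above describe one procedure. The following Python script is an added example that walks through that procedure end to end; it is not taken from the slides, from BS 7799 or from ISO/IEC 27001, and everything in it is an assumption made for illustration: the 1..5 ordinal scales for impact and likelihood, the rule risk = impact x likelihood, the acceptance criterion of 6, the control references C1..C5 (not Annex A numbering) and the four entries in the risk register. What the standard requires the organization to decide (scales, criteria, which controls exist) is therefore hard-coded here so the treatment logic can be followed.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Assumed scales and acceptance criterion (every organization sets its own):
# impact and likelihood are scored 1..5, risk level = impact * likelihood,
# and a level of 6 or below is acceptable without further treatment.
ACCEPTABLE_RISK = 6


@dataclass(frozen=True)
class Control:
    ref: str                     # illustrative reference, not Annex A numbering
    name: str
    applies_to: FrozenSet[str]   # threats this control mitigates
    likelihood_reduction: int = 0
    impact_reduction: int = 0

    @property
    def strength(self) -> int:
        return self.likelihood_reduction + self.impact_reduction


@dataclass
class Risk:
    asset: str
    owner: str
    threat: str
    vulnerability: str
    impact: int        # consequence of a loss of C, I or A for this asset
    likelihood: int    # realistic likelihood given controls already in place
    selected: List[Control] = field(default_factory=list)
    treatment: str = "untreated"

    @property
    def inherent(self) -> int:
        return self.impact * self.likelihood

    @property
    def residual(self) -> int:
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.selected))
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.selected))
        return imp * lik


def treat_risk(risk: Risk, catalogue: List[Control]) -> Risk:
    """Pick a treatment: accept, modify with controls, or escalate to management."""
    if risk.inherent <= ACCEPTABLE_RISK:
        risk.treatment = "accept"          # within criteria: knowingly accepted
        return risk
    candidates = sorted((c for c in catalogue if risk.threat in c.applies_to),
                        key=lambda c: c.strength, reverse=True)
    for control in candidates:             # strongest applicable control first
        risk.selected.append(control)
        if risk.residual <= ACCEPTABLE_RISK:
            risk.treatment = "modify"
            return risk
    # Available controls do not bring the risk within criteria: management must
    # explicitly approve the residual risk, transfer it (insurer, supplier) or
    # avoid it (stop the activity). That decision is recorded, not automated.
    risk.treatment = "escalate"
    return risk


def statement_of_applicability(risks: List[Risk], catalogue: List[Control]) -> Dict[str, dict]:
    """SoA: every catalogue control with its selection or exclusion justified."""
    soa = {}
    for control in catalogue:
        assets = [r.asset for r in risks if control in r.selected]
        soa[control.ref] = {
            "name": control.name,
            "applicable": bool(assets),
            "justification": (f"selected to treat risk to: {', '.join(assets)}" if assets
                              else "no identified risk within the ISMS scope requires it"),
        }
    return soa


def run_assessment() -> Tuple[List[Risk], Dict[str, dict]]:
    # Constructed catalogue and register, for illustration only.
    catalogue = [
        Control("C1", "Multi-factor remote log-on", frozenset({"credential theft"}), likelihood_reduction=3),
        Control("C2", "Tested off-line backups", frozenset({"ransomware"}), impact_reduction=2),
        Control("C3", "Technical vulnerability management", frozenset({"ransomware", "web defacement"}), likelihood_reduction=2),
        Control("C4", "Raised equipment siting", frozenset({"flood"}), impact_reduction=1),
        Control("C5", "Clear desk policy", frozenset({"paper document loss"})),
    ]
    register = [
        Risk("customer database", "Head of Sales", "credential theft", "single-factor VPN login", impact=5, likelihood=4),
        Risk("file server", "IT Operations", "ransomware", "unpatched SMB service", impact=4, likelihood=4),
        Risk("server room", "Facilities", "flood", "basement location", impact=5, likelihood=2),
        Risk("public web site", "Marketing", "web defacement", "outdated CMS plugin", impact=3, likelihood=3),
    ]
    risks = [treat_risk(r, catalogue) for r in register]
    return risks, statement_of_applicability(risks, catalogue)


if __name__ == "__main__":
    risks, soa = run_assessment()
    for r in risks:
        print(f"{r.asset:18} inherent={r.inherent:2} residual={r.residual:2} "
              f"treatment={r.treatment:8} controls={[c.ref for c in r.selected]}")
    for ref, entry in soa.items():
        print(ref, "included" if entry["applicable"] else "excluded", "-", entry["justification"])
```

Running it shows the three outcomes the slides list: the public web site risk is brought within criteria by a single control, the file server needs two layered controls (backups alone leave the level at 8), and the server room flood risk stays at 8 after the only applicable control, so it is flagged for the management approval of residual risk that the standard requires before the ISMS is authorized. The clear desk policy appears in the SoA as excluded with a justification, which is exactly what an auditor looks for.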
Implement & operate the ISMS • Formulate a risk treatment plan that identifies the appropriate management action, resources, responsibilities and priorities for managing information security risks. • Implement the risk treatment plan in order to achieve the identified control objectives, which includes consideration of funding and allocation of roles and responsibilities. • Implement selected controls to meet the control objectives.
Implement & operate the ISMS • Define how to measure the effectiveness of the selected controls or groups of controls and specify how these measurements are to be used to assess control effectiveness, so as to produce comparable and reproducible results. • Implement training and awareness programs • Manage operation of the ISMS. • Manage resources for the ISMS • Implement procedures and other controls capable of enabling prompt detection of security events and response to security incidents.
Monitor & Review the ISMS • Execute monitoring and reviewing procedures and other controls to: • promptly detect errors in the results of processing; • promptly identify attempted and successful security breaches and incidents; • enable management to determine whether the security activities delegated to people or implemented by information technology are performing as expected; • help detect security events and thereby prevent security incidents by the use of indicators; and • determine whether the actions taken to resolve a breach of security were effective.
Monitor & Review the ISMS • Undertake regular reviews of the effectiveness of the ISMS (including meeting ISMS policy and objectives, and review of security controls) • Measure the effectiveness of controls to verify that security requirements have been met.
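The "Implement & operate" requirement to define control effectiveness measurements with comparable, reproducible results, and the "Monitor & Review" requirement to promptly identify attempted and successful breaches by means of indicators, are easiest to see against concrete data. The script below is an added example and not part of the slides or of ISO/IEC 27001; the log format, the constructed log lines, the five-failures-in-two-minutes threshold and the "share of successful logins that used MFA" measure are all assumptions chosen for illustration. It parses the log deterministically, reports any lines it could not parse (so the measurement is reproducible rather than silently lossy), computes one effectiveness measure and one breach indicator, and separates attempted from successful breaches.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample authentication log (not taken from any real system).
SAMPLE_LOG = """\
2024-03-04T09:00:01Z auth user=alice result=success mfa=yes src=10.0.0.5
2024-03-04T09:00:10Z auth user=bob result=failure mfa=no src=203.0.113.9
2024-03-04T09:00:20Z auth user=bob result=failure mfa=no src=203.0.113.9
2024-03-04T09:00:30Z auth user=bob result=failure mfa=no src=203.0.113.9
2024-03-04T09:00:40Z auth user=bob result=failure mfa=no src=203.0.113.9
2024-03-04T09:00:50Z auth user=bob result=failure mfa=no src=203.0.113.9
2024-03-04T09:01:05Z auth user=bob result=success mfa=no src=203.0.113.9
2024-03-04T09:15:00Z auth user=carol result=success mfa=yes src=10.0.0.6
2024-03-04T09:20:00Z auth user=dave result=failure mfa=no src=10.0.0.7
2024-03-04T09:20:30Z auth user=dave result=success mfa=no src=10.0.0.7
"""

# Assumed line format: "<ISO-8601 UTC> auth user=<u> result=<success|failure> mfa=<yes|no> src=<ip>"
LINE = re.compile(r"^(?P<ts>\S+) auth user=(?P<user>\S+) result=(?P<result>\S+) "
                  r"mfa=(?P<mfa>yes|no) src=(?P<src>\S+)$")


def parse(log_text: str) -> Tuple[List[dict], int]:
    """Return parsed records plus the number of lines that did not match."""
    records, skipped = [], 0
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            skipped += 1            # counted, so two runs on the same input agree
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records, skipped


def mfa_coverage(records: List[dict]) -> float:
    """Effectiveness measure for a secure log-on control: share of successful logins that used MFA."""
    successes = [r for r in records if r["result"] == "success"]
    if not successes:
        return 0.0
    return sum(r["mfa"] == "yes" for r in successes) / len(successes)


def brute_force_events(records: List[dict], threshold: int = 5,
                       window: timedelta = timedelta(minutes=2)) -> List[tuple]:
    """Indicator of an attempted breach: `threshold` failures for one (user, src) inside `window`."""
    failures: Dict[tuple, List[datetime]] = defaultdict(list)
    for r in records:
        if r["result"] == "failure":
            failures[(r["user"], r["src"])].append(r["ts"])
    events = []
    for (user, src), stamps in failures.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                events.append((user, src, stamps[i], stamps[i + threshold - 1]))
                break               # one event per (user, src) is enough for the indicator
    return events


def successful_breach_candidates(records: List[dict], events: List[tuple],
                                 window: timedelta = timedelta(minutes=2)) -> List[tuple]:
    """Attempted vs successful: a success from the same (user, src) shortly after a burst."""
    hits = []
    for user, src, _, last_failure in events:
        for r in records:
            if ((r["user"], r["src"], r["result"]) == (user, src, "success")
                    and last_failure <= r["ts"] <= last_failure + window):
                hits.append((user, src, r["ts"]))
    return hits


def measure(log_text: str = SAMPLE_LOG) -> dict:
    """One reproducible measurement run over a log extract."""
    records, skipped = parse(log_text)
    events = brute_force_events(records)
    return {
        "records": len(records),
        "unparsed_lines": skipped,
        "mfa_coverage": mfa_coverage(records),
        "brute_force_events": events,
        "successful_breach_candidates": successful_breach_candidates(records, events),
    }


if __name__ == "__main__":
    for key, value in measure().items():
        print(f"{key}: {value}")
```

On the constructed log the MFA coverage measure is 0.5, which management can compare against a target and against last quarter's figure; the indicator fires once (bob from 203.0.113.9) and the follow-up success from the same source without MFA turns an attempted breach into a candidate incident that the review step must confirm and the corrective-action step must close.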
Monitor & Review the ISMS • Review risk assessments at planned intervals and review the residual risks and the identified acceptable levels of risks, taking into account changes to: • the organization; • technology; • business objectives and processes; • identified threats; • effectiveness of the implemented controls; and • external events, such as changes to the legal or regulatory environment, changed contractual obligations, and changes in social climate.
Monitor & Review the ISMS • Conduct internal ISMS audits at planned intervals • Undertake a management review of the ISMS on a regular basis to ensure that the scope remains adequate and improvements in the ISMS process are identified. • Update security plans to take into account the findings of monitoring and reviewing activities. • Record actions and events that could have an impact on the effectiveness or performance of the ISMS.
Maintain & Improve the ISMS • Implement the identified improvements in the ISMS. • Take appropriate corrective and preventive actions. Apply the lessons learnt from the security experiences of other organizations and those of the organization itself. • Communicate the actions and improvements to all interested parties with a level of detail appropriate to the circumstances and, as relevant, agree on how to proceed. • Ensure that the improvements achieve their intended objectives.
Document Requirements • Documentation shall include records of management decisions, ensure that actions are traceable to management decisions and policies, and ensure that the recorded results are reproducible.
The ISMS documentation shall include: • documented statements of the ISMS policy and objectives; • the scope of the ISMS; • procedures and controls in support of the ISMS; • a description of the risk assessment methodology; • the risk assessment report; • the risk treatment plan; • documented procedures needed by the organization to ensure the effective planning, operation and control of its information security processes, and to describe how to measure the effectiveness of controls; • records required by this International Standard; • the Statement of Applicability.