Information Security Standard ISO/IEC 27000 and ISO/IEC 27001
Information Security assignment, MCI 2012/13. Lecturer: José Manuel de Magalhães Cruz. Faculdade de Engenharia da Universidade do Porto, Master's in Information Science (Mestrado em Ciência da Informação).
Information Security
Increased dependence of firms on information technologies and systems + Web Evaluation + proliferation of information.
• Access control to information is a fundamental requirement of organizational systems;
• Establishing a security policy;
• Managing information security risks, so that information is not denied or made unavailable, lost, destroyed or damaged, disclosed without authorization, or stolen.
Topics: Information Security; Information Security Management Systems.
Information Security
Ensuring the protection and preservation of existing information in any format; risk analysis to identify all the risks that threaten the information, and pointing to solutions that eliminate, minimize or transfer those risks. Beal (2005, p. 71) defines Information Security as "the process of protecting information from threats to ensure the integrity, availability and confidentiality."
CONFIDENTIALITY, INTEGRITY, AVAILABILITY, AUTHENTICITY
Threats are all situations that put information security in question:
• Natural phenomena
• Human causes (theft and fraud)
• Technical defects (hardware and software failures)
• Deliberate attacks (hackers, virus disseminators, among others)
Information Security
Access Control: controls which persons are authorized to enter a certain location, logs the date and time of access, and decides which permissions each user has.
Intrusion Detection: alerts administrators to potential intruders entering the systems. These systems attempt to recognize intrusive behaviour or actions.
Encryption: the art of encoding that enables a reversible transformation of information in order to make it unintelligible to third parties.
Digital Signature: a set of encrypted data associated with a document that guarantees its integrity and authenticity.
Protection of Stored Data: antivirus software that is able to detect and remove malicious programs or files.
Disaster Recovery: emergency plans to ensure the preservation of documents and the physical integrity of the organization's employees in case of natural disasters.
Information Security: Standards ISO/IEC 27000 and 27001
Standard ISO/IEC 27000: vocabulary and definitions. Standard ISO/IEC 27001: requirements.
Standard ISO/IEC 27000 belongs to a family of standards for the certification of management systems, in this case applied to the implementation of Information Security Management Systems (ISMS). It:
• contains the terms and definitions used throughout the series, with the vocabulary clearly defined to avoid different interpretations;
• introduces the standards that define the requirements for an ISMS and for the certification of such systems, and that provide direct support and detailed guidance for the processes and requirements of the PDCA cycle;
• helps organizations of any sector understand the fundamentals, principles and concepts that enable better management of their information assets.
Good Management of Information Security.
Information Security: some terms defined in the standard
Access control - means to ensure that access to assets is authorized and restricted based on business and security requirements;
Responsibility (accountability) - the assignment to an entity of answerability for its actions and decisions;
Assets - anything that has value to the organization (information, software, the computer itself, services, people, etc.);
Corrective action - action to eliminate the cause of a detected nonconformity or other undesirable situation;
Authentication - provision of assurance that a characteristic claimed by an entity is correct;
Authenticity - property that an entity is what it claims to be;
Availability - property of being accessible and usable by an authorized entity;
Confidentiality - property that information is not made available or disclosed to unauthorized individuals, entities or processes;
Information Security
Information Security - preservation of the confidentiality, integrity and availability of information;
Information Security Management System - the part of the overall management system, based on a business risk approach, that establishes, implements, operates, monitors, reviews, maintains and improves information security;
Integrity - property of protecting the accuracy and completeness of assets;
Risk - combination of the probability of an event and its consequences;
Risk analysis - systematic use of information to identify sources of risk and to estimate the risk;
Risk management - coordinated activities to direct and control an organization with regard to risk;
Threat - potential cause of an unwanted incident, which may result in harm to a system or organization;
Vulnerability - weakness of an asset or control that can be exploited by a threat.
Information Security Management System
Provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the protection of information assets. The successful implementation of an ISMS depends on the analysis of requirements and on appropriate controls to protect information assets. Its main result is the reduction of information security risks. For the ISMS to be certifiable, it must satisfy the set of requirements defined by ISO/IEC 27001.
Some basic principles for a successful implementation of an ISMS:
• Awareness of the need for information security;
• Allocation of responsibilities for information security;
• Incorporating the commitment of management and the interests of all stakeholders;
• Reinforcing the values of society;
• Evaluating the risks to determine the appropriate controls to achieve acceptable levels of risk;
• Active prevention and detection of information security incidents;
• Continuous re-evaluation of information security.
Information Security: Process Approach
A process is the transformation of inputs into outputs using a set of interconnected or interacting activities. In the ISMS family of standards, the process approach is based on the PDCA cycle:
• PLAN - Establishment of the policies, objectives, processes and procedures relevant to managing risk and improving information security, planned according to the organization's strategy and results.
• DO - Implementation and operation of the policies, controls, processes and procedures.
• CHECK - Assessment of process performance against the policies and objectives of the ISMS. The results are reported to management for review.
• ACT - Taking corrective and preventive actions, based on the results of internal ISMS audits and other information from management or other relevant sources.
Information Security: Standard ISO/IEC 27001
Published in 2005. Designed to specify the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS. Certification is not a requirement of ISO/IEC 27001; it is a decision of the organization. Even so, eighteen months after its publication more than 2000 organizations in over 50 countries had been certified, and growth in this area has continued. ISO/IEC 27001 is universal for all types of organizations and specifies requirements for the implementation of security controls customized to the needs of an organization.
Information Security: Application
Certification usually involves an audit process in two stages:
Stage 1 - Review of the organization's key documentation and security policy, statement of applicability (SOA) and risk treatment plan (PTR).
Stage 2 - An audit involving in-depth checking of the ISMS controls stated in the SOA and the PTR, as well as the supporting documentation.
Renewal of the certificate involves periodic reviews confirming that the ISMS continues to work as intended.
ISO/IEC 27001 involves several components. The Information Security Management System:
• Establish, implement, operate, monitor, review, maintain and improve the ISMS;
• Documentation requirements;
• Control of documents;
• Control of records.
Information Security
Management responsibilities: management commitment; management and provision of resources; training, awareness and competence.
Internal audits determine whether the ISMS: meets the standard; meets the identified security requirements; runs as expected. The entire procedure is documented in an audit report, and auditors may not audit their own work, which ensures objectivity and impartiality.
Management review of the ISMS. Inputs: results of audits and reviews, status of preventive and corrective actions, vulnerabilities not adequately addressed in previous analyses, findings, recommendations and changes. Outputs: opportunities to include improvements and changes, modification of the ISMS, and resource needs.
Improving the ISMS: continual improvement through the use of the established policy, audit results, analysis of monitored events and corrective actions (previous steps); elimination of nonconformities through corrective and preventive actions.
Information Security: reconciling ISO/IEC 27000 and 27001
There is no absolute security, because 100% of the risks and threats cannot be eliminated. However, a previously defined control plan can exist. The 27000 standard defines terms and definitions, while the 27001 standard sets the requirements for the future implementation of an Information Security Management System. Information security management should be performed taking into account the control measures suggested by both standards: the PDCA process model and the process of analysis, evaluation and treatment of risks.
Information Security: PDCA Process Model
[Figure: the PDCA cycle, with "Requirements and expectations of Information Security" as input and the "Information Security Management System" as output.]
This model is based on process control and verification of information security systems. The result of the PDCA process is the correct management of information systems security, based on the expectations and needs of the organization.
Information Security: risk analysis and assessment
Risk management and evaluation are the key aspects of ISO 27001. The risk assessment should produce a list of the identified risks, ranked in order of severity, so that measures can be prioritized later. The results of the risk analysis should help direct and determine the most appropriate control measures to manage these risks. The risk assessment should be made on a cost-benefit basis, which reveals whether it pays to minimize or transfer a risk. In short, if a risk has a low probability of occurring and the cost of treating it is high, treating it is not justified.
Information Security
After the process of risk analysis and assessment, there are several options for risk treatment:
• Apply security measures: choose the most appropriate measures to reduce the risk at the lowest cost;
• Accept the risk: knowingly and consciously accept the risk, provided this is consistent with the organization's security policy;
• Avoid the risk: do not allow the actions that could cause the risk to occur;
• Transfer the risk: transfer the risk to other parties, e.g. insurers or suppliers.
These measures are defined in ISO/IEC 27002, which supports the development of security plans and guides the best way to manage information security.
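A small risk register that carries out the steps described above (risk as probability combined with consequence, ranking by severity, and a cost-benefit choice among the four treatment options). This is an added illustration, not part of the original presentation or of the ISO standards; the 1 to 5 scales, the acceptable-risk threshold and the treatment rules are assumptions, since the standard leaves them to the organization.

```python
from dataclasses import dataclass

# Assumed ordinal scales (1..5) for probability, consequence and treatment cost;
# risk level = probability x consequence, as in the 27000 definition of risk.
ACCEPTABLE_RISK = 6  # assumption: levels at or below this need no treatment


@dataclass
class Risk:
    name: str
    probability: int          # 1 (rare) .. 5 (almost certain)
    consequence: int          # 1 (negligible) .. 5 (severe)
    treatment_cost: int       # cost of the controls that would reduce it, 1..5
    transferable: bool = False  # e.g. insurable or contractable to a supplier
    avoidable: bool = False     # the activity that causes it can be stopped

    @property
    def level(self) -> int:
        return self.probability * self.consequence


def rank(risks):
    """Risks ordered by severity, highest level first (stable for ties)."""
    return sorted(risks, key=lambda r: r.level, reverse=True)


def treatment(r: Risk) -> str:
    """Pick one of the four options using the cost-benefit rule from the text."""
    if r.level <= ACCEPTABLE_RISK:
        return "accept"
    if r.avoidable:
        return "avoid"
    # Low probability but expensive controls: treating it is not justified,
    # so transfer it if possible, otherwise accept it consciously.
    if r.probability <= 2 and r.treatment_cost >= 4:
        return "transfer" if r.transferable else "accept"
    return "apply measures"


def risk_treatment_plan(risks):
    """(name, level, treatment) tuples in severity order."""
    return [(r.name, r.level, treatment(r)) for r in rank(risks)]


# Constructed sample register (hypothetical values, not from the page)
REGISTER = [
    Risk("laptop theft", 3, 4, 2, transferable=True),
    Risk("data centre flood", 2, 5, 5, transferable=True),
    Risk("phishing of staff", 4, 3, 2),
    Risk("printer firmware bug", 2, 1, 3),
    Risk("legacy FTP exposure", 3, 3, 1, avoidable=True),
]

if __name__ == "__main__":
    for name, level, action in risk_treatment_plan(REGISTER):
        print(f"{level:2d}  {name:22s} -> {action}")
```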
Information Security: the ISO/IEC 27000 family of standards
ISO 27002 - Code of Practice. Since 2007 this is the new name of ISO 17799. It is a best-practice guide that describes the control objectives and controls recommended for information security.
ISO 27003 - Implementation Guide. Gives guidelines for the implementation of an ISMS and contains information on the use of PDCA and the requirements of its different phases; that is, it provides a process-oriented approach to successfully implementing an ISMS in accordance with ISO/IEC 27001.
ISO 27004 - Metrics and Measurement. Specifies metrics and measurement techniques for determining the effectiveness of the ISMS and of the control objectives and controls used to implement and manage information security. These metrics are used primarily to measure the components of the "CHECK" phase of the PDCA cycle.
ISO 27005 - Guidelines for Risk Management. Establishes guidelines for information security risk management, giving directions for the implementation, monitoring and continual improvement of the control systems. It applies to all types of organizations that intend to manage risks that could compromise the security of their information.
ISO 27006 - Guidelines for Disaster Recovery Services. Specifies requirements and provides guidance for bodies providing audit and certification of an ISMS.
Information Security: some practical cases of ISO/IEC 27001 implementation
ISO 27001 already has a large number of certifications, distributed across various countries:
Information Security: the certification process of an ISMS
The first phase of the process involves the organizations themselves, which must prepare for the certification of their ISMS. The second phase is an audit of the organization's ISMS by accredited certification bodies. The certificate is valid for three years, so the third phase of the process is surveillance by the certification bodies.
[Figure: Certification Bodies]
Information Security: organizations with ISMS certificates in Portugal
Information Security: Conclusions
• Understanding what the control mechanisms against threats are.
• Studying ISO 27000 and 27001 is to understand the assumptions related to information security.
• This theme is quite relevant today, since there is much talk of hackers and crackers acting against digital platforms and trying to gain access to confidential information.
• Information is an asset of great value to organizations and needs to be properly protected in order to maintain its confidentiality, availability, integrity and authenticity.
• We analysed the standards and identified clearly enough what characterizes each of them.
• The ISO 27000 standard gives us terms and definitions, and the ISO 27001 standard adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System.