350 likes | 553 Views
Official Title of ISO 27001:2013. "Information technology— Security techniques — Information security management systems — Requirements". An Awareness Training on ISO 27001:2013. What is Information Security. Data stored on computers Transmitted across networks Printed out
E N D
Official Title of ISO 27001:2013 "Information technology— Security techniques — Information security management systems — Requirements". An Awareness Training on ISO 27001:2013
What is Information Security • Data stored on computers • Transmitted across networks • Printed out • Written on a paper, sent by fax • Stored on disks • Held on microfilm The protection of information against unauthorized disclosure, transfer, modification, or destruction, whether accidental or intentional Information Assets • Asset is something that has “value to the organization” • Information assets of an organization can be: • business data • E-mail data • Employee information • Research records • Price lists • Tender documents • Spoken in conversations over the telephone Organization must determine which assets can materially affect the delivery of product/service by their absence or degradation Information Security Management relates to all types of information, be it paper-based, electronic or other. It determines how information is processed, stored, transferred, archived and destroyed. A secure information is one which ensures Confidentiality, Integrity, and Availability. It is all about protecting information assets from potential security breaches.
What is Information Security • Confidentiality • Is my communication private? • Ensuring that the data is read only by the intended person • Protection of data against unauthorized access or disclosure • Possible through access control and encryption • Integrity • Has my communication been altered? • Protection of data against unauthorized modification or substitution • If integrity is compromised, no point in protecting data • A transparent envelope that is tamper evident • Availability • Are the systems responsible for delivering, storing and processing information accessible when needed • Are the above systems accessible to only those who need them
Need for ISMS Management Concerns • Market reputation • Business continuity • Disaster recovery • Business loss • Loss of confidential data • Loss of customer confidence • Legal liability • Cost of security Security Measures/Controls • Technical • Procedural • Physical • Logical • Personnel • Management All these can be addressed effectively and efficiently only by establishing a proper Information Security Management System (ISMS)
Comparing ISO 27001:2005 to ISO 27001:2013 ISO 27001:2005 ISO 27001:2013 Structure The specification is spread across 5 clauses, which approach the ISMS from a managerial perspective. • Information security management system • Management responsibility • Internal ISMS audits • Management review of the ISMS • ISMS improvement Structure The specification is spread across 7 clauses, which do not have to be followed in the order they are listed. • Context of the organization • Leadership • Planning • Support • Operation • Performance evaluation • Improvement
Comparing ISO 27001:2005 to ISO 27001:2013 ISO 27001:2005 ISO 27001:2013 Process The standard clearly states that it follows the PDCA (Plan-Do-Check-Act) model Process The standard does not specify any particular process model. The standard requires that a process of continual improvement is used Governance and management Senior management plays a major role. Management and board engagement is high but the separation between board and management is not clear. Governance and management Management roles are described as ‘management’ and ‘top management’, removing reference to the board. The organization is that part of the business that falls within the scope, and not necessarily the legal entity. The board initiates the ISMS; management oversees the implementation of the ISMS
Comparing ISO 27001:2005 to ISO 27001:2013 ISO 27001:2005 ISO 27001:2013 Risk assessments The definition of risk is the “combination of the probability of an event and its consequences”. The organization identifies risks against assets. The asset owner determines how to treat the risk, accepting residual risk. Controls are drawn from Annex A. Annex A is not exhaustive, so additional controls can be drawn from other sources. The Statement of Applicability records whether a control from Annex A is selected and why. Risk assessments The definition of risk is the “effect of uncertainty on objectives”, which may be positive or negative. Baseline controls based on regulatory, business and contractual obligations may be identified and implemented before the risk assessment is conducted. The organization identifies risks to the organization's information the assessment does not have to be asset-based. The risk owner determines how to treat the risk, accepting residual risk. Controls are drawn from any source or control Set Selected controls are compared to those in Annex A. The Statement of Applicability records whether a control from Annex A is selected and why
Comparing ISO 27001:2005 to ISO 27001:2013 ISO 27001:2005 ISO 27001:2013 Controls Annex A contains 133 controls across 11 control categories. Controls from other sources are used to ‘plug gaps’ not covered by Annex A controls Controls Annex A contains 114 controls across 14 control categories Controls (from any source) are identified before referring to Annex A Documentation The standard recognizes two forms: documents and records. Documents include policies, procedures, process diagrams, etc. Records track work completed, audit schedules, etc. Documentation The standard makes no distinction between documents and records. Documents and records are subject to the same control requirements.
ISO27001 ISO/IEC 27001:2013 Auditable Standard Clauses: Mandatory Processes Annex A: Control Objectives 4 Context of the organisation 14 Domains 5 Leadership 35 Control Objectives 6 Planning 114 controls 7 Support 8 Operation ISO27001 Structure 9 Performance evaluation 10 ISMS Improvement
ISO 27001 Main Clauses • Clause 4: Context of the organization • Understanding the organization and its context • Understanding the needs and expectation of interested parties. • Determining the scope of the information security management system • Information security management system • Clause 5: Leadership • Leadership and Commitment • Policy • Organization, roles, responsibilities and authorties • Clause 6: Planning • Action to address Risk and Opportunities • Information security objectives and Planning to achieve them • Clause 7: Support • Resource • Competence • Awareness • Communication • Documented Information
ISO 27001 Main Clauses • Clause 8: Operation • Operation planning and control • Information security Risk assessment • Information security Risk Treatment • Clause 9: Performance evaluation • Monitoring, measurement, analysis and evaluation • Internal Audit • Management Review • Clause 10: Improvement • Non conformity and corrective action • Continual improvement
ISMS Scope The Information Security Management Systems covering all business functions and processes associated with information assets to provide customers, employees and business partners benefits and services in the organization.
Quality Policy & Business Objectives Quality & Security Policy : NST is committed to maintain high quality standards in delivering timely and cost effective solutions to our customers by continual improvement of our processes, instilling quality consciousness amongst all employees and recognizing the confidentiality, integrity and availability of information assets to relevant stakeholders including our customers. Business Objectives Key Objective 1: Provide high quality services to our clients. Key Objective 2: Continuous focus on employee satisfaction and competency development so as to reduce and stabilize employee attrition. Key Objective 3:Continual improvement of services to our internal & external customers. Key Objective 4:To secure its information assets and of its customers, NST shall deploy procedures to maintain confidentiality, integrity and availability of all information assets. Key Objective 5: To have year on year revenue increase while maintaining profitability.
Management framework policies Policy, scope Risk Assessment, statement of applicability Level 1 ISMS Manual (Apex document) Describes processes who, what, when, where Level 2 Procedure Level 3 Describes how tasks and specific activities are done Work Instructions, checklists, forms, etc. Provides objective evidence of compliance to ISMS requirements Records Level 4 ISMS Documentation
Risk Assessment and Management • Risk Assessment • Identify all Stakeholders • Identify Business Process • Identify Operation Process • Identify Assets • Identify Risk on the basis of all Stakeholders • Identify Threats and Vulnerabilities • Evaluate Probability and Impact • Calculate Risk Value • Risk treatment • Mitigate/Reduce risk • Avoid risk • Transfer risk • Accept risk • Risk Management • Mitigate the risk by appropriate controls • Evaluate controls periodically
ISO 27001:2013 Main Clauses-10 • Clause 4: Context of the Organization • Clause 5: Leadership • Clause 6: Planning • Clause 7: Support • Clause 8: Operation • Clause 9: Performance Evaluation • Clause 10: Improvement • Clause 11: Domain, Control Objective & Controls There are 14 domains 35 control objectives and 114 detail controls
Structure of ISO 27001:2013 Controls 14 Domains comprising 35 Control Objectives and 114 Controls A.5 Information security policies – controls on how the policies are written and reviewed A.6 Organization of information security – controls on how the responsibilities are assigned; also includes the controls for mobile devices and teleworking A.7 Human resources security – controls prior to employment, during, and after the employment A.8 Asset management – controls related to inventory of assets and acceptable use, also for information classification and media handling A.9 Access control – controls for Access control policy, user access management, system and application access control, and user Responsibilities A.10 Cryptography – controls related to encryption and key management A.11 Physical and environmental security – controls defining secure areas, entry controls, protection against threats, equipment security, secure disposal, clear desk and clear screen policy, etc. A.12 Operational security – lots of controls related to management of IT production: change management, capacity management, malware, backup, logging, monitoring, installation, vulnerabilities, etc. A.13 Communications security – controls related to network security, segregation, Network services, transfer of information, messaging, etc.
Structure of ISO 27001:2013 Controls A.14 System acquisition, development and maintenance – controls defining security requirements and security in development and support processes A.15 Supplier relationships – controls on what to include in agreements, and how to monitor the suppliers A.16 Information security incident management – controls for reporting events and weaknesses, defining responsibilities, response procedures, and collection of evidence A.17 Information security aspects of business continuity management – controls requiring the planning of business continuity, procedures, verification and reviewing, and IT redundancy A.18 Compliance – controls requiring the identification of applicable laws and regulations, intellectual property protection, personal data protection, and reviews of information security
Guidelines for using the Risk Register Sheet-13 Risk analysis is an evaluation of the identified risk events to determine the likelihood of the events occurring and their impact, to assign a risk rating based on the project criteria and to prioritize the risks. For each risk event, the following risk analysis guidelines can be used: 2 1 3
Understanding the Needs and Expectation from Interested Parties
Communication Communications provide the statement to the Organization of the Information Security of the business that highlighting the importance of information s protection. Users shall be made aware about the risk of Information Security while exchanging information through Voice, Email, Fax, and Video Communication facility
Statement of Applicability Document describing the control objectives and controls that are relevant and applicable to the organization’s ISMS, based on the results of risk assessment and risk treatment processes.
Exercise Given below are various risks that may faced by an organization. Go through the list of clauses and map them against each risk.
Generic Changes from ISO 27001:2005 standard Puts more emphasis on measuring and evaluating how well an organization's ISMS is performing New section on Outsourcing Does not emphasize the Plan-Do-Check-Act cycle. More attention is paid to the organizational context of information security. Risk assessment has changed. Management commitment requirements have a focus on “leadership” Preventive action has been replaced with “actions to address, risks and opportunities” SOA requirements are similar, with more clarity on the need to determine controls by the risk treatment process Controls in Annex A have been modified to reflect changing threats, remove duplication and have a more logical grouping. Stress on maintaining documented information, rather than information record Greater emphasis is on setting objectives, monitoring performance and metric
Risk assessment and risk treatment • Risk management is the activities to make clear what kind of information security risks may occur, determine the risk treatment and manage the risks. • The activities to make the risks clear are referred to as "risk assessment". • Identify the risk owners • The actions taken for the risks,which are made clear, are referred to as "risk treatment". • Avoiding: Withdrawal of business, etc. • Taking or increasing risk in order to pursuean opportunity: Additional investment, etc. • Changing the likelihood of risks: Performing preventive measures, etc. • Removing the risk sources: Performing preventive measures, etc. • Changing the consequences of risks: Preparing the actions taken for the possible situations, etc. • Sharing the risks with another parties: Insuring the risks, etc. • Retaining the risk as they are: Accepting the risks upon recognition • This is the same as the "management judgment" conventionally conducted by Management.
New controls 14.2.1 Secure development policy – rules for development of software and information systems 14.2.5 Secure system engineering principles – principles for system engineering 14.2.6 Secure development environment – establishing and protecting development environment 14.2.8 System security testing – tests of security functionality 16.1.4 Assessment of and decision on information security events – this is part of incident management 17.2.1 Availability of information processing facilities – achieving redundancy