ISO/IEC 27001 Information Security Management System (ISMS) for Mobile Devices

AGENDA
• Why apply ISMS to Mobile Devices?
• Overview ISMS Templates
• 69 Risks Identified
• 26 Risk Mitigations
• 7 Templates > 250 pages
• Password & Mobile Device Security SOPs
• Applicable Cyberlaw
What is ISO/IEC 27001?
ISO/IEC 27001 - gold standard guidance for information security management
• ISO/IEC 27001 – Information technology – Security Techniques – Information security management systems – Requirements
• ISO/IEC 27002 – Information technology – Security Techniques – Code of practice for information security management
• ISO/IEC 27005 – Information technology – Security Techniques – Information security risk management
Stacy (Dene’) Nelson Student ID #000221918
What are Mobile Devices? Who uses them?
Leverage ISO/IEC 27001 ISMS to address new information security risks created when workers use Mobile Devices around the world
New Risks Associated with Mobile Devices
• Small size -> easy to lose, easy to steal
• Bad mobile social media posts can ruin reputations, leak information, violate privacy and intellectual property laws…
• Malware downloaded from the cloud, communications networks, desktop synchronization and tainted storage media
• Spam
• Spyware can be used for electronic eavesdropping on phone calls, texts…
• Geotagging & location tracking allow the whereabouts of registered cell phones to be known and monitored
• Server-resident content such as email may expose sensitive information via server vulnerabilities
Overview of ISMS Mobile
• 7 templates (>250 pages) per the ISO/IEC 27001 Section 4.3 list of documents, for robust security management, identification of risks & countermeasures, & support of ISMS certification:
  • ISMS Mobile Policy (MS Word)
  • ISMS Mobile Scope (MS Word)
  • ISMS Mobile Project Plan (MS Project)
  • ISMS Mobile Risk Assessment Methodology (MS Word)
  • ISMS Mobile Risk Assessment (MS Excel)
  • ISMS Mobile Risk Treatment Plan (MS Word)
  • ISMS Mobile Statement of Applicability (SoA) (MS Word)
• Additional templates:
  • ISMS Mobile Password Policy Template (MS Word)
  • ISMS Mobile SOP - Mobile Device Security Template (MS Word)
• ISMS Mobile formally tested by an independent quality control specialist
• ISMS Mobile can jumpstart safeguarding mobile information for organizations
Overview of ISMS Mobile
ISMS Mobile templates are password-protected files that can be downloaded from the ISMS Mobile website: http://www.drdenenelson.com/ISMS-Template.htm
ISMS Mobile Risk Evaluation
Risk Level
• Likelihood: Low, Medium, High
• Impact: Low, Medium, High
Risk Prioritization
• Risk Level: 1, 2, 3
• Detectability: Low, Medium, High
Correlating Risk to Risk Treatment
• ISMS Mobile Risk Register
• ISMS Mobile Risk Treatment Plan
Find the Risk Treatment Name & Number in the Risk Treatment column of the Risk Register
Example from the ISMS Mobile Statement of Applicability - Implemented
Example from the ISMS Mobile Statement of Applicability – Outside Scope
Special Strategies Used in ISMS Mobile
Process used at NASA for safety-critical software was applied to security of mobile devices
What is Included in ISMS for Mobile Devices
110 ISO/IEC 27001 Annex A Security Controls Investigated:
• 25 deemed out of ISMS Mobile project scope
• 85 security controls addressed
69 Risks Identified for Mobile Devices:
• 2 high priority
• 25 medium priority
• 42 low priority (but high impact should they occur)
26 Risk Treatments Devised & Justified (e.g. cost vs. risk, already in use…)
2 Additional Templates:
• ISMS Mobile Password Policy template
• ISMS Mobile SOP - Mobile Devices Security template
Systems Security – 26 Risk Treatments for Mobile Devices – page 1 (Alphabetical Order)
• T1: Change Defaults
• T2: Disciplinary Action Procedure
• T3: Event Log
• T4: Forensics
• T5: Information Access Control Procedure
• T6: Mobile Malware Protection and Detection Software
• T7: Prevent Unauthorized Electronic Tracking
• T8: Prevention of Attagging
• T9: Prevention of Electronic Eavesdropping
• T10: Prevention of Jailbreaking
• T11: Prevention of Tapjacking (clickjacking)
• T12: Procedure for Lost or Stolen Mobile Device
• T13: Proper use of Geotagging
Systems Security – 26 Risk Treatments for Mobile Devices – page 2 (Alphabetical Order)
• T14: Retrieval of Information - Lost or Forgotten Passwords
• T15: Safeguarding Mobile Data
• T16: Secure Bluetooth
• T17: Secure Mobile Device Enterprise Server
• T18: Secure Wired Network
• T19: Secure Wireless Network Transactions
• T20: Securing Mobile Cloud Computing
• T21: Security Incident
• T22: Synchronization – ActiveSync
• T23: Synchronization Configuration
• T24: Synchronization - HotSync
• T25: Test Data Password Protected
• T26: Training for Mobile Social Media Usage
Security Planning and Management
• Not always a 1-1 relationship between risks and countermeasures
• Security controls must be planned, implemented, tested, & monitored to ensure they protect data
• 1 countermeasure for changing defaults is required for many mobile devices
• 1 SOP covers many risks
Applicable Cyberlaw, Regulations and Compliance – page 1
• Cyberlaw struggles with privacy concepts such as when the needs of the many supersede the rights of the individual, for example:
  • ECPA Section 2709 allows the FBI to issue National Security Letters to ISPs ordering disclosure of customer records (Electronic Communications Privacy Act of 1986, 2012)
• In the USA, laws are specific to certain industries, for example:
  • FISMA - Federal Information Security Management Act of 2002
  • Gramm-Leach-Bliley Act – personal financial security (Gramm-Leach-Bliley Act, 2012)
  • HIPAA - privacy of health data (Health Insurance Portability and Accountability Act, 2012)
  • Sarbanes-Oxley Act of 2002 (SOX) – public financial security (Sarbanes-Oxley Act, 2012)
Applicable Cyberlaw, Regulations and Compliance – page 2
Guidelines Used for ISMS Mobile:
• ISO/IEC 27001 (ISMS)
• ISO/IEC 27002 (Security Controls)
• ISO/IEC 27005 - Information Security Risk Management
• NIST Guidelines on Mobile Security
• NIST Guidelines on PDA Forensics
• NIST National Vulnerability Database
• Generally Accepted Information Security Principles
References
• Electronic Communications Privacy Act. (2012). Retrieved from http://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act
• Federal Information Security Management Act of 2002. (2012). Retrieved from http://en.wikipedia.org/wiki/Federal_Information_Security_Management_Act_of_2002
• GAISP. (2004). Generally Accepted Information Security Principles. Retrieved from http://all.net/books/standards/GAISP-v30.pdf
• Gramm-Leach-Bliley Act. (2012). Retrieved from http://en.wikipedia.org/wiki/Gramm%E2%80%93Leach%E2%80%93Bliley_Act
• Health Insurance Portability and Accountability Act. (2012). Retrieved from http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act
• ISO/IEC 27001. (2005). Information Technology – Security Techniques – Information Security Management Systems – Requirements. Retrieved from http://www.iso27001security.com/html/27001.html
• ISO/IEC 27005. (2012). Information Technology – Security Techniques – Information Security Risk Management (Second Edition). Retrieved from http://www.iso27001security.com/html/27005.html
• NIST SP 800-30. (2002). Risk Management Guide for Information Technology Systems. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
• Sarbanes–Oxley Act. (2012). Retrieved from http://en.wikipedia.org/wiki/Sarbanes%E2%80%93Oxley_Act