ISO 27K Best Practices

by

Faham Usman

on 22 May 2014

Transcript of ISO 27K Best Practices

Information Security
ISO 27K Best Practices
Awareness Campaign
Agenda
Salim is your Cyber Security Advisor.
About aeCERT
aeCERT is the United Arab Emirates Computer Emergency Response Team, one of the initiatives of the UAE Telecommunications Regulatory Authority.
It aims at promoting, building and ensuring a safer and more secure cyber environment and culture in the UAE.
ISO27001 Methodology
ISO
ISO27002:2013 Clauses
Information Security Threats
Security Policy
ISMS
Human Resources Security
Asset Management
Access Control
Communication Security
Cryptography
Information Security Incident Management
Physical & Environment Security
Business Continuity Management
Operations Security
Compliance
Conclusion
aeCERT
Salim (aeCERT)
@salim_aecert
For more information
www.aecert.ae
info@aecert.ae
Questions
The attacker intercepts the encrypted packet and compares it with the original one, allowing him to recover the encryption key

What are ISO and IEC?
ISO:
World’s largest developer of voluntary international standards
Founded in 1947, it has published more than 19,500 standards, used in government, business and industry sectors

ISO developed with IEC (International Electrotechnical Commission)
ISO 27001/27002 : The Basics
Two complementary standards for information security systems, processes and controls
27001 standard focuses on management, policies and processes
27002 standard focuses on providing necessary controls to make 27001 standard possible
Definitions
ISO/IEC 27001:2013
Instructs how to apply ISO/IEC 27002 and build, operate, maintain and improve an ISMS
A standard specification for an Information Security Management Systems (ISMS)
A standard code of practice and considered a comprehensive catalogue for practicing good security
ISO / IEC 27001 & 27002 :
The Certification Process
Guidelines
Certification
ISO/IEC 27002: 2013
ISO/IEC 27001: 2013
Step 1: Documentation review and evaluation of organization’s readiness
Step 2: Implementation audit & evaluation of the effectiveness of organization’s systems
Step 3: Lead Auditor’s recommendation to certify an organization
Step 4: Certification issued by ISO
What is Information?
An asset, essential to an organization’s business, that needs to be protected.
Protection is vital in the increasingly interconnected business environment.
Forms of information: printed, written, stored electronically, transmitted by post or email.
The Challenge
Protection of information and information systems to meet business and legal requirements
Provision and demonstration of secure environment to organizations
Preventing loss of product knowledge to external parties
Preventing leak of confidential information
Information Security
Definition:
It is defined as the protection of information from a broad range of threats in order to ensure:
Business continuity
Minimized business risk
Maximized ROI (return on investment) and business opportunities.
Why Information Security?
Organizations and their information systems and network infrastructures are facing security threats from a wide range of sources, including:
Computer-assisted fraud
Sabotage
Espionage
Vandalism
Fire or flood
Hacking
Denial of service attacks
Information Security Threats
Potential Issues
ISMS
An Information Security Management System provides a framework to establish, implement, operate, monitor, review, maintain and improve information security within an organization
Why ISMS?
ISMS provides the means to:
ISMS Cycle
Who Needs ISMS?
Every organization that values its information enough to protect it:
Banks
Call centers
IT organizations
Government & state bodies
Manufacturing industries
Hospitals
Insurance companies
Educational institutes
Credit card processors
Business entities
Implementing ISMS
The means to implement ISO/IEC 27001
The organization should set up an ISMS collaboration team
Based on the Deming PDCA Cycle - Plan Do Check Act
Common to other ISO management standards e.g. ISO 9000
The ingredient that allows the integration of the different management systems that these standards define.
Effectively monitor information security posture

ISMS Process – Plan Phase
Obtain Management Approval (Pre-plan phase)
Define the ISMS scope & the ISMS policy
Identify & assess the risks
Formulate a Risk Treatment Plan, with one of the following outcomes for each risk:
Apply appropriate control to reduce risk
Accept the risk – substantiate why
Avoid the risk – do not allow action causing risk
Transfer the risk to a third party e.g. insurer
Select control objectives and controls
Prepare a Statement of Applicability
ISMS Process – Do Phase
Allocate resources & conduct training
Implement the risk treatment plan
Implement controls selected to meet the control objectives
ISMS Process – Check Phase
Execute monitoring processes
Conduct internal audits of the ISMS at planned intervals
Undertake regular management reviews of the effectiveness of the ISMS
Review levels of residual risk and acceptable risk
ISMS Process – Act Phase
Implement improvements identified
Take appropriate preventive and corrective actions
Communicate the results and actions
Ensure improvements meet their intended objectives
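As an added worked example (not part of the original presentation), the plan-phase risk treatment options above (reduce by applying a control, accept with substantiation, avoid, transfer to a third party), the Statement of Applicability that follows from control selection, and the check-phase review of residual risk against the acceptable level, written in Python. The 1–5 scales, the thresholds, the control names (taken from the deck’s clause list) and the register entries are constructed assumptions; an organization fixes its own in its ISMS policy.

```python
"""Risk treatment and Statement of Applicability walk-through.

Added illustration; it is not part of the presentation or of any ISO text.
Scales, thresholds, control names and register entries are constructed
assumptions: an organization fixes its own in its ISMS policy.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed 1-5 scales for likelihood and impact, so the score ranges 1..25.
ACCEPTABLE_RISK = 6    # assumed: scores at or below this are within risk appetite
AVOID_THRESHOLD = 20   # assumed: untreatable scores at or above this are avoided


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int                # 1 (rare) .. 5 (almost certain)
    impact: int                    # 1 (negligible) .. 5 (severe)
    control: Optional[str] = None  # candidate control (clause names from the deck)
    control_effect: float = 0.0    # assumed fraction of the score the control removes
    insurable: bool = False        # whether transfer to a third party is an option

    @property
    def inherent(self) -> int:
        return self.likelihood * self.impact


@dataclass
class Decision:
    risk: Risk
    treatment: str      # reduce | accept | avoid | transfer
    residual: float     # score remaining after treatment
    justification: str


def treat(risk: Risk) -> Decision:
    """Apply the four plan-phase treatment options in a fixed order of preference."""
    score = risk.inherent
    if score <= ACCEPTABLE_RISK:
        return Decision(risk, "accept", score, "inherent risk within appetite")
    if risk.control:
        residual = round(score * (1 - risk.control_effect), 1)
        if residual <= ACCEPTABLE_RISK:
            return Decision(risk, "reduce", residual, f"apply control: {risk.control}")
    if risk.insurable:
        return Decision(risk, "transfer", score, "transferred to a third party (insurer)")
    if score >= AVOID_THRESHOLD:
        return Decision(risk, "avoid", 0.0, "stop the activity that causes the risk")
    # Above appetite, no effective control, not transferable, not high enough to avoid:
    # management may still accept it, but the slide requires the reason to be substantiated.
    return Decision(risk, "accept", score, "NEEDS SUBSTANTIATION by management")


def statement_of_applicability(decisions: List[Decision], catalogue: List[str]) -> Dict[str, Tuple[bool, str]]:
    """Mark each catalogue control applicable or not, with the justification the SoA requires."""
    selected = {d.risk.control for d in decisions if d.treatment == "reduce"}
    return {
        c: (c in selected, "selected by risk treatment" if c in selected
            else "no in-scope risk requires this control")
        for c in catalogue
    }


def residual_review(decisions: List[Decision]) -> List[Decision]:
    """Check phase: risks whose residual level still exceeds the acceptable level."""
    return [d for d in decisions if d.residual > ACCEPTABLE_RISK]


# Constructed register: hypothetical assets and threats for illustration only.
REGISTER = [
    Risk("customer database", "ransomware", 4, 5, control="Backup", control_effect=0.8),
    Risk("staff laptops", "device theft", 3, 3, control="Cryptography", control_effect=0.6),
    Risk("office printer", "paper jam", 2, 1),
    Risk("legacy FTP server", "cleartext credentials exposed", 5, 5),
    Risk("data centre", "flood", 2, 5, insurable=True),
    Risk("HR records", "unauthorised internal access", 3, 4, control="Access Control", control_effect=0.4),
]
CATALOGUE = ["Backup", "Cryptography", "Access Control", "Malware Protection", "Supplier Relationships"]


if __name__ == "__main__":
    decisions = [treat(r) for r in REGISTER]
    for d in decisions:
        print(f"{d.risk.asset:18} score={d.risk.inherent:>2} -> {d.treatment:8} "
              f"residual={d.residual:<4} {d.justification}")
    for control, (applicable, why) in statement_of_applicability(decisions, CATALOGUE).items():
        print(f"SoA {control:22} {'applicable' if applicable else 'not applicable':14} {why}")
    print("still above appetite:", [d.risk.asset for d in residual_review(decisions)])
```

The order of preference in `treat` is a design choice: a control that brings the score within appetite is preferred over transfer, and avoidance is reserved for the highest untreatable scores. The HR records entry shows the case the deck flags with “substantiate why”: the candidate control is not strong enough, so the risk stays above appetite and appears in the check-phase review until management records its reasoning.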
Steps Towards Certification
Benefits of ISMS
Assurance through discipline of compliance
Increased trust & customer confidence & business opportunities
Better risk management
Minimized security breaches (increased continuity of business)
Broader user level awareness on security threats and measures
People, Process & Technology Controls
ISO27001 - Methodology
Task 1 – Current State Assessment
IT: Current State Assessment
Review Existing Policies & Procedures
Perform Gap Analysis vis-à-vis ISO 27001 Control Objectives

ISO27001 - Methodology
Task 2 – Establish the Context
Define Business Objectives
Create Security Forum
ISO27001 - Methodology
Task 3 – Risk Identification & Assessment
Business Risk
Network Design Risks
Environment Risks
ISO27001 - Methodology
Task 4 – Managing the Risks
Creating Information Security Mgmt. System (ISMS)
Control Selection & Prepare Statement of applicability
Formulate IT Security Policies & Procedures
Security Architecture Definition
Formulating Disaster Recovery Plan (DRP)
ISO27001 - Methodology
Task 5 – Implementation of Controls
Training on Security Policies & Procedures
Vulnerability Fix & Hardening
Implementation of Security Architecture / ITSPP
Implementation of DRP
Preparation for ISO 27001 Certification
ISO27001 - Methodology
Task 6 – Pre-Certification Support
Review of Implementation Methodology
ISO 27001 Pre Certification Internal Audit
ISO27001 - Methodology
Task 7 – ISO 27001 Certification
Achieving ISO 27001 Certification
Creating Information Security Management System
Control Selection & Prepare Statement of Applicability
Analyze organizational business processes
Understand the business risks
Map business risk with ISO 27001 controls
Select ISO 27001 controls applicable to organization
Prepare report justifying non-applicability of controls
Security Architecture Definition
Multi-layered Security Architecture
Application Level
Collaboration Level
Data Center Level
Network Level
Contingency Planning Process
Contingency Plan Structure
Supporting Information
Introduction
Concept of Operations
Notification/Activation Phase
Notification Procedures
Damage assessment
Plan activation

Recovery Phase
Sequence of recovery activities
Recovery procedures
Reconstitution Phase
Restore original site
Test systems
Terminate operations
Plan Appendices
POC Lists
System requirements
SOPs
Vital records

Plan Development
Incorporate BIA findings
Document recovery strategy
ISO 27002:2013
In November 2013, the security standards ISO 27001 and ISO 27002 were revised
ISO 27002:2013 is technically and structurally revised compared with ISO 27002:2005

ISO 27002:2013
In 27002:2005 there were 11 control domains; now there are 14, including three new sections:
Cryptography (old control 12.3)
Supplier Relationships (old control 6.2)
Communications security (old control 10.6)
In 27002:2005 there were 133 controls; the 2013 edition has 114.
Comparison ISO 27002:2005 & 27002:2013
ISO 27002:2013 Clauses & Objectives
ISO 27002:2013 Benefits
Increased stakeholder confidence
Technology independent
Strategic comprehensive baseline
Basis for assessing risk & cost trade-offs
More accurate and reliable security audits
More effective tactical security
ISO 27002:2013 Clauses
Control Objectives
01 Security Policy
02 Organization of Information Security
03 Human Resources Security
04 Asset Management
05 Access Control
06 Cryptography
07 Operations Security
08 Communication Security
09 Systems Acquisition, Development and Maintenance
10 Compliance
11 Supplier Relationships
12 Information Security Incident Management
13 Business Continuity Management
14 Physical & Environment Security
Security Policy
Management Direction for Information Security Policy
Organizations should define an “information security policy”, approved by management, published and communicated to employees and relevant external parties, which sets out the organization’s approach to managing its information security objectives
Organization of Information Security
Internal Organization
The objective of internal organization control is to establish a management framework to initiate and control the implementation & operation of information security in an organization

Organization of Information Security
Mobile Device and Teleworking

The objective of this control is to ensure the security of teleworking and use of mobile devices
A mobile device policy should be devised to manage the risks introduced by mobile devices within an organization
A teleworking policy should be implemented to protect information accessed, processed or stored at teleworking sites

Human Resources Security
Prior to Employment
The objective of this control is to ensure employees and contractors understand their responsibilities for the roles for which they are considered
Background verification checks on all employees should be carried out in accordance with relevant laws

Human Resources Security
During Employment
The objective of this control is to ensure that employees and contractors are aware of and fulfill their information security responsibilities
Employees and contractors should apply information security in accordance with the policies and procedures of the organization

Human Resources Security
Termination or Change of Employment
The objective of this control is to protect the organization’s interest as part of the process of changing or terminating employment
Information security responsibilities that remain valid after termination or change of employment should be defined, communicated to the employee or contractor and enforced
Asset Management
Responsibility for Assets

The objective of this control is to identify organizational assets and define appropriate protection responsibilities
An inventory of the assets associated with information and information processing facilities should be drawn up and maintained
Asset Management
Information Classification

The objective of this control is to ensure that information receives an appropriate level of protection in accordance with its importance to an organization
Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification
Asset Management
Media Handling

The objective of this control is to prevent unauthorized disclosure, modification, removal or destruction of information stored on media
In accordance with the classification scheme adopted by the organization, procedures should be implemented for the management of removable media.
Access Control
Business Requirements of Access Control

The objective of this control is to limit access to information and information processing facilities
An access control policy should be established, documented and reviewed based on business and information security requirements
Access Control
User Access Management

The objective of this control is to ensure authorized user access and to prevent unauthorized access to systems and services
To enable the assignment of access rights, a formal user registration and de-registration process should be in place and implemented
Access Control
User Responsibilities

The objective of this control is to make users accountable for safeguarding their authentication information
Users should be required to follow the organization’s practices in the use of secret authentication information
Access Control
System and Application Access Control

The objective of this control is to prevent unauthorized access to systems and applications
Access to information and application system functions should be restricted according to the organization’s access control policy
Cryptography
Cryptographic Controls

The objective of this control is to ensure proper and effective use of cryptography to protect the confidentiality, authentication and integrity of information
A policy should be developed and implemented on the use of cryptographic controls for protection of information
Physical & Environment Security
The objective of this control is to prevent unauthorized physical access, damage and interference to an organization’s information and information processing facilities.
Security perimeters should be defined and used to protect areas that contain either sensitive or critical information and information processing facilities
Physical & Environment Security
The objective of this control is to prevent loss, damage, theft or compromise of assets and interruption to the organization’s operations
Equipment should be protected and located to reduce the risks from environmental threats and hazards
Operations Security
Operational Procedures and Responsibilities
The objective of this control is to ensure correct and secure operations of information processing facilities
Operating procedures should be documented and made available to all users who need them
Operations Security
Malware Protection
The objective of this control is to ensure that information and information processing facilities are protected against malware
Detection, prevention and recovery controls to protect against malware should be implemented
Operations Security
Backup
The objective of this control is to protect against the loss of data
Backup copies of information, software and system images should be taken and tested regularly in accordance with an approved backup policy
The backup policy must define the retention and protection requirements
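An added example (not from the presentation) of the three points above in Python: taking a backup copy with a hash manifest, testing the copy against that manifest, and enforcing a retention period. It runs against a temporary directory with constructed files; the 30-day retention and the rule of always keeping the newest copy are assumed policy values.

```python
"""Backup copies: take, test and retain them under a stated policy.

Added example, not part of the original presentation. It works on a temporary
directory with constructed files; the 30-day retention and the one-copy minimum
are assumed policy values.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

RETENTION = timedelta(days=30)   # assumed retention requirement from the backup policy
KEEP_AT_LEAST = 1                # assumed: never prune the newest copy, whatever its age
STAMP = "%Y%m%dT%H%M%S"


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def take_backup(source: Path, backup_root: Path, when: datetime) -> Path:
    """Copy the source tree into a timestamped folder and record a hash manifest beside it."""
    dest = backup_root / when.strftime(STAMP)
    data = dest / "data"
    shutil.copytree(source, data)
    manifest = {p.relative_to(data).as_posix(): sha256(p) for p in sorted(data.rglob("*")) if p.is_file()}
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return dest


def verify_backup(backup_dir: Path) -> bool:
    """Test the copy: every manifest entry must exist with the recorded hash, and nothing extra."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    data = backup_dir / "data"
    actual = {p.relative_to(data).as_posix(): sha256(p) for p in data.rglob("*") if p.is_file()}
    return manifest == actual


def prune(backup_root: Path, now: datetime) -> list:
    """Delete copies older than RETENTION, always keeping the newest KEEP_AT_LEAST."""
    copies = sorted(d for d in backup_root.iterdir() if d.is_dir())
    removed = []
    for d in copies[:len(copies) - KEEP_AT_LEAST]:
        if now - datetime.strptime(d.name, STAMP) > RETENTION:
            shutil.rmtree(d)
            removed.append(d.name)
    return removed


def run_scenario() -> dict:
    """Exercise take / verify / prune on constructed data and report what happened."""
    t0 = datetime(2024, 5, 22, 2, 0)
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.sql").write_bytes(b"INSERT INTO customers VALUES (1, 'constructed');\n")
        (src / "config.yaml").write_text("retention_days: 30\n")
        root = Path(tmp) / "backups"
        root.mkdir()

        first = take_backup(src, root, t0)
        verified_ok = verify_backup(first)

        # Simulate silent corruption of one stored file; the manifest check must notice.
        (first / "data" / "config.yaml").write_text("retention_days: 31\n")
        tamper_detected = not verify_backup(first)

        take_backup(src, root, t0 + timedelta(days=20))
        take_backup(src, root, t0 + timedelta(days=45))
        pruned = prune(root, now=t0 + timedelta(days=45))
        remaining = sorted(d.name for d in root.iterdir())
    return {"verified_ok": verified_ok, "tamper_detected": tamper_detected,
            "pruned": pruned, "remaining": remaining}


if __name__ == "__main__":
    print(run_scenario())
```

The manifest is what makes “tested regularly” meaningful: a copy that exists but no longer matches its recorded hashes would fail a restore, and the check catches that before the copy is needed. The retention rule deliberately never deletes the newest copy, so a long gap in the backup schedule cannot leave the organization with nothing to restore from.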
Operations Security
Logging & Monitoring
The objective of this control is to record events and generate evidence accordingly
Event logs recording user activities, exceptions, faults and information security events should be produced, kept and regularly reviewed
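An added example (not from the presentation) of what a regular review of such logs can do in Python: it classifies each line into the four categories named above (user activity, exception, fault, information security event) and correlates them into findings, such as a burst of failed logins followed by a successful one from the same source. The log lines are constructed (documentation address ranges, hypothetical hosts and users) and the threshold and time window are assumptions a monitoring team would tune.

```python
"""Event-log review: classify user activity, exceptions, faults and security events,
then correlate them into findings for the regular review.

Added example, not part of the original presentation. The log lines are constructed
(documentation address ranges, hypothetical hosts and users); the thresholds are
assumptions a monitoring team would tune to its own environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")

FAIL_THRESHOLD = 5              # assumed: failures from one source inside the window
WINDOW = timedelta(minutes=2)   # assumed: correlation window for the failure burst

SAMPLE_LOG = """\
2024-05-22T08:00:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
2024-05-22T08:00:09 web01 sshd[1203]: Failed password for root from 203.0.113.7 port 51240 ssh2
2024-05-22T08:00:15 web01 sshd[1205]: Failed password for root from 203.0.113.7 port 51244 ssh2
2024-05-22T08:00:22 web01 sshd[1207]: Failed password for invalid user oracle from 203.0.113.7 port 51250 ssh2
2024-05-22T08:00:31 web01 sshd[1209]: Failed password for root from 203.0.113.7 port 51258 ssh2
2024-05-22T08:01:02 web01 sshd[1211]: Accepted password for deploy from 203.0.113.7 port 51270 ssh2
2024-05-22T08:03:40 web01 sudo:     deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
2024-05-22T08:05:12 db01 sshd[887]: Failed password for alice from 198.51.100.23 port 40112 ssh2
2024-05-22T08:05:30 db01 sshd[889]: Accepted publickey for alice from 198.51.100.23 port 40118 ssh2
2024-05-22T08:07:45 db01 kernel: [12345.678] sd 0:0:0:0: [sda] I/O error, dev sda, sector 204800
2024-05-22T08:09:03 app01 gunicorn[2210]: Traceback (most recent call last):
"""


def parse(line):
    """Split one syslog-style line and label it with the event category the slide names."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.fromisoformat(ev["ts"])
    msg = ev["msg"]
    if ev["proc"] == "sshd" and (f := FAILED_RE.search(msg)):
        ev.update(kind="security", type="auth_failure", **f.groupdict())
    elif ev["proc"] == "sshd" and (a := ACCEPTED_RE.search(msg)):
        ev.update(kind="activity", type="login", **a.groupdict())
    elif ev["proc"] == "sudo" and (s := SUDO_RE.search(msg)):
        ev.update(kind="activity", type="privileged_command", **s.groupdict())
    elif ev["proc"] == "kernel" and "error" in msg.lower():
        ev.update(kind="fault", type="kernel_error")
    elif "Traceback" in msg or "exception" in msg.lower():
        ev.update(kind="exception", type="application_exception")
    else:
        ev.update(kind="other", type="unclassified")
    return ev


def review(lines):
    """Return (counts per category, findings) for a batch of log lines."""
    events = [e for e in map(parse, lines) if e]
    counts = defaultdict(int)
    findings = []
    failures = defaultdict(list)   # source address -> recent failure timestamps
    for e in sorted(events, key=lambda e: e["time"]):
        counts[e["kind"]] += 1
        if e["type"] == "auth_failure":
            recent = [t for t in failures[e["src"]] if e["time"] - t <= WINDOW]
            recent.append(e["time"])
            failures[e["src"]] = recent
            if len(recent) == FAIL_THRESHOLD:   # report once per burst
                findings.append(("HIGH", f"{len(recent)} failed logins from {e['src']} within {WINDOW}"))
        elif e["type"] == "login":
            recent = [t for t in failures[e["src"]] if e["time"] - t <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                findings.append(("CRITICAL", f"successful login as {e['user']} from {e['src']} "
                                             f"after {len(recent)} failures; investigate"))
        elif e["type"] == "privileged_command":
            findings.append(("INFO", f"{e['user']} ran '{e['cmd']}' on {e['host']}"))
        elif e["kind"] in ("fault", "exception"):
            findings.append(("MEDIUM", f"{e['type']} on {e['host']}: {e['msg'][:60]}"))
    return dict(counts), findings


if __name__ == "__main__":
    counts, findings = review(SAMPLE_LOG.splitlines())
    print("events by category:", counts)
    for level, text in findings:
        print(f"[{level}] {text}")
```

The single failed login on db01 followed by a key-based login produces no finding, which is the point of correlating rather than alerting on every failure: the review should surface the pattern (five failures then a success from one address, then a privileged command) rather than bury it in noise. In production the same logic would run over a collected log store rather than a string, and the time window and threshold would come from the monitoring policy.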
Operations Security
Control of Operational Software
The objective of this control is to ensure the integrity of operational systems

Procedures should be implemented to control the installation of software on operational systems

Operations Security
Technical Vulnerability Management
The objective of this control is to prevent exploitation of technical vulnerabilities
Information about technical vulnerabilities of the information systems in use should be obtained in a timely fashion
The organization’s exposure to such vulnerabilities should be evaluated and appropriate measures taken to address the associated risk
Operations Security
Vulnerability Management Life Cycle
Discover
Prioritize Assets
Assess
Report
Remediate
Verify
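An added example (not from the presentation) that walks the life cycle above in Python: discover findings from a scanner export, prioritize by asset criticality and exposure, assess a severity, report tickets with SLA due dates, and verify remediation against a rescan. The scanner exports, asset inventory, weighting formula and SLA days are constructed assumptions, and the plugin identifiers are placeholders rather than real scanner checks.

```python
"""Vulnerability management life cycle: discover, prioritize assets, assess, report, remediate, verify.

Added example, not part of the original presentation. Scanner exports, the asset
inventory, the weighting formula and the SLA days are constructed assumptions;
the plugin identifiers are placeholders, not real scanner checks.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int        # 1 (low) .. 5 (most critical), from the asset inventory
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    asset: str
    plugin: str             # scanner check identifier (placeholder values here)
    cvss: float             # base score as reported by the scanner
    fix_available: bool


@dataclass
class Ticket:
    finding: Finding
    score: float
    severity: str
    due: date
    action: str


SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}   # assumed remediation SLAs

INVENTORY = {   # constructed asset inventory
    "web01": Asset("web01", 4, True),
    "db01": Asset("db01", 5, False),
    "dev-vm07": Asset("dev-vm07", 1, False),
    "printer02": Asset("printer02", 2, False),
}

SCAN_1 = """\
asset,plugin,cvss,fix_available
web01,PLUGIN-0001,9.8,yes
web01,PLUGIN-0002,5.3,yes
db01,PLUGIN-0003,7.5,yes
dev-vm07,PLUGIN-0001,9.8,yes
printer02,PLUGIN-0004,4.3,no
"""

SCAN_2 = """\
asset,plugin,cvss,fix_available
web01,PLUGIN-0002,5.3,yes
dev-vm07,PLUGIN-0001,9.8,yes
printer02,PLUGIN-0004,4.3,no
"""


def discover(scan_csv: str) -> list:
    """Discover: turn a scanner export into Finding records."""
    rows = csv.DictReader(io.StringIO(scan_csv))
    return [Finding(r["asset"], r["plugin"], float(r["cvss"]), r["fix_available"] == "yes") for r in rows]


def assess(finding: Finding, asset: Asset) -> tuple:
    """Assess: weight the scanner's severity by asset criticality and exposure (assumed formula)."""
    score = finding.cvss * asset.criticality / 5
    if asset.internet_facing:
        score *= 1.5
    score = round(min(score, 10.0), 2)
    severity = "critical" if score >= 9 else "high" if score >= 7 else "medium" if score >= 4 else "low"
    return score, severity


def report(findings: list, inventory: dict, today: date) -> list:
    """Prioritize and report: one ticket per finding, highest risk first, with an SLA due date."""
    tickets = []
    for f in findings:
        score, severity = assess(f, inventory[f.asset])
        action = "patch to fixed version" if f.fix_available else "no fix available: apply a compensating control"
        tickets.append(Ticket(f, score, severity, today + timedelta(days=SLA_DAYS[severity]), action))
    return sorted(tickets, key=lambda t: t.score, reverse=True)


def verify(tickets: list, rescan: list) -> tuple:
    """Verify: a ticket closes only when the rescan no longer reports that check on that asset."""
    still_present = {(f.asset, f.plugin) for f in rescan}
    closed = [t for t in tickets if (t.finding.asset, t.finding.plugin) not in still_present]
    still_open = [t for t in tickets if (t.finding.asset, t.finding.plugin) in still_present]
    return closed, still_open


if __name__ == "__main__":
    today = date(2024, 5, 22)
    tickets = report(discover(SCAN_1), INVENTORY, today)
    for t in tickets:
        print(f"{t.finding.asset:10} {t.finding.plugin} cvss={t.finding.cvss:<4} "
              f"score={t.score:<5} {t.severity:8} due {t.due}  {t.action}")
    closed, still_open = verify(tickets, discover(SCAN_2))
    print("closed:", [(t.finding.asset, t.finding.plugin) for t in closed])
    print("still open:", [(t.finding.asset, t.finding.plugin) for t in still_open])
```

The same check (PLUGIN-0001) appears on both web01 and dev-vm07 with the same scanner score, yet lands as critical on one and low on the other: that is the “Prioritize Assets” step, the organization’s own exposure rather than the raw scanner number driving the order and the deadline. Verification closes a ticket only on rescan evidence, not on the remediation team reporting it done.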
Operations Security
Information System Audit Consideration
The objective of this control is to minimize the impact of audit activities on operational systems
Audit requirements and activities involving verification of operational systems should be planned carefully and agreed to minimize disruption to business processes

Communication Security
Network Security Management
The objective of this control is to ensure the protection of information in networks and its supporting information processing facilities
Networks should be managed and controlled to protect information in systems and applications
Communication Security
Information Transfer
The objective of this control is to maintain the security of information transferred within an organization and with any external entity
Formal and approved transfer policies, procedures and controls should be in place to protect the transfer of information through all types of communication media
Systems Acquisition, Development and Maintenance
Security Requirements of Information Systems
The objective of this control is to ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements which provide services over public networks
Information security requirements should be included for new information systems or enhancements to existing information systems
Systems Acquisition, Development and Maintenance
Security in Development and Support Process
The objective of this control is to ensure that information security is designed and implemented within the development lifecycle of information systems
A secure development policy should be devised for the development of software and systems and applied to developments within an organization
Systems Acquisition, Development and Maintenance
Test Data
The objective of this control is to ensure the protection of data used for testing
Test data should be selected carefully, protected and controlled
Supplier Relationships
Information Security in Supplier Relationships
The objective of this control is to ensure protection of the organization’s assets that are accessible to suppliers
Information security requirements for mitigating the risks associated with suppliers’ access to the organization’s assets should be agreed with the supplier and documented
Supplier Relationships
Supplier Service Delivery Management
The objective of this control is to maintain an agreed level of information security and service delivery in line with supplier agreements
Organizations should regularly monitor, review and audit supplier service delivery
Information Security Incident Management
Management of Information Security Incidents and Improvements
The objective of this control is to ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses
Business Continuity Management
Information Security Aspects of Business Continuity
The objective of this control is to ensure that information security continuity is embedded in the organization’s business continuity management systems
The organization should determine its requirements for information security and for the continuity of information security management in adverse situations, e.g. a disaster or crisis
Business Continuity Management
Redundancies
The objective of this control is to ensure the availability of information processing facilities
Information processing facilities should be implemented with sufficient redundancy to meet availability requirements
Compliance
Compliance with Legal and Contractual Requirements
The objective of this control is to avoid breaches of legal, regulatory or contractual obligations related to information security and of any security requirements
The specific controls and individual responsibilities to meet these requirements should also be defined and documented
Compliance
Information Security Reviews
The objective of this control is to ensure that information security is implemented and operated in accordance with organizational policies and procedures
The organizational approach to manage information security and its implementation (i.e. control objectives, control policies, processes and procedures for information security) should be reviewed independently at planned intervals or when significant changes occur
Conclusion