Management System for Information Security (Ledningssystem för informationssäkerhet): 4 Risk Management Shortcuts in an ISMS. Presentation for Svensk Energi by Lars Neupart, Founder and CEO of Neupart ("The ERP of Security"). [email protected], Twitter @neupart

Page 1: Title slide
Management System for Information Security (Ledningssystem för informationssäkerhet): 4 Risk Management Shortcuts in an ISMS. Presented by Lars Neupart, Founder and CEO of Neupart, "The ERP of Security".

Page 2: About Neupart
• ISO 27001 certified company.
• Provides SecureAware®, an all-in-one ISMS solution that lets organizations automate IT governance, risk and compliance management (IT GRC).
• "The ERP of Security".
• HQ in Denmark, a subsidiary in Germany, and a 200+ customer portfolio covering a wide range of private enterprises and government agencies.

Page 3: Program
• ISMS: the new ISO 27001
• Risk Management: ISO 27005 method and guidance
• Lessons Learned: running an ISMS

Page 4: Selected ISO 2700x standards
• ISO 27000: Overview and vocabulary
• ISO 27001: Information security management systems, Requirements
• ISO 27002: Code of practice for information security management (the 2013 edition is titled "Code of practice for information security controls")
• ISO 27003: ISMS implementation guidance
• ISO 27004: Information security management, Measurement
• ISO 27005: Information security risk management
• ISO 27006: Requirements for bodies providing audit and certification of information security management systems
• ... and further standards in the series.

Page 5: How do you use ISO 27001 today? (audience poll)
1. Do not use
2. Best practice inspiration
3. We plan to comply; no certification
4. We plan to certify
5. We are certified

Page 6: What's new in the 2013 edition?
ISO 27001:2013:
• New content, new numbering of the requirements
• Still short: 9 pages of requirements for an ISMS
• Controls are still listed in Annex A, which refers to the new ISO 27002 (2013)
• Maintains a fair portion of backwards compatibility

Page 7: 2013: still risk oriented
• The first requirement in the new ISO 27001 (clause 4.1, understanding the organization and its context) refers to the enterprise risk management standard ISO 31000 for establishing the organization's internal and external context.

Page 8: ISO 31000 Enterprise Risk Management
(Diagram: the Plan, Do, Check, Act cycle.)

Page 9: How the standards layer
• Enterprise Risk Management (ISO 31000)
• Information Security Risk Management (ISO 27005)
• ISMS Requirements (ISO 27001)

Page 10: 27001 news: not only downside risks
• Clause 6.1: Actions to address risks and opportunities
• Quote from ISO 31000: "Organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. The effect this uncertainty has on an organization's objectives is 'risk'."

Page 11: Risk Owner
• The risk owner approves the risk treatment plan and accepts the residual risks.
• Note: asset ownership is formally no longer a requirement in the main clauses of ISO 27001, but it is still in the Annex A control list (A.8.1.2, Ownership of assets). In practice this is the same requirement, since you cannot credibly claim that it is not applicable.

Page 12: Increased flexibility in your choice of risk method
"The organization shall define an information security risk assessment process that:
1. establishes and maintains information security risk criteria, including the risk acceptance criteria;
2. determines the criteria for performing information security risk assessments; and
3. ensures that repeated information security risk assessments produce consistent, valid and comparable results."
(ISO 27001:2013, clause 6.1.2)

The 2005 edition prescribed an asset, threat and vulnerability based method; the 2013 edition accepts any method that satisfies these three criteria.

Page 13: "The organization shall apply an information security risk treatment process" (ISO 27001:2013, clause 6.1.3)

Page 14: Treating risks
Four treatment options: Accept, Reduce, Share, Avoid.
These are the treatment options according to ISO 27005 (and ISO 27001:2005); ISO 27005:2011 calls them risk retention, risk modification, risk sharing and risk avoidance. ISO 27001:2013 does not require these specific treatment options, but you are free to choose them.

Page 15: SoA more closely linked to risk treatment
SoA = Statement of Applicability. The 2013 risk treatment sequence:
• Select treatment options
• Determine the controls needed to implement them
• Check the determined controls against Annex A and verify that no necessary controls have been omitted
• Produce the SoA and justify exclusions AND inclusions (the justification of inclusions is new)
• It is clearly worded that you must determine all necessary controls, including ones that come from outside Annex A, e.g. formal requirements on Swedish energy companies and other regulations
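The sequence on this slide (determine controls from the treatment decisions, compare with Annex A, justify inclusions and exclusions, keep a risk owner on every treatment as page 11 requires), worked through as an added Python example. This is not code from the deck or from SecureAware. The Annex A excerpt uses real ISO 27001:2013 control identifiers but lists only a handful of them; the risk IDs, the owners and the regulation "REG-1" are constructed for illustration.

```python
"""Added example, not from the Neupart deck or from SecureAware: deriving a Statement of
Applicability from risk treatment decisions (determine the necessary controls, compare
with Annex A, justify both inclusions and exclusions, require a risk owner). The Annex A
excerpt uses real ISO 27001:2013 identifiers but only a handful of them; risk IDs, owners
and the regulation "REG-1" are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Treatment:
    risk_id: str
    option: str            # accept | reduce | share | avoid (the ISO 27005 options)
    controls: tuple = ()   # control identifiers chosen to treat the risk
    owner: str = ""        # risk owner: approves the plan and accepts the residual risk


ANNEX_A = {  # constructed excerpt; identifiers and titles are the real 2013 ones
    "A.6.2.1": "Mobile device policy",
    "A.8.1.2": "Ownership of assets",
    "A.12.2.1": "Controls against malware",
    "A.12.3.1": "Information backup",
    "A.16.1.1": "Responsibilities and procedures",
    "A.17.1.2": "Implementing information security continuity",
}
TREATMENTS = [  # constructed risk treatment plan
    Treatment("R1 malware on ERP servers", "reduce", ("A.12.2.1", "A.12.3.1"), owner="CIO"),
    Treatment("R2 minor report delay", "accept", (), owner="CFO"),
    Treatment("R3 datacenter outage", "share", ("A.17.1.2",), owner="CIO"),  # hosting contract
    Treatment("R4 lost laptops", "reduce", ()),   # defective on purpose: no controls, no owner
]
OTHER_SOURCES = {  # necessary controls that come from regulation rather than from a risk
    "A.16.1.1": "REG-1 (constructed sector regulation): incident handling",
    "REG-1-72h": "REG-1 (constructed): report incidents to the regulator within 72 hours",
}
EXCLUSIONS = {"A.6.2.1": "No mobile devices in scope (constructed justification)"}


def build_soa(annex_a, treatments, other_sources, exclusions):
    """Return (soa, findings). Every Annex A control gets a row with a justification;
    necessary controls outside Annex A are added as extra rows; gaps become findings."""
    findings, necessary = [], {}            # necessary: control id -> list of reasons
    for t in treatments:
        if not t.owner:
            findings.append(f"{t.risk_id}: no risk owner to approve the plan and accept residual risk")
        if t.option == "reduce" and not t.controls:
            findings.append(f"{t.risk_id}: option 'reduce' but no control determined")
        for c in t.controls:
            necessary.setdefault(c, []).append(f"{t.risk_id} ({t.option})")
    for c, source in other_sources.items():
        necessary.setdefault(c, []).append(source)

    soa = {}
    for c, title in annex_a.items():         # Annex A as a completeness checklist
        if c in necessary:
            soa[c] = {"title": title, "annex_a": True, "applicable": True,
                      "justification": "; ".join(necessary[c])}
        else:
            soa[c] = {"title": title, "annex_a": True, "applicable": False,
                      "justification": exclusions.get(c, "")}
            if c not in exclusions:
                findings.append(f"{c} ({title}) excluded without justification")
    for c, reasons in necessary.items():
        if c not in annex_a:                 # Annex A is a checklist, not a ceiling
            soa[c] = {"title": c, "annex_a": False, "applicable": True,
                      "justification": "; ".join(reasons)}
    return soa, findings
```

The check is deliberately two-sided: an Annex A control left out without a written reason is a finding, and so is a "reduce" treatment that names no control or has no risk owner. The regulatory reporting control ends up in the SoA although Annex A never lists it, which is the "determine all necessary controls" point above.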

Page 16: Oh, what happened to PDCA?
Plan - Do - Check - Act is still there. It is now called continual improvement and is integrated into the content of the clauses.

Page 17: Program (section divider; same agenda as page 3, next section: Risk Management, ISO 27005 method and guidance)

Page 18: What is ISO 27005?
A threat-based risk management guidance.

Page 19: IT Risk Management - Explained (diagram)
Risk prioritization is derived from incident likelihood and incident consequence:
• Incident likelihood comes from threat frequency and is reduced by preventive measures (proactive security): IT security policy, compliance and awareness, change management, operating procedures, access control, monitoring, system redundancy, firewall, antivirus.
• Incident consequence comes from threat effect and is reduced by corrective measures (reactive security): IT service continuity teams, IT service continuity strategy, IT service continuity plans, disaster recovery procedures, emergency operations, flexibility, standby equipment, virtualization, backup.

Page 20: Threats

Page 21: Not all assets burn (hint: link your threats to asset types)

Page 22: Vulnerability and control environment assessment
The slide arranges controls in a grid: administrative versus physical/technical measures on one axis, preventive versus corrective measures on the other. Examples shown: firewalls, antivirus, server clusters, RAID, backup/restore, standby equipment, virtualization, security policy, system documentation, awareness, compliance checks, alarm system, fire suppression, logging, change management, IT service continuity plan, disaster recovery procedures, business continuity strategy, redundancy, access control system, standby site, server snapshots, monitoring.
Recommendation: base assessments on a maturity level scale.
Assess how well your controls address the relevant threats.

Page 23: Assets: dependency hierarchy
Business impact values are inherited downwards; vulnerability values are inherited upwards.
Example hierarchy (top to bottom):
• Finance (business process)
• ERP (IT service)
• Dynamics AOS (business system)
• Finance DB (database)
• Server 01 and Server 02 (virtual servers)
• Two HP DL380 hardware units
• SAN 01 (data storage)
• Oslo datacenter

Page 24: Business Impact Assessment
ISO 27005: estimate the business impact of breaches of confidentiality, integrity and availability (CIA)
• in financial terms: revenue, cash flow, costs, liabilities
• in non-financial terms: image, non-compliance, competitiveness, service level

Page 25: Comparing ISO 27005 and NIST SP 800-30
(Rows are aligned by sequence of steps, not as strict one-to-one equivalents.)

ISO 27005                            | NIST SP 800-30
-------------------------------------|-----------------------------
Context establishment                | -
Identification of assets             | System characterization
Identification of threats            | Threat identification
Identification of existing controls  | Vulnerability identification
Identification of vulnerabilities    | Control analysis
Identification of consequences       | -
Assessment of consequences           | Likelihood determination
Assessment of incident likelihood    | Impact analysis
Risk estimation                      | Risk determination
Risk evaluation                      | -
Risk treatment                       | Control recommendations
Risk acceptance                      | -
Risk communication                   | Results documentation

Page 26: Program (section divider; same agenda as page 3, next section: Lessons Learned, running an ISMS)

Page 27: How to make an ISMS efficient?
Sharing our ISO 27001 ISMS lessons learned.

Page 28: (no text content)

Page 29: Our most important lesson
Our mistake over 9 years:
• Our ISMS grew too big
• High on maintenance
• Harder to comply with
Better to simplify than to add (simple does not always mean easy).

Page 30: Neupart's 4 responsible shortcuts (they also apply to the 2013 edition)
1: Not all assets. Assess your most important assets first (you can add more later).
2: Not all threats. Do not apply the complete threat catalogue to each of your assets (the relevant threats depend on the asset type).
3: Inheritance. Use asset dependencies / hierarchy: business impact values inherit downwards, vulnerability scores inherit upwards.
4: Fewer assessments. Make an overall assessment first and refine later. Example: assess threats combined first, individually later.
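The four shortcuts, together with the likelihood/consequence model of the "IT Risk Management - Explained" diagram (page 19), the threat-to-asset-type linking (page 21), the maturity-based control assessment (page 22) and the dependency hierarchy (page 23), as one added Python example. It is not code from the deck or from SecureAware; the asset, threat and control names follow the slides loosely, while the scales, threat frequencies and maturity values are constructed. Assumed conventions: business impact and threat frequency on a 1..5 scale, control maturity on 0..5, likelihood = frequency reduced by the average maturity of the preventive controls, consequence = inherited impact reduced by the average maturity of the corrective controls, risk = likelihood × consequence.

```python
"""Added example, not from the Neupart deck or from SecureAware: a small risk model that
implements the deck's four shortcuts and the likelihood/consequence split of the
'IT Risk Management - Explained' diagram. Names follow the slides loosely; all scales
and numbers are constructed (impact and frequency 1..5, control maturity 0..5)."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Threat:
    name: str
    asset_types: frozenset   # shortcut 2: the threat is only assessed on these asset types
    frequency: int           # 1..5 (constructed)
    preventive: tuple = ()   # controls that reduce likelihood
    corrective: tuple = ()   # controls that reduce consequence

@dataclass
class Asset:
    name: str
    asset_type: str
    depends_on: list = field(default_factory=list)   # supporting assets (the level below)
    own_impact: int = 0                              # BIA value, set on business assets only
    controls: dict = field(default_factory=dict)     # control name -> maturity 0..5

THREATS = [  # constructed catalogue: "not all assets burn", so Fire is linked to datacenters only
    Threat("Fire", frozenset({"Datacenter"}), 1, ("Fire Suppression",), ("Standby Site",)),
    Threat("Hardware failure", frozenset({"Hardware unit", "Data storage"}), 3,
           ("Monitoring",), ("RAID", "Standby Equipment")),
    Threat("Malware", frozenset({"Virtual Server", "Business system"}), 4,
           ("Antivirus", "Awareness"), ("Server snapshots", "Backup/Restore")),
    Threat("Unauthorised access", frozenset({"Database", "Business system"}), 3,
           ("Access Control System", "Logging"), ("Backup/Restore",)),
]

def _maturity(asset, control_names):
    """Average maturity of the named controls on this asset; a missing control counts as 0."""
    if not control_names:
        return 0.0
    return sum(asset.controls.get(c, 0) for c in control_names) / len(control_names)

def inherit_impact(top_assets):
    """Shortcuts 1 and 3: walk only the subtree of the selected top assets, carrying the
    largest business impact downwards. Returns (assets by name, effective impact by name)."""
    assets, impact = {}, {}
    def walk(asset, inherited):
        value = max(asset.own_impact, inherited)
        if impact.get(asset.name, -1) >= value:
            return                      # already visited with an impact at least this high
        assets[asset.name], impact[asset.name] = asset, value
        for dep in asset.depends_on:
            walk(dep, value)
    for top in top_assets:
        walk(top, 0)
    return assets, impact

def assess(top_assets):
    """One row per (asset, relevant threat), sorted by risk: the prioritisation list."""
    assets, impact = inherit_impact(top_assets)
    rows = []
    for name, asset in assets.items():
        for t in THREATS:
            if asset.asset_type not in t.asset_types:
                continue                # shortcut 2: skip threats irrelevant to this asset type
            likelihood = t.frequency * (1 - _maturity(asset, t.preventive) / 5)
            consequence = impact[name] * (1 - _maturity(asset, t.corrective) / 5)
            rows.append({"asset": name, "threat": t.name, "likelihood": round(likelihood, 2),
                         "consequence": round(consequence, 2), "risk": round(likelihood * consequence, 2)})
    return sorted(rows, key=lambda r: -r["risk"])

def rollup(asset, rows):
    """Shortcut 3 upwards: a service's overview per threat is the worst row in its subtree."""
    subtree = inherit_impact([asset])[0]
    out = {}
    for r in rows:
        if r["asset"] in subtree:
            out[r["threat"]] = max(out.get(r["threat"], 0), r["risk"])
    return out

def overview(rows):
    """Shortcut 4: one combined number per asset (its worst threat) first; refine later."""
    out = {}
    for r in rows:
        out[r["asset"]] = max(out.get(r["asset"], 0), r["risk"])
    return out

def sample_hierarchy():
    """Constructed hierarchy modelled on the slide: process -> service -> system -> DB -> VMs -> HW/SAN -> DC."""
    dc = Asset("Oslo Datacenter", "Datacenter", controls={"Fire Suppression": 4, "Standby Site": 1})
    san = Asset("SAN 01", "Data storage", [dc], controls={"Monitoring": 3, "RAID": 5, "Standby Equipment": 2})
    hw1 = Asset("HP DL380 #1", "Hardware unit", [dc], controls={"Monitoring": 3, "Standby Equipment": 4})
    hw2 = Asset("HP DL380 #2", "Hardware unit", [dc], controls={"Monitoring": 3, "Standby Equipment": 4})
    vm = {"Antivirus": 4, "Awareness": 2, "Server snapshots": 5}
    srv1 = Asset("Server 01", "Virtual Server", [hw1, san], controls=vm)
    srv2 = Asset("Server 02", "Virtual Server", [hw2, san], controls=vm)
    db = Asset("Finance DB", "Database", [srv2], controls={"Access Control System": 3, "Logging": 2, "Backup/Restore": 4})
    aos = Asset("Dynamics AOS", "Business system", [srv1, db], controls={"Antivirus": 4, "Awareness": 2,
                "Access Control System": 3, "Logging": 2, "Backup/Restore": 4})
    erp = Asset("ERP", "IT Service", [aos], own_impact=4)
    return Asset("Finance", "Business Process", [erp], own_impact=5)
```

Usage: `rows = assess([sample_hierarchy()])` gives the prioritised register; with the constructed numbers the top entry is malware on Dynamics AOS, because that system has no snapshots to recover from, while the datacenter fire lands near the bottom thanks to fire suppression. `rollup(erp, rows)` is the service-level risk overview and shows the upward inheritance: the fire and hardware risks of the supporting assets appear on the ERP service, with the ERP's inherited impact of 5 rather than its own value of 4. Fire is assessed exactly once, on the datacenter, which is the point of shortcut 2.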

Page 31: Keep it simple
Risk Management = Risk Assessments + Risk Treatment

Page 32: Risk Management
• Risk owner
• (Assets)
• Threats
• Business impact assessment
• Vulnerability assessment
• Reporting and evaluating
• Treating (accept, reduce, share, avoid)

Page 33: Webinar for EBITS members
• Hands-on risk assessment demo for EBITS members, December 5, 14:00. https://attendee.gotowebinar.com/register/4824545226932596993
• Other educational webinars are at www.neupart.se/evenemang: Risk Management (risk assessments, risk treatment); Compliance Management (ISO 27001 and regulations)

Page 34: INFORMATION SECURITY MANAGEMENT

Page 35: Extra examples

Page 36: SecureAware ISMS, main features
• IT Risk Management: risk treatment management; business impact assessment; visual asset management; vendor risk assessment; cloud service provider assessment; risk reporting
• IT Disaster Recovery / BCP: ISO 22301 / BS 25999; templates; IT service continuity plans; disaster recovery plans; business continuity plans; workflow to update, test and practice your plans; access your data with or without SecureAware
• ISO 27001: policy management; compliance mapping; workflow management; continual improvement process (PDCA); internal audit; phishing test and awareness quizzes; data protection

Page 37: SecureAware Risk Management

Page 38: Example: threat catalogue (Exempel: Hotkatalog)

Page 39: Example: vulnerability assessment (Exempel: Sårbarhetsutvärdering)

Page 40: Example: business impact assessment (Exempel: Business Impact Assessment)

Page 41: Example: risk overview (Exempel: Risköversikt)

Page 42: Example: risk treatment (Exempel: Riskhantering)

Page 43: Webinar for EBITS members (repeat of page 33)