Page 1

Focused on Security. Committed to Success.

Implementing a Security Framework Based on ISO/IEC 27002

Presented by: Michael Leung, CGEIT, CISM, CISA, CISSP-ISSMP
Date: February 24, 2011

Source: online.aoi.edu.au/documents/1307891123Learning_resource_2.pdf

Page 2

Table of Contents: Implementing a Security Framework based on ISO/IEC 27002

• Sections of ISO/IEC 27002 Code of Practice
• ISO 27002 Scope of Assessment
• Maturity Model
• Policy Framework & Governance
• Benchmarking & Comparison
• The Start of the Journey
• The Next Steps
• Information Security Job Practice

Page 3

Sections of ISO/IEC 27002 Code of Practice

0 Introduction
1 Scope
2 Terms and Definitions
3 Structure of this Standard
4 Risk Assessment and Treatment
5 Security Policy
6 Organization of Information Security
7 Asset Management
8 Human Resource Security
9 Physical and Environmental Security
10 Communications and Operations Management
11 Access Control
12 Information Systems Acquisition, Development and Maintenance
13 Information Security Incident Management
14 Business Continuity Management
15 Compliance

Page 4

ISO 27002 Scope of Assessment (Sections of ISO/IEC 27002 Code of Practice)

0 Introduction
1 Scope
2 Terms and Definitions
3 Structure of this Standard
4 Risk Assessment and Treatment
5 Security Policy
6 Organization of Information Security
7 Asset Management
8 Human Resource Security
9 Physical and Environmental Security
10 Communications and Operations Management
11 Access Control
12 Information Systems Acquisition, Development and Maintenance
13 Information Security Incident Management
14 Business Continuity Management
15 Compliance

Page 5

Maturity Model (ref: COBIT 4.1)

Page 6

Maturity Model (ref: COBIT 4.1 Appendix)

Maturity Level | ISO Maturity Level | Status of the Internal Control Environment

0 - Non-existent: There is no recognition of the need for internal control. Control is not part of the organization's culture or mission. There is a high risk of control deficiencies and incidents.
ISO maturity 0-1: Practice not yet in existence.

1 - Initial/ad hoc: There is some recognition of the need for internal control. The approach to risk and control requirements is ad hoc and disorganized, without communication or monitoring. Deficiencies are not identified. Employees are not aware of their responsibilities.
ISO maturity 1-2: Practice does not fully achieve ISO objectives; however, efforts are underway.

2 - Repeatable but Intuitive: Controls are in place but are not documented. Their operation is dependent on knowledge and motivation of individuals. Effectiveness is not adequately evaluated. Many control weaknesses exist and are not adequately addressed; the impact can be severe. Management actions to resolve control issues are not prioritized or consistent. Employees may not be aware of their responsibilities.
ISO maturity 2-3: Practice achieves ISO objectives; however, the program isn't documented or universally effective or understood.

3 - Defined: Controls are in place and are adequately documented. Operating effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the evaluation process is not documented. Whilst management is able to deal predictably with most control issues, some control weaknesses persist and impacts could still be severe. Employees are aware of their responsibilities for control.
ISO maturity 3-4: Practice achieves and documents ISO objectives; however, the program isn't universally effective or understood.

4 - Managed & Measurable: There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of technology is applied to automate controls.
ISO maturity 4-5: Practice achieves ISO objectives, is documented and is universally effective and understood.

5 - Optimized: An enterprise wide risk and control program provides continuous and effective control and risk issues resolution. Internal control and risk management are integrated with enterprise practices, supported with automated real-time monitoring with full accountability for control monitoring, risk management and compliance enforcement. Control evaluation is continuous, based on self-assessments and gap and root cause analyses. Employees are proactively involved in control improvements.

Page 7

Policy Framework & Governance

Information Security Corporate Policy (For Board Approval)
Information Security Management Policy & Framework

Information Security Corporate Policy, Table of Contents:
A. Organization of Information Security
B. Asset Management
C. Human Resources
D. Physical & Environmental Security
E. Communications & Operations Management
F. Access Control
G. Information System Acquisition, Development & Maintenance
H. Information Security Incident Management
I. Business Continuity Management
J. Compliance

Page 8

Policy Framework & Governance

Corporate Policies provide the Framework and Governance of Information Security.

Corporate Policies: delegation of authority from the Board of Directors to Management at the executive level. The high level statement of management's intent, expectations and direction.

Directives: support the Corporate Policies by providing more focused, detailed information.

Standards: the metrics forming a technical requirement that must be met in order to meet the terms of the Corporate Policy.

Guidelines: contain information that will be helpful in executing the procedures.

Procedures: step by step instructions.

Hierarchy and approval levels shown in the diagram: Corporate Policy (Board Approval); Directives; Operational Level "policies" or standards (Sr. Exec Committee or other approval); Operational Level procedures or guidelines.

Page 9

Policy Framework & Governance

Information Security Corporate Policy: Table of Contents

Page 10

Ratings for Benchmarking & Comparison

ISO Maturity Model Ratings:
• Policy
• People
• Process
• Technology

Page 11

Ratings for Benchmarking & Comparison

Page 12

Ratings for Benchmarking & Comparison

A. Organization of Information Security – x.x
B. Asset Management – x.x
C. Human Resources Security – x.x
D. Physical & Environmental Security – x.x
E. Communications & Operations Management – x.x
F. Access Control – x.x
G. Information Systems Acquisition, Development & Maintenance – x.x
H. Information Security Incident Management – x.x
I. Business Continuity Management – x.x
J. Compliance – x.x

Page 13

Return on Security Posture Investment (ROSPI) Methodology

Internet Security Alliance, July 2002 / Data from Dr. William M. Hancock

Page 14

The Start of the Journey

• Addressing Other Audits & Assessments
• Assessment of Scope – Risk Registrar
• Risk Assessment & Treatment
• Tracking & Reporting

Page 15

Addressing Other Audits & Assessments

Page 16

Addressing Other Audits & Assessments

Page 17

Assessment of Scope – Risk Registrar

Page 18

Assessment of Scope – Risk Registrar

Risk Assessment & Treatment

4.1 Assessing Security Risks
Risk assessments should identify, quantify, and prioritize risks against criteria for risk acceptance and objectives relevant to the organization.

4.2 Treating Security Risks
Before considering the treatment of a risk, the organization should decide criteria for determining whether or not risks can be accepted. Risks may be accepted if, for example, it is assessed that the risk is low or that the cost of treatment is not cost-effective for the organization. Such decisions should be recorded.

Page 19

Risk Assessment & Treatment

Residual Risk Rating = Consequence x Likelihood
Low: < 5
Med: >= 5 to < 10
High: >= 10

CONSEQUENCE: the impact on the objectives if the risk occurs.

Level | Descriptor | Monetary Impact | Operational Efficiency Impact (incl. Regulatory & Member) | Reputation Impact | Employee Impact

5 Catastrophic
  Monetary: Would have significant financial consequences: compromising quality of balance sheet and ability to address capital adequacy requirements.
  Operational: Would have significant and prolonged impact on operations. Processes are irreconcilable resulting in undeliverable customer service.
  Reputation: Key Stakeholders (Members/Vendors) lose confidence in Coast's ability to deliver with low likelihood of regaining trust.
  Employee: Would result in the unexpected loss of multiple (key) staff including executive.

4 Major
  The consequences would threaten continued effective provision of services and require top-level management intervention.

3 Moderate
  Monetary: Would have some financial consequences: threatening budgeted net income, medium term earnings and planned capital expenditures.
  Operational: Would have some impact on operations. Processes would be suspended resulting in delayed delivery of customer service.
  Reputation: Some stakeholders would lose trust in Coast and likely have some media attention.
  Employee: Would result in the unexpected loss of some (key) staff and have an impact on morale.

2 Minor
  The consequences would impact the efficiency or effectiveness of some services, but could be dealt with internally.

1 Insignificant
  Monetary: Would not have material financial consequence: impacts/losses could be absorbed in departmental budgets.
  Operational: Would have little impact on operations. Processes would be slightly delayed although no delay in delivery of customer service.
  Reputation: Few stakeholders, if any, would be aware of the incident.
  Employee: Would have negligible impact on staff.

LIKELIHOOD: the probability that a risk event will occur, given current controls in place.

Level | Descriptor | Description
5 Almost Certain: For a pre-defined period of time (e.g. 24 months), the risk event is expected to occur >80% of the time.
4 Likely: For a pre-defined period of time (e.g. 24 months), the risk event is expected to occur >60% of the time.
3 Possible: For a pre-defined period of time (e.g. 24 months), the risk event is expected to occur >30% and <60% of the time.
2 Unlikely: For a pre-defined period of time (e.g. 24 months), the risk event is expected to occur <30% of the time.
1 Rare: For a pre-defined period of time (e.g. 24 months), the risk event is expected to occur <10% of the time.
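The rating rule on this slide (Residual Risk Rating = Consequence x Likelihood, banded Low < 5, Med >= 5 to < 10, High >= 10) applied to a small risk register, as an added Python example that is not part of the presentation: it scores entries on the 1..5 scales above, shows that the boundary scores 5 and 10 fall into the higher band, builds the full 5x5 heat map of bands, prioritises register entries by residual risk, and records the accept-or-treat decision that section 4.2 asks for. The register field layout, the sample entries and the acceptance criterion (only Low-band residual risk is accepted without treatment) are assumptions made for this example.

```python
"""Residual risk scoring for a risk register.

Added example, not code from the presentation. It implements the slide's rule
Residual Risk Rating = Consequence x Likelihood with the bands Low < 5,
Med >= 5 and < 10, High >= 10, over the 1..5 consequence and likelihood scales.
The RiskEntry layout, the sample register and the acceptance criterion are
assumptions.
"""
from dataclasses import dataclass

# 1..5 descriptors from the slide's consequence and likelihood tables
CONSEQUENCE = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost Certain"}


def residual_risk_rating(consequence: int, likelihood: int) -> int:
    """Consequence x Likelihood; both inputs must be on the 1..5 scale."""
    for name, value in (("consequence", consequence), ("likelihood", likelihood)):
        if value not in range(1, 6):
            raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return consequence * likelihood


def rating_band(score: int) -> str:
    """Band cut-offs from the slide; the boundaries 5 and 10 belong to the higher band."""
    if score >= 10:
        return "High"
    if score >= 5:
        return "Med"
    return "Low"


def rating_matrix() -> dict:
    """Heat map: (consequence, likelihood) -> band for every cell of the 5x5 grid."""
    return {(c, lk): rating_band(residual_risk_rating(c, lk))
            for c in CONSEQUENCE for lk in LIKELIHOOD}


@dataclass(frozen=True)
class RiskEntry:
    """One row of the risk register (field layout is an assumption)."""
    risk_id: str
    description: str
    consequence: int   # impact if the risk occurs, 1..5
    likelihood: int    # probability given current controls, 1..5

    @property
    def score(self) -> int:
        return residual_risk_rating(self.consequence, self.likelihood)

    @property
    def band(self) -> str:
        return rating_band(self.score)


def prioritize(register: list) -> list:
    """Highest residual risk first; ties broken by consequence, then id, for stable reports."""
    return sorted(register, key=lambda r: (-r.score, -r.consequence, r.risk_id))


def needs_treatment(entry: RiskEntry, accepted_bands=("Low",)) -> bool:
    """Section 4.2: the organization sets its acceptance criteria and records each decision.
    Assumed criterion: only Low-band residual risk is accepted without treatment."""
    return entry.band not in accepted_bands


def band_counts(register: list) -> dict:
    """Number of register entries in each band, for tracking and reporting."""
    counts = {"Low": 0, "Med": 0, "High": 0}
    for entry in register:
        counts[entry.band] += 1
    return counts


# Constructed sample register; the entries are illustrative, not from the presentation.
SAMPLE_REGISTER = [
    RiskEntry("R-01", "Shared administrative accounts on a core platform", 5, 3),
    RiskEntry("R-02", "Remote-access gateway behind on vendor patches", 4, 4),
    RiskEntry("R-03", "Backup media transported without encryption", 4, 1),
    RiskEntry("R-04", "No secure-coding standard for in-house web applications", 3, 3),
    RiskEntry("R-05", "Visitor badges not collected at exit", 1, 5),
    RiskEntry("R-06", "Desktop hardening guideline out of date", 1, 2),
]

if __name__ == "__main__":
    for entry in prioritize(SAMPLE_REGISTER):
        decision = "treat" if needs_treatment(entry) else "accept (record decision)"
        print(f"{entry.risk_id} score={entry.score:>2} {entry.band:<4} "
              f"{CONSEQUENCE[entry.consequence]}/{LIKELIHOOD[entry.likelihood]}: {decision}")
    print(band_counts(SAMPLE_REGISTER))
```

The heat map is worth printing once when adopting this scale: an Insignificant consequence combined with an Almost Certain likelihood (1 x 5 = 5) already lands in Med, while a Minor consequence at Almost Certain (2 x 5 = 10) is High, so the bands are not symmetric around the diagonal and a register that only looks at consequence will under-report.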

Page 20

Tracking & Reporting

Page 21

Tracking & Reporting

Page 22

Tracking & Reporting

Page 23

The Next Steps…

Page 24

...The Next Steps

"The @*%!'s chess, it ain't checkers!"
- Alonzo Harris (Denzel Washington)

Page 25

The Next Steps…

Page 26

The Next Steps – Program Development

Page 27

Information Security Job Practice

Domain 1: Information Security Governance
Establish and maintain a framework to provide assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations.

• Develop an information security strategy aligned with business goals and objectives.
• Align information security strategy with corporate governance.
• Develop business cases justifying investment in information security.
• Identify current and potential legal and regulatory requirements affecting information security.
• Identify drivers affecting the organization (e.g., technology, business environment, risk tolerance, geographic location) and their impact on information security.
• Obtain senior management commitment to information security.
• Define roles and responsibilities for information security throughout the organization.
• Establish internal and external reporting and communication channels that support information security.

Page 28

Information Security Job Practice

Domain 2: Information Risk Management
Identify and manage information security risks to achieve business objectives.

• Establish a process for information asset classification and ownership.
• Implement a systematic and structured information risk assessment process.
• Ensure that business impact assessments are conducted periodically.
• Ensure that threat and vulnerability evaluations are performed on an ongoing basis.
• Identify and periodically evaluate information security controls and countermeasures to mitigate risk to acceptable levels.
• Integrate risk, threat and vulnerability identification and management into life cycle processes (e.g., development, procurement and employment life cycles).
• Report significant changes in information risk to appropriate levels of management for acceptance on both a periodic and event-driven basis.

Page 29

Information Security Job Practice

Domain 3: Information Security Program Development
Create and maintain a program to implement the information security strategy.

• Develop and maintain plans to implement the information security strategy.
• Specify the activities to be performed within the information security program.
• Ensure alignment between the information security program and other assurance functions (e.g., physical, HR, quality, IT).
• Identify internal and external resources (e.g., finances, people, equipment, systems) required to execute the information security program.
• Ensure the development of information security architectures (e.g., people, processes, technology).
• Establish, communicate and maintain information security policies that support the security strategy.
• Design and develop a program for information security awareness, training and education.
• Ensure the development, communication and maintenance of standards, procedures and other documentation (e.g., guidelines, baselines, codes of conduct) that support information security policies.
• Integrate information security requirements into the organization's processes (e.g., change control, mergers and acquisitions) and life cycle activities (e.g., development, employment, procurement).
• Develop a process to integrate information security controls into contracts (e.g., with joint ventures, outsourced providers, business partners, customers, third parties).
• Establish metrics to evaluate the effectiveness of the information security program.

Page 30

Information Security Job Practice

Domain 4: Information Security Program Management
Oversee and direct information security activities to execute the information security program.

• Manage internal and external resources (e.g., finances, people, equipment, systems) required to execute the information security program.
• Ensure that processes and procedures are performed in compliance with the organization's information security policies and standards.
• Ensure that the information security controls agreed to in contracts (e.g., with joint ventures, outsourced providers, business partners, customers, third parties) are performed.
• Ensure that information security is an integral part of the systems development process.
• Ensure that information security is maintained throughout the organization's processes (e.g., change control, mergers and acquisitions) and life cycle activities (e.g., development, employment, procurement).
• Provide information security advice and guidance (e.g., risk analysis, control selection) to the organization.
• Provide information security awareness, training and education to stakeholders (e.g., business process owners, users, information technology).
• Monitor, measure, test and report on the effectiveness and efficiency of information security controls and compliance with information security policies.
• Ensure that noncompliance issues and other variances are resolved in a timely manner.

Page 31

Information Security Job Practice

Domain 5: Incident Management & Response
Plan, develop and manage a capability to detect, respond to and recover from information security incidents.

• Develop and implement processes for detecting, identifying, analyzing and responding to information security incidents.
• Establish escalation and communication processes and lines of authority.
• Develop plans to respond to and document information security incidents.
• Establish the capability to investigate information security incidents (e.g., forensics, evidence collection and preservation, log analysis, interviewing).
• Develop a process to communicate with internal parties and external organizations (e.g., media, law enforcement, customers).
• Integrate information security incident response plans with the organization's Disaster Recovery (DR) and Business Continuity Plan (BCP).
• Organize, train and equip teams to respond to information security incidents.
• Periodically test and refine information security incident response plans.
• Manage the response to information security incidents.
• Conduct reviews to identify causes of information security incidents, develop corrective actions and reassess risk.

Page 32

CISM: Information Security Job Practice

• The CISM certification program is developed specifically for experienced information security managers and those who have information security management responsibilities.
• The management-focused CISM is a unique certification for individuals who design, build and manage enterprise information security programs. The CISM certification promotes international practices, and individuals earning the CISM become part of an elite peer network, attaining a one-of-a-kind credential.

ISACA Vancouver Chapter Current Statistics: Members: 402; CGEIT: 9; CRISC: 19; CISA: 234; CISM: 41

Page 33

Thank You!

Michael Leung, CGEIT, CISM, CISA, CISSP-ISSMP
Senior Manager, Information Security, Coast Capital Savings, www.coastcapitalsavings.com
Vice President, ISACA Vancouver Chapter, www.isaca-vancouver.org
[email protected]