ISO 27002 Control and Metrics based on NIST - Angelfire · XLS file · Web view · 2012-01-24

05/08/2023 - 14:49:55 © Carlos Ormella Meyer iso 27002 metrics - 1 of 17

ISO 27002 CONTROLS VS. NIST CONTROLS AND DETERMINATION OF ISO 27002 METRICS © Carlos Ormella Meyer

Introduction

While NIST uses controls other than those of ISO 27002, NIST 800-53r1 Appendix G provides a mapping from NIST controls to the controls of other standards, such as those of ISO 27002.

Based on that mapping we prepared a table (*) with the reverse mapping, that is, each ISO 27002 control has been linked to one or more NIST controls.

Then we extended the mapping table by collecting the corresponding NIST metrics, as found in NIST 800-55 Appendix A.

Keep in mind that the metrics set forth in NIST 800-55 are not defined for every control but for the whole family or group concerned. Therefore the application of a metric should be discussed with attention to the details of each NIST 800-53r1 control (page 42 et seq.), taking into account the concepts of the corresponding ISO 27002 control.

Finally, appropriate metrics for each ISO 27002 control could be determined by reviewing the metrics of the mapped NIST controls (marking each as acceptable or not, or adding comments). Furthermore, some additional metrics could be derived from an analysis of the ISO 27002 controls applying GQM (Goal Question Metric).

(*) The table that follows is an extract of the document we have used in our projects, which in turn is a practical exercise that attendees of the Workshop Seminar on "Metrics for Information Security", and of similar seminars given regularly in different Latin American countries, are invited to extend and complete.

METRICS TABLE - © Carlos Ormella Meyer

| ISO Ctrl. | ISO 27002 Control Name | NIST Ctrl. | NIST Control Name | NIST Metrics/Measures | ISO 27002 Control Metrics |
|---|---|---|---|---|---|
| 5.1.1 | Information Security Policy Document | AT-1 | Security Awareness and Training Policy and Procedures | 1) % of total required policies, procedures, awareness and training that have been developed | |
| | | CP-1 | Contingency Planning Policy and Procedures | 2) % of the total required Contingency Policy implementation procedures have been developed | |

| 5.1.2 | Review of Information Security Policy | N/A | N/A | N/A | 1) Frequency of reviews by security management 2) Frequency of security policy reviews |
| 6.1.1 | Management Commitment to information security | PL-1 | Security Planning Policy and Procedures | 1) % of the total required security policy and security planning procedures have been developed | |
| | | PL-2 | System Security Plan | | |
| | | PL-3 | System Security Plan Update | | |
| 6.1.2 | Information security Co-ordination | PL-1 | Security Planning Policy and Procedures | | |
| | | PL-2 | System Security Plan | | |
| | | PL-3 | System Security Plan Update | | |
| 6.1.3 | Allocation of information security Responsibilities | PL-1 | Security Planning Policy and Procedures | | |
| | | PL-2 | System Security Plan | | |
| | | PL-3 | System Security Plan Update | | |
| 6.1.4 | Authorization process for Information Processing facilities | AC-20 | Personally Owned Information Systems | | |
| | | CA-1 | Certification, Accreditation, and Security Assessment Policies and Procedures | | |
| | | PL-1 | Security Planning Policy and Procedures | | |
| | | PL-2 | System Security Plan | | |
| | | PL-3 | System Security Plan Update | | |
| 6.1.5 | Confidentiality agreements | PL-1 | Security Planning Policy and Procedures | | |
| | | PL-2 | System Security Plan | | |
| | | PL-3 | System Security Plan Update | | |
| | | PS-6 | Access Agreements | | |
| 6.1.6 | Contact with authorities | IR-4 | Incident Handling | | |
| | | IR-6 | Incident Reporting | | |

| 6.1.6 (cont.) | Contact with authorities | PL-1 | Security Planning Policy and Procedures | | |
| | | PL-2 | System Security Plan | | |
| | | PL-3 | System Security Plan Update | | |
| 6.1.7 | Contact with special interest groups | AT-5 | Contacts with Security Groups and Associations | | |
| | | PL-1 | Security Planning Policy and Procedures | | |
| | | PL-2 | System Security Plan | | |
| | | PL-3 | System Security Plan Update | | |
| | | SI-5 | Security Alerts and Advisories | | |
| 6.1.8 | Independent review of information security | CA-2 | Security Assessments | | |
| | | PL-1 | Security Planning Policy and Procedures | | |
| | | PL-2 | System Security Plan | | |
| | | PL-3 | System Security Plan Update | | |
| 6.2.1 | Identification of risk related to external parties | PS-7 | Third-party Personnel Security | | |
| | | RA-3 | Risk Assessment | | |
| | | SA-9 | Outsourced Information System Service | | |
| 6.2.2 | Addressing security when dealing with customers | AC-2 | Account Management | | |
| | | IR-6 | Incident Reporting | | |
| 6.2.3 | Addressing security in third party agreements | AC-2 | Account Management | | |
| | | AT-2 | Security Awareness | | |
| | | IR-6 | Incident Reporting | | |
| | | MA-5 | Maintenance Personnel | | |
| | | PS-7 | Third-party Personnel Security | | |
| | | SA-9 | Outsourced Information System Service | | |
| 7.1.1 | Inventory of assets | CM-2 | Baseline Configuration and System Component Inventory | | |
| 7.1.2 | Ownership of Assets | N/A | N/A | | |

| 7.1.3 | Acceptable use of assets | PL-4 | Rules of Behavior | | |
| 7.2.1 | Classification Guidelines | RA-2 | Security Categorization | | |
| 7.2.2 | Information Labeling and Handling | AC-15 | Automated Marking | | |
| | | AC-16 | Automated Labeling | | |
| | | MP-3 | Media Labeling | | |
| | | SC-16 | Transmission of Security Parameters | | |
| 8.1.1 | Roles and Responsibilities | PS-1 | Personnel Security Policy and Procedures | | |
| | | PS-7 | Third-party Personnel Security | | |
| 8.1.2 | Screening | PS-2 | Position Categorization | | |
| | | PS-3 | Personnel Screening | | |
| | | PS-7 | Third-party Personnel Security | | |
| 8.1.3 | Terms and conditions of employment | PL-4 | Rules of Behavior | | |
| | | PS-4 | Personnel Termination | | |
| | | PS-6 | Access Agreements | | |
| | | PS-7 | Third-party Personnel Security | | |
| 8.2.1 | Management Responsibility | PS-7 | Third-party Personnel Security | | |
| 8.2.2 | Information security awareness, education and training | AT-1 | Security Awareness and Training Policy and Procedures | 1) % of total required policies, awareness and training procedures that have been developed | 1) No, it does not fit well with control 8.2.2 2) OK 3) OK 4) OK 5) % of total staff who are taught security awareness 6) Frequency of update of training plans |
| | | AT-2 | Security Awareness | 2) % of total staff who are taught security awareness before being allowed access to systems | |
| | | AT-3 | Security Training | 3) % of total staff with significant roles and responsibilities who have received security training before being allowed access to systems | |
| | | PS-7 | Third-party Personnel Security | 4) % of total information system service providers for which security requirements, including roles and responsibilities, have been established | |

| 8.2.3 | Disciplinary process | PS-8 | Personnel Sanctions | | |
| 8.3.1 | Termination responsibility | PS-4 | Personnel Termination | | |
| | | PS-5 | Personnel Transfer | | |
| 8.3.2 | Return of assets | PS-4 | Personnel Termination | | |
| 8.3.3 | Removal of access rights | AC-2 | Account Management | | |
| | | PS-4 | Personnel Termination | | |
| | | PS-5 | Personnel Transfer | | |
| 9.1.1 | Physical security Perimeter | PE-3 | Physical Access Control | | |
| 9.1.2 | Physical entry controls | PE-2 | Physical Access Authorizations | | |
| | | PE-3 | Physical Access Control | | |
| | | PE-5 | Access Control for Display Medium | | |
| | | PE-6 | Monitoring Physical Access | | |
| | | PE-7 | Visitor Control | | |
| | | PE-8 | Access Logs | | |
| 9.1.3 | Securing offices, rooms and facilities | N/A | N/A | | |
| 9.1.4 | Protecting against external and environmental threats | PE-13 | Fire Protection | | |
| | | PE-15 | Water Damage Protection | | |
| 9.1.5 | Working in secure areas | PE-3 | Physical Access Control | | |
| 9.1.6 | Public access, delivery and loading areas | PE-2 | Physical Access Authorizations | | |
| | | PE-3 | Physical Access Control | | |
| | | PE-16 | Delivery and Removal | | |
| 9.2.1 | Equipment siting and protection | PE-13 | Fire Protection | | |
| | | PE-14 | Temperature and Humidity Controls | | |
| | | PE-15 | Water Damage Protection | | |
| | | PE-18 | Location of Information System Components | | |
| 9.2.2 | Support utilities | PE-9 | Power Equipment and Power Cabling | | |
| | | PE-10 | Emergency Shutoff | | |
| | | PE-11 | Emergency Power | | |

| 9.2.2 (cont.) | Support utilities | PE-12 | Emergency Lighting | | |
| 9.2.3 | Cabling security | PE-4 | Access Control for Transmission Medium | | |
| | | PE-9 | Power Equipment and Power Cabling | | |
| 9.2.4 | Equipment Maintenance | MA-2 | Periodic Maintenance | | |
| | | MA-5 | Maintenance Personnel | | |
| 9.2.5 | Security of equipment off-premises | AC-20 | Personally Owned Information Systems | | |
| 9.2.6 | Secure disposal or reuse of equipment | MP-6 | Media Sanitization and Disposal | | |
| 9.2.7 | Removal of Property | PE-16 | Delivery and Removal | | |
| 10.1.1 | Documented operating Procedures | MA-1 | System Maintenance Policy and Procedures | | |
| | | MP-1 | Media Protection Policy and Procedures | | |
| 10.1.2 | Change Management | CM-3 | Configuration Change Control | | |
| | | CM-4 | Monitoring Configuration Changes | | |
| 10.1.3 | Segregation of Duties | AC-5 | Separation of Duties | | |
| 10.1.4 | Separation of development and Operations facilities | N/A | N/A | | |
| 10.2.1 | Service Delivery | SA-9 | Outsourced Information System Service | | |
| 10.2.2 | Monitoring and review of third party services | SA-9 | Outsourced Information System Service | | |
| 10.2.3 | Manage changes to the third party services | CM-3 | Configuration Change Control | | |
| 10.3.1 | Capacity management | SA-2 | Allocation of Resources | | |
| 10.3.2 | System acceptance | AT-3 | Security Training | | |

| 10.3.2 (cont.) | System acceptance | CA-1 | Certification, Accreditation, and Security Assessment Policies and Procedures | | |
| | | CA-4 | Security Certification | | |
| | | CA-6 | Security Accreditation | | |
| | | CP-2 | Contingency Plan | | |
| 10.4.1 | Controls against malicious code | AT-2 | Security Awareness | 1) % of total staff who are taught security awareness before being allowed access to systems | 1) No, only limited to the prohibition of unauthorized software 2) OK 3) OK 4) Not here 5) Not here 6) OK 7) OK 8) Number of controls on data content and software used in critical processes 9) Number of violations detected in file downloads with no evidence of testing for malicious content 10) % of total staff who are taught awareness regarding the use, reporting and recovery of malicious code attacks |
| | | CP-1 | Contingency Planning Policy and Procedures | 2) % of the total required Contingency Policy implementation procedures have been developed | |
| | | CP-2 | Contingency Plan | 3) % of total high- and medium-impact systems whose contingency plans have been successfully tested in the last period | |
| | | IR-1 | Incident Response Policy and Procedures | 4) % of total incidents reported within the time scheduled for the appropriate category in each case | |
| | | SC-18 | Mobile Code | 5) Total number of restrictions on mobile code download and execution on users' computers | |
| | | SI-3 | Malicious Code Protection | 6) Number of events produced by malicious code (viruses, worms, trojans, spyware, etc.) | |
| | | SI-5 | Security Alerts and Advisories | 7) % of total warnings and alerts that have been circulated in time | |
| 10.4.2 | Controls against Mobile code | SC-18 | Mobile Code | | |
| 10.5.1 | Information Backup | CP-4 | Contingency Plan Testing | | |
| | | CP-6 | Alternate Storage Sites | | |
| | | CP-9 | Information System Backup | | |
| | | PE-3 | Physical Access Control | | |
| | | PE-14 | Temperature and Humidity Controls | | |
| 10.6.1 | Network controls | AC-5 | Separation of Duties | | |
| | | SC-8 | Transmission Integrity | | |
| | | SC-9 | Transmission Confidentiality | | |
| 10.6.2 | Security of Network services | AC-4 | Information Flow Enforcement | | |

| 10.6.2 (cont.) | Security of Network services | CA-3 | Information Security Connections | | |
| | | SA-9 | Outsourced Information System Service | | |
| | | SI-4 | Information System Monitoring Tools and Techniques | | |
| 10.7.1 | Management of removable media | MP-1 | Media Protection Policy and Procedures | | |
| | | MP-4 | Media Storage | | |
| | | MP-6 | Media Sanitization and Disposal | | |
| | | PE-14 | Temperature and Humidity Controls | | |
| | | PE-16 | Delivery and Removal | | |
| 10.7.2 | Disposal of Media | MP-1 | Media Protection Policy and Procedures | | |
| | | MP-4 | Media Storage | | |
| | | MP-6 | Media Sanitization and Disposal | | |
| 10.7.3 | Information handling procedures | MP-1 | Media Protection Policy and Procedures | | |
| | | MP-2 | Media Access | | |
| | | MP-3 | Media Labeling | | |
| | | MP-4 | Media Storage | | |
| | | SI-10 | Information Accuracy, Completeness, Validity and Authenticity | | |
| | | SI-12 | Information Output Handling and Retention | | |
| 10.7.4 | Security of system documentation | MP-1 | Media Protection Policy and Procedures | | |
| | | MP-4 | Media Storage | | |
| | | SA-5 | Information System Documentation | | |
| | | SC-14 | Public Access Protections | | |
| 10.8.1 | Information exchange policies and procedures | SC-1 | System and Communication Protection Policy and Procedures | | |

| 10.8.1 (cont.) | Information exchange policies and procedures | SC-4 | Information Remnants | | |
| | | SC-8 | Transmission Integrity | | |
| | | SC-9 | Transmission Confidentiality | | |
| 10.8.2 | Exchange agreements | AU-10 | Non Repudiation | | |
| | | MP-3 | Media Labeling | | |
| | | SC-16 | Transmission of Security Parameters | | |
| 10.8.3 | Physical media in transit | MP-5 | Media Transport | | |
| 10.8.4 | Electronic Messaging | SC-5 | Denial of Service Protection | | |
| 10.8.5 | Business Information systems | CP-2 | Contingency Plan | | |
| 10.9.1 | Electronic Commerce | AU-10 | Non Repudiation | | |
| | | CA-3 | Information Security Connections | | |
| | | SC-8 | Transmission Integrity | | |
| | | SC-9 | Transmission Confidentiality | | |
| 10.9.2 | On-Line transactions | SC-11 | Trusted Path | | |
| | | SC-16 | Transmission of Security Parameters | | |
| 10.9.3 | Publicly available information | SC-14 | Public Access Protections | | |
| 10.10.1 | Audit logging | AC-5 | Separation of Duties | | |
| | | AU-1 | Audit and Accountability Policy and Procedures | | |
| | | AU-2 | Auditable Events | | |
| | | AU-3 | Content of Audit Records | | |
| | | AU-11 | Audit Retention | | |
| | | SI-4 | Information System Monitoring Tools and Techniques | | |
| 10.10.2 | Monitoring system use | AC-13 | Supervision and Review - Access Control | | |
| | | AU-1 | Audit and Accountability Policy and Procedures | | |
| | | AU-6 | Audit Monitoring, Analysis and Reporting | | |

| 10.10.2 (cont.) | Monitoring system use | RA-3 | Risk Assessment | | |
| | | SI-4 | Information System Monitoring Tools and Techniques | | |
| 10.10.3 | Protection of log information | AU-1 | Audit and Accountability Policy and Procedures | | |
| | | AU-4 | Audit Storage Capacity | | |
| | | AU-5 | Audit Processing | | |
| | | AU-7 | Audit Reduction and Report Generation | | |
| | | AU-9 | Protection of Audit Information | | |
| 10.10.4 | Administrator and operator logs | AU-1 | Audit and Accountability Policy and Procedures | | |
| | | AU-3 | Content of Audit Records | | |
| | | AU-6 | Audit Monitoring, Analysis and Reporting | | |
| | | SI-4 | Information System Monitoring Tools and Techniques | | |
| 10.10.5 | Fault logging | AU-1 | Audit and Accountability Policy and Procedures | | |
| | | RA-3 | Risk Assessment | | |
| | | SI-2 | Flaw Remediation | | |
| 10.10.6 | Clock Synchronization | AU-1 | Audit and Accountability Policy and Procedures | | |
| | | AU-8 | Time Stamps | | |
| 11.1.1 | Access control Policy | AC-1 | Access Control Policy and Procedures | | |
| 11.2.1 | User Registration | AC-2 | Account Management | | |
| | | PS-4 | Personnel Termination | | |
| | | PS-5 | Personnel Transfer | | |
| | | PS-7 | Third-party Personnel Security | | |
| | | PS-8 | Personnel Sanctions | | |
| 11.2.2 | Privilege Management | AC-2 | Account Management | 1) % of total remote access points from which logins have been made without authorized registration | 4) % of total privileged identifiers that have no separate identifier for non-privileged tasks 5) % of total staff members who have been assigned roles and responsibilities and implemented conforming tools such as RBAC (Based |
| | | AC-6 | Least Privilege | 2) Number of privileges set for the access of people, ports, protocols and services | |
| 11.2.3 | User password management | IA-2 | User Identification and Authentication | | |
| | | IA-4 | Identifier Management | | |
| 11.2.4 | Review of user access rights | AC-2 | Account Management | | |
| | | AC-3 | Access Enforcement | | |
| | | AC-13 | Supervision and Review - Access Control | | |
| 11.3.1 | Password Use | N/A | N/A | | |
| 11.3.2 | Unattended user equipment | AC-11 | Session Lock | | |
| | | AC-12 | Session Termination | | |
| 11.3.3 | Clear Desk and Clear Screen Policy | PE-5 | Access Control for Display Medium | | |
| 11.4.1 | Policy on use of network services | AC-1 | Access Control Policy and Procedures | | |
| 11.4.2 | User authentication for external connections | AC-17 | Remote Access | 1) Number of documents indicating the types of monitoring and controls | 1) OK 2) OK 3) OK 4) OK 5) % of total nodes and/or remote users for which the required level of protection has been determined |
| | | AC-18 | Wireless Access Restrictions | 2) Number of wireless access points that have been used to gain unauthorized access | |
| | | IA-2 | User Identification and Authentication | 3) % of total users of high-impact systems that use two-factor authentication based on user information and a software or hardware token | |
| | | IA-3 | Device Identification and Authentication | 4) % of all devices that have been identified and authenticated (with MAC, TCP/IP, EAP, RADIUS, TTL, etc.) before establishing a connection | |
| 11.4.3 | Equipment identification in networks | AC-17 | Remote Access | | |
| | | IA-3 | Device Identification and Authentication | | |
| 11.4.4 | Remote diagnostic and configuration port protection | AC-17 | Remote Access | | |
| | | MA-4 | Remote Maintenance | | |
| 11.4.5 | Segregation in networks | AC-3 | Access Enforcement | | |
| | | AC-4 | Information Flow Enforcement | | |
| | | CA-3 | Information Security Connections | | |

| 11.4.5 (cont.) | Segregation in networks | SC-2 | Application Partitioning | | |
| | | SC-3 | Security Function Isolation | | |
| 11.4.6 | Network connection control | AC-4 | Information Flow Enforcement | | |
| | | CA-3 | Information Security Connections | | |
| | | SC-7 | Boundary Protection | | |
| 11.4.7 | Network Routing control | AC-4 | Information Flow Enforcement | | |
| | | CA-3 | Information Security Connections | | |
| 11.5.1 | Secure Log-on procedures | AC-7 | Unsuccessful Login Attempts | | |
| | | AC-8 | System Use Notification | | |
| | | AC-9 | Previous Logon Notification | | |
| | | IA-6 | Authenticator Feedback | | |
| 11.5.2 | User identification and authentication | IA-2 | User Identification and Authentication | | |
| | | IA-4 | Identifier Management | | |
| | | IA-5 | Authenticator Feedback | | |
| 11.5.3 | Password Management system | IA-5 | Authenticator Feedback | | |
| 11.5.4 | Use of system utilities | N/A | N/A | | |
| 11.5.5 | Session Time-out | AC-12 | Session Termination | | |
| 11.5.6 | Limitation of connection time | SC-10 | Network Disconnect | | |
| 11.6.1 | Information access restriction | CM-5 | Access Restrictions for Change | | |
| 11.6.2 | Sensitive system isolation | N/A | N/A | | |
| 11.7.1 | Mobile computing and communication | AC-18 | Wireless Access Restrictions | | |
| | | AC-19 | Access Control for Portable and Mobile Systems | | |
| | | AC-20 | Personally Owned Information Systems | | |
| | | AT-2 | Security Awareness | | |
| | | AT-3 | Security Training | | |
| | | CP-9 | Information System Backup | | |
| | | IA-3 | Device Identification and Authentication | | |

| 11.7.2 | Teleworking | AC-2 | Account Management | | |
| | | AC-18 | Wireless Access Restrictions | | |
| | | PE-17 | Alternate Work Site | | |
| 12.1.1 | Security requirement analysis and specifications | SA-1 | System and Services Acquisition Policy and Procedures | | |
| | | SA-4 | Acquisitions | | |
| | | SA-8 | Security Design Principles | | |
| | | SI-9 | Information Input Restrictions | | |
| 12.2.1 | Input data validation | SI-7 | Software and Information Integrity | | |
| | | SI-9 | Information Input Restrictions | | |
| | | SI-10 | Information Accuracy, Completeness, Validity and Authenticity | | |
| | | SI-11 | Error Handling | | |
| 12.2.2 | Control of internal processing | SI-7 | Software and Information Integrity | | |
| | | SI-9 | Information Input Restrictions | | |
| | | SI-10 | Information Accuracy, Completeness, Validity and Authenticity | | |
| | | SI-11 | Error Handling | | |
| 12.2.3 | Message integrity | SI-11 | Error Handling | | |
| 12.2.4 | Output data validation | SI-7 | Software and Information Integrity | | |
| | | SI-11 | Error Handling | | |
| | | SI-12 | Information Output Handling and Retention | | |
| 12.3.1 | Policy on the use of cryptographic controls | AU-10 | Non Repudiation | | |
| | | SC-12 | Cryptography Key Establishment and Mgmt. | | |
| | | SC-17 | Public Key Infrastructure Certificates | | |
| 12.3.2 | Key Management | SC-12 | Cryptography Key Establishment and Mgmt. | | |
| | | SC-17 | Public Key Infrastructure Certificates | | |

| 12.4.1 | Control of Operational software | CM-1 | Configuration Management Policy and Procedures | | |
| | | CM-3 | Configuration Change Control | | |
| | | SI-2 | Flaw Remediation | | |
| 12.4.2 | Protection of system test data | N/A | N/A | | |
| 12.4.3 | Access control to program source library | N/A | N/A | | |
| 12.5.1 | Change Control Procedures | CM-1 | Configuration Management Policy and Procedures | | |
| | | CM-3 | Configuration Change Control | | |
| | | RA-3 | Risk Assessment | | |
| | | SA-10 | Developer Configuration Management | | |
| | | SA-11 | Developer Security Testing | | |
| | | SI-2 | Flaw Remediation | | |
| 12.5.2 | Technical review of applications after Operating system changes | CM-3 | Configuration Change Control | | |
| | | SA-10 | Developer Configuration Management | | |
| | | SA-11 | Developer Security Testing | | |
| | | SI-2 | Flaw Remediation | | |
| 12.5.3 | Restrictions on changes to software packages | CM-3 | Configuration Change Control | | |
| 12.5.4 | Information Leakage | N/A | N/A | | |
| 12.5.5 | Outsourced Software Development | N/A | N/A | | |
| 12.6.1 | Control of technical vulnerabilities | RA-3 | Risk Assessment | 1) Number of assessments conducted | 3) OK 4) % of total assets that have been inventoried 5) % of the total required roles and responsibilities have been assigned |
| | | RA-5 | Vulnerability Scanning | 2) Number of scans performed | |
| | | SI-2 | Flaw Remediation | 3) % of all known or scanned security holes that have been corrected | |
| 13.1.1 | Reporting Information security events | AT-2 | Security Awareness | | |
| | | AT-3 | Security Training | | |
| | | IR-1 | Incident Response Policy and Procedures | | |
| | | IR-2 | Incident Response Training | | |

| 13.1.1 (cont.) | Reporting Information security events | IR-6 | Incident Reporting | | |
| 13.1.2 | Reporting security weaknesses | IR-1 | Incident Response Policy and Procedures | | |
| | | IR-6 | Incident Reporting | | |
| 13.2.1 | Responsibilities and Procedures | AU-6 | Audit Monitoring, Analysis and Reporting | 1) Number of inappropriate or unusual activities found in the audit records | 1) OK, but it could be extended to the evidence subject 2) OK 3) OK 4) OK, but it could be extended to malicious code and others according to paragraph a) of ISO 27002 control 13.2.1 5) Number of recovery controls performed |
| | | IR-1 | Incident Response Policy and Procedures | 2) % of total incidents reported within the time scheduled for the appropriate category in each case | |
| | | IR-4 | Incident Handling | 3) Number of actions taken to strengthen the incident management capability | |
| | | SC-5 | Denial of Service Protection | 4) % of DoS attacks that were protected against | |
| 13.2.2 | Learning from Information security incidents | IR-4 | Incident Handling | | |
| 13.2.3 | Collection of evidence | N/A | N/A | | |
| 14.1.1 | Information Security in Business continuity management | CP-1 | Contingency Planning Policy and Procedures | | |
| | | RA-3 | Risk Assessment | | |
| 14.1.2 | Business continuity and Risk Assessment | RA-3 | Risk Assessment | | |
| 14.1.3 | Developing and implementing continuity plans including information security | CP-1 | Contingency Planning Policy and Procedures | | |
| | | CP-2 | Contingency Plan | | |
| | | CP-3 | Contingency Training | | |
| | | CP-5 | Contingency Plan Update | | |
| | | IR-7 | Incident Response Assistance | | |
| 14.1.4 | Business continuity planning framework | AT-2 | Security Awareness | | |
| | | AT-3 | Security Training | | |
| | | CP-2 | Contingency Plan | | |
| | | CP-3 | Contingency Training | | |
| | | CP-5 | Contingency Plan Update | | |
| | | CP-7 | Alternate Processing Sites | | |
| | | CP-8 | Telecommunication Services | | |
| | | CP-10 | Information System Recovery and Reconstitution | | |

| 14.1.5 | Testing, maintaining and re-assessing business continuity plans | CP-4 | Contingency Plan Testing | | |
| | | CP-5 | Contingency Plan Update | | |
| | | IR-3 | Incident Response Testing | | |
| 15.1.1 | Identification of applicable legislation | AC-1 | Access Control Policy and Procedures | | |
| | | AT-1 | Security Awareness and Training Policy and Procedures | | |
| | | AU-1 | Audit and Accountability Policy and Procedures | | |
| | | CA-1 | Certification, Accreditation, and Security Assessment Policies and Procedures | | |
| | | CM-1 | Configuration Management Policy and Procedures | | |
| | | CP-1 | Contingency Planning Policy and Procedures | | |
| | | IA-1 | Identification and Authentication Policy and Procedures | | |
| | | IR-1 | Incident Response Policy and Procedures | | |
| | | MA-1 | System Maintenance Policy and Procedures | | |
| | | MP-1 | Media Protection Policy and Procedures | | |
| | | PE-1 | Physical and Environmental Protection Policy and Procedures | | |
| | | PL-1 | Security Planning Policy and Procedures | | |
| | | PS-1 | Personnel Security Policy and Procedures | | |
| | | RA-1 | Risk Assessment Policy and Procedures | | |
| | | SA-1 | System and Services Acquisition Policy and Procedures | | |

| 15.1.1 (cont.) | Identification of applicable legislation | SC-1 | System and Communication Protection Policy and Procedures | | |
| | | SI-1 | System and Information Integrity Policy and Procedures | | |
| 15.1.2 | Intellectual property rights (IPR) | CM-2 | Baseline Configuration and System Component Inventory | | |
| | | SA-6 | Software Usage Restrictions | | |
| | | SA-7 | User Installed Software | | |
| 15.1.3 | Protection of organizational records | AU-9 | Protection of Audit Information | | |
| | | AU-11 | Audit Retention | | |
| | | MP-1 | Media Protection Policy and Procedures | | |
| | | MP-3 | Media Labeling | | |
| | | MP-4 | Media Storage | | |
| 15.1.4 | Data Protection and privacy of personal information | AT-2 | Security Awareness | | |
| | | PL-5 | Privacy Impact Assessment | | |
| 15.1.5 | Prevention of misuse of information processing facilities | AC-8 | System Use Notification | | |
| | | PL-4 | Rules of Behavior | | |
| 15.1.6 | Regulation of cryptographic controls | N/A | N/A | | |
| 15.2.1 | Compliance with security policy | CA-2 | Security Assessments | | |
| | | CA-5 | Plan of Action and Milestones | | |
| | | CA-7 | Continuous Monitoring | | |
| 15.2.2 | Technical compliance checking | CA-2 | Security Assessments | | |
| | | CA-7 | Continuous Monitoring | | |
| 15.3.1 | Information System Audit controls | PL-6 | Security Related Activity Planning | | |
| 15.3.2 | Protection of information system audit tools | AU-9 | Protection of Audit Information | | |