- 1. ISO27001 and 27002: Removing the Smoke & Mirrors - Ken Anderson
2. AGENDA
- History of ISO and Timeline
- Threats and Impacts ISO addresses
- Objectives and benefits for measuring security
3. History of ISO - Timeline
- 1992 The Department of Trade and Industry (DTI), part of the UK
Government, publishes a 'Code of Practice for Information Security
Management'.
- 1995 This document is amended and re-published by the British
Standards Institute (BSI) as BS7799.
- 1996 Support and compliance tools begin to emerge, such as
COBRA. David Lilburn Watson becomes the first qualified certified
BS7799 c:cure Auditor.
- 1999 The first major revision of BS7799 was published. This
included many major enhancements. Accreditation and certification
schemes are launched. LRQA and BSI are the first certification
bodies.
4. History of ISO - The Timeline
- 2000 In December, BS7799 is again re-published, this time as a
fast tracked ISO standard. It becomes ISO 17799 (or more formally,
ISO/IEC 17799).
- 2001 The 'ISO 17799 Toolkit' is launched.
- 2002 A second part to the standard is published: BS7799-2. This
is an Information Security Management Specification, rather than a
code of practice. It begins the process of alignment with other
management standards such as ISO 9000.
- 2005 A new version of ISO 17799 is published. This includes two
new sections and closer alignment with BS7799-2 processes.
- 2005 ISO 27001 is published, replacing BS7799-2, which is
withdrawn. This is a specification for an ISMS (information
security management system), which aligns with ISO 17799 and is
compatible with ISO 9001 and ISO 14001.
5. Where did 17799 come from?
- BS7799 was conceived as a technology-neutral, vendor-neutral
management system that, properly implemented, would enable an
organization's management to assure itself that its information
security measures and arrangements were effective.
- From the outset, BS7799 focused on protecting the availability,
confidentiality and integrity of organizational information and
these remain, today, the driving objectives of the standard.
- BS7799 was originally just a single standard, and had the
status of a Code of Practice. In other words, it provided guidance
for organizations, but hadn't been written as a specification that
could form the basis of an external third party verification and
certification scheme.
6. Overview - ISO 27000 (base standard)
- ISO/IEC 27001 - the certification standard against which
organizations' ISMS may be certified (published in 2005)
- ISO/IEC 27002 - the re-naming of existing standard ISO 17799
(last revised in 2005, and renumbered ISO/IEC 27002:2005 in July
2007)
- ISO/IEC 27006 - a guide to the certification/registration
process (published in 2007)
- ISO/IEC 27000 - a standard vocabulary for the ISMS standards
- ISO/IEC 27003 - a new ISMS implementation guide
- ISO/IEC 27004 - a new standard for information security
management measurements
- ISO/IEC 27005 - a proposed standard for risk management
- ISO/IEC 27007 - a guideline for auditing information security
management systems
- ISO/IEC 27011 - a guideline for telecommunications in
information security management systems
- ISO/IEC 27799 - guidance on implementing ISO/IEC 27002 in the
healthcare industry
7. ISO/IEC 27001
- ISO/IEC 27001 certification usually involves a three-stage audit
process:
- Stage 1 is a "table top" review of the existence and
completeness of key documentation such as the organization's
security policy, Statement of Applicability (SoA) and Risk
Treatment Plan (RTP).
- Stage 2 is a detailed, in-depth audit involving testing the
existence and effectiveness of the information security controls
stated in the SoA and RTP, as well as their supporting
documentation.
- Stage 3 is a follow-up reassessment audit to confirm that a
previously-certified organization remains in compliance with the
standard. Certification maintenance involves periodic reviews and
re-assessments to confirm that the ISMS continues to operate as
specified and intended.
8. ISO/IEC 27002
- ISO/IEC 27002 provides best practice recommendations on information
security management systems (ISMS).
- The standard contains the following twelve main sections:
- 1. Risk Assessment - determining asset vulnerability
- 2. Security Policy - management direction
- 3. Organization of Information Security - governance of information
security
- 4. Asset Management - inventory and classification of information
assets
- 5. Human Resources Security - security aspects for employees
joining, moving and leaving an organization
- 6. Physical and Environmental Security - protection of the computer
facilities
9. ISO/IEC 27002
- 7. Communications and Operations Management - management of
technical security controls
- 8. Access Control - restriction of access rights to networks,
systems, applications, functions and data
- 9. Information Systems Acquisition, Development and Maintenance -
building security into applications
- 10. Information Security Incident Management - anticipating and
responding appropriately to security breaches
- 11. Business Continuity Management - protecting, maintaining and
recovering business-critical processes and systems
- 12. Compliance - ensuring conformance with information security
policies, standards, laws and regulations
10. ISO/IEC 27002
- Within each section, information security controls and their
objectives are specified and outlined.
- Specific controls are not mandated since:
- Each organization is expected to undertake a structured
information security risk assessment process to determine its
specific requirements before selecting controls that are
appropriate to its particular circumstances.
- It is practically impossible to list all conceivable controls
in a general purpose standard. Industry-specific implementation
guidance for ISO/IEC 27001 and 27002 is anticipated to give advice
tailored to organizations in the telecoms, financial services,
healthcare, lotteries and other industries.
13. Information security threats of 2008
- CISSP / ISO27k implementers forum identifies the following
threats:
- Imposition of legal and regulatory obligations
- Storms, tornadoes, floods - acts of God
- Unethical employees who misuse or misconfigure system security
functions
- Unauthorized access to, modification or disclosure of information
assets
- Nations attacking critical information infrastructures to cause
disruption
- Technical advances that can render encryption algorithms
obsolete
14. Information security impacts
- Resulting information security incidents can cause:
- Disruption to organizational routines and processes
- Direct financial losses through information theft and
fraud
- Decrease in shareholder value
- Reputational damage causing brand devaluation
- Expenditure on information security assets and data damaged,
stolen, corrupted or lost in incidents
- Loss of competitive advantage
- Impaired growth due to inflexible
infrastructure/system/application environments
- Injury or loss of life if safety-critical systems fail
15. Objectives of measuring security
- So what are the objectives of measuring security?
- To show ongoing improvement;
- To show compliance (with Standards, contracts, SLAs, OLAs,
etc);
- To justify any future expenditure (new security software,
training, people, etc);
- ISO 27001 certification requires it; other management systems
(e.g. ISO 9001, ISO 20000) also require it;
- To identify where implemented controls are not effective in
meeting their objectives;
- To provide confidence to senior management and stakeholders
that implemented controls are effective.
16. Benefits of measuring security
- So what are the benefits of measuring security?
- Eases the process of monitoring the effectiveness of the ISMS
(e.g. less labour-intensive when using tools, and provides a means
of self-checking);
- Proactive tools to measure and prevent problems arising at a
later date (e.g. network bottlenecks, disk clutter, development of
poor human practices);
- Reduction of incidents, etc;
- Motivates staff when senior management set targets;
- Tangible evidence to auditors, and assurance to senior
management that you are in control, i.e. corporate information
assurance (corporate governance) and a top-down approach to
information assurance.
17. What should be measured
- Controls to be measured have been broken down into the following
categories:
- Management Controls: Security Policy, IT Policies, Security
Procedures, Business Continuity Plans, Security Improvement Plans,
Business Objectives, Management Reviews
- Business Processes: Risk Assessment & Risk Treatment
Management Process, Human Resource Process, SoA selection process,
Media Handling Process
- Operational Controls: Operational Procedures, Change Control,
Problem Management, Capacity Management, Release Management,
Backup, Secure Disposal, Equipment off site
- Technical Controls: Patch Management, Anti-Virus Controls, IDS,
Firewall, Content Filtering
18. What needs to be measured?
- Measurement can be achieved against:
- A particular security control or objective;
- The main controls within a standard;
- Specific controls within an IT component.
19. Process for deciding which controls should be used.
- Confirm relevance of controls through risk assessment;
- Define objectives, ensuring they map back to the business;
- Use existing indicators wherever possible, e.g. in ITIL terms,
KPIs:
- A KPI helps a business define progress towards a particular
goal;
- KPIs are measurements critical to the success of the
business.
- Within the ISMS audit framework, identify controls which can be
continuously monitored, using chosen technique;
- Before using any tools, confirm the objectives with senior
managers as well as staff. Corroborate with third parties, or
through SLAs/OLAs where internal third parties are concerned e.g.
ISO15000 (ITIL);
20. Process for deciding which controls should be used.
- Establish a baseline, against which all future measurements can
be contrasted/compared;
- Provide periodic reports to the appropriate management forum/ISMS
owners (show graphs; a picture paints a thousand words);
- Identify review input: agreed recommendations, corrective
actions, etc;
- Implement improvements within your Integrated Management
Systems (IMS) e.g. merged ISOs 9001, 14000, 27001, 20000;
- Establish/agree new baseline, review the output, apply the PDCA
approach (Plan Do Check Act).
21. Measuring the effectiveness of security - apply the
vulnerability management lifecycle...
- Prioritize based on vulnerability data, threat data, and the asset
classification plan
- Eliminate high-priority vulnerabilities
- Monitor known vulnerabilities
- Alert on other suspicious activity
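The prioritization step above, together with the baseline/KPI/PDCA loop from slides 19 and 20, worked as an added example (not code from the deck or its author): findings are ranked by scanner severity, threat data and asset classification, and a remediation KPI is compared against an agreed baseline. All findings, weights, the threshold, the SLA and the baseline are constructed assumptions.

```python
# Added example, not from the slide deck. Prioritise scanner findings using
# vulnerability data (CVSS), threat data (active exploitation) and the asset
# classification plan, then measure a remediation KPI against a baseline as
# the PDCA "Check" step requires. All data and scoring rules are assumptions.

# Asset classification plan: higher weight means a more critical asset.
ASSET_WEIGHT = {"public": 1, "internal": 2, "confidential": 3, "critical": 4}

# Constructed findings. "cvss" is the scanner severity (vulnerability data);
# "exploited" is whether threat intelligence reports active exploitation.
SAMPLE = [
    {"host": "db01", "cvss": 9.8, "classification": "critical",
     "exploited": True, "days_open": 10, "remediated": True},
    {"host": "web01", "cvss": 7.5, "classification": "confidential",
     "exploited": False, "days_open": 45, "remediated": True},
    {"host": "kiosk", "cvss": 9.0, "classification": "public",
     "exploited": True, "days_open": 5, "remediated": False},
    {"host": "hr-app", "cvss": 6.5, "classification": "internal",
     "exploited": True, "days_open": 20, "remediated": False},
    {"host": "wiki", "cvss": 4.3, "classification": "internal",
     "exploited": False, "days_open": 60, "remediated": False},
]


def priority(finding):
    """Risk score: severity x asset weight, doubled when actively exploited.
    Note the public kiosk scores below the internal HR app despite a higher
    CVSS: asset classification, not raw severity, drives the order."""
    score = finding["cvss"] * ASSET_WEIGHT[finding["classification"]]
    return score * 2 if finding["exploited"] else score


def prioritise(findings):
    """Order findings so the highest-risk ones are eliminated first."""
    return sorted(findings, key=priority, reverse=True)


def remediation_kpi(findings, threshold=20.0, sla_days=30):
    """KPI: share of high-priority findings closed within the SLA.
    An empty high-priority set counts as fully met."""
    high = [f for f in findings if priority(f) >= threshold]
    if not high:
        return 1.0
    met = [f for f in high if f["remediated"] and f["days_open"] <= sla_days]
    return len(met) / len(high)


def compare_to_baseline(current, baseline):
    """PDCA Check: did the KPI move relative to the agreed baseline?"""
    return {"current": round(current, 3), "baseline": baseline,
            "delta": round(current - baseline, 3), "improved": current > baseline}


if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(f"{f['host']:8} priority={priority(f):5.1f}")
    print(compare_to_baseline(remediation_kpi(SAMPLE), baseline=0.25))
```

With the constructed data only one of the three high-priority findings was closed within the SLA, so the KPI is one third; the baseline of 0.25 is an assumed earlier measurement.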
22. Regulatory concerns - why look at ISO?
- Government concerns (e.g. Systrust, GCCR)
- Payment Card Industry (PCI)
- NERC (Electric Regulatory)
- Cross border regulations (HIPAA, GLBA)
- ISA SP 99 (Future Industrial Standard?)
- There will be more to follow...
23. Why Best Practices are Important!
- Today, the effective use of best practices can help avoid
re-inventing wheels, optimize the use of scarce IT resources and
reduce the occurrence of major IT risks, such as:
- Failures by service providers to understand and meet customer
requirements
24. Why Best Practices are Important!
- COBIT, ITIL and ISO 17799 are valuable to the ongoing growth
and success of an organization because:
- Companies are demanding better returns from IT investments
- Best practices help meet regulatory requirements for IT
controls
- Organizations face increasingly complex IT-related risks
- Organizations can optimize costs by standardizing controls
- Best practices help organizations assess how IT is
performing
- Management of IT is critical to the success of enterprise
strategy
- They help enable effective governance of IT activities
- A management framework helps staff understand what to do
(policy, internal controls and defined practices)
- They can provide efficiency gains, less reliance on experts,
fewer errors, increased trust from business partners and respect
from regulators
25. SUMMARY
- ISO started as a management system
- ISO 17799 (BS7799) has become a de facto IT standard
- ISO 27000 takes standards to a new level
- Most organizations are using or looking at the standard for
help
- Many more uses down the road