Вы находитесь на странице: 1из 30

InformationSecurity

ManagementSystem
(ISMS)Overview
ArhnelKlydeS.Terroza

May12,2015
1

ArhnelKlydeS.Terroza
CPA,CISA,CISM,CRISC,ISO27001ProvisionalAuditor
InternalAuditoratClarienBankLimited
FormerITRiskandAssuranceManagerwith
Ernst&Young FinancialServicesOrganization
(FSO) Hamilton,BermudaandSanAntonio,TX
CertifiedPublicAccountant(CPA Philippines),
CertifiedInformationSystemsAuditor(CISA),
CertifiedInformationSecurityManager(CISM),
CertifiedinRiskandInformationSystemsControl
(CRISC),andISO27001ProvisionalAuditor
BachelorofScienceinAccountancyfrom
SillimanUniversity(Philippines)
2

AGENDA
WhatisInformationSecurityManagement
System(ISMS)?
Whatarethestandards,laws,and
regulationsouttherethatwillhelpyoubuild
orassessyourInfoSecManagement
Program?
WhatisISO/IEC27001:2013?
WhataretheISO/IEC27001Controls?
WhatarethebenefitsofadoptingISO
27001?
WhydoyouneedtoconductanInfoSec
awarenesssurvey?
3

www.novainfosec.com
4

WhatisISMS?
Partoftheoverallmanagementsystem,basedonabusinessriskapproach,to
establish,implement,operate,monitor,review,maintainandimprove
informationsecurity(ISOdefinition)
Note:Amanagementsystemisasetofinterrelatedorinteractingelementsofan
organizationtoestablishpoliciesandobjectivesandprocessestoachievethoseobjectives.
Thescopeofamanagementsystemmayincludethewholeoftheorganization,specificand
identifiedfunctionsoftheorganization,specificandidentifiedsectionsoftheorganization,
oroneormorefunctionsacrossagroupoforganizations.

Influencedbytheorganizationsneedsandobjectives,securityrequirements,the
processesemployedandthesizeandstructureoftheorganization.
Expectedtochangeovertime.
Aholisticapproachtomanaginginformationsecurity confidentiality,integrity,
andavailabilityofinformationanddata.
5

WhataretheInfoSecrelatedstandards,lawsand
regulations?
ISO27000FamilyofInternationalStandards
ProvidesthebestpracticerecommendationsonInfoSec
management,risksandcontrolswithinthecontextofan
overallISMS.
ISO27000:OverviewandVocabulary(2014)
ISO27001:ISMSRequirements(2013)
ISO27002:CodeofPractice(2013)
ISO27003:ISMSImplementationGuidance(2010)
ISO27004:ISMMeasurement(2009)
ISO27005:InfoSecRiskManagement(2011)
ISO27006:RequirementsforBodiesProvidingAuditand
CertificationofISMS(2011)
ISO27007 27008:GuidelinesforAuditingInfoSec
Controls(2011)
ISO27014:GovernanceofInfoSec(2013)
ISO27015:ISMGuidelinesforFinancialServices(2012)
www.iso.org
6

OtherStandards
PaymentCardIndustryDataSecurity
Standard(PCIDSS)
USNationalInstituteofStandardsand
Technology(NIST)
SecurityandPrivacyControlsforFederal
InformationSystemsandOrganizations
(NISTSpecialPublication80053)
FrameworkforImprovingCritical
InfrastructureCybersecurity
(CybersecurityFramework)
ISACACybersecurityNexus
TheIIAGTAG15:InformationSecurity
Governance(2010)

WhataretheInfoSecrelatedstandards,lawsand
regulations?
Governmentallawsandregulationswith(orwillhave)asignificanteffecton
InfoSec
UKDataProtectionAct1998
TheComputerMisuseAct1990 (UK)
FederalInformationSecurityManagementAct2001(US)
GrammLeachBlileyAct(GLBA)1999(US)
FederalFinancialInstitutionsExaminationCouncils(FFIEC)securityguidelines(US)
SarbanesOxleyAct(SOX)2002(US)
Statesecuritybreachnotificationlaws(e.g.California)(US)
FamilyEducationalRightsandPrivacyAct(US)
HealthInsurancePortabilityandAccountabilityAct(HIPAA)1996(US)
BermudaLaws???
7

WhatisISO/IEC27001:2013?
LeadingInternationalStandardforISMS.Specifiestherequirementsforestablishing,
implementing,maintaining,monitoring,reviewingandcontinuallyimprovingtheISMSwithin
thecontextoftheorganization.IncludesassessmentandtreatmentofInfoSecrisks.
Bestframeworkforcomplyingwithinformationsecuritylegislation.
NotatechnicalstandardthatdescribestheISMSintechnicaldetail.
Doesnotfocusoninformationtechnologyalone,butalsootherimportantbusinessassets,
resources,andprocessesintheorganization.

ISO/IEC27001Evolution
8

Source:www.iso27001security.com

WhatisISO/IEC27001:2013?
WorlddistributionofISO/IEC27001certificatesin2013
2013 22,293(up14%)
2012 19,620
Japan 7,084
India 1,931
UnitedKingdom 1,923
China 1,710
Spain 799
UnitedStates 566
Australia 138
Canada 66
Source:www.iso.org

WhatisISO/IEC27001:2013?
EvolutionofISO/IEC27001certificates

UnitedStates

Source:www.iso.org

UnitedKingdom

ISOdoesnotperformcertification.Organizationslookingtogetcertifiedtoan
ISOstandardmustcontactanindependentcertificationbody.Certification bodies
museusetheISOsCommitteeonConformityAssessment(CASCO)standards
relatedtothecertificationprocess.
10

WhatisISO/IEC27001:2013?
ISO/IEC 27001 - Worldwide total
25,000

Middle East
451
2061

20,000

332
1668
279
1497
218
1328

15,000

10748

206
1303

7394

71
519
5,000

383

5807

7950

5550

6379

4210
3563
,0

11

North America

8788

128
839

1064

1432
112

2006

2007

East Asia and


Pacific
Europe

10422
9665

10,000

Central and
South Asia

4800

5289

435

2172
212

322

329

2008

2009

2010

2011

Source:www.iso.org

Central / South
America
Africa

552

712

2012

2013

WhatisISO/IEC27001:2013?

12

Sources:
http://iaardirectory.jadianonline.com/Directory
http://www.bsiamerica.com

WhatisISO/IEC27001:2013?
Processapproachforestablishing,implementing,operating,monitoring,reviewing,
maintainingandimprovinganorganizationsISMS:

13

WhataretheISO/IEC27001Controls?
Eight(8)mandatoryclauses(controls/controlobjectives)fororganizationsclaiming
conformancetoISO/IEC27001standard:
Clause4 Contextoftheorganization

4.1
4.2
4.3
4.4

Clause5
5.1
5.2
5.3

Clause6
6.1
6.2
14

Understandingtheorganizationanditscontext
Understandingtheneedsandexpectationsofinterestedparties
Determiningthescopeoftheinformationsecuritymanagementsystem
Informationsecuritymanagementsystem

Leadership
Leadershipandcommitment
Policy
Organizationalroles,responsibilitiesandauthorities

Planning
Actionstoaddressrisksandopportunities
Informationsecurityobjectivesandplanningtoachievethem

WhataretheISO/IEC27001Controls?
Eight(8)mandatoryclauses(cont):
Clause7 Support

7.1
7.2
7.3
7.4
7.5

Clause8
8.1
8.2
8.3

Clause9
9.1
9.2
9.3
15

Resources
Competence
Awareness
Communication
Documentedinformation

Operation
Operationalplanningandcontrol
Informationsecurityriskassessment
Informationsecurityrisktreatment

PerformanceEvaluation
Monitoring,measurement,analysisandevaluation
Internalaudit
Managementreview

WhataretheISO/IEC27001Controls?
Eight(8)mandatoryclauses(cont):
Clause10 Improvement
10.1
10.2

Nonconformityandcorrectiveaction
Continualimprovement

Mandatory

ISO/IEC27001:2013ISMSControlPointandControlObjectiveSummary
Reference
Description
ControlTotal
Clause4
Contextoftheorganization
8
Clause5
Leadership
19
Clause6
Planning
39
Clause7
Support
28
Clause8
Operation
9
Clause9
Performanceevaluation
29
Clause10
Improvement
16
TotalControlPoints:
148
16

Source:www.slideshare.net byMarkE.S.Bernard(2013)

WhataretheISO/IEC27001Controls?
14ControlCategories(Domain/ControlArea) DiscretionaryControls(AnnexA)
A.5
Informationsecuritypolicies
A.5.1

A.6
A.6.1
A.6.2

A.7
A.7.1
A.7.2
A.7.3

17

Managementdirectionforinformationsecurity

Organizationofinformationsecurity
Internalorganization
Mobiledevicesandteleworking

Humanresourcesecurity
Priortoemployment
Duringemployment
Terminationandchangeofemployment

WhataretheISO/IEC27001Controls?
14ControlCategories(Domain/ControlArea) DiscretionaryControls(AnnexA)
A.8
Assetmanagement
A.8.1
A.8.2
A.8.3

A.9

A.9.1
A.9.2
A.9.3
A.9.4

A.10
A.10.1

18

Responsibilityforassets
Informationclassification
MediaHandling

Accesscontrol
Businessrequirementsofaccesscontrol
Useraccessmanagement
Userresponsibilities
Systemandapplicationaccesscontrol

Cryptography
Cryptographiccontrols

WhataretheISO/IEC27001Controls?
14ControlCategories(Domain/ControlArea) DiscretionaryControls(AnnexA)
A.11
Physicalandenvironmentalsecurity
A.11.1
A.11.2

A.12

19

A.12.1
A.12.2
A.12.3
A.12.4
A.12.5
A.12.6
A.12.7

Secureareas
Equipment

Operationssecurity
Operationalproceduresandresponsibilities
Protectionfrommalware
Backup
Loggingandmonitoring
Controlofoperationalsoftware
Technicalvulnerabilitymanagement
Informationsystemsauditconsiderations

WhataretheISO/IEC27001Controls?
14ControlCategories(Domain/ControlArea) DiscretionaryControls(AnnexA)
A.13
Communicationssecurity
A.13.1
A.13.2

A.14
A.14.1
A.14.2
A.14.3

A.15
A.15.1
A.15.2

A.16
A.16.1
20

Networksecuritymanagement
Informationtransfer

Systemacquisition,developmentandmaintenance
Securityrequirementsofinformationsystems
Securityindevelopmentandsupportprocesses
Testdata

Supplierrelationships
Informationsecurityinsupplierrelationships
Supplierservicedeliverymanagement

Informationsecurityincidentmanagement
Managementofinformationsecurityincidentsandimprovements

WhataretheISO/IEC27001Controls?
14ControlCategories(Domain/ControlArea) DiscretionaryControls(AnnexA)
A.17
Informationsecurityaspectsofbusinesscontinuitymanagement
A.17.1
A.17.2

Informationsecuritycontinuity
Redundancies

Note: AcomprehensiveBCMSstandardwaspublishedbyISOin2012 ISO22301:2012

A.18
A.18.1
A.18.2

Compliance
Compliancewithlegalandcontractualrequirements
Informationsecurityreviews

ISO/IEC27002:2013isabetterreferenceforselectingcontrolswhenimplementinganISMS
basedonISO/IEC27001:2013,eitherforcertificationpurposesoralignmenttoaleading
standard.Oritcouldsimplybeusedasaguidancedocumentforimplementingcommonly
acceptedinformationsecuritycontrols.
21

WhataretheISO/IEC27001Controls?

Discretionary

ISO/IEC27001:2013ISMSControlPointandControlObjectiveSummary
Reference
Description
ControlTotal
A5
Informationsecuritypolicies
2
A6
Organizationofinformationsecurity
7
A7
Humanresourcesecurity
6
A8
Assetmanagement
10
A9
Accesscontrol
13
A10
Cryptography
2
A11
Physicalandenvironmentalsecurity
15
A12
Operationssecurity
14
A13
Communicationssecurity
7
A14
Systemacquisition,developmentandmaintenance
13
A15
Supplierrelationships
5
A16
Informationsecurityincidentmanagement
7
A17
Informationsecurityaspectsofbusinesscontinuitymanagement
4
A18
Compliance
8
Source:www.slideshare.net byMarkE.S.Bernard(2013) Source:MarkE.S.Bernard
TotalControlPoints:
113

22

WhatarethebenefitsofISO/IEC27001:2013?
Bestframeworkforcomplyingwithinformationsecuritylegal,regulatoryand
contractualrequirements
Betterorganizationalimagebecauseofthecertificateissuedbyacertification
body
Provesthatseniormanagementarecommittedtothesecurityofthe
organization,includingcustomersinformation
Focusedonreducingtherisksforinformationthatisvaluablefortheorganization
Providesacommongoal
Optimizedoperationswithintheorganizationbecauseofclearlydefined
responsibilitiesandbusinessprocesses
Buildsacultureofsecurity
23

WhatarethebenefitsofISO/IEC27001:2013?
BSIStudyonISO27001
87%ofrespondentsstatedthatimplementingISO/IEC27001hadapositiveorvery
positiveoutcome
Abilitytomeetcompliancerequirementsincreasedfor60%oforganizations
Numberofsecurityincidentsdecreasedfor39%
DowntimeofITsystemsdecreasedfor39%
Abilitytorespondtotendersincreasedfor43%
Relativecompetitivepositionincreasedfor47%
51%sawanincreaseinexternalcustomersatisfactionfollowingtheimplementationof
anISMS
40%sawanincreaseininternalcustomersatisfaction
66%notedanincreaseinthequalitycontrolofinformationsecurityprocessesand
proceduresand40%decreaseinrisk
24

Sources:http://www.bsiamerica.com

WhydoyouneedtoconductanInfoSecawareness
survey?
Whatisaninformationsecurityawarenessprogram?
Promotesriskandsecurityawareculture.
Helpsinmanagingsecurityincidents,compliancerisks,andfinanciallosses.
e.g.Phishingexercises,newsletters,posters

Whatarethebenefitsofconductinganinformationsecurityawarenesssurvey?
Providesvisibilityintoorganizationalbehaviorwithrespecttoinformationsecurity.
Datacollectedcanbeusedtoidentifyareasofpossibleimprovementandriskreduction.
Initialsurveycanprovideabaselineofsecurityawarenessoftheorganization;when
appliedovertime,canindicateprogressorchallengesintheinfosec awarenessprogram.
HelpstheInfoSecTeamandHumanResourcesgainadegreeofunderstandingof
personnelsattitudesandhabitsrelatedtoinformationsecuritywithinthecontextoftheir
daytodayactivities
25

WhydoyouneedtoconductanInfoSecawareness
survey?
Misconceptionofawarenesssurvey
InformationsecurityawarenesssurveyisnotintendedtoassesstheorganizationsISMS

Howtodeploysurveys
Onlinesurveytools(e.g.SurveyMonkey)
Traditionalmail

Howtoanalyzedatafromthesurvey?
Quantitative aggregateresponsestoaquestion.
Qualitative openendedquestionscanprovidequalitativedata.Comparisonofresults
acrossdepartments,roles,anddemographics(e.g.tenurewithinthecompany)
Note:Howyouanalyzedatedependsonwhatquestionsareincluded

26

WhydoyouneedtoconductanInfoSecawareness
survey?
Cananoverallriskbeconcludedfromthesurvey?
Questionscanbedesignedinsuchamannerthatanswersareassignedariskscore.
Forexample,eachquestionresponseareassignedariskvalueofonetofive onebeinglowestriskvalue
andfiveasthehighestriskvalue

Resultsofthesurveycanbesuedtodeterminetheoverallriskscoreoftheorganization
Forexample:
RiskScore
Low(25 39)

Description
Usersareawareofgoodsecurityprinciplesandthreats,havebeenproperlytrained,andcomply
withtheOrganizationssecuritypoliciesandstandards.
Elevated(40 59)
UsershavealreadybeentrainedontheOrganizationssecuritypoliciesandstandards,theyare
awareofthreats,butmaynotfollowgoodsecurityprinciplesandcontrols.
Moderate(60 79)
Usersareawareofthreatsandknowtheyshouldfollowgoodsecurityprinciplesandcontrols,
butneedtrainingontheOrganizationssecuritypoliciesandstandards.Theyalsomaynotknow
howtoidentifyorreportasecurityevent.
Significant(80 99)
Usersarenotawareofgoodsecurityprinciplesorthreatsnoraretheyawareoforcompliant
withtheOrganizationssecuritypoliciesandstandards.
High(100andhigher) Usersarenotawareofthreatsanddisregardknownsecuritypoliciesandstandardsordonot
comply.Theyarelikelytoengageinactivitiesorpracticesthatareeasilyattackedandexploited.
27

SUMMARY
Anorganizationneedstoundertakethefollowingstepsinestablishing,monitoring,
maintainingandimprovingitsISMS:
Identifyinformationassetsandtheirassociatedinformationsecurity
requirements
Assessinformationsecurityrisksandtreatinformationsecurityrisks[toan
acceptablelevel]
Selectandimplementrelevantcontrolstomanageunacceptablerisks[orto
reduceriskstoacceptablelevels]
Monitor,maintainandimprovetheeffectivenessofcontrolsassociatedwiththe
organizationsinformationassets
28

SUMMARY
AdoptionofanISMSshouldbeastrategicdecisionforanorganization.
ISMSisaholisticapproachtomanaginginformationsecurity confidentiality,
integrity,andavailabilityofinformationanddata.
Lawsandregulationsarecontinuingtoevolvetoaddressinformationsecurityrisk
andprivacy.ISO/IEC27001:2013isthebestframeworkforcomplyingwith
informationsecuritylegislation.
ISO/IEC27001:2013isnotatechnicalstandardforITonly.
Increasingtrendinadoptingaholisticapproach(usingISO/IEC27001:2013)in
managinginformationsecurityrisks.
Organizationsneedtoconductaninformationsecurityawarenesssurvey.
29

Questions

30