How can ISO/IEC 27001 ISMS solve the GRC dilemma? Check this presentation out...
*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***
Compiled by: Mark E.S. Bernard, ISO 27001 Lead Auditor, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT
• Introduction
• Threats
• Governance
• Risk
• Compliance
• ISMS Overview
• Incident Management
• Security Architecture
• Policy, Procedure, Standards
Registration need not be the final goal; however, every business can benefit from adopting a management system that provides assurance over information assets, in alignment with strategic and tactical business goals, while addressing Governance, Risk Management and Compliance Management requirements.
Mark E.S. Bernard,
CRISC, CGEIT, CISA, CISM, CISSP, PM, ISO 27001, SABSA-F2
Information Security, Privacy, Governance and Risk Management Consultant
Mark has 22 years of proven experience within the domain of Information Security, Privacy & Governance. Mark has led teams of 30 or more as a Director and Project Manager and managed budgets of $5 Million+. Mark has also provided oversight as a senior manager during a government outsourcing contract valued at $300 million and smaller contracts for specialized services for ERP systems and security testing. Mark has led his work-stream during the RFP process, negotiations, on-boarding, contract renegotiation and as Service Manager. Mark has architected information security and privacy programs based on ISO 27001 and reengineered IT processes based on ITIL/ISO 20000 Service Management, building in ISO 9001 Quality Management.
Mark is a volunteer with the local professional associations for HTCIA, ISACA, ISSA and IIA. Mark has also been published in trade magazines and on the Internet, in addition to being sought after as an expert by local radio, newspapers and television. Mark has taught as a Professor of a third-year iSeries systems engineering course, led many workshops and delivered keynote speeches.
Mark's expertise has been applied in a number of verticals including Financial Services, Banking, Insurance, Pharmaceutical, Telecommunications, Technology, Manufacturing and Academia. Some of Mark's recent project highlights are as follows:
Accomplishments:
• In 2012 assisted an Executive Relocation Organization to ISO/IEC 27001 Registration/Certification
• In 2012 assisted a Nanotechnology Fabrication Facility to ISO/IEC 27001 Registration/Certification
• In 2012 assisted a Cloud Software as a Service Provider to ISO/IEC 27001 Registration/Certification
• In 2010/11 co-led a US-based Cloud Service Provider to ISO/IEC 27001 Registration/Certification
• In 2009 led the 1st Canadian Public Sector ISO/IEC 27001 Registration/Certification
• In 2009 led the On-boarding Project for an ERP Service Provider
• In 2009 led the Technology and Operations work-stream during a Negotiated Request for Proposal
• In 2007 led the 1st Canadian Online Banking, Trade & Wholesale Service to ISO/IEC 27001 Registration/Certification
• In 2005 led the Privacy, Security, and Privacy Compliance work-stream during outsourcing to an alternate service delivery organization
• In 2002 led Information Security Program development for an International Food Manufacturer
• In 1999 led an Independent Security Assurance Review of financial systems located offshore
Source: Computer Security Institute 2010/11 Survey
Source: Verizon business 2011 Data Breach Investigations Report
• Large-scale breaches dropped dramatically while small attacks increased. The report notes there are several possible reasons for this trend, including the fact that small to medium-sized businesses represent prime attack targets for many hackers, who favour highly automated, repeatable attacks against these more vulnerable targets, possibly because criminals are opting to play it safe in light of recent arrests and prosecutions of high-profile hackers.
• Outsiders are responsible for most data breaches. Ninety-two percent of data breaches were caused by external sources. Contrary to the malicious-employee stereotype, insiders were responsible for only 16 percent of attacks. Partner-related attacks continued to decline, and business partners accounted for less than 1 percent of breaches.
• Physical attacks are on the rise. After doubling as a percentage of all breaches in 2009, attacks involving physical actions doubled again in 2010, and included manipulating common credit-card devices such as ATMs, gas pumps and point-of-sale terminals. The data indicates that organized crime groups are responsible for most of these card-skimming schemes.
• Hacking and malware are the most popular attack methods. Malware was a factor in about half of the 2010 caseload and was responsible for almost 80 percent of lost data. The most common kinds of malware found in the caseload were those that send data to an external entity, open backdoors, or provide keylogger functionality.
• Stolen passwords and credentials are out of control. Ineffective, weak or stolen credentials continue to wreak havoc on enterprise security. Failure to change default credentials remains an issue, particularly in the financial services, retail and hospitality industries.
Source: 2010 Cloud Security Alliance Threats
#1: Abuse and Nefarious Use of Cloud Computing
#2: Insecure Interfaces and APIs
#3: Malicious Insiders
#4: Shared Technology Issues
#5: Data Loss or Leakage
#6: Account or Service Hijacking
#7: Unknown Risk Profile
Source: 2010 OWASP Top 10 Web Application Security Risks
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
Source: ‘The Risk of Insider Fraud’ Ponemon Institute 2011
• Employee-related incidents of fraud, on average, occur weekly in participating organizations.
• Sixty-four percent of the respondents in this study say the risk of insider fraud is very high or high within their organizations.
• CEOs and other C-level executives may be ignoring the threat, according to respondents.
• The majority of insider fraud incidents go unpunished, leaving organizations vulnerable to future such incidents.
• The threat vectors most difficult to secure and safeguard from insider fraud are mobile devices, outsourced relationships (including cloud providers) and applications.
• The majority of respondents do not believe their organization has the appropriate technologies to prevent or quickly detect insider fraud, including employees' misuse of IT resources.
Source: Computer Security Institute 2010/11 Survey
Purpose: Management shall review the organization's ISMS at planned intervals (at least once a year) to ensure its continuing suitability, adequacy and effectiveness. This review shall include assessing opportunities for improvement and the need for changes to the ISMS, including the information security policy and information security objectives. The results of the reviews shall be clearly documented and records shall be maintained (ISO27k clause 4.3.3).
Goals: The ISMS Management Review Committee has been formed to provide an effective joint forum which will contribute to the following goals:
• Decision making which supports the CSO program;
• Balanced and informed review and advisory services contributing to a range of CSO planning, service delivery and issue resolution activities; and
• Proactive CSO alignment with higher-level joint governance functions to improve the effectiveness and efficiency within the CSO domain.
Committee Functions: Review input (ISO27k clause 7.2). The input to a management review shall include:
a) results of ISMS audits and reviews;
b) feedback from interested parties;
c) techniques, products or procedures which could be used in the organization to improve the ISMS performance and effectiveness;
d) status of preventive and corrective actions;
e) vulnerabilities or threats not adequately addressed in the previous risk assessment;
f) results from effectiveness measurements;
g) follow-up actions from previous management reviews;
h) any changes that could affect the ISMS; and
i) recommendations for improvement.
Review output (ISO27k clause 7.3). The output from the management review shall include any decisions and actions related to the following:
a) Improvement of the effectiveness of the ISMS.
b) Update of the risk assessment and risk treatment plan.
c) Modification of procedures and controls that affect information security, as necessary, to respond to internal or external events that may impact the ISMS, including changes to:
1) business requirements;
2) security requirements;
3) business processes affecting the existing business requirements;
4) regulatory or legal requirements;
5) contractual obligations; and
6) levels of risk and/or criteria for accepting risks.
d) Resource needs.
e) Improvement of how the effectiveness of controls is being measured.
Extreme = range 90+: A Risk Rating of 90+ indicates that an 'Extremely' serious risk exists. Based on our assessment, a highly motivated threat is present with the technical capability to exploit multiple vulnerabilities, which will result in a serious impact to Enterprise assets and services. Compounding the seriousness of this situation, existing controls are ineffective at preventing the known threat from exploiting the known vulnerability, and/or no controls have been implemented, resulting in the same seriously 'Extreme' risk condition for Enterprise assets and services.
Critical = range 80 – 89: A Risk Rating of 80 – 89 indicates that a 'Critical' risk exists. Based on our assessment, a highly motivated threat is present with some technical capability to exploit a known vulnerability, which will result in a negative impact to Enterprise assets and services. Compounding the seriousness of this situation, existing controls are only somewhat effective and may or may not prevent a known threat from exploiting a known vulnerability, and/or no controls have been implemented, resulting in a 'Critically' risky condition for Enterprise assets and services.
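As an added worked example (not from the presentation), the two band descriptions above turned into a small risk-register scorer: the factor scales, point deductions and scenario values are assumptions chosen so that the slide's two scenarios land in the slide's own bands, and ratings below 80 are reported as outside what the slide defines. It also shows the compounding effect the slide stresses: the same threat, vulnerabilities and impact rated with effective versus ineffective controls.

```python
from dataclasses import dataclass

# Ordinal factors named on the slide: threat motivation, technical capability,
# number of exploitable vulnerabilities, impact, and control effectiveness.
# The point deductions are an assumed calibration (not the deck's own method).
MOTIVATION = {"high": 0, "moderate": 8, "low": 16}
CAPABILITY = {"full": 0, "some": 5, "none": 25}
IMPACT = {"serious": 0, "negative": 4, "minor": 12, "negligible": 25}
# Ineffective controls are treated like no controls, as the slide does.
CONTROLS = {"none": 0, "ineffective": 0, "somewhat effective": 5, "effective": 15}


@dataclass(frozen=True)
class Risk:
    asset: str
    motivation: str
    capability: str
    exploitable_vulns: int
    impact: str
    controls: str


def risk_rating(r: Risk) -> int:
    """0-100 rating: start from the worst case (100) and deduct points for each
    factor that is less severe than the worst case. With no exploitable
    vulnerability there is nothing for the threat to exploit, so the rating is 0."""
    if r.exploitable_vulns <= 0:
        return 0
    deductions = (MOTIVATION[r.motivation] + CAPABILITY[r.capability]
                  + (0 if r.exploitable_vulns >= 2 else 3)   # multiple vs one
                  + IMPACT[r.impact] + CONTROLS[r.controls])
    return max(0, 100 - deductions)


def band(rating: int) -> str:
    """Map a rating to the bands the slide defines (90+ and 80-89)."""
    if rating >= 90:
        return "Extreme"
    if rating >= 80:
        return "Critical"
    return "Below documented bands"


def prioritise(risks):
    """Order a risk register for the treatment plan, highest rating first."""
    return sorted(risks, key=risk_rating, reverse=True)


# Constructed scenarios mirroring the two band descriptions on the slide.
EXTREME = Risk("customer DB", "high", "full", 3, "serious", "ineffective")
CRITICAL = Risk("HR portal", "high", "some", 1, "negative", "somewhat effective")
# Same threat, vulnerabilities and impact as EXTREME, but with effective controls.
MITIGATED = Risk("customer DB", "high", "full", 3, "serious", "effective")

if __name__ == "__main__":
    for r in prioritise([CRITICAL, MITIGATED, EXTREME]):
        print(f"{r.asset:12} {risk_rating(r):3d} {band(risk_rating(r))}")
```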
• Health Insurance Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health Act (HITECH Act)
• Federal Information Security Management Act (FISMA)
• Gramm-Leach-Bliley Act (GLBA)
• Payment Card Industry Data Security Standard (PCI-DSS)
• Payment Card Industry Payment Application Standard
• Sarbanes-Oxley Act (SOX)
• U.S. state data breach notification law
• International privacy or security laws
The demand for ISO/IEC 27001:2005 has nearly tripled in six years, and the number of countries adopting the Information Security Management System has doubled. ISO/IEC 27001:2005 will soon receive its first major revision since its adoption in 2005, and if it turns out to be anything like the changes we have seen in ICFR/ICIF, ISAE 3402 or NIST SP 53, there will be significant improvements to be leveraged. In 2006, the first year of the annual survey, ISO/IEC 27001:2005 certificates at the end of December 2006 totaled 5,797, and the number of countries adopting ISO/IEC 27001 totaled 64. At the end of 2010, at least 15,625 certificates had been issued in 117 countries. The 2010 total represents an increase of 2,691 (+21%) since December 2009. In 2006 the top three countries adopting ISO/IEC 27001 were Japan, the United Kingdom and India, and in 2010 that trend continued. However, the top three countries from December 2009 to 2010 were Japan, China and the Czech Republic.
• Governance
• Human Resources
• Roles and Responsibilities
• Charter
• Oversight Committee (ToR)
• Communication Strategy
• Statement of Applicability
• Impact
• Budget
• Risk Management
• Policy
• Methodology
• Procedure
• Risk Treatment
• Continuous Improvement
• Document Control
• Record Management
• Monitoring
• Incident Management
• Security Architecture
• Internal Audit
• Legal Obligations
• Service Management
• Knowledge Management
• Procurement
• Annual Security Testing
• Outsourcing
• Awareness Training
• Implementing ISMS
  • PDCA Activities
  • Time allocations
  • Resources
• Post-Implementing ISMS
  • PDCA Activities
  • Time allocations
  • Resources
An Information Security Event occurs when a threat agent attempts to exploit a vulnerability within the Enterprise Environment but is not successful. A report may be generated on a weekly, biweekly or monthly basis and securely distributed to the Enterprise Information Security Office for further analysis and reporting.
An Information Security Incident results when a threat agent successfully exploits a vulnerability within the Enterprise Environment. The Enterprise Information Security Office must be notified immediately whenever a Security Incident occurs. The Enterprise Security Office will assist with evidence collection, containment, eradication and recovery.
Information security incidents typically result in a negative impact to Enterprise Assets and to one or more of the characteristics defined by the three principles of information security: confidentiality, integrity or availability.
Diagram: Control Objectives and Practices specifically linked to the role of the TSH CISO. Key (document types): Process, Practice, Policy, Standard.
Control objective domains: Physical & Environmental; Asset Management; Access Control; Systems Acquisition, Development, Maintenance; Compliance; Business Continuity; Human Resources; Communications & Operations; Information Security Policy.
Linked practices and documents: Allocation of InfoSec Responsibilities; Correct Processing in Applications; Technical Vulnerability Management; Business Continuity Management; Management of InfoSec Incidents & Improvements; Personal Information Breach Process; Incident Management; InfoSec Education & Awareness; Personal Information Protection Standard.
• Information Security Policy (ISMS Policy)*
• Acceptable use of assets**
• Backup policy
• Access control policy
• Clear desk and clear screen policy
• Policy on use of network services
• Mobile computing and communications
• Policy on the use of cryptographic controls
*I recommend having one policy at this level and calling it the ‘Information Security Policy’. **not identified as a specific requirement however I highly recommend this policy.
NOTE: Each process is documented using the template described in subsequent slides.
• Level 1 - Description of the process in wording: high-level narrative describing the general process, operating parameters and interaction of participating organizations.
• Level 2 - Process end-to-end summary: mid-level end-to-end flowchart summary of the key sub-processes described in the Level 3A documents.
• Level 3A - Detailed process description: "walkthrough"-level process flowchart showing the operational execution sequence, with participants and key financial control points identified. Typically detailed to the line manager layer. (NOTE: 3A is not detailed down to the desk procedures level.)
• Level 3B - Control design, objective, risks, control point: control design evaluation template; maps to the 3A flowchart; indicates the control objectives for the process with associated risks; lists the key controls for these risks; and summarizes the execution of these controls.
• Level 3C - Test procedure description: testing and remediation template; lists the key financial control points; documents the specific tests pertaining to each control; and describes any notable exception items that require correction.
For more information contact Skype: Mark_E_S_Bernard
Twitter: @MESB_TechSecure
LinkedIn: http://ca.linkedin.com/in/markesbernard