The use of standards to tackle emerging information security risks

Suzanne Fribbins, EMEA Product Marketing Manager - Risk

IOSH 2013. Rev 0. Copyright © 2013 BSI. All rights reserved.

Page 2: Who is BSI? – 10 fast facts

• Founded in 1901

• Standards, assessment, testing, certification, training, software

• No owners/shareholders … all profit reinvested into the business

• Global independent business services organization

• >2,900 staff and >50% non-UK

• #1 certification body in the UK, USA

• National Standards Body in the UK

• Trained over 73,000 people worldwide in 2012

• 70,000 clients in 150 countries

• 65 offices located around the world

Pages 3–4: The changing information security risk landscape

Pages 5–6: New security challenges

Page 7: Key information security statistics

• Recent government research has found 93% of large organizations and 87% of small businesses suffering a breach last year (up more than 10% on the previous year)

• And we're starting to see the impact of emerging technologies on information security

• The 2013 PwC information security breaches survey found:

  • 14% of large organisations had a security breach relating to social networking sites; and

  • 9% had a breach relating to smartphones or tablets

  • 4% of respondents had a security or data breach in the last year relating to one of their cloud computing services

Source: 2013 Information Security Breaches Survey

Page 8: Increasing regulatory compliance

• Concern about security risks and their impact on citizen data has triggered a wave of regulatory compliance with progressively heavier penalties for personal data breaches

• Increased ICO activity (34 fines in just over two years) relating to:

  • Emailing of sensitive personal information to the wrong recipients

  • Mailing sensitive information to the wrong recipient/s

  • Faxing of information to incorrect number/s

  • Personal information mistakenly published on public website/s

  • Loss of unencrypted laptops

  • Loss of unencrypted memory sticks, DVDs

  • Theft of sensitive paper records from a mobile worker

  • Unsecure disposal of sensitive personal records

  • Sensitive information left on disused IT equipment

Page 9: Global growth in certification

[Chart: Number of Certificates by year, 2006–2011, vertical axis 0 to 20,000; annotations on the chart: 21%, 40%, 12%]

Page 10: Information Security Breaches Survey 2013 - PwC

• 76% of large respondents and 36% of smaller organizations have implemented ISO 27001 at least partially

• 85% of large organisations and 61% of small businesses have been asked by their customers to comply with security standards

• 45% of large organisations have specifically been asked for ISO 27001 compliance

Source: 2013 Information Security Breaches Survey

Page 11: What is happening in the ISO 27000 suite to address the changing risk landscape?

“The ISO 27000s are the ones you want to be looking for” (Paul Simmonds, co-founder of the Jericho Forum, ex-CIO of AstraZeneca, 2011)

Page 12: The ISO 27000 series

Pages 13–14: The ISO 27000 series

Standard – Published:

• ISO/IEC 27034 – Guidelines for application security (6 part standard) – 2011

• ISO/IEC 27031 – Guidelines for ICT readiness for business continuity – 2011

• ISO/IEC 27032 – Guidelines for cyber security – 2012

• ISO/IEC 27013 – Guidelines on the integrated implementation of ISO/IEC 27001 & ISO 20000-1 – 2012

• ISO/IEC 27033 – Security Techniques, Network Security (3 part standard) – 2009/10/11

• ISO/IEC 27015 – Information security management guidelines for financial services – 2012

Under development:

• ISO/IEC 27018 – Information security in cloud computing (relevant controls in 27001 – DP/Privacy)

• ISO/IEC 27017 – Information security in cloud computing (relevant controls in 27001)

• ISO/IEC 27016 – Information security management – organizational economics

• ISO/IEC 27014 – Governance of information security

Pages 15–16: The ISO 27000 series

Standard – Published:

• ISO/IEC 27037 – Guidelines for identification, collection, acquisition and presentation of digital evidence – 2012

Under development:

• ISO/IEC 27044 – Guidelines for security information and event management (SIEM)

• ISO/IEC 27043 – Investigation principles and processes

• ISO/IEC 27042 – Guidelines for the analysis and interpretation of digital evidence

• ISO/IEC 27041 – Guidance on assuring suitability and adequacy of investigative measures

• ISO/IEC 27035 – Information security management (3 part standard)

• ISO/IEC 27040 – Storage security

• ISO/IEC 27039 – Selection, deployment and operations of intrusion detection and prevention systems

• ISO/IEC 27038 – Specification for digital redaction

• ISO/IEC 27036 – Information security for supplier relationships (4 part standard)

Page 17: Cloud security – how can standards help?

• Understand the chain of custody risk of the data

  • When you put it into the cloud

  • How the supplier maintains it and backs it up

  • How you can prove your data has been destroyed, if you choose to move to a new supplier

Page 18: ISO 27001 and ISO 27002

• 27001 – Requirements for an information security management system (revision due 2013; ISO 27001 will continue to be the certification standard for Information Security)

• 27002 – Code of practice for information security management (revision due 2013)

Page 19: ISO 27001, ISO 27002 and ISO 27017

• 27001 – Requirements for an information security management system

• 27002 – Code of practice for information security management

• 27017 – Security in cloud computing (due 2014; will include cloud-specific controls, in addition to those recommended in the new ISO 27002. Standard is supported by the Cloud Security Alliance)

Page 20: Other standards initiatives

Pages 21–22: PAS 555

• The focus of PAS 555 is cyber security

• Looks at cyber security at the organizational level

• Outcomes based – provides a framework that enables understanding of the broad scope of capabilities required

• Other standards and guidelines to tackle cyber security risk tend to define good practice as to how effective cyber security might be achieved

• PAS 555 does not specify such processes or actions

Page 23: Cloud Security STAR certification

• ISO 27001 is widely recognised and respected

• “Users should look for the providers to be 27001 certified” (John Pescatore, Gartner Cloud Analyst, 2011)

• Perception = insufficient focus on detail in certain areas of security for particular sectors

• ISO 27001 is written with the expectation that additional controls could be added

• Developed by CSA, the Cloud Controls Matrix (CCM) bridges this gap, providing focus on critical controls for cloud security

• In addition, it is felt a pass/fail approach does not allow cloud service purchasers to make informed decisions

Page 24: How was the CCM developed?

• Joint agreement signed between CSA and BSI in August 2012

• CCM initially developed by CSA

• Working group assembled to further develop CCM using a consensus based model

• Expertise in maturity modelling provided by BSI

Page 25: ISO 27001 + CCM + Maturity Model = STAR Certification

Page 26: Cloud controls – what are they about?

Page 27: Audience, key drivers, benefits

• Scheme available to any organization providing cloud services, that has, or is in the process of, certifying to ISO 27001

• The scope of the ISO 27001 certification must not be less than the scope of the STAR certification

• STAR certification ensures that:

  • Specific issues critical to cloud services have been addressed

  • This has been independently checked and verified by a third party

• Encourages CSPs to move beyond compliance to continued improvement

• Management capability model gives management visibility of effectiveness of controls, and allows performance to be benchmarked and improvements tracked year on year

Page 28: STAR Certification

[Diagram: General Management System + Cloud Specific Controls = Well MANAGED and FOCUSED system → STAR Certification]

Page 29: Approving assessors

[Diagram: STAR Assessor]

Page 30: Revision of ISO 27001

ISO 27001 is “increasingly becoming the lingua franca for information security” (Source: Information Security Breaches Survey 2010 - PwC)

Page 31: ISO 27001 revision: status report

• ISO 27001:2005 has been undergoing revision.

• Draft International Standard (DIS) released to the National Standards Bodies on 16 January 2013.

• Consultation closed 23 March 2013.

• Draft International Standard (DIS) passed its DIS ballot at the meeting of the ISO Committee in April.

• A Final Draft International Standard (FDIS) will follow.

• Publication is expected toward the end of 2013.

Page 32: What can you expect from the new ISO 27001?

• Standard has been written in accordance with Annex SL

• Definitions in the 2005 version have been removed and relocated to ISO 27000

• There have been changes to the terminology used

• Requirements for Management Commitments have been revised and are presented in the Leadership Clause

• Preventive action has been replaced with “actions to address risks and opportunities”

• The risk assessment requirements are more general

• SOA requirements are similar but with more clarity on the determination of controls by the risk treatment process

• The new standard puts greater emphasis on setting the objectives, monitoring performance and metrics

Page 33: ISO 27001 structure

Page 34: Controls

Page 35: Questions?

Page 36: Contact us
