ISO27002 Security-Program Phase 1 Review James Faxon CISO for Aviall – A Boeing Company



Page 1

ISO27002 Security-Program Phase 1 Review

James Faxon, CISO for Aviall – A Boeing Company

Page 2

Factors Under Consideration

• Aerospace & Defense Industry does not require ISO 2700x-Compliance

• No regulations or contracts that require ISO 2700x-Compliance

• No Security compromise which has adversely impacted the Aviall Business

• No firm commitment from Boeing Security in relation to financial-assistance

• Weekly meetings set to discuss status

• ISO 27001/2 are due for revision at the end of 2011 / beginning of 2012

Page 3

Phase 1 – Initial Assessment

Sample requirement/control mapping used in the assessment:

| ISO-27002 DOMAIN | RQMT/Control Description |
|---|---|
| 5.0 Security Policy | Must have I/S Policy |
| 7.0 Asset Mgt | Standards for Asset Owner |
| 9.0 Physical Security | Security Perimeters |

ISO 27002 – DOMAINS assessed:

4.0 Risk Assessment and Treatment
5.0 Security Policy
6.0 Organization of Information Security
7.0 Asset Management
8.0 Human-Resources Security
9.0 Physical and Environmental Security
10.0 Communications and Operations Management
11.0 Access Control
12.0 Information-Systems Acquisition, Development and Maintenance
13.0 Information-Security Incident-Management
14.0 Business-Continuity Management
15.0 Compliance

Assessment flow (elements of the slide diagram):

• High-Level Assessment of Applications + Infrastructure across the GENERAL domains, asking for each control:
  - Control Exists?
  - Is Working?
  - Documented?
  - Training done?
• Risk Rating of each gap: High / Med / Low (AVIALL MGT)
• Risk Mgmt Tool (Enterprise): prioritize effort and drive the Phase-2 WBS, with focus on High-Risk DOMAINS
• Report to BOEING

• Financial-Loss Tolerance (EBIT) **
  - Critical Loss (High) – more than $15 MM Operating Earnings
  - Significant Loss (Med) – $1–15 MM Operating Earnings
  - Minor Loss (Low) – $0 up to $1 MM Operating Earnings

• Business-Operations Disruption Tolerance **
  - Critical Delay – more than 720 hrs (greater than 4 weeks)
  - Significant Delay – 336 hrs up to 720 hrs (2 weeks to 4 weeks)
  - Minor Delay – 1 hr – 336 hrs (1 day to 2 weeks)

• Regulatory Non-Compliance **
  - Reputational Damage – Critical
  - Customer Confidence – Critical
  - Shareholder Value – Critical

** As agreed to by Executive Management, 3Q 2010

Page 4

ISO Program Rollup

• Status today – Phase 1 Complete

• Phase 1 was a high-level gap assessment against the ISO 27002 standard to answer the question ‘What’s missing? (Where’s the risk?)’

• The review was also designed to collect data for Boeing questions regarding Coverage (Breadth) and Maturity (Depth) of security controls

• Overall, 86 observations were found, rated as:
  - Considered High (24%)
  - Considered Medium (40%)
  - Considered Low-Risk (36%)

• Of the observations found, 72% were process or procedure related

GAPS by Risk

| High | Med | Low | TOTAL |
|---|---|---|---|
| 21 | 34 | 31 | 86 |

Page 5

Phase 1 GAP-Assessment Results

[Risk matrix figure: LIKELIHOOD (vertical axis) vs IMPACT (horizontal axis)]

Synopsis of Major Risks Identified:

• Access control is configured and managed manually, which is prone to errors

• No changing of passwords for shared IDs – System/Application accounts

• No network-traffic monitoring (don’t know what’s coming in or going out)

• Lack of a company-wide data-classification program

• No centralized management and correlation of security-event logs (the 1st line of notification)

• Little review of escalated privileges / access

• No database encryption for sensitive data (specific to PCI)

• No Business Continuity Plan (BCP) coupled with an IS Disaster Recovery Plan

Risks Identified by Boeing CIO (John Hinshaw) and CISO (Linda Meeks):

• Espionage or business-disruption attacks by nation states or criminals

• Insiders may inadvertently access or un-intentionally disclose information

• Unauthorized modification of infrastructure by insiders

• Insiders modifying financial information for personal gain

• Application vulnerabilities due to lack of application security practices

• Denial-Of-Service attacks by nation states; resultant unavailability

• Malware due to software sourcing or contractors causing unauthorized modification of applications

Note – Analysis conducted based on worst-case scenario

Page 6

Total Cost and Hours to Meet Policy Mandate

TOTAL COST IMPLEMENTATION – $8.88 MM
ANNUAL COST – $5.151 MM

To implement the entire set of ISO 27002 security requirements as outlined by Boeing:

• Additional headcount required to support (16+)

• A centralized Security organization should be considered to support the technical infrastructure and the process / procedural work required (under Joe Church)

• All Capital and Expense costs represent an internal BEST estimate without a formal RFP or BRD; project cost could be 2x

Columns: Implementation Cost (Internal HRS, CAP, EXT Expense, TOTAL) and Ongoing Annual Cost (Annual Depre, Annual Maint, Added Payroll, TOTAL). All dollar figures in $.

| Domain | Description | Internal HRS | CAP | EXT Expense | TOTAL (Impl.) | Annual Depre | Annual Maint | Added Payroll | TOTAL (Annual) |
|---|---|---|---|---|---|---|---|---|---|
| 4 | Risk Assessment and Treatment | 1,024 | - | - | - | - | - | - | - |
| 5 | Information-Security Policy | - | - | - | - | - | - | - | - |
| 6 | Organization of Information-Security (function) | 200 | - | 160,000 | 160,000 | - | - | - | - |
| 7 | Asset Mgmt | 3,392 | - | - | - | - | - | - | - |
| 8 | Human-Resources Security | 660 | - | - | - | - | - | - | - |
| 9 | Physical and Environmental Security | 1,080 | - | - | - | - | - | - | - |
| 10 | Communications and Oper's Mgmt | 4,588 | 6,500,000 | - | 6,500,000 | 1,300,000 | 1,300,000 | 1,120,000 | 3,720,000 |
| 11 | Access Control | 6,640 | 800,000 | - | 800,000 | 160,000 | 160,000 | 575,000 | 895,000 |
| 12 | IS Systems-Acquisition, Develop, and Maint | 5,224 | 820,000 | - | 820,000 | 164,000 | 164,000 | - | 328,000 |
| 13 | Information Security - Incident-Mgmt (function) | 1,384 | - | - | - | - | - | 208,000 | 208,000 |
| 14 | Business-Continuity Mgt / Disaster-Recovery | 3,024 | - | 600,000 | 600,000 | - | - | - | - |
| 15 | Compliance - Regulatory and Int'l Laws | 2,500 | - | - | - | - | - | - | - |
| TOTAL | | 29,716 | 8,120,000 | 760,000 | 8,880,000 | 1,624,000 | 1,624,000 | 1,903,000 | 5,151,000 |

(The Added Payroll total was rendered as "########" in the source spreadsheet; 1,903,000 is the column sum and reconciles with the 5,151,000 annual total.)

Page 7

High-Risk Areas: Remediation Costs / Hours for All HIGH-RISK AREAS (High-Risk Items Implementation)

• Additional headcount required to support (9+)

• A centralized TECHNICAL Security organization should be considered to support the technical infrastructure and the process and procedural work required (under Joe Church)

• All Capital and Expense costs represent an internal BEST estimate without a formal RFP or BRD; dollar values could be as high as 2x

TOTAL COST IMPLEMENTATION – $3.72 MM
ANNUAL COST – $2.58 MM

Columns: Implementation Cost (HRS, CAP, EXT Expense, TOTAL) and Ongoing Annual Cost (Annual Depre, Annual Maint, Added Payroll, TOTAL). All dollar figures in $.

| Domain | Description | HRS | CAP | EXT Expense | TOTAL (Impl.) | Annual Depre | Annual Maint | Added Payroll | TOTAL (Annual) |
|---|---|---|---|---|---|---|---|---|---|
| 8 | Human-Resources Security | 660 | - | - | - | - | - | - | - |
| 10 | Communications and Oper's Mgmt | 4,588 | 1,500,000 | - | 1,500,000 | 300,000 | 600,000 | 824,000 | 1,724,000 |
| 11 | Access Control | 6,640 | 800,000 | - | 800,000 | 160,000 | 160,000 | 104,000 | 424,000 |
| 12 | IS Systems-Acquisition, Develop, and Maint | 5,224 | 820,000 | - | 820,000 | 164,000 | 164,000 | - | 328,000 |
| 13 | Information Security - Incident-Mgmt (function) | 1,384 | - | - | - | - | - | 104,000 | 104,000 |
| 14 | Business-Continuity Mgt / Disaster-Recovery | 3,024 | - | 600,000 | 600,000 | - | - | - | - |
| TOTAL | | 18,496 | 3,120,000 | 600,000 | 3,720,000 | 624,000 | 924,000 | 1,032,000 | 2,580,000 |

Page 8

Compliance Program

Sample mapping of ISO-27002 domains to Boeing and Aviall equivalents:

| ISO-27002 DOMAINS | RQMT/Control Description | Boeing Equiv. | Aviall Equiv. |
|---|---|---|---|
| 5.0 Security Policy | Must have I/S Policy | GCSSM 1.6 | ISPG § 2.1, Info Mgt Pol |
| 7.0 Asset Mgt | Standards for Asset Owner | PRO-2227 | ISPG § 3, IMP § 4 |
| 9.0 Physical Security | Security Perimeters | PRO-2227 | missing |

Compliance-program cycle (diagram v 0806):

1 - Review APPLS + Tech Infrastructure
2 - Identify GAPS
3 - Risk Mgmt Tool (Enterprise): Risk Rating High / Med / Low
4 - Develop Remediation Plan
5 - Follow-Up List
6 - Risk-Based Annual Plan: Assess / Test Annually; Schedule & Perform Tests based on Risk / RQMT Category (1 – 2 – 3 years); Report To BOEING

Feed in new RQMTS:

• DoD
• Safe Harbor
• ISO

Deep-Dive Assessment (Phase 2 – Deep Dive):

• Validate Remedy
• Re-Testable
• Mgmt Review
• Update / Add New Controls

Re-Usable Documentation:

• Audit Test Plan
• Test Scripts
• Test Data (sample)
• Execute / Review Results
• Store Evidence
• Prepare Reports

Review and approval: Internal Audit Reviews (Substantive); I/S Managed Audit Review; EXEC Review; Approve? YES / NO (NO: Back to 3; Escalate based on Cost / Staff Impact)

Detailed Requirements (and Controls) (Compliance-Plan) feed a Prioritized Work-List:

• New / Improved Controls
• Tools (Security, Monitor, etc)
• Improve Process / WorkFlow
• P + P / Mgt or User-Guides
• Budget / Staff
• Training