Upload
primrose-heath
View
216
Download
4
Tags:
Embed Size (px)
Citation preview
Lecture 09Network Security Management through the ISMS
Asst.Prof.Supakorn Kungpisdan, [email protected]
1NETE0519-ITEC4614
Learning Objectives
Explain the purpose of an ISMS and the process for: Establishing Implementing Operating Monitoring Reviewing Improving the ISMS
Explain the purpose and the contents of ISO27001, ISO27002, ISO27005 and their relationship
NETE0519-ITEC4614 2
Asset Identification
Exercise Give example of Asset
NETE0519-ITEC4614 3
Asset Valuation
NETE0519-ITEC4614 4
Information
Information asset Knowledge or data that has value to the organization
NETE0519-ITEC4614 5
Storing and communicating information
Printed or written on paper Stored electronically Transmitted by post or using electronic means Shown on corporate videos Verbal-spoken in conversations “Whatever form the information takes, or means by which it
is shared or stored, it should always be appropriated protected”
NETE0519-ITEC4614 6
What is Information Security?
ISO27001:2005 defines Information Security asPreservation of Confidentiality: the property that information is not
made available or disclosed to unauthorized individuals, entities, or processes
Integrity: the property of safeguarding the accuracy and completeness of assets
Availability: the property of being accessible and usable upon demand by an authorized party
of information
NETE0519-ITEC4614 7
What is Information Security? (cont.)
Authenticity Non-repudiation Accountability Reliability
NETE0519-ITEC4614 8
Exercise
Give an example of networking technologies, activities, or processes that are related to Confidentiality Integrity availability
NETE0519-ITEC4614 9
Sensitive or critical information
Assessment can identify sensitive and critical information based on value to the organization
Sensitive or critical information can be based on time. Some financial information will be very sensitive before reporting to the stock market, but have no sensitivity after once reported
Sensitivity reflects data classification level Assessment involves in valuation of information assets
in order to calculate risks and security level required to protect these assets using appropriate controls
NETE0519-ITEC4614 10
Management System includes..
NETE0519-ITEC4614 11
Information Security Management System
Part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security
Information security should be seen as an ongoing activity of continual improvement
ISMS adoption should be a strategic decision by the top management
NETE0519-ITEC4614 12
ISMS (cont.)
ISMS requires that everyone is clear about what is required of them, that: they are trained in what they are meant to do, they have the facilities and resources they need, etc.
ISMS to initiate the production of standard set of (broad) requirements which all have to be complied with.
NETE0519-ITEC4614 13
Consideration on overall performance of the organization may impact…
NETE0519-ITEC4614 14
Consideration on overall performance of the organization may impact…
NETE0519-ITEC4614 15
Notes
Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investment and business opportunities
Every organization will have a differing set of requirements in terms of control requirements and the level of confidentiality, integrity, and availability
From the Introduction section of ISO27002
NETE0519-ITEC4614 16
History and Family of ISO 27001 Standards
NETE0519-ITEC4614 17
ISO27001 Standard
ISO/IEC 27001, part of a growing family of ISO/IEC 27000 standards, is an information security management system (ISMS) standard published in October 2005 by the ISO and the International Electrotechnical Commission (IEC).
Its full name is ISO/IEC 27001:2005—Information technology—Security techniques—Information security management systems—Requirements but it is com- monly known as ISO 27001.
NETE0519-ITEC4614 18
History of ISMS Standards
1992: BSI approached by industry sectors and service providers with concerns over the increase of electronic office systems and potential problems related to controls over these systems
Jan 1993: set up an industry working group to review the concerns raised by the industry. The results published is called “Code of Practice”
Feb 1995: Code of Practice had become BS 7799-1 standard Feb 1998: BSI produced BS 7799-2 to form basis for organization to be registered
for an ISMS system (focused on audit) April 1999: both BS 7799-1 and BS 7799-2 were aligned and republished as BS
7799-1:1999 and BS 7799-2:1999 2000: BS7799-1 had become ISO17799:2000 2005: ISO17799:2000 were revised and re-numbered to ISO 27002:2005 2005: BS 7799-2 has been adopted as ISO 27001:2005
NETE0519-ITEC4614 19
The ISO27001 family of standards
ISO27000 – Overview and vocabulary ISO27001 – Audit requirements ISO27002 – Code of Practices (was ISO17799:2005) ISO27003 – Implementation Guidance ISO27004 – Measurement ISO27005 – Risk Management ISO27006 – Requirements for Bodies providing Audit and
Certification of ISMSs
NETE0519-ITEC4614 20
Why Implement ISO27001:2005
Without suitable protection, information can be: Given away, leaked or disclosed in an authorized way Modified without your knowledge to become less valuable Loss without trace or hope of recovery Can be rendered unavailable when needed
Information should be protected and properly managed like other business asset of the organization
NETE0519-ITEC4614 21
ISMS Implementation and ISO 27001 Certification Process
NETE0519-ITEC4614 22
ISMS Implementation and ISO 27001 Certification Process
See ISO27k ISMS implementation and certification
process.ppt
NETE0519-ITEC4614 23
Establishing the ISMS
NETE0519-ITEC4614 24
PDCA Cycle
NETE0519-ITEC4614 25
Continual improvement of the management systemContinual improvement of the management system
NETE0519-ITEC4614 26
PDCA (cont.)
Meeting ISO 27001:2005 Requirements
NETE0519-ITEC4614 27
Meeting ISO 27001:2005 Requirements
1. The requirements contained in the ISMS process, that are described in clauses 4-8 of ISO 27001:2005. ISMS process requirements address how an
organization should establish and maintain their ISMS, based on PDCA model
Any organization wants to achieve ISO 27001:2005 certification need to comply with all these requirements, exclusions are not acceptable
NETE0519-ITEC4614 28
Meeting ISO 27001:2005 Requirements (cont.)
2. The ISMS control requirements, contained in Annex A of ISO 27001:2005 ISMS control requirements are applicable for an
organization unless the risk assessment and risk acceptance criteria prove that this is not the case
“Any exclusions of controls found to be necessary to satisfy the risk acceptance criteria need to be justified and evidence need to be provided that the associated risks have been properly accepted by accountable person.”
NETE0519-ITEC4614 29
Steps of ISO27001
1. Establish the ISMS (clause 4.2.1)2. Implement and operate the ISMS (clause 4.2.2)3. Monitor and review the ISMS (clause 4.2.3)4. Maintain and improve the ISMS (clause 4.2.4)
NETE0519-ITEC4614 30
4.2.1 Establish the ISMS
NETE0519-ITEC4614 31
See ISO 27001 document for details
4.2.1 Establish the ISMS (cont.)
In terms of: Characteristics of the business The organization Its location Its assets Its technology
Define scope and boundaries of the ISMS Define an ISMS policy
NETE0519-ITEC4614 32
ISMS Policy Example
See example from ISO27001 toolkit
NETE0519-ITEC4614 33
Control Objectives
A.5 Security policy A.6 Organization of information security A.7 Asset management A.8 Human resources security A.9 Physical and environmental security A.10 Communications and operations management A.11 Access control A.12 Information systems acquisition, development and maintenance A.13 Information security incident management A.14 Business continuity management A.15 Compliance
NETE0519-ITEC4614 34
Implementing and operating the ISMS
NETE0519-ITEC4614 35
4.2.2 Implement and operate the ISMS
NETE0519-ITEC4614 36
See ISO 27001 document for details
4.2.3 Monitor and review the ISMS
NETE0519-ITEC4614 37
See ISO 27001 document for details
Maintain and improve the ISMS
NETE0519-ITEC4614 38
See ISO 27001 document for details
NETE0519-ITEC4614 39
Questions?