Lecture 09 Network Security Management through the ISMS Asst.Prof.Supakorn Kungpisdan, Ph.D. [email protected] 1 NETE0519-ITEC4614

Lecture 09Network Security Management through the ISMS

Asst.Prof.Supakorn Kungpisdan, [email protected]

1NETE0519-ITEC4614

Learning Objectives

Explain the purpose of an ISMS and the process for: Establishing Implementing Operating Monitoring Reviewing Improving the ISMS

Explain the purpose and the contents of ISO27001, ISO27002, ISO27005 and their relationship

NETE0519-ITEC4614 2

Asset Identification

Exercise Give example of Asset

NETE0519-ITEC4614 3

Asset Valuation

NETE0519-ITEC4614 4

Information

Information asset Knowledge or data that has value to the organization

NETE0519-ITEC4614 5

Storing and communicating information

Printed or written on paper Stored electronically Transmitted by post or using electronic means Shown on corporate videos Verbal-spoken in conversations “Whatever form the information takes, or means by which it

is shared or stored, it should always be appropriated protected”

NETE0519-ITEC4614 6

What is Information Security?

ISO27001:2005 defines Information Security asPreservation of Confidentiality: the property that information is not

made available or disclosed to unauthorized individuals, entities, or processes

Integrity: the property of safeguarding the accuracy and completeness of assets

Availability: the property of being accessible and usable upon demand by an authorized party

of information

NETE0519-ITEC4614 7

What is Information Security? (cont.)

Authenticity Non-repudiation Accountability Reliability

NETE0519-ITEC4614 8

Exercise

Give an example of networking technologies, activities, or processes that are related to Confidentiality Integrity availability

NETE0519-ITEC4614 9

Sensitive or critical information

Assessment can identify sensitive and critical information based on value to the organization

Sensitive or critical information can be based on time. Some financial information will be very sensitive before reporting to the stock market, but have no sensitivity after once reported

Sensitivity reflects data classification level Assessment involves in valuation of information assets

in order to calculate risks and security level required to protect these assets using appropriate controls

NETE0519-ITEC4614 10

Management System includes..


Information Security Management System

Part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security

Information security should be seen as an ongoing activity of continual improvement

ISMS adoption should be a strategic decision by the top management


ISMS (cont.)

ISMS requires that everyone is clear about what is required of them, that: they are trained in what they are meant to do, they have the facilities and resources they need, etc.

ISMS to initiate the production of standard set of (broad) requirements which all have to be complied with.


Consideration on overall performance of the organization may impact…


Consideration on overall performance of the organization may impact…


Notes

Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investment and business opportunities

Every organization will have a differing set of requirements in terms of control requirements and the level of confidentiality, integrity, and availability

From the Introduction section of ISO27002


History and Family of ISO 27001 Standards


ISO27001 Standard

ISO/IEC 27001, part of a growing family of ISO/IEC 27000 standards, is an information security management system (ISMS) standard published in October 2005 by the ISO and the International Electrotechnical Commission (IEC).

Its full name is ISO/IEC 27001:2005—Information technology—Security techniques—Information security management systems—Requirements but it is com- monly known as ISO 27001.


History of ISMS Standards

1992: BSI approached by industry sectors and service providers with concerns over the increase of electronic office systems and potential problems related to controls over these systems

Jan 1993: set up an industry working group to review the concerns raised by the industry. The results published is called “Code of Practice”

Feb 1995: Code of Practice had become BS 7799-1 standard Feb 1998: BSI produced BS 7799-2 to form basis for organization to be registered

for an ISMS system (focused on audit) April 1999: both BS 7799-1 and BS 7799-2 were aligned and republished as BS

7799-1:1999 and BS 7799-2:1999 2000: BS7799-1 had become ISO17799:2000 2005: ISO17799:2000 were revised and re-numbered to ISO 27002:2005 2005: BS 7799-2 has been adopted as ISO 27001:2005


The ISO27001 family of standards

ISO27000 – Overview and vocabulary ISO27001 – Audit requirements ISO27002 – Code of Practices (was ISO17799:2005) ISO27003 – Implementation Guidance ISO27004 – Measurement ISO27005 – Risk Management ISO27006 – Requirements for Bodies providing Audit and

Certification of ISMSs


Why Implement ISO27001:2005

Without suitable protection, information can be: Given away, leaked or disclosed in an authorized way Modified without your knowledge to become less valuable Loss without trace or hope of recovery Can be rendered unavailable when needed

Information should be protected and properly managed like other business asset of the organization


ISMS Implementation and ISO 27001 Certification Process


ISMS Implementation and ISO 27001 Certification Process

See ISO27k ISMS implementation and certification

process.ppt


Establishing the ISMS


PDCA Cycle


Continual improvement of the management systemContinual improvement of the management system


PDCA (cont.)

Meeting ISO 27001:2005 Requirements


Meeting ISO 27001:2005 Requirements

1. The requirements contained in the ISMS process, that are described in clauses 4-8 of ISO 27001:2005. ISMS process requirements address how an

organization should establish and maintain their ISMS, based on PDCA model

Any organization wants to achieve ISO 27001:2005 certification need to comply with all these requirements, exclusions are not acceptable


Meeting ISO 27001:2005 Requirements (cont.)

2. The ISMS control requirements, contained in Annex A of ISO 27001:2005 ISMS control requirements are applicable for an

organization unless the risk assessment and risk acceptance criteria prove that this is not the case

“Any exclusions of controls found to be necessary to satisfy the risk acceptance criteria need to be justified and evidence need to be provided that the associated risks have been properly accepted by accountable person.”


Steps of ISO27001

1. Establish the ISMS (clause 4.2.1)2. Implement and operate the ISMS (clause 4.2.2)3. Monitor and review the ISMS (clause 4.2.3)4. Maintain and improve the ISMS (clause 4.2.4)


4.2.1 Establish the ISMS


See ISO 27001 document for details

4.2.1 Establish the ISMS (cont.)

In terms of: Characteristics of the business The organization Its location Its assets Its technology

Define scope and boundaries of the ISMS Define an ISMS policy


ISMS Policy Example

See example from ISO27001 toolkit


Control Objectives

A.5 Security policy A.6 Organization of information security A.7 Asset management A.8 Human resources security A.9 Physical and environmental security A.10 Communications and operations management A.11 Access control A.12 Information systems acquisition, development and maintenance A.13 Information security incident management A.14 Business continuity management A.15 Compliance


Implementing and operating the ISMS


4.2.2 Implement and operate the ISMS



4.2.3 Monitor and review the ISMS



Maintain and improve the ISMS




Questions?

Documents

Lecture 09 Network Security Management through the ISMS Asst.Prof.Supakorn Kungpisdan, Ph.D. [email protected] 1 NETE0519-ITEC4614