
Suricate Solutions Inclusive Digital Future Data Security Workshop · 2019-07-23


Page 1

Suricate Solutions Inclusive Digital Future Data Security Workshop

2019/06/25 1

Information technology — Security techniques — Code of practice for information security controls

List based on ISO/IEC 27002:2013, original numbering has been retained.

Information Security Clauses (14) / Control Categories (35) / Controls (133) / Objectives

5 Information security policies
  5.1 Management direction for information security
    Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
    5.1.1 Policies for information security
    5.1.2 Review of the policies for information security
6 Organization of information security
  6.1 Internal organization
    Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.
    6.1.1 Information security roles and responsibilities
    6.1.2 Segregation of duties
    6.1.3 Contact with authorities
    6.1.4 Contact with special interest groups
    6.1.5 Information security in project management
  6.2 Mobile devices and teleworking
    Objective: To ensure the security of teleworking and use of mobile devices.
    6.2.1 Mobile device policy
    6.2.2 Teleworking
7 Human resource security
  7.1 Prior to employment
    Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
    7.1.1 Screening
    7.1.2 Terms and conditions of employment
  7.2 During employment
    Objective: To ensure that employees and contractors are aware of and fulfil their information security responsibilities.
    7.2.1 Management responsibilities
    7.2.2 Information security awareness, education and training
    7.2.3 Disciplinary process
  7.3 Termination and change of employment
    Objective: To protect the organization’s interests as part of the process of changing or terminating employment.
    7.3.1 Termination or change of employment responsibilities
8 Asset management
  8.1 Responsibility for assets
    Objective: To identify organizational assets and define appropriate protection responsibilities.
    8.1.1 Inventory of assets
    8.1.2 Ownership of assets
    8.1.3 Acceptable use of assets
    8.1.4 Return of assets
  8.2 Information classification
    Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.
    8.2.1 Classification of information
    8.2.2 Labelling of information
    8.2.3 Handling of assets
  8.3 Media handling
    Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.
    8.3.1 Management of removable media
    8.3.2 Disposal of media
    8.3.3 Physical media transfer
9 Access control
  9.1 Business requirements of access control
    Objective: To limit access to information and information processing facilities.
    9.1.1 Access control policy
    9.1.2 Access to networks and network services
  9.2 User access management
    Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.
    9.2.1 User registration and de-registration
    9.2.2 User access provisioning
    9.2.3 Management of privileged access rights
    9.2.4 Management of secret authentication information of users
    9.2.5 Review of user access rights
    9.2.6 Removal or adjustment of access rights
  9.3 User responsibilities
    Objective: To make users accountable for safeguarding their authentication information.
    9.3.1 Use of secret authentication information
  9.4 System and application access control
    Objective: To prevent unauthorized access to systems and applications.

Page 2

    9.4.1 Information access restriction
    9.4.2 Secure log-on procedures
    9.4.3 Password management system
    9.4.4 Use of privileged utility programs
    9.4.5 Access control to program source code
10 Cryptography
  10.1 Cryptographic controls
    Objective: To ensure proper and effective use of cryptography to protect the Confidentiality, Authenticity, and/or Integrity of information.
    10.1.1 Policy on the use of cryptographic controls
    10.1.2 Key management
11 Physical and environmental security
  11.1 Secure areas
    Objective: To prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities.
    11.1.1 Physical security perimeter
    11.1.2 Physical entry controls
    11.1.3 Securing offices, rooms and facilities
    11.1.4 Protecting against external and environmental threats
    11.1.5 Working in secure areas
    11.1.6 Delivery and loading areas
  11.2 Equipment
    Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization’s operations.
    11.2.1 Equipment siting and protection
    11.2.2 Supporting utilities
    11.2.3 Cabling security
    11.2.4 Equipment maintenance
    11.2.5 Removal of assets
    11.2.6 Security of equipment and assets off-premises
    11.2.7 Secure disposal or re-use of equipment
    11.2.8 Unattended user equipment
    11.2.9 Clear desk and clear screen policy
12 Operations security
  12.1 Operational procedures and responsibilities
    Objective: To ensure correct and secure operations of information processing facilities.
    12.1.1 Documented operating procedures
    12.1.2 Change management
    12.1.3 Capacity management
    12.1.4 Separation of development, testing and operational environments
  12.2 Protection from malware
    Objective: To ensure that information and information processing facilities are protected against malware.
    12.2.1 Controls against malware
  12.3 Backup
    Objective: To protect against loss of data.
    12.3.1 Information backup
  12.4 Logging and monitoring
    Objective: To record events and generate evidence.
    12.4.1 Event logging
    12.4.2 Protection of log information
    12.4.3 Administrator and operator logs
    12.4.4 Clock synchronisation
  12.5 Control of operational software
    Objective: To ensure the integrity of operational systems.
    12.5.1 Installation of software on operational systems
  12.6 Technical vulnerability management
    Objective: To prevent exploitation of technical vulnerabilities.
    12.6.1 Management of technical vulnerabilities
    12.6.2 Restrictions on software installation
  12.7 Information systems audit considerations
    Objective: To minimise the impact of audit activities on operational systems.
    12.7.1 Information systems audit controls
13 Communications security
  13.1 Network security management
    Objective: To ensure the protection of information in networks and its supporting information processing facilities.
    13.1.1 Network controls
    13.1.2 Security of network services
    13.1.3 Segregation in networks
  13.2 Information transfer
    Objective: To maintain the security of information transferred within an organization and with any external entity.
    13.2.1 Information transfer policies and procedures
    13.2.2 Agreements on information transfer

Page 3

    13.2.3 Electronic messaging
    13.2.4 Confidentiality or non-disclosure agreements
14 System acquisition, development and maintenance
  14.1 Security requirements of information systems
    Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.
    14.1.1 Information security requirements analysis and specification
    14.1.2 Securing application services on public networks
    14.1.3 Protecting application services transactions
  14.2 Security in development and support processes
    Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.
    14.2.1 Secure development policy
    14.2.2 System change control procedures
    14.2.3 Technical review of applications after operating platform changes
    14.2.4 Restrictions on changes to software packages
    14.2.5 Secure system engineering principles
    14.2.6 Secure development environment
    14.2.7 Outsourced development
    14.2.8 System security testing
    14.2.9 System acceptance testing
  14.3 Test data
    Objective: To ensure the protection of data used for testing.
    14.3.1 Protection of test data
15 Supplier relationships
  15.1 Information security in supplier relationships
    Objective: To ensure protection of the organization’s assets that is accessible by suppliers.
    15.1.1 Information security policy for supplier relationships
    15.1.2 Addressing security within supplier agreements
    15.1.3 Information and communication technology supply chain
  15.2 Supplier service delivery management
    Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.
    15.2.1 Monitoring and review of supplier services
    15.2.2 Managing changes to supplier services
16 Information security incident management
  16.1 Management of information security incidents and improvements
    Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
    16.1.1 Responsibilities and procedures
    16.1.2 Reporting information security events
    16.1.3 Reporting information security weaknesses
    16.1.4 Assessment of and decision on information security events
    16.1.5 Response to information security incidents
    16.1.6 Learning from information security incidents
    16.1.7 Collection of evidence
17 Information security aspects of business continuity management
  17.1 Information security continuity
    Objective: Information security continuity should be embedded in the organization’s business continuity management systems.
    17.1.1 Planning information security continuity
    17.1.2 Implementing information security continuity
    17.1.3 Verify, review and evaluate information security continuity
  17.2 Redundancies
    Objective: To ensure availability of information processing facilities.
    17.2.1 Availability of information processing facilities
18 Compliance
  18.1 Compliance with legal and contractual requirements
    Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.
    18.1.1 Identification of applicable legislation and contractual requirements
    18.1.2 Intellectual property rights
    18.1.3 Protection of records
    18.1.4 Privacy and protection of personally identifiable information
    18.1.5 Regulation of cryptographic controls
  18.2 Information security reviews
    Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.
    18.2.1 Independent review of information security
    18.2.2 Compliance with security policies and standards

Page 4

    18.2.3 Technical compliance review

Page 5

Items that should be stressed

Information Security Clauses (14) / Control Categories (35) / Controls (133)

5 Information security policies
  5.1 Management direction for information security
    5.1.1 Policies for information security
    5.1.2 Review of the policies for information security
6 Organization of information security
  6.1 Internal organization
    6.1.1 Information security roles and responsibilities
    6.1.2 Segregation of duties
    6.1.3 Contact with authorities
    6.1.4 Contact with special interest groups
    6.1.5 Information security in project management
  6.2 Mobile devices and teleworking
    6.2.1 Mobile device policy
    6.2.2 Teleworking
7 Human resource security
  7.1 Prior to employment
    7.1.1 Screening
    7.1.2 Terms and conditions of employment
  7.2 During employment
    7.2.1 Management responsibilities
    7.2.2 Information security awareness, education and training
    7.2.3 Disciplinary process
  7.3 Termination and change of employment
    7.3.1 Termination or change of employment responsibilities
8 Asset management

Page 6

  8.1 Responsibility for assets
    8.1.1 Inventory of assets
    8.1.2 Ownership of assets
    8.1.3 Acceptable use of assets
    8.1.4 Return of assets
  8.2 Information classification
    8.2.1 Classification of information
    8.2.2 Labelling of information
    8.2.3 Handling of assets
  8.3 Media handling
    8.3.1 Management of removable media
    8.3.2 Disposal of media
    8.3.3 Physical media transfer
9 Access control
  9.1 Business requirements of access control
    9.1.1 Access control policy
    9.1.2 Access to networks and network services
  9.2 User access management
    9.2.1 User registration and de-registration
    9.2.2 User access provisioning
    9.2.3 Management of privileged access rights
    9.2.4 Management of secret authentication information of users
    9.2.5 Review of user access rights
    9.2.6 Removal or adjustment of access rights
  9.3 User responsibilities
    9.3.1 Use of secret authentication information
  9.4 System and application access control
    9.4.1 Information access restriction
    9.4.2 Secure log-on procedures
    9.4.3 Password management system
    9.4.4 Use of privileged utility programs
    9.4.5 Access control to program source code
10 Cryptography
  10.1 Cryptographic controls
    10.1.1 Policy on the use of cryptographic controls
    10.1.2 Key management

Page 7

11 Physical and environmental security
  11.1 Secure areas
    11.1.1 Physical security perimeter
    11.1.2 Physical entry controls
    11.1.3 Securing offices, rooms and facilities
    11.1.4 Protecting against external and environmental threats
    11.1.5 Working in secure areas
    11.1.6 Delivery and loading areas
  11.2 Equipment
    11.2.1 Equipment siting and protection
    11.2.2 Supporting utilities
    11.2.3 Cabling security
    11.2.4 Equipment maintenance
    11.2.5 Removal of assets
    11.2.6 Security of equipment and assets off-premises
    11.2.7 Secure disposal or re-use of equipment
    11.2.8 Unattended user equipment
    11.2.9 Clear desk and clear screen policy
12 Operations security
  12.1 Operational procedures and responsibilities
    12.1.1 Documented operating procedures
    12.1.2 Change management
    12.1.3 Capacity management
    12.1.4 Separation of development, testing and operational environments
  12.2 Protection from malware
    12.2.1 Controls against malware
  12.3 Backup
    12.3.1 Information backup
  12.4 Logging and monitoring
    12.4.1 Event logging
    12.4.2 Protection of log information
    12.4.3 Administrator and operator logs
    12.4.4 Clock synchronisation
  12.5 Control of operational software
    12.5.1 Installation of software on operational systems
  12.6 Technical vulnerability management
    12.6.1 Management of technical vulnerabilities
    12.6.2 Restrictions on software installation
  12.7 Information systems audit considerations

Page 8

    12.7.1 Information systems audit controls
13 Communications security
  13.1 Network security management
    13.1.1 Network controls
    13.1.2 Security of network services
    13.1.3 Segregation in networks
  13.2 Information transfer
    13.2.1 Information transfer policies and procedures
    13.2.2 Agreements on information transfer
    13.2.3 Electronic messaging
    13.2.4 Confidentiality or non-disclosure agreements
14 System acquisition, development and maintenance
  14.1 Security requirements of information systems
    14.1.1 Information security requirements analysis and specification
    14.1.2 Securing application services on public networks
    14.1.3 Protecting application services transactions
  14.2 Security in development and support processes
    14.2.1 Secure development policy
    14.2.2 System change control procedures
    14.2.3 Technical review of applications after operating platform changes
    14.2.4 Restrictions on changes to software packages
    14.2.5 Secure system engineering principles
    14.2.6 Secure development environment
    14.2.7 Outsourced development
    14.2.8 System security testing
    14.2.9 System acceptance testing
  14.3 Test data
    14.3.1 Protection of test data
15 Supplier relationships
  15.1 Information security in supplier relationships
    15.1.1 Information security policy for supplier relationships
    15.1.2 Addressing security within supplier agreements
    15.1.3 Information and communication technology supply chain
  15.2 Supplier service delivery management
    15.2.1 Monitoring and review of supplier services

Page 9

    15.2.2 Managing changes to supplier services
16 Information security incident management
  16.1 Management of information security incidents and improvements
    16.1.1 Responsibilities and procedures
    16.1.2 Reporting information security events
    16.1.3 Reporting information security weaknesses
    16.1.4 Assessment of and decision on information security events
    16.1.5 Response to information security incidents
    16.1.6 Learning from information security incidents
    16.1.7 Collection of evidence
17 Information security aspects of business continuity management
  17.1 Information security continuity
    17.1.1 Planning information security continuity
    17.1.2 Implementing information security continuity
    17.1.3 Verify, review and evaluate information security continuity
  17.2 Redundancies
    17.2.1 Availability of information processing facilities
18 Compliance
  18.1 Compliance with legal and contractual requirements
    18.1.1 Identification of applicable legislation and contractual requirements
    18.1.2 Intellectual property rights
    18.1.3 Protection of records
    18.1.4 Privacy and protection of personally identifiable information
    18.1.5 Regulation of cryptographic controls
  18.2 Information security reviews
    18.2.1 Independent review of information security
    18.2.2 Compliance with security policies and standards
    18.2.3 Technical compliance review

Page 10 to Page 14

Scoring sheet: columns Importance (5 high, 1 low) and Maturity (5 high, 1 low). The extracted cell values carry no row labels, so the rows cannot be matched to controls.

Page 15

Chart: Cyber Security Assessment Exercise (Sample). Vertical axis 0 to 5 in steps of 0.5; horizontal axis lists the scored clauses and controls from 5 Information security policies through 18 Compliance (labels truncated in the extraction).

Page 16

Chart: Cyber Security Assessment Exercise, series Importance and Maturity. Horizontal axis lists the scored clauses and controls from 5 Information security policies through 18 Compliance (labels truncated in the extraction).

Page 17

Items that should be stressed / Nb of tables

Information Security Clauses (14) / Control Categories (35) / Controls (133)

5 Information security policies
6 Organization of information security
7 Human resource security
8 Asset management
9 Access control
10 Cryptography
11 Physical and environmental security
12 Operations security
13 Communications security
14 System acquisition, development and maintenance
15 Supplier relationships
16 Information security incident management
17 Information security aspects of business continuity management
18 Compliance

Page 18

Table 1 (columns: Objectives, Importance, Maturity): fourteen rows of Importance/Maturity values, five rows of (1, 2) followed by nine rows of (1, 1); the row labels were not extracted.

Page 19

Table 2, Table 3, Table 4 (columns: Importance, Maturity): one set of fourteen rows was extracted, each (5, 3); the row labels were not extracted.

Page 20

Table 5, Table 6, Table 7 (columns: Importance, Maturity): no cell values were extracted.

Page 21

Importance (5 high, 1 low) / Maturity (5 high, 1 low): fourteen rows, five of (3, 3) followed by nine of (3, 2); the row labels were not extracted.

Page 22

Chart: Cyber Security Assessment Exercise (Workshop). Vertical axis 0 to 3; horizontal axis: 5 Information security policies, 12 Operations security, 13 Communications security, 14 System acquisition, development and maintenance, 15 Supplier relationships, 16 Information security incident management, 17 Information security aspects of business continuity management, 18 Compliance.

Page 23

Chart: Cyber Security Assessment Exercise, series Importance and Maturity. Vertical axis 0 to 3; horizontal axis: 5 Information security policies, 6 Organization of information security, 7 Human resource security, 8 Asset management, 9 Access control, 10 Cryptography, 11 Physical and environmental security, 12 Operations security.

Page 24

TABLE

Importance (5 high, 1 low) / Maturity (5 high, 1 low) / Comment

5 Information security policies
  5.1 Management direction for information security
    5.1.1 Policies for information security
    5.1.2 Review of the policies for information security
6 Organization of information security
  6.1 Internal organization
    6.1.1 Information security roles and responsibilities
    6.1.2 Segregation of duties
    6.1.3 Contact with authorities
    6.1.4 Contact with special interest groups
    6.1.5 Information security in project management
  6.2 Mobile devices and teleworking
    6.2.1 Mobile device policy
    6.2.2 Teleworking
7 Human resource security
  7.1 Prior to employment
    7.1.1 Screening
    7.1.2 Terms and conditions of employment
  7.2 During employment
    7.2.1 Management responsibilities
    7.2.2 Information security awareness, education and training
    7.2.3 Disciplinary process
  7.3 Termination and change of employment
    7.3.1 Termination or change of employment responsibilities
8 Asset management
  8.1 Responsibility for assets
    8.1.1 Inventory of assets
    8.1.2 Ownership of assets
    8.1.3 Acceptable use of assets
    8.1.4 Return of assets
  8.2 Information classification
    8.2.1 Classification of information
    8.2.2 Labelling of information
    8.2.3 Handling of assets
  8.3 Media handling
    8.3.1 Management of removable media
    8.3.2 Disposal of media
    8.3.3 Physical media transfer
9 Access control
  9.1 Business requirements of access control
    9.1.1 Access control policy
    9.1.2 Access to networks and network services
  9.2 User access management
    9.2.1 User registration and de-registration
    9.2.2 User access provisioning
    9.2.3 Management of privileged access rights
    9.2.4 Management of secret authentication information of users
    9.2.5 Review of user access rights
    9.2.6 Removal or adjustment of access rights
  9.3 User responsibilities
    9.3.1 Use of secret authentication information
  9.4 System and application access control
    9.4.1 Information access restriction
    9.4.2 Secure log-on procedures
    9.4.3 Password management system
    9.4.4 Use of privileged utility programs
    9.4.5 Access control to program source code
10 Cryptography
  10.1 Cryptographic controls
    10.1.1 Policy on the use of cryptographic controls
    10.1.2 Key management
11 Physical and environmental security
  11.1 Secure areas
    11.1.1 Physical security perimeter
    11.1.2 Physical entry controls
    11.1.3 Securing offices, rooms and facilities
    11.1.4 Protecting against external and environmental threats
    11.1.5 Working in secure areas
    11.1.6 Delivery and loading areas
  11.2 Equipment
    11.2.1 Equipment siting and protection
    11.2.2 Supporting utilities
    11.2.3 Cabling security


TABLE: List based on ISO/IEC 27002:2013, original numbering has been retained.
Columns: Importance (5 high, 1 low) | Maturity (5 high, 1 low) | Comment

11.2.4 Equipment maintenance
11.2.5 Removal of assets
11.2.6 Security of equipment and assets off-premises
11.2.7 Secure disposal or re-use of equipment
11.2.8 Unattended user equipment
11.2.9 Clear desk and clear screen policy
12 Operations security
12.1 Operational procedures and responsibilities
12.1.1 Documented operating procedures
12.1.2 Change management
12.1.3 Capacity management
12.1.4 Separation of development, testing and operational environments
12.2 Protection from malware
12.2.1 Controls against malware
12.3 Backup
12.3.1 Information backup
12.4 Logging and monitoring
12.4.1 Event logging
12.4.2 Protection of log information
12.4.3 Administrator and operator logs
12.4.4 Clock synchronisation
12.5 Control of operational software
12.5.1 Installation of software on operational systems
12.6 Technical vulnerability management
12.6.1 Management of technical vulnerabilities
12.6.2 Restrictions on software installation
12.7 Information systems audit considerations
12.7.1 Information systems audit controls
13 Communications security
13.1 Network security management
13.1.1 Network controls
13.1.2 Security of network services
13.1.3 Segregation in networks
13.2 Information transfer
13.2.1 Information transfer policies and procedures
13.2.2 Agreements on information transfer
13.2.3 Electronic messaging
13.2.4 Confidentiality or non-disclosure agreements
14 System acquisition, development and maintenance
14.1 Security requirements of information systems
14.1.1 Information security requirements analysis and specification
14.1.2 Securing application services on public networks
14.1.3 Protecting application services transactions
14.2 Security in development and support processes
14.2.1 Secure development policy
14.2.2 System change control procedures
14.2.3 Technical review of applications after operating platform changes
14.2.4 Restrictions on changes to software packages
14.2.5 Secure system engineering principles
14.2.6 Secure development environment
14.2.7 Outsourced development
14.2.8 System security testing
14.2.9 System acceptance testing
14.3 Test data
14.3.1 Protection of test data
15 Supplier relationships
15.1 Information security in supplier relationships
15.1.1 Information security policy for supplier relationships
15.1.2 Addressing security within supplier agreements
15.1.3 Information and communication technology supply chain
15.2 Supplier service delivery management
15.2.1 Monitoring and review of supplier services
15.2.2 Managing changes to supplier services
16 Information security incident management
16.1 Management of information security incidents and improvements
16.1.1 Responsibilities and procedures
16.1.2 Reporting information security events
16.1.3 Reporting information security weaknesses
16.1.4 Assessment of and decision on information security events
16.1.5 Response to information security incidents
16.1.6 Learning from information security incidents
16.1.7 Collection of evidence
17 Information security aspects of business continuity management


17.1 Information security continuity
17.1.1 Planning information security continuity
17.1.2 Implementing information security continuity
17.1.3 Verify, review and evaluate information security continuity
17.2 Redundancies
17.2.1 Availability of information processing facilities
18 Compliance
18.1 Compliance with legal and contractual requirements
18.1.1 Identification of applicable legislation and contractual requirements
18.1.2 Intellectual property rights
18.1.3 Protection of records
18.1.4 Privacy and protection of personally identifiable information
18.1.5 Regulation of cryptographic controls
18.2 Information security reviews
18.2.1 Independent review of information security
18.2.2 Compliance with security policies and standards
18.2.3 Technical compliance review