An Overview of ISO/IEC 27001:2013 Implementation

Transcription

1 0 An Overview of ISO/IEC 27001:2013 Implementation Exploring the drivers and benefits of using a recognized framework to build a strong information security management capability

2 1 Introduction Steve Crutchley Founder & CEO of C2CSmartCompliance 40+ Years IT Experience 22+ Years GRC - Security/Compliance Experience International Consultant ISO 27001/ISO 27002/ISO 20000, ISO 22301Qualified Lead Auditor IRCA approved ISO 27001, ISO 20000, ISO 22301Trainer and ACP for BSI Experience in Government, Finance, Utilities, Pharmaceutical, Transportation (Airports) and Insurance Developed Assessment Software to support the Business & Security/Risk needs Numerous Articles and Speaking and TV appearances related to security and security related solutions Product architect for C2C Compliance Mapper

3 2 What exactly is ISO/IEC 27001? ISO/IEC is an international standard for information security management It is NOT a technical standard nor an endorsement for specific technical solutions While controls are included as Annex A of ISO/IEC 27001, there are actually two discrete standards documents 1. ISO/IEC ISMS Requirements specifies the management process for an information security management system (ISMS). These process requirements that must be met to obtain certification 2. ISO/IEC Code of Practice contains a well organized, industry independent, holistic set of control objectives and controls that may be selected for the treatment of risks to information assets. A summary of these control objectives and controls is included as Annex A of ISO/IEC ISO/IEC ISMS Requirements specifies the management process required for certification ISO/IEC Code of Practice describes a suggested set of control objectives and controls Note: The controls included in ISO/IEC are a notional set to begin control selection from - there is no requirement to implement all of the controls in an ISMS unless a related risk exists, and an organization cannot certify against ISO/IEC 27002

4 3 What is the Purpose of ISO/IEC The assessment and treatment of information security risks tailored to the needs of the organization.

5 4 How is this achieved? Information security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures and software and hardware functions. These controls need to be established, implemented, monitored, reviewed and improved, where necessary, to ensure that the specific security and business objectives of the organization are met. An ISMS such as that specified in ISO/IEC takes a holistic, coordinated view of the organization s information security risks in order to implement a comprehensive suite of information security controls under the overall framework of a coherent management system.

6 5 Information & Assets Information Asset Asset anything that has value to the organization knowledge or data that has value to the organization (IP/PII/PHI) Reference ISO/IEC 27000:2009 NOTE There are many types of assets, including: a) information; b) software, such as a computer program; c) physical, such as computer; d) services; e) people, and their qualifications, skills, and experience; and f) intangibles, such as reputation and image.

7 6 What Can Be Done with information? Created Processed Stored Transmitted Destroyed? Used - (for proper and improper purposes) Lost! Corrupted!

8 7 Types of Information Printed or written on paper Stored electronically Transmitted by courier or using electronic means Shown on corporate videos Verbal (e.g., spoken in conversations).

9 Example Threats to Information Malware/Viruses Mobile Devices Management Social Networking/Information Leakage Lack of implemented or enforced policies and procedures Natural and unnatural disasters (i.e., fire, flood, earthquake, terrorism, etc.) Lack of BCM/DR plans Cloud Computing Security Threats Careless Employees. 8

10 9 Impacts Loss of business Loss of brand equity Loss of productivity Increased labor costs for containment, repair, and reconstitution Increased insurance premiums Increased legal fees Fines and possible incarceration

11 10 Types of Information Covered by an ISMS Internal Information that you would not want your competitors to know Customer or Client Outsourced Information that customers would not wish you to divulge Information that needs to be shared with other trading partners

12 11 What is Information Security? Confidentiality Clause 2.9 of ISO/IEC The property that information is not made available or disclosed to unauthorized individuals, entities, or processes Integrity Clause 2.25 of ISO/IEC The property of protecting the accuracy and completeness of assets Availability Clause 2.7 of ISO/IEC The property of being accessible and usable upon demand by an authorized entity

13 12 Security is a Process, Not a Product! 100 % Security or 0 % Risk Both are Impossible Product People Successful Balancing = Reasonable Security Training Process

14 13 CIA Balance Integrity Confidentiality Availability In some organizations, integrity and/or availability may be more important than confidentiality.

15 14 Summary Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage, and maximize return on investment and business opportunities Every organization will have a differing set of requirements in terms of controls and the level of confidentiality, integrity, and availability required So what do we get?

16 15 The Information Security Management System (ISMS) is a process framework that is foundational to an information security program Provides a strong governance foundation on which functional information security processes and controls are built Is strategic in nature and takes a risk-based approach to evaluating information assets and ensuring there is an acceptable level of control around those assets Is inclusive and flexible, rather than rigid and prescriptive, to allow organizations to adapt and utilize a variety of their existing processes and controls Provides organizational alignment to ensure the appropriate disciplines actively participate in the process Creates a repeatable and consistent method for addressing both strategic and tactical information security concerns Focuses on continuous improvement of the process, strategy, and implementation of controls to ensure the program remains viable and addresses both current and foreseeable business issues Can be readily designed to provide both enterprise-wide and focused security program management processes, with its scope of coverage easily extended beyond areas requiring certification

17 A s s e s s m e n t S c h e d u l e A s s e s s m e n t T e a m F o r m a t i o n S t a n d a r d e m a i l a n n o u n c e m e n t w i l l b e f o l l o w e d - u p w i t h p h o n e c a l l C o n t a c t n e c e s s a r y p e r s o n n e l D e s i g n a t e P e r s o n n e l a n d R e s p o n s i b i l i t i e s : - E P A P e r s o n n e l - T e a m L e a d - T e a m M e m b e r s I n b r i e f A s s e s s m e n t O u t b r i e f T e a m p r e p a r a t i o n a n d r e v i e w o f a n y i n f o r m a t i o n o n p r e v i o u s a s s e s s m e n t C o n d u c t A s s e s s m e n t C o n f i r m I n f o r m a t i o n W i t h F a c i l i t y P O C E s t a b l i s h t i m e l i n e a n d n e c e s s a r y e v e n t s f o r a s s e s s m e n t 16 An ISMS addresses the growing list of security requirements from compliance mandates, market pressures, and business demands Legal, Regulatory and Contractual Requirements Changing/growing legal & regulatory requirements: SOX, GLBA, HIPAA, FFIEC, NERC, FERPA, Global Privacy FISMA, CA SB-1386 Customer/Partner contractual requirements for security (PCI, ITIL, outsourcing, SLA) Market Pressures Demands for 3rd party audits Bid requirements for standards compliance/certification Customer/prospect demands Global demands for international standards FISMA conformance SOX HIPAA Basel II OECD Competitive positioning Guidelines Other Business Drivers Aligning security spend with business risk Responding to incidents by improving compliance throughout the enterprise Changing technology & increased mobility Growing/evolving threats International expansion Commercial re-entry CobiT COSO PMBOK ITIL CMMi ISMS Requirements and Objectives ISO/IEC Information Security Management System (ISMS) ISO Information Security Management Standard Processes Functions and Processes Infrastructure People Information

18 17 Many businesses find implementing strong security governance processes (e.g., ISMS) have a measurable effect on security performance Organizations with mature security governance show significant improvements in security metrics reduction in number of actual security incidents reduction in average time to identify, respond and recover from incidents reduction in total cost and impact from security incidents reduction in audit failures (instances of non-compliance) The benefits were primarily the result of implementing consistent, monitored and managed processes, such as those required to establish an ISMS Regular auditing, reporting and management of risks are also key contributors to improvements These organizations also have visible, active participation of business leaders in the identification, management and reporting of security as part of their enterprise risk management framework The benefits occur in organizations that pursue conformance, compliance or certification for some or all of their business areas, with the largest improvements occurring when compliance is achieved The bottom line Adoption of standards like ISO/IEC helps create a business environment that ensures information is available - to only the right people, at the right time, every time, without posing excessive risk or breaking the bank

19 18 The level of effort and implementation costs to achieve ISO/IEC certification are directly related to the registered scope of the ISMS The two most common mistakes causing problems with certification are: Defining too broad an ISMS scope, and Thinking that the ISMS and certification are IT-only responsibilities The ISO/IEC management process must be implemented for all the core processes, information assets (including people), and locations directly included in the scope The ISMS scope will generally include some cross functional organizational dependencies An ISMS scope and related Statement of Applicability define the boundaries of the certification audit, which are typically narrower than the actual scope of implemented controls across the enterprise Once a certification is obtained, the scope can be readily expanded to include additional areas as appropriate for the business To get a certification in the shortest amount of time, an ISMS scope must be limited to a set of processes, locations, information and people that can be readily managed and provide tangible business benefits (i.e. partner/client trust, regulatory compliance, or market position) Most organizations start small they identify an initial scope for their first ISMS deployment that reflects a critical business service or support process, and then extend the same controls and processes to other areas of the business as appropriate.

20 Organizations pursue the level of ISO/IEC adoption appropriate to their unique business requirements, objectives and market pressures Degrees of ISO/IEC Implementation Scope Characteristics Typical Rationale Conformance Compliance Wants to adopt some best practices (controls/processes) Recognized need to implement an ISMS to reduce level of risk Needs improved information security management, but with a less rigorous implementation Need to establish recognizable framework to manage agreements with third party service providers Loosely defined scope and limited ISMS management processes Implementation of the ISMS methodology, but without a formal certification Controls are selected primarily according to templates Loosely managed asset inventory Metrics are primarily reactive and do not result in management reviews or continuous improvement Entire enterprise Certification Clear market and/ business requirement to have 3rd party verification of security processes Need security certification to integrate with other efforts, such as ISO/IEC or ISO/IEC Implements all aspects of the ISO/IEC ISMS requirements Comprehensive asset registry, Provides most of the business benefits processes and risk-based controls of certification without the cost of 3rd Verified continuous improvement party assessments Annual 3rd party certification review May lack some key documentation, procedures or information repositories May also involve publication of certificate for public viewing Entire enterprise, or high risk business Select areas of functions driven by areas at a minimum clients or market differentiation Certification is often not the initial driver behind a company s adoption of ISO/IEC the goal is most often an identified need to improve security operational efficiency and increase the defensibility of their security controls in managing risk 19

21 20 Overview of ISO/IEC ISMS implementation steps Establish the ISMS Identify goals, objectives, and requirements Determine Scope (primary and supporting processes) and Boundaries Establish Policy Identify and value information assets Assess risks to information assets Select control objectives and controls to mitigate risk Prepare a Statement of Applicability Implement and Operate the ISMS Prepare risk treatment plans Implement approved controls to meet control objectives (includes supporting documentation and awareness training) Monitor and Review the ISMS Conduct periodic management reviews Perform periodic internal audits Maintain and Improve the ISMS Implement corrective actions & Risk Treatment Plans Measure the results of changes

22 21 Throughout the process there are Required Management Responsibilities Management must demonstrate commitment to the ISMS A cross-functional management committee should be formed to issue policy, communicate the importance of information security throughout the organization, and oversee the effectiveness of the ISMS Risk Owners must review risk treatment plans, accept residual risk, and authorize the ISMS implementation and operation The organization must: Provide the resources to meet the requirements of the standard Ensure personnel are competent Ensure personnel are aware of the relevance and importance of their information security activities Management must periodically review the effectiveness of the ISMS As with all of the ISMS requirements, management responsibilities are core elements of establishing an effective security program, regardless of whether the program aims to be conformant, compliant or certified to ISO/IEC 27001

23 22 Implementation begins with the identification of goals, objectives, and requirements, followed by the establishment of the ISMS High Level Policy Level 1 Policies, Objectives, Scope (Risk Assessment Report, Risk Treatment Plan, Statement of Applicability) Establishes the high level policy, objectives and scope to guide the development of the ISMS Level 3 Level 2 Procedures (Risk Methodology, Corrective Action Plan, Risk Treatment Plans) Operational Guidelines, (instructions, checklists, forms, etc.) Describes risk control processes. Who? What? When? Where? How? Describes how control tasks and specific activities are done Level 4 Records Provides objective evidence of compliance with ISMS requirements The ISMS goal is creating processes and reporting that establish effective, sustainable security

24 23 A Notional ISMS Documentation System and Typical Documents Security Manual Index (Home Page) Search Engine Document Master List Organization Process Mapping Generic Procedures Policies Scope Document Objectives Asset Register Risk Reports Statement of Applicability Generic Procedures Other procedures Standards Guidelines Process Maps Parameter Specifications Scope Org. Charts Job Descriptions Responsibilities Document Control Control of Records Incident Reporting Risk Treatment Corrective Action Parameter Specifications Parameter Specifications Parameter Specifications

25 24 Defining the ISMS Scope and boundaries limits the certification audit as well as the implementation effort, time, and cost Vendors ISMS Supporting Organization ISMS Organization ISMS Core Processes Customer Support Customers Legal Data Management Core Financial Reporting System Marketing HR 3 rd Party Background Co. Analysts ISMS Management Committee IT ISP 3 rd Party Data Storage

26 25 A repeatable, consistent risk methodology must be followed in the ISMS The ISO standards enable organizations to adapt and reuse existing security controls and processes

27 26 An Information Asset Register focuses efforts on high value assets GOAL: Rank information assets by relative business impact if compromised From the core business processes within the ISMS scope, determine the information assets that could materially affect the confidentiality, integrity, or availability (CIA) of the object information Identify asset owners familiar with the business value of the assets and responsible for their protection Value the information assets based upon the business/process impact of a compromise of security affecting the assets Create an asset register # Asset Name Value Description Type 1 Customer Records - Clean 3.67 Cleaned DB from sites Information Asset Owner Smith 2 Financial Data Sets 3.67 Oracle Extracted Data Information Smith 3 Production Data Sets 3.67 Original DB from sites Information Smith 4 Production Backups 3.67 Backup Media Media Jones 5 Network Manager 3.67 Key Personnel Personnel Green 6 System Admin Key Personnel Personnel Green 7 IT Manager/ISMS Manager 8 PIX Firewall - external 9 Backup Storage Service 10 Data Base Administrator1 11 Data Base Administrator Key Personnel Personnel Green Firewall DMZ to Internet Hardware Jones Remote Tape Storage Service Black Key Personnel Personnel Olive Key Personnel Personnel Olive 12 SAS Programmer Key Personnel Personnel Olive 13 SAS Programmer Key Personnel Personnel Olive 14 Prod 1 File Server 3.34 Citrix Snapshot Hardware Miller 15 DC1 Server 3.34 Domain Controller Hardware Miller

28 27 Information assets include more than just documents and electronic data Information Databases and files, system documentation, user manuals, training material, procedures, continuity plans Paper Documents Contracts, guidelines, company documentation, documents containing important enterprise results Software Physical Equipment People Application and system software, development tools, utilities Computer and communications equipment, magnetic media, technical equipment (power supplies, air-conditioning units), facilities, filing cabinets, etc. Personnel, customers, subscribers, partners, affiliates, suppliers Communication Services Data and communication services, other technical services, utilities Image and Reputation The view others have of the organization

29 28 Identify and Assess Risks to assets to focus effort on high risk assets GOAL: Create a definitive list of all information assets - by relative business risk level Identify threats to the information assets Identify vulnerabilities of the information assets Evaluate the likelihood of the threat Evaluate the business impact of the risk Calculate the relative risk rating of the assets Involve asset/process owners Produce a report of ranked risks

30 29 The ISMS plan selects control objectives and controls from ISO/IEC and/or other sources to mitigate the identified risks to the information assets The Fourteen Control Domains of ISO/IEC 27001:2013 Requirements

31 30 The Statement Of Applicability summarizes controls to be used The Statement of Applicability (SOA): Is a documented statement of the control objectives and controls that are relevant and applicable to the organization's ISMS Often starts with the control set defined by ISO/IEC Can include controls defined by other standards, such as COBIT, ITIL or NIST Provides justification for both included and excluded controls Is referenced on the certificate, along with the Scope statement and the SOA version

32 31 The ISMS requires risk treatment plans to be formulated for high risk assets Prepare detailed risk treatment plans for high risk assets (above the risk acceptance criteria ) Identify options for control implementation Specify implications of each option, including relative effort, time, resource requirements, cost Estimate the degree of assurance and residual risk Obtain management approval of residual risks Obtain management authorization to implement the ISMS controls Implementation of approved controls

33 32 Monitor and Review provides periodic evaluation of the ISMS effectiveness Perform periodic management review of the effectiveness of the ISMS Management committee reviews at least twice annually, usually quarterly Review inputs from several sources and identify areas for improvement Conduct periodic internal audits of the ISMS Independent internal audit of compliance with: ISO/IEC requirements; legal, regulatory, contractual requirements; and internal policies and procedures Identify non-conformities Link corrective and preventive action plans to these reviews ISO/IEC Internal Audit Compliance Issues Security awareness training: A Periodic training not yet done Effectiveness of prior training questionable Documented Operating Procedures: A Help Desk procedure Network Engineering procedure Improve Daily Checklist Compliance with Policy/Procedures: A Data Center visitor log Data Center daily checklist New Hire Roles and Responsibilities: A Policy and security responsibilities at time of employment not effectively implemented. Corrective Actions: 10.1 Insufficient records of corrective/preventive actions Close loop between internal audit & CAP/PAP Management Review/Measuring Effectiveness: 9 Review of Incident Management Reporting

34 33 Maintain and Improve ensures continuous improvement of the ISMS Prepare corrective action plans for management review Prepare Risk Treatment plans for management review Obtain authorization to implement improvements Implement corrections and improvements Measure the effectiveness of changes

35 34 Summary of the ISMS Implementation Process Program Needs, Goals and Requirements Program Objectives ISMS Scope Identify core and support processes in scope Identify and value information assets (in context of use) Vulnerabilities - Threats - Probabilities - Impacts - Restoration - Risks Degree of assurance / Acceptable levels of risk Selection of control objectives and controls Gap analysis (optional) Define methods of implementation for each control (if no satisfactory solution in place) Produce Statement of Applicability (or Summary of Controls) Implement through Physical, Technical, Procedural and Personal Security Controls Audit and Review Opportunities for improvement Action Plan

36 35 How do most organizations pursue alignment? 1. Assess the adequacy and effectiveness of the current environment Use a combination of stakeholder workshops, interviews, and documentation and report reviews 2. Identify an initial and ultimate scope of control for the ISMS and security program May have multiple scopes for large, diverse enterprises Focus on achieving compliance first, then determining if certification is warranted 3. Design an ISMS for the initial scope Focus on adaptation and reuse of as many existing processes and controls as possible 4. Develop and execute an implementation plan for the ISMS and supporting controls Start small and expand the scope of coverage as the processes mature 5. Establish the periodic routine for reviewing, reporting and improving the implementation Keep stakeholders involved and informed as the deployment progresses toward compliance The bottom line Adoption of standards like ISO/IEC helps create a business environment that ensures information is available - to only the right people, at the right time, every time, without posing excessive risk or breaking the bank

37 ISO Family of Standards 36

38 Questions and Answers 37

39 38 Presenter Steve Crutchley Telephone: / /