World leader in Risk Management and Compliance solutions. Create value and minimize your risks through our on-demand management systems.
Real ISO Corp. 626, Glenn Curtiss Uniondale, 11556 New York – USA www.realiso.com
Modus Operandi ISO 27001 - Training
Implementation Guide – Part One
» General view of Information Security » Focus on security management » Understanding an ISMS » Understanding Risk Analysis » Study of Information Security management processes
Modus Operandi – General Aspects of Information Security
What does Information Security mean? » Foreign hackers capturing CC numbers » Large corporation websites being distorted for political reasons » Virus attacks that render large corporations inactive » Digital spies capturing and selling information on competition and huge databases » Young people invading systems not knowing the true information value .
What does Information Security mean? The list above is the old-fashioned view!
(Diagram: Information → Decision-Making → Decision-Taking → Control) » A good decision depends on the quality of information.
Information Security – Far beyond the firewall! » Security does not depend upon IT alone » Assuring security does not mean simply ensuring information secrecy » Proper decisions depend on accurate information » Security may generate perceivable value.
What is information? » On paper: memos, standards, formulas, identification photos, facilities photos, strategies » Sound: meeting recordings, messages left on telephone switchboards » Image: document photos, designs, videotapes, digital videos » On digital media: disks, transmitted files, cell phone mailbox, tapes, CDs.
Resources » Processing: ability to handle information and generate results » Storage: ability to store information; must not change the information » Communication: ability to transmit information; must not change the transmitted information.
Last Paradigm: Responsibility » Due Care: development of information security policies, risk analysis and an ISMS. Shows that Management has taken the required decisions and actions to protect the company. » Due Diligence: shows that the company is carrying out security activities on a steady basis. » Warning: not carrying out “Due Care” and “Due Diligence” may characterize administrative negligence.
» Confidentiality: information that may not be made available or disclosed to people, entities or processes without permission. A concept to ensure that sensitive, confidential information is limited to an appropriate group of individuals or organizations.
» Integrity: the condition by which information or information resources are protected from unauthorized changes. Information accuracy and completeness.
» Availability: information is to be delivered to the right people, when needed.
Framework and Implementation
What is ISO 27001? » A standard with the requirements for a company to implement an information security management system » It originated from BS 7799, created by BSI – British Standards Institution » Business process-oriented and not technology infrastructure-oriented » Based on the PDCA management cycle.
What is ISO 27001? » Determines that a company must have an ISMS – Information Security Management System » May be applied to any company type » Enables a company to have its ISMS certified » In line with the ISO 9000 and ISO 14000 standards.
What ISO 27001 is NOT » A technical standard » A standard developed for the IT area » A guide to best practices (for that, ISO 27002 is available) » A methodology for information security management.
IS Management System – PDCA » Understanding security requirements: assess business risks and requirements » Implementing and operating controls: technological, physical and administrative » Monitoring and reviewing: system performance indicators and objective metrics » Improving on an ongoing basis: corrective and preventive actions.
ISO 27001 Application – Why implement an ISMS? » The System was developed with the aim of suiting and providing security controls that properly protect the company’s information assets, increasing the reliability perceived by customers and other concerned parties.
ISO 27001 Application – Basic Requirements » However, the following items may not be disregarded: » 4 – Information Security Management System » 5 – Management Responsibility » 6 – Internal ISMS Audits » 7 – Management Review of the ISMS » 8 – ISMS Improvement.
Information Security Management System The Security Management System should: » Follow PDCA model » Consider business context and Information risks » Be business process-oriented » Comply with the standard requirements .
Implementing ISMS - Starting Point .
System Scope – Which processes will my system act upon? » The scope defines which information assets the system will act upon » It is useful to define the scope through a business process approach » Scope definition should be clear and allow identification of the locations and assets involved.
Information Security Policy Management System guidelines » Policy should reflect the company’s philosophy with regard to its information security » It should provide directions to all concerned parties » It should consider business requirements and applicable regulatory requirements .
Information Security Policy Strategic Line-up » Which are the main company’s strategies? » How does information security relate to these strategies? » Which are the company’s security objectives? .
Risk Analysis – Security Requirements for a Company » Information Security risks » Regulatory and contractual obligations » Set of principles, objectives and business requirements needed for information processing.
Risk Analysis – National and International Standards References » ISO 13335-1 and ISO 13335-2 » ISO Guide 73 – Risk Management Vocabulary » AS/NZS 4360.
What are Risks?
» Risks are events that negatively impact the organization’s ability to achieve its goals, considered in terms of the probability of their occurrence and the related consequences
» Analyzing risks means identifying and quantifying these events so that specific actions may be planned and developed
Risk Analysis – Objectives » To identify the main risks to information security in a systematic way » To ensure compliance of the Security Management process with the ISO 27001 standard » To present in a quantified way the events that may prevent the organization from achieving its goals – Security Policy » To provide an overview of the aspects that need to be managed to assure compliance with the Security Policy
Risk Management is one of the main ways to ensure safety for diverse market segments.
Risk Analysis Methodology » What are the risks of non-compliance with Security Policy? » Analysis of risks: » Technological » Physical » Administrative .
Risk Analysis Methodology » Business focus: » What are the risks really impacting my business? » Every organization area must be involved » Direct participation of managers and of those individuals responsible for information assets.
Risk Analysis Methodology » Identification and evaluation through: » On-site analyses » Interviews and meetings » Authorized simulations » Interim results must be submitted to approval .
Risk Analysis – Business Processes » Information flow » Consider the point where information is generated or starts to be part of the processes » Consider the emergence, life and destruction of information » Identify the main components of the flow.
Risk Analysis – Information Assets » Information flow components » Examples of assets: computers, forms, documents, reports, people, telephone, fax, outsourced resources » Evaluate the importance of each asset for the company.
Example of Information Flow (diagram; labels translated from Portuguese): Customers → Phone → Telephone Switchboard → Telemarketing Operator → Workstation → Hub → Server → Mainframe; Router → Firewall → Internet; E-mail. Software: 1 – SysCall, 2 – …
Risk Analysis – Information Assets » Identify main components: equipment, services, software, etc. » Identify main network and information transmission segments » Identify the main information transmitted through the flows.
Risk Analysis – Identifying Security Risks .
Risk Analysis – Threats and Vulnerabilities » Threat: risk agent (hackers, spies, computer viruses) » Vulnerability: fault enabling threat action (software flaws, design errors, security gaps).
Risk Analysis Threats and Vulnerabilities » Events = association of threats and vulnerabilities » Identify potential events for each information asset » Evaluate possible scenarios » Earthquake? .
Risk Analysis – Threats and Vulnerabilities » Remember: potential events are considered in light of the Information Security Policy » What are the possibilities of non-compliance with the Security Policy?
Risk Analysis – Exercise: Threats and Vulnerabilities » Gather into groups of 3 » Identify possible events by considering the already defined Security Policy » We will be discussing these events with the other groups within 30 minutes.
Risk Analysis Methodology – Consequences (impact) » What is the damage to the company if the event really takes place? » This estimation must consider: » Revenue and financial losses » Penalties and indemnifications » Impact to the company’s image » Evaluate damage in terms of loss of reliability, integrity and availability.
Risk Analysis Methodology – Exercise: Consequences (impact) » Gather into groups of 3 » Identify the impact of the identified events considering the impact to reliability, integrity and availability » We will be discussing these impacts with the other groups within 20 minutes.
Risk Analysis Methodology – Incident History » Identification of the probability for the listed events to occur » Determining factors: » Internal history (many times insufficient) » External history (statistics and surveys).
Risk Analysis Methodology Incident History » Participation of the company management » What is the frequency by which the issues occur » Great impact on the final risk rate » Probability is one of the risk determining factors .
Risk Analysis Methodology Exercise Probability » Gather into groups of 3 » Determine metrics for probability definition » Determine the probability for listed events to occur » We will be discussing within 20 minutes .
Risk Analysis Methodology – Result: Risks » Risks result from threats and vulnerabilities, when considering their probability of occurrence and the related damage » Risks must be quantified on a numeric scale » Asset value must always be considered.
Exercise – Consolidating Results » Gather into groups of 3 » Define the best way to obtain the final risk score » Quantify the risks mapped up to now » Results will be discussed with the other groups.
Risk Analysis – Modus Operandi Risk Treatment .
Risk Treatment – Risk Acceptance Criteria » Companies have distinct profiles » Daring: speed, greater risk » Conservative: stability, lower risk » Risk acceptance criteria must be defined » Management decision » Risks must be consciously accepted or handled.
Risk Treatment Treatment Options » Apply controls for risk reduction » Recognize and accept risks as per predefined criteria » Avoid risks » Transfer risks .
Risk Treatment – Selection of Controls » Conformance with the risk acceptance criteria » Select the risks that will be handled by the application of controls » ISO 17799:2005 » Additional controls may be used.
Documenting Security Controls – Example of content for a Security Control (SC) document » Objectives – related risks » Description – how the control is applied » Control Metrics – the evaluation metrics and the service levels the control must conform to » Evaluation of Results – where the information evidencing control effectiveness is kept.
Risk Treatment Risk Treatment Plan » Document indicating responsibilities for risk treatment » Must indicate Residual Risk » Must indicate deadlines » Must describe how risks will be treated » Document required in the course of the certification process .
Risk Treatment Residual Risk » Control implementation may be in two ways: » By minimizing impact » By minimizing probability » Residual Risk is the new risk value after control implementation .
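The scoring, acceptance-criteria and residual-risk steps described above, as an added example that is not part of the training deck: the 1–5 rating scales, the value × probability × impact formula, the per-profile acceptance thresholds and the sample register are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed scales (not from the deck): asset value, probability and impact are
# each rated 1 (low) to 5 (high); risk = asset value x probability x impact.
SCALE = range(1, 6)
# Assumed acceptance thresholds for the two company profiles the deck describes.
ACCEPTANCE_THRESHOLD = {"daring": 40, "conservative": 20}


@dataclass
class Risk:
    asset: str
    event: str                    # threat + vulnerability association
    asset_value: int
    probability: int
    impact: int
    owner: str = "unassigned"     # responsibility recorded in the treatment plan
    deadline: str = "TBD"
    # Each control is (name, probability reduction, impact reduction): the two
    # ways the deck says a control can lower a risk.
    controls: list = field(default_factory=list)

    def score(self, probability=None, impact=None) -> int:
        p = self.probability if probability is None else probability
        i = self.impact if impact is None else impact
        for v in (self.asset_value, p, i):
            if v not in SCALE:
                raise ValueError(f"rating {v} outside scale 1-5")
        return self.asset_value * p * i

    def residual_score(self) -> int:
        # Risk value after the selected controls are applied (ratings never drop below 1).
        p, i = self.probability, self.impact
        for _name, dp, di in self.controls:
            p, i = max(1, p - dp), max(1, i - di)
        return self.score(p, i)


def decide(risk: Risk, profile: str) -> str:
    # Map a risk to a treatment option against the profile's acceptance criterion.
    limit = ACCEPTANCE_THRESHOLD[profile]
    if risk.score() <= limit:
        return "accept"             # within predefined criteria: record and accept
    if risk.residual_score() <= limit:
        return "reduce"             # controls bring the residual risk under the limit
    return "avoid-or-transfer"      # controls are not enough: management decision


def treatment_plan(risks, profile):
    # Rows of a risk treatment plan, highest inherent risk first.
    rows = []
    for r in sorted(risks, key=lambda r: r.score(), reverse=True):
        rows.append({"asset": r.asset, "event": r.event, "risk": r.score(),
                     "residual": r.residual_score(), "treatment": decide(r, profile),
                     "owner": r.owner, "deadline": r.deadline,
                     "controls": [c[0] for c in r.controls]})
    return rows


# Constructed sample register built from asset and threat examples in the deck.
SAMPLE_RISKS = [
    Risk("Mainframe", "computer virus exploits an unpatched software flaw", 5, 4, 4,
         owner="Asset Manager", deadline="end of quarter",
         controls=[("antivirus with daily updates", 2, 0), ("offline backups", 0, 2)]),
    Risk("Telephone switchboard", "messages left on voicemail are disclosed", 2, 2, 3),
    Risk("Customer database", "spy copies records through a design error", 5, 5, 5,
         owner="Security Officer", controls=[("access logging and review", 1, 0)]),
]

if __name__ == "__main__":
    for row in treatment_plan(SAMPLE_RISKS, "conservative"):
        print(row)
```

Running it prints the plan rows with inherent score, residual score and the chosen treatment for a conservative company; switch the profile to "daring" to see which risks become acceptable without controls.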
Exercise – Documenting Controls » Gather into groups of 3 » Select one or more controls from Attachment A of the ISO 27001 standard » Document them and identify metrics as per the items presented in the SC document » Results will be discussed with the other groups within 20 minutes.
Risk Treatment Statement of Applicability (SoA) » Describes all controls in Attachment A of the standard » Identifies the ones that are applied and those that are not » Justifies non-implementation of discarded controls » Justifies implementation of selected controls » Indicates additional controls » Indicates where control application is described .
Exercise – Statement of Applicability » Gather into groups of 3 » Prepare a statement of applicability » Results will be discussed with the other groups within 45 minutes.
Risk Management – ISO Guide 73 (process diagram): Security Policy → Identify Risks → Quantify Risks → Evaluate Risks → Treat Risks; Monitor and Review and Risk Communication run alongside every step.
Modus Operandi – Documentation and Responsibilities
Documentation Documentation Requirements » Statements of Security Policy and security objectives » System scope as well as procedures and controls supporting the system » Risk Analysis Report and Risk Treatment Plan .
Documentation – Documentation Requirements » Procedures required to ensure the effectiveness, operation and control of your security processes » Remaining records required by ISO 27001 » Statement of Applicability.
Documentation Document Control » System for document approval » Document review and update » Identification of changes and revision traceability » Make sure the latest document version is always in place wherever it is used .
Documentation Document Control » Control of document distribution » Ensure external document source identification » Ensure document access control! .
Documentation – Record Control » Records are documents evidencing that a given control or procedure has been performed » Records usually carry a date and represent instances of the same document » Examples of records: » Completed forms » Minutes of meetings » System logs.
Documentation Record Control » The standard requires maintenance of records evidencing that System has been executed » Records must be kept secure for predetermined periods » Record maintenance requirements must be clearly identified .
Example of document arrangement (hierarchy diagram): SM – Security Management, SC – Security Control, SI – Security Instruction, SR – Security Record.
Relationship among documents (diagram): a single SM sits at the top; several SC documents hang below it; each SC has its own SI documents; each SI produces SR records.
Exercise – Controls x Instructions x Records » Gather into groups of 3 » Select one or more controls from the previous tasks » Briefly describe the possible content of the control document » Create some instructions for this control » Results will be discussed with the other groups within 30 minutes.
Management Responsibility Commitment with the System » Management must set a Security Policy » They must make sure that security objectives and plans are in place » They must define security roles and responsibilities .
Management Responsibilities Commitment with the System » Management must communicate to the whole organization the importance of achieving security objectives through compliance with Policy and individual responsibilities » For these objectives to be met Management must provide the required resources .
Management Responsibilities Commitment with the System » Management must define the acceptable risk level according to methodology » Management must periodically review the system in search of improvement opportunities » Management must monitor and check efficiency of ISMS and Security Controls .
Management Responsibilities – Resource Management » Management must provide the required resources to establish, implement, operate and maintain the System » They must provide resources to ensure proper application of controls and compliance with regulatory and contractual requirements » They must assure a periodic critical analysis and System improvement.
Management Responsibilities – Training, Culture and Capabilities » Management must make sure that individuals have the required capability to perform their assigned tasks » The organization’s culture level must be periodically evaluated and improvement actions performed » Records must be kept of all training and other qualification activities.
Training Capability and responsibility » Each function must have clearly defined responsibilities – Job Description » It must be assured that individuals performing these functions have due skills to perform them » Training must be carried out in line with the required skills .
Security Awareness Maintenance (diagram): Processes, Technology and People inside the perimeter; maintained through Awareness, Disclosure and Training.
Exercise – Basic Responsibilities » Gather into groups of 3 » Briefly describe the responsibilities of the following roles: Process Manager, Area Manager, Asset Manager, Control Manager, Security Officer » Results will be discussed with the other groups within 30 minutes.
ISMS Monitoring Performance evaluation » The organization must carry out monitoring routines and other controls to: » Detect errors in process results » Identify incidents and security flaws » Check if security routines are being carried out » Determine whether actions reflect business priorities .
ISMS Monitoring System Efficiency » The organization must carry out monitoring routines and other controls to: » Check if ISMS procedures are being efficient » Check if security controls are being efficient » Check if security objectives are being met .
Residual Risk and Security Incidents (diagram): Information Security Incidents arise from risks identified but not treated, from residual risk after treatment, and from risks not considered in the Risk Analysis.
ISMS Monitoring – Risk Management » The organization must periodically review risks by considering changes in: » the organization » technology » business objectives and processes » identified threats » external events such as changes in the political, social or economic scenario.
Internal Audit – Process-oriented » Audits of all areas, business processes, procedures and controls » Checking of compliance with ISO 27001 and regulatory / contractual requirements » Checking of compliance with security requirements » Checking of effective implementation and maintenance of security controls.
Internal Audit Basic Aspects » It is important to keep trained and skilled internal auditors to audit ISMS » Experts to check technical compliance » Audits must be planned: » Audit Schedule » Previous audit results must be considered when planning audits Auditors should never audit their own work .
Example of audit segregation (diagram, by Audit Schedule): Physical and Technological Controls – technical knowledge; Administrative Controls – knowledge of processes and standards; Information Security Management – knowledge of management systems.
Internal Audit – Audit Performance » Audits must be focused on the audit scope » There must be an opening meeting » Non-compliances found must be recorded, as well as notes and incidents » The auditees must formally acknowledge the audit results.
Internal Audit Audit Techniques » Sampling audit » Interviews with managers and employees » Reading of controls and procedures and requesting of records » Checking of work routine performance » Simulation of scenarios .
Management Critical Analysis of the System – General Aspects » This critical analysis must be carried out in order to assure system applicability and to identify improvement opportunities » It should take place at least yearly » System effectiveness and efficiency must be critically analyzed against target objectives.
Management Critical Analysis of the System – Input Data » Results of internal audits and other critical analyses » Feedback from the concerned parties » Techniques, products or procedures that may be used by the System to increase efficiency » Status of improvement actions and non-compliances » Vulnerabilities and threats not properly addressed in the last risk analysis.
Management Critical Analysis of the System Input Data » Results of security control efficiency monitoring » Security strategic objectives and general ISMS indicators .
Management Critical Analysis of the System – Output Data » Follow-up of actions generated in previous meetings » Any change that may impact the system » Recommendations for system improvement » Plan with actions, objectives and persons in charge » Security goals for the period » Is the ISMS properly implemented?
Critical Analysis Schedule (diagram): Input Data (System Efficiency, Audit Results, New Risks, Business Changes) → Management Critical Analysis → Output Data (Improvement Actions).
System Improvement – Ongoing Improvement » The feature most shared among ISO standards » Critical analysis actions, efficiency monitoring and audits should generate improvement actions » Corrective and preventive actions must be considered. The organization must be capable of showing its ability to improve the system over time.
System Improvement Corrective Actions » Identification and elimination of non-compliance causes » Assurance that non-compliance will not recur » Base for System improvement actions » Results of corrective actions must be recorded » Corrective action results must be periodically revised .
System Improvement Preventive Actions » Pro-activity: identifying non-compliances in advance » Implementing preventive actions » Results of such actions must be recorded » Evaluated risks and possibility of changes in the initial scenario must be considered The cost for preventive actions is generally lower than the cost for corrective actions .
» Ongoing Improvement Optimal security level is achieved after several PDCA “turns” .
Certification Audit – Required actions » A full “turn” of the PDCA cycle » Internal Audit and identification of the required improvements » Evidence that the system has been in operation for approximately 3 months » Evidence that Management critically analyzed the ISMS and found it adequate to their needs.
Certification Audit Audit System » Pre-audit » Certification Audit » Periodical audits .