IT Governance
CEN 667
Project proposal - week 2
• The goal of the projects is to find applicable measurement and metric methods to improve processes:
– For the ISO 27000 series of standards, 27001 and 27004
– For ITIL
– For Business Continuity and BS 25999
– For Disaster Recovery
– For Penetration testing
– For Operational and Security Incident management
– For Risk Management
– Secure method for visual authentication
– Mobile security access with speech recognition
– Other, agreed with the lecturer
• Literature review on the selected topic - between 500 and 1000 words
• Proposal for improvements of the chosen method, approach or technique - up to 2000 words
• List of references
• Document prepared in two columns, as it should be prepared for the conference paper
• Weekly report on updates
Lectures Schedule
Week 1: Introduction to IT governance
Week 2: Overview of Information Security standards - ISO 27000 series of standards (27001, 27002, 27003, 27004, 27005)
Week 3: Information Technology Service management ISO 20000-1 and ISO 20000-2
Week 4: ITIL
Week 5: Business Continuity and BS 25999-1 and BS 25999-2
Week 6: Disaster Recovery
Week 7: COBIT
Week 8: Project implementation (ISO 10006 and ISO 27003)
Week 9: Midterm
Week 10: Risk Management (ISO 27005)
Week 11: Application and Network Security and security testing
Week 12: Specific Requirements and Controls Implementation (ISO 27002)
Week 13: Operational and Security Incident management
Week 14: Performance Measurement and Metrics (ISO 27004)
Week 15: Audit (ISO 19011) and Plan-Do-Check-Act improvement cycle
Agenda
– The ISO 27000 Framework
• ISO/IEC 27001:2005 ISMS
• ISO/IEC 27002:2005 Controls
• ISO/IEC 27003:2010 implementation guidance
• ISO/IEC 27004:2009 Measurement and Metrics
• ISO/IEC 27005:2008 Risk Management
– The ISMS Roadmap
– A Controls Framework
– Information Security Organization – Mission and Structure
– Discussion/Questions/Lessons Learned
Information Security Governance
– How can an organization make good decisions about information risk?
– Security means that risks are identified and then mitigated or accepted
– Information Security is a business requirement
– CIA – Confidentiality, Integrity, Availability
– PCI, HIPAA, SOX, State Privacy Regulations
– Impact of loss of security on an organization is extreme
• Damage to brand, share price
• Direct costs
• Unavailable critical business processes
– Business awareness of impact is key
Confidentiality, Integrity, Availability (CIA)
Confidentiality: ensuring that information is accessible only to those authorized to have access.
Integrity: information integrity is the assurance that information is consistent, certified and can be reconciled.
Availability: ensuring that only authorized personnel have access to information when they need it.
Buncefield fuel depot (Hemel Hempstead), London, December 2005
Northgate Information Solutions - Buncefield fuel depot
Next case...
Business continuity planning and testing
Leading data loss causes (Gartner): Computer Viruses 7%, Natural Disasters 3%
From Bosnian news portals
People do not know what happened to them
And the police are searching
More news...
How common is SPAM and how much does it cost us?
Password theft and costs
Major damage
An example from the telecommunications sector
Espionage – a present-day reality
A rising trend
These things cannot happen in BiH???
Facts
• Information security is not Information Technology (IT) security.
• It is security of information and information assets.
• Information assets are:
– Electronic Information
– Non-electronic Information
– Environment / Infrastructure
– Hardware
– Software
– Physical
– People
– Services
• Keep asset CIA: information security is to keep the Confidentiality, Integrity and Availability of these assets.
Everyday media reports reveal information security incidents, as a result of unmanaged information security.
What is the ISO Framework (cont.)
• Implementation - ISO 27003
– Management approval
– Defining scope
– Objective
– Scope
– Processes
– Assets
– Risk assessment
What is ISO 27001?
• A management process to evaluate, implement and maintain an Information Security Management System (ISMS).
• An internationally recognized structured methodology dedicated to information security.
• A comprehensive set of controls (ISO 27002) comprised of best practices in information security.
• A standard that can be customized to address the level of risk (or vulnerability) that could cause negative business impact should it not be addressed.
• Certification available
Content of standards (27001 and 27002)
ISO 27002:2005 (formerly the ISO 17799:2005 standard, which itself was formerly known as BS 7799-1)
5. SECURITY POLICY
6. ORGANIZATION OF INFORMATION SECURITY
7. ASSET MANAGEMENT
8. HUMAN RESOURCES SECURITY
9. PHYSICAL AND ENVIRONMENTAL SECURITY
10. COMMUNICATIONS AND OPERATIONS MANAGEMENT
11. ACCESS CONTROL
12. INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE
13. INFORMATION SECURITY INCIDENT MANAGEMENT
14. BUSINESS CONTINUITY MANAGEMENT
15. COMPLIANCE
Information Security Management System (ISMS)
The Security Program
Common reasons to implement ISMS
1. Strategic
2. Client / partner confidence
3. Internal efficiency
4. Regulations
ISMS Roadmap (PDCA circle)
PLAN: Governing Board policy approved; project borders agreement; process mapping; asset collection and asset value; risk assessment; gap analysis; Statement of Applicability
DO: training and awareness; implementation of controls, procedures...
CHECK: monitoring; record collection; auditing
ACT: Governing Board approval (2nd time); improvements
Establish the ISMS
Plan
Mission Statement
Scope and Boundaries
Define the ISMS Policy
Identify a Risk Assessment methodology
Develop criteria for accepting risks
Identify Risks (Risk Assessment)
Analyze and evaluate risks
Develop Risk Treatment Plan
Select Control Objectives and Controls
Prepare a Statement of Applicability
Implement the ISMS
Do
Monitor, Audit and Review
Check
Monitor and review procedures and controls
• Attempted and successful security breaches
• Determine if actions to prevent breaches were successful
Regular reviews of the effectiveness of the ISMS
Review risk assessments at planned intervals taking into account changes in:
• Organization
• Business process
• Technology
• Threats
• Regulatory environment
Conduct Internal Audits at planned intervals
Management review of ISMS
Maintain and Improve
Act
Risk Management Process
– Risk Assessment (awareness)
• Asset discovery
• Threat Identification
• Vulnerability Identification
• Control Analysis
• Likelihood Determination
• Impact analysis
• Risk Determination
Risk Management Process
– Risk Treatment Plan
• Control Recommendations to mitigate risk
• Evaluate/Accept Risk
• Risk Mitigation Investments
Evaluating Information Risk
• The likelihood of a given threat-source's attempting to exercise a given vulnerability
• The magnitude of the impact should a threat-source successfully exercise the vulnerability
• The adequacy of planned or existing security controls for reducing or eliminating risk.
Risk Evaluation and Acceptance Criteria
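The risk determination steps listed above (asset, threat source, vulnerability, likelihood, impact, control analysis) and the acceptance criteria can be worked through on a small risk register. The following Python is an added example and not material from the lecture slides: the 1-to-5 likelihood and impact scales, the level bands, the acceptance threshold of 6 and the sample register entries are all assumptions chosen for illustration, and the formula residual = likelihood × impact × (1 − control effectiveness) is one common simplification, not something ISO 27005 prescribes.

```python
"""Worked risk evaluation for a small ISMS risk register (added example).

All scales, bands, thresholds and register entries below are assumptions
made for illustration; an organization defines its own risk assessment
methodology and acceptance criteria in the Plan phase of the ISMS.
"""
from dataclasses import dataclass

ACCEPTANCE_THRESHOLD = 6  # assumed: residual score <= 6 (of 25) may be accepted


@dataclass(frozen=True)
class Risk:
    asset: str
    threat_source: str
    vulnerability: str
    likelihood: int               # 1 (rare) .. 5 (almost certain) that the threat exercises the vulnerability
    impact: int                   # 1 (negligible) .. 5 (severe) if the vulnerability is exercised
    control_effectiveness: float  # 0.0 = no control in place, 1.0 = control eliminates the risk

    def __post_init__(self):
        # Reject values outside the assumed scales instead of silently mis-scoring.
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.asset}: likelihood and impact must be in 1..5")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.asset}: control effectiveness must be in 0..1")


def inherent_score(risk: Risk) -> int:
    """Risk before controls: likelihood x impact, 1..25."""
    return risk.likelihood * risk.impact


def residual_score(risk: Risk) -> float:
    """Risk after existing controls: inherent score reduced by control adequacy."""
    return inherent_score(risk) * (1.0 - risk.control_effectiveness)


def risk_level(score: float) -> str:
    """Assumed qualitative bands over the 25-point score."""
    if score <= 4:
        return "low"
    if score <= 9:
        return "medium"
    if score <= 16:
        return "high"
    return "critical"


def evaluate(risk: Risk, threshold: float = ACCEPTANCE_THRESHOLD) -> dict:
    """Apply the acceptance criteria and decide accept vs. mitigate."""
    inherent = inherent_score(risk)
    residual = residual_score(risk)
    accepted = residual <= threshold
    # Minimum combined effectiveness the existing plus recommended controls need
    # so that residual risk falls within the acceptance criteria.
    required = 0.0 if accepted else round(1.0 - threshold / inherent, 2)
    return {
        "asset": risk.asset,
        "threat_source": risk.threat_source,
        "vulnerability": risk.vulnerability,
        "inherent": inherent,
        "residual": residual,
        "level": risk_level(residual),
        "treatment": "accept" if accepted else "mitigate",
        "required_control_effectiveness": required,
    }


def treatment_plan(register: list, threshold: float = ACCEPTANCE_THRESHOLD) -> list:
    """Risk Treatment Plan input: every risk evaluated, highest residual first."""
    return sorted((evaluate(r, threshold) for r in register),
                  key=lambda e: e["residual"], reverse=True)


# Constructed sample register; the values are illustrative, not real findings.
SAMPLE_REGISTER = [
    Risk("Customer database", "ransomware operator", "unpatched file server", 4, 5, 0.25),
    Risk("Public website", "opportunistic attacker", "weak administrator password", 3, 2, 0.5),
    Risk("Payroll system", "malicious insider", "no segregation of duties", 2, 4, 0.0),
    Risk("Office HVAC", "equipment failure", "no maintenance contract", 2, 2, 0.0),
]

if __name__ == "__main__":
    for e in treatment_plan(SAMPLE_REGISTER):
        print(f"{e['asset']:18} inherent={e['inherent']:2} residual={e['residual']:5.1f} "
              f"{e['level']:8} {e['treatment']:8} "
              f"required control effectiveness={e['required_control_effectiveness']}")
```

Running the file prints the plan with the highest residual risk first. The `required_control_effectiveness` field is the minimum reduction the recommended controls must deliver for that risk to satisfy the acceptance criteria, which is the figure that feeds the "Risk Mitigation Investments" decision; risks already at or below the threshold are recorded as accepted rather than left implicit.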
ISO 27002 Controls
• 11 Security Control “Clauses”
• 49 Control Categories
– Control Objective
– 133 total controls
• Controls selected based on:
– Assessment of Risk
– Business objectives
– Legal, regulatory, contractual obligations
• Function of a control: to mitigate risk
– Deterrent
– Preventative
– Detective
– Corrective
– Recovery
– Compensating
Controls Rationalization
• ISO 27002 becomes the overarching control
framework
• Regulatory requirements map to ISO
• New requirements potentially satisfied with
existing controls
• Simplifies auditing and control testing
• Example
5 Information Security Policy
"Top Level"
• 5.1 Information Security Policy
– Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
Management should set a clear policy direction in line with business objectives and demonstrate support for, and commitment to, information security through the issue and maintenance of an information security policy across the organization.
5 Security Policy
5.1.1 Information security policy document
Control
An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties.
Implementation guidance
The information security policy document should state management commitment and set out the organization's approach to managing information security. The policy document should contain statements concerning:
– a) a definition of information security, its overall objectives and scope and the importance of security as an enabling mechanism for information sharing (see introduction);
– b) a statement of management intent, supporting the goals and principles of information security in line with the business strategy and objectives;
– c) a framework for setting control objectives and controls, including the structure of risk assessment and risk management;
5.1.1 (Continued)
d) a brief explanation of the security policies, principles, standards, and compliance
requirements of particular importance to the organization, including:
1) compliance with legislative, regulatory, and contractual requirements;
2) security education, training, and awareness requirements;
3) business continuity management;
4) consequences of information security policy violations;
e) a definition of general and specific responsibilities for information security management,
including reporting information security incidents;
f) references to documentation which may support the policy, e.g. more detailed security
policies and procedures for specific information systems or security rules users should
comply with.
This information security policy should be communicated throughout the organization to users in
a form that is relevant, accessible and understandable to the intended reader.
6 Organization of information security
6.1 Internal organization
Objective: To manage information security within the organization.
Critical Roles and Responsibilities
• Governance Committee and Chair
• Data Owner (Business Owner)
• Data Custodian
• Privacy Officer
• CISO
• IT
• Internal Audit
• All employees
7 Asset Management
7.1 Responsibility for assets
Objective: To achieve and maintain appropriate protection of organizational assets.
All assets should be accounted for and have a nominated owner.
Owners should be identified for all assets and the responsibility for the maintenance of appropriate controls should be assigned. The implementation of specific controls may be delegated by the owner as appropriate, but the owner remains responsible for the proper protection of the assets.
7 Asset Management
7.1.2 Ownership of assets
Control:
All information and assets associated with information processing facilities should be "owned" by a designated part of the organization.
Implementation guidance
The asset owner should be responsible for:
a) ensuring that information and assets associated with information processing facilities are appropriately classified;
b) defining and periodically reviewing access restrictions and classifications, taking into account applicable access control policies.
The term 'owner' identifies an individual or entity that has approved management responsibility for controlling the production, development, maintenance, use and security of the assets.
7 Asset Management
7.2 Information classification
Objective: To ensure that information receives an appropriate level of protection.
Information should be classified to indicate the need, priorities, and expected degree of protection when handling the information.
Information has varying degrees of sensitivity and criticality. Some items may require an additional level of protection or special handling. An information classification scheme should be used to define an appropriate set of protection levels and communicate the need for special handling measures.
8 Human Resources Security
8.1 Prior to employment
Objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.
9 Physical and Environmental Security
9.1 Secure areas
Objective: To prevent unauthorized physical access, damage and interference to the organization's premises and information.
10 Communications and operations management
10.1 Operational procedures and responsibilities
Objective: To ensure the correct and secure operation of information processing facilities.
10 Communications and operations management (cont.)
10.4 Protection against malicious and mobile code
Objective: To protect the integrity of software and information.
10.5 Back-up
Objective: To maintain the integrity and availability of information and information processing facilities.
10 Communications and operations management (cont.)
10.8 Exchange of information
Objective: To maintain the security of information and software exchanged within an organization and with any external entity.
10.10 Monitoring
Objective: To detect unauthorized information processing activities.
11 Access Control
11.1 Business requirement for access control
Objective: To control access to information.
11 Access Control (Cont.)
11.5 Operating system access control
Objective: To prevent unauthorized access to operating systems.
11.6 Application and information access control
Objective: To prevent unauthorized access to information held in application systems.
11.7 Mobile computing and teleworking
Objective: To ensure information security when using mobile computing and teleworking facilities.
12 Information systems acquisition, development and maintenance
12.1 Security requirements of information systems
Objective: To ensure that security is an integral part of information systems.
12.2 Correct processing in applications
Objective: To prevent errors, loss, unauthorized modification or misuse of information in applications.
12.3 Cryptographic controls
Objective: To protect the confidentiality, authenticity or integrity of information by cryptographic means.
12 Information systems acquisition, development and maintenance (Cont.)
12.4 Security of system files
Objective: To ensure the security of system files.
12.5 Security in development and support processes
Objective: To maintain the security of application system software and information.
12.6 Technical Vulnerability Management
Objective: To reduce risks resulting from exploitation of published technical vulnerabilities.
13 Information security incident management
13.1 Reporting information security events and weaknesses
Objective: To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.
14 Business continuity management
14.1 Information security aspects of business continuity management
Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.
15 Compliance
15.1 Compliance with legal requirements
Objective: To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements.
Information Security Organization and Structure
• It's all about the ability to execute
• Multi-disciplinary approach involving collaboration and cooperation
• Organizational segregation of control execution from control requirements and approvals
• Control executors accountable for control execution
• Oversight responsibility – where does Information Security report?
Organization chart: Business Governance; Internal Audit; Information Security Program (Information Security; IT)
Information Security Functions
• Chief Information Security Officer (CISO)
• Information Security Office (ISO)
– Compliance Management
– Identity Management
– Security Configuration Management
– Risk Assessment
– Security Education, Awareness and Training (SETA)
• Security Operations Center (SOC)
– Security Operations
– SOC/NOC Coordination
– Incident Response
– Security Integrated Process Team Management
• Information Security Compliance (ISC)
– Compliance
– PII, HIPAA, and PCI compliance policy
– Controls compliance program
Information Security Office (ISO)
• Enterprise Security Mgt
• Security Architecture
• System Accreditation
• Access and Identity Management
• Physical Security requirements
• Risk Management
• Security Assurance
• Application Vulnerability Mgt
• Risk Assessment execution
• 3rd Party Risk Management
• Security Education, Awareness
and Training
• Disaster Recovery/BCP
Security Operations Center (SOC)
• Security Monitoring
– Monitoring and alerting
– Intrusion Detection
– Policy violations
– Anti-Virus monitoring
– Log Analysis
• Incident Response
– Incident Response Plan
– Incident Response Team Mgt
– Management reporting
• Security Engineering
– Vulnerability/Penetration testing
– Vulnerability remediation
– Policy violation remediation
– Network Integrity mgt
– Technology control effectiveness
Information Security Compliance (ISC)
• Security Policies and Compliance
– PCI, HIPAA, SOX, Privacy
– ISO 27001/ISO 27002
• IT Operational Controls Compliance
– Vulnerability Management
– Baseline Configuration
– Policy/Standards/Process Compliance
• Audit/Assessment Mgt
– Compliance evidence
– Management Response
– Remediation Mgt
– Document Mgt
Discussion
• Lessons Learned
• Going Forward
• Your Experience?
– Governance
– ISO
– Other security frameworks