
Overview of Information Security standards - ISO 27000 series of standards
(27001, 27002, 27003, 27004, 27005)

IT Governance
CEN 667

Project proposal - week 2
• The goal of the projects is to find applicable measurement and metric methods to improve processes:
– For the 27000 series of standards, 27001 and 27004
– For ITIL
– For Business Continuity and BS 25999
– For Disaster Recovery
– For Penetration testing
– For Operational and Security Incident management
– For Risk Management
– Secure method for visual authentication
– Mobile security access with speech recognition
– Other, agreed with the lecturer
• Literature review on the selected topic - between 500 and 1000 words
• Proposal for improvements of the chosen method, approach or technique - up to 2000 words
• List of references
• Document prepared in two columns, as it should be prepared for the conference paper
• Weekly report on updates

Lectures Schedule
Week 1: Introduction to IT governance
Week 2: Overview of Information Security standards - ISO 27000 series of standards (27001, 27002, 27003, 27004, 27005)
Week 3: Information Technology Service management ISO 20000-1 and ISO 20000-2
Week 4: ITIL
Week 5: Business Continuity and BS 25999-1 and BS 25999-2
Week 6: Disaster Recovery
Week 7: COBIT
Week 8: Project implementation (ISO 10006 and ISO 27003)
Week 9: Midterm
Week 10: Risk Management (ISO 27005)
Week 11: Application and Network Security and security testing
Week 12: Specific Requirements and Controls Implementation (ISO 27002)
Week 13: Operational and Security Incident management
Week 14: Performance Measurement and Metrics (ISO 27004)
Week 15: Audit (ISO 19011) and Plan-Do-Check-Act improvement cycle
Agenda
– The ISO 27000 Framework
• ISO/IEC 27001:2005 ISMS
• ISO/IEC 27002:2005 Controls
• ISO/IEC 27003:2010 implementation guidance
• ISO/IEC 27004:2009 Measurement and Metrics
• ISO/IEC 27005:2008 Risk Management
– The ISMS Roadmap
– A Controls Framework
– Information Security Organization – Mission and Structure
– Discussion/Questions/Lessons Learned

Information Security Governance
– How can an organization make good decisions about information risk?
– Risks identified, mitigated, accepted equals security
– Information Security is a business requirement
– CIA – Confidentiality, Integrity, Availability
– PCI, HIPAA, SOX, State Privacy Regulations
– Impact of loss of security on an organization is extreme
• Damage to brand, share price
• Direct costs
• Unavailable critical business processes
– Business awareness of impact is key

Confidentiality, Integrity, Availability (CIA)

Confidentiality: ensuring that information is accessible only to those authorized to have access.
Integrity: the assurance that information is consistent, certified and can be reconciled.
Availability: ensuring that only authorized personnel have access to information when they need it.

Keep CIA, and this is a way

Measuring KPIs
Other cases
• Sources:
– Business continuity lessons from Buncefield, Continuity Central, Huddersfield, West Yorkshire, England
– Jon William Toigo, Disaster Recovery Planning: Preparing for the Unthinkable, Third edition. Foreword xi

Buncefield fuel depot (Hemel Hempstead), London, December 2005


Northgate Information Solutions - Buncefield fuel depot

Next case...

Emergency Response Team / Center for Port Authority
Responsible for 3 airports, tunnels, bridges, buses and trains; meet at Marriott Hotel.
Business continuity planning and testing
Leading data loss causes
• Hardware or System Malfunctions 44%
• Human Error 32%
• Software Corruption 14%
• Computer Viruses 7%
• Natural Disasters 3%
Source: Gartner
From BiH news portals
People do not know what happened to them
And the police are searching
News again...
How common is SPAM and how much does it cost us?
Password thefts and costs
Major damages
An example from the telecommunications sector
Spying – a real reality
Growth trend
These things cannot happen in BiH???
Facts
• Information security is not Information Technology (IT) security.
• It is security of information and information assets.
• Information assets are:
– Electronic Information
– Non-electronic Information
– Environment / Infrastructure
– Hardware
– Software
– Physical
– People
– Services
• Keep asset CIA
Information security is to keep CIA: Confidentiality, Integrity, Availability
Everyday media reports reveal information security incidents
as a result of unmanaged information security.

These cases lead to:
• Resignations from important positions in institutions
• Civil court cases
• Assets lost
• Reputation lost and public embarrassment
• End of business

SUNDAY MORNING 10:00 O’clock
You don’t want to be this guy: to read about an information security incident in his organization on Sunday morning
What is the ISO 27000 Framework?
• International Organization for Standardization
• Governance - ISO 27001
– Establishing and Operating the ISMS – Plan, Do, Check, Act
– Management commitment and involvement
– Information Asset “Ownership”
• Controls – ISO 27002
– Deterrent
– Preventative
– Detective
– Corrective
– Recovery
– Compensating
• Available for download as Intellectual Property

What is the ISO Framework cont.
• Implementation - ISO 27003
– Management approval
– Defining scope
– Objective
– Scope
– Processes
– Assets
– Risk assessment
• Metrics – ISO 27004
– Key Performance Indicators
– Choosing what to measure
– Collecting data
• Risk management – ISO 27005
– Risk analysis
– Risk identification
– Risk estimation
– Risk evaluation
– Risk reduction
– Risk retention
– Risk avoidance
– Risk transfer
– Risk acceptance
– Risk Communication
To keep direction of the business activities on the right track, measurement and correction is needed
(6.1.1, 6.1.8, 6.1.2, 6.1.3) 27004:2009

Case: Flight Control
1. Side wind has impact on an aircraft flight path
2. Path of an aircraft without constant managing of path will never reach the destination
3. An aircraft with constant control of path (autopilot) and management of direction is able to reach destination

6.1 INTERNAL ORGANIZATION
6.1.1 Management commitment to information security
6.1.2 Information security Co-ordination
6.1.3 Allocation of information security Responsibilities
6.1.4 Authorization process for information processing facilities
6.1.5 Confidentiality agreements
6.1.6 Contact with authorities
6.1.7 Contact with special interest groups
6.1.8 Independent review of information security
6.2 EXTERNAL PARTIES
6.2.1 Identification of risks related to external parties
6.2.2 Addressing security when dealing with customers
6.2.3 Addressing security in third party agreements
What is ISO 27001?
• A management process to evaluate, implement and maintain an Information Security Management System (ISMS).
• An internationally recognized structured methodology dedicated to information security.
• A comprehensive set of controls (ISO 27002) comprised of best practices in information security.
• A standard that can be customized to address the level of risk (or vulnerability) that could cause negative business impact should it not be addressed.
• Certification available

Content of standards (27001 and 27002)

ISO 27001:2005 (System establishment)
4. Information security management system
5. Management responsibility
6. Internal ISMS audits
7. Management review of the ISMS
8. ISMS improvement

ISO 27002:2005 (17799:2005 standard which itself was formerly known as BS7799-1)
5. SECURITY POLICY
6. ORGANIZATION OF INFORMATION SECURITY
7. ASSET MANAGEMENT
8. HUMAN RESOURCES SECURITY
9. PHYSICAL AND ENVIRONMENTAL SECURITY
10. COMMUNICATIONS AND OPERATIONS MANAGEMENT
11. ACCESS CONTROL
12. INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE
13. INFORMATION SECURITY INCIDENT MANAGEMENT
14. BUSINESS CONTINUITY MANAGEMENT
15. COMPLIANCE

Information Security Management System (ISMS)
The Security Program – the ISO/IEC 27001 Plan-Do-Check-Act cycle

Plan – Establish the Roadmap
• Charge the ISGC (Mission Statement)
• Scope and Boundaries
• Define the ISMS Policy
• Identify a Risk Assessment methodology
• Develop criteria for accepting risks
• Identify Risks (Risk Assessment)
• Analyze and evaluate risks
• Develop Risk Treatment Plan
• Select Control Objectives and Controls
• Prepare a Statement of Applicability

Do – Implement and Operate Controls
• Implement the Risk Treatment Plan
• Measure the effectiveness of controls
• Implement an Incident Response process

Check – Monitor, Audit & Measure, Review
• Monitor and review procedures and controls
• Regular reviews of the effectiveness of the ISMS
• Review risk assessments at planned intervals taking into account changes in Organization, Business process, Technology, Threats, Regulatory environment
• Conduct Internal Audits at planned intervals
• Management review of ISMS

Act – Maintain & Improve the ISMS
• Take corrective action to improve the ISMS
• Take preventative action based on the prioritized results of risk assessments in anticipation of potential problems
Common reasons to implement ISMS
1. Strategic
2. Client / partner confidence
3. Internal efficiency
4. Regulations

ISMS Roadmap (PDCA circle)
PLAN: Governing board policy approved; Project borders agreement; Risk assessment; Gap analysis; Process mapping; Asset collection & asset value
DO: Training and awareness; Governing Board approval; Statement of applicability; Implementation of controls, procedures...
CHECK: Monitoring; Record and collection; Auditing
ACT: Improvements, then the 2nd time around the PDCA circle
Establish the ISMS
Plan
• Mission Statement
• Scope and Boundaries
• Define the ISMS Policy
• Identify a Risk Assessment methodology
• Develop criteria for accepting risks
• Identify Risks (Risk Assessment)
• Analyze and evaluate risks
• Develop Risk Treatment Plan
• Select Control Objectives and Controls
• Prepare a Statement of Applicability
Implement the ISMS
Do
• Implement the Risk Treatment Plan
• Measure the effectiveness of controls
• Implement an Incident Response process

Monitor, Audit and Review
Check
• Monitor and review procedures and controls
– Attempted and successful security breaches
– Determine if actions to prevent breaches were successful
• Regular reviews of the effectiveness of the ISMS
• Review risk assessments at planned intervals taking into account changes in:
– Organization
– Business process
– Technology
– Threats
– Regulatory environment
• Conduct Internal Audits at planned intervals
• Management review of ISMS

Maintain and Improve
Act
• Take corrective action to improve the ISMS
• Take preventative action based on the prioritized results of risk assessments in anticipation of potential problems

Risk Management Process
– Risk Assessment (awareness)
• Asset discovery
• Threat Identification
• Vulnerability Identification
• Control Analysis
• Likelihood Determination
• Impact analysis
• Risk Determination

Risk Management Process
– Risk Treatment Plan
• Control Recommendations to mitigate risk
• Evaluate/Accept Risk
• Risk Mitigation Investments

Evaluating Information Risk
• The likelihood of a given threat-source’s attempting
to exercise a given vulnerability
• The magnitude of the impact should a threat-source
successfully exercise the vulnerability
• The adequacy of planned or existing security
controls for reducing or eliminating risk.

Risk Evaluation and Acceptance Criteria
• NIST Special Publication 800-30 – Risk Management Guide
• ISO 27005
• Information Risk evaluation and Acceptance defined
– High (Executive Committee)
– Medium (Info Security Governance Committee)
– Low (Business Owner or CISO)
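The three factors from the previous slide (likelihood, impact, adequacy of controls) and the acceptance tiers above can be combined into a small risk-register evaluator. This is an added example written for these notes, not code from the slides, ISO 27005 or NIST SP 800-30; the 3x3 rating matrix, the control-adequacy credit, the treatment wording and the sample register entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Qualitative scales. Assumption for this example: three-step scales, in the
# style of the NIST SP 800-30 likelihood/impact ratings the slide cites.
LEVELS = ("Low", "Medium", "High")

# Inherent risk = likelihood x impact. Outer key: likelihood; inner: impact.
# The matrix itself is an assumption constructed for the example.
RISK_MATRIX = {
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "High":   {"Low": "Medium", "Medium": "High",   "High": "High"},
}

# Levels an existing or planned control set is credited with removing
# (assumed adequacy scale for the example).
CONTROL_CREDIT = {"none": 0, "partial": 1, "adequate": 2}

# Who may accept residual risk at each level, as listed on the slide.
AUTHORITY = {
    "High": "Executive Committee",
    "Medium": "Info Security Governance Committee",
    "Low": "Business Owner or CISO",
}

# ISO 27005 treatment option suggested per residual level (assumption).
TREATMENT = {
    "High": "risk reduction or avoidance required before acceptance",
    "Medium": "risk reduction or transfer; accept only the residual risk",
    "Low": "risk retention (accept)",
}

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str   # one of LEVELS
    impact: str       # one of LEVELS
    controls: str     # one of CONTROL_CREDIT keys

def inherent_level(likelihood: str, impact: str) -> str:
    """Risk before controls are considered: likelihood x impact lookup."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"likelihood and impact must be one of {LEVELS}")
    return RISK_MATRIX[likelihood][impact]

def residual_level(inherent: str, controls: str) -> str:
    """Risk remaining after crediting control adequacy, never below Low."""
    if controls not in CONTROL_CREDIT:
        raise ValueError(f"controls must be one of {tuple(CONTROL_CREDIT)}")
    return LEVELS[max(LEVELS.index(inherent) - CONTROL_CREDIT[controls], 0)]

def evaluate(risk: Risk) -> dict:
    """Evaluate one register entry: levels, treatment and acceptance authority."""
    inherent = inherent_level(risk.likelihood, risk.impact)
    residual = residual_level(inherent, risk.controls)
    return {"asset": risk.asset, "inherent": inherent, "residual": residual,
            "treatment": TREATMENT[residual], "authority": AUTHORITY[residual]}

def evaluate_register(register: list) -> list:
    """Evaluate every entry and order the results highest residual risk first."""
    results = [evaluate(r) for r in register]
    results.sort(key=lambda r: LEVELS.index(r["residual"]), reverse=True)
    return results

# Constructed sample register (illustrative entries, not real findings).
SAMPLE_REGISTER = [
    Risk("customer database", "external attacker", "unpatched DB server", "High", "High", "partial"),
    Risk("HR file share", "insider", "excess permissions", "Medium", "Medium", "adequate"),
    Risk("public web site", "defacement", "outdated CMS", "Medium", "Low", "none"),
]

if __name__ == "__main__":
    for row in evaluate_register(SAMPLE_REGISTER):
        print(f"{row['asset']:18} inherent={row['inherent']:6} "
              f"residual={row['residual']:6} -> {row['authority']}")
```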

ISO 27002 Controls
• 11 Security Control “Clauses”
• 49 Control Categories
– Control Objective
– 133 total controls
• Controls selected based on:
– Assessment of Risk
– Business objectives
– Legal, regulatory, contractual obligations
• Function of a control: to mitigate risk
– Deterrent
– Preventative
– Detective
– Corrective
– Recovery
– Compensating

Controls Rationalization
• ISO 27002 becomes the overarching control
framework
• Regulatory requirements map to ISO
• New requirements potentially satisfied with
existing controls
• Simplifies auditing and control testing
• Example

5 Information Security Policy
“Top Level”
• 5.1 Information Security Policy
– Objective: To provide management direction and support
for information security in accordance with business
requirements and relevant laws and regulations.
Management should set a clear policy direction in line with
business objectives and demonstrate support for, and
commitment to, information security through the issue
and maintenance of an information security policy across
the organization.

5 Security Policy
5.1.1 Information security policy document
Control
An information security policy document should be approved by management, and
published and communicated to all employees and relevant external parties.

Implementation guidance
The information security policy document should state management commitment and set
out the organization’s approach to managing information security. The policy document
should contain statements concerning:
– a) a definition of information security, its overall objectives and scope and the importance of security as an enabling mechanism for information sharing (see introduction);
– b) a statement of management intent, supporting the goals and principles of information security in line with the business strategy and objectives;
– c) a framework for setting control objectives and controls, including the structure of risk assessment and risk management;

5.1.1 (Continued)
d) a brief explanation of the security policies, principles, standards, and compliance
requirements of particular importance to the organization, including:
1) compliance with legislative, regulatory, and contractual requirements;
2) security education, training, and awareness requirements;
3) business continuity management;
4) consequences of information security policy violations;
e) a definition of general and specific responsibilities for information security management,
including reporting information security incidents;
f) references to documentation which may support the policy, e.g. more detailed security
policies and procedures for specific information systems or security rules users should
comply with.
This information security policy should be communicated throughout the organization to users in
a form that is relevant, accessible and understandable to the intended reader.

6 Organization of information security
6.1 Internal organization
Objective: To manage information security within the organization.

6.2 External parties
Objective: To maintain the security of the organization’s information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.

Critical Roles and Responsibilities
• Governance Committee and Chair
• Data Owner (Business Owner)
• Data Custodian
• Privacy Officer
• CISO
• IT
• Internal Audit
• All employees

7 Asset Management
7.1 Responsibility for assets
Objective: To achieve and maintain appropriate protection of organizational assets.

7.2 Information classification
Objective: To ensure that information receives an appropriate level of protection.

7 Asset Management
7.1 Responsibility for assets
Objective: To achieve and maintain appropriate protection of organizational assets.
All assets should be accounted for and have a nominated owner.
Owners should be identified for all assets and the responsibility for the maintenance of appropriate controls should be assigned. The implementation of specific controls may be delegated by the owner as appropriate, but the owner remains responsible for the proper protection of the assets.

7 Asset Management
7.1.2 Ownership of assets
Control:
All information and assets associated with information processing facilities should be
“owned” by a designated part of the organization.

Implementation guidance
The asset owner should be responsible for:
a) ensuring that information and assets associated with information processing
facilities are appropriately classified;
b) defining and periodically reviewing access restrictions and classifications, taking
into account applicable access control policies.

The term ‘owner’ identifies an individual or entity that has approved management
responsibility for controlling the production, development, maintenance, use and
security of the assets.

7 Asset Management
7.2 Information classification
Objective: To ensure that information receives an appropriate level of protection.
Information should be classified to indicate the need, priorities, and expected degree of protection when handling the information.
Information has varying degrees of sensitivity and criticality. Some items may require an additional level of protection or special handling. An information classification scheme should be used to define an appropriate set of protection levels and communicate the need for special handling measures.

8 Human Resources Security
8.1 Prior to employment
Objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.

8.2 During employment
Objective: To ensure that all employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.

8.3 Termination or change of employment
Objective: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.

9 Physical and Environmental Security
9.1 Secure areas
Objective: To prevent unauthorized physical access, damage and interference to the organization’s premises and information.

9.2 Equipment security
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization’s activities.

10 Communications and operations management
10.1 Operational procedures and responsibilities
Objective: To ensure the correct and secure operation of information processing facilities.

10.2 Third party service delivery management
Objective: To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.

10.3 System planning and acceptance
Objective: To minimize the risk of systems failures.

10 Communications and operations management (cont.)
10.4 Protection against malicious and mobile code
Objective: To protect the integrity of software and information.

10.5 Back-up
Objective: To maintain the integrity and availability of information and information processing facilities.

10.6 Network security management
Objective: To ensure the protection of information in networks and the protection of the supporting infrastructure.

10.7 Media handling
Objective: To prevent unauthorized disclosure, modification, removal or destruction of assets, and interruption to business activities.

10 Communications and operations management (cont.)
10.8 Exchange of information
Objective: To maintain the security of information and software exchanged within an organization and with any external entity.

10.9 Electronic commerce services
Objective: To ensure the security of electronic commerce services, and their secure use.

10.10 Monitoring
Objective: To detect unauthorized information processing activities.

11 Access Control
11.1 Business requirement for access control
Objective: To control access to information.

11.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized access to information systems.

11.3 User responsibilities
Objective: To prevent unauthorized user access, and compromise or theft of information and information processing facilities.

11.4 Network access control
Objective: To prevent unauthorized access to networked services.

11 Access Control (Cont.)
11.5 Operating system access control
Objective: To prevent unauthorized access to operating systems.
11.6 Application and information access control
Objective: To prevent unauthorized access to information held in
application systems.
11.7 Mobile computing and teleworking
Objective: To ensure information security when using mobile
computing and teleworking facilities.

12 Information systems acquisition, development and maintenance
12.1 Security requirements of information systems
Objective: To ensure that security is an integral part of information systems.
12.2 Correct processing in applications
Objective: To prevent errors, loss, unauthorized modification or misuse of information in applications.
12.3 Cryptographic controls
Objective: To protect the confidentiality, authenticity or integrity of information by cryptographic means.

12 Information systems acquisition,
development and maintenance (Cont.)
12.4 Security of system files
Objective: To ensure the security of system files.
12.5 Security in development and support processes
Objective: To maintain the security of application system
software and information.
12.6 Technical Vulnerability Management
Objective: To reduce risks resulting from exploitation of
published technical vulnerabilities.

13 Information security incident management
13.1 Reporting information security events and weaknesses
Objective: To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.

13.2 Management of information security incidents and improvements
Objective: To ensure a consistent and effective approach is applied to the management of information security incidents.

14 Business continuity management
14.1 Information security aspects of business
continuity management
Objective: To counteract interruptions to
business activities and to protect critical
business processes from the effects of major
failures of information systems or disasters
and to ensure their timely resumption.

15 Compliance
15.1 Compliance with legal requirements
Objective: To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements.

15.2 Compliance with security policies and standards, and technical compliance
Objective: To ensure compliance of systems with organizational security policies and standards.

15.3 Information systems audit considerations
Objective: To maximize the effectiveness of and to minimize interference to/from the information systems audit process.

Information Security Organization and Structure
• It’s all about ability to execute
• Multi-disciplinary approach involving collaboration and cooperation
• Organizational segregation of control execution from control requirements and approvals
• Control executors accountable for control execution
• Oversight responsibility – where does Information Security report?

Information Security Program (organization chart)
Business Governance
Internal Audit
Information Security:
– Information Risk Mgt: Security Policy, Risk Assessments, Security Assurance, Monitoring and Response, Vulnerability Mgt, Identity Mgt
– Policy, Controls, Compliance; External Compliance: PCI, SOX, HIPAA, PII
IT:
– Control Implementation: Access Administration, Patching, Anti-virus, Baseline Configurations, Firewall rules, Application Security Stds
Information Security Functions
• Chief Information Security Officer (CISO)
• Information Security Office (ISO)
– Compliance Management
– Identity Management
– Security Configuration Management
– Risk Assessment
– Security Education, Awareness and Training (SETA)
• Security Operations Center (SOC)
– Security Operations
– SOC/NOC Coordination
– Incident Response
– Security Integrated Process Team Management
• Information Security Compliance (ISC)
– Compliance
– PII, HIPAA, and PCI compliance policy
– Controls compliance program
Information Security Office (ISO)
• Enterprise Security Mgt
• Security Architecture
• System Accreditation
• Access and Identity Management
• Physical Security requirements
• Risk Management
• Security Assurance
• Application Vulnerability Mgt
• Risk Assessment execution
• 3rd Party Risk Management
• Security Education, Awareness
and Training
• Disaster Recovery/BCP

Security Operations Center (SOC)
• Security Monitoring
• Monitoring and alerting
• Intrusion Detection
• Policy violations
• Anti-Virus monitoring
• Log Analysis
• Incident Response
• Incident Response Plan
• Incident Response Team Mgt
• Management reporting
• Security Engineering
• Vulnerability/Penetration testing
• Vulnerability remediation
• Policy violation remediation
• Network Integrity mgt
• Technology control effectiveness

Information Security Compliance (ISC)
• Security Policies and Compliance
• PCI, HIPAA, SOX, Privacy
• ISO 27001/ISO 27002
• IT Operational Controls Compliance
• Vulnerability Management
• Baseline Configuration
• Policy/Standards/Process Compliance
• Audit/Assessment Mgt
• Compliance evidence
• Management Response
• Remediation Mgt
• Document Mgt

Discussion
• Lessons Learned
• Going Forward
• Your Experience?
– Governance
– ISO
– Other security frameworks
