Assessment

1
IT Auditing 9 Information Security, Code
of Practice for Information Security Management,
Certification of Information Security Dr. Ir.
Paul L. Overbeek RE Overbeek.paul_at_kpmg.nl
2
Roadmap
3
(No Transcript)
4
Agenda

• 101 on Information Security
• Introduction to the Code of Practice for
  Information Security Management
• Certification of Information Security

5
What are we talking about

• Information is essential in our business
• Information security is integrated in our
  business processes
• And is certainly not a specialists only-area
• It is the responsibility of both management and
  employees
• Information security remains a moving target
• business new products, new markets
• organisation mergers, take-overs,
  reorganisations, job rotation, retention
• IT new technology, applications, operating
  systems, protocols
• Information security is change control
• A Pro-actif approach is required information
  security in control

6
Basic information security objectives

• Confidentiality
• ensuring that information is accessible only to
  those authorised to have access
• Integrity
• safeguarding the authenticity, accuracy and
  completeness of information and processing
  methods
• Availability
• ensuring that authorised users have access to
  information and associated assets when required

7
Security from a business perspective
8
Reliability requirements
measures
assets
information
9
Threats

• Natural causes
• Intentional actions - by authorised employees
  - by unauthorised employees / outsider
• Human errors, mistakes - by authorised
  employees - by unauthorised employees /
  outsiders
• Software errors
• Hardware communication errors

10
External requirements
Social context Privacy Anonimity
Evidence Legal requirements Third party
requirements
11
Requirements set by the organisation
Organisational context- Structure-
Management- Functions and responsibilities-
Reporting structures
George W
Scrooge
Alice
Bob
Chris
12
Security measures
Organisational Physical Procedural
Technical
LOGIN
13
Incident Cycle
Threat
Prevention
Reduction
Incident
Detection
Repression
Damage
Correction
Recovery
Evaluation
14
Change is the only constant

• Technology
• Products and services
• Business processes
• Co-operation between organisations
• Information security must change too!
• From reactive to proactive

15
The Information Security Management Cycle
Policy
Control, organisation
Risk analysis
Feedback
Planning
OrganisationalTechnicalProceduralPhysical
Controls
Evaluation Testing
Implementation
16
Conclusion

• Security should be based on strong organisational
  foundations from the start.
• Why?
• Keep up with change
• Be prepared for incidents
• Deal with personnel turnover
• Avoid omissions caused by ad hoc approach
• Create security awareness among your staff
• Grow in the right direction

17
Basic Risk Analysis

• Real versus perceived risks of the IT
• What should be done with enthousiasm, what is to
  be considered, and what is far over the top
• Good housekeeping policies, guidelines,
  organisation, responsibilities, relationships or
  
• Security Management
• Risk management
• The risks of using IT and the management of these
  risks

18
Searching for the real risks - The threats
?

• Natural causes
• Intentional actions - by authorised employees
  - by unauthorised employees / outsider
• Human errors, mistakes - by authorised
  employees - by unauthorised employees /
  outsiders
• Software errors
• Hardware communication errors

19
Searching for the real risks Ability to offer
a certain security quality?

• Privacy and confidentiality
• Persistent to hackers, etc
• Persistent to criminality
• Authenticity
• Authorised use and access
• Integrity
• Non repudiation
• Availability
• Access when needed
• Transparency (audit ability)
• Payment
• Compliance with regulation
• Integration of services

?
20
Searching for the real risks Impact on your
business processes

• Political consequences
• Financial / economical impact
• Commercial impact
• Environmental impact
• Impact on society, partners, clients
• Loss of trustworthiness
• Equal reaction, or worse
• Legal aspects
• Non compliance with laws and regulation
• Loss or harm for civilians, clients, relations,
  partners,
• Safety
• Privacy
• Culture
• Trust
• Local or international?
• Corporate Image
• Loss of good reputation / goodwill

21
Risk management

• IT risks and the control thereof
• Each security activity is (part of) a process
• That needs to be managed and contained
• A standstill implies decline
• Information security is a set of processes
• uniform, at all levels of your organisation

Strategy
Tactics
Operations
22
Risk Management

• Top management demands control and therefore
  overseeing the quality of the information
  security process and the measures
• Management information often does not address
  todays needs
• Large quantity of activities and measures
• Responsibilities and reporting is scattered
• Solution
• Uniformity
• A structured, integrated approach
• The Code of Practice for Information Security
  Management(BS7799/ ISO 17799 / IST 17799 / ANZ
  7799 / .)

23
Risk management being in control

• in control of what?
• Confidentiality
• Integrity Information Security
• Auditability
• Availability
• Effectiveness
• Efficiency
• Manageability
• etc.

24
Code of Practice Introduction

• The purpose of information security is to ensure
  business continuity and to minimize business
  damage by preventing and minimizing the impact of
  security incidents.
• Information security management enables
  information to be shared, while ensuring the
  protection of information and computing assets.
• The three basic components (quality aspects) of
  CoP are
• CONFIDENTIALITY
• INTEGRITY
• AVAILABILITY
• Information takes many forms. It can be stored on
  computers, transmitted across networks, printed
  out or written down on paper, and spoken in
  conversations.
• From a security perspective, appropriate
  protection must be applied to all forms of
  information, including papers, databases, films,
  view foils, models, tapes, diskettes,
  conversation and any other methods to convey
  knowledge and ideas.

25
Positioning CoP
Top management (Board of Directors)
Policy Reporting on security health
Line management and staff
Code of Practice for IT Security
Technical security standards and
studies (Committees of EDP auditors, such as PI)
IT management and staff
Procedural
OS/390 RACF Oracle
Internet Intranet Workflow
Unix OS/400 NT
Physical
Personnel
26
UNIFORMITY CODE of Practice for Information
Security Management1999
27
CODE OF PRACTICE FOR INFORMATION SECURITY
MANAGEMENT (CoP)

• Developed in UK and NL
• Also published in many other countries
• Update 1999
• Based on best practice of participants
• Purpose
• intended as a standard for a baseline level of
  security (due care)
• enable mutual trust between partners
• suitable for small, medium and large enterprises
• Organisational and technical measures
• 100 pages, 10 sections, 8 essential controls
• Note It is not an implementation standard but a
  set of guidelines and attention items. Use it
  with common sense!

28
Use of the CoP

• 8 essential controls
• 10 main categories
• 36 objectives
• 125 measures
• Can be used for
• Implementation of information security management
• IT security management based on ITIL Sec Man
• Audits en benchmarking
• Agreements between partners (SLAs, IA)
• Certification
• Provides a Consistent and uniform approach

29
Code of Practice for Information Security

• 10 Sections
• 3 Security Policy
• 4 Security Organisation
• 5 Asset Classification and Control
• 6 Personnel security
• 7 Physical and environmental security
• 8 Communications and operations management
• 9 Access control
• 10 Systems development and maintenace
• 11 Business continuity management
• 12 Compliance

30
Where to start

• Essential measures from a legislative viewpoint
• Intellectual property rigths
• Safeguarding organisational records
• Privacy of personal information
• Essential measures for information security
• Objectives / policy
• Allocation of responsibilities for information
  security
• Education and Training
• Reporting security incidents
• Business continuity management

31
CoP

• Background information

32
CoP Background information

• THREE PRIMARY QUALITY ASPECT (CIA)
• CONFIDENTIALITY
• Protecting sensitive information from
  unauthorized disclosure or intelligible
  interception
• INTEGRITY (In revised CoP Data integrity)
• Safeguarding the accuracy and completeness of
  information and computer software
• AVAILABILITY
• Ensuring that information and vital services are
  available to the business processes when required
• CoP DEALS WITH INFORMATION SECURITY
• INFORMATION in CoP has been defined as
• The quality aspects apply to all forms of
  information data stored on computers (data,
  text, video, speech), transmitted across
  networks, printed out or written down on paper,
  and spoken in conversations

!
!
33
CoP 3 Security policy

• Information security policy
• Objective To provide management direction and
  support for information security.
• Top management should set a clear direction and
  demonstrate their support for and commitment to
  information security through the issue of an
  information security policy across the
  organization.
• Information security policy must be defined by
  top management
• There must be an explicit owner of the policy,
  also responsible for periodical revisions and
  updates
• Accessible to all persons involved
• Attention for threats specific to the own business

34
CoP 4 Security organisation

• Objective To manage information security within
  the organization.
• A management framework should be established to
  initiate and control the implementation of
  information security within the organization.
• Steering committee / coordination
• Allocation of security responsibilities
• Authorisation process for IT facilities
• Specialist security advice
• Cooperation between organisations
• Indepence of reviews
• Security of third party access
• Revised CoP Text has been added to describe when
  third party access happens, what are the risks of
  third party access, what should be included in a
  third party contract and what should be covered
  by an outsourcing contract

35
CoP 5 Assets classification and control

• Accountability for assets
• Objective To maintain appropriate protection of
  organizational assets.
• All major information assets should be accounted
  for and have a nominated owner.
• Accountability for assets helps ensure that
  adequate security protection is maintained.
  Owners should be identified for major assets and
  assigned responsibility for the maintenance of
  appropriate security measures. Responsibility for
  implementing security measures may be delegated,
  though accountability should remain with the
  nominated owner of the asset.

• Label
• vital to busines
• Top Secret data

RESOURCE
owner
classifi- cation
36
CoP 5 Assets classification and control ...

• Inventory of assets
• Each asset must have an owner
• Classification guidelines
• Classification labels
• Revised CoP Text on the valuation and importance
  of assets has been added, and the concept of
  information classification has been broadened to
  cover the general aspect of information
  labelling, including integrity and availability
  labels

37
CoP 6 Personnel security

• Security in job definition and resourcing
• Objective To reduce the risks of human error,
  theft, fraud or misuse of facilities.
• Security should be addressed at the recruitment
  stage, included in job descriptions and
  contracts, and monitored during an individual's
  employment.
• Managers should ensure that job descriptions
  address all relevant security responsibilities.
  Potential recruits should be adequately screened,
  especially for sensitive jobs. All employees and
  third party users of IT facilities should sign a
  confidentiality (non-disclosure) undertaking.

38
CoP 6 Personnel security ...

• Security in job descriptions
• Recruitment screening
• Confidentiality agreement
• User education and training
• Responding to incidents
• reporting of security incidents
• reporting of security weaknesses
• reporting of software malfunctions
• disciplinary process
• Revised CoP Text has been added to cover terms
  and conditions of employment, the need for the
  employee to abide by the same rules and
  principles as the rest of the organisation, and
  more details on personnel screening and policy.
  The fact that security incidents should be used
  in awareness and training, and that lesson should
  be learnt from them was emphasised

39
CoP 7 Physical and environmental security

• Secure areas
• Objective To prevent unauthorized access, damage
  and interference to IT services.
• IT facilities supporting critical or sensitive
  business activities should be housed in secure
  areas.
• Such facilities should also be physically
  protected from unauthorized access, damage and
  interference. They should be sited in secure
  areas, protected by a defined security perimeter,
  with appropriate entry controls and security
  barriers. A clear desk policy is recommended to
  reduce the risk of unauthorized access or damage
  to papers and media.

40
CoP 7 Physical and environmental security ...

• Physical security perimeter
• buildings and/or campus
• physical barriers and procedures
• badges, card keys
• registration andsupervision of visitors
• Physical entry controls
• data centers, computer rooms
• clear desk policy
• Equipment security
• due care Revised CoP Minor additions on
  intruder alarms, fire alarms, visitor
  instructions, and security furniture. Security
  issues arising from equipment used off-site and
  home working have also been considered

Non-IBM Space
IBM Public Space
IBM Internal Space
Controlled Access (1) Area
Office room, locked when unattended
Controlled Access (2) Area raised floor
Isolated Area
41
CoP 8 Computer and network management

• Operational procedures and responsibilities
• Objective To ensure the correct and secure
  operation of computer and network facilities.
• Responsibilities and procedures for the
  management and operation of all computers and
  networks should be established.
• This should be supported by appropriate operating
  instructions and incident response procedures.
  The principle of segregation of duties should be
  applied, where appropriate, to reduce the risk of
  negligent or deliberate system misuse.

42
CoP 8 Computer and network management ...

• Documented operating, development and control
• Capacity planning, acceptance
• Contingency
• Change management
• Virus controle
• Backups, operator logs, airco
• Network security
• Protection of removable media

43
CoP 8 Computer and network management ...

• Revised CoP
• This chapter has been renamed Communications and
  Operations Management and extended to cover a
  wide interpretation of information processing
• Text has been added on computers, networks,
  mobile computing and communications, voice mail
  and communications, messaging, multimedia, postal
  services, fax machines, and any other existing or
  developing technology for the processing and
  communication of information
• The discussion on viruses has been broadened to
  any unauthorised or malicious software
• The section on data and software exchange has
  been extended to cover electronic commerce and
  messaging, and a new subsection on publicly
  available systems was added

44
CoP 9 System access control

• Business requirement for system access
• Objective To control access to business
  information.
• Access to computer services and data should be
  controlled on the basis of business requirements.
• This should take account of policies for
  information dissemination and entitlement.
• User registration
• User password management
• Access control for work stations, network,
  services and applications
• Monitoring system access and use

45
CoP 9 System access control ...

• Revised CoP
• This chapter has been renamed Access Control
  and generally edited to cover the extension from
  IT to information
• The amount of detail, especially within the
  subsections on passwords, has been reduced to
  achieve a consistent level of detail throughout
  the document
• It has been emphasised that passwords are not the
  only way of authentication and a new section of
  mobile computing and Tele-working has been added

46
CoP 10 Systems development and maintenance

• Security requirements of systems
• Objective To ensure that security is built into
  IT systems.
• Security requirements should be identified and
  agreed prior to the development of IT systems.
• Security countermeasures are substantially
  cheaper and more effective if incorporated in
  application systems at the requirements
  specification and design stages. All security
  requirements, including the need for fallback
  processing, should be identified at the
  requirements phase of a project and justified,
  agreed and documented as part of the overall
  business case for an information system.

47
CoP 10 Systems development and maintenance ...

• Security requirements analysis and specification
• Input data validation
• Data encryption
• Message authentication
• Change management
• Technical review of operating system changes
• Revised CoP
• New subsections on output validation, digital
  signatures, non-repudiation, key management,
  covert channels and Trojan code have been added
• More emphasis has been put on the description of
  cryptographic techniques, and how they can be
  employed to achieve various ways of protection
• Text on software integrity and evaluation has
  been added to the section on security
  requirements analysis and specification

48
CoP 11 Business continuity planning

• Aspects of business continuity planning
• Objective To have plans available to counteract
  interruptions to business activities.
• Business continuity plans should be available to
  protect critical business processes from the
  effects of major failures or disasters.
• There should be a process to develop and maintain
  appropriate plans for the speedy restoration of
  critical business processes and services in the
  event of serious business interruptions.
• Business continuity planning should include
  measures to identify and reduce risks, limit the
  consequences should a threat be realized, and
  ensure speedy resumption of essential operations.
• Revised CoP This chapter has been renamed
  Business Continuity Management and has been
  restructured and extended to put more emphasis on
  the business continuity management process. A
  business continuity and impact analysis must be
  the basis of any business continuity plan

49
CoP 12 Compliance

• Compliance with legal requirements
• Objective To avoid breaches of any statutory,
  criminal or civil obligations and of any security
  requirements.
• The design, operation and use of IT systems may
  be subject to statutory and contractual security
  requirements.
• All relevant statutory and contractual
  requirements should be explicitly defined and
  documented for each IT system. The specific
  controls, countermeasures and individual
  responsibilities to meet these requirements
  should be similarly defined and documented.
• Advice on specific legal requirements should be
  sought from the organization's legal advisers.
  Legislative requirements vary from country to
  country.

50
CoP 12 Compliance

• Compliance with legal and contractual
  requirements
• illegal copies
• confidential data
• privacy laws
• computer crime and abuse act
• Compliance with security policy
• Technical compliance checking
• Revised CoP
• The text has been reworded to make it more
  international in nature, and so all (UK/NL)
  specific references have been removed
• The text on control of proprietary software
  copying and safeguarding of organisational
  records has been extended, and a new subsection
  of collection of evidence was added

51
Agenda

• 101 on Information Security
• Introduction to the Code of Practice for
  Information Security Management
• The certification process - overview
• The Statement of applicability
• Documentation assessment
• Implementation assessment

52
CERTIFICATION AGAINST CoP

• Creates a goal and offers an additional
  management tool
• Methods techniques

53
Why evaluation and certification against CoP ?

• Overall benefit for organisations
• strengthening the confidence between trading
  partners
• better protection of customer and other external
  interests
• CoP (BS7799) is an international accepted
  security standard
• CoP is fit for Small Medium Enterprises (SME)
  and Multi Nationals (MN)
• CoP should be tailored to the customers needs
• Key players adopt CoP as their security standard

54
Evaluation approach to certify

• Application for certification against CoP
• Trial assessment
• Review of documentation
• Implementation assessment
• Decision to certify
• Issue the certificate
• The period of the certification agreement is
  three years
• Each year surveillance audits

55
Security evaluation and certification

• Prepare yourself
• Step 1
• confirm review scope
• review controls selection process
• determine internal review strategy
• Step 2
• organise self assessments or
• organise internal / third party audits
• use standard questionnaires and toolkit
• analyse results
• define improvementplan (security yearplan)
• Step 3
• agree corrective action
• prepare compliance statement
• management approval and sign off
• Step 4 apply for certification

56
Implication of the certificate

• The certificate implies that
• a management framework for information security
  is in place
• there are no critical non-conformities against
  the code of practice
• there can exists some non-critical
  non-conformities
• The certificate does not imply that
• no weaknesses exist at all
• there cannot raise any shortcomings on the
  information security ever

57
Certification process

• The certification process will show necessary
  improvement actions, but no surprises should
  emerge
• The certification process is a pro-active
  approach
• The certification process depends on input local
  management
• Clear communication of what it is needed
• its positive
• no surprises
• looking ahead
• stimulance

58
Remarks on certification

• Accreditation and certification is a not an one
  time action, but an ongoing process
• This process has to be implemented into the
  management framework
• Accreditation and certification can help an
  organisation to grow to a mature level of
  information security
• A certificate is not an assurance that everything
  is all right always and everywhere and that
  nothing will go wrong ever.
• Overall benefit
• strengthening the confidence between trading
  partners
• better protection of customer and other external
  interests

59
The Scheme
CoP(BS7799)
Internalaudits
Statement ofcompliance
Your Securityplan

• Criteria
• Processes
• Audit results
• Management framework

Certificatestatement ofapplicability
Implementedplan
CertificationAudit
60
What do you do anyway
Define your security plan
Demand compliance / implement plan
Internal audit to check compliance
Responsibility The organisation
Statement ofcompliance
61
Additional for certification
Define your security plan
Certification audit
Demand compliance / implement plan
Internal audit to check compliance
Certificate
62
Certification Audit
Dont lie to an auditor
63
Conclusion on Certification

• Benefits
• Get your house in order
• Strengthen trust between business partners
• Limitations
• Scope and depth
• Process oriented
• And of course
• Improves information security permanently!
• Better protection of our clients and third party
  interest

64
Conclusion of today

• Information Security
• Code of Practice for Information Security
  Management
• ITIL Security Management
• Audits and Benchmarking
• Agreements with partners (SLAs)
• Certification
• What is in it for you
• And for your organisation

65
Questions
?