Strategies for Managing Information Risk Utilizing ISOIEC 2700127002 - PowerPoint PPT Presentation

1 / 44
About This Presentation
Title:

Strategies for Managing Information Risk Utilizing ISOIEC 2700127002

Description:

CIA Confidentiality, Integrity, Availability. PCI, HIPAA, SOX, State Privacy Regulations ... and effective approach is applied to the management of ... – PowerPoint PPT presentation

Number of Views:51
Avg rating:3.0/5.0
Slides: 45
Provided by: hbc3
Category:

less

Transcript and Presenter's Notes

Title: Strategies for Managing Information Risk Utilizing ISOIEC 2700127002


1
Strategies for Managing Information
Risk-Utilizing ISO/IEC 27001/27002
  • Dec 10, 2008

Tom Witwicki Director, Information Security
2
Agenda
  • The need for IS Governance
  • The ISO Framework
  • ISO/IEC 27001
  • ISO/IEC 27002
  • The Hannaford ISMS Roadmap
  • A Controls Framework
  • Information Security Organization Mission and
    Structure
  • Discussion/Questions/Lessons Learned

3
Information Security Governance
  • How can an organization make good decisions about
    information risk?
  • Risks identified, mitigated, accepted equals
    security
  • Information Security is a business requirement
  • CIA Confidentiality, Integrity, Availability
  • PCI, HIPAA, SOX, State Privacy Regulations
  • Impact of loss of security on an organization is
    extreme
  • Damage to brand, share price
  • Direct costs
  • Litigation Liability
  • FTC actions
  • Unavailable critical business processes
  • Business awareness of impact is key

4
What is the ISO Framework?
  • International Organization for Standardization
  • Governance - ISO 27001
  • Establishing and Operating the ISMS Plan, DO,
    Check, Act
  • Management commitment and involvement
  • Information Asset Ownership
  • Controls ISO 27002
  • Deterrent
  • Preventative
  • Detective
  • Corrective
  • Recovery
  • Compensating
  • Available for download as Intellectual Property

5
What is ISO 27001?
  • A management process to evaluate, implement and
    maintain an Information Security Management
    System (ISMS).
  • An internationally recognized structured
    methodology dedicated to information security.
  • A comprehensive set of controls (ISO 27002)
    comprised of best practices in information
    security.
  • A standard that can be customized to address the
    level of risk (or vulnerability), that could
    cause negative business impact should it not be
    addressed.
  • Certification available

6
Information Security Management System (ISMS)The
Security Program
Do Implement and Operate Controls Measure
  • Charge the ISGC (Mission Statement)
  • Scope and Boundaries
  • Define the ISMS Policy
  • Identify a Risk Assessment methodology
  • Develop criteria for accepting risks
  • Identify Risks (Risk Assessment)
  • Analyze and evaluate risks
  • Develop Risk Treatment Plan
  • Select Control Objectives and Controls
  • Prepare a Statement of Applicability
  • Implement the Risk Treatment Plan
  • Measure the effectiveness of controls
  • Implement an Incident Response process

Plan Establish the ISMS
Check Monitor Audit Review
ISO/IEC 270001 Roadmap
  • Monitor and review procedures and controls
  • Regular reviews of the effectiveness of the ISMS
  • Review risk assessments at planned intervals
    taking into account changes in Organization,
    Business process, Technology, Threats, Regulatory
    environment
  • Conduct Internal Audits at planned intervals
  • Management review of ISMS
  • Take corrective action to improve the ISMS
  • Take preventative action based on the prioritized
    results of risk assessments in anticipation of
    potential problems

Act Maintain Improve The ISMS
7
Establish the ISMS
Plan
  • Charge the ISGC (Mission Statement)
  • Scope and Boundaries
  • Define the ISMS Policy
  • Identify a Risk Assessment methodology
  • Develop criteria for accepting risks
  • Identify Risks (Risk Assessment)
  • Analyze and evaluate risks
  • Develop Risk Treatment Plan
  • Select Control Objectives and Controls
  • Prepare a Statement of Applicability

8
Implement the ISMS
Do
  • Implement the Risk Treatment Plan
  • Measure the effectiveness of controls
  • Implement an Incident Response process

9
Monitor, Audit and Review
Check
  • Monitor and review procedures and controls
  • Attempted and successful security breaches
  • Determine if actions to prevent breaches were
    successful
  • Regular reviews of the effectiveness of the ISMS
  • Review risk assessments at planned intervals
    taking into account changes in
  • Organization
  • Business process
  • Technology
  • Threats
  • Regulatory environment
  • Conduct Internal Audits at planned intervals
  • Management review of ISMS

10
Maintain and Improve
Act
  • Take corrective action to improve the ISMS
  • Take preventative action based on the prioritized
    results of risk assessments in anticipation of
    potential problems

11
Risk Management Process
  • Risk Assessment (awareness)
  • Asset discovery
  • Threat Identification
  • Vulnerability Identification
  • Control Analysis
  • Likelihood Determination
  • Impact analysis
  • Risk Determination

12
Risk Management Process
  • Risk Treatment Plan
  • Control Recommendations to mitigate risk
  • Evaluate/Accept Risk
  • Risk Mitigation Investments

13
Evaluating Information Risk
  • The likelihood of a given threat-sources
    attempting to exercise a given vulnerability
  • The magnitude of the impact should a
    threat-source successfully exercise the
    vulnerability
  • The adequacy of planned or existing security
    controls for reducing or eliminating risk.

14
Risk Evaluation and Acceptance Criteria
  • NIST Special Publication 800-30 Risk Management
    Guide
  • Information Risk evaluation and Acceptance
    defined
  • High (Executive Committee)
  • Medium (Info Security Governance Committee)
  • Low (Business Owner or CISO)

15
ISO 27002 Controls
  • 11 Security Control Clauses
  • 49 Control Categories
  • Control Objective
  • 133 total controls
  • Controls selected based on
  • Assessment of Risk
  • Business objectives
  • Legal, regulatory, contractual obligations
  • Function of a control to mitigate risk
  • Deterrent
  • Preventative
  • Detective
  • Corrective
  • Recovery
  • Compensating

16
Controls Rationalization
  • ISO 27002 becomes the overarching control
    framework
  • Regulatory requirements map to ISO
  • New requirements potentially satisfied with
    existing controls
  • Simplifies auditing and control testing
  • Example

17
5 Information Security PolicyTop Level
  • 5.1 Information Security Policy
  • Objective To provide management direction and
    support for information security in accordance
    with business requirements and relevant laws and
    regulations. Management should set a clear
    policy direction in line with business objectives
    and demonstrate support for, and commitment to,
    information security through the issue and
    maintenance of an information security policy
    across the organization.

18
5 Security Policy
  • 5.1.1 Information security policy document
  • Control
  • An information security policy document should be
    approved by management, and published and
    communicated to all employees and relevant
    external parties.
  • Implementation guidance
  • The information security policy document should
    state management commitment and set out the
    organizations approach to managing information
    security. The policy document should contain
    statements concerning
  • a) a definition of information security, its
    overall objectives and scope and the importance
    of security as an enabling mechanism for
    information sharing (see introduction)
  • b) a statement of management intent, supporting
    the goals and principles of information security
    in line with the business strategy and
    objectives
  • c) a framework for setting control objectives and
    controls, including the structure of risk
  • assessment and risk management

19
5.1.1 (Continued)
  • d) a brief explanation of the security policies,
    principles, standards, and compliance
  • requirements of particular importance to the
    organization, including
  • 1) compliance with legislative, regulatory, and
    contractual requirements
  • 2) security education, training, and awareness
    requirements
  • 3) business continuity management
  • 4) consequences of information security policy
    violations
  • e) a definition of general and specific
    responsibilities for information security
    management,
  • including reporting information security
    incidents
  • f) references to documentation which may support
    the policy, e.g. more detailed security
  • policies and procedures for specific information
    systems or security rules users should
  • comply with.
  • This information security policy should be
    communicated throughout the organization to users
    in a form that is relevant, accessible and
    understandable to the intended reader.

20
6 Organization of information security
  • 6.1 Internal organization
  • Objective To manage information security within
    the organization
  • 6.2 External parties
  • Objective To maintain the security of the
    organizations information and information
    processing facilities that are accessed,
    processed, communicated to, or managed by
    external parties.

21
Critical Roles and Responsibilities
  • Governance Committee and Chair
  • Data Owner (Business Owner)
  • Data Custodian
  • Privacy Officer
  • CISO
  • IT
  • Internal Audit
  • All employees

22
7 Asset Management
  • 7.1 Responsibility for assets
  • Objective To achieve and maintain appropriate
    protection of organizational assets
  • 7.2 Information classification
  • Objective To ensure that information receives an
    appropriate level of protection.

23
7 Asset Management
  • 7.1 Responsibility for assets
  • Objective To achieve and maintain appropriate
    protection of organizational assets.
  • All assets should be accounted for and have a
    nominated owner.
  • Owners should be identified for all assets and
    the responsibility for the maintenance of
    appropriate
  • controls should be assigned. The implementation
    of specific controls may be delegated by the
    owner
  • as appropriate but the owner remains responsible
    for the proper protection of the assets.

24
7 Asset Management
  • 7.1.2 Ownership of assets
  • Control
  • All information and assets associated with
    information processing facilities should be
    owned by a designated part of the organization.
  • Implementation guidance
  • The asset owner should be responsible for
  • a) ensuring that information and assets
    associated with information processing facilities
    are appropriately classified
  • b) defining and periodically reviewing access
    restrictions and classifications, taking into
    account applicable access control policies.
  • The term owner identifies an individual or
    entity that has approved management
    responsibility for controlling the production,
    development, maintenance, use and security of the
    assets.

25
7 Asset Management
  • 7.2 Information classification
  • Objective To ensure that information receives an
    appropriate level of protection.
  • Information should be classified to indicate the
    need, priorities, and expected degree of
    protection when handling the information.
  • Information has varying degrees of sensitivity
    and criticality. Some items may require an
    additional
  • level of protection or special handling. An
    information classification scheme should be used
    to define
  • an appropriate set of protection levels and
    communicate the need for special handling
    measures.

26
8 Human Resources Security
  • 8.1 Prior to employment
  • Objective To ensure that employees, contractors
    and third party users understand their
    responsibilities, and are suitable for the roles
    they are considered for, and to reduce the risk
    of theft, fraud or misuse of facilities.
  • 8.2 During employment
  • Objective To ensure that all employees,
    contractors and third party users are aware of
    information security threats and concerns, their
    responsibilities and liabilities, and are
    equipped to support organizational security
    policy in the course of their normal work, and to
    reduce the risk of human error.
  • 8.3 Termination or change of employment
  • Objective To ensure that employees, contractors
    and third party users exit an organization or
    change employment in an orderly manner.

27
9 Physical and Environmental Security
  • 9.1 Secure areas
  • Objective To prevent unauthorized physical
    access, damage and interference to the
    organizations premises and information.
  • 9.2 Equipment security
  • Objective To prevent loss, damage, theft or
    compromise of assets and interruption to the
    organizations activities

28
10 Communications and operations management
  • 10.1 Operational procedures and responsibilities
  • Objective To ensure the correct and secure
    operation of information processing facilities.
  • 10.2 Third party service delivery management
  • Objective To implement and maintain the
    appropriate level of information security and
    service delivery in line with third party service
    delivery agreements.
  • 10.3 System planning and acceptance
  • Objective To minimize the risk of systems
    failures.

29
10 Communications and operations management
(cont.)
  • 10.4 Protection against malicious and mobile code
  • Objective To protect the integrity of software
    and information.
  • 10.5 Back-up
  • Objective To maintain the integrity and
    availability of information and information
    processing facilities.
  • 10.6 Network security management
  • Objective To ensure the protection of
    information in networks and the protection of the
    supporting infrastructure
  • 10.7 Media handling
  • Objective To prevent unauthorized disclosure,
    modification, removal or destruction of assets,
    and interruption to business activities.

30
10 Communications and operations management
(cont.)
  • 10.8 Exchange of information
  • Objective To maintain the security of
    information and software exchanged within an
    organization and with any external entity.
  • 10.9 Electronic commerce services
  • Objective To ensure the security of electronic
    commerce services, and their secure use.
  • 10.10 Monitoring
  • Objective To detect unauthorized information
    processing activities.

31
11 Access Control
  • 11.1 Business requirement for access control
  • Objective To control access to information.
  • 11.2 User access management
  • Objective To ensure authorized user access and
    to prevent unauthorized access to information
    systems.
  • 11.3 User responsibilities
  • Objective To prevent unauthorized user access,
    and compromise or theft of information and
    information processing facilities.
  • 11.4 Network access control
  • Objective To prevent unauthorized access to
    networked services.

32
11 Access Control (Cont.)
  • 11.5 Operating system access control
  • Objective To prevent unauthorized access to
    operating systems.
  • 11.6 Application and information access control
  • Objective To prevent unauthorized access to
    information held in application systems.
  • 11.7 Mobile computing and teleworking
  • Objective To ensure information security when
    using mobile computing and teleworking facilities.

33
12 Information systems acquisition, development
and maintenance
  • 12.1 Security requirements of information systems
  • Objective To ensure that security is an integral
    part of information systems.
  • 12.2 Correct processing in applications
  • Objective To prevent errors, loss, unauthorized
    modification or misuse of information in
    applications.
  • 12.3 Cryptographic controls
  • Objective To protect the confidentiality,
    authenticity or integrity of information by
    cryptographic means.

34
12 Information systems acquisition, development
and maintenance (Cont.)
  • 12.4 Security of system files
  • Objective To ensure the security of system
    files.
  • 12.5 Security in development and support
    processes
  • Objective To maintain the security of
    application system software and information.
  • 12.6 Technical Vulnerability Management
  • Objective To reduce risks resulting from
    exploitation of published technical
    vulnerabilities.

35
13 Information security incident management
  • 13.1 Reporting information security events and
    weaknesses
  • Objective To ensure information security events
    and weaknesses associated with information
    systems are
  • communicated in a manner allowing timely
    corrective action to be taken.
  • 13.2 Management of information security incidents
    and improvements
  • Objective To ensure a consistent and effective
    approach is applied to the management of
    information security incidents.

36
14 Business continuity management
  • 14.1 Information security aspects of business
    continuity management
  • Objective To counteract interruptions to
    business activities and to protect critical
    business processes from the effects of major
    failures of information systems or disasters and
    to ensure their timely resumption.

37
15 Compliance
  • 15.1 Compliance with legal requirements
  • Objective To avoid breaches of any law,
    statutory, regulatory or contractual obligations,
    and of any security requirements.
  • 15.2 Compliance with security policies and
    standards, and technical compliance
  • Objective To ensure compliance of systems with
    organizational security policies and standards.
  • 15.3 Information systems audit considerations
  • Objective To maximize the effectiveness of and
    to minimize interference to/from the information
    systems audit process.

38
Information Security Organization and Structure
  • Its all about ability to execute
  • Muti-disciplinary approach involving
    collaboration and cooperation
  • Organization segregation of control execution
    from control requirements and approvals
  • Control executors accountable for control
    execution
  • Oversight responsibility where does Information
    Security report?

39
Business Governance
Information Security Program
Internal Audit
  • Information Risk Mgt
  • Security Policy
  • Risk Assessments
  • Security Assurance
  • Monitoring and Response
  • Vulnerability Mgt
  • Identity Mgt
  • External Compliance
  • PCI,SOX,HIPAA,PII
  • Control Implementation
  • Access Administration
  • Patching
  • Anti-virus
  • Baseline Configurations
  • Firewall rules
  • Application Security Stds
  • Policy
  • Controls
  • Compliance

Information Security
IT
40
Information Security Functions
  • Chief Information Security Officer
  • Information Security Office
  • Compliance Management
  • Identity Management
  • Security Configuration Management
  • Risk Assessment
  • Security Education, Awareness and Training (SETA)
  • Security Operations
  • SOC/NOC Coordination
  • Incident Response
  • Security Integrated Process Team Management
  • Compliance
  • PII, HIPPA, and PCI compliance policy
  • Controls compliance program

41
Information Security Office (ISO)
  • Enterprise Security Mgt
  • Security Architecture
  • System Accreditation
  • Access and Identity Management
  • Physical Security requirements
  • Risk Management
  • Security Assurance
  • Application Vulnerability Mgt
  • Risk Assessment execution
  • 3rd Party Risk Management
  • Security Education, Awareness and Training
  • Disaster Recovery/BCP

42
Security Operations Center (SOC)
  • Security Monitoring
  • Monitoring and alerting
  • Intrusion Detection
  • Policy violations
  • Anti-Virus monitoring
  • Log Analysis
  • Incident Response
  • Incident Response Plan
  • Incident Response Team Mgt
  • Management reporting
  • Security Engineering
  • Vulnerability/Penetration testing
  • Vulnerability remediation
  • Policy violation remediation
  • Network Integrity mgt
  • Technology control effectiveness

43
Information Security Compliance (ISC)
  • Security Policies and Compliance
  • PCI, HIPAA, SOX, Privacy
  • ISO 27001/ISO 27002
  • IT Operational Controls Compliance
  • Vulnerability Management
  • Baseline Configuration
  • Policy/Standards/Process Compliance
  • Audit/Assessment Mgt
  • Compliance evidence
  • Management Response
  • Remediation Mgt
  • Document Mgt

44
Discussion
  • Lessons Learned
  • Going Forward
  • Your Experience?
  • Governance
  • ISO
  • Other security frameworks
Write a Comment
User Comments (0)
About PowerShow.com