daniel.dresner@ncc.co.uk
2005
The National Computing Centre: providing personal and professional development for IT leaders, 2008

You can't undisclose a disclosure
The National Computing Centre

Agenda:
The landscape of information security standards
Introduce a corporate information security programme step-by-step
Good practice security controls for information management
All business or service processes need the ability to go through iterative phases of plan-do-check-act. This chart shows how the top 8 national and international standards (emboldened text) form part of the best practice framework in information technology. This standards framework is the foundation for organisations to accept the technical standards of particular technologies, including those special to vendors.

Standards shown in the chart:
ISO/IEC TR 15443-3 Framework for IT security assurance: analysis of assurance methods
Accredit UK
Control Objectives for Information and Related Technology (CobIT)
ISO 18019 Guidelines for the design and preparation of user documentation for application software
ISO/IEC 12207 Software life cycle processes
BS ISO/IEC 38500 Corporate governance of information technology
STARTS Software Techniques for Reliable, Trusted Systems
e-Government Interoperability Framework (e-GIF)
ISO 27005 Information security: risk management
NCC services: Rapid Surveys, RFI service, Round Tables, Bespoke Reports, Advisory services

Human Firewall:
User
Training
Corporate User
Technical Consultant
System Developer
System Analyst
System Tester
Technical Support
2005: ISO 17799 (revised) becomes ISO 27002
2005: ISO 27001 (aka BS 7799 Part 2)

Code of practice: a catalogue of 135 controls! Pick and mix using ISO 27001. No certificates!
TickIT:
Quality policy
Preventive action
Customer feedback
Responsibility, authority and communication
Measurement
Resource management
Purchasing
Further standards in the chart:
ISO/IEC 20000 IT service management
ISO/IEC 25000 Quality characteristics
ISO/IEC 24762 Guidelines for ICT disaster recovery services
ISO 18019 Guidelines for the design and preparation of user documentation for application software
ISO/IEC 15288 System life cycle processes
How to do it? ISO 27001 Information security management systems: requirements
BS 25777 IT service continuity
BS 10008 Evidential weight and legal admissibility of electronic information
ISO/IEC 12207 Software life cycle processes
BS ISO/IEC 38500 Corporate governance of information technology
STARTS Software Techniques for Reliable, Trusted Systems
e-Government Interoperability Framework (e-GIF)
ISO 27005 Information security: risk management
Project plan
(1) Senior management acceptance and endorsement of security
(2) Information security organisation and infrastructure
(3) High level security policy
(4) Staff training and education creating security awareness
(5) Identify and classify the assets
(6) Risk assessment
(7) Risk treatment plan
(8) Security standards document (control measures)
(9) Statement of applicability
(10) System security plans and procedures
(11) Monitor and review the ISMS performance
(12) Maintain the ISMS; continuous improvement
(13) Extending the scope
1. Scope: what assets are we protecting? Asset ownership?
2. Policy
3. Risk Assessment
4. Security Controls
5. Applicability
6. Business Continuity
7. Processes
Feedback: Test, Update, Reappraise, Security Incidents
Project constraints: time, quality, content, cost
Guide retention, storage media type, handling, and disposal to meet business, statutory, regulatory or contractual requirements.
Keep an inventory of sources of key information.
Implement procedures (with or without technology) to protect records and information from loss, destruction and falsification.
Store cryptographic keys and programs to enable decryption.
See ISO 15489-1 . . .
ISMS = RMS
ISMS ≠ IT
The National Computing Centre 2009
Final thought
2008: the year of lost data (UK)
2009: the year of encryption
2010: the year of lost encryption keys
PAS 77:2006 IT service continuity