Information Security Management System (ISMS) Overview

Arhnel Klyde S. Terroza

May 12, 2015
Arhnel Klyde S. Terroza
CPA, CISA, CISM, CRISC, ISO 27001 Provisional Auditor
Internal Auditor at Clarien Bank Limited
Former IT Risk and Assurance Manager with Ernst & Young Financial Services Organization (FSO), Hamilton, Bermuda and San Antonio, TX
Certified Public Accountant (CPA, Philippines), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), and ISO 27001 Provisional Auditor
Bachelor of Science in Accountancy from Silliman University (Philippines)
AGENDA
What is an Information Security Management System (ISMS)?
What are the standards, laws, and regulations out there that will help you build or assess your InfoSec Management Program?
What is ISO/IEC 27001:2013?
What are the ISO/IEC 27001 Controls?
What are the benefits of adopting ISO 27001?
Why do you need to conduct an InfoSec awareness survey?
www.novainfosec.com

What is ISMS?
Part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security (ISO definition).
Note: A management system is a set of interrelated or interacting elements of an organization to establish policies and objectives and processes to achieve those objectives. The scope of a management system may include the whole of the organization, specific and identified functions of the organization, specific and identified sections of the organization, or one or more functions across a group of organizations.
Influenced by the organization's needs and objectives, security requirements, the processes employed and the size and structure of the organization.
Expected to change over time.
A holistic approach to managing information security: confidentiality, integrity, and availability of information and data.
What are the InfoSec related standards, laws and regulations?

ISO 27000 Family of International Standards
Provides the best practice recommendations on InfoSec management, risks and controls within the context of an overall ISMS.
ISO 27000: Overview and Vocabulary (2014)
ISO 27001: ISMS Requirements (2013)
ISO 27002: Code of Practice (2013)
ISO 27003: ISMS Implementation Guidance (2010)
ISO 27004: ISM Measurement (2009)
ISO 27005: InfoSec Risk Management (2011)
ISO 27006: Requirements for Bodies Providing Audit and Certification of ISMS (2011)
ISO 27007 / 27008: Guidelines for Auditing InfoSec Controls (2011)
ISO 27014: Governance of InfoSec (2013)
ISO 27015: ISM Guidelines for Financial Services (2012)
www.iso.org

Other Standards
Payment Card Industry Data Security Standard (PCI DSS)
US National Institute of Standards and Technology (NIST): Security and Privacy Controls for Federal Information Systems and Organizations (NIST Special Publication 800-53); Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework)
ISACA Cybersecurity Nexus
The IIA GTAG 15: Information Security Governance (2010)
What are the InfoSec related standards, laws and regulations?
Governmental laws and regulations with (or that will have) a significant effect on InfoSec:
UK Data Protection Act 1998
The Computer Misuse Act 1990 (UK)
Federal Information Security Management Act 2002 (US)
Gramm-Leach-Bliley Act (GLBA) 1999 (US)
Federal Financial Institutions Examination Council's (FFIEC) security guidelines (US)
Sarbanes-Oxley Act (SOX) 2002 (US)
State security breach notification laws (e.g. California) (US)
Family Educational Rights and Privacy Act (US)
Health Insurance Portability and Accountability Act (HIPAA) 1996 (US)
Bermuda laws???
What is ISO/IEC 27001:2013?
Leading international standard for ISMS. Specifies the requirements for establishing, implementing, maintaining, monitoring, reviewing and continually improving the ISMS within the context of the organization. Includes assessment and treatment of InfoSec risks.
Best framework for complying with information security legislation.
Not a technical standard that describes the ISMS in technical detail.
Does not focus on information technology alone, but also other important business assets, resources, and processes in the organization.

[Figure: ISO/IEC 27001 Evolution. Source: www.iso27001security.com]
What is ISO/IEC 27001:2013?
World distribution of ISO/IEC 27001 certificates in 2013
Worldwide total 2013: 22,293 (up 14%)
Worldwide total 2012: 19,620
Japan: 7,084
India: 1,931
United Kingdom: 1,923
China: 1,710
Spain: 799
United States: 566
Australia: 138
Canada: 66
Source: www.iso.org
What is ISO/IEC 27001:2013?
[Figure: Evolution of ISO/IEC 27001 certificates, United States and United Kingdom. Source: www.iso.org]

ISO does not perform certification. Organizations looking to get certified to an ISO standard must contact an independent certification body. Certification bodies must use the ISO's Committee on Conformity Assessment (CASCO) standards related to the certification process; for an ISMS, ISO/IEC 27006 (listed above) sets the requirements for bodies that audit and certify it.
What is ISO/IEC 27001:2013?
[Figure: ISO/IEC 27001 - Worldwide total. Stacked bar chart of certificates per year, 2006 to 2013, broken down by region: Middle East, Central and South Asia, East Asia and Pacific, Europe, North America, Central / South America, Africa. Source: www.iso.org]
What is ISO/IEC 27001:2013?
[Figure not reproduced. Sources: http://iaardirectory.jadianonline.com/Directory, http://www.bsiamerica.com]
What is ISO/IEC 27001:2013?
Process approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's ISMS:
[Figure not reproduced]
What are the ISO/IEC 27001 Controls?
Seven (7) mandatory clauses (Clauses 4 to 10: the ISMS requirements, as distinct from the Annex A controls) for organizations claiming conformance to the ISO/IEC 27001 standard:
Clause 4 Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the information security management system
4.4 Information security management system
Clause 5 Leadership
5.1 Leadership and commitment
5.2 Policy
5.3 Organizational roles, responsibilities and authorities
Clause 6 Planning
6.1 Actions to address risks and opportunities
6.2 Information security objectives and planning to achieve them
What are the ISO/IEC 27001 Controls?
Mandatory clauses (cont.):
Clause 7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
Clause 8 Operation
8.1 Operational planning and control
8.2 Information security risk assessment
8.3 Information security risk treatment
Clause 9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
What are the ISO/IEC 27001 Controls?
Mandatory clauses (cont.):
Clause 10 Improvement
10.1 Nonconformity and corrective action
10.2 Continual improvement

ISO/IEC 27001:2013 ISMS Control Point and Control Objective Summary (mandatory clauses)
Reference | Description                 | Control Total
Clause 4  | Context of the organization | 8
Clause 5  | Leadership                  | 19
Clause 6  | Planning                    | 39
Clause 7  | Support                     | 28
Clause 8  | Operation                   | 9
Clause 9  | Performance evaluation      | 29
Clause 10 | Improvement                 | 16
Total Control Points: 148
Source: www.slideshare.net, by Mark E. S. Bernard (2013)
What are the ISO/IEC 27001 Controls?
14 Control Categories (Domain/Control Area): Discretionary Controls (Annex A)
A.5 Information security policies
A.5.1 Management direction for information security
A.6 Organization of information security
A.6.1 Internal organization
A.6.2 Mobile devices and teleworking
A.7 Human resource security
A.7.1 Prior to employment
A.7.2 During employment
A.7.3 Termination and change of employment
What are the ISO/IEC 27001 Controls?
14 Control Categories (Domain/Control Area): Discretionary Controls (Annex A)
A.8 Asset management
A.8.1 Responsibility for assets
A.8.2 Information classification
A.8.3 Media handling
A.9 Access control
A.9.1 Business requirements of access control
A.9.2 User access management
A.9.3 User responsibilities
A.9.4 System and application access control
A.10 Cryptography
A.10.1 Cryptographic controls
What are the ISO/IEC 27001 Controls?
14 Control Categories (Domain/Control Area): Discretionary Controls (Annex A)
A.11 Physical and environmental security
A.11.1 Secure areas
A.11.2 Equipment
A.12 Operations security
A.12.1 Operational procedures and responsibilities
A.12.2 Protection from malware
A.12.3 Backup
A.12.4 Logging and monitoring
A.12.5 Control of operational software
A.12.6 Technical vulnerability management
A.12.7 Information systems audit considerations
What are the ISO/IEC 27001 Controls?
14 Control Categories (Domain/Control Area): Discretionary Controls (Annex A)
A.13 Communications security
A.13.1 Network security management
A.13.2 Information transfer
A.14 System acquisition, development and maintenance
A.14.1 Security requirements of information systems
A.14.2 Security in development and support processes
A.14.3 Test data
A.15 Supplier relationships
A.15.1 Information security in supplier relationships
A.15.2 Supplier service delivery management
A.16 Information security incident management
A.16.1 Management of information security incidents and improvements
What are the ISO/IEC 27001 Controls?
14 Control Categories (Domain/Control Area): Discretionary Controls (Annex A)
A.17 Information security aspects of business continuity management
A.17.1 Information security continuity
A.17.2 Redundancies
Note: A comprehensive BCMS standard was published by ISO in 2012: ISO 22301:2012
A.18 Compliance
A.18.1 Compliance with legal and contractual requirements
A.18.2 Information security reviews

ISO/IEC 27002:2013 is a better reference for selecting controls when implementing an ISMS based on ISO/IEC 27001:2013, either for certification purposes or alignment to a leading standard. Or it could simply be used as a guidance document for implementing commonly accepted information security controls.
Caveat: "discretionary" does not mean optional. Clause 6.1.3 requires the controls chosen in the risk treatment plan to be compared against Annex A, and the Statement of Applicability must list every Annex A control with a justification for including or excluding it; a certification auditor will test each exclusion against that justification.
What are the ISO/IEC 27001 Controls?
ISO/IEC 27001:2013 ISMS Control Point and Control Objective Summary (Annex A, discretionary)
Reference | Description                                                     | Control Total
A5        | Information security policies                                   | 2
A6        | Organization of information security                            | 7
A7        | Human resource security                                         | 6
A8        | Asset management                                                | 10
A9        | Access control                                                  | 14
A10       | Cryptography                                                    | 2
A11       | Physical and environmental security                             | 15
A12       | Operations security                                             | 14
A13       | Communications security                                         | 7
A14       | System acquisition, development and maintenance                 | 13
A15       | Supplier relationships                                          | 5
A16       | Information security incident management                        | 7
A17       | Information security aspects of business continuity management  | 4
A18       | Compliance                                                      | 8
Total Control Points: 114 (Annex A of ISO/IEC 27001:2013 lists 114 controls under 35 control objectives in 14 domains; A.9 alone has 14: two in A.9.1, six in A.9.2, one in A.9.3 and five in A.9.4)
Source: www.slideshare.net, by Mark E. S. Bernard (2013)
What are the benefits of ISO/IEC 27001:2013?
Best framework for complying with information security legal, regulatory and contractual requirements
Better organizational image because of the certificate issued by a certification body
Proves that senior management is committed to the security of the organization, including customers' information
Focused on reducing the risks for information that is valuable for the organization
Provides a common goal
Optimized operations within the organization because of clearly defined responsibilities and business processes
Builds a culture of security
What are the benefits of ISO/IEC 27001:2013?
BSI Study on ISO 27001
87% of respondents stated that implementing ISO/IEC 27001 had a positive or very positive outcome
Ability to meet compliance requirements increased for 60% of organizations
Number of security incidents decreased for 39%
Downtime of IT systems decreased for 39%
Ability to respond to tenders increased for 43%
Relative competitive position increased for 47%
51% saw an increase in external customer satisfaction following the implementation of an ISMS
40% saw an increase in internal customer satisfaction
66% noted an increase in the quality control of information security processes and procedures, and 40% a decrease in risk
Source: http://www.bsiamerica.com
Why do you need to conduct an InfoSec awareness survey?
What is an information security awareness program?
Promotes a risk- and security-aware culture.
Helps in managing security incidents, compliance risks, and financial losses.
e.g. phishing exercises, newsletters, posters

What are the benefits of conducting an information security awareness survey?
Provides visibility into organizational behavior with respect to information security.
Data collected can be used to identify areas of possible improvement and risk reduction.
An initial survey can provide a baseline of security awareness of the organization; when applied over time, it can indicate progress or challenges in the InfoSec awareness program.
Helps the InfoSec Team and Human Resources gain a degree of understanding of personnel's attitudes and habits related to information security within the context of their day-to-day activities.
Why do you need to conduct an InfoSec awareness survey?
Misconception of awareness survey
An information security awareness survey is not intended to assess the organization's ISMS.

How to deploy surveys
Online survey tools (e.g. SurveyMonkey)
Traditional mail

How to analyze data from the survey?
Quantitative: aggregate responses to a question.
Qualitative: open-ended questions can provide qualitative data. Comparison of results across departments, roles, and demographics (e.g. tenure within the company).
Note: How you analyze data depends on what questions are included.
Why do you need to conduct an InfoSec awareness survey?
Can an overall risk be concluded from the survey?
Questions can be designed in such a manner that answers are assigned a risk score.
For example, each question response is assigned a risk value of one to five, one being the lowest risk value and five the highest risk value.
Results of the survey can be used to determine the overall risk score of the organization.
For example (the bands below correspond to a 25-question survey, so a respondent's total ranges from 25 to 125):

Risk Score            | Description
Low (25-39)           | Users are aware of good security principles and threats, have been properly trained, and comply with the Organization's security policies and standards.
Elevated (40-59)      | Users have already been trained on the Organization's security policies and standards and are aware of threats, but may not follow good security principles and controls.
Moderate (60-79)      | Users are aware of threats and know they should follow good security principles and controls, but need training on the Organization's security policies and standards. They also may not know how to identify or report a security event.
Significant (80-99)   | Users are not aware of good security principles or threats, nor are they aware of or compliant with the Organization's security policies and standards.
High (100 and higher) | Users are not aware of threats and disregard known security policies and standards or do not comply. They are likely to engage in activities or practices that are easily attacked and exploited.
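As an added example that is not part of the original presentation, the following Python script applies this scoring scheme: it validates each respondent's 25 answers (a missing or out-of-range answer is rejected rather than silently lowering the score), sums them, maps the total to the bands above, and breaks the result down by department so the cross-department comparison mentioned on the previous slide can be made. The 25-question count, the department labels and the responses are assumptions constructed for the example.

```python
"""Added example (not from the original presentation): aggregate a scored
information security awareness survey into the risk bands on the slide.
Assumes 25 questions, each answered on a 1 (lowest risk) to 5 (highest risk)
scale; the respondents and departments below are constructed sample data."""

from collections import defaultdict
from statistics import mean

# Band thresholds from the slide: (lower bound inclusive, label), highest first.
RISK_BANDS = [
    (100, "High"),
    (80, "Significant"),
    (60, "Moderate"),
    (40, "Elevated"),
    (25, "Low"),
]

QUESTION_COUNT = 25          # assumption: 25 questions gives the 25..125 range
MIN_VALUE, MAX_VALUE = 1, 5  # per-question risk value


def score_response(answers):
    """Sum one respondent's answers into a risk score.

    Every question must be answered with an integer in 1..5. A missing or
    out-of-range answer raises instead of being skipped, because skipping it
    would lower the total and make a careless respondent look low-risk.
    """
    if len(answers) != QUESTION_COUNT:
        raise ValueError(f"expected {QUESTION_COUNT} answers, got {len(answers)}")
    for i, a in enumerate(answers, start=1):
        if not isinstance(a, int) or not MIN_VALUE <= a <= MAX_VALUE:
            raise ValueError(f"question {i}: answer {a!r} not in {MIN_VALUE}..{MAX_VALUE}")
    return sum(answers)


def risk_band(score):
    """Map a score to the slide's band label (Low, Elevated, ..., High)."""
    for lower, label in RISK_BANDS:
        if score >= lower:
            return label
    raise ValueError(f"score {score} is below the minimum possible {QUESTION_COUNT}")


def summarise(responses):
    """Overall mean score and band, plus a per-department breakdown.

    `responses` is a list of (department, answers) tuples. The per-department
    view is what turns the survey into a targeting tool for the awareness
    programme: it shows where training effort should go first.
    """
    scores = [(dept, score_response(ans)) for dept, ans in responses]
    overall = mean(s for _, s in scores)
    by_dept = defaultdict(list)
    for dept, s in scores:
        by_dept[dept].append(s)
    per_dept = {
        d: {"n": len(v), "mean": mean(v), "band": risk_band(round(mean(v)))}
        for d, v in by_dept.items()
    }
    return {
        "n": len(scores),
        "mean": overall,
        "band": risk_band(round(overall)),
        "departments": per_dept,
    }


# Constructed sample data: three respondents from two assumed departments.
SAMPLE_RESPONSES = [
    ("Finance", [1] * 20 + [2] * 5),        # total 30  -> Low
    ("Finance", [2] * 15 + [3] * 10),       # total 60  -> Moderate
    ("Operations", [4] * 20 + [5] * 5),     # total 105 -> High
]

if __name__ == "__main__":
    result = summarise(SAMPLE_RESPONSES)
    print(f"overall: n={result['n']} mean {result['mean']:.1f} -> {result['band']}")
    for dept, r in result["departments"].items():
        print(f"  {dept}: n={r['n']} mean {r['mean']:.1f} -> {r['band']}")
```

Rounding the mean before banding keeps a department with an average of 39.5 in the Low band only if the rounding rule says so; if the programme owner wants the conservative reading, replace round() with math.ceil() so borderline averages fall into the higher-risk band.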
SUMMARY
An organization needs to undertake the following steps in establishing, monitoring, maintaining and improving its ISMS:
Identify information assets and their associated information security requirements
Assess information security risks and treat information security risks [to an acceptable level]
Select and implement relevant controls to manage unacceptable risks [or to reduce risks to acceptable levels]
Monitor, maintain and improve the effectiveness of controls associated with the organization's information assets
SUMMARY
Adoption of an ISMS should be a strategic decision for an organization.
ISMS is a holistic approach to managing information security: confidentiality, integrity, and availability of information and data.
Laws and regulations are continuing to evolve to address information security risk and privacy. ISO/IEC 27001:2013 is the best framework for complying with information security legislation.
ISO/IEC 27001:2013 is not a technical standard for IT only.
Increasing trend in adopting a holistic approach (using ISO/IEC 27001:2013) in managing information security risks.
Organizations need to conduct an information security awareness survey.
Questions
