Académique Documents
Professionnel Documents
Culture Documents
An introduction to ISO27k
s e c u r i t y
This work is copyright 2012, Mohan Kamat and ISO27k Forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that: (a) it is not sold or incorporated into a commercial product; (b) it is properly attributed to the ISO27k Forum (www.ISO27001security.com); and (c) any derivative works that are shared are subject to the same terms as this work.
A g e n d a
What is information?
I N F O R M A T I O N
Information
is an
like other important business organization and consequently needs to be suitably protected
asset
which,
ISO/IEC 27002:2005
I n f o r m a t i o n t y p e s
Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected
(ISO/IEC 27002:2005)
I n f o l i f e c y c l e
Information can be
Created Owned (it is an asset) Stored Processed Transmitted/communicated Used (for proper or improper purposes) Modified or corrupted Shared or disclosed (whether appropriately or not) Destroyed or lost Stolen Controlled, secured and protected throughout its existence
5
treating
them
o Protecting CIA (Confidentiality, Integrity and Availability) o Avoiding, preventing, detecting and recovering from incidents o Securing people, processes and technology not just IT!
S e c u r i t y e l e m e n t s
PEOPLE
Staff & management
PROCESSES
Business activities
TECHNOLOGY
IT, phones, pens
People
P e o p l e
People who use or have an interest in our information security include:
Shareholders / owners
Management & staff Customers / clients, suppliers & business partners Service providers, contractors, consultants & advisors Authorities, regulators & judges
Our biggest
engineers, unethical competitors, hackers, fraudsters, careless workers, bugs, flaws ), yet our biggest
threats
asset
Processes
P r o c e s s e s Processes are work practices or workflows, the steps or activities needed to accomplish business objectives.
Processes are described in procedures. Virtually all business processes involve and/or depend on information making information a critical business asset.
Information security policies and procedures define how we secure information appropriately and repeatedly.
T e c h n o l o g y
Technology
Information technologies
Cabling, data/voice networks and equipment Telecommunications services (PABX, VoIP, ISDN, videoconferencing)
Paperwork, files
Pens, ink
Security technologies
Locks, barriers, card-access systems, CCTV
10
C I A
Confidentiality
Integrity
Availability
12
I m p a c t s
What is risk?
K e y t e r m
Risk is the possibility that a
vulnerability
leading to an adverse
threat
exploits a
in an information asset,
impact
on the organization
Threat: something that might cause harm Vulnerability: a weakness that might be exploited Impact: financial damage etc.
14
R e l a t i o n s h i p s
Risk relationships
Threats
exploit
Vulnerabilities
Controls
reduce
Risk
to
Information assets
Security requirements
Value
15
T h r e a t a g e n t
Threat agent
Machine
Nature
16
Motive
M o t i v e
17
T h r e a t
t y p e s
19
I S O 2 7 k
1990s
Information Security Management Code of Practice
produced by a UK government-sponsored working group Based on the security policy used by Shell Became British Standard BS7799
2000s
Adopted by ISO/IEC Became ISO/IEC 17799 (later renumbered ISO/IEC 27002) ISO/IEC 27001 published & certification scheme started
Now
Expanding into a suite of information security standards
(known as ISO27k) Updated and reissued every few years
20
ISO 27001
I S O 2 7 0 0 1
Concerns the
Uses Plan, Do, Check, Act (PDCA) to achieve, maintain and improve alignment of security with risks
Covers all types of organizations (e.g. commercial companies, government agencies, not-for-profit organizations) and all sizes
Thousands of organizations worldwide have been certified compliant
21
Plan-Do-Check-Act
ISMS PROCESS
Interested parties
Management responsibility
P D C A
Interested parties
PLAN
Establish ISMS
DO
Implement & operate the ISMS
ACT
Maintain & improve
CHECK
Monitor & review ISMS
22
C O N T R O L
Compliance
Asset Management
C L A U S E S
Physical Security
Access Control
23
C O N T R O L
Information security policy - management direction Organization of information security management framework for implementation Asset management assessment, classification and protection of valuable information assets HR security security for joiners, movers and leavers
C L A U S E S
Physical & environmental security - prevents unauthorised access, theft, compromise, damage to information and computing facilities, power cuts
24
C O N T R O L
Communications & operations management ensures the correct and secure operation of IT Access control restrict unauthorized access to information assets Information systems acquisition, development & maintenance build security into systems Information security incident management deal sensibly with security incidents that arise
C L A U S E S
Business continuity management maintain essential business processes and restore any that fail Compliance - avoid breaching laws, regulations, policies and other security obligations
25
I M P L E M E N T A T I O N
IS POLICY
SECURITY ORGANISATION
MANAGEMENT REVIEW
P R O C E S S C Y C L E
Establish ISMS
PLAN
DO
ACT
Review ISMS
CONTROL SELECTION & IMPLEMENTATION
Monitor &
CHECK
CHECK PROCESSES
26
B e n e f i t s
Demonstrable commitment to security by the organization Legal and regulatory compliance Better risk management Commercial credibility, confidence, and assurance Reduced costs Clear employee direction and improved awareness
27
ISMS scope
S c o p e
Data center & DR site All information assets throughout the organization
28
K e y d o c u m e n t s
29
V I S I O N &
M I S S I O N
To design, implement, operate, manage and maintain an Information Security Management System that complies with international standards, incorporating generally-accepted good security practices
30
Who is responsible?
Information Security Management Committee
Information Security Manager/CISO and Department Incident Response Team Business Continuity Team IT, Legal/Compliance, HR, Risk and other departments Audit Committee Last but not least,
W h o
you!
Policy is signed by the CEO and mandated by top management Find it on the intranet
32
I N F O A S S E T C L A S S I F I C A T I O N
33
Confidentiality C l a s s i f i c a t i o n
Confidentiality of information concerns the protection of sensitive (and often highly valuable) information from unauthorized or inappropriate disclosure.
Confidentiality level
High
Medium Low
3/10/
Explanation Information which is very sensitive or private, of great value to the organization and intended for specific individuals only. The unauthorized disclosure of such information can cause severe harm such as legal or financial liabilities, competitive disadvantage, loss of brand value e.g. merger and acquisition related information, marketing strategy Information belonging to the company and not for disclosure to public or external parties. The unauthorized disclosure of this information may harm to the organization somewhat e.g. organization charts, internal contact lists. Non-sensitive information available for public disclosure. The impact of unauthorized disclosure of such information shall not harm Organisation anyway. E.g. Press releases, Companys News letters e.g. Information published on companys website
Mohan Kamat
34
U S E R
Physical security
R E S P O N S I B I L I T I E S
Do
Read and follow security policies and procedures Display identity cards while on the premises Challenge or report anyone without an ID card Visit the intranet Security Zone or call IT Help/Service Desk for advice on most information security matters
Do not
Allow unauthorized visitors onto the premises Bring weapons, hazardous/combustible materials, recording devices etc., especially in secure areas
Use personal IT devices for work purposes, unless explicitly authorized by management
35
U S E R
Password Guidelines
R E S P O N S I B I L I T I E S Use long, complicated passphrases - whole sentences if you can Reserve your strongest passphrases for high security systems (dont re-use the same passphrase everywhere) Use famous quotes, lines from your favorite songs, poems etc. to make them memorable
Use short or easily-guessed passwords Write down passwords or store them in plain text Share passwords over phone or email
36
U S E R
Internet usage
R E S P O N S I B I L I T I E S
Use the corporate Internet facilities only for legitimate and authorized business purposes
Avoid websites that would be classed as obscene, racist, offensive or illegal anything that would be embarrassing Do not access online auction or shopping sites, except where authorized by your manager Dont hack! Do not download or upload commercial software or other copyrighted material without the correct license and permission from your manager
Warning: Internet usage is routinely logged and monitored. Be careful which websites you visit and what you disclose.
37
U S E R
E-mail usage
R E S P O N S I B I L I T I E S
Use corporate email for business purposes only Follow the email storage guidelines If you receive spam email, simply delete it. If it is offensive or you receive a lot, call the IT Help/Service Desk
Do not use your corporate email address for personal email Do not circulate chain letters, hoaxes, inappropriate jokes, videos etc. Do not send emails outside the organization unless you are authorized to do so Be very wary of email attachments and links, especially in unsolicited emails (most are virus-infected)
38
U S E R
Security incidents
R E S P O N S I B I L I T I E S
Report information security incidents, concerns and near-misses to IT Help/Service Desk: Email Telephone Anonymous drop-boxes Take their advice on what to do
Do not discuss security incidents with anyone outside the organization Do not attempt to interfere with, obstruct or prevent anyone else from reporting incidents
39
R e s p o n s i b i l i t i e s
Ensure your PC is getting antivirus updates and patches Lock your keyboard (Windows-L) before leaving your PC unattended, and log-off at the end of the day Store laptops and valuable information (paperwork as well as CDs, USB sticks etc.) securely under lock and key Keep your wits about you while traveling:
Keep your voice down on the cellphone
41