Information Security Management - apcer

Information Security Management & Certification Seminário Modelos de Gestão em Tecnologias de Informação: Gestão de Serviços, da Segurança e da Inovação Guimarães, Portugal 2010-XI-18

Prof. Filipe de Sá-Soares

University of Minho ISSArg – Information Systems Security and Auditing Research Group [email protected]

Agenda

- A View of Information Security Management
- Controls
- Information Security Standards
- ISO/IEC 27001
- ISO/IEC 27001 Certification

Dimensions of Information Security


Information Security Management

- To maintain the integrity of intra- and inter-dimension (technical, formal, and informal) operations, considering the regulatory framework that the organization must observe. Any disagreement between the dimensions can create security problems.
- Components:
  - Evaluation
  - Planning
  - Design
  - Implementation
- To manage information security is to implement a set of controls.

Controls

- By Type
  - Regulatory – E.g.: laws, regulations, standards
  - Informal – E.g.: information security training, information security awareness programs, adoption of good practices in management, development of an organizational culture that promotes information security
  - Formal – E.g.: information security policies, definition of responsibilities in the realm of information security, rotation of duties, procedure for recruiting and retaining employees, contingency plans
  - Technical – E.g.: authentication via smart cards or passwords, digital signatures, intrusion detection systems, firewalls, antivirus

Controls (cont)

- By Purpose
  - Directing – To guide the information security effort. E.g.: information security policies, information assets classification
  - Structuring – To define the information security effort's structures of responsibility and authority. E.g.: definition of responsibilities over information resources, definition of responsibilities for the users of those resources, establishment of the duties with responsibility and authority to direct the information security effort
  - Learning – To improve or increase the knowledge about the information security effort. E.g.: research and analysis of information security incidents
  - Preventing – To safeguard, dissuade, or block the occurrence of adverse events to the information system. E.g.: logical access controls to the computer network, physical access controls to premises or equipment, backups
  - Detecting – To discover the occurrence of adverse events to the information system. E.g.: antivirus, monitoring of activity and use of systems, report of anomalies or potential security breaches
  - Reacting – To respond to the occurrence of adverse events to the information system. E.g.: antivirus, business continuity procedures, determining liability and imposing sanctions on employees who have not complied with the information security rules set by the organization
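The two classifications above (controls by type and controls by purpose) are most useful when crossed: an ISMS planner wants to know which type/purpose combinations have no control at all, and which purposes rest on a single dimension (for example, detection that is only technical, with no formal reporting procedure behind it), since the seminar's own premise is that disagreement between the technical, formal and informal dimensions creates security problems. The following Python script is an added example, not part of the seminar material; the control catalogue it analyses is a constructed sample that reuses the control names given on the slides, and the function names are ours.

```python
"""Control-coverage check over a constructed control catalogue (added example).

Each control is tagged with one of the four types (regulatory, informal,
formal, technical) and one of the six purposes (directing, structuring,
learning, preventing, detecting, reacting) used in the seminar slides.
The checks report empty type/purpose cells and purposes served by only one
control type, which is the kind of gap an ISMS planner looks for before
selecting controls.
"""
from collections import defaultdict
from dataclasses import dataclass

TYPES = ("regulatory", "informal", "formal", "technical")
PURPOSES = ("directing", "structuring", "learning",
            "preventing", "detecting", "reacting")


@dataclass(frozen=True)
class Control:
    name: str
    ctype: str      # one of TYPES
    purpose: str    # one of PURPOSES

    def __post_init__(self):
        # Reject tags outside the taxonomy so a typo cannot hide a gap.
        if self.ctype not in TYPES:
            raise ValueError(f"unknown control type: {self.ctype}")
        if self.purpose not in PURPOSES:
            raise ValueError(f"unknown control purpose: {self.purpose}")


# Constructed sample catalogue (assumption: these tags are ours, not the slides').
SAMPLE_CATALOGUE = [
    Control("Information security policy", "formal", "directing"),
    Control("Information asset classification", "formal", "directing"),
    Control("Responsibilities over information resources", "formal", "structuring"),
    Control("Incident research and analysis", "formal", "learning"),
    Control("Security awareness programme", "informal", "preventing"),
    Control("Firewall", "technical", "preventing"),
    Control("Smart-card authentication", "technical", "preventing"),
    Control("Backups", "technical", "preventing"),
    Control("Intrusion detection system", "technical", "detecting"),
    Control("Antivirus", "technical", "detecting"),
    Control("Business continuity procedures", "formal", "reacting"),
    Control("Data protection law", "regulatory", "directing"),
]


def coverage_matrix(catalogue):
    """Count controls per (type, purpose) cell; every cell is present, possibly 0."""
    counts = defaultdict(int)
    for c in catalogue:
        counts[(c.ctype, c.purpose)] += 1
    return {(t, p): counts[(t, p)] for t in TYPES for p in PURPOSES}


def uncovered_purposes(catalogue):
    """Purposes with no control of any type: the gaps that matter most."""
    covered = {c.purpose for c in catalogue}
    return [p for p in PURPOSES if p not in covered]


def purposes_relying_on_single_type(catalogue):
    """Purposes served by exactly one control type, sorted by name.

    A purpose met by a single dimension is a candidate for adding a control
    of another type, so that the dimensions back each other up.
    """
    types_by_purpose = defaultdict(set)
    for c in catalogue:
        types_by_purpose[c.purpose].add(c.ctype)
    return sorted(p for p, ts in types_by_purpose.items() if len(ts) == 1)


def report(catalogue):
    """Render the coverage matrix as a plain-text table."""
    m = coverage_matrix(catalogue)
    lines = ["type/purpose".ljust(14) + "".join(p[:6].rjust(8) for p in PURPOSES)]
    for t in TYPES:
        lines.append(t.ljust(14) + "".join(str(m[(t, p)]).rjust(8) for p in PURPOSES))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CATALOGUE))
    print("purposes with no control:", uncovered_purposes(SAMPLE_CATALOGUE))
    print("purposes served by a single type:",
          purposes_relying_on_single_type(SAMPLE_CATALOGUE))
```

On the sample catalogue every purpose is covered, but detecting, learning, reacting and structuring each depend on one type only; the report makes that visible before the control set is frozen in the ISMS plan.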

Information Security Standards

- Regulatory and prescriptive content acknowledged and accepted by stakeholders
- Usefulness
  - Certification
  - Instrument for self-assessment
  - Best practices
  - Increase of security level
  - Communication platform
- Significant number of standards
  - Economy? Efficiency?
  - Which ones to adopt?
  - Under what circumstances?

Classification of Information Security Related Standards

- Evaluation – To specify, examine, and test the security features or properties of IT products or systems
  - ISO/IEC 15408 – IT - Security techniques - Evaluation criteria for IT security (CC)
- Development – To improve and evaluate the organizational capability in terms of IT security engineering
  - ISO/IEC 21827 – IT - Systems Security Engineering - Capability Maturity Model (SSE-CMM)
- Management – To establish the goals and controls required to manage the security of an organization's information system
  - ISO/IEC 27001, …
- Privacy
  - ISO/IEC CD 29100 – IT - Security techniques - Privacy framework
  - ISO/IEC WD 29101 – IT - Security techniques - Privacy reference architecture
- IT/IS Control/Governance
  - CObIT
  - COSO, CoCo
  - ITIL, ISO/IEC 20000
  - PRINCE

ISO/IEC 27000-series

- ISO/IEC 27000:2009 – IT - Security techniques - Information security management systems - Overview and vocabulary
- ISO/IEC 27001:2005 – IT - Security techniques - Information security management systems - Requirements
- ISO/IEC 27002:2005 – IT - Security techniques - Code of practice for information security management
- ISO/IEC 27003:2010 – IT - Security techniques - Information security management system implementation guidance
- ISO/IEC 27004:2009 – IT - Security techniques - Information security management - Measurement
- ISO/IEC 27005:2008 – IT - Security techniques - Information security risk management
- ISO/IEC 27006:2007 – IT - Security techniques - Requirements for bodies providing audit and certification of information security management systems
- ISO/IEC FCD 27007 – IT - Security techniques - Guidelines for information security management systems auditing
- ISO/IEC PDTR 27008 – IT - Security techniques - Guidelines for auditors on ISMS controls
- ISO/IEC WD 27010 – Information security management for inter-sector and inter-organizational communications
- ISO/IEC 27011:2008 – IT - Security techniques - Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
- ISO/IEC WD 27013 – IT - Security techniques - Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
- ISO/IEC WD 27014 – Proposal on an information security governance (ISG) framework
- ISO/IEC WD 27015 – Proposal on information security management guidelines for financial and insurance services
- ISO/IEC FDIS 27031 – IT - Security techniques - Guidelines for information and communication technology readiness for business continuity
- ISO/IEC CD 27032 – Guidelines for cybersecurity
- ISO/IEC 27033:2009 – IT - Security techniques - IT network security
- ISO/IEC 27034 – IT - Security techniques - Application security
- ISO/IEC FCD 27035 – IT - Security techniques - Information security incident management
- ISO/IEC NP 27036 – IT - Security techniques - Guidelines for security of outsourcing
- ISO/IEC NP 27037 – Guidelines for identification, collection and/or acquisition and preservation of digital evidence

ISO/IEC 27001

- IT - Security techniques - Information security management systems - Requirements
- Standard currently under review
- ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business risks
- It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof
- It covers all types of organizations (commercial enterprises, government agencies, not-for-profit organizations, etc.)

ISO/IEC 27001 (cont)

- ISO/IEC 27001:2005 is intended to be suitable for several different types of use, including the following:
  - use within organizations to formulate security requirements and objectives;
  - use within organizations as a way to ensure that security risks are cost effectively managed;
  - use within organizations to ensure compliance with laws and regulations;
  - use within an organization as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met;
  - definition of new information security management processes;
  - identification and clarification of existing information security management processes;
  - use by the management of organizations to determine the status of information security management activities;
  - use by the internal and external auditors of organizations to determine the degree of compliance with the policies, directives and standards adopted by an organization;
  - use by organizations to provide relevant information about information security policies, directives, standards and procedures to trading partners and other organizations with whom they interact for operational or commercial reasons;
  - implementation of business-enabling information security;
  - use by organizations to provide relevant information about information security to customers.

ISO/IEC 27001 (cont)

- Based on the PDCA process model
  - PLAN – Section 4 expects you to plan the establishment of your organization's ISMS
  - DO – Section 5 expects you to implement, operate, and maintain your ISMS
  - CHECK – Sections 6 and 7 expect you to monitor, measure, audit, and review your ISMS
  - ACT – Section 8 expects you to take corrective and preventive actions and continually improve your ISMS

ISO/IEC 27001 Certificates

- International Register of ISMS Certificates
- 6942 certificates worldwide (October 2010)

  Country           Certificates
  Japan                     3657
  India                      509
  China                      495
  United Kingdom             454
  Taiwan                     376
  Germany                    144
  Korea                      106
  USA                         96
  Czech Republic              95
  Hungary                     71
  ...                        ...
  Spain                       55
  ...                        ...
  Portugal                     3

ISO/IEC 27001 Benefits (Exploratory Study of ISSArg)

- Assurance of customers' data security
- Recording of organizational actions
- Better organization of information security procedures
- Market differentiation
- Competitive advantage
- Regulation of internal processes
- Improvement of company image
- Increase of market share
- Usefulness of certification to meet new legal requirements
- Marketing argument
- Productivity improvement
- Organization tranquility
- Improvement of business continuity
- Lowering the risk of business
- Value added to product
- Improvement of business processes and people behavior
- Reduction of spam

ISO/IEC 27001 Driving Factors (Exploratory Study of ISSArg)

- Ensuring the security of customers' data
- Organization of work
- Support and awareness of top management
- External visibility of information security efforts
- Match of organizational resources to certification requirements
- Transformation of business requirements
- Team spirit
- Concern with internal security
- Governance of the certification process
- Security awareness of organization
- Experience in performing certification processes
- Security training
- Pressures from new customers
- Internal communication of certification goals
- Perceived benefits of compliance with regulation
- Clear certification goals
- Young employees
- Enhancement of compliance with security rules and best practices
- Motivated employees
- Adequacy of the standard to the organization
- Creation of a "sense of urgency"
- Possibility of extending the scope of certification

ISO/IEC 27001 Restraining Factors (Exploratory Study of ISSArg)

- Resistance to change by employees
- Bureaucracy during the certification process
- Cost of implementation
- Time to break-even
- Financial situation of the organization
- Change of customers' habits
- Complexity of the standard
- Loss of motivation of employees
- Lengthening the time of IT applications development
- Increased workload
- Loss of performance of IT applications
- Inflexibility in work routines
- Lack of human resources
- Access to certain information once allowed is now forbidden
- Availability of human resources
- Abrupt change in the way of working
- Lack of interest of market and customers
- Maintaining the "spirit prior to certification"
- Difficulty in classifying information
- Cost of information security training
- Difficulty of adapting existing IT systems to the requirements of the standard
- Constraint to innovation
- Shortage of ISO/IEC 27001 experts in Portugal
- Difficulty in satisfying the requirements of the standard
- Size of the Portuguese information security services market
