Information Security Management & Certification
Seminário Modelos de Gestão em Tecnologias de Informação: Gestão de Serviços, da Segurança e da Inovação (Seminar on Management Models in Information Technology: Service, Security and Innovation Management), Guimarães, Portugal, 2010-XI-18
Prof. Filipe de Sá-Soares
University of Minho, ISSArg – Information Systems Security and Auditing Research Group
[email protected]
Agenda
A View of Information Security Management
Controls
Information Security Standards
ISO/IEC 27001
ISO/IEC 27001 Certification
FSS
2
Dimensions of Information Security
Information Security Management
To maintain the integrity of intra- and inter-dimension (technical, formal, and informal) operations, considering the regulatory framework that the organization must observe. Any disagreement between the dimensions can create security problems.
Components
Planning
Design
Implementation
Evaluation
To manage information security is to implement a set of controls
Controls
By Type
Regulatory – E.g.: laws, regulations, standards
Informal – E.g.: information security training, information security awareness programs, adoption of good practices in management, development of an organizational culture that promotes information security
Formal – E.g.: information security policies, definition of responsibilities in the realm of information security, rotation of duties, procedure for recruiting and retaining employees, contingency plans
Technical – E.g.: authentication via smart cards or passwords, digital signatures, intrusion detection systems, firewalls, antivirus
Controls (cont)
By Purpose
Directing – To guide the information security effort. E.g.: information security policies, information assets classification
Structuring – To define the structures of responsibility and authority for the information security effort. E.g.: definition of responsibilities over information resources, definition of responsibilities for the users of those resources, establishment of the duties with responsibility and authority to direct the information security effort
Learning – To improve or increase the knowledge about the information security effort. E.g.: research and analysis of information security incidents
Preventing – To safeguard, dissuade, or block the occurrence of adverse events to the information system. E.g.: logical access controls to the computer network, physical access controls to premises or equipment, backups
Detecting – To discover the occurrence of adverse events to the information system. E.g.: antivirus, monitoring of activity and use of systems, report of anomalies or potential security breaches
Reacting – To respond to the occurrence of adverse events to the information system. E.g.: antivirus, business continuity procedures, determining liability and imposing sanctions on employees who have not complied with the information security rules set by the organization
Information Security Standards
Regulatory and prescriptive content acknowledged and accepted by stakeholders
Usefulness
Certification
Instrument for self-assessment
Best practices
Increase of security level
Communication platform
Significant number of standards
Economy? Efficiency? Which ones to adopt? Under what circumstances?
Classification of Information Security Related Standards
Evaluation – To specify, examine, and test the security features or properties of IT products or systems. ISO/IEC 15408 – IT - Security techniques - Evaluation criteria for IT security (CC)
Development – To improve and evaluate the organizational capability in terms of IT security engineering. ISO/IEC 21827 – IT - Systems Security Engineering - Capability Maturity Model (SSE-CMM)
Management – To establish the goals and controls required to manage the security of an organization's information system. ISO/IEC 27001, …
Privacy – ISO/IEC CD 29100 – IT - Security techniques - Privacy framework; ISO/IEC WD 29101 – IT - Security techniques - Privacy reference architecture
IT/IS Control/Governance – CObIT; COSO, CoCo; ITIL, ISO/IEC 20000; PRINCE
ISO/IEC 27000-series
ISO/IEC 27000:2009 – IT - Security techniques - Information security management systems - Overview and vocabulary
ISO/IEC 27001:2005 – IT - Security techniques - Information security management systems – Requirements
ISO/IEC 27002:2005 – IT - Security techniques - Code of practice for information security management
ISO/IEC 27003:2010 – IT - Security techniques - Information security management system implementation guidance
ISO/IEC 27004:2009 – IT - Security techniques - Information security management - Measurement
ISO/IEC 27005:2008 – IT - Security techniques - Information security risk management
ISO/IEC 27006:2007 – IT - Security techniques - Requirements for bodies providing audit and certification of information security management systems
ISO/IEC FCD 27007 – IT - Security techniques - Guidelines for Information security management systems auditing
ISO/IEC PDTR 27008 – IT - Security techniques - Guidelines for auditors on ISMS controls
ISO/IEC WD 27010 – Information security management for inter-sector and inter-organizational communications
ISO/IEC 27011:2008 – IT - Security techniques - Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
ISO/IEC WD 27013 – IT - Security techniques - Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
ISO/IEC WD 27014 – Proposal on an information security governance (ISG) framework
ISO/IEC WD 27015 – Proposal on information security management guidelines for financial and insurance services
ISO/IEC FDIS 27031 – IT - Security techniques - Guidelines for information and communication technology readiness for business continuity
ISO/IEC CD 27032 – Guidelines for cybersecurity
ISO/IEC 27033:2009 – IT - Security techniques - IT Network security
ISO/IEC 27034 – IT - Security techniques - Application security
ISO/IEC FCD 27035 – IT - Security techniques - Information security incident management
ISO/IEC NP 27036 – IT - Security techniques - Guidelines for security of outsourcing
ISO/IEC NP 27037 – Guidelines for identification, collection and/or acquisition and preservation of digital evidence
…
ISO/IEC 27001
IT - Security techniques - Information security management systems - Requirements (standard currently under review)
ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business risks
It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof
It covers all types of organizations (commercial enterprises, government agencies, not-for-profit organizations, etc.)
ISO/IEC 27001 (cont)
ISO/IEC 27001:2005 is intended to be suitable for several different types of use, including the following:
use within organizations to formulate security requirements and objectives;
use within organizations as a way to ensure that security risks are cost effectively managed;
use within organizations to ensure compliance with laws and regulations;
use within an organization as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met;
definition of new information security management processes;
identification and clarification of existing information security management processes;
use by the management of organizations to determine the status of information security management activities;
use by the internal and external auditors of organizations to determine the degree of compliance with the policies, directives and standards adopted by an organization;
use by organizations to provide relevant information about information security policies, directives, standards and procedures to trading partners and other organizations with whom they interact for operational or commercial reasons;
implementation of business-enabling information security;
use by organizations to provide relevant information about information security to customers.
ISO/IEC 27001 (cont)
Based on PDCA Process Model
PLAN – Section 4 expects you to plan the establishment of your organization's ISMS
DO – Section 5 expects you to implement, operate, and maintain your ISMS
CHECK – Sections 6 and 7 expect you to monitor, measure, audit, and review your ISMS
ACT – Section 8 expects you to take corrective and preventive actions and continually improve your ISMS
ISO/IEC 27001 Certificates
International Register of ISMS Certificates
6942 certificates worldwide (October 2010)
[Chart: certificates by country. Japan leads with 3657; the other countries shown are India, China, United Kingdom, Taiwan, Germany, Korea, USA, Czech Republic, Hungary and Spain (between 509 and 55 certificates each); Portugal has 3.]
ISO/IEC 27001 Benefits (Exploratory Study of ISSArg)
Assurance of customers’ data security
Recording of organizational actions
Better organization of information security procedures
Market differentiation
Competitive advantage
Regulation of internal processes
Improvement of company image
Increase of market share
Usefulness of certification to meet new legal requirements
Marketing argument
Productivity improvement
Organization tranquility
Improvement of business continuity
Lowering the risk of business
Value added to product
Improvement of business processes and people behavior
Reduction of spam
ISO/IEC 27001 Driving Factors (Exploratory Study of ISSArg)
Ensuring the security of customers’ data
Organization of work
Support and awareness of top management
External visibility of information security efforts
Match of organizational resources to certification requirements
Transformation of business requirements
Team spirit
Concern with internal security
Governance of the certification process
Security awareness of organization
Experience in performing certification processes
Security training
Pressures from new customers
Internal communication of certification goals
Perceived benefits of compliance with regulation
Clear certification goals
Young employees
Enhancement of compliance with security rules and best practices
Motivated employees
Adequacy of the standard to the organization
Creation of a “sense of urgency”
Possibility of extending the scope of certification
ISO/IEC 27001 Restraining Factors (Exploratory Study of ISSArg)
Resistance to change by employees
Bureaucracy during the certification process
Cost of implementation
Time to break-even
Financial situation of the organization
Change of customers’ habits
Complexity of the standard
Loss of motivation of employees
Lengthening the time of IT applications development
Increased workload
Loss of performance of IT applications
Inflexibility in work routines
Lack of human resources
Access to certain information that was once allowed is now forbidden
Availability of human resources
Abrupt change in the way of working
Lack of interest of market and customers
Maintaining the “spirit prior to certification”
Difficulty in classifying information
Cost of information security training
Difficulty of adapting existing IT systems to the requirements of the standard
Constraint to innovation
Shortage of ISO/IEC 27001 experts in Portugal
Difficulty in satisfying the requirements of the standard
Size of the Portuguese information security services market