Building and Managing Information Security Frameworks ISO 27001 ...

healthyapricotMechanics

Nov 5, 2013

Agenda

What is Compliance?

Risk and Compliance Management

What is a Framework?

ISO 27001/27002 Overview

Audit and Remediate

Improve and Automate

What was Compliance?

What is Compliance?

Compliance should be a program based on defined requirements.

Requirements are fulfilled by a set of mapped controls solving multiple regulatory compliance issues.

The program is embodied by a framework.

Compliance is more about policy, process and risk management than it is about technology.

Risk & Compliance Mgmt

(Process diagram with the elements: Partners/Customers; Regulations; Risk Assessment; Control Framework; Policy and Awareness; Assessments; Audits; Treat Risks; Improve Controls; Automate Process.)

Risk and Compliance Approaches

Minimal:
- Annual / project-based approach
- Minimal repeatability
- Only use technologies where explicitly prescribed in standards and regulations
- Minimal automation

Sustainable:
- Proactive / planned approach
- Learning year over year
- Use technologies to reduce human factor
- Leverage controls automation whenever possible

Optimized:
- Regulatory requirements are mapped to standards
- A framework is in place
- Compliance and enterprise risk management are aligned
- Process is automated

Identify Drivers

(Process diagram, drivers stage: Partners/Customers; Regulations; Risk Assessment.)

Identify Drivers

Compliance is NOT just about regulatory compliance. Regulatory compliance is a driver to the program, controls and framework being put in place.

Managing compliance is fundamentally about managing risk.

Identify Drivers

Risk Assessment
- Identify unique risks and controls requirements

Partners / Customers
- Partners represent potential contractual risk
- Customers present privacy concerns

Regulations
- Regulatory risk is considered as part of overall risk




Develop Program

(Process diagram, program stage: Partners/Customers; Regulations; Risk Assessment; Control Framework; Policy and Awareness.)

What is a Control?

Control is defined as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.

*Source: ITGI, COBIT 4.1


What is a Framework?

A framework is a set of controls and/or guidance organized in categories, focused on a particular topic.

A framework is a structure upon which to build strategy, reach objectives and monitor performance.

Why use a framework?

- Enable effective governance
- Align with business goals
- Standardize process and approach
- Enable structured audit and/or assessment
- Control cost
- Comply with external requirements



Frameworks and Control Sets

- ISO 27001/27002
- COBIT
- ITIL
- NIST
- Industry-specific (e.g. PCI)
- Custom


ISO 27001/27002

- Information Security Framework
- Requirements and guidelines for development of an ISMS (Information Security Management System)
- Risk Management is a key component of the ISMS
- Part of the ISO 27000 series of security standards


A Brief History of ISO 27001

- BS 7799-1: Code of Practice
- BS 7799-2: Specification; revised in 2002; adopted as international standard in 2005

A Brief History of ISO 27002

- BS 7799-1: Code of Practice, "Information Technology: Code of Practice for Information Security Management"; adopted as international standard as ISO 17799 in 2000; revised in 2005; renumbered to 27002 in 2007
- BS 7799-2: Specification; revised in 2002

ISO 27001 and 27002

ISO 27001:
- Requirements
- Auditable
- Certification

ISO 27002:
- Best Practices
- More depth in controls guidance

Shared Control Objectives

ISO 27001

Mgmt Framework

- Information Security Management Systems Requirements (ISMS)
- Process approach
- Understand organization's information security requirements and the need to establish policy
- Implement and operate controls to manage risk, in context of business risk
- Monitor and review
- Continuous improvement

ISO 27001

Plan: Establish ISMS
Do: Implement and Operate ISMS
Check: Monitor and Review ISMS
Act: Maintain and Improve ISMS

ISO 27002

Controls Framework

ISO 27002 Security Control Domains

- Risk Assessment and Treatment
- Security Policy
- Organizing Information Security
- Asset Management
- Human Resources Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Information Systems Acquisition, Development and Maintenance
- Information Security Incident Management
- Business Continuity Management
- Compliance

Building a Framework

(Diagram: the ISO 27002 domains (Risk Assessment & Treatment; Security Policy; Organizing Information Security; Asset Management; Human Resources Security; Physical and Environmental Security; Communications and Operations Management; Access Control; IS Acquisition, Development and Maintenance; Information Security Incident Management; Business Continuity Management; Compliance) grouped as Operational Controls, Technical Controls and Management Controls around Protected Information. Source: ISO 27002: Code of Practice for Information Security Management.)

Practical Uses for Certification

Regulatory Compliance: "Best Practice" approach to handling sensitive data and overall security program.

Internal Compliance: Implement security as an integrated part of the business and as a process.

Third Party Compliance: Provide proof to partners of good practices around data protection. Strengthen SAS 70 approach.

ISO 27000 Series of Standards

- ISO/IEC 27000:2009 - Overview and vocabulary
- ISO/IEC 27001:2005 - Requirements
- ISO/IEC 27002:2005 - Code of Practice
- ISO/IEC 27003 - ISMS Implementation Guidance*
- ISO/IEC 27004 - Measurement*
- ISO/IEC 27005:2008 - Risk Management
- ISO/IEC 27006:2007 - Auditor Requirements
- ISO/IEC 27007 - ISMS Audit Guidelines*

*In Development

Frameworks Comparison

Framework | Strengths | Focus
COBIT | Strong mappings; Support of ISACA; Availability | IT Governance; Audit
ISO 27001/27002 | Global Acceptance; Certification | Information Security Management System
ITIL | IT Service Management; Certification | IT Service Management
NIST 800-53 | Detailed, granular; Tiered controls; Free | Information Systems; FISMA

Controls Mapping

(Diagram: PCI, GLBA, SOX and Corporate Policy mapped into one Framework of Controls.)

PCI Data Security Standard

1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to data by business need to know
8. Assign a unique ID to each person with computer access…

Controls Mapping

(Diagram: PCI, GLBA, SOX and Corporate Policy mapped into one Framework of Controls.)

Controls Mapping

Framework of Controls

Benefits:
- Alignment of corporate policy
- Custom interpretation of regulations
- Single assessment effort provides complete view (PCI, GLBA, SOX, Policy)

Logging and Monitoring

- PCI: Requirement 10
- ISO 17799: Section 10.10

Audit and Remediate

(Process diagram, audit stage: Partners/Customers; Regulations; Risk Assessment; Control Framework; Policy and Awareness; Assessments; Audits; Treat Risks.)

Organization Example

- Internal Audit: COBIT
- IT Service Desk: ITIL
- Information Security: ISO 27001/27002
- Software Delivery: CMMi

Controls Alignment

How aligned are your controls?

- Assessment (Information Security, IT Risk Management)
- Internal Audit (IT/Financial Audit)
- External Audit (Regulatory and Non-Regulatory)

Remediation Priorities

- Where are our greatest risks?
- What controls are we fulfilling?
- How many compliance requirements are we solving?
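As an added illustration, not the presenter's material, the following Python models the Controls Mapping idea (one control set mapped to PCI, GLBA, SOX and corporate policy, with Logging and Monitoring tied to PCI Requirement 10 and ISO 17799 10.10) and answers the three remediation questions above from a single assessment pass. The control ids, the requirement ids other than PCI Req 10 and ISO 17799 10.10, and the risk ratings are constructed sample values.

```python
"""Added example: a mapped control set assessed once, reported per regulation.
Control ids, risk ratings and most requirement ids are constructed placeholders."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Control:
    control_id: str
    name: str
    risk: int                                      # constructed 1-5 rating of the control failing
    requirements: set = field(default_factory=set)  # "SOURCE:requirement" strings it satisfies


# Constructed framework of controls. PCI Req 10 and ISO 17799 10.10 are the
# mappings named on the slide; the other requirement ids are placeholders.
FRAMEWORK = [
    Control("C-01", "Centralized logging and monitoring", 5,
            {"PCI:Req 10", "ISO17799:10.10", "SOX:ITGC-LOG", "POLICY:SEC-07"}),
    Control("C-02", "Unique user IDs", 4,
            {"PCI:Req 8", "GLBA:Access", "SOX:ITGC-ACCESS", "POLICY:SEC-03"}),
    Control("C-03", "Encrypt cardholder data in transit", 5, {"PCI:Req 4"}),
    Control("C-04", "Annual security awareness training", 2,
            {"GLBA:Training", "POLICY:HR-02"}),
]


def assess(framework, results):
    """One assessment over the control set. `results` maps control_id to True
    (fulfilled) or False (gap). Returns per-source coverage as (satisfied, total)
    and the failing controls ranked for remediation."""
    coverage = defaultdict(lambda: [0, 0])
    gaps = []
    for c in framework:
        passed = results.get(c.control_id, False)
        for req in c.requirements:
            source = req.split(":", 1)[0]
            coverage[source][1] += 1
            if passed:
                coverage[source][0] += 1
        if not passed:
            gaps.append(c)
    # Greatest risk first; ties broken by how many requirements one fix closes.
    gaps.sort(key=lambda c: (c.risk, len(c.requirements)), reverse=True)
    return {s: tuple(v) for s, v in coverage.items()}, gaps


def remediation_order(framework, results):
    """Control ids in the order they should be remediated."""
    return [c.control_id for c in assess(framework, results)[1]]
```

Running `assess(FRAMEWORK, {"C-01": False, "C-02": True, "C-03": False, "C-04": False})` shows PCI at 1 of 3 mapped requirements satisfied and puts the logging control first, since it carries the highest risk and closes the most requirements.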



Improve and Automate

(Process diagram, improvement stage: Partners/Customers; Regulations; Risk Assessment; Control Framework; Policy and Awareness; Assessments; Audits; Treat Risks; Improve Controls; Automate Process.)

Controls Hierarchy

Manual (require human intervention) vs. Automated (rely on computers to reduce human intervention)

Detective (designed to search for and identify errors after they have occurred) vs. Preventive (designed to discourage or preempt errors or irregularities from occurring)

Automated and Preventive

Logging and Monitoring

Not Efficient: Reviewing logs for incidents
Efficient: An automated method of detecting incidents

Not Effective: Missing the incident due to human error
Effective: Preventing the incident from occurring in the first place

Automate the Process

- How do you currently measure compliance?
- Reduce documents, spreadsheets and other forms of manual measurement
- Create dashboard approach
- Governance, Risk and Compliance toolsets


GRC Automation

Enterprise:
- Enterprise scope
- Highly configurable
- Multiple functions (Risk, Compliance, Policy)
- Sophisticated workflow

Multi-Function:
- Functionality more limited
- More "out of the box"
- Modest workflow

Single Function:
- Specific process
- Specific standard or regulation
- Simple workflow

Questions?

Evan Tegethoff

Director, Risk and Compliance Management

etegethoff@accuvant.com