Date post: 09-Apr-2018
Achieving Compliance with ISO 27001, 20000, and UAE IA Standards José Luis Carrera Jr., CFE, CIA, CRMA Director of Governance, Risk, and Compliance DarkMatter LLC
Page 1: Achieving Compliance with ISO 27001, Welcome! · ISO 27001 (formally known as ISO/IEC 27001:2005) is a specification for an information security management system (ISMS). An ISMS

Welcome! Achieving Compliance with ISO 27001, 20000, and UAE IA Standards

José Luis Carrera Jr., CFE, CIA, CRMA

Director of Governance, Risk, and Compliance

DarkMatter LLC


2017 ACFE FRAUD CONFERENCE MIDDLE EAST

THE PALM

DUBAI 29-31 JANUARY 2017

ACHIEVING COMPLIANCE WITH ISO 27001, 20000 AND UAE IA STANDARDS, BUT AVOIDING THE SPEED BUMPS


CONTENTS

01 INTRODUCTION

02 WHO IS DARKMATTER?

03 STANDARDS (ISO 27001, UAE IA, ADSIC)

04 SPEED BUMPS

05 REFERENCES

06 QUESTIONS AND THANK YOU


• This discussion is intended for educational purposes only and does not replace independent professional judgement in sizing information security governance, risk, and strategy activities for any given organization. Statements of fact and opinions expressed are those of the presenter and not DarkMatter LLC AE.

DISCLAIMER


01 INTRODUCTION


• Director; Governance, Risk and Compliance

• Wells Fargo; Compliance Consultant, Technology and Operations

• Cricket Communication; Director of Internal Audit

• EY Bahrain; Executive Director, Risk and Advisory Services

• Agility Defense & Government Services, Chief Audit Executive

• PricewaterhouseCoopers, Senior Manager

• Saudi Aramco, Fraud Division and IT Audit Division

• Arizona State University: • Master of Business Administration: International Business and Decision Support Systems

• Arizona State University: • Bachelor of Science: Accounting and Computer Information System

JOSE LUIS CARRERA JR


02 WHO IS DARKMATTER?


A TRUSTED PARTNER WITH GLOBAL EXPERTISE TO PROVIDE THE ENTIRE SPECTRUM OF CYBERSECURITY SOLUTIONS


ATTACKS ARE GETTING INCREASINGLY COMPLEX AND DAMAGING


GOVERNMENTS AND ENTERPRISES ARE NOT READY TO HANDLE CYBER THREATS

NEARLY TWO-THIRDS OF ORGANISATIONS DO NOT HAVE WELL-DEFINED AND AUTOMATED IDENTITY & ACCESS MANAGEMENT PROGRAMS

37% SAY THAT REAL-TIME INSIGHT ON CYBER RISK IS NOT AVAILABLE

56% OF RESPONDENTS SAY IT IS “UNLIKELY” OR “HIGHLY UNLIKELY” THAT THEIR ORGANISATION COULD DETECT A SOPHISTICATED ATTACK

42% OF ORGANISATIONS DO NOT HAVE A SECURITY OPERATIONS CENTRE

35–45% OF RESPONDENTS RATED THEMSELVES “STILL A LOT TO IMPROVE”

43% OF ORGANISATIONS’ TOTAL INFORMATION SECURITY BUDGET WILL STAY THE SAME IN THE COMING 12 MONTHS

42% “HIGHLY UNLIKELY”

53% OF ORGANISATIONS SAY THAT LACK OF SKILLED RESOURCES IS ONE OF THE MAIN OBSTACLES THAT CHALLENGE THEIR INFORMATION SECURITY


WHO WE ARE

UAE headquartered

The world’s elite cyber security talent

Trusted to protect the nation

Offering the complete portfolio of cyber security solutions

Driving & developing the next generation cyber solutions


WE HAVE GATHERED THE WORLD’S BEST TALENT…

Harshul Joshi, Senior Vice President, Cyber Governance, Risk & Compliance

Stephen Brennan, Senior Vice President, Cyber Network Defence

Eric Eifert, Senior Vice President, Managed Security Services

Rabih Dabboussi, Senior Vice President, Sales, Marketing & Business Development

Faisal Al Bannai, Chief Executive Officer

Samer Khalife, Chief Financial Officer and Executive Vice President, Business Services


…TO ADDRESS THE MOST ADVANCED CYBER THREATS

GOVERNANCE, RISK & COMPLIANCE

CYBER NETWORK DEFENCE

MANAGED SECURITY SERVICES

SECURE COMMUNICATIONS

INFRASTRUCTURE & SYSTEM INTEGRATION

SMART SOLUTIONS

PUBLIC KEY INFRASTRUCTURE

PRODUCTS

SOLUTIONS

SERVICES


DARKMATTER CAN SUPPORT COMPLEX NATIONAL CYBER INITIATIVES

Government Secure Communications

Elite Cyber Academy

Superior Cyber Security Centre

Public Key Infrastructure

Smart City Cyber Security

National Crypto Suite


DarkMatter Research Stands at the Forefront of Cyber Security Innovation as Firm Aims to Secure the Technologies of the Future

DarkMatter, the international Cyber Security firm headquartered in the UAE, has inaugurated its research and development programme with the signing of a series of agreements with notable top tier institutions around the world, and the engagement of PhD-level researchers who have been given ample opportunities to innovate within the organization.

Source: Zawya, 18th of January 2017. Appeared also in: Al Watan Online, Al Watan Print, Al Bayan Online, Al Bayan Print, Middle East Projects, CPI Financial, Emirates News Gazette, Emirates Press Release, Yahoo, Street Insider, Emirates News Wire, Press Arabia, Qatar Press and Dot Emirates.


Global Ties for Cyber Security

The necessity of strong Cyber Security measures is self-evident from the rising number of Cyber-Attacks. Digital security firm Gemalto estimates that over 700 million data records were compromised in 2015. Yahoo disclosed in December 2016 that over one billion email accounts were hacked in 2013, compromising sensitive user information. A proliferation of Cyber-Attacks is causing increasing damage to companies, governments and individuals.

Source: Oman Tribune, 26th of January 2017.

How Will Cyber Security Earnings Stack Up?

“Cyber Security really was not a focus for companies before 2015, we are now seeing a greater push for security and compliance. Now that we are reading more about IOT (Internet of Things) being compromised, companies are becoming more aware of security,” said Jason Ford, chief technology officer of BlackMesh, a Cyber Security and compliance hosting company.

Source: Yahoo, 25th of January 2017.


03 STANDARDS (ISO 27001, UAE IA, ADSIC)


STANDARDS

SPEED BUMPS

MITIGATION

SUCCESS!


ISO 27001


5 Key MENA Region Digital Banking Trends in 2017

On the back of increasing Cyber Attacks and breaches in international and regional financial institutions, Cyber Security will, for the first time in the MENA region, emerge as one of the top priorities for CEOs and Boards of Directors. Financial institutions that are ahead of the curve and effectively embed Cyber Security into their risk frameworks will invest significantly in building the right capabilities and governance structures. These, in turn, will equip them to preemptively address incidents that could potentially damage their operations as well as reputation.

Source: Wealth Monitor, 25th of January 2017


The ISO 27001 standard was published in October 2005, essentially replacing the old BS7799-2 standard. ISO 27001 (formally known as ISO/IEC 27001:2005) is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical, and technical controls involved in an organization's information-risk-management processes.

• PDCA, the Plan-Do-Check-Act model, is used to structure the processes

• The :2013 revision places more emphasis on measuring and evaluating how well an organization's ISMS is performing.

ISO 27001:2013


• What three (3) things make up Information Security?

AFTER LUNCH QUESTION

Technology and Processes are as good as the People who use them.

Processes

Technology

People


• What is the weakest LINK in your organization's Information Security Management?

AFTER LUNCH QUESTION

YOUR RESOURCES ARE THE WEAKEST LINK IN INFORMATION SECURITY


ISO 27001:2013 RECERTIFICATION - DOMAINS


ISO RECERTIFICATION

• Findings & recommendations

• Mitigation plan

ISO Recertification

• RA update

• SOA update

• Risk treatment plan

• Information security training & awareness

Internal Audit

Risk Assessment

IS Awareness

• ISMS governance framework

• Management review meetings

• ISMS framework, methodology, & strategy

• Incident management

• Effectiveness of controls & KPIs

• Documents & records

• Physical security

• Document handling, including classification, labelling, storing, distribution, dissemination

• Asset register

• Threats & vulnerability

• Applicable controls

• Information security guidelines

• Best practices

• Do’s & don’ts


RECERTIFICATION - DOMAINS

• Gap analysis

• State of applicable controls

• Findings & recommendations

• Mitigation plan

• Identify applicable NESA controls

• Map to standards. ISO controls

• Phased multi-year roadmap

• Support implementation

ISO Recertification

Gap Assessment & Control

Assessment

• RA update

• SOA update

• Risk treatment plan

• Information security training & awareness

Roadmap Definition & Control Implementation

Applicability Analysis

Internal Audit

Risk Assessment

IS Awareness


WE HAVE ISMS (PPS) TEMPLATES!

• Acceptable Usage of Information Assets

• Access Control

• Backup

• Business Continuity

• Communication & Operations Management

• Compliance

• Disaster Recovery Business Resumption

• Desktops & Peripherals

• Email & Internet

• Information Exchange

• Information Labelling & Handling


WE HAVE ISMS (PPS) TEMPLATES!

• Information Security Management System

• Mobile Computing

• Non Disclosure Agreements

• Network & Systems

• Personnel Security

• Physical & Environmental Security

• Privacy Policy

• System Development & Maintenance

• User Privilege

• VIP Data Protection

• VIP Logical Access


UAE INFORMATION ASSURANCE STANDARDS


NESA, the National Electronic Security Authority, is a government body tasked with protecting the UAE’s critical information infrastructure and improving national cybersecurity. To achieve this, NESA have produced a set of standards and guidance for government entities in critical sectors. Compliance with these standards is mandatory.

NESA IA STANDARDS


NESA IA STANDARDS

There are 188 controls: 60 are management controls and 128 are technical controls. 35 of the management controls are “always applicable,” none of the technical controls are “always applicable.”


NESA IA CONTROLS OVERVIEW

MANAGEMENT CONTROLS

Strategy and Planning

Risk Management

Awareness

Human Resources

Compliance

Performance

TECHNICAL CONTROLS

Asset Management

Physical Sec.

Operations

Communications

Access Control

Third Parties

Acquisition

Incidents Management

Continuity

NESA IA


NESA IA 15 SECURITY DOMAINS

ENTITY

Data Management

Third Party Security

Physical Security

Security Operations

Security Governance

Risk Management

Strategy and Planning

Third Parties

Physical Sec.

Awareness

Compliance Performance

Human Resources

Acquisition

Communications

Access Control

Operations

Asset Management

Continuity


REALITIES OF MODERN THREATS


• Probe (Reconnaissance)

• Weaponization

• Delivery

• Exploitation

• Installation

• C & C (Command & Control)

• Action

• Reaction

CARRERA “KILL” SEQUENCE


• Probe (Reconnaissance)

• Bad guys’ goals

–Find target

–Develop plan of attack based on opportunities for exploit

• Weaponization

• Delivery

• Bad guys’ goals

–Place delivery mechanism online

–Use social engineering to induce target to access malware or other exploit

CARRERA “KILL” SEQUENCE


• Exploitation & Installation

• Bad guys’ goals

–Exploit vulnerabilities on target systems to acquire access

–Elevate user privileges and install persistence payload

• Command & Control

• Bad guys’ goals

–Exfiltrate high-value data as quietly and quickly as possible

–Use compromised system to gain additional access, “steal” computing resources, and/or use in an attack against someone else

• Action

• Reaction

CARRERA “KILL” SEQUENCE


• Probe (Reconnaissance): Intruder selects target, researches it, and attempts to identify vulnerabilities in the target network.

• Weaponization: Intruder creates remote access malware weapon, such as a virus or worm, tailored to one or more vulnerabilities.

• Delivery: Intruder transmits weapon to target (e.g., via e-mail attachments, websites or USB drives).

• Exploitation: Malware weapon's program code triggers, which takes action on target network to exploit vulnerability.

• Installation: Malware weapon installs access point (e.g., "backdoor") usable by intruder.

• Command and Control: Malware enables intruder to have "hands on the keyboard" persistent access to target network.

• Actions/Reaction: Intruder takes action to achieve their goals, such as data exfiltration, data destruction, or encryption for ransom.

CARRERA “KILL” SEQUENCE


KILL SEQUENCE MAPPING


• Identify

• Prepare

• Detect

• Respond

• Recover

CARRERAISM RAPID DETECTION MODEL


• COMMON THREAT DETECTION METHODS:

• Traditional tools

• Machine-Readable Threat Intelligence

• Shared INDICATORS OF COMPROMISE (IOCs)

– Open IOC

• Find the Evil

– IOCbucket.com

• njrat

• Applying Threat Intelligence

DETECT


• COMMON THREAT DETECTION METHODS:

• Next-generation threat detection (behavioral)

• Cb

– Bad guys often repeat behavioral patterns, such as:

• Naming conventions

• Working directories used to copy files

• Methods of using built-in system commands and utilities

• Security analytics

• Service providers

DETECT


• Validate

• To triage an alert and determine whether it is a false positive or a valid threat, analysts can:

– Use leads in the alert (IP addresses, DNS hostnames, machine names)

– Pivot to view related information in the SIEM

– Review netflow data and live response data from the suspected endpoints

• Record the time between validation and containment and track this time across incidents as a time-to-contain metric.

• Contain

RECOVER
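One way to work the Validate and Contain steps above in code, as an added example that is not part of the presentation: pull the leads out of an alert, pivot into netflow records for those leads, apply one validation heuristic (near-constant connection intervals, which is consistent with command-and-control beaconing), and record validation and containment timestamps per incident so time-to-contain can be tracked across incidents. The alert text, flow records, incident timestamps and the four-hour target are all constructed assumptions.

```python
"""Validate -> Contain triage helpers. Added example; all data is constructed."""
import re
import statistics
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostnames: dotted DNS names, or short machine names such as "srv-fin-07".
HOST_RE = re.compile(r"\b[a-z][a-z0-9-]*(?:\.[a-z0-9-]+)+\b|\b[a-z]{2,}-[a-z0-9-]+\b")


def extract_leads(alert_text: str) -> Dict[str, List[str]]:
    """Step 1: pull the pivot points (IP addresses, DNS/machine names) out of an alert."""
    ips = IPV4_RE.findall(alert_text)
    hosts = [h for h in HOST_RE.findall(alert_text) if h not in ips]
    return {"ips": sorted(set(ips)), "hosts": sorted(set(hosts))}


def pivot_netflow(leads: Dict[str, List[str]], flows: List[dict]) -> List[dict]:
    """Step 2: keep every flow record that touches one of the lead addresses."""
    wanted = set(leads["ips"])
    return [f for f in flows if f["src"] in wanted or f["dst"] in wanted]


def looks_like_beacon(flows: List[dict], max_jitter_s: float = 30.0) -> bool:
    """Validation heuristic: three or more connections to one destination with
    near-constant spacing look like automated beaconing, not user traffic."""
    by_dst: Dict[str, List[datetime]] = {}
    for f in flows:
        by_dst.setdefault(f["dst"], []).append(datetime.fromisoformat(f["ts"]))
    for stamps in by_dst.values():
        if len(stamps) < 3:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if statistics.pstdev(gaps) <= max_jitter_s:
            return True
    return False


@dataclass
class Incident:
    ident: str
    alerted: datetime
    validated: Optional[datetime] = None   # set when triage confirms a real threat
    contained: Optional[datetime] = None   # set when the host/account is isolated

    def time_to_contain(self) -> Optional[timedelta]:
        """The metric on the slide: validation -> containment."""
        if self.validated is None or self.contained is None:
            return None
        return self.contained - self.validated


def contain_metrics(incidents: List[Incident],
                    target: timedelta = timedelta(hours=4)) -> dict:
    """Track time-to-contain across incidents: median plus the ones missing the target.
    The 4-hour target is an assumed value, not one from the presentation."""
    done = [(i.ident, i.time_to_contain()) for i in incidents
            if i.time_to_contain() is not None]
    hours = [ttc.total_seconds() / 3600 for _, ttc in done]
    return {
        "measured": len(done),
        "median_hours": statistics.median(hours) if hours else None,
        "over_target": [ident for ident, ttc in done if ttc > target],
    }


# Constructed sample data. 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737
# documentation ranges; nothing here is a real indicator.
SAMPLE_ALERT = ("Suspicious outbound connections from srv-fin-07 (10.20.30.45) "
                "to update-cdn.example.invalid every 300s")
SAMPLE_FLOWS = [
    {"src": "10.20.30.45", "dst": "203.0.113.9", "bytes": 512, "ts": "2017-01-29T08:00:00"},
    {"src": "10.20.30.45", "dst": "203.0.113.9", "bytes": 540, "ts": "2017-01-29T08:05:00"},
    {"src": "10.20.30.45", "dst": "203.0.113.9", "bytes": 498, "ts": "2017-01-29T08:10:05"},
    {"src": "10.20.30.46", "dst": "198.51.100.7", "bytes": 40000, "ts": "2017-01-29T08:03:00"},
]
SAMPLE_INCIDENTS = [
    Incident("INC-1", datetime(2017, 1, 29, 8, 15),
             datetime(2017, 1, 29, 9, 0), datetime(2017, 1, 29, 11, 30)),
    Incident("INC-2", datetime(2017, 1, 30, 14, 0),
             datetime(2017, 1, 30, 15, 0), datetime(2017, 1, 30, 21, 0)),
    Incident("INC-3", datetime(2017, 1, 31, 2, 0)),  # still in triage: no metric yet
]


def triage_sample() -> dict:
    """Run the Validate steps over the constructed alert and flows."""
    leads = extract_leads(SAMPLE_ALERT)
    related = pivot_netflow(leads, SAMPLE_FLOWS)
    return {"leads": leads, "related_flows": len(related),
            "beacon": looks_like_beacon(related)}


if __name__ == "__main__":
    print(triage_sample())
    print(contain_metrics(SAMPLE_INCIDENTS))
```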


• Memory Analysis

• Volatility 2.4

• Redline

• Network Forensics

• Damballa

• Wireshark

RECOVER


M3 Awareness and Training

MANAGEMENT CONTROL

Control #   Control Name                     Control Priority

M3.1.1      AWARENESS AND TRAINING POLICY    P2

The entity shall develop and maintain an awareness and training policy.

M3.1.1.1 The awareness and training policy shall be appropriate to the purpose of the entity.

M3.1.1.2 The awareness and training policy shall provide the framework for setting awareness and training objectives.

M3.1.1.3 The awareness and training policy shall facilitate the implementation of the associated controls.

M3.1.1.4 The awareness and training policy shall outline the roles and responsibilities of providers and recipients of awareness and training activities.


T5 Access Control

TECHNICAL CONTROL

Control #   Control Name             Control Priority

T5.1        ACCESS CONTROL POLICY

T5.1.1      ACCESS CONTROL POLICY    P2

The entity shall establish an access control policy based on business and security requirements.

T5.1.1.1 The access control policy shall be appropriate to the purpose of the entity.

T5.1.1.2 The access control policy shall include statement of the management commitment, purpose, objective and scope of the policy.

T5.1.1.3 The access control policy shall outline the roles and responsibilities for granting and denying access.

T5.1.1.4 The access control policy shall provide the framework for the protection of mobile devices against prevailing risks, including users owned devices.


T5 Access Control

TECHNICAL CONTROL

Control #   Control Name             Control Priority

T5.1        ACCESS CONTROL POLICY

T5.1.1      ACCESS CONTROL POLICY    P2

The entity shall establish an access control policy based on business and security requirements.

T5.1.1.5 The access control policy shall provide the framework to protect information from unauthorized access and grant access to the appropriate users and mobile devices.

T5.1.1.6 The access control policy shall be documented and communicated to all users.

T5.1.1.7 The access control policy shall be read and acknowledged formally by all users.

T5.1.1.8 The access control policy shall be maintained, reviewed, and updated at planned intervals or if significant changes occur.


• In my opinion there are several stages to achieving and maintaining compliance to the NESA UAE IAS:

• Risk assessment

• GAP assessment and continual audit self-assessment

• Implementation

• Training

• Annual compliance audits

SPEED BUMP AVOIDANCE


ABU DHABI SYSTEMS & INFORMATION CENTRE (ADSIC)


“To develop, drive and support the various initiatives within the Abu Dhabi Government service transformation programme, the Abu Dhabi Systems & Information Centre (ADSIC) was created as Committee in October 2005 by Executive Council Decree No. 33, and established as a Centre in December 2008 by Law No. 18. The Centre is considered as the governmental party that owns the IT agenda of the Emirate, and has the authority to practice the following competences:

• Supervise the implementation of the e-Government program in ADGEs.

• Sponsor initiatives and mature assets and competencies that it deems of critical importance for the e-Government project.

• Propose policies and technology standards for government and relevant entities to achieve a comprehensive quality in reaching the highest levels of efficiency, confidentiality, and safety in the e-Government project.”

ABU DHABI SYSTEMS & INFORMATION CENTRE


• “Propose policies and technology standards for government and relevant entities to achieve a comprehensive quality in reaching the highest levels of efficiency, confidentiality, and safety in the e-Government project.

• Issue rules and guidelines regarding the implementation of IT policies and the technical specifications, and communicate them to all the Government entities.

• Submit the guidelines to the Council regarding the IT sector and the e-Government.

• The mandate translates into the mission of government modernization at large:

• Performance improvement

• Process simplification

• Use of IT”

ADSIC


ADSIC


• Regional

• Leverage standards

• “One piece of evidence, can work for two standards”

• Pssst….39 P1 NESA IA Controls

ADSIC


ISO 20000


ISO/IEC 20000 is a global standard that describes the requirements for an information technology service management (ITSM) system. The standard was developed to mirror the best practices described within the IT Infrastructure Library (ITIL) framework.

• ISO/IEC 20000 adopts a PDCA (Plan, Do, Check, Act) Deming lifecycle, similar to other ISO norms. This can also be observed parallel to a 7-Step CSI improvement process in ITIL CSI. Processes are organized into groups: Service Delivery, Relationship, Resolution, and Control. PDCA, the Plan-Do-Check-Act model, structures the processes.

• ISO/IEC 20000 provides strict requirements (WHAT) and a simple code of practice (HOW). The story is further expanded by ITIL experience and best practice framework as a detailed guidance about processes and functions. At the base are basic in-house procedures and work instructions, from core business and other implemented standards/methodologies (ISO, PMI…).

ISO 20000:2011


• ISO 20000 promotes the "adoption of an integrated process approach to effectively deliver managed services to meet the business and customer requirements."

ISO 20000:2011


• Critical foundation

• Risk assessment

• Organizational business services

• IT service catalogue

• Map business and IT services

• “Lone assets”

• One to many, many to one

SPEED BUMP AVOIDANCE


COMPARISON


04 SPEED BUMPS


• Scope and objective

• Must be defined and agreed upon

• Mitigation of prior internal audits, risk assessments, penetration testing, and/or vulnerability assessments

• Mitigation should be completed within 12 months, if possible

• Documentation availability and quality of documentation

• Substance versus form

SPEED BUMPS


• Cultural sensitivity

• We live in and work in a multicultural environment

• Service-level and operation-level agreements

• Service-level agreements: key performance indicators

• Operation-level agreements: Are “they” meeting expectation?

• “Lost in Translation”

• Frequency of control versus “we’ve done it”

• Evidence, evidence, evidence

SPEED BUMPS


05 REFERENCES


• www.darkmatter.ae

• http://www.iso.org/iso/home.html

• https://adsic.abudhabi.ae/adsic/faces/en/home?_afrLoop=13103778143901525#!%40%40%3F_afrLoop%3D13103778143901525%26_adf.ctrl-state%3D1b7dnt22c7_49

• NIST SP 800-53 Rev. 4: NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013 (including updates as of January 15, 2014). http://dx.doi.org/10.6028/NIST.SP.800-53r4

• http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

• http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm077812.htm

• http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html

REFERENCE


• Control Objectives for Information and Related Technology (COBIT):

http://www.isaca.org/COBIT/Pages/default.aspx

• Council on CyberSecurity (CCS) Top 20 Critical Security Controls (CSC):

http://www.counciloncybersecurity.org

• ANSI/ISA-62443-2-1 (99.02.01)-2009, Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program: http://www.isa.org/Template.cfm?Section=Standards8&Template=/Ecommerce/ProductDisplay.cfm&ProductID=10243

REFERENCE


06 QUESTIONS


THANK YOU
