Date post: | 21-Dec-2015 |
Category: |
Documents |
View: | 218 times |
Download: | 3 times |
ISO 17799
InfoSec: Can you dig it?
Agenda
1. Introduction and Purpose2. Risk Assessment, Controls and Guiding Principles3. Success Factors4. Examples of it in terms of InfoSec Policy and Organizational
Security5. Implementing an Information Security Management Systems
Environment6. Gaining ISO17799 Certification: A Blue Print7. Using the SANS auditing template8. A risk assessment with ISO17799 Pitfalls9. Conclusion and Questions
Is it ISO or just BS?
International Standard ISO/IEC 17799 was prepared by the British Standards Institution (as BS 7799) and was adopted, under a special “fast-track procedure”, by Joint Technical Committee ISO/IEC JTC 1, Information technology, in parallel with its approval by national bodies of ISO and IEC.
Provides common approaches to manage risks Not applicable to every system and not always
practical in smaller organizations
ISO17799 BS17799
ISO 17799:2000 Code of Practice For
Information Security Management
Best practices framework From 7.2.1, Equipment
siting and protection: Equipment should be sited or protected to reduce the risks from environmental threats….
BS 7799-2:2002 Information Security
Management Systems Specification With Guidance For Use
Auditing specification From 7.2.1, Equipment
shall be sited or protected….
ISO has begun the study period of BS 7799-2:2002 towards adoption
10 Areas: To have and to hold Security policy: Adopting a security process that outlines an organization's
expectations for security, which can then demonstrate management's support and commitment to security.
Security organization: Having a management structure for security, including appointing security coordinators, delegating security management responsibilities and establishing a security incident response process.
Asset classification and control: Conducting a detailed assessment and inventory of an organization's information infrastructure and information assets to determine an appropriate level of security.
Personnel security: Making security a key component of the human resources and business operations. This includes writing security expectations in job responsibilities (IT admins and end users), screening new personnel for criminal histories, using confidentiality agreements when dealing with sensitive information and having a reporting process for security incidents.
Physical and environmental security: Establishing a policy that protects the IT infrastructure, physical plant and employees. This includes controlling building access, having backup power supplies, performing routine equipment maintenance and securing off-site equipment.
10 Areas: To have and to hold
Communications and operations management: Preventing security incidents by implementing preventive measures, such as using antivirus protection, maintaining and monitoring logs, securing remote connections and having incident response procedures.
Access control: Protecting against internal abuses and external intrusions by controlling access to network and application resources through such measures as password management, authentication and event logging.
Systems development and maintenance: Ensuring that security is an integral part of any network deployment or expansion, and that existing systems are properly maintained.
Business continuity management: Planning for disasters--natural and man-made--and recovering from them.
Compliance: Complying with any applicable regulatory and legal requirements, such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and cryptography export controls.
Need for Security
Establishing Security RequirementsThree main sources
Risk Assessment – identified, evaluated and estimated
Legal, Statutory, Regulatory – contractual requirements the organization must fill
Principle and Objectives – requirements to support operations
Assessing Risks
Risk Assessment Considered on a systematic basis
Business impact to CIA Likelihood of impact – threat vs controls
Guides and determines actions and priorities Process of selecting controls is iterative per business unit and
system Reviews based on
Changing business requirements New threats and vulnerabilities Confirmation that current controls are effective
Assessments performed at a high level and then more specifically for detailed risk.
Selecting Controls
Should be selected based on a cost benefit analysis.Ex. $1000.00 fence around a $50.00 asset.
Reputation should also be a factor in that decision.
InfoSec Guiding Principles
Two Points of View Legislative InfoSec Best Practice
Legislativea) Data protection and privacy of personal
information
b) Safeguarding of organizational records
c) Intellectual property rights
InfoSec Guiding Principles
InfoSec Best Practicesa) Information security policy document b) Allocation of information security
responsibilitiesc) Information security education and training d) Reporting security incidentse) Business continuity management
*Note: These are suggestions and should only be implemented based upon the risk assessment.
Code of Practice
71 Pages of Security Management Goodness
Similar to CISSP and derived partially from TCSEC, Common Criteria. Its apparent in the requirements
Some of it is infeasible and is a utopian organization, politics acceptance changing culture.
Critical Success Factors
The following is a list of factors which are found to be essential to the implementation of InfoSec at an organization
1. Security policy, objectives and activities that reflect business objectives2. An approach to implementing security that is consistent with the
organizational culture*3. Visible support and commitment from management*4. A good understanding of the security requirements, risk assessment and
risk management5. Effective marketing of security to all managers and employees6. Distribution of guidance on information security policy and standards to all
employees and contractors7. Providing appropriate training and education*8. A comprehensive and balanced system of measurement which is used to
evaluate performance in information security management and feedback suggestions for improvement.
*Most important factors.
A brief peek inside
Information Security Policy Organizational Security
Information Security Policy
To provide management direction and support for information security.
A policy document should be approved by management, published and communicated, as appropriate, to all employees. It should state management commitment and set out the organization’s approach to managing information security.
Policy owner should periodically review the policy; on effectiveness, efficiency and controls.
Information Security Policy
Essential Requirements:Definition of InfoSec, objectives and scope.Management statement of support.Definition of responsibilities of management in
InfoSec.Brief explanation of policies, principles standards
and compliance. References to documents that support the policy
with details for specific systems.
Organizational Security
A management framework should be established to initiate and control the implementation of information security within the organization.
DetailsManagement Information Security Forum
Requires a Champion to lead it. Reviews, Monitors and Approves
Responsibilities, incidents, threats enhancements
Organizational Security
Information security co-ordinationCross functional forum of management reps
(geared at large company) Assigns roles and responsibilities Agrees on methodology and process Supports awareness programs Assures security a place in the SDLC and planning Evaluates implementations of controls Review incidents Give infoSec high visibility
Organizational Security
Allocation of information security responsibilities Assign responsibilities
Ex. Appoint an owner for each information asset and its day-to-day operations. It can then be further delegated, but owner takes responsibility.
Responsibility Clearly identify and define security processes for each system Responsibility should be documented and agreed in some kind
of SLA Clearly define authorization levels.
Organizational Security
Authorization process for information processing facilities A management authorization process for new
information processing facilities should be established. Controls to be considered
User management, hardware and software compatibility, personal information processing facilities
Specialist information security advice Consultation by internal or external security specialists
at the onset of an incident. He/she will coordinate in-house knowledge and experience to ensure consistency.
Organizational Security
Co-operation between organizations Appropriate contacts with law enforcement authorities,
regulatory bodies, information service providers and telecommunications operators should be maintained
Membership of security groups and industry forums should be considered.
Exchanges of security information should be restricted to ensure that confidential information of the organization is not passed to unauthorized persons.
Independent review of information security The Information Security Policy should receive independent
reviews from a third party. (Internal auditor, manager or specializing third party)
Organizational Security
Security of third party access To maintain the security of organizational information
processing facilities and information assets accessed by third parties.
Identification of risks from third party access Two Types
1. Physical access, e.g. to offices, computer rooms, filing cabinets;2. Logical access, e.g. to an organization’s databases, information
systems. Reasons for access
Provide services to an organization and are not located on-site but may be given physical and logical access
Organizational Security
Security requirements in third party contractsGeneral InfoSec policy, Procedures and controls
for asset protection, Integrity and Availability, NDA, liability etc.
OutsourcingTo maintain the security of information when the
responsibility for information processing has been outsourced to another organization.
Organizational Security
Asset classification and control Accountability for assets
To maintain appropriate protection of organizational assets. All major information assets should be accounted for and
have a nominated owner. Accountability ensures appropriate protection is maintained. Owners should be identified for all major assets and the
responsibility for the maintenance of appropriate controls should be assigned.
Responsibility for implementing controls may be delegated. Accountability should remain with the nominated owner of
the asset.
Information Security Management System (ISMS) Manage and maintain secure information system
environment A framework to facilitate a relationship between processes and
products. Implementation and maintenance or process and procedures; and
must address the following, ID InfoSec needs Strategy to meet those needs Measurement of results Improving strategies over time
Approach must be Hollistic Human Technology Process
PDCA Model Applied to ISMS
Plan (establish the ISMS) Establish security policy, objectives, targets, processes and procedures
relevant to managing risk and improving information security to deliver results in accordance with an organization’s overall policies and objectives.
Do (implement and operate the ISMS) Implement and operate the security policy, controls, processes and
procedures. Check (monitor and review the ISMS)
Assess and, where applicable, measure process performance against security policy, objectives and practical experience and report the results to management for review.
Act (maintain and improve the ISMS) Take corrective and preventive actions, based on the results of the
management review, to achieve continual improvement of the ISMS.
PDCA Model Applied to ISMS
ISMS
Defining Scope and Relationships
Identifying Intangible Assets
ISMS
Process ISMS – security policy forms the basis of the process Two phase approach
Planning Implementation – the controls or guidelines as provided by ISO17799.
Assess whether the guidelines apply Third party audit
First step: pick a process Implement process ex. New employee screening Then check to see if all new employees are screened
Second step: check for compliance Plan-Do-Check-Act Iterative process that requires feedback Must be tailored to fit
ISMS
Product ISMSEvaluation of software products
Third party eval Software is subject to detailed series of tests Ex. TCSEC B2
For example, Class B2: ‘Structured Protection’ Trusted Oracle8i was evaluated EAL4 under the
Common Criteria (CC 2002)
ISMS Certified product categories – protection class/control area
ISMS – Protection Classes Implementation of the controls in each one of the ten
sections of ISO17799. You can define 4 classes of protection
Class 1: Inadequate protectionSections of a code-of-practice will be classified in this class if no effort was made by the organization to implement any of the recommended controls for their specific requirements. This is the lowest class. Certified products Do not have any influence on the classification of sections on this level.
Class 2: Minimal protectionIf minimal effort was put into implementing some of the recommended controls, it will be possible to classify some sections in this class. The same requirement as for Class 1 is applicable for the code-of-practice controls in some of the sections. Certified products do not have any influence on the classification of sections on this level either.
ISMS Class 3: Reasonable protection
The same requirement as for Class 2 is applicable for the code-of-practice controls in some of the sections. The majority of the sections must satisfy additional requirements based on implemented processes and procedures to prove that the recommended controls from the code-of-practice are implemented on a reasonable level. Some sections have an additional requirement for certified products to be used.
Class 4: Adequate protectionFor a section to be classified as adequately protected, it must be verifiable that considerable effort was made to implement the complete set of recommended controls for the section. This implies full compliance to a code-of practice for that specific section. Furthermore, the majority of sections have an additional requirement that certified products, in all the product categories, must be implemented to illustrate adequate protection. If there are no related product categories for an ISO17799 section, it is possible for that section to advance to this class in the absence of certified products.
ISMS Illustration of protection classes
ISO17799 A Blue Print
1. Client board decides to implement2. Senior Management must visually
commit to adopting the standard3. Decide InfoSec Policy4. InfoSec policy once adopted must
be furnished to all trained employees
5. Senior Mngmt then decides which business units will be offered up for certification
6. The orgs scope fo rthis project produces an SMS Scope Doc
7. The Risk Assessment (RA) is carried out for the Scope Doc(ID asset , threat , vuln.).= RA doc
8. Org decides risk approach and determines acceptable degree of risk
9. Org must decide to how to manage the id’d risk so that residual deg. of risk is within acceptable limits.
10. Once action, accountability and ownership are established, it is documented
11. Controls to required to reduce risk to acceptable levels are identified.
12. Controls selected from ISO17799 and documented
13. Selected controls must be traceable to the risk they address. This is documented in the Statement of Acceptibality (SoA)
Achieving ISO Compliance
ISO17799 A Blue Print
Sans Auditing Template
10 Areas of Audit1. Security Policy2. Organizational Security3. Asset Classification and Control4. Personnel Security5. Physical and Environmental Security6. Communications and Operations Management7. Access Control8. System Development and Maintenance9. Business Continuity Planning10. Compliance
36 Control Objectives 127 Controls
Sans Auditing Template
ISO17799: The world is not enough The standard's flexibility, however, is also its Achilles' heel. Critics
say ISO 17799 is too vague and too loosely structured to have any real value. In some cases, they charge, the standard could inadvertently give an organization a false sense of security.
Lawrence Walsh, Information Security Magazine Mile Wide and an Inch Deep
BSI says 7799 was never intended to be a technical standard. Unlike other security standards--such as the Commonly Accepted Security Practices and Regulations (CASPR) or ISO 15408/Common Criteria--ISO 17799 provides a broad, nontechnical framework for protecting information in any form.
No certification portion as in PII of BS17799 Meant for any organization: rarely is that possible Rarely attempts to provide guidance in evaluating or understanding
existing security measures. Doesn’t discuss pro’s and con’s of different controls No common sense advice (don’t enable all defaults) Expensive and short on methodology
Future of ISO17799
Most U.S. public companies will need to seriously manage the security of their information assets Tangible and intangible People, process, technology
ISO 17799 compliance will be necessary to play in many markets for U.S. information-intensive businesses
ISO 17799 certification will be a discriminator
Questions