Date post: 09-Apr-2018
8/7/2019 ISO-IEC_27002_2005
Principles and fundamentals of security methodologies of information systems - Information Security Policy
M2SSIC-Metz
Pascal Steichen
M2SSIC-Metz () Principles and fundamentals of security methodologies of information systems - Informatio
Pascal Steichen 1 / 38
1 Information security policy
2 ISO/IEC 27002:2005
3 Control Framework
4 Producing the policy - good practices
5 Conclusion - summary
Information security policy

To protect its assets (information and systems) on a daily basis an organisation has to organise its security by documenting, in a security policy, the countermeasures or controls that protect the confidentiality, integrity and availability of those assets, with the prime goal of managing and reducing its risks.

Asset: anything that has value to the organization. (ISO/IEC 13335-1:2004)

Control: means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of administrative, technical, management, or legal nature. NOTE: Control is also used as a synonym for safeguard or countermeasure. (ISO/IEC 27002:2005)
Information security policy

An information security policy:
- defines the business rules, principles and standards that set out the organisation's approach to managing information security,
- provides management direction and support for information security in accordance with business requirements and relevant laws and regulations,
- defines the control objectives and controls intended to be implemented to meet the requirements identified by a risk assessment,
- needs approval by the highest level of management.
Why is an ISP important?

Because an information security policy:
- is the reference base for information processing rules and practices,
- provides management support, and is published and communicated to all employees and relevant external parties,
- provides a structured and methodical approach to information security,
- integrates the business dimension,
- takes into account human, organisational as well as technical aspects,
- is based on the real operational situation of the organisation,
- limits costs and optimises return on investment (ROI).
Beforehand...

It is essential that an organization identifies its security requirements. There are three main sources of security requirements:
- One source is derived from assessing risks to the organization:
  Risk = Vulnerability * Threat * Impact
  (the product form expresses that risk vanishes when any factor is absent: a threat with no exploitable vulnerability, or a vulnerability whose exploitation has no impact, creates no risk).
- Another source is the legal, statutory, regulatory, and contractual requirements that an organization, its trading partners, contractors, and service providers have to satisfy, and their socio-cultural environment.
- A further source is the particular set of principles, objectives and business requirements for information processing that an organization has developed to support its operations.
ISO/IEC 27002:2005

THE reference document about information security policies is ISO/IEC 27002:2005 - Information technology - Security techniques - Code of practice for information security management (formerly known as ISO/IEC 17799 and, before that, BS 7799).
Scope

This International Standard establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined in this International Standard provide general guidance on the commonly accepted goals of information security management.

The control objectives and controls of this International Standard are intended to be implemented to meet the requirements identified by a risk assessment. This International Standard may serve as a practical guideline for developing organizational security standards and effective security management practices and to help build confidence in inter-organizational activities.
Security Policy

The policy document should contain statements concerning:
- a definition of information security, its overall objectives and scope and the importance of security as an enabling mechanism for information sharing;
- a statement of management intent, supporting the goals and principles of information security in line with the business strategy and objectives;
- a framework for setting control objectives and controls, including the structure of risk assessment and risk management;
- a brief explanation of the security policies, principles, standards, and compliance requirements of particular importance to the organization, including:
  - compliance with legislative, regulatory, and contractual requirements;
  - security education, training, and awareness requirements;
  - business continuity management;
  - consequences of information security policy violations;
- a definition of general and specific responsibilities for information security management, including reporting information security incidents;
- references to documentation which may support the policy, e.g. more detailed security policies and procedures for specific information systems or security rules users should comply with.

The policy should be reviewed at planned intervals or if significant changes occur, to ensure its continuing suitability, adequacy and effectiveness.
Organizing Information Security
- Management commitment to information security
- Information security co-ordination (CISO / RSSI, Responsable de la sécurité des systèmes d'information)
- Allocation of information security responsibilities (data owners)
- Confidentiality or non-disclosure agreements (reflecting the organization's needs)
- Contact with authorities and special interest groups
- Independent review of information security
- External parties (customers, partners, third parties...)
Asset Management
- Responsibility for assets
- Information classification
Human Resources Security
- Roles and responsibilities
- Screening
- Terms and conditions of employment
- Information security awareness, education, and training
- Disciplinary process
- Termination
  - Return of assets
  - Removal of access rights
Physical and Environmental Security
- Physical security perimeter and areas
- Equipment security
- Security of equipment off-premises
- Secure disposal or re-use of equipment
Communications and Operations Management
- Change management
- Separation of development, test, and operational facilities
- Third party service delivery management
- Protection against malicious and mobile code
- Back-up
- Network security management
- Management of removable media
- Information exchange policies and procedures
- Electronic messaging
- On-line transactions
- Publicly available information
- Monitoring
Access Control
User access management
User password management
Clear desk and clear screen policy
Network access control
User authentication for external connections
Segregation in networks
Operating system access control
User identification and authentication
Password management system
Mobile computing and communications
Information Systems Acquisition, Development and Maintenance
Security requirements analysis and specification
Correct processing in applications
Cryptographic controls
Security in development and support processes
Technical Vulnerability Management
Information Security Incident Management
Reporting information security events and weaknesses
Management of information security incidents and improvements
Business Continuity Management
Developing and implementing continuity plans including information security
Compliance
Compliance with legal requirements
Intellectual property rights (IPR)
Data protection and privacy of personal information
Compliance with security policies and standards and technical compliance
Information systems audit
Control Framework
The control framework provides the routine response to known risks as part of the information security process, by combining the following, to mitigate those known risks to an acceptable level:
security policies,
procedures,
standards
and architecture.
The meaning of acceptable will vary from organisation to organisation:
there is no preset control framework for your organisation,
ISO/IEC 27002:2005 (or others) are only guides that need to be adapted.
A typical control framework can be broken down into the following components:
The Policies (policy statements).
The Procedures.
(Guidelines & Work instructions)
The Standards.
(Security architectures).
Other documentation.
Policy statements
These are the high-level (strategic) documents, generally addressing a number of controls (often structured according to the 11 chapters of the 27002), spread across various areas of activity.
Example: Access control Policy (chap. 11 of 27002)
Procedures
Procedures further detail aspects of the policy statements, describing
realistic processes,
covering daily management activities
and defining responsibilities.
Example: Remote Access Control Procedure (part of chap. 11.4 of 27002)
Guidelines & Work instructions
Sometimes, procedures don't provide enough detail to get the job done. This is particularly true for highly complex tasks that require detailed step-by-step instructions.
Work instructions provide more detail. As a consequence, such instructions are often tightly bound to a particular implementation.
Guidelines are useful for providing advice in a less formal way - there is no requirement to sign-off guidelines.
Example: Access Control Instructions for mobile devices
Standards
Information security standards translate policy/procedure requirements into operational instructions.
Example: List of authorized remote access mechanisms/tools
Security architectures
Most medium and large organisations have a complex IT infrastructure that has evolved over time.
Each of these systems has an associated security model.
The goal of a security architecture is to combine processes and tools into a framework that mitigates risk.
Example: Remote Access Architecture
Other documentation
Examples of the types of documents that the department will be involved with include:
Legal & regulatory documentation, including contracts
Security monitoring data and security reports
Log files, access control lists (physical and/or logical)
Project plans and status reports
Financial plans and budgets
Vendor-related documentation and licences
Documentation owned by other operational units
DOs and DON'Ts
DO:
Keep the volume of documentation down to a strict minimum.
Check regularly to see that documentation is being used.
Ensure that documents are reviewed and approved by all concerned parties.
Take time to organise the way documents are stored and retrieved: create a well-structured set of directories.
DON'T:
Try to document everything.
Document material that is already in user guides (e.g. successive screenshots).
Try to have sign-off on everything! Restrict yourself to approving key documents.
Use documents to communicate when you should be talking face-to-face.
Producing the policy - good practices
Don't Become a Paper Dragon
Involving The Right People
it is important to involve all concerned parties from the start.
Policies must respect the company culture.
Producing the policy - good practices
NEVER develop policy statements in isolation.
Consider working in an iterative fashion, asking for feedback at each step.
Using skeleton documents can be very effective. Start with section titles and a rough description of what needs to go in each section.
Circulate for comments and suggestions.
Flesh the policy out section by section.
Use open questions and provide alternatives.
Listen to people's objections and encourage them to identify solutions to their own issues.
Producing the policy - good practices
Planning - Producing a policy statement is a strategic objective.
The different types of activity need to be identified, prioritised and estimated.
Roles and responsibilities for the project need to be defined and agreed with those concerned.
Resources from other areas need to be reserved in advance.
Dependencies and possible contention for resources need to be identified up front.
Decision points need to be clearly identified.
This should all be summarised in a formal project plan.
Aim for milestones at regular intervals to show progress.
Sign-Off is Critical
Management Sign-Off: It is a good idea to include a statement from the executive board that supports the policy and explains any consequences of not adhering to it.
Producing the policy - good practices
Publication
Diffusion
Publish on the company intranet.
Use mouse mats, posters, ...
Think about interactive methods.
Prepare via awareness raising actions.
Conclusion - summary
A global information security process/approach can follow these steps:
1 Risk assessment/analysis
2 Awareness raising campaign
3 Security policy
4 ISMS (Information Security Management System)
5 ISMS - Certification