April 14, 2010
John Snare, Chair, Standards Australia Committee IT/12/4
• ISO/IEC 27001 ISMS
• ISO/IEC 27002 (was 17799) controls
• Risk management (ISO 31000)
• Industry-specific standards: banking, health, transport, telecommunications
• Risk management implementation guides
• Evaluation criteria (ISO/IEC 15408)
• Mechanisms and types of control
• Management perspective
• Technical perspective
• The need for standards is international; there are very few purely national information security standards
• Standards Australia is responsible for Australian input to the ISO/IEC standards development committees
• A local, broadly representative committee of experts prepares the Australian input by consensus
• ISO/IEC committees meet regularly to consider national body input
• The development cycle takes about three years, based on progressively refined drafts issued every six months or so
This is a surprisingly tricky question!
◦ Hazards?
◦ Resilience?
◦ Business continuity?
◦ US Treadway Commission?
• Risk: the effect of uncertainty on objectives
◦ It is often expressed in terms of a combination of the probability of events and their consequences
• Risk management: coordinated activities to direct and control an organization with regard to risk
• Kinds of risk: business risk, market risk, finance risk, currency risk, project risk, legal risk, security risk, …
• Stakeholders: customers, line management, senior management, company boards, business partners
• Special considerations for security risk
◦ Outcomes are always negative (there is no upside)
◦ There are typically many, many of them
◦ Major effort is devoted to preventive controls, but recovery controls should not be neglected
ISO 31000 is built on three elements: principles, framework, process.

Principles:
a. Risk management creates and protects value
b. Risk management is an integral part of all organizational processes
c. Risk management is part of decision making
d. Risk management explicitly addresses uncertainty
e. Risk management is systematic, structured and timely
f. Risk management is based on the best available information
g. Risk management is tailored
h. Risk management takes human and cultural factors into account
i. Risk management is transparent and inclusive
j. Risk management is dynamic, iterative, and responsive to change
k. Risk management facilitates continual improvement of the organization
Framework (a continuous cycle):
• Mandate & commitment
• Design of framework
1. Understanding the organization & its context
2. Establishing risk management policy
3. Accountability
4. Integration into organizational processes
5. Resources
6. Internal and external communication & reporting mechanisms
• Implementing risk management
1. Implementing the framework
2. Implementing the processes
• Monitoring & review
• Continual improvement
Process:
• Establish context: internal, external, risk management context, risk criteria
• Assess risks: identify risks, analyse risks, evaluate risks
• Treat risks: identify options, evaluate options, select options, prepare plans, implement plans
• Throughout all steps: communicate and consult; monitor and review
The ISMS development, maintenance and improvement cycle (Plan–Do–Check–Act):
• Plan: establish the ISMS
• Do: implement and operate the ISMS
• Check: monitor and review the ISMS
• Act: maintain and improve the ISMS
Input from interested parties: information security requirements and expectations. Output to interested parties: managed information security.
ISO/IEC 27001 – ISMS Requirements
• An infosec risk management system
◦ Establishing and managing an ISMS
◦ Documentation requirements
◦ Management responsibility
◦ Internal audits
◦ Management reviews
◦ Improvement

The ISO/IEC 27000 family (CD = committee draft, WD = working draft, as at April 2010):
• ISO/IEC 27000 Overview and vocabulary
• ISO/IEC 27001 Information security management systems – Requirements
• ISO/IEC 27002 A code of practice for information security management
• ISO/IEC 27003 Implementation guidance
• ISO/IEC 27004 Information security management – Measurements
• ISO/IEC 27005 Information security risk management
• ISO/IEC 27006 Requirements for ISMS certifying bodies
• CD 27007 Guidelines for ISMS auditing
• WD 27008 Guidance for auditors on ISMS controls
• WD 27014 Information security governance
• WD 27010 Inter-sector and inter-organizational communications
• ISO/IEC 27011 Guidelines for telecommunications
• WD 27013 Integrated implementation of 27001 and 20000-1
• WD 27015 Guidelines for the financial and insurance services sector
ISO/IEC 27002 control areas:
◦ Risk assessment & treatment
◦ Security policy
◦ Organisation of information security
◦ Asset management
◦ Human resources security
◦ Physical and environmental security
◦ Communications and operations management
◦ Access control
◦ Information system acquisition, development & maintenance
◦ Information security incident management
◦ Business continuity management
◦ Compliance

Related standards in development (FCD = final committee draft, CD = committee draft, WD = working draft, xD = various draft stages):
• FCD 27031 ICT readiness for business continuity
• CD 27032 Guidelines for cyber security
• xD 27033 Network security (six parts)
• xD 27034 Application security (five parts)
• WD 27035 Information security incident management
• WD 27036 Security in outsourcing
• WD 27037 Guidelines for identification, collection and/or acquisition of digital evidence
ISO/IEC 15408 and related work:
• Criteria – often called the ‘Common Criteria’
• Methodology
• Protection profiles
• Development of secure systems, with a view to evaluation, or leveraging the Common Criteria
• SSE-CMM (Systems Security Engineering Capability Maturity Model)
• Vulnerability reporting
Standards mapped against the infosec lifecycle (potential or emerging infosec issues → known infosec issues → infosec breaches & compromises):
• ICT readiness for business continuity (27031)
• Cyber security (27032)
• Selection, deployment & operation of IDS (18043)
• Information security incident management (27035)
• ICT disaster recovery services (24762)
• Network security (27033 parts 1-7)
• ICT application security (27034 parts 1-5)
• Security information objects for access control (15816)
• Security of outsourcing (27036)
• TTP services security (14516, 15945)
• Time stamping services (29149)
• Identification, collection and/or acquisition, and preservation of digital evidence (27037)
• Identity management: framework, authentication assurance, access management
• Privacy: framework, architecture, capability maturity model
• Biometrics: biometric template protection, authentication context for biometrics, biometric evaluation
Information security governance is tackled in the 27014 project
◦ Aligned with ISO/IEC 38500 (Corporate governance of IT)
Challenges
◦ Governance is as much a buzz-word as a defined term
◦ The relationship between management and governance
◦ The relationship between risk management and governance
◦ The relationships between various aspects of governance
◦ Responsibility and accountability
Summary
• Introduced ISO 31000 (Risk Management)
◦ Principles
◦ Framework
◦ Process
• Discussed infosec risk treatment
◦ With emphasis on existing and prospective standards
• Touched on governance of infosec
◦ Where the debate about the place of risk management continues