2. Standards
ISO 27000 – Principles and vocabulary
ISO 27001 – ISMS requirements (BS 7799 Part 2)
ISO 27002 – (ISO/IEC 17799:2005)
ISO 27003 – ISMS implementation guidelines
ISO 27004 – ISMS metrics and measurement
ISO 27005 – ISMS risk management
ISO 27031 – ICT readiness for business continuity
BS 25999 – Business Continuity Management
4. British Standard BS25999
The BCM Lifecycle: BS 25999-1:2006
[Figure: BCM Programme Management at the centre of a continuous cycle of four stages]
- Understanding the organization
- Determining BCM strategy
- Developing & implementing BCM response
- Exercising, maintaining & reviewing
5. High-level BC & Security policy management
[Figure: policy-driven process linking the risk inputs below to the implemented plan]
Technical risk: assets, threats, vulnerability, influence, possibility of occurrence
Non-technical risk management
Implementation of the plan
Policy Driven Process
6. ISO 27004: Metrics & Measurement
ISO/IEC has a new project to develop an ISMS Metrics and Measurements Standard.
This development is aimed at addressing how to measure the effectiveness of ISMS implementations (processes and controls):
- Performance targets
- What to measure
- How to measure
- When to measure
7. ISO 27005: ISMS Risk Management
A new standard on ‘Information Security Risk Management’.
This standard is being drawn up by the DTI/Cabinet Office, with significant input from CSIA (Central Sponsor for Information Assurance).
Will be linked to MITS-2, a new management standard for ICT risk management.
Leverages ISO 13335-4.
8. 11 Key contexts of ISO 27001
[Figure: the eleven control areas, grouped as Organizational and Operational]
1. Security policy
2. Organizing security
3. Asset management
4. HR security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. Systems development and maintenance
9. Business continuity management
10. Compliance
11. Incident management
9. Risk Assessment & Management Process
[Figure: flow from asset identification through risk assessment into risk management]
Risk Assessment:
- Asset identification and valuation
- Identification of vulnerabilities
- Identification of threats
- Evaluation of impacts
- Business risks
- Review of existing security controls
- Rating/ranking of risks
Risk Management:
- Identification of new security controls
- Policy and procedures
- Implementation and risk reduction
- Risk acceptance (residual risk)
- Gap analysis
- Degree of assurance
10. Quantitative Risk Analysis
Two fundamental elements:
- probability of the event
- likely loss
‘Annual Loss Expectancy (ALE)’ or ‘Estimated Annual Cost (EAC)’
ALE or EAC is calculated by multiplying the potential loss by the probability.
Rank events in order of risk and set priorities accordingly.
Problems with quantitative risk analysis:
- it depends on data that is often unreliable and inaccurate
- probability estimates are not precise
- controls and countermeasures often tackle interrelated events
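The ALE ranking described above, as an added example that is not part of the original slides. The risk events and their loss and probability figures are constructed for illustration. Beyond the slide's formula, it also makes the "probability not precise" caveat explicit: each ALE is widened into an interval for a stated probability error, and the ranking is only reported as robust when adjacent intervals do not overlap.

```python
"""Quantitative risk analysis: ALE (or EAC) = potential loss x annual probability.

Added example (not from the slides). The event list is constructed for
illustration; no figure here comes from a real assessment.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class RiskEvent:
    name: str
    potential_loss: float   # loss if the event occurs once (currency units)
    probability: float      # expected occurrences per year; may exceed 1.0


def ale(event: RiskEvent) -> float:
    """Annual Loss Expectancy / Estimated Annual Cost of one event."""
    if event.potential_loss < 0 or event.probability < 0:
        raise ValueError(f"negative input for {event.name}")
    return event.potential_loss * event.probability


def rank_by_ale(events: List[RiskEvent]) -> List[RiskEvent]:
    """Events ordered from highest to lowest ALE, i.e. in priority order."""
    return sorted(events, key=ale, reverse=True)


def ale_interval(event: RiskEvent, uncertainty: float) -> Tuple[float, float]:
    """ALE range when the probability is only known to within +/- `uncertainty`
    (a fraction, e.g. 0.25 for +/-25%). The slides warn that probability data
    is not precise; this makes that imprecision explicit."""
    low = max(event.probability * (1.0 - uncertainty), 0.0)
    high = event.probability * (1.0 + uncertainty)
    return event.potential_loss * low, event.potential_loss * high


def ranking_is_robust(events: List[RiskEvent], uncertainty: float) -> bool:
    """True when adjacent events in the ranking have non-overlapping ALE
    intervals, so the priority order survives the stated probability error."""
    ranked = rank_by_ale(events)
    for higher, lower in zip(ranked, ranked[1:]):
        if ale_interval(higher, uncertainty)[0] < ale_interval(lower, uncertainty)[1]:
            return False
    return True


# Constructed sample events (illustrative values only).
EVENTS = [
    RiskEvent("Data centre fire", potential_loss=2_000_000, probability=0.02),
    RiskEvent("Ransomware on file server", potential_loss=250_000, probability=0.5),
    RiskEvent("Laptop theft", potential_loss=5_000, probability=12),
    RiskEvent("Billing fraud", potential_loss=80_000, probability=0.25),
]


def priority_names(events: List[RiskEvent] = EVENTS) -> List[str]:
    """Event names in priority order (highest ALE first)."""
    return [e.name for e in rank_by_ale(events)]


if __name__ == "__main__":
    for event in rank_by_ale(EVENTS):
        lo, hi = ale_interval(event, 0.25)
        print(f"{event.name:28s} ALE={ale(event):>10,.0f}  "
              f"(+/-25% probability: {lo:,.0f} .. {hi:,.0f})")
    print("ranking robust at +/-10%:", ranking_is_robust(EVENTS, 0.10))
    print("ranking robust at +/-25%:", ranking_is_robust(EVENTS, 0.25))
```

With these constructed inputs the order is ransomware, laptop theft, fire, fraud; the order holds at a 10% probability error but not at 25%, where laptop theft and fire can swap. That is the practical form of the slide's caveat: a ranking built on imprecise probabilities should be reported together with the error it can tolerate.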
11. Qualitative Risk Analysis
The most widely used approach to risk analysis.
Probability data is NOT required.
Makes use of the following interrelated elements:
- Threats: things that can go wrong or can ‘attack’ the system, e.g. fire or fraud.
- Vulnerabilities: conditions that make a system more prone to attack, e.g. a vulnerability for fire would be the presence of flammable materials (e.g. paper).
- Impact: the loss that results when a threat materialises, e.g. loss of reputation and interruption of business activity.
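The qualitative method described above, as an added example that is not part of the original slides. Threat, vulnerability and impact are each rated on an ordinal low/medium/high scale and combined through two lookup matrices, so no probability figure is ever needed. The matrices, the scale and the three scenarios (fire with flammable paper, fraud, power failure) are constructed for illustration; a real assessment would calibrate its own.

```python
"""Qualitative risk analysis: ordinal threat, vulnerability and impact levels
combined through lookup matrices, with no probability data required.

Added example (not from the slides). The matrices and scenarios are constructed
for illustration; an organisation would calibrate its own scales.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

LEVELS: Dict[str, int] = {"low": 1, "medium": 2, "high": 3}

# Likelihood that a threat actually causes an incident, indexed by
# (threat level, vulnerability level). A credible threat against a weakly
# exposed system, or vice versa, lands in the middle.
INCIDENT_LIKELIHOOD: Dict[Tuple[int, int], int] = {
    (1, 1): 1, (1, 2): 1, (1, 3): 2,
    (2, 1): 1, (2, 2): 2, (2, 3): 3,
    (3, 1): 2, (3, 2): 3, (3, 3): 3,
}

# Risk rating indexed by (incident likelihood, impact), both 1..3.
RISK_RATING: Dict[Tuple[int, int], str] = {
    (1, 1): "low",    (1, 2): "low",    (1, 3): "medium",
    (2, 1): "low",    (2, 2): "medium", (2, 3): "high",
    (3, 1): "medium", (3, 2): "high",   (3, 3): "high",
}


@dataclass(frozen=True)
class Scenario:
    threat: str               # what can go wrong, e.g. fire or fraud
    threat_level: str         # how credible/frequent the threat is (ordinal label)
    vulnerability: str        # what makes the system prone to it
    vulnerability_level: str
    impact: str               # the resulting loss
    impact_level: str


def level(label: str) -> int:
    """Map an ordinal label to its rank; unknown labels are rejected, not guessed."""
    try:
        return LEVELS[label.strip().lower()]
    except KeyError:
        raise ValueError(f"unknown level {label!r}; expected one of {sorted(LEVELS)}") from None


def rate(scenario: Scenario) -> str:
    """Risk rating of one scenario via the two matrices above."""
    likelihood = INCIDENT_LIKELIHOOD[(level(scenario.threat_level),
                                      level(scenario.vulnerability_level))]
    return RISK_RATING[(likelihood, level(scenario.impact_level))]


def rank(scenarios: List[Scenario]) -> List[Tuple[str, str]]:
    """(threat, rating) pairs, highest rating first; ties keep input order."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(((s.threat, rate(s)) for s in scenarios), key=lambda pair: order[pair[1]])


# Constructed scenarios following the slide's threat / vulnerability / impact split.
SCENARIOS = [
    Scenario("Fire", "low", "Flammable paper stored in the server room", "high",
             "Interruption of business activity", "high"),
    Scenario("Fraud", "medium", "Single-person approval of payments", "medium",
             "Financial loss and loss of reputation", "medium"),
    Scenario("Power failure", "high", "UPS and generator in place", "low",
             "Short interruption only", "low"),
]

if __name__ == "__main__":
    for threat, rating in rank(SCENARIOS):
        print(f"{threat:14s} {rating}")
```

Note that a low-likelihood threat (fire) still ranks highest because the vulnerability and impact are both high; that is exactly the kind of judgement the qualitative approach is meant to capture without a probability estimate.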
16. Complexity: Increased Risk
“The future of digital systems is complexity, and complexity is the worst enemy of security.”
Bruce Schneier, Crypto-Gram Newsletter, March 2000
17. Complexity and Risk
More complexity, more security flaws.
Complexity & Reliability Risk:
1–10   Simple procedure, little risk
11–20  More complex, moderate risk
21–50  Complex, high risk
>50    Untestable, VERY HIGH RISK
Complexity & Bad Fix Probability
Essential Complexity (Unstructuredness) & Maintainability (future Reliability) Risk:
1–4    Structured, little risk
>4     Unstructured, high risk
Structural Analysis … Providing Actionable Metrics
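The slide gives risk bands without saying how the complexity number is obtained. Assuming (my reading, not stated on the slide) that these are McCabe cyclomatic complexity thresholds, the added example below, which is not part of the original slides, computes cyclomatic complexity for each function in a Python source file and maps it onto the slide's reliability-risk bands. The sample source is constructed; the essential-complexity bands are not implemented, since that metric needs a structured-reduction pass this example does not attempt.

```python
"""Cyclomatic complexity per function, mapped onto the slide's risk bands.

Added example (not from the slides). Counts decision points the way most
McCabe-style tools do: if/elif, loops, except handlers, conditional
expressions, comprehension clauses, and each extra operand of a boolean
expression. Nested functions are counted inside their enclosing function
as well as on their own.
"""
import ast
from typing import Dict, List, Tuple

DECISION_NODES = (ast.If, ast.IfExp, ast.For, ast.AsyncFor, ast.While, ast.ExceptHandler)


def cyclomatic_complexity(func: ast.AST) -> int:
    complexity = 1  # one linear path before any branch
    for node in ast.walk(func):
        if isinstance(node, DECISION_NODES):
            complexity += 1
        elif isinstance(node, ast.BoolOp):
            complexity += len(node.values) - 1   # a and b or c -> two decisions
        elif isinstance(node, ast.comprehension):
            complexity += 1 + len(node.ifs)      # the `for` plus each `if` clause
    return complexity


def risk_band(complexity: int) -> str:
    """The slide's 'Complexity & Reliability Risk' bands."""
    if complexity <= 10:
        return "simple procedure, little risk"
    if complexity <= 20:
        return "more complex, moderate risk"
    if complexity <= 50:
        return "complex, high risk"
    return "untestable, VERY HIGH RISK"


def function_complexities(source: str) -> Dict[str, int]:
    tree = ast.parse(source)
    return {node.name: cyclomatic_complexity(node)
            for node in ast.walk(tree)
            if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef))}


def report(source: str) -> List[Tuple[str, int, str]]:
    """(function, complexity, band), most complex first."""
    rows = [(name, c, risk_band(c)) for name, c in function_complexities(source).items()]
    return sorted(rows, key=lambda r: -r[1])


# Constructed sample input: a small request validator with several branches.
SAMPLE_SOURCE = '''
def parse_header(line):
    if not line:
        return None
    key, _, value = line.partition(":")
    return key.strip(), value.strip()


def validate_request(req):
    errors = []
    if req.get("method") not in ("GET", "POST"):
        errors.append("method")
    if "host" not in req or not req["host"]:
        errors.append("host")
    for name, value in req.get("headers", {}).items():
        if len(name) > 64 or len(value) > 1024:
            errors.append(name)
        elif not value.isprintable():
            errors.append(name)
    try:
        int(req.get("content-length", "0"))
    except ValueError:
        errors.append("content-length")
    while errors and errors[-1] == "":
        errors.pop()
    return [e for e in errors if e]
'''

if __name__ == "__main__":
    for name, complexity, band in report(SAMPLE_SOURCE):
        print(f"{name:18s} {complexity:3d}  {band}")
```

Run against real code, the output is a per-function list that can be tracked release over release; functions drifting into the 21–50 band are the ones whose fixes are most likely to introduce new defects, which is the "bad fix probability" point the slide makes.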
20. Can you afford it?
eBay – 12 June 1999 outage: 22 hrs. Cause: operating system failure. Cost: $3 million to $5 million revenue hit; 26% decline in stock price.
AT&T – 13 April 1998 outage (frame relay): 6 to 26 hrs. Cause: software upgrade. Cost: $40 million in rebates; forced to file SLAs with the FCC.
MCI – August 1999 frame relay outage: 10 days. Cause: software upgrade. Cost: up to 20 days free service to 3,000 enterprises.
Hershey Foods – September 1999 system failures. Cause: application rollout. Cost: delayed shipments; 12% decrease in 3Q99 sales; 19% drop in net income from 3Q98.
Dev. Bank of Singapore – 1 July 1999 to August 1999: processing errors; incorrect debiting of POS due to a system overload. Cost: embarrassment/loss of integrity; interest charges.
Charles Schwab & Co. – 24 February 1999 through 21 April 1999: 4 outages of at least 4 hrs. Cause: upgrades/operator errors. Cost: ???; announced that it had made a $70 million new infrastructure investment.
Causes of Unplanned Application Downtime (chart):
- Operator errors: 40%
- Application failures: 40%
- Technology failures: 20%
22. Impact of Disaster
[Figure: $ impact ($millions to $billions) against time (minutes to days) for the four impact categories below; some impacts grow at a constant rate while others increase exponentially with the length of the outage]
Productivity (productivity/employees): number of employees impacted × hours out × burdened hourly cost = ?
Revenue (direct financial/customer): direct loss, compensatory payment, lost future revenues, billing losses and investment losses
Damaged reputation: customers, competitors gain advantage, suppliers, financial markets, business partners
Governance & performance: revenue recognition, cash flow, credit rating, stock price, regulatory fines
Indirect impact of downtime can be far more severe and unpredictable.
26. Processes – Business Continuity Management
- Business Continuity Assessments / Audits
- Risk Analysis
- Business Impact Analysis
- Continuity Strategies
- Business Continuity Testing
- Awareness and Training
30. Risk = Application Prioritization
Application Priority Rating | Recovery Time Objective | Recovery Requirements
AAA | 0–6 hours | Disaster Recovery needed: restoration at a geographically remote data center. Local failover should also be considered.
AA | 6–12 hours | Disaster Recovery needed: restoration at a geographically remote data center. Local failover should also be considered.
A | 12–24 hours | Disaster Recovery needed: restoration at a geographically remote data center. Local failover should also be considered.
B | 24–48 hours | Local failover, Disaster Recovery
C | 48–96 hours | Scheduled/Delayed Recovery
D | Recovery in 1 week | Scheduled/Delayed Recovery
E | Recovery when resources permit | Scheduled/Delayed Recovery
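The prioritization table above, as an added example that is not part of the original slides. It assigns each application its priority rating from the RTO produced by the business impact analysis, and then performs the gap analysis step from the risk management process: comparing the RTO with the recovery time actually demonstrated in the last test. The tier bounds come from the table; the convention that an RTO exactly on a boundary (say 6 hours) takes the higher tier, the use of 168 hours for "1 week", and the sample applications are my assumptions.

```python
"""Application priority tiers from Recovery Time Objective (RTO), plus a
recovery-gap check against what the current setup has actually demonstrated.

Added example (not from the slides). Tier boundaries follow the slide's table;
the boundary convention and the sample applications are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

REMOTE_DR = ("Disaster Recovery needed: restoration at a geographically remote "
             "data center. Local failover should also be considered.")

# (rating, upper RTO bound in hours, or None for "when resources permit", requirement)
TIERS: List[Tuple[str, Optional[float], str]] = [
    ("AAA", 6, REMOTE_DR),
    ("AA", 12, REMOTE_DR),
    ("A", 24, REMOTE_DR),
    ("B", 48, "Local failover, Disaster Recovery"),
    ("C", 96, "Scheduled/Delayed Recovery"),
    ("D", 168, "Scheduled/Delayed Recovery"),     # recovery within 1 week (assumed 168 h)
    ("E", None, "Scheduled/Delayed Recovery"),    # recovery when resources permit
]


@dataclass(frozen=True)
class Application:
    name: str
    rto_hours: Optional[float]         # from the business impact analysis; None = no fixed RTO
    achievable_hours: Optional[float]  # recovery time shown in the last test; None = never tested


def rating_for_rto(rto_hours: Optional[float]) -> str:
    """Priority rating for an RTO; an RTO on a boundary takes the higher tier (assumption)."""
    if rto_hours is None:
        return "E"
    if rto_hours < 0:
        raise ValueError("RTO cannot be negative")
    for rating, bound, _ in TIERS:
        if bound is not None and rto_hours <= bound:
            return rating
    return "E"


def requirement_for(rating: str) -> str:
    return next(req for r, _, req in TIERS if r == rating)


def recovery_gap(app: Application) -> Optional[float]:
    """Hours by which demonstrated recovery misses the RTO: 0 when met, None when
    the application was never tested (an unknown to flag, not to assume met)."""
    if app.rto_hours is None:
        return 0.0
    if app.achievable_hours is None:
        return None
    return max(0.0, app.achievable_hours - app.rto_hours)


def prioritize(apps: List[Application]) -> List[Tuple[str, str, Optional[float]]]:
    """(rating, name, gap) ordered by tier (AAA first), then worst gap first;
    untested applications sort ahead of any known gap in the same tier."""
    tier_order = {rating: i for i, (rating, _, _) in enumerate(TIERS)}
    rows = [(rating_for_rto(a.rto_hours), a.name, recovery_gap(a)) for a in apps]
    worst_first = lambda gap: -(gap if gap is not None else float("inf"))
    return sorted(rows, key=lambda r: (tier_order[r[0]], worst_first(r[2])))


# Constructed sample inventory (illustrative values only).
APPLICATIONS = [
    Application("Payments gateway", rto_hours=4, achievable_hours=10),
    Application("Customer CRM", rto_hours=20, achievable_hours=18),
    Application("Payroll", rto_hours=72, achievable_hours=96),
    Application("Intranet wiki", rto_hours=None, achievable_hours=None),
    Application("Order entry", rto_hours=6, achievable_hours=None),
]

if __name__ == "__main__":
    for rating, name, gap in prioritize(APPLICATIONS):
        status = "UNTESTED" if gap is None else ("ok" if gap == 0 else f"gap {gap:.0f} h")
        print(f"{rating:3s} {name:18s} {status:12s} {requirement_for(rating)}")
```

The ordering puts the highest tier first and, within a tier, the applications whose demonstrated recovery is furthest from the RTO; an AAA application that has never been tested ranks ahead of one with a known gap, because an unmeasured recovery time is the larger risk.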
35. Response and Risk approach
Risk Management and Business Controls
[Figure: three escalating levels of response, ordered by impact]
- Events: assess the impact of events & implement appropriate controls
- Incidents: monitor & resolve at the appropriate level using processes (Incident Management Process)
- Crises: monitor & resolve the “critical few” with the crisis management team (Crisis Management Process)
37. Social Engineering Risk
“… 70 percent of those asked said they would reveal their computer passwords for a … bar of chocolate”
Schrage, Michael. 2005. Retrieved from http://www.technologyreview.com/articles/05/03/issue/review_password.asp?p=1
38. Framework must address Risk
[Figure: relationships between Threats, Vulnerabilities, Assets, Risks, Business Impact, Security Requirements and Controls]
- Threats exploit Vulnerabilities
- Vulnerabilities expose Assets
- Threats and Vulnerabilities increase Risks
- Risks increase Business Impact
- Assets have Business Impact
- Risks indicate Security Requirements
- Security Requirements are met by Controls
- Controls protect against Threats and reduce Risks
39. Example: Top SCADA Risks
[Figure: bar chart from the SCADA Security Survey, May 2005; number of responses (n=35) on a 0–30 scale for each of the risks below]
- Unauthorized manipulation of components, switches, breakers, etc. from the SCADA system
- Denial of service to SCADA system
- Disaster recovery
- Software / patch management
- Operating system vulnerabilities
- Vandalism or sabotage (electronic)
- Computer viruses, worms, Trojan horses, zero-day attacks
- Remote access/VPN
40. Integration of Logical and Physical
[Figure: Business Security Management encompassing both Physical Security Management and ICT Security Management]