Focused on Security. Committed to Success.




Implementing a Security Framework
Based on ISO/IEC 27002

Presented by: Michael Leung, CRISC, CGEIT, CISM, CISA, CISSP-ISSMP
Date: February 24, 2011
Table of Contents
 Implementing a Security Framework based on ISO/IEC 27002


 • Sections of ISO/IEC 27002 Code of Practice
 • ISO 27002 Scope of Assessment
 • Maturity Model
 • Policy Framework & Governance
 • Benchmarking & Comparison
 • The Start of the Journey
 • The Next Steps
 • Information Security Job Practice


ISO/IEC 27002 Code of Practice
              Sections of ISO/IEC 27002 Code of Practice
                0     Introduction
                1     Scope
                2     Terms and Definitions
                3     Structure of this Standard
                4     Risk Assessment and Treatment
                5     Security Policy
                6     Organization of Information Security
                7     Asset Management
                8     Human Resource Security
                9     Physical and Environmental Security
               10     Communications and Operations Management
               11     Access Control
               12     Information Systems Acquisition, Development and Maintenance
               13     Information Security Incident Management
               14     Business Continuity Management
               15     Compliance

ISO 27002 Scope of Assessment
Maturity Model (ref: COBIT 4.1)




Maturity Model (ref: COBIT 4.1 Appendix)

Maturity Level 0 - Non-existent
Status of the Internal Control Environment: There is no recognition of the need for internal control. Control is not part of the organization’s culture or mission. There is a high risk of control deficiencies and incidents.

ISO Maturity Level 0-1: Practice not yet in existence.

Maturity Level 1 - Initial/ad hoc
Status of the Internal Control Environment: There is some recognition of the need for internal control. The approach to risk and control requirements is ad hoc and disorganized, without communication or monitoring. Deficiencies are not identified. Employees are not aware of their responsibilities.

ISO Maturity Level 1-2: Practice does not fully achieve ISO objectives; however, efforts are underway.

Maturity Level 2 - Repeatable but Intuitive
Status of the Internal Control Environment: Controls are in place but are not documented. Their operation is dependent on knowledge and motivation of individuals. Effectiveness is not adequately evaluated. Many control weaknesses exist and are not adequately addressed; the impact can be severe. Management actions to resolve control issues are not prioritized or consistent. Employees may not be aware of their responsibilities.

ISO Maturity Level 2-3: Practice achieves ISO objectives; however, the program isn’t documented or universally effective or understood.

Maturity Level 3 - Defined
Status of the Internal Control Environment: Controls are in place and are adequately documented. Operating effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the evaluation process is not documented. Whilst management is able to deal predictably with most control issues, some control weaknesses persist and impacts could still be severe. Employees are aware of their responsibilities for control.

ISO Maturity Level 3-4: Practice achieves and documents ISO objectives; however, the program isn’t universally effective or understood.

Maturity Level 4 - Managed & Measurable
Status of the Internal Control Environment: There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of technology is applied to automate controls.

ISO Maturity Level 4-5: Practice achieves ISO objectives, is documented and is universally effective and understood.

Maturity Level 5 - Optimized
Status of the Internal Control Environment: An enterprise wide risk and control program provides continuous and effective control and risk issues resolution. Internal control and risk management are integrated with enterprise practices, supported with automated real-time monitoring with full accountability for control monitoring, risk management and compliance enforcement. Control evaluation is continuous, based on self-assessments and gap and root cause analyses. Employees are proactively involved in control improvements.
Policy Framework & Governance

Information Security Management Policy & Framework

Information Security Corporate Policy – Table of Contents (For Board Approval)
A. Organization of Information Security
B. Asset Management
C. Human Resources
D. Physical & Environmental Security
E. Communications & Operations Management
F. Access Control
G. Information System Acquisition, Development & Maintenance
H. Information Security Incident Management
I. Business Continuity Management
J. Compliance
Policy Framework & Governance

Corporate Policies - delegation of authority from the Board of Directors to Management at the executive level. The high level statement of management’s intent, expectations and direction. Corporate Policies provide the Framework and Governance of Information Security.

Directives - support the Corporate Policies by providing more focused, detailed information.

Standards - are the metrics forming a technical requirement that must be met in order to meet the terms of the Corporate Policy.

Guidelines - contain information that will be helpful in executing the procedures.

Procedures – step by step instructions.

Approval levels (from the diagram):
Information Security Corporate Policy – Corporate Policies – Board Approval
Operational Level “policies” or standards – Sr. Exec Committee or other approval
Operational Level procedures or guidelines
Policy Framework & Governance

                            Information Security Corporate Policy
                                      Table of Contents
               A. Organization of Information Security


               B. Asset Management


               C. Human Resources Security


               D. Physical & Environmental Security


               E. Communications & Operations Management


               F. Access Control


               G. Information Systems Acquisition, Development & Maintenance


               H. Information Security Incident Management


               I. Business Continuity Management


               J. Compliance




Ratings for Benchmarking & Comparison

ISO Maturity Model Ratings
 • Policy
 • People
 • Process
 • Technology
Ratings for Benchmarking & Comparison


              A. Organization of Information Security


              B. Asset Management


              C. Human Resources Security


              D. Physical & Environmental Security


              E. Communications & Operations Management


              F. Access Control


              G. Information Systems Acquisition, Development & Maintenance


              H. Information Security Incident Management


              I. Business Continuity Management


              J. Compliance




Ratings for Benchmarking & Comparison

A. Organization of Information Security – x.x
B. Asset Management – x.x
C. Human Resources Security – x.x
D. Physical & Environmental Security – x.x
E. Communications & Operations Management – x.x
F. Access Control – x.x
G. Information Systems Acquisition, Development & Maintenance – x.x
H. Information Security Incident Management – x.x
I. Business Continuity Management – x.x
J. Compliance – x.x
(Example only)
Return on Security Posture Investment (ROSPI) Methodology

Internet Security Alliance July 2002/Data from Dr. William M. Hancock




The Start of the Journey
•   Addressing Other Audits & Assessments
•   Assessment of Scope – Risk Registrar
•   Risk Assessment & Treatment
•   Tracking & Reporting
Addressing Other Audits & Assessments
Assessment of Scope – Risk Registrar
Risk Assessment & Treatment

4.1 Assessing Security Risks
Risk assessments should identify, quantify, and prioritize risks against criteria for risk acceptance and objectives relevant to the organization.

4.2 Treating Security Risks
Before considering the treatment of a risk, the organization should decide criteria for determining whether or not risks can be accepted. Risks may be accepted if, for example, it is assessed that the risk is low or that the cost of treatment is not cost-effective for the organization. Such decisions should be recorded.




Risk Assessment & Treatment

Residual Risk Rating = Consequence x Likelihood
  Low < 5
  Med >=5 to <10
  High >=10

CONSEQUENCE
The impact on the objectives if the risk occurs.

Level 5 - Catastrophic
  Monetary Impact: Would have significant financial consequences: compromising quality of balance sheet and ability to address capital adequacy requirements.
  Operational Efficiency Impact: Would have significant and prolonged impact on operations. Processes are irreconcilable resulting in undeliverable customer service.
  Reputation Impact (incl. Regulatory & Member): Key Stakeholders (Members/Vendors) lose confidence in Coast’s ability to deliver with low likelihood of regaining trust.
  Employee Impact: Would result in the unexpected loss of multiple (key) staff including executive.

Level 4 - Major
  The consequences would threaten continued effective provision of services and require top-level management intervention.

Level 3 - Moderate
  Monetary Impact: Would have some financial consequences: threatening budgeted net income, medium term earnings and planned capital expenditures.
  Operational Efficiency Impact: Would have some impact on operations. Processes would be suspended resulting in delayed delivery of customer service.
  Reputation Impact (incl. Regulatory & Member): Some stakeholders would lose trust in Coast and likely have some media attention.
  Employee Impact: Would result in the unexpected loss of some (key) staff and have an impact on morale.

Level 2 - Minor
  The consequences would impact the efficiency or effectiveness of some services, but could be dealt with internally.

Level 1 - Insignificant
  Monetary Impact: Would not have material financial consequence: impacts/losses could be absorbed in departmental budgets.
  Operational Efficiency Impact: Would have little impact on operations. Processes would be slightly delayed although no delay in delivery of customer service.
  Reputation Impact (incl. Regulatory & Member): Few stakeholders, if any, would be aware of the incident.
  Employee Impact: Would have negligible impact on staff.

LIKELIHOOD
The probability that a risk event will occur, given current controls in place.

Level 5 - Almost Certain: For a pre-defined period of time (e.g. 24 months), the risk event is expected to occur >80% of the time.
Level 4 - Likely: For a pre-defined period of time (e.g. 24 months), the risk event is expected to occur >60% of the time.
Level 3 - Possible: For a pre-defined period of time (e.g. 24 months), the risk event is expected to occur >30% and <60% of the time.
Level 2 - Unlikely: For a pre-defined period of time (e.g. 24 months), the risk event is expected to occur <30% of the time.
Level 1 - Rare: For a pre-defined period of time (e.g. 24 months), the risk event is expected to occur <10% of the time.
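As an added example (not code from the presentation), the following Python applies the slide's formula and bands to a small risk register, records the acceptance decision that section 4.2 asks for, and orders the register for treatment. The consequence and likelihood descriptors are the slide's; the register entries, the RiskEntry structure, and the handling of boundary values in the likelihood table (the slide leaves exactly 30% and 60% unassigned, and its "Unlikely" <30% band overlaps "Rare" <10%) are assumptions of this example.

```python
"""Residual risk scoring and prioritisation for a risk register.

Implements the formula stated on the slide, Residual Risk Rating =
Consequence x Likelihood, with the bands Low (< 5), Med (>= 5 and < 10)
and High (>= 10).  Added example: the register entries below are
constructed sample data, not taken from the presentation.
"""
from dataclasses import dataclass
from typing import List, Optional

# Descriptor tables as printed on the slide (level -> descriptor).
CONSEQUENCE = {5: "Catastrophic", 4: "Major", 3: "Moderate", 2: "Minor", 1: "Insignificant"}
LIKELIHOOD = {5: "Almost Certain", 4: "Likely", 3: "Possible", 2: "Unlikely", 1: "Rare"}


def likelihood_level(probability: float) -> int:
    """Map an estimated probability of occurrence within the pre-defined
    period (e.g. 24 months) to the slide's 1-5 likelihood level.

    The slide's bands are >80%, >60%, >30% and <60%, <30%, <10%.  Exact
    boundary values (30%, 60%) are not assigned by the slide; this example
    places them in the lower band, and treats 'Unlikely' as 10% to <30% so
    that it does not overlap 'Rare' (<10%).  Both are assumptions.
    """
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if probability > 0.80:
        return 5
    if probability > 0.60:
        return 4
    if probability > 0.30:
        return 3
    if probability >= 0.10:
        return 2
    return 1


def residual_rating(consequence: int, likelihood: int) -> int:
    """Residual Risk Rating = Consequence x Likelihood (both levels 1-5)."""
    if consequence not in CONSEQUENCE or likelihood not in LIKELIHOOD:
        raise ValueError("consequence and likelihood must be levels 1-5")
    return consequence * likelihood


def rating_band(score: int) -> str:
    """Bands from the slide: Low < 5, Med >= 5 to < 10, High >= 10."""
    if score < 5:
        return "Low"
    if score < 10:
        return "Med"
    return "High"


@dataclass
class RiskEntry:
    """One row of the risk register (hypothetical structure)."""
    risk_id: str
    description: str
    iso_section: int                 # ISO/IEC 27002 section the gap maps to
    consequence: int
    likelihood: int
    decision: Optional[str] = None   # treatment decision, recorded per 4.2


def assess(entry: RiskEntry) -> RiskEntry:
    """Score the entry and record the decision.  Per 4.2 a risk may be
    accepted if assessed as low; anything else is marked for treatment."""
    band = rating_band(residual_rating(entry.consequence, entry.likelihood))
    entry.decision = "Accept (recorded)" if band == "Low" else "Treat"
    return entry


def prioritise(register: List[RiskEntry]) -> List[RiskEntry]:
    """Highest residual rating first; on ties the higher consequence wins so
    that catastrophic-but-rare risks are not buried under frequent minor ones."""
    return sorted(
        register,
        key=lambda e: (residual_rating(e.consequence, e.likelihood), e.consequence),
        reverse=True,
    )


def build_sample_register() -> List[RiskEntry]:
    """Constructed sample entries (not from the presentation)."""
    return [
        RiskEntry("R-01", "Shared admin accounts on core hosts", 11, 4, likelihood_level(0.65)),
        RiskEntry("R-02", "Backup restore never tested", 14, 5, likelihood_level(0.15)),
        RiskEntry("R-03", "Visitor badges not collected at exit", 9, 2, likelihood_level(0.20)),
        RiskEntry("R-04", "Unpatched internal wiki server", 12, 3, likelihood_level(0.50)),
    ]


def summarise(register: List[RiskEntry]) -> List[tuple]:
    """Return (risk_id, score, band, decision) tuples in priority order."""
    rows = []
    for e in prioritise([assess(x) for x in register]):
        score = residual_rating(e.consequence, e.likelihood)
        rows.append((e.risk_id, score, rating_band(score), e.decision))
    return rows


if __name__ == "__main__":
    for row in summarise(build_sample_register()):
        print("%-5s score=%2d band=%-4s decision=%s" % row)
```

With the constructed entries, R-02 (Catastrophic x Unlikely = 10) lands in the High band despite its low likelihood, which is the behaviour the multiplicative formula is meant to give; the "Accept" decision written back for the Low entry is what makes the register satisfy the "such decisions should be recorded" clause of 4.2.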


Tracking & Reporting




A. Organization of Information Security – x.x
B. Asset Management – x.x
C. Human Resources Security – x.x
D. Physical & Environmental Security – x.x
E. Communications & Operations Management – x.x
F. Access Control – x.x
G. Information Systems Acquisition, Development & Maintenance – x.x
H. Information Security Incident Management – x.x
I. Business Continuity Management – x.x
J. Compliance – x.x
(Example only)
The Next Steps…

“The @*%!'s chess, it ain't checkers!”
- Alonzo Harris (Denzel Washington)

The Next Steps – Program Development
Information Security Job Practice

 Domain 1—Information Security Governance
 Establish and maintain a framework to provide assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations.
 • Develop an information security strategy aligned with business goals and objectives.
 • Align information security strategy with corporate governance.
 • Develop business cases justifying investment in information security.
 • Identify current and potential legal and regulatory requirements affecting information security.
 • Identify drivers affecting the organization (e.g., technology, business environment, risk tolerance, geographic location) and their impact on information security.
 • Obtain senior management commitment to information security.
 • Define roles and responsibilities for information security throughout the organization.
 • Establish internal and external reporting and communication channels that support information security.
Information Security Job Practice

 Domain 2—Information Risk Management
 Identify and manage information security risks to achieve business objectives.
 • Establish a process for information asset classification and ownership.
 • Implement a systematic and structured information risk assessment process.
 • Ensure that business impact assessments are conducted periodically.
 • Ensure that threat and vulnerability evaluations are performed on an ongoing basis.
 • Identify and periodically evaluate information security controls and countermeasures to mitigate risk to acceptable levels.
 • Integrate risk, threat and vulnerability identification and management into life cycle processes (e.g., development, procurement and employment life cycles).
 • Report significant changes in information risk to appropriate levels of management for acceptance on both a periodic and event-driven basis.
Information Security Job Practice

 Domain 3—Information Security Program Development
 Create and maintain a program to implement the information security strategy.
 • Develop and maintain plans to implement the information security strategy.
 • Specify the activities to be performed within the information security program.
 • Ensure alignment between the information security program and other assurance functions (e.g., physical, HR, quality, IT).
 • Identify internal and external resources (e.g., finances, people, equipment, systems) required to execute the information security program.
 • Ensure the development of information security architectures (e.g., people, processes, technology).
 • Establish, communicate and maintain information security policies that support the security strategy.
 • Design and develop a program for information security awareness, training and education.
 • Ensure the development, communication and maintenance of standards, procedures and other documentation (e.g., guidelines, baselines, codes of conduct) that support information security policies.
 • Integrate information security requirements into the organization's processes (e.g., change control, mergers and acquisitions) and life cycle activities (e.g., development, employment, procurement).
 • Develop a process to integrate information security controls into contracts (e.g., with joint ventures, outsourced providers, business partners, customers, third parties).
 • Establish metrics to evaluate the effectiveness of the information security program.
Information Security Job Practice

 Domain 4—Information Security Program Management
 Oversee and direct information security activities to execute the information security program.
 • Manage internal and external resources (e.g., finances, people, equipment, systems) required to execute the information security program.
 • Ensure that processes and procedures are performed in compliance with the organization’s information security policies and standards.
 • Ensure that the information security controls agreed to in contracts (e.g., with joint ventures, outsourced providers, business partners, customers, third parties) are performed.
 • Ensure that information security is an integral part of the systems development process.
 • Ensure that information security is maintained throughout the organization's processes (e.g., change control, mergers and acquisitions) and life cycle activities (e.g., development, employment, procurement).
 • Provide information security advice and guidance (e.g., risk analysis, control selection) to the organization.
 • Provide information security awareness, training and education to stakeholders (e.g., business process owners, users, information technology).
 • Monitor, measure, test and report on the effectiveness and efficiency of information security controls and compliance with information security policies.
 • Ensure that noncompliance issues and other variances are resolved in a timely manner.
Information Security Job Practice

 Domain 5—Incident Management & Response
 Plan, develop and manage a capability to detect, respond to and recover from information security incidents.
 • Develop and implement processes for detecting, identifying, analyzing and responding to information security incidents.
 • Establish escalation and communication processes and lines of authority.
 • Develop plans to respond to and document information security incidents.
 • Establish the capability to investigate information security incidents (e.g., forensics, evidence collection and preservation, log analysis, interviewing).
 • Develop a process to communicate with internal parties and external organizations (e.g., media, law enforcement, customers).
 • Integrate information security incident response plans with the organization’s Disaster Recovery (DR) and Business Continuity Plan (BCP).
 • Organize, train and equip teams to respond to information security incidents.
 • Periodically test and refine information security incident response plans.
 • Manage the response to information security incidents.
 • Conduct reviews to identify causes of information security incidents, develop corrective actions and reassess risk.
CISM: Information Security Job Practice


 • The CISM certification program is developed specifically for
   experienced information security managers and those who have
   information security management responsibilities.
 • The management-focused CISM is a unique certification for
   individuals who design, build and manage enterprise information
   security programs. The CISM certification promotes international
   practices and individuals earning the CISM become part of an elite
   peer network, attaining a one-of-a-kind credential.




Thank You!



Michael Leung
CRISC, CGEIT, CISM, CISA, CISSP-ISSMP
ISACA Vancouver Chapter
www.isaca-vancouver.org



Information Security Management System ISO/IEC 27001:2005ControlCase
 
Certified ISO 27005 Risk Manager - Four Page Brochure
Certified ISO 27005 Risk Manager - Four Page BrochureCertified ISO 27005 Risk Manager - Four Page Brochure
Certified ISO 27005 Risk Manager - Four Page BrochurePECB
 
Iso 27002 certification_in_noida
Iso 27002 certification_in_noidaIso 27002 certification_in_noida
Iso 27002 certification_in_noidaElite Certication
 
SAPience UserDay 2015 TheValueChain UMICORE sap_building_blocks
SAPience UserDay 2015 TheValueChain UMICORE sap_building_blocksSAPience UserDay 2015 TheValueChain UMICORE sap_building_blocks
SAPience UserDay 2015 TheValueChain UMICORE sap_building_blocksTheValueChain
 
20111010 The National Security Framework of Spain for Guide Share Europe, in ...
20111010 The National Security Framework of Spain for Guide Share Europe, in ...20111010 The National Security Framework of Spain for Guide Share Europe, in ...
20111010 The National Security Framework of Spain for Guide Share Europe, in ...Miguel A. Amutio
 
Dragan Jovičić, PwC Srbija: „Važnost ISMS-a u e-Business-u“
Dragan Jovičić, PwC Srbija: „Važnost ISMS-a u e-Business-u“Dragan Jovičić, PwC Srbija: „Važnost ISMS-a u e-Business-u“
Dragan Jovičić, PwC Srbija: „Važnost ISMS-a u e-Business-u“goranvranic
 
Vojkan Vasković, Fakultet organizacionih nauka Beograd: „Plaćanja preko Inter...
Vojkan Vasković, Fakultet organizacionih nauka Beograd: „Plaćanja preko Inter...Vojkan Vasković, Fakultet organizacionih nauka Beograd: „Plaćanja preko Inter...
Vojkan Vasković, Fakultet organizacionih nauka Beograd: „Plaćanja preko Inter...goranvranic
 
Zlatibor integracija iso27001 i iso20000
Zlatibor   integracija iso27001 i iso20000Zlatibor   integracija iso27001 i iso20000
Zlatibor integracija iso27001 i iso20000Dejan Jeremic
 
Adelsberger zdenko implementacija iso27001 2013
Adelsberger zdenko   implementacija iso27001 2013Adelsberger zdenko   implementacija iso27001 2013
Adelsberger zdenko implementacija iso27001 2013Dejan Jeremic
 
PECB Webinar: The alignment of Information Security in Service Management
PECB Webinar: The alignment of Information Security in Service ManagementPECB Webinar: The alignment of Information Security in Service Management
PECB Webinar: The alignment of Information Security in Service ManagementPECB
 

Andere mochten auch (20)

ISO/IEC 27001:2005 naar ISO 27001:2013 Checklist
ISO/IEC 27001:2005 naar ISO 27001:2013  ChecklistISO/IEC 27001:2005 naar ISO 27001:2013  Checklist
ISO/IEC 27001:2005 naar ISO 27001:2013 Checklist
 
Use of the COBIT Security Baseline
Use of the COBIT Security BaselineUse of the COBIT Security Baseline
Use of the COBIT Security Baseline
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013  An Overview ISO/IEC 27001:2013  An Overview
ISO/IEC 27001:2013 An Overview
 
ISO 27002 2013 Atualizações / mudanças
ISO 27002 2013 Atualizações / mudanças ISO 27002 2013 Atualizações / mudanças
ISO 27002 2013 Atualizações / mudanças
 
Mr. ahmed obaid the ceo guide to implement iso 27001
Mr. ahmed obaid   the ceo guide to implement iso 27001Mr. ahmed obaid   the ceo guide to implement iso 27001
Mr. ahmed obaid the ceo guide to implement iso 27001
 
Iso 27002-2013
Iso 27002-2013Iso 27002-2013
Iso 27002-2013
 
Infosec Audit Lecture_4
Infosec Audit Lecture_4Infosec Audit Lecture_4
Infosec Audit Lecture_4
 
Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005
 
Certified ISO 27005 Risk Manager - Four Page Brochure
Certified ISO 27005 Risk Manager - Four Page BrochureCertified ISO 27005 Risk Manager - Four Page Brochure
Certified ISO 27005 Risk Manager - Four Page Brochure
 
Iso 27002 certification_in_noida
Iso 27002 certification_in_noidaIso 27002 certification_in_noida
Iso 27002 certification_in_noida
 
SAPience UserDay 2015 TheValueChain UMICORE sap_building_blocks
SAPience UserDay 2015 TheValueChain UMICORE sap_building_blocksSAPience UserDay 2015 TheValueChain UMICORE sap_building_blocks
SAPience UserDay 2015 TheValueChain UMICORE sap_building_blocks
 
20111010 The National Security Framework of Spain for Guide Share Europe, in ...
20111010 The National Security Framework of Spain for Guide Share Europe, in ...20111010 The National Security Framework of Spain for Guide Share Europe, in ...
20111010 The National Security Framework of Spain for Guide Share Europe, in ...
 
Upravljanje imovinom
Upravljanje imovinom Upravljanje imovinom
Upravljanje imovinom
 
Dragan Jovičić, PwC Srbija: „Važnost ISMS-a u e-Business-u“
Dragan Jovičić, PwC Srbija: „Važnost ISMS-a u e-Business-u“Dragan Jovičić, PwC Srbija: „Važnost ISMS-a u e-Business-u“
Dragan Jovičić, PwC Srbija: „Važnost ISMS-a u e-Business-u“
 
Vojkan Vasković, Fakultet organizacionih nauka Beograd: „Plaćanja preko Inter...
Vojkan Vasković, Fakultet organizacionih nauka Beograd: „Plaćanja preko Inter...Vojkan Vasković, Fakultet organizacionih nauka Beograd: „Plaćanja preko Inter...
Vojkan Vasković, Fakultet organizacionih nauka Beograd: „Plaćanja preko Inter...
 
Zlatibor integracija iso27001 i iso20000
Zlatibor   integracija iso27001 i iso20000Zlatibor   integracija iso27001 i iso20000
Zlatibor integracija iso27001 i iso20000
 
Adelsberger zdenko implementacija iso27001 2013
Adelsberger zdenko   implementacija iso27001 2013Adelsberger zdenko   implementacija iso27001 2013
Adelsberger zdenko implementacija iso27001 2013
 
Pregled standarda kvaliteta
Pregled standarda kvalitetaPregled standarda kvaliteta
Pregled standarda kvaliteta
 
3 1 standardi iso
3 1 standardi iso3 1 standardi iso
3 1 standardi iso
 
PECB Webinar: The alignment of Information Security in Service Management
PECB Webinar: The alignment of Information Security in Service ManagementPECB Webinar: The alignment of Information Security in Service Management
PECB Webinar: The alignment of Information Security in Service Management
 

Ähnlich wie Implementing a Security Framework based on ISO/IEC 27002

Information Governance
Information GovernanceInformation Governance
Information GovernanceVicky Makhija
 
Valiente Balancing It SecurityCompliance, Complexity & Cost
Valiente Balancing It SecurityCompliance, Complexity & CostValiente Balancing It SecurityCompliance, Complexity & Cost
Valiente Balancing It SecurityCompliance, Complexity & CostGuardEra Access Solutions, Inc.
 
Information Security Management Systems(ISMS) By Dr Wafula
Information Security Management Systems(ISMS) By Dr  WafulaInformation Security Management Systems(ISMS) By Dr  Wafula
Information Security Management Systems(ISMS) By Dr WafulaDiscover JKUAT
 
HIPAA HITECH Express Security Privacy Webinar
HIPAA HITECH Express Security Privacy WebinarHIPAA HITECH Express Security Privacy Webinar
HIPAA HITECH Express Security Privacy WebinarCompliancy Group
 
GDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksGDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksIT Governance Ltd
 
Information security governance
Information security governanceInformation security governance
Information security governanceKoen Maris
 
Solve the exercise in security management.pdf
Solve the exercise in security management.pdfSolve the exercise in security management.pdf
Solve the exercise in security management.pdfsdfghj21
 
Security Maturity Assessment
Security Maturity AssessmentSecurity Maturity Assessment
Security Maturity AssessmentClaude Baudoin
 
Canga.m.wood.j
Canga.m.wood.jCanga.m.wood.j
Canga.m.wood.jNASAPMC
 
D1 security and risk management v1.62
D1 security and risk management  v1.62D1 security and risk management  v1.62
D1 security and risk management v1.62AlliedConSapCourses
 
Vic ohs greglazzo_safteyleadership_080804
Vic ohs greglazzo_safteyleadership_080804Vic ohs greglazzo_safteyleadership_080804
Vic ohs greglazzo_safteyleadership_080804agungsuryairawan
 
Expert letter kp is for security management
Expert letter   kp is for security managementExpert letter   kp is for security management
Expert letter kp is for security managementTiniey Cayang
 
Best Practices in Auditing ISO/IEC 27001
Best Practices in Auditing ISO/IEC 27001Best Practices in Auditing ISO/IEC 27001
Best Practices in Auditing ISO/IEC 27001PECB
 
ISMS Requirements
ISMS RequirementsISMS Requirements
ISMS Requirementshumanus2
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security ManagementMark Conway
 
Best practices for creating safety culture a ghosh arc orlando 2008
Best practices for creating safety culture a ghosh arc orlando 2008Best practices for creating safety culture a ghosh arc orlando 2008
Best practices for creating safety culture a ghosh arc orlando 2008ARC Advisory Group
 

Ähnlich wie Implementing a Security Framework based on ISO/IEC 27002 (20)

Information Governance
Information GovernanceInformation Governance
Information Governance
 
CISSP Summary V1.1
CISSP Summary V1.1CISSP Summary V1.1
CISSP Summary V1.1
 
Valiente Balancing It SecurityCompliance, Complexity & Cost
Valiente Balancing It SecurityCompliance, Complexity & CostValiente Balancing It SecurityCompliance, Complexity & Cost
Valiente Balancing It SecurityCompliance, Complexity & Cost
 
Information Security Management Systems(ISMS) By Dr Wafula
Information Security Management Systems(ISMS) By Dr  WafulaInformation Security Management Systems(ISMS) By Dr  Wafula
Information Security Management Systems(ISMS) By Dr Wafula
 
HIPAA HITECH Express Security Privacy Webinar
HIPAA HITECH Express Security Privacy WebinarHIPAA HITECH Express Security Privacy Webinar
HIPAA HITECH Express Security Privacy Webinar
 
GDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksGDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risks
 
Information security governance
Information security governanceInformation security governance
Information security governance
 
Solve the exercise in security management.pdf
Solve the exercise in security management.pdfSolve the exercise in security management.pdf
Solve the exercise in security management.pdf
 
Security Maturity Assessment
Security Maturity AssessmentSecurity Maturity Assessment
Security Maturity Assessment
 
MAPPING_ISO27001_TO_COBIT4.1
MAPPING_ISO27001_TO_COBIT4.1MAPPING_ISO27001_TO_COBIT4.1
MAPPING_ISO27001_TO_COBIT4.1
 
Canga.m.wood.j
Canga.m.wood.jCanga.m.wood.j
Canga.m.wood.j
 
D1 security and risk management v1.62
D1 security and risk management  v1.62D1 security and risk management  v1.62
D1 security and risk management v1.62
 
Handling risk
Handling riskHandling risk
Handling risk
 
Vic ohs greglazzo_safteyleadership_080804
Vic ohs greglazzo_safteyleadership_080804Vic ohs greglazzo_safteyleadership_080804
Vic ohs greglazzo_safteyleadership_080804
 
Ebsl Technologies It Operations Internal Presentation
Ebsl Technologies It Operations Internal PresentationEbsl Technologies It Operations Internal Presentation
Ebsl Technologies It Operations Internal Presentation
 
Expert letter kp is for security management
Expert letter   kp is for security managementExpert letter   kp is for security management
Expert letter kp is for security management
 
Best Practices in Auditing ISO/IEC 27001
Best Practices in Auditing ISO/IEC 27001Best Practices in Auditing ISO/IEC 27001
Best Practices in Auditing ISO/IEC 27001
 
ISMS Requirements
ISMS RequirementsISMS Requirements
ISMS Requirements
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security Management
 
Best practices for creating safety culture a ghosh arc orlando 2008
Best practices for creating safety culture a ghosh arc orlando 2008Best practices for creating safety culture a ghosh arc orlando 2008
Best practices for creating safety culture a ghosh arc orlando 2008
 

Implementing a Security Framework based on ISO/IEC 27002

  • 1. Implementing a Security Framework Based on ISO/IEC 27002
    Focused on Security. Committed to Success.
    Presented by: Michael Leung, CRISC, CGEIT, CISM, CISA, CISSP-ISSMP
    Date: February 24, 2011
  • 2. Table of Contents: Implementing a Security Framework based on ISO/IEC 27002
    • Sections of ISO/IEC 27002 Code of Practice
    • ISO 27002 Scope of Assessment
    • Maturity Model
    • Policy Framework & Governance
    • Benchmarking & Comparison
    • The Start of the Journey
    • The Next Steps
    • Information Security Job Practice
  • 3. ISO/IEC 27002 Code of Practice
    Sections of ISO/IEC 27002 Code of Practice:
     0  Introduction
     1  Scope
     2  Terms and Definitions
     3  Structure of this Standard
     4  Risk Assessment and Treatment
     5  Security Policy
     6  Organization of Information Security
     7  Asset Management
     8  Human Resource Security
     9  Physical and Environmental Security
    10  Communications and Operations Management
    11  Access Control
    12  Information Systems Acquisition, Development and Maintenance
    13  Information Security Incident Management
    14  Business Continuity Management
    15  Compliance
  • 4. ISO 27002 Scope of Assessment
    Sections of ISO/IEC 27002 Code of Practice:
     0  Introduction
     1  Scope
     2  Terms and Definitions
     3  Structure of this Standard
     4  Risk Assessment and Treatment
     5  Security Policy
     6  Organization of Information Security
     7  Asset Management
     8  Human Resource Security
     9  Physical and Environmental Security
    10  Communications and Operations Management
    11  Access Control
    12  Information Systems Acquisition, Development and Maintenance
    13  Information Security Incident Management
    14  Business Continuity Management
    15  Compliance
  • 5. Maturity Model (ref: COBIT 4.1)
  • 6. Maturity Model (ref: COBIT 4.1 Appendix)
    Maturity Level and Status of the Internal Control Environment (COBIT 4.1):
    0 - Non-existent: There is no recognition of the need for internal control. Control is not part of the organization’s culture or mission. There is a high risk of control deficiencies and incidents.
    1 - Initial/ad hoc: There is some recognition of the need for internal control. The approach to risk and control requirements is ad hoc and disorganized, without communication or monitoring. Deficiencies are not identified. Employees are not aware of their responsibilities.
    2 - Repeatable but Intuitive: Controls are in place but are not documented. Their operation is dependent on knowledge and motivation of individuals. Effectiveness is not adequately evaluated. Many control weaknesses exist and are not adequately addressed; the impact can be severe. Management actions to resolve control issues are not prioritized or consistent. Employees may not be aware of their responsibilities.
    3 - Defined: Controls are in place and are adequately documented. Operating effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the evaluation process is not documented. Whilst management is able to deal predictably with most control issues, some control weaknesses persist and impacts could still be severe. Employees are aware of their responsibilities for control.
    4 - Managed & Measurable: There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of technology is applied to automate controls.
    5 - Optimized: An enterprise wide risk and control program provides continuous and effective control and risk issues resolution. Internal control and risk management are integrated with enterprise practices, supported with automated real-time monitoring with full accountability for control monitoring, risk management and compliance enforcement. Control evaluation is continuous, based on self-assessments and gap and root cause analyses. Employees are proactively involved in control improvements.
    ISO Maturity Level (mapped alongside the COBIT levels):
    0-1 - Practice not yet in existence.
    1-2 - Practice does not fully achieve ISO objectives; however, efforts are underway.
    2-3 - Practice achieves ISO objectives; however, the program isn’t documented or universally effective or understood.
    3-4 - Practice achieves and documents ISO objectives; however, the program isn’t universally effective or understood.
    4-5 - Practice achieves ISO objectives, is documented and is universally effective and understood.
  • 7. Policy Framework & Governance: Information Security Management Policy & Framework
    Information Security Corporate Policy, Table of Contents (For Board Approval):
    A. Organization of Information Security
    B. Asset Management
    C. Human Resources
    D. Physical & Environmental Security
    E. Communications & Operations Management
    F. Access Control
    G. Information System Acquisition, Development & Maintenance
    H. Information Security Incident Management
    I. Business Continuity Management
    J. Compliance
  • 8. Policy Framework & Governance
    Corporate Policies - delegation of authority from the Board of Directors to Management at the executive level. The high level statement of management’s intent, expectations and direction. Corporate Policies provide the Framework and Governance of Information Security.
    Directives - support the Corporate Policies by providing a more focused, detailed level of information.
    Standards - are the metrics forming a technical “policies” or standards requirement that must be met in order to meet the terms of the Corporate Policy.
    Guidelines - contain information that will be helpful in executing the procedures.
    Procedures - step by step instructions.
    Approval tiers shown in the diagram:
    • Information Security Corporate Policy / Corporate Policies: Board Approval
    • Operational Level “policies” or standards: Sr. Exec Committee or other approval
    • Operational Level procedures or guidelines
  • 9. Policy Framework & Governance
    Information Security Corporate Policy, Table of Contents:
    A. Organization of Information Security
    B. Asset Management
    C. Human Resources Security
    D. Physical & Environmental Security
    E. Communications & Operations Management
    F. Access Control
    G. Information Systems Acquisition, Development & Maintenance
    H. Information Security Incident Management
    I. Business Continuity Management
    J. Compliance
  • 10. Ratings for Benchmarking & Comparison
    ISO Maturity Model Ratings:
    • Policy
    • People
    • Process
    • Technology
  • 11. Ratings for Benchmarking & Comparison
    A. Organization of Information Security
    B. Asset Management
    C. Human Resources Security
    D. Physical & Environmental Security
    E. Communications & Operations Management
    F. Access Control
    G. Information Systems Acquisition, Development & Maintenance
    H. Information Security Incident Management
    I. Business Continuity Management
    J. Compliance
  • 12. Ratings for Benchmarking & Comparison (Example Only)
    A. Organization of Information Security - x.x
    B. Asset Management - x.x
    C. Human Resources Security - x.x
    D. Physical & Environmental Security - x.x
    E. Communications & Operations Management - x.x
    F. Access Control - x.x
    G. Information Systems Acquisition, Development & Maintenance - x.x
    H. Information Security Incident Management - x.x
    I. Business Continuity Management - x.x
    J. Compliance - x.x
  • 13. Return on Security Posture Investment (ROSPI) Methodology
    Internet Security Alliance July 2002 / Data from Dr. William M. Hancock
  • 14. The Start of the Journey
    • Addressing Other Audits & Assessments
    • Assessment of Scope – Risk Registrar
    • Risk Assessment & Treatment
    • Tracking & Reporting
  • 15. Addressing Other Audits & Assessments
  • 16. Addressing Other Audits & Assessments
  • 17. Assessment of Scope – Risk Registrar
  • 18. Assessment of Scope – Risk Registrar
    Risk Assessment & Treatment
    4.1 Assessing Security Risks: Risk assessments should identify, quantify, and prioritize risks against criteria for risk acceptance and objectives relevant to the organization.
    4.2 Treating Security Risks: Before considering the treatment of a risk, the organization should decide criteria for determining whether or not risks can be accepted. Risks may be accepted if, for example, it is assessed that the risk is low or that the cost of treatment is not cost-effective for the organization. Such decisions should be recorded.
  • 19. Risk Assessment & Treatment
    Residual Risk Rating = Consequence x Likelihood
    • Low: < 5
    • Med: >= 5 to < 10
    • High: >= 10
    CONSEQUENCE: The impact on the objectives if the risk occurs.
    Columns: Level / Descriptor / Monetary Impact / Operational Efficiency Impact / Reputation Impact (incl. Regulatory & Member) / Employee Impact
    5 Catastrophic
      Monetary: Would have significant financial consequences: compromising quality of balance sheet and ability to address capital adequacy requirements.
      Operational: Would have significant and prolonged impact on operations. Processes are irreconcilable, resulting in undeliverable customer service.
      Reputation: Key Stakeholders (Members/Vendors) lose confidence in Coast’s ability to deliver, with low likelihood of regaining trust.
      Employee: Would result in the unexpected loss of multiple (key) staff including executive.
    4 Major
      The consequences would threaten continued effective provision of services and require top-level management intervention.
    3 Moderate
      Monetary: Would have some financial consequences: threatening budgeted net income, medium term earnings and planned capital expenditures.
      Operational: Would have some impact on operations. Processes would be suspended, resulting in delayed delivery of customer service.
      Reputation: Some stakeholders would lose trust in Coast and likely have some media attention.
      Employee: Would result in the unexpected loss of some (key) staff and have an impact on morale.
    2 Minor
      The consequences would impact the efficiency or effectiveness of some services, but could be dealt with internally.
    1 Insignificant
      Monetary: Would not have material financial consequence: impacts/losses could be absorbed in departmental budgets.
      Operational: Would have little impact on operations. Processes would be slightly delayed, although no delay in delivery of customer service.
      Reputation: Few stakeholders, if any, would be aware of the incident.
      Employee: Would have negligible impact on staff.
    LIKELIHOOD: The probability that a risk event will occur, given current controls in place.
    Columns: Level / Descriptor / Description
    5 Almost Certain: For a pre-defined period of time (e.g. 24 months), the risk event is expected to occur >80% of the time.
    4 Likely: For a pre-defined period of time (e.g. 24 months), the risk event is expected to occur >60% of the time.
    3 Possible: For a pre-defined period of time (e.g. 24 months), the risk event is expected to occur >30% and <60% of the time.
    2 Unlikely: For a pre-defined period of time (e.g. 24 months), the risk event is expected to occur <30% of the time.
    1 Rare: For a pre-defined period of time (e.g. 24 months), the risk event is expected to occur <10% of the time.
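The scoring scheme on slides 18 and 19 (rate residual risk as Consequence x Likelihood, band it Low/Med/High, decide and record acceptance) is easy to get inconsistent when it lives in a spreadsheet. The following is an added example, not code from the deck or its author: a small risk register that encodes the slide's five-point scales and thresholds, prioritizes entries, records the treatment decision, and shows how a planned control changes the residual rating. The register entries, the "accept if Low" acceptance criterion, and the A-J section codes used for the per-section roll-up are constructed assumptions for illustration.

```python
"""Residual risk register following the 5x5 scheme on slide 19.

Added example (not from the original deck). Sample risks, the acceptance
criterion and the section codes are constructed for illustration.
"""
from dataclasses import dataclass, replace
from enum import IntEnum


class Consequence(IntEnum):
    """Slide 19 consequence levels (1 = Insignificant .. 5 = Catastrophic)."""
    INSIGNIFICANT = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    CATASTROPHIC = 5


class Likelihood(IntEnum):
    """Slide 19 likelihood levels, judged with current controls in place."""
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    ALMOST_CERTAIN = 5


def residual_rating(consequence: Consequence, likelihood: Likelihood) -> int:
    """Residual Risk Rating = Consequence x Likelihood."""
    return int(consequence) * int(likelihood)


def risk_band(rating: int) -> str:
    """Slide 19 thresholds: Low < 5, Med >= 5 to < 10, High >= 10."""
    if rating < 5:
        return "Low"
    if rating < 10:
        return "Med"
    return "High"


@dataclass(frozen=True)
class Risk:
    risk_id: str
    section: str            # policy framework section A..J (slides 9/11)
    description: str
    consequence: Consequence
    likelihood: Likelihood  # with current controls in place

    @property
    def rating(self) -> int:
        return residual_rating(self.consequence, self.likelihood)

    @property
    def band(self) -> str:
        return risk_band(self.rating)


def decide_treatment(risk: Risk) -> str:
    """Acceptance criterion decided up front (ISO 27002 4.2). Assumption for
    this example: Low residual risks are accepted; everything else is treated."""
    return "Accept" if risk.band == "Low" else "Treat"


def treatment_plan(register: list[Risk]) -> dict[str, str]:
    """Record the accept/treat decision for every entry, keyed by risk id."""
    return {r.risk_id: decide_treatment(r) for r in register}


def prioritize(register: list[Risk]) -> list[Risk]:
    """Highest residual rating first; ties broken by id for a stable report."""
    return sorted(register, key=lambda r: (-r.rating, r.risk_id))


def section_summary(register: list[Risk]) -> dict[str, tuple[int, str]]:
    """Worst residual rating (and its band) per framework section, for the
    per-section benchmarking view on slides 12 and 22."""
    worst: dict[str, int] = {}
    for r in register:
        worst[r.section] = max(worst.get(r.section, 0), r.rating)
    return {s: (v, risk_band(v)) for s, v in worst.items()}


def apply_control(risk: Risk, new_likelihood: Likelihood) -> Risk:
    """Model a planned control that lowers likelihood; the rating recomputes."""
    return replace(risk, likelihood=new_likelihood)


# Constructed sample register (not real findings).
SAMPLE_REGISTER = [
    Risk("R-01", "F", "Shared administrator account on file server",
         Consequence.MAJOR, Likelihood.LIKELY),          # 16 -> High
    Risk("R-02", "B", "Laptop inventory incomplete",
         Consequence.MODERATE, Likelihood.POSSIBLE),     # 9  -> Med
    Risk("R-03", "I", "Backup restore never exercised",
         Consequence.MAJOR, Likelihood.UNLIKELY),        # 8  -> Med
    Risk("R-04", "C", "Contractor offboarding delayed",
         Consequence.MINOR, Likelihood.UNLIKELY),        # 4  -> Low
    Risk("R-05", "E", "Internal wiki behind on patches",
         Consequence.MODERATE, Likelihood.RARE),         # 3  -> Low
]

if __name__ == "__main__":
    plan = treatment_plan(SAMPLE_REGISTER)
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.risk_id} [{r.section}] {r.rating:>2} {r.band:<4} {plan[r.risk_id]}  {r.description}")
    print("Per section:", section_summary(SAMPLE_REGISTER))
    print("R-01 after control:", apply_control(SAMPLE_REGISTER[0], Likelihood.RARE).band)
```

Keeping the thresholds in one function means a change to the acceptance criteria (for example raising the High cut-off) is one edit that re-bands the whole register, and the `treatment_plan` output is the recorded decision that slide 18 asks for.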
  • 20. Tracking & Reporting
  • 21. Tracking & Reporting
  • 22. Tracking & Reporting (Example Only)
    A. Organization of Information Security - x.x
    B. Asset Management - x.x
    C. Human Resources Security - x.x
    D. Physical & Environmental Security - x.x
    E. Communications & Operations Management - x.x
    F. Access Control - x.x
    G. Information Systems Acquisition, Development & Maintenance - x.x
    H. Information Security Incident Management - x.x
    I. Business Continuity Management - x.x
    J. Compliance - x.x
  • 23. The Next Steps…
  • 24. ...The Next Steps
    “The @*%!'s chess, it ain't checkers!” - Alonzo Harris (Denzel Washington)
  • 25. The Next Steps…
  • 26. The Next Steps – Program Development
  • 27. Information Security Job Practice
    Domain 1—Information Security Governance: Establish and maintain a framework to provide assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations.
    • Develop an information security strategy aligned with business goals and objectives.
    • Align information security strategy with corporate governance.
    • Develop business cases justifying investment in information security.
    • Identify current and potential legal and regulatory requirements affecting information security.
    • Identify drivers affecting the organization (e.g., technology, business environment, risk tolerance, geographic location) and their impact on information security.
    • Obtain senior management commitment to information security.
    • Define roles and responsibilities for information security throughout the organization.
    • Establish internal and external reporting and communication channels that support information security.
  • 28. Information Security Job Practice
    Domain 2—Information Risk Management: Identify and manage information security risks to achieve business objectives.
    • Establish a process for information asset classification and ownership.
    • Implement a systematic and structured information risk assessment process.
    • Ensure that business impact assessments are conducted periodically.
    • Ensure that threat and vulnerability evaluations are performed on an ongoing basis.
    • Identify and periodically evaluate information security controls and countermeasures to mitigate risk to acceptable levels.
    • Integrate risk, threat and vulnerability identification and management into life cycle processes (e.g., development, procurement and employment life cycles).
    • Report significant changes in information risk to appropriate levels of management for acceptance on both a periodic and event-driven basis.
  • 29. Information Security Job Practice
    Domain 3—Information Security Program Development: Create and maintain a program to implement the information security strategy.
    • Develop and maintain plans to implement the information security strategy.
    • Specify the activities to be performed within the information security program.
    • Ensure alignment between the information security program and other assurance functions (e.g., physical, HR, quality, IT).
    • Identify internal and external resources (e.g., finances, people, equipment, systems) required to execute the information security program.
    • Ensure the development of information security architectures (e.g., people, processes, technology).
    • Establish, communicate and maintain information security policies that support the security strategy.
    • Design and develop a program for information security awareness, training and education.
    • Ensure the development, communication and maintenance of standards, procedures and other documentation (e.g., guidelines, baselines, codes of conduct) that support information security policies.
    • Integrate information security requirements into the organization's processes (e.g., change control, mergers and acquisitions) and life cycle activities (e.g., development, employment, procurement).
    • Develop a process to integrate information security controls into contracts (e.g., with joint ventures, outsourced providers, business partners, customers, third parties).
    • Establish metrics to evaluate the effectiveness of the information security program.
  • 30. Information Security Job Practice
    Domain 4—Information Security Program Management: Oversee and direct information security activities to execute the information security program.
    • Manage internal and external resources (e.g., finances, people, equipment, systems) required to execute the information security program.
    • Ensure that processes and procedures are performed in compliance with the organization’s information security policies and standards.
    • Ensure that the information security controls agreed to in contracts (e.g., with joint ventures, outsourced providers, business partners, customers, third parties) are performed.
    • Ensure that information security is an integral part of the systems development process.
    • Ensure that information security is maintained throughout the organization's processes (e.g., change control, mergers and acquisitions) and life cycle activities (e.g., development, employment, procurement).
    • Provide information security advice and guidance (e.g., risk analysis, control selection) to the organization.
    • Provide information security awareness, training and education to stakeholders (e.g., business process owners, users, information technology).
    • Monitor, measure, test and report on the effectiveness and efficiency of information security controls and compliance with information security policies.
    • Ensure that noncompliance issues and other variances are resolved in a timely manner.
  • 31. Information Security Job Practice
    Domain 5—Incident Management & Response: Plan, develop and manage a capability to detect, respond to and recover from information security incidents.
    • Develop and implement processes for detecting, identifying, analyzing and responding to information security incidents.
    • Establish escalation and communication processes and lines of authority.
    • Develop plans to respond to and document information security incidents.
    • Establish the capability to investigate information security incidents (e.g., forensics, evidence collection and preservation, log analysis, interviewing).
    • Develop a process to communicate with internal parties and external organizations (e.g., media, law enforcement, customers).
    • Integrate information security incident response plans with the organization’s Disaster Recovery (DR) and Business Continuity Plan (BCP).
    • Organize, train and equip teams to respond to information security incidents.
    • Periodically test and refine information security incident response plans.
    • Manage the response to information security incidents.
    • Conduct reviews to identify causes of information security incidents, develop corrective actions and reassess risk.
  • 32. CISM: Information Security Job Practice
    • The CISM certification program is developed specifically for experienced information security managers and those who have information security management responsibilities.
    • The management-focused CISM is a unique certification for individuals who design, build and manage enterprise information security programs. The CISM certification promotes international practices and individuals earning the CISM become part of an elite peer network, attaining a one-of-a-kind credential.
  • 33. Thank You!
    Michael Leung, CRISC, CGEIT, CISM, CISA, CISSP-ISSMP
    ISACA Vancouver Chapter
    www.isaca-vancouver.org