Implementing a Security Framework based on ISO/IEC 27002
1. Focused on Security.
Committed to Success.
Implementing a Security Framework
Based on ISO/IEC 27002
Presented by: Michael Leung, CRISC, CGEIT, CISM, CISA, CISSP-ISSMP
Date: February 24, 2011
2. Table of Contents
Implementing a Security Framework based on ISO/IEC 27002
• Sections of ISO/IEC 27002 Code of Practice
• ISO 27002 Scope of Assessment
• Maturity Model
• Policy Framework & Governance
• Benchmarking & Comparison
• The Start of the Journey
• The Next Steps
• Information Security Job Practice
3. ISO/IEC 27002 Code of Practice
Sections of ISO/IEC 27002 Code of Practice
0 Introduction
1 Scope
2 Terms and Definitions
3 Structure of this Standard
4 Risk Assessment and Treatment
5 Security Policy
6 Organization of Information Security
7 Asset Management
8 Human Resource Security
9 Physical and Environmental Security
10 Communications and Operations Management
11 Access Control
12 Information Systems Acquisition, Development and Maintenance
13 Information Security Incident Management
14 Business Continuity Management
15 Compliance
4. ISO 27002 Scope of Assessment
6. Maturity Model (ref: COBIT 4.1 Appendix)
Maturity Level / Status of the Internal Control Environment
0 - Non-existent: There is no recognition of the need for internal control. Control is not part of the organization's culture or mission. There is a high risk of control deficiencies and incidents.
ISO Maturity Level 0-1: Practice not yet in existence.
1 - Initial/ad hoc: There is some recognition of the need for internal control. The approach to risk and control requirements is ad hoc and disorganized, without communication or monitoring. Deficiencies are not identified. Employees are not aware of their responsibilities.
ISO Maturity Level 1-2: Practice does not fully achieve ISO objectives; however, efforts are underway.
2 - Repeatable but Intuitive: Controls are in place but are not documented. Their operation is dependent on knowledge and motivation of individuals. Effectiveness is not adequately evaluated. Many control weaknesses exist and are not adequately addressed; the impact can be severe. Management actions to resolve control issues are not prioritized or consistent. Employees may not be aware of their responsibilities.
ISO Maturity Level 2-3: Practice achieves ISO objectives; however, the program isn't documented or universally effective or understood.
3 - Defined: Controls are in place and are adequately documented. Operating effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the evaluation process is not documented. Whilst management is able to deal predictably with most control issues, some control weaknesses persist and impacts could still be severe. Employees are aware of their responsibilities for control.
ISO Maturity Level 3-4: Practice achieves and documents ISO objectives; however, the program isn't universally effective or understood.
4 - Managed & Measurable: There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of technology is applied to automate controls.
ISO Maturity Level 4-5: Practice achieves ISO objectives, is documented and is universally effective and understood.
5 - Optimized: An enterprise wide risk and control program provides continuous and effective control and risk issues resolution. Internal control and risk management are integrated with enterprise practices, supported with automated real-time monitoring with full accountability for control monitoring, risk management and compliance enforcement. Control evaluation is continuous, based on self-assessments and gap and root cause analyses. Employees are proactively involved in control improvements.
7. Policy Framework & Governance
Information Security Management Policy & Framework
Information Security Corporate Policy
Table of Contents
A. Organization of Information Security
B. Asset Management
C. Human Resources
D. Physical & Environmental Security
E. Communications & Operations Management
F. Access Control
G. Information System Acquisition, Development & Maintenance
H. Information Security Incident Management
I. Business Continuity Management
J. Compliance
For Board Approval
8. Policy Framework & Governance
Corporate Policies - delegation of authority from the Board of Directors to Management at the executive level. The high level statement of management's intent, expectations and direction. Corporate Policies provide the Framework and Governance of Information Security.
Directives - support the Corporate Policies by providing a more focused detail of information.
Standards - are the metrics forming a technical requirement that must be met in order to meet the terms of the Corporate Policy.
Guidelines - contain information that will be helpful in executing the procedures.
Procedures – step by step instructions.
Approval hierarchy (from the slide diagram):
• Information Security Corporate Policy – Corporate Policies – Board Approval
• Operational Level "policies" or standards – Sr. Exec Committee or other approval
• Operational Level procedures or guidelines
9. Policy Framework & Governance
Information Security Corporate Policy
Table of Contents
A. Organization of Information Security
B. Asset Management
C. Human Resources Security
D. Physical & Environmental Security
E. Communications & Operations Management
F. Access Control
G. Information Systems Acquisition, Development & Maintenance
H. Information Security Incident Management
I. Business Continuity Management
J. Compliance
10. Ratings for Benchmarking & Comparison
ISO Maturity Model Ratings
Policy
People
Process
Technology
11. Ratings for Benchmarking & Comparison
12. Ratings for Benchmarking & Comparison (Example only)
A. Organization of Information Security – x.x
B. Asset Management – x.x
C. Human Resources Security – x.x
D. Physical & Environmental Security – x.x
E. Communications & Operations Management – x.x
F. Access Control – x.x
G. Information Systems Acquisition, Development & Maintenance – x.x
H. Information Security Incident Management – x.x
I. Business Continuity Management – x.x
J. Compliance – x.x
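An added example, not from the presentation, showing how the maturity model's criteria can be applied per control and averaged per policy section to produce the x.x benchmark figures above; the midpoint scoring of each band, the evidence attributes and the sample controls are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean

# ISO maturity levels from the presentation's maturity model. Each band is scored
# at its midpoint so per-section averages land on the x.x scale (assumed convention).
ISO_LEVELS = {
    0.5: "0-1: Practice not yet in existence",
    1.5: "1-2: Practice does not fully achieve ISO objectives; efforts are underway",
    2.5: "2-3: Practice achieves ISO objectives; not documented or universally effective",
    3.5: "3-4: Practice achieves and documents ISO objectives; not universally effective",
    4.5: "4-5: Practice achieves ISO objectives, is documented and universally effective",
}

@dataclass
class ControlAssessment:
    """Evidence recorded for one control (attribute names are constructed)."""
    control: str
    section: str               # policy Table of Contents letter, e.g. "F" = Access Control
    exists: bool
    achieves_objectives: bool
    documented: bool
    universally_effective: bool

def iso_maturity(a: ControlAssessment) -> float:
    """Apply the model's criteria as successive gates; the first failed gate fixes the band."""
    if not a.exists:
        return 0.5
    if not a.achieves_objectives:
        return 1.5
    if not a.documented:
        return 2.5
    if not a.universally_effective:
        return 3.5
    return 4.5

def level_label(a: ControlAssessment) -> str:
    """Human-readable ISO maturity statement for one control."""
    return ISO_LEVELS[iso_maturity(a)]

def section_ratings(assessments):
    """Average the control scores per section: the x.x benchmark figure per ToC letter."""
    by_section = {}
    for a in assessments:
        by_section.setdefault(a.section, []).append(iso_maturity(a))
    return {s: round(mean(v), 1) for s, v in sorted(by_section.items())}

# Constructed sample evidence for two sections (not the presenter's data).
SAMPLE = [
    ControlAssessment("Access control: user registration", "F", True, True, True, False),
    ControlAssessment("Access control: privileged access review", "F", True, True, False, False),
    ControlAssessment("Incident mgmt: event reporting", "H", True, False, False, False),
    ControlAssessment("Incident mgmt: lessons learned", "H", False, False, False, False),
]
```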
13. Return on Security Posture Investment (ROSPI) Methodology
Internet Security Alliance July 2002/Data from Dr. William M. Hancock
14. The Start of the Journey
• Addressing Other Audits & Assessments
• Assessment of Scope – Risk Registrar
• Risk Assessment & Treatment
• Tracking & Reporting
18. Assessment of Scope – Risk Registrar
Risk Assessment & Treatment
4.1 Assessing Security Risks
Risk assessments should identify, quantify, and prioritize risks against criteria for risk
acceptance and objectives relevant to the organization.
4.2 Treating Security Risks
Before considering the treatment of a risk, the organization should decide criteria for determining
whether or not risks can be accepted. Risks may be accepted if, for example, it is assessed that
the risk is low or that the cost of treatment is not cost-effective for the organization. Such
decisions should be recorded.
19. Risk Assessment & Treatment
Residual Risk Rating = Consequence x Likelihood
Low < 5
Med >=5 to <10
High >=10
CONSEQUENCE
The impact on the objectives if the risk occurs, rated across four areas: Monetary Impact, Operational Efficiency Impact, Reputation Impact (incl. Regulatory & Member) and Employee Impact.
5 Catastrophic
Monetary: Would have significant financial consequences: compromising quality of balance sheet and ability to address capital adequacy requirements.
Operational Efficiency: Would have significant and prolonged impact on operations. Processes are irreconcilable resulting in undeliverable customer service.
Reputation: Key Stakeholders (Members/Vendors) lose confidence in Coast's ability to deliver with low likelihood of regaining trust.
Employee: Would result in the unexpected loss of multiple (key) staff including executive.
4 Major
The consequences would threaten continued effective provision of services and require top-level management intervention.
3 Moderate
Monetary: Would have some financial consequences: threatening budgeted net income, medium term earnings and planned capital expenditures.
Operational Efficiency: Would have some impact on operations. Processes would be suspended resulting in delayed delivery of customer service.
Reputation: Some stakeholders would lose trust in Coast and likely have some media attention.
Employee: Would result in the unexpected loss of some (key) staff and have an impact on morale.
2 Minor
The consequences would impact the efficiency or effectiveness of some services, but could be dealt with internally.
1 Insignificant
Monetary: Would not have material financial consequence: impacts/losses could be absorbed in departmental budgets.
Operational Efficiency: Would have little impact on operations. Processes would be slightly delayed although no delay in delivery of customer service.
Reputation: Few stakeholders, if any, would be aware of the incident.
Employee: Would have negligible impact on staff.
LIKELIHOOD
The probability that a risk event will occur, given current controls in place.
Level Descriptor Description
5 Almost Certain: For a pre-defined period of time (e.g. 24 months), the risk event is expected to occur >80% of the time.
4 Likely: For a pre-defined period of time (e.g. 24 months), the risk event is expected to occur >60% of the time.
3 Possible: For a pre-defined period of time (e.g. 24 months), the risk event is expected to occur >30% and <60% of the time.
2 Unlikely: For a pre-defined period of time (e.g. 24 months), the risk event is expected to occur <30% of the time.
1 Rare: For a pre-defined period of time (e.g. 24 months), the risk event is expected to occur <10% of the time.
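As an added worked example (not from the presentation), the rating formula and bands above applied to a small constructed risk register, with a check that every accepted risk has a recorded decision as section 4.2 requires; the acceptance criterion (only Low-rated risks may be accepted), the treatment vocabulary and the sample entries are assumptions.

```python
from dataclasses import dataclass

# Descriptors from the presentation's 1-5 consequence and likelihood scales.
CONSEQUENCE = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost Certain"}

def residual_risk_score(consequence: int, likelihood: int) -> int:
    """Residual Risk Rating = Consequence x Likelihood, both on the 1-5 scales above."""
    if consequence not in CONSEQUENCE or likelihood not in LIKELIHOOD:
        raise ValueError("consequence and likelihood must be integers 1..5")
    return consequence * likelihood

def risk_band(score: int) -> str:
    """Bands from the slide: Low < 5, Med >= 5 and < 10, High >= 10."""
    if score < 5:
        return "Low"
    return "Med" if score < 10 else "High"

@dataclass
class RiskEntry:
    risk_id: str
    description: str
    iso_section: int          # ISO/IEC 27002 section the risk is assessed under
    consequence: int
    likelihood: int
    treatment: str            # "Accept" or "Mitigate" (assumed vocabulary)
    acceptance_rationale: str = ""

# Assumed acceptance criterion (4.2 says the organization must decide one first):
# only Low-rated risks may be accepted, and every acceptance must be recorded.
ACCEPTABLE_BANDS = {"Low"}

def review_register(entries):
    """Score each entry and list exceptions against the acceptance criterion."""
    rows, exceptions = [], []
    for e in entries:
        score = residual_risk_score(e.consequence, e.likelihood)
        band = risk_band(score)
        rows.append({"id": e.risk_id, "section": e.iso_section, "score": score, "band": band,
                     "label": f"{CONSEQUENCE[e.consequence]} x {LIKELIHOOD[e.likelihood]}"})
        if e.treatment == "Accept":
            if band not in ACCEPTABLE_BANDS:
                exceptions.append(f"{e.risk_id}: {band} risk accepted outside criteria")
            if not e.acceptance_rationale.strip():
                exceptions.append(f"{e.risk_id}: acceptance decision not recorded")
    return rows, exceptions

# Constructed sample risk register (not the presenter's data).
SAMPLE_REGISTER = [
    RiskEntry("R-01", "Unpatched internet-facing servers", 12, 4, 3, "Mitigate"),
    RiskEntry("R-02", "Shared administrator accounts", 11, 3, 3, "Accept"),
    RiskEntry("R-03", "Visitor badge log gaps", 9, 1, 4, "Accept", "Low impact; lobby is staffed"),
]
```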
22. Tracking & Reporting (Example only)
A. Organization of Information Security – x.x
B. Asset Management – x.x
C. Human Resources Security – x.x
D. Physical & Environmental Security – x.x
E. Communications & Operations Management – x.x
F. Access Control – x.x
G. Information Systems Acquisition, Development & Maintenance – x.x
H. Information Security Incident Management – x.x
I. Business Continuity Management – x.x
J. Compliance – x.x
26. The Next Steps – Program Development
27. Information Security Job Practice
Domain 1—Information Security Governance
Establish and maintain a framework to provide assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations.
Develop an information security strategy aligned with business goals and objectives.
Align information security strategy with corporate governance.
Develop business cases justifying investment in information security.
Identify current and potential legal and regulatory requirements affecting information security.
Identify drivers affecting the organization (e.g., technology, business environment, risk tolerance, geographic location) and their impact on information security.
Obtain senior management commitment to information security.
Define roles and responsibilities for information security throughout the organization.
Establish internal and external reporting and communication channels that support information security.
28. Information Security Job Practice
Domain 2—Information Risk Management
Identify and manage information security risks to achieve business objectives.
Establish a process for information asset classification and ownership.
Implement a systematic and structured information risk assessment process.
Ensure that business impact assessments are conducted periodically.
Ensure that threat and vulnerability evaluations are performed on an ongoing basis.
Identify and periodically evaluate information security controls and countermeasures to mitigate risk to acceptable levels.
Integrate risk, threat and vulnerability identification and management into life cycle processes (e.g., development, procurement and employment life cycles).
Report significant changes in information risk to appropriate levels of management for acceptance on both a periodic and event-driven basis.
29. Information Security Job Practice
Domain 3—Information Security Program Development
Create and maintain a program to implement the information security strategy.
Develop and maintain plans to implement the information security strategy.
Specify the activities to be performed within the information security program.
Ensure alignment between the information security program and other assurance functions (e.g., physical, HR, quality, IT).
Identify internal and external resources (e.g., finances, people, equipment, systems) required to execute the information security program.
Ensure the development of information security architectures (e.g., people, processes, technology).
Establish, communicate and maintain information security policies that support the security strategy.
Design and develop a program for information security awareness, training and education.
Ensure the development, communication and maintenance of standards, procedures and other documentation (e.g., guidelines, baselines, codes of conduct) that support information security policies.
Integrate information security requirements into the organization's processes (e.g., change control, mergers and acquisitions) and life cycle activities (e.g., development, employment, procurement).
Develop a process to integrate information security controls into contracts (e.g., with joint ventures, outsourced providers, business partners, customers, third parties).
Establish metrics to evaluate the effectiveness of the information security program.
30. Information Security Job Practice
Domain 4—Information Security Program Management
Oversee and direct information security activities to execute the information security program.
Manage internal and external resources (e.g., finances, people, equipment, systems) required to execute the information security program.
Ensure that processes and procedures are performed in compliance with the organization's information security policies and standards.
Ensure that the information security controls agreed to in contracts (e.g., with joint ventures, outsourced providers, business partners, customers, third parties) are performed.
Ensure that information security is an integral part of the systems development process.
Ensure that information security is maintained throughout the organization's processes (e.g., change control, mergers and acquisitions) and life cycle activities (e.g., development, employment, procurement).
Provide information security advice and guidance (e.g., risk analysis, control selection) to the organization.
Provide information security awareness, training and education to stakeholders (e.g., business process owners, users, information technology).
Monitor, measure, test and report on the effectiveness and efficiency of information security controls and compliance with information security policies.
Ensure that noncompliance issues and other variances are resolved in a timely manner.
31. Information Security Job Practice
Domain 5—Incident Management & Response
Plan, develop and manage a capability to detect, respond to and recover from information security incidents.
Develop and implement processes for detecting, identifying, analyzing and responding to information security incidents.
Establish escalation and communication processes and lines of authority.
Develop plans to respond to and document information security incidents.
Establish the capability to investigate information security incidents (e.g., forensics, evidence collection and preservation, log analysis, interviewing).
Develop a process to communicate with internal parties and external organizations (e.g., media, law enforcement, customers).
Integrate information security incident response plans with the organization's Disaster Recovery (DR) and Business Continuity Plan (BCP).
Organize, train and equip teams to respond to information security incidents.
Periodically test and refine information security incident response plans.
Manage the response to information security incidents.
Conduct reviews to identify causes of information security incidents, develop corrective actions and reassess risk.
32. CISM: Information Security Job Practice
• The CISM certification program is developed specifically for experienced information security managers and those who have information security management responsibilities.
• The management-focused CISM is a unique certification for individuals who design, build and manage enterprise information security programs. The CISM certification promotes international practices and individuals earning the CISM become part of an elite peer network, attaining a one-of-a-kind credential.
33. Thank You!
Michael Leung
CRISC, CGEIT, CISM, CISA, CISSP-ISSMP
ISACA Vancouver Chapter
www.isaca-vancouver.org