Information Security Management System (ISMS) Overview
Arhnel Klyde S. Terroza
May 12, 2015
Arhnel Klyde S. Terroza
CPA, CISA, CISM, CRISC, ISO 27001 Provisional Auditor
- Internal Auditor at Clarien Bank Limited
- Former IT Risk and Assurance Manager with Ernst & Young Financial Services Organization (FSO), Hamilton, Bermuda and San Antonio, TX
- Certified Public Accountant (CPA, Philippines), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), and ISO 27001 Provisional Auditor
- Bachelor of Science in Accountancy from Silliman University (Philippines)
AGENDA
- What is Information Security Management System (ISMS)?
- What are the standards, laws, and regulations out there that will help you build or assess your InfoSec Management Program?
- What is ISO/IEC 27001:2013?
- What are the ISO/IEC 27001 Controls?
- What are the benefits of adopting ISO 27001?
- Why do you need to conduct an InfoSec awareness survey?
Source: www.novainfosec.com
What is ISMS?
- Part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security (ISO definition)
  Note: A management system is a set of interrelated or interacting elements of an organization to establish policies and objectives and processes to achieve those objectives. The scope of a management system may include the whole of the organization, specific and identified functions of the organization, specific and identified sections of the organization, or one or more functions across a group of organizations.
- Influenced by the organization's needs and objectives, security requirements, the processes employed and the size and structure of the organization.
- Expected to change over time.
- A holistic approach to managing information security: confidentiality, integrity, and availability of information and data.
What are the InfoSec related standards, laws and regulations?
ISO 27000 Family of International Standards
Provides the best practice recommendations on InfoSec management, risks and controls within the context of an overall ISMS.
- ISO 27000: Overview and Vocabulary (2014)
- ISO 27001: ISMS Requirements (2013)
- ISO 27002: Code of Practice (2013)
- ISO 27003: ISMS Implementation Guidance (2010)
- ISO 27004: ISM Measurement (2009)
- ISO 27005: InfoSec Risk Management (2011)
- ISO 27006: Requirements for Bodies Providing Audit and Certification of ISMS (2011)
- ISO 27007 / 27008: Guidelines for Auditing InfoSec Controls (2011)
- ISO 27014: Governance of InfoSec (2013)
- ISO 27015: ISM Guidelines for Financial Services (2012)
Source: www.iso.org
What are the InfoSec related standards, laws and regulations?
Other Standards
- Payment Card Industry Data Security Standard (PCI DSS)
- US National Institute of Standards and Technology (NIST)
  - Security and Privacy Controls for Federal Information Systems and Organizations (NIST Special Publication 800-53)
  - Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework)
- ISACA Cybersecurity Nexus
- The IIA GTAG 15: Information Security Governance (2010)
Governmental laws and regulations with (or will have) a significant effect on InfoSec
- UK Data Protection Act 1998
- The Computer Misuse Act 1990 (UK)
- Federal Information Security Management Act 2001 (US)
- Gramm-Leach-Bliley Act (GLBA) 1999 (US)
- Federal Financial Institutions Examination Council's (FFIEC) security guidelines (US)
- Sarbanes-Oxley Act (SOX) 2002 (US)
- State security breach notification laws (e.g. California) (US)
- Family Educational Rights and Privacy Act (US)
- Health Insurance Portability and Accountability Act (HIPAA) 1996 (US)
- Bermuda Laws???
What is ISO/IEC 27001:2013?
- Leading International Standard for ISMS. Specifies the requirements for establishing, implementing, maintaining, monitoring, reviewing and continually improving the ISMS within the context of the organization. Includes assessment and treatment of InfoSec risks.
- Best framework for complying with information security legislation.
- Not a technical standard that describes the ISMS in technical detail.
- Does not focus on information technology alone, but also other important business assets, resources, and processes in the organization.
[Figure: ISO/IEC 27001 Evolution. Source: www.iso27001security.com]
What is ISO/IEC 27001:2013?
World distribution of ISO/IEC 27001 certificates in 2013
Year             Certificates
2013             22,293 (up 14%)
2012             19,620

Country          Certificates (2013)
Japan            7,084
India            1,931
United Kingdom   1,923
China            1,710
Spain            799
United States    566
Australia        138
Canada           66
Source: www.iso.org
What is ISO/IEC 27001:2013?
[Figure: Evolution of ISO/IEC 27001 certificates, United States and United Kingdom. Source: www.iso.org]
ISO does not perform certification. Organizations looking to get certified to an ISO standard must contact an independent certification body. Certification bodies must use the ISO's Committee on Conformity Assessment (CASCO) standards related to the certification process.
What is ISO/IEC 27001:2013?
[Chart: ISO/IEC 27001 - Worldwide total of certificates, 2006 to 2013, broken down by region (Middle East, North America, Central and South Asia, Central / South America, Africa). Source: www.iso.org]
What is ISO/IEC 27001:2013?
Sources:
http://iaardirectory.jadianonline.com/Directory
http://www.bsiamerica.com
What is ISO/IEC 27001:2013?
Process approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's ISMS:
What are the ISO/IEC 27001 Controls?
Eight (8) mandatory clauses (controls / control objectives) for organizations claiming conformance to ISO/IEC 27001 standard:
Clause 4  Context of the organization
  4.1  Understanding the organization and its context
  4.2  Understanding the needs and expectations of interested parties
  4.3  Determining the scope of the information security management system
  4.4  Information security management system
Clause 5  Leadership
  5.1  Leadership and commitment
  5.2  Policy
  5.3  Organizational roles, responsibilities and authorities
Clause 6  Planning
  6.1  Actions to address risks and opportunities
  6.2  Information security objectives and planning to achieve them
What are the ISO/IEC 27001 Controls?
Eight (8) mandatory clauses (cont):
Clause 7  Support
  7.1  Resources
  7.2  Competence
  7.3  Awareness
  7.4  Communication
  7.5  Documented information
Clause 8  Operation
  8.1  Operational planning and control
  8.2  Information security risk assessment
  8.3  Information security risk treatment
Clause 9  Performance Evaluation
  9.1  Monitoring, measurement, analysis and evaluation
  9.2  Internal audit
  9.3  Management review
What are the ISO/IEC 27001 Controls?
Eight (8) mandatory clauses (cont):
Clause 10  Improvement
  10.1  Nonconformity and corrective action
  10.2  Continual improvement

ISO/IEC 27001:2013 ISMS Control Point and Control Objective Summary (Mandatory)
Reference   Description                    Control Total
Clause 4    Context of the organization    8
Clause 5    Leadership                     19
Clause 6    Planning                       39
Clause 7    Support                        28
Clause 8    Operation                      9
Clause 9    Performance evaluation         29
Clause 10   Improvement                    16
Total Control Points:                      148
Source: www.slideshare.net by Mark E.S. Bernard (2013)
What are the ISO/IEC 27001 Controls?
14 Control Categories (Domain / Control Area): Discretionary Controls (Annex A)
A.5  Information security policies
  A.5.1  Management direction for information security
A.6  Organization of information security
  A.6.1  Internal organization
  A.6.2  Mobile devices and teleworking
A.7  Human resource security
  A.7.1  Prior to employment
  A.7.2  During employment
  A.7.3  Termination and change of employment
What are the ISO/IEC 27001 Controls?
14 Control Categories (Domain / Control Area): Discretionary Controls (Annex A)
A.8  Asset management
  A.8.1  Responsibility for assets
  A.8.2  Information classification
  A.8.3  Media handling
A.9  Access control
  A.9.1  Business requirements of access control
  A.9.2  User access management
  A.9.3  User responsibilities
  A.9.4  System and application access control
A.10  Cryptography
  A.10.1  Cryptographic controls
What are the ISO/IEC 27001 Controls?
14 Control Categories (Domain / Control Area): Discretionary Controls (Annex A)
A.11  Physical and environmental security
  A.11.1  Secure areas
  A.11.2  Equipment
A.12  Operations security
  A.12.1  Operational procedures and responsibilities
  A.12.2  Protection from malware
  A.12.3  Backup
  A.12.4  Logging and monitoring
  A.12.5  Control of operational software
  A.12.6  Technical vulnerability management
  A.12.7  Information systems audit considerations
What are the ISO/IEC 27001 Controls?
14 Control Categories (Domain / Control Area): Discretionary Controls (Annex A)
A.13  Communications security
  A.13.1  Network security management
  A.13.2  Information transfer
A.14  System acquisition, development and maintenance
  A.14.1  Security requirements of information systems
  A.14.2  Security in development and support processes
  A.14.3  Test data
A.15  Supplier relationships
  A.15.1  Information security in supplier relationships
  A.15.2  Supplier service delivery management
A.16  Information security incident management
  A.16.1  Management of information security incidents and improvements
What are the ISO/IEC 27001 Controls?
14 Control Categories (Domain / Control Area): Discretionary Controls (Annex A)
A.17  Information security aspects of business continuity management
  A.17.1  Information security continuity
  A.17.2  Redundancies
A.18  Compliance
  A.18.1  Compliance with legal and contractual requirements
  A.18.2  Information security reviews
ISO/IEC 27002:2013 is a better reference for selecting controls when implementing an ISMS based on ISO/IEC 27001:2013, either for certification purposes or alignment to a leading standard. Or it could simply be used as a guidance document for implementing commonly accepted information security controls.
What are the ISO/IEC 27001 Controls?
ISO/IEC 27001:2013 ISMS Control Point and Control Objective Summary (Discretionary)
Reference   Description                                                      Control Total
A5          Information security policies                                    2
A6          Organization of information security                             7
A7          Human resource security                                          6
A8          Asset management                                                 10
A9          Access control                                                   13
A10         Cryptography                                                     2
A11         Physical and environmental security                              15
A12         Operations security                                              14
A13         Communications security                                          7
A14         System acquisition, development and maintenance                  13
A15         Supplier relationships                                           5
A16         Information security incident management                         7
A17         Information security aspects of business continuity management   4
A18         Compliance                                                       8
Total Control Points:                                                        113
Source: www.slideshare.net by Mark E.S. Bernard (2013)
What are the benefits of ISO/IEC 27001:2013?
- Best framework for complying with information security legal, regulatory and contractual requirements
- Better organizational image because of the certificate issued by a certification body
- Proves that senior management are committed to the security of the organization, including customers' information
- Focused on reducing the risks for information that is valuable for the organization
- Provides a common goal
- Optimized operations within the organization because of clearly defined responsibilities and business processes
- Builds a culture of security
What are the benefits of ISO/IEC 27001:2013?
BSI Study on ISO 27001
- 87% of respondents stated that implementing ISO/IEC 27001 had a positive or very positive outcome
- Ability to meet compliance requirements increased for 60% of organizations
- Number of security incidents decreased for 39%
- Downtime of IT systems decreased for 39%
- Ability to respond to tenders increased for 43%
- Relative competitive position increased for 47%
- 51% saw an increase in external customer satisfaction following the implementation of an ISMS
- 40% saw an increase in internal customer satisfaction
- 66% noted an increase in the quality control of information security processes and procedures and 40% decrease in risk
Sources: http://www.bsiamerica.com
Why do you need to conduct an InfoSec awareness survey?
What is an information security awareness program?
- Promotes risk and security aware culture.
- Helps in managing security incidents, compliance risks, and financial losses.
- e.g. Phishing exercises, newsletters, posters
What are the benefits of conducting an information security awareness survey?
- Provides visibility into organizational behavior with respect to information security.
- Data collected can be used to identify areas of possible improvement and risk reduction.
- Initial survey can provide a baseline of security awareness of the organization; when applied over time, can indicate progress or challenges in the infosec awareness program.
- Helps the InfoSec Team and Human Resources gain a degree of understanding of personnel's attitudes and habits related to information security within the context of their day to day activities
Why do you need to conduct an InfoSec awareness survey?
Misconception of awareness survey
- Information security awareness survey is not intended to assess the organization's ISMS
How to deploy surveys
- Online survey tools (e.g. SurveyMonkey)
- Traditional mail
How to analyze data from the survey?
- Quantitative: aggregate responses to a question.
- Qualitative: open ended questions can provide qualitative data. Comparison of results across departments, roles, and demographics (e.g. tenure within the company)
Note: How you analyze data depends on what questions are included
Why do you need to conduct an InfoSec awareness survey?
Can an overall risk be concluded from the survey?
- Questions can be designed in such a manner that answers are assigned a risk score. For example, each question response is assigned a risk value of one to five, one being the lowest risk value and five the highest risk value.
- Results of the survey can be used to determine the overall risk score of the organization. For example:
Risk Score              Description
Low (25-39)             Users are aware of good security principles and threats, have been properly trained, and comply with the Organization's security policies and standards.
Elevated (40-59)        Users have already been trained on the Organization's security policies and standards, they are aware of threats, but may not follow good security principles and controls.
Moderate (60-79)        Users are aware of threats and know they should follow good security principles and controls, but need training on the Organization's security policies and standards. They also may not know how to identify or report a security event.
Significant (80-99)     Users are not aware of good security principles or threats nor are they aware of or compliant with the Organization's security policies and standards.
High (100 and higher)   Users are not aware of threats and disregard known security policies and standards or do not comply. They are likely to engage in activities or practices that are easily attacked and exploited.
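As an added example (not part of the original presentation), a small Python scorer for the survey design described above, including the per-department comparison mentioned on the previous slide. It assumes a 25-question survey (the lowest band starts at 25, one point per question), that each answer has already been mapped to a risk value of 1 to 5, that the organization score is the mean of respondent totals, and it uses the band ranges from the table; the department names and responses are constructed.

```python
from collections import defaultdict

QUESTIONS = 25               # assumption: a 25-question survey, so totals run 25..125
MIN_VALUE, MAX_VALUE = 1, 5  # 1 = lowest risk value, 5 = highest (as on the slide)
# Inclusive upper bound of each band, from the slide's table; anything above 99 is High.
BANDS = ((39, "Low"), (59, "Elevated"), (79, "Moderate"), (99, "Significant"))

def respondent_score(answers):
    """Sum one respondent's per-question risk values, rejecting malformed answer sets."""
    if len(answers) != QUESTIONS:
        raise ValueError(f"expected {QUESTIONS} answers, got {len(answers)}")
    if any(not MIN_VALUE <= a <= MAX_VALUE for a in answers):
        raise ValueError("every answer must carry a risk value between 1 and 5")
    return sum(answers)

def risk_band(score):
    """Map a total or averaged risk score to the band named on the slide."""
    for upper, name in BANDS:
        if score <= upper:
            return name
    return "High"

def summarize(scores):
    """Mean of respondent totals (rounded to one decimal) and the band of that mean."""
    avg = sum(scores) / len(scores)
    return round(avg, 1), risk_band(avg)

def score_survey(responses):
    """Aggregate (department, answers) pairs into per-department and overall results."""
    by_dept = defaultdict(list)
    for dept, answers in responses:
        by_dept[dept].append(respondent_score(answers))
    all_scores = [s for scores in by_dept.values() for s in scores]
    return {"overall": summarize(all_scores),
            "departments": {d: summarize(s) for d, s in by_dept.items()}}

# Constructed sample responses (not real survey data): three departments,
# two respondents each, 25 answers per respondent already mapped to 1..5.
SAMPLE = [("Finance", [1] * 25), ("Finance", [2] * 20 + [1] * 5),
          ("IT", [3] * 25), ("IT", [3] * 15 + [4] * 10),
          ("Operations", [5] * 25), ("Operations", [4] * 20 + [5] * 5)]

if __name__ == "__main__":
    result = score_survey(SAMPLE)
    print("Overall:", result["overall"])
    for dept, (score, band) in sorted(result["departments"].items()):
        print(f"{dept:<12} {score:>6} {band}")
```

On the sample data the organization lands in Moderate (76.7) while Operations alone scores High, which is the kind of department-level gap the survey is meant to surface.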
SUMMARY
An organization needs to undertake the following steps in establishing, monitoring, maintaining and improving its ISMS:
- Identify information assets and their associated information security requirements
- Assess information security risks and treat information security risks [to an acceptable level]
- Select and implement relevant controls to manage unacceptable risks [or to reduce risks to acceptable levels]
- Monitor, maintain and improve the effectiveness of controls associated with the organization's information assets
SUMMARY
- Adoption of an ISMS should be a strategic decision for an organization.
- ISMS is a holistic approach to managing information security: confidentiality, integrity, and availability of information and data.
- Laws and regulations are continuing to evolve to address information security risk and privacy. ISO/IEC 27001:2013 is the best framework for complying with information security legislation.
- ISO/IEC 27001:2013 is not a technical standard for IT only.
- Increasing trend in adopting a holistic approach (using ISO/IEC 27001:2013) in managing information security risks.
- Organizations need to conduct an information security awareness survey.
Questions