![Page 1: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/1.jpg)
Assurance through the ISO27002 Standard
and the US NIST Cybersecurity Framework
Keith Price
Principal Consultant
![Page 2: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/2.jpg)
About
• About me
- Specialise in cybersecurity strategy, architecture, and assessment
- Veteran of the IT industry from networking and telecommunications
to the emergence of the Internet, Internet banking, and IT security
- Work experience in AU, US, UK, Europe
- BBus, MSc, CISSP, CISM, CGEIT
• About Black Swan Group
- Professional services company based in Sydney
- Clients are large and small companies in financial services, state &
federal government, education, property, and more.
![Page 3: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/3.jpg)
All images not created by the author are used
under the “fair use for education” provision.
![Page 4: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/4.jpg)
Agenda
• Frameworks versus standards
• COSO Cube
• PCI-DSS
• ISO27001/2
• US NIST Cybersecurity Framework (CSF)
• NIST CSF Informative References
• Center for Internet Security Critical Security Controls
• COBIT 5
• NIST SP 800-53
• Cybersecurity assessment
![Page 5: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/5.jpg)
Framework versus Standard
• Framework: A basic structure underlying a
system, concept, or text.
• Standard: Something used as a measure,
norm, or model in comparative evaluations.
Source: https://www.oxforddictionaries.com/
![Page 6: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/6.jpg)
Frameworks and standards
Images: Respective organisations
![Page 7: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/7.jpg)
Adoption of security frameworks
Source: Trends in Security Framework Adoption, Dimensional Research, March 2016
![Page 8: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/8.jpg)
Which one should you use?
Image: Google Images
![Page 9: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/9.jpg)
Cyber risk
- Customer records
- Access credentials
- Cybercriminals
- Their malware
- People, process or technology weakness
Image: Google Images
![Page 10: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/10.jpg)
Source: Keith Price, informed by US Dept of Defense
![Page 11: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/11.jpg)
How do you modify risk?
• Control = a measure that is modifying risk
• Controls for information security include any
process, policy, procedure, guideline,
practice or organizational structure, which
can be administrative, technical,
management, or legal in nature which
modify information security risk.
Source: ISO27005:2016
![Page 12: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/12.jpg)
Risk equation
(Diagram) Risk = Threats × Vulnerabilities × Asset Value; applying Controls against that risk leaves Residual Risk.
To reduce cyber risk: reduce vulnerabilities, increase controls
Source: A Controls Factory Approach To Building a Cyber Security Program Based on the NIST Cybersecurity Framework (NCSF) - Larry Wilson & Rick Lemieux, October 2016
![Page 13: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/13.jpg)
COSO Cube (1985)
COSO: Committee of Sponsoring Organizations of the Treadway Commission
1995: AS/NZS 4360 Risk Management (the very first risk management standard)
2008: ISO27005 Information Security Risk Management
2009: ISO31000 Risk Management (supersedes AS/NZS 4360)
Source: Deloitte – COSO in the Cyber Age 2015
![Page 14: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/14.jpg)
Payment Card Industry – Data Security
Standard (PCI-DSS)
• Developed to encourage and enhance
cardholder data security
• Provides a baseline of technical and operational
requirements designed to protect account data
The problem: focused on cardholder data security
![Page 15: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/15.jpg)
![Page 16: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/16.jpg)
![Page 17: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/17.jpg)
ISO27002: “Designed to use as a reference for selecting controls within the process of implementing an ISMS based on ISO27001.”
ISO27001: “Provides requirements for establishing, implementing, maintaining, and continually improving an ISMS.”
![Page 18: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/18.jpg)
• Information security is achieved through the implementation of an applicable set of controls
• Controls are selected through the risk management process and managed using an ISMS
• Management involves activities to direct, control, and improve the organisation
• A management system uses a framework of resources to achieve an organisation’s objectives
Information security management system
Source: ISO27000:2016
![Page 19: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/19.jpg)
ISO27002 clauses 5 – 18 control
categories
• Information security policies
• Organisation of information security
• Human resource security
• Asset management
• Access control
• Cryptography
• Physical and environmental security
• Operations security
• Communications security
• System acquisition, development & maintenance
• Supplier relationships
• Incident management
• Business continuity management
• Compliance
![Page 20: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/20.jpg)
Discusses information security risk treatment
Source: ISO27001:2013
![Page 21: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/21.jpg)
Source: ISO27002:2013
![Page 22: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/22.jpg)
Control families (from SP800-53)
Source: Security and Privacy Controls for Information Systems and Organizations, NIST Special Publication 800-53 Revision 5 draft, August 2017
![Page 23: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/23.jpg)
US NIST Cybersecurity Framework (CSF)
• Framework for Improving Critical Infrastructure Cybersecurity
• “The Framework enables organisations – regardless of size, degree of cybersecurity risk, or cybersecurity sophistication – to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure.”
![Page 24: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/24.jpg)
Source: US NIST
![Page 25: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/25.jpg)
Source: NIST CSF
![Page 26: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/26.jpg)
NIST CSF informative references for subcategory ID.AM-1 (physical devices and systems within the organisation are inventoried)
• CCS CSC 1 (CCS was the Council on Cyber Security; the controls are now the Center for
Internet Security Critical Security Controls)
• COBIT 5 BAI09.01, BAI09.02
• ISA 62443-2-1:2009 4.2.3.4 (Security for Industrial Automation and
Control Systems, Establishing an Industrial Automation and Control
Systems Security Program)
• ISA 62443-3-3:2013 SR 7.8 (Security for Industrial Automation and
Control Systems, System Security Requirements and Security Levels)
• ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
• NIST SP 800-53 Rev. 4 CM-8 (Security and Privacy Controls for
Federal Information Systems and Organizations)
![Page 27: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/27.jpg)
Source: A Controls Factory Approach To Building a Cyber Security Program Based on the NIST Cybersecurity Framework (NCSF) - Larry Wilson & Rick Lemieux, October 2016
![Page 28: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/28.jpg)
The Center for Internet Security was an active participant in the development of the NIST cybersecurity framework.
Source: A Controls Factory Approach To Building a Cyber Security Program Based on the NIST Cybersecurity Framework (NCSF) - Larry Wilson & Rick Lemieux October 2016
![Page 29: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/29.jpg)
COBIT 5 BAI09.01, BAI09.02
Source: COBIT 5
![Page 30: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/30.jpg)
![Page 31: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/31.jpg)
Security for Industrial Automation and
Control Systems
![Page 32: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/32.jpg)
ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
![Page 33: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/33.jpg)
PR.DS-2 Data in transit is protected
Source: A Controls Factory Approach To Building a Cyber Security Program Based on the NIST Cybersecurity Framework (NCSF) - Larry Wilson & Rick Lemieux, October 2016
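The informative references on the ID.AM-1 slide and the PR.DS-2 slide are what turns a control assessment done against ISO/IEC 27001 Annex A or SP 800-53 into a statement about CSF coverage. The following is an added example, not code from the deck, from NIST or from the Controls Factory authors, showing that crosswalk logic: the ID.AM-1 references are the ones listed on the slide; the PR.DS-2 references are assumed from the CSF v1.0 core table and are not reproduced on the slide; the assessment input is constructed. The rule it encodes is that the references for a subcategory are alternative routes to the same outcome, so satisfying all of one framework's references is enough to call the subcategory covered.

```python
"""Crosswalk coverage check: translate an ISO 27001 / SP 800-53 control
assessment into NIST CSF subcategory coverage via the Informative References.

Added example, not part of the slide deck. ID.AM-1 references come from the
slide; PR.DS-2 references are assumed from the CSF v1.0 core table. Check them
against the CSF edition you are actually assessing against."""

# CSF subcategory -> framework -> set of referenced control identifiers.
CSF_REFERENCES = {
    "ID.AM-1": {
        "outcome": "Physical devices and systems within the organization are inventoried",
        "references": {
            "CIS CSC": {"CSC 1"},
            "COBIT 5": {"BAI09.01", "BAI09.02"},
            "ISA 62443-2-1:2009": {"4.2.3.4"},
            "ISA 62443-3-3:2013": {"SR 7.8"},
            "ISO/IEC 27001:2013": {"A.8.1.1", "A.8.1.2"},
            "NIST SP 800-53 Rev. 4": {"CM-8"},
        },
    },
    "PR.DS-2": {  # references assumed from CSF v1.0, not shown on the slide
        "outcome": "Data in transit is protected",
        "references": {
            "CIS CSC": {"CSC 17"},
            "COBIT 5": {"APO01.06", "DSS05.02", "DSS06.06"},
            "ISA 62443-3-3:2013": {"SR 3.1", "SR 3.8", "SR 4.1", "SR 4.2"},
            "ISO/IEC 27001:2013": {"A.8.2.3", "A.13.1.1", "A.13.2.1",
                                   "A.13.2.3", "A.14.1.2", "A.14.1.3"},
            "NIST SP 800-53 Rev. 4": {"SC-8", "SC-11", "SC-12"},
        },
    },
}

# Constructed sample assessment result: controls the assessor found implemented
# and effective, keyed by the framework they were assessed against.
SAMPLE_ASSESSMENT = {
    "ISO/IEC 27001:2013": {"A.8.1.1", "A.8.1.2", "A.13.1.1", "A.13.2.1"},
    "NIST SP 800-53 Rev. 4": {"SC-8"},
}


def subcategory_coverage(implemented, references=CSF_REFERENCES):
    """Rate each CSF subcategory from the implemented controls.

    'covered'  : every referenced control of at least one framework is in place
    'partial'  : some referenced control is in place, but no framework's set is complete
    'gap'      : nothing referenced is in place
    Returns {subcategory: {"status", "satisfied_via", "missing"}}, where
    "missing" lists, per framework, the referenced controls still outstanding.
    """
    report = {}
    for sub, entry in references.items():
        satisfied_via, missing, any_hit = [], {}, False
        for framework, wanted in entry["references"].items():
            have = wanted & implemented.get(framework, set())
            any_hit = any_hit or bool(have)
            gap = sorted(wanted - have)
            if gap:
                missing[framework] = gap
            else:
                satisfied_via.append(framework)
        status = "covered" if satisfied_via else ("partial" if any_hit else "gap")
        report[sub] = {"status": status,
                       "satisfied_via": sorted(satisfied_via),
                       "missing": missing}
    return report


def subcategories_for(framework, control, references=CSF_REFERENCES):
    """Reverse lookup: which CSF subcategories does one control evidence?"""
    return sorted(sub for sub, entry in references.items()
                  if control in entry["references"].get(framework, set()))


if __name__ == "__main__":
    for sub, result in subcategory_coverage(SAMPLE_ASSESSMENT).items():
        print(f"{sub} ({CSF_REFERENCES[sub]['outcome']}): {result['status']}")
        if result["satisfied_via"]:
            print("  satisfied via:", ", ".join(result["satisfied_via"]))
        for framework, gap in result["missing"].items():
            print(f"  still missing in {framework}: {', '.join(gap)}")
    print("A.8.1.1 evidences:", subcategories_for("ISO/IEC 27001:2013", "A.8.1.1"))
```

With the constructed assessment, ID.AM-1 reports covered via the ISO/IEC 27001 references while every other framework still shows a gap, and PR.DS-2 reports partial: the point for an assessor is that the per-framework "missing" lists, not the headline status, are what tell you which evidence to collect next.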
![Page 34: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/34.jpg)
NIST SP800-53 Rev. 4 CM-8
![Page 35: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/35.jpg)
![Page 36: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/36.jpg)
Recommendation
Images: Respective organisations
![Page 37: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/37.jpg)
RACI from ISACA’s COBIT 5
![Page 38: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/38.jpg)
RACI from ISACA’s Risk IT
Risk IT RE3 Maintain risk profile: Maintain an up-to-date and complete inventory of known risks and attributes (e.g., expected frequency, potential impact, disposition), IT resources, capabilities and controls as understood in the context of business products, services and processes.
![Page 39: Assurance through the ISO27002 Standard and the US NIST](https://reader031.vdocuments.us/reader031/viewer/2022012511/6188cad827e9c7195742d4dc/html5/thumbnails/39.jpg)