iso 27000 series
TRANSCRIPT
8/3/2019 Iso 27000 Series
http://slidepdf.com/reader/full/iso-27000-series 1/45
Computer Forensics ISO27001 Secure Mobility Penetration Testing www.sapphire.net
ISO 27000 Series
Information Security Management: ‘ISO 27000 series of standards’ development
29 April 2008 – BCS (Jersey)
Vernon Poole – Head of Business Consultancy, Sapphire, UK
Speaker Credentials – Vernon Poole
• Recognised global trainer in Information Security Management for over 15 years
• Member of UK & International 27000 User Groups
• Member of ISACA Global ISO27000 Taskforce
• UK & European CISM trainer
• Head of Business Consultancy at Sapphire – totally independent Information Security Services Company
Agenda
1. Results of a recent Global Survey 2008
2. ISO27000 series developments
3. Move towards ‘Business Resilience’
1. Global Survey 2008 (Certification Europe)
• Respondents : 312 (4 month survey in 2007)
= 10% of certified organisations.
• Sectors : All
• Countries : Ireland; Italy; Hong Kong; Japan; UK & USA
• Coverage :
- Information on organisations & responsible officers
- Information on certification & the challenges
- Information on ongoing maintenance & benefits realised
Who is adopting 27001
Sector %
• IT Services (customer mandate) 23
• Telcos (customer demand) 14
• Public Sector (government drive) 14
• Print Services (APACS influence) 12
• Health Services (government drive) 7
• Consultancies (requirement) 6
• Pharmaceuticals 5
• Manufacturing 4
• Financial Services 3
• Construction 2
• Legal Services 2
• Other (access to secure networks) 8
Size of Organisation adopting 27001
Size %
• Large (> 500 employees) 38
• Medium (200 – 500 employees) 12
• SMEs (< 200 employees) 50
Who manages the ISMS
Manager %
• Full time manager 12
• Range of responsibility/role 88
- IT Manager 27
- Quality Manager 19
- Project Manager 12
- Compliance Manager 8
- BC Manager 8
- Facilities Manager 8
- Other arrangements 6
Demonstrates the challenge of adequate resourcing
Reasons for Adoption
Reason %
• Best Practice Standard 90
• Competitive Advantage 80
• Legal/Regulatory Compliance 42
• Tendering Requirement 28
• Customer Mandate 18
• Access to Restricted Networks 18
• Competitors had Certification 8
Main Challenges to Certification
Challenge %
• Cultural Change 56
• Senior Management ‘Buy-In’ 18
• Resources 18
• Maintaining the ISMS 9
• Understanding the Standard 8
Timescale to Certification
Time %
• Within two years 93
• 12 months or less 60
• 6 months or less* 20
* Organisations who were already certified to quality standard – 9001
(80%) or environmental standard – 14001 (12%)
Benefits of Certification
• Established a formal approach to IS
• Raised the internal visibility of IS
• Raised the level of IS awareness
• Proof of robust controls
• Clear focus & control of Risk Management
• Increased customer confidence
• Tangible competitive advantage
• Embedded IS in a process of continuous improvement
Lessons Learnt
Lesson %
• More Senior Management Involvement 33
(awareness & PR campaign)
• More time/resources 17
• Better Risk Management approach 16
• Need to take Ownership 7
• No change to Implementation 27
2. ISO 27000 series developments
Since ISO27001 certifications have reached critical mass (5k+),
future developments will cover three areas:-
1. ISMS family of standards (ISO27000 – ISO27010) – covering specification, metrics, implementation guides, audit guides, risk management
2. Sector specific requirements (ISO27011 – ISO27030)
- Telcos; Healthcare; Automotive; Lotteries
3. Operational guidance (ISO27031 – ISO27059)
1. Future ISMS Standards
• ISO 27000 – Fundamentals and vocabulary (from late 2008)
• ISO 27001 – ISMS requirements – Certification Process (based on ISO 27002)
• ISO 27002 – Code of Practice on IS Management
• ISO 27003 – ISMS Implementation Guidance (from 2009)
• ISO 27004 – ISMS Metrics and measurement (from late 2008)
• ISO 27005 – ISMS Risk Management (from late 2008)
• ISO 27006 – Guidelines on ISMS accreditation (certification bodies)
• ISO 27007 – Guidelines on ISMS Auditing (from 2009)
Structure of 27000 series
27000 Fundamentals & Vocabulary
27001 ISMS
27003 Implementation Guidance
27002 Code of Practice for ISM
27004 Metrics & Measurement
27005 Risk Management
27006 Guidelines on ISMS accreditation
27007 Guidelines on ISMS Auditing
ISO 27000: Fundamentals & Vocabulary
• Explains the terminology for all the 27000 series family of standards – will probably be a free publication (marketing)
• Addresses global concerns on definitions that vary from country to country – so consistency will be established
• These principles will impact on other standards like COBIT (IT Processes) and ITIL (IT Service Delivery) and aim to avoid any confusion
IT Governance Institute produced a report entitled ‘Aligning ISO 27001, COBIT & ITIL’ (where Sapphire contributed) & now ISACA has an ISO Taskforce which I sit on for ISO27000
ISO 27001: ISMS Certification
• ISMS certification (formerly BS7799-2) – published Nov 05 – operational from 30 Jan 06 onwards
• Clarifies/improves PDCA process requirements
– ISMS scope
– approach to risk assessment
– selection of controls
– Statement of Applicability
– reviewing risks
– management commitment
– ISMS internal audits
– results of effectiveness & measurements
– Updated risk treatment plan & controls
ISO 27001: Current Global Certification Statistics
• There are 4,500 certifications across 68 countries – with Japan (2550); UK (370); India (430); Taiwan (175); China (110); Germany (90); and then a group of countries (Hungary, Italy, USA, & Korea at 60) – who are leading the way.
• Note 1 : current certification figures show 150 organisations being certified per month
• Note 2 : there are, by a factor of 25, more organisations who are compliant
• Certification Website : www.iso27001certificates.com
• There are currently 4,100 ISO27001 certificates
UK Certifications : Sector % Breakdown
[Pie chart]
Sectors in legend: Healthcare and Social Sector; Telecommunications; Professional Services; Local Government; Central Government; Judicial; Manufacturing/Heavy Industry; Utilities; Information Technology Services; Services, Sales, Light Industry; Financial Services
Values shown on chart: 4%, 5%, 4%, 3%, 3%, 1%, 2%, 1%, 18%, 52%, 7%
ISO 27002: Code of Practice on IS Management
• 11 sections to protect information assets
(formerly ISO/IEC17799:2005) – April 2007
• Choice of 133 detailed controls (based on a risk assessment process & your environment)
• Enhancements covered :
- external service delivery & provisioning of outsourcing
- patch management & current issues
- security prior to, during & on termination of employment
- guidance on risk management, & a section on incident management
- mobile, remote & distributed communications
ISO27002 Developments
11 sections: 2005 | 10 sections: 2000
Compliance | Compliance
Business Continuity Management | Business Continuity Management
Information Security Incident Management | (no equivalent section)
Information Systems Acquisition, Development and Maintenance | Systems Development & Maintenance
Access Control | Access Control
Communications & Operations Management | Communications & Operations Management
Physical & Environmental Security | Physical & Environmental Security
Human Resources Security | Personnel Security
Asset Management | Asset Classification & Control
Organising Information Security | Security Organisation
Security Policy | Security Policy
ISO 27003 : ISMS Implementation Guidelines
• Implementation guidelines to support the new requirement specification standard
• Annex B of BS7799 Part 2 is the basis:-
- overview
- management responsibilities
- governance & regulatory compliance
- personal security & human resources
- asset management
- availability/continuity of business processes
- handling information incidents
- access control
- risk management case studies
ISO 27003 : ISMS Implementation Guidelines
• Implements PDCA in more detail
– Identification of assets
– Threat identification
– Risk assessment / risk treatment
– Analysis and improvement of controls
• Provides detailed descriptions of each process
• Contains an annex with real world examples.
• Probably available in 2009
ISO 27004 : Metrics & Measurement
The objectives:
• evaluate effectiveness of IS controls & objectives
• evaluate effectiveness of ISMS (sustainability)
• provide IS indicators to assist management review
• facilitate improvement of IS
• provide input for IS audits;
• communicate effectiveness of ISM
• input into risk management process
• output for internal comparison & benchmarking
i.e. how to measure the processes & controls (performance targets; what to measure; how to measure; when to measure)
ISO 27005: ISMS Risk Management
• A new standard on ‘Information Security Risk Management’
– an ISO version of BS7799 Part 3 (March 06)
(seeks to address information security risks within the
wider context of business risks)
• Will also incorporate ISO/IEC 13335 MICTS Part 2
& AS/NZS 4360
• In final draft version
ISO 27006: Guidelines on ISMS Accreditation
• EA7/03 guidance (Feb 2002) to certification bodies – was now outdated
• Need for increased rigour & evidence from certifying bodies that the organisations going for certification are ‘fit for purpose’ i.e. a robust ISMS framework is not only well established (meeting business needs) but it is communicated & working in practice
• Operational from January 2007
What is in ISO/IEC 27006?
• General requirements – guidance on ‘impartiality’
• Organisational structure – apply ISO/IEC 17021
• Resource requirements
– management competence; subcontracting etc
• Information requirements – guidance on certification issues
• Process requirements
– guidance on ISMS audits
3 new annexes (analysis of ISMS complexity; example areas of auditor competence; audit time calculations)
ISO 27007: Guidelines on ISMS Auditing
• Guidance for audit & accredited certification bodies auditing ISMS
• It will draw heavily on ISO 19011:2002
(auditing quality & environmental management systems)
• Early stage of development: JTC1/SC27 is seeking agreement from national standards bodies on the proposed scope
• Publication date will not be until 2009
2. Future Developments – Sector specific standards
• Telecoms (Global) – ISO 27011
• Healthcare (UK) – ISO 27799
• Automotive (Germany; Korea; Sweden)
• Lottery (WLA – World Lottery Association)
The following slides outline their progress
ISO 27011: ISM Guidelines for Telecommunications
• This implementation guide is being developed jointly by ITU/ISO (publication date – 2009).
• ITU-T recommendation (2004/5) based on the following standards:
- X.800 & X.805 Security architectures
- ISO 9001/14001 Quality/environmental management
- ISO 27001 & ISO 27002
- ISO Guide 73:2002 Risk management
• The summary stated: “Information & supporting processes, teleco facilities, networks & lines are important business assets. To appropriately manage these assets & to successfully continue their business activities, ISM is extremely necessary”.
ISO 27799 : Security Management in Health using ISO27002 (draft)
• This standard is being developed by ISO committee TC215 – Health Informatics covering healthcare information (data models, communications for medical devices, health cards, e-prescribing etc)
• The standard views information security in an information governance context (where 25 threats are addressed)
• The standard is independent of the ISO/IEC committee JTC1/SC27 responsible for the other ISO27000 standards, & is not entirely aligned (numbering system may change)
3. Detailed ISO Operational Guides being considered
• ISO 27031 : ICT readiness for Business Continuity
• ISO 27032 : Guidelines for Cyber security
• ISO 27033 : IT Network Security
• ISO 27034 : Guidelines for Application Security
No publication dates yet for these specific guides
ISO 27031: ICT readiness for Business Continuity
• This standard may be based on a Singaporean BC/DR standard SS507 & incorporate parts of BS25999.
• SS507:2004 “a basis to certify & differentiate BC/DR service providers, help selection & provides quality assurance (inc. best practices to mitigate outsourcing risks).”
• Singapore was the first country to introduce a certification program for service providers – it specifies stringent requirements (inc. asset management; third party vendor management; outsourcing arrangements; privacy & confidentiality)
ISO 27032 : Guidelines for Cyber security
• Currently in development phase (WD – working draft)
ISO 27033 : IT Network Security
• This standard has been proposed as the new name for the existing standard ISO/IEC 18028:2006.
• The proposed standard will have seven parts:
1. Guidelines for network security
2. Guidelines for design/implementation of network security
3. Reference networking scenarios
4. Securing communications between networks using gateways
5. Securing remote access
6. Securing communications across networks using VPNs
7. Guidelines for securing mobile communications
ISO 27034 : Guidelines for Application Security
• Objective : to develop security guidance for application design & programming. This multi-part standard will provide guidance on information security controls relating to the application systems life system in a business organization
• Currently, Part 1 is in development phase (WD – working draft)
3. What is Business Resilience
• Operational Risk is the risk that results from:
- failed internal processes
- accidental or deliberate actions of people
- problems with systems & technology
- external events
• Business resilience is the organisation’s ability to sustain its business mission in the face of these risks.
It depends on effective management of all the risks above – this encompasses IS; BCM & IT Operations Management.
• Business resilience is therefore a challenging emergent concept
3. Business Resilience
From Information Security to Resilience
• Managing impact/consequences
• IS defined as a desired state
• IS is balanced between cost/risk
• Managing threats/vulnerabilities
• No articulation of desired state
• Throw technology to the problems
3. What is Business Resilience
• Origins: ‘resiliency engineering’ – to design, develop, implement & manage the protection & sustainability of business critical:-
1. Services – both internal/external activities for strategic benefit
2. Processes – steps to achieve the business mission
3. Assets – ‘people, information, technology, facilities’:
: People – human capital – influences process delivery
: Information – influences access/availability
: Technology – tools to accomplish business mission
: Facilities – physical places where other objects ‘live’
• Aim: to protect these business critical objects from disruption
3. Business Resilience – in Practice
[Diagram: BUSINESS PROCESSES and the four asset types]
- Relies on the Actions of: PEOPLE
- Requires & Creates: INFORMATION
- Is Supported by: TECHNOLOGY
- Is Performed in: FACILITIES
3. Business Resilience – the Challenge
Balancing Risks and Resilience
[Diagram labels]
Co-operation Focus | Information Security Focus
ASSET – Manage Risk
Protect | Sustain
Manage the condition | Manage the consequence
3. Business Resilience – how mature are you?
FORMAL (Risk Driven)
PARTIAL (Vulnerability Driven)
IDEAL (Business Driven)
EVENT DRIVEN
PLANNED
ACTIVELY MANAGED AND CONTROLLED
• Technical Problem
• Owned by IT
• Expense Driven
• Practice Centric
• IS & Survival
• Business Problem
• Owned by Business
• Investment Driven
• Process Centric
• Business Resilience
IRREGULAR & REACTIVE
SYSTEMATIC & ADAPTIVE
3. Business Resilience – Categories
There are four categories:
1. Corporate Ownership/Management (7 areas):
enterprise focus that risk management activities need
2. Business Foundations (6 areas):
implement resilience for information assets, business processes & services – foundation for protection & sustainability of assets
3. Operational Resilience (11 areas):
resiliency of people, information, technology, & facilities assets
4. Continuous Monitoring (2 areas):
measuring, managing & improving the resiliency process
Thank You for Your Time !! Any Questions ??
Vernon Poole – [email protected]
TECHNICAL CONSULTANCY
Content Security
Policy Compliance
Application Firewalls
End Point Security
High Availability
Remote Access SSL VPN
Strong Authentication
FORENSICS
Computer Forensics
Data Recovery
Forensic Email Archiving
Forensic Training
BUSINESS CONSULTANCY
ISO27001
ISO27002
CLAS
BCP/DR
Business Resilience
BUSINESS ASSURANCE
Penetration Testing
Vulnerability Assessments
Strategic Support Agreements
Security Audits