iso / iec 27001:2005 – an intorduction
DESCRIPTION
null Bangalore December 2013 MeetTRANSCRIPT
ISO/IEC 27001:2005 – An Introduction
Rupam Bhattacharya
What is Information?
• Current Business Plans
• Future Plans
• Intellectual Property (Patents, etc)
• Employee Records
• Customer Details
• Business Partners Records
• Financial Records
Enterprise/Corporate IT Hardware Resources
Software & Network Risks
Structure of 27000 series
27000 Fundamentals & Vocabulary
27001:ISMS
27003 Implementation Guidance
27002 Code of Practice for ISM
27004 Metrics & Measurement
27005
Risk Management
27006 Guidelines on ISMS accreditation
ISO 27001:2005
• ISO/IEC 27001:2005 formally specifies a management system that is intended to bring information security under explicit management control.
• Annex (Control Objectives and Controls ) • 11 Security Domains (A5 A 15)
• Layers of security
• 39 Control Objectives • Statement of desired results or purpose
• 133 Controls • Policies, procedures, practices, software controls and organizational
structure
• To provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected
• Exclusions in some controls are possible, if they can be justified???
Contains
The standard contains 11 domains(apart from introductory sections) • Security policy - management direction • Organization of information security - governance of information security • Asset management - inventory and classification of information assets • Human resources security - security aspects for employees joining, moving and
leaving an organization • Physical and environmental security - protection of the computer facilities • Communications and operations management - management of technical
security controls in systems and networks • Access control - restriction of access rights to networks, systems, applications,
functions and data • Information systems acquisition, development and maintenance - building
security into applications • Information security incident management - anticipating and responding
appropriately to information security breaches • Business continuity management - protecting, maintaining and recovering
business-critical processes and systems • Compliance - ensuring conformance with information security policies,
standards, laws and regulations
The PDCA Cycle
• Plan (establishing the ISMS) • Establish the policy, the ISMS objectives, processes and procedures
related to risk management and the improvement of information security to provide results in line with the global policies and objectives of the organization.
• Do (implementing and workings of the ISMS) • Implement and exploit the ISMS policy, controls, processes and
procedures. • Check (monitoring and review of the ISMS) • Assess and, if applicable, measure the performances of the
processes against the policy, objectives and practical experience and report results to management for review.
• Act (update and improvement of the ISMS) • Undertake corrective and preventive actions, on the basis of the
results of the ISMS internal audit and management review, or other relevant information to continually improve the said system.
A.5 Security Policy
To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
• Approved by Management
• Communicated to Employees and relevant external parties
• Reviewed at planned intervals
• Ensure its continuing suitability, adequacy, and effectiveness.
A.6 Organization of Information Security
To manage information security within the organization.
• Management shall actively support security within organization.
• Co-ordinated by representatives from different parts of organization.
• Confidentiality and non-disclosure agreements.
• Appropriate contacts with relevant authorities, security forums and professional associations shall be maintained.
• Independent reviews should be conducted at planned intervals or when significant changes to the security implementation occur.
A.7 Asset Management
Typical policy statements for Asset Management include:
• All assets shall be clearly identified, documented and regularly updated in an asset register
• All assets shall have designated owners and custodians listed in the asset register
• All assets will have the respective CIA (Confidentiality, Integrity and Availability) rating established in the asset register
• All employees shall use company assets according to the acceptable use of assets procedures
• All assets shall be classified according the asset classification guideline of the company
A.8 Human Resource Security
Prior to Employment:
• Define roles and responsibilities.
• Background verification
• Terms and Conditions of employment
During Employment
• Application of security according to roles and responsibilities.
• InfoSec awareness, education and training.
• Disciplinary process for employees who have commited security breach.
Post Termination or Change
• Termination responsibilities
• Return of Assets
• Removal of access rights.
A.9 Physical and Environmental Security
Secure Areas
• Physical security perimeter
• Physical entry controls
• Securing offices, rooms and facilities
• Protecting against external and environmental threats
• Guidelines for working in secure areas
• Public access, delivery and loading areas
Equipment Security
• Equipment sitting, support utilities and cabling security
• Maintenance, secure disposal/re-use and removal.
A.10 Communications and Operations Management
Operational procedures and responsibilities
• Documented operating procedures
• Change management
• Segregation of duties
• Separation of development, test and operational facilities
Third Party Service Delivery Management
• Implement security controls, service definition and delivery levels in agreement.
• Monitoring and review of third party services
• Managing changes to third party services
Company
A company may want to adopt ISO 27001 for the following reasons:
• It is suitable for protecting critical and sensitive information
• It provides a holistic, risk-based approach to secure information and compliance
• Demonstrates credibility, trust, satisfaction and confidence with stakeholders, partners, citizens and customers
• Demonstrates security status according to internationally accepted criteria
• Creates a market differentiation due to prestige, image and external goodwill
• If a company is certified once, it is accepted globally.
Asset Classification
• CONFIDENTIAL: This category refers to asset information that relates to individuals or is otherwise restricted only to authorized users, and if disclosed outside the company would harm the organization, its customers, or its partners.
• RESTRICTED: The restricted level of asset information pertains to highly sensitive information to the company; which when disclosed would cause substantial damage to the reputation and competitive position of the company in the market.
• INTERNAL: This classification refers to asset information that is potentially available to all personnel within the company, but is not public.
• PUBLIC: This classification refers to asset information that has been published or obtainable from a published source, e.g. the Internet.
User Registration
Typical policy statements can include:
• All users shall have a unique user ID based on a standard naming convention
• A formal authorization process shall be defined and followed for provisioning of user IDs.
• An audit trail shall be kept of all requests to add, modify or delete user accounts/IDs
• User accounts shall be reviewed at regular intervals
• Employee shall sign a privilege form acknowledging their access rights
• Access rights will be revoked for employee changes or leaving jobs
• Privileges shall be allocated to individuals on a ‘need-to-have’ basis.
• A record of all privilege accounts shall be maintained and updated on regular basis
Password Management
Typical organizational password management policies include: • Users shall be forced to change their passwords at the time of first
use • Passwords shall have a minimum length of eight characters • Passwords for all users shall expire in 30/60 days • A record of five previous passwords shall be maintained to prevent
re-use of these passwords • A maximum of three successive login failures shall result in a user’s
account being locked out • Passwords shall not be displayed in clear text when they are being
keyed in • Passwords must include at least one small character (a-z), one
capital character (A-Z) and one numeric character (0 – 9) / one special character (@ # $ & / +)
• All password entry tries shall be logged along with date, time, ip address, machine name, application and user ID for successful, unsuccessful login attempts
Clear Work Environment
Example of clear work environment policies include:
• Critical information shall be protected when not required for use
• Only authorized users shall use the photocopier machines
• All loose documents from employee’s desks shall be confiscated at the end of business day
• A users desktop shall not contain reference to any document directly or indirectly
Operating System and Application Controls Sample operating system and application control policies include:
• All users in the organization shall have a unique ID
• No systems or application details shall be displayed before log-in
• In the condition of log-in failure, the error message shall not indicate which part of the credential is incorrect
• The number of unsuccessful log-in attempts shall be limited to 3/5/6 attempts
• During log-in process, all password entries shall be hidden by a symbol
• The use of system utility program shall be restricted e.g. password utility
• All operating systems and application shall time out due to inactivity in 5/10/15/30 minutes
• All applications shall have dedicated administrative menus to control access rights of users
Network Security
Typical policy statements for Network Security include:
• Appropriate authentication mechanisms shall be used to control the access by remote users.
• Allocation of network access rights shall be provided as per the business and security requirements
• Two-factor authentication shall be used for authenticating users using mobile/remote systems
Benefits
The key benefits of 27001 are:
• It can act as the extension of the current quality system to include security
• It provides an opportunity to identify and manage risks to key information and systems assets
• Provides confidence and assurance to trading partners and clients; acts as a marketing tool
• Allows an independent review and assurance to you on information security practices
Drawbacks
• It has some things that don’t make sense.
• Some controls define almost the same issues causing confusion. Like A.9.2.6 (Secure disposal or re-use of equipment) and A.10.7.2 (Disposal of media)
• Some issues, like relationships with third parties, are scattered around various clauses of Annex A – you can find it in clause A.6.2 (External parties), A.8 (Human resources security) and A.10.2 (Third party service delivery management), and control A.12.5.5 (Outsourced software development)
• Only 6 controls has the word documented in it. Does that mean we can implement all others without documentation?
Changes made in ISO 27001:2013
• No. of sections have increased from 11 to 14.
• Management and Leadership re defined as two separate requirements.
• Section 6: Planning and it’s evaluation
• New chapter added on Performance evaluation
New Controls
• A.6.1.5 Information security in project management
• A.12.6.2 Restrictions on software installation
• A.14.2.1 Secure development policy
• A.14.2.5 Secure system engineering principles
• A.14.2.6 Secure development environment
• A.14.2.8 System security testing
• A.15.1.1 Information security policy for supplier relationships
• A.15.1.3 Information and communication technology supply chain
• A.16.1.4 Assessment of and decision on information security events
• A.16.1.5 Response to information security incidents
• A.17.2.1 Availability of information processing facilities
Summary of sections