COMPLIANCE AND CERTIFICATIONS
7CCSMSEM Security Management Dr. Jose M. Such
STOP! – Where are we??
• Topic 1 – Module Intro (structure, functioning, assessment).
• Topic 2 – Security concepts and fundamentals
• Topic 3 – Threat Assessment
• Topic 4 – Vulnerability Assessment
• Topic 5 – Risk Assessment
• Topic 6 – Risk Management
STOP! – Where are we??
• This week:
• Topics 7&10 – Compliance, Audits, Standards (ISO27000-series), and Certifications
• Topic 12 – Security Economics
• After the reading week:
• Topic 8 – Security Organisation and Policies
• Topic 9 – Security Controls (physical, technical and social)
• Topic 11 – Continuity planning and management
• Topic 13 – Human Factors in Security (usable security, psychology of security, insider threat)
Compliance
• Working in accordance with defined policies, processes, and procedures
• This could:
• cover a major operation such as a whole organisation being compliant with a recognised international standard for information security like ISO27000-series
• or be much more limited with just certain aspects of the operation, or individual users of a specific system, being compliant.
• It also includes if an organisation is meeting the requirements of local laws and regulation.
How do we check compliance?
• Risk assessments for the organisation, critical systems and services.
• Paper evidence that regular risk assessment is taking place
• Risk register to highlight identified risks
• Organisation is aware of the risks and has outlined how they’ll be managed
• Up to date set of security policies with a review process
• “Up to date” might imply that all security policies are compliant with existing laws
• A register of “exemptions” from security policies
• What isn’t covered by policy, and a good justification why it is not! (e.g. perhaps it is a personal computer that doesn’t connect to the network)
• Results of threat and vulnerability assessments
• More paper evidence that the security policies and controls are reviewed regularly
• Reports of breaches/incidents, and plans to address them
• Evidence of what has gone wrong and how the corrective actions
Compliance – independent audits
• Compliance does not need to be independently reviewed
• BUT must be independently audited to achieve certification against a standard, legal or regulatory framework.
• If an organisation can self-determine it is following the standard, then is there any benefit in certification?
Why get officially certified?
• Fresh pair of eyes
• Accredited certification bodies follow formal processes for certifying or registering other organisations’ information security management.
• Forced monitoring / periodic review
• Certification requires periodic reassessment and forces the organisation to re-look at the standard from time to time.
• Public Image for Information Security
• It can be used as branding for the company to attract new customers.
• Requirement by new customers
• Some customers will only use the service of an organisation if it has been officially certified to take information assurance seriously.
Compliance (challenges)
• The requirements from one legislative system may be inconsistent with another, making compliance with all of the relevant laws of multiple jurisdictions difficult.
• If an organisation operates in 2 or more legal jurisdictions, it is likely the same policy / procedure won’t be compatible with all legal jurisdictions!
• E.g. EU’s GDPR and US Data Protection Laws are not directly compatible.
• Understanding legislation can be complex and pieces of the legislation can sometimes conflict with one another.
Compliance (challenges)
• The ISO/IEC 27000 series provides organisations with guidance regarding compliance with legal requirements and covers the following areas:
• intellectual property rights;
• protection of organisational records;
• data protection and privacy of personal information;
• prevention of misuse of information processing facilities;
• regulation of cryptographic controls.
QUIZ TIME!
Go to: PollEv.com/josesuch498
ISO27000-series Introduction
• ISO27K series provides a family of standards for implementing information security management
• Risk
• Security Control implementation guidance
• ISMS
• An information security management system is a set of policies and procedures for systematically managing an organization’s digital assets.
• Based on Deming’s Plan-Do-Check-Act.
Family of Standards
• 27000 – ISMS overview and vocabulary
• 27001 – ISMS requirements
• 27002 – Code of practice (formerly ISO/IEC 17799)
• 27003 – ISMS implementation Guide
• 27004 – Information Security Management Metrics
• 27005 – Information Security Risk Management
• 27006 – Requirements for bodies providing audit certification of ISMS
ISO27001 – What is it?
• The first security standard for commerce – by industry for industry
• A framework for information security “good practice” based on the ISO9000 heritage
• DTI code of practice for Information Security Management
• Recognised Certification Scheme
• United Kingdom Accreditation Service
The Information Security Management System
• An information security management system (ISMS) is a set of policies and procedures for systematically managing an organization’s digital assets.
• The ISMS is a key feature of ISO27001 – the code of practice for information security management
• ISO27001 specifies the ISMS. This is the basis for formal certification
• The ISMS defines all the controls and procedures required to maintain security throughout the organisation
• It further defines the methods used to manage these controls
• This enables the organisation to demonstrate compliance with best practices and corporate objectives
ISO 27001: ISMS Requirements
• Provide the requirements on how to bring information under a single management structure
• Avoids point and fragmented solutions
• Examines a specific scope
• These requirements can be audited
• This is where the compliance comes from
What is management required to do?
• Provide a systematic approach to infosec risk management
• Examine threats, vulnerabilities and impacts
• Design and implement a suite of countermeasures to deal with unacceptable risks
• Other forms of risk treatment may also be developed
• Adopt an overarching management approach
• Provide continual feedback (PDCA)
Compliance (again)
• 27001 is the basis for compliance testing
• Specifies the types of controls that can be used
• 27002 broadly specifies the generic guidance on controls that can be put in place to manage security
• This is done within the context of CIA-N and other security properties
• Specific controls are not mandated
• Therefore 27001 compliance means that the management process is in place
• Does not certify the state of security
• Management also defines the scope of the compliance
ISO27002
• Defines guidance on the implementation of security controls
• Specifically mandated controls are not used
• Identify best practice to achieve goals
• Why no mandate?
• Expected to take a risk assessment and select appropriate controls
• Generic good advice can be tailored for the organisation
• Open ended means that the standard stays relevant
• Impossible to enumerate all controls
ISO27005 – Risk Management
• ISO27002 provides a generic risk assessment framework
• 27005, published in 2008, provides guidance on implementing a risk management system to specifically support 27001 ISMS
• Does not recommend a methodology
• Is this really appropriate?
• Risk estimation does not equal risk management
What is Compliance with 27001 really about?
• It is a management system for information security
• Certification focuses on assessing the effectiveness of this management system
• It is NOT an IT security review or vulnerability assessment, and it shouldn’t be seen as such
What is Compliance with 27001 really about?
• About Risk Management
• Taking a risk based approach to information security
• Treating risk appropriately
• Ensuring there is a systematic, rigorous, repeatable framework in place.
The ISMS Concept
• Plan: establish the ISMS
• Establish security policy, objectives, processes and procedures relevant to managing risk and improving information security, to deliver results in accordance with an organisation’s overall policies and objectives.
• Do: implement and operate the ISMS
• Implement and operate the security policy, controls, processes and procedures.
• Check: monitor and review the ISMS
• Assess, and where applicable, measure process performance against security policy, objectives and practical experience, and report results to management for review.
• Act: maintain and improve the ISMS
• Take corrective and preventative actions, based on the results of the management review, to achieve continual improvement of the ISMS.
Model ISO 27001 Compliant ISMS
(Diagram: the ISMS document set is driven by process documentation of the business processes; events are recorded and analysed, reported into the security forum, and the resulting evidential documentation feeds the review and update of the ISMS.)
• ISMS document set
• Organisational Security Policy
• Risk Management Docs
• Statement of Applicability
• Asset Registers
• Policies, procedures and standards applicable to scope
• SLAs, Contracts and other evidence
• Driven by process documentation (Business Processes)
• Events
• Security Incidents
• Suspected weaknesses
• Malfunctions
• Audit observations
• Testing findings
• Spot check findings
• Recording and analysis → Report(s) into forum
• Evidential documentation → Review and update ISMS
Assurance
• Anybody can say they comply with any standard
• Objective assurance of compliance with ISO 27001
• Demonstrating that you are doing what you have said you will do
• Ensuring that staff are aware of policy and their responsibilities
• Monitoring, managing and learning from incidents
• Testing business continuity plans
• Making steady progress with a security improvement plan
• Maintain evidence of compliance (3 months)
What goes wrong?
• Lack of senior management commitment
• Lack of clear scope or scope too broad
• Key security roles absent or unclear
• No demonstrable understanding of the value of information
• No (or inappropriate) risk assessment/risk treatment
• Lack of rigour/formality in processes
• Inadequate funding
Benefits of ISO27001
• A Certified Effective ISMS
• Justified security controls
• Appropriate policies and procedures
• Good security awareness
• Auditable and being audited
• Reduced operational risk
• A single risk framework for many security initiatives
• Increased business efficiency
• Including control of outsourcing
• Assurance to outsiders
• Controls in third party contracts
QUIZ TIME!
Go to: PollEv.com/josesuch498