Compiled by: Mark E.S. Bernard, ISO 27001 Lead Auditor, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


DESCRIPTION

Multiple Threat Vectors can attack and exploit the same vulnerability in multiple ways making it difficult to take effective corrective action or preventive action. Establishing a single point of contact as the Champion for the Enterprise Security Management System is a logical first step and the second step is establishing a central security management system fully integrated within the Enterprise leveraging best practices.


Page 2: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS

• Introduction

• Biography

• Threats and Vulnerabilities

• ISMS Control Matrix & Security Architecture

• Defence-in-Depth: Layers 1 to 9 explained

• Additional ITIL Controls

• Conclusion

• Contact information


Page 3: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


Mark was recognized by the Premier of New Brunswick for his volunteer work in the Knowledge Industry, establishing the Atlantic Chapter of the High Technology Crime Investigation Association. Mark is also a regular volunteer with local professional associations including HTCIA, ISACA, ISSA, IIA and FMI. Mark has been published in trade magazines and on the Internet, in addition to being sought after as an expert by local radio, newspapers and television. While working in Toronto, Mark volunteered on the annual Toronto Children’s Sick Kids Telethon and rode a stationary bike in a Juvenile Diabetes marathon campaign. Mark has also volunteered with local Minor Hockey, Minor Fastball, the local elementary and middle schools and the Boy Scouts, and assisted with raising money for the Mustard Seed Food Bank in conjunction with the annual NHL Old-Timers Challenge in Victoria, BC. Mark continues to contribute his knowledge through ISACA with the development of a Cloud Computing whitepaper and through the Canadian Standards Institute’s workgroup updating ISO/IEC 27001:2012 – Information Security Management Systems framework.

Mark is an independent contractor who formerly worked in the BC Government as a Director overseeing the Government’s payments systems and public accounts processing, in excess of $42 billion annually in payments, and as a Compliance Manager in the BC Government Security Branch… Mark also spent time overseeing the Privacy and Security programs for EDS Advanced Solutions and Central 1 Credit Union.


Page 5: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS

Probably the most famous German castle, Neuschwanstein Castle is a 19th-century Gothic Revival palace on a rugged hill above the village of Hohenschwangau near Füssen in southwest Bavaria, Germany.


Page 6: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS

Fort Bourtange dates from the Eighty Years' War (c. 1568–1648), when William I of Orange wanted to control the only road between Germany and the city of Groningen, which was controlled by the Spaniards.


Page 7: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS

Weapons-handling training: recruits primarily trained with wickerwork shields and wooden swords made to the standard pattern but twice as heavy. A soldier who could fight with these heavy dummy weapons would be twice as effective with the standard weaponry.

Marching and physical training: soldiers were taught to march, and could march at a rapid pace for long intervals. Any army that could be split up by stragglers at the back, or by soldiers trundling along at differing speeds, would be vulnerable to attack.


Page 8: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS

The Roman heavy infantry was typically deployed as the main body, facing the enemy, in three approximately equal lines, with the cavalry on their wings to prevent them being flanked and light infantry in a screen in front of them to hide changes in deployment strategy. The light infantry screen would also harass the enemy forces and, in some cases, drive off units such as elephants that would be a great threat to close-order heavy infantry.


Page 9: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS

• Compliance Management

• Risk Management

• Identity Management

• Authorization Management

• Accountability Management

• Availability Management

• Configuration Management

• Incident Management


Page 10: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS

• Security Policy

• Information Security Org

• Asset Management

• Human Resources

• Physical & Environmental Security

• Communications & Operations Management

• Access Control

• Information System Acquisition, Development & Maintenance

• Information Security Incident Management

• Business Continuity Management

• Compliance

Page 11: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS

All Credits Scott Adams



Page 13: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS

Source: Computer Security Institute 2010/11 Survey


Page 14: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


Source: Computer Security Institute 2010/11 Survey

Page 15: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS

Source: Computer Security Institute 2010/11 Survey


Page 16: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS

Source: Verizon business 2011 Data Breach Investigations Report


• Large-scale breaches dropped dramatically while small attacks increased. The report notes several possible reasons for this trend, including that small to medium-sized businesses represent prime attack targets for many hackers, who favor highly automated, repeatable attacks against these more vulnerable targets, possibly because criminals are opting to play it safe in light of recent arrests and prosecutions of high-profile hackers.

• Outsiders are responsible for most data breaches. Ninety-two percent of data breaches were caused by external sources. Contrary to the malicious-employee stereotype, insiders were responsible for only 16 percent of attacks. Partner-related attacks continued to decline, and business partners accounted for less than 1 percent of breaches.

• Physical attacks are on the rise. After doubling as a percentage of all breaches in 2009, attacks involving physical actions doubled again in 2010, and included manipulating common credit-card devices such as ATMs, gas pumps and point-of-sale terminals. The data indicates that organized crime groups are responsible for most of these card-skimming schemes.

• Hacking and malware are the most popular attack methods. Malware was a factor in about half of the 2010 caseload and was responsible for almost 80 percent of lost data. The most common kinds of malware found in the caseload were those that send data to an external entity, open backdoors, and log keystrokes.

• Stolen passwords and credentials are out of control. Ineffective, weak or stolen credentials continue to wreak havoc on enterprise security. Failure to change default credentials remains an issue, particularly in the financial services, retail and hospitality industries.

Page 17: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS

Source: 2010 Cloud Security Alliance Threats (threat statistics)


#1: Abuse and Nefarious Use of Cloud Computing

#2: Insecure Interfaces and APIs

#3: Malicious Insiders

#4: Shared Technology Issues

#5: Data Loss or Leakage

#6: Account or Service Hijacking

#7: Unknown Risk Profile

Page 18: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS

Source: 2010 OWASP Top 10 Web Application Security Risks (threat statistics)


A1: Injection

A2: Cross-Site Scripting (XSS)

A3: Broken Authentication and Session Management

A4: Insecure Direct Object References

A5: Cross-Site Request Forgery (CSRF)

A6: Security Misconfiguration

A7: Insecure Cryptographic Storage

A8: Failure to Restrict URL Access

A9: Insufficient Transport Layer Protection

A10: Unvalidated Redirects and Forwards

Page 19: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


Source: Computer Security Institute 2010/11 Survey


Page 27: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


Risk Assessment – Threats:

• Malware 67%

• Fraudulent phishing 39%

• Laptop or mobile computer theft or loss 34%

• Bots/zombies within the infrastructure 29%

• Insider abuse of email and Internet 25%

Risk Assessment – Vulnerabilities:

• Inadequate governance

• Inadequate security policy

• Inadequate risk management methodology

• Inadequate security training/awareness

• Inadequate security architecture

• Inadequate monitoring or surveillance capabilities

• Inadequate incident response procedures

• Inadequate vulnerability assessment methodologies

Page 28: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


Clause 4 Information security management system

The organization shall establish, implement, operate, monitor, review, maintain and improve a documented ISMS within the context of the organization’s overall business activities and the risks it faces.

Page 29: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


4.2.1 Establish the ISMS

a) Define the scope and boundaries

b) Define an ISMS policy

c) Define the risk assessment approach

d) Identify the risks

e) Analyse and evaluate the risks

f) Identify and evaluate options for the treatment of risks

g) Select control objectives and controls for the treatment of risks

h) Obtain management approval of the proposed residual risks

i) Obtain management authorization to implement/operate the ISMS

j) Prepare a Statement of Applicability

Page 30: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


4.2.2 Implement and operate the ISMS

a) Formulate a risk treatment plan

b) Implement the risk treatment plan

c) Implement controls

d) Define how to measure the effectiveness

e) Implement training and awareness

f) Manage operation of the ISMS

g) Manage resources for the ISMS

h) Implement procedures and controls (produce comparable and reproducible results)

Page 31: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


4.2.3 Monitor and review the ISMS

a) Execute monitoring and reviewing procedures to:

1) promptly detect errors

2) promptly identify security breaches and incidents

3) determine if the ISMS is performing as expected

4) help detect security events

5) determine if breach resolution actions were effective

b) Undertake regular reviews of the ISMS

c) Measure the effectiveness of controls

d) Review risk assessments at planned intervals

e) Conduct internal ISMS audits

f) Undertake a management review of the ISMS

g) Update security plans

h) Record actions and events

Page 32: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


4.2.4 Maintain and improve the ISMS

a) Implement the identified improvements

b) Take appropriate corrective and preventive actions

c) Communicate the actions and improvements

d) Ensure that the improvements achieve their intended objectives

Page 33: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


4.3 Documentation requirements

a) documented ISMS policy

b) the scope

c) procedures and controls

d) the risk assessment methodology

e) the risk assessment report

f) the risk treatment plan

g) documented procedures needed for planning, operation and control

h) records required by this International Standard

i) the Statement of Applicability

Page 34: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


4.3.2 Control of documents

a) approve documents

b) review and update documents as necessary

c) ensure that the current revision status is verified

d) ensure that relevant documents are available

e) ensure that documents remain legible

f) ensure that documents are available to those who need them, and are transferred, stored and ultimately disposed of in accordance with the procedures applicable to their classification

g) ensure that documents of external origin are identified

h) ensure that the distribution of documentation is controlled

i) prevent the unintended use of obsolete documents

Page 35: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


4.3.3 Control of records

• Records shall be maintained in accordance with legal obligations defined by statutes, regulations and contracts

• Records shall be maintained to provide evidence of conformity

• Records shall be protected and controlled in accordance with legal obligations

• Records shall remain legible, readily identifiable and retrievable

• Records shall be retained and processed in accordance with legal obligations

• Records shall be archived in accordance with legal obligations

• Records shall be destroyed in accordance with legal obligations

Page 36: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


5 Management responsibility

5.1 Management commitment

a) establishing the policy

b) ensuring that objectives and plans are established

c) establishing roles and responsibilities

d) communicating to the organization

e) providing sufficient resources

f) deciding the criteria for accepting risks & acceptable levels of risk

g) ensuring that internal audits are conducted

h) conducting management reviews

Page 37: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


Roles and Responsibilities:

• ISMS Consultant

• ISMS Manager

• ISMS Analyst

• ISMS Auditor

• Executives

• Managers

• Subject Matter Experts

• External Parties

• Customers

Page 38: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


5.2 Resource management

5.2.1 Provision of resources

a) establishing the policy

b) ensuring that objectives and plans are established

c) establishing roles and responsibilities

d) communicating to the organization

e) providing sufficient resources

f) deciding the criteria for accepting risks & acceptable levels of risk

g) ensuring that internal audits are conducted

h) conducting management reviews

Page 39: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


5.2.2 Training, awareness and competence

a) determining the necessary competencies for personnel

b) providing training or taking other actions

c) evaluating the effectiveness of the actions taken

d) maintaining records of education, training, skills, experience and qualifications

Page 40: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


6 Internal ISMS audits

a) conform to the requirements of this International Standard and relevant legislation or regulations;

b) conform to the identified information security requirements;

c) are effectively implemented and maintained; and

d) perform as expected.

Page 41: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


7 Management review of the ISMS (input)

a) results of ISMS audits

b) feedback from interested parties

c) techniques, products or procedures used to improve the ISMS

d) status of preventive and corrective actions

e) vulnerabilities or threats not adequately addressed

f) results from effectiveness measurements

g) follow-up actions from previous management reviews

h) any changes that could affect the ISMS

i) recommendations for improvement

Page 42: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


7 Management review of the ISMS (output)

a) Improvement of the ISMS

b) Update of the risk assessment and risk treatment plan

c) Modification of procedures and controls due to internal or external events such as:

1) business requirements

2) security requirements

3) business processes affecting the existing business requirements

4) regulatory or legal requirements

5) contractual obligations

6) levels of risk and/or criteria for accepting risks

d) Resource needs

e) Improvement to how the effectiveness of controls is being measured

Page 43: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


8 ISMS improvement

8.1 Continual improvement

The organization shall continually improve the effectiveness of the ISMS through the use of the information security policy, information security objectives, audit results, analysis of monitored events, corrective and preventive actions and management review.

Page 44: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


8 ISMS improvement

8.2 Corrective action

a) identifying nonconformities

b) determining the causes of nonconformities

c) evaluating the need for actions to ensure that nonconformities do not recur

d) determining and implementing the corrective action needed

e) recording results of action taken

f) reviewing of corrective action taken

Page 45: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


8 ISMS improvement

8.3 Preventive action

a) identifying potential nonconformities and their causes

b) evaluating the need for action to prevent occurrence of nonconformities

c) determining and implementing preventive action needed

d) recording results of action taken

e) reviewing of preventive action taken


Page 47: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


Exclusions: please note clause 1.2. Any exclusion of controls found to be necessary to satisfy the risk acceptance criteria needs to be justified, and evidence needs to be provided that the associated risks have been accepted by accountable persons. Where any controls are excluded, claims of conformity to this International Standard are not acceptable unless such exclusions do not affect the organization’s ability, and/or responsibility, to provide information security that meets the security requirements determined by risk assessment and applicable legal or regulatory requirements.


Page 50: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


A.5 Security policy

A.5.1 Information security policy

• A.5.1.1 Information security policy document

• A.5.1.2 Review of the information security policy

Page 51: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


A.6 Organization of information security

A.6.1 Internal organization

• A.6.1.1 Management commitment to information security

• A.6.1.2 Information security coordination

• A.6.1.3 Allocation of information security responsibilities

• A.6.1.4 Authorization process for information processing facilities

• A.6.1.5 Confidentiality agreements

• A.6.1.6 Contact with authorities

• A.6.1.7 Contact with special interest groups

• A.6.1.8 Independent review of information security

Page 52: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


A.6 Organization of information security

A.6.2 External parties

• A.6.2.1 Identification of risks related to external parties

• A.6.2.2 Addressing security when dealing with customers

• A.6.2.3 Addressing security in third party agreements

Page 53: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


A.7 Asset management

A.7.1 Responsibility for assets

• A.7.1.1 Inventory of assets

• A.7.1.2 Ownership of assets

• A.7.1.3 Acceptable use of assets

A.7.2 Information classification

• A.7.2.1 Classification guidelines

• A.7.2.2 Information labeling and handling

Page 54: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


A.15 Compliance

A.15.1 Compliance with legal requirements

• A.15.1.1 Identification of applicable legislation

• A.15.1.2 Intellectual property rights (IPR)

• A.15.1.3 Protection of organizational records

• A.15.1.4 Data protection and privacy of personal information

• A.15.1.5 Prevention of misuse of information processing facilities

• A.15.1.6 Regulation of cryptographic controls

A.15.2 Compliance with security policies and standards, and technical compliance

• A.15.2.1 Compliance with security policies and standards

• A.15.2.2 Technical compliance checking

Page 55: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


A.15.3 Information systems audit considerations

• A.15.3.1 Information systems audit controls

• A.15.3.2 Protection of information systems audit tools


Page 59: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


A.8 Human resources security

A.8.1 Prior to employment

• A.8.1.1 Roles and responsibilities

• A.8.1.2 Screening

• A.8.1.3 Terms and conditions of employment

A.8.2 During employment

• A.8.2.1 Management responsibilities

• A.8.2.2 Information security awareness, education and training

• A.8.2.3 Disciplinary process

Page 60: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


A.8.3 Termination or change of employment

• A.8.3.1 Termination responsibilities

• A.8.3.2 Return of assets

• A.8.3.3 Removal of access rights


Page 64: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


A.13.1 Reporting information security events and weaknesses

• A.13.1.1 Reporting information security events

• A.13.1.2 Reporting security weaknesses

A.13.2 Management of information security incidents and improvements

• A.13.2.1 Responsibilities and procedures

• A.13.2.2 Learning from information security incidents

• A.13.2.3 Collection of evidence


Page 68: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


A.11 Access control

A.11.1 Business requirement for access control

• A.11.1.1 Access control policy

A.11.2 User access management

• A.11.2.1 User registration

• A.11.2.2 Privilege management

• A.11.2.3 User password management

• A.11.2.4 Review of user access rights

Page 69: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


A.11.3 User responsibilities

• A.11.3.1 Password use

• A.11.3.2 Unattended user equipment

• A.11.3.3 Clear desk and clear screen policy

A.11.4 Network access control

• A.11.4.1 Policy on use of network services

• A.11.4.2 User authentication for external connections

• A.11.4.3 Equipment identification in networks

• A.11.4.4 Remote diagnostic and configuration port protection

• A.11.4.5 Segregation in networks

• A.11.4.6 Network connection control

• A.11.4.7 Network routing control

Page 70: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


A.11.5 Operating system access control

• A.11.5.1 Secure log-on procedures

• A.11.5.2 User identification and authentication

• A.11.5.3 Password management system

• A.11.5.4 Use of system utilities

• A.11.5.5 Session time-out

• A.11.5.6 Limitation of connection time

A.11.6 Application and information access control

• A.11.6.1 Information access restriction

• A.11.6.2 Sensitive system isolation


Page 74: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


A.9 Physical and environmental security

A.9.1 Secure areas

• A.9.1.1 Physical security perimeter

• A.9.1.2 Physical entry controls

• A.9.1.3 Securing offices, rooms and facilities

• A.9.1.4 Protecting against external and environmental threats

• A.9.1.5 Working in secure areas

• A.9.1.6 Public access, delivery and loading areas

Page 75: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


A.9.2 Equipment security

• A.9.2.1 Equipment siting and protection

• A.9.2.2 Supporting utilities

• A.9.2.3 Cabling security

• A.9.2.4 Equipment maintenance

• A.9.2.5 Security of equipment off premises

• A.9.2.6 Secure disposal or re-use of equipment

• A.9.2.7 Removal of property


Page 79: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS

A.12 Information systems acquisition, development and maintenance
A.12.1 Security requirements of information systems
A.12.1.1 Security requirements analysis and specification

A.12.2 Correct processing in applications
A.12.2.1 Input data validation
A.12.2.2 Control of internal processing
A.12.2.3 Message integrity
A.12.2.4 Output data validation

Page 80: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS

A.12.3 Cryptographic controls
A.12.3.1 Policy on the use of cryptographic controls
A.12.3.2 Key management

A.12.4 Security of system files
A.12.4.1 Control of operational software
A.12.4.2 Protection of system test data
A.12.4.3 Access control to program source code

Page 81: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS

A.12.5 Security in development and support processes
A.12.5.1 Change control procedures
A.12.5.2 Technical review of applications after operating system changes
A.12.5.3 Restrictions on changes to software packages
A.12.5.4 Information leakage
A.12.5.5 Outsourced software development

A.12.6 Technical vulnerability management
A.12.6.1 Control of technical vulnerabilities

Page 85: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS

A.10 Communications and operations management
A.10.1 Operational procedures and responsibilities
A.10.1.1 Documented operating procedures
A.10.1.2 Change management
A.10.1.3 Segregation of duties
A.10.1.4 Separation of development, test and operational facilities

A.10.2 Third party service delivery management
A.10.2.1 Service delivery
A.10.2.2 Monitoring and review of third party services
A.10.2.3 Managing changes to third party services

A.10.3 System planning and acceptance
A.10.3.1 Capacity management
A.10.3.2 System acceptance

Page 86: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS

A.10.4 Protection against malicious and mobile code
A.10.4.1 Controls against malicious code
A.10.4.2 Controls against mobile code

A.10.5 Back-up
A.10.5.1 Information back-up

A.10.6 Network security management
A.10.6.1 Network controls
A.10.6.2 Security of network services

A.10.7 Media handling
A.10.7.1 Management of removable media
A.10.7.2 Disposal of media
A.10.7.3 Information handling procedures
A.10.7.4 Security of system documentation

Page 87: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS

A.10.8 Exchange of information
A.10.8.1 Information exchange policies and procedures
A.10.8.2 Exchange agreements
A.10.8.3 Physical media in transit
A.10.8.4 Electronic messaging
A.10.8.5 Business information systems

A.10.9 Electronic commerce services
A.10.9.1 Electronic commerce
A.10.9.2 On-line transactions
A.10.9.3 Publicly available information

Page 88: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS

A.10.10 Monitoring
A.10.10.1 Audit logging
A.10.10.2 Monitoring system use
A.10.10.3 Protection of log information
A.10.10.4 Administrator and operator logs
A.10.10.5 Fault logging
A.10.10.6 Clock synchronization

Page 92: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS

A.14 Business continuity management
A.14.1 Information security aspects of business continuity management
A.14.1.1 Including information security in the business continuity management process
A.14.1.2 Business continuity and risk assessment
A.14.1.3 Developing and implementing continuity plans including information security
A.14.1.4 Business continuity planning framework
A.14.1.5 Testing, maintaining and reassessing business continuity plans

Page 97: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS

Multiple threat vectors can attack and exploit the same vulnerability in multiple ways, making it difficult to take effective corrective or preventive action. Establishing a single point of contact as the Champion for the Enterprise Security Management System is a logical first step; the second step is establishing a central security management system, fully integrated within the enterprise and leveraging best practices.

Page 98: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS

The ISMS mitigates threats by applying a strategy that deploys a reduced set of controls in a matrix, so that each control addresses specific security weaknesses across several threats rather than one threat at a time. This tactic is what gives the ISMS its Defense-in-Depth, and it can be more effective than any other approach.

Currently there is no other internationally accepted security framework available other than the ISO/IEC 27001 ISMS.

Page 99: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS

Defence-in-Depth (DiD) is an important information security framework utilized to provide assurance to our customers, shareholders and partners.

A crucial aspect of managing the DiD is the active engagement of managers and employees who have been assigned specific accountabilities and responsibilities for various aspects of the ISMS.

Page 100: Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS

If you have questions please contact …….

Mark E.S. Bernard Skype; Mark_E_S_Bernard

Twitter; @MESB_TechSecure LinkedIn; http://ca.linkedin.com/in/markesbernard