*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***
Compiled by; Mark E.S. Bernard, ISO 27001 Lead Auditor, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT
• Introduction
• Current Known Threats
• Potential Impacts to Enterprise Assets
• Legal Risks
• Managing Compliance Risks
• Preventive Security Measures
• Risk Management Policy
• Risk Management Process
• Ranking & Prioritization of Risks
• Treating Risks
• Monitoring Risks
• Conclusion
Accomplishments:
• In 2013 Assisted Provincial Government with Privacy Impact Assessment of External Parties
• In 2013 Assisted Aviation organization with ISO/IEC 27001 Registration/Certification
• In 2013 Facilitated ISO Lead Auditor Training for International Manufacturing and Services Corporation
• In 2013 Assisted Major Bank with Risk Assessment of New Services and Products
• In 2012 Assisted National Legal Firm with ISO/IEC 27001 Reg./Certification
• In 2012 Assisted Executive Relocation Organization to ISO/IEC 27001 Reg./Certification
• In 2012 Assisted Cloud Service Provider of SaaS to achieve ISO/IEC 27001 Reg./Certification
• In 2012 Assisted Global Electronic Solutions Provider ISO/IEC 27001 Reg./Certification
• In 2012 Assisted Nano Technology Manufacturer with ISO/IEC 27001 Reg./Certification
• In 2010/11 Led Cloud Service Provider of PaaS and IaaS in 8 DCs & 4 Continents to ISO 27001 Reg./Cert
• In 2009 Led Provincial Government to become 1st Canadian Public Sector ISO 27001 Reg./Certification
• In 2009 Led Provincial Government On-boarding Project for Oracle ERP Integrated Service Provider
• In 2009 Led Technology and Operations during Negotiated Request for Proposal on behalf of Prov. Gov.
• In 2007 Led Major Credit Union Trade & Wholesale Service to achieve ISO/IEC 27001 Reg./Certification
• In 2006 Led Privacy, Security, and Compliance Office during BC Government outsourcing to Alternate Service Delivery during migration to SAP R3 - ERP
Skype; Mark_E_S_Bernard; LinkedIn; http://www.linkedin.com/in/markesbernard
Mark E.S. Bernard, - Information Security /Privacy, GRC Management Consultant
CRISC, CGEIT, CISA, CISM, CISSP, PM, ISO 27001LA, CNA, SABSA-Security Service Management /Architecture, COBiT, ITIL
Mark has 24 years of proven experience in the domain of Information Security, Privacy, Governance and Compliance. Mark has led teams of 30 or more as a Director and Project Manager and managed budgets of $5 million or more. Mark has also provided oversight to 250 contractors and 230 regular full-time employees as a senior manager during a government outsourcing contract valued at $300 million. Mark's skills and experience as a Systems Engineer, Software Engineer and Network Engineer have given him the ability to lead small and large contracts for specialized services, including ERP systems such as Oracle, SAP, JD Edwards, BPCS and JBA, and red team penetration testing. Mark also led his work-stream during a Negotiated RFP process, followed by the on-boarding and knowledge transfer from the exiting Service Provider for a $25 million contract. Mark designed information security and privacy architecture and, as program manager, established information security management systems based on ISO 27001. Mark also led the re-engineering of IT processes based on Service Manager ITIL/ISO 20000, building in ISO 9001 Quality Management and establishing a Knowledge Management framework.
Registration need not be the final goal; however, every business can benefit from adopting a management system that provides assurance over information assets in alignment with strategic and tactical business goals while addressing Governance, Risk Management and Compliance Management requirements.
The demand for ISO/IEC 27001:2005 has nearly tripled in six years and the number of countries adopting the Information Security Management System has doubled. ISO/IEC 27001 will soon receive its first major revision since its 2005 adoption, and if it turns out to be anything like the changes we have seen in ICFR/ICIF, ISAE 3402 or NIST SP 800-53, there will be significant improvements to be leveraged.
In 2006, the first year of the annual survey, ISO/IEC 27001:2005 certificates at the end of December totaled 5,797, issued in 64 countries. At the end of 2010, at least 15,625 certificates had been issued in 117 countries. The 2010 total represents an increase of 2,691 (+21%) since December 2009.
In 2006 the top three countries adopting ISO/IEC 27001 were Japan, the United Kingdom and India, and in 2010 that trend continued. However, the top three countries by growth from December 2009 to December 2010 were Japan, China and the Czech Republic.
Source: Computer Security Institute 2010/11 Survey
Source: Verizon business 2011 Data Breach Investigations Report
• Large-scale breaches dropped dramatically while small attacks increased. The report notes several possible reasons for this trend: small to medium-sized businesses are prime targets for many hackers, who favour highly automated, repeatable attacks against these more vulnerable targets, and criminals may be opting to play it safe in light of recent arrests and prosecutions of high-profile hackers.
• Outsiders are responsible for most data breaches. Ninety-two percent of data breaches were caused by external sources. Contrary to the malicious-employee stereotype, insiders were responsible for only 16 percent of attacks. Partner-related attacks continued to decline, and business partners accounted for less than 1 percent of breaches.
• Physical attacks are on the rise. After doubling as a percentage of all breaches in 2009, attacks involving physical actions doubled again in 2010, and included manipulating common credit-card devices such as ATMs, gas pumps and point-of-sale terminals. The data indicates that organized crime groups are responsible for most of these card-skimming schemes.
• Hacking and malware are the most popular attack methods. Malware was a factor in about half of the 2010 caseload and was responsible for almost 80 percent of lost data. The most common kinds of malware found in the caseload were those that send data to an external entity, open backdoors, and log keystrokes.
• Stolen passwords and credentials are out of control. Ineffective, weak or stolen credentials continue to wreak havoc on enterprise security. Failure to change default credentials remains an issue, particularly in the financial services, retail and hospitality industries.
Source: 2010 Cloud Security Alliance Top Threats to Cloud Computing
#1: Abuse and Nefarious Use of Cloud Computing
#2: Insecure Interfaces and APIs
#3: Malicious Insiders
#4: Shared Technology Issues
#5: Data Loss or Leakage
#6: Account or Service Hijacking
#7: Unknown Risk Profile
Source: 2010 OWASP Top 10 Web Application Security Risks
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
Source: ‘The Risk of Insider Fraud’ Ponemon Institute 2011
• Employee-related incidents of fraud, on average, occur weekly in participating organizations.
• Sixty-four percent of the respondents in this study say the risk of insider fraud is very high or high within their organizations.
• CEOs and other C-level executives may be ignoring the threat, according to respondents.
• The majority of insider fraud incidents go unpunished, leaving organizations vulnerable to future such incidents.
• The threat vectors most difficult to secure and safeguard from insider fraud are mobile devices, outsourced relationships (including cloud providers) and applications.
• The majority of respondents do not believe their organization has the appropriate technologies to prevent or quickly detect insider fraud, including employees' misuse of IT resources.
Source: Computer Security Institute 2010/11 Survey
The Enterprise Risk Management system identifies four major areas of risk: strategic planning, financial services, compliance management and operations. Generally, capital and resources are allocated based on priorities determined by the Board of Directors and Executive Team.
There are six major groups of Enterprise Assets that contribute to the Enterprise strategy: people, information, software, hardware, telecommunications and facilities.
The risk associated with each asset can be assessed and treated based on Enterprise strategic priorities. A risk score can be calculated for each product, service channel and revenue stream, and risk treatment can again be applied based on strategic priorities.
The following example is a subset demonstrating the potential results of an exploited vulnerability within 'People Assets' common to most Enterprises. The impacts are measured against the principles of information security: confidentiality, integrity and availability. The severity in this example is rated high, medium or low to simplify the message for a broad audience.
The following example is a subset demonstrating the potential results of an exploited vulnerability within 'Information Assets' common to most Enterprises. The impacts are measured against the principles of information security: confidentiality, integrity and availability. The severity in this example is rated high, medium or low to simplify the message for a broad audience.
The following example is a subset demonstrating the potential results of an exploited vulnerability within 'Software Assets' common to most Enterprises. The impacts are measured against the principles of information security: confidentiality, integrity and availability. The severity in this example is rated high, medium or low to simplify the message for a broad audience.
The following example is a subset demonstrating the potential results of an exploited vulnerability within 'Hardware Assets' common to most Enterprises. The impacts are measured against the principles of information security: confidentiality, integrity and availability. The severity in this example is rated high, medium or low to simplify the message for a broad audience.
The following example is a subset demonstrating the potential results of an exploited vulnerability within 'Telecommunication Assets' common to most Enterprises. The impacts are measured against the principles of information security: confidentiality, integrity and availability. The severity in this example is rated high, medium or low to simplify the message for a broad audience.
The following example is a subset demonstrating the potential results of an exploited vulnerability within 'Facility Assets' common to most Enterprises. The impacts are measured against the principles of information security: confidentiality, integrity and availability. The severity in this example is rated high, medium or low to simplify the message for a broad audience.
Here is an example of how an ISO 27001 ISMS can seamlessly address all HIPAA legal requirements.
When all the mapping has been completed, approximately 70 of the 133 existing ISO 27001 Annex A controls will be leveraged to address HIPAA compliance.
Compliance Management can be broken down into four general categories: statutes, regulations, internal-facing and external-facing.
• Health Insurance Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health Act (HITECH Act)
• Federal Information Security Management Act (FISMA)
• Gramm-Leach-Bliley Act (GLBA)
• Payment Card Industry Data Security Standard (PCI-DSS)
• Payment Card Industry Payment Application Data Security Standard (PA-DSS)
• Sarbanes-Oxley Act (SOX)
• U.S. state data breach notification laws
• International privacy or security laws
Before we can treat compliance concerns we need to identify, record and map the ISO 27001 controls listed in the Statement of Applicability to specific legal obligations defined by provisions and clauses within statutes, regulations and internal/external-facing contracts.
We can choose to respond to a security incident after the fact, or act before a threat exploits the known vulnerability. We can choose to identify the threats and matching vulnerabilities and remediate them to acceptable levels.
ISO 27001 has already developed controls that are designed to remediate common or known threats, vulnerabilities and risks.
A close assessment of the technology stack can readily identify vulnerabilities that might be exposed to threats, leading to risks.
Risk Management Goals
• To assess risks to Information Assets and System Resources
• To state the goals of Risk Management (RM), along with the desired security level to be attained, consistent with the Enterprise's risk appetite and Information Asset sensitivity
• To identify vulnerabilities within the infrastructure and facilitate the decision-making process by determining likelihood and impact based on motive and opportunity
• To identify the potential impacts should a threat agent successfully exploit an identified vulnerability, affecting the Information Assets and System Resources, the business functions they support and their applications, expressed in terms of confidentiality, integrity and availability
• To provide recommendations that will mitigate and/or eliminate risk to acceptable levels
Risk Acceptance Criteria: There are three possible scenarios that management can choose from, based on the results of a Risk Assessment and the overall Risk Rating:
• Management can choose to accept the risk, in which case they do nothing to remediate it. They should understand that they will be held accountable for any resulting security incident; however, the risk of a security incident may not be a concern to management, and they tend to accept low risks as part of normal daily operations.
• Management may choose to remediate the risk, in which case management takes some sort of corrective and/or preventive action to mitigate and/or eliminate the risk from the Enterprise's environment.
• Management may also choose to transfer the risk, in which case management has chosen to outsource the process causing the risk and/or purchase insurance to cover the potential damages caused by the realization of the risk. Note that transferring a risk does not transfer accountability for the outcome, which remains with the Enterprise.
Temporary ISMS Exemption Application
There may be occasions where compliance is not possible during a particular period of time, and an exemption from compliance is the best method of identifying those occasions and following up to ensure that they are closed. In these instances it is important to identify the manager responsible for the security gap and have them sign off. This not only helps the Enterprise's security office to document gaps but also identifies the responsible party who will ensure that they are closed. The following information is required for the Temporary Exemption Form to be completed:
• Exemption period - From-To
• ISMS policy, procedure or standard reference ID
• Reason for Exemption Application
• Department or division unit affected
• Information system affected
• Network location affected
• Rationale, i.e. not granting this application:
a) would adversely affect the accomplishment of the Enterprise's business
b) would cause a major adverse financial impact
• Explanation of the rationale
• Signature of Responsible Manager and date
Where possible and practical, organizations need to integrate the Risk Management decision tool within existing business processes. The Control Self Assessment technique is an excellent approach to RM integration.
The 'optimal' time to initiate the RM process within the SDLC is during the creation of the system definition and functional design criteria, or during development and acquisition.
•Identify Assets in Scope: in this work task we document department name, asset owner and
asset name.
•Identify Threats: in this work task we document threat(s) to asset(s) in scope of the risk
analysis as defined within the RA worksheet including the threat identification, description,
and rating.
•Identify Business Impact: in this work task we clarify the business perspective for confidentiality, integrity and availability based on a 'high', 'medium' or 'low' impact to regular business processes.
•Identify Vulnerabilities: in this work task we document vulnerabilities associated with the
asset in scope for risk analysis as defined in RA worksheet including the vulnerability
identification, description, and rating.
•Control Selection: in this work task we list the existing controls for further consideration during the preparation of remediation activities designed to lower the overall risk rating. It is possible that existing controls are implemented incorrectly or suffer from some other deficiency that, if corrected, would eliminate the need for additional controls.
•Risk Assessment: in this work task we calculate the overall risk rating from the threat rating, the CIA business impact ratings and the vulnerability rating: the sum of the threat and CIA business impact ratings, multiplied by the business impact rating and by the vulnerability rating.
•Recommendations: in this work task we identify the manager who has been assigned responsibility for facilitating the risk mitigation activity, the expected delivery date and the current status of progress in the resolution process.
•Report to Management: in this work task we identify and report to management the planned targets for risk mitigation, expressed in terms of high, medium and low impacts to confidentiality, integrity and availability. These values are rolled up into an overall revised 'Residual Risk Rating'.
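The worksheet steps above (Identify Assets through Report to Management) carried through as an added Python example; this is not code from the deck or its author. The asset register, owners, dates and the numeric scale behind high/medium/low are constructed for illustration, and because the deck's risk-rating formula is ambiguous as written, the interpretation used (the three CIA ratings are summed; the single business impact rating is the worst of the three) and the high/medium/low band cut-offs are assumptions, stated again in the code comments.

```python
"""Risk-assessment register (added example, not from the deck): assets,
threats, CIA business impact, vulnerabilities, existing controls, an overall
risk rating, mitigation recommendations and a residual-risk report."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Numeric values for the deck's high/medium/low ratings (assumed scale).
RATING = {"high": 3, "medium": 2, "low": 1}
CIA = ("confidentiality", "integrity", "availability")


@dataclass
class RiskItem:
    """One row of the RA worksheet."""
    department: str
    asset_owner: str
    asset: str
    threat: str
    threat_rating: str
    vulnerability: str
    vulnerability_rating: str
    impact: Dict[str, str]                      # inherent CIA impact ratings
    existing_controls: List[str] = field(default_factory=list)
    # Planned treatment (the 'Recommendations' / 'Report to Management' steps)
    target_impact: Optional[Dict[str, str]] = None
    target_vulnerability_rating: Optional[str] = None
    mitigation_owner: Optional[str] = None
    due_date: Optional[str] = None
    status: str = "open"


def risk_score(threat_rating: str, vulnerability_rating: str, impact: Dict[str, str]) -> int:
    """Overall risk rating: (threat + sum of CIA impacts) x business impact x vulnerability.
    Assumption: 'business impact' is the worst of the three CIA ratings."""
    for key in CIA:
        if impact.get(key) not in RATING:
            raise ValueError(f"{key}: rating must be one of {sorted(RATING)}")
    threat = RATING[threat_rating]
    vulnerability = RATING[vulnerability_rating]
    cia_sum = sum(RATING[impact[k]] for k in CIA)
    business_impact = max(RATING[impact[k]] for k in CIA)
    return (threat + cia_sum) * business_impact * vulnerability


def score_band(score: int) -> str:
    """Map the score (4..108 with this formula) back to high/medium/low. Cut-offs assumed."""
    if score >= 54:
        return "high"
    if score >= 18:
        return "medium"
    return "low"


def inherent_risk(item: RiskItem) -> int:
    return risk_score(item.threat_rating, item.vulnerability_rating, item.impact)


def residual_risk(item: RiskItem) -> int:
    """Revised rating once planned targets are met; equals inherent risk when no plan exists."""
    return risk_score(item.threat_rating,
                      item.target_vulnerability_rating or item.vulnerability_rating,
                      item.target_impact or item.impact)


def prioritise(items: List[RiskItem]) -> List[RiskItem]:
    """Ranking step: highest inherent risk first."""
    return sorted(items, key=inherent_risk, reverse=True)


def management_report(items: List[RiskItem]) -> List[Dict[str, object]]:
    """Rolled-up view for the ISMS governance committee, one dict per risk."""
    report = []
    for item in prioritise(items):
        inherent, residual = inherent_risk(item), residual_risk(item)
        report.append({"asset": item.asset, "owner": item.asset_owner,
                       "inherent": inherent, "inherent_band": score_band(inherent),
                       "residual": residual, "residual_band": score_band(residual),
                       "mitigation_owner": item.mitigation_owner,
                       "due_date": item.due_date, "status": item.status})
    return report


# Constructed sample register (fictional assets and people; not from the deck).
REGISTER = [
    RiskItem("Sales", "J. Doe", "Customer database", "Internet-facing web attacker",
             "high", "Web front end accepts unvalidated input", "high",
             {"confidentiality": "high", "integrity": "medium", "availability": "low"},
             existing_controls=["Network firewall"],
             target_impact={"confidentiality": "medium", "integrity": "low", "availability": "low"},
             target_vulnerability_rating="low",
             mitigation_owner="A. Smith", due_date="2013-09-30", status="in progress"),
    RiskItem("Field Ops", "R. Roe", "Field laptop fleet", "Theft or loss of device",
             "medium", "No full-disk encryption", "medium",
             {"confidentiality": "high", "integrity": "low", "availability": "low"},
             target_impact={k: "low" for k in CIA}, target_vulnerability_rating="low",
             mitigation_owner="B. Jones", due_date="2013-08-15"),
    RiskItem("Finance", "P. Poe", "Payroll team", "Social engineering of staff",
             "medium", "Staff may disclose credentials by phone", "low",
             {"confidentiality": "medium", "integrity": "medium", "availability": "low"},
             existing_controls=["Annual awareness training"]),
]

if __name__ == "__main__":
    for row in management_report(REGISTER):
        print(row)
```

With this scale the customer database scores 81 (high) before treatment and 14 (low) once the planned targets are met; the payroll item has no plan, so its residual rating equals its inherent rating, which is exactly the kind of row a governance committee should question. Any rating outside high/medium/low is rejected rather than silently scored, so a mistyped worksheet cell cannot quietly lower a risk.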
The Corrective Action and Preventive Action plans are important pieces of the evidence-based Quality Management component of Risk Management. The CA or PA can be initiated together or completely separately from one another. CAPA reports will be audited and include specific information such as the date, the source of the nonconformity, who is responsible for taking action and the date it will be completed. The root cause must also be documented. Once the CAPA has been completed it must be independently validated.
Risk Treatment Plans are defined by Corrective Action plans and Preventive Action plans. The RTP is basically a rolled-up dashboard utilized for tracking and monitoring CAPA by the ISMS Governance Committee.
Following the assessment of threats and vulnerabilities and the identification of risks, management makes a decision and we begin monitoring and tracking risks.
In more advanced ISMS Risk Management programs we monitor and track risks in connection with the Enterprise Risk Management program.
We should not only track risks internally, as many risks are shared with external vendors and service providers through Service Management processes and the Service Desk.
Risk Management is a useful process that should be seamlessly integrated within every business process to help support and facilitate management decisions.
If you need help with your Risk Management adoption or integration project, please contact me. Thanks.
For more information contact Skype: Mark_E_S_Bernard
Twitter: @MESB_TechSecure; LinkedIn: http://ca.linkedin.com/in/markesbernard