ISO 27001:2005

1

INFORMATION SECURITY MANAGEMENT SYSTEM

ISO/IEC 27001:2005

2

What Is ISO?

The International Organization for Standardization (ISO) is a

worldwide federation of national standards bodies.

Working through Technical Committees, it has developed and

published over 18,000 different ISO standards that are used

internationally for subjects ranging from film speeds to wine glasses

to quality management systems.

The official purpose for the issuance of ISO Standards is to facilitate

world trade through standardization.

3

Standard Organizations

ISO – International Organization for Standardization

IEC – International Electrotechnical Commission

BSI – British Standards Institute

ManagementSystems

ISO 20000-1:2011 Service Management

ISO 22301Business Continuity

Management

ISO 27001-2005InformationSecurityManagement

System

ISO 9001: 2008

Quality Management

System

ISO 31000 Risk Management

4

5

Elements of a Management System

Management Commitment

Top management shall ………….

Participation in Management Reviews

Provide input for continuous improvement

Accountable for resource management

6


Resource Management

Identification of resources including human, technical, information and financial

Identification of roles, accountability and responsibility (RACI)

Competence, awareness & training

7


Management Reviews

Required inputs including reviews of audits, customer feedback, performance measurements, improvements, changes

Required outputs including actions recorded for improvements, documented improvements and the effectiveness of those improvements, additional follow-through of actions identified such as resource needs or completion of changes identified

8


Document & Records Control

Documented procedure for creating, approving, maintaining, protecting archiving and destroying documents & records

Identifying documents of external origin

9


Internal Audit

Document an audit plan

Identify internal auditors, hire or train

Document outputs and act upon findings

Timely reporting

10


Continual Improvement

Organization shall continually improve the effectiveness of the management system through the use of the policy, objectives, audit results, analysis of data, corrective and preventive actions and management review

Corrective/Preventive Actions recorded, planned and updated timely

Good Root Cause methodology

Review of effectiveness of actions taken

ISO 20000, 27001, 9001 Similarities

ISO 20000 ISO 27001 ISO 90014.0 SMS General Requirements

4.0 ISMS5.0 Management Responsibility 4.1 General requirements

4.1.1 Management Commitment

5.1 Management Commitment5.0 Management Commitment

4.3.2 Control of Documents

4.3.2 Control of Documents 4.2.3 Control of Documents

4.3.3 Control of Records 4.3.3. Control of Records 4.2.4 Control of Records

4.4.1 Provision of Resources4.4.2 Human Resources

5.2.1 Provision of Resources5.2.2 Training, Awareness & Competence

6.0 Resource Management

4.5.4.2 Internal Audit 6 Internal ISMS audits 8.1.2 Internal audit

4.5.4.3 Management Review

7 Management Review 5.6 Management Review

4.5.5 Maintain and improve the SMS

8 ISMS improvement 8.4 Continual improvement

12

What is ISO/IEC 27001 Standard

Internationally accepted standard for information security

management

Auditable specification for information security management system

ISO/IEC 27001 is not only an IT standard.

Process, Technology and People Management standard.

Helps to combat fraud and promote secure operations.

Unified standard for security associated with the information life

cycle.

13

History of ISO/IEC 27001 Standard

1992The Department of Trade and Industry (DTI), which is part of the UK Government, publish a 'Code of Practice for Information Security Management'.

1995This document is amended and re-published by the British Standards Institute (BSI) in 1995 as BS7799.

2000In December, BS7799 is again re-published, this time as a fast tracked ISO standard. It becomes ISO 17799 (or more formally, ISO/IEC 17799).

2005A new version of ISO 17799 is published. This includes two new sections, and closer alignment with BS7799-2 processes..

2005The latest version of ISMS is known as ISO/IEC 27001:2005

14

27000 Series of Standards

ISO/IEC publishes two standards that focus on an organization’s ISMS:

• The code of practice standard: ISO/IEC 27002 (ISO/IEC 17799). This standard can be used as a starting point for developing an ISMS. It provides guidance for planning and implementing a program to protect information assets. It also provides a list of controls (safeguards) that you can consider implementing as part of your ISMS.

• The management system standard: ISO/IEC 27001. This standard is the specification for an ISMS. It explains how to apply ISO/IEC 27002 (ISO/IEC 17799). It provides the standard against which certification is performed, including a list of required documents. An organization that seeks certification of its ISMS is examined against this standard.

15

27000 Series of Standards

ISO/IEC 27001 - Information security management systems — Requirements

ISO/IEC 27002 - Code of practice for information security management

ISO/IEC 27006 - Guide to the certification/registration process (published in 2007)

ISO/IEC 27000 - Vocabulary for the ISMS standards

ISO/IEC 27003 - ISMS implementation guide

ISO/IEC 27004 - Standard for information security management measurements

ISO/IEC 27005 - Standard for risk management

ISO/IEC 27007 - Guideline for auditing ISMS

ISO/IEC 27011 - Guideline for telecommunications in ISMS

16

Understanding the Standards - Documents

Most standards have at least two supporting documents

Requirements – these are the “shall”s and are required to be implemented unless exclusions can be taken. The auditor can only audit against the “shall”s.

Code of Practice – these are the “should”s and are guidance to assist you in implementation.

Guideline – a fully implementable standard that does not have a “certification scheme”. You can be compliant, but not certified.

17

Stages for Registration

• Submit application to registrar

• Stage 1: Assessment of readiness

• Stage 2: Assessment for registration audit

• Registration/certification awarded for 3 years

• Surveillance audits (at least annually)

• Recertification audit at the end of 3rd year

18

Stages for Registration

• Usually takes 1 or possibly 2 auditors 1 to 3 days

depending on scope, size, locations and personnel

• You will be told whether or not you will be recommended for registration at the completion of the Stage 2 audit

• Certificate usually arrives a 2 – 6 weeks later

• Maintaining your ISO Certification(s) is the first step in continuous improvement

19

Overview of an ISMS

Information security is the protection of information to ensure:

• Confidentiality: ensuring that the information is accessible only to those authorized to access it.

• Integrity: ensuring that the information is accurate and complete and that the information is not modified without authorization.

• Availability: ensuring that the information is accessible to authorized users when required.

Information security is achieved by applying a suitable set of controls (policies, processes, procedures, organizational structures, and software and hardware functions).

20

Elements of Information Security

Information Security is the protection of information and information assets to preserve :

21

What is Information Security Management System

An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information and information entrusted to companies by third parties so that it remains secure. It encompasses people, processes and IT systems. It is an organizational approach to information security.

Building a Information Security Management system is achieved through the “systematic assessment of the systems, technologies and media contained information, appraisal of the loss of information, cost of security breaches, and development & deployment of counter measures to threats.”

22

Process Approach: Plan, Do, Check, Act

Do

Plan

Check

Act

23

Structure of ISO/IEC 27001:2005

• All activities must follow a method. The method is arbitrary but must be well defined and documented.

• A company or organization must document its own security goals. An auditor will verify whether these requirements are fulfilled.

• All security measures used in the ISMS shall be implemented as the result of a risk analysis in order to eliminate or reduce risks to an acceptable level.

• The standard offers a set of security controls. It is up to the organization to choose which controls to implement based on the specific needs of their business.

24

Structure of ISO/IEC 27001:2005

• A process must ensure the continuous verification of all elements of the security system through audits and reviews.

• A process must ensure the continuous improvement of all elements of the information and security management system.

(The ISO/IEC 27001 standard adopts the Plan-Do-Check-Act [PDCA] model as its basis and expects the model will be followed in an ISMS implementation.)

25

Management Commitment

Management must make a commitment to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the ISMS. Commitment must include activities such as ensuring that the proper resources are available to work on the ISMS and that all employees affected by the ISMS have the proper training, awareness, and competency.

Establishment of the following items demonstrates management commitment:

• An information security policy; this policy can be a standalone document or part of an overall security manual that is used by an organization.

26

Management Commitment (Cont.)

• Information security objectives and plans; again this information can be a standalone document or part of an overall security manual that is used by an organization

• Roles and responsibilities for information security; a list of the roles related to information security should be documented either in the organization’s job description documents or as part of the security manual or ISMS description documents

• Announcement or communication to the organization about the importance of adhering to the information security policy

• Sufficient resources to manage, develop, maintain, and implement the ISMS

27

Management Commitment (Cont.)

In addition, management will participate in the ISMS Plan-Do-Check-Act [PDCA] process, as described in ISO/IEC 27001 by:

• Determining the acceptable level of risk. (Evidence of this activity can be incorporated into the risk assessment documents)

• Conducting management reviews of the ISMS at planned intervals. (Evidence of this activity can be part of the approval process for the documents in the ISMS)

• Ensuring that personnel affected by the ISMS are provided with training, are competent for the roles and responsibilities they are assigned to fulfill, and are aware of those roles and responsibilities. (Evidence of this activity can be through employee training records and employee review documents)

POLICYPOLICY

Establish the context-Define Information Security policy and objectives-ISMS scope and policy-Security Organization-Risk identification and assessment - Identify risks - Analyze risks - Evaluate

Manage the risk- Identify and evaluate options for managing the risks- Select controls and objectives for the treatment and management of risk- Implement selected controls- Statement of applicability

Monitor The ProgressCreate Monitoring RulesMonitor and review ISMS

Improve ISMS - Identify improvements in the ISMS and implement them - Take appropriate Corrective and preventive actions - Communicate and consult (management,stakeholders, users etc.)

ISMS ImplementationISMS Implementation

28

http://www.balancedscorecard.org/images/pdca.gif

http://www.balancedscorecard.org/images/pdca.gif

http://www.qualtech.se/pdca_radar_compressed.gif

29

1. PLAN

“Establish the ISMS”

30

Define the scope of the ISMS

Determine the extent to which you want the ISMS to apply toyour organization

Lists of the areas, locations, assets, and technologies of the organization that will be controlled by the ISMS.

• What areas of your organization will be covered by the ISMS?

• What are the characteristics of those areas; its locations, assets, technologies to be included in the ISMS?

• Will you require your suppliers to abide by your ISMS?

• Are there dependencies on other organizations? Should they be considered?

31

Define the risk assessment approach

Risk assessment is the process of identifying risks by analyzing threats to, impacts on, and vulnerabilities of information and information systems and processing facilities, and the likelihood of their occurrence. Choosing a risk assessment method is one of the most important parts of establishing an ISMS.

To meet the requirements of ISO/IEC 27001, you will need to define and document a method of risk assessment and then use it to assess the risk to your identified information assets, make decisions about which risks are intolerable and therefore need to be mitigated, and manage the residual risks through carefully considered policies, procedures, and controls.

32


ISO/IEC 27001 does not specify the risk assessment method you should use; however, it does state that you must use a method that enables you to complete the following tasks:

Evaluate risk based on levels of Confidentiality, Integrity, and Availability

Set objectives to reduce risk to an acceptable level

Determine criteria for accepting risk

Evaluate risk treatment options

Some risk assessment methods provide a matrix that defines levels ofconfidentiality, integrity, and availability and provide guidance as to when and how those levels should be applied, as shown in the following table:

34


If you are unfamiliar with risk assessment methods, you might want to refer to these published examples:

ISO/IEC 13335 (Management of information and communications technology security)

NIST SP 800-30 (Risk Management Guide for Information Technology Systems) http://csrc.nist.gov/publications/nistpubs/

ISO/IEC 31000:2009

Risk assessment methods that are specific to the industry of your organization

http://csrc.nist.gov/publications/nistpubs/



35

Identify the information assets

To identify risks and the levels of risks associated with the information you want to protect, you first need to make a list of all of your information assets that are covered in the scope of the ISMS.

You should have a list of the information assets to be protected and an owner for each of those assets. You might also want to identify where the information is located and how critical or difficult it would be to replace.

Because you will need this list to document your risk assessment, you might want to group the assets into categories and then make a table of all the assets with columns for assessment information and the controls you choose to apply.

36

Identify the information assets (Cont.)

Example:

37


Identify risks and classify them according to their severity and vulnerability. In addition, you will need to identify the impact that loss of confidentiality, integrity, and availability may have on the assets. Start by identifying actual or potential threats and vulnerabilities for each asset.

A threat is something that could cause harm.

• A declaration of the intent to inflict harm or misery

• Potential to cause an unwanted incident, which may result in harm to a system or organization and its assets

• Intentional, accidental, or man-made act that could inflict harm or a natural disaster

38


Continued:

A vulnerability is a source or situation with a potential for harm

• a broken window; it might encourage harm, such as a break in

A risk is a combination of the likelihood and severity or frequency that a specific threat will occur.

For each asset, you should identify vulnerabilities that might exist for that asset and threats that could result from those vulnerabilities.

39


Example:

40

Perform the risk assessment

After you have identified the risks and the levels of confidentiality, integrity, and availability, you will need to assign values to the risks.

The values will help you determine if the risk is tolerable or not and whether you need to implement a control to either eliminate or reduce the risk.

To assign values to risks, you need to consider:

• The value of the asset being protected

• The frequency with which the threat or vulnerability might occur

• The damage that the risk might inflict on the company or its customers or partners

41

Perform the risk assessment

Note:

Be sure to refer to your Risk Assessment Methodology document to determine the implication of a certain risk value. To keep your ISMS manageable, your Risk Assessment Methodology might specify that only risks with a value of Medium or High will require a control in your ISMS. Based on your business needs and industry standards, risk will be assigned appropriate values.

43

Select controls

For the risks that you’ve determined to be intolerable, you must take one of the following actions:

• Decide to accept the risk actions are not possible because they are out of your control (such

as natural disaster or political uprising) or are too expensive

• Transfer the risk purchase insurance against the risk, subcontract the activity so that

the risk is passed on to the subcontractor, etc.

• Reduce the risk to an acceptable level through the use of controls

To reduce the risk, you should evaluate and identify appropriate controls. These controls might be controls that your organization already has in place or controls that are defined in the ISO/IEC 27002 (ISO/IEC 17799) standard.

44

Select controls (Cont.)

Note:

An examination of the controls that you already have in place against the standard and then using the results to identify what controls are missing is commonly called a “gap analysis”

46

Statement of Applicability (SoA)

The Statement of Applicability (SoA) documents the control objectives and controls selected from Annex A.

The SoA is usually a large table in which each control from Annex A of ISO/IEC 27001 is listed with its description and corresponding columns that indicate:

• whether that control was adopted by the organization

• the justification for adopting or not adopting the control

• a reference to the location where the organization’s procedure for using that control is documented.

48

2. DO

“Implement and Operate the ISMS”

49

Risk Treatment Plan (RTP)

The risk treatment plan is the immediate output of the Risk Assessment. It defines how, based on the criteria established by senior management, each risk is to be handled. The options are to:

1. Knowingly accept the risk as it falls within the organization's "risk appetite", in other words management deem the risk acceptable, compared to the cost of improving controls to mitigate it

2. Implement a suitable control or combination of controls to reduce (mitigate) the risk to a more acceptable level.

3. Avoid the risk (i.e. do not undertake the associated business activity)

4. Transfer the risk to another organization (e.g. through insurance or by contractual arrangements with a business partner)

50

Risk Treatment Plan (RTP)

The Risk Treatment Plan is the process of managing control implementation and should include what to do, how to do it, when to do it and who should do it.

• Control Selection output of the Risk Assessment

• Risks

• Tasks

• Assigned responsibility to a person

• Scheduled timeline

• Completion Date

51

Implementing controls through policies, processes and procedures

For each control that is defined, there must be corresponding statements of policy or in some cases a detailed procedure. The procedure and policies are used by affected personnel so they understand their roles and so that the control can be implemented consistently. The documentation of the policy and procedures is a requirement of ISO/IEC 27001.

The number of policies, procedures, and records that you will require as part of your ISMS will depend on a number of factors, including the number of assets you need to protect and the complexity of the controls you need to implement.

52

Training and awareness program

Adequate resources (people, time, money) should be allocated to the operation of the ISMS and all security controls. The staff who must work within the ISMS (maintaining it and its documentation and implementing its controls) must receive appropriate training. The success of the training program should be monitored to ensure that it is effective. Therefore, in addition to the training program, you should also establish a plan for howyou will determine the effectiveness of the training.

Requirements:• A list of the employees who will work within the ISMS• All of the ISMS procedures to use for identifying what type of training is

needed and which members of the staff or interested parties will require training

• Management agreement to the resource allocation and the training plans

53

Training and awareness program

If you want your personnel to implement all the new policies and procedures, first you have to explain to them why they are necessary, and train your people to be able to perform as expected. The absence of these activities is the second most common reason for ISO 27001 project failure.

Specific documentation is not required in the ISO/IEC standards. However, to provide evidence that resource planning and training has taken place, you should have some documentation that shows who has received training and what training they have received. In addition, you might want to include a section for each employee that lists what training they should be given. Also, you will probably have some type of procedure for determining how many people, how much money, and how much time needs to beallocated to the implementation and maintenance of your ISMS. It’s possible that this procedure already exists as part of your business operating procedures or that you will want to add an ISMS section to that existing documentation.

54

ISMS operation

This is the part where ISO 27001 becomes an everyday routine in your organization. The crucial word here is: “records”. Auditors love records – without records you will find it very hard to prove that some activity has really been done. But records should help you in the first place – using them you can monitor what is happening – you will actually know with certainty whether your employees (and suppliers) are performing their tasks as required.

55

Incidents management

The first goal of the incident management process is to restore a normal service operation as quickly as possible and to minimize the impact on business operations, thus ensuring that the best possible levels of service quality and availability are maintained.

ITIL v3 terminology defines an incident as:

An unplanned interruption to an IT Service or a reduction in the Quality of an IT Service. Failure of a Configuration Item that has not yet impacted Service is also an Incident.

ISO 20000 defines an incident as:

Any event which is not part of the standard operation of a service and which causes or may cause an interruption to, or a reduction in, the quality of that service.

56

Incidents management (Cont.)

Activities of Incident Management:

• Identification - detect or report the incident

• Registration - the incident is registered in a ICM System

• Categorization - the incident is categorized by priority , SLA etc. attributes defined above

• Prioritization - the incident is prioritized for better utilization of the resources and the Support Staff time

• Diagnosis - reveal the full symptom of the incident

• Escalation - should the Support Staff need support from other organizational units

57


Continued:

• Investigation and diagnosis - if no existing solution from the past could be found the incident is investigated and root cause found

• Resolution and recovery - once the solution is found the incident is resolved

• Incident closure - the registry entry of the incident in the ICM System is closed by providing the end-status of the incident

58


Incident Management according to ISO 27001 standard:

A.13.2 Management of information security incidents and improvements

Objective: To ensure a consistent and effective approach is applied to the management of information security incidents.

A.13.2.1 Responsibilities and procedures

Management responsibilities and procedures shall be established to ensure a quick, effective, and orderly response to information security incidents.

59


A.13.2.2 Learning from information security incidents

There shall be mechanisms in place to enable the types, volumes, and costs of information security incidents to be quantified and monitored.

A.13.2.3 Collection of evidence

Where a follow-up action against a person or organization after an information security incident involves legal action (either civil or criminal), evidence shall be collected, retained, and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s).

60

3. CHECK

“Monitor and Review the ISMS”

61

Monitor and measure

To ensure that the ISMS is effective and remains current, suitable, adequate, and effective, ISO/IEC 27001 requires:

• Management to review the ISMS at planned intervals. The review must include assessing opportunities for improvement, and the need for changes to the ISMS, including the security policy and security objectives, with specific attention to previous corrective or preventative actions and their effectiveness.

• Periodic internal audits

The results of the reviews and audits must be documented and records related to the reviews and audits must be maintained.

62

Audit

To perform internal audits on a periodic basis, you need to define the scope, criteria, frequency, and methods. You also need the procedure (which should have been written beforehand) that identifies the responsibilities and requirements for planning and conducting the audits, and for reporting results and maintaining records.

The results of an internal audit should result in identification of nonconformities and their related corrective actions or preventative actions. ISO/IEC 27001 lists the activity and record requirements related to corrective and preventative actions.

63

Review

Management does not have to configure your firewall, but it must know what is going on in the ISMS, i.e. if everyone performed his or her duties, if the ISMS is achieving desired results etc. Based on that, the management must make some crucial decisions.

The results of a management review should include decisions and actions related to:

• Improvements to the ISMS

• Modification of procedures that effect information security at all levels within the organization

• Resource needs

64

4. ACT

“Maintain and Improve the ISMS”

65

Corrective/Preventative action

The purpose of the management system is to ensure that everything that is wrong (so-called “non-conformities”) is corrected, or hopefully prevented.

Therefore, ISO 27001 requires that corrective and preventive actions are done systematically, which means that the root cause of a non-conformity must be identified, and then resolved and verified. Hence it is known exactly where problems (nonconformities) are to be reported, who needs to review them and make a decision on how to resolve them, who is responsible for eliminating them, etc.

66

Corrective action

Who can initiate corrective actions?Anyone in the company can raise a corrective action, and the same goes for your partners and suppliers who have a role in your ISMS. A corrective action may be raised because of an internal audit report or because of the results of testing and exercising, but also because someone thought of a better way to write the policies and procedures.

Required documentsYou should have the following documents regarding your corrective actions:• Corrective action procedure – this procedure defines the basic rules for

resolving corrective actions – how to raise one, where are they documented, who has to make which decisions, how to control their execution, etc.

• Corrective actions – these are the records of actual nonconformities, decisions and activities made to resolve them.

67

Preventative action

Preventive actions are steps that are taken to avoid potential nonconformities and make improvements. Preventive actions address potential nonconformities (problems), ones that haven't yet occurred. Preventive actions prevent the occurrence of problems by removing their causes. In general, the preventive action process can be thought of as a risk management process.

68

CA/PA according to ISO 27001 standard

8.2 Corrective action

The organization shall take action to eliminate the cause of nonconformities with the ISMS requirements in order to prevent recurrence. The documented procedure for corrective action shall define requirements for:

a) identifying nonconformitiesb) determining the causes of nonconformitiesc) evaluating the need for actions to ensure that nonconformities do not recurd) determining and implementing the corrective action needede) recording results of action takenf) reviewing of corrective action taken

69

CA/PA according to ISO 27001 standard

8.3 Preventive action

The organization shall determine action to eliminate the cause of potential nonconformities with the ISMS requirements in order to prevent their occurrence. Preventive actions taken shall be appropriate to the impact of the potential problems. The documented procedure for preventive action shall define requirements for:

a) identifying potential nonconformities and their causesb) evaluating the need for action to prevent occurrence of nonconformitiesc) determining and implementing preventive action neededd) recording results of action takene) reviewing of preventive action taken

70

Review

The point of clause 7.3 in ISO 27001 is to ask your executives to make crucial decisions that will have a major impact on your ISMS. And this has to be done in a systematic way.

For instance, your information security may need a larger budget, or your existing alternative location may not be appropriate – all such issues need decisions from the top, and management review is exactly the place to make such decisions. You can consider this management review to be nothing more than a regular meeting of your top executives with a specific topic: “Information Security”.

The minimum is to perform management review once a year, or more often if any major change happens that can influence information security.

71

Review

What is to be discussed at the management review:

Your executives need to make at least the following decisions: whether the ISMS has fulfilled its objectives, which improvements are needed, changes to the scope, approval of the required resources, modification to the main documents

You can use this requirement of ISO 27001 to do much more than mere compliance. Use it for building a relationship with your decision makers!

72

Close the PDCA cycle

The "Plan Do Check Act" (PDCA) is a closed cycle, meaning that it will never end.

Done with your ISMS implementation? Sorry, there’s no such thing as “finished” in the PDCA cycle. Because of the very nature of a continuous improvement process - it will never be finished. Celebrate your success, and then go back and keep tweaking it. You will keep tweaking your original goals, amend them, and work to get closer and closer.

73

ISO/IEC 27001:2005 Checklist

The information security Management Program should include:

Define Scope and Boundaries of the ISMS

Define the Security Policy

Define a Risk Assessment Approach of Organisation

Identify the Information Assets and their Risks

Analyze and Evaluate the Risks

Identify and Evaluate options for Treatment of Risk

Select Control Objectives and Controls for treating Risks (Annexure A)

74


Continued:

Formulate Risk Treatment Plan and Implement RTP Plan

Implement Control to meet Control Objectives

Define how to measure effectiveness of the Controls

Implement Training and Awareness Program

Implement of procedures and other controls capable of detection of Security Events / Incidents.

Promptly Detect errors in result of Processing

75


Continued:

Identify Security Breaches and Incidents

Regular Reviews of Effectiveness of the ISMS

Measure the Effectiveness

Review Risk assessment at planned intervals

Conduct Internal Audits

Implement the identified improvements

Take appropriate corrective and Preventive actions

76

Some of the Controls Recommended by the Standard

Technology Process

People

- System Security- UTM. Firewalls- IDS/IPS- Data Center - Physical Security- Vulnerability Assmt- Penetration Testing- Application

Security- Secure SDLC- SIM/SIEM- Managed Services

- Risk Management- Asset Management- Data Classification- Info Rights Mgt- Data Leak Prevention- Access Management- Change Management- Patch Management- Configuration Mgmt- Incident Response- Incident

Management- Business

Continuity

- Training - Awareness- HR Policies- Background Checks- Roles / responsibilities- Mobile Computing- Social Engineering- Social Networking- Acceptable Use- Policies- Performance Mgt

77

Control Objectives / Controls (Annexure A)

Overall the “Annexure A” can be put in:Domain Areas – 11Control Objectives – 39Controls – 133

78

A.5 Security policy

A.5.1 Information security policy

Control Objective:

To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

Controls:• Information security policy document• Review of the information security policy

79

A.6 Organisation of Information Security

A.6.1 Internal organization

Control Objective:

To Manage Information Security within the Organization.

Controls:• Management commitment to information security• Information security co-ordination• Allocation of information security responsibilities• Authorization process for information processing facilities• Confidentiality agreements• Contact with authorities• Independent review of information security

80

A.6 Organisation of Information Security

A.6.2 External parties

Control Objective:

To maintain the security of organizational information and information processing facilities that are accessed processed, communicated to, or managed by external parties

Controls:• Identification of risks related to external parties• Addressing security when dealing with customers• Addressing security in third party agreements

81

A.7 Asset Management

A.7.1 Responsibility of Assets

Control Objective:

To achieve and maintain appropriate protection of organizational assets

Controls:• Inventory of assets• Ownership of assets• Acceptable use of assets

82

A.7 Asset Management

A.7.2 Information classification

Control Objective: To ensure that information receives an appropriate level of protection

Controls:• Classification guidelines• Information labeling and handling

83

A.8 Human Resource Security

A.8.1 Prior to employment

Control Objective:

To ensure that employees, contractors and third party users understand their responsibilities, and are the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities

Controls:• Roles and responsibilities• Screening• Terms and conditions of employment

84


A.8.2 During employment

Control Objective:

To ensure that all employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities and are equipped to support organizational security policy in the course of their normal work and to reduce the risk of human error.

Controls:• Management Responsibilities• Information security awareness, education and training• Disciplinary process

85


A.8.3 Termination or change of employment

Control Objective:

To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.

Controls:• Termination responsibilities• Return of assets• Removal of access rights

86

A.9 Physical and Environmental Security

A.9.1 Secure areas

Control Objective:

To prevent unauthorized physical access, damage and interference to the organization's premises and information.

Controls:• Physical security perimeter• Physical entry controls• Securing offices, rooms and facilities• Protecting against external and environmental threats• Working in secure areas• Public access, delivery and loading areas

87

A.9 Physical and Environmental Security

A.9.2 Equipment security

Control Objective:

To prevent loss, damage, theft or compromise of assets and interruption to the organization's activities

Controls:• Equipment sitting and protection• Supporting utilities• Cabling security• Equipment maintenance• Security of equipment off-premises• Secure disposal or re-use of equipment• Removal of property

88

A.10 Communications and operations management

A.10.1 Operational procedures and responsibilities

Control Objective:

To ensure the correct and secure operation of information processing facilities.

Controls:• Documented operating procedures• Change management• Segregation of duties• Separation of development, test and operational facilities

89


A.10.2 Third party service delivery management

Control Objective:

To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements

Controls:• Service delivery• Monitoring and review of third party services• Managing changes to third party services• Capacity management• System acceptance

90


A.10.3 System planning and acceptance

Control Objective:

To minimize the risk of systems failures

Controls:• Capacity management• System acceptance

91


A.10.4 Protection against malicious and mobile code

Control Objective:

To protect the integrity of software and information

Controls:• Controls against malicious code• Controls against mobile code

92


A.10.5 Back-up

Control Objective:

To maintain the integrity and availability of information and information processing facilities

Controls:• Information Back-up

93


A.10.6 Network security management

Control Objective:

To ensure the protection of information in networks and the protection of the supporting infrastructure

Controls:• Network controls• Security of network services

94


A.10.7 Media handling

Control Objective:

To protect unauthorized disclosure, modification, removal or destruction of assets, and interruption to business activities

Controls:• Management of removable media• Disposal of media• Information handling procedures• Security of system documentation

95


A.10.8 Exchange of information

Control Objective:

To maintain the security of information and software exchanged within an organization and with any external entity

Controls:• Information exchange policies and procedures• Exchange agreements• Physical media in transit• Electronic messaging• Business information systems

96


A.10.9 Electronic commerce services

Control Objective:

To ensure the security of electronic commerce services and their secure use.

Controls:• Electronic commerce• On-line transactions• Publicly available information

97


A.10.10 Monitoring

Control Objective:

To detect unauthorized information processing activities.

Controls:• Audit logging• Monitoring system use• Protection of log information• Administrator and operator logs• Fault logging• Clock synchronization

98

A.11 Access Control

A.11.1 Business requirement for access control

Control Objective:

To control access to information

Controls:• Access control policy

99

A.11 Access Control

A.11.2 User access management

Control Objective:

To ensure authorized user access and to prevent unauthorized access to information systems

Controls:• User registration• Privilege management• User password management• Review of user access rights

100

A.11 Access Control

A.11.3 User responsibilities

Control Objective:

To prevent unauthorized user access and compromise or theft of information and information processing facilities

Controls:• Password use• Unattended user equipment• Clear desk and clear screen policy

101

A.11 Access Control

A.11.4 Network access control

Control Objective:

To prevent unauthorized access to networked services

Controls:• Policy on the use of network services• User authentication for external connections• Equipment identification in networks• Remote diagnostic and configuration port protection• Segregation in networks• Network connection control• Network routing control

102

A.11 Access Control

A.11.5 Operating system access control

Control Objective:

To prevent unauthorized access to operating systems

Controls:• Secure log-on procedures• User identification and authentication• Password management system• Use of system utilities• Session time-out• Limitation of connection time

103

A.11 Access Control

A.11.6 Application and information access control

Control Objective:

To prevent unauthorized access to information held in application systems

Controls:• Information access restriction• Sensitive system isolation

104

A.11 Access Control

A.11.7 Mobile computing and teleworking

Control Objective:

To ensure information security when using mobile computing and teleworking facilities

Controls:• Mobile computing and communications• Teleworking

105

A.12 Information systems acquisition, development and maintenance

A.12.1 Security requirements of information systems

Control Objective:

To ensure that security is an integral part of information systems.

Controls:Security requirements analysis and specification

106


A.12.2 Correct processing in applications

Control Objective:

To prevent errors, loss, unauthorized modification or misuse of information in applications.

Controls:• Input data validation• Control of internal processing• Message integrity• Output data validation

107


A.12.3 Cryptographic controls

Control Objective:

To protect the confidentiality, authenticity or integrity of information by cryptographic means.

Controls:• Policy on the use of cryptographic controls• Key management

108


A.12.4 Security of system files

Control Objective:

To ensure the security of system files

Controls:• Control of operational software• Protection of system test data• Access control to program source code

109


A.12.5 Security in development and support processes

Control Objective:

To maintain the security of application system software and information

Controls:• Change control procedures• Technical review of applications after operating system

changes• Restrictions on changes to software packages• Information leakage• Outsourced software development

110


A.12.6 Technical Vulnerability Management

Control Objective:

To reduce risks resulting from exploitation of published technical vulnerabilities

Controls:• Control of technical vulnerabilities

111

A.13 Information security incident management

A.13.1 Reporting information security events and weaknesses

Control Objective:

To ensure information security events and weakness associated with information systems are communicated in a manner allowing timely action to be taken.

Controls:• Reporting information security events• Reporting security weakness

112

A.13 Information security incident management

A.13.2 Management of information security incidents and improvements

Control Objective:

To ensure a consistent and effective approach is applied to the management of information security incidents

Controls:• Responsibilities and procedures• Learning from information security incidents• Collection of evidence

113

A.14 Business Continuity Management

A.14.1 Information security aspects of business continuity mgmt.

Control Objective:

To counteract interruptions to business activities and to protect critical business process from the effects of major failures of information systems or disasters to ensure their timely resumption.

Controls:• Including information security in the BCM process• Business continuity and risk assessment• Developing and implementing continuity plans including

information security• Business continuity planning framework• Testing ,maintaining and reassessing BC plans

114

A.15 Compliance

A.15.1 Compliance with legal requirements

Control Objective:

To avoid breaches of any law, statutory, regulatory or contractual obligations and of any security requirements

Controls:• Identification of applicable legislation• Intellectual property rights(IPR)• Protection of organizational records• Data protection and privacy of personal information• Prevention of misuse of information processing facilities• Regulation of cryptographic controls

115

A.15 Compliance

A.15.2 Compliance with security policies and standards, and technical compliance

Control Objective:

To ensure compliance of systems with organizational security policies and standards

Controls:• Compliance with security policies and standards• Technical compliance checking• Information systems audit controls• Protection of information system audit tools

116

Any questions?