20CS024 Ethics in Information Technology
0 likes201 views
The document outlines the ISO 27001 standard for information security management systems (ISMS), explaining its significance, planning process, and benefits for organizations across various sectors. It highlights the necessity for security policies, the risk management approach, and the certification process, emphasizing continuous improvement and compliance with legal obligations. Additionally, it discusses the importance of developing effective information security policies and the role of management in executing these policies.
![Charles Cresson Wood’s Need for
Policy
30
…policies are important reference documents
for internal audits and for the resolution of
legal disputes about management’s due
diligence [and] policy documents can act as
a clear statement of management’s intent…](https://image.slidesharecdn.com/u6-211207091210/85/20CS024-Ethics-in-Information-Technology-30-320.jpg)
20CS024 Ethics in Information Technology
- 1. 20CS2024 Ethics in Information Technology Module 6 Standards for Information Security Management Information. Security Management Systems (ISMS) - ISO 27001 - Framing Security Policy of Organization- Committees- Security Forum, Core Committee, Custodian and Users, Business Continuity Process Team & Procedure- Information Security Auditing Process. IT Security Incidents Dr.A.Kathirvel, Professor, DCSE, KITS kathirvel@karunya.edu
- 2. What is ISMS? • Information Security Management System • Strategic decision of an organization • Design and implementation • Needs and objectives • Security requirements • Processes employed • Size and structure of the organization • Scaled with needs simple situation requires a simple ISMS solution
- 3. What is ISO 270012013? • ISO 27001 Information Security Management Systems is the international best practice standard for information security. • ISO 270012013, the current version of the standard, provides a set of standardized requirements for an information security management system (ISMS). • ISO 27001 certification is suitable for any organization, large or small and in any sector.
- 4. Concept of Information Security • Protecting Information Resources and Systems • Unauthorized Use and Access • Unauthorized Disclosure and Modification • Damage and Destruction
- 5. What is ISO 27001 Planning Process? • Define a security policy. • Define the scope of the ISMS. • Conduct a risk assessment. • Manage identified risks. • Select control objectives and controls to be implemented. • Prepare a statement of applicability.
- 6. Where ISO 27001 standard is applicable? • This standard is applicable in many types of industry and few areas where Certified organizations in ISO 27001 are —Finance and Insurance —Software development —Data processing —Banks and hospitals —Telecommunications —Utilities —Retail Sectors —Manufacturing sector —Various service industries —Transportation sector —Government bodies
- 7. Why ISO 27001 Family Standard? • While the ISO/IEC 27001 document gives general requirements for an ISMS and is the auditable standard for Information Security Management Systems, there are a family of supporting documents behind it that provide guidelines for planning, implementing, and maintaining an effective ISMS. • Below we have listed some of these documents, along with their purpose.
- 8. Requirements of ISO 270012013 ISMS • Highlights and features • Risk management approach • Risk assessment • Risk treatment • Management decision making • Continuous improvement model • Measures of effectiveness • Auditable specification (internal and external ISMS • auditing) • Now under revision
- 9. Requirements of ISO 270012013 Documents • The scope of the ISMS • The ISMS policy • Procedures for document control, internal audits, and procedures for corrective and preventive actions • All other documents, depending on applicable controls • Risk assessment methodology • Risk assessment report • Statement of applicability • Risk treatment plan • Records
- 10. Structure of ISO 270012013 • ISO 27001 is the first Standard to adopt the Annex SL structure. • The 2013 Standard looks very different to the 2005 ver. • To help understand the differences, a cross reference table from between the two versions has been included below. • The structure of the ISO 270012013 is as follows —Planning —Support —Operation —Performance evaluation —Improvement
- 11. Process of ISO 270012013 Certification • ISO 270012013 Certification for Information security management system processes can be established. • The company can select the number of controls as per BS7799 and such controls may be implemented partially or fully and same is written in the certificate after assessing the system by certifying body. —Decision —ISO Management Representative —Gap Analysis and Risk Assessment —Scope Implementation Plan —Employee Introduction
- 12. Process of ISO 270012013 Certification —ISO Documentation —Documentation Realisation —Internal ISO 27001 Audits —ISO 27001 Certification —Maintaining the ISO 27001 Certification • Key Benefits of ISO 270012013 —Keeps confidential information secure —Provides customers and stakeholders with confidence in how you manage risk —Allows for secure exchange of information —Allows you to ensure you are meeting your legal obligations
- 13. Key Benefits of ISO 270012013 • Helps you to comply with other regulations • Provide you with a competitive advantage • Enhanced customer satisfaction that improves client retention • Consistency in the delivery of your service or product • Manages and minimizes risk exposure • Builds a culture of security • Protects the company, assets, shareholders and directors
- 14. Pg 14 | Security and Privacy Entities • SC 17 Cards and Personal Identification • SC 27 IT Security • SC 37 Biometrics • SC 40 IT Governance
- 15. Pg 15 | JTC 1 Security and Privacy JTC 1 Security focus on areas of IT Security • Technology Mechanisms • Services • Management • Governance • Evaluation Testing • Privacy Technologies
- 16. Security and Privacy Topic Areas Security Evaluation, Testing and Specification (including evaluation criteria for IT security, framework for IT security assurance, methodology for IT security evaluation, cryptographic algorithms and security mechanisms conformance testing, security assessment of operational systems, SSE-CMM, vulnerability disclosure, vulnerability handling processes, physical security attacks, mitigation techniques and security requirements) Information security management system (ISMS) requirements plus ISMS accreditatio n, certificatio n and auditing (including acreddited CB requirements, guidance on ISMS auditong and guidelines for auditors on ISMS controls) Cryptographic and security mechanisms (including encryption, digital signature, authentication mechansisms, data integrity, non-repudiation, key management, prime number generation, random number generation, hash functions) Identity management and privacy technologies (including application specific (e.g. cloud and PII), privacy impact analysis, privcy framework, identity management framework, entity authentication assurance framework,) ISMS sector specific security controls (including application and sector specific e.g. Cloud, Telecoms, Energy, Finance) and sector- specific use of ISMS requirements standard Security services and controls (focusing on contributing to security controls and mechanisms, covering ICT readiness for business continuity, IT network security, 3rd party services, supplier relationships (including Cloud), IDS, incident management, cyber security, application security, disaster recovery, forensics, digital redaction, time- stamping and other areas) ISMS supporting guidance - codes of practice of information security controls, ISMS risk management, ISMS performance evaluation and ISMS implementation guidance Biometrics (including file formats, programming interfaces, data interchange formats, biometric profiles, biometric information protection, biometric authentication) Cards and Personal Identification (including: Physical characteristics, circuit cards, machine readable cards, motor vehicle drivers licence) Governance
- 17. Pg 17 | Key Security Products • ISO/IEC 27001 – Information Security Management System (ISMS) • 27000 Family of Standards • ISO/IEC 18033 – Encryption Algorithms • specifies asymmetric ciphers and symmetric ciphers • ISO/IEC 7811 – Identification Cards • ISO/IEC 2382-37 – Vocabulary • Harmonized vocabulary for biometrics
- 18. Vocabu lary 27000 Risk Manage ment270 05 Implemen tation 27003 27015 Metrics 27004 Control s 27002 27011 27017 27018 27019 27799 ISMS 27001 Audit 27006 27007 27008 27009 27010 27013 31000 20000 -1 Governa nce 27014 27016 27032 27034 Clause 17- 27031 Clause 13.1 - 27033 Clause 16 - 27035 Clause 15 - 27036 Clause 12.4- 27039 Investiga tive 27037 27038 27040 27041 27042 27043 27050 ISO/IEC 27000 family relationship
- 19. Pg 19 | Key Privacy Products • ISO/IEC 29100 – Privacy Framework • Identifies privacy principles • ISO/IEC 29134 – Privacy impact assessment • ISO/IEC 29115 - Entity authentication assurance framework
- 20. Pg 20 | Vertical Topic Areas • Cloud Computing • Accessibility • Health Care • IoT • Societal considerations • Telecom
- 21. Pg 21 | Key Work Products Related to Verticals • Cloud Computing • ITU-T X.1631|ISO/IEC 27017 – Guidelines on Information security controls for the use of cloud computing services based on ISO/IEC 27002 • ISO/IEC 27018 - Code of practice for PII protection in public clouds acting as PII processors • ISO/IEC 27036-4 - Information security for supplier relationships – Part 4: Guidelines for security of cloud services • Health Care • ISO/IEC 27999 • Societal considerations • ISO/IEC 27032 – Guidelines for Cybersecurity • Telecom • ITU-T X.1051|ISO/IEC 27011 - Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
- 22. Pg 22 | In Progress and Future Work Areas • Cyber Insurance • Cyber Resilience • Cloud Computing • SLA for security and privacy • Trusted connections and Virtualization • Big Data - Security and Privacy considerations • IoT • Privacy considerations • Identity Management • Security considerations • Privacy implications related to SmartPhone Applications • Privacy • Information Management System • Notices and Consent • De-identification techniques
- 23. Information Security Policy 23 • The success of any information security program lies in policy development • Policy is the essential foundation of an effective information security program • The centrality of information security polices to virtually everything that happens in the information security field • An effective information security training and awareness effort cannot be initiated without writing information security policies
- 24. NIST–Executive guide to the Protection of Information Resources 24 • ―The success of an information resources protection program depends on the policy generated, and on the attitude of management toward securing information on automated systems. • You, the policy maker, set the tone and the emphasis on how important a role information security will have within your agency. • Your primary responsibility is to set the information resource security policy for the organization within the objectives of reduced risk, compliance with laws and regulations and assurance of operational continuity, information integrity, and confidentiality.‖
- 25. Basic Rules in Shaping a Policy 25 • Policy should never conflict with law • Policy must be able to stand up in court, if challenged • Policy must be properly supported and administered • Example: Enron’s dubious business practices and misreporting the financial records - Policy of shredding working papers by accountants
- 26. Why Policy 26 • A quality information security program begins and ends with policy • Although information security policies are the least expensive means of control to execute, they are often the most difficult to implement • Policy controls cost only the time and effort that the management team spends to create, approve and communicate them, and that employees spend integrating the policies into their daily activities • Cost of hiring a consultant is minimal compared to technical controls
- 27. Guidelines for IT policy 27 • All policies must contribute to the success of the organization • Management must ensure the adequate sharing of responsibility for proper use of information systems • End users of information systems should be involved in the steps of policy formulation
- 28. Bull’s Eye Model 28 • Proven mechanism for prioritizing complex changes • Issues are addressed by moving from general to specifics • Focus of systemic solutions instead of individual problems
- 29. Bull’s Eye Model Layers 29 • Policies – the outer layer in the bull’s eye diagram • Networks – the place where threats from public networks meet the organization’s networking infrastructure; in the past, most information security efforts have focused on networks, and until recently information security was often thought to be synonymous with network security • Systems – computers used as servers, desktop computers, and systems used for process control and manufacturing systems • Application – all applications systems, ranging from packed applications such as office automation and e-mail programs, to high-end ERP packages and custom application software developed by the organization
- 30. Charles Cresson Wood’s Need for Policy 30 …policies are important reference documents for internal audits and for the resolution of legal disputes about management’s due diligence [and] policy documents can act as a clear statement of management’s intent…
- 31. Policy, Standards, and Practices • Policy represents the formal statement of the organization’s managerial policy, in case of our focus, the organization’s information security philosophy • Tradition communities of interest use policy to express their views which then becomes the basis of planning, management and maintenance of the information security profile • Policies – set of rules that dictate acceptable and unacceptable behavior within an organization • Policies should not specify the proper operation of equipment or software • Policies must specify the penalties for unacceptable behavior and define an appeals process • To execute the policy, the organization must implement a set of standards that clarify and define exactly what is inappropriate in the workplace and to what degree the org will stop to act the inappropriate behavior • Standard – More detailed statement of what must be done to comply with policy • Technical controls and their associated procedures might be established such that the network blocks access to pornographic websites
- 32. 32 Policy, Standards, and Practices (Contd)
- 33. Type of InfoSec policies 33 • Based on NIST Special Publication 800-14, the three types of information security policies are – Enterprise information security program policy – Issue-specific security policies – System-specific security policies • The usual procedure – First – creation of the enterprise information security policy – the highest level of policy – Next – general policies are met by developing issue- and system-specific policies
- 34. Enterprise Information Security Policy (EISP) 34 • EISP sets the strategic direction, scope, and tone for all of an organization’s security efforts • EISP assigns responsibilities for the various areas of information security including maintenance of information security policies and the practices and responsibilities of other users. • EISP guides the development, implementation, and management requirements of the information security program • EISP should directly support the mission and vision statements
- 35. Integrating an Organization’s Mission and Objectives into the EISP 35 • EISP plays a number of vital roles • One of the important role is to state the importance of InfoSec to the organization’s mission and objectives. • InfoSec strategic planning derives from IT strategic planning which is itself derived from the organization’s strategic planning • Policy will become confusing if EISP does not directly reflect the above association
- 36. EISP Elements 36 • An overview of the corporate philosophy on security • Information on the structure of the InfoSec organization and individuals who fulfill the InfoSec role • Fully articulated responsibilities for security that are shared by all members of the organization • Fully articulated responsibilities for security that are unique to each role within the organization
- 37. Components of a good EISP 37 • Statement of Purpose • Information Technology Security Elements • Need for Information Technology Security • Information Technology Security Responsibilities and Roles • Reference to Other Information Technology Standards and Guidelines
- 38. Issue-Specific Security Policy (ISSP) 38 • Provides a common understanding of the purposes for which an employee can and cannot use a technology – Should not be presented as a foundation for legal prosecution • Protects both the employee and organization from inefficiency and ambiguity
- 39. Effective ISSP 39 • Articulates expectations for use of technology- based system • Identifies the processes and authorities that provide documented control • Indemnifies the organization against liability for an employee’s inappropriate or illegal use of the system
- 40. ISSP Topics 40 • Use of Internet, e-mail, phone, and office equipment • Incident response • Disaster/business continuity planning • Minimum system configuration requirements • Prohibitions against hacking/testing security controls • Home use of company-owned systems • Use of personal equipment on company networks
- 41. ISSP Components 41 • Statement of Purpose – Outlines scope and applicability: what is the purpose and who is responsible for implementation • Authorized Uses – Users have no particular rights of use, outside that specified in the policy • Prohibited Uses – Common prohibitions: criminal use, personal use, disruptive use, and offensive materials • Systems Management – Users relationship to systems management – Outline users’ and administrators’ responsibilities • Violations of Policy – Penalties specified for each kind of violation – Procedures for (often anonymously) reporting policy violation • Policy Review/Modification • Limitations of Liability
- 42. 42 • Three common approaches for creating/managing ISSP – Create individual independent ISSP documents, tailored for specific issues – Create a single ISSP document covering all issues – Create a modular ISSP document unifying overall policy creation/management while addressing specific details with respect to individual issues ISSP Implementation
- 43. 43 System Specific Security Policy (SysSPs) • SysSPs provide guidance and procedures for configuring specific systems, technologies, and applications – Intrusion detection systems – Firewall configuration – Workstation configuration • SysSPs are most often technical in nature, but can also be managerial – Guiding technology application to enforce higher level policy (e.g. firewall to restrict Internet access)
- 44. Guidelines for Effective Policy • Developed using industry-accepted practices • Distributed using all appropriate methods • Reviewed or read by all employees • Understood by all employees • Formally agreed to by act or assertion • Uniformly applied and enforced 44
- 45. Developing Information Security Policy • Investigation Phase • Analysis Phase • Design Phase • Implementation Phase • Maintenance Phase 45
- 46. Investigation Phase • Support from senior management • Support and active involvement of IT management • Clear articulation of goals • Participation by the affected communities of interest • Detailed outline of the scope of the policy development project 46
- 47. Analysis Phase • The analysis phase should produce the following: —A new or recent risk assessment or IT audit documenting the information security needs of the organization. —Gathering of key reference materials – including any existing policies 47 Design Phase • Users or organization members acknowledge they have received and read the policy —Signature and date on a form —Banner screen with a warning
- 48. Implementation Phase • Policy development team writes policies • Resources: —The Web —Government sites such as NIST —Professional literature —Peer networks —Professional consultants 48 Maintenance Phase • Policy development team responsible for monitoring, maintaining, and modifying the policy
- 49. Policy Distribution • Hand policy to employees • Post policy on a public bulletin board • E-mail/ Intranet • Document management system • Policy Reading —Barriers to employees’ reading policies • Literacy:14%of American adults scored ―below basic‖ level in prose literacy • Language: non-English speaking residents • Policy Comprehension —Language - At a reasonable reading level • With minimal technical jargon and management terminology —Understanding of issues - Quizzes 49
- 50. Policy Compliance • Policies must be agreed to by act or affirmation • Corporations incorporate policy confirmation statements into employment contracts, annual evaluations • Policy Enforcement • Uniform and impartial enforcement – must be able to withstand external scrutiny • High standards of due care with regard to policy mgt. – to defend against claims made by terminated emp. • Automated Tools • VigilEnt Policy Center – centralized policy approval &imp. —Manage the approval process, Reduces need to distribute paper copies & Manage policy acknowledgement forms 50
- 51. VigilEnt Policy Center Architecture 51 Company Intranet User Site VPC Server Administration Site Users view policies and quizzes. User information to the company intranet. Policy docs and quizzes and news items to the Intranet. Administrators receive policy docs and quizzes. Administrators publish policy docs and quizzes. VPC server sends published policy docs and quizzes to the server for distribution to the user sites. Users read policy docs and complete quizzes.
- 52. Policy Management • Policy administrator • Review schedule • Review procedures and practices • Policy and revision dates • Policy administrator —Champion —Mid-level staff member —Solicits input from business and information security communities —Makes sure policy document and subsequent revisions are distributed 52
- 53. Review Schedule • Periodically reviewed for currency, accuracy, and modified to keep current - Organized schedule of review & review/year —Solicit input from representatives of all affected parties, management, and staff • Review Procedures and Practices —Easy submission of recommendations —All comments examined & Mgt approved changes implemented • Policy and Revision Date —Often published without a date • Legal issue – are employees ―complying with an out-of-date policy —Should include date of origin, revision dates • don’t use ―today’s date‖ in the document —Sunset clause (expiration date) 53
- 54. Information Securities Policy Made Easy Approach • Gather key reference materials • Develop a framework for policies • Prepare a coverage matrix • Make critical systems design decisions • Structure review, approval, and enforcement processes • Next Steps —Post policies —Develop a self-assessment questionnaire —Develop revised user ID issuance forms —Develop agreement to comply with InfoSec policies form —Develop tests to determine if workers understand policies 54
- 55. Information Securities Policy Made Easy Approach • Next steps (continued) —Assign information security coordinators —Train information security coordinators —Prepare and deliver a basic information security training course —Develop application-specific information security policies —Develop a conceptual hierarchy of information security requirements —Assign information ownership and custodianship —Establish an information security management committee —Develop an information security architecture document —Automate policy enforcement through policy servers 55
- 56. Final Note • Policies are a countermeasure to protect assets from threats —Policies exist to inform employees of acceptable (unacceptable) behavior —Are meant to improve employee productivity and prevent potentially embarrassing situations —Communicate penalties for noncompliance 56
- 57. Questions?