Information security management best practice
Download as PPTX, PDF2 likes2,393 views
The document discusses ISO/IEC 17799, an international standard for information security management that provides guidelines and best practices for organizations aiming to enhance their security frameworks. It outlines the history, core domains, implementation considerations, and benefits of adopting ISO/IEC 17799, as well as the certification process that attests to an organization's compliance. Additionally, it highlights the costs associated with obtaining certification and the economic advantages derived from effective information security management.
Information security management best practice
- 1. Management Best Practice Based on ISO/IEC 17799 By René Saint-Germain Presented By : Parves Kamal
- 2. Management Best Practice Based on ISO/IEC 17799 Agenda: Get To know The Author What is ISO 17799? Background on ISO 17799 The Ten Domains of ISO/IEC 17799 Implementation Considerations Certification Process Benefits of Implementing the ISO/IEC 17799/BS 7799 Framework Survey How much It Cost References Questions? 2
- 3. Author’s Background Article was published In July 2005 At : Information Management Journal;Jul/Aug2005, Vol. 39 Issue 4, p60 René Saint-Germain has expertise in the implementation of governance and IT compliance frameworks (ISO 9001, ISO 20000, ISO 27001, ISO 27002, ISO 27005, ISO 22301, SOX, ITIL, COBIT). As member of the International Committee for the development of security standards (CS27), he had participated in the development of ISO 27001 and others ISO 27000 family standards. Current Position: Training and Audit Manager at Altirian Scheme Committee Member at PECB Lead Auditor at Bureau Veritas 3
- 4. What is ISO 17799 ISO 17799 is an internationally recognized Information Security Management Standard, first published by the International Organization for Standardization, or ISO (www.iso.ch), in December 2000. ISO 17799 is high level, broad in scope, and conceptual in nature. ISO 17799 is not: A technical standard Product or technology driven An equipment evaluation methodology such as the Common Criteria/ISO 15408 4
- 5. Background on ISO 17799 ISO 17799 is a direct descendant of the British Standard Institute (BSI) Information Security Management standard BS 7799. British Standard (BS) 7799 from the British Standards Institution (BSI) was first published in 1995 to provide guidance and best practices in information security The original standard ("Part 1") was revised and released in 1999. Adopted by ISO as ISO 17799 in 2000, In 2005 BS17799 part 1 was revised and in 2007 incorporated as ISO/IEC 27002 After wide consultation, it was determined that there was a need for a "specification" that could be audited against or used as a baseline. Thus, in 1998 a second part ("Part 2") was released, which was a specification for an Information Security Management System. BS 7799 Part 2 was adopted by ISO as ISO/IEC 27001 in November 2005 5
- 6. The Ten Domains of ISO/IEC 17799 6 The Ten Domains of ISO/IEC 17799
- 7. The Ten Domains of ISO/IEC 17799 Security Policy Security Policy control addresses management support, commitment, and direction in accomplishing information security goals, including: Information Security Policy document – a set of implementation- independent, conceptual information security policy statements governing the security goals of the organization. Ownership and review – Ongoing management commitment to information security is established by assigning ownership and review schedules for the Information Security Policy document. 7
- 8. The Ten Domains of ISO/IEC 17799 Organizational Security Organizational Security control addresses the need for a management framework that creates, sustains, and manages the security infrastructure, including: Information System Security Officer (ISSO) – acts as a central point of contact for information security issues, direction, and decisions. Information Security responsibilities – individual information security responsibilities are unambiguously allocated and detailed within job descriptions. Authorization processes – ensures that security considerations are evaluated and approvals obtained for new and modified information processing systems. Third-party access – mechanisms to govern third-party interaction within the organization based on business requirements. Outsourcing – organizational outsourcing arrangements should have clear contractual security requirements. 8
- 9. The Ten Domains of ISO/IEC 17799 Asset Classification and Control Asset Classification and Control addresses the ability of the security infrastructure to protect organizational assets, including: Accountability and inventory – Mechanisms to maintain an accurate inventory of assets, and establish ownership and stewardship of all assets. Classification – Mechanisms to classify assets based on business impact. Labeling – Labeling standards to indicate whether it is sensitive or critical. Handling – Handling standards; which is appropriate for copy, store, transmit or destruction of the information asset based on asset classification. 9
- 10. The Ten Domains of ISO/IEC 17799 Personnel Security Personnel Security control addresses an organization’s ability to mitigate risk inherent in human interactions, including: Personnel screening –Ascertain the qualification and suitability of all personnel with access to organizational assets. This framework may be based on job descriptions and/or asset classification. Security responsibilities – Personnel should be clearly informed of their information security responsibilities, including codes of conduct and non- disclosure agreements. Terms and conditions of employment – Personnel should be clearly informed of their information security responsibilities as a condition of employment. Training – A mandatory information security awareness training program is conducted for all employees, including new hires and established employees. Recourse – A formal process to deal with violation of information security policies. 10
- 11. The Ten Domains of ISO/IEC 17799 Physical and Environmental Security Physical and Environmental Security control addresses risk inherent to organizational premises, including: Location – Organizational premises should be analyzed for environmental hazards. Physical security perimeter – The premises security perimeter should be clearly defined and physically sound. A given premises may have multiple zones based on classification level or other organizational requirements. Access control – Breaches in the physical security perimeter should have appropriate entry/exit controls commensurate with their classification level. Equipment – Equipment should be sited within the premises to ensure physical and environmental integrity and availability. Asset transfer – Mechanisms to track entry and exit of assets through the security perimeter. 11
- 12. The Ten Domains of ISO/IEC 17799 Communications and Operations Management Communication and Operations Management control addresses an organization’s ability to ensure correct and secure operation of its assets, including: Operational procedures – Comprehensive set of procedures, in support of organizational standards and policies. Change control – Process to manage change and configuration control, including change management of the Information Security Management System. Incident management – Mechanism to ensure timely and effective response to any security incidents. Segregation of duties – Segregation and rotation of duties minimize the potential for collusion and uncontrolled exposure. Capacity planning – Mechanism to monitor and project organizational capacity to ensure uninterrupted availability. 12
- 13. The Ten Domains of ISO/IEC 17799 General – Policies and standards, such as utilization of shredding equipment, secure storage, and “cleandesk” principles, should exist to govern operational security within the workspace. System acceptance – Methodology to evaluate system changes to ensure continued confidentiality, integrity, and availability. Malicious code - Controls to mitigate risk from introduction of malicious code. Housekeeping – Policies, standards, guidelines, and procedures to address routine housekeeping activities such as backup schedules and logging. Network management - Controls to govern the secure operation of the networking infrastructure. Media handling – Controls to govern secure handling and disposal of information storage media and documentation. 13
- 14. The Ten Domains of ISO/IEC 17799 Access Control Access Control addresses an organization’s ability to control access to assets based on business and security requirements, including User management – mechanisms to: Register and deregister users Control and review access and privileges Manage passwords Network access control – policy on usage of network services, including mechanisms (when appropriate) to: Authenticate nodes Authenticate external users Define routing Control network device security Maintain the security of network services 14
- 15. The Ten Domains of ISO/IEC 17799 Host access control – Mechanisms (when appropriate) to: Automatically identify terminals Securely log-on Authenticate users Manage passwords Secure system utilities Furnish user duress capability, such as “panic buttons” Enable terminal, user, or connection timeouts Application access control – Limits access to applications based on user or application authorization levels. Access monitoring – Mechanisms to monitor system access and system use to detect unauthorized activities. Mobile computing – Policies and standards to address asset protection, secure access, and user responsibilities. 15
- 16. The Ten Domains of ISO/IEC 17799 System Development and Maintenance Security should ideally be built at the time of inception of a system. Hence security requirements should be identified and agreed prior to the development of information systems. System security requirements – Incorporates information security considerations in the specifications of any system development or procurement. Application security requirements – Incorporates information security considerations in the specification of any application development or procurement. Cryptography – Policies, standards, and procedures governing the usage and maintenance of cryptographic controls. System Integrity – Mechanisms to control access to, and verify integrity of, operational software and data, including a process to track, evaluate, and incorporate asset upgrades and patches. Development security – Integrates change control and technical reviews into development process. 16
- 17. The Ten Domains of ISO/IEC 17799 Business Continuity Management Business Continuity Management control addresses an organization’s ability to counteract interruptions to normal operations, including: Business continuity planning – Business continuity strategy based on a business impact analysis. Business continuity testing – Testing and documentation of business continuity strategy. Business continuity maintenance – Identifies ownership of business continuity strategy as well as ongoing re-assessment and maintenance. 17
- 18. The Ten Domains of ISO/IEC 17799 Compliance Compliance control addresses an organization’s ability to remain in compliance with regulatory, statutory, contractual, and security requirements, including: Legal requirements – awareness of: software copyright Intellectual property rights Safeguarding of organizational records Data protection and privacy of personal Information. Prevention of misuse Regulation of cryptography Collection of evidence 18
- 19. Implementation Considerations 19 Uses of the ISO/IEC 17799 Standard
- 20. Certification Process Organizations that base information security management systems (ISMS) on BS 7799 specifications can apply to become certified. What is an ISMS? Framework to manage the security risks within an organization An organization that obtains certification is said to be ISO/IEC 17799 compliant and BS 7799 certified. To guide organizations through this process, BS 7799 uses the Plan-Do-Check-Act (PDCA) model Once an organization has developed, implemented, and documented its ISMS, an accredited certification body carries out a third-party audit 20
- 22. Benefits of Implementing the ISO/IEC 17799/BS 7799 Framework BS 7799 certification serves as a public statement of an organization’s ability to manage information security. It demonstrates to partners and clients that the organization has implemented adequate information security and business continuity controls. It also demonstrates the organization’s commitment to ensuring that its information security management system and security policies continue to evolve and adapt to changing risk exposures Certification is a mark of distinction that sets organizations apart from their competition and provides partners, shareholders, and clients with greater confidence. ISO/IEC 17799 compliant organizations are exposed, these organizations will spend less money recovering from security incidents, which may also translate into lower insurance premiums 22
- 23. Survey 23
- 24. Survey 24
- 25. Survey25
- 26. Survey 26
- 27. Survey 27
- 28. How much It Cost A copy of 17799 is available through the ISO Web site (www.iso.org) roughly $150, But that $150 investment is only a fraction of the cost of security assessments, penetration testing, auditors and consultants, which can run into the hundreds of thousands--if not millions--of dollars. This is why organizations with a solid working knowledge of their security threats have a better shot at using the standard. 28
- 29. References IT Governance: Data Security & BS 7799/ISO 17799 by Alan Calder and Steve Watkins 2002 ISO/IEC 17799:2000(E) Code of Practice for Information Security Management Geneva: ISO 2000 www.iso.ch BS 7799-2:2002 Information Security Management Systems – Specification with Guidance for Use. London: BSi, September 2002 www.bsi-global.com http://www.bsmreview.com/security_best_practice_survey.shtml http://www.gta.ufrj.br/ensino/cpe728/03_ins_info_security_iso_17799_110 1.pdf http://www.gta.ufrj.br/ensino/cpe728/03_ins_info_security_iso_17799_110 1.pdf http://www.openmpe.com/cslproceed/HPW04CD/papers/3353.pdf 29
- 30. 30
- 31. 31
Editor's Notes
- #5: Common Criteria provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous and standard and repeatable manner at a level that is commensurate with the target environment for use
- #24: ITIL (IT Infrastructure Library): Provides recommendations for a wide range of IT operations and service delivery best practices including security management. ITIL’s information security recommendations are based heavily on ISO/IEC 17999 and emphasize information confidentiality, integrity and availability. ISO/IEC 17799/27002 (Information technology - Security techniques - Code of practice for information security management): Provides information security specialists with specialized recommendations for risk assessment, physical and information security policy, governance, development, compliance and access control. Originally labeled as ISO/IEC 17799, this set of best practices was renumbered as ISO/IEC 27002 in July 2007. COBIT (Control Objectives for Information and related Technology): Provides 210 control objectives applied to 34 high-level IT processes, categorized in four domains: Planning and Organization, Acquisition and Implementation, Delivery and Support, and Monitoring. COBIT recommendations include issues related to ensuring effectiveness and value of IT as well as information security and process governance.