ISO 27001 presentation
ISO 27001:2005

Information Security Management System

INFOSISTEM Security Day

Keywords: Croatia, information security management, security of information systems, presentation, Croatia, IT, information, information security

www.adriakon.hr

Vladimir Prodan, BSEE
Microsoft Certified System Engineer, TÜV Lead Auditor ISO 9001, SGS Lead Auditor ISO 27001

© 2006

ISO/IEC 17799, BS 7799-2 and ISO 27001: history

- 1989 – BS PD 0003, A code of practice for information security management
- 1995 – Updated and re-issued as BS 7799
- 1998 – Part 2 of BS 7799 issued
- 1999 – First major revision to BS 7799-1
- 2000 – ISO 17799 was identical in technical content to BS 7799-1
- 2002 – Major revision to BS 7799-2
- 2005 – ISO 27001

BS 7799-1 = ISO 17799
BS 7799-2 = ISO 27001

Structure of ISO 27001:2005

4 Information security management system
- 4.1 General requirements
- 4.2 Establishing and managing the ISMS
  - 4.2.1 Establish the ISMS (see Annex A)
  - 4.2.2 Implement and operate the ISMS
  - 4.2.3 Monitor and review the ISMS
  - 4.2.4 Maintain and improve the ISMS
- 4.3 Documentation requirements (cf. ISO 9001, ISO 14001)
  - 4.3.1 General
  - 4.3.2 Control of documents
  - 4.3.3 Control of records

5 Management responsibility
- 5.1 Management commitment
- 5.2 Resource management
  - 5.2.1 Provision of resources
  - 5.2.2 Training, awareness and competence

6 Internal ISMS audit

7 Management review of the ISMS
- 7.1 General
- 7.2 Review input
- 7.3 Review output

8 ISMS improvement (cf. ISO 9001, ISO 14001)
- 8.1 Continual improvement
- 8.2 Corrective action
- 8.3 Preventive action

Annex A Control objectives and controls

Annex A (control objectives, English names)

5 Security policy
6 Organization of information security
- 6.1 Internal organization
- 6.2 External parties
7 Asset management
- 7.1 Responsibility for assets
- 7.2 Information classification
8 Human resources security
- 8.1 Prior to employment
- 8.2 During employment
- 8.3 Termination or change of employment
9 Physical and environmental security
- 9.1 Secure areas
- 9.2 Equipment security
10 Communications and operations management
- 10.1 Operational procedures and responsibilities
- 10.2 Third party service delivery management
- 10.3 System planning and acceptance
- 10.4 Protection against malicious software
- 10.5 Back-up
- 10.6 Network security management
- 10.7 Media handling
- 10.8 Exchange of information
- 10.9 Electronic commerce services
- 10.10 Monitoring
11 Access control
- 11.1 Business requirement for access control
- 11.2 User access management
- 11.3 User responsibilities
- 11.4 Network access control
- 11.5 Operating system access control
- 11.6 Application and information access control
- 11.7 Mobile computing and teleworking
12 Information systems acquisition, development and maintenance
- 12.1 Security requirements of information systems
- 12.2 Correct processing in applications
- 12.3 Cryptographic controls
- 12.4 Security of system files
- 12.5 Security in development and support processes
- 12.6 Technical vulnerability management
13 Information security incident management
- 13.1 Reporting information security events and weaknesses
- 13.2 Management of information security incidents and improvements
14 Business continuity management
- 14.1 Information security aspects of business continuity management
15 Compliance
- 15.1 Compliance with legal requirements
- 15.2 Compliance with security policies and standards, and technical compliance
- 15.3 Information systems audit considerations

Example 1: unstructured system – before ISO 27001

[Diagram: map of the existing document set; the numbered cross-references between documents are not legible in this extraction. Documents shown:]

Policy documents: ISMS Policy; Scope of ISMS; ISMS Manual; Management representative, ISFG; Management Review of ISMS; Review of risk management.

QP (procedures): PGZ 01 Risk evaluation; PGZ 02 Reporting and statistics; PGZ 03 Incident handling; QAM 0801 Internal audit *; QAM 0802 Non conformities *; PSK QAM 0803 Corrective and preventive activities *.

WI (work instructions): ISMS responsibilities; Defining and communicating of confidentiality; Defining and communicating of non-allowed activities; Information classification; Back-up; Secure areas - rules; Third party - access and protocols; Antivirus and spyware protection; External communication; Internal project and process communication; New equipment and technology validation; Personnel validation; Emergency protocols; Suppliers - contracts and protocols; Suppliers: Annexes, opening and closing activities; Evaluation of statistical data; Coordination of multiuser activities; Licencing; Installation and testing; ISMS Documentation and records; Business continuity.

Rec (records): Evaluation of HW; Evaluation of Network and comm.; Evaluation of SW; Evaluation of supplier; Evaluation of users; Evaluation of infrastructure; Evaluation of power supplies; Occupation health and safety hazard; Evaluation of incidents; Evaluation of legal requirements; Risk analysis; List of legal requirements; R - Internal organisational documentation.

STRUCTURED SYSTEM – records:

- Information security policy
- IT Resources Use Policy
- Electronic mail policy
- Confidentiality statement policy
- ...
- ISMS Objectives
- Statement of Applicability
- Risk assessment
- Risk treatment plan
- Statistics
- Nonconformities and corrective actions list – internal audit
- Nonconformities and corrective actions list – process
- List of preventive activities
- Annual revision
- Annual revision – questionnaire
- Annual revision – summary overview
- ...

STRUCTURE OF DOCUMENTATION, ISO 27001 (top of the pyramid first):

- ISMS Policy and Objectives – the “Declaration”
- ISMS Manual – the “Constitution”
- Procedures, Instructions, DRP/BCP – the “Legislation”
- Information, guidelines – the “Rules”
- Evidence, monitoring, analyses – the “Documents and records”

Supporting tools (screenshots of the activity-tracking application):

- Filter activities based on the user who is logged in to the application (my tasks – active tasks)
- Filter activities based on type of activity (incident, solution, risk etc.)
- Detailed form of an activity

RISK

Risk management:
- Risk assessment
  - Risk analysis
  - Risk evaluation
- Risk acceptance
- Risk treatment

Risk Assessment & Management (flow chart):

Risk assessment → risk defined (otherwise: no defined risk) → risk analysis → risk estimated from probability and value of the loss → risk management: a risk that is not acceptable goes on to managing the risk.

• Risk management
• Data recovery
• Business continuity plan
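The flow above (risk defined, analysis, estimate from probability and value of the loss, evaluation against the acceptance criteria, treatment) carried through in code. This is an added example, not code from the presentation; the 1-5 scales, the acceptance threshold, the sample asset register and the threat-to-control lookup are constructed, with the control numbering taken from the Annex A outline on the earlier slides.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed lookup: threat -> ISO 27001:2005 Annex A control objective
# (numbering as on the Annex A slide); consulted only for unacceptable risks.
CONTROL_FOR_THREAT = {
    "malicious software": "A.10.4 Protection against malicious software",
    "loss of data": "A.10.5 Back-up",
    "unauthorised access": "A.11 Access control",
    "third party failure": "A.10.2 Third party service delivery management",
    "fire": "A.9.1 Secure areas",
}

ACCEPTANCE_THRESHOLD = 8  # constructed acceptance criterion: above this is not acceptable

@dataclass
class Asset:
    name: str
    threat: Optional[str]   # None -> the "no defined risk" branch of the flow
    probability: int        # constructed 1..5 scale (rare .. almost certain)
    loss_value: int         # constructed 1..5 scale (negligible .. critical)

def estimate_risk(asset: Asset) -> int:
    """Risk analysis: risk estimated = probability x value of the loss."""
    return asset.probability * asset.loss_value

def evaluate(asset: Asset, threshold: int = ACCEPTANCE_THRESHOLD) -> str:
    """Risk evaluation: compare the estimate with the acceptance criteria."""
    return "not acceptable" if estimate_risk(asset) > threshold else "acceptable"

def treatment_plan(assets, threshold: int = ACCEPTANCE_THRESHOLD):
    """Risk treatment plan entries, highest risk first; accepted risks carry no control."""
    plan = []
    for a in assets:
        if a.threat is None:  # no defined risk: recorded, nothing to analyse
            plan.append({"asset": a.name, "risk": 0, "decision": "no defined risk", "control": None})
            continue
        risk, decision = estimate_risk(a), evaluate(a, threshold)
        control = CONTROL_FOR_THREAT.get(a.threat, "control to be selected") if decision == "not acceptable" else None
        plan.append({"asset": a.name, "risk": risk, "decision": decision, "control": control})
    return sorted(plan, key=lambda e: e["risk"], reverse=True)

SAMPLE_ASSETS = [  # constructed sample register
    Asset("Customer database", "unauthorised access", 3, 5),
    Asset("File server", "malicious software", 4, 3),
    Asset("Outsourced payroll", "third party failure", 2, 4),  # exactly at the threshold
    Asset("Public website", "loss of data", 2, 3),
    Asset("Training room PC", None, 1, 1),
]

if __name__ == "__main__":
    for entry in treatment_plan(SAMPLE_ASSETS):
        print(entry)
```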

Related standards and frameworks:

- ISO 13335 “Guidelines for the Management of Information Security”
- ISO 13569 “Banking and Related Financial Services – Information Security Guidelines”
- ISO 15408 “Evaluation Criteria for IT Security (Common Criteria)”
- USA: NIST’s 800 Series
- USA: GAO’s Federal Information Systems Controls Audit Manual (FISCAM)
- German BSI “IT Baseline Protection Manual”
- ISF’s Standard of Good Practice
- SEI’s OCTAVE
- SEI’s SW-CMM
- ISACA’s COBIT
- FFIEC IT Examination Handbooks
- ISSA’s GAISP
- …

RISK – ASPECTS – EVALUATION

- usual omission

Importance (1-10) of three aspects by type of organisation:

Sector                      Back-up   Antivirus   Confidentiality
1. Production company       5         3           8
2. Newspaper or publishing  8         8           8
3. Retail                   5         3-8         5
4. Financial                5         3           9
5. Tourism                  3         7           9
…, real-time systems, …

RISK – HW

Influence (primary selection):
- Interested parties: Complaint (user, ...); Juridical or media response; Unknown
- Limited to workplace; Inside company; Wide area
- Expenses in planned framework; Additional or external help necessary

Legislative requirements: Clear; Possible; Unknown; Absence

Self assessment: Importance significant; Unknown importance; Internal supervision sufficient; External help necessary

Importance: For ISMS team; For user; For department; For company

RISK – SOFTWARE

Software: Office application; E-mail; Internet; Applications; System SW; ...

Risks: Viruses; Spyware; Use errors; Entry errors; Unauthorised installations; Unauthorised use of assets; Confidentiality; Passwords; Web; Intranet; ...

RISK – SUPPLIERS

- Data / Activities / Equipment
- Contract terms
- Response procedures
- Supplier risk evaluation
- Failure delay – in time
- Failure delay – in value
- Incident procedures
- Authorised personnel list
- Access restriction
- Contract termination protocols

RISK – other

- Fire
- Flood
- Theft
- Energetics and infrastructure
- Interferences and obstructions
- Unauthorised access
- Third party failure (suppliers, …)
- ...

LEGAL ASPECTS:

Internal:
- confidentiality – code of conduct (personnel)
- data structures (official, internal, public)
- qualification – evaluation of personnel

Suppliers:
- confidentiality – rules
- access and asset rights
- transition period (contract termination)
- error, malfunction or incident responsibilities

Third party:
- confidentiality – rules
- qualification – evaluation of personnel

Legal requirements: ...

Information security is not a condition but a process.

Incident statistics (share of incidents by type) and the kind of improvement each calls for:

INCIDENT TYPE                                          %    IMPROVEMENTS
inadequate organisation, ignorance, …                  30   organisational
user errors (virus, e-mail, …)                         20   educational
organisational communication problems – new technologies  10   technologies, org., edu.
new technologies and transition stages                 10   technologies
suppliers and third parties                            10   legal, org.
equipment (*)                                           9   technologies
energetics and infrastructure                           8   org., tech.
intentional external threat                             3   edu., org., tech., leg.

AVAILABILITY, CONFIDENTIALITY, INTEGRITY:

A tool for decreasing information security risk by use of various methodologies and technologies.


				
Document info: posted 11/29/2008, English, 13 pages.