Risk Management Iso 27002

Agenda

• What is Compliance?
• Risk and Compliance Management
• What is a Framework?
• ISO 27001/27002 Overview
• Audit and Remediate
• Improve and Automate
What is Compliance?

• Compliance should be a program based on defined requirements
• Requirements are fulfilled by a set of mapped controls solving multiple regulatory compliance issues
• The program is embodied by a framework
• Compliance is more about policy, process and risk management than it is about technology
Risk & Compliance Mgmt

[Diagram: the risk and compliance management cycle. Drivers (Regulations, Partners/Customers, Risk Assessment) feed a Control Framework and Policy and Awareness; Assessments and Audits follow; Treat Risks, Improve Controls and Automate Process close the loop.]
Risk and Compliance Approaches

Minimal
• Annual / project-based approach
• Minimal repeatability
• Only use technologies where explicitly prescribed in standards and regulations
• Minimal automation

Sustainable
• Proactive / planned approach
• Learning year over year
• Use technologies to reduce the human factor
• Leverage controls automation whenever possible

Optimized
• Regulatory requirements are mapped to standards
• A framework is in place
• Compliance and enterprise risk management are aligned
• Process is automated
Identify Drivers

[Diagram: the cycle with its drivers highlighted: Regulations, Partners/Customers, Risk Assessment.]

Compliance is NOT just about regulatory compliance. Regulatory compliance is a driver to the program, controls and framework being put in place.

Managing compliance is fundamentally about managing risk.
Identify Drivers

• Risk Assessment
  – Identify unique risks and control requirements
• Partners / Customers
  – Partners represent potential contractual risk
  – Customers present privacy concerns
• Regulations
  – Regulatory risk is considered as part of overall risk
Develop Program

[Diagram: the cycle with the Control Framework and Policy and Awareness highlighted.]
What is a Control?

Control is defined as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.

*Source: ITGI, COBIT 4.1
What is a Framework?

A framework is a set of controls and/or guidance organized in categories, focused on a particular topic.

A framework is a structure upon which to build strategy, reach objectives and monitor performance.
Why use a framework?

• Enable effective governance
• Align with business goals
• Standardize process and approach
• Enable structured audit and/or assessment
• Control cost
• Comply with external requirements
Frameworks and Control Sets

• ISO 27001/27002
• COBIT
• ITIL
• NIST
• Industry-specific, e.g. PCI
• Custom
ISO 27001/27002

• Information security framework
• Requirements and guidelines for development of an ISMS (Information Security Management System)
• Risk management is a key component of the ISMS
• Part of the ISO 27000 series of security standards
A Brief History of ISO 27001

BS 7799 had two parts: BS 7799-1, the Code of Practice, and BS 7799-2, the Specification. BS 7799-2 was revised in 2002 and adopted as the international standard ISO 27001 in 2005.
A Brief History of ISO 27002

BS 7799-1, the Code of Practice, was adopted as the international standard ISO 17799 in 2000, revised in 2005, and renumbered to ISO 27002 in 2007. Its full title is "Information Technology – Code of Practice for Information Security Management". (BS 7799-2, the Specification revised in 2002, became ISO 27001.)
ISO 27001 and 27002

• ISO 27001: requirements; auditable; certification
• ISO 27002: best practices; more depth in controls guidance

The two standards share the same control objectives.
ISO 27001 – Mgmt Framework

• Information Security Management Systems – Requirements (ISMS)
  – Process approach
    • Understand the organization's information security requirements and the need to establish policy
    • Implement and operate controls to manage risk, in the context of business risk
    • Monitor and review
    • Continuous improvement
ISO 27001

[Diagram: the Plan-Do-Check-Act cycle applied to the ISMS]
• Plan – Establish ISMS
• Do – Implement and Operate ISMS
• Check – Monitor and Review ISMS
• Act – Maintain and Improve ISMS
ISO 27002 – Controls Framework

ISO 27002 Security Control Domains
• Risk Assessment and Treatment
• Security Policy
• Organizing Information Security
• Asset Management
• Human Resources Security
• Physical and Environmental Security
• Communications and Operations Management
• Access Control
• Information Systems Acquisition, Development and Maintenance
• Information Security Incident Management
• Business Continuity Management
• Compliance
Building a Framework

[Diagram: the ISO 27002 control domains arranged around "Protected Information" and grouped into Management Controls, Operational Controls and Technical Controls. Source: ISO 27002, Code of Practice for Information Security Management.]
Practical Uses for Certification

• Regulatory Compliance – "best practice" approach to handling sensitive data and the overall security program
• Internal Compliance – implement security as an integrated part of the business and as a process
• Third Party Compliance – provide proof to partners of good practices around data protection; strengthen the SAS 70 approach
ISO 27000 Series of Standards

• ISO/IEC 27000:2009 – Overview and vocabulary
• ISO/IEC 27001:2005 – Requirements
• ISO/IEC 27002:2005 – Code of Practice
• ISO/IEC 27003 – ISMS Implementation Guidance*
• ISO/IEC 27004 – Measurement*
• ISO/IEC 27005:2008 – Risk Management
• ISO/IEC 27006:2007 – Auditor Requirements
• ISO/IEC 27007 – ISMS Audit Guidelines*

*In development
Frameworks Comparison

Framework        | Strengths                                    | Focus
COBIT            | Strong mappings; support of ISACA; availability | IT governance; audit
ISO 27001/27002  | Global acceptance; certification             | Information security management system
ITIL             | IT service management; certification         | IT service management
NIST 800-53      | Detailed, granular; tiered controls; free    | Information systems; FISMA
Controls Mapping – PCI

[Diagram: a single Framework of Controls with the PCI Data Security Standard requirements mapped to it; Corporate Policy, SOX and GLBA sit alongside as further sources of requirements. PCI requirements shown:]

1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to data by business need to know
8. Assign a unique ID to each person with computer access…
Controls Mapping – PCI, GLBA, SOX, Policy

[Diagram: the same Framework of Controls, now with GLBA, SOX and Corporate Policy requirements mapped onto it alongside PCI.]

Benefits:
• Alignment of corporate policy
• Custom interpretation of regulations
• Single assessment effort provides a complete view
Logging and Monitoring

Mapping example: PCI DSS Requirement 10 (track and monitor all access to network resources and cardholder data) maps to ISO 17799:2005 Section 10.10 (Monitoring). One set of logging and monitoring controls in the framework satisfies both.
Audit and Remediate

[Diagram: the cycle with Assessments, Audits and Treat Risks highlighted.]
Organization Example

[Diagram: organizational functions and the framework each aligns to]
• IT Service Desk – ITIL
• Information Security – ISO 27001/27002
• Software Delivery – CMMi
• Internal Audit – COBIT
Controls Alignment

How aligned are your controls?

• Assessment (Information Security, IT Risk Management)
• Internal Audit (IT/Financial Audit)
• External Audit (Regulatory and Non-Regulatory)
Remediation Priorities

• Where are our greatest risks?
• What controls are we fulfilling?
• How many compliance requirements are we solving?
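The controls-mapping slides and the remediation questions above describe the same computation: assess each framework control once, then roll the result up to every regulation the control serves and rank the failing controls by how many requirements they would satisfy. The following is an added example written for this page, not code from the slides or from Accuvant. The control IDs, the GLBA, SOX and Corporate Policy references, and the assessment results are constructed placeholders; only the PCI requirement numbers come from the slide.

```python
"""Controls-mapping crosswalk: one assessment effort, a per-regulation view.

Added example, not from the original slides. Control titles follow the PCI
DSS requirements listed on the slide; the GLBA, SOX and Corporate Policy
references are constructed placeholders, not an authoritative mapping.
"""
from collections import defaultdict

# Constructed crosswalk: framework control ID -> requirement IDs it satisfies.
# Requirement IDs are "<regulation>:<reference>". PCI references are the
# requirement numbers from the slide; every other reference is hypothetical.
CONTROL_MAP = {
    "FW-01":    {"PCI:1", "POLICY:NET-1"},                                       # firewall configuration
    "CFG-02":   {"PCI:2", "GLBA:safeguards", "POLICY:SYS-3"},                    # no vendor defaults
    "DATA-03":  {"PCI:3", "GLBA:safeguards", "SOX:ITGC-access"},                 # protect stored data
    "CRYPT-04": {"PCI:4", "GLBA:safeguards"},                                    # encrypt in transit
    "AV-05":    {"PCI:5", "POLICY:END-2"},                                       # anti-virus
    "SDLC-06":  {"PCI:6", "SOX:ITGC-change"},                                    # secure systems/apps
    "ACC-07":   {"PCI:7", "GLBA:safeguards", "SOX:ITGC-access", "POLICY:IAM-1"}, # need to know
    "ID-08":    {"PCI:8", "SOX:ITGC-access", "POLICY:IAM-2"},                    # unique user IDs
}

# Constructed results of a single assessment effort: "pass" or "fail" per control.
ASSESSMENT = {
    "FW-01": "pass", "CFG-02": "fail", "DATA-03": "pass", "CRYPT-04": "pass",
    "AV-05": "pass", "SDLC-06": "pass", "ACC-07": "fail", "ID-08": "pass",
}


def _passed(control, assessment):
    # A control that was never assessed is treated as failing (conservative).
    return assessment.get(control) == "pass"


def coverage(control_map, assessment):
    """Per regulation: (requirements met, requirements total, sorted unmet requirement IDs).

    A requirement is met only when every control mapped to it passes, so one
    failing control is reported under every regulation it serves.
    """
    total = defaultdict(set)
    unmet = defaultdict(set)
    for control, reqs in control_map.items():
        for req in reqs:
            reg = req.split(":", 1)[0]
            total[reg].add(req)
            if not _passed(control, assessment):
                unmet[reg].add(req)
    return {
        reg: (len(reqs) - len(unmet[reg]), len(reqs), sorted(unmet[reg]))
        for reg, reqs in total.items()
    }


def remediation_priorities(control_map, assessment):
    """Failing controls ordered by how many requirements each would satisfy, most first."""
    failing = [c for c in control_map if not _passed(c, assessment)]
    return sorted(failing, key=lambda c: (-len(control_map[c]), c))


if __name__ == "__main__":
    for reg, (met, total_n, gaps) in sorted(coverage(CONTROL_MAP, ASSESSMENT).items()):
        print(f"{reg:7} {met}/{total_n} met; unmet: {', '.join(gaps) or 'none'}")
    print("remediate first:", remediation_priorities(CONTROL_MAP, ASSESSMENT))
```

With the constructed results, two failing controls (CFG-02 and ACC-07) leave GLBA fully unmet while PCI still shows 6 of 8 requirements met, which is the "complete view" argument on the slide: the same two findings would appear in four separate regulatory assessments. ACC-07 ranks first for remediation because it serves four requirements across all four sources.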
Improve and Automate

[Diagram: the cycle with Improve Controls and Automate Process highlighted.]
Controls Hierarchy

• Manual vs. Automated
  – Manual: require human intervention
  – Automated: rely on computers to reduce human intervention
• Detective vs. Preventive
  – Detective: designed to search for and identify errors after they have occurred
  – Preventive: designed to discourage or preempt errors or irregularities from occurring
Automated and Preventive – Logging and Monitoring

• Not efficient: reviewing logs for incidents. Efficient: an automated method of detecting incidents.
• Not effective: missing the incident due to human error. Effective: preventing the incident from occurring in the first place.
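The slide contrasts a person reading logs with an automated method of detecting incidents, the control that the PCI Requirement 10 / ISO 17799 10.10 mapping earlier in the deck is about. The following is an added example written for this page, not code from the slides or from Accuvant: an automated detective control that runs two rules over authentication records, a brute-force rule (THRESHOLD failures from one source inside WINDOW) and a follow-up rule for a success from a source that already tripped it. The log format, the sample lines and the threshold values are all constructed assumptions.

```python
"""Automated detection over authentication log lines.

Added example, not from the original slides. It replaces manual log review
with rules evaluated on every record: a brute-force alert when one source
produces THRESHOLD failed logins inside WINDOW, and a follow-up alert when a
login later succeeds from a source that already tripped the rule. The log
format and the sample lines are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (simplified sshd-style; not real data).
SAMPLE_LOG = """\
2009-03-02T10:00:01 sshd: Accepted password for alice from 10.1.1.20
2009-03-02T10:00:05 sshd: Failed password for admin from 192.0.2.9
2009-03-02T10:00:06 sshd: Failed password for admin from 192.0.2.9
2009-03-02T10:00:08 sshd: Failed password for root from 192.0.2.9
2009-03-02T10:00:09 sshd: Failed password for admin from 192.0.2.9
2009-03-02T10:00:11 sshd: Failed password for admin from 192.0.2.9
2009-03-02T10:07:30 sshd: Failed password for bob from 10.1.1.21
2009-03-02T10:20:00 sshd: Accepted password for bob from 10.1.1.21
2009-03-02T10:25:00 sshd: Accepted password for root from 192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

THRESHOLD = 5                  # failed logins from one source ...
WINDOW = timedelta(minutes=1)  # ... within this window raise a brute-force alert


def parse(lines):
    """Yield (timestamp, result, user, source) for lines that match; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Return alerts: ("brute_force", src, ts) or ("success_after_brute_force", src, ts, user)."""
    recent_failures = defaultdict(deque)  # src -> failure timestamps still inside the window
    flagged = set()                       # sources that already raised a brute-force alert
    alerts = []
    for ts, result, user, src in parse(lines):
        if result == "Failed":
            q = recent_failures[src]
            q.append(ts)
            while q and ts - q[0] > window:  # expire failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src, ts))
        elif src in flagged:
            # A later success from a flagged source is the incident itself, not noise.
            alerts.append(("success_after_brute_force", src, ts, user))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert)
```

On the sample, 192.0.2.9 trips the brute-force rule at 10:00:11 and the later successful root login from the same source raises the second alert; bob's single failure at 10:07:30 raises nothing. The same two rules run unchanged over a day of records, which is the efficiency point the slide makes; they remain a detective control, and the preventive counterpart (locking the account or blocking the source after the first alert) is what the "effective" row asks for.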
Automate the Process

• How do you currently measure compliance?
• Reduce documents, spreadsheets and other forms of manual measurement
• Create a dashboard approach
• Governance, Risk and Compliance toolsets
GRC Automation

• Enterprise – enterprise scope; highly configurable; multiple functions (risk, compliance, policy); sophisticated workflow
• Multi-Function – functionality more limited; more "out of the box"; modest workflow
• Single Function – specific process; specific standard or regulation; simple workflow
Questions?

Evan Tegethoff
Director, Risk and Compliance Management
etegethoff@accuvant.com