Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © 2013 BSI. All rights reserved. IOSH 2013. Rev 0 The use of standards to tackle emerging information security risks Suzanne Fribbins EMEA Product.

Similar presentations


Presentation on theme: "Copyright © 2013 BSI. All rights reserved. IOSH 2013. Rev 0 The use of standards to tackle emerging information security risks Suzanne Fribbins EMEA Product."— Presentation transcript:

1 Copyright © 2013 BSI. All rights reserved. IOSH Rev 0 The use of standards to tackle emerging information security risks Suzanne Fribbins EMEA Product Marketing Manager - Risk

2 Copyright © 2013 BSI. All rights reserved. 2 Who is BSI? – 10 fast facts Founded in 1901 Standards, assessment, testing, certification, training, software No owners/ shareholders … all profit reinvested into the business Global independent business services organization >2,900 staff and >50% non-UK #1 certification body in the UK, USA National Standards Body in the UK Trained over 73,000 people worldwide in ,000 clients in 150 countries 65 offices located around the world

3 Copyright © 2013 BSI. All rights reserved. 3 The changing information security risk landscape

4 Copyright © 2013 BSI. All rights reserved. 4 The changing information security risk landscape

5 Copyright © 2013 BSI. All rights reserved. 5 New security challenges

6 Copyright © 2013 BSI. All rights reserved. 6 New security challenges

7 Copyright © 2013 BSI. All rights reserved. 7 Key information security statistics Recent government research has found 93% of large organizations and 87% of small businesses suffering a breach last year (up more than 10% on the previous year) And we're starting to see the impact of emerging technologies on information security The 2013 PwC information security breaches survey found: 14% of large organisations had a security breach relating to social networking sites; and 9% had a breach relating to smartphones or tablets 4% of respondents had a security or data breach in the last year relating to one of their cloud computing services Source: 2013 Information Security Breaches Survey2013 Information Security Breaches Survey

8 Copyright © 2013 BSI. All rights reserved. 8 Increasing regulatory compliance Concern about security risks and their impact on citizen data has triggered a wave of regulatory compliance with progressively heavier penalties for personal data breaches Increased ICO activity (34 fines in just over two years) relating to: ing of sensitive personal information to the wrong recipients Mailing sensitive information to the wrong recipient/s Faxing of information to incorrect number/s Personal information mistakenly published on public website/s Loss of unencrypted laptops Loss of unencrypted memory sticks, DVD’s Theft of sensitive paper records from a mobile worker Unsecure disposal of sensitive personal records Sensitive information left on disused IT equipment

9 Copyright © 2013 BSI. All rights reserved. 9 Global growth in certification 9 21% 40% 12%

10 Copyright © 2013 BSI. All rights reserved. 10 Information Security Breaches Survey PwC 76% of large respondents and 36% of smaller organizations have implemented ISO at least partially 85% of large organisations and 61% of small businesses have been asked by their customers to comply with security standards 45% of large organisations have specifically been asked for ISO compliance Source: 2013 Information Security Breaches Survey2013 Information Security Breaches Survey

11 Copyright © 2013 BSI. All rights reserved. 11 What is happening in the ISO suite to address the changing risk landscape? “The ISO 27000s are the ones you want to be looking for” (Paul Simmonds, co-founder of the Jericho Forum, ex-CIO of AstraZeneca, 2011)

12 Copyright © 2013 BSI. All rights reserved. 12 The ISO series

13 Copyright © 2013 BSI. All rights reserved. 13 The ISO series

14 Copyright © 2013 BSI. All rights reserved. 14 The ISO series

15 Copyright © 2013 BSI. All rights reserved. 15 The ISO series

16 Copyright © 2013 BSI. All rights reserved. 16 The ISO series

17 Copyright © 2013 BSI. All rights reserved. 17 Cloud security – how standards can help? Understand the chain of custody risk of the data When you put it into the cloud How the supplier maintains it and backs it up How you can prove your data has been destroyed, if you choose to move to a new supplier

18 Copyright © 2013 BSI. All rights reserved Requirements for an information security management system (revision due 2013, ISO will continue to be the certification standard for Information Security) Code of practice for information security management (revision due 2013)

19 Copyright © 2013 BSI. All rights reserved Requirements for an information security management system Code of practice for information security management Security in cloud computing (due 2014, will include cloud-specific controls, in addition to those recommended in the new ISO Standard is supported by the Cloud Security Alliance)

20 Copyright © 2013 BSI. All rights reserved. 20 Other standards initiatives

21 Copyright © 2013 BSI. All rights reserved. 21 PAS 555 The focus of PAS 555 is cyber security Looks at cyber security at the organizational level Outcomes based - provides a framework that enables understanding of the broad scope of capabilities required Other standards and guidelines to tackle cyber security risk tend to define good practice as to how effective cyber security might be achieved PAS 555 does not specify such processes or actions

22 Copyright © 2013 BSI. All rights reserved. 22 PAS 555 The focus of PAS 555 is cyber security Looks at cyber security at the organizational level Outcomes based - provides a framework that enables understanding of the broad scope of capabilities required Other standards and guidelines to tackle cyber security risk tend to define good practice as to how effective cyber security might be achieved PAS 555 does not specify such processes or actions

23 Copyright © 2013 BSI. All rights reserved. 23 Cloud Security STAR certification ISO is widely recognised and respected “Users should look for the providers to be certified” (John Pecatore, Gartner Cloud Analyst, 2011) Perception = insufficient focus on detail in certain areas of security for particular sectors ISO is written with expectation that additional controls could be added Developed by CSA, the Cloud Controls Matrix (CCM) bridges this gap, providing focus on critical controls for cloud security In addition, it is felt a pass/fail approach does not allow cloud service purchasers to make informed decisions

24 Copyright © 2013 BSI. All rights reserved. 24 How was the CCM developed? Joint agreement signed between CSA and BSI in August 2012 CCM initially developed by CSA Working group assembled to further develop CCM using a consensus based model Expertise in maturity modelling provided by BSI

25 Copyright © 2013 BSI. All rights reserved. 25 ISO CCM + Maturity Model = STAR STAR Certification STAR Certification

26 Copyright © 2013 BSI. All rights reserved. 26 Cloud controls – what are they about?

27 Copyright © 2013 BSI. All rights reserved. 27 Audience, key drivers, benefits Scheme available to any organization providing cloud services, that has, or is in the process of, certifying to ISO The scope of the ISO certification must not be less than the scope of the STAR certification STAR certification ensures that: Specific issues critical to cloud services have been addressed That this has been independently checked and verified by a third- party Encourages CSP’s to move beyond compliance to continued improvement Management capability model gives management visibility of effectiveness of controls, and allows performance to be benchmarked and improvements tracked year on year

28 Copyright © 2013 BSI. All rights reserved KCCM General Management System Cloud Specific Controls Well MANAGED and FOCUSED system STAR Certification

29 Copyright © 2013 BSI. All rights reserved. 29 STAR Assessor STAR Assessor Approving assessors

30 Copyright © 2013 BSI. All rights reserved. 30 Revision of ISO ISO is “increasingly becoming the lingua franca for information security” Source - Information Security Breaches Survey PwC

31 Copyright © 2013 BSI. All rights reserved. 31 ISO revision: status report ISO 27001:2005 has been undergoing revision. Draft International Standard (DIS) released to the National Standards Bodies on 16 January Consultation closed 23 March Draft International Standard (DIS) passed its DIS ballot at the meeting of the ISO Committee in April. A Final Draft International Standard (FDIS) will follow. Publication is expected toward the end of 2013.

32 Copyright © 2013 BSI. All rights reserved. 32 What can you expect from the new ISO 27001? Standard has been written in accordance with Annex SL Definitions in 2005 version have been removed and relocated to ISO There have been changes to the terminology used Requirements for Management Commitments have been revised and are presented in the Leadership Clause Preventive action has been replaced with “actions to address, risks and opportunities” The risk assessment requirements are more general SOA requirements are similar but with more clarity on the determination of controls by the risk treatment process The new standard puts greater emphasis on setting the objectives, monitoring performance and metrics

33 Copyright © 2013 BSI. All rights reserved. 33 ISO structure

34 Copyright © 2013 BSI. All rights reserved. 34 Controls

35 Copyright © 2013 BSI. All rights reserved. 35 Questions?

36 Copyright © 2013 BSI. All rights reserved. 36 Contact us

37


Download ppt "Copyright © 2013 BSI. All rights reserved. IOSH 2013. Rev 0 The use of standards to tackle emerging information security risks Suzanne Fribbins EMEA Product."

Similar presentations


Ads by Google