
1 The use of standards to tackle emerging information security risks
Suzanne Fribbins, EMEA Product Marketing Manager - Risk, BSI
IOSH 2013. Rev 0
Copyright © 2013 BSI. All rights reserved.

2 Who is BSI? – 10 fast facts
- Founded in 1901
- Standards, assessment, testing, certification, training, software
- No owners/shareholders; all profit reinvested into the business
- Global independent business services organization
- >2,900 staff, >50% non-UK
- #1 certification body in the UK and USA
- National Standards Body in the UK
- Trained over 73,000 people worldwide in 2012
- 70,000 clients in 150 countries
- 65 offices located around the world

3-4 The changing information security risk landscape

5-6 New security challenges

7 Key information security statistics
Recent government research found 93% of large organizations and 87% of small businesses suffered a breach last year (up more than 10% on the previous year).
We are starting to see the impact of emerging technologies on information security. The 2013 PwC Information Security Breaches Survey found:
- 14% of large organisations had a security breach relating to social networking sites
- 9% had a breach relating to smartphones or tablets
- 4% of respondents had a security or data breach in the last year relating to one of their cloud computing services
Source: 2013 Information Security Breaches Survey

8 Increasing regulatory compliance
Concern about security risks and their impact on citizen data has triggered a wave of regulatory compliance with progressively heavier penalties for personal data breaches.
Increased ICO (UK Information Commissioner's Office) activity (34 fines in just over two years) relating to:
- Emailing sensitive personal information to the wrong recipients
- Mailing sensitive information to the wrong recipient(s)
- Faxing information to incorrect number(s)
- Personal information mistakenly published on public website(s)
- Loss of unencrypted laptops
- Loss of unencrypted memory sticks and DVDs
- Theft of sensitive paper records from a mobile worker
- Insecure disposal of sensitive personal records
- Sensitive information left on disused IT equipment

9 Global growth in certification (chart; growth figures of 21%, 40% and 12% shown without their labels)

10 Information Security Breaches Survey 2013 - PwC
- 76% of large respondents and 36% of smaller organizations have implemented ISO 27001 at least partially
- 85% of large organisations and 61% of small businesses have been asked by their customers to comply with security standards
- 45% of large organisations have specifically been asked for ISO 27001 compliance
Source: 2013 Information Security Breaches Survey

11 What is happening in the ISO 27000 suite to address the changing risk landscape?
"The ISO 27000s are the ones you want to be looking for" (Paul Simmonds, co-founder of the Jericho Forum, ex-CIO of AstraZeneca, 2011)

12-16 The ISO 27000 series

17 Cloud security – how can standards help?
Understand the chain-of-custody risk to the data:
- when you put it into the cloud
- how the supplier maintains it and backs it up
- how you can prove your data has been destroyed, if you choose to move to a new supplier

18 ISO 27001 and ISO 27002
- ISO 27001: Requirements for an information security management system (revision due 2013; ISO 27001 will continue to be the certification standard for information security)
- ISO 27002: Code of practice for information security management (revision due 2013)

19 ISO 27001, ISO 27002 and ISO 27017
- ISO 27001: Requirements for an information security management system
- ISO 27002: Code of practice for information security management
- ISO 27017: Security in cloud computing (due 2014; will include cloud-specific controls in addition to those recommended in the new ISO 27002. The standard is supported by the Cloud Security Alliance)

20 Copyright © 2013 BSI. All rights reserved. 20 Other standards initiatives

21-22 PAS 555
- The focus of PAS 555 is cyber security
- Looks at cyber security at the organizational level
- Outcomes based: provides a framework that enables understanding of the broad scope of capabilities required
- Other standards and guidelines that tackle cyber security risk tend to define good practice as to how effective cyber security might be achieved; PAS 555 does not specify such processes or actions

23 Cloud Security STAR certification
- ISO 27001 is widely recognised and respected: "Users should look for the providers to be 27001 certified" (John Pecatore, Gartner Cloud Analyst, 2011)
- Perception: insufficient focus on detail in certain areas of security for particular sectors
- ISO 27001 is written with the expectation that additional controls could be added
- Developed by the CSA, the Cloud Controls Matrix (CCM) bridges this gap, providing focus on critical controls for cloud security
- In addition, it is felt that a pass/fail approach does not allow cloud service purchasers to make informed decisions

24 How was the CCM developed?
- Joint agreement signed between CSA and BSI in August 2012
- CCM initially developed by CSA
- Working group assembled to further develop the CCM using a consensus-based model
- Expertise in maturity modelling provided by BSI

25 ISO 27001 + CCM + Maturity Model = STAR Certification

26 Copyright © 2013 BSI. All rights reserved. 26 Cloud controls – what are they about?

27 Audience, key drivers, benefits
- Scheme available to any organization providing cloud services that has certified, or is in the process of certifying, to ISO 27001
- The scope of the ISO 27001 certification must not be less than the scope of the STAR certification
- STAR certification ensures that specific issues critical to cloud services have been addressed, and that this has been independently checked and verified by a third party
- Encourages CSPs to move beyond compliance to continual improvement
- The management capability model gives management visibility of the effectiveness of controls, and allows performance to be benchmarked and improvements tracked year on year

28 STAR Certification (diagram): ISO 27001 (27K) provides the general management system, the CCM provides the cloud-specific controls; together they give a well MANAGED and FOCUSED system

29 STAR Assessor – approving assessors

30 Revision of ISO 27001
ISO 27001 is "increasingly becoming the lingua franca for information security"
Source: Information Security Breaches Survey 2010 - PwC

31 ISO 27001 revision: status report
- ISO 27001:2005 has been undergoing revision
- Draft International Standard (DIS) released to the National Standards Bodies on 16 January 2013; consultation closed 23 March 2013
- The DIS passed its ballot at the meeting of the ISO committee in April
- A Final Draft International Standard (FDIS) will follow
- Publication is expected toward the end of 2013

32 What can you expect from the new ISO 27001?
- The standard has been written in accordance with Annex SL
- Definitions in the 2005 version have been removed and relocated to ISO 27000
- There have been changes to the terminology used
- Requirements for management commitment have been revised and are presented in the Leadership clause
- Preventive action has been replaced with "actions to address risks and opportunities"
- The risk assessment requirements are more general
- Statement of Applicability (SoA) requirements are similar, but with more clarity on the determination of controls by the risk treatment process
- The new standard puts greater emphasis on setting objectives, monitoring performance and metrics

33 ISO 27001 structure

34 Controls

35 Questions?

36 Contact us
