Slide 2: How to establish security requirements (general background)
- Security requirements come from three sources:
  - risk assessments
  - legal and statutory requirements
  - business requirements for information processing
- Select controls from a standard
- Controls considered to be common practice:
  - information security policy
  - allocation of responsibilities
  - awareness and training
  - technical vulnerability management
  - incident reporting
Slide 3: Critical success factors for addressing information security in organisations
- Information security policy and objectives
- Architectural approach
- Management commitment and support
- Understanding of the information security requirements
- Budget for information security
- Awareness and training
- Effective incident reporting system
- Measurement system
Slide 4: 12 key control areas
- Risk assessment and treatment
- Information security policy
- Organization (management) of information security
- Asset classification and control (asset management)
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development and maintenance
- Information security incident management
- Business continuity management
- Compliance
Slide 5: 5. Security policy
INFORMATION SECURITY POLICY
Objective: To provide management direction and support for information security.
- Information security policy document
  - Control: … should state management commitment
  - Implementation guidance: … definition
  - Other information: … distribution
- Review of the information security policy
Slide 6: Security policy (information security policy, continued)
d) a brief explanation of the security policies, principles, standards and compliance requirements of particular importance to the organization, for example:
  1) compliance with legislative and contractual requirements;
  2) security education requirements;
  3) prevention and detection of viruses and other malicious software;
  4) business continuity management;
  5) consequences of security policy violations;
e) a definition of general and specific responsibilities for information security management, including reporting security incidents;
Slide 7: Security policy (information security policy, continued)
f) references to documentation which may support the policy, e.g. more detailed security policies and procedures for specific information systems or security rules users should comply with.
This policy should be communicated throughout the organization to users in a form that is relevant, accessible and understandable to the intended reader.
Slide 8: Organization of information security
INTERNAL ORGANIZATION
Objective: To manage information security within the organization.
- Establish a management framework
- Management should provide leadership to:
  - approve the information security policy
  - assign security roles
  - co-ordinate the implementation of security
- Establish a source of specialist information security advice if needed
- A multi-disciplinary approach to information security is needed
Slide 9: Organization of information security
INTERNAL ORGANIZATION
- Management commitment to information security
- Information security co-ordination
- Allocation of information security responsibilities
- Authorization process for information processing facilities
- Confidentiality agreements
- Contact with authorities
- Contact with special interest groups
- Independent review of information security
EXTERNAL PARTIES
- Identification of risks related to external parties
- Addressing security when dealing with customers
- Addressing security in third party agreements
Slide 10: Asset management
RESPONSIBILITY FOR ASSETS
Objective: To achieve and maintain appropriate protection of organizational assets.
- All assets should be accounted for and have a nominated owner
- Owners should be identified for all assets and the responsibility for the maintenance of appropriate controls should be assigned
- The owner may delegate responsibility for implementing controls
Controls:
- Inventory of assets
- Ownership of assets
- Acceptable use of assets
Slide 11: Asset management
INFORMATION CLASSIFICATION
Objective: To ensure that information receives an appropriate level of protection.
- Classify information to indicate the need, priorities and degree of protection
- Information has varying degrees of sensitivity and criticality
- Define an appropriate set of protection levels and communicate the need for special handling measures
Controls:
- Classification guidelines
- Information labelling and handling
Slide 12: Human resources security
PRIOR TO EMPLOYMENT
Objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.
- Address security responsibilities at the recruitment stage, include them in contracts, and monitor them during employment
- Screen potential recruits adequately (especially for sensitive jobs)
- All should sign a confidentiality agreement
Controls:
- Roles and responsibilities
- Screening
- Terms and conditions of employment
Slide 13: Human resources security
DURING EMPLOYMENT
Objective: To ensure that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.
- An adequate level of awareness, education, and training in security procedures and the correct use of information processing facilities should be provided
Controls:
- Management responsibilities
- Information security awareness, education, and training
- Disciplinary process
Slide 14: Human resources security
TERMINATION OR CHANGE OF EMPLOYMENT
Objective: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.
- Changes of responsibilities and employment within an organization should be managed
Controls:
- Termination responsibilities
- Return of assets
- Removal of access rights
Slide 15: Physical and environmental security
SECURE AREAS
Objective: To prevent unauthorized access, damage and interference to business premises and information.
- House critical or sensitive business information processing facilities in secure areas, physically protected from unauthorized access, damage or interference
- The protection should be commensurate with the identified risks
- Clear desk and clear screen policy
Slide 16: Physical and environmental security
EQUIPMENT SECURITY
Objective: To prevent loss, damage or compromise of assets and interruption to business activities.
- Protect equipment physically from security threats and environmental hazards, to reduce the risk of unauthorized access to data and to protect against loss or damage
- Also consider equipment siting and disposal
- Special controls may be needed to safeguard supporting utilities, e.g. the electrical supply
Slide 17: Communications and operations management
OPERATIONAL PROCEDURES AND RESPONSIBILITIES
Objective: To ensure the correct and secure operation of information processing facilities.
- Establish responsibilities and procedures for the management and operation of all information processing facilities
- Develop operating instructions and incident response procedures
- Implement segregation of duties to reduce the risk of negligent or deliberate system misuse
Slide 18: Communications and operations management (control areas)
- Operational procedures and responsibilities
- Third party service delivery management
- System planning and acceptance
- Protection against malicious and mobile code
- Back-up
- Network security management
- Media handling
- Exchange of information
- Electronic commerce services
- Monitoring
Slide 19: Access control
BUSINESS REQUIREMENTS FOR ACCESS CONTROL
Objective: To control access to information.
- Control access to information and business processes on the basis of business and security requirements
- Take account of policies for information dissemination and authorization
Slide 20: Access control
USER ACCESS MANAGEMENT
Objective: To prevent unauthorized access to information systems.
- Formal procedures are needed to control the allocation of access rights to information systems and services
- These cover the whole life cycle, from the initial registration of new users to the final de-registration of users who no longer require access
- Control the allocation of privileged access rights
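The "removal of access rights" control on slide 14 and the registration-to-de-registration life cycle on slide 20 both reduce in practice to one recurring check: reconcile the accounts that exist on a system against the people who are still entitled to them. The following is an added example, not part of the original slides, of such a reconciliation. The roster and account records, the field names, the 90-day dormancy threshold and the category names are all assumptions chosen for illustration; a real deployment would pull the roster from HR and the accounts from the directory or application in question.

```python
"""Reconcile system accounts against an HR roster.

Finds access rights that should already have been removed (owner terminated
or not on the roster), accounts with no owner at all, dormant accounts, and
privileged accounts that a periodic access review must re-approve.

All data below is constructed for the example; thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

DORMANT_DAYS = 90  # assumed review threshold; tune to policy


@dataclass(frozen=True)
class Employee:
    emp_id: str
    status: str                 # "active" or "terminated"
    end_date: Optional[date]    # last working day when terminated


@dataclass(frozen=True)
class Account:
    username: str
    owner_emp_id: Optional[str]  # None for shared / service accounts
    privileged: bool
    last_login: Optional[date]   # None if the account has never logged in


def review_accounts(roster: List[Employee], accounts: List[Account],
                    today: date) -> Dict[str, List[str]]:
    """Classify every account; one account may land in several categories."""
    by_id = {e.emp_id: e for e in roster}
    findings: Dict[str, List[str]] = {
        "terminated_owner": [],   # owner has left: access should be gone
        "unknown_owner": [],      # owner id not on the roster at all
        "no_owner": [],           # shared/service account with no named owner
        "dormant": [],            # unused for longer than DORMANT_DAYS
        "privileged_review": [],  # privileged rights need explicit re-approval
    }
    for acct in accounts:
        if acct.owner_emp_id is None:
            findings["no_owner"].append(acct.username)
        else:
            owner = by_id.get(acct.owner_emp_id)
            if owner is None:
                findings["unknown_owner"].append(acct.username)
            elif owner.status == "terminated":
                findings["terminated_owner"].append(acct.username)
        if acct.last_login is None or (today - acct.last_login).days > DORMANT_DAYS:
            findings["dormant"].append(acct.username)
        if acct.privileged:
            findings["privileged_review"].append(acct.username)
    return {k: sorted(v) for k, v in findings.items()}


def accounts_to_disable(findings: Dict[str, List[str]]) -> List[str]:
    """Accounts to remove outright: owner has left or cannot be matched."""
    return sorted(set(findings["terminated_owner"]) | set(findings["unknown_owner"]))


# Constructed sample data (not real people or systems).
SAMPLE_ROSTER = [
    Employee("E100", "active", None),
    Employee("E200", "terminated", date(2024, 1, 31)),
    Employee("E300", "active", None),
]
SAMPLE_ACCOUNTS = [
    Account("alice", "E100", False, date(2024, 3, 1)),
    Account("bob", "E200", True, date(2024, 1, 30)),      # owner left, still enabled
    Account("carol", "E999", False, date(2024, 2, 15)),   # owner id unknown to HR
    Account("svc_backup", None, True, None),              # privileged, never logged in
    Account("dave", "E300", False, date(2023, 11, 1)),    # active owner, dormant
]
AS_OF = date(2024, 3, 15)

if __name__ == "__main__":
    result = review_accounts(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, AS_OF)
    for category, names in result.items():
        print(f"{category:18s} {', '.join(names) or '-'}")
    print("disable now:", ", ".join(accounts_to_disable(result)))
```

The point of separating `accounts_to_disable` from the other findings is that only the first two categories are unambiguous: a dormant or privileged account with a valid, active owner is a question for the owner and the access review, not something a script should remove on its own. Run against the sample data it flags `bob` and `carol` for removal, `svc_backup` and `dave` as dormant, and `bob` and `svc_backup` for privileged-rights review.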
Slide 21: Access control
USER RESPONSIBILITIES
Objective: To prevent unauthorized user access.
- The co-operation of authorized users is essential for effective security
- Make users aware of their responsibilities, e.g. for password use and the security of user equipment
Slide 22: Access control
NETWORK ACCESS CONTROL
Objective: Protection of networked services.
- Control access to internal and external networked services
- To ensure that network users do not compromise the security of network services, have:
  - appropriate interfaces
  - appropriate authentication mechanisms
  - control of user access
Slide 23: Access control (remaining control areas)
- OPERATING SYSTEM ACCESS CONTROL
- APPLICATION AND INFORMATION ACCESS CONTROL
- MOBILE COMPUTING AND TELEWORKING
Slide 24: Information systems acquisition, development and maintenance
SECURITY REQUIREMENTS OF INFORMATION SYSTEMS
Objective: To ensure that security is built into information systems.
- This includes infrastructure, business applications and user-developed applications
- Identify and justify all security requirements during the requirements phase; agree and document them before development starts
Slide 25: Information systems acquisition, development and maintenance
SECURITY IN DEVELOPMENT AND SUPPORT PROCESSES
Objective: To maintain the security of application system software and information.
- Strictly control project and support environments
- Managers responsible for application systems are also responsible for the security of the project or support environment
TECHNICAL VULNERABILITY MANAGEMENT
Slide 26: Information security incident management
REPORTING INFORMATION SECURITY EVENTS AND WEAKNESSES
- Reporting information security events
- Reporting security weaknesses
MANAGEMENT OF INFORMATION SECURITY INCIDENTS AND IMPROVEMENTS
- Responsibilities and procedures
- Learning from information security incidents
- Collection of evidence
Slide 27: Business continuity management
INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT
Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.
- Business continuity management aims to reduce the disruption caused by disasters and security failures to an acceptable level
- Analyze the consequences of disasters, security failures and loss of service
- Develop and implement contingency plans
- Maintain and practice the plans
Slide 28: Compliance
COMPLIANCE WITH LEGAL REQUIREMENTS
Objective: To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements.
- There may be statutory, regulatory and contractual security requirements for the design, operation, use and management of information systems
- Seek advice on specific legal requirements from the organization's legal advisers
Slide 29: Compliance
COMPLIANCE WITH SECURITY POLICIES AND STANDARDS AND TECHNICAL COMPLIANCE
Objective: To ensure compliance of systems with organizational security policies and standards.
- Review the security of information systems regularly
- Perform reviews against the appropriate security policies and technical platforms
- Audit information systems for compliance with security implementation standards
Slide 30: Compliance
INFORMATION SYSTEMS AUDIT CONSIDERATIONS
Objective: To maximize the effectiveness of and to minimize interference to/from the system audit process.
- Controls to safeguard operational systems and audit tools during system audits
- Protect the integrity of audit tools and prevent their misuse