1. ISO 27001 Information Security Management System (ISMS)

2. Information Assets Information is an asset
like other important business assets, has value to an organisation and consequently needs to be suitably protected.
What is Information?
Current Business Plans
Future Plans
Intellectual Property (Patents, etc)
Employee Records
Customer Details
Business Partners Records
Financial Records

3. What is Information Security?
Information Security addresses
Confidentiality ( C )
Integrity ( I )
Availability (A)
Also involves
Authenticity
Accountability
Non-repudiation
Reliability

4. Enterprise/Corporate IT Hardware Resources

5. Information Security Risks
The range of risks exists
System failures
Denial of service (DOS) attacks
Misuse of resources
Internet/ /telephone
Damage of reputation
Espionage
Fraud
Viruses/spy-ware etc
Use of unlicensed software

6. Layered Security

7. Security Awareness/Culture
Sunday, April 23, 2017
Security Awareness/Culture
Security is everyone’s responsibility
All levels of management accountable
Everyone should consider in their daily roles
Attitude (willing/aims/wants/targets)
Knowledge (what to do?)
Skill (how to do?)
Security is integrated into all operations
Security performance should be measured
Need to explain:
what the program will be trying to accomplish,
how it will aim to improve the operations of the company, and
how vital the protection of Information Assets really is.
You will need to explain why "Security is everyone's responsibility", and ensure everybody understands it;
explain that even if the company has the latest technological improvements like firewalls, intrusion detection systems, etc., an uneducated staff member could easily endanger sensitive information, and render any technical security measure in place, completely and utterly useless.
Majority of people often tend to think that it is not their responsibility to help improve the security of their company.
Generally people are of the (wrong) opinion that only the IT department or Information Security Office (ISO) can and need to take care of issues like these.
ISMS Awareness

8. Security Awareness Program Flow
Sunday, April 23, 2017
Security Awareness Program Flow
Define
Implement
Elicit
Integrate
Employees
Security Awareness Program
Feedback
Activities
Company Policy
ISMS Awareness

9. Benefits of pursuing certification
Allows organizations to mitigate the risk of IS breaches
Allows organizations to mitigate the impact of IS breaches when they occur
In the event of a security breach, certification should reduce the penalty imposed by regulators
Allows organizations to demonstrate due diligence and due care
to shareholders, customers and business partners
Allows organizations to demonstrate proactive compliance to legal, regulatory and contractual requirements
as opposed to taking a reactive approach
Provides independent third-party validation of an organization’s ISMS

10. Structure of 27000 series 27000 Fundamentals & Vocabulary 27001:ISMS
27005
Risk
Management
27001:ISMS
27002 Code of Practice for ISM
27003 Implementation Guidance
27004 Metrics & Measurement
27006 Guidelines on ISMS accreditation

11. What is ISO 27001? ISO 27001 Part I ISO 27001 Part II
Code of practice for Information Security Management (ISM)
Best practices, guidance, recommendations for
Confidentiality ( C )
Integrity ( I )
Availability ( A )
ISO Part II
Specification for ISM

12. ISO 27001 Overview Mandatory Clauses (4  8)
All clauses should be applied, NO exceptions
Annex (Control Objectives and Controls )
11 Security Domains (A5  A 15)
Layers of security
39 Control Objectives
Statement of desired results or purpose
133 Controls
Policies, procedures, practices, software controls and organizational structure
To provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected
Exclusions in some controls are possible, if they can be justified???

13. Difference Between 27001:2000 and 27001:2005 Editions? Annex A
2000 Edition (10 sections)
2005 Edition (11 sections)
Security Policy
A5 - Security Policy
Security Organisation
A6 - Organising Information Security
Asset Classification & Control
A7 - Asset Management
Personnel Security
A8 - Human Resources Security
Physical & Environmental Security
A9 - Physical & Environmental Security
Communications & Operations Management
A10 - Communications & Operations Management
Access Control
A11- Access Control
Systems Development & Maintenance
A12 - Information Systems Acquisition, Development and Maintenance
A13 - Information Security Incident Management
Business Continuity Management
A14 - Business Continuity Management
Compliance
A15 - Compliance

14. ISO 27001 Implementation Steps
Decide on the ISMS scope
Approach to risk assessment
Perform GAP Analysis
Selection of controls
Statement of Applicability
Reviewing and Managing the Risks
Ensure management commitment
ISMS internal audits
Measure effectiveness and performance
Update risk treatment plans, procedures and controls

15. Plan-Do-Check-Act (PDCA)
The ISO adopts the “Plan-Do-Check-Act” (PDCA)
Applied to structure all ISMS processes
Plan Do
Check
Act

16. PDCA Model PDCA Model Plan Establish ISMS
Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving IS to deliver results in accordance with an organization’s overall policies and objectives Do
Implement and operate ISMS
Implement and operate ISMS policy, controls, processes and procedures
Check
Monitor and review ISMS
Asses, and where applicable, measure process performance against ISMS policy, objectives and practical experience and report the results to management for review
Act
Maintain and improve ISMS
Take corrective actions, based on the results of the internal audit and management review or other relevant information, to achieve continual improvement of ISMS

17. ISO 27001 (Requirements) Standard Content
Sunday, April 23, 2017
Introduction
Section 0
Scope
Section 1
Normative references
Section 2
Terms and definitions
Section 3
Plan
Section 4 to plan the establishment of your organization’s ISMS. Do
Section 5 to implement, operate, and maintain your ISMS.
Check
Sections 6 and 7 to monitor, measure, audit, and review your ISMS.
Act
Section 8 to take corrective and preventive actions to improve your ISMS.
Annex A (Clauses A.5 to A.15)
ISMS Awareness

18. ISO 27001 PDCA Approach Plan: Study requirements Draft an IS Policy
Sunday, April 23, 2017
ISO PDCA Approach
Plan:
Study requirements
Draft an IS Policy
Discuss in IS Forum (committee)
Finalize and approve the policy
Establish implementation procedure
Staff awareness/training
Do:
Implement the policy
Check:
Monitor, measure, & audit the process
Act:
Improve the process
ISMS Awareness

19. ISMS Scope Business security policy and plans
Current business operations requirements
Future business plans and requirements
Legislative requirements
Obligations and responsibilities with regard to security contained in SLAs
The business and IT risks and their management

20. A Sample List of IS Policies
Overall ISMS policy
Access control policy
policy
Internet policy
Anti-virus policy
Information classification policy
Use of IT assets policy
Asset disposal policy

21. The C.I.A. triangle is made up of:
Confidentiality
Integrity
Availability
(Over time the list of characteristics has expanded, but these 3 remain central)

22. CIA + Confidentiality Integrity Availability Privacy Identification
Authentication
Authorization
Accountability

23. Confidentiality of information ensures that only those with sufficient privileges may access certain information.
To protect confidentiality of information, a number of measures may be used, including:
 Information classification
 Secure document storage
 Application of general security policies
 Education of information custodians
& end users

24. Integrity is the quality or state of being whole, complete, & uncorrupted.
The integrity of information is threatened
when it is exposed
to corruption, damage, destruction,
or other disruption of its authentic state.
Corruption can occur
while information is being
compiled, stored, or transmitted.

25. Availability is making information accessible to user access
without interference or obstruction
in the required format.
A user in this definition may be either
a person
or another computer system.
Availability means
availability to authorized users.

26. Information is to be used only for purposes known to the data owner.
Privacy
Information is to be used
only
for purposes known to the data owner.
This does not focus
on freedom from observation,
but rather
that information will be used
in ways known to the owner.

27. Information systems possess the characteristic of identification
when they are able
to recognize individual users.
Identification and authentication
are essential to establishing
the level of access or authorization
that an individual is granted.

28. AAA

29. Authentication occurs when a control provides proof
that a user possesses
the identity that he or she claims.

30. After the identity of a user is authenticated,
a process called authorization
provides assurance that the user
(whether a person or a computer)
has been specifically & explicitly authorized
by the proper authority
to access, update, or delete
the contents of an information asset.

31. The characteristic of accountability exists when a control
provides assurance
that every activity undertaken
can be attributed
to a named person or automated process.

32. To review ... CIA + Confidentiality Integrity Availability Privacy
Identification
Authentication
Authorization
Accountability

33. Think about your home computer. How do you secure it?
How do you guarantee
confidentiality, integrity, & availability?

34. NSTISSC Security Model
If we extend the relationship among the 3 dimensions represented by the axes, we end up with a 3 × 3 × 3 cube with 27 cells.
Each of these cells represents an area of intersection among these 3 dimensions that must be addressed to secure information systems.
When using this model to design or review any information security program, you must make sure that each of the 27 cells is properly addressed by each of the 3 communities of interest.

35. Two well-known approaches to management: Traditional management theory
using principles of
planning, organizing, staffing, directing, & controlling (POSDC).
Popular management theory
management into planning, organizing, leading, & controlling (POLC).

37. Planning is the process that develops, creates, & implements
strategies
for the accomplishment of objectives.
Three levels of planning:
1. Strategic
2. Tactical
3. Operational

38. with the strategic plan for the whole organization.
In general,
planning begins
with the strategic plan
for the whole organization.
To do this successfully,
an organization must thoroughly define
its goals & objectives.

39. structuring of resources to support the accomplishment of objectives.
Organization:
structuring of resources
to support
the accomplishment of objectives.
Organizing tasks requires determining:
 What is to be done
 In what order
 By whom
 By which methods
 When

40. Leadership encourages the implementation
of the planning and organizing functions,
including supervising
employee behavior, performance, attendance, & attitude.
Leadership generally addresses
the direction and motivation
of the human resource.

41. Control is monitoring progress toward completion
& making necessary adjustments
to achieve the desired objectives.
Controlling function determines
what must be monitored as well
using specific control tools
to gather and evaluate information.

42. Four categories of control tools:
Information
Financial
Operational
Behavioral

43. The Control Process

44. How to Solve Problems Step 1: Recognize & define the problem Step 2:
Gather facts & make assumptions
Step 3: Develop possible solutions
Step 4:
Analyze & compare possible solutions
Step 5:
Select, implement, & evaluate a solution

45. Feasibility Analyses Economic feasibility assesses
costs & benefits of a solution
Technological feasibility assesses
an organization’s ability
to acquire & manage a solution
Behavioral feasibility assesses
whether members of an organization
will support a solution
Operational feasibility assesses
if an organization can integrate a solution

46. Extended characteristics or principles
of infosec management (AKA, the 6 P’s)
Planning
Policy
Programs
Protection
People
Project Management

47. as part of InfoSec management is an extension
1. Planning
as part of InfoSec management
is an extension
of the basic planning model
discussed earlier in this chapter.
Included in the InfoSec planning model
are activities necessary to support
the design, creation, and implementation
of information security strategies
as they exist
within the IT planning environment.

48. Several types of InfoSec plans exist: Incident response
Business continuity
Disaster recovery
Policy
Personnel
Technology rollout
Risk management
Security program,
including education, training, & awareness

49. set of organizational guidelines that dictates certain behavior
2. Policy:
set of organizational guidelines
that dictates certain behavior
within the organization.
In InfoSec, there are
3 general categories of policy:
1. General program policy
(Enterprise Security Policy)
2. An issue-specific security policy (ISSP)
3. System-specific policies (SSSPs)

50. specific entities managed in the information security domain.
3. Programs:
specific entities managed
in the information security domain.
One such entity:
security education training & awareness
(SETA)
program.
Other programs that may emerge include
the physical security program,
complete with fire, physical access,
gates, guards, & so on.

51. Risk management activities, including risk assessment and control,
4. Protection:
Risk management activities,
including risk assessment and control,
as well as protection mechanisms, technologies, & tools.
Each of these mechanisms
represents some aspect
of the management of specific controls
in the overall information security plan.

52. are the most critical link in the information security program.
5. People
are the most critical link
in the information security program.
It is imperative
that managers continuously recognize
the crucial role that people play.
Includes information security personnel and the security of personnel, as well as aspects of the SETA program.

53. 6. Project management discipline should be present throughout
all elements
of the information security program.
This involves:
 Identifying and controlling
the resources applied to the project
 Measuring progress
& adjusting the process
as progress is made toward the goal

54. Communities of interest CIA+
In summation:
Communities of interest
CIA+
Planning, Organizing, Leading, Controlling
Principles of infosec management
(the 6 P’s)