Page 1: How to Apply ISO/IEC 27001 Compliantly in Your Organization's Environment (如何在您的組織環境中合規應用ISO/IEC27001)

Practical Implementation of ISO/IEC 27001 in Your Environment

Date: 26th Oct, 2016

Page 2

The contents of this document remain the property of Nexusguard Consulting Ltd and may not be reproduced in whole or in part without the express permission of Nexusguard Consulting Ltd. For information please contact Nexusguard Consulting Ltd.


About Me

Experience & Specialities
• Ronald is an Information Security Professional who has 18 years of experience in this business. His areas of responsibility have included Information Security Management, Compliance Audit, Computer Forensics, Anti-Hacking, Training and Classical Cryptography. Ronald has an outstanding track record in the Information Technology field and has helped enhance the reputations of firms and organisations in International Banking, Finance, Government, Education, Manufacturing and Law Enforcement in the Greater China Area.

• Professional Field: Computer Forensic Investigator / Professional Lecturer / Information Security and Hacking Expert / Credit Card Payment Security Professional / Inventor / Classical Cryptographer

• Professional certificates:
  • Payment Card Application Security Assessor (PAQSA)
  • PCI Qualified Security Assessor (PCI QSA)
  • PCI Approved Scanning Vendor (ASV)
  • ISO/IEC 27001 ISMS Lead Auditor Certificate
  • ISO/IEC 20000 ITSM Auditor

• Membership:
  • British Computer Society (BCS)
  • Institute of Electrical and Electronics Engineers (IEEE)
  • Chinese Association for Cryptologic Research (CACR, 中国密码学会)
  • International Register of Certificated Auditors (IRCA)
  • Hong Kong Information and System Security Professional Association (HKISSP)
  • Information System Security Association (ISSA)
  • Payment Card Industry Professional (PCIP)
  • International Association for Cryptologic Research (IACR)
  • Hong Kong Public Key Infrastructure Forum (HKPKI)

Ronald Pong

Page 3

Practical Implementation of ISO/IEC 27001 in Your Environment

Agenda

• ISO/IEC 27000:2014 or ISO/IEC 27001:2013, what is the difference?
• The difference between the various documents in the ISO/IEC 27000:2014 series. How do we use them?
• All you need is ISO 27001, 27002, 27003, 27004 and 27005
• Do you know what the difference is between Vulnerability and Threat?
• Process is everything, what is your major business process? Let us learn more from ISO/IEC 27005:2011
• Develop the Threat Model based on the ISO/IEC 27004 Requirement
• Using ISO/IEC 27005:2011 as Impact Analysis and Risk Assessment Requirement
• Q&A

Page 4

ISO/IEC 27000 : 2014 or ISO/IEC 27001:2013, what is the difference?

• ISO/IEC 27000 is part of a growing family of ISO/IEC Information Security Management Systems (ISMS) standards, the 'ISO/IEC 27000 series'. ISO/IEC 27000 is an international standard entitled: Information technology — Security techniques — Information security management systems — Overview and vocabulary.

• The standard was developed by sub-committee 27 (SC27) of the first Joint Technical Committee (JTC1) of the International Organization for Standardization and the International Electrotechnical Commission.

• ISO/IEC 27000 provides:
  • An overview of and introduction to the entire ISO/IEC 27000 family of Information Security Management Systems (ISMS) standards.
  • A glossary or vocabulary of fundamental terms and definitions used throughout the ISO/IEC 27000 family.

The ISO/IEC 27000 family of standards (figure on the slide):

Terminology
• 27000: Overview and Vocabulary. Provides background, terms and definitions applicable to the ISMS Family of Standards.

General Requirements
• 27001: Requirements
• 27006: Certification Body Requirements

General Guidelines
• 27002: Code of Practice
• 27003: Implementation Guidance
• 27004: Measurements
• 27005: Risk Management
• 27007: Audit Guidelines
• 27013: Guideline on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001

Sector-specific Guidelines
• 27011: Telecommunications Organization
• 27799: Health Organization

Also shown
• 27037: Guidelines for identification, collection and/or acquisition and preservation of digital evidence

Page 5

ISO 27001:2013 is an information security standard that was published on the 25th September 2013. It supersedes ISO/IEC 27001:2005, and is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27. It is a specification for an information security management system (ISMS). Organisations which meet the standard may gain an official certification issued by an independent and accredited certification body on successful completion of a formal audit process.

ISO/IEC 27000 : 2014 or ISO/IEC 27001:2013, what is the difference?

Structure of ISO/IEC 27001:2013 (figure on the slide):
• Information security management systems: 10 clauses, of which clauses 4 to 10 carry the auditable requirements
• + Annex A: list of controls and their objectives: 114 reference controls in 14 domains with 35 control objectives. These are not 114 additional "requirements"; the requirement (clause 6.1.3) is to compare your selected controls against Annex A and justify in the Statement of Applicability any that are excluded.

Page 6

Do you know what the difference is between Vulnerability and Threat?

Information Security Risk Management

Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization. - CISA 2006 Review Manual

• Risk: the likelihood that something bad will happen that causes harm to an informational asset (or the loss of the asset).
• Vulnerability: a weakness that could be used to endanger or cause harm to an informational asset.
• Threat: anything (man-made or act of nature) that has the potential to cause harm.
• The two only produce a risk together: a threat needs a vulnerability to exploit, and a vulnerability with no corresponding threat is not (yet) a risk.
• Management: the term "management" characterizes the process of and/or the personnel leading and directing all or part of an organization (often a business) through the deployment and manipulation of resources (human, capital, natural, intellectual or intangible).
• Process: the process of risk management is an ongoing iterative process. It must be repeated indefinitely.
• Choice of control: a control used to manage risks must strike a balance between productivity, cost, effectiveness of the countermeasure, and the value of the informational asset being protected.

Page 7

All you need is ISO 27001, 27002, 27003, 27004 and 27005

MUST
• ISO/IEC 27001 — Information technology - Security Techniques - Information security management systems

MAJOR REFERENCE
• ISO/IEC 27002 — Code of practice for information security management
• ISO/IEC 27003 — Information security management system implementation guidance
• ISO/IEC 27004 — Information security management — Measurement
• ISO/IEC 27005 — Information security risk management

SUPPORTIVE
• ISO/IEC 27006 — Requirements for bodies providing audit and certification of information security management systems
• ISO/IEC 27007 — Guidelines for information security management systems auditing
• ISO/IEC 27035 — Information security incident management
• ISO/IEC 27037 — Guidelines for identification, collection, acquisition and preservation of digital evidence

Page 8

All you need is ISO 27001, 27002, 27003, 27004 and 27005

Page 9

Process is everything, what is your major business process? Let us learn more from ISO/IEC 27005 : 2011

Scoping is everything (ISO 27005, page 28): OBJECTIVE

Page 10

Process is everything, what is your major business process? Let us learn more from ISO/IEC 27005 : 2011

The scope and boundaries

• The organization should define the scope and boundaries of information security risk management.
• The scope of the information security risk management process needs to be defined to ensure that all relevant assets are taken into account in the risk assessment. In addition, the boundaries need to be identified [see also ISO/IEC 27001 Clause 4.2.1 a); this is the 2005 edition's clause numbering, which ISO/IEC 27005:2011 cites, and corresponds to clause 4.3 in ISO/IEC 27001:2013] to address those risks that might arise through these boundaries.
• Information about the organization should be collected to determine the environment it operates in and its relevance to the information security risk management process.
• When defining the scope and boundaries, the organization should consider the following information:
  • The organization's strategic business objectives, strategies and policies
  • Business processes
  • The organization's functions and structure
  • Legal, regulatory and contractual requirements applicable to the organization
  • The organization's information security policy
  • The organization's overall approach to risk management
  • Information assets
  • Locations of the organization and their geographical characteristics
  • Constraints affecting the organization
  • Expectations of stakeholders
  • Socio-cultural environment
  • Interfaces (i.e. information exchange with the environment)
• Additionally, the organization should provide justification for any exclusion from the scope. Examples of the risk management scope may be an IT application, IT infrastructure, a business process, or a defined part of an organization.

Scoping is everything (ISO 27005, page 28)

SCOPING: constraints affecting the organization (figure on the slide)
• Financial constraints
• Environmental constraints
• Time constraints
• Constraints related to methods and know-how
• Organization constraints
• Organizational constraints: Operation, Maintenance, Human resources management, Development management, Administrative management

Page 11

Develop the Threat Model based on the ISO/IEC 27004 requirement

MEASUREMENT OF INFORMATION SECURITY MANAGEMENT SYSTEM

How to Measure the Effectiveness of Security in ISO 27001

Objective of Measurement
• To show ongoing improvement;
• To show compliance (with Standards, contracts, SLAs, OLAs, etc.);
• To justify any future expenditure (new security software, training, people, etc.);
• ISO 27001 requires it. Other Management Systems also require it: ISO 9001, ISO 20000;
• To identify where implemented controls are not effective in meeting their objectives;
• To provide confidence to senior management and stakeholders that implemented controls are effective.

So, which of the 114 potentially applicable controls (within ISO 27001) can be used to measure security? Well, arguably, all of them. In practice, though, this would invariably be too onerous a task and would cause an already overworked IT Department to crumble under the weight of bureaucracy. Before we attempt to answer this question, then, we should always understand the requirement for such clarity.
• Why are you being asked to provide such information?
• What is the driver?
• Where does the requirement come from?

Other drivers may exist, too. It could be that the company has just realized that you can get more from ISO 27001, or perhaps it's operational risk management such as BASEL II, SOX, Turnbull (UK Corporate Governance) or simply Regulatory requirements and Legislation that's driving your business. Either way, you're not alone. Many organizations (but not all) misunderstand the fundamental concepts behind BS 7799 and ISO 27001 and have treated it as a marketing exercise, as opposed to trying to achieve real business benefit and ROI. ISO 27001 provides much more clarity and goes further into what should be measured for its effectiveness. As such, the much anticipated ISO 27004 (guidelines on how to measure effectiveness) in 2007 should finally put an end to this 'grey' area and will hopefully shed much needed light onto the types of controls to be measured and what results we should expect (e.g. Industry Baseline). [Editor's note: ISO/IEC 27004 was in fact first published in 2009 and revised in 2016.]

Page 12

MEASUREMENT OF INFORMATION SECURITY MANAGEMENT SYSTEM

Develop the Threat Model based on the ISO/IEC 27004 requirement

ISO 27004 Information technology - Security techniques - Information security management — Measurement

Page 13

Develop the Threat Model based on the ISO/IEC 27004 requirement

Page 14

Develop the Threat Model based on the ISO/IEC 27004 requirement

Page 15

Develop the Threat Model based on the ISO/IEC 27004 requirement

In risk assessment methods of this type, actual or proposed physical assets are valued in terms of replacement or reconstruction costs (i.e. quantitative measurements). These costs are then converted onto the same qualitative scale as that used for information (see below). Actual or proposed software assets are valued in the same way as physical assets, with purchase or reconstruction costs identified and then converted to the same qualitative scale as that used for information. Additionally, if any application software is found to have its own intrinsic requirements for confidentiality or integrity (for example if source code is itself commercially sensitive), it is valued in the same way as for information.

• The values for information are obtained by interviewing selected business management (the "data owners") who can speak authoritatively about the data, to determine the value and sensitivity of the data actually in use, or to be stored, processed or accessed. The interviews facilitate assessment of the value and sensitivity of the information in terms of the worst case scenarios that could be reasonably expected to happen from adverse business consequences due to unauthorized disclosure, unauthorized modification, non-availability for varying time periods, and destruction.
• The valuation is accomplished using information valuation guidelines, which cover such issues as:
  • Personal safety
  • Personal information
  • Legal and regulatory obligations
  • Law enforcement
  • Commercial and economic interests
  • Financial loss / disruption of activities
  • Public order
  • Business policy and operations
  • Loss of goodwill
  • Contract or agreement with a customer
• The guidelines facilitate identification of the values on a numeric scale, such as the 0 to 4 scale shown in the example matrix below, thus enabling the recognition of quantitative values where possible and logical, and qualitative values where quantitative values are not possible, e.g. for endangerment of human life. (The 0 to 4 asset value scale is the row index of the asset/threat/vulnerability matrix described on the following pages; the 2x2 matrix on this slide is a generic impact-versus-probability view.)

Standard Risk Matrix (figure on the slide: IMPACT on the vertical axis, PROBABILITY from 0% to 100% on the horizontal axis, split at impact 8 and probability 50%)
• High impact (8 and above), low probability (below 50%): high impact, low probability risks
• High impact (8 and above), high probability (above 50%): high impact, high probability risks
• Low impact (below 8), low probability (below 50%): low impact, low probability risks
• Low impact (below 8), high probability (above 50%): low impact, high probability risks

Page 16

Develop the Threat Model based on the ISO/IEC 27004 requirement

Page 17

Develop the Threat Model based on the ISO/IEC 27004 requirement

• For each asset, the relevant vulnerabilities and their corresponding threats are considered. If there is a vulnerability without a corresponding threat, or a threat without a corresponding vulnerability, there is presently no risk (but care should be taken in case this situation changes). Now the appropriate row in the matrix is identified by the asset value, and the appropriate column is identified by the likelihood of the threat occurring and the ease of exploitation. (The matrix meant here is Table E.1a in ISO/IEC 27005:2011 Annex E: rows are asset values 0 to 4, columns are threat likelihood Low/Medium/High combined with ease of exploitation Low/Medium/High, and each cell holds a risk measure from 0 to 8.) For example, if the asset has the value 3, the threat is "high" and the vulnerability "low", the measure of risk is 5. Assume an asset has a value of 2, e.g. for modification, the threat level is "low" and the ease of exploitation is "high", then the measure of risk is 4. The size of the matrix, in terms of the number of threat likelihood categories, ease of exploitation categories and the number of asset valuation categories, can be adjusted to the needs of the organization. Additional columns and rows will necessitate additional risk measures. The value of this approach is in ranking the risks to be addressed.

Page 18

Develop the Threat Model based on the ISO/IEC 27004 requirement

• A similar matrix, as shown in the previous table, results from the consideration of the likelihood of an incident scenario, mapped against the estimated business impact. The likelihood of an incident scenario is given by a threat exploiting a vulnerability with a certain likelihood. The table maps this likelihood against the business impact related to the incident scenario. The resulting risk is measured on a scale of 0 to 8 that can be evaluated against risk acceptance criteria. This risk scale could also be mapped to a simple overall risk rating, for example as:
  • Low risk: 0-2
  • Medium risk: 3-5
  • High risk: 6-8
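The matrix described on the previous page (asset value 0 to 4 as rows, threat likelihood and ease of exploitation as columns, risk measure 0 to 8) and the Low/Medium/High bands above can be turned into a small ranking tool. The following Python is an added example, not code from the slides or from ISO/IEC 27005. It assumes the full matrix is additive (risk = asset value + threat level + ease level, with Low = 0, Medium = 1, High = 2), which is the shape of Table E.1a in ISO/IEC 27005:2011 Annex E and reproduces both worked cases quoted on the slide (value 3, threat high, vulnerability low gives 5; value 2, threat low, ease high gives 4). The asset register it runs over is constructed for illustration.

```python
"""Risk estimation and ranking with the ISO/IEC 27005 Annex E style matrix.

Added example. Assumption (not stated on the slide): the 5 x 9 matrix is
additive, risk = asset value (0-4) + threat likelihood (L=0, M=1, H=2)
+ ease of exploitation (L=0, M=1, H=2), giving the 0-8 scale.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

LEVEL = {"low": 0, "medium": 1, "high": 2}


def risk_measure(asset_value: int, threat_likelihood: str, ease_of_exploitation: str) -> int:
    """Cell of the matrix: row = asset value, column = (threat, ease)."""
    if not 0 <= asset_value <= 4:
        raise ValueError("asset value must be on the 0-4 scale")
    return asset_value + LEVEL[threat_likelihood.lower()] + LEVEL[ease_of_exploitation.lower()]


def risk_rating(measure: int) -> str:
    """Overall rating bands from the slide: Low 0-2, Medium 3-5, High 6-8."""
    if measure <= 2:
        return "Low"
    if measure <= 5:
        return "Medium"
    return "High"


@dataclass
class Scenario:
    asset: str
    asset_value: int                      # 0-4 from the valuation interviews
    threat: Optional[str]                 # None = no threat identified for this asset
    threat_likelihood: Optional[str]
    vulnerability: Optional[str]          # None = no vulnerability identified
    ease_of_exploitation: Optional[str]


def estimate(s: Scenario) -> Optional[int]:
    """Return the risk measure, or None when there is presently no risk:
    a vulnerability without a threat, or a threat without a vulnerability."""
    if s.threat is None or s.vulnerability is None:
        return None
    return risk_measure(s.asset_value, s.threat_likelihood, s.ease_of_exploitation)


def rank(scenarios: List[Scenario]) -> List[Tuple[str, str, int, str]]:
    """Rank the scenarios that carry a risk, highest measure first."""
    scored = [(estimate(s), s) for s in scenarios]
    ranked = [(m, s) for m, s in scored if m is not None]
    ranked.sort(key=lambda ms: ms[0], reverse=True)
    return [(s.asset, s.threat, m, risk_rating(m)) for m, s in ranked]


# Constructed sample register (hypothetical assets, not from the slide).
REGISTER = [
    Scenario("customer database", 4, "SQL injection via web app", "high",
             "unvalidated input handling", "high"),
    Scenario("source code repo", 3, "credential theft", "high",
             "no MFA on the VCS", "low"),
    Scenario("payroll export", 2, "insider modification", "low",
             "shared service account", "high"),
    # vulnerability with no corresponding threat: no risk yet, keep for re-assessment
    Scenario("office printer", 1, None, None, "default admin password", "high"),
]

if __name__ == "__main__":
    for asset, threat, measure, rating in rank(REGISTER):
        print(f"{measure}  {rating:<6} {asset}: {threat}")
```

Scenarios missing either a threat or a vulnerability are reported as carrying no risk yet, matching the caveat on the previous page; they should stay in the register so that a later iteration picks them up when the situation changes.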

Page 19

Develop the Threat Model based on the ISO/IEC 27004 requirement

Page 20

Develop the Threat Model based on the ISO/IEC 27004 requirement

Page 21

Develop the Threat Model based on the ISO/IEC 27004 requirement with 27005 Risk Assessment Method

RISK ASSESSMENT process (ISO/IEC 27005 flow, figure on the slide)
• CONTEXT ESTABLISHMENT
• RISK ASSESSMENT
  • RISK ANALYSIS: RISK IDENTIFICATION, then RISK ESTIMATION
  • RISK EVALUATION
  • RISK DECISION POINT 1: ASSESSMENT SATISFACTORY? NO: go back for another iteration; YES: continue
• RISK TREATMENT
  • RISK DECISION POINT 2: TREATMENT SATISFACTORY? NO: go back for another iteration; YES: continue
• RISK ACCEPTANCE
• END OF FIRST OR SUBSEQUENT ITERATION
• RISK COMMUNICATION and RISK MONITORING AND REVIEW run alongside every step

Impact criteria
• Impact criteria should be developed and specified in terms of the degree of damage or costs to the organization caused by an information security event, considering the following:
  • Level of classification of the impacted information asset
  • Breaches of information security (e.g. loss of confidentiality, integrity and availability)
  • Impaired operations (internal or third parties)
  • Loss of business and financial value
  • Disruption of plans and deadlines
  • Damage of reputation
  • Breaches of legal, regulatory or contractual requirements
• NOTE: See also ISO/IEC 27001 [Clause 4.2.1 d) 4)] concerning the impact criteria identification for losses of confidentiality, integrity and availability. (2005 edition clause numbering; the corresponding requirement in ISO/IEC 27001:2013 is clause 6.1.2.)

Page 22

Develop the Threat Model based on the ISO/IEC 27004 requirement with 27005 Risk Assessment Method

RISK ASSESSMENT process with the output of each step (figure on the slide)
• CONTEXT ESTABLISHMENT: risk evaluation criteria, risk acceptance criteria, the scope and boundaries, organization for information security risk management
• RISK ASSESSMENT
  • RISK ANALYSIS
    • RISK IDENTIFICATION: assets, threats, vulnerabilities, controls
    • RISK ESTIMATION: qualitative / quantitative estimation
  • RISK EVALUATION: prioritized risks according to risk evaluation criteria
  • Decision point: assessment satisfactory? NO: iterate; YES: continue
• RISK TREATMENT: risk reduction, risk retention, risk avoidance, risk transfer
  • Decision point: treatment satisfactory? NO: iterate; YES: continue
• RISK ACCEPTANCE
• RISK COMMUNICATION (throughout)
• RISK MONITORING AND REVIEW (throughout): monitoring and review of risk factors; risk management monitoring, reviewing and improving

Page 23

Develop the Threat Model based on the ISO/IEC 27004 requirement with 27005 Risk Assessment Method

Page 24

Develop the Threat Model based on the ISO/IEC 27004 requirement

Risk acceptance criteria
• Risk acceptance criteria should be developed and specified. Risk acceptance criteria often depend on the organization's policies, goals, objectives and the interests of stakeholders. An organization should define its own scales for levels of risk acceptance. The following should be considered during development:
  • Risk acceptance criteria may include multiple thresholds, with a desired target level of risk, but provision for senior managers to accept risks above this level under defined circumstances
  • Risk acceptance criteria may be expressed as the ratio of estimated profit (or other business benefit) to the estimated risk
  • Different risk acceptance criteria may apply to different classes of risk, e.g. risks that could result in non-compliance with regulations or laws may not be accepted, while acceptance of high risks may be allowed if this is specified as a contractual requirement
  • Risk acceptance criteria may include requirements for future additional treatment, e.g. a risk may be accepted if there is approval and commitment to take action to reduce it to an acceptable level within a defined time period
  • Risk acceptance criteria may differ according to how long the risk is expected to exist, e.g. the risk may be associated with a temporary or short term activity
• Risk acceptance criteria should be set up considering the following:
  • Business criteria
  • Legal and regulatory aspects
  • Operations
  • Technology
  • Finance
  • Social and humanitarian factors
• NOTE: Risk acceptance criteria correspond to "criteria for accepting risks and identify the acceptable level of risk" specified in ISO/IEC 27001 Clause 4.2.1 c) 2). (2005 edition clause numbering; in ISO/IEC 27001:2013 this is clause 6.1.2 a).)
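To show how the criteria above interact once they are written down, here is an added Python example (not from the slides or from ISO/IEC 27005) that evaluates a risk on the 0 to 8 scale used earlier in the deck against a set of acceptance criteria: a target level, a higher ceiling for senior-management acceptance justified by a benefit-to-risk ratio, a separate ceiling for short-term activities, a class rule that never accepts legal or regulatory non-compliance above target, contractual acceptance of high risk, and time-bound acceptance conditional on a committed reduction plan. All thresholds, class names and the precedence of the rules are assumptions chosen for illustration.

```python
"""Risk acceptance decision against multi-threshold criteria (added example).

All numbers, class names and rule precedence are constructed for illustration;
they are not taken from ISO/IEC 27005 or the slides.
Risk measures are on the 0-8 scale (Low 0-2, Medium 3-5, High 6-8).
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AcceptanceCriteria:
    target_level: int = 2          # desired target level: accepted without escalation
    executive_ceiling: int = 5     # senior managers may accept up to this, under conditions
    temporary_ceiling: int = 4     # tolerance for short-term activities
    temporary_max_days: int = 30   # what counts as "short-term"
    remediation_max_days: int = 90 # accept above target only with a committed reduction plan


@dataclass
class RiskCandidate:
    name: str
    measure: int                                # 0-8 from the risk estimation matrix
    risk_class: str = "general"                 # "legal", "contractual" or "general"
    benefit_to_risk: Optional[float] = None     # estimated benefit / estimated risk
    executive_approval: bool = False            # senior manager has signed off
    contract_requires: bool = False             # a contract explicitly requires carrying the risk
    duration_days: Optional[int] = None         # set when tied to a temporary activity
    remediation_plan_days: Optional[int] = None # committed days to reduce the risk, if any


@dataclass
class Decision:
    accepted: bool
    reason: str
    conditions: List[str] = field(default_factory=list)


def decide(r: RiskCandidate, c: AcceptanceCriteria = AcceptanceCriteria()) -> Decision:
    # 1. Class rules come first: regulatory non-compliance is never accepted above target,
    #    so no later override can reach it.
    if r.risk_class == "legal" and r.measure > c.target_level:
        return Decision(False, "legal/regulatory risk above target level is not acceptable")
    # 2. Within the target level: accepted outright.
    if r.measure <= c.target_level:
        return Decision(True, "within target level of risk")
    # 3. High risk may be accepted when a contract explicitly requires it.
    if r.risk_class == "contractual" and r.contract_requires:
        return Decision(True, "accepted as a specified contractual requirement",
                        ["record the contract clause in the risk register"])
    # 4. Short-term activities get their own ceiling and a mandatory re-assessment date.
    if (r.duration_days is not None and r.duration_days <= c.temporary_max_days
            and r.measure <= c.temporary_ceiling):
        return Decision(True, "temporary activity within temporary ceiling",
                        [f"re-assess after {r.duration_days} days"])
    # 5. Above target but with a committed reduction within the allowed period.
    if r.remediation_plan_days is not None and r.remediation_plan_days <= c.remediation_max_days:
        return Decision(True, "accepted pending committed reduction to target level",
                        [f"reduce to <= {c.target_level} within {r.remediation_plan_days} days"])
    # 6. Senior-management override up to the executive ceiling, with benefit justification.
    if r.executive_approval and r.measure <= c.executive_ceiling:
        if r.benefit_to_risk is not None and r.benefit_to_risk >= 1.0:
            return Decision(True, "accepted by senior management with benefit justification",
                            ["document the approval and the benefit-to-risk ratio"])
        return Decision(False, "executive approval present but benefit-to-risk ratio not justified")
    return Decision(False, "above target level with no qualifying acceptance condition; treat the risk")


if __name__ == "__main__":
    # Constructed candidates for illustration.
    for cand in [RiskCandidate("audit log gap", 7, risk_class="legal", executive_approval=True, benefit_to_risk=3.0),
                 RiskCandidate("legacy FTP for a partner", 7, risk_class="contractual", contract_requires=True),
                 RiskCandidate("conference demo network", 4, duration_days=10),
                 RiskCandidate("unpatched intranet app", 5, remediation_plan_days=60)]:
        d = decide(cand)
        print(f"{cand.name}: {'ACCEPT' if d.accepted else 'REJECT'} ({d.reason}) {d.conditions}")
```

The order of the checks is the point: the legal-class prohibition is tested before any override, so an executive approval cannot accept a regulatory non-compliance, and time-bound acceptance returns a condition that has to be tracked to its deadline in the risk register rather than silently becoming permanent.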

Page 25

How about 27002 and 27003 ?

• How to establish security requirements
• It is essential that an organisation identifies its security requirements. There are three main sources of security requirements.
  1. One source is derived from assessing risks to the organisation, taking into account the organisation's overall business strategy and objectives. Through a risk assessment, threats to assets are identified, vulnerability to and likelihood of occurrence is evaluated and potential impact is estimated.
  2. Another source is the legal, statutory, regulatory, and contractual requirements that an organisation, its trading partners, contractors, and service providers have to satisfy, and their socio-cultural environment.
  3. A further source is the particular set of principles, objectives and business requirements for information processing that an organisation has developed to support its operations.

• Assessing security risks
• Security requirements are identified by a methodical assessment of security risks. Expenditure on controls needs to be balanced against the business harm likely to result from security failures.
• The results of the risk assessment will help to guide and determine the appropriate management action and priorities for managing information security risks, and for implementing controls selected to protect against these risks.
• Risk assessment should be repeated periodically to address any changes that might influence the risk assessment results. More information about the assessment of security risks can be found in clause 4.1 "Assessing security risks" (ISO/IEC 27002:2005 clause numbering).

Page 26

How about 27002 and 27003 ?


• Selecting controls
• Once security requirements and risks have been identified and decisions for the treatment of risks have been made, appropriate controls should be selected and implemented to ensure risks are reduced to an acceptable level. Controls can be selected from this standard or from other control sets, or new controls can be designed to meet specific needs as appropriate. The selection of security controls is dependent upon organisational decisions based on the criteria for risk acceptance, risk treatment options, and the general risk management approach applied to the organisation, and should also be subject to all relevant national and international legislation and regulations.
• Some of the controls in this standard can be considered as guiding principles for information security management and applicable for most organisations. They are explained in more detail below under the heading "Information security starting point".
• More information about selecting controls and other risk treatment options can be found in clause 4.2 "Treating security risks" (ISO/IEC 27002:2005 clause numbering).

Page 27

How about 27006 and 27007?

Page 28

How about 27006 and 27007?

Page 29

How about 27006 and 27007?

Page 30

Q&A