Strategies for Managing Information Risk Utilizing ISOIEC 2700127002

1
Strategies for Managing Information
Risk-Utilizing ISO/IEC 27001/27002

• Dec 10, 2008

Tom Witwicki Director, Information Security
2
Agenda

• The need for IS Governance
• The ISO Framework
• ISO/IEC 27001
• ISO/IEC 27002
• The Hannaford ISMS Roadmap
• A Controls Framework
• Information Security Organization Mission and
  Structure
• Discussion/Questions/Lessons Learned

3
Information Security Governance

• How can an organization make good decisions about
  information risk?
• Risks identified, mitigated, accepted equals
  security
• Information Security is a business requirement
• CIA Confidentiality, Integrity, Availability
• PCI, HIPAA, SOX, State Privacy Regulations
• Impact of loss of security on an organization is
  extreme
• Damage to brand, share price
• Direct costs
• Litigation Liability
• FTC actions
• Unavailable critical business processes
• Business awareness of impact is key

4
What is the ISO Framework?

• International Organization for Standardization
• Governance - ISO 27001
• Establishing and Operating the ISMS Plan, DO,
  Check, Act
• Management commitment and involvement
• Information Asset Ownership
• Controls ISO 27002
• Deterrent
• Preventative
• Detective
• Corrective
• Recovery
• Compensating
• Available for download as Intellectual Property

5
What is ISO 27001?

• A management process to evaluate, implement and
  maintain an Information Security Management
  System (ISMS).
• An internationally recognized structured
  methodology dedicated to information security.
• A comprehensive set of controls (ISO 27002)
  comprised of best practices in information
  security.
• A standard that can be customized to address the
  level of risk (or vulnerability), that could
  cause negative business impact should it not be
  addressed.
• Certification available

6
Information Security Management System (ISMS)The
Security Program
Do Implement and Operate Controls Measure

• Charge the ISGC (Mission Statement)
• Scope and Boundaries
• Define the ISMS Policy
• Identify a Risk Assessment methodology
• Develop criteria for accepting risks
• Identify Risks (Risk Assessment)
• Analyze and evaluate risks
• Develop Risk Treatment Plan
• Select Control Objectives and Controls
• Prepare a Statement of Applicability

• Implement the Risk Treatment Plan
• Measure the effectiveness of controls
• Implement an Incident Response process

Plan Establish the ISMS
Check Monitor Audit Review
ISO/IEC 270001 Roadmap

• Monitor and review procedures and controls
• Regular reviews of the effectiveness of the ISMS
• Review risk assessments at planned intervals
  taking into account changes in Organization,
  Business process, Technology, Threats, Regulatory
  environment
• Conduct Internal Audits at planned intervals
• Management review of ISMS

• Take corrective action to improve the ISMS
• Take preventative action based on the prioritized
  results of risk assessments in anticipation of
  potential problems

Act Maintain Improve The ISMS
7
Establish the ISMS
Plan

• Charge the ISGC (Mission Statement)
• Scope and Boundaries
• Define the ISMS Policy
• Identify a Risk Assessment methodology
• Develop criteria for accepting risks
• Identify Risks (Risk Assessment)
• Analyze and evaluate risks
• Develop Risk Treatment Plan
• Select Control Objectives and Controls
• Prepare a Statement of Applicability

8
Implement the ISMS
Do

• Implement the Risk Treatment Plan
• Measure the effectiveness of controls
• Implement an Incident Response process

9
Monitor, Audit and Review
Check

• Monitor and review procedures and controls
• Attempted and successful security breaches
• Determine if actions to prevent breaches were
  successful
• Regular reviews of the effectiveness of the ISMS
• Review risk assessments at planned intervals
  taking into account changes in
• Organization
• Business process
• Technology
• Threats
• Regulatory environment
• Conduct Internal Audits at planned intervals
• Management review of ISMS

10
Maintain and Improve
Act

• Take corrective action to improve the ISMS
• Take preventative action based on the prioritized
  results of risk assessments in anticipation of
  potential problems

11
Risk Management Process

• Risk Assessment (awareness)
• Asset discovery
• Threat Identification
• Vulnerability Identification
• Control Analysis
• Likelihood Determination
• Impact analysis
• Risk Determination

12
Risk Management Process

• Risk Treatment Plan
• Control Recommendations to mitigate risk
• Evaluate/Accept Risk
• Risk Mitigation Investments

13
Evaluating Information Risk

• The likelihood of a given threat-sources
  attempting to exercise a given vulnerability
• The magnitude of the impact should a
  threat-source successfully exercise the
  vulnerability
• The adequacy of planned or existing security
  controls for reducing or eliminating risk.

14
Risk Evaluation and Acceptance Criteria

• NIST Special Publication 800-30 Risk Management
  Guide
• Information Risk evaluation and Acceptance
  defined
• High (Executive Committee)
• Medium (Info Security Governance Committee)
• Low (Business Owner or CISO)

15
ISO 27002 Controls

• 11 Security Control Clauses
• 49 Control Categories
• Control Objective
• 133 total controls
• Controls selected based on
• Assessment of Risk
• Business objectives
• Legal, regulatory, contractual obligations
• Function of a control to mitigate risk
• Deterrent
• Preventative
• Detective
• Corrective
• Recovery
• Compensating

16
Controls Rationalization

• ISO 27002 becomes the overarching control
  framework
• Regulatory requirements map to ISO
• New requirements potentially satisfied with
  existing controls
• Simplifies auditing and control testing
• Example

17
5 Information Security PolicyTop Level

• 5.1 Information Security Policy
• Objective To provide management direction and
  support for information security in accordance
  with business requirements and relevant laws and
  regulations. Management should set a clear
  policy direction in line with business objectives
  and demonstrate support for, and commitment to,
  information security through the issue and
  maintenance of an information security policy
  across the organization.

18
5 Security Policy

• 5.1.1 Information security policy document
• Control
• An information security policy document should be
  approved by management, and published and
  communicated to all employees and relevant
  external parties.
• Implementation guidance
• The information security policy document should
  state management commitment and set out the
  organizations approach to managing information
  security. The policy document should contain
  statements concerning
• a) a definition of information security, its
  overall objectives and scope and the importance
  of security as an enabling mechanism for
  information sharing (see introduction)
• b) a statement of management intent, supporting
  the goals and principles of information security
  in line with the business strategy and
  objectives
• c) a framework for setting control objectives and
  controls, including the structure of risk
• assessment and risk management

19
5.1.1 (Continued)

• d) a brief explanation of the security policies,
  principles, standards, and compliance
• requirements of particular importance to the
  organization, including
• 1) compliance with legislative, regulatory, and
  contractual requirements
• 2) security education, training, and awareness
  requirements
• 3) business continuity management
• 4) consequences of information security policy
  violations
• e) a definition of general and specific
  responsibilities for information security
  management,
• including reporting information security
  incidents
• f) references to documentation which may support
  the policy, e.g. more detailed security
• policies and procedures for specific information
  systems or security rules users should
• comply with.
• This information security policy should be
  communicated throughout the organization to users
  in a form that is relevant, accessible and
  understandable to the intended reader.

20
6 Organization of information security

• 6.1 Internal organization
• Objective To manage information security within
  the organization
• 6.2 External parties
• Objective To maintain the security of the
  organizations information and information
  processing facilities that are accessed,
  processed, communicated to, or managed by
  external parties.

21
Critical Roles and Responsibilities

• Governance Committee and Chair
• Data Owner (Business Owner)
• Data Custodian
• Privacy Officer
• CISO
• IT
• Internal Audit
• All employees

22
7 Asset Management

• 7.1 Responsibility for assets
• Objective To achieve and maintain appropriate
  protection of organizational assets
• 7.2 Information classification
• Objective To ensure that information receives an
  appropriate level of protection.

23
7 Asset Management

• 7.1 Responsibility for assets
• Objective To achieve and maintain appropriate
  protection of organizational assets.
• All assets should be accounted for and have a
  nominated owner.
• Owners should be identified for all assets and
  the responsibility for the maintenance of
  appropriate
• controls should be assigned. The implementation
  of specific controls may be delegated by the
  owner
• as appropriate but the owner remains responsible
  for the proper protection of the assets.

24
7 Asset Management

• 7.1.2 Ownership of assets
• Control
• All information and assets associated with
  information processing facilities should be
  owned by a designated part of the organization.
• Implementation guidance
• The asset owner should be responsible for
• a) ensuring that information and assets
  associated with information processing facilities
  are appropriately classified
• b) defining and periodically reviewing access
  restrictions and classifications, taking into
  account applicable access control policies.
• The term owner identifies an individual or
  entity that has approved management
  responsibility for controlling the production,
  development, maintenance, use and security of the
  assets.

25
7 Asset Management

• 7.2 Information classification
• Objective To ensure that information receives an
  appropriate level of protection.
• Information should be classified to indicate the
  need, priorities, and expected degree of
  protection when handling the information.
• Information has varying degrees of sensitivity
  and criticality. Some items may require an
  additional
• level of protection or special handling. An
  information classification scheme should be used
  to define
• an appropriate set of protection levels and
  communicate the need for special handling
  measures.

26
8 Human Resources Security

• 8.1 Prior to employment
• Objective To ensure that employees, contractors
  and third party users understand their
  responsibilities, and are suitable for the roles
  they are considered for, and to reduce the risk
  of theft, fraud or misuse of facilities.
• 8.2 During employment
• Objective To ensure that all employees,
  contractors and third party users are aware of
  information security threats and concerns, their
  responsibilities and liabilities, and are
  equipped to support organizational security
  policy in the course of their normal work, and to
  reduce the risk of human error.
• 8.3 Termination or change of employment
• Objective To ensure that employees, contractors
  and third party users exit an organization or
  change employment in an orderly manner.

27
9 Physical and Environmental Security

• 9.1 Secure areas
• Objective To prevent unauthorized physical
  access, damage and interference to the
  organizations premises and information.
• 9.2 Equipment security
• Objective To prevent loss, damage, theft or
  compromise of assets and interruption to the
  organizations activities

28
10 Communications and operations management

• 10.1 Operational procedures and responsibilities
• Objective To ensure the correct and secure
  operation of information processing facilities.
• 10.2 Third party service delivery management
• Objective To implement and maintain the
  appropriate level of information security and
  service delivery in line with third party service
  delivery agreements.
• 10.3 System planning and acceptance
• Objective To minimize the risk of systems
  failures.

29
10 Communications and operations management
(cont.)

• 10.4 Protection against malicious and mobile code
• Objective To protect the integrity of software
  and information.
• 10.5 Back-up
• Objective To maintain the integrity and
  availability of information and information
  processing facilities.
• 10.6 Network security management
• Objective To ensure the protection of
  information in networks and the protection of the
  supporting infrastructure
• 10.7 Media handling
• Objective To prevent unauthorized disclosure,
  modification, removal or destruction of assets,
  and interruption to business activities.

30
10 Communications and operations management
(cont.)

• 10.8 Exchange of information
• Objective To maintain the security of
  information and software exchanged within an
  organization and with any external entity.
• 10.9 Electronic commerce services
• Objective To ensure the security of electronic
  commerce services, and their secure use.
• 10.10 Monitoring
• Objective To detect unauthorized information
  processing activities.

31
11 Access Control

• 11.1 Business requirement for access control
• Objective To control access to information.
• 11.2 User access management
• Objective To ensure authorized user access and
  to prevent unauthorized access to information
  systems.
• 11.3 User responsibilities
• Objective To prevent unauthorized user access,
  and compromise or theft of information and
  information processing facilities.
• 11.4 Network access control
• Objective To prevent unauthorized access to
  networked services.

32
11 Access Control (Cont.)

• 11.5 Operating system access control
• Objective To prevent unauthorized access to
  operating systems.
• 11.6 Application and information access control
• Objective To prevent unauthorized access to
  information held in application systems.
• 11.7 Mobile computing and teleworking
• Objective To ensure information security when
  using mobile computing and teleworking facilities.

33
12 Information systems acquisition, development
and maintenance

• 12.1 Security requirements of information systems
• Objective To ensure that security is an integral
  part of information systems.
• 12.2 Correct processing in applications
• Objective To prevent errors, loss, unauthorized
  modification or misuse of information in
  applications.
• 12.3 Cryptographic controls
• Objective To protect the confidentiality,
  authenticity or integrity of information by
  cryptographic means.

34
12 Information systems acquisition, development
and maintenance (Cont.)

• 12.4 Security of system files
• Objective To ensure the security of system
  files.
• 12.5 Security in development and support
  processes
• Objective To maintain the security of
  application system software and information.
• 12.6 Technical Vulnerability Management
• Objective To reduce risks resulting from
  exploitation of published technical
  vulnerabilities.

35
13 Information security incident management

• 13.1 Reporting information security events and
  weaknesses
• Objective To ensure information security events
  and weaknesses associated with information
  systems are
• communicated in a manner allowing timely
  corrective action to be taken.
• 13.2 Management of information security incidents
  and improvements
• Objective To ensure a consistent and effective
  approach is applied to the management of
  information security incidents.

36
14 Business continuity management

• 14.1 Information security aspects of business
  continuity management
• Objective To counteract interruptions to
  business activities and to protect critical
  business processes from the effects of major
  failures of information systems or disasters and
  to ensure their timely resumption.

37
15 Compliance

• 15.1 Compliance with legal requirements
• Objective To avoid breaches of any law,
  statutory, regulatory or contractual obligations,
  and of any security requirements.
• 15.2 Compliance with security policies and
  standards, and technical compliance
• Objective To ensure compliance of systems with
  organizational security policies and standards.
• 15.3 Information systems audit considerations
• Objective To maximize the effectiveness of and
  to minimize interference to/from the information
  systems audit process.

38
Information Security Organization and Structure

• Its all about ability to execute
• Muti-disciplinary approach involving
  collaboration and cooperation
• Organization segregation of control execution
  from control requirements and approvals
• Control executors accountable for control
  execution
• Oversight responsibility where does Information
  Security report?

39
Business Governance
Information Security Program
Internal Audit

• Information Risk Mgt
• Security Policy
• Risk Assessments
• Security Assurance
• Monitoring and Response
• Vulnerability Mgt
• Identity Mgt
• External Compliance
• PCI,SOX,HIPAA,PII

• Control Implementation
• Access Administration
• Patching
• Anti-virus
• Baseline Configurations
• Firewall rules
• Application Security Stds

• Policy
• Controls
• Compliance

Information Security
IT
40
Information Security Functions

• Chief Information Security Officer
• Information Security Office
• Compliance Management
• Identity Management
• Security Configuration Management
• Risk Assessment
• Security Education, Awareness and Training (SETA)
• Security Operations
• SOC/NOC Coordination
• Incident Response
• Security Integrated Process Team Management
• Compliance
• PII, HIPPA, and PCI compliance policy
• Controls compliance program

41
Information Security Office (ISO)

• Enterprise Security Mgt
• Security Architecture
• System Accreditation
• Access and Identity Management
• Physical Security requirements
• Risk Management
• Security Assurance
• Application Vulnerability Mgt
• Risk Assessment execution
• 3rd Party Risk Management
• Security Education, Awareness and Training
• Disaster Recovery/BCP

42
Security Operations Center (SOC)

• Security Monitoring
• Monitoring and alerting
• Intrusion Detection
• Policy violations
• Anti-Virus monitoring
• Log Analysis
• Incident Response
• Incident Response Plan
• Incident Response Team Mgt
• Management reporting
• Security Engineering
• Vulnerability/Penetration testing
• Vulnerability remediation
• Policy violation remediation
• Network Integrity mgt
• Technology control effectiveness

43
Information Security Compliance (ISC)

• Security Policies and Compliance
• PCI, HIPAA, SOX, Privacy
• ISO 27001/ISO 27002
• IT Operational Controls Compliance
• Vulnerability Management
• Baseline Configuration
• Policy/Standards/Process Compliance
• Audit/Assessment Mgt
• Compliance evidence
• Management Response
• Remediation Mgt
• Document Mgt

44
Discussion

• Lessons Learned
• Going Forward
• Your Experience?
• Governance
• ISO
• Other security frameworks