POTENTIAL DIFFERENCES AT RISK ASSESSMENT AND RISK TREATMENT PLANNING BETWEEN ISO/IEC 27001:2005 AND ISO/IEC 27001:2013


Eka Pramudita Purnomo 1) and R. V. Hari Ginardi 2)
Master's Program in Management of Technology, Institut Teknologi Sepuluh Nopember
Jl. Cokroaminoto 12A, Surabaya, 60264, Indonesia
1) eka.pramudita.purnomo@gmail.com, 2) hari@its.ac.id

ABSTRACT

The rapid growth of information technology (IT) has been accompanied by a yearly increase in information security incidents. The need for, and awareness of, an appropriate information security management system (ISMS) to protect an organization's information assets has also increased in recent years. The most widely adopted ISMS standard is ISO/IEC 27001. Its newest version is the 2013 edition, which differs from the 2005 edition in the risk assessment process and in risk treatment planning. These differences lead to different results: which information security risks must be controlled, and which information security controls are applied, may differ between the two versions. An organization that implements the newer version may miss risks that would have been controlled under the 2005 version but no longer need to be controlled under the 2013 version, and may lose security controls that it could have implemented under the old version. This research focuses on the potential differences in risk assessment and risk treatment planning between the two versions of ISO/IEC 27001. The main difference in risk assessment is the person who assesses the risk: the asset owner in the 2005 version and the risk owner in the 2013 version. The main difference in risk treatment is the collection of information security controls offered by each version; the 2013 version deletes some controls and adds new ones.

The implementation of both versions was tested at PT Sentra Vidya Utama, an information technology consulting and software development services company that has operated for more than 12 years. The research goal is to obtain a clearer picture of how the ISO/IEC 27001 version affects the results of the risk assessment process and risk treatment planning, and to determine whether the old ISO/IEC 27001:2005 version still offers benefits when implemented at the organization. Both versions of ISO/IEC 27001, the old 2005 version and the new 2013 version, can be applied as an ISMS at PT Sentra Vidya Utama. However, we found a considerable number of differences in which information security risks are to be controlled under each version. The different perspectives of the asset owner and the risk owner resulted in 83 differences in the risks to be controlled at PT Sentra Vidya Utama. These in turn led to 13 differences in the information security controls to be applied in risk treatment planning between the two versions. The risk assessment and risk treatment planning of both versions of ISO/IEC 27001 may be applied together to complement each other, giving the company a wider range of risks to be controlled and of information security controls to be applied.

Keywords: ISO/IEC 27001:2005, ISO/IEC 27001:2013, Information Security Management System, Information Security, Risk Assessment, Risk Treatment Planning.

INTRODUCTION

Living in a digital era, the rapid growth of information technology (IT) has been accompanied by a yearly increase in information security incidents. PricewaterhouseCoopers conducted an information security survey in 2016 which found that 38% more security incidents were detected in 2015 than in 2014, and that theft of hard intellectual property increased by 56% in 2015 compared with 2014 (PricewaterhouseCoopers, 2016). The impact of a security incident on an organization may be financial loss or even reputational loss. Therefore, the need for, and awareness of, an appropriate information security management system (ISMS) to protect information assets has also increased in recent years. One of the critical success factors for organizing information security is to have an approach and framework for implementing, maintaining, monitoring, and improving information security that is consistent with the organizational culture (Peltier, 2014). Using the most popular ISMS standard, ISO/IEC 27001, is therefore recommended. ISO/IEC 27001 is an international standard on information technology created by ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission). The first version of ISO/IEC 27001 is the 2005 version; the second and newest version is the 2013 version. ISO/IEC 27001 is the most widely used standard for information security management systems, and it states that it is applicable to any type and size of organization. This flexibility is one of the strongest points of ISO/IEC 27001: as a small company grows into a large one, the standard adapts to that growth.

Some research on the implementation of ISO/IEC 27001:2005 has been conducted by Azis Maidy Puspa of Institut Teknologi Sepuluh Nopember in 2011 and by Aries Fajar Kurnia and Eko Ariefianto of Universitas Indonesia in 2006. We have not yet found research in Indonesia that uses the new 2013 version of ISO/IEC 27001. There are several differences between the 2005 and 2013 versions of ISO/IEC 27001, such as different requirements, scope and policy, risk assessment, and risk treatment. In this research, however, we focus on the differences related to the risk assessment process and risk treatment planning. These differences lead to different results: the information security risks to be controlled and the information security controls to be applied may vary by version. The main difference in the risk assessment process is who performs the assessment. In the 2005 version, the asset owner is responsible for controlling and assessing the risks related to their assets. In the 2013 version, the risk owner is responsible. A risk owner is a person or entity with the accountability and authority to manage a risk (ISO/IEC, 2014). An asset owner may be able to determine a risk, yet lack the accountability and authority to manage it. In the risk treatment planning phase, the potential differences come from the different collections of information security controls in each version of ISO/IEC 27001. These differences may lead to missing controls that could have been implemented at the organization. The different collections of controls result from controls deleted from, and controls added to, the new 2013 version. The research goal is therefore to obtain a clearer picture of the differences between the ISO/IEC 27001 versions in risk assessment and risk treatment planning, and to determine whether the old ISO/IEC 27001:2005 version still offers benefits when implemented at the organization. Some methods or controls that originate in ISO/IEC 27001:2005 but were deleted in the new version may still benefit the organization. In this paper, an implementation of both versions of risk assessment and risk treatment planning is tested at PT Sentra Vidya Utama, an information technology consulting and software development services company that has operated for more than 12 years. The following sections of the paper give a general explanation of ISO/IEC 27001 and the methodology for implementing and comparing the risk assessments and risk treatment plans of both versions, followed by the results of the risk assessment and risk treatment planning, namely the information security risks to be controlled and the differences in the information security controls to be applied under each version of ISO/IEC 27001; the last section presents the conclusions.

METHODOLOGY

The methodology is simplified from the whole ISO/IEC 27001 implementation process to focus on the risk assessment and risk treatment processes. The research methodology is as follows:

Figure 1. Research Methodology (flow): Information Security Requirement Analysis (Information Asset Identification, Risk Identification) -> Risk Assessment (based on ISO/IEC 27001:2005, asset owner; based on ISO/IEC 27001:2013, risk owner) -> Risk Treatment Planning (ISO/IEC 27001:2005 information security controls; ISO/IEC 27001:2013 information security controls) -> Verification of Risk Assessment and Risk Treatment Planning -> Comparison of Risk Assessment and Risk Treatment Planning Results

The first phase is the information security requirement analysis. Its goal is to identify the information assets within the company and the risks related to those assets. We interviewed the six divisions or departments at PT Sentra Vidya Utama (development, IT, finance, marketing, human resources, and general). The interviews were conducted to obtain the information assets that should be protected in each department and the information security risks related to those assets. Information assets can be physical (documents, computers, information processing facilities, etc.) or non-physical (source code, databases, supporting software, etc.). The result of the first phase is a list of information assets and a list of the information security risks related to them.

The second phase is the risk assessment. Both results of the previous phase are used in the risk assessment process, which was conducted under the two different versions of ISO/IEC 27001. First, the company determines the aspects and the formula to be used to assess the risks. The risk value is obtained by multiplying the estimated likelihood of a risk by its estimated impact. Both versions of ISO/IEC 27001 use the same formula to value the risks; the difference is the person who assesses each risk. In the 2005 version the assessor is the asset owner, and in the 2013 version it is the risk owner. The company determines who the asset owner and the risk owner are for each assessment. After the risk assessment, the company determines the risk acceptance value. Risks with a value above the risk acceptance value must be treated using the information security controls provided by each version of ISO/IEC 27001.

The third phase is risk treatment planning. The company is provided with the series of alternative information security controls from each version of ISO/IEC 27001 and chooses which control options are applicable to the company based on the results of the previous risk assessments. The result for each version of ISO/IEC 27001 is a statement of applicability document: a list of the information security controls offered by that version, with additional information such as whether each control is accepted or rejected for application at the company, and the person responsible for implementing each accepted control.

The verification process is conducted by the company to evaluate once more whether the results of the risk assessment and risk treatment planning are accurate and appropriate to the company's conditions. Once the results are verified, the company agrees with the results of the risk assessment and risk treatment planning.

The last phase is comparing the results of the risk assessment and risk treatment planning. The comparison focuses on the differences in the risks that need to be controlled at the risk assessment stage, and on the differences in information security controls at the risk treatment planning stage.
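As an added example, not part of the paper, the following Python script implements the scoring and comparison steps of this methodology: the risk value formula the company defined (likelihood multiplied by the mean of the three impact scores, equation (1) in the Results section), the acceptance value of 2, the split of controlled risks into "2005 only", "2013 only" and "both", and the tied top-3 priority grouping used in Table 1. The risk IDs reuse the paper's department prefixes, but the scores and the particular risks are constructed for illustration and are not the company's data.

```python
"""Added example (not from the paper): scoring and comparison of two risk
assessments of the same register, one by the asset owner (ISO/IEC 27001:2005
perspective) and one by the risk owner (2013 perspective).

Risk value = likelihood x mean(financial, productivity, reputation impact);
a risk is treated when its value is strictly above the acceptance value 2.
All scores below are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import groupby

ACCEPTANCE_VALUE = 2.0  # risks with a value above this must be treated


@dataclass(frozen=True)
class Scores:
    """One assessor's 1-5 scores for a single risk."""
    likelihood: int
    financial: int
    productivity: int
    reputation: int

    def __post_init__(self):
        for v in (self.likelihood, self.financial, self.productivity, self.reputation):
            if not 1 <= v <= 5:
                raise ValueError("every score must be between 1 and 5")


def risk_value(s: Scores) -> float:
    """Equation (1): RV = L x (FI + PI + RI) / 3."""
    return s.likelihood * (s.financial + s.productivity + s.reputation) / 3


def risks_to_control(assessment, acceptance=ACCEPTANCE_VALUE):
    """IDs of risks whose value exceeds the acceptance value. A value equal to
    the acceptance value is accepted, not treated."""
    return {rid for rid, s in assessment.items() if risk_value(s) > acceptance}


def compare_assessments(asset_owner, risk_owner):
    """The Figure 2 split: controlled under 2005 only, 2013 only, or both."""
    c2005 = risks_to_control(asset_owner)
    c2013 = risks_to_control(risk_owner)
    return {
        "only_2005": sorted(c2005 - c2013),
        "only_2013": sorted(c2013 - c2005),
        "both": sorted(c2005 & c2013),
    }


def top_priorities(assessment, n=3):
    """Top-n priority groups as in Table 1: risks with the same risk value
    share one priority, so a priority may hold several risk IDs."""
    ranked = sorted(assessment.items(), key=lambda kv: -risk_value(kv[1]))
    groups = []
    for value, items in groupby(ranked, key=lambda kv: round(risk_value(kv[1]), 2)):
        groups.append((value, sorted(rid for rid, _ in items)))
        if len(groups) == n:
            break
    return groups


# Constructed scores (hypothetical): the same risks scored by each assessor.
ASSET_OWNER = {
    "S.17": Scores(5, 5, 5, 4),  # HR computer power loss, scored by the HR asset owner
    "K.19": Scores(4, 5, 5, 5),  # financial report error, scored by finance
    "I.10": Scores(1, 3, 3, 3),  # application database broken
    "I.39": Scores(1, 2, 2, 2),  # server component broken
    "I.08": Scores(1, 1, 2, 2),  # theft of user and password list
    "D.01": Scores(2, 1, 1, 1),  # unauthorized access to a development document
}
RISK_OWNER = {
    "S.17": Scores(1, 2, 2, 1),
    "K.19": Scores(2, 3, 2, 1),
    "I.10": Scores(2, 5, 5, 5),
    "I.39": Scores(2, 5, 5, 5),
    "I.08": Scores(2, 4, 5, 5),
    "D.01": Scores(2, 4, 4, 4),
}


if __name__ == "__main__":
    diff = compare_assessments(ASSET_OWNER, RISK_OWNER)
    for key, ids in diff.items():
        print(f"{key}: {len(ids)} risk(s) {ids}")
    for label, a in (("2005 (asset owner)", ASSET_OWNER), ("2013 (risk owner)", RISK_OWNER)):
        print(label, "top 3:", top_priorities(a))
```

Two details matter when reproducing the company's rule. A risk whose value equals the acceptance value (D.01 under the asset owner: 2 x 3/3 = 2) is accepted, because only risks above 2 are treated; if the intended rule were "at or above", the comparison in risks_to_control would have to become >=. Ties in risk value are kept in one priority group rather than broken arbitrarily, which is why a single priority in Table 1 can list several risks.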
The following results show the differences caused by the change from the 2005 version of ISO/IEC 27001 to the 2013 version.

RESULTS

In the information security requirement analysis, we identified and confirmed 178 information security risks that may occur on the 43 information assets at PT Sentra Vidya Utama. The company determined that the aspects used to estimate the value of a risk are likelihood, financial impact, productivity impact, and reputation impact. For every aspect, the asset owner and the risk owner give a score from 1 to 5, where 1 is the least likely or the smallest impact and 5 is the most likely or the biggest impact. The formula for estimating the risk value multiplies the likelihood by the average of the impacts (financial impact, productivity impact, and reputation impact):

$RV = L \times \frac{FI + PI + RI}{3}$    (1)

where RV is the risk value, L the likelihood, FI the financial impact, PI the productivity impact, and RI the reputation impact.

The risk acceptance value chosen by PT Sentra Vidya Utama is 2. This means that risks with a value above 2 must be controlled with information security controls from each version of ISO/IEC 27001. The risk assessment comparison results and the risk treatment planning comparison results follow.

Risk Assessment Comparison Results

Based on the risk assessment results, the first comparison is of the number of risks to be controlled under each assessment. The second comparison is of the top 3 priority risks of each assessment.

Figure 2. Risks to be controlled: differences between ISO/IEC 27001:2005 and 2013 (108 risks under the 2005 version, 71 under the 2013 version, 48 under both)

Figure 2 shows the differences in the risks to be controlled between the 2005 and 2013 versions of ISO/IEC 27001. There are 108 risks to be controlled in the 2005 version, 71 in the 2013 version, and 48 in both. This means that 60 risks must be controlled only according to the 2005 version and 23 only according to the 2013 version, so the two versions disagree on 83 risks. The number of differing risks is considerable and may leave many risks uncontrolled at the company.

Table 1. Top 3 risk priority differences between ISO/IEC 27001:2005 and 2013

Priority 1
  ISO/IEC 27001:2005: risk value 24 (1 risk, Human Resources) - S.17 Loss of electricity at Human Resources computer
  ISO/IEC 27001:2013: risk value 10.67 (2 risks, IT) - I.10 Application database broken; I.39 Server component broken
Priority 2
  ISO/IEC 27001:2005: risk value 22 (1 risk, Finance) - K.19 Human error in creating financial report
  ISO/IEC 27001:2013: risk value 9.33 (2 risks, IT) - I.08 Theft of user and password list; I.37 Unauthorized access to server
Priority 3
  ISO/IEC 27001:2005: risk value 20 (3 risks, Finance) - K.03, K.07, K.12 Human error in creating financial data (receivables, debt, and daily transaction report)
  ISO/IEC 27001:2013: risk value 8 (6 risks from IT, 7 from Development) - D.01, D.05, D.09, D.17, D.21, D.25, D.28, I.09, I.26, I.49 Unauthorized access to initial, mid-stage and final development documents, product knowledge, progress report, source code, user guide, application database, and backup media; I.11 Wrong configuration of database; I.38 Loss of electricity at server; I.50 Unintended change of source code

Table 1 shows the differences between the top 3 risk priorities at PT Sentra Vidya Utama. The highest risk value in the 2005 version is 24, which differs greatly from the highest risk value in the 2013 version, only 10.67. The top 3 risks to be prioritized also differ: in the 2013 version they are dominated by IT department risks, whereas in the 2005 version they are dominated by Human Resources and Finance department risks. The comparison of the risks to be controlled and of the top 3 priority risks shows that the different perspectives of the asset owner and the risk owner in the risk assessment process may lead to a big difference in the risks to be controlled at PT Sentra Vidya Utama.

Risk Treatment Planning Comparison Results

The comparison is conducted to determine which applicable information security controls at PT Sentra Vidya Utama are unique to the 2005 version (present in 2005 but absent from 2013) and vice versa. The company has confirmed that all of these controls are applicable for implementation. The results below do not show controls that are common to both versions. The unique controls come from the controls deleted from ISO/IEC 27001:2005 and the controls new in ISO/IEC 27001:2013.

Table 2. Unique information security controls in ISO/IEC 27001:2005
Management commitment to information security
Information security coordination
Security of system documentation
User authentication for external connections
Equipment identification in networks
Remote diagnostic and configuration port protection
Sensitive system isolation

Table 2 lists the 7 unique information security controls accepted at PT Sentra Vidya Utama that come from the 2005 version; all of them are controls deleted in the 2013 version. The control on management commitment to information security is deleted in the 2013 version, but management commitment becomes a requirement of the management system itself in the 2013 version.
The control on information security coordination is also deleted, but it is merged into the roles and responsibilities control in the 2013 version. The other five controls (security of system documentation, user authentication for external connections, equipment identification in networks, remote diagnostic and configuration port protection, and sensitive system isolation) are deleted controls that no longer appear in ISO/IEC 27001:2013.

Table 3. Unique information security controls in ISO/IEC 27001:2013
Restrictions on software installation
Secure development policy
Secure development environment
System security testing
Response to information security incidents
Availability of information processing facilities

Table 3 lists the 6 unique information security controls accepted at PT Sentra Vidya Utama that come from the 2013 version; all of them are new controls in the 2013 version. Restrictions on software installation is an additional control that restricts which software users may install. Secure development policy, secure development environment, and system security testing are additional controls supporting information security in the development environment. Response to information security incidents is an additional control for building an appropriate response procedure for events categorized as information security incidents. Availability of information processing facilities is an additional control for having redundant assets that can replace the facilities when an incident occurs.

Both versions of ISO/IEC 27001 show differences in risk treatment planning. Some applicable controls exist only in the 2013 version or only in the 2005 version. PT Sentra Vidya Utama responded that both sets of unique controls can be implemented. The unique information security controls are acceptable and can be implemented without adverse impact on other controls; as long as a control can be implemented to control the risks, the company is willing to implement it.

CONCLUSIONS AND RECOMMENDATIONS

Based on the results of the whole research process, this research concludes that the differences arising from implementing the risk assessment and risk treatment planning of the 2005 and 2013 versions of ISO/IEC 27001 cause the company to lose some risks to be controlled and some information security controls to be applied. Of the 178 risks that exist at PT Sentra Vidya Utama, 83 differences in the risks to be controlled were found between the risk assessment results of the two versions. The different perspectives of the asset owner and the risk owner lead to many risks that would be controlled under one version being left uncontrolled under the other. In risk treatment planning, there are 13 differences in the controls that can be applied at the company. Those controls are unique and applicable information security controls that come from the controls deleted from, or new in, the 2013 version. The unique controls from both versions can be implemented at the company. Combining the roles of asset owner and risk owner in the risk assessment, and combining the control collections of the 2005 and 2013 versions in risk treatment planning, is an acceptable implementation at PT Sentra Vidya Utama.

Recommendations for future research: based on this research, combining the risk assessment methods and the information security controls of both the 2005 and 2013 versions of ISO/IEC 27001 should be applicable in other studies. This also means that information security controls from other standards should be considered to complement ISO/IEC 27001; further research combining methods or controls from other standards is preferable.

REFERENCES

Ariefianto, E. (2006). Perencanaan Tata Kelola Keamanan Informasi Berdasarkan ISMS ISO: Studi Kasus Pusat Komunikasi Departemen Luar Negeri RI [Information Security Governance Planning Based on ISMS ISO: A Case Study of the Communication Center of the Indonesian Ministry of Foreign Affairs]. Jakarta: Universitas Indonesia.
ISO/IEC (2005). ISO/IEC 27000: Information technology - Security techniques - Information security management systems - Overview and vocabulary. 2nd edition. Switzerland: ISO/IEC.
ISO/IEC (2005). ISO/IEC 27001: Information technology - Security techniques - Information security management systems - Requirements. 1st edition. Switzerland: ISO/IEC.
ISO/IEC (2010). ISO/IEC 27003: Information technology - Security techniques - Information security management system implementation guidance. 1st edition. Switzerland: ISO/IEC.
ISO/IEC (2011). ISO/IEC 27005: Information technology - Security techniques - Information security risk management. 1st edition. Switzerland: ISO/IEC.
ISO/IEC (2013). ISO/IEC 27001: Information technology - Security techniques - Information security management systems - Requirements. 2nd edition. Switzerland: ISO/IEC.
ISO/IEC (2013). ISO/IEC 27002: Information technology - Security techniques - Code of practice for information security controls. 2nd edition. Switzerland: ISO/IEC.
ISO/IEC (2014). ISO/IEC 27000: Information technology - Security techniques - Information security management systems - Overview and vocabulary. 3rd edition. Switzerland: ISO/IEC.
Kurnia, A. F. (2006). Perencanaan Kebijakan Keamanan Informasi Berdasarkan Information Security Management System (ISMS) ISO: Studi Kasus Bank XYZ [Information Security Policy Planning Based on the Information Security Management System (ISMS) ISO: A Case Study of Bank XYZ]. Jakarta: Universitas Indonesia.
Peltier, T. R. (2014). Information Security Fundamentals. 2nd edition. Boca Raton: CRC Press.
PricewaterhouseCoopers (2016). The Global State of Information Security Survey. PricewaterhouseCoopers.
Puspa, A. M. (2011). Perancangan Sistem Manajemen Sekuritas Informasi (SMSI) Berdasarkan ISO/IEC [Design of an Information Security Management System (SMSI) Based on ISO/IEC]. Surabaya: Institut Teknologi Sepuluh Nopember.


More information

TEL2813/IS2820 Security Management

TEL2813/IS2820 Security Management TEL2813/IS2820 Security Management Security Management Models And Practices Lecture 6 Jan 27, 2005 Introduction To create or maintain a secure environment 1. Design working security plan 2. Implement management

More information

ISO/IEC INTERNATIONAL STANDARD

ISO/IEC INTERNATIONAL STANDARD INTERNATIONAL STANDARD ISO/IEC 13335-1 First edition 2004-11-15 Information technology Security techniques Management of information and communications technology security Part 1: Concepts and models for

More information

standards and frameworks and controls oh my! Mike Garcia Senior Advisor for Elections Best Practices

standards and frameworks and controls oh my! Mike Garcia Senior Advisor for Elections Best Practices standards and frameworks and controls oh my! Mike Garcia Senior Advisor for Elections Best Practices mike.garcia@cisecurity.org The big three in their own words ISO 27000: family of standards to help organizations

More information

Information Technology General Control Review

Information Technology General Control Review Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor

More information

Apex Information Security Policy

Apex Information Security Policy Apex Information Security Policy Table of Contents Sr.No Contents Page No 1. Objective 4 2. Policy 4 3. Scope 4 4. Approval Authority 5 5. Purpose 5 6. General Guidelines 7 7. Sub policies exist for 8

More information

Sýnishorn ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Information security risk management

Sýnishorn ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Information security risk management INTERNATIONAL STANDARD ISO/IEC 27005 Second edition 2011-06-01 Information technology Security techniques Information security risk management Technologies de l'information Techniques de sécurité Gestion

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO 22301 Lead Implementer www.pecb.com The objective of the Certified ISO 22301 Lead Implementer examination is to ensure that the candidate

More information

Level Access Information Security Policy

Level Access Information Security Policy Level Access Information Security Policy INFOSEC@LEVELACCESS.COM Table of Contents Version Control... 3 Policy... 3 Commitment... 3 Scope... 4 Information Security Objectives... 4 + 1.800.889.9659 INFOSEC@LEVELACCESS.COM

More information

IJESRT. (I2OR), Publication Impact Factor: (ISRA), Impact Factor: 2.114

IJESRT. (I2OR), Publication Impact Factor: (ISRA), Impact Factor: 2.114 IJESRT INTERNATIONAL JOURNAL OF ENGINEERING SCIENCES & RESEARCH TECHNOLOGY EVALUATING ISO STANDARDS APPLICATION OF SECURITY REQUIREMENTS OF E- BANKING IN SUDAN Inshirah M. O. Elmaghrabi*, Hoida A. Abdelgadir,

More information

IT risks and controls

IT risks and controls Università degli Studi di Roma "Tor Vergata" Master of Science in Business Administration Business Auditing Course IT risks and controls October 2018 Agenda I IT GOVERNANCE IT evolution, objectives, roles

More information

Information Security Management System

Information Security Management System Information Security Management System Based on ISO/IEC 17799 Houman Sadeghi Kaji Spread Spectrum Communication System PhD., Cisco Certified Network Professional Security Specialist BS7799 LA info@houmankaji.net

More information

SYSTEMKARAN ADVISER & INFORMATION CENTER. Information technology- security techniques information security management systems-requirement

SYSTEMKARAN ADVISER & INFORMATION CENTER. Information technology- security techniques information security management systems-requirement SYSTEM KARAN ADVISER & INFORMATION CENTER Information technology- security techniques information security management systems-requirement ISO/IEC27001:2013 WWW.SYSTEMKARAN.ORG 1 www.systemkaran.org Foreword...

More information

Presenter: Ian Musweu FCCA, FZICA, CRA. Head of Risk and Assurance Professional Insurance

Presenter: Ian Musweu FCCA, FZICA, CRA. Head of Risk and Assurance Professional Insurance Presenter: Ian Musweu FCCA, FZICA, CRA Head of Risk and Assurance Professional Insurance Contents: Introduction; Overview of the two major frameworks Frameworks side by side Similarities and differences

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO/IEC 27001 Lead Auditor www.pecb.com The objective of the Certified ISO/IEC 27001 Lead Auditor examination is to ensure that the candidate

More information

Threat and Vulnerability Assessment Tool

Threat and Vulnerability Assessment Tool TABLE OF CONTENTS Threat & Vulnerability Assessment Process... 3 Purpose... 4 Components of a Threat & Vulnerability Assessment... 4 Administrative Safeguards... 4 Logical Safeguards... 4 Physical Safeguards...

More information

Security Management Models And Practices Feb 5, 2008

Security Management Models And Practices Feb 5, 2008 TEL2813/IS2820 Security Management Security Management Models And Practices Feb 5, 2008 Objectives Overview basic standards and best practices Overview of ISO 17799 Overview of NIST SP documents related

More information

Supporting the Context Establishment according to ISO using Patterns

Supporting the Context Establishment according to ISO using Patterns Supporting the Context Establishment according to ISO 27005 using Patterns Kristian Beckers, Stephan Faßbender paluno - The Ruhr Institute for Software Technology - University of Duisburg-Essen, Germany

More information

ISO/IEC ISO/IEC

ISO/IEC ISO/IEC ISO/IEC 27000 2010 6 3 1. ISO/IEC 27000 ISO/IEC 27000 ISMS ISO IEC ISO/IEC JTC1 SC 27 ISO/IEC 27001 ISO/IEC 27000 ISO/IEC 27001 ISMS requirements ISO/IEC 27000 ISMS overview and vocabulary ISO/IEC 27002

More information

Options for, and road map to, information security implementation in the registry system

Options for, and road map to, information security implementation in the registry system United Nations FCCC/SBI/2014/INF.6 Distr.: General 19 May 2014 English only Subsidiary Body for Implementation Fortieth session Bonn, 4 15 June 2014 Item 6(f) of the provisional agenda Matters relating

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO 14001 Lead Implementer www.pecb.com The objective of the PECB Certified ISO 14001 Lead Implementer examination is to ensure that the candidate

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO 9001 Lead Auditor www.pecb.com The objective of the PECB Certified ISO 9001 Lead Auditor examination is to ensure that the candidate possesses

More information

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT RSA ARCHER IT & SECURITY RISK MANAGEMENT INTRODUCTION Organizations battle growing security challenges by building layer upon layer of defenses: firewalls, antivirus, intrusion prevention systems, intrusion

More information

ISO/IEC TR TECHNICAL REPORT

ISO/IEC TR TECHNICAL REPORT TECHNICAL REPORT ISO/IEC TR 27019 First edition 2013-07-15 Information technology Security techniques Information security management guidelines based on ISO/IEC 27002 for process control systems specific

More information

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Information security risk management

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Information security risk management INTERNATIONAL STANDARD ISO/IEC 27005 First edition 2008-06-15 Information technology Security techniques Information security risk management Technologies de l'information Techniques de sécurité Gestion

More information

Information technology Security techniques Guidance on the integrated implementation of ISO/IEC and ISO/IEC

Information technology Security techniques Guidance on the integrated implementation of ISO/IEC and ISO/IEC Provläsningsexemplar / Preview INTERNATIONAL STANDARD ISO/IEC 27013 Second edition 2015-12-01 Information technology Security techniques Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC

More information

Introduction to ISO/IEC 27001:2005

Introduction to ISO/IEC 27001:2005 Introduction to ISO/IEC 27001:2005 For ISACA Melbourne Chapter Technical Session 18 th of July 2006 AD Prepared by Endre P. Bihari JP of Performance Resources What is ISO/IEC 17799? 2/20 Aim: Creating

More information

INFORMATION SECURITY MANAGEMENT SYSTEMS CERTIFICATION RESEARCH IN THE ROMANIAN ORGANIZATIONS

INFORMATION SECURITY MANAGEMENT SYSTEMS CERTIFICATION RESEARCH IN THE ROMANIAN ORGANIZATIONS U.P.B. Sci. Bull., Series D, Vol. 77, Iss. 4, 2015 ISSN 1454-2358 INFORMATION SECURITY MANAGEMENT SYSTEMS CERTIFICATION RESEARCH IN THE ROMANIAN ORGANIZATIONS Bogdan ŢIGĂNOAIA 1, Anca-Alexandra PURCĂREA

More information

Helping the C-Suite Define Cyber Risk Appetite. The executive Imperative

Helping the C-Suite Define Cyber Risk Appetite. The executive Imperative Helping the C-Suite Define Cyber Risk Appetite The executive Imperative Welcome Steve Schlarman GRC Strategist CISSP, CISM @steveschlarman Executive Priorities Growth is the highest priority. 54 % 25 %

More information

Business continuity management and cyber resiliency

Business continuity management and cyber resiliency Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Business continuity management and cyber resiliency Introductions Eric Wunderlich,

More information

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002 ISO 27002 COMPLIANCE GUIDE How Rapid7 Can Help You Achieve Compliance with ISO 27002 A CONTENTS Introduction 2 Detailed Controls Mapping 3 About Rapid7 8 rapid7.com ISO 27002 Compliance Guide 1 INTRODUCTION

More information

ISO/IEC TR TECHNICAL REPORT. Information technology Security techniques Information security management guidelines for financial services

ISO/IEC TR TECHNICAL REPORT. Information technology Security techniques Information security management guidelines for financial services TECHNICAL REPORT ISO/IEC TR 27015 First edition 2012-12-01 Information technology Security techniques Information security management guidelines for financial services Technologies de l'information Techniques

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE EXAM PREPARATION GUIDE PECB Certified ISO/IEC 17025 Lead Auditor The objective of the PECB Certified ISO/IEC 17025 Lead Auditor examination is to ensure that the candidate possesses the needed expertise

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE EXAM PREPARATION GUIDE PECB Certified ISO/IEC 27002 Manager The objective of the PECB Certified ISO/IEC 27002 Manager examination is to ensure that the candidate has the knowledge for implementing information

More information

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP) Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP) ecfirst, chief executive Member, InfraGard Compliance Mandates Key Regulations

More information

Principles of Information Security, Fourth Edition. Chapter 1 Introduction to Information Security

Principles of Information Security, Fourth Edition. Chapter 1 Introduction to Information Security Principles of Information Security, Fourth Edition Chapter 1 Introduction to Information Security Introduction Information security: a well-informed sense of assurance that the information risks and controls

More information

UGANDA NATIONAL BUREAU OF STANDARDS LIST OF DRAFT UGANDA STANDARDS ON PUBLIC REVIEW

UGANDA NATIONAL BUREAU OF STANDARDS LIST OF DRAFT UGANDA STANDARDS ON PUBLIC REVIEW UGANDA NATIONAL BUREAU OF STANDARDS LIST OF DRAFT UGANDA STANDARDS ON PUBLIC REVIEW S/No. STANDARDS CODE TITLE(DESCRIPTION) SCOPE 1. DUS ISO/IEC 29151:2017 technology -- Security techniques -- Code of

More information

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved. How to implement NIST Cybersecurity Framework using ISO 27001 WHITE PAPER Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

More information

The Analysis and Proposed Modifications to ISO/IEC Software Engineering Software Quality Requirements and Evaluation Quality Requirements

The Analysis and Proposed Modifications to ISO/IEC Software Engineering Software Quality Requirements and Evaluation Quality Requirements Journal of Software Engineering and Applications, 2016, 9, 112-127 Published Online April 2016 in SciRes. http://www.scirp.org/journal/jsea http://dx.doi.org/10.4236/jsea.2016.94010 The Analysis and Proposed

More information

ISO/IEC INTERNATIONAL STANDARD. Information technology Software asset management Part 1: Processes and tiered assessment of conformance

ISO/IEC INTERNATIONAL STANDARD. Information technology Software asset management Part 1: Processes and tiered assessment of conformance INTERNATIONAL STANDARD This is a preview - click here to buy the full publication ISO/IEC 19770-1 Second edition 2012-06-15 Information technology Software asset management Part 1: Processes and tiered

More information

Governance Ideas Exchange

Governance Ideas Exchange www.pwc.com.au Anatomy of a Hack Governance Ideas Exchange Robert Di Pietro October 2018 Cyber Security Anatomy of a Hack Cyber Security Introduction Who are the bad guys? Profiling the victim Insights

More information

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information The HITRUST CSF A Revolutionary Way to Protect Electronic Health Information June 2015 The HITRUST CSF 2 Organizations in the healthcare industry are under immense pressure to improve quality, reduce complexity,

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE When Recognition Matters EXAM PREPARATION GUIDE PECB Certified OHSAS 18001 Lead Auditor www.pecb.com The objective of the PECB Certified OHSAS 18001 Lead Auditor examination is to ensure that the candidate

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE EXAM PREPARATION GUIDE PECB Certified ISO 50001 Lead Auditor The objective of the PECB Certified ISO 50001 Lead Auditor examination is to ensure that the candidate has the knowledge and skills to plan

More information

2015 HFMA What Healthcare Can Learn from the Banking Industry

2015 HFMA What Healthcare Can Learn from the Banking Industry 2015 HFMA What Healthcare Can Learn from the Banking Industry Agenda Introduction- Background and Experience Healthcare vs. Banking The Results OCR Audit Results Healthcare vs. Banking The Theories Practical

More information

ISO Information and documentation Digital records conversion and migration process

ISO Information and documentation Digital records conversion and migration process INTERNATIONAL STANDARD ISO 13008 First edition 2012-06-15 Information and documentation Digital records conversion and migration process Information et documentation Processus de conversion et migration

More information

An Overview of ISO/IEC family of Information Security Management System Standards

An Overview of ISO/IEC family of Information Security Management System Standards What is ISO/IEC 27001? The ISO/IEC 27001 standard, published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), is known as Information

More information

INTERNATIONAL STANDARD

INTERNATIONAL STANDARD INTERNATIONAL STANDARD ISO/IEC 27013 Second edition 2015-12-01 Information technology Security techniques Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 Technologies de

More information

Moving Beyond the Heat Map: Making Better Decisions with Cyber Risk Quantification

Moving Beyond the Heat Map: Making Better Decisions with Cyber Risk Quantification A CLOSER LOOK Moving Beyond the Heat Map: Making Better Decisions with Cyber Risk Quantification A major cybersecurity event can dissolve millions of dollars in assets and tarnish even the strongest company

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO 22000 Lead Auditor www.pecb.com The objective of the Certified ISO 22000 Lead Auditor examination is to ensure that the candidate has

More information

NCSF Foundation Certification

NCSF Foundation Certification NCSF Foundation Certification Overview This ACQUIROS accredited training program is targeted at IT and Cybersecurity professionals looking to become certified on how to operationalize the NIST Cybersecurity

More information

This document is a preview generated by EVS

This document is a preview generated by EVS INTERNATIONAL STANDARD ISO/IEC 19770-5 Second edition 2015-08-01 Information technology IT asset management Overview and vocabulary Technologies de l information Gestion de biens de logiciel Vue d ensemble

More information

Best Practices & Lesson Learned from 100+ ITGRC Implementations

Best Practices & Lesson Learned from 100+ ITGRC Implementations Best Practices & Lesson Learned from 100+ ITGRC Implementations Presenter: Vivek Shivananda CEO of Rsam Dec 3, 2010 ISACA -NY Chapter Copyright 2002 2010 Relational Security Corp. (dba Rsam) Agenda Overview

More information

ISO/IEC INTERNATIONAL STANDARD

ISO/IEC INTERNATIONAL STANDARD INTERNATIONAL STANDARD ISO/IEC 27013 First edition 2012-10-15 Information technology Security techniques Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 Technologies de l'information

More information

Security In A Box. Modular Security Services Offering - BFSI. A new concept to Security Services Delivery.

Security In A Box. Modular Security Services Offering - BFSI. A new concept to Security Services Delivery. Modular Security Services Offering - BFSI Security In A Box A new concept to Security Services Delivery. 2017 Skillmine Technology Consulting Pvt. Ltd. The information in this document is the property

More information

REQUEST FOR EXPRESSIONS OF INTEREST

REQUEST FOR EXPRESSIONS OF INTEREST REQUEST FOR EXPRESSIONS OF INTEREST (CONSULTING SERVICES FIRMS SELECTION) Country : INDIA Project : FINANCING PUBLIC PRIVATE PARTNERSHIP THROUGH SUPPORT TO THE INDIA INFRASTRUCTURE FINANCE COMPANY LIMITED

More information

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights www.pwc.com/id Key Findings from the State of Information Security Survey 2017 n Insights Key Findings from the State of Information Security Survey 2017 n Insights By now, the numbers have become numbing.

More information

An Introduction to the ISO Security Standards

An Introduction to the ISO Security Standards An Introduction to the ISO Security Standards Agenda Security vs Privacy Who or What is the ISO? ISO 27001:2013 ISO 27001/27002 domains Building Blocks of Security AVAILABILITY INTEGRITY CONFIDENTIALITY

More information

Information technology Security techniques Requirements for bodies providing audit and certification of information security management systems

Information technology Security techniques Requirements for bodies providing audit and certification of information security management systems Provläsningsexemplar / Preview INTERNATIONAL STANDARD ISO/IEC 27006 Third edition 2015-10-01 Information technology Security techniques Requirements for bodies providing audit and certification of information

More information

Project Cyber Security - Order No. 791 Identify, Assess, and Correct; Low Impact; Transient Devices; and Communication Networks Directives

Project Cyber Security - Order No. 791 Identify, Assess, and Correct; Low Impact; Transient Devices; and Communication Networks Directives Project 2014-02 - Cyber Security - Order No. 791 Identify, Assess, and Correct; Low Impact; Transient Devices; and Communication Networks Directives Violation Risk Factor and Justifications The tables

More information

Information Security Policy

Information Security Policy April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING

More information

ISO/IEC FDIS INTERNATIONAL STANDARD FINAL DRAFT. Information technology Security techniques Information security management systems Requirements

ISO/IEC FDIS INTERNATIONAL STANDARD FINAL DRAFT. Information technology Security techniques Information security management systems Requirements FINAL DRAFT INTERNATIONAL STANDARD ISO/IEC FDIS 27001 ISO/IEC JTC 1 Secretariat: DIN Voting begins on: 2005-06-30 Voting terminates on: 2005-08-30 Information technology Security techniques Information

More information

RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015

RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015 www.pwc.com RIMS Perk Session 2015 - Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015 Los Angeles RIMS Agenda Introductions What is Cybersecurity? Crown jewels The bad

More information

DRS Policy Guide. Management of DRS operations is the responsibility of staff in Library Technology Services (LTS).

DRS Policy Guide. Management of DRS operations is the responsibility of staff in Library Technology Services (LTS). Harvard University Library Office for Information Systems DRS Policy Guide This Guide defines the policies associated with the Harvard Library Digital Repository Service (DRS) and is intended for Harvard

More information

Framework for Improving Critical Infrastructure Cybersecurity

Framework for Improving Critical Infrastructure Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity November 2017 cyberframework@nist.gov Supporting Risk Management with Framework 2 Core: A Common Language Foundational for Integrated Teams

More information

SM05: Risk Analysis: A Comparison in Quantifying Asset Values, Threats, Vulnerabilities and Risk. Doug Haines Haines Security Solutions 9 April 2013

SM05: Risk Analysis: A Comparison in Quantifying Asset Values, Threats, Vulnerabilities and Risk. Doug Haines Haines Security Solutions 9 April 2013 SM05: Risk Analysis: A Comparison in Quantifying Asset Values, Threats, Vulnerabilities and Risk Doug Haines Haines Security Solutions 9 April 2013 The Broad Picture Learning Objectives Know the differences

More information

EU GDPR & ISO Integrated Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-iso integrated-documentation-toolkit

EU GDPR & ISO Integrated Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-iso integrated-documentation-toolkit EU GDPR & https://advisera.com/eugdpracademy/eu-gdpr-iso-27001-integrated-documentation-toolkit Note: The documentation should preferably be implemented in the order in which it is listed here. The order

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO 14001 Lead Auditor www.pecb.com The objective of the PECB Certified ISO 14001 Lead Auditor examination is to ensure that the candidate

More information

ISO/IEC INTERNATIONAL STANDARD. Information technology Code of practice for information security management

ISO/IEC INTERNATIONAL STANDARD. Information technology Code of practice for information security management INTERNATIONAL STANDARD ISO/IEC 17799 First edition 2000-12-01 Information technology Code of practice for information security management Technologies de l'information Code de pratique pour la gestion

More information