Assurance through the ISO27002 Standard and the US NIST Cybersecurity Framework. Keith Price Principal Consultant

Transcription

1 Assurance through the ISO27002 Standard and the US NIST Cybersecurity Framework Keith Price Principal Consultant 1

2 About About me - Specialise in cybersecurity strategy, architecture, and assessment - Veteran of the IT industry from networking and telecommunications to the emergence of the Internet, Internet banking, and IT security - Work experience in AU, US, UK, Europe - BBus, MSc, CISSP, CISM, CGEIT About Black Swan Group - Professional services company based in Sydney - Clients are large and small companies in financial services, state & federal government, education, property, and more. 2

3 All images not created by the author are used under the fair use for education provision. 3

4 Agenda Frameworks versus standards COSO Cube PCI-DSS ISO27001/2 US NIST Cybersecurity Framework (CSF) NIST CSF Informative References Center for Internet Security Critical Security Controls COBIT 5 NIST SP Cybersecurity assessment 4

5 Framework versus Standard Framework: A basic structure underlying a system, concept, or text. Standard: Something used as a measure, norm, or model in comparative evaluations. Source: 5

6 Frameworks and standards Images: Respective organisations 6

7 Adoption of security frameworks Source: Trends in Security Framework Adoption, Dimensional Research, March

8 Which one should you use? Image: Google Images 8

9 Cyber risk - Cybercriminals - Their malware - Customer Records - Access credentials Cyber Risk - People, process or technology weakness Image: Google Images 9

10 Source: Keith Price, Informed from US Dept of Defense

11 How do you modify risk? Control = a measure that is modifying risk Controls for information security include any process, policy, procedure, guideline, practice or organizational structure, which can be administrative, technical, management, or legal in nature which modify information security risk. Source: ISO27005:

12 Risk equation Threats x Vulnerabilities x Asset Value Risk = + Residual Risk Controls To reduce cyber risk: reduce vulnerabilities, increase controls Source: A Controls Factory Approach To Building a Cyber Security Program Based on the NIST Cybersecurity Framework (NCSF) - Larry Wilson & Rick Lemieux October

13 COSO: Committee of Sponsoring Organizations of the Treadway Commission COSO Cube (1985) Source: Deloitte COSO in the Cyber Age : AS/NZS 4360 Risk Management (the very first risk management standard) 2008: ISO27005 Information Security Risk Management 2009: ISO31000 Risk Management (supersedes AS4360) 13

14 Payment Card Industry Data Security Standard (PCI-DSS) Developed to encourage and enhance cardholder data security Provides a baseline of technical and operational requirements designed to protect account data The problem: focused on cardholder data security 14

15 15

16 16

17 Provides requirements for establishing, implementing, maintaining, and continually improving an ISMS. Designed to use as a reference for selecting controls within the process of implementing an ISMS based on ISO

18 Information security management system Information security is achieved through the implementation of an applicable set of controls Controls are selected through the risk management process and managed using an ISMS Management involves activities to direct, control, and improve the organisation A management system uses a framework of resources to achieve an organisation s objectives Source: ISO27000:

19 ISO27002 clauses 5 18 control categories Information security policies Organisation of information security Human resource security Asset management Access control Cryptography Physical and environmental security Operations security Communications security System acquisition, development & maintenance Supplier relationships Incident management Business continuity management Compliance 19

20 Discusses information security risk treatment Source: ISO27001:

21 Source: ISO27002:

22 Control families (from SP800-53) Source: Security and Privacy Controls for Information Systems and Organizations, NIST Special Publication Revision 5 draft, Aug17 22

23 Framework for Improving Critical Infrastructure Cybersecurity The Framework enables organisations regardless of size, degree of cybersecurity risk, or cybersecurity sophistication to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure. 23

24 Source: US NIST 24

25 Source: NIST CSF 25

26 CCS CSC 1 (was Council on Cyber Security (CCS)), now Center for Internet Security Critical Security Controls COBIT 5 BAI09.01, BAI09.02 ISA : (Security for Industrial Automation and Control Systems, Establishing an Industrial Automation and Control Systems Security Program) ISA :2013 SR 7.8 (Security for Industrial Automation and Control Systems, System Security Requirements And Security Levels) ISO/IEC 27001:2013 A.8.1.1, A NIST SP Rev. 4 CM-8 (Security and Privacy Controls for Federal Information Systems and Organizations) 26

27 Source: A Controls Factory Approach To Building a Cyber Security Program Based on the NIST Cybersecurity Framework (NCSF) - Larry Wilson & Rick Lemieux October

28 The Center for Internet Security was an active participant in the development of the NIST cybersecurity framework. Source: A Controls Factory Approach To Building a Cyber Security Program Based on the NIST Cybersecurity Framework (NCSF) - Larry Wilson & Rick Lemieux October

29 COBIT 5 BAI09.01, BAI09.02 Source: COBIT 5 29

30 30

31 Security for Industrial Automation and Control Systems 31

32 ISO/IEC 27001:2013 A.8.1.1, A

33 PR.DS-2 Data in transit is protected Source: A Controls Factory Approach To Building a Cyber Security Program Based on the NIST Cybersecurity Framework (NCSF) - Larry Wilson & Rick Lemieux October 2016

34 NIST SP Rev. 4 CM-8 34

35 35

36 Recommendation Images: Respective organisations 36

37 RACI from ISACA s COBIT 5 37

38 RACI from ISACA s Risk IT Risk IT RE3 Maintain risk profile: Maintain an up-to-date and complete inventory of known risks and attributes (e.g., expected frequency, potential impact, disposition), IT resources, capabilities and controls as understood in the context of business products, services and processes. 38

39 39