Assurance through the ISO27002 Standard and the US NIST Cybersecurity Framework
Keith Price, Principal Consultant
About
About me
- Specialise in cybersecurity strategy, architecture, and assessment
- Veteran of the IT industry, from networking and telecommunications to the emergence of the Internet, Internet banking, and IT security
- Work experience in AU, US, UK, Europe
- BBus, MSc, CISSP, CISM, CGEIT
About Black Swan Group
- Professional services company based in Sydney
- Clients are large and small companies in financial services, state & federal government, education, property, and more.
All images not created by the author are used under the fair use for education provision.
Agenda
- Frameworks versus standards
- COSO Cube
- PCI-DSS
- ISO27001/2
- US NIST Cybersecurity Framework (CSF)
- NIST CSF Informative References
- Center for Internet Security Critical Security Controls
- COBIT 5
- NIST SP 800-53
- Cybersecurity assessment
Framework versus Standard
Framework: a basic structure underlying a system, concept, or text.
Standard: something used as a measure, norm, or model in comparative evaluations.
Source: https://www.oxforddictionaries.com/
Frameworks and standards (images: respective organisations)
Adoption of security frameworks
Source: Trends in Security Framework Adoption, Dimensional Research, March 2016
Which one should you use? (Image: Google Images)
Cyber risk (diagram)
- Cybercriminals
- Their malware
- Customer records
- Access credentials
- Cyber risk: a people, process or technology weakness
Image: Google Images
Source: Keith Price, informed by US Dept of Defense
How do you modify risk?
Control = a measure that is modifying risk.
Controls for information security include any process, policy, procedure, guideline, practice or organizational structure, which can be administrative, technical, management, or legal in nature, which modify information security risk.
Source: ISO27005:2016
Risk equation

$$\text{Risk} = \frac{\text{Threats} \times \text{Vulnerabilities} \times \text{Asset Value}}{\text{Controls}} + \text{Residual Risk}$$

To reduce cyber risk: reduce vulnerabilities, increase controls.
Source: A Controls Factory Approach To Building a Cyber Security Program Based on the NIST Cybersecurity Framework (NCSF), Larry Wilson & Rick Lemieux, October 2016
COSO: Committee of Sponsoring Organizations of the Treadway Commission
COSO Cube (1985). Source: Deloitte, COSO in the Cyber Age, 2015
- 1995: AS/NZS 4360 Risk Management (the very first risk management standard)
- 2008: ISO27005 Information Security Risk Management
- 2009: ISO31000 Risk Management (supersedes AS4360)
Payment Card Industry Data Security Standard (PCI-DSS)
- Developed to encourage and enhance cardholder data security
- Provides a baseline of technical and operational requirements designed to protect account data
- The problem: focused on cardholder data security
ISO27001: provides requirements for establishing, implementing, maintaining, and continually improving an ISMS.
ISO27002: designed to be used as a reference for selecting controls within the process of implementing an ISMS based on ISO27001.
Information security management system
- Information security is achieved through the implementation of an applicable set of controls
- Controls are selected through the risk management process and managed using an ISMS
- Management involves activities to direct, control, and improve the organisation
- A management system uses a framework of resources to achieve an organisation's objectives
Source: ISO27000:2016
ISO27002 clauses 5-18: control categories
- Information security policies
- Organisation of information security
- Human resource security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development & maintenance
- Supplier relationships
- Incident management
- Business continuity management
- Compliance
Discusses information security risk treatment
Source: ISO27001:2013
Source: ISO27002:2013
Control families (from SP800-53)
Source: Security and Privacy Controls for Information Systems and Organizations, NIST Special Publication 800-53 Revision 5 draft, August 2017
Framework for Improving Critical Infrastructure Cybersecurity
The Framework enables organisations, regardless of size, degree of cybersecurity risk, or cybersecurity sophistication, to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure.
Source: US NIST
Source: NIST CSF
- CCS CSC 1 (was Council on Cyber Security (CCS), now Center for Internet Security Critical Security Controls)
- COBIT 5 BAI09.01, BAI09.02
- ISA 62443-2-1:2009 4.2.3.4 (Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program)
- ISA 62443-3-3:2013 SR 7.8 (Security for Industrial Automation and Control Systems: System Security Requirements and Security Levels)
- ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
- NIST SP 800-53 Rev. 4 CM-8 (Security and Privacy Controls for Federal Information Systems and Organizations)
Source: A Controls Factory Approach To Building a Cyber Security Program Based on the NIST Cybersecurity Framework (NCSF), Larry Wilson & Rick Lemieux, October 2016
The Center for Internet Security was an active participant in the development of the NIST cybersecurity framework.
Source: A Controls Factory Approach To Building a Cyber Security Program Based on the NIST Cybersecurity Framework (NCSF), Larry Wilson & Rick Lemieux, October 2016
COBIT 5 BAI09.01, BAI09.02
Source: COBIT 5
Security for Industrial Automation and Control Systems
ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
PR.DS-2: Data in transit is protected
Source: A Controls Factory Approach To Building a Cyber Security Program Based on the NIST Cybersecurity Framework (NCSF), Larry Wilson & Rick Lemieux, October 2016
NIST SP800-53 Rev. 4 CM-8
Recommendation (images: respective organisations)
RACI from ISACA's COBIT 5
RACI from ISACA's Risk IT
Risk IT RE3 Maintain risk profile: maintain an up-to-date and complete inventory of known risks and attributes (e.g., expected frequency, potential impact, disposition), IT resources, capabilities and controls as understood in the context of business products, services and processes.