ISACA GEEK WEEK SECURITY MANAGEMENT TO ENTERPRISE RISK MANAGEMENT USING THE ISO 27001 FRAMEWORK AUGUST 19, 2015
Agenda
- Coalfire Overview
- Threat Landscape
- What is ISO
- Why ISO
- ISO Cycle
- Q&A
Presenters
Michael Fuller
Michael has more than 20 years of business experience in Technology, Operations, Product Development, Marketing, Sales and Finance. He has been a consultant with Coalfire for the past two years; before Coalfire he was Co-Founder and Chief Compliance Officer at CRE Secure Payments, a venture-capital backed company specializing in securing ecommerce transactions over the internet. In his many previous roles he has worked for Apple Inc, Time Warner and Cox Enterprises Autotrader.com, as well as several global interactive advertising agencies. Michael has worked in 13 countries around the world, has two teenage daughters and holds a Bachelor's Degree in Earth Science from Macquarie University in Sydney, Australia.
Customer Success Story
Identity: International, multi-business unit, multi-channel specialty retailer.
Challenge: Extend the successful security/compliance program beyond the cardholder environment, and reduce cyber risk across the enterprise.
Approach: Develop an ISMS, pursue ISO certification.
Results: 40% of security gaps closed within the first six months of the program (including all critical findings); cross-functional participation and support.
THREAT LANDSCAPE
Our Environment is Changing
Cyber Incidents Are On the Rise
- In 2013, the FBI notified over 3,000 U.S. companies, including money center banks, major defense contractors, and leading retailers, that they had been the victims of cyber intrusions.
- IBM estimates that over half a billion records of personally identifiable information (names, credit card information, social security numbers, etc.) were stolen in 2014.
- 77% of companies detected a security event in the past 12 months (1).
- Organizations on average detect 135 cybersecurity incidents each year (1).
- 7% of U.S. organizations lost $1 million or more, and 19% of organizations lost at least $50k, in 2013 due to cybercrime incidents (1).
- 84% of survey respondents believe the number of cyber attacks will increase (2).
- 75% of survey respondents expect cloud security budgets to increase dramatically (3).
Sources:
(1) PWC, Managing Cyber Risks in an Interconnected World, Sept. 30, 2014
(2) BAE Systems, Business and the Cyber Threat: the Rise of Digital Criminality, February 2014
(3) IBM, 3rd Annual CISO Study, December 2014
Large Data Breaches
Over the past 18 months, dozens of major cybersecurity breaches have been announced, collectively affecting hundreds of millions of people.
Increased Government Oversight
Over the past 12 months, several Federal, state, and international government agencies have announced specific cybersecurity policies.
Cyber Risk is Now a Matter of Corporate Governance
- Cybersecurity is a management issue, not a technology issue.
- Boards need to understand the legal implications of corporate risk.
- Boards need access to cybersecurity expertise at timely and regular intervals.
- Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
Cyber Risk Management Process
(Figure: Cyber Risk Management Process. Source: NIST Cybersecurity Framework v1.0)
ISO 27001
ISO 27001 is a security management standard that specifies security management best practices and comprehensive security controls following the ISO 27002 best practice guidance. It is a widely recognized international security standard in which many companies in the US are showing significant interest. Certification against the standard requires:
- Systematic evaluation of information security risks, taking into account the impact of company threats and vulnerabilities.
- Design and implementation of a comprehensive suite of information security controls and other forms of risk management to address company and architecture security risks.
- Adoption of an overarching management process to ensure that the information security controls meet the organization's information security needs on an ongoing basis.
About ISO 27001
Total worldwide certificates are now in excess of 20,000, with East Asia/Pacific and Europe dominating the pack.
ISO in the US
Growth in US certificates has been consistent, with 566 issued in 2013.
By Industry
Rank  Industrial Sector                         # Certs
1     Information Technology                    5059
2     Other Services                            849
3     Construction                              396
4     Transport, storage and communication      322
5     Electrical and optical equipment          289
Total number of certifications issued in 2013 by industry sector (data is an approximate estimate by ISO/IEC).
By far, the largest industry sector seeking certification every year has been Information Technology.
So why ISO?
The ISO 27001 Standard provides the company with a solid yet flexible framework for the effective management of a rigorous, ongoing security program. The Information Security Management System (ISMS) required under the standard defines how the company perpetually manages security in a holistic, comprehensive way.
The Standard can apply to any type or size of business, big or small, and is not hampered by adherence to externally driven forces, as is the case for PCI. This means the design of the ISMS can be driven entirely by the business needs of the particular company or business.
Companies can adopt the standard as the blueprint for their information security program and choose whether or not to pursue full certification. Certification by an independent organization accredited as an official Certification Body (CB), such as Coalfire ISO, provides external validation that the organization conforms to the requirements of the international standard.
ISO certification is recognized in over 60 countries around the world, in all membership countries of the International Accreditation Forum (IAF).
ISO 27001 Advantages
A powerful combination. ISO 27001 is not driven solely by external considerations, as are standards like PCI Compliance and HIPAA. The combination of the business-driven, risk-based management framework of 27001 and its crossover with the IT controls required for business and other applicable compliance needs provides the client with a powerful, organization-wide approach that can be more deeply integrated into client business goals and objectives.
Wide applicability. ISO 27001 can be valuable as an operating framework for a small company laying the groundwork for information security in its business, or for complex Fortune 500s designing a sophisticated risk-based management framework for all information security in the company. The standard can be applied to virtually any business vertical, wherever businesses have a concern about the security of information within the organization, whether it relates to internal business assets or external customer information.
Building blocks. ISO 27001 provides the blueprint for a risk-based information security management framework that is different from most of the compliance standards currently in use in the US, as its scope can be designed entirely by the client based on business needs. The Standard provides rigorous guidance for the management of information security but does not mandate the specific IT controls required.
ISO 27001 Cycle
1. Gap Analysis
   - ISO 27001 Action Plan
   - ISO 27001 Training
2. Formation of ISMS
   - Domain and Control Area Analysis
   - Process Documentation
   - Documentation Review
   - Update and Revise Processes
   - Training on Defined Processes
   - Implementation of Defined Processes
3. Asset Risk Assessment
   - Perform Asset Risk Assessment
   - Identify and Implement Controls
4. Internal Audit
   - Training
   - Internal Audit Readiness
   - Internal Audit Report
   - Closure of Findings
5. Certification
ISO 27001 Certification Cycle
Three-year cycle commencing from the initial certification audit:
- First year: initial certification is in two stages
  - Stage one audit
  - Stage two audit
- One year out: Surveillance Audit 1
- Second year out: Surveillance Audit 2
- Third year: full certification audit again, stage one and two
Wrap-Up
- Coalfire Overview
- Threat Landscape
- What is ISO
- Why ISO
- ISO Cycle
- Q&A
Questions
Michael Fuller
Director, Coalfire
404-702-2558
Michael.fuller@coalfire.com