John Snare
Chair, Standards Australia Committee IT/12/4

Management perspective
- ISO/IEC 27001 ISMS
- Risk Management (ISO 31000)
- Industry Specific Standards: Banking, Health, Transport, Telecommunications
- ISO/IEC 27002 (was 17799) Controls
- Risk Management implementation guides
- Evaluation criteria ISO/IEC 15408
- Mechanisms, types of control
Technical perspective

The need for standards is international
- Very few national info sec standards
- Standards Australia is responsible for Australian input to ISO/IEC standards development committees
- Local broadly representative committee of experts prepares, by consensus, Australian input
- ISO/IEC committees meet regularly to consider national body input
- Development cycle takes about 3 years, based on progressively refined drafts every 6 months or so

This is a surprisingly tricky question!
- Hazards?
- Resilience?
- Business continuity?
- US Treadway commission?

Risk: effect of uncertainty on objectives
- It is often expressed in terms of a combination of the probability of events and their consequences
Risk Management: coordinated activities to direct and control an organization with regard to risk

- Business risk
- Market risk
- Finance risk
- Currency risk
- Project risk
- Legal risk
- Security risk

- Customers
- Line management
- Senior management
- Company Boards
- Business Partners

Special considerations
- outcomes are always negative (there is no upside)
- there are many, many
- typically major effort is devoted to preventive controls, but recovery controls shouldn't be neglected

Principles, Framework, Process

a. Risk management creates and protects value
b. Risk management is an integral part of all organizational processes
c. Risk management is part of decision making
d. Risk management explicitly addresses uncertainty
e. Risk management is systematic, structured and timely
f. Risk management is based on the best available information
g. Risk management is tailored
h. Risk management takes human and cultural factors into account
i. Risk management is transparent and inclusive
j. Risk management is dynamic, iterative, and responsive to change
k. Risk management facilitates continual improvement of the organization

Mandate & commitment
Design of framework
  1. Understanding the organization & its context
  2. Establishing risk management policy
  3. Accountability
  4. Integration into organizational processes
  5. Resources
  6. Internal and external communication & reporting mechanisms
Continual improvement
Implementing risk management
  1. Implementing the framework
  2. Implementing the processes
Monitoring & review

COMMUNICATE AND CONSULT
Establish Context
  - internal
  - external
  - risk management
  - criteria
Assess Risks
  - IDENTIFY RISKS
  - ANALYSE RISKS
  - EVALUATE RISKS
Treat Risks
  - identify options
  - evaluate options
  - select options
  - prepare plans
  - implement plans
MONITOR AND REVIEW

ISO/IEC 27001 ISMS Requirements: an infosec risk management system
- Establishing and managing an ISMS
- Documentation requirements
- Management responsibility
- Internal audits
- Management reviews
- Improvement

Development, maintenance, and improvement cycle
Interested Parties: information security requirements and expectations
- Plan: Establish the ISMS
- Do: Implement and operate the ISMS
- Check: Monitor and review the ISMS
- Act: Maintain and improve the ISMS
Interested Parties: managed information security

ISO/IEC 27000 Overview and vocabulary
ISO/IEC 27001 Information security management systems - Requirements
ISO/IEC 27002 A code of practice for information security management
ISO/IEC 27003 Implementation guidance
ISO/IEC 27004 Information security management - Measurements
ISO/IEC 27005 Information security risk management
ISO/IEC 27006 Requirements for ISMS certifying bodies
CD 27007 Guidelines for ISMS Auditing
WD 27008 Guidance for auditors on ISMS controls
WD 27014 Information security governance

April 14, 2010
WD 27010 Inter-sector and inter-organizational communications
ISO/IEC 27011 Guidelines for telecommunications
WD 27013 Integrated implementation of 27001 and 20000-1
WD 27015 Guidelines for the financial and insurance services sector

ISO/IEC 27002
- Risk assessment & treatment
- Security policy
- Organisation of information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information system acquisition, development & maintenance
- Information security incident management
- Business continuity management
- Compliance

FCD 27031 ICT Readiness for Business Continuity
CD 27032 Guidelines for cyber security
xd 27033 Network security (six parts)
xd 27034 Application security (five parts)
WD 27035 Information security incident management
WD 27036 Security in outsourcing
WD 27037 Guidelines for identification, collection and/or acquisition of digital evidence

Criteria (often called the common criteria)
Methodology
Protection profiles
Development of secure systems, with a view to evaluation, or leveraging the common criteria
SSECMM
Vulnerability reporting

- ICT Readiness for Business Continuity (27031)
- Cyber Security (27032)
- Selection, deployment & operation of IDS (18043)
- Information security incident management (27035)
- ICT Disaster recovery services (24762)
- Network Security (27033 parts 1-7)
- ICT Application security (27034 Parts 1-5)
- Security Information Objects for Access Control (15816)
- Security of Outsourcing (27036)
- TTP services security (14516, 15945)
- Time stamping services (29149)
- Identification, collection and/or acquisition, and preservation of digital evidence (27037)

Potential or emerging Infosec issues
Known Infosec issues
Infosec breaches & compromises

- Identity Management Framework
- Authentication assurance
- Access management
- Privacy Framework
- Architecture
- Capability maturity model
- Biometric template protection
- Authentication context for biometrics
- Biometric evaluation

Tackled in the 27014 project
Aligned with ISO/IEC 38500 (Corporate governance of IT)
Challenges
- Governance is as much a buzz-word as defined
- The relationship between management and governance
- The relationship between risk management and governance
- The relationships between various aspects of governance
- Responsibility and accountability

Introduced ISO 31000 (Risk Management)
- Principles
- Framework
- Process
Discussed infosec risk treatment
- With emphasis on existing and prospective standards
Touched on governance of infosec
- Where the debate about the place of risk management continues