
Information security

daniel.dresner@ncc.co.uk

© 2005 PROVIDING PERSONAL AND PROFESSIONAL DEVELOPMENT FOR IT

You can’t undisclose a disclosure (1)

Slide 1

[Chart: the landscape of standards arranged around the plan-do-check-act cycle]

Plan: what to do? How to do it?
Do: do what was planned.
Check: did it go according to plan?
Act: how do we do it better next time?

Standards named on the chart:

• ISO 9001 Quality management systems
• TickIT
• Capability Maturity Model
• ISO/IEC 15288 System life cycle processes
• ISO 27001 Information security management systems: requirements
• EFQM Excellence Model
• BS 25777 IT service continuity
• ISO/IEC 24766 Information technology: guidelines for requirements engineering tool capabilities
• BS 10008 Evidential weight and legal admissibility of electronic information
• ISO/IEC 12207 Software life cycle processes
• BS ISO/IEC 38500 Corporate governance of information technology
• STARTS (Software Techniques for Reliable, Trusted Systems)
• Towards Software Excellence
• ISO 15504 Software process assessment
• e-Government Interoperability Framework (e-GIF)
• ISO 27005 Information security: risk management
• ISO/IEC 20000 IT service management
• ISO/IEC TR 15443-3 Framework for IT security assurance: analysis of assurance methods
• ISO/IEC 25000 Quality characteristics
• Accredit UK
• ISO/IEC 24762 Guidelines for ICT disaster recovery services
• Control Objectives for Information and Related Technology (CobIT)
• ISO 18019 Guidelines for the design and preparation of user documentation for application software
• Data Protection Act 1998

All business or service processes need the ability to go through iterative phases of plan-do-check-act. This chart shows how the top 8 national and international standards (emboldened text) form part of the best practice framework in information technology. This standards framework is the foundation for organisations to accept the technical standards of particular technologies, including those special to vendors.

© The National Computing Centre 2008 www.ncc.co.uk

Slide 9

• The National Computing Centre

• The landscape of Information Security standards

• Introduce a corporate information security programme step-by-step

• Good practice security controls for information management

(1) Gerry O’Neill, CEO, IISP

Slide 2

[Diagram: The National Computing Centre’s services (ITadviser, Benchmarks, Corporate Advisory Service, Human Firewall, Best Practice, Government, Training, Research, Rapid Surveys, Technical Consultant) mapped against its audiences (home user, small business user, school user, intermediary user, university user, central government, local government, national infrastructure, corporate) and technical roles (system developer, system analyst, system tester, technical support)]

No. The National Computing Centre doesn’t do escrow!

Slide 3

History (Learning Lessons)

• 1994: Security Breaches Survey
• 1995: DTI Code of Practice/BS 7799
• 1999: BS 7799 Code of practice for information security (the catalogue of controls)
• 2000: ISO 17799 (aka BS 7799 Part 1). No certificates!
• 2002: BS 7799 Part 2 (Plan-Do-Check-Act). Specification for an information security management system
• 2005: ISO 17799 (revised) = ISO 27002
• 2005: ISO 27001 (aka BS 7799 Part 2)

Slide 4

The landscape of Information Security standards

Slide 5

What they really mean

• ISO 27001 (BS 7799 Part 2)
  – Information security management system requirements
  – Plan-do-check-act
  – Like ISO 9001/ISO 20000
  – Certification Benchmark

• ISO 27002 (ISO 17799; BS 7799 Part 1)
  – Code of practice
  – Catalogue of 135 controls!
  – Pick and mix using ISO 27001
  – No certificates!

Slide 6

A taxonomy of treatment (not a wish list)

[Diagram with the labels: preventive action; customer feedback; product realisation; design and development review; quality policy; responsibility, authority and communication; measurement; resource management; purchasing; human resources]

Slide 7

[Chart: partial view of the standards landscape around the plan-do-check-act cycle; the full chart text appears at the start of the document]

© The National Computing Centre 2008 www.ncc.co.uk

Slide 8

© The National Computing Centre 2009

ISO/IEC 27001 in 13 Steps

Project plan

(1) Senior management acceptance and endorsement of security
(2) Information security organisation and infrastructure
(3) High level security policy
(4) Staff training and education – creating security awareness
(5) Identify and classify the assets
(6) Risk assessment
(7) Risk treatment plan
(8) Security standards document (control measures)
(9) Statement of applicability
(10) System security plans and procedures
(11) Monitor and review the ISMS performance
(12) Maintain the ISMS; continuous improvement
(13) Extending the scope

Slide 10

[Slides 11 to 21 repeat the 13-step project plan above]

[Diagram: the elements of the ISMS, the questions each answers, and how security incidents feed back into it (test, update, invoke, reappraise)]

Elements on the diagram: 1. Scope; 2. Policy; 3. Risk Assessment; 4. Security Controls; 5. Applicability; 6. Business Continuity; 7. Processes; (10) System security plans and procedures; Management; Security Incidents; Controlled Cost.

Questions on the diagram:

• What assets are we protecting?
• Asset ownership?
• What is our commitment to security?
• What level of risk can we accept?
• How serious are the threats to our assets?
• How much risk can we accept for each asset?
• What are the priorities for the business?
• How is risk kept to acceptable levels?
• Which assets are protected by which controls?
• How do we do all this?
• Are we achieving set service level measures?

Slide 22

[Slides 23 to 25 repeat the 13-step project plan above; slide 24 frames it with the project constraints content, time, quality and cost]

15.1.3 Protection of organizational records (ISO/IEC 27002:2007)

• Categorise records – manage according to impact level
• Protect against deterioration
  – Long term storage: use paper and microfiche (encrypt?!)
• Guide retention, storage media type, handling, and disposal to meet business, statutory, regulatory or contractual requirements
• Keep inventory of sources of key information
• Implement procedures (with/without technology) to protect records and information from:
  – Loss
  – Destruction
  – Falsification.
• Store cryptographic keys and programs to enable decryption
• See ISO 15489-1

ISMS = RMS
ISMS ≠ IT

Slide 26

Final thought

• 2008 – The year of lost data (UK)
• 2009 – The year of encryption
• 2010 – The year of lost encryption keys
• Think: retrieval and retention, not loss

Good security is an enabler

Slide 27

You can’t undisclose a disclosure

[Chart: the standards landscape around the plan-do-check-act cycle, repeated from slide 9; the chart text appears at the start of the document]

• The National Computing Centre
• The landscape of Information Security standards
• Introduce a corporate information security programme step-by-step
• Good practice security controls for information management

Slide 28

PAS 77:2006 IT Service continuity

Slide 29

Slide 30