Implementing ISO 27001 In A Cost Effective Way

Certification Europe ran an Information Security Breakfast Seminar in November 2011. The main topic of the day was ISO 27001 and the benefits a company can achieve by implementing ISO 27001 (Information Security Management Systems) certification within the company.

Brian Honan, CEO of BH Consulting Ltd, gave a very interesting and compelling presentation on 'Implementing ISO 27001 In A Cost Effective Way' at the event. The attached slides give a brief synopsis of the overall process.

Further details can be found on our company website http://www.certificationeurope.com and on our YouTube channel http://www.youtube.com/user/CertificationEurope#p/u

Transcript

  • 1. Helping You Piece IT Together. Implementing ISO 27001 in a Cost Effective Way. http://www.bhconsulting.ie info@bhconsulting.ie
  • 2. 1st Question I’m Asked. 22nd November 2011, Copyright © BH IT Consulting Ltd, www.bhconsulting.ie
  • 3. The Challenge: Certification to ISO 27001, But Do So Cost Effectively, Using Existing Resources
  • 4. The Challenge
  • 5. Get it Wrong …
  • 6. Remember: Risk Assessment & Risk Management is Key
  • 7. MS Security Assessment Tool http://technet.microsoft.com/en-us/security/cc185712
  • 8. MS Security Risk Management Guide
  • 9. Others Available http://www.enisa.europa.eu/act/rm
  • 10. ISMS Documentation
  • 11. Appropriate Controls
  • 12. Windows Features: Encrypting File System; Windows Firewall; Windows Backup & Restore Centre; Windows User Access Control; User Rights & Privileges; Event Logs
  • 13. Windows Server 2008: Read-only domain controller; BitLocker drive encryption; Server Core; Network Access Protection; Routing and Remote Access Service; Windows Firewall with Advanced Security; Active Directory Certificate Services; Active Directory Rights Management Services; Group policies
  • 14. Other Free Tools: Microsoft Windows Server Update Services; Microsoft Baseline Security Analyzer; Microsoft Security Risk Management Guide; Microsoft Security Assessment Tool; Microsoft CAT.NET; Microsoft Source Code Analyzer for SQL Injection; XSS Detect Beta Code Analysis Tool; Microsoft Windows Sysinternals
  • 15. Other Resources: Windows Server 2008 Security Guide; Windows Server 2003 Security Guide; Microsoft Threats and Countermeasures Guide; Microsoft Security Guidance; Data Encryption Toolkit for Mobile PCs; Security Monitoring and Attack Detection Planning Guide; The Microsoft Security Response Centre Blog
  • 16. Open Source Tools: TrueCrypt; Nessus; Nmap; ASSP (short for "Anti-Spam SMTP Proxy"); AppArmor Application Firewall; Eraser & Wipe (secure deletion); Untangle & NetCop (web filtering & monitoring); Open Source Tripwire (change detection); Wireshark
  • 17. Open Source Tools: Nagios – Network Management; OpenNMS – Event Management; OTRS – Help Desk Management; RTIR – Incident Response Management; Metasploit; Burp Suite; OSSIM: the Open Source Security Information Manager; BackTrack – Suite of Security Tools
  • 18. A.10.5 - Backup (columns: ISO clause/control; Ref; Explanation; Controls)
    Information back-up (A.10.5.1). Explanation: Regular back-ups of essential information assets and software shall be taken and tested regularly. Controls: You could configure the back-up features within Microsoft® Windows and Windows Server® 2008 to regularly back up critical system and data files.
  • 19. A.11.3 User responsibilities (columns: ISO clause/control; Ref; Explanation; Controls)
    Password use (A.11.3.1). Explanation: All users will be required to follow good security practices when selecting and using passwords. Controls: Use Group Policies to enforce strong passwords.
    Unattended user equipment (A.11.3.2). Explanation: Unattended equipment will be given appropriate protection from unauthorised access. Controls: Use Group Policies to enforce a password-protected screensaver after a predetermined time of inactivity. Configure the system to force users off the system should their idle time exceed a preset time limit. You can also configure the system to only allow users to log on to the network at certain times of the day. Once those times expire, the system can forcibly log the user out of the system.
    Clear desk and clear screen policy (A.11.3.3). Explanation: To reduce the risk of unauthorised access, and loss of and damage to information assets, the company should have a clear desk and clear screen policy. Controls: Configure the system to force users off the system should their idle time exceed a preset time limit.
  • 20. A.10.10 Monitoring (columns: ISO clause/control; Ref; Explanation; Controls)
    Audit logging (A.10.10.1). Explanation: Security-relevant events will be recorded in audit logs which will be retained for an agreed period for use in future investigations and monitoring access. Controls: Ensure that audit logging is turned on. Use Microsoft® SPIDER to ensure that all relevant systems have logging turned on.
    Monitoring system use (A.10.10.2). Explanation: The use of information processing facilities shall be monitored and the results reviewed regularly. Controls: Use Microsoft® to detect any critical events within the audit logs.
    Protection of log information (A.10.10.3). Explanation: Log information and logging systems shall be protected from unauthorised access and alteration. Controls: Ensure that appropriate permissions are set on the folders that store the log files to protect them. Restrict access to the log files to those authorised to view them. Servers should be configured to shut down should the security log become full.
    Administrator and operator logs (A.10.10.4). Explanation: Operational staff will maintain a log of their activities which will be regularly independently checked. Controls: Use IIS server to log all operator and admin staff activity.
    Fault logging (A.10.10.5). Explanation: All faults will be reported and recorded and corrective action taken. Controls: Use IIS server to host a help-desk-type facility to record all faults.
    Clock synchronisation (A.10.10.6). Explanation: To ensure accurate recording of events, computer clocks shall be synchronised. Controls: Configure one server on your network to be your internal time server. Ensure that server is synchronising with a reputable external network time server. Configure all other servers and critical network devices to source their time from your internal network time server.
  • 21. Security Awareness http://www.enisa.europa.eu/act/ar
  • 22. Remember
  • 23. Instead of …
  • 24. Become an ISO 27001
  • 25. Questions Brian.honan@bhconsulting.ie www.bhconsulting.ie www.twitter.com/brianhonan www.bhconsulting.ie/securitywatch Tel: +353 – 1 - 4404065
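Slides 19 and 20 state the A.11.3 and A.10.10 controls as configuration goals (Group Policy screen lock, audit logging on, protected log files, shutdown on a full security log, synchronised clocks). The PowerShell script below is an added example, not part of Brian Honan's slides, that checks a single Windows host against several of those goals and reports pass/fail per control. The 12-character minimum, the 900-second lock timeout and the group names treated as "broad" are assumed values to be replaced by your own ISMS policy.

```powershell
# Added example, not from the slides: read-only checks for some of the A.11.3 and
# A.10.10 controls. Thresholds (12-character passwords, 900 s lock) are assumed
# values; set them from your own ISMS policy. Expects English Windows output and
# an elevated PowerShell session (auditpol and Get-Acl on the log folder need it).
$findings = @()
function Add-Finding($Control, $Pass, $Detail) {
    $script:findings += [pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail }
}

# A.11.3.1 Password use: effective minimum password length as reported by net accounts
$minLen = [int]((net accounts | Select-String 'Minimum password length') -replace '\D', '')
Add-Finding 'A.11.3.1' ($minLen -ge 12) "Minimum password length = $minLen (assumed threshold 12)"

# A.11.3.2 / A.11.3.3 Unattended equipment, clear screen: Group Policy enforced screensaver lock
$ss = Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop' `
      -ErrorAction SilentlyContinue
$ssOk = [bool]($ss -and $ss.ScreenSaveActive -eq '1' -and $ss.ScreenSaverIsSecure -eq '1' -and
               [int]$ss.ScreenSaveTimeOut -le 900)
Add-Finding 'A.11.3.2' $ssOk "Policy screensaver active=$($ss.ScreenSaveActive) secure=$($ss.ScreenSaverIsSecure) timeout=$($ss.ScreenSaveTimeOut)s (assumed max 900)"

# A.10.10.1 Audit logging: the Logon subcategory must not be "No Auditing" (/r emits CSV)
$logon = auditpol /get /subcategory:"Logon" /r | Where-Object { $_ } | ConvertFrom-Csv
$auditOk = [bool]($logon -and $logon.'Inclusion Setting' -ne 'No Auditing')
Add-Finding 'A.10.10.1' $auditOk "Logon auditing: $($logon.'Inclusion Setting')"

# A.10.10.3 Protection of log information: no write access for broad groups on the
# event log folder, and halt the server if the security log fills (CrashOnAuditFail)
$logDir = Join-Path $env:SystemRoot 'System32\winevt\Logs'
$broad = (Get-Acl $logDir).Access | Where-Object {
    $_.IdentityReference -match 'Everyone|Authenticated Users|\\Users$' -and
    $_.FileSystemRights -match 'Write|Modify|FullControl' }
Add-Finding 'A.10.10.3' (-not $broad) "Broad write access on ${logDir}: $(@($broad.IdentityReference) -join ', ')"
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Add-Finding 'A.10.10.3' ($lsa.CrashOnAuditFail -ge 1) "CrashOnAuditFail = $($lsa.CrashOnAuditFail)"

# A.10.10.6 Clock synchronisation: the time source must not be the local clock
$src = (w32tm /query /source 2>$null) -join ''
$timeOk = [bool]($src -and $src -notmatch 'Local CMOS Clock|Free-running')
Add-Finding 'A.10.10.6' $timeOk "Time source: $src"

$findings | Format-Table -AutoSize
```

Each failing row points at the Group Policy or server setting named in the slide's Controls column; run it on a sample of servers and workstations as evidence for the ISMS internal audit.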