CCSO Preliminary Cybersecurity Framework and ISO 27001
Recently the United States Government, through NIST, published a document titled "Preliminary Cybersecurity Framework" (October 2013). I have reviewed the document and mapped it to the ISO/IEC 27001:2013 ISMS to demonstrate how easily this internationally accepted standard can be used to establish a Cyber Security Program. ISO/IEC 27001:2013 comprises 114 Annex A controls grouped into 14 domains, plus the mandatory management-system requirements of clauses 4 through 10; in comparison it exceeds the "Preliminary Cybersecurity Framework" by introducing basic security controls that are missing there and that should be part of any initial Cyber Security Program. This information has been shared freely by Mark E.S. Bernard. If you find it useful please acknowledge this contribution. If you would like additional information or assistance with the customization and implementation of a balanced risk management process for your security program then please contact Mark @ 604-349-6557 or mesbernard@gmail.com

IDENTIFY (ID)

• Asset Management (AM): The personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization's risk strategy. ISO/IEC 27001:2013 Annex A.8 Asset management.
• Business Environment (BE): The organization's mission, objectives, stakeholders, and activities are understood and prioritized, and inform cybersecurity roles, responsibilities, and risk decisions. ISO/IEC 27001:2013 clause 4 Context of the organization and clause 5 Leadership.
• Governance (GV): The policies, procedures, and processes to manage and monitor the organization's regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk. ISO/IEC 27001:2013 Annex A.5 Information security policies, together with A.18.1 Compliance with legal and contractual requirements.
• Risk Assessment (RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. ISO/IEC 27001:2013 clause 8.2 Information security risk assessment and clause 8.3 Information security risk treatment (the process itself is defined in 6.1.2 and 6.1.3); ISO 31000 Risk management.
• Risk Management Strategy (RM): The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. ISO/IEC 27001:2013 clause 6.1 Actions to address risks and opportunities (6.1.2 sets the risk acceptance criteria) and clause 6.2 Information security objectives and planning to achieve them; ISO 31000 Risk management.

PROTECT (PR)

• Access Control (AC): Access to information resources and associated facilities is limited to authorized users, processes or devices (including other information systems), and to authorized activities and transactions. ISO/IEC 27001:2013 Annex A.9 Access control.
• Awareness and Training (AT): The organization's personnel and partners are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements. ISO/IEC 27001:2013 clauses 7.1 Resources, 7.2 Competence and 7.3 Awareness, and Annex A.7.2.2 Information security awareness, education and training.
• Data Security (DS): Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information. ISO/IEC 27001:2013 Annex A.8.2 Information classification (A.8.2.1 Classification of information, A.8.2.2 Labelling of information, A.8.2.3 Handling of assets) and A.8.3 Media handling; A.10 Cryptography also applies where data is protected in storage or transit.
• Information Protection Processes and Procedures (IP): Security policy (that addresses purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets. ISO/IEC 27001:2013 clause 4 Context of the organization, clause 5 Leadership, and Annex A.5.1.1 Policies for information security.
• Maintenance (MA): Maintenance and repairs of operational and information system components are performed consistent with policies and procedures. ISO/IEC 27001:2013 Annex A.11.2.4 Equipment maintenance and A.14 System acquisition, development and maintenance.
• Protective Technology (PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements. ISO/IEC 27001:2013 clause 8.2 Information security risk assessment and clause 8.3 Information security risk treatment (which select the Annex A controls to implement); the technical controls themselves sit mainly in Annex A.12 Operations security and A.13 Communications security.

DETECT (DE)

• Anomalies and Events (AE): Anomalous activity is detected in a timely manner and the potential impact of events is understood. ISO/IEC 27001:2013 Annex A.16 Information security incident management and A.12.4 Logging and monitoring.
• Security Continuous Monitoring (CM): The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures. ISO/IEC 27001:2013 Annex A.12.4 Logging and monitoring, and clause 9.1 Monitoring, measurement, analysis and evaluation.
• Detection Processes (DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events. ISO/IEC 27001:2013 Annex A.14.2.8 System security testing and A.18.2 Information security reviews.

RESPOND (RS)

• Response Planning (RP): Response processes and procedures are maintained and tested to ensure timely response to detected cybersecurity events. ISO/IEC 27001:2013 Annex A.16 Information security incident management (A.16.1.1 Responsibilities and procedures).
• Communications (CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from federal, state, and local law enforcement agencies. ISO/IEC 27001:2013 Annex A.16.1.4 Assessment of and decision on information security events, A.16.1.5 Response to information security incidents, and A.6.1.3 Contact with authorities.
• Analysis (AN): Analysis is conducted to ensure adequate response and support recovery activities. ISO/IEC 27001:2013 Annex A.16.1.6 Learning from information security incidents and A.16.1.7 Collection of evidence.
• Mitigation (MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident. ISO/IEC 27001:2013 Annex A.16.1.4 Assessment of and decision on information security events and A.16.1.5 Response to information security incidents.
• Improvements (IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities. ISO/IEC 27001:2013 Annex A.16.1.6 Learning from information security incidents and clause 10.2 Continual improvement.

RECOVER (RC)

• Recovery Planning (RP): Recovery processes and procedures are maintained and tested to ensure timely restoration of systems or assets affected by cybersecurity events. ISO/IEC 27001:2013 Annex A.17.1 Information security continuity (A.17.1.3 Verify, review and evaluate information security continuity).
• Improvements (IM): Recovery planning and processes are improved by incorporating lessons learned into future activities. ISO/IEC 27001:2013 clause 5.1 Leadership and commitment, item (g) Promoting continual improvement, clause 10.2 Continual improvement, and Annex A.17 Information security aspects of business continuity management.
• Communications (CO): Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors. ISO/IEC 27001:2013 clause 7.4 Communication, and Annex A.5.1.1 Policies for information security, A.8.1.4 Return of assets, A.9.2.6 Removal or adjustment of access rights, A.13.2 Information transfer, and A.15.2 Supplier service delivery management.

Note that this mapping is at the category level: the Framework's subcategories are finer-grained than the Annex A control objectives, so a certification-ready Statement of Applicability still needs each subcategory traced to the specific A.x.y.z control that satisfies it.