Mark E.S. Bernard Cyber Security Defense-In-Depth based on ISO 27001 and ITIL
Comments

  • Thank you akudrati! Cheers! Mark
  • Thanks Teerapong!
  • Great slide deck, Mark.
    May I suggest some improvements as I'm going through the slide deck? I discovered that this deck and discussion dated from last year AFTER I wrote my comments hereafter. My apologies, and please reframe where needed.

    Slide 22: not all the appendix A control objectives are optional; some are mandatory since they are mentioned in the mandatory part: at least A5, A6, A15. As you know, a slide isolated from its context can start its own life... This is correctly shown in slides 50-56. What I did for the 2005 version was to cross-reference the mandatory ISMS clauses to the appendix A clauses.
    Slides 28-45 and the discussion of App A controls: might need an update to the 2013 version.
    Slide 47: clause 1.2 is part of the 2005 version, but not of the 2013 version. Also, this clause has caused a fair amount of confusion that implementing ISO 27001 was simply implementing the appendix A. An issue that has been discussed too often here.
    Slide 92: it might be worthwhile to stress the overlap with ISO 22301 and the specificities of ISO 27001, especially when converting this deck to the 2013 version of the 27001 standard.
    Also refer to the ISO guidance 27013 for the integration of ISMS and ITSMS.
    If you have any influence in ISO committees, it would be preferable that the 'mess' of 22301/annex SL integration gets cleaned up asap, and that 20000-1 also gets a revision with annex SL integration. And indeed, an all-comprehensive IT quality standard based on 9001/27001/22301/20000-1 would be greatly appreciated, but where does it end? Some 14001 or 50001 aspects certainly apply too, and the upcoming 45001 as well.
    I really hope that you have the energy to continue this ongoing work.
  • Excellent
  • Great work.

Transcript

  • 1. *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS *** Compiled by: Mark E.S. Bernard, ISO 27001 Lead Auditor, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT
  • 2.
      • Introduction
      • Layer 1 - ISMS clauses 4 – 8
      • Layer 2 - Policy, Organizational Design, Legal Obligations, Asset Management
      • Layer 3 - Human Resources
      • Layer 4 - Incident Management
      • Layer 5 - Access Control
      • Layer 6 - Physical & Environmental
      • Layer 7 - Information Systems Acquisition, Development & Maintenance
      • Layer 8 - Communications and Operations Management
      • Layer 9 - Business Continuity Management
      • ITIL – ICT, ISMS, DiD – Operational Integration
  • 3. Mark is an independent contractor who formerly worked in BC Government as a Director overseeing the Government's payments systems and public accounts processing, in excess of $42 billion annually in payments to firemen, judges, social service clients etc. Mark also spent time overseeing the privacy and security programs for BC Government Revenue Service & Small Business and Central 1 Credit Union. Mark is a volunteer and was recognized by the Premier of New Brunswick for his work in the Knowledge Industry establishing the Atlantic Chapter of the High Technology Crime Investigation Association. Mark has also volunteered with local professional associations for HTCIA, ISACA, ISSA, IIA and FMI. Mark has also been published in trade magazines and on the Internet, in addition to being sought after as an expert by local radio, newspapers and television. In Toronto Mark volunteered on the annual Toronto Children's Sick Kids Telethon and rode a stationary bike in a marathon Juvenile Diabetes campaign. Mark has also volunteered with local Minor Hockey, Minor Fastball, Elementary School, Middle School and Boy Scouts, and assisted with raising money for the Food Bank in conjunction with the annual NHL Old-Timers Challenge. Mark is continuing to contribute his knowledge through ISACA with the development of a Cloud Computing whitepaper and the Canadian Standards Institute's workgroup updating ISO/IEC 27001:2012 – Information Security Management Systems framework.
  • 4. (image-only slide, no transcript text)
  • 5. Probably the most famous German castle. Neuschwanstein Castle is a 19th-century Gothic Revival palace on a rugged hill above the village of Hohenschwangau near Füssen in southwest Bavaria, Germany.
  • 6. Fort Bourtange: Eighty Years' War (c. 1568–1648), when William I of Orange wanted to control the only road between Germany and the city of Groningen, which was controlled by the Spaniards.
  • 7. Marching and physical training: soldiers were taught to march, and they could march at a rapid speed for long intervals. Any army that could be split up by stragglers at the back or soldiers trundling along at differing speeds would be vulnerable to attack. Training in handling weapons: they primarily used wickerwork shields and wooden swords made to standards but twice as heavy. If a soldier could fight with these heavy dummy weapons, then he would be twice as effective with the standard weaponry.
  • 8. The Roman heavy infantry was typically deployed, as the main body facing the enemy, in three approximately equal lines, with the cavalry on their wings to prevent them being flanked and light infantry in a screen in front of them to hide changes in deployment strategy. The light infantry screen would harass the enemy forces and, in some cases, drive off units such as elephants that would be a great threat to close-order heavy infantry.
  • 9. (image-only slide, no transcript text)
  • 10.
      • Compliance Management
      • Risk Management
      • Identity Management
      • Authorization Management
      • Accountability Management
      • Availability Management
      • Configuration Management
      • Incident Management
  • 11.
      • Security Policy
      • Information Security Org
      • Asset Management
      • Human Resources
      • Physical & Environmental Security
      • Communications & Operations Management
      • Access Control
      • Information System Acquisition, Development & Maintenance
      • Information Security Incident Management
      • Business Continuity Management
      • Compliance
  • 12. (image-only slide, no transcript text)
  • 13. Source: Computer Security Institute 2010/11 Survey
  • 14. Source: Computer Security Institute 2010/11 Survey
  • 15. Source: Computer Security Institute 2010/11 Survey
  • 16.
      • Large-scale breaches dropped dramatically while small attacks increased. The report notes there are several possible reasons for this trend, including the fact that small to medium-sized businesses represent prime attack targets for many hackers, who favor highly automated, repeatable attacks against these more vulnerable targets, possibly because criminals are opting to play it safe in light of recent arrests and prosecutions of high-profile hackers.
      • Outsiders are responsible for most data breaches. Ninety-two percent of data breaches were caused by external sources. Contrary to the malicious-employee stereotype, insiders were responsible for only 16 percent of attacks. Partner-related attacks continued to decline, and business partners accounted for less than 1 percent of breaches.
      • Physical attacks are on the rise. After doubling as a percentage of all breaches in 2009, attacks involving physical actions doubled again in 2010, and included manipulating common credit-card devices such as ATMs, gas pumps and point-of-sale terminals. The data indicates that organized crime groups are responsible for most of these card-skimming schemes.
      • Hacking and malware are the most popular attack methods. Malware was a factor in about half of the 2010 caseload and was responsible for almost 80 percent of lost data. The most common kinds of malware found in the caseload were those involving sending data to an external entity, opening backdoors, and key logger functionalities.
      • Stolen passwords and credentials are out of control. Ineffective, weak or stolen credentials continue to wreak havoc on enterprise security. Failure to change default credentials remains an issue, particularly in the financial services, retail and hospitality industries.
    Source: Verizon Business 2011 Data Breach Investigations Report
  • 17. Threat statistics
      #1: Abuse and Nefarious Use of Cloud Computing
      #2: Insecure Interfaces and APIs
      #3: Malicious Insiders
      #4: Shared Technology Issues
      #5: Data Loss or Leakage
      #6: Account or Service Hijacking
      #7: Unknown Risk Profile
    Source: 2010 Cloud Security Alliance Top Threats to Cloud Computing
  • 18. Threat statistics
      A1: Injection
      A2: Cross-Site Scripting (XSS)
      A3: Broken Authentication and Session Management
      A4: Insecure Direct Object References
      A5: Cross-Site Request Forgery (CSRF)
      A6: Security Misconfiguration
      A7: Insecure Cryptographic Storage
      A8: Failure to Restrict URL Access
      A9: Insufficient Transport Layer Protection
      A10: Unvalidated Redirects and Forwards
    Source: 2010 OWASP Top 10 Web Application Security Risks
  • 19. Source: Computer Security Institute 2010/11 Survey
  • 20–26. (image-only slides, no transcript text)
  • 27. Risk Assessment – Threats:
      • Malware 67%
      • Fraudulent phishing 39%
      • Laptop or mobile computer theft or loss 34%
      • Bots/zombies within the infrastructure 29%
      • Insider abuse of email and Internet 25%
    Risk Assessment – Vulnerabilities:
      • Inadequate governance
      • Inadequate security policy
      • Inadequate risk management methodology
      • Inadequate security training/awareness
      • Inadequate security architecture
      • Inadequate monitoring or surveillance capabilities
      • Inadequate incident response procedures
      • Inadequate vulnerability assessment methodologies
  • 28. Clause 4 Information security management system: The organization shall establish, implement, operate, monitor, review, maintain and improve a documented ISMS within the context of the organization's overall business activities and the risks it faces.
  • 29. 4.2.1 Establish the ISMS
      a) Define the scope and boundaries
      b) Define an ISMS policy
      c) Define the risk assessment approach
      d) Identify the risks
      e) Analyse and evaluate the risks
      f) Identify and evaluate options for the treatment of risks
      g) Select control objectives and controls for the treatment of risks
      h) Obtain management approval of the proposed residual risks
      i) Obtain management authorization to implement/operate the ISMS
      j) Prepare a Statement of Applicability
  • 30. 4.2.2 Implement and operate the ISMS
      a) Formulate a risk treatment plan
      b) Implement the risk treatment plan
      c) Implement controls
      d) Define how to measure the effectiveness
      e) Implement training and awareness
      f) Manage operation of the ISMS
      g) Manage resources for the ISMS
      h) Implement procedures and controls (produce comparable and reproducible results)
  • 31. 4.2.3 Monitor and review the ISMS
      a) Execute monitoring and reviewing procedures
        1) promptly detect errors
        2) promptly identify security breaches and incidents
        3) determine if the ISMS is performing as expected
        4) help detect security events
        5) determine if breach resolution actions were effective
      b) Undertake regular reviews of the ISMS
      c) Measure the effectiveness of controls
      d) Review risk assessments at planned intervals
      e) Conduct internal ISMS audits
      f) Undertake a management review of the ISMS
      g) Update security plans
      h) Record actions and events
  • 32. 4.2.4 Maintain and improve the ISMS
      a) Implement the identified improvements
      b) Take appropriate corrective and preventive actions
      c) Communicate the actions and improvements
      d) Ensure that the improvements achieve their intended objectives
  • 33. 4.3 Documentation requirements
      a) documented ISMS policy
      b) the scope
      c) procedures and controls
      d) the risk assessment methodology
      e) the risk assessment report
      f) the risk treatment plan
      g) documented procedures needed for planning, operation and control
      h) records required by this International Standard
      i) the Statement of Applicability
  • 34. 4.3.2 Control of documents
      a) approve documents
      b) review and update documents as necessary
      c) ensure that the current revision status is verified
      d) ensure that relevant documents are available
      e) ensure that documents remain legible
      f) ensure that documents are available to those who need them, and are transferred, stored and ultimately disposed of in accordance with the procedures applicable to their classification
      g) ensure that documents of external origin are identified
      h) ensure that the distribution of documentation is controlled
      i) prevent the unintended use of obsolete documents
  • 35. 4.3.3 Control of records
      • Records shall be maintained in accordance with legal obligations defined by statutes, regulations and contracts
      • Records shall be maintained to provide evidence of conformity
      • Records shall be protected and controlled in accordance with legal obligations
      • Records shall remain legible, readily identifiable and retrievable
      • Records shall be retained and processed in accordance with legal obligations
      • Records shall be archived in accordance with legal obligations
      • Records shall be destroyed in accordance with legal obligations
  • 36. 5 Management responsibility / 5.1 Management commitment
      a) establishing the policy
      b) ensuring that objectives and plans are established
      c) establishing roles and responsibilities
      d) communicating to the organization
      e) providing sufficient resources
      f) deciding the criteria for accepting risks & acceptable levels of risk
      g) ensuring that internal audits are conducted
      h) conducting management reviews
  • 37. Roles and Responsibilities:
      • ISMS Consultant
      • ISMS Manager
      • ISMS Analyst
      • ISMS Auditor
      • Executives
      • Managers
      • Subject Matter Experts
      • External Parties
      • Customers
  • 38. 5.2 Resource management / 5.2.1 Provision of resources
      a) establishing the policy
      b) ensuring that objectives and plans are established
      c) establishing roles and responsibilities
      d) communicating to the organization
      e) providing sufficient resources
      f) deciding the criteria for accepting risks & acceptable levels of risk
      g) ensuring that internal audits are conducted
      h) conducting management reviews
  • 39. 5.2.2 Training, awareness and competence
      a) determining the necessary competencies for personnel
      b) providing training or taking other actions
      c) evaluating the effectiveness of the actions taken
      d) maintaining records of education, training, skills, experience and qualifications
  • 40. 6 Internal ISMS audits (to determine whether the ISMS controls, processes and procedures)
      a) conform to the requirements of this International Standard and relevant legislation or regulations;
      b) conform to the identified information security requirements;
      c) are effectively implemented and maintained; and
      d) perform as expected.
  • 41. 7 Management review of the ISMS (input)
      a) results of ISMS audits
      b) feedback from interested parties
      c) techniques, products or procedures used to improve the ISMS
      d) status of preventive and corrective actions
      e) vulnerabilities or threats not adequately addressed
      f) results from effectiveness measurements
      g) follow-up actions from previous management reviews
      h) any changes that could affect the ISMS
      i) recommendations for improvement
  • 42. 7 Management review of the ISMS (output)
      a) Improvement of the ISMS
      b) Update of the risk assessment and risk treatment plan
      c) Modification of procedures and controls due to internal or external events such as:
        1) business requirements
        2) security requirements
        3) business processes affecting the existing business requirements
        4) regulatory or legal requirements
        5) contractual obligations
        6) levels of risk and/or criteria for accepting risks
      d) Resource needs
      e) Improvement to how the effectiveness of controls is being measured
  • 43. 8 ISMS improvement / 8.1 Continual improvement: The organization shall continually improve the effectiveness of the ISMS through the use of the information security policy, information security objectives, audit results, analysis of monitored events, corrective and preventive actions and management review.
  • 44. 8 ISMS improvement / 8.2 Corrective action
      a) identifying nonconformities
      b) determining the causes of nonconformities
      c) evaluating the need for actions to ensure that nonconformities do not recur
      d) determining and implementing the corrective action needed
      e) recording results of action taken
      f) reviewing corrective action taken
  • 45. 8 ISMS improvement / 8.3 Preventive action
      a) identifying potential nonconformities and their causes
      b) evaluating the need for action to prevent occurrence of nonconformities
      c) determining and implementing preventive action needed
      d) recording results of action taken
      e) reviewing preventive action taken
  • 46. (image-only slide, no transcript text)
  • 47. Exclusions. Please note clause 1.2: Any exclusion of controls found to be necessary to satisfy the risk acceptance criteria needs to be justified, and evidence needs to be provided that the associated risks have been accepted by accountable persons. Where any controls are excluded, claims of conformity to this International Standard are not acceptable unless such exclusions do not affect the organization's ability, and/or responsibility, to provide information security that meets the security requirements determined by risk assessment and applicable legal or regulatory requirements.
  • 48. (image-only slide, no transcript text)
  • 49. Risk Assessment – Threats:
      • Malware 67%
      • Fraudulent phishing 39%
      • Laptop or mobile computer theft or loss 34%
      • Bots/zombies within the infrastructure 29%
      • Insider abuse of email and Internet 25%
    Risk Assessment – Vulnerabilities:
      • Inadequate governance process
      • Inadequate security policy
      • Inadequate risk assessment methodology
      • Inadequate security training/awareness
      • Inadequate security architecture
      • Inadequate monitoring or surveillance capabilities
      • Inadequate incident response procedures
      • Inadequate vulnerability assessment methodologies
  • 50. A.5 Security policy
      A.5.1 Information security policy
        A.5.1.1 Information security policy document
        A.5.1.2 Review of the information security policy
  • 51. A.6 Organization of information security
      A.6.1 Internal organization
        A.6.1.1 Management commitment to information security
        A.6.1.2 Information security coordination
        A.6.1.3 Allocation of information security responsibilities
        A.6.1.4 Authorization process for information processing facilities
        A.6.1.5 Confidentiality agreements
        A.6.1.6 Contact with authorities
        A.6.1.7 Contact with special interest groups
        A.6.1.8 Independent review of information security
  • 52. A.6 Organization of information security
      A.6.2 External parties
        A.6.2.1 Identification of risks related to external parties
        A.6.2.2 Addressing security when dealing with customers
        A.6.2.3 Addressing security in third party agreements
  • 53. A.7 Asset management
      A.7.1 Responsibility for assets
        A.7.1.1 Inventory of assets
        A.7.1.2 Ownership of assets
        A.7.1.3 Acceptable use of assets
      A.7.2 Information classification
        A.7.2.1 Classification guidelines
        A.7.2.2 Information labeling and handling
  • 54. A.15 Compliance
      A.15.1 Compliance with legal requirements
        A.15.1.1 Identification of applicable legislation
        A.15.1.2 Intellectual property rights (IPR)
        A.15.1.3 Protection of organizational records
        A.15.1.4 Data protection and privacy of personal information
        A.15.1.5 Prevention of misuse of information processing facilities
        A.15.1.6 Regulation of cryptographic controls
      A.15.2 Compliance with security policies and standards, and technical compliance
        A.15.2.1 Compliance with security policies and standards
        A.15.2.2 Technical compliance checking
  • 55. A.15.3 Information systems audit considerations
        A.15.3.1 Information systems audit controls
        A.15.3.2 Protection of information systems audit tools
  • 56–57. (image-only slides, no transcript text)
  • 58. Risk Assessment – Threats / Vulnerabilities (same table as slide 49)
  • 59. A.8 Human resources security
      A.8.1 Prior to employment
        A.8.1.1 Roles and responsibilities
        A.8.1.2 Screening
        A.8.1.3 Terms and conditions of employment
      A.8.2 During employment
        A.8.2.1 Management responsibilities
        A.8.2.2 Information security awareness, education and training
        A.8.2.3 Disciplinary process
  • 60. A.8.3 Termination or change of employment
        A.8.3.1 Termination responsibilities
        A.8.3.2 Return of assets
        A.8.3.3 Removal of access rights
  • 61–62. (image-only slides, no transcript text)
  • 63. Risk Assessment – Threats / Vulnerabilities (same table as slide 49)
  • 64. A.13.1 Reporting information security events and weaknesses
        A.13.1.1 Reporting information security events
        A.13.1.2 Reporting security weaknesses
      A.13.2 Management of information security incidents and improvements
        A.13.2.1 Responsibilities and procedures
        A.13.2.2 Learning from information security incidents
        A.13.2.3 Collection of evidence
  • 65–66. (image-only slides, no transcript text)
  • 67. Risk Assessment – Threats / Vulnerabilities (same table as slide 49)
  • 68. A.11 Access control
      A.11.1 Business requirement for access control
        A.11.1.1 Access control policy
      A.11.2 User access management
        A.11.2.1 User registration
        A.11.2.2 Privilege management
        A.11.2.3 User password management
        A.11.2.4 Review of user access rights
  • 69. A.11.3 User responsibilities
        A.11.3.1 Password use
        A.11.3.2 Unattended user equipment
        A.11.3.3 Clear desk and clear screen policy
      A.11.4 Network access control
        A.11.4.1 Policy on use of network services
        A.11.4.2 User authentication for external connections
        A.11.4.3 Equipment identification in networks
        A.11.4.4 Remote diagnostic and configuration port protection
        A.11.4.5 Segregation in networks
        A.11.4.6 Network connection control
        A.11.4.7 Network routing control
  • 70. A.11.5 Operating system access control
        A.11.5.1 Secure log-on procedures
        A.11.5.2 User identification and authentication
        A.11.5.3 Password management system
        A.11.5.4 Use of system utilities
        A.11.5.5 Session time-out
        A.11.5.6 Limitation of connection time
      A.11.6 Application and information access control
        A.11.6.1 Information access restriction
        A.11.6.2 Sensitive system isolation
  • 71–72. (image-only slides, no transcript text)
  • 73. Risk Assessment – Threats / Vulnerabilities (same table as slide 49)
  • 74. A.9 Physical and environmental security
      A.9.1 Secure areas
        A.9.1.1 Physical security perimeter
        A.9.1.2 Physical entry controls
        A.9.1.3 Securing offices, rooms and facilities
        A.9.1.4 Protecting against external and environmental threats
        A.9.1.5 Working in secure areas
        A.9.1.6 Public access, delivery and loading areas
  • 75. A.9.2 Equipment security
        A.9.2.1 Equipment siting and protection
        A.9.2.2 Supporting utilities
        A.9.2.3 Cabling security
        A.9.2.4 Equipment maintenance
        A.9.2.5 Security of equipment off premises
        A.9.2.6 Secure disposal or re-use of equipment
        A.9.2.7 Removal of property
  • 76–77. (image-only slides, no transcript text)
  • 78. Risk Assessment – Threats / Vulnerabilities (same table as slide 49)
  • 79. A.12 Information systems acquisition, development and maintenance
      A.12.1 Security requirements of information systems
        A.12.1.1 Security requirements analysis and specification
      A.12.2 Correct processing in applications
        A.12.2.1 Input data validation
        A.12.2.2 Control of internal processing
        A.12.2.3 Message integrity
        A.12.2.4 Output data validation
  • 80. A.12.3 Cryptographic controls
        A.12.3.1 Policy on the use of cryptographic controls
        A.12.3.2 Key management
      A.12.4 Security of system files
        A.12.4.1 Control of operational software
        A.12.4.2 Protection of system test data
        A.12.4.3 Access control to program source code
  • 81. A.12.5 Security in development and support processes
        A.12.5.1 Change control procedures
        A.12.5.2 Technical review of applications after operating system changes
        A.12.5.3 Restrictions on changes to software packages
        A.12.5.4 Information leakage
        A.12.5.5 Outsourced software development
      A.12.6 Technical vulnerability management
        A.12.6.1 Control of technical vulnerabilities
  • 82–83. (image-only slides, no transcript text)
  • 84. Risk Assessment – Threats / Vulnerabilities (same table as slide 49)
  • 85. A.10 Communications and operations management
      A.10.1 Operational procedures and responsibilities
        A.10.1.1 Documented operating procedures
        A.10.1.2 Change management
        A.10.1.3 Segregation of duties
        A.10.1.4 Separation of development, test and operational facilities
      A.10.2 Third party service delivery management
        A.10.2.1 Service delivery
        A.10.2.2 Monitoring and review of third party services
        A.10.2.3 Managing changes to third party services
      A.10.3 System planning and acceptance
        A.10.3.1 Capacity management
        A.10.3.2 System acceptance
  • 86. A.10.4 Protection against malicious and mobile code
        A.10.4.1 Controls against malicious code
        A.10.4.2 Controls against mobile code
      A.10.5 Back-up
        A.10.5.1 Information back-up
      A.10.6 Network security management
        A.10.6.1 Network controls
        A.10.6.2 Security of network services
      A.10.7 Media handling
        A.10.7.1 Management of removable media
        A.10.7.2 Disposal of media
        A.10.7.3 Information handling procedures
        A.10.7.4 Security of system documentation
  • 87. A.10.8 Exchange of information
        A.10.8.1 Information exchange policies and procedures
        A.10.8.2 Exchange agreements
        A.10.8.3 Physical media in transit
        A.10.8.4 Electronic messaging
        A.10.8.5 Business information systems
      A.10.9 Electronic commerce services
        A.10.9.1 Electronic commerce
        A.10.9.2 On-line transactions
        A.10.9.3 Publicly available information
  • 88. A.10.10 Monitoring
        A.10.10.1 Audit logging
        A.10.10.2 Monitoring system use
        A.10.10.3 Protection of log information
        A.10.10.4 Administrator and operator logs
        A.10.10.5 Fault logging
        A.10.10.6 Clock synchronization
  • 91. Risk Assessment – Threats / Risk Assessment – Vulnerabilities (same table as slide 84)
  • 92. A.14 Business continuity management
        A.14.1 Information security aspects of business continuity management
        A.14.1.1 Including information security in the business continuity management process
        A.14.1.2 Business continuity and risk assessment
        A.14.1.3 Developing and implementing continuity plans including information security
        A.14.1.4 Business continuity planning framework
        A.14.1.5 Testing, maintaining and reassessing business continuity plans
  • 96. Goals
  • 97. ISMS Goals
        • Reduce risks and threats to the Confidentiality, Integrity and Availability of the organization's Information Assets and System Resources by providing policies, practices and standards designed to mitigate or eliminate all known risks and threats.
        • Improve the effectiveness and efficiency of Information Security Management by implementing a world class best practice and framework for consistent, concise information security administration.
        • Improve the effectiveness and efficiency of existing information security mechanisms by formalizing new practices to monitor compliance and maintain sensitive data awareness.
        • Improve reassurance testing and validation outcomes by Internal Audit and External Auditors to further assure senior management and shareholders that Information Assets and System Resources are secure.
        • Reduce the likelihood that an accidental incident originating from staff could have an adverse effect on organizational reputation or liabilities, potentially leading to financial losses, by providing an ongoing information security program.
  • 98. ITSM Goals
        IT Security Management has two primary objectives that fit perfectly with the ISMS Goals:
        1) To meet the security requirements of SLAs and external requirements further to contracts, legislation and externally imposed policies.
        2) To provide a basic level of security, independent of external requirements.
  • 99. Quality Management
  • 100. Quality Management
        Quality Management for IT services is a systematic way of ensuring that all the activities necessary to design, develop, implement and maintain IT services satisfy the requirements of the organization and its employees, while providing assurance that strategic and tactical activities are carried out cost-effectively.
        “Quote”: ‘We have learned to live in a world of mistakes and defective products as if they were necessary to life. It is time to adopt a new philosophy...’ (W. Edwards Deming, 1900–1993)
  • 101. Quality Management
        Excerpts from Deming’s 14 points relevant to Service Management:
        - break down barriers between departments (improves communications and management)
        - management must learn their responsibilities, and take on leadership (process improvement requires commitment from the top; good leaders motivate people to improve themselves and therefore the image of the organization)
        - improve constantly (a central theme for service managers is continual improvement; this is also a theme for Quality Management. A process-led approach is key to achieving this target)
        - institute a programme of education and self-improvement (learning and improving skills have been the focus of Service Management for many years)
        - training on the job (linked to continual improvement)
        - transformation is everyone's job (the emphasis being on teamwork and understanding).
  • 102. Quality Management
        Deming’s 14-point Service Management guidelines focus on 4 repetitive activities, Plan – Do – Check – Act, through the establishment of a common theme, “continuous improvement”. These activities are easily identifiable within both the ITSM and ISMS frameworks and can also be linked to the Capability Maturity Model.
  • 103. PDCA: ‘PLAN – DO – CHECK – ACT’
  • 104. Plan-Do-Check-Act
        The PDCA Methodology is an iterative process model. [Diagram: Interested Parties supply information security requirements and expectations; the cycle PLAN (Step #1, Design & Plan Information Security Program) → DO (Step #2, Maintain & Improve Information Security Program) → CHECK (Step #3, Monitor, Audit & Review Information Security Program) → ACT (Step #4, Lead Corrective, Preventative and Continuous Improvement action plans) returns Managed Information Security to the Interested Parties.]
        PLAN: Design, plan and initiate the information security program. These activities include creating a strategy, socialization concepts, and creating policies, goals, objectives and practices as necessary to manage risk.
        DO: Execute and control the information security strategy, including its integration into organizational practices.
        CHECK: Facilitate semi-annual audits to determine conformance to the statement of applicability and identify opportunities for improvement. Wherever appropriate, develop and integrate performance metrics which support information security program goals and objectives.
        ACT: Upon the discovery of nonconformities and/or opportunities, create and track corrective, preventive, and continuous improvement action plans. Present findings from internal/external audit and risk assessments to the Management Review Committee for decisions regarding the acceptance, rejection, or transfer of risk and the commitment of resources and capital to facilitate subsequent efforts.
  • 105. ITIL – IT Security Management (ITSM)
        [Diagram: the customer defines business requirements in the SLA security chapter; the agreement between customer and provider is recorded in the SLA, OLA and UC; the IT Service Provider implements the SLA security requirements and reports according to the agreement. The security management cycle:]
        STEP #1 – PLAN: Service Level Agreements, Underpinning Contracts, Operational Level Agreements, Internal Policies.
        STEP #2 – DO: CONTROL: Organize, Create Management Framework, Allocate Responsibilities. IMPLEMENT: Improve awareness, Classification and management of resources, Personal Security, Physical Security, Security management of hardware, networks, applications, etc., Access Control, Resolve security incidents.
        STEP #3 – CHECK: EVALUATE: Internal audits, External audits, Self Assessments, Security incidents.
        STEP #4 – ACT: MAINTAIN: Learn, Improve, Plan, Implement.
  • 106. Information Security Management System (ISMS)
        [Diagram of the ISMS PDCA cycle; the recoverable labels follow.]
        STEP #1 – PLAN: ISMS Risk Assessment. Strategies include: (1) Control Self-Assessment, (2) Privacy Impact Assessment, (3) Threat-Risk Assessment, (4) OCTAVE. Inputs: Statutory/Regulator Registry, Contract Registry, Asset Inventory, Data Sensitivity, Business Plans, Legislative Changes, Partner/Customer Feedback, External Input.
        STEP #2 – DO: Threat/Risk Assessment → RA Report → Risk Treatment Plan. ISMS Audit Process: ISO27K Audit against the Statement of Applicability; Conformity? YES → Records/Evidence (ISMS Record Management); NO → Audit Report → InfoSec Management Review Committee.
        STEP #3 – CHECK: ISMS Management Review Process; Management Review Meeting (Minutes). Members: VP Finance, Property Administration Manager, VP of Product Development, Director of Technical Operations, Director of Product Development, VP of Payment Services, Director of Online Banking Services, Director of Internal Audit, Human Resources Manager. Decision: Accept, Reject or Transfer Risk.
        STEP #4 – ACT: Action Plans / Project Plans. A: Corrective or Preventative Action, integrated into the ITIL Incident and Problem Management processes. B: Continuous Improvement Program, integrated into Project Management, Project Dashboards, Service Desk, Human Resources, Systems Development.
  • 107. ISMS / ITSM “under the covers”
  • 110. Program “Inputs”
  • 111. Program “Inputs”
        ITSM: Inputs: SLA, OLA, Information Security Policy, Statutes, Regulations
        ISMS: Inputs:
        a) Improve the effectiveness of the ISMS;
        b) Update the risk assessment and risk treatment plan;
        c) Modification of practices and controls that affect information security, as necessary, to respond to internal or external events that may impact the ISMS, including changes to:
           1) business requirements;
           2) security requirements;
           3) business processes affecting the existing business requirements;
           4) regulatory or legal requirements;
           5) contractual obligations; and
           6) levels of risk and/or criteria for accepting risks;
        d) Resource needs;
        e) Improvement on how the effectiveness of controls is being measured.
  • 112. Program “Outputs”
  • 113. Program “Outputs”
        ITSM: Outputs: SLA status pertaining to Security Management Metrics, Exceptions, routine security planning, ISMS Management Review Committee
        ISMS: Outputs:
        a) results of ISMS audits and reviews;
        b) feedback from interested parties;
        c) techniques, products or procedures which could be used in the organization to improve the ISMS performance and effectiveness;
        d) status of preventive and corrective actions;
        e) vulnerabilities or threats not adequately addressed in the previous risk assessment;
        f) results from effectiveness measurements;
        g) follow-up actions from previous management reviews;
        h) any changes that could affect the ISMS; and
        i) recommendations for improvement.
  • 114. CYBERSECURITY Program ‘Integration’ with operational level processes
  • 115. ITSM Integration Points
        • Configuration Management
        • Incident Management
        • Problem Management
        • Change Management
        • Release Management
        • Capacity Management
        • Availability Management
        • IT Service Continuity Management
        • Service Level Management
  • 116. Configuration Management
        ITSM: Integration: The creation and maintenance of classified Configuration Items (CI). This classification links the CI with specified security practices and standards. It takes into consideration requirements for confidentiality, integrity and availability based on business requirements for compliance with statutory, regulatory and contractual obligations. These requirements are determined as the result of risk assessments such as the TRA, PIA and BIA.
        ISMS: Integration: A.7.1.1 All assets shall be clearly identified and an inventory of all important assets drawn up and maintained. A.7.2.1 Information shall be classified in terms of its value, legal requirements, sensitivity and criticality to the organization. A.7.2.2 An appropriate set of procedures for information labelling and handling shall be developed and implemented in accordance with the classification scheme adopted by the organization.
  • 117. Configuration Management
        People - Staff and managers, particularly those in key knowledge management roles such as senior/executive managers, software architects/developers/testers, systems managers, security administrators, operators, legal and regulatory compliance people.......
        Information - Personal, financial, legal, research and development, strategic and commercial, email, voicemail, databases, personal and shared drives, backup tapes/CDs/DVDs and digital archives, encryption keys.......
        Software - In-house/custom-written systems, client software (including shared or single-user ‘End User Computing’ desktop applications), ‘commercial off-the-shelf’ (COTS), ERP, MIS, databases, software utilities/tools, eBusiness applications, middleware....
  • 118. Configuration Management
        Hardware - Computing and storage devices, e.g. desktops, workstations, laptops, handhelds, servers, mainframes, modems and line terminators, communications devices (network nodes), printers/copiers/FAX machines and multifunction devices.
        Telecommunications - Fiber Internet Connection, DSL Internet Connection, General Packet Radio Service (GPRS), Gateway GPRS Support Node (GGSN), Protocol/Port Summary (- UDP 9000 (MO, MT), - UDP 53248 (MT), - FTP 21 (MO), - SSH 22 (MT), - HTTP 8005 (MT), - TCP 1225, 1121, 2189 (MO), - UDP 1120, 1121, 2188 (MO), - Unicom - IDC - ASN: 4808), Wireless Devices (GPRS, Public), Wireless Carriers, Internet Service Providers.
        Facilities - IT buildings, data centers, server/computer rooms, LAN/wiring closets, offices, desks/drawers/filing cabinets, media storage rooms.....
  • 119. Corrective/Preventative Actions
        110 incidents, of which the majority impacted the information security principle “availability”. Confidentiality was no surprise, impacting only 7% of all tickets. Even though the numbers are usually low within this category, events affecting “confidentiality” typically result in the biggest headaches. The real surprise was the high rate of incidents impacting the information security principle “integrity”.
  • 120. Incident Management
        ITSM: Integration: Incident Management is an important process for reporting security incidents. Information security incidents are not clearly understood by most business people, so it is very likely that information security incidents may be handled through a practice other than incident management. It is therefore essential that Incident Management recognize security incidents as such. Any incident that may interfere with achieving the SLA security requirements is classified as a security incident by ITSM. It is useful to include in the SLA a description of the types of incidents to be considered security incidents. In addition, any incident that interferes with achieving the basic internal security level is also classified as a security incident.
  • 121. Incident Management
        ISMS: Integration: A.13.1.1 Information security events shall be reported through appropriate management channels as quickly as possible.
  • 122. Problem Management
        ITSM: Integration: Problem Management is responsible for identifying and solving structural security failings. The resolution of a problem could introduce a new security risk, which is why Problem Management must involve Security Management during the resolution of the problem. This certification should be based on compliance with the SLA and organizational security requirements.
  • 123. Corrective/Preventative Management
        ITSM: Integration:
        Corrective action - 8.2 The documented procedure for corrective action shall define requirements for:
        a) identifying nonconformities;
        b) determining the causes of nonconformities;
        c) evaluating the need for actions to ensure that nonconformities do not recur;
        d) determining and implementing the corrective action needed;
        e) recording results of action taken (see 4.3.3); and
        f) reviewing of corrective action taken.
        Preventive action - 8.3 The documented procedure for preventive action shall define requirements for:
        a) identifying potential nonconformities and their causes;
        b) evaluating the need for action to prevent occurrence of nonconformities;
        c) determining and implementing preventive action needed;
        d) recording results of action taken (see 4.3.3); and
        e) reviewing of preventive action taken.
  • 124. Corrective/Preventative Management
        ITSM: Integration: 8.2 Corrective action and 8.3 Preventive action
  • 125. Continuous Improvement
        [Chart: 23 active projects monitored across Dept “A” to Dept “E”. Risk is measured in terms of High, Med, Low; impact is assessed against the principles of information security: Confidentiality, Integrity and/or Availability.]
  • 126. Continuous Improvement
        Risk is measured in terms of High, Med, Low. Impact is assessed against the principles of information security: Confidentiality, Integrity and/or Availability.
        Project Managers facilitate a control self-assessment and the security and privacy office follows up. If the balance between the number of active projects and impact/risk is relative, then generally projects continue without direct involvement of the security and privacy office.
  • 127. Continuous Improvement
        However, if the balance between the number of active projects and impact/risk appears out of balance, then the security and privacy office will get involved.
  • 128. Change Management
        ITSM: Integration: Change Management activities are often closely associated with security because Change Management and Security Management are interdependent. There are a number of standard operations to ensure that this security is maintained, including the Request For Change (RFC) associated with governance for acceptance. The RFC should also include a proposal for dealing with security issues, based on the SLA requirements. Preferably, the Security Manager (and possibly the customer’s Security Officer) should be a member of the Change Advisory Board (CAB).
  • 129. Change Management
        ISMS: Integration: A.10.1.2 Changes to information processing facilities and systems shall be controlled.
        [Flowchart: Information Security “Purpose” (Business Driver: we have an opportunity and/or our partners and clients have requested a new function or feature; why are we collecting the requested information?) and “Protection” (facilitate Risk Assessment, select & implement safeguards) decision process. It covers the information asset lifecycle (CREATE, USE, SHARE, DISCLOSE, INTERFACE, ARCHIVE, MIGRATE, CONSOLIDATE, CHANGE, ADD, DELETE, DISPOSE: SECURE/RECYCLE; manual operation, parallel information collection; paper, optical, mobile phone, digital camera, video, scanner, fax, computer interfaces), the access-authorization path (request access to classified information assets; are we removing access?; assign or modify the level of authorization; what level of authorization has been assigned?; has the appropriate security manager approved?; apply document control standards; release method: ftp, email, mail, hardcopy; notify user; maintain record of distribution, e.g. email record, courier receipt; remove username from authorized list; notify manager; manager to review the authorization list annually; RBAC, workgroups, SOD) and the classification levels D = Declassified, O = Operational, C = Confidential, P = Private. Legend: C: Control (C1–C5), R: Risk (R1–R5), CP: Communications Plan, TS: Test Plan, T: Tools; symbols for Activity, Decision, Document, Interface, Connect, Store, Page, Data.]
  • 130. Release Management
        ITSM: Integration: All new versions of software, hardware, data communications equipment, etc. should be controlled and rolled out by Release Management. This process will ensure that:
        * The correct hardware and software are used
        * The hardware and software are tested before use
        * The introduction is correctly authorized using change control
        * The software is legal
        * The software is free from viruses and that viruses are not introduced during distribution
        * The version numbers are known and recorded in the CMDB by Configuration Management
        * The rollout is managed effectively
  • 131. Release Management
        ISMS: Integration: A.10.1.2 Changes to information processing facilities and systems shall be controlled. A.10.1.4 Development, test and operational facilities shall be separated to reduce the risks of unauthorized access or changes to the operational system.
        [Flowchart: the access-authorization portion of the slide 129 diagram (request access to classified information assets; are we removing access?; assign or modify the level of authorization; has the appropriate security manager approved?; apply document control standards; release method; notify user; maintain record of distribution; remove username from authorized list; notify manager; annual review of the authorization list; RBAC, workgroups, SOD; classification levels D/O/C/P; legend C: Control, R: Risk, CP: Communications Plan, TS: Test Plan, T: Tools).]
  • 132. Availability Management
        ITSM: Integration: Availability Management addresses the technical availability of IT components in relationship to the availability of the service. The quality of availability is assured by continuity, maintainability and resilience. Availability Management is the most important process related to the information security principle of availability and the availability of information assets. As many security measures benefit both availability and the security principles of confidentiality and integrity, effective coordination of measures between Availability Management, IT Service Continuity Management, and Security Management is essential.
  • 133. Capacity Management
        ITSM: Integration: Capacity Management is responsible for the best use of IT resources, as agreed with the customer. The performance requirements are based on the qualitative and quantitative standards defined by Service Level Management. Almost all the activities of Capacity Management affect availability and therefore also Security Management.
  • 134. Capacity Management
        ISMS: Integration: A.10.10.5 Faults shall be logged, analyzed, and appropriate action taken. A.14.1.1 A managed process shall be developed and maintained for business continuity throughout the organization that addresses the information security requirements needed for the organization's business continuity.
  • 135. IT Service Continuity Management
        ITSM: Integration: IT Service Continuity Management ensures that the impact of any contingencies is limited to the level agreed with the customer. Contingencies need not necessarily turn into disasters. The major activities are defining, maintaining, implementing and testing the contingency plan, and taking preventative action. Because of security aspects, there are ties with Security Management. On the other hand, failure to fulfill basic security requirements may itself be considered a contingency.
  • 136. Business Continuity
        [Diagram: Consumer & Business Requirements → Your Business (customer information database with sample records for customers BOB and MARY) → Your Service Providers. Caption: CUSTOMER SERVICE REQUIRES INFORMATION TO FUNCTION.]
        BUSINESS DRIVERS: “Customers demand new services and improvements to existing services” = requirements = technology + telecommunications + business systems + hardware + skilled labor. To deliver these services we’ll need specific information gathered and stored, maintained, processed and exchanged.
        To deliver these services we’ll need business systems created in a programming language to ensure consistent and effective processing. We’ll also need reliable hardware and telecommunications suitable for the requirements, and skilled people/resources to write code, troubleshoot, administer security, apply patches/fixes, configure systems, configure communications and build in redundancy.
  • 137. Service Level Management
        ITSM: Integration: Service Level Management ensures that agreements about services to be provided to customers are defined and achieved. The Service Level Agreements should also address security measures. The objective is to optimize the level of service provided. Service Level Management includes a number of related security activities, in which Security Management plays an important role:
        (a) Identification of the security needs of the customers. Naturally, determining the security needs is the responsibility of the customer, as these needs are based on their business interests; verifying the feasibility of the customer’s security requirements.
        (b) Proposing, discussing and defining the security level of IT services in the SLA; identifying, developing and defining the internal security requirements for IT services through the OLA.
        (c) Monitoring the security standards defined within the OLA.
        (d) Reporting on the IT services provided.
  • 138. Service Providers
        The Organizational Security and Privacy group will assist Managers by reviewing and recommending amendments to contracts and agreements to ensure they address information security and privacy obligations as outlined within data protection statutes (PIP Act, PIPED Act, and FOIPP Act). Some of these provisions may include the following:
        • Physical and Environmental Security
        • Disclosure of Personal Information
        • Security standards for sensitive Databases
        • Annual Compliance Certificate
        • Transmission and Back-ups of Personal Information
        • Ownership and Control of Personal Information
        • Information handling for Database/Media
        • Privacy Strategy/Plan
        • System Logs, Audit Logs
        • Training/Awareness
        • Breach or Demand Notification
        • Risk Assessments (PIA, TRA, CSA)
        • Security Controls for Authorized Personnel
        • Testing and Development Work
        • Agreements with contractors/service providers
        • Removal of Personal Information
        • US based companies
        • Destruction of sensitive information and media containing sensitive information
        • Sensitive information sharing
        • Collection of Personal Information
        • Non-Compliance Reports
        [Diagram: Organizational Security and Privacy, Executives, Managers, Service Providers.]
  • 139. Service Catalogue
  • 140. SLA, OLA, and UC
  • 141. Key Performance Indicators
        • If the risk rating equals “High” for an Internet-facing system then “Immediate” action is required.
        • If the risk rating is “High” for an internal system then a resolution must be applied within “7 days”; all other systems have 60 days to remediate.
        • If the risk rating equals “Medium” for Internet-facing systems then remediation is required within “7 days”.
        • If the risk rating is “Medium” for an internal system then remediation is required within “60 days”. All other systems have a 90 day time span to remediate gaps in security.
        • If the risk rating is “Low” for an Internet-facing system then remediation is required within “30 days”.
        • If the risk rating is “Low” for an internal system then remediation is required within “180 days”.
        • All other systems have up to 18 months for remediation or until the next maintenance cycle, whichever is first.
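The remediation windows above become a measurable KPI only when every open finding is checked against its deadline. The following Python is an added example, not part of the deck: it encodes the slide's rating/exposure windows, classifies constructed findings as open, overdue or closed in/out of SLA, and computes the share that meet the KPI. Field names, the `Finding` record, the 548-day approximation of "18 months" and the sample data are all assumptions; the "next maintenance cycle, whichever is first" clause is not modelled.

```python
"""Remediation KPI check derived from the risk-rating rules on the slide.
Added example, not part of the original deck; all finding records are constructed."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# (risk rating, exposure) -> remediation window in days, as stated on the slide.
# 0 encodes "Immediate". "other" is the slide's "all other systems" clause;
# 18 months is approximated as 548 days (assumption), and the "next maintenance
# cycle, whichever is first" condition is not modelled.
REMEDIATION_WINDOW_DAYS = {
    ("High", "internet"): 0,
    ("High", "internal"): 7,
    ("High", "other"): 60,
    ("Medium", "internet"): 7,
    ("Medium", "internal"): 60,
    ("Medium", "other"): 90,
    ("Low", "internet"): 30,
    ("Low", "internal"): 180,
    ("Low", "other"): 548,
}


@dataclass(frozen=True)
class Finding:
    """One vulnerability-assessment finding (field names are assumptions)."""
    finding_id: str
    rating: str          # "High", "Medium" or "Low"
    exposure: str        # "internet", "internal" or "other"
    opened: date
    closed: Optional[date] = None


def remediation_deadline(rating: str, exposure: str, opened: date) -> date:
    """Return the date by which the finding must be remediated under the KPI."""
    key = (rating.capitalize(), exposure.lower())
    if key not in REMEDIATION_WINDOW_DAYS:
        raise ValueError(f"no remediation rule for rating={rating!r}, exposure={exposure!r}")
    return opened + timedelta(days=REMEDIATION_WINDOW_DAYS[key])


def finding_status(finding: Finding, today: date) -> str:
    """Classify a finding as open, overdue, closed-in-sla or closed-late."""
    deadline = remediation_deadline(finding.rating, finding.exposure, finding.opened)
    if finding.closed is not None:
        return "closed-in-sla" if finding.closed <= deadline else "closed-late"
    return "overdue" if today > deadline else "open"


def kpi_summary(findings, today: date) -> dict:
    """Count findings per status and compute the share still meeting the KPI.

    Findings open within their window, or closed within it, meet the KPI;
    overdue and late-closed findings breach it."""
    counts = Counter(finding_status(f, today) for f in findings)
    total = sum(counts.values())
    meeting = counts["open"] + counts["closed-in-sla"]
    return {
        "total": total,
        "by_status": dict(counts),
        "within_sla_pct": round(100.0 * meeting / total, 1) if total else 0.0,
    }


def overdue_findings(findings, today: date) -> list:
    """Return ids of findings that have breached their window, oldest first."""
    late = [f for f in findings if finding_status(f, today) == "overdue"]
    return [f.finding_id for f in sorted(late, key=lambda f: f.opened)]


# Constructed sample data: five findings as a vulnerability tracker might hold them.
SAMPLE_FINDINGS = [
    Finding("F-1", "High", "internet", date(2024, 2, 28)),                       # immediate, still open
    Finding("F-2", "High", "internal", date(2024, 2, 26)),                       # 7-day window, open
    Finding("F-3", "Medium", "internet", date(2024, 2, 10), date(2024, 2, 15)),  # closed in time
    Finding("F-4", "Medium", "internal", date(2023, 12, 1), date(2024, 2, 20)),  # closed late
    Finding("F-5", "Low", "other", date(2023, 1, 15)),                           # 18-month window
]
AS_OF = date(2024, 3, 1)  # constructed reporting date

if __name__ == "__main__":
    print(kpi_summary(SAMPLE_FINDINGS, AS_OF))
    print("overdue:", overdue_findings(SAMPLE_FINDINGS, AS_OF))
```

Feeding the tracker's real export into `SAMPLE_FINDINGS` turns this into the slide's KPI report; the `ValueError` on an unknown rating/exposure pair flags findings the rules do not cover rather than silently giving them no deadline.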
  • 142. Contractual Obligations
        ISMS: Integration: A.15.1.1 All relevant statutory, regulatory and contractual requirements and the organization's approach to meet these requirements shall be explicitly defined, documented, and kept up to date for each information system and the organization.
  • 143. Customer Service Reports
        ITSM: Integration: Customer Service Reports must be provided at the intervals agreed in the SLA. These reports compare the agreed service levels and the service levels that were actually measured. Examples include the following:
        * availability and downtime during a specific period
        * average response times during peak periods
        * transaction rates during peak periods
        * number of functional areas
        * frequency and duration of service degradation
        * average number of users at peak periods
        * number of successful and unsuccessful attempts to circumvent security
        * proportion of service capacity used
        * number of completed and open changes
        * cost of service provided
  • 144. External Reports
        ISMS: Integration: Statement of Applicability, Compliance Management, Risk Treatment Plan, etc.
  • 145. Management Reports
        ITSM: Integration: Management reports, in contrast to service level reports, are not for the customer, but to control or manage the internal process. They may contain metrics about actual service levels supported, and trends such as:
        * total number of SLAs in the pool
        * number of times an SLA was not fulfilled
        * cost of measuring and monitoring the SLA
        * customer satisfaction, based on surveys/complaints
        * statistics about incidents, problems, and changes
        * progress of continuous improvement action plans
  • 146. Internal Reports
        ISMS: Integration: Compliance Management, Asset Management, Risk Treatment Management, Continuous Improvement, TRA, PIA, CSA, etc.
  • 147. Multiple threat vectors can attack and exploit the same vulnerability in multiple ways, making it difficult to take effective corrective action or preventive action.
  • 148. The ISMS mitigates threats by applying a strategy that deploys a reduced set of controls in a matrix effect which addresses specific security weaknesses. This CyberSecurity Tactical Manager is responsible for the Defense-in-Depth; properly executed, it will be more effective than any other approach. Currently there is no other security framework available that is internationally accepted other than the ISMS.
  • 149. CyberSecurity is important, and the ISO/IEC 27001 ISMS framework can be utilized to provide assurance to customers, shareholders and partners. A crucial aspect of managing CyberSecurity effectively is the active engagement of managers and employees, especially those who have been assigned specific accountabilities and responsibilities for various aspects of CyberSecurity.
  • 150. If you have questions please contact ……. Mark E.S. Bernard. Skype: Mark_E_S_Bernard; Twitter: @MESB_TechSecure; LinkedIn: http://ca.linkedin.com/in/markesbernard