ISO 27001 ISMS With Mark E.S. Bernard. Title: Threats, Vulnerabilities, Risks to Enterprise Assets and Legal Obligations.


ISO 27001 ISMS With Mark E.S. Bernard. Title: Threats, Vulnerabilities, Risks to enterprise assets and legal obligations. How will iso 27001 – ISMS address these potential issues? Enhancing the corporate Sustainability – resilience - Trust!

Published in: Business


Transcript

  • 1. Compiled by: Mark E.S. Bernard, ISO 27001 Lead Auditor, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT. *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***
  • 2. Introduction • Threats • Potential Impacts • Identifying Threats • Risk Management • Identifying Legal Threats • Compliance Management • Contact Information • Policy, Procedure, Standards
  • 4. Mark E.S. Bernard, CRISC, CGEIT, CISA, CISM, CISSP, PM, ISO 27001, SABSA-F2. Information Security, Privacy, Governance, Risk Management Consultant. Mark has 22 years of proven experience within the domain of Information Security, Privacy & Governance. Mark has led teams of 30 or more as a Director and Project Manager and managed budgets of $5 Million+. Mark has also provided oversight as a senior manager during a government outsourcing contract valued at $300 million and smaller contracts for specialized services for ERP systems and security testing. Mark has led his work-stream during the RFP process, negotiations, on-boarding and contract renegotiation, and as Service Manager. Mark has architected information security and privacy programs based on ISO 27001 and reengineered IT processes based on Service Manager ITIL/ISO 20000, building in Quality Management ISO 9001. Mark is a volunteer on the local professional associations for HTCIA, ISACA, ISSA and IIA. Mark has also been published in trade magazines and on the Internet, in addition to being sought after as an expert by local radio, newspapers and television. Mark has taught as a Professor of a third-year iSeries systems engineering course, led many workshops and delivered keynote speeches. Mark’s expertise has been applied in a number of verticals including Financial Services, Banking, Insurance, Pharmaceutical, Telecommunications, Technology, Manufacturing and Academia.
    Some of Mark’s recent project highlights are as follows. Accomplishments:
    • In 2012 assisted an Executive Relocation Organization to ISO/IEC 27001 Registration/Certification
    • In 2012 assisted a Nanotechnology Fabrication Facility to ISO/IEC 27001 Registration/Certification
    • In 2012 assisted a Cloud Software as a Service Provider to ISO/IEC 27001 Registration/Certification
    • In 2010/11 co-led a US-based Cloud Service Provider ISO/IEC 27001 Registration/Certification
    • In 2009 led the 1st Canadian Public Sector ISO/IEC 27001 Registration/Certification
    • In 2009 led the On-boarding Project for an ERP Service Provider
    • In 2009 led the Technology and Operations work-stream during a Negotiated Request for Proposal
    • In 2007 led the 1st Canadian Online Banking, Trade & Wholesale Service to ISO/IEC 27001 Registration/Certification
    • In 2005 led the Privacy, Security, and Privacy Compliance work-stream during outsourcing to an alternate service delivery organization
    • In 2002 led Information Security Program development for an International Food Manufacturer
    • In 1999 led an Independent Security Assurance Review of financial systems located off shore
  • 5. Registration need not be the final goal; however, every business can benefit from adopting a management system that provides assurance of information assets in alignment with strategic and tactical business goals while addressing Governance, Risk Management and Compliance Management requirements.
  • 6. The demand for ISO/IEC 27001:2005 has nearly tripled in six years and the number of countries adopting the Information Security Management System has doubled. ISO/IEC 27001:2005 will soon be releasing its first major revision since the 2005 adoption, and if it turns out to be anything like the changes that we've seen in ICFR/ICIF, ISAE 3402 or NIST SP 53, there will be significant improvements to be leveraged. In 2006, the first year of the annual survey, ISO/IEC 27001:2005 certificates at the end of December 2006 totaled 5,797. The number of countries adopting ISO/IEC 27001 totaled 64. At the end of 2010, at least 15,625 certificates had been issued in 117 countries. The 2010 total represents an increase of 2,691 (+21%) since December 2009. In 2006 the top three countries adopting ISO/IEC 27001 were Japan, the United Kingdom and India, and in 2010 that trend continued. However, the top three countries from December 2009 to 2010 were Japan, China and the Czech Republic.
  • 8. Source: Computer Security Institute 2010/11 Survey
  • 9. Source: Verizon Business 2011 Data Breach Investigations Report
    • Large-scale breaches dropped dramatically while small attacks increased. The report notes there are several possible reasons for this trend, including the fact that small to medium-sized businesses represent prime attack targets for many hackers, who favour highly automated, repeatable attacks against these more vulnerable targets, possibly because criminals are opting to play it safe in light of recent arrests and prosecutions of high-profile hackers.
    • Outsiders are responsible for most data breaches. Ninety-two percent of data breaches were caused by external sources. Contrary to the malicious-employee stereotype, insiders were responsible for only 16 percent of attacks. Partner-related attacks continued to decline, and business partners accounted for less than 1 percent of breaches.
    • Physical attacks are on the rise. After doubling as a percentage of all breaches in 2009, attacks involving physical actions doubled again in 2010, and included manipulating common credit-card devices such as ATMs, gas pumps and point-of-sale terminals. The data indicates that organized crime groups are responsible for most of these card-skimming schemes.
    • Hacking and malware are the most popular attack methods. Malware was a factor in about half of the 2010 caseload and was responsible for almost 80 percent of lost data. The most common kinds of malware found in the caseload were those involving sending data to an external entity, opening backdoors, and key logger functionalities.
    • Stolen passwords and credentials are out of control. Ineffective, weak or stolen credentials continue to wreak havoc on enterprise security. Failure to change default credentials remains an issue, particularly in the financial services, retail and hospitality industries.
  • 10. Source: 2010 Cloud Security Alliance Threats
    • #1: Abuse and Nefarious Use of Cloud Computing
    • #2: Insecure Interfaces and APIs
    • #3: Malicious Insiders
    • #4: Shared Technology Issues
    • #5: Data Loss or Leakage
    • #6: Account or Service Hijacking
    • #7: Unknown Risk Profile
  • 11. Source: 2010 OWASP Top 10 Web Application Security Risks
    • A1: Injection
    • A2: Cross-Site Scripting (XSS)
    • A3: Broken Authentication and Session Management
    • A4: Insecure Direct Object References
    • A5: Cross-Site Request Forgery (CSRF)
    • A6: Security Misconfiguration
    • A7: Insecure Cryptographic Storage
    • A8: Failure to Restrict URL Access
    • A9: Insufficient Transport Layer Protection
    • A10: Unvalidated Redirects and Forwards
  • 12. Source: ‘The Risk of Insider Fraud’, Ponemon Institute 2011
    • Employee-related incidents of fraud, on average, occur weekly in participating organizations.
    • Sixty-four percent of the respondents in this study say the risk of insider fraud is very high or high within their organizations.
    • CEOs and other C-level executives may be ignoring the threat, according to respondents.
    • The majority of insider fraud incidents go unpunished, leaving organizations vulnerable to future such incidents.
    • The threat vectors most difficult to secure and safeguard from insider fraud are mobile devices, outsourced relationships (including cloud providers) and applications.
    • The majority of respondents do not believe their organization has the appropriate technologies to prevent or quickly detect insider fraud, including employees’ misuse of IT resources.
  • 13. Source: Computer Security Institute 2010/11 Survey
  • 15. The following example is a subset demonstrating the potential results of an exploited vulnerability within ‘People Assets’ in most common Enterprises. The impacts are measured against the principles of information security: confidentiality, integrity and availability. The severity in this example is rated high, medium or low to simplify the message to a broad audience.
  • 16. The following example is a subset demonstrating the potential results of an exploited vulnerability within ‘Information Assets’ in most common Enterprises. The impacts are measured against the principles of information security: confidentiality, integrity and availability. The severity in this example is rated high, medium or low to simplify the message to a broad audience.
  • 17. The following example is a subset demonstrating the potential results of an exploited vulnerability within ‘Software Assets’ in most common Enterprises. The impacts are measured against the principles of information security: confidentiality, integrity and availability. The severity in this example is rated high, medium or low to simplify the message to a broad audience.
  • 18. The following example is a subset demonstrating the potential results of an exploited vulnerability within ‘Hardware Assets’ in most common Enterprises. The impacts are measured against the principles of information security: confidentiality, integrity and availability. The severity in this example is rated high, medium or low to simplify the message to a broad audience.
  • 19. The following example is a subset demonstrating the potential results of an exploited vulnerability within ‘Telecommunication Assets’ in most common Enterprises. The impacts are measured against the principles of information security: confidentiality, integrity and availability. The severity in this example is rated high, medium or low to simplify the message to a broad audience.
  • 20. The following example is a subset demonstrating the potential results of an exploited vulnerability within ‘Facility Assets’ in most common Enterprises. The impacts are measured against the principles of information security: confidentiality, integrity and availability. The severity in this example is rated high, medium or low to simplify the message to a broad audience.
  • 22. Do we choose to respond to threats and security incidents after the fact, or to act before a Threat exploits a known Vulnerability? We can choose to identify the matching vulnerabilities and remediate them to acceptable levels.
  • 23. ISO 27001 has already developed controls that are designed to remediate common or known threats, vulnerabilities and risks.
  • 24. A close assessment of the technology stack can easily identify vulnerabilities that might be exposed to threats leading to risks.
  • 26. There are thousands of threats to the Enterprise but only a small subset have the potential to negatively impact the Enterprise, so a 9-point evaluation of threats is essential to help establish a common threat index for the risk assessment process.
  • 27. There are hundreds of vulnerabilities within any Enterprise; however, only a subset will be identified with a matching threat, so it is very likely that some vulnerabilities will not be remediated, as the overall risk rating will rank them below the risk appetite.
  • 28. ISO 27001 has identified the most common controls utilized to remediate the most common threats, vulnerabilities and risks to most Enterprises. The emphasis of Total Quality Management is the remediation of those risks based on a standard series of controls listed within the Statement of Applicability.
  • 29. Within the Risk Management Process we systematically identify and address threats and vulnerabilities to Enterprise Assets, and take action to mitigate those risks to acceptable levels.
  • 30. The Risk Rating helps match actual risks to the risk appetite.
  • 31. Following the assessment of threats and vulnerabilities and the identification of risks, management makes a decision and we begin monitoring and tracking risks.
  • 32. In more advanced ISMS Risk Management programs we monitor and track risks in connection with the Enterprise Risk Management program.
  • 33. We should not only track risks internally, as many risks are shared with external vendors and service providers through Service Management processes and the Service Desk.
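The rating-against-appetite step described on slides 26 to 33, as an added worked example in Python; it is not part of the presentation. The three-level scales, the rating formula (likelihood x worst-case impact across confidentiality, integrity and availability), the appetite threshold of 4, the vendor-sharing flag and every register entry are assumptions constructed for this example; the presentation's own 9-point threat evaluation is not reproduced.

```python
"""Illustrative risk register: rate each risk and compare it with the risk appetite.

Assumptions of this example (not taken from the presentation): three-level
likelihood and impact scales, rating = likelihood x worst-case CIA impact (1..9),
and a single numeric risk appetite separating "treat" from "accept".
"""
from dataclasses import dataclass

LEVEL = {"low": 1, "medium": 2, "high": 3}
PRINCIPLES = ("confidentiality", "integrity", "availability")
# Asset classes as used on the impact slides of the presentation.
ASSET_CLASSES = {"People", "Information", "Software", "Hardware",
                 "Telecommunication", "Facility"}


@dataclass
class Risk:
    asset_class: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: str          # "low" | "medium" | "high"
    impact: dict             # per-principle severity, same three levels
    owner: str = "internal"  # "vendor:<name>" when the risk is shared with a provider
    control: str = ""        # planned mitigating control, free text

    def __post_init__(self):
        if self.asset_class not in ASSET_CLASSES:
            raise ValueError(f"unknown asset class: {self.asset_class}")
        missing = set(PRINCIPLES) - set(self.impact)
        if missing:
            raise ValueError(f"impact not rated for: {sorted(missing)}")

    def impact_score(self) -> int:
        """Worst case across confidentiality, integrity and availability."""
        return max(LEVEL[self.impact[p]] for p in PRINCIPLES)

    def rating(self) -> int:
        """Numeric rating 1..9 = likelihood x impact."""
        return LEVEL[self.likelihood] * self.impact_score()

    def severity(self) -> str:
        """Collapse the rating to high/medium/low for a broad audience."""
        r = self.rating()
        return "high" if r >= 6 else "medium" if r >= 3 else "low"


def treatment_plan(risks, appetite):
    """Risks rated above the appetite are treated (highest first); the rest are
    accepted and tracked, which is why some vulnerabilities stay unremediated."""
    treat = sorted((r for r in risks if r.rating() > appetite), key=lambda r: -r.rating())
    accept = [r for r in risks if r.rating() <= appetite]
    return treat, accept


def shared_with_vendors(risks):
    """Risks whose treatment depends on an external vendor or service provider."""
    return [r for r in risks if r.owner.startswith("vendor:")]


# Constructed sample register; the threats echo the survey findings quoted earlier.
REGISTER = [
    Risk("Information", "customer records database",
         "external attacker using stolen credentials",
         "default administrative credentials never changed", "high",
         {"confidentiality": "high", "integrity": "medium", "availability": "low"},
         control="change defaults, enforce password policy, review privileged logins"),
    Risk("People", "staff with payment authority", "insider fraud",
         "no segregation of duties in payment approval", "medium",
         {"confidentiality": "medium", "integrity": "high", "availability": "low"},
         control="dual approval above a threshold, periodic reconciliation"),
    Risk("Telecommunication", "primary internet link", "provider outage",
         "single link with no failover", "medium",
         {"confidentiality": "low", "integrity": "low", "availability": "medium"},
         owner="vendor:ISP (constructed)", control="SLA monitoring via Service Desk"),
    Risk("Facility", "server room", "unauthorised physical entry",
         "shared access badges", "low",
         {"confidentiality": "medium", "integrity": "low", "availability": "medium"}),
    Risk("Hardware", "point-of-sale terminals", "card-skimming device fitted by criminals",
         "terminals not inspected for tampering", "medium",
         {"confidentiality": "high", "integrity": "medium", "availability": "low"},
         control="daily tamper inspection, serial-number checks"),
]

RISK_APPETITE = 4  # assumed threshold: ratings of 4 or below are accepted


if __name__ == "__main__":
    treat, accept = treatment_plan(REGISTER, RISK_APPETITE)
    for label, group in (("TREAT", treat), ("ACCEPT", accept)):
        for r in group:
            print(f"{label:6} {r.rating()} {r.severity():6} {r.asset_class:16} {r.asset}")
    print("shared with vendors:", [r.asset for r in shared_with_vendors(REGISTER)])
```

Two design points carry over to a real register: the worst-case rule means a risk with a single high impact on any one principle is never averaged away, and the accepted list is kept and tracked rather than discarded, since slide 27's point is that unremediated vulnerabilities are a known, recorded outcome of ranking below the appetite.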
  • 38. Legal and regulatory obligations:
    • Health Insurance Portability and Accountability Act (HIPAA)
    • Health Information Technology for Economic and Clinical Health Act (HITECH Act)
    • Federal Information Security Management Act (FISMA)
    • Gramm-Leach-Bliley Act (GLBA)
    • Payment Card Industry Data Security Standard (PCI-DSS)
    • Payment Card Industry Payment Application Standard
    • Sarbanes-Oxley Act (SOX)
    • U.S. state data breach notification law
    • International privacy or security laws
  • 39. Before we can treat compliance concerns we need to identify, record and map ISO 27001 controls listed in the Statement of Applicability to specific legal obligations defined by provisions and clauses within statutes, regulations and internal/external facing contracts.
  • 40. Here is an example of how ISO 27001 – ISMS can easily and seamlessly address all HIPAA legal requirements.
  • 41. When all the mapping has been completed, approximately 70 of the already existing 133 ISO 27001 control objectives will be leveraged to address HIPAA Compliance.
  • 42. Within procedures we can identify and integrate control points designed to remediate risks. In the example I’ve identified threats, risks and controls to demonstrate how the control design functions.
  • 43. Within the following example I list out the specific threat, potential impact and mitigating control.
  • 44. Within this example I take the process one step further and identify the test scenario designed to verify and validate the control design. This is a requirement for SOX.
  • 45. For more information contact: Skype: Mark_E_S_Bernard; Twitter: @MESB_TechSecure; LinkedIn: http://ca.linkedin.com/in/markesbernard
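The obligation-to-control mapping of slides 39 to 41 and the control test scenarios of slides 42 to 44, as an added example in Python that is not part of the presentation. The Statement of Applicability entries (ISO/IEC 27001:2005 Annex A numbering), the HIPAA clause citations, the unmapped contract clause and the test-scenario text are illustrative and constructed here; any reference must be checked against the real SoA and the regulation before use. The check goes slightly beyond the slides in one respect: a control that is excluded in the SoA is treated as satisfying nothing, and a mapping to a control the SoA does not list is reported separately.

```python
"""Map legal obligations to Statement of Applicability (SoA) controls and report gaps.

Illustrative only: the SoA entries, Annex A references (ISO/IEC 27001:2005
numbering), HIPAA clause citations and the contract clause are constructed for
this example and must be checked against the real SoA and the regulation.
"""
from dataclasses import dataclass, field


@dataclass
class SoAControl:
    ref: str                 # Annex A reference
    title: str
    applicable: bool         # as declared in the SoA; excluded controls satisfy nothing
    test_scenario: str = ""  # how the control design is verified (a SOX expectation)


@dataclass
class Obligation:
    source: str              # statute, regulation or contract
    clause: str              # provision reference
    requirement: str
    controls: list = field(default_factory=list)  # SoA refs intended to satisfy it


def compliance_report(obligations, soa):
    """Return which obligations lack an effective control, which controls are
    leveraged, which leveraged controls have no test scenario, and unknown refs."""
    by_ref = {c.ref: c for c in soa}
    gaps, leveraged, untested, unknown = [], set(), set(), set()
    for ob in obligations:
        effective = []
        for ref in ob.controls:
            ctrl = by_ref.get(ref)
            if ctrl is None:
                unknown.add(ref)            # mapping refers to a control not in the SoA
            elif ctrl.applicable:
                effective.append(ref)
        if not effective:
            gaps.append(ob)                 # unmapped, or mapped only to excluded controls
        for ref in effective:
            leveraged.add(ref)
            if not by_ref[ref].test_scenario:
                untested.add(ref)
    covered = len(obligations) - len(gaps)
    return {
        "gaps": gaps,
        "leveraged": sorted(leveraged),
        "untested": sorted(untested),
        "unknown_refs": sorted(unknown),
        "coverage": covered / len(obligations) if obligations else 1.0,
    }


# Constructed SoA extract (Annex A 2005 numbering, illustrative).
SOA = [
    SoAControl("A.9.1.1", "Physical security perimeter", True,
               "Walk the perimeter; verify badge logs for the server room"),
    SoAControl("A.10.7.2", "Disposal of media", False),              # excluded from scope
    SoAControl("A.10.10.1", "Audit logging", True),                  # no test scenario yet
    SoAControl("A.11.2.1", "User registration", True,
               "Sample joiners and leavers; confirm approvals and timely removal"),
    SoAControl("A.13.1.1", "Reporting information security events", True,
               "Inspect incident tickets for reporting-time compliance"),
]

# Constructed obligations; clause references are illustrative and must be verified.
OBLIGATIONS = [
    Obligation("HIPAA Security Rule", "45 CFR 164.312(a)(1)", "Access control", ["A.11.2.1"]),
    Obligation("HIPAA Security Rule", "45 CFR 164.312(b)", "Audit controls", ["A.10.10.1"]),
    Obligation("HIPAA Security Rule", "45 CFR 164.310(a)(1)", "Facility access controls", ["A.9.1.1"]),
    Obligation("HIPAA Security Rule", "45 CFR 164.310(d)(2)(i)", "Media disposal", ["A.10.7.2"]),
    Obligation("HIPAA Security Rule", "45 CFR 164.308(a)(6)(i)", "Security incident procedures",
               ["A.13.1.1", "A.13.2.1"]),
    Obligation("Customer contract (constructed)", "Schedule B, clause 7.2",
               "Notify the customer of a breach within 72 hours"),
]


if __name__ == "__main__":
    report = compliance_report(OBLIGATIONS, SOA)
    for ob in report["gaps"]:
        print(f"GAP      {ob.source}: {ob.clause} ({ob.requirement})")
    print("leveraged controls:", report["leveraged"])
    print("controls without a test scenario:", report["untested"])
    print("mapped refs missing from the SoA:", report["unknown_refs"])
    print(f"coverage: {report['coverage']:.0%}")
```

The two gaps the sample produces are the ones a mapping exercise most often misses: an obligation whose only mapped control was excluded when the SoA was scoped, and a contractual clause that was never mapped at all. The untested list is the input to the slide 44 step, since a leveraged control with no test scenario cannot be shown to operate as designed.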