Mark E.S. Bernard Defence-in-Depth based on ISO 27001 ISMS


Multiple Threat Vectors can attack and exploit the same vulnerability in multiple ways making it difficult to take effective corrective action or preventive action.

Establishing a single point of contact as the Champion for the Enterprise Security Management System is a logical first step and the second step is establishing a central security management system fully integrated within the Enterprise leveraging best practices.

Published in: Business

Transcript

  • 1. *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS *** Compiled by: Mark E.S. Bernard, ISO 27001 Lead Auditor, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT
  • 2. • Introduction • Biography • Threats and Vulnerabilities • ISMS Control Matrix & Security Architecture • Defense-in-Depth: Layers 1–9 explained • Additional ITIL Controls • Conclusion • Contact information
  • 3. Mark is an independent contractor who formerly worked in BC Government as a Director overseeing the Government's payments systems and public accounts processing in excess of $42 billion annually in payments, and as a Compliance Manager in the BC Government Security Branch… Mark also spent time overseeing the Privacy and Security programs for EDS Advanced Solutions and Central 1 Credit Union. Mark was recognized by the Premier of New Brunswick for his volunteer work in the Knowledge Industry, establishing the Atlantic Chapter of the High Technology Crime Investigation Association. Mark is also a regular volunteer with local professional associations for HTCIA, ISACA, ISSA, IIA and FMI. Mark has been published in trade magazines and on the Internet, in addition to being sought after as an expert by local radio, newspapers and television. While working in Toronto Mark volunteered on the annual Toronto Children's Sick Kids Telethon and rode a stationary bike in a Juvenile Diabetes marathon campaign. Mark has also volunteered with local Minor Hockey, Minor Fastball, a local elementary school and middle school, and Boy Scouts, and assisted with raising money for the Mustard Seed Food Bank in conjunction with the annual NHL Old-Timers Challenge in Victoria, BC. Mark is continuing to contribute his knowledge through ISACA with the development of a Cloud Computing whitepaper and the Canadian Standards Institute's workgroup updating the ISO/IEC 27001:2012 Information Security Management Systems framework.
  • 5. Probably the most famous German castle: Neuschwanstein Castle is a 19th-century Gothic Revival palace on a rugged hill above the village of Hohenschwangau near Füssen in southwest Bavaria, Germany.
  • 6. Fort Bourtange: built during the Eighty Years War (c. 1568–1648) when William I of Orange wanted to control the only road between Germany and the city of Groningen, which was controlled by the Spaniards.
  • 7. Marching and Physical Training: Soldiers were taught to march and they could march at a rapid speed for long intervals. Any army that could be split up by stragglers at the back or soldiers trundling along at differing speeds would be vulnerable to attack. Training in handling weapons: they primarily used wickerwork shields and wooden swords made to standards but twice as heavy. If a soldier could fight with these heavy dummy weapons then he would be twice as effective with the standard weaponry.
  • 8. The Roman heavy infantry typically was deployed, as the main body, facing the enemy, in three approximately equal lines, with the cavalry on their wings to prevent them being flanked and light infantry in a screen in front of them to hide changes in deployment strategy. The heavy infantry harassed the enemy forces and, in some cases, drove off units such as elephants that would be a great threat to close-order heavy infantry.
  • 9. • Compliance Management • Risk Management • Identity Management • Authorization Management • Accountability Management • Availability Management • Configuration Management • Incident Management
  • 10. • Security Policy • Information Security Org • Asset Management • Human Resources • Physical & Environmental Security • Communications & Operations Management • Access Control • Information System Acquisition, Development & Maintenance • Information Security Incident Management • Business Continuity Management • Compliance
  • 11. All credits: Scott Adams
  • 13. Source: Computer Security Institute 2010/11 Survey
  • 14. Source: Computer Security Institute 2010/11 Survey
  • 15. Source: Computer Security Institute 2010/11 Survey
  • 16. Source: Verizon Business 2011 Data Breach Investigations Report
    • Large-scale breaches dropped dramatically while small attacks increased. The report notes there are several possible reasons for this trend, including the fact that small to medium-sized businesses represent prime attack targets for many hackers, who favor highly automated, repeatable attacks against these more vulnerable targets, possibly because criminals are opting to play it safe in light of recent arrests and prosecutions of high-profile hackers.
    • Outsiders are responsible for most data breaches. Ninety-two percent of data breaches were caused by external sources. Contrary to the malicious-employee stereotype, insiders were responsible for only 16 percent of attacks. Partner-related attacks continued to decline, and business partners accounted for less than 1 percent of breaches.
    • Physical attacks are on the rise. After doubling as a percentage of all breaches in 2009, attacks involving physical actions doubled again in 2010, and included manipulating common credit-card devices such as ATMs, gas pumps and point-of-sale terminals. The data indicates that organized crime groups are responsible for most of these card-skimming schemes.
    • Hacking and malware is the most popular attack method. Malware was a factor in about half of the 2010 caseload and was responsible for almost 80 percent of lost data. The most common kinds of malware found in the caseload were those involving sending data to an external entity, opening backdoors, and keylogger functionalities.
    • Stolen passwords and credentials are out of control. Ineffective, weak or stolen credentials continue to wreak havoc on enterprise security. Failure to change default credentials remains an issue, particularly in the financial services, retail and hospitality industries.
  • 17. Threat statistics. Source: 2010 Cloud Security Alliance Threats
    • #1: Abuse and Nefarious Use of Cloud Computing
    • #2: Insecure Interfaces and APIs
    • #3: Malicious Insiders
    • #4: Shared Technology Issues
    • #5: Data Loss or Leakage
    • #6: Account or Service Hijacking
    • #7: Unknown Risk Profile
  • 18. Threat statistics. Source: 2010 OWASP Top 10 Web Application Security Risks
    • A1: Injection
    • A2: Cross-Site Scripting (XSS)
    • A3: Broken Authentication and Session Management
    • A4: Insecure Direct Object References
    • A5: Cross-Site Request Forgery (CSRF)
    • A6: Security Misconfiguration
    • A7: Insecure Cryptographic Storage
    • A8: Failure to Restrict URL Access
    • A9: Insufficient Transport Layer Protection
    • A10: Unvalidated Redirects and Forwards
  • 19. Source: Computer Security Institute 2010/11 Survey
  • 27. Risk Assessment – Threats:
    • Malware 67%
    • Fraudulent Phishing 39%
    • Laptop or mobile computer theft or loss 34%
    • Bots/Zombies within the Infrastructure 29%
    • Insider abuse of email and Internet 25%
    Risk Assessment – Vulnerabilities:
    • Inadequate governance
    • Inadequate security policy
    • Inadequate risk management methodology
    • Inadequate security training/awareness
    • Inadequate security architecture
    • Inadequate monitoring or surveillance capabilities
    • Inadequate incident response procedures
    • Inadequate vulnerability assessment methodologies
  • 28. Clause 4 Information security management system: The organization shall establish, implement, operate, monitor, review, maintain and improve a documented ISMS within the context of the organization's overall business activities and the risks it faces.
  • 29. 4.2.1 Establish the ISMS
    a) Define the scope and boundaries
    b) Define an ISMS policy
    c) Define the risk assessment approach
    d) Identify the risks
    e) Analyse and evaluate the risks
    f) Identify and evaluate options for the treatment of risks
    g) Select control objectives and controls for the treatment of risks
    h) Obtain management approval of the proposed residual risks
    i) Obtain management authorization to implement/operate the ISMS
    j) Prepare a Statement of Applicability
  • 30. 4.2.2 Implement and operate the ISMS
    a) Formulate a risk treatment plan
    b) Implement the risk treatment plan
    c) Implement controls
    d) Define how to measure the effectiveness
    e) Implement training and awareness
    f) Manage operation of the ISMS
    g) Manage resources for the ISMS
    h) Implement procedures and controls (produce comparable and reproducible results)
  • 31. 4.2.3 Monitor and review the ISMS
    a) Execute monitoring and reviewing procedures to:
      1) promptly detect errors
      2) promptly identify security breaches and incidents
      3) determine if the ISMS is performing as expected
      4) help detect security events
      5) determine if breach resolution actions were effective
    b) Undertake regular reviews of the ISMS
    c) Measure the effectiveness of controls
    d) Review risk assessments at planned intervals
    e) Conduct internal ISMS audits
    f) Undertake a management review of the ISMS
    g) Update security plans
    h) Record actions and events
  • 32. 4.2.4 Maintain and improve the ISMS
    a) Implement the identified improvements
    b) Take appropriate corrective and preventive actions
    c) Communicate the actions and improvements
    d) Ensure that the improvements achieve their intended objectives
  • 33. 4.3 Documentation requirements
    a) documented ISMS policy
    b) the scope
    c) procedures and controls
    d) the risk assessment methodology
    e) the risk assessment report
    f) the risk treatment plan
    g) documented procedures needed for planning, operation and control
    h) records required by this International Standard
    i) the Statement of Applicability
  • 34. 4.3.2 Control of documents
    a) approve documents
    b) review and update documents as necessary
    c) ensure that the current revision status is verified
    d) ensure that relevant documents are available
    e) ensure that documents remain legible
    f) ensure that documents are available to those who need them, and are transferred, stored and ultimately disposed of in accordance with the procedures applicable to their classification
    g) ensure that documents of external origin are identified
    h) ensure that the distribution of documentation is controlled
    i) prevent the unintended use of obsolete documents
  • 35. 4.3.3 Control of records
    • Records shall be maintained in accordance with legal obligations defined by statutes, regulations and contracts
    • Records shall be maintained to provide evidence of conformity
    • Records shall be protected and controlled in accordance with legal obligations
    • Records shall remain legible, readily identifiable and retrievable
    • Records shall be retained and processed in accordance with legal obligations
    • Records shall be archived in accordance with legal obligations
    • Records shall be destroyed in accordance with legal obligations
  • 36. 5 Management responsibility
    5.1 Management commitment
    a) establishing the policy
    b) ensuring that objectives and plans are established
    c) establishing roles and responsibilities
    d) communicating to the organization
    e) providing sufficient resources
    f) deciding the criteria for accepting risks & acceptable levels of risk
    g) ensuring that internal audits are conducted
    h) conducting management reviews
  • 37. Roles and Responsibilities:
    • ISMS Consultant
    • ISMS Manager
    • ISMS Analyst
    • ISMS Auditor
    • Executives
    • Managers
    • Subject Matter Experts
    • External Parties
    • Customers
  • 38. 5.2 Resource management
    5.2.1 Provision of resources
    a) establishing the policy
    b) ensuring that objectives and plans are established
    c) establishing roles and responsibilities
    d) communicating to the organization
    e) providing sufficient resources
    f) deciding the criteria for accepting risks & acceptable levels of risk
    g) ensuring that internal audits are conducted
    h) conducting management reviews
  • 39. 5.2.2 Training, awareness and competence
    a) determining the necessary competencies for personnel
    b) providing training or taking other actions
    c) evaluating the effectiveness of the actions taken
    d) maintaining records of education, training, skills, experience and qualifications
  • 40. 6 Internal ISMS audits: conducted at planned intervals to determine whether the control objectives, controls, processes and procedures of the ISMS:
    a) conform to the requirements of this International Standard and relevant legislation or regulations;
    b) conform to the identified information security requirements;
    c) are effectively implemented and maintained; and
    d) perform as expected.
  • 41. 7 Management review of the ISMS (input)
    a) results of ISMS audits
    b) feedback from interested parties
    c) techniques, products or procedures used to improve the ISMS
    d) status of preventive and corrective actions
    e) vulnerabilities or threats not adequately addressed
    f) results from effectiveness measurements
    g) follow-up actions from previous management reviews
    h) any changes that could affect the ISMS
    i) recommendations for improvement
  • 42. 7 Management review of the ISMS (output)
    a) Improvement of the ISMS
    b) Update of the risk assessment and risk treatment plan
    c) Modification of procedures and controls due to internal or external events such as:
      1) business requirements
      2) security requirements
      3) business processes affecting the existing business requirements
      4) regulatory or legal requirements
      5) contractual obligations
      6) levels of risk and/or criteria for accepting risks
    d) Resource needs
    e) Improvement to how the effectiveness of controls is being measured
  • 43. 8 ISMS improvement
    8.1 Continual improvement: The organization shall continually improve the effectiveness of the ISMS through the use of the information security policy, information security objectives, audit results, analysis of monitored events, corrective and preventive actions and management review.
  • 44. 8 ISMS improvement
    8.2 Corrective action
    a) identifying nonconformities
    b) determining the causes of nonconformities
    c) evaluating the need for actions to ensure that nonconformities do not recur
    d) determining and implementing the corrective action needed
    e) recording results of action taken
    f) reviewing of corrective action taken
  • 45. 8 ISMS improvement
    8.3 Preventive action
    a) identifying potential nonconformities and their causes
    b) evaluating the need for action to prevent occurrence of nonconformities
    c) determining and implementing preventive action needed
    d) recording results of action taken
    e) reviewing of preventive action taken
  • 47. Exclusions: Please note clause 1.2 - Any exclusion of controls found to be necessary to satisfy the risk acceptance criteria needs to be justified and evidence needs to be provided that the associated risks have been accepted by accountable persons. Where any controls are excluded, claims of conformity to this International Standard are not acceptable unless such exclusions do not affect the organization's ability, and/or responsibility, to provide information security that meets the security requirements determined by risk assessment and applicable legal or regulatory requirements.
  • 49. Risk Assessment – Threats:
    • Malware 67%
    • Fraudulent Phishing 39%
    • Laptop or mobile computer theft or loss 34%
    • Bots/Zombies within the Infrastructure 29%
    • Insider abuse of email and Internet 25%
    Risk Assessment – Vulnerabilities:
    • Inadequate governance process
    • Inadequate security policy
    • Inadequate risk assessment methodology
    • Inadequate security training/awareness
    • Inadequate security architecture
    • Inadequate monitoring or surveillance capabilities
    • Inadequate incident response procedures
    • Inadequate vulnerability assessment methodologies
  • 50. A.5 Security policy
    • A.5.1 Information security policy
      • A.5.1.1 Information security policy document
      • A.5.1.2 Review of the information security policy
  • 51. A.6 Organization of information security
    • A.6.1 Internal organization
      • A.6.1.1 Management commitment to information security
      • A.6.1.2 Information security coordination
      • A.6.1.3 Allocation of information security responsibilities
      • A.6.1.4 Authorization process for information processing facilities
      • A.6.1.5 Confidentiality agreements
      • A.6.1.6 Contact with authorities
      • A.6.1.7 Contact with special interest groups
      • A.6.1.8 Independent review of information security
  • 52. A.6 Organization of information security
    • A.6.2 External parties
      • A.6.2.1 Identification of risks related to external parties
      • A.6.2.2 Addressing security when dealing with customers
      • A.6.2.3 Addressing security in third party agreements
  • 53. A.7 Asset management
    • A.7.1 Responsibility for assets
      • A.7.1.1 Inventory of assets
      • A.7.1.2 Ownership of assets
      • A.7.1.3 Acceptable use of assets
    • A.7.2 Information classification
      • A.7.2.1 Classification guidelines
      • A.7.2.2 Information labeling and handling
  • 54. A.15 Compliance
    • A.15.1 Compliance with legal requirements
      • A.15.1.1 Identification of applicable legislation
      • A.15.1.2 Intellectual property rights (IPR)
      • A.15.1.3 Protection of organizational records
      • A.15.1.4 Data protection and privacy of personal information
      • A.15.1.5 Prevention of misuse of information processing facilities
      • A.15.1.6 Regulation of cryptographic controls
    • A.15.2 Compliance with security policies and standards, and technical compliance
      • A.15.2.1 Compliance with security policies and standards
      • A.15.2.2 Technical compliance checking
  • 55. A.15.3 Information systems audit considerations
    • A.15.3.1 Information systems audit controls
    • A.15.3.2 Protection of information systems audit tools
  • 59. A.8 Human resources security
    • A.8.1 Prior to employment
      • A.8.1.1 Roles and responsibilities
      • A.8.1.2 Screening
      • A.8.1.3 Terms and conditions of employment
    • A.8.2 During employment
      • A.8.2.1 Management responsibilities
      • A.8.2.2 Information security awareness, education and training
      • A.8.2.3 Disciplinary process
  • 60. A.8.3 Termination or change of employment
    • A.8.3.1 Termination responsibilities
    • A.8.3.2 Return of assets
    • A.8.3.3 Removal of access rights
  • 64. A.13.1 Reporting information security events and weaknesses
    • A.13.1.1 Reporting information security events
    • A.13.1.2 Reporting security weaknesses
    A.13.2 Management of information security incidents and improvements
    • A.13.2.1 Responsibilities and procedures
    • A.13.2.2 Learning from information security incidents
    • A.13.2.3 Collection of evidence
  • 68. A.11 Access control
    • A.11.1 Business requirement for access control
      • A.11.1.1 Access control policy
    • A.11.2 User access management
      • A.11.2.1 User registration
      • A.11.2.2 Privilege management
      • A.11.2.3 User password management
      • A.11.2.4 Review of user access rights
  • 69. A.11.3 User responsibilities
    • A.11.3.1 Password use
    • A.11.3.2 Unattended user equipment
    • A.11.3.3 Clear desk and clear screen policy
    A.11.4 Network access control
    • A.11.4.1 Policy on use of network services
    • A.11.4.2 User authentication for external connections
    • A.11.4.3 Equipment identification in networks
    • A.11.4.4 Remote diagnostic and configuration port protection
    • A.11.4.5 Segregation in networks
    • A.11.4.6 Network connection control
    • A.11.4.7 Network routing control
  • 70. A.11.5 Operating system access control
    • A.11.5.1 Secure log-on procedures
    • A.11.5.2 User identification and authentication
    • A.11.5.3 Password management system
    • A.11.5.4 Use of system utilities
    • A.11.5.5 Session time-out
    • A.11.5.6 Limitation of connection time
    A.11.6 Application and information access control
    • A.11.6.1 Information access restriction
    • A.11.6.2 Sensitive system isolation
  • 74. A.9 Physical and environmental security
    • A.9.1 Secure areas
      • A.9.1.1 Physical security perimeter
      • A.9.1.2 Physical entry controls
      • A.9.1.3 Securing offices, rooms and facilities
      • A.9.1.4 Protecting against external and environmental threats
      • A.9.1.5 Working in secure areas
      • A.9.1.6 Public access, delivery and loading areas
  • 75. A.9.2 Equipment security
    • A.9.2.1 Equipment siting and protection
    • A.9.2.2 Supporting utilities
    • A.9.2.3 Cabling security
    • A.9.2.4 Equipment maintenance
    • A.9.2.5 Security of equipment off premises
    • A.9.2.6 Secure disposal or re-use of equipment
    • A.9.2.7 Removal of property
  • 79. A.12 Information systems acquisition, development and maintenance
    • A.12.1 Security requirements of information systems
      • A.12.1.1 Security requirements analysis and specification
    • A.12.2 Correct processing in applications
      • A.12.2.1 Input data validation
      • A.12.2.2 Control of internal processing
      • A.12.2.3 Message integrity
      • A.12.2.4 Output data validation
  • 80. A.12.3 Cryptographic controls
    • A.12.3.1 Policy on the use of cryptographic controls
    • A.12.3.2 Key management
    A.12.4 Security of system files
    • A.12.4.1 Control of operational software
    • A.12.4.2 Protection of system test data
    • A.12.4.3 Access control to program source code
  • 81. A.12.5 Security in development and support processes
    • A.12.5.1 Change control procedures
    • A.12.5.2 Technical review of applications after operating system changes
    • A.12.5.3 Restrictions on changes to software packages
    • A.12.5.4 Information leakage
    • A.12.5.5 Outsourced software development
    A.12.6 Technical vulnerability management
    • A.12.6.1 Control of technical vulnerabilities
  • 85. A.10 Communications and operations management
    • A.10.1 Operational procedures and responsibilities
      • A.10.1.1 Documented operating procedures
      • A.10.1.2 Change management
      • A.10.1.3 Segregation of duties
      • A.10.1.4 Separation of development, test and operational facilities
    • A.10.2 Third party service delivery management
      • A.10.2.1 Service delivery
      • A.10.2.2 Monitoring and review of third party services
      • A.10.2.3 Managing changes to third party services
    • A.10.3 System planning and acceptance
      • A.10.3.1 Capacity management
      • A.10.3.2 System acceptance
  • 86. A.10.4 Protection against malicious and mobile code
    • A.10.4.1 Controls against malicious code
    • A.10.4.2 Controls against mobile code
    A.10.5 Back-up
    • A.10.5.1 Information back-up
    A.10.6 Network security management
    • A.10.6.1 Network controls
    • A.10.6.2 Security of network services
    A.10.7 Media handling
    • A.10.7.1 Management of removable media
    • A.10.7.2 Disposal of media
    • A.10.7.3 Information handling procedures
    • A.10.7.4 Security of system documentation
  • 87. A.10.8 Exchange of information
    • A.10.8.1 Information exchange policies and procedures
    • A.10.8.2 Exchange agreements
    • A.10.8.3 Physical media in transit
    • A.10.8.4 Electronic messaging
    • A.10.8.5 Business information systems
    A.10.9 Electronic commerce services
    • A.10.9.1 Electronic commerce
    • A.10.9.2 On-line transactions
    • A.10.9.3 Publicly available information
  • 88. A.10.10 Monitoring
    • A.10.10.1 Audit logging
    • A.10.10.2 Monitoring system use
    • A.10.10.3 Protection of log information
    • A.10.10.4 Administrator and operator logs
    • A.10.10.5 Fault logging
    • A.10.10.6 Clock synchronization
  • 92. A.14 Business continuity management
    • A.14.1 Information security aspects of business continuity management
      • A.14.1.1 Including information security in the business continuity management process
      • A.14.1.2 Business continuity and risk assessment
      • A.14.1.3 Developing and implementing continuity plans including information security
      • A.14.1.4 Business continuity planning framework
      • A.14.1.5 Testing, maintaining and reassessing business continuity plans
  • 97. Multiple Threat Vectors can attack and exploit the same vulnerability in multiple ways, making it difficult to take effective corrective action or preventive action. Establishing a single point of contact as the Champion for the Enterprise Security Management System is a logical first step, and the second step is establishing a central security management system fully integrated within the Enterprise, leveraging best practices.
  • 98. The ISMS mitigates threats by applying a strategy that deploys a reduced set of controls in a matrix effect which addresses specific security weaknesses. This security tactic is responsible for the ISMS Defense-in-Depth, which can be more effective than any other approach. Currently there is no other internationally accepted security framework available than the ISMS.
  • 99. DiD is an important information security framework utilized to provide assurance to our customers, shareholders and partners. A crucial aspect of managing the DiD is the active engagement of managers and employees who have been assigned specific accountabilities and responsibilities for various aspects of the ISMS.
  • 100. If you have questions please contact ……. Mark E.S. Bernard. Skype: Mark_E_S_Bernard. Twitter: @MESB_TechSecure. LinkedIn: http://ca.linkedin.com/in/markesbernard