ISO 27001 2013 A12 Operations Security Part 2 - by Software development company in India

This presentation focuses on the annexure controls of the ISO 27001:2013 standard. Annexure control A12 relates to 'Operations Security'. - by Software development company in India http://www.ifourtechnolab.com/

  1. iFour Consultancy. Annexure A Control: 12 – Operations Security
  2. A 12.4 Logging and Monitoring
     - Objective: To record events and secure evidence.
     - Security event logging and monitoring is the examination of electronic audit logs for indications that unauthorized security-related activities have been attempted or performed on a system or application that processes, transmits or stores confidential information.
     - Event logging and monitoring helps organizations determine what has been recorded on their systems, for follow-up investigation and, if necessary, remediation.
     - The ISO 27001:2013 standard classifies this control into 4 subsections:
       - A 12.4.1: Event Logging
       - A 12.4.2: Protection of log information
       - A 12.4.3: Administrator and Operator logs
       - A 12.4.4: Clock synchronization
     Software solution company in India: http://www.ifourtechnolab.com
  3. A 12.4.1 Event logging
     - Control: Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.
     - Record information about user access and actions, errors, events, etc. in information systems.
     - Send the logs generated by each of these systems to a central server.
     - Configure a syslog server, which lets you centralize all logs on a single server. Syslog is the standard for message logging and can operate over a network with a client-server application structure.
  4. A 12.4.2 Protection of log information
     - Control: Logging facilities and log information shall be protected against tampering and unauthorized access.
     - The logs must be protected so that they cannot be removed or modified by unauthorized persons.
     - Encrypt the event log archive files, and hash and time-stamp the log data, so that it remains trustworthy for future forensic analysis, compliance checks and internal audits.
     - Securely store the archived log data files, employing hashing and time-stamping techniques.
     ISO for Software Outsourcing Companies in India
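The hashing and time-stamping the slide recommends can be made concrete as a keyed hash chain over the archived records. The following is an added example, not part of the original deck or iFour's tooling; the sample events and the archive key are constructed, and the hypothetical key is assumed to be held only by the log server so that producers cannot re-seal a modified archive.

```python
"""Tamper-evident log archive with a keyed hash chain and timestamps."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample events, as a central syslog collector might receive them.
SAMPLE_EVENTS = [
    "sshd[1041]: Accepted publickey for alice from 10.0.0.5 port 52311",
    "sudo: alice : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx",
    "sshd[1187]: Failed password for root from 10.0.0.9 port 41022",
]
# Hypothetical archive key known only to the log server, not to log producers.
ARCHIVE_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64  # link value for the first record

def _mac(key, record):
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def seal_archive(events, key=ARCHIVE_KEY, sealed_at=None):
    """Return records that each carry a timestamp and link to the previous MAC."""
    ts = (sealed_at or datetime.now(timezone.utc)).isoformat()
    prev, records = GENESIS, []
    for seq, msg in enumerate(events):
        rec = {"seq": seq, "ts": ts, "msg": msg, "prev": prev}
        rec["mac"] = _mac(key, rec)  # MAC covers seq, ts, msg and prev
        prev = rec["mac"]
        records.append(rec)
    return records

def verify_archive(records, key=ARCHIVE_KEY, expected_tail=None):
    """Return (ok, first_bad_seq). Catches edits, deletions and reordering;
    pass the last MAC published to write-once storage to catch truncation."""
    prev = GENESIS
    for seq, rec in enumerate(records):
        if rec["seq"] != seq or rec["prev"] != prev:
            return False, seq
        body = {k: v for k, v in rec.items() if k != "mac"}
        if not hmac.compare_digest(_mac(key, body), rec["mac"]):
            return False, seq
        prev = rec["mac"]
    if expected_tail is not None and prev != expected_tail:
        return False, len(records)
    return True, None
```

Truncating the tail of the chain is only detectable when the final MAC was recorded somewhere the archive writer cannot alter, which is why `expected_tail` exists.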
  5. A 12.4.3 Administrator and Operator logs
     - Control: System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.
     - Systems should record information about all users, regardless of the privileges they have on the systems.
     - PUMA (Privileged User Monitoring and Audit) reports: these are solutions that closely monitor the activity of system administrators and operators and give you detailed security reports for any specific period of time.
     - All audit trails should be captured, and the log files that record the activities of system administrators and system operators must be protected from unauthorized access and threats.
  6. A 12.4.4 Clock Synchronization
     - Control: The clocks of all relevant information processing systems within an organization or security domain shall be synchronized to a single reference time source.
     - Synchronized clocks are essential for investigating events across multiple systems in the infrastructure.
     - If system clocks are not synchronized, it may be difficult to determine whether two events are related.
     - For example, an event on one system triggers a failure on a second system, but the clock on the first system is behind. In this case the event that triggered the failure will appear to have occurred after the failure.
     - Clock synchronization is important because accurate timestamps on audit log data are critical for troubleshooting, for event correlation and for use as evidence in legal or disciplinary cases.
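The inverted ordering the slide describes shows up as soon as log lines from two hosts are sorted by their raw timestamps. The following added example (not from the original deck) models a triggering host whose clock is skewed 90 s ahead of the reference source, so its line lands after the failure it caused; the two log lines and the per-host offsets are constructed values, with the offsets assumed to have been measured against the reference source (for instance from the NTP daemon) before the hosts were brought into sync.

```python
"""Ordering cross-host events with and without clock-offset correction."""
import re
from datetime import datetime, timedelta

# Constructed log lines. app01 pushes a config to db01, which then fails; app01's
# clock runs 90 s ahead of the reference source, so its line looks later.
SAMPLE_LINES = [
    "2024-03-05T10:00:05+00:00 db01 postgres[2210]: FATAL: could not load pg_hba.conf",
    "2024-03-05T10:01:30+00:00 app01 deploy[771]: pushed new pg_hba.conf to db01",
]
# Measured host offsets (host clock minus reference time); constructed values.
CLOCK_OFFSET = {"app01": timedelta(seconds=90), "db01": timedelta(seconds=0)}

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")  # timestamp host message

def parse_line(line):
    ts, host, msg = LINE_RE.match(line).groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "msg": msg}

def order_events(lines, offsets=None):
    """Sort events by timestamp, normalised to reference time when offsets are given."""
    offsets = offsets or {}
    events = [parse_line(line) for line in lines]
    for ev in events:
        ev["ref_ts"] = ev["ts"] - offsets.get(ev["host"], timedelta(0))
    return sorted(events, key=lambda e: e["ref_ts"])

def causal_candidates(lines, offsets=None, window=timedelta(seconds=30)):
    """(earlier_host, later_host) pairs whose events fall within `window`."""
    ordered = order_events(lines, offsets)
    pairs = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b["ref_ts"] - a["ref_ts"] <= window:
                pairs.append((a["host"], b["host"]))
    return pairs
```

Without the offsets the deploy appears 85 s after the failure and no candidate pair is found; with them the deploy precedes the failure by 5 s and the pair is recovered.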
  7. A 12.5 Control of operational software
     - Objective: To ensure the integrity of operational systems.
     - ISO 27001:2013 classifies it into: A 12.5.1: Installation of software on operational systems
     - A 12.5.1 – Control: Procedures shall be implemented to control the installation of software on operational systems.
     - Check whether there are any controls in place for the installation of software on operational systems. This is to minimize the risk of corruption of operational systems.
  8. A 12.6 Technical Vulnerability Management
     - Objective: To prevent exploitation of technical vulnerabilities.
     - A vulnerability is “a weakness of an asset or control that could potentially be exploited by one or more threats”.
     - The ISO 27001:2013 standard classifies this into:
       - A 12.6.1: Management of technical vulnerabilities
       - A 12.6.2: Restrictions on software installation
     - All hardware and software on the organization’s network should be scanned using a vulnerability scanner:
       - to identify weaknesses in the configuration of systems;
       - to determine whether any systems are missing important patches or software such as anti-virus software.
  9. A 12.6.1 Management of technical vulnerabilities
     - Control: Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion. The organization’s exposure to such vulnerabilities should be evaluated and appropriate measures must be taken to address the associated risk.
     - A 12.6.1 looks into 3 targets:
       - Timely identification of vulnerabilities: the sooner you discover a vulnerability, the more time you have to correct it.
       - Assessment of the organization’s exposure to a vulnerability: a risk assessment should be done to identify and prioritize the vulnerabilities that are most critical to your assets and business.
       - Proper measures considering the associated risks: a risk treatment plan, i.e. the actions and the allocation of the resources you have to deal with them.
  10. A 12.6.2 Restrictions on software installation
     - Control: Rules governing the installation of software by users shall be established and implemented.
     - Here are some examples of such rules:
       - Employees cannot download software from the Internet or bring software from home without authorization; it is prohibited.
       - When an employee identifies a need for a particular piece of software, a request must be sent to the IT department. The request can be stored as a record or as evidence.
       - If the software costs money, an analysis should be made as to whether there is another similar tool on the market that is cheaper or even free.
       - Top management should participate in the decision on the acquisition of new software.
       - Once the decision has been made, the IT department will add the software to its inventory and install it.
  11. A 12.7 Information systems audit considerations
     - Objective: To minimize the impact of audit activities on operational systems.
     - ISO 27001:2013 classifies it into: A 12.7.1: Information systems audit controls
     - A 12.7.1 – Control: Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimize disruptions to business processes.
     - So it looks into:
       - planning and controlling how the audit activities are carried out;
       - minimizing the impact of audit activities on day-to-day operations.