In today's digital age, cybersecurity is more critical than ever. Hence, it is crucial to stay informed and prepared.
Amongst others, the webinar covers:
• ISO/IEC 27032:2023 and ISO/IEC 27701 and their key components
• The standards’ alignment
• Emerging Cybersecurity Threats
• What is new in ISO/IEC 27032:2023
Presenters:
Madhu Maganti
Madhu is a goal-oriented cybersecurity/IT advisory leader with more than 20 years of comprehensive experience leading high-performance teams with a proven track record of continuous improvement toward objectives. He is highly knowledgeable in both technical and business principles and processes.
Madhu specializes in cybersecurity risk assessments, enterprise risk management, regulatory compliance, Sarbanes-Oxley (SOX) compliance and system and organization controls (SOC) reporting.
Jeffrey Crump
Mr. Jeffrey Crump is the Principal Consultant at Arizona-based Cyber Security Training and Consulting LLC and a graduate of the Certified NIS 2 Directive Lead Implementer course. He is a Certified CMMC Assessor, Certified CMMC Professional, and Instructor. Mr. Crump is also the author of Cyber Crisis Management Planning: How to reduce cyber risk and increase organizational resilience. His book has been expanded into a triad of certification courses on cyber crisis planning, exercises, and leadership.
Date: October 25, 2023
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27032
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
Whitepaper: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
YouTube video: https://youtu.be/a21uasr8aLs
4. Madhu Maganti
Partner, Risk Advisory, Baker Tilly US LLP
Madhu.Maganti@bakertilly.com | +1.346.201.6024
• 20+ years of experience helping companies implement cybersecurity and compliance programs
• Partner-in-charge on risk-based engagements, including cybersecurity risk assessments, HIPAA compliance, GDPR/CCPA compliance, SOX compliance, business process improvement, SOC 2 attestation and other information security related services
• Managed end-to-end NIST/ISO assessments for clients across various industries
• Initiated the SOX IT program for a Fortune 50 organization while developing strong audit tools for increased productivity and efficiency
• Designed patent-pending tools that have saved a Fortune 50 organization over $100 million year over year
5. MGM Resorts
Threat actors were able to exfiltrate information, including names, phone numbers, addresses, Social Security numbers, driver's license numbers, and passport numbers.
Data Points
Operational impact: 10-day outage
Financial impact: US$ 100M
Attack sophistication: Low
6. CaaS (Crimeware-as-a-Service)
The illegal marketplace ‘RaidForums’ has been shut down and its infrastructure seized as a result of OPERATION TOURNIQUET, a complex law enforcement effort coordinated by Europol to support independent investigations of the United States, United Kingdom, Sweden, Portugal, and Romania. The forum’s administrator and two of his accomplices have also been arrested.
7. How 27032 and 27701 and their supporting controls align
High-Level Relationships (diagram): ISO/IEC 27032, ISO/IEC 27701 and ISO/IEC 27002, with the mapping onto ISO/IEC 27002 marked as partial.
8. What’s the Difference? ISO 27032 and ISO 27701
ISO/IEC 27032:2023 (Internet Security) and ISO/IEC 27701:2019 (Privacy Information Management) are two unique frameworks designed to expand an organization’s risk-based management approach beyond what is defined in ISO/IEC 27001.

                           ISO/IEC 27032:2023   ISO/IEC 27701:2019
Certification available?   ✘                    ✔
Compliance driven?         ✘                    ~
Expands on 27001?          ✔                    ✔
Coverage areas:
  IS management            ✘                    ✘
  Data privacy             ✘                    ✔
  Internet security        ✔                    ✘
  Risk assessment          ~                    ~
9. Key Components: ISO 27032 and ISO 27701

ISO/IEC 27032:2023
Purpose:
• To enhance security at organizations that use the Internet to conduct business
Coverage:
• Cites 50 controls from ISO 27002, including 25 organizational controls, 2 people-related controls, and 23 technological controls.
• Controls are broken into the following categories: Secure Coding, Network Monitoring and Response, Server-level, Application-level, Endpoint-level.
Risk Assessment:
• Provides information and refers to ISO 27005.

ISO/IEC 27701:2019
Purpose:
• To provide guidance on creating a Privacy Information Management System (PIMS)
Coverage:
• 135 controls which extend or modify controls defined in ISO 27001, and 49 new controls pertaining to PII.
• Controls are broken into the following 5 subcategories: Security Management, Information Security Risk Management, Information Security, Information Security Incident Management, and Business Continuity Management.
Risk Assessment:
• References ISO 27001 and GDPR, but does not contain additional information.
10. Key Changes from 2012 to 2023: What’s New in ISO 27032?
• The scope of the standard has been restricted to primarily cover Internet security.
• Subject matter has been updated to reflect the current threat landscape.
• Additional guidance on conducting risk assessments and mitigating risks has been included.
• Included controls have been mapped back to ISO 27002 in Annex A.
• Significant change in document structure, condensing the framework from 54 distinct sections to 41.
11. Incidents by Threat Type, July 2022 to June 2023 (chart; source: ENISA Threat Landscape 2023)
12. Identify lowest common denominator
Standards Alignment: Step 1 (ISO/IEC 27032:2023)
Controls for Internet Security → ISO/IEC 27002 Controls
Policies for Internet security → Policies for information security | Management responsibilities
Access control → Access control | Identity management | Access rights | Privileged access rights | Use of privileged utility programs
Education, awareness and training → Information security awareness, education and training
Security incident management → Threat intelligence | Information security incident management planning and preparation | Assessment and decision on information security events | Response to information security incidents | Learning from information security incidents | Collection of evidence | Information security event reporting
Asset management → Inventory of information and other associated assets | Acceptable use of information and other associated assets | Return of assets | Classification of information
13. Identify lowest common denominator
Standards Alignment: Step 1 (ISO/IEC 27032:2023, continued)
Controls for Internet Security → ISO/IEC 27002 Controls
Supplier management → Information security in supplier relationships | Addressing information security within supplier agreements | Managing information security in the ICT supply chain | Monitoring, review, and change management of supplier services | Information security for use of cloud services
Business continuity over the Internet → Information security during disruption | ICT readiness for business continuity | Information backup | Redundancy of information processing facilities
Privacy protection over the Internet → Privacy and protection of PII | Data masking
Vulnerability management → Management of technical vulnerabilities | Configuration management | Installation of software on operational systems
Network management → Monitoring activities | Network security | Security of network services | Segregation of networks
Protection against malware → Protection against malware
14. New US Department of Defense supply chain security program
Supplier/Supply Chain Spotlight: CMMC
(Animation; single-use animation rights granted to PECB by Cyber Security Training and Consulting LLC)
15. Identify lowest common denominator
Standards Alignment: Step 1 (ISO/IEC 27032:2023, continued)
Controls for Internet Security → ISO/IEC 27002 Controls
Change management → Change management
Identification of applicable legislation and compliance requirements → Collection of evidence | Legal, statutory, regulatory and contractual requirements | Protection of records
Use of cryptography → Use of cryptography
Application security for Internet-facing applications → Web filtering | Use of cryptography | Secure development life cycle | Application security requirements | Secure system architecture and engineering principles | Secure coding | Security testing in development and acceptance
Endpoint device management → User endpoint devices | Configuration management
Monitoring → Logging | Monitoring activities
16. Endpoint Risk
Pre-installed systems on Chinese Android smartphones have raised concerns due to dangerous privileges granted to vendor and third-party applications. Criminal enterprises have also infected millions of devices worldwide, turning them into mobile proxies for fraudulent activities and generating illicit revenue.
17. Identify lowest common denominator
Standards Alignment: Step 1 (ISO/IEC 27701:2019 against the ISO/IEC 27001 management-system clauses)
ISO/IEC 27001 clause → Remarks
Context of the organization → Additional PIMS-specific requirements
Leadership → No additional PIMS-specific requirements
Planning → Additional PIMS-specific requirements
Support → No additional PIMS-specific requirements
Operation → No additional PIMS-specific requirements
Performance evaluation → No additional PIMS-specific requirements
Improvement → No additional PIMS-specific requirements
NOTE: The requirements of ISO/IEC 27001:2013 mentioning “information security” shall be extended to the protection of privacy as potentially affected by the processing of PII.
NOTE: In practice, where “information security” is used in ISO/IEC 27001:2013, “information security and privacy” applies instead.
18. Identify lowest common denominator
Standards Alignment: Step 1 (ISO/IEC 27701:2019 against the ISO/IEC 27002 control categories)
ISO/IEC 27002 control category → Remarks
Information security policies → Additional guidance
Organization of information security → Additional guidance
Human resource security → Additional guidance
Asset management → Additional guidance
Access control → Additional guidance
Cryptography → Additional guidance
Physical and environmental security → Additional guidance
Operations security → Additional guidance
19. Identify lowest common denominator
Standards Alignment: Step 1 (ISO/IEC 27701:2019 against the ISO/IEC 27002 control categories, continued)
ISO/IEC 27002 control category → Remarks
System acquisition, development and maintenance → Additional guidance
Supplier relationships → Additional guidance
Information security incident management → Additional guidance
Information security aspects of business continuity management → No PIMS-specific guidance
Compliance → Additional guidance
20. Control commonalities and differences
Standards Alignment: Step 2

ISO/IEC 27032:2023 (controls for Internet security, as mapped to ISO/IEC 27002)
Paired with an ISO/IEC 27701:2019 control category:
Policies for Internet security | Access control | Security incident management | Asset management | Supplier management | Business continuity over the Internet | Identification of applicable legislation and compliance requirements | Use of cryptography
Without a direct counterpart in ISO/IEC 27701:2019:
• Education, awareness and training
• Privacy protection over the Internet
• Vulnerability management
• Network management
• Protection against malware
• Application security for Internet-facing applications
• Endpoint device management
• Monitoring
• Change management

ISO/IEC 27701:2019 (ISO/IEC 27002 control categories it extends)
Paired with an ISO/IEC 27032:2023 control:
Information security policies | Access control | Information security incident management | Asset management | Supplier relationships | Information security aspects of business continuity management | Compliance | Cryptography
Without a direct counterpart in ISO/IEC 27032:2023:
• Organization of information security
• Human resource security
• Physical and environmental security
• Operations security
• Communications security
• System acquisition, development and maintenance
21. Harmonized Approach
• Know your requirements
• Identify opportunities for harmonization, reciprocity and non-duplication
• Security objectives: CIA triad
• Operational elements: people, process and technology
22. What to look out for
Emerging Cybersecurity Threats
Ransomware:
Attackers are transitioning towards stealing your data instead of just encrypting it,
threatening to leak sensitive information if payment is not received.
Supply Chain Vulnerabilities:
Attackers are focusing additional effort on compromising vendors used for day-
to-day activities as a way of breaching multiple organizations in one fell swoop.
Increased Reliance on Cloud Computing:
As cloud computing and SaaS platforms continue to grow in popularity, many
users are just “transferring” risks as opposed to truly mitigating them.
Several threat actors further professionalized their Crimeware-As-a-Service programs. They not only used novel tactics and methods to infiltrate environments but also delved into alternative approaches to pressure and extort victims, all the while advancing their illicit enterprises.
Launched in 2015, RaidForums was considered one of the world’s biggest hacking forums with a community of over half a million users. This marketplace had made a name for itself by selling access to high-profile database leaks belonging to a number of US corporations across different industries. These contained information for millions of credit cards, bank account numbers and routing information, and the usernames and associated passwords needed to access online accounts.
These datasets were obtained from data breaches and other exploits carried out in recent years.
Operation TOURNIQUET, coordinated at the international level by Europol’s European Cybercrime Centre, was the culmination of a year of meticulous planning between the law enforcement authorities involved in preparation for the action.
The domain and its contents were seized by the Federal Bureau of Investigation on April 12, 2022 after a month of downtime, in collaboration with the United States Secret Service, the United States Department of Justice, and a variety of other national and international law enforcement agencies.
Data compromise increased in 2023. There was a rise in data compromises leading up to 2021, and although this trend remained relatively stable in 2022, it began to increase once more in 2023.
Information manipulation is a key element of Russia’s war of aggression against Ukraine. Information manipulation has been an essential and well-established component of Russia’s security strategies. The number of analyzed events for the reporting period has also grown significantly.
(New Policies Needed): There has been a Surge in AI Chatbots impacting the cybersecurity threat landscape. The disruptive impact and the exponential adoption of generative artificial intelligence chatbots such as OpenAI ChatGPT, Microsoft Bing and Google Bard are changing the way in which we work, live and play, all built around data sharing and analysis.
(Old Tricks Never Die – Security Awareness): Phishing is once again the most common vector for initial access. But a new model of social engineering is also emerging, an approach that consists of deceiving victims in the physical world.
While classic mobile malware (e.g. banking trojans) has witnessed a decline, adware remains a prevalent threat to mobile devices. However, the use of commercial spyware has been increasing, driven by advanced zero-click exploits that enable surveillance without user interaction. Notable incidents include the Pegasus Project, which exposed the widespread abuse of spyware by the NSO Group.
Pre-installed systems on Chinese Android smartphones have raised concerns due to dangerous privileges granted to vendor and third-party applications. Data leakage and tracking risks pose a threat to users' privacy and security, even beyond China's borders. Criminal enterprises have also infected millions of devices worldwide, turning them into mobile proxies for fraudulent activities and generating illicit revenue.
The Lithuanian National Cyber Security Centre (NCSC) in 2021 published a security assessment of three recent-model Chinese-made smartphones.
The Xiaomi phone includes software modules specifically designed to leak data to Chinese authorities and to censor media related to topics the Chinese government considers sensitive. The Huawei phone replaces the standard Google Play application store with third-party substitutes the NCSC found to harbor sketchy, potentially malicious repackaging of common applications.
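As an added example that is not part of the webinar or its slides, the script below turns the pre-installed-app concern above into a check an endpoint team can run. It parses the per-package `runtime permissions:` section in the shape `adb shell dumpsys package` prints (package header, `flags=[ ... ]` with `SYSTEM` for pre-installed packages, then `<permission>: granted=true|false` lines) and lists system packages holding granted permissions that Android classifies as dangerous. The input embedded here is a constructed, abbreviated excerpt in that shape, not output from any real device, and the dangerous-permission set is a deliberately small subset; both are assumptions for illustration.

```python
"""Flag pre-installed (system) Android packages that hold runtime permissions
Android classifies as 'dangerous'. Added example, not from the webinar."""
import re

# Subset of runtime permissions Android marks protectionLevel=dangerous.
DANGEROUS = {
    "android.permission.READ_SMS", "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_CONTACTS",
    "android.permission.CAMERA", "android.permission.READ_CALL_LOG",
}

# Constructed sample shaped like an abbreviated `dumpsys package` listing.
SAMPLE = """\
Packages:
  Package [com.vendor.analytics] (a1b2c3):
    flags=[ SYSTEM HAS_CODE ]
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true
      android.permission.READ_SMS: granted=true
      android.permission.CAMERA: granted=false
  Package [com.example.weather] (d4e5f6):
    flags=[ HAS_CODE ]
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true
  Package [com.vendor.keyboard] (0a0b0c):
    flags=[ SYSTEM HAS_CODE ]
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true
      android.permission.READ_CONTACTS: granted=true
"""

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
# Anchored at the start only, so trailing ", flags=[...]" on real output is tolerated.
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def parse_packages(text):
    """Return {package: {"system": bool, "granted": set of granted permissions}}."""
    pkgs, cur = {}, None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            cur = m.group(1)
            pkgs[cur] = {"system": False, "granted": set()}
            continue
        if cur is None:
            continue
        if line.strip().startswith("flags=["):
            pkgs[cur]["system"] = " SYSTEM " in line
        m = PERM_RE.match(line)
        if m and m.group(2) == "true":
            pkgs[cur]["granted"].add(m.group(1))
    return pkgs


def risky_preinstalled(pkgs, dangerous=DANGEROUS):
    """System packages holding at least one granted dangerous permission,
    broadest grant first, then by name; each entry is (package, sorted perms)."""
    out = []
    for name, info in pkgs.items():
        hit = sorted(info["granted"] & dangerous)
        if info["system"] and hit:
            out.append((name, hit))
    return sorted(out, key=lambda t: (-len(t[1]), t[0]))


if __name__ == "__main__":
    for name, perms in risky_preinstalled(parse_packages(SAMPLE)):
        print(f"{name}: {', '.join(perms)}")
```

On a real device, feed it `adb shell dumpsys package` output instead of `SAMPLE`; user-installed apps such as the weather app above are excluded because the point is the vendor-granted privileges the user never consented to.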
Threat groups have an increased interest in supply chain attacks and exhibit an increasing capability by using employees as entry points. Threat actors will continue to target employees with elevated privileges, such as developers or system administrators.