Information Security Strategic Management

Information Security
Strategic Management
Marcelo Martins
linkedin.com/in/marcelomartins

Agenda
§  Overview
§  Risk-based prioritization
§  Roles and responsibilities
§  Framework
§  Monitoring and Measurement
§  Challenges
§  Resources
§  Certification

Overview
Information Security Management
§  Continuous effort with reasonable costs to...
§  Protect information assets
§  Satisfy regulatory requirements
§  Reduce risks and legal exposures
§  Support business functions
§  Usually, information security is seen as an
impediment to conclude the work
§  Compliance helps to boost security
§  But compliance ≠ security

Overview
§  Compliance isn’t security. Why?
§  Depends on certification scope
§  Physical environments
§  Processes
§  Depends on relationship with other business areas/
partners
§  Depends on business threats
§  Different regulation for different threats
¨  e.g.: PCI-DSS and HITECH

Overview
§  Compliance isn’t security. Why?
§  BS ISO/IEC 27001:2013
§  “This publication does not purport to include all the necessary
provisions of a contract. Users are responsible for its correct
application.”
§  “Compliance with a British Standard cannot confer
immunity from legal obligations.”

§  Additional reading
§  Compliance isn’t security
§  “According to the 2012 "HIMSS Analytics Report: Security of
Patient Data," increasingly strict regulation and increased
compliance from providers haven't slowed an increase in
breaches over the past six years.”
¨  http://www.csoonline.com/article/704577/compliance-isn-t-security-
but-companies-still-pretend-it-is-according-to-survey
Overview

§  “Yet, respondents to the survey, which included CIOs,
compliance officers and HIMs, expressed confidence that they
are better prepared for attempted data theft -- in spite of
evidence to the contrary -- because they are in better
compliance with regulations like the Health Information
Technology for Economic and Clinical Health (HITECH) Act of
2009.”
§  “The results of that are predictable. The number of
organizations reporting breaches went from 13 percent in 2008
to 19 percent in 2010 to 27 percent in the past year [2011].”
Overview

§  “But, the survey did [find] some organizational flaws as well,
specifically in confusion over who is really responsible for
data security. The respondents' answers ranged through CIO,
CSO, CEO, HIM and chief compliance officer.”
Overview
CSO: Chief Security Officer
HIM: Health Information Management

The Pessimist CSO
§  The new hat: the Pessimist CSO
§  You should assume that
§  Your technology won’t help you
§  Your users will go behind your back
§  You are the next target

The Pessimist CSO
§  Pessimism vs. optimism
§  Abigail Hazlett, PhD.
§  Social Psychology, Northwestern University
Thesis: “Hoping for the Best or Preparing for the Worst?
Regulatory Focus and Preferences for Optimism and Pessimism
in Predicting Personal Outcomes”
¨  http://psychcentral.com/blog/archives/2011/03/17/pessimism-vs-
optimism/

The Pessimist CSO
§  Pessimism vs. optimism
§  Abigail Hazlett, PhD.
§  “To cope with this unpredictability some of us choose to think
optimistically because it helps motivate us to try, try again. For
others a pessimistic mindset performs the same function. By
thinking about what might go wrong it helps protect us against
when things do go wrong.”
§  “In two initial studies optimists were found to have a ‘promotion
focus’. In other words they preferred to think about how they
could advance and grow. Pessimists, meanwhile, were more
preoccupied with security and safety.”

The Pessimist CSO
§  Pessimists Make Better Leaders
§  Psychology Today: “Having realistic expectations may
actually be a recipe for happiness”
§  Wikipedia: “Pessimism is a state of mind in which one
anticipates negative outcomes...”
§  The Uses and Abuses of Optimism and Pessimism
§  http://www.psychologytoday.com/articles/201110/the-uses-and-
abuses-optimism-and-pessimism
¨  Ctrl+F: “And pessimism?”

The Pessimist CSO
§  Pessimists Make Better Leaders
§  The Uses and Abuses of Optimism and Pessimism
§  “And pessimism? When is it useful? Surprisingly, it can be most
helpful at the moments when we might seem to have the least
to feel pessimistic about. When we've been successful before
and have a realistic expectation of being successful again, we
may be lulled into laziness and overconfidence. Pessimism can
give us the push that we need to try our best. This
phenomenon, known as "defensive pessimism," involves
imagining all the things that might go wrong in the future. It
spurs us to take action to head off the potential
catastrophes we conjure and prevent them from happening.
(…)”

The Pessimist CSO
It’s just a matter
of point of view

Risk-based prioritization
§  Risk/reward equation
§  Estimate your reward
§  Estimate the risks involved
§  Determinate your risk appetite
§  Define roles and responsibilities
§  Build a Risk Assumption Model
§  Make Risk Management a business process

Risk Quantification
Loss
Expectancy
Control
Cost
Exposure
Factor

§  EF (Exposure Factor)
§  EF is a percentage of the asset affected by a single occurrence of
the incident and is used when the asset sustains damage.
§  For example, in case of fire, it is possible to estimate that 90% of the asset
will be destroyed. In this case, EF is 90% (0,9)
§  SLE (Single Loss Expectancy)
§  SLE is the expected loss in case of risk materialization
with business impact
§  Depending on the threat EF may not be taken into consideration
SLE = Financial value of the asset x EF
or
SLE = Loss caused by the threat

§  ARO (Annualized Rate of Occurrence)
§  ARO is the number of occurrences of a security incident
in a given period (usually defined as a year, as the name
implies)
§  ALE (Annualized Loss Expectancy)
§  ALE amounts to loss caused by a single occurrence times
the number of occurrences in a year period
ARO = Number of occurrences / evaluated period
ALE = SLE x ARO

§  BIA (Business Impact Analysis)
§  Determinate critical processes
§  Determinate the critical business processes, disruption impact
and estimated unavailability, that shall reflect the Maximum
Tolerable Downtime (MTD) for the mission of the Organization
§  Identify necessary resources
§  Necessary resources to restart operations, including
environment, personnel, equipment, software, information, etc.
§  Identify recovery priorities
§  Resources shall be related to business processes and priority
levels may be established for recovery

Assets
Process or
system
Business
objective
Billing
e-Commerce Email

Acceptable
Risk
Controlable
Risk
Unacceptable
Risk

There are known knowns; there are things we know
that we know. There are known unknowns; that is to
say, there are things that we now know we don't know.
But there are also unknown unknowns – there are
things we do not know we don’t know. (…) it is the
latter category that tend to be the difficult ones.
— Donald Rumsfeld
United States Secretary of Defense,12.02.2002
It ain’t what you don’t know that gets you into trouble.
It’s what you know for sure that just ain’t so.
— Mark Twain

Unknown unknowns
Known unknowns
Known knowns
You know, but
that just ain’t so
Absolut truth
Questions
Knowledge

Executive
leadership
Risk Assumption Model
Department
Business
Unit
Impact
Likelihood
Insignificant Minor Major Disastrous
InsignificantUnlikelyLikelyAlmostCertain
PII disclosed
Rogue WiFi
Website
defacement
Server unavailable
Missing
contractual clauses
Example

Agenda
§  Overview
§  Risk-based prioritization
§  Roles and responsibilities
§  Framework
§  Measurement
§  Challenges
§  Resources
§  Certification

Roles and responsibilities
§  Have the right mix of people on your team
§  Members of the core security team
§  Need to have a risk/reward frame of mind
§  An exceptional set of skills
§  Be good at risk assessments
§  Understand the business and its processes
§  Should be able to partner with the business, offer alternatives and
speak to issues beyond those associated with security
§  They are not easy to find
§  It’s usually a matter of training them, and mentoring is often the
best way to go about it
§  Choosing the wrong people can cost a lot
§  They can take an inordinate amount of time to do the work;
§  Or at worst, cause you to redo their work

§  “Information security is rarely a part of general
management expertise or education.”
§  “(…) it may be useful to make an effort to educate
senior management in the areas of regulatory
compliance and the organization's dependence on its
information assets. It may also be useful to
document risks and potential impacts faced by the
organization, making sure senior management is
informed of the results and finds them acceptable.”
ISACA CISM Review Manual 2009, Section 4.5

§  Information Security Manager
§  Board of Directors
§  Executive Management
§  Steering Committee
§  IT Unit
§  Business Unit Managers
§  HR
§  Legal

§  Develop the program
§  A security strategy with senior management acceptance and
support
§  A security strategy intrinsically linked with business objectives
§  Security policies that are complete and consistent with strategy
§  Clear assignment of roles and responsibilities
§  Information assets that have been identified and classified by
criticality and sensitivity
§  Tested functional, incident and emergency response capabilities
§  Tested business continuity/disaster recovery plans
§  Appropriate security approval in change management
processes
§  …

§  Responsibilities
§  Develop and manage the security program
§  Educate and direct senior management
§  Be familiarized with the standards (e.g.: ISO 27000 family)
§  Have knowledge of risk management
§  Take into consideration several different technologies
§  Maintain relationship with other groups
§  ISO/IEC 27001:2013
§  A.6.1.1 Information security roles and responsibilities
¨  All information security responsibilities shall be defined and allocated

Information
Security
Management
Incident
Response activities
Business
Continuity
Management
Risk Management

§  The information security manager should clearly define the
roles, responsibilities, scope and activities of the information
security steering committee.
-- ISACA CISM Manual 2009

Information
Security
Manager
Steering
Committee
Senior
Management
Security
Stakeholders

Strategy
Policy
Awareness
Implement.
Monitoring
Compliance
Manager writes and
publishes
Source: ISACA CISM Manual
Manager conducts
classes and publishes
announcements
Information Security Manager
monitors industry practices
and makes recommendations
is the point of escalation for
issues that may require
investigation
reviews critical configuration on a
periodic basis, and maintains
metrics on security configuration
and logs of user activities
contributes to secure
architecture, design and
engineering strategy

Executive Management
(Information Security Management)
External
Stakeholders
Assure
Communicate
Evaluate
Direct Monitor
Strategy, Policy Proposals Performance
Governing
Body
Figure 2 – Governance process of information security
Source: ISO/IEC 27014:2013

§  IS Manager, managerial skills
§  Budget and financial management
§  Licensing (annuity)
§  Training (budget surplus)
§  Team management
§  Project and program management
§  Operation and services management
§  Metrics implementation
§  IT life cycle management

§  Board of Directors
§  Knowledge of information assets and their criticality on the
business (through Risk Analysis and Business Impact Analysis)
§  Definition/validation of key assets that must be protected
§  SOX: audit committee for financial controls
§  Leadership through information security examples
§  Integration and cooperation with business processes owners

§  Secure necessary funds for IS-related activities
§  Determinate the level of involvement in information security
(called tone at the top, is reflected in organization culture), and
how risk management will permeate business processes, a non-
official indicator
§  Receives guidance from Information Security Manager
§  ISO/IEC 27001:2013
¨  A.5.1 Management direction for information security
¨  To provide management direction and support for information security in
accordance with business requirements and relevant laws and
regulations.

Tone at the top
§  ISO/IEC 27001:2013
§  5.1 Leadership and commitment
¨  Top management shall demonstrate leadership and commitment
with respect to the information security management system
§  5.3 Organization roles, responsibilities and authorities
¨  Top management shall ensure that the responsibilities and
authorities for roles relevant to information security are assigned and
communicated.

§  ISO/IEC 27001:2013
§  A.5.1.1 Policies for information security
¨  A set of policies for information security shall be defined, approved
by management, published and communicated to employees and
relevant external parties.
§  ISO/IEC 27005:2011
§  Section 6, page 9
¨  The risk acceptance activity has to ensure residual risks are
explicitly accepted by the managers of the organization. This is
especially important in a situation where the implementation of
controls is omitted or postponed, e.g. due to cost.

§  ISO/IEC 27014:2013 — Information technology —
Security techniques — Governance of information
security
§  Section 5.3.3 Direct
¨  “Direct” is the governance process, by which the governing body gives
direction about the information security objectives and strategy that need
to be implemented.
¨  To accomplish the “Direct” process, the governing body should:
¨  determine the organisation’s risk appetite,
¨  approve the information security strategy and policy,
¨  allocate adequate investment and resources.
¨  To accomplish the “Direct” process, executive management should:,
¨  develop and implement information security strategy and policy,
¨  align information security objectives with business objectives,
¨  promote a positive information security culture.

§  Make sure all stakeholders are involved
§  Consensus when defining priorities and tackling risks
§  Communication and alignment of security with business
objectives
§  Roles and responsibilities assigned by the Information Security
Manager, to avoid extra topics

§  ISO/IEC 27005:2011
§  Section 7.2.4, page 11
¨  Risk acceptance criteria may differ according to how long the risk is
expected to exist, e.g. the risk may be associated with a temporary
or short term activity. Risk acceptance criteria should be set up
considering the following:
¨  Business criteria
¨  Legal and regulatory aspects
¨  Operations
¨  Technology
¨  Finance
¨  Social and humanitarian factors

§  ISO/IEC 27005:2011
§  B.1.1 The identification of primary assets
¨  To describe the scope more accurately, this activity consists in
identifying the primary assets (business processes and activities,
information). This identification is carried out by a mixed work group
representative of the process (managers, information systems
specialists and users).

§  IT Unit
§  Information Security Manager should develop a good
relationship with IT
§  Information Security Manager shall comply with IS
standards but trying to achieve performance and
efficiency (IT)
§  There should be privilege segregation between IT and IS
§  Usually, IT designs, implements and operates security
controls (IT Security)

§  Business Unit Managers
§  Implement business operations according to information
security requirements
§  Escalate security incidents
§  Shall be members of Steering Committee
§  Make sure IS requirements were taken into consideration since
the beginning of product development
§  Relationship
§  Information Security Manager should keep in touch with
Business Unit Manager to make sure IS will be involved on
product development

§  Human Resources
§  Run educational programmes
§  Propagate security policies
§  Relationship
§  IS Manager should keep in touch with HR (and Legal) and get
them involved in case of employee monitoring and resources
abuse suspects
§  ISO/IEC 27001:2013
§  A.7.2.2 Information security awareness, education and training
¨  Management shall require all employees and contractors to apply
information security in accordance with the established policies and
procedures of the organization.

§  Human Resources
§  ISO/IEC 27001:2013
§  A.7 Human resources security
¨  A.7.1 Prior to employment
¨  A.7.2 During employment
¨  A.7.3 Termination or change of employment

§  Legal
§  Shall be represented in Steering Committee
§  Shall be contacted when there is compliance, liability,
corporate responsibility or due diligence involved

§  ISO/IEC 27010:2015 - Information security
management for inter-sector and inter-organizational
communications
§  Section 4.1, Introduction
§  ISO/IEC 27002:2013 defines controls that cover the exchange
of information between organizations on a bilateral basis, and
also controls for the general distribution of publicly available
information. However, in some circumstances there exists a
need to share information within a community of organizations
where the information is sensitive in some way and cannot be
made publicly available other than to members of the
community.

Agenda
§  Framework
§  What is a framework?
§  Control categories
§  European Union frameworks
§  UK and US laws
§  ISO 27000 family framework

Framework
§  What is a framework?
§  NIST Cybersecurity Framework
§  Framework for Improving Critical Infrastructure Cybersecurity
¨  “(…) Cybersecurity Framework – a set of industry standards and
best practices to help organizations manage cybersecurity risks.”
¨  “‘prioritized, flexible, repeatable, performance-based, and cost-
effective approach’ to manage cybersecurity risk for those
processes, information, and systems directly involved in the delivery
of critical infrastructure services.”
§  https://www.nist.gov/cyberframework

Framework
Vulnerabilities
Countermeasures
Assets
The elements of risk and their relationships according to ISO 15408:2005
Owners
Attack Vectors
Risks
reduce
to
value
to
that
increase
impose
that may be
reduced by
that may
possess
leading to
may be aware of
that
exploit
wish to minimise
use
give rise to
based on
(set of)
Security Context
wish to abuse and/or may damage
Threat agents
Threats

Framework
§  Control categories
§  Preventive
§  Inhibits attempts to violate security policy and includes such controls as
access control enforcement, encryption and authentication
§  Detective
§  Warn of violations or attempted violations of security policy and include
such controls as audit trails, intrusion detection methods and checksums
§  Corrective
§  Remediate vulnerabilities. backup restore procedures are a corrective
measure
§  Compensatory
§  Compensate for increased risk by adding controls steps that mitigate a risk;
for example, adding a challenge response component to weak access
controls can compensate for the deficiency
§  Deterrent
§  Provide warnings that can deter potential compromises; for example,
warning banners on login screens or offering rewards for the arrest of
hackers

Framework
§  Threats and Vulnerabilities Taxonomy
§  ENISA
§  Threat Taxonomy: A tool for structuring threat information
¨  https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/
enisa-threat-landscape/etl2015/enisa-threat-taxonomy-a-tool-for-structuring-
threat-information
§  NIST
§  SP 800-30 Revision 1, Guide for Conducting Risk Assessments
¨  http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
§  CMU/SEI
§  A Taxonomy of Operational Cyber Security Risks
¨  http://resources.sei.cmu.edu/asset_files/TechnicalNote/2010_004_001_15200.pdf
§  ISO/IEC 27005:2011
§  Annex C (informative)
§  NASA
§  IT Threats and Vulnerabilities
¨  http://www.hq.nasa.gov/security/it_threats_vulnerabilities.htm

Framework
§  European Union
§  Cybersecurity Strategy Framework
§  The Directive on security of network and information systems
(NIS Directive)
¨  https://ec.europa.eu/digital-single-market/en/network-and-
information-security-nis-directive
§  ENISA
¨  http://www.enisa.europa.eu/
§  CERT-EU
¨  https://cert.europa.eu/cert/plainedition/en/cert_about.html
§  Data Protection Framework
§  ePrivacy Directive
¨  https://ec.europa.eu/digital-single-market/en/online-privacy
§  General Data Protection Regulation
¨  http://ec.europa.eu/justice/data-protection/reform/index_en.htm

Framework
§  ENISA - European Union Agency for Network and
§  Information security and privacy standards for SMEs
§  https://www.enisa.europa.eu/publications/standardisation-for-smes/
§  Governance framework for European standardisation
§  https://www.enisa.europa.eu/publications/policy-industry-research
§  Definition of Cybersecurity - Gaps and overlaps in
standardisation
§  https://www.enisa.europa.eu/publications/definition-of-cybersecurity
§  Risk Management - Principles and Inventories for Risk
Management / Risk Assessment methods and tools
§  https://www.enisa.europa.eu/publications/risk-management-
principles-and-inventories-for-risk-management-risk-assessment-
methods-and-tools/

Framework
§  UK Laws
§  Telecommunications Regulations Act 1998
§  Data Protection Act 1998
§  Computer Misuse Act 1990
§  The Human Rights Act 1998
§  The Regulation of Investigatory Powers Act (RIPA) 2000
§  The Copyright, Designs and Patent Act 1998
§  The Freedom of Information Act 2000 (public sector)
§  Privacy and Electronic Communications Regulations 2003
§  Terrorism Act 2006
§  US Laws
§  Gramm-Leach-Bliley Act (GLBA)
§  The Health Insurance Portability and Availability Act (HIPAA)
§  The Californian Senate Bill 1386
§  Online Personal Protection Act
§  Sarbanes-Oxley Act (SOX)
§  Federal Information Security Management Act (FISMA)
Laws affect the
application of
frameworks and
standards

Framework
§  ISO/IEC 27001
§  Will support information security for the next decade
§  Works in sync with ISO 9001, ISO 14001, ISO/IEC
20000-1 among others for a better integration of
management systems
§  Implements Plan-Do-Check-Act (PDCA) model
§  Aligned with OECD recommendations for digital security
risk management

Framework
§  Organisation for Economic Co-operation and
Development (OECD)
§  Digital Security Risk Management for Economic and
Social Prosperity (2015)
§  http://www.oecd.org/sti/ieconomy/digital-security-risk-
management.htm

Framework
§  ISO/IEC 27001/2
§  A brief history
1995
BS7799-1
BS7799-2
2000
ISO/IEC
17799
2005
•  ISO/IEC
17799
•  ISO/IEC
27001
•  ISO/IEC
27002
2013
ISO/IEC
27001
ISO/IEC
27002
BS stands for
British Standard

Framework
§  ISO/IEC 27001/2
§  A brief history
It was... It became...
BS7799-1 ISO/IEC 27002 Code of practice
BS7799-2 ISO/IEC 27001 Requirements
BS7799-3 ISO/IEC 27003 Implementation Guide
ISO/IEC 17799:2005 (cancelled by ISO/IEC 27002:2005)

Framework
§  ISO - International Organization for Standardization
§  www.iso.org
§  (IOS in English, OIN in French for Organisation internationale
de normalisation), our founders decided to give it the short form
ISO. ISO is derived from the Greek isos, meaning equal.
§  IEC - International Electrotechnical Commission
§  www.iec.ch
§  The IEC is one of three global sister organizations (IEC, ISO,
ITU) that develop International Standards for the world.
§  TR: Technical Report (ISO)
§  An informative document containing information of a different
kind from that normally published in a normative document

Framework
Measurement
(27004)
ISMS
(27001,
27002)
Governance
of IS
(27014)
Risk Mgmt.
(27005)
BCM
(27031)
Incident
Mgmt.
(27035)
Implement.
Guidance
(27003)

Framework
ISMS
(27000, 27001, 27002, 27003,
27004, 27005, 27014, 27031,
27035)
ISMS Audit
Guidelines
(27007)
Certification
Body Req.
(27006)
Guidelines for
Auditors on IS
Controls
(27008)

Framework
§  Business Continuity Management and Incident
Management
BCM
Requirements
(22301)
BCM Guidelines
(IT) (27031)
Incident Mgmt.
(27035)
IT SMS Req.
(20000-1)
ISMS+IT SMS
(27013)
DRS
(27462)

Framework
ISO 27001
Incident
Management
ISO 20000-1
Incident
Management
Service and Security
Incident Management
Source: ISO/IEC 27013:2015 - Information technology -- Security techniques -- Guidance on the integrated
implementation of ISO/IEC 27001 and ISO/IEC 20000-1

Framework
•  27000 – Overview and vocabulary
Vocabulary
standard
•  27001 – Information security management systems - Requirements
•  27006 – Requirements for bodies providing audit and certification of information security
management systems
•  27009 - Information technology -- Security techniques -- Sector-specific application of
ISO/IEC 27001 -- Requirements
Requirement
standards
•  27002 – Code of practice for information security controls
•  27003 – Information security management system implementation guidance
•  27004 – Information security management - Measurement
•  27005 – Information security risk management
•  27007 – Guidelines for information security management systems auditing
•  TR 27008 – ISMS Controls Audit Guidelines
•  27013 – Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC
20000-1
•  27014 – Governance of information security
•  TR 27016 – Information security management – Organizational economics
Guideline
standards

Framework
• 27010 – Information security management guidelines for inter-sector and inter-
organizational communications
• 27011 – Information security management guidelines for telecommunications
organizations based on ISO/IEC 27002
• TR 27015 – Information security management guidelines for financial services
• TS 27017 – Guidelines on information security controls for the use of cloud
computing services based on ISO/IEC 27002
• 27018 - Information technology -- Security techniques -- Code of practice for
protection of personally identifiable information (PII) in public clouds acting as PII
processors
• TR 27019 - Information technology -- Security techniques -- Information security
management guidelines based on ISO/IEC 27002 for process control systems
specific to the energy utility industry
Sector-specific
guideline
standards
• 2703x
• 2704x
Control-specific
guideline
standards

Framework
§  Well-known ISO security standards
ISO/IEC 27001:2013 Information technology -- Security techniques -- Information security management systems --
Requirements
ISO/IEC 27002:2013 Information technology -- Security techniques -- Code of practice for information security controls
ISO/IEC 27003:2010 Information technology -- Security techniques -- Information security management system
implementation guidance
ISO/IEC 27004:2016 Information technology -- Security techniques -- Information security management -- Monitoring,
measurement, analysis and evaluation
ISO/IEC 27005:2011 Information technology -- Security techniques -- Information security risk management
ISO/IEC 27014:2013 Information technology -- Security techniques -- Governance of information security
ISO/IEC 27031:2011 Information technology -- Security techniques -- Guidelines for information and communication
technology readiness for business continuity
ISO/IEC 27035-1:2016 Information technology -- Security techniques -- Information security incident management -- Part 1:
Principles of incident management
ISO/IEC 27035-2:2016 Information technology -- Security techniques -- Information security incident management -- Part 2:
Guidelines to plan and prepare for incident response

Framework
Risk
Management
ISO 31000:2009 Risk management -- Principles and
guidelines
ISO/TR 31004:2013 Risk management -- Guidance for
the implementation of ISO 31000
IEC 31010:2009 Risk management -- Risk
assessment techniques
ISO Guide 73:2009 Risk management --Vocabulary
§  ISO 31000
§  “(…) ISO 31000 cannot be used for certification
purposes, but does provide guidance for internal or
external audit programmes.” -- iso.org

Framework
Societal
Security
ISO/IEC
22301:2012
Societal security -- Business
continuity management systems
--- Requirements
ISO/IEC
22313:2012
– Guidance
ISO/TS
22318:2015
-- Guidelines for supply chain
continuity
ISO/IEC
22399:2007
Societal security - Guideline for
incident preparedness and
operational continuity
management

Framework
ISO/IEC
27009:2016
Information technology -- Security techniques -- Sector-specific
application of ISO/IEC 27001 -- Requirements
ISO/IEC
27015:2012
Information technology -- Security techniques -- Information
security management guidelines for financial services
ISO/IEC
27011:2016
Information technology -- Security techniques -- Code of
practice for Information security controls based on ISO/IEC
27002 for telecommunications organizations
ISO/IEC TR
27019:2013
security management guidelines based on ISO/IEC 27002 for
process control systems specific to the energy utility industry

Framework
ISO/IEC
27016:2014
Information technology -- Security techniques --
Information security management -- Organizational
economics
ISO/IEC
27017:2015
practice for information security controls based on ISO/
IEC 27002 for cloud services
ISO/IEC
27018:2014
practice for protection of personally identifiable
information (PII) in public clouds acting as PII processors
ISO
27799:2016
Health informatics -- Information security management in
health using ISO/IEC 27002

Framework
ISO/IEC
27032:2012
Guidelines for Cybersecurity, preserving the confidentiality, integrity
and availability of information in Cyberspace
ISO/IEC
27033-1:2015
Information technology -- Security techniques -- Network security
-- Part 1: Overview and concepts
ISO/IEC
27033-2:2012
-- Part 2: Guidelines for the design and implementation of network
security
ISO/IEC
27033-3:2010
-- Part 3: Reference networking scenarios -- Threats, design
techniques and control issues
ISO/IEC
27033-4:2014
-- Part 4: Securing communications between networks using
security gateways

Framework
ISO/IEC
27033-5:2013
-- Part 5: Securing communications across networks usingVirtual
Private Networks (VPNs)
ISO/IEC
27033-6:2016
-- Part 6: Securing wireless IP network access
ISO/IEC
27034-1:2011
Information technology -- Security techniques -- Application
security -- Part 1: Overview and concepts
ISO/IEC
27034-2:2015
security -- Part 2: Organization normative framework
ISO/IEC
27034-6:2016
security -- Part 6: Case studies

Framework
ISO/IEC
27036-1:2014
security for supplier relationships -- Part 1: Overview and concepts
ISO/IEC
27036-2:2014
security for supplier relationships -- Part 2: Requirements
ISO/IEC
27036-3:2013
security for supplier relationships -- Part 3: Guidelines for
information and communication technology supply chain security
ISO/IEC
27036-4:2016
security for supplier relationships -- Part 4: Guidelines for security
of cloud services

Framework
ISO/IEC
27037:2012
Guidelines for identification, collection, acquisition and
preservation of digital evidence
ISO/IEC
27038:2014
Specification for digital redaction
ISO/IEC
27039:2015
Selection, deployment and operations of intrusion
detection and prevention systems (IDPS)
ISO/IEC
27040:2015
Storage security

Framework
ISO/IEC
27041:2015
Guidance on assuring suitability and adequacy of
incident investigative method
ISO/IEC
27042:2015
Guidelines for the analysis and interpretation of digital
evidence
ISO/IEC
27043:2015
Incident investigation principles and processes
ISO/IEC
27050-1:2016
Electronic discovery -- Part 1: Overview and concepts

Framework
PWI NP WD CD DIS FDIS IS
PWI Preliminary Work Item Stage where initial feasibility is assessed
NP New Proposal Stage where formal scoping takes place
WD Working Draft The developmental phase
CD Committee Draft The quality control stage
FCD Final Committee Draft Ready for final approval
DIS Draft International
Standard
International bodies vote formally on a
Standard, submitting comments
FDIS Final Distribution
International Standard
Standard is ready to publish
IS International Standard The Standard is published
ISO Deliverables: http://www.iso.org/iso/home/standards_development/deliverables-all.htm

Framework
ISO/IEC
27034-3
DIS Information technology -- Application
security -- Part 3:Application security
management process
ISO/IEC
27034-5
DIS Information technology -- Security techniques
-- Application security -- Part 5: Protocols and
application security controls data structure
ISO/IEC
27034-7
DIS Information technology -- Security techniques
-- Application security -- Part 7:Application
security assurance prediction model
§  Under development

Framework
Security techniques — Guidelines for information
security management systems auditing
§  5.4.2.1 Defining the objectives, scope and criteria for an
individual audit (Practical help – Examples of audit
criteria)
§  4) measurement of the effectiveness of the implemented
controls, and that these measurements have been applied as
defined to measure control effectiveness (see ISO/IEC 27004);
§  Annex A
§  Optional additional standards can be used to guide the auditee
or auditor. These are listed as “Relevant Standards” in the
tables below. Auditors are reminded to base nonconformities
solely on the audit criteria and the requirements of ISO/IEC
27001.

Framework
§  Technical committee: development of standards
§  ISO/IEC JTC 1/SC 27 IT Security techniques
§  http://www.iso.org/iso/home/standards_development/
list_of_iso_technical_committees/iso_technical_committee.htm?
commid=45306

Monitoring and Measurement
§  Why do we measure performance?
§  NIST SP 800-55 Revision 1, Performance
Measurement Guide for Information Security
§  Information security measures are used to facilitate decision
making and improve performance and accountability
through the collection, analysis, and reporting of relevant
performance-related data. The purpose of measuring
performance is to monitor the status of measured activities and
facilitate improvement in those activities by applying
corrective actions based on observed measurements.

§  Why do we measure performance?
§  NIST SP 800-55 Revision 1, Performance
Measurement Guide for Information Security
§  Information security measures must yield quantifiable
information for comparison purposes, apply formulas for
analysis, and track changes using the same points of reference.
Percentages or averages are most common. Absolute numbers
are sometimes useful, depending on the activity that is being
measured.

§  Measurement is important to
§  Increase accountability
§  Demonstrate compliance with laws, rules and regulation
§  Provide quantifiable inputs for resource allocation
decisions
§  Demonstrate and improve the effectiveness of information
security investments
§  Maximize the effectiveness of the framework and its
resources

§  Attributes of good measurement
§  Manageable
§  Ready to be collected, stored, compiled and analyzed
§  Meaningful
§  Shall make sense for the receiver and be relevant to the objectives
§  Actionable
§  Shall point in the right direction
§  Unambiguous
§  Confuse information is useless
§  Reliable
§  Wrong target is worse than no target at all
§  Timely
§  Shall be available when needed

§  CMU/SEI - The ROI of Security
§  Stephanie Losi
§  http://resources.sei.cmu.edu/asset_files/Newsletter/
2007_102_001_413946.pdf
§  ENISA: Introduction to Return on Security Investment
§  http://www.enisa.europa.eu/activities/cert/other-work/
introduction-to-return-on-security-investment

§  ISO/IEC 27001:2013
§  9.1 Monitoring, measurement, analysis and evaluation
§  The organization shall determine:
¨  a) what needs to be monitored and measured, including information
security processes and controls;
¨  b) the methods for monitoring, measurement, analysis and
evaluation, as applicable, to ensure valid results;
¨  NOTE The methods selected should produce comparable and
reproducible results to be considered valid.
Requirement

Security techniques — Information security
management — Measurement
§  Section 0.1 General
§  The Information Security Measurement Programme will
assist management in identifying and evaluating noncompliant
and ineffective ISMS processes and controls and prioritizing
actions associated with improvement or changing these
processes and/or controls.
§  It may also assist the organization in demonstrating ISO/IEC
27001 compliance and provide additional evidence for
management review and information security risk management
processes.

§  ISO/IEC 27001:2013
§  6.2 Information security objectives and planning to
achieve them
§  The organization shall establish information security objectives
at relevant functions and levels. The information security
objectives shall:
¨  b) be measurable (if practicable);
§  9.1 Monitoring, measurement, analysis and evaluation
§  The organization shall evaluate the information security
performance and the effectiveness of the information security
management system.
Requirement

§  ISO/IEC 27004:2009
§  Section 6.1 Management Responsibilities, Overview
§  Management is responsible for establishing the Information
Security Measurement Programme, involving relevant
stakeholders (see 7.5.8) in the measurement activities,
accepting measurement results as an input into management
review and using measurement result in improvement activities
within the ISMS.
Management
responsibilities

§  Measuring Organizational Awareness
§  ISO/IEC 27004:2009, Section 6.3 Measurement training,
awareness, and competence
§  Management should ensure that:
¨  a) The stakeholders (see 7.5.8) are trained adequately for achieving
their roles and responsibilities in the implemented Information
Security Measurement Programme, and appropriately qualified to
perform their roles and responsibilities; and
¨  b) The stakeholders understand that their duties include making
suggestions for improvements in the implemented Information
Security Measurement Programme.
Management
responsibilities

Security techniques — Governance of information
security
§  Section 5.3.4 Monitor
§  “Monitor” is the governance process that enables the governing
body to assess the achievement of strategic objectives.
§  To accomplish the “Monitor” process, the governing body should:
¨  assess the effectiveness of information security management activities,
§  To accomplish the “Monitor” process, executive management
should:
¨  select appropriate performance metrics from a business perspective,
¨  provide feedback on information security performance results to the
governing body including performance of action previously identified by
governing body and their impacts on the organisation
Responsibilities

Executive Management
(Information Security Management)
External
Stakeholders
Assure
Communicate
Evaluate
Direct Monitor
Strategy, Policy Proposals Performance
Governing
Body
Figure 2 – Governance process of information security

§  ISO/IEC 27001:2013
§  6 Planning
§  6.1 Actions to address risks and opportunities
¨  When planning for the information security management system, the
organization shall consider the issues referred to in 4.1 and the
requirements referred to in 4.2 and determine the risks and
opportunities that need to be addressed to:
¨  6.1.1 General
¨  e) how to
¨  1) integrate and implement the actions into its information security
management system processes; and
¨  2) evaluate the effectiveness of these actions.
Process Input

§  ISO/IEC 27001:2013
§  9.3 Management review
§  Top management shall review the organization’s information
security management system at planned intervals to ensure its
continuing suitability, adequacy and effectiveness.
§  The management review shall include consideration of:
§  c) feedback on the information security performance, including
trends in:
¨  2) monitoring and measurement results;
§  e) results of risk assessment and status of risk treatment plan;
Process Output

§  ISO/IEC 27001:2013
§  9.3 Management review
§  The management review shall include consideration of:
§  f) opportunities for continual improvement.
¨  The outputs of the management review shall include decisions
related to continual improvement opportunities and any needs for
changes to the information security management system.
¨  The organization shall retain documented information as evidence of
the results of management reviews.
Process Output

§  ISO/IEC 27004:2009
§  Section 10 Information Security Measurement
Programme Evaluation and Improvement, Overview
§  Management should specify the frequency of such evaluation,
plan periodic revisions and establish the mechanisms for
making such revisions possible (see clause 7.2 of ISO/IEC
27001:2005).
Improvement

§  Measuring Information Security Risk and Loss
§  The technical vulnerability management approach poses
the following questions:
§  How many technical or operational vulnerabilities exist?
§  How many have been resolved?
§  What is the average time to resolve them?
§  How many recurred?
§  How many systems (critical or otherwise) are impacted by
them?
§  How many have the potential for external exploit?
§  How many have the potential for gross compromise (e.g.,
remote privileged code execution, unauthorized administrative
access, bulk exposure of sensitive printed information)?

§  The risk management approach is concerned with the
following questions:
§  How many high-, medium- and low-risk issues are unresolved?
What is the aggregate annual loss expectancy (ALE)?
§  How many were resolved during the reporting period? If
available, what is the aggregate ALE that has been eliminated?
§  How many were completely eliminated vs. partially mitigated vs.
transferred?
§  How many were accepted because no mitigation nor
compensation method was tenable?
§  How many remain open because of inaction or lack of
cooperation?

§  The loss prevention approach is concerned with the
following questions:
§  Were there loss events during the reporting period? What is the
aggregate loss including investigation, recovery, data
reconstruction and customer relationship management?
§  How many events were preventable (i.e., risk or vulnerability
identified prior to the loss event)?
§  What was the average amount of time taken to identify loss
incidents? To initiate incident response procedures? To isolate
incidents from other systems? To contain event losses?

§  Qualitative measures
§  Do risk management activities occur as scheduled?
§  Have incident response and business continuity plans been
tested?
§  Are asset inventories, custodianships, valuations and risk
analyses up to date?
§  Is there consensus among information security stakeholders as
to acceptable levels of risk to the organization?
§  Do executive management oversight and review activities occur
as planned?

§  Measuring Support of Organizational Objectives
§  Qualitative measures may be revised by Steering
Committee
§  Is there documented correlation between key organizational
milestones and the objectives of the information security
management program?
§  How many information security objectives were
successfully completed in support of organizational goals?
§  Were there organizational goals that were not fulfilled
because information security objectives were not met?
§  How strong is consensus among business units, executive
management and other information security stakeholders that
program objectives are complete and appropriate?

§  Measuring Compliance
§  Anything less than 100% compliance is unacceptable
when piloting passenger jets or operating nuclear power
plants since impacts are likely to be catastrophic and
unacceptable
§  For any activity that is not life or organization-threatening,
the cost of compliance efforts must be weighted against
the benefits and potential impacts

§  Measuring Effectiveness of Technical Security
Architecture
§  Quantitative Metrics
§  Probe and attack attempts repelled by network access control
devices; qualify by asset or resource targeted source geography
and attack type
§  Probe and attack attempts detected by intrusion detection systems
(IDS) on internal networks; qualify by internal vs. external source,
resource targeted and attack type
§  Number and type of actual compromises; qualify by attack severity,
attack type, impact severity and source of attack
§  Statistics on viruses, worms and other malware identified and
neutralized; qualify by impact potential, severity of larger Internet
outbreaks and malware vector
§  Amount of downtime attributable to security flaws and unpatched
systems
§  Number of messages processed sessions examined and kilobytes
(KB) of data examined by IDS

§  Measuring Effectiveness of Technical Security
Architecture
§  Qualitative Metrics
§  Individual technical mechanisms have been tested to verify
control objectives and policy enforcement.
§  The security architecture is constructed of appropriate controls
in a layered fashion.
§  Control mechanisms are properly configured and monitored in
real-time, self-protection implemented and information security
personnel alerted to faults.
§  All critical systems stream events to information security
personnel or to event analysis automation tools for real-time
threat detection.

§  Support material
§  ETSI GS ISI
§  http://www.etsi.org/technologies-clusters/technologies/
information-security-indicators
§  001-1: Information Security Indicators (ISI); Indicators (INC);
Part 1: A full set of operational indicators for organizations
to use to benchmark their security posture
¨  http://www.etsi.org/deliver/etsi_gs/ISI/001_099/00101/01.01.02_60/
gs_ISI00101v010102p.pdf
§  001-2: Information Security Indicators (ISI); Indicators (INC);
Part 2: Guide to select operational indicators based on the
full set given in part 1
¨  http://www.etsi.org/deliver/etsi_gs/ISI/001_099/00102/01.01.02_60/
gs_ISI00102v010102p.pdf

Challenges
§  Inadequate Management Support
§  No compulsory requirement to address information
security and therefore, often view it as a marginally
important issue that adds cost with little value
§  These views often reflect misunderstanding of the
organization's dependence on information systems,
the threat and risk environment, or the impact that the
organization faces or may be unknowingly experiencing
§  There are always cultural and organization challenges in
any job function and he path is not cleared for the
information security manager simply by virtue of gaining
senior management support
Source: ISACA CISM Review Manual

§  Inadequate Management Support
§  Strategies
§  Utilize resources, such as industry statistics, organizational
impact and dependency analyses, and reviews of common
threats to the organization's specific information processing
systems.
§  In addition, management may require guidance in what is
expected of them and approaches that industry peers are taking
to address information security. Even if initial education does not
result in immediate strengthening of support, ongoing education
should still be conducted to develop awareness of security
needs.
Challenges

§  Inadequate Funding
§  Management not recognizing the value of security
investments
§  Security being viewed as a low-value cost centre
§  Management not conceptually understanding where
existing money is going
§  The organizational need for a security investment not
being understood
§  The need for more awareness of industry trends in
security investment
Challenges

§  Inadequate Funding
§  Strategies
§  Leveraging the budgets of other organizational units (e.g.,
product development, internal audit, information systems) to
implement needed security program components
§  Improving the efficiency of existing information security program
components
§  Working with the information security steering committee to
reprioritize security resource assignments and providing senior
management with analysis of what security components will
become underresourced and the risk implications
Challenges

Resources
Policies
Standards
Procedures
Guidelines

Resources
§  Policies
§  A policy that is not understood or accepted is not likely to
be followed
§  Most people are willing to live within the boundaries if
they know what they are
§  Policies and their related standards must be openly
published and made readily accessible to the impacted
community and their managers.

Resources
§  Standards
§  Standards set the allowable boundaries and requirements
for people, processes and technology
§  To be relevant, standards must be set at the strategic,
management and operational levels
§  Standards may need to be changed in response to
changing threats, new technologies, additional regulatory
requirements or when baselines no longer provide
adequate levels of protection

Resources
§  Procedures
§  It is essential that all important processes throughout the
enterprise are documented in procedures reviewed to
ensure compliance with standards
§  Procedures must be clear and unambiguous, and terms
must be exact. For example, the words "must," "shall" and
"will" shall be used for any task that is mandatory
§  The words "should" must be used to mean a preferred
action that is not mandatory. The term "may" or "can"
must only be used to denote a purely discretionary action

Resources
§  Guidelines
§  Guidelines should contain information that will be helpful
in executing the procedures
§  This can include dependencies, suggestions and
examples, narrative clarifying the procedures, background
information that may be useful, tools that can be used,
etc.

Resources
§  Awareness and Education
§  Who is the intended audience (senior management,
business managers, IT staff, users)?
§  What is the intended message (policies, procedures,
recent events)?
§  What is the intended result (improved policy compliance,
behavioral change, better practices)?
§  What communication method will be used (computer-
based training [CBT], all-hands meeting, intranet,
newsletters, etc.)?
§  What is the organizational structure and culture?

Certification
§  Management Systems
§  ISO 9001:2015
§  QMS (Quality)
§  ISO 14001:2015
§  EMS (Environment)
§  ISO/IEC 20000-1:2011
§  IT SMS (IT Services)
§  ISO/IEC 27001:2013
§  ISMS (Information Security)
§  ISO 22301:2012
§  BCMS (Business Continuity)
§  ISO 50001:2011
§  EnMS (Energy)
Complete list: http://www.iso.org/iso/home/standards/management-standards/mss-list.htm

Certification
§  ISO/IEC 27001 certification benefits
§  Allows senior management to demonstrate due diligence
§  Encourages
§  Efficient management of security costs
§  Compliance with laws and regulation
§  Interoperability with partners due to a common set of guidance
§  Increases IS awareness among employees, customers,
vendors, etc.
§  Increases the alignment between IS and business
§  Provides a process framework for IS implementation
§  Helps to determinate IS status and compliance level with
standards and policies

Certification
§  ISO/IEC 27001:2013
§  Cost of certification may vary due to
§  The size of the Organization and the physical/logical scope of
certification
§  Current maturity level of ISMS
§  The gap between current state and desired state of controls
§  Internal capacity to develop the ISMS and close identified gaps
§  How quickly the certificate is necessary

Certification
§  ISO/IEC 27001:2013
§  There are now 114 controls in 14 groups and 35 control objectives; the
2005 standard had 133 controls in 11 groups
§  A.5: Information security policies (2 controls)
§  A.6: Organization of information security (7 controls)
§  A.7: HR security (6 controls that are applied before, during, or after employment)
§  A.8: Asset management (10 controls)
§  A.9: Access control (14 controls)
§  A.10: Cryptography (2 controls)
§  A.11: Physical and environmental security (15 controls)
§  A.12: Operations security (14 controls)
§  A.13: Communications security (7 controls)
§  A.14: System acquisition, development and maintenance (13 controls)
§  A.15: Supplier relationships (5 controls)
§  A.16: Information security incident management (7 controls)
§  A.17: Information security aspects of business continuity mgmt. (4 controls)
§  A.18: Compliance; with internal requirements, such as policies, and with
external requirements, such as laws (8 controls)

Certification
§  ISO/IEC 27001:2013
§  Proposed phases of implementation
§  Phase 1: Scope definition, Risk assessment, Risk Treatment
Plan, Gap assessment, Remediation plan for implementation in
Phase 2, Statement of Applicability, selection of the ISO
certification body
§  Phase 2: Gap resolution, ISMS development, risk management
committee, incident response, ISMS internal audit
§  Phase 3: Independent tests of the ISMS against the
requirements specified in ISO/IEC 27001 (certification)
§  Phase 4: Follow-up reviews and period audits

Certification
§  Project (ISO/IEC 27003:2010)
§  Scope (ISO/IEC 27001:2013 4.3)
§  Risk assessment methodology (ISO/IEC 27001:2013 6.1.2)
§  ISO/IEC 27005:2011
§  Statement of Applicability (ISO/IEC 27001:2013 6.1.3(d))
§  ISO/IEC 27001:2013 Annex A
§  Security Policy (ISO/IEC 27001:2013 A.5)
§  Metrics (ISO/IEC 27001:2013 9.1(a) and 9.1(b))
§  ISO/IEC 27004:2016
§  Incident Management (ISO/IEC 27001:2013 A.16)
§  ISO/IEC 27035-1:2016 and ISO/IEC 27035-2:2016
§  Continuity Management (ISO/IEC 27001:2013 A.17)
§  ISO/IEC 27031:2011
§  ...
§  Audit (Guidelines: ISO/IEC 27007:2011)

Certification
§  ISO/IEC 27001:2013
§  Section 4.4 Information security management system
§  The organization shall establish, implement, maintain and
continually improve an information security management
system, in accordance with the requirements of this
International Standard.

•  Continual monitoring
and reviewing of risks
•  Maintain and improve
the Information
Security Risk
Management Process
•  Implementation of risk
treatment plan
•  Establishing the context
•  Risk assessment
•  Developing risk
treatment plan
•  Risk acceptance
Plan Do
CheckAct
Certification
ISO/IEC 27005:2011 — Information technology — Security techniques — Information security risk management

Certification
ISO/IEC 27003:2010 Overview, Figure 1 – ISMS project phases
Obtaining management
approval for initiating an
ISMS project
Defining ISMS
scope,
boundaries
and ISMS
policy
Conducting
information
security
requirements
analysis
Conducting
risk
assessment
and planning
risk treatment
Design the
ISMS5 6 7 8 9
Management
approval for
initiating ISMS
Project
The ISMS Scope
and boundaries
ISMS Policy
Information
security
requirements
Information
assets
Results from
information
security
assessment
Written notice of
management approval
for implementing the
ISMS
Risk treatment
plan
SoA, including the
control objectives
and the selected
controls
Final ISMS project
implementation
plan
Timeline

Certification
§  ISO/IEC 27003:2010
§  Section 5.1 Overview of obtaining management approval
for initiating an ISMS project
§  NOTE The output from Clause 5 (Documented management
commitment to plan and implement an ISMS) and one of the
outputs of Clause 7 (Document summarization of the
information security status) are not requirements of ISO/IEC
27001:2005. However, the outputs from these activities are
recommended input to other activities described in this
document.
ISO/IEC 27003:2010 (latest version)
references ISO/IEC 27001:2005
(superseded)

Certification
§  ISO/IEC 27001:2013
§  Section 4.3 Determining the scope of the information
security management system
§  The organization shall determine the boundaries and
applicability of the information security management system to
establish its scope.
(…)
§  The scope shall be available as documented information.

Certification
§  ISO/IEC 27001:2013
§  Section 5.2 Policy
§  Top management shall establish an information security policy
that:
§  a) is appropriate to the purpose of the organization;
§  b) includes information security objectives (see 6.2) or provides
the framework for setting information security objectives;
(…)
§  e) be available as documented information;

Certification
Security techniques — Information security risk
management
Primary assets are of two types:
§  1 - Business processes (or sub-processes) and activities, for
example
¨  Processes whose loss or degradation make it impossible to carry out
the mission of the organization
¨  Processes that contain secret processes or processes involving
proprietary technology
¨  Processes that, if modified, can greatly affect the accomplishment of
the organization's mission
¨  Processes that are necessary for the organization to comply with
contractual, legal or regulatory requirements

Certification
Security techniques — Information security risk
management
§  2 – Information
More generally, primary information mainly comprises:
¨  Vital information for the exercise of the organization's mission or
business
¨  Personal information, as can be defined specifically in the sense of
the national laws regarding privacy
¨  Strategic information required for achieving objectives determined by
the strategic orientations
¨  High-cost information whose gathering, storage, processing and
transmission require a long time and/or involve a high acquisition
cost

Certification
Security techniques — Guidelines for information
security management systems auditing
§  ISO/IEC 27001 does not state which risk assessment
approach should be employed and any approach is
acceptable as long as it meets the requirements in ISO/
IEC 27001.
§  ISO/IEC 27005 provides guidance on risk assessment
and risk management. The auditor should be aware that
there are quantitative and qualitative methods, or any
combination of the two, for risk assessment, and that it is
up to the organization to decide which approach to use.

Certification
Risk treatment
options
Risk modification Implement controls
Risk avoidance
Cancel the
operation
Risk sharing Buy insurance
Risk retention “I’m feeling lucky”

CertificationReduceRisk
•  There is no
“zero risk”.
•  To cancel the
operation avoids
the risk but may
not be the best
option.
•  The objective is
to make money
with adequate
risks.
TransferRisk
•  Insurance won’t
transfer risk. It
will only transfer
risk of financial
losses.
•  Health
insurance won’t
transfer death
risk. Life
insurance? Not
a chance.
•  Control cost is
the cost of
insurance.
AcceptRisk
•  May not be so
bad. Depends
on factors and
costs.
•  A soccer coach
knows there is
about 50/50
chance of
winning the
match, even
managing the
stronger team.
•  Risk is inherent
to business.

Certification
Risk treatment
options
Risk
modification
Risk avoidance Risk sharing Risk retention
Residual risk
ISO/IEC 27005:2011 - The risk treatment activity

Certification
§  ISO/IEC 27001:2013
§  Section 6.1.3 Information security risk treatment
§  The organization shall define and apply an information security
risk treatment process to:
(…)
§  d) produce a Statement of Applicability that contains the
necessary controls (see 6.1.3 b) and c)) and justification for
inclusions, whether they are implemented or not, and the
justification for exclusions of controls from Annex A;
(…)
§  The organization shall retain documented information about the
information security risk treatment process.
§  NOTE The information security risk assessment and treatment
process in this International Standard aligns with the principles
and generic guidelines provided in ISO 31000[5].

Certification
§  Statement of Applicability (SoA)
§  Example
Clause
No Control Applicable
(Y/N)
Reason for
selection /
justification for
exclusion
Control objective Current status
of control
A.5 Information security policies
A.5.1 Management direction for information security
A.5.1.1
Policies for information
security

A.5.1.2
Review of the policies for
information security

... ...

Certification
§  Audit and Certification
§  ISO/IEC 27003:2010
§  Annex C - Information about Internal Auditing
¨  In an ISMS audit, auditing results should be determined based
on evidence. Therefore, some suitable length of time during the
ISMS operations should be allocated to collecting suitable
evidence.

Certification
§  ISO/IEC 27007:2011
§  6.2.3.1 Determining the feasibility of the audit
¨  Before the audit commences, the auditee should be asked whether
any ISMS records are unavailable for review by the audit team, e.g.
because they contain confidential or sensitive information.
¨  The person responsible for managing the audit programme should
determine whether the ISMS can be adequately audited in the
absence of these records.
¨  If the conclusion is that it is not possible to adequately audit the
ISMS without reviewing the identified records, the person should
advise the auditee that the audit cannot take place until appropriate
access arrangements are granted and an alternative could be
proposed to or by the auditee.

Certification
§  ISO/IEC 27007:2011 – Annex A: Practice Guidance for ISMS
Auditing
§  Annex A - A.1 ISMS scope, policy and risk assessment approach (ISO/IEC
27001 4.1 & 4.2.1a) to c))
§  Audit evidence includes:
¨  Scope of the ISMS (4.3.1 b));
¨  Organization chart;
¨  Organization strategy;
¨  Business policy statement, business processes and activities;
¨  Documentation of roles and responsibilities;
¨  Network configuration;
¨  Sites information, including a list of branches, business, offices and facilities, and
their floor layouts;
¨  Interfaces and dependencies that the business activities carried out in the scope
of the ISMS have with those outside the scope;
¨  Relevant laws, regulations and contracts;
¨  Primary assets information;
¨  ISMS policy document.
{ ISO/IEC 27007:2011 (latest version)
(superseded)

Certification
§  ISO/IEC 27007:2011
§  Annex A - A.2 Risk identification, analysis and evaluation, and
risk treatment option identification and evaluation (ISO/IEC
27001 4.2.1d)～f))
¨  Inventory of assets;
¨  Documents for the risk assessment methodology;
¨  Risk assessment reports.
{
(superseded)

Certification
§  ISO/IEC 27007:2011
§  Annex A - A.4 Implementation and operation of the ISMS (4.2.2)
¨  Risk treatment plan and progress records on the plan projects;
¨  Documented procedures and records for control effectiveness
measurements.{
(superseded)

Certification
§  Certification Body Requirements
§  Analyse the requirements from
§  ISO/IEC 27006:2015 - Information technology -- Security techniques --
Requirements for bodies providing audit and certification of information
security management systems
§  ISO/IEC 17021:2015 - Conformity assessment -- Requirements for bodies
providing audit and certification of management systems -- Part 1:
Requirements
§  ISO: Certification…
§  “ISO does not perform certification”
§  http://www.iso.org/iso/home/standards/certification.htm
§  IAF
§  UKAS
¨  https://www.ukas.com/search-accredited-organisations/
§  ANAB
¨  http://anab.org/accredited-organizations/
§  INMETRO
¨  http://www.inmetro.gov.br/organismos/index.asp

References
§  NIST Special Publications (SP)
§  http://csrc.nist.gov/publications/PubsSPs.html
§  800-30 Rev. 1 - Guide for Conducting Risk Assessments
(referenced by ISO/IEC 27005:2011)
§  800-55 Rev. 1 - Performance Measurement Guide for
Information Security (referenced by ISO/IEC 27004:2009)
§  800-12, An Introduction to Computer Security: The NIST
Handbook (referenced by ISO/IEC 27005:2011)

References
§  Cloud Security
§  NIST SP: http://csrc.nist.gov/publications/PubsSPs.html
§  800-146 - Cloud Computing Synopsis and Recommendations
§  800-145 - The NIST Definition of Cloud Computing
§  800-144 - Guidelines on Security and Privacy in Public Cloud
Computing
§  800-125 - Guide to Security for Full Virtualization Technologies
§  Cloud Security Alliance: Security Guidance
§  https://cloudsecurityalliance.org/guidance/
§  ENISA Cloud Computing Risk Assessment
§  http://www.enisa.europa.eu/activities/risk-management/files/
deliverables/cloud-computing-risk-assessment

Conclusion
§  The primary objectives
§  Align information security objectives with business
objectives
§  Define roles and responsibilities
§  Integrate controls in a framework
§  Structure policies, standards, procedures e guidelines
§  Implement ISMS according to the compliance framework
of ISO/IEC 27001
§  Define an ISMS measurement programme
§  Improve the ISMS according to measurement results

Conclusion
§  Organizations must be cyber threat driven not
compliance driven
§  Many organizations still continue to be compliance driven
as the major driver for their security practices and
safeguards
§  Many organizations do the minimum necessary to meet
regulatory or other industry compliance requirements
§  Several of the financial institutions breached in the last
couple of years were PCI compliant, yet they were still
breached

Information Security Strategic Management

More Related Content

What's hot

Viewers also liked

Similar to Information Security Strategic Management

More from Marcelo Martins

Recently uploaded

Information Security Strategic Management

Editor's Notes