This presentation focuses on the annexure controls of the ISO 27001:2013 standard. The annexure control A12 relates to 'Operations Security'. - by Software development company in india http://www.ifourtechnolab.com/
2. A 12.4 Logging and Monitoring
Objective: To record events and secure evidence.
Security event logging and monitoring is the examination of electronic audit logs for indications that unauthorized security-related activities have been attempted or performed on a system or application that processes, transmits or stores confidential information.
Event logging and monitoring assists organizations in determining what has been recorded on their systems for follow-up investigation and, if necessary, remediation.
ISO 27001:2013 standard classifies this control into 4 subsections:
A 12.4.1: Event Logging
A 12.4.2: Protection of log information
A 12.4.3: Administrator and Operator logs
A 12.4.4: Clock synchronization
3. A 12.4.1 Event logging
Control: Event logs recording user activities, exceptions, faults and information
security events shall be produced, kept and regularly reviewed.
Register information about the access and actions of users, errors, events, etc. in information systems.
Send the logs generated by each of these systems to a central server.
Configure a syslog server, which allows you to centralize all the logs on a single server.
Syslog is a standard for message logging; it can operate over a network with a client-server application structure.
4. A12.4.2 Protection of log information
ISO for Software Outsourcing Companies in India
Control: Logging facilities and log information shall be protected against tampering
and unauthorized access.
The logs must be protected so that they cannot be removed or modified by unauthorized persons.
Encrypt the event log archive files to ensure the log data remains secured for future forensic analysis, compliance and internal audits.
Securely store the archived log data files, and employ hashing and time stamping techniques so that any later alteration of the archive can be detected.
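As an added example (not from the presentation) of the hashing and time stamping technique described for A 12.4.2: each archived record is chained to the previous one by SHA-256 and the final chain value is recorded with the sealing time, so a modified, deleted or appended record is detected on verification. The sample log lines, host names and user names are constructed for the example; encryption of the archive at rest is a separate step not shown here.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample: records of a daily archive file just before it is sealed
# (hypothetical content, not taken from the presentation).
ARCHIVED_LINES = [
    "2024-03-01T10:00:01Z host1 sshd: Accepted publickey for alice",
    "2024-03-01T10:02:17Z host1 sudo: alice : COMMAND=/usr/bin/systemctl restart nginx",
    "2024-03-01T10:05:44Z host1 sshd: Failed password for root",
]

# The chain starts from the hash of an empty string so that the first record
# is bound to a fixed, known value.
CHAIN_SEED = hashlib.sha256(b"").hexdigest()


def seal_archive(lines, sealed_at=None):
    """Build a tamper-evidence manifest for an archive: every record's hash
    covers the previous hash, and the final value is time stamped when sealed.
    The manifest should be stored separately from the archive (e.g. a WORM store)."""
    prev = CHAIN_SEED
    entries = []
    for line in lines:
        digest = hashlib.sha256((prev + line).encode("utf-8")).hexdigest()
        entries.append({"record": line, "hash": digest})
        prev = digest
    stamp = (sealed_at or datetime.now(timezone.utc)).isoformat()
    return {"entries": entries, "final_hash": prev, "sealed_at": stamp}


def verify_archive(lines, manifest):
    """Recompute the chain over the stored archive and compare it with the manifest.
    Returns (True, None) when intact, otherwise (False, index of the first record
    that no longer matches; a truncated or extended archive reports its length)."""
    prev = CHAIN_SEED
    entries = manifest["entries"]
    for i, line in enumerate(lines):
        digest = hashlib.sha256((prev + line).encode("utf-8")).hexdigest()
        # Appended record (no manifest entry) or altered record (hash mismatch).
        if i >= len(entries) or not hmac.compare_digest(entries[i]["hash"], digest):
            return False, i
        prev = digest
    # Fewer records than sealed, or a final value that does not match the seal.
    if len(lines) != len(entries) or not hmac.compare_digest(prev, manifest["final_hash"]):
        return False, len(lines)
    return True, None
```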
5. A 12.4.3 Administrator and Operator logs
Control: System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.
Systems should register information about all users, regardless of the privileges that they have on the systems.
PUMA (Privileged user monitoring and audit) reports
These are solutions that closely monitor the user activity of system administrators and operators and give you detailed security reports for any specific period of time.
All audit trails should be captured, and the log files that record the activities of system administrators and system operators should be protected from unauthorized access and threats.
6. A 12.4.4 Clock Synchronization
Control: The clocks of all relevant information processing systems within an
organization or security domain shall be synchronized to a single reference time
source.
Synchronized clocks are essential for investigating events across multiple systems in
the infrastructure.
If system clocks are not synchronized, it may be difficult to determine whether two events are related.
For example, an event on one system triggers a failure on a second system, but the clock on the first system is behind. In this case the event that triggered the failure will appear to have occurred after the failure.
Clock synchronization is important because accurate timestamps on audit log data are critical for troubleshooting, for event correlation and for use as evidence in legal or disciplinary cases.
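An added example (not from the presentation) of the correlation problem described for A 12.4.4: two constructed log events, one from an application host that dispatches a job and one from a database host on which the job then fails. The database host's clock is assumed to be 30 seconds behind the reference source, so ordering by the timestamps as written inverts cause and effect; normalising each timestamp with the host's measured offset restores the true order. Host names, messages and offsets are constructed values.

```python
from datetime import datetime, timedelta

# Constructed sample events: (host, timestamp as written by that host, message).
EVENTS = [
    ("app1", "2024-03-01T10:00:00", "INFO dispatched replication job 42 to db1"),
    ("db1", "2024-03-01T09:59:35", "ERROR replication job 42 failed"),
]

# Assumed clock offsets relative to the reference time source, in seconds
# (e.g. as measured by an NTP query): db1's clock is 30 s behind.
CLOCK_OFFSETS = {"app1": 0, "db1": -30}

TS_FORMAT = "%Y-%m-%dT%H:%M:%S"


def parse_ts(value):
    return datetime.strptime(value, TS_FORMAT)


def naive_timeline(events):
    """Order events by their timestamps as written, trusting each host's own clock."""
    ordered = sorted(events, key=lambda e: parse_ts(e[1]))
    return [(ts, host, msg) for host, ts, msg in ordered]


def corrected_timeline(events, offsets):
    """Normalise every timestamp to reference time (local time minus the host's
    offset), then order. A host with no measured offset raises KeyError, since an
    unmeasured clock cannot be placed on the shared timeline."""
    normalised = []
    for host, ts, msg in events:
        if host not in offsets:
            raise KeyError(f"no clock offset measured for host {host}")
        ref_ts = parse_ts(ts) - timedelta(seconds=offsets[host])
        normalised.append((ref_ts, host, msg))
    normalised.sort()
    return [(t.strftime(TS_FORMAT), host, msg) for t, host, msg in normalised]
```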
7. A 12.5 Control of operational software
Objective: To ensure the integrity of operational systems.
ISO 27001:2013 classifies it into:
A 12.5.1: Installation of software on operational systems
A 12.5.1 – Control: Procedures shall be implemented to control the installation of
software on operational systems.
Controls should be in place for the implementation of software on operational systems, in order to minimize the risk of corruption of operational systems.
8. A 12.6 Technical Vulnerability Management
Objective: To prevent exploitation of technical vulnerabilities.
A vulnerability is “a weakness of an asset or control that could potentially be exploited by one or more threats”.
ISO 27001:2013 standard classifies this into:
A 12.6.1: Management of technical vulnerabilities
A 12.6.2: Restrictions on software installation
All of the hardware and software on the organization’s network should be scanned using a vulnerability scanner
To identify weaknesses in the configuration of systems
To determine if any systems are missing important patches, or software such as anti-virus software.
9. A 12.6.1 Management of technical vulnerabilities
Control: Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion.
The organization’s exposure to such vulnerabilities should be evaluated and appropriate measures must be taken to address the associated risk.
A 12.6.1 looks into 3 targets:
Timely identification of vulnerabilities: the sooner you discover a vulnerability, the more time you will have to correct it.
Assessment of organization’s exposure to a vulnerability: A risk assessment should be done to identify and prioritize those vulnerabilities that are more critical to your assets and business.
Proper measures considering the associated risks: Risk treatment plan - think about the actions and allocation of the resources you have to deal with them.
10. A 12.6.2 Restrictions on software installation
Control: Rules governing the installation of software by users shall be established and implemented.
Here are some examples of such rules:
Employees cannot download software from the Internet, or bring software from home, without authorization. It is prohibited.
When an employee detects the need for a particular piece of software, a request needs to be transmitted to the IT department. The request can be stored as a record or as evidence.
If the software costs money, an analysis should be made as to whether there is another similar tool on the market that is cheaper or even free.
Top management should participate in the decision on the acquisition of new software.
Once the decision has been made, the IT department will proceed to include the software in their inventory and will install the software.
11. A 12.7 Information systems audit considerations
Objective: To minimize the impact of audit activities on operational systems.
ISO 27001:2013 classifies it into:
A 12.7.1: Information systems audit controls
A 12.7.1: Control – Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimize disruptions to business processes.
So it looks into:
Planning and controlling how the audit activities are carried out.
Minimizing the impact of audit activities on day-to-day operations.