O-ISM3 vs ISO27001

  • Certification doesn’t guarantee performance. Performance depends on the budget, the capability and the commitment of those involved in running it. Certification only guarantees that the cause of faults is not poor process design.
  • Poor performers and bogus certifications lower the reputation of the certification and damage the reputation of all certificate holders. Bogus certifications arise from choosing scope and controls to be accredited.
  • Some threats fall out of the scope of information security: Human error; Incompetence; Fraud; Corruption.
  • Certification guarantees that the cause of poor results is not poor process design. This is equivalent to the Managed level. Using metrics you can bring your security processes all the way to the Optimized level of capability.
  • Achievement of Business Goals relies on market conditions, competition, seasonal changes, costs, pricing, workforce skill and innovation, and it relies as well on Quality Goals and Security Goals. Quality Management is used to maintain and improve business process output. Security Management is used to keep Quality despite errors, accidents and attacks.
  • Security Goals depend on: Business Needs and Limitations: these are security needs and limitations derived from the organization’s mission and goals. Compliance Needs and Limitations: these are emergent needs and limitations derived from applicable laws and regulations. Technical Needs and Limitations: these are needs and limitations derived from using information technology. Compliance is normally more a limitation or an obligation than a need; on the other hand, compliance can improve the trust of clients and other third parties in the organization. Technical is normally more a limitation than a need; patching, for example, is totally unrelated to business and is related to the way information systems are engineered. Access Control (not mentioned in the slide) is a technical implementation of the business need for information systems to be used for business purposes by authorized users.
  • See previous notes.
  • Business objectives are the specific expression of general business goals.
  • Security objectives are a specific expression of business, compliance and technical needs and limitations.
  • Security Targets are a way to gauge whether the management system is successful or not. Without security targets (which can be considered a way to express risk appetite) it is not possible to tell a successful ISMS from a failed one, as incidents are unavoidable. Does one incident mean the ISMS has failed? Normally no, but how many incidents (and how severe) does it take to declare the ISMS a failure?
  • The ISO27001 posture is binary: "Do Nothing or Do Everything". Initial investment, which brings the highest return on investment, is discouraged by this binary posture. If your optimum level of investment requires fewer controls than 27001, you can't show it because it is not accreditable. If you have limited resources, you can't show you are making efforts in security. Only with maturity levels is it possible to show progress towards better security management. Maturity levels enable prioritizing investment, as processes are required in order of importance. Incidents are a fact of life. You can tell if your ISMS is ISO27001 compliant after an audit, but how can you tell if your ISMS is successful? ISM3 has security targets; when they are met the ISM is successful, otherwise it has failed and remediation action has to be taken. Process based management is aligned with ISO9001 and ITIL. Controls and processes can be audited by testing them. For example, a control like "No information or information systems should be removed from the premises without authorization" can be audited by trying to remove an information system from the premises without authorization. A process like "Premises access control", with Access Granted and Access Denied logs, can be audited the same way. Controls don't have a defined output, but processes do. This means processes can be managed using metrics of the outputs. On the other hand, a malfunctioning control doesn’t produce the information (metrics from the output) necessary to learn what went wrong and take a management decision to fix it.
  • With ISM3 the distribution of responsibilities is granular and specific.
  • ISO27001 example: Confidentiality: LOW; Availability: HIGH; Integrity: MEDIUM. ISM3 example: Invoices should be accessible to the Accountancy department and the Collection department only. Paid Invoices are to be kept for 3 years and destroyed after no more than four years. The system has to register the user account and the date and time of creation. The system needs to be available 9 to 5 Monday to Friday, with no more than 5 interruptions per week, with a duration of no more than one hour in total, and causing no more than 15 Invoices to be re-entered. There must be less than 5 errors per hundred invoices. More than 99.8% of products served must be invoiced. The system is a third party application whose license must be kept current. The invoicing system keeps personal information; according to the law the database must be registered at the Data Protection agency. The system must not be visible to systems from outside the company or have any remote access. The system must be kept in the Data Center under controlled environmental conditions and company safeguards against fire, flood, etc.
  • How many controls have to fail before an ISMS is called a failure? If there can be several different reasons for incidents, some of them external, is it possible to tell an ISMS that performs poorly from another that performs correctly?
  • Different accreditable maturity levels can be adequate for organizations with different resources. A maturity level can be used as a way to show progress and as a step to achieving higher levels. Early investment in security brings the highest return. A binary compliant / not compliant approach can discourage initial investment.
  • Maturity levels are designed so that the more important (ROSI wise) processes are in level 1, and so on. This makes it easier to prioritize and schedule investment. ISO9001 management principles can be applied to security, as processes have defined outputs that can be acted on. Levels 1-3 can be certified the same way ISO9001 management systems are. Level 4 can be certified ISO9001 wise, or ISO27001 if ISO27001 requirements are met. Level 5 requires ISM3 Consortium involvement, as metrics are not compulsory for ISO27001. Frequently, strict requirements for critical production systems spill all over IT, making management and use of information needlessly more difficult and expensive. The environment concept links lifecycles

    1. What is broken with ISO27001 and how to fix it using
    2. Security Standards. Management: • ISM3 • Standard of Good Practice for Information Security from ISF • ISO 27001 • Cobit by ISACA • IT Baseline Protection by BSI. Risk Management: • Magerit by Ministerio de Administraciones Públicas (Spain) • OCTAVE by Software Engineering Institute • Many others. Products and Systems Engineering: • SSE-CMM (ISO/IEC 21827:2002) • ISO15408 Common Criteria
    3. ISMS Certification • Why do companies go for ISMS certification? • The main reason is that they want to show they are serious about information security. • This doesn’t necessarily mean that they are serious about information security.
    4. ISMS Certification • What is certification good for? • It is a driver for implementation of better ISM practices.
    5. ISMS Certification - Trust • Establishing trust relationships.
    6. ISMS Certification - Trust • A way to evidence the organization's stance on security; • A part of a contract to ensure commitment by one of the parties to security management; • A selling point for vendors; • A possible requirement for outsourcing providers; • A mechanism to ensure mutual understanding of the services obtained from a security outsourcing provider.
    7. ISMS Certification - Trust • Trust relationships with Third Parties, like Partners, Customers and Suppliers.
    8. ISMS Certification - Challenges • Challenges (1/3) • Certification doesn’t guarantee performance. Performance depends on the budget, the capability and the commitment of those involved in running it. • Certification only guarantees that the cause of faults is not poor process design. • Poor performers and bogus certifications lower the reputation of the certification and damage the reputation of all certificate holders.
    9. ISMS Certification - Challenges: Specification
    10. ISMS Certification - Challenges: Different Implementations
    11. ISMS Certification - Challenges: If you get the same certificate
    12. ISMS Certification - Challenges: For different implementations
    13. ISMS Certification - Challenges: The market reputation you will get is that of the worst implementation
    14. ISMS Certification - Challenges • Challenges (2/3): • Some threats fall out of the scope of information security: – Human error; – Incompetence; – Fraud; – Corruption.
    15. ISMS Certification - Challenges
    16. ISMS Certification – Challenges • Challenges (3/3): • Certification alone doesn’t take capability levels beyond “Managed”: – Undefined. The process might be used, but it is not defined. – Defined. The process is documented and used. – Managed. The process is Defined and the results of the process are used to fix and improve the process. – Controlled. The process is Managed and milestones and need of resources are accurately predicted. – Optimized. The process is Controlled and improvement leads to a saving in resources.
    17. ISMS Certification - Summary • Certification doesn’t guarantee performance. • Bad performers damage the reputation of all certificate holders.
    18. Traditional approach to security: “We want to prevent attacks from succeeding”. With this approach, to be secure means to be invulnerable. An incident is any loss of confidentiality, integrity or availability. You look at a piece of data and think: Is it confidential, has it got integrity, is it available?
    19. ISM3 Approach: “We want to guarantee that our business goals are met”. With this approach, to be secure means to be reliable, despite attacks, accidents and errors. An incident is a failure to meet a security objective resulting from accidents, errors or attacks. Using ISM3 you look at a piece of data and think: What properties of this data must be protected for it to have business value?
    20. Comparison. Traditional: The Invoicing Database Confidentiality is HIGH, Availability: HIGH, Integrity is MEDIUM. ISM3: - Invoices should be accessible to the Accountancy department and the Collection department only. - Paid Invoices are to be kept for 3 years and destroyed after no more than four years. - The system has to register the user account, the date and time of invoice creation. - The system needs to be available 9 to 5 Monday to Friday, with no more than 5 interruptions per week, with a duration of no more than one hour in total, and causing no more than 15 Invoices to be re-entered. - There must be less than 5 errors per hundred invoices. - More than 99.8% of products served must be invoiced. - The system is a third party application whose license must be kept current. - The invoicing system keeps personal information; according to the law the database must be registered at the Data Protection agency. - The system must not be visible to systems from outside the company or have any remote access. - The system must be kept in the Data Center under controlled environmental conditions and company safeguards against fire, flood, etc.
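The ISM3 targets on slide 20 are concrete enough to be checked mechanically against a week of operating records, which is the point of having targets at all. The following Python is an added example (not code from the presentation or from the ISM3 standard) that scores the invoicing-system targets against constructed interruption and invoicing figures; the Interruption record, the sample week and the rule that only interruptions overlapping 9 to 5 Monday to Friday count are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Targets taken from slide 20: available 9 to 5 Monday to Friday, at most 5
# interruptions per week, at most one hour of interruption in total, at most
# 15 invoices re-entered, fewer than 5 errors per 100 invoices, and more than
# 99.8% of products served invoiced.
BUSINESS_START, BUSINESS_END = 9, 17


@dataclass
class Interruption:          # assumed record shape, not from the slides
    start: datetime
    end: datetime
    invoices_reentered: int


def business_minutes(start: datetime, end: datetime) -> float:
    """Minutes of [start, end) that fall inside 9-5 Monday to Friday."""
    total = timedelta()
    cur = start
    while cur < end:
        if cur.weekday() < 5:  # Monday=0 ... Friday=4
            day_open = cur.replace(hour=BUSINESS_START, minute=0, second=0, microsecond=0)
            day_close = cur.replace(hour=BUSINESS_END, minute=0, second=0, microsecond=0)
            lo, hi = max(cur, day_open), min(end, day_close)
            if hi > lo:
                total += hi - lo
        # continue from midnight of the next calendar day
        cur = (cur + timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)
    return total.total_seconds() / 60


def evaluate_invoicing_targets(interruptions, errors, invoices, products_served):
    """Return {target: (measured value, target met)} for one week of records."""
    hits = [i for i in interruptions if business_minutes(i.start, i.end) > 0]
    downtime = sum(business_minutes(i.start, i.end) for i in hits)
    reentered = sum(i.invoices_reentered for i in hits)
    errors_per_100 = 100 * errors / invoices
    invoiced_share = invoices / products_served
    return {
        "interruptions_per_week": (len(hits), len(hits) <= 5),
        "business_downtime_minutes": (downtime, downtime <= 60),
        "invoices_reentered": (reentered, reentered <= 15),
        "errors_per_100_invoices": (errors_per_100, errors_per_100 < 5),
        "share_of_products_invoiced": (invoiced_share, invoiced_share > 0.998),
    }


def ism_successful(results) -> bool:
    """ISM3 verdict: every security target met; otherwise remediation is due."""
    return all(met for _, met in results.values())


# Constructed sample week, Monday 2024-03-04 to Sunday 2024-03-10.
SAMPLE_WEEK = [
    Interruption(datetime(2024, 3, 4, 10, 0), datetime(2024, 3, 4, 10, 20), 4),
    Interruption(datetime(2024, 3, 5, 16, 50), datetime(2024, 3, 5, 17, 30), 3),  # only 10 min in hours
    Interruption(datetime(2024, 3, 7, 12, 0), datetime(2024, 3, 7, 12, 15), 2),
    Interruption(datetime(2024, 3, 9, 2, 0), datetime(2024, 3, 9, 5, 0), 0),  # Saturday: not counted
]

if __name__ == "__main__":
    results = evaluate_invoicing_targets(SAMPLE_WEEK, errors=12, invoices=400, products_served=401)
    for name, (value, met) in results.items():
        print(f"{name:28} {value:>8.4g}  {'met' if met else 'MISSED'}")
    print("ISMS successful this week:", ism_successful(results))
```

With the constructed figures every availability target is met, but 400 invoices for 401 products served is 99.75%, so the invoicing target is missed and the week counts as a failure needing remediation.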
    21. ISM3 Business Focus (diagram): Business Goals; Security Goals; Quality Goals
    22. ISM3 Business Focus (diagram): Security Goals; Business Needs and Limitations; Compliance Needs and Limitations; Technical Needs and Limitations; Business Goals; Security Goals; Quality Goals
    23. ISM3 Business Focus • Business Goals – Fundamental to the existence of an organization. Resilience depends on security objectives. • Security Objectives are derived from business, compliance and technical needs and limitations. These are the goals of the ISM. • Security Targets measure the achievement of security objectives in business terms.
    24. ISM3 - What needs protection? • Business Objectives examples: • Paying taxes in time; • Invoice all products and services provided; • Keep any records needed to pass successfully any audit, like a tax audit or a software licenses audit. • Security Objectives. • Security Targets.
    25. ISM3 - What protection is needed? • Business Objectives. • Security Objectives examples: • Business needs and limitations: “Secrets should be accessible to authorized users only” • Compliance needs and limitations: “Repositories with Personal information have to be registered with the Data Protection agency” • Technical needs and limitations: “Systems are as free of weaknesses as possible” • Security Targets.
    26. ISM3 - Is protection successful? • Business Objectives. • Security Objectives. • Security Targets examples: • Business targets: “Less than 2 secrets revealed every year, accounting for less than 0.1% of the value of the company” • Compliance targets: “Fewer than one incident every two years where a Repository is not registered” • Technical targets: “Medium update level in the DMZ environment below 3 days”
    27. ISM3 - Continuous Improvement. What you can’t measure you can’t manage. What you can’t manage you can’t improve. ISM3 uses PDCA per process & Metrics for continuous improvement.
    28. ISM3 - Continuous Improvement. Security Targets. Process Management Metrics: • Activity. • Coverage. • Update. • Availability.
    29. ISM3 & ISO27001 • ISM3 can be used for a better ISO27001 Implementation or alone. • Example for Patching of Critical Systems, 12.5.2 Technical review of applications after operating system changes: When operating systems are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.
    30. ISM3 Guidance on Patching of Systems. Process OSP-5 Environment Patching.
        Description: This process covers the on-going update of services to prevent incidents related to known weaknesses.
        Rationale: Patching prevents incidents arising from the exploitation of known weaknesses in services.
        Documentation: OSP-051-Services Update Level Report Template; OSP-052-Services Patching Management Procedure.
        Inputs: Inventory of Assets; Alerts and Fixes Report.
        Work Products: Up-to-date services in every environment; Services Update Level Report.
        Activity: Number of Work Products submitted; Number of patching updates in information systems.
        Scope: Percentage of information systems covered by the process.
        Update: Time since last Work Products submission; Mean time between Work Products submissions; Update level, calculated as follows: 1. Every information system's update level is equal to the sum of the ages in days of all the security patches pending to apply. 2. The environment update level is equal to the sum of the individual update levels divided by the number of information systems. The lower this metric, the better. This metric allows checking the progress of the patching process and comparing the update level of different environments.
        Availability: Percentage of time the patching systems are available.
    31. ISM3 Guidance (Explained): the same OSP-5 process card as slide 30, annotated with the labels ID, WHAT, WHY, DOCUMENTS, INPUTS, RESULTS and METRICS (one per metric) to mark what each field of a process description is for.
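The update-level metric of process OSP-5 on slide 30 and the Technical target on slide 26 (update level in the DMZ environment below 3 days) can be computed directly from the two process inputs, the Inventory of Assets and the Alerts and Fixes Report. The following Python is an added example, not code from the presentation or from the ISM3 standard; the inventory, environment names, patch release dates and reference date are constructed.

```python
from collections import defaultdict
from datetime import date

# Constructed Inventory of Assets: information system -> environment.
INVENTORY = {
    "web-01": "DMZ", "mail-01": "DMZ", "proxy-01": "DMZ",
    "db-01": "Internal", "file-01": "Internal",
}
# Constructed Alerts and Fixes Report: security patches still pending,
# as (system, release date of the patch). All dates are made up.
PENDING_PATCHES = [
    ("web-01", date(2024, 3, 1)),
    ("web-01", date(2024, 3, 5)),
    ("mail-01", date(2024, 3, 1)),
    ("db-01", date(2024, 2, 10)),
]
TODAY = date(2024, 3, 10)  # constructed reporting date


def system_update_levels(inventory, pending_patches, today):
    """Step 1 of the slide: per system, the sum of the ages in days of all
    pending security patches. A fully patched system scores 0 but still
    counts in its environment's average."""
    levels = {system: 0 for system in inventory}
    for system, released in pending_patches:
        if system not in levels:
            # A patch reported for a system that is not in the inventory means
            # the Scope metric (systems covered by the process) is wrong.
            raise KeyError(f"{system} is not in the Inventory of Assets")
        levels[system] += (today - released).days
    return levels


def environment_update_levels(inventory, pending_patches, today):
    """Step 2 of the slide: per environment, the sum of the system update
    levels divided by the number of information systems. Lower is better."""
    per_env = defaultdict(list)
    for system, level in system_update_levels(inventory, pending_patches, today).items():
        per_env[inventory[system]].append(level)
    return {env: sum(lv) / len(lv) for env, lv in per_env.items()}


def target_met(env_levels, environment, max_days):
    """Check a Technical target such as 'update level in the DMZ below 3 days'."""
    return env_levels[environment] < max_days


if __name__ == "__main__":
    levels = environment_update_levels(INVENTORY, PENDING_PATCHES, TODAY)
    for env, level in sorted(levels.items(), key=lambda kv: kv[1]):
        print(f"{env:10} update level {level:5.1f} days")
    print("DMZ target (< 3 days) met:", target_met(levels, "DMZ", 3))
```

Because the average is over all systems in the environment, adding an unpatched system lowers the environment's score while leaving the real exposure of the others unchanged, so the per-system levels are worth reporting alongside the environment figure.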
    32. ISM3 compared to ISO27001 (Criteria: ISM3 | ISO27001)
        Maturity Levels: Five | No
        Organizational Model: Process owner, Customer, Roles, Responsibilities, TPSRSR, Processes, Management / Not Management
        Link between Business Goals and Information Security: Information qualities (Access Control, Durability, Quality, Priority, Compliance, Technical), Security Objectives (Attacks, Errors, Accidents), Security Targets, Incident: Breach of a security objective | Information qualities (Confidentiality, Availability, Integrity), Attacks, Incident: Breach of CIA.
    33. ISM3 compared to ISO27001 (Criteria: ISM3 | ISO27001)
        Security Processes Selection: Suited to Security Objectives and Targets. Types of assessment: Threat Assessment; Vulnerability Assessment; Business Impact Analysis; Risk Assessment; ROSI Analysis | Controls not adopted have to be justified for successful accreditation. Risk Assessment.
        Success criteria: Yes | No
        Paradigm: Process based | Controls based
        Use of PDCA: Per process basis | Whole ISMS basis
        Improvement Cycle: Continuous using metrics | Discrete, with long Audit - Risk Assessment cycles
        Outsourcing: Metrics can be used to create SLAs, KGIs, KPIs | No support
        Approach: Top-Down | Bottom-up
    34. ISM3 compared to ISO27001 (Criteria: ISM3 | ISO27001)
        Goal: Achievable Security / Maximize ROSI | Absolute Security / Invulnerability
        Rationale: Specified per process | Not specified
        Inputs: Yes | No
        Outputs: Yes | No
        Metrics: Security Targets, Scope, Availability, Activity, Update | No
        Accreditable: Yes, ISO9001 and ISO27001 (level 4&5) compatible | Yes
        Distribution of responsibilities: Strategic, Tactical, Operational, Process owner example | No
        References: Rich in references to best practices | None
    35. ISM3 compared to ISO27001. 1. Incidents Happen, ISO27001 or no ISO27001. 2. Security is a negative result (No Incidents equals Security). 3. But if just One Incident happening meant the ISMS has Failed, then all ISO27001 would be Failures. 4. How can you tell a successful ISO27001 from a failed one? Can that depend on a single Incident? How many Incidents are too many? 5. How can you improve an ISMS cost-effectively if you don’t know when good is good enough?
    36. ISM3 Flexibility • ISM3 is adaptable to organizations with different missions and contexts. • ISM3 is adaptable to organizations with different resources. • Security investment is driven by business need. • Some organizations may not have a huge budget for Information Security (20 / 80 Rule). • Maturity levels describe different levels of sophistication of ISM systems. • Organizations can identify appropriate processes, choose a level suitable for them, and show implementation progress.
    37. ISM3 Maturity Levels (qualitative graphic): Security Investment and Risk across Level 0 to Level 5; series: Security Investment; Risk; Risk Reduction / Extra Security Investment (scaled x40 for readability).
    38. ISM3 Maturity Levels (examples) • ISM3 Level 1 - Significant risk reduction from technical threats, for a minimum investment in essential ISM processes. • For organizations with low Information Security Targets in low risk environments. • ISM3 Level 3 - Highest risk reduction from technical threats, for a significant investment in Information Security processes. • For organizations with high Information Security Targets in normal or high-risk environments. • ISM3 Level 5 - Highest risk reduction from technical and internal threats, for a high and optimized investment in Information Security processes. • For organizations affected by specific requirements (such as utilities, and financial institutions) with high Information Security Targets in normal or high-risk environments.
    39. Responsibilities Distribution - Reporting (diagram): Strategic Managers; Tactical Managers; Operational Managers; Stakeholders; Report (x3).
    40. Responsibilities Distribution • Strategic Practices: Deal with broad goals, coordination and provision of resources; • Tactical Practices: Deal with the design and implementation of the ISM system, specific goals and management of resources; • Operational Practices: Deal with achieving defined goals by means of technical processes.
    41. Responsibilities Distribution (diagram): Strategic Practices; Tactical Practices; Operational Practices; Generic Practices; Specific Goals (x3); Generic Goals; Direct and Provide; Implement and Optimize; Support.
    42. Advantages of ISM3 • Maturity Levels make it easier to prioritize and optimize investment in information security. • ISO9001 compatible certifications. • Some companies can't make big investments. It is well known that 20% of investment can give 80% of the results, but there is no way to show this. ISM3 levels 1 to 3 can help here. • It scales to small and big organizations. • The use of separate processes in every environment prevents using procedures for restrictive environments all over the organization.
    43. Advantages of ISM3 • It supports explicitly the outsourcing of security management and operations processes. The results for each process are defined and the responsibilities to perform each process are defined too. • It provides metrics that help to manage the processes, measure the success and improve the ISM system. • It is possible to achieve capability levels beyond Managed. • It provides Information Security Governance guidance.
    44. Summary • Business Focused • Manageable (with Metrics) • Compatible (ITIL, ISO27001, ISO9001, CobIT) • Adaptable • Flexible • Open Standard, readily available • Rich in implementation guidance
    45. Information Security that makes Business Sense. inovement.es/oism3 • Web: www.inovement.es • Video Blog: youtube.com/user/vaceituno • Blog: ism3.com • Twitter: twitter.com/vaceituno • Presentations: slideshare.net/vaceituno/presentations • Articles: slideshare.net/vaceituno/documents
    46. ISMS Certification. You can check the information security management methodology ISM3 at: www.ISM3.com THANKS
