4 Risk Management Shortcuts in an ISMS - Svensk energi (slide transcript)
Management system for information security (Ledningssystem för informationssäkerhet). 4 Risk Management Shortcuts in an ISMS
Presented by Lars Neupart, Founder and CEO of Neupart ("The ERP of Security"). [email protected], Twitter @neupart
About Neupart
• ISO 27001 certified company.
• Provides SecureAware®, an all-in-one ISMS solution that lets organizations automate IT governance, risk and compliance management.
• "The ERP of Security"
• HQ in Denmark, subsidiary in Germany, and a portfolio of 200+ customers covering a wide range of private enterprises and governmental agencies.
IT GRC = IT Governance, Risk & Compliance Management
Program
• ISMS: The new ISO 27001
• Risk Management: ISO 27005 Method & Guidance
• Lessons Learned: Running an ISMS
Selected ISO 2700x standards
• ISO 27000: Overview and vocabulary
• ISO 27001: Information Security Management Systems – Requirements
• ISO 27002: Code of practice for information security management
• ISO 27003: ISMS Implementation Guidelines
• ISO 27004: Information Security Management – Measurement
• ISO 27005: Information Security Risk Management
• ISO 27006: Requirements for bodies providing audit and certification
Poll: How do you use ISO 27001 today?
1. Do not use
2. Best practice inspiration
3. We plan to comply, without certification
4. We plan to certify
5. We are certified
What's new in the 2013 edition of ISO 27001?
• New content, new requirements numbering
• Still short: 9 pages of requirements to an ISMS
• Controls are still listed in Annex A, referring to the new ISO 27002
• A fair portion of backwards compatibility is maintained
2013: Still risk oriented. The first requirement in the new ISO 27001 refers to an enterprise risk management standard, ISO 31000.
Figure: Plan-Do-Check-Act cycle around three layers: Enterprise Risk Management (ISO 31000), Information Security Risk Management (ISO 27005) and ISMS Requirements (ISO 27001).
27001 news: not only downside risks. Clause 6.1, "Actions to address risks and opportunities".
• Quote from ISO 31000: "Organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. The effect this uncertainty has on an organization's objectives is 'risk'."
Risk Owner
• The risk owner approves the risk treatment plan and accepts the residual risks.
• Note: asset ownership is formally no longer an ISO 27001 requirement, but it is still in the Annex A control list. Practically the same requirement, as you can't claim it is not applicable.
Increased flexibility in your choice of risk method
The organization shall define an information security risk assessment process that:
1. establishes and maintains information security risk criteria, including the risk acceptance criteria;
2. determines the criteria for performing information security risk assessments; and
3. ensures that repeated information security risk assessments produce consistent, valid and comparable results.
(clause 6.1.2)
The organization shall apply an information security risk treatment process (clause 6.1.3).
Treating Risks
Treatment options according to ISO 27005 (and ISO 27001:2005): Accept, Reduce, Share, Avoid. ISO 27001:2013 does not require these specific treatment options, but you are free to choose them.
SoA closer linked to risk treatment
SoA = Statement of Applicability
• Select treatment options
• Determine controls
• Check the controls against Annex A; verify that no necessary controls are omitted
• Make the SoA and justify exclusions AND inclusions (this is new)
• Clearly worded that you must determine all necessary controls, e.g. the formal regulatory requirements on Swedish energy companies
Oh, what happened to PDCA? Plan-Do-Check-Act is still there. It is now called continual improvement and is integrated in the content.
Program, part 2: Risk Management (ISO 27005 Method & Guidance)
What is ISO 27005? A threat-based risk management guidance.
Proactive security (reduce likelihood): IT security policy, compliance & awareness, change management, operating procedures, access control, monitoring, system redundancy, firewall, antivirus.
Reactive security (reduce consequence): IT service continuity teams, IT service continuity strategy, IT service continuity plans, disaster recovery procedures, emergency operations, flexibility, standby equipment, virtualization, backup.
IT Risk Management explained
Figure: risk prioritization is driven by incident likelihood and incident consequence. Likelihood comes from threat frequency, reduced by preventive measures; consequence comes from threat effect, reduced by corrective measures.
Threats: not all assets burn (hint: link your threats to asset types).
Vulnerability & control environment assessment
Figure: controls plotted along two axes, administrative vs physical/technical and preventive vs corrective. Controls shown: firewalls, antivirus, server clusters, RAID, backup/restore, standby equipment, virtualization, security policy, system documentation, awareness, compliance checks, alarm system, fire suppression, logging, change management, IT service continuity plan, disaster recovery procedures, business continuity strategy, redundancy, access control system, standby site, server snapshots, monitoring.
Recommendation: base the assessments on a maturity level scale. Assess how well your controls address the relevant threats.
Assets: dependency hierarchy
• Business impact values are inherited downwards
• Vulnerability values are inherited upwards
Example hierarchy (top to bottom): Finance (business process); ERP (IT service); Dynamics AOS (business system) and Finance DB (database); Server 01 and Server 02 (virtual servers); HP DL380 hardware units and SAN 01 (data storage); Oslo Datacenter (data center).
Business Impact Assessment
ISO 27005: estimate the business impact from breaches of CIA (confidentiality, integrity, availability)
• Financial terms: revenue, cash flow, costs, liabilities
• Non-financial terms: image, non-compliance, competitiveness, service level
Comparing ISO 27005 and NIST SP 800-30 (steps in each standard's own order)
ISO 27005: Context establishment; Identification of assets; Identification of threats; Identification of existing controls; Identification of vulnerabilities; Identification of consequences; Assessment of consequences; Assessment of incident likelihood; Risk estimation; Risk evaluation; Risk treatment; Risk acceptance; Risk communication.
NIST SP 800-30: System Characterization; Threat Identification; Vulnerability Identification; Control Analysis; Likelihood Determination; Impact Analysis; Risk Determination; Control Recommendations; Results Documentation.
Program, part 3: Lessons Learned (Running an ISMS)
How to make an ISMS efficient? Sharing our ISO 27001 ISMS lessons learned.
Our most important lesson, our mistake over 9 years:
• Our ISMS grew too big
• High on maintenance
• Harder to comply with
Better to simplify than to add (simple does not always mean easy).
Neupart's four responsible shortcuts (they also apply to the 2013 edition):
1: Not all assets
• Assess your most important assets first (you can add more later)
2: Not all threats
• Do not use the complete threat catalogue on each of your assets (relevant threats depend on asset type)
3: Inheritance
• Asset dependencies / hierarchy
• Business impact values inherit downwards
• Vulnerability scores inherit upwards
4: Fewer assessments
• Make an overall assessment first, refine later
• Example: assess threats combined first, individually later
Keep it simple: Risk Management = Risk Assessments + Risk Treatment
Risk Management: risk owner; (assets); threats; business impact assessment; vulnerability assessment; reporting & evaluating; treating (accept, reduce, share, avoid).
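The dependency hierarchy slide earlier in the deck (business impact inherited downwards, vulnerability inherited upwards) and the four shortcuts just listed describe a small computation that is easier to see in code. The following is an added example written for this transcript; it is not Neupart's code and it is not SecureAware. The asset names are taken from the hierarchy slide, but the dependency edges, the threat catalogue, the 1 to 5 frequency and impact scales, the 0 to 4 control-maturity scale, the formula risk = frequency × vulnerability × impact, and every score are assumptions made for illustration.

```python
"""Added example: ISO 27005-style risk scoring over an asset dependency hierarchy.

Not Neupart's code. Assumptions (not from the deck): dependency edges, the threat
catalogue, a 1..5 frequency and impact scale, a 0..4 control maturity scale,
and the formula risk = threat frequency * vulnerability * business impact.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MAX_MATURITY = 4  # assumed maturity scale: 0 = no control .. 4 = optimised


@dataclass
class Asset:
    name: str
    kind: str                                               # asset type, used to select threats
    impact: int = 0                                         # business impact 1..5; set on business assets only
    maturity: Dict[str, int] = field(default_factory=dict)  # threat -> control maturity 0..4
    depends_on: List[str] = field(default_factory=list)     # supporting assets (downwards)


# Constructed threat catalogue. Each threat is linked to the asset kinds it can hit
# (shortcut 2: not all threats apply to every asset) and has an assumed frequency 1..5.
THREATS: Dict[str, dict] = {
    "fire":                {"kinds": {"site"},                        "frequency": 1},
    "hardware failure":    {"kinds": {"hardware"},                    "frequency": 3},
    "malware":             {"kinds": {"virtual server"},              "frequency": 4},
    "unauthorised access": {"kinds": {"database", "business system"}, "frequency": 3},
}


class Hierarchy:
    def __init__(self, assets: List[Asset]) -> None:
        self.assets = {a.name: a for a in assets}
        # Reverse edges: which assets depend on this one (used for the downward impact walk).
        self.dependents: Dict[str, Set[str]] = {n: set() for n in self.assets}
        for a in assets:
            for dep in a.depends_on:
                self.dependents[dep].add(a.name)

    def relevant_threats(self, name: str) -> List[str]:
        """Only threats linked to the asset's kind are assessed on it (shortcut 2)."""
        kind = self.assets[name].kind
        return [t for t, spec in THREATS.items() if kind in spec["kinds"]]

    def impact(self, name: str) -> int:
        """Business impact inherits downwards: a supporting asset is as critical as
        the most critical asset that depends on it (shortcut 3)."""
        own = self.assets[name].impact
        return max([own] + [self.impact(d) for d in self.dependents[name]])

    def own_vulnerability(self, name: str, threat: str) -> int:
        if threat not in self.relevant_threats(name):
            return 0
        return MAX_MATURITY - self.assets[name].maturity.get(threat, 0)

    def vulnerability(self, name: str, threat: str) -> int:
        """Vulnerability inherits upwards: a service is as exposed as the weakest asset
        it depends on, so assessing the business process first already reflects
        the whole stack beneath it (shortcuts 1 and 3)."""
        below = [self.vulnerability(d, threat) for d in self.assets[name].depends_on]
        return max([self.own_vulnerability(name, threat)] + below)

    def risk(self, name: str, threat: str) -> int:
        # likelihood = threat frequency x vulnerability; consequence = inherited impact
        likelihood = THREATS[threat]["frequency"] * self.vulnerability(name, threat)
        return likelihood * self.impact(name)

    def risk_register(self, names: Optional[List[str]] = None) -> List[Tuple[int, str, str]]:
        """Prioritised (risk, asset, threat) rows, highest first; zero-risk rows dropped."""
        rows = [(self.risk(n, t), n, t) for n in (names or list(self.assets)) for t in THREATS]
        return sorted((r for r in rows if r[0] > 0), reverse=True)

    def combined_risk(self, name: str) -> int:
        """Shortcut 4: one overall figure per asset before assessing threats individually."""
        return max(self.risk(name, t) for t in THREATS)

    def treat_reduce(self, name: str, threat: str, maturity: int) -> None:
        """'Reduce' treatment: raise the control maturity against one threat on one asset."""
        self.assets[name].maturity[threat] = min(maturity, MAX_MATURITY)


def build_example() -> Hierarchy:
    """Asset names from the deck's hierarchy slide; edges and scores are constructed."""
    return Hierarchy([
        Asset("Finance", "business process", impact=5, depends_on=["ERP"]),
        Asset("ERP", "IT service", depends_on=["Dynamics AOS", "Finance DB"]),
        Asset("Dynamics AOS", "business system", maturity={"unauthorised access": 3},
              depends_on=["Server 01"]),
        Asset("Finance DB", "database", maturity={"unauthorised access": 2},
              depends_on=["Server 02", "SAN 01"]),
        Asset("Server 01", "virtual server", maturity={"malware": 1}, depends_on=["HP DL380 #1"]),
        Asset("Server 02", "virtual server", maturity={"malware": 3}, depends_on=["HP DL380 #2"]),
        Asset("HP DL380 #1", "hardware", maturity={"hardware failure": 2},
              depends_on=["Oslo Datacenter"]),
        Asset("HP DL380 #2", "hardware", maturity={"hardware failure": 4},
              depends_on=["Oslo Datacenter"]),
        Asset("SAN 01", "data storage", depends_on=["Oslo Datacenter"]),
        Asset("Oslo Datacenter", "site", maturity={"fire": 3}),
    ])


if __name__ == "__main__":
    h = build_example()
    for risk, asset, threat in h.risk_register(["Finance"]):
        print(f"{risk:3d}  {asset:<8}  {threat}")
    h.treat_reduce("Server 01", "malware", 3)
    print("after treatment:", h.risk("Finance", "malware"))
```

Assessing only the top-level business process still surfaces the weak virtual server several layers down, which is the point of shortcuts 1 and 3; raising that server's malware control maturity is the "reduce" option and the recomputed figure is the residual risk the risk owner accepts. Share and avoid are not modelled, and a real method would use the organization's own scoring tables rather than the plain product used here.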
Webinar for EBITS members
• Hands-on Risk Assessment Demo for EBITS members, December 5, 14:00. https://attendee.gotowebinar.com/register/4824545226932596993
• Other educational webinars are at www.neupart.se/evenemang: Risk Management (Risk Assessments, Risk Treatment); Compliance Management (ISO 27001 and regulations)
Extra: examples (information security management)
SecureAware ISMS – main features
• IT Risk Management: Risk Treatment Management; Business Impact Assessment; Visual Asset Management; Vendor Risk Assessment; Cloud Service Provider Assessment; Risk Reporting
• IT Disaster Recovery / BCP: ISO 22301 / BS 25999; Templates; IT Service Continuity Plans; Disaster Recovery Plans; Business Continuity Plans; Workflow to update, test and practice your plans; Access your data with or without SecureAware
• ISO 27001: Policy Management; Compliance Mapping; Workflow Management; Continual Improvement Process (PDCA); Internal Audit; Phishing Test & Awareness Quizzes; Data Protection
SecureAware Risk Management (screenshots)
Example: threat catalogue (Hotkatalog)
Example: vulnerability assessment (Sårbarhetsutvärdering)
Example: Business Impact Assessment
Example: risk overview (Risköversikt)
Example: risk management (Riskhantering)