Implementing ISO 27001 In A Cost Effective Way
Page 1
Helping You Piece IT Together
http://www.bhconsulting.ie [email protected]
Implementing ISO 27001 in a Cost Effective Way
Page 2
1st Question I'm Asked
Copyright © BH IT Consulting Ltd, www.bhconsulting.ie, 22nd November 2011
Page 3
The Challenge
- Certification to ISO 27001
- But Do So
- Cost Effectively
- Using Existing Resources
Page 4
The Challenge
Page 5
Get it Wrong ...
Page 6
Remember
Risk Assessment & Risk Management is Key
Page 7
MS Security Assessment Tool
- http://technet.microsoft.com/en-us/security/cc185712
Page 8
MS Security Risk Management Guide
Page 9
Others Available
- http://www.enisa.europa.eu/act/rm
Page 10
ISMS Documentation
Page 11
Appropriate Controls
Page 12
Windows Features
- Encrypting File System
- Windows Firewall
- Windows Backup & Restore Centre
- Windows User Account Control
- User Rights & Privileges
- Event Logs
Page 13
Windows Server 2008
- Read-only domain controller
- BitLocker drive encryption
- Server Core
- Network Access Protection
- Routing and Remote Access Service
- Windows Firewall with Advanced Security
- Active Directory Certificate Services
- Active Directory Rights Management Services
- Group policies
Page 14
Other Free Tools
- Microsoft Windows Server Update Services
- Microsoft Baseline Security Analyzer
- Microsoft Security Risk Management Guide
- Microsoft Security Assessment Tool
- Microsoft CAT.NET
- Microsoft Source Code Analyzer for SQL Injection
- XSS Detect Beta Code Analysis Tool
- Microsoft Windows Sysinternals
Page 15
Other Resources
- Windows Server 2008 Security Guide
- Windows Server 2003 Security Guide
- Microsoft Threats and Countermeasures Guide
- Microsoft Security Guidance
- Data Encryption Toolkit for Mobile PCs
- Security Monitoring and Attack Detection Planning Guide
- The Microsoft Security Response Centre Blog
Page 16
Open Source Tools
- TrueCrypt
- Nessus
- Nmap
- ASSP (short for "Anti-Spam SMTP Proxy")
- AppArmor Application Firewall
- Eraser & Wipe (secure deletion)
- Untangle & NetCop (web filtering & monitoring)
- Open Source Tripwire (change detection)
- Wireshark
Page 17
Open Source Tools (continued)
- Nagios: Network Management
- OpenNMS: Event Management
- OTRS: Help Desk Management
- RTIR: Incident Response Management
- Metasploit
- Burp Suite
- OSSIM: the Open Source Security Information Manager
- BackTrack: Suite of Security Tools
Page 18
A.10.5 Backup

A.10.5.1 Information back-up
  Explanation: Regular back-ups of essential information assets and software shall be taken and tested regularly.
  Controls: You could configure the back-up features within Microsoft® Windows and Windows Server® 2008 to regularly back up critical system and data files.
Page 19
A.11.3 User responsibilities

A.11.3.1 Password use
  Explanation: All users will be required to follow good security practices when selecting and using passwords.
  Controls: Use Group Policies to enforce strong passwords.

A.11.3.2 Unattended user equipment
  Explanation: Unattended equipment will be given appropriate protection from unauthorised access.
  Controls: Use Group Policies to enforce a password-protected screensaver after a predetermined time of inactivity. Configure the system to force users off the system should their idle time exceed a preset time limit. You can also configure the system to only allow users to log on to the network at certain times of the day. Once those times expire, the system can forcibly log the user out of the system.

A.11.3.3 Clear desk and clear screen policy
  Explanation: To reduce the risk of unauthorised access, and loss of and damage to information assets, the company should have a clear desk and clear screen policy.
  Controls: Configure the system to force users off the system should their idle time exceed a preset time limit.
Page 20
A.10.10 Monitoring

A.10.10.1 Audit logging
  Explanation: Security-relevant events will be recorded in audit logs which will be retained for an agreed period for use in future investigations and monitoring access.
  Controls: Ensure that audit logging is turned on. Use Microsoft® SPIDER to ensure that all relevant systems have logging turned on.

A.10.10.2 Monitoring system use
  Explanation: The use of information processing facilities shall be monitored and the results reviewed regularly.
  Controls: Use Microsoft® to detect any critical events within the audit logs.

A.10.10.3 Protection of log information
  Explanation: Log information and logging systems shall be protected from unauthorised access and alteration.
  Controls: Ensure that appropriate permissions are set on the folders that store the log files to protect them. Restrict access to the log files to those authorised to view them. Servers should be configured to shut down should the security log become full.

A.10.10.4 Administrator and operator logs
  Explanation: Operational staff will maintain a log of their activities which will be regularly independently checked.
  Controls: Use IIS server to log all operator and admin staff activity.

A.10.10.5 Fault logging
  Explanation: All faults will be reported and recorded and corrective action taken.
  Controls: Use IIS server to host a help-desk-type facility to record all faults.

A.10.10.6 Clock synchronisation
  Explanation: To ensure accurate recording of events, computer clocks shall be synchronised.
  Controls: Configure one server on your network to be your internal time server. Ensure that server is synchronising with a reputable external network time server. Configure all other servers and critical network devices to source their time from your internal network time server.
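An added PowerShell example (not from the slides or from BH Consulting) that reads back, on one Windows host, the effective state of several of the A.11.3 and A.10.10 controls mapped in the two tables above, so the settings pushed by Group Policy can be evidenced for an audit rather than assumed. The 8-character minimum, the 15-minute screensaver limit and the default Security.evtx path are assumptions, not values from the slides.

```powershell
# Added example, not from the slides: read-only checks on a Windows host for the
# A.11.3 and A.10.10 controls mapped above. Run in an elevated PowerShell session.
# Assumptions: English auditpol/net output, default Security.evtx path, and the
# 8-character / 15-minute thresholds (the slides only say "strong" and "predetermined").
function New-Check($Control, $Check, $Pass) {
    [pscustomobject]@{ Control = $Control; Check = $Check; Pass = [bool]$Pass }
}
$results = @()

# A.11.3.1 Password use: minimum length as enforced by local or domain policy
$net = net accounts 2>$null | Out-String
$minLen = if ($net -match 'Minimum password length:\s+(\d+)') { [int]$Matches[1] } else { 0 }
$results += New-Check 'A.11.3.1' "Minimum password length >= 8 (found $minLen)" ($minLen -ge 8)

# A.11.3.2 Unattended equipment: policy-enforced, password-protected screensaver
$ssPath = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$ss = Get-ItemProperty -Path $ssPath -ErrorAction SilentlyContinue
$ssOk = ($ss.ScreenSaveActive -eq 1) -and ($ss.ScreenSaverIsSecure -eq 1) -and
        ($ss.ScreenSaveTimeOut -and [int]$ss.ScreenSaveTimeOut -le 900)
$results += New-Check 'A.11.3.2' 'Password-protected screensaver within 15 min' $ssOk

# A.10.10.1 Audit logging: at least one Logon/Logoff subcategory is being audited
$audit = auditpol /get /category:"Logon/Logoff" 2>$null | Out-String
$results += New-Check 'A.10.10.1' 'Logon/Logoff auditing enabled' ($audit -match 'Success|Failure')

# A.10.10.3 Protection of log information: only SYSTEM, Administrators and the
# event log service should hold write access to the Security log file
$logPath = Join-Path $env:SystemRoot 'System32\winevt\Logs\Security.evtx'
$writers = (Get-Acl -Path $logPath).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.FileSystemRights -match 'Write|Modify|FullControl' -and
    $_.IdentityReference -notmatch 'SYSTEM|Administrators|EventLog'
}
$results += New-Check 'A.10.10.3' 'No unexpected write access to Security.evtx' (@($writers).Count -eq 0)

# A.10.10.3 "shut down should the security log become full" is CrashOnAuditFail = 1
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$results += New-Check 'A.10.10.3' 'CrashOnAuditFail enabled' ($lsa.CrashOnAuditFail -eq 1)

# A.10.10.6 Clock synchronisation: time must come from a network source, not the local clock
$source = (w32tm /query /source 2>$null | Out-String).Trim()
$timeOk = $source -and ($source -notmatch 'Local CMOS Clock|Free-running')
$results += New-Check 'A.10.10.6' "Time source is a network server ($source)" $timeOk

$results | Format-Table -AutoSize
```

On a domain member the registry and `net accounts` values reflect whatever Group Policy last applied, so a failed row points at a missing or unapplied policy rather than a local misconfiguration; run the script on the internal time server as well, where the A.10.10.6 row should name the external source.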
Page 21
Security Awareness
- http://www.enisa.europa.eu/act/ar
Page 22
Remember
Page 23
Instead of ...
Page 24
Become an ISO 27001
Page 25
Questions
www.bhconsulting.ie
www.twitter.com/brianhonan
www.bhconsulting.ie/securitywatch
Tel: +353 1 4404065