Implementing ISO 27001 In A Cost Effective Way


Description

Certification Europe ran an Information Security Breakfast Seminar in November 2011. The main topic of the day was ISO 27001 and the benefits which a company can achieve by implementing ISO 27001 - Information Security Management Systems certification within a company. Brian Honan, CEO of BH Consulting Ltd, presented a very interesting and compelling presentation on 'Implementing ISO 27001 In A Cost Effective Way' at the event. The attached slides give a brief synopsis of the overall process. Further details can be found on our company website http://www.certificationeurope.com and on our YouTube channel http://www.youtube.com/user/CertificationEurope#p/u

Transcript of Implementing ISO 27001 In A Cost Effective Way

Page 1: Implementing ISO 27001 In A Cost Effective Way

Helping You Piece IT Together

http://www.bhconsulting.ie [email protected]

Implementing ISO 27001 in a Cost Effective Way

Page 2: Implementing ISO 27001 In A Cost Effective Way

1st Question I’m Asked

Copyright © BH IT Consulting Ltd, www.bhconsulting.ie, 22nd November 2011

Page 3: Implementing ISO 27001 In A Cost Effective Way

The Challenge

• Certification to ISO 27001
• But Do So
• Cost Effectively
• Using Existing Resources

Page 4: Implementing ISO 27001 In A Cost Effective Way

The Challenge


Page 5: Implementing ISO 27001 In A Cost Effective Way

Get it Wrong ….


Page 6: Implementing ISO 27001 In A Cost Effective Way

Remember

Risk Assessment & Risk Management is Key

Page 7: Implementing ISO 27001 In A Cost Effective Way

MS Security Assessment Tool

• http://technet.microsoft.com/en-us/security/cc185712

Page 8: Implementing ISO 27001 In A Cost Effective Way

MS Security Risk Management Guide


Page 9: Implementing ISO 27001 In A Cost Effective Way

Others Available

• http://www.enisa.europa.eu/act/rm

Page 10: Implementing ISO 27001 In A Cost Effective Way

ISMS Documentation


Page 11: Implementing ISO 27001 In A Cost Effective Way

Appropriate Controls


Page 12: Implementing ISO 27001 In A Cost Effective Way

Windows Features

• Encrypting File System
• Windows Firewall
• Windows Backup & Restore Centre
• Windows User Account Control
• User Rights & Privileges
• Event Logs

Page 13: Implementing ISO 27001 In A Cost Effective Way

Windows Server 2008

• Read-only domain controller
• BitLocker drive encryption
• Server Core
• Network Access Protection
• Routing and Remote Access Service
• Windows Firewall with advanced security
• Active Directory Certificate Services
• Active Directory Rights Management Services
• Group policies

Page 14: Implementing ISO 27001 In A Cost Effective Way

Other Free Tools

• Microsoft Windows Server Update Services
• Microsoft Baseline Security Analyzer
• Microsoft Security Risk Management Guide
• Microsoft Security Assessment Tool
• Microsoft CAT.NET
• Microsoft Source Code Analyzer for SQL Injection
• XSS Detect Beta Code Analysis Tool
• Microsoft Windows Sysinternals

Page 15: Implementing ISO 27001 In A Cost Effective Way

Other Resources

• Windows Server 2008 Security Guide
• Windows Server 2003 Security Guide
• Microsoft Threats and Countermeasures Guide
• Microsoft Security Guidance
• Data Encryption Toolkit for Mobile PCs
• Security Monitoring and Attack Detection Planning Guide
• The Microsoft Security Response Centre Blog

Page 16: Implementing ISO 27001 In A Cost Effective Way

Open Source Tools

• Truecrypt
• Nessus
• Nmap
• ASSP (short for "Anti-Spam SMTP Proxy")
• AppArmor Application Firewall
• Eraser & Wipe (Secure deletion)
• Untangle & NetCop (web filtering & monitoring)
• Open Source Tripwire (change detection)
• Wireshark

Page 17: Implementing ISO 27001 In A Cost Effective Way

Open Source Tools

• Nagios – Network Management
• OpenNMS – Event Management
• OTRS – Help Desk Management
• RTIR – Incident Response Management
• MetaSploit
• Burp Suite
• OSSIM: the Open Source Security Information Manager
• BackTrack – Suite of Security Tools

Page 18: Implementing ISO 27001 In A Cost Effective Way

A.10.5 - Backup

ISO clause/control: Information back-up (A.10.5.1)
Explanation: Regular back-ups of essential information assets and software shall be taken and tested regularly.
Controls: You could configure the back-up features within Microsoft® Windows and Windows Server® 2008 to regularly back up critical system and data files.

Page 19: Implementing ISO 27001 In A Cost Effective Way

A.11.3 User responsibilities

ISO clause/control: Password use (A.11.3.1)
Explanation: All users will be required to follow good security practices when selecting and using passwords.
Controls: Use Group Policies to enforce strong passwords.

ISO clause/control: Unattended user equipment (A.11.3.2)
Explanation: Unattended equipment will be given appropriate protection from unauthorised access.
Controls: Use Group Policies to enforce a password-protected screensaver after a predetermined time of inactivity. Configure the system to force users off the system should their idle time exceed a preset time limit. You can also configure the system to only allow users to log on to the network at certain times of the day. Once those times expire, the system can forcibly log the user out of the system.

ISO clause/control: Clear desk and clear screen policy (A.11.3.3)
Explanation: To reduce the risk of unauthorised access, and loss of and damage to information assets, the company should have a clear desk and clear screen policy.
Controls: Configure the system to force users off the system should their idle time exceed a preset time limit.
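The A.11.3 controls above are all delivered through Group Policy, so the cheapest evidence for an auditor is a script that reads the effective policy back from a host and compares it with what the policy document says. The following PowerShell check is an added example, not part of the slides; the threshold values are assumptions for illustration and should be replaced with those in your own password and screen-lock policy.

```powershell
# Added example (not from the slides): read back the effective account policy and
# screen-lock settings that support A.11.3.1 / A.11.3.2 on a Windows host.
# Run in an elevated PowerShell session. Thresholds are assumed for illustration.
$Thresholds = @{
    MinimumPasswordLength     = 12
    PasswordComplexity        = 1      # 1 = complexity requirement enabled
    PasswordHistorySize       = 24
    MaximumPasswordAge        = 90     # days; must be > 0 and <= this value
    LockoutBadCount           = 5
    ForceLogoffWhenHourExpire = 1      # force logoff when permitted logon hours end
}

# secedit exports the effective security policy as an INI file; the
# [System Access] section holds the password and logon-hours settings.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$policy = @{}
$inSection = $false
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') { $policy[$Matches[1]] = [int]$Matches[2] }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

$report = foreach ($name in $Thresholds.Keys) {
    $actual = $policy[$name]
    # A password age of 0 or -1 means "never expires", so it is a failure, not a pass.
    if ($name -eq 'MaximumPasswordAge') { $ok = ($actual -gt 0 -and $actual -le $Thresholds[$name]) }
    else { $ok = ($actual -ge $Thresholds[$name]) }
    [pscustomobject]@{ Setting = $name; Expected = $Thresholds[$name]; Actual = $actual; Compliant = $ok }
}

# Screen-lock settings pushed by Group Policy land under the per-user Policies key:
# ScreenSaverIsSecure = 1 requires a password to unlock, ScreenSaveTimeOut is seconds.
$key = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$ss  = Get-ItemProperty $key -ErrorAction SilentlyContinue
$secure  = [int]$ss.ScreenSaverIsSecure
$timeout = [int]$ss.ScreenSaveTimeOut
$report += [pscustomobject]@{ Setting = 'ScreenSaverIsSecure'; Expected = 1;   Actual = $secure;  Compliant = ($secure -eq 1) }
$report += [pscustomobject]@{ Setting = 'ScreenSaveTimeOut';   Expected = 900; Actual = $timeout; Compliant = ($timeout -gt 0 -and $timeout -le 900) }

$report | Format-Table -AutoSize
# Non-zero exit so the script can run as a scheduled check and feed the ISMS evidence trail.
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```

The screensaver keys only exist when a Group Policy has set them, so a missing value is reported as non-compliant rather than silently skipped.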

Page 20: Implementing ISO 27001 In A Cost Effective Way

A.10.10 Monitoring

ISO clause/control: Audit logging (A.10.10.1)
Explanation: Security-relevant events will be recorded in audit logs which will be retained for an agreed period for use in future investigations and monitoring access.
Controls: Ensure that audit logging is turned on. Use Microsoft® SPIDER to ensure that all relevant systems have logging turned on.

ISO clause/control: Monitoring system use (A.10.10.2)
Explanation: The use of information processing facilities shall be monitored and the results reviewed regularly.
Controls: Use Microsoft® to detect any critical events within the audit logs.

ISO clause/control: Protection of log information (A.10.10.3)
Explanation: Log information and logging systems shall be protected from unauthorised access and alteration.
Controls: Ensure that appropriate permissions are set on the folders that store the log files to protect them. Restrict access to the log files to those authorised to view them. Servers should be configured to shut down should the security log become full.

ISO clause/control: Administrator and operator logs (A.10.10.4)
Explanation: Operational staff will maintain a log of their activities which will be regularly independently checked.
Controls: Use IIS server to log all operator and admin staff activity.

ISO clause/control: Fault logging (A.10.10.5)
Explanation: All faults will be reported and recorded and corrective action taken.
Controls: Use IIS server to host a help-desk-type facility to record all faults.

ISO clause/control: Clock synchronisation (A.10.10.6)
Explanation: To ensure accurate recording of events, computer clocks shall be synchronised.
Controls: Configure one server on your network to be your internal time server. Ensure that server is synchronising with a reputable external network time server. Configure all other servers and critical network devices to source their time from your internal network time server.
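The three technical controls on this slide (audit logging on, the Security log protected and the host halting when it cannot audit, clocks synchronised) can each be verified from the host itself. The PowerShell below is an added example rather than anything from the slides; the list of audit subcategories and the 256 MB size floor are assumptions, and it only covers the Windows-native settings, not the IIS-based logging the slide mentions.

```powershell
# Added example (not from the slides): verify A.10.10.1, A.10.10.3 and A.10.10.6
# settings on one Windows host. Run elevated. Subcategory list and size floor are assumed.
$findings = New-Object 'System.Collections.Generic.List[string]'

# A.10.10.1: these subcategories must audit both success and failure.
$required = 'Logon', 'Account Lockout', 'User Account Management',
            'Security Group Management', 'Audit Policy Change'
foreach ($sub in $required) {
    # auditpol /r emits CSV; the "Inclusion Setting" column holds the effective setting.
    $row = auditpol /get /subcategory:"$sub" /r | Where-Object { $_ } | ConvertFrom-Csv | Select-Object -First 1
    if ($row.'Inclusion Setting' -ne 'Success and Failure') {
        $findings.Add("A.10.10.1: '$sub' is '$($row.'Inclusion Setting')', expected 'Success and Failure'")
    }
}

# A.10.10.3: Security log size and who may read it. The SecurityDescriptor is SDDL;
# an allow ACE for Everyone (WD), Authenticated Users (AU), Users (BU) or
# Interactive (IU) means the log is readable beyond the authorised group.
$sec = Get-WinEvent -ListLog Security
if ($sec.MaximumSizeInBytes -lt 256MB) {
    $findings.Add("A.10.10.3: Security log maximum size is $($sec.MaximumSizeInBytes) bytes (floor 256 MB)")
}
if ($sec.SecurityDescriptor -match '\(A;[^;]*;[^;]*;[^;]*;[^;]*;(WD|AU|BU|IU)\)') {
    $findings.Add("A.10.10.3: Security log ACL grants access to a broad built-in group: $($sec.SecurityDescriptor)")
}
# "Shut down should the security log become full" is the CrashOnAuditFail LSA value
# (policy: Audit: Shut down system immediately if unable to log security audits).
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.CrashOnAuditFail -ne 1) {
    $findings.Add("A.10.10.3: CrashOnAuditFail is '$($lsa.CrashOnAuditFail)', expected 1")
}

# A.10.10.6: the host must take time from a network source, not its own clock.
$source = (w32tm /query /source | Out-String).Trim()
if ($source -match 'Local CMOS Clock|Free-running System Clock' -or -not $source) {
    $findings.Add("A.10.10.6: time source is '$source'; configure the internal NTP server as the source")
}

if ($findings.Count -eq 0) { Write-Output 'All checked A.10.10 settings compliant'; exit 0 }
$findings | ForEach-Object { Write-Output $_ }
exit 1
```

Run it against the internal time server as well, where the expected source is the external reference rather than the internal one.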

Page 21: Implementing ISO 27001 In A Cost Effective Way

Security Awareness

• http://www.enisa.europa.eu/act/ar

Page 22: Implementing ISO 27001 In A Cost Effective Way

Remember

Page 23: Implementing ISO 27001 In A Cost Effective Way

Instead of …


Page 24: Implementing ISO 27001 In A Cost Effective Way

Become an ISO 27001


Page 25: Implementing ISO 27001 In A Cost Effective Way

Questions

[email protected]

www.bhconsulting.ie

www.twitter.com/brianhonan

www.bhconsulting.ie/securitywatch

Tel: +353-1-4404065