Implementing ISO 27001 In A Cost Effective Way

Helping You Piece IT Together

http://www.bhconsulting.ie [email protected]

Implementing ISO 27001 in a Cost Effective Way

1st Question I’m Asked

2Copyright © BH IT Consulting Ltd www.bhconsulting.ie22nd November 2011

The Challenge

�Certification to ISO 27001

�But Do So

�Cost Effectively

�Using Existing Resources

3Copyright © BH IT Consulting Ltd www.bhconsulting.ie22nd November 2011

The Challenge

22nd November 2011 4Copyright © BH IT Consulting Ltd www.bhconsulting.ie

Get it Wrong ….


Remember


Risk Assessment & Risk Management is Key

MS Security Assessment Tool


� http://technet.microsoft.com/en-us/security/cc185712

MS Security Risk Management Guide


Others Available


� http://www.enisa.europa.eu/act/rm

ISMS Documentation


Appropriate Controls


Windows Features

�Encrypting File System

�Windows Firewall

�Windows Backup & Restore Centre

�Windows Users Access Control

�User Rights & Privileges

�Event Logs


Windows Server 2008

�Read-only domain controller

�BitLocker drive encryption

�Server Core

�Network Access Protection

�Routing and Remote Access Service

�Windows Firewall with advanced security

�Active Directory Certificate Services

�Active Directory Rights Management Services

�Group policies


Other Free Tools

�Microsoft Windows Server Update Server

�Microsoft Baseline Security Analyzer

�Microsoft Security Risk Management Guide

�Microsoft Security Assessment Tool

�Microsoft CAT.NET

�Microsoft Source Code Analyzer for SQL

Injection

�XSS Detect Beta Code Analysis Tool

�Microsoft Windows SysIntermals


Other Resources

�Windows Server 2008 Security Guide

�Windows Server 2003 Security Guide

�Microsoft Threats and Countermeasures Guide

�Microsoft Security Guidance

�Data Encryption Toolkit for Mobile PCs

�Security Monitoring and Attack Detection

Planning Guide

�The Microsoft Security Response Centre Blog


Open Source Tools

�Truecrypt

�Nessus

�Nmap

�ASSP (short for "Anti-Spam SMTP Proxy")

�AppArmor Application Firewall

�Eraser & Wipe (Secure deletion)

�Untangle & NetCop (web filtering & monitoring)

�Open Source Tripwire (change detection)

�Wireshark


�Nagios – Network Management

�OpenNMS – Event Management

�OTRS – Help Desk Management

�RTIR – Incident Response Management

�MetaSploit

�Burp Suite

�OSSIM: the Open Source Security Information

Manager

�BackTrack – Suite of Security Tools


Open Source Tools

A.10.5 - Backup

ISO clause/control Ref Explanation Controls

Information back-up A.10.5.1

Regular back-ups of essential information assets and software shall be taken and tested regularly.

You could configure the back-up features within Microsoft® Windows and Windows Server® 2008 to regularly back up critical system and data files.


A.11.3 User responsibilities


Password use A.11.3.1

All users will be required to follow good

security practices when selecting and

using passwords.

Use Group Policies to enforce strong

passwords.

Unattended user equipment A.11.3.2

Unattended equipment will be given

appropriate protection from

unauthorised access.

Use Group Policies to enforce a

password-protected screensaver after

a predetermined time of inactivity.

Configure the system to force users

off the system should their idle time

exceed a preset time limit.

You can also configure the system to

only allow users to log on to the

network at certain times of the day.

Once those times expire, the system

can forcibly log the user out of the

system.

Clear desk and clear screen policy A.11.3.3

To reduce the risk of unauthorised

access, and loss of and damage to

information assets, the company should

have a clear desk and clear screen

policy.

Configure the system to force users

off the system should their idle time

exceed a preset time limit.


A.10.10 Monitoring


Audit logging A.10.10.1

Security-relevant events will be

recorded in audit logs which will

be retained for an agreed period for use in future investigations and monitoring access.

Ensure that audit logging is turned on.

Use Microsoft® SPIDER to ensure that all relevant systems have logging turned on.

Monitoring system use A.10.10.2

The use of information processing

facilities shall be monitored and the results reviewed regularly.

Use Microsoft® to detect any critical events within the audit logs.

Protection of log information A.10.10.3

Log information and logging systems shall be protected from unauthorised access and alteration.

Ensure that appropriate permissions are set on the folders that store the log files to protect them.

Restrict access to the log files to those authorised to view them.

Servers should be configured to shut down should the security log become full.

Administrator and operator logs

A.10.10.4Operational staff will maintain a log of their activities which will be regularly independently checked.

Use IIS server to log all operator and admin staff activity.

Fault logging A.10.10.5All faults will be reported and recorded and corrective action taken.

Use IIS server to host a help-desk-type facility to record all faults.

Clock synchronisation A.10.10.6To ensure accurate recording of events, computer clocks shall be synchronised.

Configure one server on your network to be your internal time server. Ensure that server is synchronising with a reputable external network time server. Configure all other servers and critical network devices to source their time from your internal network time server.


Security Awareness


� http://www.enisa.europa.eu/act/ar

Remember

Instead of …


Become an ISO 27001


Questions

[email protected]

www.bhconsulting.ie

www.twitter.com/brianhonan

www.bhconsulting.ie/securitywatch

Tel : +353 – 1 - 4404065

Implementing ISO 27001 In A Cost Effective Way

Technology

Transcript of Implementing ISO 27001 In A Cost Effective Way