1. ISO/IEC 27001:2005 An Intorduction Rupam Bhattacharya

2. What is Information? Current Business Plans Future Plans Intellectual Property (Patents, etc) Employee Records Customer Details Business Partners Records Financial Records 3. Enterprise/Corporate IT Hardware Resources 4. Software & Network Risks 5. Structure of 27000 series 27000 Fundamentals & Vocabulary 27001:ISMS 27005 Risk Management27002 Code of Practice for ISM 27003 Implementation Guidance27004 Metrics & Measurement 27006 Guidelines on ISMS accreditation 6. ISO 27001:2005 ISO/IEC 27001:2005 formally specifies a management system that is intended to bring information security under explicit management control. Annex (Control Objectives and Controls ) 11 Security Domains (A5 A 15) Layers of security 39 Control Objectives Statement of desired results or purpose 133 Controls Policies, procedures, practices, software controls and organizational structure To provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected Exclusions in some controls are possible, if they can be justified??? 7. Contains The standard contains 11 domains(apart from introductory sections) Security policy - management direction Organization of information security - governance of information security Asset management - inventory and classification of information assets Human resources security - security aspects for employees joining, moving and leaving an organization Physical and environmental security - protection of the computer facilities Communications and operations management - management of technical security controls in systems and networks Access control - restriction of access rights to networks, systems, applications, functions and data Information systems acquisition, development and maintenance - building security into applications Information security incident management - anticipating and responding appropriately to information security breaches Business continuity management - protecting, maintaining and recovering business-critical processes and systems Compliance - ensuring conformance with information security policies, standards, laws and regulations 8. The PDCA Cycle Plan (establishing the ISMS) Establish the policy, the ISMS objectives, processes and procedures related to risk management and the improvement of information security to provide results in line with the global policies and objectives of the organization. Do (implementing and workings of the ISMS) Implement and exploit the ISMS policy, controls, processes and procedures. Check (monitoring and review of the ISMS) Assess and, if applicable, measure the performances of the processes against the policy, objectives and practical experience and report results to management for review. Act (update and improvement of the ISMS) Undertake corrective and preventive actions, on the basis of the results of the ISMS internal audit and management review, or other relevant information to continually improve the said system. 9. A.5 Security Policy To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. Approved by Management Communicated to Employees and relevant external parties Reviewed at planned intervals Ensure its continuing suitability, adequacy, and effectiveness. 10. A.6 Organization of Information Security To manage information security within the organization. Management shall actively support security within organization. Co-ordinated by representatives from different parts of organization. Confidentiality and non-disclosure agreements. Appropriate contacts with relevant authorities, security forums and professional associations shall be maintained. Independent reviews should be conducted at planned intervals or when significant changes to the security implementation occur. 11. A.7 Asset Management Typical policy statements for Asset Management include: All assets shall be clearly identified, documented and regularly updated in an asset register All assets shall have designated owners and custodians listed in the asset register All assets will have the respective CIA (Confidentiality, Integrity and Availability) rating established in the asset register All employees shall use company assets according to the acceptable use of assets procedures All assets shall be classified according the asset classification guideline of the company 12. A.8 Human Resource Security Prior to Employment: Define roles and responsibilities. Background verification Terms and Conditions of employment During Employment Application of security according to roles and responsibilities. InfoSec awareness, education and training. Disciplinary process for employees who have commited security breach. Post Termination or Change Termination responsibilities Return of Assets Removal of access rights. 13. A.9 Physical and Environmental Security Secure Areas Physical security perimeter Physical entry controls Securing offices, rooms and facilities Protecting against external and environmental threats Guidelines for working in secure areas Public access, delivery and loading areas Equipment Security Equipment sitting, support utilities and cabling security Maintenance, secure disposal/re-use and removal. 14. A.10 Communications and Operations Management Operational procedures and responsibilities Documented operating procedures Change management Segregation of duties Separation of development, test and operational facilities Third Party Service Delivery Management Implement security controls, service definition and delivery levels in agreement. Monitoring and review of third party services Managing changes to third party services 15. Company A company may want to adopt ISO 27001 for the following reasons: It is suitable for protecting critical and sensitive information It provides a holistic, risk-based approach to secure information and compliance Demonstrates credibility, trust, satisfaction and confidence with stakeholders, partners, citizens and customers Demonstrates security status according to internationally accepted criteria Creates a market differentiation due to prestige, image and external goodwill If a company is certified once, it is accepted globally. 16. Asset Classification CONFIDENTIAL: This category refers to asset information that relates to individuals or is otherwise restricted only to authorized users, and if disclosed outside the company would harm the organization, its customers, or its partners. RESTRICTED: The restricted level of asset information pertains to highly sensitive information to the company; which when disclosed would cause substantial damage to the reputation and competitive position of the company in the market. INTERNAL: This classification refers to asset information that is potentially available to all personnel within the company, but is not public. PUBLIC: This classification refers to asset information that has been published or obtainable from a published source, e.g. the Internet. 17. User Registration Typical policy statements can include: All users shall have a unique user ID based on a standard naming convention A formal authorization process shall be defined and followed for provisioning of user IDs. An audit trail shall be kept of all requests to add, modify or delete user accounts/IDs User accounts shall be reviewed at regular intervals Employee shall sign a privilege form acknowledging their access rights Access rights will be revoked for employee changes or leaving jobs Privileges shall be allocated to individuals on a need-to-have basis. A record of all privilege accounts shall be maintained and updated on regular basis 18. Password Management Typical organizational password management policies include: Users shall be forced to change their passwords at the time of first use Passwords shall have a minimum length of eight characters Passwords for all users shall expire in 30/60 days A record of five previous passwords shall be maintained to prevent re-use of these passwords A maximum of three successive login failures shall result in a users account being locked out Passwords shall not be displayed in clear text when they are being keyed in Passwords must include at least one small character (a-z), one capital character (A-Z) and one numeric character (0 9) / one special character (@ # $ & / +) All password entry tries shall be logged along with date, time, ip address, machine name, application and user ID for successful, unsuccessful login attempts 19. Clear Work Environment Example of clear work environment policies include: Critical information shall be protected when not required for use Only authorized users shall use the photocopier machines All loose documents from employees desks shall be confiscated at the end of business day A users desktop shall not contain reference to any document directly or indirectly 20. Operating System and Application Controls Sample operating system and application control policies include: All users in the organization shall have a unique ID No systems or application details shall be displayed before log-in In the condition of log-in failure, the error message shall not indicate which part of the credential is incorrect The number of unsuccessful log-in attempts shall be limited to 3/5/6 attempts During log-in process, all password entries shall be hidden by a symbol The use of system utility program shall be restricted e.g. password utility All operating systems and application shall time out due to inactivity in 5/10/15/30 minutes All applications shall have dedicated administrative menus to control access rights of users 21. Network Security Typical policy statements for Network Security include: Appropriate authentication mechanisms shall be used to control the access by remote users. Allocation of network access rights shall be provided as per the business and security requirements Two-factor authentication shall be used for authenticating users using mobile/remote systems 22. Benefits The key benefits of 27001 are: It can act as the extension of the current quality system to include security It provides an opportunity to identify and manage risks to key information and systems assets Provides confidence and assurance to trading partners and clients; acts as a marketing tool Allows an independent review and assurance to you on information security practices 23. Drawbacks It has some things that dont make sense. Some controls define almost the same issues causing confusion. Like A.9.2.6 (Secure disposal or re-use of equipment) and A.10.7.2 (Disposal of media) Some issues, like relationships with third parties, are scattered around various clauses of Annex A you can find it in clause A.6.2 (External parties), A.8 (Human resources security) and A.10.2 (Third party service delivery management), and control A.12.5.5 (Outsourced software development) Only 6 controls has the word documented in it. Does that mean we can implement all others without documentation? 24. Changes made in ISO 27001:2013 No. of sections have increased from 11 to 14. Management and Leadership re defined as two separate requirements. Section 6: Planning and its evaluation New chapter added on Performance evaluation 25. New Controls A.6.1.5 Information security in project management A.12.6.2 Restrictions on software installation A.14.2.1 Secure development policy A.14.2.5 Secure system engineering principles A.14.2.6 Secure development environment A.14.2.8 System security testing A.15.1.1 Information security policy for supplier relationships A.15.1.3 Information and communication technology supply chain A.16.1.4 Assessment of and decision on information security events A.16.1.5 Response to information security incidents A.17.2.1 Availability of information processing facilities 26. Summary of sections