Nieuwe versie ISO/IEC 27002

Transcription

1 24 September 2013 Nieuwe versie O/IEC Code of practice for information security management controls Nieuwe titel

2 1 Inhoudsopgave Inleiding Wat is gewijzigd in O/IEC FD 27002:2013? Wat is de impact van deze wijzigingen? Samenvatting Slides zijn in Engels

3 Guidelines Requirements Terminology 2 O/IEC family of standards :2012 MS Overview and vocabulary (freely available) :2005 Information Security Management System (MS) Requirements Requirements for bodies providing audit and certification of MSs : : : : : :2011 TR :2011 Code of practice for info. sec. management MS implementation guidance Info. sec. management measurements Information security risk management Guidelines for MSs auditing Guidance for Auditor on MS Controls

4 Guidelines Requirements Terminology 3 O/IEC family of standards status D :2014 MS Overview and vocabulary (freely available) FD :2013 Information Security Management System (MS) Requirements Requirements for bodies providing audit and certification of MSs :2007 Focus of this talk FD :2013 Code of practice for info. sec. controls :2010 MS implementation guidance :2009 Info. sec. management measurements :2011 Information security risk management :2011 Guidelines for MSs auditing TR :2011 Guidance for Auditor on MS Controls

5 4 O/IEC 27002:2007 Code of practice Set of commonly accepted control objectives (39) and best practice controls (133) for information security management Description of the controls is structured as follows: Control Implementation guidance Other information 11 clauses of O/IEC Security Policy 6. Organizing information security 7. Asset management 8. Human resources security 9. Physical and environmental security 10. Communications and operations management 11. Access control 12. Systems acquisition, development and maintenance 13. Information security incident management 14. Business continuity management 15. Compliance

6 Sector Specific Guidelines Guidelines 5 O/IEC based sector-specific standards FD :2013 Code of practice for information security controls WG1 Roadmap Annex E Annex F Annex E Principles for sector-specific MS standards Annex F Template for sector-specific MS standards :2012 inter-sector and inter-organizational communications :2008 telecommunications (ITU-T X.1051) TR :2012 financial services 5 th WD :201x cloud computing services :2010 healthcare NEN 7510

7 6 Revision O/IEC 27002

8 7 Revision O/IEC Overview More focused on control selection Information technology Security techniques Code of practice for information security management controls Lot of changes to control objectives and controls Text is updated (in particular control objectives, Implementation guidance & Other information) Titles changed Relocation & merging (re-structuring of sections) Removal of outdate ones & Introduction of new ones 2005 FD Clauses Control obj Controls General structure of control description remained Control Implementation guidance Other information

9 8 Revision O/IEC More focused on control selection Some text in O/IEC 27002:2005 is closely associated with: Guidance on the establishment of an MS => also covered in O/IEC Guidance on security risk management (clause 4) => also covered in O/IEC In the revisions the items covered in other 2700x standards are removed. 0.1 Background and context This International Standard is designed for organizations to use as a reference for selecting controls within the process of implementing an Information Security Management System (MS) based on O/IEC 27001[10] or as a guidance document for organizations implementing commonly accepted information security controls. This standard is also intended for use in developing industry- and organization-specific information security management guidelines, taking into consideration their specific information security risk environment(s). O/IEC FD 27002

10 9 Revision O/IEC New structure of clauses, control objectives & controls O/IEC 27002: Security Policy 6. Organizing information security 7. Asset management 8. Human resources security 9. Physical and environmental security 10. Communications and operations management 11. Access control 12. Systems acquisition, development and maintenance 13. Information security incident management 14. Business continuity management 15. Compliance O/IEC FD 27002: Security Policy 6. Organizing information security 7. Human resources security 8. Asset management 9. Access control 10. Cryptography 11. Physical and environmental security 12. Operations security 13. Communications security 14. Systems acquisition, development and maintenance 15. Supplier relationships 16. Information security incident management 17. Information security aspects of business continuity management 18. Compliance

11 10 Revision O/IEC New structure of clauses, control objectives & controls Clauses are highlighted in this talk Clause 6 Clause 12 & 13 Clause 14 O/IEC FD 27002: Security Policy 6. Organizing information security 7. Human resources security 8. Asset management 9. Access control 10. Cryptography 11. Physical and environmental security 12. Operations security 13. Communications security 14. Systems acquisition, development and maintenance 15. Supplier relationships 16. Information security incident management 17. Information security aspects of business continuity management 18. Compliance

12 11 Revision O/IEC Organization of information security 6 Organization of information security 6.1 Internal Organization Management commitment to information security Information security coordination Allocation of information security responsibilities Authorization process for information processing facilities Confidentiality agreements moved to 13 Communications security Contact with authorities Contact with special interest groups Independent review of information security 6.2 External Parties Identification of risks related to external parties Addressing security when dealing with customers E.g. control was covered by O/IEC moved to 18 Compliance Addressing security in third party agreements moved to 15 Supplier relationships O/IEC 27002:2005

13 12 Revision O/IEC Organization of information security 6 Organization of information security 6 Organization of information security 6.1 Internal organization 6.1 Internal Organization Information security roles and responsibilities Management commitment to information security Segregation of duties Information security coordination Contact with authorities Allocation of information security responsibilities Contact with special interest groups Authorization process for information processing Information security in project management facilities 6.2 Mobile devices and teleworking Confidentiality agreements moved Mobile device policy Contact with authorities Teleworking O/IEC FD Contact with special interest groups Independent review of information security 6.2 External Parties Identification of risks related to external parties Addressing security when dealing with customers Addressing security in third party agreements O/IEC 27002:2005 E.g. control was covered by O/IEC Control is from clause 10 Communications and Operations Management Controls in 6.2 are from 11 Access Control

14 13 Revision O/IEC Mobile devices and teleworking moved from Clause 11 to Mobile computing and teleworking Objective: To ensure information security when using mobile computing and teleworking facilities. The protection required should be commensurate with the risks these specific ways of working cause. When using mobile computing the risks of working in an unprotected environment should be considered and appropriate protection applied. In the case of 6.2 teleworking Mobile devices the organization and teleworking should apply protection to the teleworking site and ensure Objective: that suitable To ensure arrangements the security are in of place teleworking for this and way use of working. of mobile devices Mobile Mobile device computing policy and communications Control Control A A policy formal and policy supporting should security be in place, measures and appropriate should be security adopted measures to manage should the risks be adopted introduced to protect by against using the mobile risks devices. of using mobile computing and communication facilities Teleworking Teleworking Control Control A A policy policy, and operational supporting plans security and measures procedures should should be be implemented developed and to protect implemented information accessed, teleworking processed activities. or stored at teleworking sites. O/IEC 27002:2005 O/IEC FD 27002

15 14 10 Communications and Operations Mngt 10.1 Operational procedures and responsibilities 10.2 Third party service delivery management 10.3 System planning and acceptance 10.4 Protection against malicious and mobile code 10.5 Back-up 10.6 Network security management 10.7 Media handling moved to 8 Asset Management 10.8 Exchange of information 10.9 E-commerce services Monitoring Revision O/IEC Operations security & 13 Communications security O/IEC 27002:2005 moved to 15 Supplier relationships moved to 14 System acquisition, development & maintenance moved to 14 System acquisition, development & maintenance Renamed to application services on public networks

16 15 Revision O/IEC Operations security & 13 Communications security 10 Communications and Operations Mngt 10.1 Operational procedures and responsibilities 10.2 Third party service delivery management 10.3 System planning and acceptance moved 10.4 Protection against malicious and mobile code 10.5 Back-up 10.6 Network security management 10.7 Media handling moved to 8 Asset Mngt 10.8 Exchange of information 10.9 E-commerce services moved Monitoring O/IEC 27002: Operations security 12.1 Operational procedures and responsibilities 12.2 Protection from malware 12.3 Backup 12.4 Logging and monitoring 12.5 Control of operational software 12.6 Technical vulnerability management 12.7 Information systems audit considerations 13 Communications security 13.1 Network security management 13.2 Information transfer From 12 From 15 O/IEC FD 27002

17 16 Revision O/IEC System acquisition, development and maintenance Information System acquisition, systems development acquisition, development and maintenance and maintenance 14.1 Security requirements of information systems Security Information requirements security requirements of information analysis systems and specification Correct Securing processing application in services applications public networks Cryptographic Protecting application controls services transactions Security of in system development files and support processes Security Secure development in development policy and support processes Technical System change Vulnerability control procedures Management O/IEC 27002: Technical review of applications after operating platform changes Restrictions on changes to software packages Secure system engineering principles Secure development environment Outsourced development System security testing System acceptance testing 14.3 Test data Protection of test data O/IEC FD From clause 10 Comm. & Oper. Management

18 17 Revision O/IEC My opinion More logical structure for control objectives & controls More up-to-date & less trend specific More to-the-point

19 18 Impact of revision O/IEC 27002

20 19 Impact of revision O/IEC For organisations If O/IEC is used as basis of your Information Security Management, then you will have to choose: Still use the old version not recommended Use other framework up to you Migrate to new version recommended (SoA required for O/IEC certification) O/IEC 27002:2013 New structure Changed controls (obj.) Removed controls New controls (obj.) Impact Update of information security policy documents Review impact of changed text on implemented controls and improve the controls if necessary. Determine if removed controls are implemented and for what risks. Select and implement alternatives. Review risk assessment & risk treatment with the revised O/IEC 27002:2013

21 20 Impact of revision O/IEC On other sector specific guidelines based on O/IEC Sector-specific guidelines that are based O/IEC will be updated O/IEC (inter-sector and inter-organizational communications) O/IEC (telecommunications-sector-specific) O 27799:2008 (health-sector-specific) O/IEC TR 27015:2012 (financial services-sector-specific) draft O/IEC already based on new version (cloud computing services) National specific standards frameworks based O/IEC NEN 7510:2011 Baseline Informatiebeveiliging Rijksdienst (BIR) - Tactisch Normenkader (TNK); 2012 Tactische Baseline Informatiebeveiliging Nederlandse Gemeenten; 2013

22 21 Recap Updating of text; re-structuring of clauses; relocation, merging, removal of controls; and introduction of new controls Expected publication date: November 2013 Impact on existing use of O/IEC 27002:2007

23 22 Questions +31 (0)