ISO/IEC International Information Security Standard ITMS 535 Fall 2012

Transcription

1 2012 ISO/IEC International Information Security Standard ITMS 535 Fall 2012 This paper will discuss the development, contents, and implementation of the ISO International Information Security Standard Kostantinos Sekalias A Illinois Institute of Technology 12/6/2012

2 Table of Contents Introduction... 3 ISO 27001:2005 Review... 4 ISO High Level... 5 ISO Detail Level... 7 ISO mappings to other standards The ISO Certification Process Conclusion References

3 Introduction This paper will discuss "what it means to have data in an ISO/IEC 27001:2005 Data Center", and the activities involved in the processes that initiate, control, and manage this certification. Additionally, the benefits of maintaining the ISO certification will be discussed; and the need for upper management support throughout the entire process. ISO (International Organization for Standardization) is the world s largest developer of voluntary International Standards and these standards are developed through a global consensus. ISO has published over 19,000 International Standards attempting to cover aspects of technology and business. [1] An ISO standard is developed by a panel of experts, within a technical committee. Once the need for a standard has been established, these experts meet to discuss and negotiate a draft standard. As soon as a draft has been developed it is shared with ISO s members who are asked to comment and vote on it. ISO/IEC 27001:2005 applies to many differing types of organizations and specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System (ISMS) within the perspective of an organization's accepted business risks. It specifies requirements for the implementation of the security controls that are customizable to the needs of organizations or departments within. The standard has been designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties. There will also be an exploration of the adoption of an ISMS from a standpoint of a strategic decision of an organization's management to satisfy security requirements, controls used, and ensure that the adopted model is scalable over time. The tools developed to comply with this standard will provide a documented means to understanding an organization's information security requirements, managing risks via controls, monitor/review control performance, and to continually improve these tools for efficiency and applicability. 3

4 ISO 27001:2005 Review The abundance of threats to electronic information and the growing collection of regulatory requirements that relate to information protection has significantly increased over the past ten years. The ISO27001 standard is valuable in demonstrating compliance with laws such as SOX, HIPAA, GLBA, PIPEDA, and so on. A fundamental aspect of ISMS is the protection of the information as it relates to availability, confidentiality and integrity of an organization's data. This is the driving focus of this standard which provides a number of benefits to an organization such as: Formulation of security requirements and objectives. Ensuring that security risks are cost effectively managed. Ensuring the compliance with laws and regulations. The implementation and management of controls to ensure that the specific security objectives of an organization are met. Identification and clarification of existing information security management processes. To determine the status of information security management activities. To determine the degree of compliance with the policies, directives and standards adopted by an organization. To provide relevant information about security policies, directives, standards and procedures to trading partners and other organizations with whom they interact for operational or commercial reasons. Implementation of business-enabling information security. To provide relevant information about information security to customers. The need for the ISO standard was recognized as a natural progression from BS in BS7799 was intended as a technology-neutral, vendor-neutral management system that would enable an organization's management to assure itself that its information security measures and arrangements were effective. Compatibility with other ISO standards such as ISO9001 and ISO14001 are encouraged to enable organizations to develop management systems that integrate the requirements of 4

5 each of the management standards that the organization is using and eliminate redundant systems between standards were applicable. The ISO organizations stamp of approval can provide customer reassurance and a competitive advantage to the certified body. ISO High Level An organization's ISMS in compliance with ISO will need to adopt a process approach that emphasizes the importance of understanding an organizations information security requirements, implementing controls for risk management, monitoring the ISMS effectiveness, and commit to continual improvements of ISMS. Figure 1 ( PDCA model ), the "Plan-Do-Check-Act" (PDCA) model adopted within the standard provides a robust model for implementing the principles that govern risk assessment, security design/implementation, and security management/reassessment. Figure 1 ( PDCA model ) In more detail, the PDCA model is designed to guide activities throughout the certification process and can be further explained with the following definitions: Plan - Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization's overall policies and objectives. Do - Implement and operate the ISMS policy, controls, processes and procedures. 5

6 Check - Monitor and Review the ISMS, by assessing and measuring process performance against the ISMS policy, objectives, and practical experience to report the results to management for review. Act - Maintain and improve the ISMS, by taking corrective/preventive actions to achieve continual improvement of the ISMS. An organization's compliance will need to be demonstrated through documentation that will include records of management decisions that are traceable back to the established policies and that these recorded results are reproducible if audited. The ISMS documentation will need to include ISMS policy and objectives, scope, procedures and controls, risk assessment method/report, and a risk treatment plan. In addition, the organization will need a description of how to measure the effectiveness of any implemented controls and provide the Statement of Applicability. When it comes to the area of "Controlled Documents", there will need to be a method of document establishment and protection that ensures the validity and trust of the ISMS. The organization's management is primarily responsible for this document procedure and it will need to include methods of: Document approval for adequacy prior to use. Review, update, and re-approval of documents as necessary. Ensuring that relevant versions of these documents are readily available for use. Ensuring that documents are identifiable. Ensuring that documents are transferred, stored, and disposed of in accordance with the procedures applicable to their classification. Ensuring that external documents are identified. Ensuring a controlled distribution of any documents. Preventing the unintended use of obsolete documents. The "Control of Records" must also be established and maintained to provide evidence of conformity to requirements and the effective operation of the ISMS in such a way that they remain legible, readily identifiable, and properly stored. 6

7 Training, awareness and competence plays a big role in the implementation and maintenance of this standard in a way that an organization must ensure that all personnel who are assigned responsibilities defined in the ISMS are competent to perform the required tasks. This can be achieved through management's commitment to the following: Determining the necessary competencies for work effecting the ISMS. Providing training or employing personnel with existing competencies in these areas. Maintaining records of education, training, skills, experience and qualifications that effect the ISMS. ISO Detail Level The ISO standard is divided into sections that explain the ISMS framework and Annex attachments that assist in the implementation of control objectives, methods for correlation to the Organization for Economic Co-operation and Development (OECD) guidelines for ISMS, and the correspondence between ISO 9001:2000/ISO 14001:2004. Much of section 0-2 of the ISO standard has been addressed above so this portion of the paper will address sections 3-8 and the Annex portions of the standard. ISO 27001, Section 3 - Terms and definitions This section describes the terms and definitions that are used throughout the document. It assists the readability of the standard by providing a level of context of a word or phrase used throughout the document. An example would be the use of the phrase "residual risk" which can stand for a number of things if not explained. By referencing section 3 of the ISO standard, one would know that this phrase is specific to "the risk remaining after a risk treatment". ISO 27001, Section 4 - Information security management system This section is the work horse of the document and provides the targeted organization the general requirements of establishing and managing the ISMS. It will provide a solid guide to an organization that is in the infancy of a compliant ISMS and also a means for improving an existing system. The following sub-sections include: Section General requirements Section Establishing and managing the ISMS Section Establishing the ISMS Section Implement and operate the ISMS Section Monitor and review the ISMS 7

8 Section Maintain and improve the ISMS Section Documentation requirements Section General Section Control of documents Section Control of records ISO 27001, Section 5 - Management responsibility Because of the level of diligence and dedication needed to implement and maintain a compliant ISMS, a targeted organization's upper management involvement is a major consideration for a successful effort. Section 5 of ISO address this reality of managements portion of the process with the following quote from the standard as an example of the clear mention of management's commitment. "Management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS." The following sub-sections include: Section Management commitment Section Resource Management Section Provision of resources Section Training, awareness and competence ISO 27001, Section 6 - Internal ISMS audits This section explains the need for internal audits of the ISMS at planned and consistent intervals to determine the conformity and performance of the system. The audit's criteria, scope frequency and methods shall be defined prior to the audit, and the auditor shall exercise objectivity and observe the results impartially during and after the audit. Auditors shall avoid any conflicts of interests with the standard explicitly stating that "Auditors shall not audit their own work". ISO 19011:2002 is referenced in this section as an additional resource for carrying out the internal audit. ISO 27001, Section 7 - Management review of the ISMS This section explains the responsibility of upper management's review of the entire ISMS at planned intervals (at least once a year), and the review includes identifying opportunities for improvement and adjustment of the ISMS policy to better align with the business objectives of the organization. The following sub-sections include: Section General Section Review input Section Review output 8

9 ISO 27001, Section 8 - ISMS improvement This section explains the responsibility of improving the ISMS on a continual basis to ensure that effectiveness is relevant and that corrective actions to nonconformities are implemented in a timely manner. The following sub-sections include: Section Continual improvement Section Corrective action Section Preventative action ISO 27001, Annex A - Control objectives and controls This section contains the controls objectives used when designing the Statement of Applicability for an organization in conjunction with the results from a risk assessment. Annex A has 11 major areas containing a total of 133 total controls available for compliance. Each control must be considered and a decision made on whether they are applicable to the ISMS scope. The following naming convention used within the standard is hierarchical and included in table-1 shown below. 9

10 ISO/IEC (Annex A) CONTROLS A.5 Security Policy A.5.1 Information security policy A Information security policy document A Review of the information security policy A.6 Organization of information security A.6.1 Internal A Management commitment to information security A Information security coordination A Allocation of information security responsibilities A Authorization process for information processing facilities A Confidentiality agreements A Contact with authorities A Contact with special interest groups A Independent review of information security A.6.2 External Parties A Identification of risks related to external parties A Addressing security when dealing with customers A Addressing security in third party agreements A.7 Asset Management A.7.1 Responsibility for assets A Inventory of assets A Ownership of assets A Acceptable use of assets A.7.2 Information Classification A Classification Guidelines A Information labeling and handling A.8 Human Resources Security A.8.1 Prior to Employment A Roles and Responsibilities A Screening A Terms and conditions of employment A.8.2 During employment A Management responsibilities A Awareness, education, and training A Disciplinary process A.8.3 Termination or change of employment A Termination responsibilities A Return of assets A Removal of access rights A.9 Physical and environmental security A.9.1 Secure areas A Physical security perimeter A Physical entry controls A Securing offices, rooms, facilities A Protecting against external and environmental threats A Working in secure areas A Public access, delivery and loading areas A.9.2 Equipment security A Equipment siting and protection A Supporting utilities A Cabling security A Equipment maintenance A Security of equipment off-premises A Secure disposal or re-use of equipment A Removal of property A.10 Communications and operations management A.10.1 Operational procedures and responsibilities A Documented operating procedures A Change management A Segregation of duties A Separation of development, test and operational facilities A.10.2 Third party service delivery management A Service delivery A Monitoring and review of third party services A Managing changes to third party services A.10.3 System planning and acceptance A Capacity management A System acceptance A.10.4 Protection against malicious and mobile code A Controls against malicious code A Controls against mobile code A.10.5 Back-up A Information back-up A.10.6 Network security management A Network controls A Security of network services A.10.7 Media handling A Management of removable media A Disposal of media A Information handling procedures A Security of system documentation A.10.8 Exchange of information A Information exchange policies and procedures A Exchange agreements A Physical media in transit A Electronic messaging A Business information systems A.10.9 Electronic commerce services A Electronic commerce A On-line transactions A Publicly available information A Monitoring A Audit logging A Monitoring system use A Protection of log information A Administrator and operator logs A Fault logging A Clock synchronization A.11 Access Control A.11.1 Business requirement for access control A Access control policy A.11.2 User access management A User registration A Privilege management A User password management A Review of user access rights A 11.3 User responsibilities A Password use A Unattended user equipment A Clear desk and clear screen policy A.11.4 Network access control A Policy on use of network services A User authentication for external connections A Equipment identification in networks A Remote diagnostic and configuration port protection A Segregation in networks A Network connection control A Network routing control A 11.5 Operating system access control A Secure log-on procedures A User identification and authentication A Password management system A Use of system utilities A Session time-out A Limitation of connection time A.11.6 Application and information access control

11 A Information access restriction A Sensitive system isolation A.11.7 Mobile computing and teleworking A Mobile computing and communications A Teleworking A.12 Information systems acquisition, development and maintenance A.12.1 Security requirements of information systems A Security requirements analysis and specification A.12.2 Correct processing in applications A Input data validation A Control of internal processing A Message integrity A Output data validation A.12.3 Cryptographic controls A Policy on the use of cryptographic controls A Key management A.12.4 Security of system files A Control of operational software A Protection of system test data A Access control to program source code A.12.5 Security in development and support processes A Change control procedures A Technical review of applications after operating system changes A Restrictions on changes to software packages A Information leakage A Outsourced software development A.12.6 Technical Vulnerability Management A Control of technical vulnerabilities A.13 Information security incident management A.13.1 Reporting information security events and weaknesses A Reporting information security events A Reporting security weaknesses A.13.2 Management of information security incidents and improvements A Responsibilities and procedures A Learning from information security incidents A Collection of evidence A.14 Business continuity management A.14.1 Information security aspects of business continuity management A Including information security in the business continuity management process A Business continuity and risk assessment A Developing and implementing continuity plans including information security A Business continuity planning framework A Testing, maintaining and reassessing business continuity plans A.15 Compliance A.15.1 Compliance with legal requirements A Identification of applicable legislation A Intellectual property rights (IPR) A Protection of organizational records A Data protection and privacy of personal information A Prevention of misuse of information processing facilities A Regulation of cryptographic controls A.15.2 Compliance with security policies and standards, and technical compliance A Compliance with security policies and standards A Technical compliance checking A.15.3 Information systems audit considerations A Information systems audit controls A Protection of information systems audit tools Table 1 (ISO 27001:2005 Annex A) 11

12 ISO 27001, Annex B - OECD principles and ISO 27001:2005 Annex B contains a table briefly showing which parts of this standard satisfy 7 key principles laid out in the OECD Guidelines for the Security of Information Systems and Networks. The table maps out the OECD principle to a corresponding PDCA phase of the ISMS process as follows: Awareness OCED principle Participants should be aware of the need for security of information systems and networks and what they can do to enhance security. Responsibility All participants are responsible for the security of information systems and networks. Response Participants should act in a timely and co-operative manner to prevent, detect and respond to security incidents. ISMS process and PDCA phase This principle maps to sections and Part of the DO phase. This principle maps to sections and 5.1. Part of the DO phase. This principle maps to sections 4.2.3, Part of the Check phase. Also maps to sections and Part of the Plan and ACT phases Risk Assessment This principle maps to sections 4.2.1, and 6-7. Participants should conduct risk assessments. Security design and implementation Participants should incorporate security as an essential element of information systems and networks. Security management Participants should adopt a comprehensive approach to security management. Reassessment Participants should review and reassess the security of information systems and networks, and make appropriate modifications to security policies, practices, measures and procedures. Table 2 (ISO 27001, Annex B) Part of the Plan and Do phases This principle maps the entire comprehensive ISO document. Part of the Plan, Do, Check, and ACT phases This principle maps the entire comprehensive ISO document. Part of the Plan, Do, Check, and ACT phases This principle maps sections and Part of the Check, and ACT phases.

13 ISO 27001, Annex C - Correspondence between ISO 9001:200, ISO 14001:2004 and ISO 27001:2005 The standard shares the same basic structure of other management systems standards, meaning that an organization which implements any one should be familiar with concepts such as PDCA, records and audits. Table C.1 within the standard shows how ISO aligns with a number of other standards from ISO, including ISO 9001 (quality management) and ISO (environmental management). ISO mappings to other standards The ISO standard does indeed specify certain mandatory additional documents explicitly. However, in other areas it is more vague and, in practice, other documents are commonly demanded, including certain items which provide the auditors with evidence or proof that the ISMS is operating as intended. Figure-2 provides an idea of contributing ISO standards that assist in certification process detail. Figure 2 (Flow chart of contributing standards) 13

14 The ISO Certification Process An ISMS may be certified compliant with ISO/IEC by a number of Accredited Registrars worldwide. Certification aligned with any of the recognized national representative of ISO/IEC by an accredited certification body is functionally equivalent to certification aligned with ISO/IEC itself. The process starts when the target organization makes the decision to move forward with the certification process. At this point, it is also important to ensure management's commitment and then assign responsibilities for the project itself. An organizational top level policy can then be developed and published and will usually be supported by subordinate policies. Scoping is the next stage is particularly critical because it will define which part(s) of the organization will be covered by the ISMS. Typically, it will define the location, assets and technology to be included for the certification. A risk assessment will then be undertaken, to determine the organization's risk exposure/profile, and identify the best route to address this acceptance. A part of this process will be the selection of the appropriate controls with respect to those outlined in the ISO standard with reference to ISO The justification for each decision is then recorded in a Statement of Applicability (SOA). The controls themselves should then be implemented as appropriate. Figure 2 is a high level flow chart of the certification process that considers inputs, the process, and the deliverables necessary to achieve the end result. 14

15 Inputs Processes Deliverables Company Wide Consensus to implement ISO ISMS Framework Management Commitment and assign High Level Project Responsibilities Define Information Security Policy Security Policy Documents Define Scope of ISMS ISMS Scope Document Identify major threats, risks, impacts and vulnerabilities Perform Risk Assessment of the ISMS Scope Risk Assessment Document Company s risk management approach Identify how to manage Risks from the Assessment Risk Management Document Controls and Guideance from ISO 27001, Annex A and ISO Select Appropriate Objectives and Controls to be implemented Statement of Applicability (SoA) Document Implement Controls Prepare and Undergo ISO Certification Take corrective action NO Certified? Yes ISO Certificate Granted Figure 3 (ISO Certification Flow Chart) 15

16 Below are some additional steps when planning, implementing, and maintaining the ISO certification process. Each step requires detailed attention and understandable documentation of its completion for the added value of intention. Vulnerability assessment and penetration test of key applications and systems - This provides concrete evidence and results of the condition of the exiting ISMS. Secure Data Flow Diagram (SDFD) - This provides evidence that key client risks are being mitigated to an acceptable level by reasonable and an appropriate security design. A secure dtat flow diagram could be integral to risk assessment and scoping, the facilitates risk identification, and evidence of a secure design. Testing data flow would verify that confidentiality of information is achieved. Preliminary Project Plan - This provides high level preparation for compliance/certification, communicates a plan & progress towards critical requirements. Define ISMS Scope - This will logically and physically limit the scope of the ISMS to the maximum extent possible consistent with initiative's objectives. Also, it optimizes the likelihood of the project's success by avoiding scope creep. As an example, the ISMS scope can be implemented for a department, for one floor of an organization, or for the entire or section of an organization. A discussion with senior management will decide the areas where the ISMS practices would be implement. This has to be clearly defined in your Information Security Policy document, and a discussion with the team members will ensure the understanding of the processes involved when carrying out the implementation tasks Risk Assessment - This identifies major risks (& impacts) that the ISMS intended to mitigate. Risk Treatment Plan - This will establish acceptance criteria and define treatments for all key risks. Conduct Gap Assessment - This includes documentation review and surveys to determine where risk treatment gaps exist in the ISMS. 16

17 Prioritized Roadmap (Remediation Plan) - This will develop a workable plan based on a number of factors including risk, ease of mitigation to an acceptable level, client concerns, reusability/commonality, resource and skill set, availability, and other initiatives. Execute the Plan - This includes correction of design deficiencies, close compliance gaps, update/create necessary documentation, and implement new controls. Monitor the Environment - Integral to ISO is the ongoing monitoring of the ISMS. This includes the fine-tuning of control design/output to facilitate monitoring. Respond to Incidents - Integral to is confirmable incident response. This includes regulation of the incident response processes to facilitate ISMS improvements. Implement Continuous Improvement Principles - Integral to is demonstrable Continuous Improvement. This includes monitoring and incident response evolution of the control environment in a verifiable manner. While there are many significant advantages to implementing 27001, the certification advantage that is the most important is reducing risk and simplifying the ISMS. Below are the audit activities that must be conducted to ensure initial and continual compliance. Pre-Certification Audit - This is a informal pre-audit structured in accordance with certification audit. Certification Audit - This is an ISO certification audit conducted by certification body resulting in issuance/denial of the ISO certificate. Surveillance Audit (Year 2) - This is a mini-audit conducted by the certification body to validate ISMS effectiveness. ISMS scope extension can be possible at this point. Triennial Audit (Every 3rd year) - This is a re-certification audit conducted by certification body. 17

18 Conclusion Organizations can specify the scope of their ISO/IEC certification as generally or as specific as they wish. Understanding the scoping documents plus the Statement of Applicability (SoA) is therefore crucial if an organization intends to attach any meaning to their certificates. As an example. if the SoA emphasizes that antivirus controls are not necessary, the certification body will have checked that statement but will not have certified the antivirus controls. Certification is entirely optional but is increasingly being demanded from suppliers and business partners of organizations that are concerned about information security. Certification of ISO/IEC brings a number of benefits above and beyond simple compliance, in much the same way that an ISO 9000-series certificate says more than the actual quality management system. Independent assessment necessarily brings some strictness and formality to the implementation process (implying improvements to information security and all the benefits that brings through risk reduction), and invariably requires management approval. The certificate has marketing potential and should help assure most business partners of the organization s status with respect to information security without the necessity of conducting their own security reviews. 18

19 References How does ISO develop standards? (2012). Retrieved November 27, 2012 from Information technology -- Security techniques -- Information security management systems -- Requirements (2012). Retrieved November 26th, 2012 from Calder, A. (2006) Implementing Information Security Based on ISO 27001/ISO 17799: A Management Guide. Van Haren Publishing, Jun 30, ISO 27001: Information Security Management System (2012). APB Consultant. Retrieved November 29th, 2012 from ( ISO/IEC FDIS 27001:2005: Information technology - Security techniques - Information security management systems - Requirements. ISO 19011:2002: Guidelines for quality and/or environmental management systems auditing DSTI/ICCP/REG(2003)5/REV1: DIRECTORATE FOR SCIENCE, TECHNOLOGY AND INDUSTRYCOMMITTEE FOR INFORMATION, COMPUTER AND COMMUNICATIONS POLICY Humphreys, T., Plate, A. (2005) Guidelines on Requirements and Preparation for ISMS Certification based on ISO/IEC BSI British Standards Institution, Oct 4,