
June

A lightweight, flexible evaluation framework to measure the ISO information security controls

Karin Huijben
Master Computing Science
Radboud University, Nijmegen, The Netherlands
Software Improvement Group (SIG)

Summary

The security of organizational processes is often weak [2] and could be improved by using the ISO standard. In this master thesis project, an ISO compliant, lightweight evaluation framework was created that shows in a short time period how secure organizational processes are in comparison with other organizations. This evaluation can be used for organizations of diverse sizes and types, but it was specially developed for organizations that produce software and organizations that depend heavily on software. The reason to focus on these organizations is the increasing importance of software in both society and the economy, combined with the recent increase in cyber security incidents.

During the literature study, seven standards were compared with the ISO standard to determine which standard should become the basis of the evaluation framework. Besides the ISO standard itself, only three had the possibility to be ISO compliant. The ISO standard was the smallest of these, as it has the fewest pages, so the ISO standard was chosen. In addition to the basic requirements for the framework, it was checked whether there were other comparable evaluation frameworks. None of those evaluation frameworks met all the requirements this framework tries to meet.

The evaluation framework contains two parts:
- The questionnaire
- The rating system

The questionnaire was created in three phases:
- Trial questionnaire
- Full questionnaire
- Improved questionnaire

The trial questionnaire is a try-out version that covers only a part of the ISO standard. A validation was done inside SIG and the results were promising for further investigation, but the time needed to fill in the questionnaire was already long. In the second phase, the full questionnaire was designed to cover all ISO control aspects. At the end of the phase, validations inside SIG were carried out, both with the employees who have implemented the security controls and with the selected consultants. Both validations were positive, but there were some remarks to improve the questionnaire (e.g. adding an introduction to the questionnaire). In the third phase, the full questionnaire was improved using the feedback of the second phase. The results were promising enough that the questionnaire could become a SIG service in the future.

The rating system converts the answers of the questionnaire to the end results: a star rating from one to five stars and suggested actions to improve the security. Each question has five defined security levels. The star rating is based on a risk profile where each higher security level has to meet a specific compliance percentage of the total number of questions.

The evaluation framework can be improved with a lifecycle approach that depends on the results of previous answers. Additionally, it has the ability to be updated with new features and technologies when new standards are released.

Acknowledgements

I would like to express great appreciation to Haiyun Xu, Joost Visser and Erik Poll for their valuable suggestions and constructive criticism during the research process. Furthermore, I would like to thank the employees of SIG who helped me with the validation session. The quality of the evaluation framework has improved a lot with the help of your useful feedback. I would also like to thank the two external organizations for helping me with the validation of the evaluation framework.

Table of contents

Summary
Acknowledgements
1 Introduction
  Problem statement
  Research definition
  Context
  Relevance
  Previous work
  Overview
2 Background
  Standards
    ISO series
    NIST Special Publication 800
    The 2011 Standard of Good Practice for Information Security
    10 steps to cyber security
    COBIT
    BSIMM
    PAS 555
    SAS70 and its successors
  Comparison of standards
  Evaluation frameworks for ISO
    Approach of Karabacak
    Approach of Wright
    Approach of Bandopadhyay
    Approach of Praxiom
  Comparison of evaluation frameworks
3 Construction of the questionnaire
  Phase 1: the trial questionnaire
    Development
    Validation inside SIG
  Phase 2: the full questionnaire
    Development
    Validation inside SIG
    Validation with consultants
  Phase 3: the improved questionnaire
    Processing feedback of validations
    Validation with external organizations
4 Construction of the rating system
  The SIG star rating
    The SIG approach
    The risk approach
  The actions for improving the security
5 Discussion
  Evaluation framework improvement
    Continuous improvement
    Event-based improvement
  Potential risks in the evaluation framework
6 Conclusion
References
Appendix A: Differences of ISO 27002:2005 and ISO 27002:
Appendix B: Detailed transition table

1 Introduction

At the start of this chapter, a problem statement is given. This problem statement describes the global security problem and the problem to solve during this research process. Thereupon, the research is introduced, including the research questions. Furthermore, the context and the relevance of the master thesis are discussed. In addition, information about the earlier prototype is given, which forms the starting point for this research. At the end, an overview of the master thesis is presented.

1.1 Problem statement

Nowadays many organizations depend heavily on IT systems, according to the information security breaches survey 2008 that was carried out for the U.K. Government [1]. This dependence creates an opportunity for large negative effects on the business when a security attack occurs. Without an attack there is no problem, but it has been shown that a large number of organizations had many security breaches last year [2]. Some examples of security breaches are the GGZ Eindhoven case, where employees sent medical data to an IT company, and the famous Edward Snowden case. Security flaws often occur in the system implementation, but they also occur in how the organization handles sensitive information. Code reviews and special security tools like Fortify could help to find some of the implementation flaws. It should be noted that only the presence of security flaws can be proven, not their absence. Searching for security flaws in the handling of information is much harder than searching for implementation flaws. According to the survey carried out for the British Department for Business, Innovation & Skills, the security of organizational processes is sometimes weak or generally weak [2] (for more details see Table 1). This should be improved to a more secure situation.

Table 1: '10 steps to cyber security' survey results [2]

The ten steps                | Large organizations   | Small businesses
-----------------------------|-----------------------|----------------------
Information risk management  | Some good, some weak  | Some good, some weak
User education and awareness | Some good, some weak  | Generally weak
Home and mobile working      | Some good, some weak  | Generally weak
Incident management          | Some good, some weak  | Generally weak
Managing user privileges     | Some good, some weak  | Some good, some weak
Removable media controls     | Some good, some weak  | Generally weak
Monitoring                   | Some good, some weak  | Generally weak
Secure configuration         | Some good, some weak  | Some good, some weak
Malware protection           | Generally good        | Some good, some weak
Network security             | Generally weak        | Generally weak

A possible way to improve the security around the organizational processes is to use the ISO 27001:2013 standard and the associated ISO 27002:2013 standard. These two standards describe an Information Security Management System (ISMS) with which an organization can manage its processes seriously, and which helps to improve the security of the actions and environment around the organizational processes.

1.2 Research definition

Many organizations encounter problems implementing the ISO standard due to the large amount of information. This information does not tell exactly what an organization has to do, and it is made for organizations in general. This means that organizations have to determine which processes, actions and controls are applicable to them. After implementing the required ISMS and the associated security controls, many organizations try to obtain an ISO certificate. This certification process requires high effort from an organization. Organizations could ask themselves: how can they know whether they have implemented the ISO controls well enough, in a short time and with low costs?

Currently, the Software Improvement Group (SIG) uses a simple checklist as an assistant tool during the Security Risk Assessment (SecRA) for organisational process security. In a SecRA, a system is investigated to find possible vulnerabilities and security risks [42]. The investigation is carried out from several perspectives, such as the architecture and the source code perspective. To obtain a more comprehensive and focused check on organisational process security, a new evaluation framework is formulated. This master thesis framework is based on the total of 114 controls defined in the ISO 27002:2013 standard, and it will be used for the Information Security Process Assessments (ISPA) of SIG. The master thesis framework targets mainly software development companies and companies that rely heavily on software systems.

The new evaluation framework contains two parts, which are shown in Figure 1. In this master thesis, the questionnaire and the rating system are created.

Figure 1: Evaluation framework. Questionnaire session (input: information of the organization; output: answers of the questionnaire) -> Rating system (input: answers of the questionnaire; output: SIG star rating, actions, ...).

The following requirements are defined for the new framework:
- Lightweight: The evaluation framework has to be understandable for anyone and it has to be easily checkable in a short time.
- Flexible: The evaluation framework can be adjusted to different situations, for example quick, detailed or special-focus scanning in both small and large organizations.
- Measurable: The evaluation framework contains the ISO controls with some checkpoints that can measure each ISO control in an objective way.
- ISO compliant: The evaluation framework is based on ISO 27002, so it can be used to check the large number of implemented security aspects in the company.
- Market conformity: The result of the evaluation framework shows whether the organization has a better or worse security control implementation compared with other organizations.

In this research, the special focus is on getting a basic evaluation framework to measure the ISO controls. The research question is formulated based on this measuring focus:

How can the security of the organizational processes be measured in a flexible and lightweight way?

For this main research question, several sub-questions are brought forward:
- How can each ISO 27002:2013 control specifically be measured?
- Which ISO 27002:2013 controls have priority?
- How can the ISO 27002:2013 controls be grouped?
- Which security risks are not taken into consideration in the evaluation framework?
- How can the number of checkpoints be reduced to an acceptable amount?

1.3 Context

The Software Improvement Group (SIG) provides objective advice about IT systems for clients based on its static analysis tool. This static analysis tool performs an analysis of several code metrics such as code complexity. SIG divides possible services into 4 groups, which are shown in Figure 2. The current service that uses the static analysis tool is based on the ISO standard [45]. This ISO standard describes system and software quality models. As can be seen in the figure, this service is part of modeling & measurement in the development of a product. One aspect mentioned in the ISO standard is security. Currently SIG provides Security Risk Assessment (SecRA) services, and SIG aims to extend its services with what it calls an Information Security Process Assessment (ISPA). This ISPA consists of an analysis of the security in organizational processes based on ISO

Figure 2: Synthesis of cyber security assessment and risk mitigation approaches (made by SIG [42]). The figure arranges existing approaches along the software life cycle (development, modeling & measurement, testing & monitoring, operations) and distinguishes the software product from the processes governing its life cycle; the approaches shown include MS-SDL, OpenSAMM, BSIMM, NEN 7510, SAS 70, Common Criteria, OWASP ASVS, CVSS, CWE/SANS Top-25, intrusion detection, penetration testing and ethical hacking.

1.4 Relevance

This research aims to provide a framework to evaluate organizational processes based on ISO 27002:2013. This framework will be part of an Information Security Process Assessment, which is an extra service to SIG's clients. The results of the framework will indicate to organizations how market conform they are in handling their organizational processes securely.

1.5 Previous work

During a previous research project, a prototype of an evaluation framework was created [6]. This small research project had the same goals as this research, namely: flexible, lightweight, measurable, market conformant and ISO compliant. The previous version was based on ISO 27002:2005 [13]. Those (old) standards had 11 chapters, and the previous research itself covered only chapter 10 about communications and operations security. Chapter 10 contains 32 ISO controls, while the full standard has 133 ISO controls. Each aspect of the requirements was taken apart and it was checked what is needed to achieve the requirement.

The idea to make the approach lightweight was to create checkpoints that could easily be marked as implemented or done. In addition, the checkpoints had to be written down unambiguously. To meet this requirement, the SMART technique (Specific, Measurable, Attainable, Relevant and Time-bound) was used. There were several ideas to make the approach flexible. One was using exceptions when the possible actions differ with the size of the organization. In addition, a baseline was created for the previous version of the evaluation framework based on several papers [4][5][7]. Finally, there were 25 baselines out of 133 ISO controls. Besides the baselines, the approach was made more flexible by applying the 27 groups for the ISO controls based on the master thesis of Altena [4].

The third goal was to be measurable. For an ISO control to be measurable, it has to be unambiguous, complete and objective. Completeness is guaranteed, because the checkpoints are fully based on the ISO implementation guidelines. Unambiguousness and objectiveness were implemented by the above-mentioned SMART technique. However, this technique explodes the number of checkpoints in the prototype. Another option is to write the checkpoints more generally, but then it is less explicit about what has to be measured.

Besides the prototype itself, a rating system was created. On the question level (ISO subchapter) of the prototype, the maturity model concept is applied. This means that the rating is based on the completeness of all checkpoints of a specific level. In addition to that, each low level (ISO subchapter) has its own weight between 1.0 and 2.0 based on the number of baselines it holds. For the full prototype, an average is calculated based on the rating of the low levels (ISO subchapters) and their weight.

The result of this previous research was a prototype. At the beginning there were 492 checkpoints after applying all the requirements of SIG on the 32 ISO controls. After rethinking the number of checkpoints, a possibility for reduction was found. One option was combining some checkpoints and skipping some checkpoints that overlap with other checkpoints in other ISO chapters. Finally, the prototype was reduced to 212 checkpoints. After finishing the prototype, a pilot test was performed at SIG. This pilot test showed that the trial version still has some problems. Some checkpoints could be answered in different ways, because the answer could differ depending on how critical a system is. For example, a critical system will be reviewed more often than a non-critical system.
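The prototype's rating scheme described in this section (a maturity level per ISO subchapter that is reached only when all checkpoints of that level are done, a weight between 1.0 and 2.0 derived from the subchapter's number of baselines, and a weighted average over the subchapters) as an added Python example; this is not code from the thesis or from SIG. The five-level layout, the linear weight formula, the `next_actions` helper and the sample checkpoints are assumptions made here.

```python
"""Illustrative reimplementation of the prototype's weighted maturity rating.

Added example, not the thesis's or SIG's own code. Assumptions: five maturity
levels per subchapter, a weight that grows linearly with the baseline count,
and the constructed sample data at the bottom of the file.
"""
from __future__ import annotations

from dataclasses import dataclass

MAX_LEVEL = 5  # assumption: five maturity levels per subchapter


@dataclass
class Checkpoint:
    text: str
    done: bool


@dataclass
class Subchapter:
    name: str
    # maturity level -> checkpoints that must all be done to reach that level
    levels: dict[int, list[Checkpoint]]
    baselines: int  # number of baseline controls this subchapter holds


def maturity_level(sub: Subchapter) -> int:
    """Highest level whose checkpoints, and those of every lower level, are done."""
    reached = 0
    for level in range(1, MAX_LEVEL + 1):
        checkpoints = sub.levels.get(level, [])
        # A level with no checkpoints defined cannot be reached, and a single
        # open checkpoint blocks that level and everything above it.
        if checkpoints and all(cp.done for cp in checkpoints):
            reached = level
        else:
            break
    return reached


def weight(sub: Subchapter, max_baselines: int) -> float:
    """Weight in [1.0, 2.0]; linear in the baseline count (assumed formula)."""
    if max_baselines <= 0:
        return 1.0
    return 1.0 + sub.baselines / max_baselines


def overall_rating(subs: list[Subchapter]) -> float:
    """Baseline-weighted average of the subchapter maturity levels."""
    max_b = max(s.baselines for s in subs)
    weights = [weight(s, max_b) for s in subs]
    weighted_sum = sum(maturity_level(s) * w for s, w in zip(subs, weights))
    return weighted_sum / sum(weights)


def next_actions(sub: Subchapter) -> list[str]:
    """Open checkpoints of the first unreached level: what would lift the rating."""
    target = maturity_level(sub) + 1
    return [cp.text for cp in sub.levels.get(target, []) if not cp.done]


# Constructed sample data (not taken from the thesis); names are placeholders.
SAMPLE = [
    Subchapter(
        name="Subchapter A (constructed)",
        levels={
            1: [Checkpoint("Malware scanner installed on all workstations", True),
                Checkpoint("Scanner signatures updated daily", True)],
            2: [Checkpoint("Scan results reviewed weekly", True)],
            3: [Checkpoint("Scan coverage reported to management quarterly", False)],
        },
        baselines=3,
    ),
    Subchapter(
        name="Subchapter B (constructed)",
        levels={
            1: [Checkpoint("Backup schedule documented", True)],
            2: [Checkpoint("Backups stored off-site", True),
                Checkpoint("Backup media encrypted", True)],
            3: [Checkpoint("Restore tested in the last year", True)],
            4: [Checkpoint("Restore time measured against objectives", False)],
        },
        baselines=1,
    ),
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(f"{s.name}: level {maturity_level(s)}, next actions: {next_actions(s)}")
    print(f"overall rating: {overall_rating(SAMPLE):.2f}")
```

With the sample data, subchapter A reaches level 2 and B level 3; A carries twice B's influence on the 2.4 overall rating because it holds more baselines.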
The pilot test detected another issue as well: there are some exceptions that are not mentioned in ISO. An example is that an organization can reduce the risk of viruses by using a virus scanner. However, an iOS system might have a lower risk than Windows, and therefore an organization might accept this risk.

1.6 Overview

Chapter 2 gives the background of the research, including the standards ISO series, NIST Special Publication 800, the 2011 Standard of Good Practice for Information Security, 10 steps to cyber security, the COBIT 5 framework, BSIMM, PAS 555, and SAS70 and its successors. Chapter 2 also introduces several research papers on similar research topics. In both cases (the standards and the similar research) some comparisons are made. Next, Chapter 3 describes what is involved in the construction of the questionnaire and the validation of the questions. Then Chapter 4 describes the construction of the rating system, which translates the answers of the questionnaire to a star rating and actions for improvement. Chapter 5 discusses several aspects connected to the evaluation framework, namely how to keep the evaluation framework up to date and the potential risks of the evaluation framework. At the end of this master thesis there is a conclusion with answers to the research questions and possible further work.

2 Background

Each institute has its own names for a document that describes norms, requirements and so on. Some examples are standard, model and framework. In this master thesis the term standard is used for all documents with norms and requirements. Section 2.1 describes eight standards on information security. After this description, a comparison of the eight standards is done in Section 2.2 in order to decide which standard could be used as a basis for the new evaluation framework. The third section of this chapter describes several evaluation frameworks for ISO 27001/ISO. The fourth section contains the comparison between the evaluation frameworks. The difference between the standards and the evaluation frameworks is that the standards are the security guidelines and the evaluation frameworks measure those security guidelines. The two comparison sections (Section 2.2 and 2.4) are especially important parts of this chapter.

2.1 Standards

There already exist many standards for securing the organizational processes and measuring their effectiveness. One example is the ISO standard (ISO 27002:2013), with which the new evaluation framework has to be compliant. Further examples are the Building Security In Maturity Model (BSIMM) and Control Objectives for Information and related Technology (COBIT). In general, the choice of standards is based on how accepted they are in the information security community, together with some other factors specific to the standards that are explained below. The following standards are discussed in the upcoming sections:

- ISO series: The reason to choose the ISO standard series is that these standards are generally accepted for information security management, which makes them a good starting point for the new evaluation framework.
- NIST Special Publication 800: This set of standards is chosen because it is based on several international standards and best practices, including ISO. This means that the NIST Special Publication contains a detailed and (almost) complete list of the security controls that are important.
- The 2011 Standard of Good Practice for Information Security: This best practices document refers to the ISO standard, which is why it is chosen.
- 10 steps to cyber security: The reason to check this guide is that it is a well-defined and concise guide, which is generally known. This guide does not only contain the options for managing the risks, but also explains what the risks are. The explanation of the possible risks for the key areas creates awareness among the personnel that has to implement possible security controls.

- COBIT 5 framework: This framework is chosen because it is globally accepted and it also specifies the aspects for information security.
- BSIMM: The reason to check this model is that it is specially made for organizations that produce software, which are a specific target of the new evaluation framework.
- PAS 555: This standard is chosen because it focuses on the outcomes of the security control implementation. This focus results in a technology-independent standard.
- SAS70 and its successors (SSAE16 and ISAE3402): The reason to check this standard is that it is a standard for which an organization can obtain a certificate. This certificate also covers information security.

In the next sections, the above-mentioned standards are briefly introduced. A comparison of those standards is done in Section 2.2. This comparison verifies which standard is the best option to use as the basis for the new evaluation framework. The result of the comparison was that the ISO standard was the best option for the new evaluation framework. Other standards were also very interesting, but some could not guarantee ISO compliance. The other standards that could guarantee ISO compliance were so detailed that they contained a large number of security controls unnecessary for organizational process security.

ISO series

The most important standard series for the master thesis research, the ISO series, is formally named ISO/IEC 27000 [9]. This series consists of several standards for information security, which are developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The information security of these standards is based on an Information Security Management System (ISMS) that needs to be implemented in an organization. The type of organization is not limited to a specific field, because the standard can be applied to all types of organizations, such as software development organizations and clothes factories.
There are six major standards of the ISO series that are widely used, and together they form the basis of the series.
1. ISO [10][12]: This standard describes the specification for an ISMS.
2. ISO [11][13]: This standard describes a reference for selecting controls for an ISMS implementation.
3. ISO [14]: This standard describes guidance for the implementation of an ISMS.
4. ISO [15]: This standard describes guidance on the development and use of measures and measurement for validating the effectiveness of the security controls.
5. ISO [16]: This standard describes information security risk management.
6. ISO [17]: This standard describes guidance for the accreditation of organizations offering ISMS certification.

During this research, the focus is on the ISO 27002:2013 standard, as can be seen in the research questions. The standards ISO 27001:2013 and ISO 27004:2009 are also discussed, and the remaining standards are not applied in this master thesis.

ISO 27001:2013

This ISO standard describes the specification for an ISMS. The most important aspect mentioned is that there is a defined lifecycle in an ISMS. In a previous version of ISO (the 2005 version) a specific lifecycle type was mentioned, namely the Plan-Do-Check-Act (PDCA) cycle. A PDCA model structures how the organizational processes could be improved.

Figure 3: Plan-Do-Check-Act model (Plan -> Do -> Check -> Act, repeated as a cycle)

This PDCA model contains four phases:
- Plan: In this phase the organization has to establish the objectives and processes that are required to achieve the desired result.
- Do: In this phase the organization has to implement the plan of the previous phase.
- Check: In this phase the organization has to validate whether the implemented plans of the previous phases have the expected result.
- Act: In this phase the organization has to take actions if the expected and actual results are not the same.

The connection of this PDCA model to the master thesis research is that the focus is on the Check phase and partially on the Act phase. The new evaluation framework verifies how far the security controls of ISO are implemented. The result is a rating that shows how market conform an organization has implemented its security controls. The Act phase is involved in reporting the found results and which actions have to be taken in order to improve the current security implementation.

ISO 27002:2013

The ISO standard describes security controls to give organizations best practice recommendations for an ISMS. First, a global overview of the ISO 27002:2013 standard is provided. The standard consists of three ISO layers:
- ISO layer 1: ISO chapter. There are 14 ISO chapters, which are listed in Table 2. Each ISO chapter consists of one or multiple ISO subchapters (ISO layer 2).
- ISO layer 2: ISO subchapter. There are 35 ISO subchapters. An example can be found in Table 3. Each ISO subchapter consists of one or multiple ISO controls (ISO layer 3).
- ISO layer 3: ISO control. There are 114 ISO controls. An ISO control is described by an ISO control name (including id) and a full description. An example can be found in Table 3.

Table 2: Overview of ISO 27002:2013 chapters [11]

5. Information security policies
6. Organization of information security
7. Human resource security
8. Asset management
9. Access control
10. Cryptography
11. Physical and environmental security
12. Operations security
13. Communications security
14. System acquisition, development and maintenance
15. Supplier relationships
16. Information security incident management
17. Information security aspects of business continuity management
18. Compliance

Table 3: Example - ISO control of ISO 27002:2013 [11]

ISO chapter:              5. Information security policies
ISO subchapter:           5.1 Management direction for information security
ISO control:              Policies for information security
ISO control description:  A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.

ISO/IEC 27004:2009

Besides the ISO and ISO standards, the ISO 27004:2009 standard is possibly also important for the master thesis research. This ISO standard describes guidance on the development and use of measures and measurement for the assessment. These measurements could be used to verify the effectiveness of an implemented ISMS and the ISO controls. This measurement input and output occur in all 4 steps of the PDCA lifecycle, which is mentioned in ISO. More specifically, the standard describes a method for creating the measurements for each control that is implemented in the organization. In addition, it describes how an organization could measure security and report the results to the management. In total, the organization follows a four-phase procedure for this standard.
1. Development of measurements: The organization develops measurements for each implemented ISO control or set of ISO controls.
2. Do the measurements in the organization: The organization measures the implementation of ISO controls in the organization with the developed measurements of phase 1.
3. Do the data analysis and report the result: The organization has gathered some data about the effectiveness in phase 2, which has to be analyzed. The analysis shows whether the implemented control is effective or not. The result of the data analysis is reported in a document.
4. Information security measurement program evaluation and improvement: The organization evaluates the results of the measurements. If the results are positive then no action is needed. Otherwise the organization verifies why the ISO control has not achieved the desired result and takes actions to improve the results in the future.
The development of the master thesis framework in this research could be regarded as a high-level version of the first phase in the above-mentioned procedure. The framework measures which ISO controls are implemented and to which degree they are implemented. Phase 2 of ISO is meant to measure the effectiveness of the implemented ISO controls.

Differences between the 2005 and 2013 versions of ISO and ISO

Now that it is clear how the ISO standards are structured and what is in them, it is time to go deeper into the details. In October 2013, both ISO and ISO were updated. The new ISO versions made large changes to the standards, but what are the actual differences? This section describes the main differences between the 2005 version and the 2013 version.

The ISO 27001:2013 differs from ISO 27001:2005 on one major point. Most of the general information for the ISO series, like the terms and definitions, used to be defined in each ISO standard itself. In the 2013 version, this common information is moved to the ISO standard itself. There is also a change in the security controls in Annex A of ISO. These security controls are described in more detail in ISO 27002, so the changes to ISO are described to show the differences in the ISO controls.

There are many differences that can be noticed if somebody compares the different versions. Many of the small differences are caused by one large change: the new ISO version is technically and structurally revised in comparison with the old 2005 version. This resulted in the following differences:
- The ISO 27002:2013 has 114 controls instead of the 133 ISO controls of the previous version. This new number of ISO controls is caused by the following actions:
  o 22 ISO controls are added to the new standard
  o 38 ISO controls are deleted from the old standard
  o Three times, two ISO controls are combined into one control, so six old ISO controls are combined into three ISO controls.
- The ISO controls are structured in 14 chapters instead of the 11 chapters in the 2005 version.
- Controls are sometimes renamed to a more obvious title.
- The ISO 27002:2013 has more third-party services controls than the 2005 version, because many organizations start using third-party services instead of implementing everything by themselves.
- The 2013 implementation guide is changed in comparison with the old version. In some cases it has more detailed information; in other cases, the information is more limited than in the older version.

The comparison between the old and new versions of ISO 27k has also been done by other organizations [18][19]. The differences found between the old and new versions of ISO 27k are not exactly the same in the three comparisons. The reason for these differences is the interpretation of the reader. One person could interpret a large change in an ISO control as an alteration, but another could see it as removing an old ISO control and creating a new ISO control.

NIST Special Publication 800

Next to the ISO standard, there are standards created by the National Institute of Standards and Technology (NIST). NIST is a science institution and part of the United States federal government. NIST is primarily involved in creating standards and guidelines. These standards and guidelines are commonly used, especially in the United States.

An example of the NIST standards series is the Special Publication 800 series, which is specially designed for security-related topics. Some of the security-related topics are about risk management processes in organizations.

Figure 4: Three-tiered risk management approach (Tier 1: Organization; Tier 2: Mission / Business processes; Tier 3: Information systems)

The first tier is an overall level, which means that all actions and decisions in the first tier influence the possible actions and approaches in the other tiers. This tier has a view from an organizational perspective and provides context for all risk management activities. After the first tier of the risk management approach, there is the second tier, which checks the risk management processes from a mission and/or business perspective. This tier watches what mission and business processes are required, prioritizes the mission and business processes, and so on. The second tier influences the third tier. The lowest level is the third tier, which checks from the information system perspective. In this level there is a Risk Management Framework (RMF), which has 6 steps:
- Step 1: Categorize Information Systems. More information about this can be found in FIPS 199 [22] and SP [23][24].
- Step 2: Select Security Controls. More information about this can be found in FIPS 200 [25] and SP [26].
- Step 3: Implement Security Controls. More information about this can be found in SP [27].
- Step 4: Assess Security Controls. More information about this can be found in SP A [28].
- Step 5: Authorize Information Systems. More information about this can be found in SP [29].
- Step 6: Monitor Security Controls. More information about this can be found in SP [30].

The third tier is especially important for the master thesis research, because this tier contains the RMF that describes a lifecycle to create an effective information security program. In NIST Special Publication revision 4 [26] a global overview of the security control catalogue of all NIST security controls is given. The catalogue consists of two layers:

NIST layer 1: Family. The catalogue contains 18 families, which can be found in Table 4.
NIST layer 2: Security control. The catalogue contains 240 security controls. Each security control has some basic information: the family, the name, the control (the basic control) and supplemental guidance. An example of a security control is given in Table 5. In addition to the basic information, the following information is given:
  o Control Enhancements: each security control can have several additional requirements. First an organization has to implement the basic control and then, if more security is required, an organization can add some implementations of control enhancements.
  o References: the references describe where more information could be found.
  o Priority: a priority has four possible options: P0: Undefined; P1: First to implement; P2: Next to implement; P3: Last to implement.
  o Baseline selection: whether a specific security control is part of a baseline depends on how high the risk of the information system is.

Table 4 Overview NIST families [26]

ID   Family
AC   Access Control
AT   Awareness and Training
AU   Audit and Accountability
CA   Security Assessment and Authorization
CM   Configuration Management
CP   Contingency Planning
IA   Identification and Authentication
IR   Incident Response
MA   Maintenance
MP   Media Protection
PE   Physical and Environmental Protection
PL   Planning
PS   Personnel Security
RA   Risk Assessment
SA   System and Services Acquisition
SC   System and Communications Protection
SI   System and Information Integrity
PM   Program Management

Table 5 Example - NIST security control AC-21 [26]

Family: Access Control
Security control name: AC-21 Information sharing
Control: The organization:
  a. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and
  b. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions.
Supplemental Guidance: This control applies to information that may be restricted in some manner (e.g., privileged medical information, contract-sensitive information, proprietary information, personally identifiable information, classified information related to special access programs or compartments) based on some formal or administrative determination. Depending on the particular information-sharing circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program/compartment. Related control: AC-3.
Control Enhancements:
  (1) Information sharing | Automated decision support: The information system enforces information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.
  (2) Information sharing | Information search and retrieval: The information system implements information search and retrieval services that enforce [Assignment: organization-defined information sharing restrictions].
References: None
Priority: P2
Baseline Allocation: LOW: not selected; MOD: AC-21; HIGH: AC

2.1.3 The 2011 Standard of Good Practice for Information Security

The 2011 Standard of Good Practice for Information Security is created by Chaplin and Creasey and published by the Information Security Forum (ISF) [32]. The standard provides insights, best practice standards and tools, which address each aspect of the model to aid organizations in enhancing their information security environment. At this moment the 2013 version has already been published, but this 2013 version was not available during this research. The older 2011 version is used in this thesis. The standard is part of a much larger whole, namely the Information Risk Management Business Cycle of ISF, which consists of 4 phases:

Define: in the define phase an organization can use The Standard of Good Practice for Information Systems.
Implement: in the implementation phase an organization can use the ISF Information Risk Analysis Methodology (IRAM).
Evaluate: in the evaluation phase an organization can use the ISF benchmark.
Enhance: in this phase an organization can use the results of the evaluation phase to know the weaknesses in security and can use the standard of good practices to select new security controls.

During the first and the last phase of the cycle, an organization could use the standard of good practices. The standard consists of many possible security controls in several groups. These controls are based on the ISO standard, the ISO standard and COBIT 4. A short overview of the control framework, which contains three layers, is given.

ISF layer 1: Area. This standard contains 20 areas and the list of areas can be found in Table 6.
ISF layer 2: Topics. Each area has two or more topics. The topics are described as an ID, name, principle and objective. An example can be found in Table 7.
ISF layer 3: Control. Each topic has multiple controls. The control is described as an ID and a description. An example can be found in Table 7.
Table 6 Overview ISF areas [32]

ID     Area
CF1    Security Policy and Organization
CF2    Human Resource Security
CF3    Asset Management
CF4    Business Applications
CF5    Customer Access
CF6    Access Management
CF7    System Management
CF8    Technical Security Infrastructure
CF9    Network Management
CF10   Threat and Vulnerability Management
CF11   Incident Management
CF12   Local Environments
CF13   Desktop Applications
CF14   Mobile Computing
CF15   Electronic Communications
CF16   External Supplier Management
CF17   System Development Management
CF18   Systems Development Lifecycle
CF19   Physical and Environmental Security
CF20   Business Continuity

Table 7 Example ISF control [32]

Area: CF1 Security Policy and Organization
Topic: CF1.1 Information Security Policy
Principle: A comprehensive, documented information security policy should be produced and communicated to all individuals with access to the organization's information and systems.
Objective: To document the governing body's direction on and commitment to information security, and communicate it to all relevant individuals.
Control: CF
Control description: There should be a documented information security policy, ratified at board level, that applies across the organization. There should be an individual (or a group of individuals) responsible for maintaining the policy.

10 steps to cyber security

Furthermore, a 10 steps to cyber security guide is created by Government Communications Headquarters (GCHQ), the Department for Business Innovation & Skills (BIS) and the Centre for the Protection of National Infrastructure (CPNI) [33]. According to the creators of the guide it is possible to stop 80% of the cyber attacks with basic information risk management. For the last 20%, an organization has to implement more advanced steps in ten key areas (see Table 8). The 10 steps to cyber security document describes the ten key areas in a summary, the possible risks in the area and how the risk can be managed.

Table 8 Overview - Key areas [33]

Key area
Home & Mobile Working
User Education & Awareness
Incident Management
Information Risk Management Regime
Managing User Privileges
Removable Media Controls
Monitoring
Secure Configuration
Malware Protection
Network Security

An example of a risk in the area Home & Mobile Working that is easily overlooked is the loss of credentials. In the area there are also six controls to prevent the possible risks, including education of users and maintaining their awareness.

COBIT 5

The Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) created the Control Objectives for Information and related Technology (COBIT). COBIT is a framework for governance and management of enterprise IT. The framework is based on globally accepted principles, practices, analytical tools and models to help increase the trust in information systems. The current version is COBIT 5 [35] and contains several parts including COBIT 5 for information security [36] (see Figure 5).

Figure 5 Overview COBIT 5 framework [35]

For this research, the COBIT 5 for information security document is useful, because it provides more detailed and practical guidance for information security. The first part of the document describes the COBIT 5 framework and the enablers for using COBIT 5 for information security. Furthermore, a mapping is given of COBIT 5 for information security to other information security standards (including ISO 27002). The detailed guidance is given in seven parts:

The principles, policies and frameworks enabler
The processes enabler
The organizational structures enabler
The culture, ethics and behavior enabler
The information enabler
The services, infrastructure and applications enabler
The people, skills and competencies enabler

Aligning COBIT 4.1, ITIL V3 and ISO/IEC for Business Benefit

Next to using only the COBIT framework, it is possible to use the combination of the COBIT framework with other standards including ITIL and ISO/IEC. The IT Governance Institute describes the combination of these three standards in the book Aligning COBIT 4.1, ITIL V3 and ISO/IEC for Business Benefit [40]. This book explains why best practices are so important to use in an organization. Additionally, the IT Governance Institute gives an overview of what to expect of each of the three standards (COBIT, ITIL and ISO 27002). In the book they state that:

COBIT and ISO/IEC helping to define what should be done and ITIL providing the how for service management aspects

Furthermore, the book mentions the best ways to implement the best practices: tailoring, prioritizing, planning, avoiding pitfalls and aligning the best practices of the three standards. In the appendix of the book, the mapping between COBIT, ITIL and ISO can be found.

BSIMM

Another standard that is generally known is the Build Security In Maturity Model (BSIMM) [7]. BSIMM focuses on organizational security, but is more on the software development side than ISO (see Figure 2). In addition, BSIMM differs from other models in that BSIMM describes what organizations actually do. This means that BSIMM is a descriptive model. Other models define what an organization has to do to get its organizational processes secure, so those models are prescriptive. The current version is BSIMM-V and it was released in October. A global view of the BSIMM model is given to understand how the model is built up from activities. This model has four BSIMM layers:

BSIMM layer 1: BSIMM domain. The model describes four domains, which can be found in the top row of Table 9. Each domain contains three BSIMM practices (BSIMM layer 2).
BSIMM layer 2: BSIMM practices. The model describes twelve practices, which can be found in Table 9. Each practice divides its BSIMM activities (BSIMM layer 4) into three BSIMM maturity levels (BSIMM layer 3).
BSIMM layer 3: BSIMM maturity levels. The model describes three different maturity levels, namely 1, 2 and 3. An example can be found in Table 10.
BSIMM layer 4: BSIMM activities. The model describes 112 activities, all described as an ID with a name and a full description. An example can be found in Table 10.

Table 9 Software Security Framework (SSF) of BSIMM [7]

Governance              Intelligence                   SSDL Touchpoints        Deployment
Strategy and Metrics    Attack Models                  Architecture Analysis   Penetration Testing
Compliance and Policy   Security Features and Design   Code review             Software Environment
Training                Standards and Requirements     Security Testing        Configuration Management and Vulnerability Management

Table 10 Example - BSIMM activity SM1.1 of BSIMM-V [7]

BSIMM domain: Governance
BSIMM practice: Strategy and Metrics (SM)
BSIMM maturity level: Level 1: Attain a common understanding of direction and strategy
BSIMM maturity level full description: Managers must ensure that everyone associated with creating, deploying, operating, and maintaining software understands the written organizational software security objectives. Leaders must also ensure that the organization as a whole understands the strategy for achieving these objectives. A common strategic understanding is essential for effective and efficient program execution.
BSIMM activity: SM1.1 Publish process (roles, responsibilities, plan), evolve as necessary
BSIMM activity full description: The process for addressing software security is broadcast to all participants so that everyone knows the plan. Goals, roles, responsibilities and activities are explicitly defined. Most organizations pick and choose from a published methodology such as the Microsoft SDL or the Cigital Touchpoints and then tailor the methodology to their needs. An SSDL process evolves as the organization matures and as the security landscape changes. In many cases, the methodology is published only internally and is controlled by the SSG. The SSDL does not need to be publicly promoted outside of the firm to count.

For each BSIMM activity it is measured how many times it occurs in the organizations from a data set. The data set comprises 161 distinct measurements collected from 67 different firms. The most common activity is marked for each of the twelve practices. The results of a company for each domain are represented in a spider diagram, an example of which is displayed in Figure 6.

Figure 6 Example results of BSIMM activities for company A and B (spider diagram with one axis per practice: Strategy & Metrics, Compliance & Policy, Training, Attack Models, Sec. Features & Design, Standards & Req'ts, Arch. Analysis, Code review, Sec. Testing, Pen. Testing, Software Env., Config. Mgmt. & Vuln. Mgmt.)

PAS 555:2013

Besides ISO and NIST, the British Standards Institution (BSI) developed the standard PAS 555:2013 [31]. Many standards and guidelines define good practices as to how cyber security could be achieved, but the focus of PAS 555 is different. PAS 555 takes into account that there are rapid changes in technology, so it sees that there are many ways to achieve the goals. That is why PAS 555 describes a fundamental set of outcomes that the controls, systems and processes aim to achieve. It describes fourteen main outcomes and in total fifteen sub-outcomes.
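Returning to the BSIMM measurement described in the BSIMM section above: the following is an added Python example, not code from the thesis, from BSIMM or from SIG, that shows what that measurement computes. From a constructed set of firm observations it counts how often each activity occurs across firms, marks the most common activity per practice, and derives a per-practice score for two firms of the kind a spider diagram such as Figure 6 plots. The only activity ID taken from the text is SM1.1; the firms, the other activity IDs (which merely follow the BSIMM naming pattern) and the practice abbreviations CR and PT are constructed for the example, and the per-practice score (the highest maturity level at which a firm has at least one observed activity, a "high-water mark") is an assumed scoring rule that the thesis does not state.

```python
import re
from collections import Counter

# Abbreviation -> practice name. "SM" (Strategy and Metrics) is the practice used in
# Table 10; "CR" and "PT" are assumed abbreviations added for this example.
PRACTICE_NAMES = {
    "SM": "Strategy and Metrics",
    "CR": "Code review",
    "PT": "Penetration Testing",
}

# BSIMM-style activity ID: practice abbreviation, maturity level 1-3, index (e.g. SM1.1).
ACTIVITY_RE = re.compile(r"^([A-Z]+)([123])\.(\d+)$")


def parse_activity(activity_id):
    """Split an activity ID into (practice abbreviation, maturity level as int)."""
    m = ACTIVITY_RE.match(activity_id)
    if not m:
        raise ValueError(f"not a BSIMM-style activity id: {activity_id!r}")
    abbrev, level, _index = m.groups()
    if abbrev not in PRACTICE_NAMES:
        raise ValueError(f"unknown practice abbreviation in {activity_id!r}")
    return abbrev, int(level)


# Constructed data set: the activities observed at each fictional firm. SM1.1 is the
# activity from Table 10; every other ID is made up for this example.
OBSERVATIONS = {
    "Firm 1": {"SM1.1", "SM1.2", "CR1.1", "PT1.1"},
    "Firm 2": {"SM1.1", "SM2.1", "CR1.1", "CR2.1", "PT1.1", "PT1.2"},
    "Firm 3": {"SM1.1", "CR1.2", "PT1.1"},
    "Firm 4": {"SM1.2", "SM3.1", "CR1.1", "PT2.1"},
    "Firm 5": {"SM1.1", "CR1.1", "CR1.2", "PT1.1"},
}


def activity_counts(observations):
    """Number of firms in the data set at which each activity was observed."""
    counts = Counter()
    for activities in observations.values():
        counts.update(activities)
    return counts


def most_common_per_practice(observations):
    """The most frequently observed activity in each practice (ties broken by lowest ID)."""
    counts = activity_counts(observations)
    best = {}
    for activity, n in sorted(counts.items()):
        abbrev, _level = parse_activity(activity)
        if abbrev not in best or n > counts[best[abbrev]]:
            best[abbrev] = activity
    return {PRACTICE_NAMES[a]: act for a, act in best.items()}


def high_water_marks(firm_activities):
    """Assumed per-practice score for one firm: the highest maturity level at which the
    firm has at least one observed activity in that practice (0 if it has none)."""
    marks = {name: 0 for name in PRACTICE_NAMES.values()}
    for activity in firm_activities:
        abbrev, level = parse_activity(activity)
        name = PRACTICE_NAMES[abbrev]
        marks[name] = max(marks[name], level)
    return marks


def compare_firms(observations, firm_a, firm_b):
    """Per-practice (firm_a, firm_b) score pairs, i.e. the points a spider diagram plots."""
    a = high_water_marks(observations[firm_a])
    b = high_water_marks(observations[firm_b])
    return {name: (a[name], b[name]) for name in PRACTICE_NAMES.values()}


if __name__ == "__main__":
    for practice, activity in most_common_per_practice(OBSERVATIONS).items():
        print(f"{practice}: most common activity is {activity}")
    for practice, (a, b) in compare_firms(OBSERVATIONS, "Firm 2", "Firm 4").items():
        print(f"{practice}: Firm 2 = {a}, Firm 4 = {b}")
```

With the constructed data set, SM1.1, CR1.1 and PT1.1 are each observed at four of the five firms and so become the marked activity of their practice, while Firm 4 scores higher than Firm 2 in Strategy and Metrics only because it has a single level 3 activity there; the high-water mark rewards reaching a level, not how many activities at that level are in place, which is worth keeping in mind when reading a spider diagram.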

Table 11 Outcomes of security implementation [31]

Outcomes
Management structure
Commitment to cyber security culture
Security context
Business architecture strategy
Capability development strategy
Supplier and partner strategy
Technology strategy
Business resilience
Compliance with legislation and other standards
Risk assessment
Asset management
Threat assessment
Vulnerability assessment
Protection and mitigation
People security
Physical security
Technical security
Resilience preparedness
Detection and response
External awareness
Internal monitoring
Protective monitoring
Cyber security incident management
Recovery
Investigation
Data integrity reassurance
Business-as-usual restoration
Legal process
Compliance analysis and continual improvement

The outcomes are connected to several controls and requirements that are mentioned in other standards, including the ISO 27002:2005 standard. The overview in Annex A of PAS 555:2013 shows that almost all outcomes are related to one or multiple controls of ISO 27002.

SAS70 and its successors

The American Institute of Certified Public Accountants (AICPA) developed the Statement on Auditing Standards No. 70 (SAS70)⁹. SAS70 is an international norm for internal control of service organizations. This norm is used to get a SAS70 statement, which describes whether the controls of the service organization are described correctly, the effectiveness of the design and which controls are used.

⁹ More information on SAS70:


More information

Bellingham Control System Cyber Security Case Study

Bellingham Control System Cyber Security Case Study Bellingham Control System Cyber Security Case Study Marshall Abrams Joe Weiss Presented at at 2007 Annual Computer Security Applications Conference Case Study Synopsis Examine actual control system cyber

More information

Sytorus Information Security Assessment Overview

Sytorus Information Security Assessment Overview Sytorus Information Assessment Overview Contents Contents 2 Section 1: Our Understanding of the challenge 3 1 The Challenge 4 Section 2: IT-CMF 5 2 The IT-CMF 6 Section 3: Information Management (ISM)

More information

Safeguards Frameworks and Controls. Security Functions Parker, D. B. (1984). The Many Faces of Data Vulnerability. IEEE Spectrum, 21(5), 46-49.

Safeguards Frameworks and Controls. Security Functions Parker, D. B. (1984). The Many Faces of Data Vulnerability. IEEE Spectrum, 21(5), 46-49. Safeguards Frameworks and Controls Theory of Secure Information Systems Features: Safeguards and Controls Richard Baskerville T 1 F 1 O 1 T 2 F 2 O 2 T 3 F 3 O 3 T 4... T n...... F l O m T F O Security

More information

Open Certification Framework. Vision Statement

Open Certification Framework. Vision Statement Open Certification Framework Vision Statement Jim Reavis and Daniele Catteddu August 2012 BACKGROUND The Cloud Security Alliance has identified gaps within the IT ecosystem that are inhibiting market adoption

More information

Information Security Management System for Microsoft s Cloud Infrastructure

Information Security Management System for Microsoft s Cloud Infrastructure Information Security Management System for Microsoft s Cloud Infrastructure Online Services Security and Compliance Executive summary Contents Executive summary 1 Information Security Management System

More information

Development Processes (Lecture outline)

Development Processes (Lecture outline) Development*Process*for*Secure* So2ware Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development

More information

ISSECO Syllabus Public Version v1.0

ISSECO Syllabus Public Version v1.0 ISSECO Syllabus Public Version v1.0 ISSECO Certified Professional for Secure Software Engineering Date: October 16th, 2009 This document was produced by the ISSECO Working Party Syllabus Introduction to

More information

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation) It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The

More information

Understanding HITRUST s Approach to Risk vs. Compliance-based Information Protection

Understanding HITRUST s Approach to Risk vs. Compliance-based Information Protection Understanding Compliance vs. Risk-based Information Protection 1 Understanding HITRUST s Approach to Risk vs. Compliance-based Information Protection Why risk analysis is crucial to HIPAA compliance and

More information

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown Cyber Resilience Implementing the Right Strategy Grant Brown specialist, CISSP @TheGrantBrown 1 2 Network + Technology + Customers = $$ 3 Perfect Storm? 1) Increase in Bandwidth (extended reach) 2) Available

More information

IT Security and Compliance Program Plan for Maxistar Medical Supplies Company

IT Security and Compliance Program Plan for Maxistar Medical Supplies Company IT Security and Compliance Program Plan for Maxistar Medical Supplies Company IT Security and Compliance Program Plan for Maxistar Medical Supplies Company IT Security and Compliance Program for PCI, HIPAA

More information

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters When Recognition Matters WHITEPAPER ISO/IEC 27002:2013 INFORMATION TECHNOLOGY - SECURITY TECHNIQUES CODE OF PRACTICE FOR INFORMATION SECURITY CONTROLS www.pecb.com CONTENT 3 4 5 6 6 7 7 7 7 8 8 8 9 9 9

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

Information Security ISO Standards. Feb 11, 2015. Glen Bruce Director, Enterprise Risk Security & Privacy

Information Security ISO Standards. Feb 11, 2015. Glen Bruce Director, Enterprise Risk Security & Privacy Information Security ISO Standards Feb 11, 2015 Glen Bruce Director, Enterprise Risk Security & Privacy Agenda 1. Introduction Information security risks and requirements 2. Information Security Management

More information

Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities

Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities Sean Barnum sbarnum@mitre.org September 2011 Overview What is SCAP? Why SCAP?

More information

CESG Certification of Cyber Security Training Courses

CESG Certification of Cyber Security Training Courses CESG Certification of Cyber Security Training Courses Supporting Assessment Criteria for the CESG Certified Training (CCT) Scheme Portions of this work are copyright The Institute of Information Security

More information

CONTINUOUS MONITORING

CONTINUOUS MONITORING CONTINUOUS MONITORING Monitoring Strategy Part 2 of 3 ABSTRACT This white paper is Part 2 in a three-part series of white papers on the sometimes daunting subject of continuous monitoring (CM) and how

More information

Security metrics to improve information security management

Security metrics to improve information security management Security metrics to improve information security management Igli TASHI, Solange GHERNAOUTIHÉLIE HEC Business School University of Lausanne Switzerland Abstract The concept of security metrics is a very

More information

VIRGINIA DEPARTMENT OF MOTOR VEHICLES IT SECURITY POLICY. Version 2.

VIRGINIA DEPARTMENT OF MOTOR VEHICLES IT SECURITY POLICY. Version 2. VIRGINIA DEPARTMENT OF MOTOR VEHICLES IT SECURITY POLICY Version 2., 2012 Revision History Version Date Purpose of Revision 2.0 Base Document 2.1 07/23/2012 Draft 1 Given to ISO for Review 2.2 08/15/2012

More information

The Influence of Software Vulnerabilities on Business Risks 1

The Influence of Software Vulnerabilities on Business Risks 1 The Influence of Software Vulnerabilities on Business Risks 1 Four sources of risk relevant for evaluating the influence of software vulnerabilities on business risks Authors Hilbrand Kramer, MSc (Royal

More information

PASTA Abstract. Process for Attack S imulation & Threat Assessment Abstract. VerSprite, LLC Copyright 2013

PASTA Abstract. Process for Attack S imulation & Threat Assessment Abstract. VerSprite, LLC Copyright 2013 2013 PASTA Abstract Process for Attack S imulation & Threat Assessment Abstract VerSprite, LLC Copyright 2013 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

More information

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper Regulatory Compliance Solutions for Microsoft Windows IT Security Controls Supporting DHS HIPAA Final Security Rules Health Insurance Portability and Accountability Act Enterprise Compliance Auditing &

More information

Sample CDC Certification and Accreditation Checklist For an Application That Is Considered a Moderate Threat

Sample CDC Certification and Accreditation Checklist For an Application That Is Considered a Moderate Threat Sample CDC Certification and Accreditation Checklist For an Application That Is Considered a Moderate Threat Centers for Disease and Prevention National Center for Chronic Disease Prevention and Health

More information

Improving Critical Infrastructure Cybersecurity Executive Order 13636. Preliminary Cybersecurity Framework

Improving Critical Infrastructure Cybersecurity Executive Order 13636. Preliminary Cybersecurity Framework 1 Improving Critical Infrastructure Cybersecurity Executive Order 13636 Preliminary Cybersecurity Framework 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35

More information

The Cloud in Regulatory Affairs - Validation, Risk Management and Chances -

The Cloud in Regulatory Affairs - Validation, Risk Management and Chances - 45 min Webinar: November 14th, 2014 The Cloud in Regulatory Affairs - Validation, Risk Management and Chances - www.cunesoft.com Rainer Schwarz Cunesoft Holger Spalt ivigilance 2014 Cunesoft GmbH PART

More information

Security Control Standards Catalog

Security Control Standards Catalog Security Control Standards Catalog Version 1.2 Texas Department of Information Resources April 3, 2015 Contents About the Security Control Standards Catalog... 1 Document Life Cycle... 1 Revision History...

More information

Fiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program

Fiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program U.S. ENVIRONMENTAL PROTECTION AGENCY OFFICE OF INSPECTOR GENERAL Information Technology Fiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program Report.

More information

AF Life Cycle Management Center

AF Life Cycle Management Center AF Life Cycle Management Center Avionics Weapon Systems Cybersecurity Risk Management Framework Assessment & Authorization Update Harrell Van Norman AFLCMC/EZAS Cybersecurity Technical Expert aflcmc.en-ez.weapon.systems.ia.team@us.af.mil

More information

NetIQ FISMA Compliance & Risk Management Solutions

NetIQ FISMA Compliance & Risk Management Solutions N E T I Q C O M P L I A N C E S E R I E S NetIQ FISMA Compliance & Risk Management Solutions The Federal Information Security Management Act (FISMA) requires federal agencies to create and implement a

More information

HP Fortify Application Security Lucas v. Stockhausen PreSales Manager HP Fortify EMEA lvonstockhausen@hp.com +49 1520 1898430 Enterprise Security

HP Fortify Application Security Lucas v. Stockhausen PreSales Manager HP Fortify EMEA lvonstockhausen@hp.com +49 1520 1898430 Enterprise Security HP Fortify Application Security Lucas v. Stockhausen PreSales Manager HP Fortify EMEA lvonstockhausen@hp.com +49 1520 1898430 Enterprise Security The problem Cyber attackers are targeting applications

More information

This is a preview - click here to buy the full publication

This is a preview - click here to buy the full publication TECHNICAL REPORT IEC/TR 62443-3-1 Edition 1.0 2009-07 colour inside Industrial communication networks Network and system security Part 3 1: Security technologies for industrial automation and control systems

More information

Tim Denman Systems Engineering and Technology Dept Chair/ Cybersecurity Lead DAU South, Huntsville Tim.Denman@dau.mil

Tim Denman Systems Engineering and Technology Dept Chair/ Cybersecurity Lead DAU South, Huntsville Tim.Denman@dau.mil Tim Denman Systems Engineering and Technology Dept Chair/ Cybersecurity Lead DAU South, Huntsville Tim.Denman@dau.mil Current State of Cybersecurity in the DoD Current Needs Communications focus Changing

More information

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 Revision History Update this table every time a new edition of the document is

More information

Operational security for online services overview

Operational security for online services overview Operational security for online services overview Microsoft Trustworthy Computing October 21, 2013 Trustworthy Computing Operational security for online services overview Legal disclaimer This document

More information

OCIE CYBERSECURITY INITIATIVE

OCIE CYBERSECURITY INITIATIVE Topic: Cybersecurity Examinations Key Takeaways: OCIE will be conducting examinations of more than 50 registered brokerdealers and registered investment advisers, focusing on areas related to cybersecurity.

More information

FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB 2014-05. Cyber Risk Management Guidance. Purpose

FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB 2014-05. Cyber Risk Management Guidance. Purpose FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB 2014-05 Cyber Risk Management Guidance Purpose This advisory bulletin provides Federal Housing Finance Agency (FHFA) guidance on cyber risk management.

More information

Bellevue University Cybersecurity Programs & Courses

Bellevue University Cybersecurity Programs & Courses Undergraduate Course List Core Courses: CYBR 250 Introduction to Cyber Threats, Technologies and Security CIS 311 Network Security CIS 312 Securing Access Control CIS 411 Assessments and Audits CYBR 320

More information

-Blue Print- The Quality Approach towards IT Service Management

-Blue Print- The Quality Approach towards IT Service Management -Blue Print- The Quality Approach towards IT Service Management The Qualification and Certification Program in IT Service Management according to ISO/IEC 20000 TÜV SÜD Akademie GmbH Certification Body

More information

Securing the Cloud Infrastructure

Securing the Cloud Infrastructure EXECUTIVE STRATEGY BRIEF Microsoft recognizes that security and privacy protections are essential to building the necessary customer trust for cloud computing to reach its full potential. This strategy

More information

Assessing the Effectiveness of a Cybersecurity Program

Assessing the Effectiveness of a Cybersecurity Program Assessing the Effectiveness of a Cybersecurity Program Lynn D. Shiang Delta Risk LLC, A Chertoff Group Company Objectives Understand control frameworks, assessment structures and scoping of detailed reviews

More information

Intel Security Professional Services Leveraging NIST Cybersecurity Framework (CSF): Complexity is the enemy of security

Intel Security Professional Services Leveraging NIST Cybersecurity Framework (CSF): Complexity is the enemy of security Intel Security Professional Services Leveraging NIST Cybersecurity Framework (CSF): Complexity is the enemy of security David Brezinski, Professional Services, Enterprise Security Architect Agenda Overview

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE EXAM PREPARATION GUIDE PECB Certified ISO/IEC 27001 Lead Auditor The objective of the Certified ISO/IEC 27001 Lead Auditor examination is to ensure that the candidate has the knowledge and the skills to

More information

Presented by Evan Sylvester, CISSP

Presented by Evan Sylvester, CISSP Presented by Evan Sylvester, CISSP Who Am I? Evan Sylvester FAST Information Security Officer MBA, Texas State University BBA in Management Information Systems at the University of Texas Certified Information

More information

112 BSIMM Activities at a Glance

112 BSIMM Activities at a Glance 112 BSIMM Activities at a Glance (Red indicates most observed BSIMM activity in that practice) 6 Level 1 Activities Governance Strategy & Metrics (SM) Publish process (roles, responsibilities, plan), evolve

More information

A Guide to the Cyber Essentials Scheme

A Guide to the Cyber Essentials Scheme A Guide to the Cyber Essentials Scheme Published by: CREST Tel: 0845 686-5542 Email: admin@crest-approved.org Web: http://www.crest-approved.org/ Principal Author Jane Frankland, Managing Director, Jane

More information

Seven Practical Steps to Delivering More Secure Software. January 2011

Seven Practical Steps to Delivering More Secure Software. January 2011 Seven Practical Steps to Delivering More Secure Software January 2011 Table of Contents Actions You Can Take Today 3 Delivering More Secure Code: The Seven Steps 4 Step 1: Quick Evaluation and Plan 5 Step

More information

PROJECT BOEING SGS. Interim Technology Performance Report 1. Company Name: The Boeing Company. Contract ID: DE-OE0000191

PROJECT BOEING SGS. Interim Technology Performance Report 1. Company Name: The Boeing Company. Contract ID: DE-OE0000191 Interim Techlogy Performance Report 1 PROJECT BOEING SGS Contract ID: DE-OE0000191 Project Type: Revision: V2 Company Name: The Boeing Company December 10, 2012 1 Interim Techlogy Performance Report 1

More information

Report Book: Retina Network Security Scanner Unlimited

Report Book: Retina Network Security Scanner Unlimited REPORT BOOK Report Book: Retina Network Security Scanner Unlimited Version 5.20 January 2015 1 Table of Contents Retina Network Security Scanner Unlimited... 3 Report Title: Remediation Report... 3 Report

More information

Requirements For Computer Security

Requirements For Computer Security Requirements For Computer Security FTA/IRS Safeguards Symposium & FTA/IRS Computer Security Conference April 2, 2008 St. Louis 1 Agenda Security Framework Safeguards IT Security Review Process Preparing

More information