De Nieuwe Code voor Informatiebeveiliging

Transcription

1 De Nieuwe Code voor Informatiebeveiliging Piet Donga, ING Voorzitter NEN NC 27 - IT Security 1

2 Agenda Standardisation of Information security The new Code of Practice for Information Security The Code used inside ING 2

3 Cooperation on various levels ISO IEC ITU Global JTC1 SC27 European CEN CENELEC ETSI National NEN NEC

4 ISO/IEC JTC 1/SC27 structure ISO/IEC JTC 1/SC27 Information Technology Security Techniques Chairman: Mr. W. Fumy Vice Chair: Mrs. M. De Soete WG1: Requirements, services, guidelines Convenor: Mr. T. Humpreys WG2: Security techniques and mechanisms Convenor: Mr. K. Naemura WG3: Security evaluation criteria Convenor: Mr. M. Ohlin WG4: Security controls and services Convenor: Mr. Kang WG5: Identity management & privacy technologies Convenor: unknown 4

5 History of the Code of Practice Industry Code of Practice for IS published 1994 Code of Practice published as BS7799 First BS ISO/IEC published & Dutch version of BS7799-1:1999 and BS7799-2: published & ISO/IEC 17799:2005 published & NEN- ISO- IEC 17799: 2005 (UK) First edition of Dutch CvI Revised version of BS7799(-1) 2000 BS7799-2:2002 & 2005 Publication of NEN BS (UK) NEN-ISO- IEC 17799: 2002 (NL) NEN- ISO-IEC 17799: 2005 (NL) & (NL) 5

6 27000 series Need for a family of standards around ISO17799 Inspired by ISO9000 and ISO14000 series Consistent with standard framework guidelines such as ISO Guide 72 and ISO Guide 73 Typing of standards A lot of discussion regarding loss of 7799 brand name 6

7 27000 series 27000: ISMS Fundamentals and Vocabulary 27001: ISMS Requirements 27002: Code of Practice for Information Security Man : ISMS Implementation Guidance 27004: Information Security Management Measurements Current status 1st WD IS IS 2nd WD 4th WD Expected IS (renum) : Information Security Risk Management 2nd CD 27006: ISMS Accreditation FCD

8 The Code of Practice for Information Security 8

9 27002: Code of Practice for Information Security Management RISK ASSESSMENT AND TREATMENT SECURITY POLICY ORGANIZING INFORMATION SECURITY ASSET MANAGEMENT HUMAN RESOURCES SECURITY PHYSICAL AND ENVIRONMENTAL SECURITY COMMUNICATIONS AND OPERATIONS MANAGEMENT ACCESS CONTROL INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE INFORMATION SECURITY INCIDENT MANAGEMENT BUSINESS CONTINUITY MANAGEMENT COMPLIANCE 9

10 REVISION OF ISO/IEC Update controls to keep them up to date and to include new developments Emerging trends and managing new and emerging risks, threats and vulnerabilities Due diligence, governance and fit for purpose Greater customer assurance and demands Growth in use of services and new ways of doing business New technologies, new ways of using technologies and access to more diverse networked business * From Presentation Ted Humphreys, 10

11 REVISION OF ISO/IEC Update controls to keep them up to date and to include new developments Emerging trends and managing new and emerging risks; bringing into place management controls and Best Practice Maintain backwards compatibility User friendly interface Improve internationalisation of the text Language, Culture and Context * From Presentation Ted Humphreys, 11

12 Changes: enhancements* OLD Sections 17799:2000 Security Policy Security organisation Asset classification & control Personnel security Physical & environm. security Comm. & oper. management Access Control Systems development & maint. Business continuity Compliance NEW Sections 17799:2005 Security policy Organising inform. Security Asset management Human resources security Physical & environm. Security Comm. & oper. Management Access control Inf. Syst. Acquis. Dev. & maint. Inf. security incident handling Business cont. management Compliance * From Presentation Marijke de Soete, Security4Biz; address: marijke.desoete@pandora.be 12

13 Changes: structure* Old Control text New Control text Control, Implementation guidance and other supporting text Control Implementation guidance Other information * From Presentation Marijke de Soete, Security4Biz; address: marijke.desoete@pandora.be 13

14 Changes 9 old controls modified 116 controls remaining 17 controls added Now 133 paragraphs (was 127) 14

15 New controls - 1 Management commitment to information security (6.1.1) Contacts with special interest groups (6.1.7) Ownership of assets (7.1.2) Acceptable use of assets (7.1.3) Service delivery (10.2.1) Monitoring and review of third party services (10.2.2) Managing changes to third party services (10.2.3) Controls against mobile code (10.4.2) Electronic messaging (10.8.4) Electronic commerce (10.9.1) On-line transactions (10.9.2) 15

16 New controls - 2 Protecting log information ( ) Control of technical vulnerability (12.6.1) Reporting information security evidence (13.1.1) Reporting security weaknesses (13.1.2) Management of security incidents Responsibilities and procedures (13.2.1) Collection of evidence (13.2.2) 16

17 The Code used within ING 17

18 Policies and Standards Development Policies and standards developed in 2002 Goal: Develop a set of consistent, actionable information security operational-level policies to establish a baseline of security across the Group Use ISO as primary input Strategic and Tactical Level Group policies Dutch National Bank guidance Basel Committee guidelines Existing EC/MC/OC policies, standards, procedures, etc. Gain input from business and support activities Four review rounds of drafts Sanity check review by MC ISO s and other stakeholders 18

19 Recognizing Reality of ING in 2002 ING has over 60 operating companies, many regulated businesses with different rules ING is in over 80 countries, national laws, customs ING has an enormous infrastructure, new and old technology ING has over 50 million customers, reputation and service expectation ING has over 110,000 employees, training and labor rules 19

20 Development Strategy Security has to be business driven, support goals of the business Use a layered approach consisting of policies, standards, procedures and guidelines Requirements must be adequate but flexible Give OC s room to innovate and remain compliant Require what and when but not how Require who only when important Do not mandate specific products, protocols, etc. Detailed requirements only when very important Use concepts of risk management not risk elimination Deployment of baseline security 20

21 Policy Set 37 documents produced in three categories 14 perimeter security 17 infrastructure security 6 business unit specific security 23 policies 11 standards 2 procedures Glossary 21

22 SOX IT, ISO and IS policies ING Group ING Group SOX COBIT ITIL ISO (BS 17799) ING SOX Framework of Controls Information security policies & standards 22

23 Information Security Maturity Baseline: 3 implementation levels based on ISO/IEC Maturity levels ofr IRM Processes; required levels enforced through integrated operational risk scorecards (OR capital reduction) 23

24 Thank you for your attention Piet Donga ING / Global Information Risk Management Policy, Governance & Risk Management Piet.donga@mail.ing.nl 24

25 Appendix 25

26 ISO/IEC JTC 1/SC27 ISO/IEC family of standards ISO/IEC ISMS requirements ISO/IEC ISMS implementation guidance ISO/IEC ISM metrics and measurements ISO/IEC Information Security Risk Management ISO/IEC ISMS Accreditation ISO/IEC ISMS Audit guidelines ISO/IEC Code of practice for information security management ISO/IEC Management of ICT security (MICTS) WG1 26

27 ISO/IEC JTC 1/SC27 WG2 ISO/IEC 9796 Digital signature schemes giving message recovery ISO/IEC 9797 Message authentication codes ISO/IEC 9798 Entity authentication ISO/IEC Hash-functions ISO/IEC Key management ISO/IEC Digital signatures with appendix ISO/IEC Cryptographic techniques based on elliptic curves ISO/IEC Time stamping services ISO/IEC Encryption algorithms ISO/IEC Biometric template protection 27

28 ISO/IEC JTC 1/SC27 ISO/IEC Cryptographic techniques based on elliptic curves ISO/IEC Time stamping services ISO/IEC Random bit generation ISO/IEC Prime number generation ISO/IEC Encryption algorithms ISO/IEC Data encapsulation mechanisms ISO/IEC Biometric template protection WG2 28

29 ISO/IEC JTC 1/SC27 ISO/IEC Evaluation criteria for IT security ISO/IEC A framework for IT security assurance ISO/IEC Methodology for IT security evaluation ISO/IEC Security requirements for cryptographic modules ISO/IEC Security assessment of operational systems ISO/IEC A framework for security evaluation and testing of biometric technology WG3 29

30 ISO/IEC JTC 1/SC27 ISO/IEC IT Network security ISO/IEC Selection, deployment and operations of intrusion detection systems ISO/IEC Information security incident management ISO/IEC Disaster recovery services WG4 30

31 ISO/IEC JTC 1/SC27 WG5 ISO/IEC Biometric template protection ISO/IEC Authentication context for biometrics ISO/IEC A framework for biometrics 31