ISO/IEC Information & ICT Security and Governance Standards in practice. Charles Provencher, Nurun Inc; Chair CAC-SC27 & CAC-CGIT

Transcription

1 ISO/IEC Information & ICT Security and Governance Standards in practice Charles Provencher, Nurun Inc; Chair CAC-SC27 & CAC-CGIT June 4, 2009

2 ISO and IEC ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National Bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO is made up of 159 national body members which are divided into three categories. June 4, 2009 Titre 2

3 ISO and IEC form JTC1 In the field of information technology, ISO and IEC have established a Joint Technical Committee 1: ISO/IEC JTC 1. Draft International Standards adopted by the joint technical committees are circulated to the national bodies for voting. Publication as an International Standard requires approval by at least 75% of the national bodies casting a vote. June 4, 2009 Titre 3

4 JTC1 Areas of Expertise, Mirrored in Canada ISO/IEC CAC/JTC1 - Canadian Advisory Committees for the Joint Technical Committee 1 of ISO/IEC CAC/JTC1 Privacy Group CAC/JTC1/SC 2 - Coded Character CAC/JTC1/SC 6 - Telecommunications and Information Exchange Between Systems CAC/JTC1/SC17 - Identification Cards and Related Devices (ANSI X3B.10) CAC/JTC1/SC22 - Programming Languages, Their Environments and System Software Interfaces CAC/JTC1/SC24 - Computer Graphics and Image Processing CAC/JTC1/SC25 - Interconnection of Information Technology Equipment CAC/JTC1/SC27 - IT Security Techniques CAC/JTC1/SC31 - Automatic Identification and Data Capture Techniques CAC/JTC1/SC32 - Data Management and Interchange CAC/JTC1/SC34 - Document Description and Processing Languages (includes the SGML family of standards) CAC/JTC1/SC35 - User Interfaces CAC/JTC1/SC36 - Information Technology for Learning, Education and Training CAC/JTC1/SC37 - Biometrics CAC/JTC1/SWG - Accessibility CAC/JTC1/TCIT - Information Technology CAC/JTC1/WG6 - Corporate Governance of IT June 4, 2009 Séance d accueil 4

5 ISO/IEC/JTC1/SC27 SC27 Programme of Work Area of Work: The development of standards for the protection of information and ICT. This includes generic methods, techniques and guidelines to address both security and privacy aspects, such as: * Security requirements capture methodology; * Management of information and ICT security; in particular information security management systems (ISMS), security processes, security controls and services; * Cryptographic and other security mechanisms, including but not limited to mechanisms for protecting the accountability, availability, integrity and confidentiality of information; * Security management support documentation including terminology, guidelines as well as procedures for the registration of security components; * Security aspects of identity management, biometrics and privacy; * Conformance assessment, accreditation and auditing requirements in the area of information security; * Security evaluation criteria and methodology. SC 27 engages in active liaison and collaboration with appropriate bodies to ensure the proper development and application of SC 27 standards and technical reports in relevant areas. 39 National Bodies constitute ISO/IEC/JTC 1/SC27, where at least a 75% approval is required for IS 7 décembre 2007 Séance d accueil 5

6 Specific Domains of Expertise in IT Security CAC/JTC1/SC27 - IT Security Techniques Working Group 1: "Information Security Management Systems" WG 1 covers the development of ISMS (Information Security Management System, ISO/IEC 27001, ISO/IEC 27002) standards and guidelines family. Working Group 2: "Cryptography and Security Mechanisms" WG 2 covers both cryptographic and non-cryptographic techniques and mechanism Working Group 3: "Evaluation Criteria of Information Security" WG 3 covers IT Security evaluation and certification of IT systems, components, and products (such as Common Criteria for Evaluation). This will include consideration of computer networks, distributed systems, associated application services, etc. Working Group 4: "Security controls and services" WG 4 covers the development and maintenance of standards and guidelines addressing services and applications supporting the implementation of control objectives and controls as defined in ISO/IEC (such as Network Security, CyberSecurity, Business Continuity, etc). Working Group 5: "Identity Mgmt. & Privacy Technologies" WG 5 covers the development and maintenance of standards and guidelines addressing security aspects of identity management, biometrics and the protection of personal data. June 4, 2009 Séance d accueil 6

7 Some Published and «in-development» Standards ISO/IEC 27000: Information security management systems - Overview and vocabulary ISO/IEC 27001: Information security management systems - Requirements ISO/IEC 27002: Code of practice for information security management ISO/IEC 27004: Information security management measurements ISO/IEC 27005: Information security risk management (replaces ISO/IEC 13335) ISO/IEC 27006: International accreditation guidelines for the accreditation of bodies operating certification / Registration of information security management systems ISO/IEC 27010: Information security management for inter-sector communications (for critical infrastructure) ISO/IEC 27013: Guidelines for integration implementation of ISO/IEC & ISO/IEC ISO/IEC 27014: Information security governance framework ISO/IEC 27033: Network security (replaces ISO/IEC 18028) ISO/IEC 15408: Evaluation criteria for IT security (AKA, Common Criteria) ISO/IEC 29147: Responsible vulnerability disclosure ISO/IEC 27014: A Framework for Corporate Governance of IT June 4, 2009 Séance d accueil 7

8 Some Published and «in-development» Standards (more) ISO/IEC 27031: ICT readiness for business continuity ISO/IEC 27032: Guidelines for CyberSecurity ISO/IEC 27033: Network security (replaces ISO/IEC 18028) ISO/IEC 27034: Application security ISO/IEC 24760: A framework for identity management ISO/IEC 29100: A privacy framework ISO/IEC 29101: A privacy reference architecture ISO/IEC 29146: A framework for access management June 4, 2009 Séance d accueil 8

9 Base SC27 Standards that Drive Organizations to Address Security ISO/IEC 27005: Information security risk management (RISK ASSESSMENT REQUIREMENTS and MANAGEMENT) ISO/IEC 27002: Code of practice for information security management (SECURITY GUIDELINES) ISO/IEC 27001: Information security management systems Requirements (CERTIFICATION) June 4, 2009 Séance d accueil 9

10 General Concepts for these Standards ISO/IEC 27005: This International Standard provides guidelines for Information Security Risk Management in an organization, supporting in particular the requirements of an ISMS according to ISO/IEC ISO/IEC 27002: This International Standard establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined in this International Standard provide general guidance on the commonly accepted goals of information security management. ISO/IEC 27001: This International Standard has been prepared to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). The adoption of an ISMS should be a strategic decision for an organization. This International Standard can be used in order to assess conformance by interested internal and external parties. June 4, 2009 Séance d accueil 10

11 Risk Management Model June 4, 2009 Séance d accueil 11

12 Risk Management Model June 4, 2009 Séance d accueil 12

13 What it Means to Your Organization Adopting and Implementing an Information Security Management System is a top or board level decision. It is a top-down process based on Risk Management It runs through your Enterprise Architecture It affects everyone in your organization It needs an audit and verification process It requires that you PLAN, DO, CHECK and you IMPROVE June 4, 2009 Séance d accueil 13

14 Fundamental Changes to Your Organization Your organization will go through fundamental work changes when implementing an ISMS It requires Change Management within your organization It involves documenting your processes and procedures It requires an auditable trail and logging of your activities It often demands a change from your suppliers and the organizations you do business with Ensuring Security is Not Just IT Projects and Processes, it s Organizational Driven Initiatives and Directives June 4, 2009 Séance d accueil 14

15 Information Security Governance Architecture June 4, 2009 Séance d accueil 15

16 How it fits June 4, 2009 Séance d accueil 16

17 Government Example Government of Quebec: Established a secure communications channel between ministries and awarded the management contract to the organization that agreed to implement and certify against ISO/IEC Asks that the IT arm of its Health and Social Services require that its critical suppliers certify against ISO/IEC Currently undergoing restructuring of its CSIRT to certify against ISO/IEC June 4, 2009 Séance d accueil 17

18 New Domain of Expertise for JTC 1 CAC/JTC1/WG6 - Corporate Governance of IT Provides guiding principles for directors of organizations (including owners, board members, directors, partners, senior executives, or similar) on the effective, efficient, and acceptable use of Information Technology within their organizations. This applies to the governance of management processes (and decisions) relating to the information and communication services used by an organization. These processes could be controlled by IT specialists within the organization or external service providers, or by business units within the organization. June 4, 2009 Séance d accueil 18

19 QUESTIONS & THANK YOU!!! Charles P. Provencher Senior Advisor, IT Security & Conformity Nurun Inc #25072 June 4, 2009 Séance d accueil 19