24 September 2013
New version of ISO/IEC 27002
Code of practice for information security controls (new title: "management" has been dropped from the old title "Code of practice for information security management")

1 Table of contents
- Introduction
- What has changed in ISO/IEC FDIS 27002:2013?
- What is the impact of these changes?
- Summary
(Slides are in English)
2 ISO/IEC 27000 family of standards (status before the revision)
Terminology:
- ISO/IEC 27000:2012 ISMS overview and vocabulary (freely available)
Requirements:
- ISO/IEC 27001:2005 Information Security Management System (ISMS) requirements
- ISO/IEC 27006:2007 Requirements for bodies providing audit and certification of ISMSs
Guidelines:
- ISO/IEC 27002:2007 Code of practice for information security management
- ISO/IEC 27003:2010 ISMS implementation guidance
- ISO/IEC 27004:2009 Information security management measurements
- ISO/IEC 27005:2011 Information security risk management
- ISO/IEC 27007:2011 Guidelines for ISMS auditing
- ISO/IEC TR 27008:2011 Guidance for auditors on ISMS controls

3 ISO/IEC 27000 family of standards (status at the time of this talk)
Terminology:
- ISO/IEC DIS 27000:2014 ISMS overview and vocabulary (freely available)
Requirements:
- ISO/IEC FDIS 27001:2013 Information Security Management System (ISMS) requirements
- ISO/IEC 27006:2007 Requirements for bodies providing audit and certification of ISMSs
Guidelines:
- ISO/IEC FDIS 27002:2013 Code of practice for information security controls (focus of this talk)
- ISO/IEC 27003:2010 ISMS implementation guidance
- ISO/IEC 27004:2009 Information security management measurements
- ISO/IEC 27005:2011 Information security risk management
- ISO/IEC 27007:2011 Guidelines for ISMS auditing
- ISO/IEC TR 27008:2011 Guidance for auditors on ISMS controls
4 ISO/IEC 27002:2007 Code of practice
A set of commonly accepted control objectives (39) and best-practice controls (133) for information security management.
The description of each control is structured as follows:
- Control
- Implementation guidance
- Other information
The 11 clauses of ISO/IEC 27002:
5. Security policy
6. Organizing information security
7. Asset management
8. Human resources security
9. Physical and environmental security
10. Communications and operations management
11. Access control
12. Systems acquisition, development and maintenance
13. Information security incident management
14. Business continuity management
15. Compliance
5 ISO/IEC 27002-based sector-specific standards
ISO/IEC FDIS 27002:2013 Code of practice for information security controls
WG 1 Roadmap:
- Annex E: Principles for sector-specific ISMS standards
- Annex F: Template for sector-specific ISMS standards
Sector-specific guidelines:
- ISO/IEC 27010:2012 inter-sector and inter-organizational communications
- ISO/IEC 27011:2008 telecommunications (ITU-T X.1051)
- ISO/IEC TR 27015:2012 financial services
- ISO/IEC 5th WD 27017:201x cloud computing services
- ISO 27799:2008 healthcare, with the Dutch healthcare standard NEN 7510 alongside it
6 Revision of ISO/IEC 27002
7 Revision of ISO/IEC 27002: overview
- More focused on control selection
- New title: Information technology, Security techniques, Code of practice for information security controls ("management" dropped from the old title)
- A lot of changes to control objectives and controls:
  - text is updated (in particular control objectives, implementation guidance and other information)
  - titles changed
  - relocation and merging (restructuring of sections)
  - removal of outdated ones and introduction of new ones
- The general structure of a control description remains: Control / Implementation guidance / Other information

                      2005   FDIS 2013
Clauses                 11       14
Control objectives      39       35
Controls               133      114
8 Revision of ISO/IEC 27002: more focused on control selection
Some text in ISO/IEC 27002:2005 is closely associated with:
- guidance on the establishment of an ISMS, which is also covered in ISO/IEC 27003;
- guidance on security risk management (clause 4), which is also covered in ISO/IEC 27005.
In the revision, the items covered in other 2700x standards are removed.
Quoted from ISO/IEC FDIS 27002, 0.1 Background and context:
"This International Standard is designed for organizations to use as a reference for selecting controls within the process of implementing an Information Security Management System (ISMS) based on ISO/IEC 27001 [10] or as a guidance document for organizations implementing commonly accepted information security controls. This standard is also intended for use in developing industry- and organization-specific information security management guidelines, taking into consideration their specific information security risk environment(s)."
9 Revision of ISO/IEC 27002: new structure of clauses, control objectives and controls
ISO/IEC 27002:2005:
5. Security policy
6. Organizing information security
7. Asset management
8. Human resources security
9. Physical and environmental security
10. Communications and operations management
11. Access control
12. Systems acquisition, development and maintenance
13. Information security incident management
14. Business continuity management
15. Compliance
ISO/IEC FDIS 27002:2013:
5. Security policy
6. Organizing information security
7. Human resources security
8. Asset management
9. Access control
10. Cryptography
11. Physical and environmental security
12. Operations security
13. Communications security
14. Systems acquisition, development and maintenance
15. Supplier relationships
16. Information security incident management
17. Information security aspects of business continuity management
18. Compliance

10 Revision of ISO/IEC 27002: new structure of clauses, control objectives and controls
The clauses of ISO/IEC FDIS 27002:2013 highlighted in this talk:
- clause 6 Organizing information security
- clauses 12 Operations security and 13 Communications security
- clause 14 Systems acquisition, development and maintenance
11 Revision of ISO/IEC 27002: clause 6 Organization of information security
ISO/IEC 27002:2005, 6 Organization of information security:
6.1 Internal organization
6.1.1 Management commitment to information security (e.g. this control was already covered by ISO/IEC 27001 and is dropped)
6.1.2 Information security coordination
6.1.3 Allocation of information security responsibilities
6.1.4 Authorization process for information processing facilities
6.1.5 Confidentiality agreements (moved to 13 Communications security)
6.1.6 Contact with authorities
6.1.7 Contact with special interest groups
6.1.8 Independent review of information security (moved to 18 Compliance)
6.2 External parties
6.2.1 Identification of risks related to external parties
6.2.2 Addressing security when dealing with customers
6.2.3 Addressing security in third party agreements (moved to 15 Supplier relationships)

12 Revision of ISO/IEC 27002: clause 6 Organization of information security (continued)
ISO/IEC FDIS 27002:2013, 6 Organization of information security:
6.1 Internal organization
6.1.1 Information security roles and responsibilities
6.1.2 Segregation of duties (from 2005 clause 10 Communications and operations management)
6.1.3 Contact with authorities
6.1.4 Contact with special interest groups
6.1.5 Information security in project management (new control)
6.2 Mobile devices and teleworking (controls from 2005 clause 11 Access control)
6.2.1 Mobile device policy
6.2.2 Teleworking
13 Revision of ISO/IEC 27002: mobile devices and teleworking moved from clause 11 to clause 6
ISO/IEC 27002:2005, 11.7 Mobile computing and teleworking
Objective: To ensure information security when using mobile computing and teleworking facilities. The protection required should be commensurate with the risks these specific ways of working cause. When using mobile computing the risks of working in an unprotected environment should be considered and appropriate protection applied. In the case of teleworking the organization should apply protection to the teleworking site and ensure that suitable arrangements are in place for this way of working.
11.7.1 Mobile computing and communications
Control: A formal policy should be in place, and appropriate security measures should be adopted to protect against the risks of using mobile computing and communication facilities.
11.7.2 Teleworking
Control: A policy, operational plans and procedures should be developed and implemented for teleworking activities.

ISO/IEC FDIS 27002:2013, 6.2 Mobile devices and teleworking
Objective: To ensure the security of teleworking and use of mobile devices.
6.2.1 Mobile device policy
Control: A policy and supporting security measures should be adopted to manage the risks introduced by using mobile devices.
6.2.2 Teleworking
Control: A policy and supporting security measures should be implemented to protect information accessed, processed or stored at teleworking sites.
14 Revision of ISO/IEC 27002: 12 Operations security and 13 Communications security
ISO/IEC 27002:2005, 10 Communications and operations management:
10.1 Operational procedures and responsibilities
10.2 Third party service delivery management (moved to 15 Supplier relationships)
10.3 System planning and acceptance (moved to 14 System acquisition, development and maintenance)
10.4 Protection against malicious and mobile code
10.5 Back-up
10.6 Network security management
10.7 Media handling (moved to 8 Asset management)
10.8 Exchange of information
10.9 E-commerce services (moved to 14 System acquisition, development and maintenance; renamed to application services on public networks)
10.10 Monitoring

15 Revision of ISO/IEC 27002: 12 Operations security and 13 Communications security (continued)
ISO/IEC FDIS 27002:2013:
12 Operations security
12.1 Operational procedures and responsibilities
12.2 Protection from malware
12.3 Backup
12.4 Logging and monitoring
12.5 Control of operational software
12.6 Technical vulnerability management (from 2005 clause 12)
12.7 Information systems audit considerations (from 2005 clause 15)
13 Communications security
13.1 Network security management
13.2 Information transfer
16 Revision of ISO/IEC 27002: 14 System acquisition, development and maintenance
ISO/IEC 27002:2005, 12 Information systems acquisition, development and maintenance:
12.1 Security requirements of information systems
12.2 Correct processing in applications
12.3 Cryptographic controls
12.4 Security of system files
12.5 Security in development and support processes
12.6 Technical vulnerability management

ISO/IEC FDIS 27002:2013, 14 System acquisition, development and maintenance:
14.1 Security requirements of information systems
14.1.1 Information security requirements analysis and specification
14.1.2 Securing application services on public networks (from 2005 clause 10 Communications and operations management)
14.1.3 Protecting application services transactions (from 2005 clause 10 Communications and operations management)
14.2 Security in development and support processes
14.2.1 Secure development policy
14.2.2 System change control procedures
14.2.3 Technical review of applications after operating platform changes
14.2.4 Restrictions on changes to software packages
14.2.5 Secure system engineering principles
14.2.6 Secure development environment
14.2.7 Outsourced development
14.2.8 System security testing
14.2.9 System acceptance testing (from 2005 clause 10 Communications and operations management)
14.3 Test data
14.3.1 Protection of test data
17 Revision of ISO/IEC 27002: my opinion
- More logical structure for control objectives and controls
- More up-to-date and less trend-specific
- More to the point
18 Impact of the revision of ISO/IEC 27002
19 Impact of the revision of ISO/IEC 27002: for organisations
If ISO/IEC 27002 is used as the basis of your information security management, then you will have to choose:
- still use the old version: not recommended;
- use another framework: up to you;
- migrate to the new version: recommended (a Statement of Applicability, SoA, against the new control set is required for ISO/IEC 27001 certification).

Change in ISO/IEC 27002:2013 -> Impact
New structure -> Update the information security policy documents.
Changed controls (and control objectives) -> Review the impact of the changed text on the implemented controls and improve the controls if necessary.
Removed controls -> Determine whether the removed controls are implemented and for which risks; select and implement alternatives.
New controls (and control objectives) -> Review the risk assessment and risk treatment against the revised ISO/IEC 27002:2013.
20 Impact of the revision of ISO/IEC 27002: on other sector-specific guidelines based on ISO/IEC 27002
Sector-specific guidelines that are based on ISO/IEC 27002 will be updated:
- ISO/IEC 27010 (inter-sector and inter-organizational communications)
- ISO/IEC 27011 (telecommunications sector)
- ISO 27799:2008 (health sector)
- ISO/IEC TR 27015:2012 (financial services sector)
- draft ISO/IEC 27017 (cloud computing services) is already based on the new version
National standards and frameworks based on ISO/IEC 27002:
- NEN 7510:2011
- Baseline Informatiebeveiliging Rijksdienst (BIR), Tactisch Normenkader (TNK), 2012
- Tactische Baseline Informatiebeveiliging Nederlandse Gemeenten, 2013
21 Recap
- Updating of text; restructuring of clauses; relocation, merging and removal of controls; introduction of new controls
- Expected publication date: November 2013
- Impact on existing use of ISO/IEC 27002:2007

22 Questions
+31 (0)88 866 7729
frank.fransen@tno.nl