Compiled by: Mark E.S. Bernard, ISO 27001 Lead Auditor, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT
Introduction
Current Known Threats
Potential Impacts to Enterprise Assets
Legal Risks
Managing Compliance Risks
Preventive Security Measures
Risk Management Policy
Risk Management Process
Ranking & Prioritization of Risks
Treating Risks
Monitoring Risks
Conclusion
Skype: Mark_E_S_Bernard; LinkedIn: http://www.linkedin.com/in/markesbernard

Mark E.S. Bernard, Information Security/Privacy, GRC Management Consultant: CRISC, CGEIT, CISA, CISM, CISSP, PM, ISO 27001 LA, CNA, SABSA Security Service Management/Architecture, COBiT, ITIL.

Mark has 24 years of proven experience within the domains of Information Security, Privacy, Governance and Compliance. He has led teams of 30 or more as a Director and Project Manager and managed budgets of $5 million or more. He has also provided oversight to 250 contractors and 230 regular full-time employees as a senior manager during a government outsourcing contract valued at $300 million. Mark's skills and experience as a Systems Engineer, Software Engineer and Network Engineer have given him the ability to lead small and large contracts for specialized services, including ERP systems such as Oracle, SAP, JD Edwards, BPCS and JBA, and red team penetration testing. He also led his work-stream during a Negotiated RFP process, followed by the on-boarding and knowledge transfer from the exiting Service Provider for a $25 million contract. Mark designed information security and privacy architecture and, as program manager, established information security management systems based on ISO 27001. He also led the re-engineering of IT processes based on Service Management (ITIL/ISO 20000), building in Quality Management (ISO 9001) and establishing a Knowledge Management framework.
Accomplishments:
In 2013 Assisted Provincial Government with Privacy Impact Assessment of External Parties
In 2013 Assisted Aviation organization with ISO/IEC 27001 Registration/Certification
In 2013 Facilitated ISO Lead Auditor Training for International Manufacturing and Services Corporation
In 2013 Assisted Major Bank with Risk Assessment of New Services and Products
In 2012 Assisted National Legal Firm with ISO/IEC 27001 Reg./Certification
In 2012 Assisted Executive Relocation Organization to ISO/IEC 27001 Reg./Certification
In 2012 Assisted Cloud Service Provider of SaaS to achieve ISO/IEC 27001 Reg./Certification
In 2012 Assisted Global Electronic Solutions Provider ISO/IEC 27001 Reg./Certification
In 2012 Assisted Nano Technology Manufacturer with ISO/IEC 27001 Reg./Certification
In 2010/11 Led Cloud Service Provider of PaaS and IaaS in 8 DCs & 4 Continents to ISO 27001 Reg./Cert
In 2009 Led Provincial Government to become 1st Canadian Public Sector ISO 27001 Reg./Certification
In 2009 Led Provincial Government On-boarding Project for Oracle ERP Integrated Service Provider
In 2009 Led Technology and Operations during Negotiated Request for Proposal on behalf of Prov. Gov.
In 2007 Led Major Credit Union Trade & Wholesale Service to achieve ISO/IEC 27001 Reg./Certification
In 2006 Led Privacy, Security, and Compliance Office during BC Government outsourcing to Alternate Service Delivery during migration to SAP R3 - ERP
Registration need not be the final goal; however, every business can benefit from adopting a management system that provides assurance over information assets in alignment with strategic and tactical business goals, while addressing Governance, Risk Management and Compliance Management requirements.
The demand for ISO/IEC 27001:2005 has nearly tripled in six years, and the number of countries adopting the Information Security Management System has doubled. ISO/IEC 27001 will soon see its first major revision since the 2005 edition, and if it turns out to be anything like the changes we have seen in ICFR/ICIF, ISAE 3402 or NIST SP 53, there will be significant improvements to be leveraged. In 2006, the first year of the annual survey, ISO/IEC 27001:2005 certificates totaled 5,797 at the end of December 2006, across 64 countries. At the end of 2010, at least 15,625 certificates had been issued in 117 countries. The 2010 total represents an increase of 2,691 (+21%) since December 2009. In 2006 the top three countries adopting ISO/IEC 27001 were Japan, the United Kingdom and India, and in 2010 that trend continued. However, the top three countries over the period December 2009 to 2010 were Japan, China and the Czech Republic.
Source: Computer Security Institute 2010/11 Survey
Source: Verizon Business 2011 Data Breach Investigations Report

Large-scale breaches dropped dramatically while small attacks increased. The report notes several possible reasons for this trend, including the fact that small to medium-sized businesses represent prime targets for many hackers, who favour highly automated, repeatable attacks against these more vulnerable targets, possibly because criminals are opting to play it safe in light of recent arrests and prosecutions of high-profile hackers.

Outsiders are responsible for most data breaches. Ninety-two percent of data breaches were caused by external sources. Contrary to the malicious-employee stereotype, insiders were responsible for only 16 percent of attacks. Partner-related attacks continued to decline, and business partners accounted for less than 1 percent of breaches.

Physical attacks are on the rise. After doubling as a percentage of all breaches in 2009, attacks involving physical actions doubled again in 2010, and included manipulating common credit-card devices such as ATMs, gas pumps and point-of-sale terminals. The data indicates that organized crime groups are responsible for most of these card-skimming schemes.

Hacking and malware are the most popular attack methods. Malware was a factor in about half of the 2010 caseload and was responsible for almost 80 percent of lost data. The most common kinds of malware found in the caseload were those that send data to an external entity, open backdoors, or log keystrokes.

Stolen passwords and credentials are out of control. Ineffective, weak or stolen credentials continue to wreak havoc on enterprise security. Failure to change default credentials remains an issue, particularly in the financial services, retail and hospitality industries.
Source: 2010 Cloud Security Alliance Threats
#1: Abuse and Nefarious Use of Cloud Computing
#2: Insecure Interfaces and APIs
#3: Malicious Insiders
#4: Shared Technology Issues
#5: Data Loss or Leakage
#6: Account or Service Hijacking
#7: Unknown Risk Profile
Source: 2010 OWASP Top 10 Web Application Security Risks
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
Source: The Risk of Insider Fraud, Ponemon Institute 2011

Employee-related incidents of fraud occur, on average, weekly in participating organizations. Sixty-four percent of the respondents in this study say the risk of insider fraud is very high or high within their organizations. CEOs and other C-level executives may be ignoring the threat, according to respondents. The majority of insider fraud incidents go unpunished, leaving organizations vulnerable to future incidents of the same kind. The threat vectors most difficult to secure and safeguard from insider fraud are mobile devices, outsourced relationships (including cloud providers) and applications. The majority of respondents do not believe their organization has the appropriate technologies to prevent or quickly detect insider fraud, including employees' misuse of IT resources.
Source: Computer Security Institute 2010/11 Survey
The Enterprise Risk Management system identifies four major areas of risk: strategic planning, financial services, compliance management and operations. Generally, capital and resources are allocated based on the priority determined by the Board of Directors and Executive Team. There are six major groups of Enterprise Assets that contribute to the Enterprise strategy: people, information, software, hardware, telecommunications and facilities. The risk associated with each asset can be assessed and treated based on Enterprise strategic priorities. A risk score can be calculated for each product, service channel and revenue stream, and risk treatment can again be applied based on strategic priorities.
The following example is a subset demonstrating the potential results of an exploited vulnerability within People Assets, as found in most Enterprises. The impacts are measured against the information security principles of confidentiality, integrity and availability. In this example the severity is rated high, medium or low to keep the message simple for a broad audience.
The following example is a subset demonstrating the potential results of an exploited vulnerability within Information Assets, as found in most Enterprises. The impacts are measured against the information security principles of confidentiality, integrity and availability. In this example the severity is rated high, medium or low to keep the message simple for a broad audience.
The following example is a subset demonstrating the potential results of an exploited vulnerability within Software Assets, as found in most Enterprises. The impacts are measured against the information security principles of confidentiality, integrity and availability. In this example the severity is rated high, medium or low to keep the message simple for a broad audience.
The following example is a subset demonstrating the potential results of an exploited vulnerability within Hardware Assets, as found in most Enterprises. The impacts are measured against the information security principles of confidentiality, integrity and availability. In this example the severity is rated high, medium or low to keep the message simple for a broad audience.
The following example is a subset demonstrating the potential results of an exploited vulnerability within Telecommunication Assets, as found in most Enterprises. The impacts are measured against the information security principles of confidentiality, integrity and availability. In this example the severity is rated high, medium or low to keep the message simple for a broad audience.
The following example is a subset demonstrating the potential results of an exploited vulnerability within Facility Assets, as found in most Enterprises. The impacts are measured against the information security principles of confidentiality, integrity and availability. In this example the severity is rated high, medium or low to keep the message simple for a broad audience.
Here is an example of how the ISO 27001 ISMS can easily and seamlessly address all HIPAA legal requirements.
When all the mapping has been completed, approximately 70 of the existing 133 ISO 27001 control objectives will be leveraged to address HIPAA compliance.
Compliance Management can be broken down into four general categories: statutes, regulations, internal-facing and external-facing.
Health Insurance Portability and Accountability Act (HIPAA)
Health Information Technology for Economic and Clinical Health Act (HITECH Act)
Federal Information Security Management Act (FISMA)
Gramm-Leach-Bliley Act (GLBA)
Payment Card Industry Data Security Standard (PCI-DSS)
Payment Card Industry Payment Application Standard
Sarbanes-Oxley Act (SOX)
U.S. state data breach notification laws
International privacy or security laws
Before we can treat compliance concerns we need to identify, record and map ISO 27001 controls listed in the Statement of Applicability to specific legal obligations defined by provisions and clauses within statutes, regulations and internal/external facing contracts.
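The mapping step just described, as an added example that is not part of the original deck: a small Statement of Applicability extract is mapped to a set of obligations, the mapping is validated (an obligation must not rely on a control the SoA marks as not applicable), and coverage is reported in the same terms as the slides, that is, how many controls are leveraged and which obligations remain uncovered. Every control ID, obligation ID and description below is a constructed placeholder, not a real ISO 27001 control number or statutory citation.

```python
"""Map ISMS controls from the Statement of Applicability (SoA) to legal
obligations and report coverage. Added example; all identifiers are
constructed placeholders, not real ISO 27001 control numbers or HIPAA
section references."""
from collections import defaultdict

# Constructed SoA extract: control ID -> (title, applicable?). A control
# excluded from the SoA cannot be relied on to satisfy an obligation.
SOA_CONTROLS = {
    "CTRL-01": ("Access control policy", True),
    "CTRL-02": ("User access provisioning", True),
    "CTRL-03": ("Cryptographic controls", True),
    "CTRL-04": ("Information security incident management", True),
    "CTRL-05": ("Secure disposal of media", False),   # excluded from the SoA
    "CTRL-06": ("Supplier service delivery management", True),
}

# Constructed obligations: obligation ID -> (source, requirement summary).
OBLIGATIONS = {
    "OBL-A": ("Statute (placeholder)", "Restrict access to protected records to authorised workforce"),
    "OBL-B": ("Statute (placeholder)", "Encrypt protected records in transit"),
    "OBL-C": ("Regulation (placeholder)", "Notify affected parties of a breach"),
    "OBL-D": ("Contract (placeholder)", "Destroy customer media securely at end of contract"),
}

# Constructed many-to-many mapping of controls to the obligations they address.
# The last row deliberately relies on a control excluded from the SoA.
MAPPING = [
    ("CTRL-01", "OBL-A"),
    ("CTRL-02", "OBL-A"),
    ("CTRL-03", "OBL-B"),
    ("CTRL-04", "OBL-C"),
    ("CTRL-05", "OBL-D"),
]


def validate_mapping(controls, obligations, mapping):
    """Return a list of problems: unknown IDs, or mappings that rely on a
    control the SoA marks as not applicable."""
    problems = []
    for ctrl, obl in mapping:
        if ctrl not in controls:
            problems.append(f"unknown control {ctrl}")
        elif not controls[ctrl][1]:
            problems.append(f"{ctrl} is excluded from the SoA but mapped to {obl}")
        if obl not in obligations:
            problems.append(f"unknown obligation {obl}")
    return problems


def coverage(controls, obligations, mapping):
    """Summarise which applicable controls are leveraged and which obligations
    are left without any applicable control behind them."""
    by_obligation = defaultdict(set)
    for ctrl, obl in mapping:
        if ctrl in controls and controls[ctrl][1]:   # only applicable controls count
            by_obligation[obl].add(ctrl)
    leveraged = set().union(*by_obligation.values()) if by_obligation else set()
    uncovered = sorted(o for o in obligations if o not in by_obligation)
    return {
        "leveraged_controls": sorted(leveraged),
        "leveraged_share": len(leveraged) / len(controls),
        "uncovered_obligations": uncovered,
    }


if __name__ == "__main__":
    for p in validate_mapping(SOA_CONTROLS, OBLIGATIONS, MAPPING):
        print("PROBLEM:", p)
    report = coverage(SOA_CONTROLS, OBLIGATIONS, MAPPING)
    print(f"{len(report['leveraged_controls'])} of {len(SOA_CONTROLS)} controls leveraged")
    for obl in report["uncovered_obligations"]:
        print("GAP:", obl, "-", OBLIGATIONS[obl][1])
```

Run against the constructed data, the validator flags the row that leans on the excluded control, and the coverage report counts 4 of 6 controls as leveraged with one obligation left uncovered; in practice the same two checks are what an auditor will look for when walking the SoA against the legal register.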
We can choose to respond to a security incident after the fact, or act before a threat exploits a known vulnerability: we can choose to identify the threats and matching vulnerabilities and remediate them to acceptable levels.
ISO 27001 has already developed controls that are designed to remediate common or known threats, vulnerabilities and risks.
A close assessment of the technology stack can easily identify vulnerabilities that might be exposed to threats leading to risks.
Risk Management Goals:
To assess risks to Information Assets and System Resources.
To state the goals of the RM, along with the desired security level to be attained, consistent with the Enterprise's risk appetite and the sensitivity of its Information Assets.
To identify vulnerabilities within the infrastructure and facilitate the decision-making process by determining likelihood and impact based on motive and opportunity.
To identify the potential impacts should a threat agent successfully exploit an identified vulnerability, affecting the Information Assets, System Resources and the business functions and applications they support, expressed in terms of confidentiality, integrity and availability.
To provide recommendations that will mitigate and/or eliminate risk to acceptable levels.
Risk Acceptance Criteria: There are three Risk Acceptance Criteria scenarios that management can choose from, based on the results of a Risk Assessment and the overall Risk Rating:
Management can choose to accept the risk, in which case they do nothing to remediate it. They should understand that they will be held accountable for any resulting security incident; however, the risk of a security incident may not be a concern to management, and thus they tend to accept low risks as part of normal daily operations.
Management may choose to remediate the risk, in which case management takes some sort of corrective and/or preventive action to mitigate and/or eliminate the risk from the Enterprise's environment.
Management may also choose to transfer the risk, in which case management has chosen to outsource the process causing the risk and/or purchase insurance to cover the potential damages caused by the realization of a risk.
Temporary ISMS Exemption Application: There may be occasions where compliance is not possible during a particular period of time, and an exemption from compliance is the best method of identifying those occasions and following up to ensure that they are closed. In these instances it is important to identify the manager responsible for the security gap and have them sign off. This not only helps the Enterprise's security office to document gaps but also identifies the responsible party who will ensure that they are closed. The following information is required for the Temporary Exemption Form to be completed:
Exemption period (from/to)
ISMS policy, procedure or standard reference ID
Reason for Exemption Application
Department or division unit affected
Information system affected
Network location affected
Rationale: not granting this application a) would adversely affect the accomplishment of the Enterprise's business, or b) would cause a major adverse financial impact
Rationale explanation
Signature of Responsible Manager and date
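A register for the exemption form described above, as an added example not taken from the original deck: each record carries the fields the slide lists, an application is validated before acceptance (a sane period, the mandatory fields, at least one rationale category, the manager's signature), and exemptions whose period has lapsed without being closed are flagged for follow-up, which is the part of the process that most often slips. The record layout and all sample entries are constructed; the ISMS reference IDs are placeholders.

```python
"""Track Temporary ISMS Exemption applications and flag those whose period has
lapsed without closure. Added example; the record layout follows the fields
listed on the slide, and every sample record below is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Exemption:
    exemption_id: str
    period_from: date
    period_to: date
    isms_reference: str              # ISMS policy, procedure or standard reference ID
    reason: str                      # reason for the exemption application
    unit_affected: str               # department or division unit affected
    system_affected: str             # information system affected
    network_location: str            # network location affected
    adverse_business_effect: bool    # rationale a): would adversely affect the business
    major_financial_impact: bool     # rationale b): would cause a major adverse financial impact
    rationale: str                   # rationale explanation
    responsible_manager: str
    signed_on: Optional[date]        # signature date; None means not yet signed
    closed_on: Optional[date] = None # set when the gap has been closed


def validate(ex: Exemption) -> List[str]:
    """Return the reasons an application cannot be accepted (empty list = OK)."""
    issues = []
    if ex.period_to < ex.period_from:
        issues.append("exemption period ends before it starts")
    required = {
        "ISMS reference": ex.isms_reference, "reason": ex.reason,
        "unit affected": ex.unit_affected, "information system": ex.system_affected,
        "network location": ex.network_location, "rationale explanation": ex.rationale,
        "responsible manager": ex.responsible_manager,
    }
    issues += [f"missing {name}" for name, value in required.items() if not value.strip()]
    if not (ex.adverse_business_effect or ex.major_financial_impact):
        issues.append("no rationale category selected")
    if ex.signed_on is None:
        issues.append("not signed by the responsible manager")
    return issues


def overdue(exemptions: List[Exemption], today: date) -> List[Exemption]:
    """Exemptions whose period has ended but which were never closed."""
    return [ex for ex in exemptions if ex.closed_on is None and ex.period_to < today]


def sample_register() -> List[Exemption]:
    """Constructed register: one complete and closed, one unsigned, one lapsed."""
    return [
        Exemption("EX-001", date(2013, 1, 1), date(2013, 3, 31), "ISMS-STD-07 (placeholder)",
                  "Legacy application cannot meet the new password standard until vendor upgrade",
                  "Finance", "Legacy AP system", "Head office LAN", True, False,
                  "Enforcing the standard would lock out month-end processing",
                  "Finance Director", date(2012, 12, 20), closed_on=date(2013, 3, 15)),
        Exemption("EX-002", date(2013, 2, 1), date(2013, 4, 30), "ISMS-POL-03 (placeholder)",
                  "Patch window conflicts with production deadline",
                  "Operations", "Order processing cluster", "Data centre segment B", False, True,
                  "An outage during peak season would breach customer SLAs",
                  "Operations Manager", None),                  # never signed
        Exemption("EX-003", date(2013, 1, 15), date(2013, 2, 15), "ISMS-PRO-11 (placeholder)",
                  "Encryption at rest pending storage upgrade",
                  "Marketing", "Campaign file share", "Branch office LAN", True, False,
                  "The shared drive is needed for the campaign launch",
                  "Marketing Manager", date(2013, 1, 10)),     # period lapsed, still open
    ]


if __name__ == "__main__":
    register = sample_register()
    for ex in register:
        for issue in validate(ex):
            print(f"{ex.exemption_id}: REJECT - {issue}")
    for ex in overdue(register, date(2013, 3, 1)):
        print(f"{ex.exemption_id}: OVERDUE since {ex.period_to}, owner {ex.responsible_manager}")
```

The overdue list is the one to put in front of the ISMS Governance Committee: it names the accountable manager for each lapsed gap, which is exactly why the slide insists on the sign-off.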
Where possible and practical organizations need to integrate the Risk Management decision tool within existing business processes. The Control Self Assessment technique is an excellent approach to RM integration.
The optimal time to initiate the RM process within the SDLC is during the creation of the system definition and functional design criteria, or during development and acquisition.
Identify Assets in Scope: in this work task we document the department name, asset owner and asset name.
Identify Threats: in this work task we document the threat(s) to the asset(s) in scope of the risk analysis, as defined within the RA worksheet, including the threat identification, description and rating.
Identify Business Impact: in this work task we clarify the business perspective on confidentiality, integrity and availability, based on a high, medium or low impact to regular business processes.
Identify Vulnerabilities: in this work task we document the vulnerabilities associated with the asset in scope for risk analysis, as defined in the RA worksheet, including the vulnerability identification, description and rating.
Control Selection: in this work task we list the existing controls for further consideration during the preparation of remediation activities designed to lower the overall risk rating. It is possible that existing controls are implemented incorrectly or suffer from some other deficiency that, if corrected, would eliminate the need for additional controls.
Risk Assessment: in this work task we calculate the overall risk rating: the sum of the threat rating and the CIA business impact ratings, multiplied by the business impact rating and by the vulnerability rating.
Recommendations: in this work task we identify the manager who has been assigned responsibility for facilitating the risk mitigation activity, the expected delivery date and the current status of progress in the resolution process.
Report to Management: in this work task we identify and report to management the planned targets for risk mitigation, expressed in terms of high, medium and low impacts to confidentiality, integrity and availability. These values are rolled up into an overall revised Residual Risk Rating.
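A worked version of the Risk Assessment, Recommendations and Report to Management steps above, as an added example that is not from the original deck: a small register of assets is scored with the rating formula the slide describes, ranked for prioritization, and the planned C/I/A targets are rolled up into a revised residual rating per entry. The 3/2/1 numeric scale for H/M/L, the worst-case roll-up of the three impacts, the H/M/L banding thresholds and every register row are assumptions constructed for the example.

```python
"""Risk Assessment worksheet: compute, rank and roll up risk ratings for a
register of assets. Added example; the H/M/L-to-number scale, the banding
thresholds and all register entries are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List

# The slides rate threats, vulnerabilities and C/I/A impact as High, Medium or
# Low. Mapping those to 3/2/1 is an assumption made here.
RATING = {"H": 3, "M": 2, "L": 1}


@dataclass
class RiskEntry:
    department: str
    asset_owner: str
    asset: str
    threat: str
    threat_rating: str                 # H/M/L
    vulnerability: str
    vulnerability_rating: str          # H/M/L
    impact: Dict[str, str]             # business impact per principle: {"C": .., "I": .., "A": ..}
    existing_controls: List[str] = field(default_factory=list)
    target_impact: Dict[str, str] = field(default_factory=dict)  # planned post-treatment impact
    responsible_manager: str = ""
    status: str = "Open"


def business_impact_rating(impact: Dict[str, str]) -> int:
    """Roll the three C/I/A impacts up to one rating; worst case is assumed."""
    return max(RATING[v] for v in impact.values())


def risk_rating(entry: RiskEntry, impact: Dict[str, str] = None) -> int:
    """Overall risk rating as the slide describes it: the sum of the threat
    rating and the C/I/A business impact ratings, multiplied by the rolled-up
    business impact rating and by the vulnerability rating."""
    impact = entry.impact if impact is None else impact
    cia_sum = sum(RATING[v] for v in impact.values())
    return ((RATING[entry.threat_rating] + cia_sum)
            * business_impact_rating(impact)
            * RATING[entry.vulnerability_rating])


def band(score: int) -> str:
    """Report a numeric score back as H/M/L. With the 3/2/1 scale the score
    ranges from 4 to 108; the cut-offs here are an assumption."""
    if score >= 54:
        return "H"
    if score >= 18:
        return "M"
    return "L"


def rank(register: List[RiskEntry]):
    """Prioritised list of (asset, rating, band), highest risk first."""
    scored = [(e.asset, risk_rating(e), band(risk_rating(e))) for e in register]
    return sorted(scored, key=lambda row: row[1], reverse=True)


def residual_report(register: List[RiskEntry]):
    """Revised Residual Risk Rating per entry using the planned impact targets;
    entries without a treatment target keep their current rating."""
    report = {}
    for e in register:
        target = e.target_impact or e.impact
        residual = risk_rating(e, target)
        report[e.asset] = {"current": risk_rating(e), "residual": residual,
                           "residual_band": band(residual),
                           "manager": e.responsible_manager, "status": e.status}
    return report


def sample_register() -> List[RiskEntry]:
    """Constructed worksheet rows covering three of the six asset groups."""
    return [
        RiskEntry("Operations", "J. Doe", "Customer records database",
                  "External attacker using stolen or default credentials", "H",
                  "Default credentials not changed on database service", "H",
                  {"C": "H", "I": "M", "A": "L"},
                  ["Password policy (not enforced on service accounts)"],
                  {"C": "L", "I": "L", "A": "L"}, "DBA manager", "In progress"),
        RiskEntry("Finance", "A. Smith", "Payments clerk role",
                  "Insider fraud", "M",
                  "No segregation of duties for payment approval", "H",
                  {"C": "L", "I": "H", "A": "L"},
                  ["Monthly reconciliation"],
                  {"C": "L", "I": "M", "A": "L"}, "Finance director", "Open"),
        RiskEntry("Facilities", "R. Lee", "Branch server room",
                  "Power failure", "M",
                  "No UPS on branch servers", "M",
                  {"C": "L", "I": "L", "A": "M"},
                  [],
                  {"C": "L", "I": "L", "A": "L"}, "Facilities manager", "Open"),
    ]


if __name__ == "__main__":
    reg = sample_register()
    for asset, score, b in rank(reg):
        print(f"{b} {score:3d}  {asset}")
    for asset, r in residual_report(reg).items():
        print(f"{asset}: {r['current']} -> {r['residual']} ({r['residual_band']}), "
              f"{r['manager']}, {r['status']}")
```

Note that the residual rating still carries the vulnerability rating: lowering the planned impact is only half the picture, and the register should be re-scored once the corrective action has actually been validated as closing the vulnerability.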
The Corrective Action and Preventive Action plans are important pieces of the evidence-based Quality Management component of Risk Management. The CA or PA can be initiated together or completely separately from one another. CAPA reports will be audited and include specific information such as the date, the source of the nonconformity, who is responsible for taking action and the date by which it will be completed. The root cause must also be documented. Once the CAPA has been completed it must be independently validated.
Risk Treatment Plans are defined by Corrective Action plans and Preventive Action plans. The RTP is essentially a rolled-up dashboard used by the ISMS Governance Committee for tracking and monitoring CAPA.
Following the assessment of threats and vulnerabilities and the identification of risks, management makes a decision and we begin monitoring and tracking risks.
In more advanced ISMS Risk Management programs we monitor and track risks in connection with the Enterprise Risk Management program.
We should not track risks only internally, as many risks are shared with external vendors and service providers through Service Management processes and the Service Desk.
Risk Management is a useful process that should be seamlessly integrated within every business process to help support and facilitate management decisions. Need help with your Risk Management adoption or integration project? Please contact me, thanks.
For more information contact: Skype: Mark_E_S_Bernard; Twitter: @MESB_TechSecure; LinkedIn: http://ca.linkedin.com/in/markesbernard