5.Information Security Policy
8/12/2019 5.Information Security Policy
ISO 27002
Lecturer: CH. Nguyễn Duy
Email: [email protected]
-
Content
What is data security?
What is ISO 27001?
What is ISO 27002?
Analyze ISO 27001-2005
Analyze ISO 27002-2005
Nguyễn Duy, Intranet and Internet Management and Security
-
Risk relationship
-
What is data security?
-
The source of data loss
[Figure: data types (Data-in-Motion, Data-at-Rest, Data-in-Use) and the channels through which data leaves the organization: email, web post, network, IM/chat, desktop/laptop, database, file share, removable media, screen, printer, clipboard]
-
The source of data loss
[Figure: DLP deployment points. DLP Monitor at the switch and DLP Prevent at the firewall, web gateway and email gateway cover Data-in-Motion; DLP Discover over databases or repositories covers Data-at-Rest; DLP Endpoint covers Data-in-Use]
-
Threat Agent
[Figure: threat agents. Human (employee, attacker), Machine, Nature]
-
Data security
-
Defense in Depth Layers
-
What is ISO 27001?
ISO 27001 formally specifies how to establish an Information Security Management System (ISMS).
ISO 27001 provides a system for monitoring and maintaining:
Confidentiality of information
Availability of information
Accuracy of information
The design and implementation of an organization's ISMS is influenced by its business and security objectives, its security risks and control requirements, the processes employed and the size and structure of the organization.
-
Benefits of ISO 27001
Business continuity
Assessment of risks and implementation of ways to reduce effects
Regular assessment to maintain effectiveness
Improved security
Access control
Provides an internal management process
-
[Figure: the ISMS process as a PDCA cycle. Interested parties' information security requirements and expectations enter the cycle: PLAN (establish the ISMS), DO (implement and operate the ISMS), CHECK (monitor and review the ISMS), ACT (maintain and improve), all under management responsibility; the output to interested parties is managed information security]
-
What is ISO 27002?
ISO 27002 is a Code of Practice: a large number of information security controls.
The numerous information security controls recommended by the standard are meant to be implemented in the context of an ISMS, in order to address risks and satisfy applicable control objectives systematically.
-
Analyze ISO 27001-2005
-
Management Support
Management should actively support information security by giving clear direction (e.g. policies), demonstrating the organization's commitment, plus explicitly assigning information security responsibilities to suitable people.
Management should approve the information security policy, allocate resources, assign security roles and co-ordinate and review the implementation of security across the organization.
Overt management support makes information security more effective throughout the organization, not least by aligning it with business and strategic objectives.
-
Defining ISMS scope
Management should define the scope of the ISMS in terms of the nature of the business, the organization, its location, information assets and technologies.
If commonplace controls are deemed not applicable, this should be justified and documented in the Statement of Applicability (SOA).
-
Inventory of Assets
An inventory of all important information assets should be developed and maintained, recording details such as:
Type of asset
Format (i.e. software, physical/printed, services, people, intangibles)
Location
Backup information
License information
Business value (e.g. what business processes depend on it?)
-
Risk Assessment
Risk assessments should identify, quantify, and prioritize information security risks against defined criteria for risk acceptance and objectives relevant to the organization.
Assessing risks and selecting controls may need to be performed repeatedly across different parts of the organization and information systems, and to respond to changes.
-
Prepare Statement of Applicability
The Statement of Applicability (SOA) is a key ISMS document listing the organization's information security control objectives and controls.
The SOA is derived from the results of the risk assessment, where:
Risk treatments have been selected
All relevant legal and regulatory requirements have been identified
-
Prepare Risk Treatment Plan
The organization should formulate a risk treatment plan (RTP) identifying the appropriate management actions, resources, responsibilities and priorities for dealing with its information security risks.
The RTP should be set within the context of the organization's information security policy and should clearly identify the approach to risk and the criteria for accepting risk.
-
PDCA Model
Plan (establish the ISMS)
Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization's overall policies and objectives.
Do (implement and operate the ISMS)
Implement and operate the ISMS policy, controls, processes and procedures.
Check (monitor and review the ISMS)
Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience and report the results to management for review.
Act (maintain and improve the ISMS)
Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.
-
The ISMS
It is important to be able to demonstrate the relationship from the selected controls back to the risk assessment and risk treatment process, and subsequently back to the ISMS policy and objectives.
ISMS documentation should include:
Documented statements of the ISMS policy and objectives
The scope of the ISMS
Procedures and other controls in support of the ISMS
A description of the risk assessment methodology
A risk assessment report and Risk Treatment Plan (RTP)
Procedures for effective planning, operation and control of the information security processes, describing how to measure the effectiveness of controls
The Statement of Applicability (SOA)
-
Compliance Review and Corrective Actions
Management must review the organization's ISMS at least once a year to ensure its continuing suitability, adequacy and effectiveness.
They must assess opportunities for improvement and the need for changes to the ISMS, including the information security policy and information security objectives.
The results of these reviews must be clearly documented and maintained (records).
Reviews are part of the Check phase of the PDCA cycle.
-
Pre-Certification Assessment
Prior to certification, the organization should carry out a comprehensive review of the ISMS and SOA.
The organization will need to demonstrate compliance with both the full PDCA cycle and clause 8 of ISO 27001, the requirement for continual improvement.
The ISMS therefore needs a while to settle down, operate normally and generate the records after it has been implemented.
-
Management Support
Certification involves the organization's ISMS being assessed for compliance with ISO 27001.
The certification body needs to gain assurance that the organization's information security risk assessment properly reflects its business activities for the full scope of the ISMS.
-
Analyze ISO 27002-2005
Scope
Terms and definitions
Structure of this standard
Risk assessment and treatment
Policy
-
Analyze ISO 27002-2005
Scope
The standard gives information security management recommendations for those who are responsible for initiating, implementing or maintaining security.
-
Analyze ISO 27002-2005
Terms and definitions
Information security is explicitly defined as the preservation of confidentiality, integrity and availability of information.
Asset: anything that has value to the organization.
Control: means of managing risk, including policies, procedures, guidelines, practices or organizational structures.
Guideline: a description that clarifies what should be done and how, to achieve the objectives set out in policies.
-
Analyze ISO 27002-2005
Structure of this standard
This standard contains 11 security control clauses collectively containing a total of 39 main security categories, and one introductory clause introducing risk assessment and treatment.
-
Analyze ISO 27002-2005
Security Control Clauses
1. Security Policy
2. Organization of Information Security
3. Asset Management
4. Human Resources Security
5. Physical Security
6. Communications and Ops Management
7. Access Control
8. Information Systems Acquisition, Development, Maintenance
9. Information Security Incident Management
10. Business Continuity
11. Compliance
-
Analyze ISO 27002-2005
Main security categories
Each main security category contains:
a control objective stating what is to be achieved
one or more controls that can be applied to achieve the control objective
-
Analyze ISO 27002-2005
1. Security Policy
Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
Management should set a clear policy direction in line with business objectives, and demonstrate support for, and commitment to, information security through the issue and maintenance of an information security policy across the organization.
-
Analyze ISO 27002-2005
1. Security Policy
Information security policy document: Control
An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties.
Implementation guidance:
a definition of information security
a framework for setting control objectives and controls
a brief explanation of the security policies, principles, standards, and compliance requirements of particular importance to the organization
a definition of general and specific responsibilities
references to documentation which may support the policy
Other information.
-
Analyze ISO 27002-2005
2. Organization of Information Security
Internal organization
Objective: To manage information security within the organization
Management commitment to information security
Information security co-ordination
Allocation of information security responsibilities
Authorization process for information processing facilities
Confidentiality agreements
Contact with authorities
Contact with special interest groups
Independent review of information security
-
Analyze ISO 27002-2005
2. Organization of Information Security
External parties
Objective: To maintain the security of the organization's information and information processing facilities that are accessed, processed, communicated to, or managed by external parties
Identification of risks related to external parties
Addressing security when dealing with customers
Addressing security in third party agreements
-
Analyze ISO 27002-2005
2. Organization of Information Security
Identification of risks related to external parties:
the information processing facilities an external party is required to access
the type of access the external party will have to the information and information processing facilities: physical access, logical access
network connectivity between the organization's and the external party's network: permanent connection, remote access
...
-
Analyze ISO 27002-2005
2. Organization of Information Security
Addressing security when dealing with customers:
asset protection, including procedures to protect the organization's assets, including information and software, and management of known vulnerabilities
procedures to determine whether any compromise of the assets, e.g. loss or modification of data, has occurred
restrictions on copying and disclosing information
description of the product or service to be provided
...
-
Analyze ISO 27002-2005
2. Organization of Information Security
Addressing security in third party agreements:
ISP
Online services: Gmail, Yahoo, ...
Distribution: hardware, software and services
-
Analyze ISO 27002-2005
3. Asset Management
Objective: To achieve and maintain appropriate protection of organizational assets
Responsibility for assets
Inventory of assets
Ownership of assets
Acceptable use of assets
Information classification
Information should be classified in terms of its value, legal requirements, sensitivity, and criticality to the organization.
-
Analyze ISO 27002-2005
3. Asset Management
Inventory of assets
Information: databases and data files, contracts and agreements, system documentation, research information, user manuals, training material, ...
Software assets: application software, system software, development tools, and utilities
Physical assets: computer equipment, communications equipment, removable media, and other equipment
Services: computing and communications services, general utilities
People, and their qualifications, skills, and experience
-
Analyze ISO 27002-2005
4. Human Resources Security
Prior to employment
During employment
Termination or change of employment
-
Analyze ISO 27002-2005
4. Human Resources Security
Prior to employment
Objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities
Roles and responsibilities
Screening
Terms and conditions of employment
-
Analyze ISO 27002-2005
4. Human Resources Security
Roles and responsibilities:
implement and act in accordance with the organization's information security policies
protect assets from unauthorized access, disclosure, modification, destruction or interference
execute particular security processes or activities
ensure responsibility is assigned to the individual for actions taken
report security events or potential events or other security risks to the organization
-
Analyze ISO 27002-2005
4. Human Resources Security
During employment
Objective: To ensure that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error
Management responsibilities
Information security awareness, education, and training
Disciplinary process
-
Analyze ISO 27002-2005
4. Human Resources Security
Termination or change of employment
Objective: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner
Termination responsibilities
Return of assets
Removal of access rights
-
Analyze ISO 27002-2005
5. Physical Security
Secure areas
Physical security perimeter
Physical entry controls
Securing offices, rooms, and facilities
Protecting against external and environmental threats
Working in secure areas
Public access, delivery, and loading areas
Equipment security
-
Analyze ISO 27002-2005
5. Physical Security
Equipment security
Equipment siting and protection
Supporting utilities
Cabling security
Equipment maintenance
Security of equipment off-premises
Secure disposal or re-use of equipment
Removal of property
-
Analyze ISO 27002-2005
6. Communications and Ops Management
Operational procedures and responsibilities
Third party service delivery management
Protection against malicious and mobile code
Back-up
Network security management
Media handling
Exchange of information
Electronic commerce services
-
Analyze ISO 27002-2005
7. Access Control
Business requirement for access control
User access management
User responsibilities
Network access control
Operating system access control
Application and information access control
-
Analyze ISO 27002-2005
7. Access Control
Business requirement for access control
Access control policy
Access control rules and rights for each user or group of users should be clearly stated in an access control policy.
Access controls are both logical and physical.
-
Analyze ISO 27002-2005
7. Access Control
User access management
User registration
using unique user IDs
checking that the user has authorization from the system owner
checking that the level of access granted is appropriate to the business purpose
giving users a written statement of their access rights
-
Analyze ISO 27002-2005
7. Access Control
User access management (cont.)
Privilege management
identifying the access privileges associated with each system product
privileges should be allocated to users on a need-to-use basis
privileges should not be granted until the authorization process is complete
-
Analyze ISO 27002-2005
7. Access Control
User access management (cont.)
User password management
Passwords should be complex
Passwords should never be stored on computer systems in an unprotected form
Default vendor passwords should be altered following installation of systems or software
Users should be forced to change their initial password immediately after first logon
-
Analyze ISO 27002-2005
7. Access Control
User access management (cont.)
Review of user access rights
Users' access rights should be reviewed at regular intervals
Authorizations for special privileged access rights should be reviewed at more frequent intervals
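The rules on this and the preceding user-access-management slides (regular review of all rights, more frequent review of privileged rights, no privileges before authorization is complete, removal of access at termination) can be run as a periodic check over an access inventory. The following is an added example and not part of the slides; the review intervals (180 and 90 days), the record fields and the sample inventory are assumptions constructed for it.

```python
"""Access-rights review check (added example, not from the slides).

Turns the review rules on the user-access-management slides into a
periodic check: regular review of all user rights, more frequent review
of privileged rights, no privileges before authorization is complete,
and removal of access when employment ends. The interval lengths, the
record fields and the sample inventory are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed intervals: the standard only asks that privileged rights be
# reviewed more often than ordinary rights; the numbers are ours.
REGULAR_REVIEW = timedelta(days=180)
PRIVILEGED_REVIEW = timedelta(days=90)

Finding = Tuple[str, str, str]  # (user_id, system, description)


@dataclass
class AccessRecord:
    user_id: str                 # unique user ID, never a shared account
    system: str                  # system or application the right applies to
    privileged: bool             # special privileged access right?
    authorized: bool             # system owner's authorization completed?
    employed: bool               # False once the person has left
    last_review: Optional[date]  # None if the right was never reviewed


def review_findings(records: List[AccessRecord], today: date) -> List[Finding]:
    """Return one finding per rule violated, in input order.

    A terminated user's right is reported once and not checked further,
    since the right should simply be removed.
    """
    findings: List[Finding] = []
    for r in records:
        if not r.employed:
            findings.append((r.user_id, r.system, "access not removed after termination"))
            continue
        if not r.authorized:
            findings.append((r.user_id, r.system, "granted before authorization completed"))
        limit = PRIVILEGED_REVIEW if r.privileged else REGULAR_REVIEW
        if r.last_review is None:
            findings.append((r.user_id, r.system, "never reviewed"))
        elif today - r.last_review > limit:
            overdue = (today - r.last_review - limit).days
            kind = "privileged" if r.privileged else "regular"
            findings.append((r.user_id, r.system, f"{kind} review overdue by {overdue} days"))
    return findings


# Constructed sample inventory (not real accounts). alice and bob were
# reviewed on the same day; only bob's privileged right is overdue.
SAMPLE = [
    AccessRecord("alice", "hr-db", False, True, True, date(2019, 5, 1)),
    AccessRecord("bob", "hr-db", True, True, True, date(2019, 5, 1)),
    AccessRecord("carol", "fileshare", False, True, False, date(2019, 7, 1)),
    AccessRecord("dave", "erp", True, False, True, None),
]


def demo() -> List[Finding]:
    """Run the check against the sample as of the deck's date."""
    return review_findings(SAMPLE, date(2019, 8, 12))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```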
-
Analyze ISO 27002-2005
7. Access Control
User responsibilities
Password
Unattended user equipment
Clear desk and clear screen policy
-
Analyze ISO 27002-2005
7. Access Control
Network access control
Policy on use of network services
User authentication for external connections
Equipment identification in networks
Segregation in networks
Network connection control
Network routing control
-
Analyze ISO 27002-2005
7. Access Control
Operating system access control
Secure log-on procedures
User identification and authentication
Password management system
Use of system utilities
Session time-out
Limitation of connection time
-
Analyze ISO 27002-2005
7. Access Control
Operating system access control
Secure log-on procedures
not display system or application identifiers until the log-on process has been successfully completed
limit the maximum and minimum time allowed for the log-on procedure
not display the password being entered, or consider hiding the password characters by symbols
not transmit passwords in clear text over a network
-
Analyze ISO 27002-2005
7. Access Control
Operating system access control
Password management system
enforce the use of individual user IDs and passwords to maintain accountability
allow users to select and change their own passwords
enforce a choice of quality passwords
enforce password changes
store password files separately from application system data
-
Analyze ISO 27002-2005
7. Access Control
Application and information access control
Information access restriction
Sensitive system isolation
-
Analyze ISO 27002-2005
8. Information Systems Acquisition, Development, Maintenance
-
Analyze ISO 27002-2005
9. Information Security Incident Management
-
Analyze ISO 27002-2005
10. Business Continuity
-
Analyze ISO 27002-2005
11. Compliance
-
Questions?