5. Information Security Policy


Transcript of 5. Information Security Policy

  • 8/12/2019 5.Information Security Policy

    1/65

    ISO 27002

    Lecturer (GV): CH. Nguyễn Duy

    Email: [email protected]

  • 2/65 Content

    What is data security?

    What is ISO 27001?

    What is ISO 27002?

    Analyze ISO 27001-2005

    Analyze ISO 27002-2005

    Nguyễn Duy, Intranet and Internet Management and Security

  • 3/65 Risk relationship

  • 4/65 What is data security?

    What is data security?

    What is ISO 27001?

    What is ISO 27002?

    Analyze ISO 27002-2005

    Nguyễn Duy, Developing an Information Security Policy (Xây dựng chính sách ATTT)

  • 5/65 The source of data loss

    (figure, "Wild Wild West": the data states Data-in-Motion, Data-at-Rest and Data-in-Use against the channels Email, Web Post, Network, IM Chat, Desktop/Laptop, Database, File Share, Removable Media, Screen, Printer and Clipboard)

  • 6/65 The source of data loss

    (figure: DLP deployment diagram showing Switch, Firewall, Web Gateway, Email Gateway and Databases or Repositories, with DLP Monitor, DLP Prevent, DLP Discover and DLP Endpoint placed against Data-in-Motion, Data-at-Rest and Data-in-Use)

  • 7/65 Threat Agent

    Human

    Employee

    Attacker

    Machine

    Nature

  • 8/65 Data security

  • 9/65 Defense in Depth Layers

  • 10/65 What is ISO 27001

    ISO 27001 formally specifies how to establish an Information Security Management System (ISMS).

    ISO 27001 provides a system for monitoring and maintaining:

    Confidentiality of information

    Availability of information

    Accuracy of information

    The design and implementation of an organization's ISMS is influenced by its business and security objectives, its security risks and control requirements, the processes employed and the size and structure of the organization.

  • 11/65 Benefits of ISO 27001

    Business continuity

    Assessment of risks and implementation of ways to reduce effects

    Regular assessment to maintain effectiveness

    Improved security

    Access control

    Provides an internal management process

  • 12/65 ISMS PROCESS

    (figure: the ISMS process as a PDCA cycle. Input: interested parties' information security requirements and expectations. PLAN: establish the ISMS. DO: implement and operate the ISMS. CHECK: monitor and review the ISMS. ACT: maintain and improve. Management responsibility spans the whole cycle. Output: managed information security for the interested parties.)

  • 13/65 What is ISO 27002?

    ISO 27002 is a Code of Practice: a large number of information security controls.

    The numerous information security controls recommended by the standard are meant to be implemented in the context of an ISMS, in order to address risks and satisfy applicable control objectives systematically.

  • 14/65 Analyze ISO 27001-2005

  • 15/65 Management Support

    Management should actively support information security by giving clear direction (e.g. policies), demonstrating the organization's commitment, plus explicitly assigning information security responsibilities to suitable people.

    Management should approve the information security policy, allocate resources, assign security roles and co-ordinate and review the implementation of security across the organization.

    Overt management support makes information security more effective throughout the organization, not least by aligning it with business and strategic objectives.

  • 16/65 Defining ISMS scope

    Management should define the scope of the ISMS in terms of the nature of the business, the organization, its location, information assets and technologies.

    If commonplace controls are deemed not applicable, this should be justified and documented in the Statement of Applicability (SOA).

  • 17/65 Inventory of Assets

    An inventory of all important information assets should be developed and maintained, recording details such as:

    Type of asset

    Format (i.e. software, physical/printed, services, people, intangibles)

    Location

    Backup information

    License information

    Business value (e.g. what business processes depend on it?)

  • 18/65 Risk Assessment

    Risk assessments should identify, quantify, and prioritize information security risks against defined criteria for risk acceptance and objectives relevant to the organization.

    Assessing risks and selecting controls may need to be performed repeatedly across different parts of the organization and information systems, and to respond to changes.

  • 19/65 Prepare Statement of Applicability

    The Statement of Applicability (SOA) is a key ISMS document listing the organization's information security control objectives and controls.

    The SOA is derived from the results of the risk assessment, where:

    Risk treatments have been selected

    All relevant legal and regulatory requirements have been identified

  • 20/65 Prepare Risk Treatment Plan

    The organization should formulate a risk treatment plan (RTP) identifying the appropriate management actions, resources, responsibilities and priorities for dealing with its information security risks.

    The RTP should be set within the context of the organization's information security policy and should clearly identify the approach to risk and the criteria for accepting risk.
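As an added example (not part of the slides or of the ISO standards themselves), the following Python code walks one set of constructed risks through the procedure on slides 18 to 20 and the SOA justification rule on slide 16: quantify and prioritize the risks, apply a risk acceptance criterion, derive the RTP, and derive the SOA from it. The scoring scale, the acceptance threshold, the control catalogue and the sample register entries are all assumptions.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int          # 1 (rare) to 5 (almost certain); constructed scale
    impact: int              # 1 (negligible) to 5 (severe); constructed scale
    candidate_control: str   # ISO 27002 control that would treat the risk
    owner: str

    @property
    def score(self) -> int:
        # Quantify the risk as a simple likelihood x impact product (assumed method)
        return self.likelihood * self.impact


# Constructed risk acceptance criterion: a score of 6 or below is accepted as is
RISK_ACCEPTANCE_THRESHOLD = 6

# A few ISO 27002:2005 controls named on the slides, keyed to their clause
CONTROL_CATALOGUE = {
    "Back-up": "6. Communications and Ops Management",
    "Removal of access rights": "4. Human Resources Security",
    "Cabling security": "5. Physical Security",
    "Session time-out": "7. Access Control",
}


def build_rtp(risks, threshold=RISK_ACCEPTANCE_THRESHOLD):
    """Risk Treatment Plan: prioritized risks, each with a treatment, owner and control."""
    rows = []
    for rank, r in enumerate(sorted(risks, key=lambda x: x.score, reverse=True), start=1):
        treatment = "accept" if r.score <= threshold else "mitigate"
        rows.append({
            "priority": rank,
            "asset": r.asset,
            "threat": r.threat,
            "score": r.score,
            "treatment": treatment,
            "control": r.candidate_control if treatment == "mitigate" else None,
            "owner": r.owner,
        })
    return rows


def build_soa(rtp, catalogue=CONTROL_CATALOGUE):
    """Statement of Applicability: every catalogue control with a justification either way."""
    selected = {row["control"] for row in rtp if row["control"]}
    soa = {}
    for control, clause in catalogue.items():
        applicable = control in selected
        soa[control] = {
            "clause": clause,
            "applicable": applicable,
            # Slide 16: a control deemed not applicable must be justified in the SOA
            "justification": ("selected as a risk treatment in the RTP" if applicable
                              else "no risk above the acceptance criterion requires it"),
        }
    return soa


SAMPLE_RISKS = [  # constructed register entries
    Risk("customer database", "disk failure with no restorable copy", 3, 5, "Back-up", "IT operations"),
    Risk("file share", "leaver's account still active", 4, 3, "Removal of access rights", "HR"),
    Risk("server room", "cable damage during maintenance", 2, 2, "Cabling security", "Facilities"),
    Risk("HR application", "unattended logged-in session", 3, 2, "Session time-out", "HR"),
]

if __name__ == "__main__":
    plan = build_rtp(SAMPLE_RISKS)
    for row in plan:
        print(row["priority"], row["asset"], row["score"], row["treatment"], row["control"])
    for control, entry in build_soa(plan).items():
        print(control, "applicable" if entry["applicable"] else "not applicable", entry["justification"])
```

Because the SOA is computed from the RTP, every applicable control can be traced back to the risk that selected it, which is the traceability slide 22 asks for.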

  • 21/65 PDCA Model

    Plan (establish the ISMS): Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization's overall policies and objectives.

    Do (implement and operate the ISMS): Implement and operate the ISMS policy, controls, processes and procedures.

    Check (monitor and review the ISMS): Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience and report the results to management for review.

    Act (maintain and improve the ISMS): Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.

  • 22/65 The ISMS

    It is important to be able to demonstrate the relationship from the selected controls back to the risk assessment and risk treatment process, and subsequently back to the ISMS policy and objectives.

    ISMS documentation should include:

    Documented statements of the ISMS policy and objectives

    The scope of the ISMS

    Procedures and other controls in support of the ISMS

    A description of the risk assessment methodology

    A risk assessment report and Risk Treatment Plan (RTP)

    Procedures for effective planning, operation and control of the information security processes, describing how to measure the effectiveness of controls

    The Statement of Applicability (SOA)

  • 23/65 Compliance Review and Corrective Actions

    Management must review the organization's ISMS at least once a year to ensure its continuing suitability, adequacy and effectiveness.

    They must assess opportunities for improvement and the need for changes to the ISMS, including the information security policy and information security objectives.

    The results of these reviews must be clearly documented and maintained (records).

    Reviews are part of the Check phase of the PDCA cycle.

  • 24/65 Pre-Certification Assessment

    Prior to certification, the organization should carry out a comprehensive review of the ISMS and SOA.

    The organization will need to demonstrate compliance with both the full PDCA cycle and clause 8 of ISO 27001, the requirement for continual improvement.

    The ISMS therefore needs a while to settle down, operate normally and generate the records after it has been implemented.

  • 25/65 Management Support

    Certification involves the organization's ISMS being assessed for compliance with ISO 27001.

    The certification body needs to gain assurance that the organization's information security risk assessment properly reflects its business activities for the full scope of the ISMS.

  • 26/65 Analyze ISO 27002-2005

    Scope

    Terms and definitions

    Structure of this standard

    Risk assessment and treatment

    Policy

  • 27/65 Analyze ISO 27002-2005: Scope

    The standard gives information security management recommendations for those who are responsible for initiating, implementing or maintaining security.

  • 28/65 Analyze ISO 27002-2005: Terms and definitions

    Information security is explicitly defined as the preservation of confidentiality, integrity and availability of information.

    Asset: anything that has value to the organization

    Control: means of managing risk, including policies, procedures, guidelines, practices or organizational structures

    Guideline: a description that clarifies what should be done and how, to achieve the objectives set out in policies

  • 29/65 Analyze ISO 27002-2005: Structure of this standard

    This standard contains 11 security control clauses collectively containing a total of 39 main security categories, and one introductory clause introducing risk assessment and treatment.

  • 30/65 Analyze ISO 27002-2005: Security Control Clauses

    1. Security Policy
    2. Organization of Information Security
    3. Asset Management
    4. Human Resources Security
    5. Physical Security
    6. Communications and Ops Management
    7. Access Control
    8. Information Systems Acquisition, Development, Maintenance
    9. Information Security Incident Management
    10. Business Continuity
    11. Compliance

  • 31/65 Analyze ISO 27002-2005: Main security categories

    Each main security category contains:

    a control objective stating what is to be achieved

    one or more controls that can be applied to achieve the control objective

  • 32/65 Analyze ISO 27002-2005: 1. Security Policy

    Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

    Management should set a clear policy direction in line with business objectives, and demonstrate support for, and commitment to, information security through the issue and maintenance of an information security policy across the organization.

  • 33/65 Analyze ISO 27002-2005: 1. Security Policy

    Information security policy document: Control

    An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties.

    Implementation guidance:

    a definition of information security

    a framework for setting control objectives and controls

    a brief explanation of the security policies, principles, standards, and compliance requirements of particular importance to the organization

    a definition of general and specific responsibilities

    references to documentation which may support the policy

    Other information

  • 34/65 Analyze ISO 27002-2005: 2. Organization of Information Security

    Internal organization

    Objective: To manage information security within the organization

    Management commitment to information security

    Information security co-ordination

    Allocation of information security responsibilities

    Authorization process for information processing facilities

    Confidentiality agreements

    Contact with authorities

    Contact with special interest groups

    Independent review of information security

  • 35/65 Analyze ISO 27002-2005: 2. Organization of Information Security

    External parties

    Objective: To maintain the security of the organization's information and information processing facilities that are accessed, processed, communicated to, or managed by external parties

    Identification of risks related to external parties

    Addressing security when dealing with customers

    Addressing security in third party agreements

  • 36/65 Analyze ISO 27002-2005: 2. Organization of Information Security

    Identification of risks related to external parties:

    the information processing facilities an external party is required to access

    the type of access the external party will have to the information and information processing facilities: physical access, logical access

    network connectivity between the organization's and the external party's network: permanent connection, remote access

    ...

  • 37/65 Analyze ISO 27002-2005: 2. Organization of Information Security

    Addressing security when dealing with customers:

    asset protection, including procedures to protect the organization's assets, including information and software, and management of known vulnerabilities

    procedures to determine whether any compromise of the assets, e.g. loss or modification of data, has occurred

    restrictions on copying and disclosing information

    description of the product or service to be provided

    ...

  • 38/65 Analyze ISO 27002-2005: 2. Organization of Information Security

    Addressing security in third party agreements:

    ISP

    Online services: Gmail, Yahoo, ...

    Distribution: hardware, software and services

  • 39/65 Analyze ISO 27002-2005: 3. Asset Management

    Objective: To achieve and maintain appropriate protection of organizational assets

    Responsibility for assets

    Inventory of assets

    Ownership of assets

    Acceptable use of assets

    Information classification

    Information should be classified in terms of its value, legal requirements, sensitivity, and criticality to the organization.

  • 40/65 Analyze ISO 27002-2005: 3. Asset Management

    Inventory of assets

    Information: databases and data files, contracts and agreements, system documentation, research information, user manuals, training material, ...

    Software assets: application software, system software, development tools, and utilities

    Physical assets: computer equipment, communications equipment, removable media, and other equipment

    Services: computing and communications services, general utilities

    People, and their qualifications, skills, and experience

  • 41/65 Analyze ISO 27002-2005: 4. Human Resources Security

    Prior to employment

    During employment

    Termination or change of employment

  • 42/65 Analyze ISO 27002-2005: 4. Human Resources Security

    Prior to employment

    Objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities

    Roles and responsibilities

    Screening

    Terms and conditions of employment

  • 43/65 Analyze ISO 27002-2005: 4. Human Resources Security

    Roles and responsibilities:

    implement and act in accordance with the organization's information security policies

    protect assets from unauthorized access, disclosure, modification, destruction or interference

    execute particular security processes or activities

    ensure responsibility is assigned to the individual for actions taken

    report security events or potential events or other security risks to the organization

  • 44/65 Analyze ISO 27002-2005: 4. Human Resources Security

    During employment

    Objective: To ensure that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error

    Management responsibilities

    Information security awareness, education, and training

    Disciplinary process

  • 45/65 Analyze ISO 27002-2005: 4. Human Resources Security

    Termination or change of employment

    Objective: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner

    Termination responsibilities

    Return of assets

    Removal of access rights

  • 46/65 Analyze ISO 27002-2005: 5. Physical Security

    Secure areas

    Physical security perimeter

    Physical entry controls

    Securing offices, rooms, and facilities

    Protecting against external and environmental threats

    Working in secure areas

    Public access, delivery, and loading areas

    Equipment security

  • 47/65 Analyze ISO 27002-2005: 5. Physical Security

    Secure areas

    Equipment security

    Equipment siting and protection

    Supporting utilities

    Cabling security

    Equipment maintenance

    Security of equipment off-premises

    Secure disposal or re-use of equipment

    Removal of property

  • 48/65 Analyze ISO 27002-2005: 6. Communications and Ops Management

    Operational procedures and responsibilities

    Third party service delivery management

    Protection against malicious and mobile code

    Back-up

    Network security management

    Media handling

    Exchange of information

    Electronic commerce services

  • 49/65 Analyze ISO 27002-2005: 7. Access Control

    Business requirement for access control

    User access management

    User responsibilities

    Network access control

    Operating system access control

    Application and information access control

  • 50/65 Analyze ISO 27002-2005: 7. Access Control

    Business requirement for access control

    Access control policy

    Access control rules and rights for each user or group of users should be clearly stated in an access control policy.

    Access controls are both logical and physical.

  • 51/65 Analyze ISO 27002-2005: 7. Access Control

    User access management

    User registration:

    using unique user IDs

    the user has authorization from the system owner

    checking that the level of access granted is appropriate to the business purpose

    giving users a written statement of their access rights

  • 52/65 Analyze ISO 27002-2005: 7. Access Control

    User access management (cont.)

    Privilege management:

    the access privileges associated with each system product

    privileges should be allocated to users on a need-to-use basis

    privileges should not be granted until the authorization process is complete

  • 53/65 Analyze ISO 27002-2005: 7. Access Control

    User access management (cont.)

    User password management:

    passwords are complex

    passwords should never be stored on computer systems in an unprotected form

    default vendor passwords should be altered following installation of systems or software

    ... which they are forced to change immediately after the user's first logon

  • 54/65 Analyze ISO 27002-2005: 7. Access Control

    User access management (cont.)

    Review of user access rights:

    users' access rights should be reviewed at regular intervals

    authorizations for special privileged access rights should be reviewed at more frequent intervals
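An access-rights review that applies the user access management points from slides 51, 52 and 54 together (unique user IDs, no privilege before the authorization process is complete, and a shorter review interval for special privileged rights), written here as an added Python example rather than anything from the slides. The two review intervals, the review date and the account records are constructed assumptions.

```python
from collections import Counter
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=180)              # assumed interval for ordinary users
PRIVILEGED_REVIEW_INTERVAL = timedelta(days=90)    # assumed shorter interval for privileged rights
REVIEW_DATE = date(2019, 12, 8)                    # constructed "today" for the review run


def review_access(accounts, today=REVIEW_DATE):
    """Return (user_id, finding) tuples for the review report; an empty list means no findings."""
    findings = []

    # Slide 51: access is granted to unique user IDs. One ID held by several people
    # breaks the accountability that individual IDs are meant to provide.
    holders = Counter(a["user_id"] for a in accounts)
    for uid, n in holders.items():
        if n > 1:
            findings.append((uid, f"user ID shared by {n} people"))

    for a in accounts:
        uid = a["user_id"]
        # Slide 52: privileges must not be granted before the authorization process is complete.
        if a["privileged"] and not a["authorization_complete"]:
            findings.append((uid, "privileged access without completed authorization"))
        # Slide 54: regular review for everyone, more frequent review for privileged rights.
        interval = PRIVILEGED_REVIEW_INTERVAL if a["privileged"] else REVIEW_INTERVAL
        overdue = today - a["last_reviewed"] - interval
        if overdue > timedelta(0):
            findings.append((uid, f"review overdue by {overdue.days} days"))
    return findings


SAMPLE_ACCOUNTS = [  # constructed records; one row per person holding the ID
    {"user_id": "alice", "privileged": False, "authorization_complete": True,
     "last_reviewed": date(2019, 6, 1)},
    {"user_id": "bob", "privileged": True, "authorization_complete": True,
     "last_reviewed": date(2019, 7, 1)},
    {"user_id": "dba-shared", "privileged": True, "authorization_complete": False,
     "last_reviewed": date(2019, 11, 1)},
    {"user_id": "dba-shared", "privileged": True, "authorization_complete": True,
     "last_reviewed": date(2019, 11, 1)},
]

if __name__ == "__main__":
    for uid, finding in review_access(SAMPLE_ACCOUNTS):
        print(f"{uid}: {finding}")
```

Note that bob's privileged rights are flagged after 160 days while alice's ordinary rights, reviewed 190 days ago, are only 10 days overdue: the same calendar gap produces a much earlier finding for the privileged account.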

  • 55/65 Analyze ISO 27002-2005: 7. Access Control

    User responsibilities

    Password

    Unattended user equipment

    Clear desk and clear screen policy

  • 56/65 Analyze ISO 27002-2005: 7. Access Control

    Network access control

    Policy on use of network services

    User authentication for external connections

    Equipment identification in networks

    Segregation in networks

    Network connection control

    Network routing control

  • 57/65 Analyze ISO 27002-2005: 7. Access Control

    Operating system access control

    Secure log-on procedures

    User identification and authentication

    Password management system

    Use of system utilities

    Session time-out

    Limitation of connection time

  • 58/65 Analyze ISO 27002-2005: 7. Access Control

    Operating system access control

    Secure log-on procedures:

    not display system or application identifiers until the log-on process has been successfully completed

    limit the maximum and minimum time allowed for the log-on procedure

    not display the password being entered, or consider hiding the password characters by symbols

    not transmit passwords in clear text over a network

  • 59/65 Analyze ISO 27002-2005: 7. Access Control

    Operating system access control

    Password management system:

    enforce the use of individual user IDs and passwords to maintain accountability

    allow users to select and change their own passwords

    enforce a choice of quality passwords

    enforce password changes

    store password files separately from application system data
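The password management system controls on this slide and the password controls on slide 53 (no storage in unprotected form, quality passwords, vendor defaults replaced, a forced change at first logon, users changing their own passwords, enforced expiry), worked as an added Python example that is not from the slides. The quality rule, the vendor-default list, the 90-day maximum age and the scrypt parameters are assumptions; the credential records are kept in their own store object, apart from any application data.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

MAX_PASSWORD_AGE = timedelta(days=90)                 # assumed "enforce password changes" interval
VENDOR_DEFAULTS = {"admin", "password", "changeme"}   # constructed list of vendor default passwords


def password_is_quality(pw: str) -> bool:
    """Assumed quality rule: at least 12 characters with upper, lower, digit and symbol."""
    classes = [any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) >= 12 and all(classes)


def _hash(pw: str, salt: bytes) -> bytes:
    # Salted scrypt: the stored value is not the password and cannot be reversed to it
    return hashlib.scrypt(pw.encode(), salt=salt, n=2 ** 14, r=8, p=1)


class PasswordStore:
    """Credential records held separately from application system data (slide 59)."""

    def __init__(self):
        self._records = {}   # user_id -> {"salt", "hash", "set_on", "must_change"}

    def set_password(self, user_id, pw, today, *, by_admin=False):
        # Slide 53: vendor defaults are never accepted, and a password handed out by an
        # administrator must be changed by the user at first logon.
        if pw.lower() in VENDOR_DEFAULTS:
            raise ValueError("vendor default password not allowed")
        if not password_is_quality(pw):
            raise ValueError("password does not meet the quality rule")
        salt = os.urandom(16)
        self._records[user_id] = {"salt": salt, "hash": _hash(pw, salt),
                                  "set_on": today, "must_change": by_admin}

    def verify(self, user_id, pw, today):
        """Return 'ok', 'change-required' or 'denied'; the stored hash is never exposed."""
        rec = self._records.get(user_id)
        if rec is None:
            return "denied"
        if not hmac.compare_digest(rec["hash"], _hash(pw, rec["salt"])):
            return "denied"
        if rec["must_change"] or today - rec["set_on"] > MAX_PASSWORD_AGE:
            return "change-required"
        return "ok"

    def change_password(self, user_id, old_pw, new_pw, today):
        """Users select and change their own password after proving the current one."""
        if self.verify(user_id, old_pw, today) == "denied":
            raise PermissionError("current password did not verify")
        self.set_password(user_id, new_pw, today)


def set_is_rejected(store, user_id, pw, today) -> bool:
    """True when set_password refuses the candidate; used to exercise the rules."""
    try:
        store.set_password(user_id, pw, today)
        return False
    except ValueError:
        return True
```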

  • 60/65 Analyze ISO 27002-2005: 7. Access Control

    Application and information access control

    Information access restriction

    Sensitive system isolation

  • 61/65 8. Information Systems Acquisition, Development, Maintenance

  • 62/65 Analyze ISO 27002-2005: 9. Information Security Incident Management

  • 63/65 Analyze ISO 27002-2005: 10. Business Continuity

  • 64/65 Analyze ISO 27002-2005: 11. Compliance

  • 65/65 Questions?