5. Information Security Policy

Published on April 2017


ISO 27002
Lecturer: CH. Nguyễn Duy

Content
• What is data security?
• What is ISO 27001?
• What is ISO 27002?
• Analyze ISO 27001-2005
• Analyze ISO 27002-2005
Nguyễn Duy Intranet and Internet Management and Security 2
Risk relationship
What is Data security
• What is data security?
• What is ISO 27001?
• What is ISO 27002?
• Analyze ISO 27002-2005
The source of data loss
[Figure: Data Types. Three categories of data: Data-in-Motion, Data-at-Rest, Data-in-Use. Channels shown in the figure: Email, Web Post, Network, IM Chat, Desktop/Laptop, Database, Removable Media, Screen, Printer, File Share, Clipboard]
The source of data loss
[Figure: DLP deployment points. Network components: Switch, Firewall, Web Gateway, Email Gateway. Storage: Databases or Repositories. DLP functions shown: DLP Prevent, DLP Monitor, DLP Discover, DLP Endpoint. Data categories: Data-in-Motion, Data-at-Rest, Data-in-Use]
Threat Agent
• Human
– Employee
– Attacker
• Machine
• Nature
Data security
Defense in Depth Layers
What is ISO 27001
• ISO 27001 formally specifies how to establish an Information Security Management System (ISMS)
• ISO 27001 provides a system for monitoring and maintaining
– Confidentiality of information
– Availability of information
– Accuracy of information
• The design and implementation of an organization’s ISMS is influenced by its business and security objectives, its security risks and control requirements, the processes employed and the size and structure of the organization
Benefits of ISO 27001
• Business continuity
• Assessment of risks and implementation of ways to reduce effects
• Regular assessment to maintain effectiveness
• Improved security
• Access control
• Provides an internal management process
[Figure: ISMS PROCESS (PDCA model), under management responsibility. Interested parties' information security requirements & expectations feed PLAN (Establish ISMS) → DO (Implement & operate the ISMS) → CHECK (Monitor & review ISMS) → ACT (Maintain & improve), which delivers managed information security back to the interested parties]
What is ISO 27002?
• ISO 27002 is a “Code of Practice”: a large number of information security controls
• The numerous information security controls recommended by the standard are meant to be implemented in the context of an ISMS, in order to address risks and satisfy applicable control objectives systematically
Analyze ISO 27001-2005
Management Support
• Management should actively support information security by giving clear direction (e.g. policies), demonstrating the organization’s commitment, plus explicitly assigning information security responsibilities to suitable people.
• Management should approve the information security policy, allocate resources, assign security roles and co-ordinate and review the implementation of security across the organization.
• Overt management support makes information security more effective throughout the organization, not least by aligning it with business and strategic objectives.
Defining ISMS scope
• Management should define the scope of the ISMS in terms of the nature of the business, the organization, its location, information assets and technologies.
• If commonplace controls are deemed not applicable, this should be justified and documented in the Statement of Applicability (SOA)
Inventory of Assets
• An inventory of all important information assets should be developed and maintained, recording details such as
– Type of asset
– Format (i.e. software, physical/printed, services, people, intangibles)
– Location
– Backup information
– License information
– Business value (e.g. what business processes depend on it?)
Risk Assessment
• Risk assessments should identify, quantify, and prioritize information security risks against defined criteria for risk acceptance and objectives relevant to the organization
• Assessing risks and selecting controls may need to be performed repeatedly across different parts of the organization and information systems, and to respond to changes
Prepare Statement of Applicability
• The Statement of Applicability (SOA) is a key ISMS document listing the organization’s information security control objectives and controls.
• The SOA is derived from the results of the risk assessment, where:
– Risk treatments have been selected
– All relevant legal and regulatory requirements have been identified
Prepare Risk Treatment Plan
• The organization should formulate a risk treatment plan (RTP) identifying the appropriate management actions, resources, responsibilities and priorities for dealing with its information security risks
• The RTP should be set within the context of the organization's information security policy and should clearly identify the approach to risk and the criteria for accepting risk
PDCA Model
• Plan (establish the ISMS)
– Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization’s overall policies and objectives.
• Do (implement and operate the ISMS)
– Implement and operate the ISMS policy, controls, processes and procedures.
• Check (monitor and review the ISMS)
– Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience and report the results to management for review.
• Act (maintain and improve the ISMS)
– Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.
The ISMS
• It is important to be able to demonstrate the relationship from the selected controls back to the risk assessment and risk treatment process, and subsequently back to the ISMS policy and objectives.
• ISMS documentation should include:
– Documented statements of the ISMS policy and objectives
– The scope of the ISMS
– Procedures and other controls in support of the ISMS
– A description of the risk assessment methodology
– A risk assessment report and Risk Treatment Plan (RTP)
– Procedures for effective planning, operation and control of the information security processes, describing how to measure the effectiveness of controls
– The Statement of Applicability (SOA)
Compliance Review and Corrective Actions
• Management must review the organization’s ISMS at least once a year to ensure its continuing suitability, adequacy and effectiveness.
• They must assess opportunities for improvement and the need for changes to the ISMS, including the information security policy and information security objectives
• The results of these reviews must be clearly documented and maintained (“records”).
• Reviews are part of the ‘Check’ phase of the PDCA cycle
Pre-Certification Assessment
• Prior to certification, the organization should carry out a comprehensive review of the ISMS and SOA.
• The organization will need to demonstrate compliance with both the full PDCA cycle and clause 8 of ISO 27001, the requirement for continual improvement
• The ISMS therefore needs a while to settle down, operate normally and generate the records after it has been implemented
Management Support
• Certification involves the organization’s ISMS being assessed for compliance with ISO 27001.
• The certification body needs to gain assurance that the organization’s information security risk assessment properly reflects its business activities for the full scope of the ISMS
Analyze ISO 27002-2005
• Scope
• Terms and definitions
• Structure of this standard
• Risk assessment and treatment
• Policy
Analyze ISO 27002-2005
Scope
• The standard gives information security management recommendations for those who are responsible for initiating, implementing or maintaining security
Analyze ISO 27002-2005
Terms and definitions
• “Information security” is explicitly defined as the “preservation of confidentiality, integrity and availability of information”
– Asset: anything that has value to the organization
– Control: means of managing risk, including policies, procedures, guidelines, practices or organizational structures
– Guideline: a description that clarifies what should be done and how, to achieve the objectives set out in policies
Analyze ISO 27002-2005
Structure of this standard
• This standard contains 11 security control clauses collectively containing a total of 39 main security categories and one introductory clause introducing risk assessment and treatment
Analyze ISO 27002-2005
Security Control Clauses
1. Security Policy
2. Organization of Information Security
3. Asset Management
4. Human Resources Security
5. Physical Security
6. Communications and Ops Management
7. Access Control
8. Information Systems Acquisition, Development, Maintenance
9. Information Security Incident Management
10. Business Continuity
11. Compliance
Analyze ISO 27002-2005
Main security categories
• Each main security category contains:
– a control objective stating what is to be achieved
– one or more controls that can be applied to achieve the control objective
Analyze ISO 27002-2005
1. Security Policy
• Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations
• Management should set a clear policy direction in line with business objectives, and demonstrate support for, and commitment to, information security through the issue and maintenance of an information security policy across the organization
Analyze ISO 27002-2005
1. Security Policy
Information security policy document:
• Control
– An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties
• Implementation guidance
– a definition of information security
– a framework for setting control objectives and controls
– a brief explanation of the security policies, principles, standards, and compliance requirements of particular importance to the organization
– a definition of general and specific responsibilities
– references to documentation which may support the policy
• Other information
– …….
Analyze ISO 27002-2005
2. Organization of Information Security
• Internal organization
– Objective: To manage information security within the organization
  • Management commitment to information security
  • Information security co-ordination
  • Allocation of information security responsibilities
  • Authorization process for information processing facilities
  • Confidentiality agreements
  • Contact with authorities
  • Contact with special interest groups
  • Independent review of information security
Analyze ISO 27002-2005
2. Organization of Information Security
• External parties:
– Objective: To maintain the security of the organization’s information and information processing facilities that are accessed, processed, communicated to, or managed by external parties
  • Identification of risks related to external parties
  • Addressing security when dealing with customers
  • Addressing security in third party agreements
Analyze ISO 27002-2005
2. Organization of Information Security
• Identification of risks related to external parties:
– the information processing facilities an external party is required to access
– the type of access the external party will have to the information and information processing facilities: physical access, logical access
– network connectivity between the organization’s and the external party’s network: permanent connection, remote access
– …….
Analyze ISO 27002-2005
2. Organization of Information Security
• Addressing security when dealing with customers
– asset protection, including
  • procedures to protect the organization’s assets, including information and software, and management of known vulnerabilities;
  • procedures to determine whether any compromise of the assets, e.g. loss or modification of data, has occurred
  • restrictions on copying and disclosing information
– description of the product or service to be provided
– …….
Analyze ISO 27002-2005
2. Organization of Information Security
• Addressing security in third party agreements
– ISP
– Online Services: Gmail, yahoo, ….
– Distribution: Hardware, software and services
Analyze ISO 27002-2005
3. Asset Management
• Objective: To achieve and maintain appropriate protection of organizational assets
– Responsibility for assets
  • Inventory of assets
  • Ownership of assets
  • Acceptable use of assets
– Information classification
  • Information should be classified in terms of its value, legal requirements, sensitivity, and criticality to the organization.
Analyze ISO 27002-2005
3. Asset Management
• Inventory of assets
– Information
  • databases and data files, contracts and agreements, system documentation, research information, user manuals, training material, …
– Software assets
  • application software, system software, development tools, and utilities
– Physical assets
  • computer equipment, communications equipment, removable media, and other equipment
– Services
  • computing and communications services, general utilities
– People, and their qualifications, skills, and experience
Analyze ISO 27002-2005
4. Human Resources Security
• Prior to employment
• During employment
• Termination or change of employment
Analyze ISO 27002-2005
4. Human Resources Security
• Prior to employment
– Objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities
  • Roles and responsibilities
  • Screening
  • Terms and conditions of employment
Analyze ISO 27002-2005
4. Human Resources Security
• Roles and responsibilities:
– implement and act in accordance with the organization’s information security policies
– protect assets from unauthorized access, disclosure, modification, destruction or interference
– execute particular security processes or activities
– ensure responsibility is assigned to the individual for actions taken
– report security events or potential events or other security risks to the organization
Analyze ISO 27002-2005
4. Human Resources Security
• During employment
– Objective: To ensure that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error
  • Management responsibilities
  • Information security awareness, education, and training
  • Disciplinary process
Analyze ISO 27002-2005
4. Human Resources Security
• Termination or change of employment
– Objective: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner
  • Termination responsibilities
  • Return of assets
  • Removal of access rights
Analyze ISO 27002-2005
5. Physical Security
• Secure areas
– Physical security perimeter
– Physical entry controls
– Securing offices, rooms, and facilities
– Protecting against external and environmental threats
– Working in secure areas
– Public access, delivery, and loading areas
• Equipment security
Analyze ISO 27002-2005
5. Physical Security
• Secure areas
• Equipment security
– Equipment siting and protection
– Supporting utilities
– Cabling security
– Equipment maintenance
– Security of equipment off-premises
– Secure disposal or re-use of equipment
– Removal of property
Analyze ISO 27002-2005
6. Communications and Ops Management
• Operational procedures and responsibilities
• Third party service delivery management
• Protection against malicious and mobile code
• Back-up
• Network security management
• Media handling
• Exchange of information
• Electronic commerce services
Analyze ISO 27002-2005
7. Access Control
• Business requirement for access control
• User access management
• User responsibilities
• Network access control
• Operating system access control
• Application and information access control
Analyze ISO 27002-2005
7. Access Control
• Business requirement for access control
– Access control policy
  • Access control rules and rights for each user or group of users should be clearly stated in an access control policy
  • Access controls are both logical and physical
Analyze ISO 27002-2005
7. Access Control
• User access management
– User registration
  • using unique user IDs
  • the user has authorization from the system owner
  • checking that the level of access granted is appropriate to the business purpose
  • giving users a written statement of their access rights
Analyze ISO 27002-2005
7. Access Control
• User access management (cont.)
– Privilege management
  • the access privileges associated with each system product
  • privileges should be allocated to users on a need-to-use basis
  • privileges should not be granted until the authorization process is complete
Analyze ISO 27002-2005
7. Access Control
• User access management (cont.)
– User password management
  • passwords are complex
  • passwords should never be stored on computer systems in an unprotected form
  • default vendor passwords should be altered following installation of systems or software
  • initial passwords are ones which users are forced to change immediately after first logon
Analyze ISO 27002-2005
7. Access Control
• User access management (cont.)
– Review of user access rights
  • users’ access rights should be reviewed at regular intervals
  • authorizations for special privileged access rights should be reviewed at more frequent intervals
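The user registration, privilege management, password management and access-rights review guidance in the slides above, as an added example that is not part of the original deck: a small account store that enforces unique IDs and system-owner authorization, keeps passwords only as salted hashes, rejects default vendor passwords, forces a change at first logon, and reports which accounts are due for review. The password quality rule, the review intervals and the vendor-default list are assumed values chosen for illustration.

```python
"""Added example (not from the slides): a small account store applying the
ISO 27002 user-access-management guidance listed above. Password rules,
review intervals and the vendor-default list are assumed values."""
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

# Constructed list of default vendor passwords that must be replaced after install.
DEFAULT_VENDOR_PASSWORDS = {"admin", "password", "changeme", "default", "12345678"}

# Assumed review intervals: the standard only says "regular" intervals, and
# "more frequent" ones for special privileged access rights.
REVIEW_INTERVAL = {False: timedelta(days=180), True: timedelta(days=90)}
PBKDF2_ROUNDS = 200_000


def password_quality_ok(pw: str) -> bool:
    """Quality rule: 12+ characters, upper, lower, digit and symbol, not a vendor default."""
    if len(pw) < 12 or pw.lower() in DEFAULT_VENDOR_PASSWORDS:
        return False
    return all(re.search(p, pw) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))


def hash_password(pw: str, salt: bytes) -> bytes:
    """Passwords are kept only as salted PBKDF2 digests, never in an unprotected form."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


class AccountStore:
    def __init__(self):
        # Account records live in their own store, apart from application data.
        self._accounts = {}

    def register(self, user_id, initial_password, *, owner_authorized, today, privileged=False):
        """User registration: unique ID, system-owner authorization, change at first logon."""
        if not owner_authorized:
            raise PermissionError("no authorization from the system owner")
        if user_id in self._accounts:
            raise ValueError("user IDs must be unique")
        salt = os.urandom(16)
        self._accounts[user_id] = {
            "salt": salt,
            "digest": hash_password(initial_password, salt),
            "must_change": True,      # forced change immediately after first logon
            "privileged": privileged,
            "last_review": today,     # date the access rights were last confirmed
        }

    def login(self, user_id, pw, *, new_password=None):
        """Returns True only for a valid password; a first logon must also set a new one."""
        rec = self._accounts.get(user_id)
        if rec is None:
            return False  # same answer as a wrong password: the ID is not confirmed either way
        if not hmac.compare_digest(rec["digest"], hash_password(pw, rec["salt"])):
            return False
        if rec["must_change"]:
            if new_password is None or not password_quality_ok(new_password):
                return False
            rec["salt"] = os.urandom(16)
            rec["digest"] = hash_password(new_password, rec["salt"])
            rec["must_change"] = False
        return True

    def due_for_review(self, today: date):
        """Review of user access rights: privileged accounts come up on the shorter interval."""
        return sorted(uid for uid, r in self._accounts.items()
                      if today - r["last_review"] >= REVIEW_INTERVAL[r["privileged"]])
```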
Analyze ISO 27002-2005
7. Access Control
• User responsibilities
– Password
– Unattended user equipment
– Clear desk and clear screen policy
Analyze ISO 27002-2005
7. Access Control
• Network access control
– Policy on use of network services
– User authentication for external connections
– Equipment identification in networks
– Segregation in networks
– Network connection control
– Network routing control
Analyze ISO 27002-2005
7. Access Control
• Operating system access control
– Secure log-on procedures
– User identification and authentication
– Password management system
– Use of system utilities
– Session time-out
– Limitation of connection time
Analyze ISO 27002-2005
7. Access Control
• Operating system access control
– Secure log-on procedures
  • not display system or application identifiers until the log-on process has been successfully completed
  • limit the maximum and minimum time allowed for the log-on procedure
  • not display the password being entered or consider hiding the password characters by symbols
  • not transmit passwords in clear text over a network
Analyze ISO 27002-2005
7. Access Control
• Operating system access control
– Password management system
  • enforce the use of individual user IDs and passwords to maintain accountability
  • allow users to select and change their own passwords
  • enforce a choice of quality passwords
  • enforce password changes
  • store password files separately from application system data
Analyze ISO 27002-2005
7. Access Control
• Application and information access control
– Information access restriction
– Sensitive system isolation
8. Information Systems Acquisition, Development, Maintenance
Analyze ISO 27002-2005
9. Information Security Incident Management
Analyze ISO 27002-2005
10. Business Continuity
Analyze ISO 27002-2005
11. Compliance
Question ???
