IEC 27001


รายงานการเขาอบรม มาตรฐาน ISO/IEC 27001 ISOÆ the International Organization for Standardization IECÆ the International Electro technical Commission

เขาอบรม 5-7 ตุลาคม 2552

Report dated 14 October B.E. 2552 (2009)

Figure 1: Background. A timeline of ICT security standards in two tracks (US and EU). Items shown in the figure: 1972 DoD Directive 5200.28 → TCSEC (Orange Book) → TNI (Red Book); 1996-2001 GMITS (ISO/IEC TR 13335-3, 1998); 1996 SSE-CMM (ISO 2002); 1990 ITSEC (1995, 1999); 1996 Common Criteria (ISO 1999); 2001/2005 ISO/IEC 17799 (code of practice); ISO/IEC 13335 MICTS (management of ICT security); ISO/IEC 18028 (network security); 2005 ISO/IEC 27000 series ISMS (management system).

The need for ICT security (ICT Security issues and Trends)
• Authentication: to ensure that both the receiver and the sender are genuine
• Cryptography: to protect the confidentiality of information so that it is not disclosed
• Authorization: to guarantee that every party to a transaction has the right to carry it out
• Integrity: to guarantee that the transaction has not been altered or damaged
• Non-repudiation: to provide both parties with evidence certifying the transaction
• ICT security means managing three areas: C (Confidentiality), I (Integrity), A (Availability)

Standards of the ISO 27000 series
• 27000 – Fundamentals and vocabulary (05-2009)
• 27001 – ISMS requirements (10-2005)
• 27002 – Code of Practice ISO/IEC 17799:2005 (4-2007)
• 27003 – ISMS Implementation Guidance (under development)
• 27004 – ISMS Metrics and measurement (2007)
• 27005 – ISMS Risk Management (2006)
• 27006 – Guidelines on ISMS accreditation of certification/registration bodies

วิชุดา ไชยศิวามงคล


โครงสรางของเอกสาร ISO 27000 series 27000 Fundamentals & Vocabulary 27001:ISMS requirement 27005 Risk Management

27002 Code of Practice for ISM 27003 Implementation Guidance 27004 Metrics & Measurement

27006 Guidelines on ISMS accreditation

(Information Security Management Standards – ISMS)
ISO 27001: ISMS Requirements
• This ISMS standard is based on BS7799 Part 2
 – with some improvements and changes
 – Annex B (Implementation Guidance) has been removed; this will become ISO 27003
 – publication date was November 2005 (BS7799-2 withdrawn)
 – Certification to ISO 27001 from 30 January 2006
• Clarifies and improves existing PDCA process requirements
 – ISMS scope
 – Approach to risk assessment
 – Selection of controls
 – Statement of Applicability
 – Reviewing risks
 – Management commitment
 – ISMS internal audits
 – Results of effectiveness and measurements
 – Update risk treatment plans, procedures and controls

Annex A of ISO 27001 (ISMS Domains)
1. Security policy
2. Organization of information security
 – Management Commitment: set up the various committees and define their job descriptions >>> PPT Model
  1. Information Security Management Committee (ISM Committee)
  2. Management Committee >>> CIO
  3. Business Continuity Management >>> CEO
  4. Budget Committee >>> CFO
 – Roles and Responsibilities defined
 – Confidentiality Agreements
 – Contact with authorities and special interest groups
 – Addressing security when dealing with 3rd parties, e.g. suppliers, customers, etc.
3. Asset management
 – Inventory, Ownership and acceptable use of assets
 – Information classification guidelines and labeling
4. Human resources security
 – Security roles and responsibilities
 – Screening and terms & conditions of employment
 – Disciplinary process
 – Termination or change of employment
5. Physical and environmental security
 – Physical entry controls, Working in secure areas, isolation for sensitive areas
 – Equipment Security
 – Siting & supporting utilities
 – Maintenance
 – Secure Disposal or re-use of equipment
6. Communications and operations management
 – Change Management
 – Segregation of duties
 – Third party service delivery management
  – SLA definition
  – Monitoring of their services
 – Capacity Management
 – Protection against malicious code and mobile code
 – Backup
 – Network Security Management
 – Media Handling & Exchange of information
 – Monitoring
7. Access control
 – Access control policy
 – User access management
 – User responsibilities
 – Network, O.S., Application access control
 – Mobile Computing & Teleworking
8. Information acquisition, development and maintenance
 – Security requirements of information systems
 – Correct processing in applications
 – Cryptographic controls
 – Security in development and support processes
 – Technical Vulnerability Management
9. Information security incident management
 – Reporting & Management of information security events and weaknesses
10. Business continuity management
 – Business continuity & risk assessment
 – BC plan
 – Testing
11. Compliance
 – Compliance with legal requirements
 – Compliance with security policies & standards and technical compliance

• What is Information?
 – an asset that has value to an organization
 – exists in several forms:
  • messages written on paper, stored on tapes, transmitted in electronic form, etc.
 – needs to be suitably protected against a wide range of threats to ensure:
  • business continuity
  • minimized business loss
  • maximized ROI and business opportunities
• Information Security is the preservation of:
 – Confidentiality
  • ensuring that information is accessible only to those authorized to have access
 – Integrity
  • safeguarding the accuracy and completeness of information and processing methods
 – Availability
  • ensuring that authorized users have access to information and associated assets when required
• Information Security Management Systems (ISMS)
 – provide a systematic approach to securing sensitive information
 – encompass employees, processes and information systems
 – include all the good information security practices
• What is the ISO 27001 standard?
 – the formal standard against which organizations may seek independent certification of their Information Security Management Systems (ISMS)
 – to provide a common base for:
  • developing organizational security standards and effective security management practice
  • providing confidence in inter-organizational dealings
• ISO 27001 addresses the management system in the area of information security
 – holistic approach by risk assessment & management
 – incorporates best industry practices
 – 133 controls to be selected for implementation
 – Plan-Do-Check-Act (PDCA) model to achieve continual improvement

ISO 27001 Certification Road map (2 phases)

Phase 1: Pre-Certification Phase
1. Gap analysis
 - Getting the ISO 27001 standard
 - List of identified gaps
 - Cost and schedule estimation
2. Setting up ISMS framework
 - Scope, policy and ISMS framework
 - Prepare Statement of Applicability (SOA) and produce Risk Assessment (RA) results
3. Implementation
 - Training and communication
 - Implementation of controls
4. Documentation
 - Control policy, procedures, work instructions, etc.
5. Application for ISO 27001 certification

Phase 2: Certification Phase
6. Document (Manual) assessment (Stage 1)
7. Preliminary assessment (Stage 1)
 - Records demonstrating ISMS implementation
8. Certification assessment (Stage 2)
 - Assessment report and Corrective Action (CA)
9. Awarding of certificate

Setting up ISMS framework (as laid out in the figure: each step, its inputs, and the document it produces)
Step 1. Define the scope of the ISMS → Scope of the ISMS
Step 2. Define the ISMS policy → Policy Document
Step 3. Undertake a risk assessment (inputs: Information assets; Threats, vulnerabilities, impacts; Organization's approach to risk management) → Risk Assessment: Results and Conclusion
Step 4. Manage the risk (input: Degree of assurance required) → Selected control options
Step 5. Select control objectives and controls to be implemented (inputs: Section 4g of this part of ISO 27001, control objectives and controls; Additional controls not in ISO 27001) → Selected control objectives and controls
Step 6. Prepare a statement of applicability (SOA) → Statement of applicability


• Key Success Factors:
 – Management Commitment
 – Cross-functional forum / committee
 – Understanding Stakeholders' business requirements in relation to Information Security
 – Effective Risk Management Process
 – Training & Awareness
 – Proactive & Continual Improvement
  • Internal audit & management review
  • Identify and act on security weaknesses
  • Learn from incidents and establish relevant Prevention Action

ISO 27002: ISO/IEC 17799:2005 (from 2007)
• 11 sections specify 39 control objectives to protect information assets
• Provides 133 best practice controls that can be adopted based on a risk assessment process
 – but leaves an organisation free to select controls not listed in the standard
 – giving great flexibility in implementation (but challenging for certification bodies!)
• New recommendations cover:
 - security of external service delivery & provisioning of outsourcing
 - patch management and other current issues
 - security prior to, during and at termination of employment
 - guidance on risk management, and a section on incident management
 - mobile, remote & distributed communications & information processing

ISO 27003: ISMS Implementation Guidelines
• A new project to cover:
 - overview
 - management responsibilities
 - governance & regulatory compliance
 - personal security & human resources
 - asset management
 - availability/continuity of business processes
 - handling information incidents
 - access control
 - risk management case studies
• Available in 2009

ISO 27004: Measurement Programme Objectives
• Covers information security management system measurement and metrics
• Helps to measure the effectiveness of information security management system implementations.
• The objectives are to:
 • Evaluate the effectiveness of security controls & control objectives;
 • Evaluate the effectiveness of the ISMS inc. continual improvement;
 • Provide security indicators to assist management review;
 • Facilitate improvement of information security;
 • Provide input for security audits;
 • Communicate the effectiveness of ISM to the organization;
 • Serve as an input into the risk management process;
 • Provide output for internal comparison & benchmarking of effectiveness
• This development is aimed at addressing how to measure the effectiveness of ISMS implementations (processes and controls):
 • Performance targets
 • What to measure
 • How to measure
 • When to measure

There are several assessment methods; agree beforehand which one will be used:
• Qualitative → ISO 27001: do a Gap Analysis, Benchmarking and Scoring
• Quantitative → CMM (Capability Maturity Model) - KPI (Key Point Indicator) – Requirement - CSF - Bottleneck - Balanced Scorecard (BSC) → linked to Risk Management > Cost > Customer Satisfaction > Innovation > Internal

Pass criteria: CMM (Capability Maturity Model) together with Compliance

ISO 27005: ISMS Risk Management Process >> published; BS7799 Part 3 → Information Security Risk Management
• Risk Assessment >>> RAFT Model >>> BIA to set the priority, considering business value (LE >> SLE, ALE), MDT, recovery time, vulnerabilities and threats
• Risk Analysis and Evaluation → Impact Result (Asset Exposure)
 • Identification of assets
 • Identification of threats
 • Identification of vulnerabilities
 • Risk Identification → Impact Rating
 • Risk Estimation → Summary Risk and Control
 • Risk Evaluation / Selection → Score

• Information Security Risk Treatment
 • Risk Treatment → it is management's duty to decide which option to choose
 • Risk Avoidance: avoid the events that give rise to the risk
 • Risk Transfer: pass the risk to another party → e.g. hiring an outsourcer, taking out insurance
 • Risk Reduction: → find additional controls to manage the risk
 • Risk Acceptance: allow the risk to occur without taking any further action
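The chain above (identify assets and threats, estimate impact, evaluate and score, then choose one of the four treatment options) carried through in code, as an added example that is not from the training report or the ISO documents. The ALE = SLE × ARO formula, the rating bands, the acceptance threshold, the control-cost test and the sample register are assumptions made here.

```python
# Added example (not from the training report): quantitative risk estimation and
# treatment selection for the ISO 27005 chain the report lists (identify ->
# estimate -> evaluate -> treat). Constructed assumptions: ALE = SLE x ARO, the
# rating bands, the acceptance threshold and the control-cost test.
from dataclasses import dataclass

@dataclass
class Risk:
    asset: str
    threat: str
    asset_value: float      # business value of the asset (money units)
    exposure_factor: float  # fraction of that value lost per incident, 0..1
    aro: float              # annualised rate of occurrence (incidents/year)
    control_cost: float     # yearly cost of the candidate additional control
    transferable: bool = False  # could an insurer/outsourcer carry this risk?

def single_loss_expectancy(r: Risk) -> float:
    return r.asset_value * r.exposure_factor

def annual_loss_expectancy(r: Risk) -> float:
    return single_loss_expectancy(r) * r.aro

def impact_rating(ale: float, bands=(1_000, 10_000, 100_000)) -> int:
    """Map an ALE onto an impact rating 1..4 (constructed money bands)."""
    return 1 + sum(ale >= b for b in bands)

def select_treatment(r: Risk, accept_below: float = 5_000) -> str:
    """Choose one of the four treatment options named in the report."""
    ale = annual_loss_expectancy(r)
    if ale < accept_below:
        return "accept"    # tolerable: no further action
    if r.control_cost < ale:
        return "reduce"    # the control costs less than the loss it prevents
    if r.transferable:
        return "transfer"  # e.g. insurance or outsourcing
    return "avoid"         # stop the activity that creates the risk

def risk_register(risks):
    """Summary risk-and-control table, highest ALE first (BIA priority)."""
    rows = [{"asset": r.asset, "threat": r.threat,
             "sle": single_loss_expectancy(r), "ale": annual_loss_expectancy(r),
             "rating": impact_rating(annual_loss_expectancy(r)),
             "treatment": select_treatment(r)} for r in risks]
    return sorted(rows, key=lambda row: row["ale"], reverse=True)

# Constructed sample register; the values are illustrative only.
SAMPLE = [
    Risk("customer database", "ransomware", 200_000, 0.5, 0.2, 15_000),
    Risk("public web server", "DDoS", 50_000, 0.2, 1.0, 30_000, transferable=True),
    Risk("office printer", "theft", 2_000, 1.0, 0.1, 500),
    Risk("legacy FTP service", "credential sniffing", 40_000, 0.5, 0.5, 25_000),
]
```

Running `risk_register(SAMPLE)` yields the four sample risks ordered by ALE with one treatment each, which is the "summary risk and control" table the report's risk estimation step refers to.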

• Approve > Roles & Resources > Document Management, as follows:
 – QM >> Quality Management < Executive … IS policy at 3 levels (general, specific and system) → acknowledged and budget-supported by management
 – QP >> Quality Procedure > WI Work Instruction
 – FM >> Form
 – SD >> Support Document
• Annex A – Scope
• Annex B – Identification and valuation of assets
• Annex C – Common vulnerabilities


RAFT Model (Risk Assessment Framework for Technology) and PPT Model, as shown in the figure:
• PPT Model: three organisational layers, Top Executive, Middle Management, Staff
• RAFT Model elements: People, Network Infrastructure, Threat, Vulnerability Assessment, Control, Business Impact Analysis (BIA) with BIA Priority, Experience, Documentation > Standard
• RISK DECISION POINT 1: Assessment satisfactory
• RISK DECISION POINT 2: Accept risks (Yes)


ISO 27006: Guidelines on ISMS Accreditation
• The international ISO 27000 community realised that the guidance to certification/registration bodies, currently EA7/03, was now outdated
• There is a need for increased rigour & evidence from certifying bodies that the organisations going for certification are 'fit for purpose', i.e. that a robust ISMS framework is not only well established (meeting business needs) but is also well communicated and working in practice
• These guidelines will be in operation from January 2007 (launched at 'ISO27000 Business goes Global' in London)
