Lecture 09 Network Security Management through the ISMS
Lecture 09 Network Security Management through the ISMS
Asst. Prof. Supakorn Kungpisdan, Ph.D., supakorn@mut.ac.th
NETE0519-ITEC4614

Learning Objectives
- Explain the purpose of an ISMS and the process for establishing, implementing, operating, monitoring, reviewing and improving the ISMS
- Explain the purpose and the contents of ISO27001, ISO27002 and ISO27005, and their relationship

Asset Identification Exercise
Give examples of assets.
- Personnel
- Buildings
- Equipment
- Furniture
- Software (purchased and home-grown)
- Intellectual property
- Inventory
- Cash
- Processes
- Reputation

Asset Valuation
- The cost to design and develop or acquire, install, maintain and protect the asset
- Acquired value; information assets may increase in value over time
- The cost of collecting and processing data for information assets
- The value to a competitor
- The value of lost business opportunity if the asset is compromised
- The value of providing information to customers
- A reduction in productivity while the asset is unavailable
- The cost to replace or repair the asset
- Depreciation; most assets lose value over time

Information
Information asset: knowledge or data that has value to the organization

Storing and communicating information
- Printed or written on paper
- Stored electronically
- Transmitted by post or using electronic means
- Shown on corporate videos
- Verbal, spoken in conversations
“Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected”

What is Information Security?
ISO27001:2005 defines information security as the preservation of the confidentiality, integrity and availability of information, where:
- Confidentiality: the property that information is not made available or disclosed to unauthorized individuals, entities, or processes
- Integrity: the property of safeguarding the accuracy and completeness of assets
- Availability: the property of being accessible and usable upon demand by an authorized party

What is Information Security? (cont.)
Other properties that may also be involved:
- Authenticity
- Non-repudiation
- Accountability
- Reliability

Exercise
Give an example of networking technologies, activities, or processes that are related to:
- Confidentiality
- Integrity
- Availability

Sensitive or critical information
- Assessment can identify sensitive and critical information based on its value to the organization
- Sensitivity or criticality can depend on time: some financial information is very sensitive before it is reported to the stock market, but has no sensitivity once reported
- Sensitivity is reflected in the data classification level
- Assessment involves valuing information assets in order to calculate risks and the security level required to protect these assets using appropriate controls

A Management System includes:
- Organization
- Resources
- Structures
- Policies
- Planning activities
- Responsibilities
- Practices
- Procedures
- Processes

Information Security Management System
- Part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security
- Information security should be seen as an ongoing activity of continual improvement
- ISMS adoption should be a strategic decision by top management

ISMS (cont.)
- An ISMS requires that everyone is clear about what is required of them: that they are trained in what they are meant to do, that they have the facilities and resources they need, etc.
- The ISMS initiates the production of a standard set of (broad) requirements with which everyone has to comply.

Considerations on the overall performance of the organization may impact:
- Confidentiality, integrity and availability of information
- Competitive advantages through improved organizational capabilities
- Customer loyalty
- Repeat business and referrals
- Understanding and motivation of people towards the organizational goals and objectives, as well as participation in continual improvement
- Operational results, e.g. revenue and market share
- Reviewing threats and vulnerabilities on a regular basis
- Efficient and effective use of resources
- Alignment of processes which will best achieve desired results

Considerations on the overall performance of the organization may impact (cont.):
- Confidence of interested parties in the effectiveness and efficiency of the organization
- Ability to create value for both the organization and its suppliers by optimizing cost and resources, as well as flexibility and speed of joint responses to changing markets

Notes
- Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investment and business opportunities
- Every organization will have a differing set of requirements in terms of control requirements and the level of confidentiality, integrity, and availability
(From the Introduction section of ISO27002)

History and Family of ISO 27001 Standards

ISO27001 Standard
ISO/IEC 27001, part of a growing family of ISO/IEC 27000 standards, is an information security management system (ISMS) standard published in October 2005 by the ISO and the International Electrotechnical Commission (IEC). Its full name is ISO/IEC 27001:2005—Information technology—Security techniques—Information security management systems—Requirements, but it is commonly known as ISO 27001.

History of ISMS Standards
- 1992: BSI is approached by industry sectors and service providers with concerns over the increase of electronic office systems and potential problems related to controls over these systems
- Jan 1993: an industry working group is set up to review the concerns raised by industry; the results are published as the “Code of Practice”
- Feb 1995: the Code of Practice becomes the BS 7799-1 standard
- Feb 1998: BSI produces BS 7799-2 to form the basis for an organization to be registered for an ISMS (focused on audit)
- April 1999: both BS 7799-1 and BS 7799-2 are aligned and republished as BS 7799-1:1999 and BS 7799-2:1999
- 2000: BS 7799-1 becomes ISO17799:2000
- 2005: ISO17799:2000 is revised and renumbered to ISO 27002:2005
- 2005: BS 7799-2 is adopted as ISO 27001:2005

The ISO27001 family of standards
- ISO27000 – Overview and vocabulary
- ISO27001 – Audit requirements
- ISO27002 – Code of Practice (was ISO17799:2005)
- ISO27003 – Implementation guidance
- ISO27004 – Measurement
- ISO27005 – Risk management
- ISO27006 – Requirements for bodies providing audit and certification of ISMSs

Why Implement ISO27001:2005?
Without suitable protection, information can be:
- Given away, leaked or disclosed in an unauthorized way
- Modified without your knowledge so that it becomes less valuable
- Lost without trace or hope of recovery
- Rendered unavailable when needed
Information should be protected and properly managed like any other business asset of the organization.

ISMS Implementation and ISO 27001 Certification Process
See ISO27k ISMS implementation and certification process.ppt

Establishing the ISMS

PDCA Cycle
Continual improvement of the management system

PDCA (cont.)

Meeting ISO 27001:2005 Requirements
- The ISMS process requirements are described in clauses 4-8 of ISO 27001:2005.
- The ISMS process requirements address how an organization should establish and maintain its ISMS, based on the PDCA model.
- Any organization that wants to achieve ISO 27001:2005 certification needs to comply with all of these requirements; exclusions are not acceptable.

Meeting ISO 27001:2005 Requirements (cont.)
- The ISMS control requirements are contained in Annex A of ISO 27001:2005.
- ISMS control requirements are applicable to an organization unless the risk assessment and risk acceptance criteria prove that this is not the case.
“Any exclusions of controls found to be necessary to satisfy the risk acceptance criteria need to be justified, and evidence needs to be provided that the associated risks have been properly accepted by an accountable person.”

Steps of ISO27001
- Establish the ISMS (clause 4.2.1)
- Implement and operate the ISMS (clause 4.2.2)
- Monitor and review the ISMS (clause 4.2.3)
- Maintain and improve the ISMS (clause 4.2.4)

4.2.1 Establish the ISMS
See ISO 27001 document for details

4.2.1 Establish the ISMS (cont.)
In terms of the characteristics of the business, the organization, its location, its assets and its technology:
- Define the scope and boundaries of the ISMS
- Define an ISMS policy

ISMS Policy Example
See example from ISO27001 toolkit

Control Objectives
- A.5 Security policy
- A.6 Organization of information security
- A.7 Asset management
- A.8 Human resources security
- A.9 Physical and environmental security
- A.10 Communications and operations management
- A.11 Access control
- A.12 Information systems acquisition, development and maintenance
- A.13 Information security incident management
- A.14 Business continuity management
- A.15 Compliance

Implementing and operating the ISMS

4.2.2 Implement and operate the ISMS
See ISO 27001 document for details

4.2.3 Monitor and review the ISMS
See ISO 27001 document for details

4.2.4 Maintain and improve the ISMS
See ISO 27001 document for details

Questions?