ISO 27002

Lecturer: CH. Nguyễn Duy
Email: nguyenduy0606@gmail.com
Content
What is data security?
What is ISO 27001?
What is ISO 27002?
Analyze ISO 27001-2005
Analyze ISO 27002-2005
Nguyễn Duy, Intranet and Internet Management and Security, slide 2
Risk relationship
What is data security?
The source of data loss
Data types and the channels through which each leaks (figure):
Data-in-Motion: Email, Web Post, Network, IM Chat
Data-at-Rest: Desktop/Laptop, Database, File Share
Data-in-Use: Removable Media, Screen, Printer, Clipboard
DLP coverage by data type (figure):
Data-in-Motion: DLP Monitor attached to the switch; DLP Prevent in line with the Firewall, Web Gateway and Email Gateway
Data-at-Rest: DLP Discover scanning databases or repositories
Data-in-Use: DLP Endpoint on user devices
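Content inspection of the kind a DLP Discover (data-at-rest) or DLP Monitor (data-in-motion) component applies to files and messages, added here as an example; it is not code from the original slides or from any DLP product. The sample documents are constructed, card-number candidates are confirmed with the Luhn checksum so that ordinary reference numbers are not reported, and the "five or more addresses" threshold for bulk contact data is an assumed policy value.

```python
"""Content inspection of the kind a DLP Discover (data-at-rest) or DLP
Monitor (data-in-motion) component runs over files and messages.

Added example, not code from the original slides or any DLP product.
The sample documents are constructed; the bulk-contact threshold is an
assumed policy value.
"""
from __future__ import annotations

import re

# Candidate primary account numbers: 13 to 19 digits, optionally grouped
# with spaces or hyphens. The pattern over-matches on its own, so every
# candidate is confirmed with the Luhn checksum before it is reported.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
_EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

BULK_CONTACT_THRESHOLD = 5  # assumed: this many addresses in one file counts as bulk contact data


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card-number candidates in text, separators removed."""
    hits = []
    for match in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def classify(text: str) -> dict:
    """Severity verdict for one document or message body."""
    pans = find_pans(text)
    emails = _EMAIL_RE.findall(text)
    if pans:
        severity = "high"       # card data: block (DLP Prevent) or quarantine
    elif len(emails) >= BULK_CONTACT_THRESHOLD:
        severity = "medium"     # bulk personal data: alert and review
    else:
        severity = "none"
    return {"pans": pans, "emails": emails, "severity": severity}


def scan(docs: dict[str, str]) -> dict[str, dict]:
    """Classify every document in a {name: body} mapping (a file share, a mailbox, ...)."""
    return {name: classify(body) for name, body in docs.items()}


# Constructed sample corpus: one true card number, one 13-digit reference
# that looks like a card number but fails Luhn, and a contact list.
SAMPLE_DOCS = {
    "invoice.txt": "Card 4111 1111 1111 1111 charged on 2024-06-30 for order 77812.",
    "notes.txt": "Ticket ref 1234567890123 escalated to the DBA team.",
    "contacts.csv": (
        "name,email\n"
        "An,an@example.com\n"
        "Binh,binh@example.com\n"
        "Chi,chi@example.org\n"
        "Dung,dung@example.net\n"
        "Em,em@example.com\n"
    ),
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_DOCS).items():
        print(f"{name}: {verdict['severity']} "
              f"(pans={len(verdict['pans'])}, emails={len(verdict['emails'])})")
```

The same classify() routine serves every point in the figure: Discover runs it over repositories, Monitor over reassembled traffic, Endpoint over clipboard and print spooler content; only the response (report, alert, block) differs by placement.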
Threat Agent
Human: Employee, Attacker
Machine
Nature
Data security
Defense in Depth Layers
What is ISO 27001
ISO 27001 formally specifies how to establish an Information Security Management System (ISMS).
ISO 27001 provides a system for monitoring and maintaining:
  Confidentiality of information
  Integrity of information
  Availability of information
The design and implementation of an organization's ISMS is influenced by its business and security objectives, its security risks and control requirements, the processes employed and the size and structure of the organization.
Benefits of ISO 27001
Business continuity
Assessment of risks and implementation of ways to reduce their effects
Regular assessment to maintain effectiveness
Improved security
Access control
Provides an internal management process
ISMS process model (figure, PDCA applied to ISMS processes):
Input: interested parties' information security requirements and expectations
PLAN: establish the ISMS
DO: implement and operate the ISMS
CHECK: monitor and review the ISMS
ACT: maintain and improve the ISMS
Output: managed information security delivered to the interested parties
Management responsibility applies across the whole cycle
What is ISO 27002?
ISO 27002 is a Code of Practice: a large catalogue of information security controls.
The numerous information security controls recommended by the standard are meant to be implemented in the context of an ISMS, in order to address risks and satisfy applicable control objectives systematically.
Analyze ISO 27001-2005
Management Support
Management should actively support information security by giving clear direction (e.g. policies), demonstrating the organization's commitment, and explicitly assigning information security responsibilities to suitable people.
Management should approve the information security policy, allocate resources, assign security roles and co-ordinate and review the implementation of security across the organization.
Overt management support makes information security more effective throughout the organization, not least by aligning it with business and strategic objectives.
Defining ISMS scope
Management should define the scope of the ISMS in terms of the nature of the business, the organization, its location, information assets and technologies.
If commonplace controls are deemed not applicable, this should be justified and documented in the Statement of Applicability (SOA).
Inventory of Assets
An inventory of all important information assets should be developed and maintained, recording details such as:
  type of asset
  format (e.g. software, physical/printed, services, people, intangibles)
  location
  backup information
  license information
  business value (e.g. which business processes depend on it?)
Risk Assessment
Risk assessments should identify, quantify, and prioritize information security risks against defined criteria for risk acceptance and objectives relevant to the organization.
Assessing risks and selecting controls may need to be performed repeatedly across different parts of the organization and its information systems, and repeated to respond to changes.
Prepare Statement of Applicability
The Statement of Applicability (SOA) is a key ISMS document listing the organization's information security control objectives and controls.
The SOA is derived from the results of the risk assessment, where:
  risk treatments have been selected
  all relevant legal and regulatory requirements have been identified
Prepare Risk Treatment Plan
The organization should formulate a risk treatment plan (RTP) identifying the appropriate management actions, resources, responsibilities and priorities for dealing with its information security risks.
The RTP should be set within the context of the organization's information security policy and should clearly identify the approach to risk and the criteria for accepting risk.
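The three slides above (risk assessment, Statement of Applicability, risk treatment plan) describe one chain: score and prioritise risks against acceptance criteria, plan treatment for those above the threshold, and derive the SOA from the treatments chosen plus the legal requirements identified. The following is an added worked example of that chain, not code from the original deck or from the standard. The 5x5 scoring scale, the acceptance threshold, the risk register, the mapping from risks to control clauses and the SOA justification wording are all assumptions chosen for illustration; a real ISMS fixes them in its documented risk assessment methodology.

```python
"""Risk assessment -> risk treatment plan (RTP) -> Statement of
Applicability (SoA), following the sequence on the slides above.

Added example, not part of the original deck. The 5x5 scoring scale,
the acceptance threshold, the risk register, the control mapping and the
SoA justification text are assumptions chosen for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Risk:
    rid: str
    asset: str
    threat: str
    likelihood: int             # assumed scale 1 (rare) .. 5 (almost certain)
    impact: int                 # assumed scale 1 (negligible) .. 5 (severe)
    controls: list[str] = field(default_factory=list)   # ISO 27002 clauses the treatment relies on

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


# Criteria for risk acceptance (assumed): a score at or below this value
# may be accepted by the asset owner; anything above must be treated.
ACCEPTANCE_THRESHOLD = 6

# The 11 control clauses listed later in the deck.
ALL_CLAUSES = [
    "Security Policy", "Organization of Information Security", "Asset Management",
    "Human Resources Security", "Physical Security", "Communications and Ops Management",
    "Access Control", "Information Systems Acquisition, Development, Maintenance",
    "Information Security Incident Management", "Business Continuity", "Compliance",
]

# Clauses applicable regardless of the register, with the justification the
# SoA records (assumed wording).
MANDATED = {
    "Security Policy": "ISMS policy required by ISO 27001 itself",
    "Compliance": "legal and regulatory requirements identified during the assessment",
}

# Constructed risk register.
RISK_REGISTER = [
    Risk("R1", "customer database", "SQL injection via web application", 4, 5,
         ["Access Control", "Information Systems Acquisition, Development, Maintenance"]),
    Risk("R2", "staff laptops", "theft of unencrypted laptop", 3, 4,
         ["Physical Security", "Asset Management"]),
    Risk("R3", "office printer", "paper jam delays printing", 5, 1),
    Risk("R4", "file share", "ransomware encrypts shared files", 3, 5,
         ["Communications and Ops Management", "Business Continuity"]),
    Risk("R5", "reception area", "visitor badge reused after visit", 2, 2,
         ["Physical Security"]),
]


def assess(risks: list[Risk]) -> list[tuple[Risk, str]]:
    """Prioritise risks (highest score first) and decide accept or treat."""
    ranked = sorted(risks, key=lambda r: r.score, reverse=True)
    return [(r, "accept" if r.score <= ACCEPTANCE_THRESHOLD else "treat") for r in ranked]


def risk_treatment_plan(assessed: list[tuple[Risk, str]]) -> list[dict]:
    """One RTP entry per treated risk, in priority order."""
    return [{"risk": r.rid, "asset": r.asset, "score": r.score, "actions": list(r.controls)}
            for r, decision in assessed if decision == "treat"]


def statement_of_applicability(assessed: list[tuple[Risk, str]]) -> dict[str, dict]:
    """A clause is applicable if a treated risk relies on it or it is mandated;
    any other clause is recorded as not applicable with a justification."""
    relied_on = {}
    for r, decision in assessed:
        if decision == "treat":
            for clause in r.controls:
                relied_on.setdefault(clause, []).append(r.rid)
    soa = {}
    for clause in ALL_CLAUSES:
        if clause in relied_on:
            soa[clause] = {"applicable": True,
                           "justification": "treats " + ", ".join(relied_on[clause])}
        elif clause in MANDATED:
            soa[clause] = {"applicable": True, "justification": MANDATED[clause]}
        else:
            soa[clause] = {"applicable": False,
                           "justification": "no treated risk relies on this clause; revisit at next review"}
    return soa


if __name__ == "__main__":
    assessed = assess(RISK_REGISTER)
    for entry in risk_treatment_plan(assessed):
        print(entry)
    for clause, row in statement_of_applicability(assessed).items():
        print(f"{clause:60} {'yes' if row['applicable'] else 'no':3}  {row['justification']}")
```

Every SOA row carries a justification in both directions, which is what the "relationship from the selected controls back to the risk assessment" slide later asks for: an auditor can start at a control and find the risk (or legal requirement) that motivated it, or start at a risk and find its treatment.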
PDCA Model
Plan (establish the ISMS)
Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization's overall policies and objectives.
Do (implement and operate the ISMS)
Implement and operate the ISMS policy, controls, processes and procedures.
Check (monitor and review the ISMS)
Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience and report the results to management for review.
Act (maintain and improve the ISMS)
Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.
The ISMS
It is important to be able to demonstrate the relationship from the selected controls back to the risk assessment and risk treatment process, and subsequently back to the ISMS policy and objectives.
ISMS documentation should include:
  documented statements of the ISMS policy and objectives
  the scope of the ISMS
  procedures and other controls in support of the ISMS
  a description of the risk assessment methodology
  a risk assessment report and Risk Treatment Plan (RTP)
  procedures for effective planning, operation and control of the information security processes, describing how to measure the effectiveness of controls
  the Statement of Applicability (SOA)
Compliance Review and Corrective Actions
Management must review the organization's ISMS at least once a year to ensure its continuing suitability, adequacy and effectiveness.
They must assess opportunities for improvement and the need for changes to the ISMS, including the information security policy and information security objectives.
The results of these reviews must be clearly documented and maintained (records).
Reviews are part of the Check phase of the PDCA cycle.
Pre-Certification Assessment
Prior to certification, the organization should carry out a comprehensive review of the ISMS and SOA.
The organization will need to demonstrate compliance with both the full PDCA cycle and clause 8 of ISO 27001, the requirement for continual improvement.
The ISMS therefore needs a while to settle down, operate normally and generate records after it has been implemented.
Certification
Certification involves the organization's ISMS being assessed for compliance with ISO 27001.
The certification body needs to gain assurance that the organization's information security risk assessment properly reflects its business activities for the full scope of the ISMS.
Analyze ISO 27002-2005
Scope
Terms and definitions
Structure of this standard
Risk assessment and treatment
Policy
Scope
The standard gives information security management recommendations for those who are responsible for initiating, implementing or maintaining security.
Terms and definitions
Information security is explicitly defined as the preservation of confidentiality, integrity and availability of information.
Asset: anything that has value to the organization.
Control: means of managing risk, including policies, procedures, guidelines, practices or organizational structures.
Guideline: a description that clarifies what should be done and how, to achieve the objectives set out in policies.
Structure of this standard
This standard contains 11 security control clauses collectively containing a total of 39 main security categories, and one introductory clause introducing risk assessment and treatment.
Security Control Clauses (numbered 5 to 15 in the standard itself)
1. Security Policy
2. Organization of Information Security
3. Asset Management
4. Human Resources Security
5. Physical Security
6. Communications and Ops Management
7. Access Control
8. Information Systems Acquisition, Development, Maintenance
9. Information Security Incident Management
10. Business Continuity
11. Compliance
Main security categories
Each main security category contains:
  a control objective stating what is to be achieved
  one or more controls that can be applied to achieve the control objective
1. Security Policy
Objective: to provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
Management should set a clear policy direction in line with business objectives, and demonstrate support for, and commitment to, information security through the issue and maintenance of an information security policy across the organization.
1. Security Policy
Information security policy document:
Control
An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties.
Implementation guidance
The policy document should contain:
  a definition of information security
  a framework for setting control objectives and controls
  a brief explanation of the security policies, principles, standards, and compliance requirements of particular importance to the organization
  a definition of general and specific responsibilities
  references to documentation which may support the policy
Other information
...
2. Organization of Information Security
Internal organization
Objective: to manage information security within the organization.
  Management commitment to information security
  Information security co-ordination
  Allocation of information security responsibilities
  Authorization process for information processing facilities
  Confidentiality agreements
  Contact with authorities
  Contact with special interest groups
  Independent review of information security
External parties
Objective: to maintain the security of the organization's information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.
  Identification of risks related to external parties
  Addressing security when dealing with customers
  Addressing security in third party agreements
Identification of risks related to external parties. Factors to consider:
  the information processing facilities an external party is required to access
  the type of access the external party will have to the information and information processing facilities: physical access, logical access
  network connectivity between the organization's and the external party's network: permanent connection, remote access
  ...
Addressing security when dealing with customers. Security requirements to address:
  asset protection, including
    procedures to protect the organization's assets, including information and software, and management of known vulnerabilities
    procedures to determine whether any compromise of the assets, e.g. loss or modification of data, has occurred
    restrictions on copying and disclosing information
  description of the product or service to be provided
  ...
Addressing security in third party agreements. Examples of third parties:
  ISP
  Online services: Gmail, Yahoo, ...
  Distribution: hardware, software and services
3. Asset Management
Objective: to achieve and maintain appropriate protection of organizational assets.
Responsibility for assets
  Inventory of assets
  Ownership of assets
  Acceptable use of assets
Information classification
  Information should be classified in terms of its value, legal requirements, sensitivity, and criticality to the organization.
Inventory of assets. Types of assets:
  information: databases and data files, contracts and agreements, system documentation, research information, user manuals, training material
  software assets: application software, system software, development tools, and utilities
  physical assets: computer equipment, communications equipment, removable media, and other equipment
  services: computing and communications services, general utilities
  people, and their qualifications, skills, and experience
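The earlier "Inventory of Assets" slide lists what each record should carry (type, format, location, owner implied by "Ownership of assets", business value), and this slide fixes the asset types. An added example, not part of the original deck, of checking a register against those requirements follows; the CSV columns, the four-level classification scheme and the register contents are constructed.

```python
"""Asset register check: every entry must carry the details the
inventory slides call for (type, location, owner, business value) and a
classification from the organization's scheme.

Added example, not part of the original deck. The CSV columns, the
classification scheme and the register contents are constructed.
"""
from __future__ import annotations

import csv
import io

# Asset categories from the slides (information, software, physical, services, people, intangibles).
ASSET_TYPES = {"information", "software", "physical", "service", "people", "intangible"}
CLASSIFICATIONS = {"public", "internal", "confidential", "restricted"}   # assumed scheme
REQUIRED_COLUMNS = ("id", "name", "type", "owner", "location", "classification", "business_value")

# Constructed register: one row lacks an owner, one uses a label outside
# the scheme, and one id is entered twice.
SAMPLE_REGISTER = """\
id,name,type,owner,location,classification,business_value
A1,Customer database,information,DBA team,DC1 rack 4,confidential,order processing
A2,HR payroll application,software,HR lead,DC1 VM-17,restricted,monthly payroll
A3,Core switch,physical,,DC1 rack 1,internal,all network services
A4,Hosted email,service,IT ops,SaaS,secret,company mail
A5,Lead developer,people,Engineering manager,HQ 3F,internal,product releases
A1,Customer database (copy),information,DBA team,DC2,internal,reporting
"""


def load_register(text: str) -> list[dict]:
    """Parse the register CSV into one dict per asset row."""
    return list(csv.DictReader(io.StringIO(text)))


def check_register(rows: list[dict]) -> list[tuple[str, str]]:
    """Return (asset id, problem) pairs; an empty list means the register is complete."""
    findings = []
    seen = set()
    for row in rows:
        aid = (row.get("id") or "").strip()
        if aid in seen:
            findings.append((aid, "duplicate asset id"))
        seen.add(aid)
        for col in REQUIRED_COLUMNS:
            if not (row.get(col) or "").strip():
                findings.append((aid, f"missing {col}"))
        if row.get("type") not in ASSET_TYPES:
            findings.append((aid, f"unknown asset type {row.get('type')!r}"))
        if row.get("classification") not in CLASSIFICATIONS:
            findings.append((aid, f"classification {row.get('classification')!r} is not in the scheme"))
    return findings


if __name__ == "__main__":
    for aid, problem in check_register(load_register(SAMPLE_REGISTER)):
        print(f"{aid}: {problem}")
```

Run the check whenever the register is exported from the CMDB or asset tool; an asset without an owner has nobody to answer the "what business processes depend on it" question, and a classification label outside the scheme means the handling rules for that asset are undefined.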
4. Human Resources Security
Prior to employment
During employment
Termination or change of employment
Prior to employment
Objective: to ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.
  Roles and responsibilities
  Screening
  Terms and conditions of employment
Roles and responsibilities. Employees, contractors and third party users should:
  implement and act in accordance with the organization's information security policies
  protect assets from unauthorized access, disclosure, modification, destruction or interference
  execute particular security processes or activities
  ensure responsibility is assigned to the individual for actions taken
  report security events or potential events or other security risks to the organization
During employment
Objective: to ensure that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.
  Management responsibilities
  Information security awareness, education, and training
  Disciplinary process
Termination or change of employment
Objective: to ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.
  Termination responsibilities
  Return of assets
  Removal of access rights
5. Physical Security
Secure areas
  Physical security perimeter
  Physical entry controls
  Securing offices, rooms, and facilities
  Protecting against external and environmental threats
  Working in secure areas
  Public access, delivery, and loading areas
Equipment security
Equipment security
  Equipment siting and protection
  Supporting utilities
  Cabling security
  Equipment maintenance
  Security of equipment off-premises
  Secure disposal or re-use of equipment
  Removal of property
6. Communications and Ops Management
Operational procedures and responsibilities
Third party service delivery management
Protection against malicious and mobile code
Back-up
Network security management
Media handling
Exchange of information
Electronic commerce services
(The standard has two further categories in this clause, system planning and acceptance, and monitoring, which these slides do not cover.)
7. Access Control
Business requirement for access control
User access management
User responsibilities
Network access control
Operating system access control
Application and information access control
(The standard has a seventh category, mobile computing and teleworking, which these slides do not cover.)
Business requirement for access control
Access control policy
  Access control rules and rights for each user or group of users should be clearly stated in an access control policy.
  Access controls are both logical and physical.
User access management
User registration. The registration procedure should include:
  using unique user IDs
  checking that the user has authorization from the system owner
  checking that the level of access granted is appropriate to the business purpose
  giving users a written statement of their access rights
User access management (cont.)
Privilege management
  the access privileges associated with each system product should be identified
  privileges should be allocated to users on a need-to-use basis
  privileges should not be granted until the authorization process is complete
User access management (cont.)
User password management
  passwords should be complex
  passwords should never be stored on computer systems in an unprotected form
  default vendor passwords should be altered following installation of systems or software
  users should be given temporary passwords which they are forced to change immediately after first logon
User access management (cont.)
Review of user access rights
  users' access rights should be reviewed at regular intervals
  authorizations for special privileged access rights should be reviewed at more frequent intervals
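The two review rules on this slide, together with the "removal of access rights" control from the termination section, reduce to a check that can be run against an account export and the HR leaver list. An added example, not part of the original deck: the review intervals (180 days for ordinary rights, 90 for privileged), the account list, the leaver list and the review date are all constructed.

```python
"""Periodic review of user access rights, with the two rules on the
slides (regular review for everyone, more frequent review for privileged
rights) plus the termination rule from the human resources section
(access removed when someone leaves).

Added example, not part of the original deck. Review intervals, the
account list, the HR leaver list and the review date are constructed.
"""
from __future__ import annotations

from datetime import date, timedelta

# Assumed review intervals.
REVIEW_INTERVAL = {
    "standard": timedelta(days=180),
    "privileged": timedelta(days=90),
}

# Constructed account export (directory or application user list).
ACCOUNTS = [
    {"uid": "an.nguyen",  "level": "standard",   "last_review": date(2024, 1, 10), "enabled": True},
    {"uid": "svc-backup", "level": "privileged", "last_review": date(2024, 3, 1),  "enabled": True},
    {"uid": "root-admin", "level": "privileged", "last_review": date(2024, 5, 20), "enabled": True},
    {"uid": "binh.tran",  "level": "standard",   "last_review": date(2024, 4, 2),  "enabled": True},
    {"uid": "chi.le",     "level": "standard",   "last_review": date(2024, 5, 15), "enabled": False},
]

# Constructed HR feed of people whose employment has ended.
LEAVERS = {"binh.tran", "chi.le"}

TODAY = date(2024, 7, 1)   # review date used by the example


def review_due(account: dict) -> date:
    """Date by which this account's rights must be reviewed again."""
    return account["last_review"] + REVIEW_INTERVAL[account["level"]]


def review_findings(accounts, leavers, today):
    """Return (uid, finding) pairs; an empty list means nothing is outstanding."""
    findings = []
    for acc in accounts:
        if not acc["enabled"]:
            continue                      # disabled accounts need no review action
        if acc["uid"] in leavers:
            findings.append((acc["uid"], "active account belongs to a leaver; remove access rights"))
        due = review_due(acc)
        if today > due:
            findings.append((acc["uid"], f"{acc['level']} access review overdue since {due.isoformat()}"))
    return findings


if __name__ == "__main__":
    for uid, finding in review_findings(ACCOUNTS, LEAVERS, TODAY):
        print(f"{uid}: {finding}")
```

Note that the leaver check depends on the HR feed being joined to the account export by the same identifier; service accounts such as svc-backup never appear in HR data, so they need a named owner in the register for the review to be meaningful.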
User responsibilities
  Password use
  Unattended user equipment
  Clear desk and clear screen policy
Network access control
  Policy on use of network services
  User authentication for external connections
  Equipment identification in networks
  Segregation in networks
  Network connection control
  Network routing control
Operating system access control
  Secure log-on procedures
  User identification and authentication
  Password management system
  Use of system utilities
  Session time-out
  Limitation of connection time
Operating system access control
Secure log-on procedures. A good log-on procedure should:
  not display system or application identifiers until the log-on process has been successfully completed
  limit the maximum and minimum time allowed for the log-on procedure
  not display the password being entered, or hide the password characters with symbols
  not transmit passwords in clear text over a network
Operating system access control
Password management system. The system should:
  enforce the use of individual user IDs and passwords to maintain accountability
  allow users to select and change their own passwords
  enforce a choice of quality passwords
  enforce password changes
  store password files separately from application system data
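The "user password management" slide earlier (complexity, no unprotected storage, vendor defaults changed, temporary password forced to change at first logon) and the "password management system" slide above (individual IDs, user-chosen passwords, quality and change enforcement, credential store separate from application data) describe the same component. The following is an added example of such a component, not code from the original deck or from the standard; the minimum length, the PBKDF2 iteration count and the default-password list are assumed policy values, and "separate storage" is modelled by keeping credentials in their own object rather than alongside application records.

```python
"""Password handling that meets the user password management and password
management system controls on the slides: quality enforced, nothing stored
in unprotected form (salted, iterated PBKDF2), temporary passwords forced to
change at first logon, vendor defaults rejected, credential store separate
from application data.

Added example, not part of the original deck. Minimum length, the
iteration count and the default-password list are assumed policy values.
"""
from __future__ import annotations

import hashlib
import hmac
import os

MIN_LENGTH = 12                    # assumed policy
PBKDF2_ITERATIONS = 600_000        # PBKDF2-HMAC-SHA256 work factor (current OWASP guidance)
VENDOR_DEFAULTS = {"admin", "password", "changeme", "12345678", "root"}   # assumed list
_DUMMY_SALT = b"\x00" * 16


def password_quality_ok(pw: str) -> bool:
    """Length plus at least three character classes; never a known default."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return len(pw) >= MIN_LENGTH and sum(classes) >= 3 and pw.lower() not in VENDOR_DEFAULTS


def hash_password(pw: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class PasswordStore:
    """Credential store held apart from application data (an in-memory dict here)."""

    def __init__(self) -> None:
        self._records = {}   # uid -> {"salt", "hash", "must_change"}

    def create_user(self, uid: str, temporary_password: str) -> None:
        """Administrator issues a temporary password; the user must replace it at first logon."""
        salt, digest = hash_password(temporary_password)
        self._records[uid] = {"salt": salt, "hash": digest, "must_change": True}

    def verify(self, uid: str, pw: str) -> bool:
        rec = self._records.get(uid)
        if rec is None:
            hash_password(pw, _DUMMY_SALT)     # equalise timing for unknown user IDs
            return False
        _, digest = hash_password(pw, rec["salt"])
        return hmac.compare_digest(digest, rec["hash"])

    def logon(self, uid: str, pw: str) -> str:
        """'ok', 'change-required' (temporary password still in use) or 'denied'."""
        if not self.verify(uid, pw):
            return "denied"
        return "change-required" if self._records[uid]["must_change"] else "ok"

    def change_password(self, uid: str, old_pw: str, new_pw: str) -> bool:
        """Users choose their own password; quality is enforced and the current one cannot be reused."""
        if not self.verify(uid, old_pw):
            return False
        if not password_quality_ok(new_pw) or self.verify(uid, new_pw):
            return False
        salt, digest = hash_password(new_pw)
        self._records[uid] = {"salt": salt, "hash": digest, "must_change": False}
        return True


if __name__ == "__main__":
    store = PasswordStore()
    store.create_user("an.nguyen", "Temp-Pass-9081")
    print(store.logon("an.nguyen", "Temp-Pass-9081"))
    print(store.change_password("an.nguyen", "Temp-Pass-9081", "Tr0ng-Mat-Khau!2024"))
    print(store.logon("an.nguyen", "Tr0ng-Mat-Khau!2024"))
```

The 2005 text only says "not in an unprotected form"; a salted, iterated hash with a constant-time comparison is the minimum that satisfies it today, and a memory-hard function (Argon2, scrypt) is preferable where the platform offers one. Nothing here covers transport: the "not transmit passwords in clear text" rule on the log-on slide is met by the channel (TLS), not by the store.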
Application and information access control
  Information access restriction
  Sensitive system isolation
8. Information Systems Acquisition, Development, Maintenance
9. Information Security Incident Management
10. Business Continuity
11. Compliance
Questions?