Applying ISO 27000

Upload: blackbeast8

Post on 03-Jun-2018

TRANSCRIPT

  • 8/11/2019 Applying ISO 27000

    1/16

    Applying ISO 27000 to Address Compliance Mandates
    A Global Information Security Standard

    2010. All Rights Reserved. ecfirst.

    Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP)
    Author, Cyber Security Strategy: The 4 Laws of Information Security

    Copyright. 2010. All Rights Reserved. ecfirst.

    ISO 27000: An International Security Standard

    A comprehensive set of controls comprising best practices in information security

    Comprised of:
    A code of practice
    A specification for an information security management system

    Intended to serve as a single reference point for identifying a range of controls needed for most situations where information systems are used in industry and commerce


    PCI DSS

    PCI DSS requirements apply to all members, merchants, and service providers that store, process, or transmit cardholder data.

    Organizations are struggling in several areas, including:
    Addressing transmission security requirements
    Tracking and monitoring access to networks and systems with cardholder data
    Encryption of card data
    Conducting comprehensive vulnerability scans
    Controlling logical access to systems containing card data

    Businesses are holding onto too much customer personal information unnecessarily, and for too long.


    The PCI DSS Standard: Are You Impacted?

    1. Build and Maintain a Secure Network
       1. Firewall configuration
       2. Vendor defaults
    2. Protect Cardholder Data
       3. Protect stored cardholder data
       4. Encrypt transmission
    3. Maintain a Vulnerability Management Program
       5. Update anti-virus software
       6. Maintain secure systems and applications
    4. Implement Strong Access Control Measures
       7. Restrict access on a need-to-know basis
       8. Assign unique IDs
       9. Restrict physical access
    5. Regularly Monitor and Test Networks
       10. Track and monitor all access
       11. Regularly test security processes
    6. Maintain an Information Security Policy
       12. Maintain policies


    HITECH is HIPAA v2.0

    Title XIII of the American Recovery and Reinvestment Act (ARRA) is the Health Information Technology for Economic and Clinical Health (HITECH) Act.

    Privacy and Security Breach Notification to Individuals
    Notices sent without unreasonable delay
    No later than 60 calendar days after discovery

    Business Associates = Covered Entities?
    Business associates must report privacy and security breaches
    Subject to the same civil and criminal penalties as covered entities

    New Penalties Defined

    Personal Health Record Vendors Now Covered!
    Impacts vendors of PHRs as well as entities that access information in, or send information to, a PHR
    Vendors must inform the FTC and each affected individual if a privacy or security breach occurs


    State Regulations: CA to MA - Taking Security Mandates Further

    California
    SB 1386 requires notification of security breaches involving unencrypted sensitive data
    AB 1950 requires that organizations take reasonable precautions to protect CA residents' personal data
    AB 1298 expands the data breach notification law to include unencrypted medical histories, health insurance information, medical treatments and diagnoses
    SB 541 requires that breaches be disclosed to the affected patients
    AB 211 includes fines from $2,500 to $25,000 per violation for organizations that negligently disclose patient records

    Massachusetts
    201 CMR 17.00 establishes minimum standards for safeguarding personal information contained in both paper and electronic records


    ISO 27001

    The ISO 27001 standard provides a model for:
    Establishing
    Implementing
    Operating
    Monitoring
    Reviewing
    Maintaining
    Improving
    an Information Security Management System (ISMS) within the context of an organization's overall business risks.

    The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management, can be referred to as a "process approach".


    ISO 27002

    Consists of 11 security control clauses (sections). These contain 39 main security categories, plus 1 introductory clause (risk assessment and treatment).

    Each clause contains a number of main security categories. Each main security category includes:
    A Control Objective (what is to be achieved)
    One or more Controls (that can be applied to achieve the control objective)


    ISO 27002 Security Clauses

    1. Security Policy (1) [2]
    2. Organization of Information Security (2) [11]
    3. Asset Management (2) [5]
    4. Human Resources Security (3) [9]
    5. Physical and Environmental Security (2) [13]
    6. Communications and Operations Management (10) [33]
    7. Access Control (7) [24]
    8. Information Systems Acquisition, Development and Maintenance (6) [16]
    9. Information Security Incident Management (2) [5]
    10. Business Continuity Management (1) [5]
    11. Compliance (3) [10]

    The number in ( ) signifies the categories within the clause; the number in [ ] signifies the total number of controls within the clause. The counts sum to 39 categories and 133 controls.


    Risk Assessment & Treatment: Introductory Clause 0 (4)

    The information security risk assessment should have a clearly defined scope in order to be effective.
    The results should guide and determine appropriate management action and priorities for managing risks and for implementing the controls selected to protect against these risks.

    Consists of two categories:
    Assessing Security Risks
    Treating Security Risks


    Security Policy: Clause 1 (5)

    Establishes the dial-tone for security in the organization.
    Critical elements include:
    Establishing management direction for information security
    Regular updates and reviews

    Consists of 1 category:
    Information Security Policy (5.1)


    Organization of Information Security: Clause 2 (6)

    The objective is:
    To manage information security within the organization
    To maintain the security of the organization's information and information processing facilities that are accessed, processed, communicated to, or managed by external parties

    Consists of two categories:
    1. Internal Organization
    2. External Parties

    The team of managers should consist of individuals representing all areas of the organization.
    The information security management team is responsible for the implementation of controls to meet security policy requirements.


    Asset Management: Clause 3 (7)

    This clause is intended to provide guidance for the creation and maintenance of an effective method of tracking all organizational assets.
    Examples of organizational assets include computer hardware, software, proprietary databases and processes, human resources, and services.

    Consists of two categories:
    1. Responsibility for Assets
    2. Information Classification


    Human Resources Security: Clause 4 (8)

    Provides guidance for the development and maintenance of an effective program to protect the organization from:
    Fraud
    Theft
    Inappropriate use of organizational resources by workforce members

    Consists of three categories:
    1. Prior to Employment
    2. During Employment
    3. Termination and Change of Employment


    Physical and Environmental Security: Clause 5 (9)

    Provides guidance for the development and maintenance of a comprehensive strategy for the protection of an organization's physical assets.
    Includes the establishment of a security perimeter around facilities and data processing centers.
    Removal of assets should also be strictly controlled.

    Consists of two categories:
    1. Secure Areas
    2. Equipment Security


    Communications & Operations Management: Clause 6 (10)

    Provides guidance for the development and maintenance of a comprehensive plan to ensure an organization's information processing facilities are operated in a secure and controlled manner.
    Segregation of duties should be implemented, where appropriate, to reduce the risk of negligent or deliberate system misuse.


    Access Control: Clause 7 (11)

    Provides guidance for the development and maintenance of a comprehensive physical and logical information access control strategy.
    Prevention of unauthorized access to information resources is a key objective.

    Key requirements include:
    Development of user creation and termination procedures
    Role-based access control
    Periodic review of users' access to information


    Information Systems Acquisition, Development & Maintenance: Clause 8 (12)

    Provides guidance for the development and maintenance of a comprehensive strategy to ensure the confidentiality and integrity of information systems.

    Categories defined for this clause include:
    1. Security Requirements of Information Systems
    2. Correct Processing in Applications
    3. Cryptographic Controls
    4. Security of System Files
    5. Security in Development and Support Processes
    6. Technical Vulnerability Management


    Information Security Incident Management: Clause 9 (13)

    This clause provides guidance for the development and maintenance of a comprehensive strategy for responding to a security violation.

    Consists of two categories:
    Reporting Information Security Events and Weaknesses
    Management of Information Security Incidents and Improvements


    Data Breaches Reach New Heights

    Cost of a data breach rose to $202 for each compromised record
    Average cost of a healthcare breach was $282 for each record
    Average expense to an organization was $6.6 million
    Vast majority caused by negligence
    Portable devices and laptops are responsible for a growing number of breaches

    Source: The Wall Street Journal, February 2, 2009

    How prepared is your organization?


    Business Continuity Management: Clause 10 (14)

    This clause provides guidance for the development and implementation of a comprehensive strategy to ensure continued business operation in the event of a catastrophic failure of systems or facilities.

    Key parts of a comprehensive strategy include:
    Procedures for failover to backup systems
    Recovery of failed systems
    Relocation of workforce members to alternate locations

    The only category defined in this clause is:
    1. Information Security Aspects of Business Continuity Management


    Business Impact Analysis (BIA)

    Understand the impact of a threat on the business.

    Identify:
    Critical business functions or services
    Critical computer resources that support key business functions
    Disruption impacts and allowable outage times

    Develop recovery priorities.
    Must understand each department's/unit's operational and fiscal impact.
    Understand the mission of each service.


    Compliance: Clause 11 (15)

    The purpose of this clause is to provide guidance for the development and maintenance of a comprehensive plan to ensure compliance with any and all applicable statutes governing the organization.

    Consists of three categories:
    1. Compliance with Legal Requirements
    2. Compliance with Security Policies and Standards, and Technical Compliance
    3. Information Systems Audit Considerations


    HITECH, HIPAA, PCI, FACTA Mandates: Be Audit Ready, Always!

    "If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds."
    McGeorge Bundy, National Security Advisor to Presidents Kennedy & Johnson


    Audit Guidance: Preparing for Audits by OCR, FTC & Others

    Entity-wide Security Plan
    Risk Analysis (most recent)
    Risk Management Plan (addressing risks identified in the Risk Analysis)
    Security violation monitoring reports
    Vulnerability scanning plans
    Results from most recent vulnerability scan
    Network penetration testing policy and procedure
    Results from most recent network penetration test
    List of all user accounts with access to systems which store, transmit, or access EPHI (for active and terminated employees)
    Encryption or equivalent measures implemented on systems that store, transmit, or access EPHI

    Visit www.HIPAAAcademy.net for details.
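    The access-review requirements in the Access Control clause (user creation and termination procedures, periodic review of users' access) and the audit artifact listed above (a list of all user accounts on EPHI systems, for active and terminated employees) come together in one routine task: reconciling an account export against the HR roster. The following is an added example written for this page, not code from the ecfirst deck or its training material. The CSV layouts, the system names (ehr-db, billing), user names, employee IDs and dates are all constructed, and the 90-day dormancy threshold is an assumed policy value.

```python
"""Periodic user access review: reconcile system accounts against the HR roster.

Added example (not from the ecfirst deck). All data below is constructed; the
CSV layouts are assumptions about what an HR export and an account export hold.
"""
import csv
import io
from collections import Counter, namedtuple
from datetime import date

# Constructed HR roster: one row per workforce member.
HR_ROSTER_CSV = """employee_id,name,status,termination_date
E100,Ana Ruiz,active,
E101,Ben Ortiz,terminated,2010-01-15
E102,Cai Lin,active,
E103,Dee Shah,terminated,2010-03-02
"""

# Constructed account export from two systems that store or access EPHI.
ACCOUNTS_CSV = """system,username,employee_id,last_login
ehr-db,aruiz,E100,2010-03-28
ehr-db,bortiz,E101,2010-01-14
ehr-db,clin,E102,2009-11-30
billing,dshah,E103,2010-03-05
billing,aruiz,E100,2010-03-29
billing,svc_reports,,2010-03-29
ehr-db,jdoe,E999,2010-03-20
"""

REVIEW_DATE = date(2010, 3, 31)   # date the review is performed
DORMANT_DAYS = 90                 # assumed policy: no login this long = dormant

Finding = namedtuple("Finding", "system username issue detail")


def _parse_date(text):
    """Return a date for an ISO-8601 string, or None for an empty field."""
    return date.fromisoformat(text) if text else None


def load_roster(text):
    """Map employee_id -> HR record, with termination_date parsed to a date."""
    roster = {}
    for row in csv.DictReader(io.StringIO(text)):
        row["termination_date"] = _parse_date(row["termination_date"])
        roster[row["employee_id"]] = row
    return roster


def load_accounts(text):
    """Return account rows with last_login parsed to a date (None if never)."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        row["last_login"] = _parse_date(row["last_login"])
        accounts.append(row)
    return accounts


def review_access(roster, accounts, review_date=REVIEW_DATE, dormant_days=DORMANT_DAYS):
    """Flag accounts that fail the review. One account may raise several findings.

    no_owner                - no employee_id: shared/service account, nobody accountable
    unknown_owner           - employee_id not in HR: need-to-know cannot be confirmed
    terminated_owner        - owner has left but the account still exists
    login_after_termination - activity after the termination date: treat as an incident
    dormant                 - no login within dormant_days: candidate for removal
    """
    findings = []
    for acct in accounts:
        sysname, user = acct["system"], acct["username"]
        emp_id, last = acct["employee_id"], acct["last_login"]
        emp = roster.get(emp_id) if emp_id else None
        if not emp_id:
            findings.append(Finding(sysname, user, "no_owner",
                                    "shared or service account with no accountable individual"))
        elif emp is None:
            findings.append(Finding(sysname, user, "unknown_owner",
                                    f"employee_id {emp_id} not found in HR roster"))
        elif emp["status"] == "terminated":
            term = emp["termination_date"]
            findings.append(Finding(sysname, user, "terminated_owner",
                                    f"owner terminated on {term}, account still present"))
            if last and term and last > term:
                findings.append(Finding(sysname, user, "login_after_termination",
                                        f"last login {last} is after termination {term}"))
        if last is None or (review_date - last).days > dormant_days:
            findings.append(Finding(sysname, user, "dormant",
                                    f"no login in the last {dormant_days} days"))
    return findings


def summarize(findings):
    """Count findings per issue type, for the review report."""
    return Counter(f.issue for f in findings)


if __name__ == "__main__":
    results = review_access(load_roster(HR_ROSTER_CSV), load_accounts(ACCOUNTS_CSV))
    for f in results:
        print(f"{f.system:8} {f.username:12} {f.issue:24} {f.detail}")
    print(dict(summarize(results)))
```

    Run as-is, it reports the findings for the constructed data; in practice the two CSV strings are the exports an auditor asks for. The terminated-owner and login-after-termination cases are reported separately on purpose: the first is a control failure (the termination procedure did not remove the account), the second is evidence that the account was used after the owner left and belongs in the incident process, not just in the access-review report.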


    Establish An Information Security Program Strategy: Core to the Edge and the Cloud

    Examine the ISO 27000 Security Series!

    [Diagram: layered defenses around Critical Info & Vital Assets - Firewall Systems, IDS/IPS, Authentication, Encryption, Physical Security]

    Approach: Risk-based, Proactive, Integrated


    Pabrai's Laws of Information Security: Is Your Security Kismet or Karma?

    1. There is no such thing as a 100% secure environment
    2. Security is only as strong as your weakest link
    3. Security defenses must be integrated and include robust (passive) and roving (active) controls to ensure a resilient enterprise
    4. Security incidents provide the foundation for security intelligence

    Is your enterprise security Kismet or Karma?
    Kismet: A Reactive Security Framework
    Karma: A Proactive Security Framework
    Source: www.ecfirst.com


    About ecfirst

    Over 1,400 clients served, including HP, Microsoft, Cerner, McKesson, PNC Bank and hundreds of hospitals and government agencies

    Compliance & Security


    Thank You!

    Exclusive ISO 27000 Solutions from ecfirst include:
    Managed Compliance Services Program (MCSP) for ISO 27000
    ISO 27000 1-Day Training Program Delivered On-site
    ISO 27002 Security Policy Templates
    ISO 27002 to HIPAA Matrix (Mapping)

    CHP + CSCS Credentials: 2 Valued Credentials

    Network with Pabrai on LinkedIn, Twitter

    Contact John Schelewitz to discuss your initiatives
    P: 1.480.663.3225, or E: [email protected]
    Pabrai at [email protected] or 1.949.260.2030

    Visit www.ecfirst.com