ISO17799 Maturity

Upload: myron-wilcox

Post on 13-Jan-2016


Page 1: ISO17799 Maturity

Page 2: Confidentiality

Confidentiality relates to the protection of sensitive data from unauthorized use and distribution.

Examples include:

Securing corporate data

Securing personnel (payroll, health) information

Secure Business – Need Security Infrastructures…

Page 3: Integrity

Integrity relates to maintaining the quality and validity of data.

Examples include:

Ensuring that the transactional systems aren’t modified by an unauthorized party

Page 4: Availability

Availability relates to ensuring that data is accessible.

Examples include:

Ensuring that processing can take place 24 hours a day

Page 5: What Is Information Security?

Key facets of an information security program include:

People – organization, responsibility, accountability, and leadership

Process – policies, procedures, and practices

Technology – scalable technical support for automation, integration, and enabling of information security operations.

Page 6: What Is Information Security?

Ultimately, information security is the method by which an organization ensures that it has control over its systems and data, thereby protecting its investment in information technology and its ability to maintain business operations.

Page 7: What Is Information Security?

Effective control requires executive sponsorship.

Everyone must know and agree to their responsibilities for maintaining effective controls.

Liability may depend on “due care”.

If you’re going to be plugged in, you accept responsibility.

Trust can’t be enforced.

-- Policy can.

Page 8: …Having An Enterprise View

Corporate information protection is based on a multi-layered approach. The structure limits the exposure of any one security breach; however, today the Internet cuts across traditional layers, and an unauthorized user could quickly exploit a weak layer.

Layers shown in the slide diagram, outermost to innermost: Internet, Perimeter, Network, Host, Application, Data. The diagram also labels the Security Program and Electronic Commerce, described below.

Security Program: Overall foundation to protect the environment and set policy for the other security layers. Includes monitoring, detection and response.

Perimeter Security: First layer of physical protection (Voice & Data). If breached, access to data is possible.

Network Security: First internal layer of protection. If breached, loss of control over data movement and/or data modification is possible.

Host Security: Protects computer, application and data. If breached, data could be altered and/or deleted.

Application Security: Protects application and data. If breached, data could be altered and/or deleted.

Internet Security: Protects the data that is visible to the Internet from Web pages and via corporate communications. If breached, corporate image and/or communications can be compromised.

E-Commerce Security: Protects the data while communicating across the organization and outside the organization. If breached, all corporate layers of security can be compromised.

Page 9: Where did ISO17799 Originate?

Began as UK Department of Trade and Industry (DTI) Code of Practice

Facilitated trade in trusted environments

Led to British Standard 7799 (BS7799)

Adopted as ISO17799 in December 2000

Page 10: What is ISO17799?

A comprehensive set of controls comprising best practices in information security

Controls-based policy

Measurable

Certifiable

Risk-management based

Internationally recognized

Page 11: What is ISO17799?

10-Section Standard

• Security Policy

• Organizational Security

• Asset Classification & Control

• Personnel Security

• Physical and Environmental Security

• Computer & Operations Management

• Access Control

• System Development and Maintenance

• Business Continuity Planning

• Compliance

Page 12: What is ISO17799?

Security Policy

• To provide management direction and support for information security.

» Policy – program

Page 13: What is ISO17799?

Security Organization

• To manage information security both in and out of the organization.

» Infrastructure – leadership

» Third party access – contracts

» Outsourcing – SLAs

Page 14: What is ISO17799?

Asset Classification & Control

• To maintain appropriate protection of corporate assets and to ensure that information assets receive an appropriate level of protection.

» Accountability – ownership

» Information classification – appropriateness

Page 15: What is ISO17799?

Personnel Security

• To reduce risk of human error, maintain awareness, and minimize damage from incidents.

» Job resourcing – background

» User training – awareness

» Incident response – procedures

Page 16: What is ISO17799?

Physical and Environmental Security

• To prevent unauthorized access, damage and interference to business premises and information.

» Secure areas – physical control

» Equipment security – individual

» General controls – common sense

Page 17: What is ISO17799?

Computer & Operations Management

• To ensure the correct and secure operations of information systems.

» Procedures / responsibilities – who & how

» Planning & acceptance – capacity

» Malicious software – virus

» Housekeeping – backup

» Network management – segregation of duties

» Media handling – disposal

» Information exchange – agreements

Page 18: What is ISO17799?

Access Control

• To control access to information.

» Policy – existence

» User access management – authorization

» User registration – maintenance

» User responsibilities – awareness

» Network access – interfaces

» Operating system access – foundation

» Application access – segregation

» Monitoring – detection

» Mobile access – ubiquitousness

Page 19: What is ISO17799?

System Development and Maintenance

• To ensure that security is built into information systems.

» Security in applications – integrity

» Cryptographic controls – confidentiality

» Input / Output controls

» Security of system files – foundation

» Security in development – change control

Page 20: What is ISO17799?

Business Continuity Planning

• To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.

» Management process – not tech!

» Impact analysis – risk assessment

» Continuity plans – existence

» Planning framework – consistency

» Test, test, test! – update

Page 21: What is ISO17799?

Compliance

• To avoid breaches of compliance with law & policy and maximize effectiveness of system audits.

» Legal requirements – money

» Reviews – policy and technology

» System audit – impact

Page 22: How Will Organizations Benefit?

Standardization – efficiency & automation

Competitive advantage

Risk management – not security for the sake of security

Cost-effectiveness

Move from reactive to proactive

Accepted framework for policy

Page 23: How Will Organizations Benefit?

1) Driver for process improvement

2) Meet business partner requirements

3) Maintain regulatory compliance

4) Measure the effectiveness of information security efforts

5) (ROI!)