Information Security Standard ISO/IEC 27000 and ISO/IEC 27001

Information Security assignment (Trabalho de Segurança da Informação), MCI 2012/13
Lecturer: José Manuel de Magalhães Cruz
Faculdade de Engenharia da Universidade do Porto
Mestrado em Ciência da Informação (Master's in Information Science)

Information Security

Increased dependence of firms on information technologies and systems + evolution of the Web + proliferation of information.

• Access control to information is a fundamental requirement in organizational systems;
• Establishing a security policy;
• Managing information security risks so that information is not denied or made unavailable, lost, destroyed or damaged, disclosed without authorization, or stolen.

Information Security Management Systems


Information Security

• Ensuring the protection and preservation of existing information in any format;
• Risk analysis to identify all the risks that threaten the information, pointing to solutions that eliminate, minimize or transfer those risks.

Beal (2005, p. 71) defines Information Security as "the process of protecting information from threats to ensure its integrity, availability and confidentiality."

CONFIDENTIALITY INTEGRITY AVAILABILITY AUTHENTICITY

Threats are all situations that put Information Security in question:
• Natural phenomena
• Human causes (theft and fraud)
• Technical defects (hardware and software failures)
• Purposeful attacks (hackers, virus disseminators, among others)


Access Control: controls which persons are authorized to enter a given location, logs the date and time of each access, and decides which permissions each user has.

Intrusion Detection: alerts administrators to potential intruders entering the systems. These systems attempt to recognize intrusive behaviour or actions.

Encryption: the art of encoding that enables a reversible transformation of information in order to make it unintelligible to third parties.

Digital Signature: a set of encrypted data associated with a document that guarantees its integrity and authenticity.

Protection of Stored Data: antivirus software that is able to detect and remove malicious programs or files.

Disaster Recovery: emergency plans to ensure the preservation of documents and the physical integrity of an organization's employees in case of natural disasters.


Standards ISO/IEC 27000 and 27001

Standard ISO/IEC 27000: vocabulary and definitions
Standard ISO/IEC 27001: requirements

Standard ISO/IEC 27000

It is a standard for the certification of management systems, applied in this case to the implementation of Information Security Management Systems (ISMS).

• Contains the terms and definitions used throughout the series, a clearly defined vocabulary that avoids divergent interpretations;
• Includes standards that define the requirements for an ISMS and for the certification of such systems, and provides direct support and detailed guidance for the processes and requirements of the PDCA cycle;
• Supports organizations of any sector in understanding the fundamentals, principles and concepts that enable better management of their information assets.

Good Management of Information Security


Some terms defined in Standard

Access control - means of ensuring that access to assets is permitted and restricted based on business and security requirements;

Responsibility - the responsibility of an entity for its actions and decisions;

Assets - anything that has value to the organization (information, software, the computer itself, services, people, etc.);

Corrective action - action to eliminate the cause of a detected nonconformity or other undesirable situation;

Authentication - providing assurance that a characteristic claimed by an entity is correct;

Authenticity - the property that an entity is really what it claims to be;

Availability - the property of being accessible and usable by an authorized entity;

Confidentiality - the property that information is not made available or disclosed to unauthorized individuals, entities or processes;


Information Security - preservation of the confidentiality, integrity and availability of information;

Management System of Information Security - the part of the overall management system, based on a business risk approach, that establishes, implements, operates, monitors, reviews, maintains and improves information security;

Integrity - the property of protecting the accuracy and completeness of assets;

Risk - combination of the probability of an event and its consequences;

Risk analysis - the systematic use of information to identify sources and to estimate the risk;

Risk management - coordinated activities to direct and control an organization with regard to a particular risk;

Threat - a potential cause of an undesired event, which may result in damage to a system or entity;

Vulnerability - a weakness of an asset or control that can be exploited by a threat.


Security Management System

Provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the protection of information assets.

The successful implementation of an ISMS depends on the analysis of requirements and on appropriate controls to protect information assets.

The main result of implementation is a reduction of information security risks.

For the ISMS to be certifiable, it must satisfy the set of requirements defined by ISO/IEC 27001.

Some basic principles for a successful implementation of an ISMS:
• Awareness of the need for information security;
• Allocation of responsibilities for information security;
• Incorporating the commitment of management and the interests of all stakeholders;
• Reinforcing societal values;
• Assessing the risks to determine the appropriate controls to achieve acceptable levels of risk;
• Active prevention and detection of information security incidents;
• Continuous reassessment of information security.


Process Approach

A process is the transformation of inputs into outputs using a set of interconnected or interacting activities.

In the ISMS family of standards, the process approach is based on the use of the PDCA cycle:

• PLAN - Establish the policies, objectives, processes and procedures relevant to managing risk and improving information security, in line with the organization's strategy.

• DO - Implement and operate the policies, controls, processes and procedures.

• CHECK - Assess process performance against the policies and objectives of the ISMS, and report the results to management for review.

• ACT - Take corrective and preventive actions based on the results of internal ISMS audits and other information from management or other relevant sources.


Standard ISO/IEC 27001

Published in 2005.

Designed to specify the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS.

Certification is not a requirement of ISO/IEC 27001; it is a decision of the organization. Nevertheless, eighteen months after its publication more than 2000 organizations in over 50 countries had been certified, and growth in this area has continued.

ISO/IEC 27001 is universal for all types of organizations and specifies requirements for implementing security controls customized to the needs of an organization.


Application

Certification usually involves a two-stage audit process:

Stage 1 - Review of the organization's key documentation and security policy, statement of applicability (SOA) and risk treatment plan (PTR).

Stage 2 - An audit involving in-depth checking of the ISMS controls stated in the SOA and the PTR, as well as the supporting documentation.

Renewal of the certificate involves periodic reviews confirming that the ISMS continues to work as intended.

ISO/IEC 27001 involves several components:

The Management System of Information Security:
• Establish, implement, operate, monitor, review, maintain and improve the ISMS;
• Documentation requirements;
• Document control;
• Records control.


Management responsibilities:
• Management commitment;
• Management and provision of resources;
• Training, awareness and competence.

Internal audits, which determine whether the ISMS:
• Meets the standard;
• Meets the identified security requirements;
• Runs as expected.

The entire procedure is documented in an audit report, and auditors cannot audit their own work, which ensures objectivity and impartiality.

Management review of the ISMS:
• Input: results of audits and reviews, status of preventive and corrective actions, vulnerabilities not adequately addressed in previous reviews, findings, recommendations and changes;
• Output: opportunities to include improvements and changes, modification of the ISMS and resource needs.

Improving the ISMS:
• Continual improvement through the use of the established policy, audit results, analysis of monitored events and corrective actions (the previous steps);
• Elimination of nonconformities through corrective and preventive actions.


Reconciling ISO/IEC 27000 and 27001

There is no absolute security, because 100% of risks and threats cannot be eliminated. However, a previously defined control plan can exist.

Standard 27000 serves to define terms and definitions, while standard 27001 sets out requirements for the future implementation of a Management System of Information Security.

Information security management should be carried out taking into account the control measures suggested by both standards: the PDCA process model and the process of risk analysis, assessment and treatment.


PDCA Process Model

Diagram: the PDCA cycle applied to the Management System of Information Security, driven by the requirements and expectations of information security.
PLAN - Establish the ISMS
DO - Implement and operate the ISMS
CHECK - Monitor and review the ISMS
ACT - Maintain and improve the ISMS

This model is based on process control and verification of information security systems.

The result of the PDCA process is the correct management of information systems security, based on the expectations and needs of an organization.


Analysis and risk assessment

Risk management and assessment are the key aspects of ISO 27001. The risk assessment should result in a list of identified risks, ranked in order of severity, for later treatment measures.

The results of the risk analysis should help to direct and determine the most appropriate control measures to manage these risks.

The risk assessment should take cost and benefit into account: it reveals whether it pays to minimize or transfer a risk. In short, if a risk has a low probability of occurring and the cost of treating it is high, treating it is not a sensible decision.


After risk analysis and assessment, there are several options for risk treatment:
• Apply security measures: choose the most appropriate measures, weighing their cost;
• Accept the risk: knowingly and consciously accept the risk, provided this is consistent with the organization's security policy;
• Avoid the risk: do not allow the actions that could cause the risk to materialize;
• Transfer the risk: transfer the risk to other parties, e.g. insurers or suppliers.

These measures are defined by ISO/IEC 27002, which supports the development of security plans and guides the best way to manage Information Security.
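The risk assessment and treatment steps above (score each risk by probability and consequence, rank by severity, then choose to reduce, accept, avoid or transfer on a cost-benefit basis) as an added worked example, not code from the original presentation: the 1-5 scales, the acceptance level, the decision rule and the sample register are constructed assumptions rather than values prescribed by ISO/IEC 27001.

```python
# Added example (not from the original slides): a minimal ISO/IEC 27001-style
# risk register. The 1-5 scales, the acceptance level, the decision rule and
# the sample risks are constructed assumptions, not values from the standard.
from dataclasses import dataclass

REDUCE, ACCEPT, AVOID, TRANSFER = "reduce", "accept", "avoid", "transfer"

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int       # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int           # 1 (negligible) .. 5 (severe), assumed scale
    annual_loss: float    # estimated loss if the risk materializes (constructed)
    control_cost: float   # yearly cost of the control that would reduce it
    transferable: bool = False   # e.g. insurable or outsourceable
    avoidable: bool = False      # the risky activity can simply be dropped

    @property
    def level(self) -> int:
        # Risk = combination of the probability of an event and its consequences
        return self.likelihood * self.impact

def rank_risks(risks):
    """The register ranked in order of severity, most severe first."""
    return sorted(risks, key=lambda r: r.level, reverse=True)

def choose_treatment(risk, acceptance_level=6):
    """Assumed cost-benefit rule: accept risks at or below the acceptance
    level; above it, reduce if the control costs less than the expected yearly
    loss, otherwise transfer or avoid when possible, and only then accept."""
    if risk.level <= acceptance_level:
        return ACCEPT
    expected_loss = risk.annual_loss * (risk.likelihood / 5)
    if risk.control_cost < expected_loss:
        return REDUCE
    if risk.transferable:
        return TRANSFER
    if risk.avoidable:
        return AVOID
    return ACCEPT

def risk_treatment_plan(risks, acceptance_level=6):
    """Risk treatment plan (PTR): (asset, threat, level, treatment), ranked."""
    return [(r.asset, r.threat, r.level, choose_treatment(r, acceptance_level))
            for r in rank_risks(risks)]

# Constructed sample register
SAMPLE_RISKS = [
    Risk("customer database", "unauthorized disclosure", "weak access control",
         4, 5, 200_000, 30_000),
    Risk("file server", "hardware failure", "no backups", 3, 4, 50_000, 5_000),
    Risk("office building", "flood", "ground-floor archive", 2, 5, 100_000,
         80_000, transferable=True),
    Risk("legacy FTP service", "credential theft", "cleartext protocol", 4, 3,
         20_000, 25_000, avoidable=True),
    Risk("public website", "defacement", "unpatched CMS", 2, 2, 5_000, 4_000),
]

if __name__ == "__main__":
    for asset, threat, level, treatment in risk_treatment_plan(SAMPLE_RISKS):
        print(f"{level:>3}  {asset:<20} {threat:<25} -> {treatment}")
```

Raising acceptance_level moves borderline risks into the accept column, which is the policy decision the slides leave to management.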



The ISO/IEC 27000 family of standards

Standard ISO 27002 - Code of Practice: since 2007 this is the new name of ISO 17799. This standard is a best-practice guide that describes the control objectives and controls recommended for information security.

ISO 27003 - Implementation Guide: discusses guidelines for implementing an ISMS and contains information about using PDCA and the requirements of its different phases, i.e. it provides a process-oriented approach to successfully implementing an ISMS in accordance with ISO/IEC 27001.

ISO 27004 - Metrics and Measurement: specifies metrics and measurement techniques for determining the effectiveness of the ISMS, the control objectives and the controls used to implement and manage information security. These metrics are used primarily to measure the components of the "CHECK" phase of the PDCA cycle.

ISO 27005 - Guidelines for Risk Management: establishes guidelines for information security risk management, providing directions for the implementation, monitoring and continual improvement of control systems. It applies to all types of organizations that intend to manage risks that could compromise the security of their information.

ISO 27006 - Guidelines for Disaster Recovery Services: specifies requirements and provides guidance for bodies providing audit and certification of an ISMS.


Some practical cases of implementation of ISO / IEC 27001

ISO 27001 already has a high number of certifications, distributed across various countries:

Japan 4152 | Netherlands 24 | Belgium 3
United Kingdom 573 | Saudi Arabia 24 | Gibraltar 3
India 546 | United Arab Emirates 19 | Lithuania 3
Taiwan 461 | Bulgaria 18 | Macau 3
China 393 | Iran 18 | Albania 3
Germany 228 | Portugal 18 | Bosnia and Herzegovina 2
Czech Republic 112 | Argentina 17 | Cyprus 2
Korea 107 | Philippines 16 | Ecuador 2
United States of America 105 | Indonesia 15 | New Jersey 2
Italy 82 | Pakistan 15 | Kazakhstan 2
Spain 72 | Colombia 14 | Luxembourg 2
Hungary 71 | Russian Federation 14 | Macedonia 2
Malaysia 66 | Vietnam 14 | Malta 2
Poland 61 | Iceland 13 | Mauritania 2
Thailand 59 | Kuwait 11 | Ukraine 2
Greece 50 | Canada 10 | Armenia 1
Ireland 48 | Norway 10 | Bangladesh 1
Austria 42 | Sweden 10 | Belarus 1
Turkey 35 | Switzerland 9 | Bolivia 1
France 34 | Bahrain 8 | Denmark 1
Hong Kong 32 | Peru 7 | Estonia 1
Australia 30 | Chile 5 | Kyrgyzstan 1
Singapore 29 | Egypt 5 | Lebanon 1
Croatia 27 | Oman 5 | Moldova 1
Slovenia 26 | Qatar 5 | New Zealand 1
Mexico 25 | Sri Lanka 5 | Sudan 1
Slovakia 25 | South Africa 5 | Uruguay 1
Brazil 24 | Dominican Republic 4 | Yemen 1
Morocco 4
Total 7940


Certification Process of an ISMS

In the first phase of the process, organizations prepare for the certification of their ISMS. The second phase is an audit of the organization's ISMS by accredited certification bodies. The certificate is valid for three years, so the third phase of the process consists of surveillance by the certification bodies.

Certification Bodies


Organizations with ISMS Certificates in Portugal

Organization name | Certificate number | Certification body | Certification standard
ARENA MEDIA | 83889CC2-2010-AIS-IBE-UKAS | DNV | ISO/IEC 27001:2005
Caixa Económica de Cabo Verde | | Bureau Veritas Certification | ISO/IEC 27001:2005
Departamento de Jogos da Santa Casa da Misericórdia de Lisboa (DJSCML) | IS 524281 | | ISO/IEC 27001:2005
ENAME S.A. | GB11/82769 | SGS United Kingdom Ltd | ISO/IEC 27001:2005
HAVAS SPORT & ENTERTAINMENT | 83889CC6-2010-AIS-IBE-UKAS | DNV | ISO/IEC 27001:2005
INSTITUTO DE INFORMÁTICA, I.P. | 3896769 | Bureau Veritas Certification | ISO/IEC 27001:2005
INTEGRITY S.A. | GB12/85456 | SGS United Kingdom Ltd | ISO/IEC 27001:2005
LATTITUDE | 83889CC3-2010-AIS-IBE-UKAS | DNV | ISO/IEC 27001:2005
Maksen Consulting, S.A. | PT001307 | Bureau Veritas Certification | ISO/IEC 27001:2005
MEDIA CONTACTS | 83889CC9-2010-AIS-IBE-UKAS | DNV | ISO/IEC 27001:2005
MOBEXT | 83889CC10-2010-AIS-IBE-UKAS | DNV | ISO/IEC 27001:2005
MPG | 83889CC13-2010-AIS-IBE-UKAS | DNV | ISO/IEC 27001:2005
ONE TO ONE | 83889CC8-2010-AIS-IBE-UKAS | DNV | ISO/IEC 27001:2005
Ponto.C – Desenvolvimento de Sistemas de Informação, Lda. | GB11/83230 | SGS United Kingdom Ltd | ISO/IEC 27001:2005
Portugalmail SA | 12/86073 | SGS United Kingdom Ltd | ISO/IEC 27001:2005
TV Cabo Portugal | 202194 | Bureau Veritas Certification | ISO/IEC 27001:2005
VORTAL – COMÉRCIO ELECTRÓNICO CONSULTADORIA E MULTIMEDIA SA | IS 515264 | | ISO/IEC 27001:2005
ZON TV CABO PORTUGAL, SA | 202194 | Bureau Veritas Certification | ISO/IEC 27001:2005


Conclusions

• Understanding the control mechanisms against threats.

• Studying ISO 27000 and 27001 means understanding the assumptions related to Information Security.

• This theme is highly relevant today, since there is much talk of hackers and crackers attacking digital platforms in an attempt to gain access to confidential information.

• Information is an asset of great value to organizations and needs to be properly protected in order to maintain its confidentiality, availability, integrity and authenticity.

• We analyzed the standards and identified clearly enough what characterizes each of them.

• Standard ISO 27000 gives us terms and definitions, and standard ISO 27001 adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a Management System of Information Security.