Information Security Standard ISO/IEC 27000 and ISO/IEC 27001
Information Security assignment, MCI 2012/13. Lecturer: José Manuel de Magalhães Cruz
Faculdade de Engenharia da Universidade do Porto, Master's in Information Science
Information Security
Increased dependence of firms on information technologies and systems + web evaluation + proliferation of information.
• Access control to information is a fundamental requirement in organizational systems;
• Establishing a security policy;
• Managing information security risks, to ensure that information is not denied or made unavailable, lost, destroyed or damaged, disclosed without authorization, or stolen.
Information Security
Information Security Management Systems
Information Security
• Ensuring the protection and preservation of existing information in any format;
• Risk analysis to identify all the risks that threaten information, pointing to solutions that eliminate, minimize or transfer those risks.
Beal (2005, p. 71) defines Information Security as "the process of protecting information from threats to ensure its integrity, availability and confidentiality."
CONFIDENTIALITY INTEGRITY AVAILABILITY AUTHENTICITY
Threats are all situations that put Information Security in question:
• Natural phenomena
• Human causes (theft and fraud)
• Technical defects (hardware and software failures)
• Deliberate attacks (hackers, virus disseminators, among others)
Access Control: controls which persons are authorized to enter a given location and logs the date and time of access, controlling and deciding which permissions each user has.
Intrusion Detection: alerts administrators to potential intruders entering the systems. These systems attempt to recognize intrusive behaviour or actions.
Encryption: the art of encoding that enables a reversible transformation of information in order to make it unintelligible to third parties.
Digital Signature: a set of encrypted data associated with a document that guarantees its integrity and authenticity.
Protection of Stored Data: antivirus software that is able to detect and remove malicious programs or files.
Disaster Recovery: emergency plans to ensure the preservation of documents and the physical integrity of an organization's employees in case of natural disasters.
Standard ISO/IEC 27000 and 27001
Standard ISO/IEC 27000: vocabulary and definitions
Standard ISO/IEC 27001: requirements
Standard ISO/IEC 27000
It is a standard for the certification of management systems, applied here to the implementation of Information Security Management Systems (ISMS).
It contains the terms and definitions used throughout the series: a clearly defined vocabulary that avoids differing interpretations.
It includes the standards that define the requirements for an ISMS and for the certification of these systems, and provides direct support and detailed guidance for the processes and requirements of the PDCA cycle.
It supports organizations in any sector in understanding the fundamentals, principles and concepts that enable better management of their information assets.
Good Management of Information Security
Some terms defined in the Standard
Access control - means of ensuring that access to assets is authorized and restricted based on business and security requirements;
Responsibility - the responsibility of an entity for its actions and decisions;
Assets - anything that has value to the organization (information, software, the computer itself, services, people, etc.);
Corrective action - action to eliminate the cause of a detected nonconformity or other undesirable situation;
Authentication - provision of assurance that a characteristic claimed by an entity is correct;
Authenticity - the property that an entity is really what it claims to be;
Availability - the property of being accessible and usable by an authorized entity;
Confidentiality - the property that information is not made available or disclosed to unauthorized individuals, entities or processes;
Information Security - preservation of the confidentiality, integrity and availability of information;
Information Security Management System - the part of the overall management system, based on a business risk approach, that establishes, implements, operates, monitors, reviews, maintains and improves information security;
Integrity - the property of protecting the accuracy and completeness of assets;
Risk - combination of the probability of an event and its consequences;
Risk analysis - the systematic use of information to identify sources and to estimate the risk;
Risk management - coordinated activities to direct and control an organization with regard to a particular risk;
Threat - a potential cause of an undesired event, which may result in damage to a system or entity;
Vulnerability - a weakness of an asset or control that can be exploited by a threat.
Security Management System
It provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the protection of information assets.
The successful implementation of an ISMS depends on analysing the requirements and on appropriate controls to protect information assets.
The main result of the implementation is a reduction of information security risks.
For the ISMS to be certifiable, it must satisfy the set of requirements defined by ISO/IEC 27001.
Some basic principles for a successful implementation of an ISMS:
• Awareness of the need for information security;
• Assignment of responsibilities for information security;
• Incorporating management commitment and the interests of all stakeholders;
• Reinforcing the values of society;
• Assessing risks to determine the appropriate controls to reach acceptable levels of risk;
• Active prevention and detection of information security incidents;
• Continuous reassessment of information security.
Process Approach
A process is the transformation of inputs into outputs using a set of interconnected or interacting activities.
In the ISMS family of standards, the process approach is based on the PDCA cycle:
• PLAN - Establish the policies, objectives, processes and procedures relevant to managing risk and improving information security, planning according to the results of the organization's strategy.
• DO - Implement and operate the policies, controls, processes and procedures.
• CHECK - Assess the performance of the processes against the policies and objectives of the ISMS. These results should be reported to management for review.
• ACT - Take corrective and preventive actions, based on the results of internal ISMS audits and other information from management or other relevant sources.
Standard ISO/IEC 27001
Published in 2005
Designed to specify the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS.
Certification is not a requirement of ISO/IEC 27001; it is a decision of the organization.
However, eighteen months after its publication more than 2000 organizations in over 50 countries had been certified, and growth in this area has continued.
ISO/IEC 27001 is universal for all types of organizations and specifies requirements for the implementation of security controls customized to the needs of an organization.
Application
Certification usually involves an audit process in two stages:
Stage 1 - Review of the organization's key documentation and security policy, the statement of applicability (SOA) and the risk treatment plan (PTR).
Stage 2 - Conduct an audit involving in-depth checking of the ISMS controls stated in the SOA and the PTR, as well as the supporting documentation.
Renewal of the certificate involves periodic reviews confirming that the ISMS continues to work as intended.
ISO/IEC 27001 involves several components:
The Information Security Management System:
• Establish, implement, operate, monitor, review, maintain and improve the ISMS;
• Documentation requirements;
• Control of documents;
• Control of records.
Management responsibilities:
• Management commitment;
• Management and provision of resources;
• Training, awareness and competence.
Internal audits that determine whether the ISMS:
• Meets the standard;
• Meets the identified security requirements;
• Runs as expected.
The entire procedure is documented in an audit, and auditors cannot audit their own work, which gives objectivity and impartiality.
Management review of the ISMS:
• Input: results of audits and reviews, status of preventive and corrective actions, vulnerabilities not properly addressed in previous reviews, findings, recommendations and changes;
• Output: opportunity to include improvements and changes, modification of the ISMS and resource needs.
Improving the ISMS:
• Continual improvement through the use of the established policy, audit results, analysis of monitored events and corrective actions (previous steps);
• Elimination of nonconformities through corrective and preventive actions.
Perspective of reconciliation of ISO / IEC 27000 and 27001
There is no absolute security, because 100% of risks and threats cannot be eliminated. However, there can be a previously defined control plan.
The 27000 standard serves to define terms and definitions, while the 27001 standard sets out the requirements for the future implementation of an Information Security Management System.
Information security management should be performed taking into account the control measures suggested by both standards: the PDCA process model and the process of risk analysis, assessment and treatment.
PDCA Process Model
[PDCA diagram: Plan - establish the ISMS; Do - implement and operate the ISMS; Check - monitor and review the ISMS; Act - maintain and optimize the ISMS. Input: information security requirements and expectations. Output: Information Security Management System.]
This model is based on the control and verification of information security processes.
The result of the PDCA process is the correct management of information security, based on the expectations and needs of an organization.
Analysis and risk assessment
Risk management and assessment are the key aspects of ISO 27001. The risk assessment should produce a list of the identified risks, ranked in order of severity, for later measures.
The results of the risk analysis should help to direct and determine the most appropriate control measures to manage these risks.
The risk assessment should take cost-benefit into account, which reveals whether it pays to minimize or transfer a risk. In short, if a risk has a low probability of occurring and the cost of treating it is high, treating it does not make sense.
After the risk analysis and assessment process, there are several options for treating the risk:
• Apply security measures: choose the most appropriate measures to reduce the cost;
• Accept the risk: consciously accept the risk, in line with the organization's security policy;
• Avoid the risk: do not allow actions that could cause the risk to materialize;
• Transfer the risk: transfer the risk to other parties, e.g. insurers or suppliers.
These measures are defined by ISO/IEC 27002, which supports the development of security plans and guides the best way to manage Information Security.
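The risk definition given in the vocabulary (risk as the combination of the probability of an event and its consequences), the severity ranking and the four treatment options above can be carried through in code. The following is an added example, not code from the original slides or from the ISO standards; the qualitative scales, the acceptance and avoidance thresholds, the monetary loss unit and the sample risk register are all constructed assumptions.

```python
"""Added example (not from the original slides): a small risk register that applies
the ISO/IEC 27000 definition "risk = combination of the probability of an event and
its consequences", ranks the identified risks by severity and chooses a treatment
option (apply measures, accept, avoid, transfer) on a cost-benefit basis.
The scales, thresholds, monetary unit and sample risks are all constructed."""
from dataclasses import dataclass

# Constructed qualitative scales (1..5); an organization defines its own.
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    probability: str            # current likelihood level
    consequence: str            # impact level if the threat materializes
    treatment_cost: float       # constructed: cost of the proposed control
    residual_probability: str   # likelihood level after the control is applied
    transferable: bool = False  # can it be passed to an insurer or supplier?


def severity(risk: Risk) -> int:
    """Risk = probability x consequence, on the constructed scales (1..25)."""
    return PROBABILITY[risk.probability] * CONSEQUENCE[risk.consequence]


def rank(risks: list[Risk]) -> list[Risk]:
    """Ranked list of identified risks, most severe first."""
    return sorted(risks, key=severity, reverse=True)


def choose_treatment(risk: Risk, accept_threshold: int = 4,
                     avoid_threshold: int = 20, loss_unit: float = 10_000.0) -> str:
    """Pick one of the four treatment options described on the slides.

    accept_threshold: severity at or below which policy accepts the risk as is.
    avoid_threshold: severity at or above which the activity is not allowed.
    loss_unit: constructed monetary value of one severity point, so that the
    benefit of a control can be compared with its cost.
    """
    current = severity(risk)
    if current <= accept_threshold:
        return "accept"
    if current >= avoid_threshold:
        return "avoid"
    residual = PROBABILITY[risk.residual_probability] * CONSEQUENCE[risk.consequence]
    benefit = (current - residual) * loss_unit  # exposure removed by the control
    if risk.treatment_cost > benefit:
        # Low probability / high treatment cost: treating the risk does not pay.
        return "transfer" if risk.transferable else "accept"
    return "apply measures"


def treatment_plan(risks: list[Risk]) -> list[tuple[str, int, str]]:
    """(asset, severity, treatment) for each risk, in order of severity."""
    return [(r.asset, severity(r), choose_treatment(r)) for r in rank(risks)]


# Constructed sample register (assets, threats and costs are illustrative).
SAMPLE_RISKS = [
    Risk("customer database", "ransomware", "unpatched file server",
         "likely", "major", treatment_cost=30_000, residual_probability="rare"),
    Risk("backup tapes in transit", "loss of media", "unencrypted tapes",
         "possible", "moderate", treatment_cost=50_000,
         residual_probability="unlikely", transferable=True),
    Risk("lobby display", "defacement", "default password",
         "unlikely", "negligible", treatment_cost=500, residual_probability="rare"),
    Risk("admin credentials", "interception", "remote admin over plaintext protocol",
         "likely", "severe", treatment_cost=2_000, residual_probability="rare"),
    Risk("paper archive", "flood", "basement storage",
         "rare", "severe", treatment_cost=200_000, residual_probability="rare"),
]

if __name__ == "__main__":
    for asset, score, treatment in treatment_plan(SAMPLE_RISKS):
        print(f"{score:>2}  {asset:<26} -> {treatment}")
```

Running the block prints the register ranked by severity: the plaintext remote administration risk scores 20 and is avoided (the activity is stopped rather than controlled), the ransomware risk is treated because a 30,000 control removes 120,000 of constructed exposure, the tape risk is transferred because the control costs more than the exposure it removes, and the flood risk illustrates the slide's point that a low-probability risk with a high treatment cost is accepted rather than treated.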
Family Series ISO / IEC 27000
Standard ISO 27002 - Code of Practice
Since 2007 this is the new name of ISO 17799. This standard is a best-practice guide that describes the control objectives and the controls recommended for information security.
ISO 27003 - Implementation Guide
Discusses guidelines for implementing an ISMS and contains information on using PDCA and on the requirements of its different phases; that is, it provides a process-oriented approach to successfully implementing an ISMS in accordance with ISO/IEC 27001.
ISO 27004 - Metrics and Measurement
Specifies metrics and measurement techniques for determining the effectiveness of the ISMS and of the control objectives and controls used to implement and manage Information Security. These metrics are used primarily to measure the components of the "CHECK" phase of the PDCA cycle.
ISO 27005 - Guidelines for Risk Management
Establishes guidelines for information security risk management, providing directions for the implementation, monitoring and continual improvement of the control systems. It applies to all types of organizations that intend to manage risks that could compromise the security of their information.
ISO 27006 - Guidelines for Disaster Recovery Services
Specifies requirements and provides guidance for bodies providing audit and certification of an ISMS.
Some practical cases of implementation of ISO / IEC 27001
ISO 27001 already has a high number of certifications, distributed across various countries:
Japan 4152 | Netherlands 24 | Belgium 3
United Kingdom 573 | Saudi Arabia 24 | Gibraltar 3
India 546 | United Arab Emirates 19 | Lithuania 3
Taiwan 461 | Bulgaria 18 | Macau 3
China 393 | Iran 18 | Albania 3
Germany 228 | Portugal 18 | Bosnia and Herzegovina 2
Czech Republic 112 | Argentina 17 | Cyprus 2
Korea 107 | Philippines 16 | Ecuador 2
United States of America 105 | Indonesia 15 | Jersey 2
Italy 82 | Pakistan 15 | Kazakhstan 2
Spain 72 | Colombia 14 | Luxembourg 2
Hungary 71 | Russian Federation 14 | Macedonia 2
Malaysia 66 | Vietnam 14 | Malta 2
Poland 61 | Iceland 13 | Mauritania 2
Thailand 59 | Kuwait 11 | Ukraine 2
Greece 50 | Canada 10 | Armenia 1
Ireland 48 | Norway 10 | Bangladesh 1
Austria 42 | Sweden 10 | Belarus 1
Turkey 35 | Switzerland 9 | Bolivia 1
France 34 | Bahrain 8 | Denmark 1
Hong Kong 32 | Peru 7 | Estonia 1
Australia 30 | Chile 5 | Kyrgyzstan 1
Singapore 29 | Egypt 5 | Lebanon 1
Croatia 27 | Oman 5 | Moldova 1
Slovenia 26 | Qatar 5 | New Zealand 1
Mexico 25 | Sri Lanka 5 | Sudan 1
Slovakia 25 | South Africa 5 | Uruguay 1
Brazil 24 | Dominican Republic 4 | Yemen 1
 | Morocco 4 | Total 7940
Certification Process of an ISMS
The first phase of the process involves the organizations themselves, in that they must be prepared for certification of their ISMS. The second phase involves an audit of the organization's ISMS by accredited certification bodies. The certificate is valid for three years, so the third phase of the process is monitoring by the certification bodies.
Certification Bodies
Organizations with ISMS Certificates in Portugal
Organization name | Certificate number | Certification body | Certification standard
ARENA MEDIA | 83889CC2-2010-AIS-IBE-UKAS | DNV | ISO/IEC 27001:2005
Caixa Económica de Cabo Verde | | Bureau Veritas Certification | ISO/IEC 27001:2005
Departamento de Jogos da Santa Casa da Misericórdia de Lisboa (DJSCML) | IS 524281 | | ISO/IEC 27001:2005
ENAME S.A. | GB11/82769 | SGS United Kingdom Ltd | ISO/IEC 27001:2005
HAVAS SPORT & ENTERTAINMENT | 83889CC6-2010-AIS-IBE-UKAS | DNV | ISO/IEC 27001:2005
INSTITUTO DE INFORMÁTICA, I.P. | 3896769 | Bureau Veritas Certification | ISO/IEC 27001:2005
INTEGRITY S.A. | GB12/85456 | SGS United Kingdom Ltd | ISO/IEC 27001:2005
LATTITUDE | 83889CC3-2010-AIS-IBE-UKAS | DNV | ISO/IEC 27001:2005
Maksen Consulting, S.A. | PT001307 | Bureau Veritas Certification | ISO/IEC 27001:2005
MEDIA CONTACTS | 83889CC9-2010-AIS-IBE-UKAS | DNV | ISO/IEC 27001:2005
MOBEXT | 83889CC10-2010-AIS-IBE-UKAS | DNV | ISO/IEC 27001:2005
MPG | 83889CC13-2010-AIS-IBE-UKAS | DNV | ISO/IEC 27001:2005
ONE TO ONE | 83889CC8-2010-AIS-IBE-UKAS | DNV | ISO/IEC 27001:2005
Ponto.C – Desenvolvimento de Sistemas de Informação, Lda. | GB11/83230 | SGS United Kingdom Ltd | ISO/IEC 27001:2005
Portugalmail SA | 12/86073 | SGS United Kingdom Ltd | ISO/IEC 27001:2005
TV Cabo Portugal | 202194 | Bureau Veritas Certification | ISO/IEC 27001:2005
VORTAL – COMÉRCIO ELECTRÓNICO CONSULTADORIA E MULTIMEDIA SA | IS 515264 | | ISO/IEC 27001:2005
ZON TV CABO PORTUGAL, SA | 202194 | Bureau Veritas Certification | ISO/IEC 27001:2005
Conclusions
• Understand the control mechanisms against threats.
• Studying ISO 27000 and 27001 means understanding the assumptions related to Information Security.
• This theme is highly relevant today, since there is much talk of hackers and crackers attacking digital platforms to gain access to confidential information.
• Information is an asset of great value to organizations and needs to be properly protected in order to maintain its confidentiality, availability, integrity and authenticity.
• We analysed the standards and identified clearly enough what characterizes each of them.
• The ISO 27000 standard gives us terms and definitions, and the ISO 27001 standard adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System.