
Applying ISO 27000 to Address Compliance Mandates

2010. All Rights Reserved. ecfirst.


Applying ISO 27000 to Address Compliance Mandates
A Global Information Security Standard
Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP)
Author, Cyber Security Strategy: The 4 Laws of Information Security
ISO 27000: An International Security Standard
A comprehensive set of controls comprising best practices in information security
Comprised of:
A code of practice
A specification for an information security management system
Intended to serve as a single reference point for identifying a range of controls needed for most situations where information systems are used in industry and commerce
PCI DSS
PCI DSS requirements apply to all members, merchants, and service providers that store, process, or transmit cardholder data
Organizations are struggling in several areas, including:
Addressing transmission security requirements
Tracking and monitoring access to networks and systems with cardholder data
Encryption of card data
Conducting comprehensive vulnerability scans
Controlling logical access to systems containing card data
Businesses are holding onto too much customer personal information unnecessarily, and for too long
The PCI DSS Standard: Are You Impacted?
The 12 PCI DSS requirements, grouped under their six control objectives:
1. Build and Maintain a Secure Network
   Requirement 1. Firewall configuration
   Requirement 2. Vendor defaults
2. Protect Cardholder Data
   Requirement 3. Protect stored cardholder data
   Requirement 4. Encrypt transmission
3. Maintain a Vulnerability Management Program
   Requirement 5. Update anti-virus software
   Requirement 6. Maintain secure systems and applications
4. Implement Strong Access Control Measures
   Requirement 7. Restrict access to need-to-know
   Requirement 8. Assign unique IDs
   Requirement 9. Restrict physical access
5. Regularly Monitor and Test Networks
   Requirement 10. Track and monitor all access
   Requirement 11. Regularly test security processes
6. Maintain an Information Security Policy
   Requirement 12. Maintain policies
HITECH is HIPAA v2.0
Title XIII of the American Recovery and Reinvestment Act (ARRA) is the Health Information Technology for Economic and Clinical Health (HITECH) Act
Privacy and Security Breach Notification to Individuals
Notices sent without delay
No later than 60 calendar days after discovery
Business Associates = Covered Entities?
Business associates must report privacy and security breaches
Subject to the same civil and criminal penalties as covered entities
New Penalties Defined
Personal Health Record Vendors Now Covered!
Impacts vendors of PHRs as well as entities that access information in or send information to a PHR
Vendors must inform the FTC and each individual if a privacy or security breach occurs
State Regulations
CA to MA: Taking Security Mandates Further
California
SB 1386 requires notification of security breaches involving unencrypted sensitive data
AB 1950 requires that organizations take reasonable precautions to protect CA residents' personal data
AB 1298 expands the data breach notification law to include unencrypted medical histories, health insurance information, medical treatments & diagnoses
SB 541 requires that breaches be disclosed to the affected patients
AB 211 includes fines ranging from $2,500 to $25,000 per violation for organizations that negligently disclose patient records
Massachusetts
201 CMR 17.00 establishes minimum standards for safeguarding personal information contained in both paper and electronic records
ISO 27001
The ISO 27001 standard provides a model for:
Establishing
Implementing
Operating
Monitoring
Maintaining
Improving
an Information Security Management System (ISMS) within the context of an organization's overall business risks
The application, identification, and interactions of a system of processes within an organization, and their management, can be referred to as a process approach
ISO 27002
Consists of 11 security control clauses (sections)
These contain 39 main security categories and 1 introductory clause (risk assessment and treatment)
Each clause contains a number of main security categories
Each main security category includes:
A control objective (what is to be achieved)
One or more controls (that can be applied to achieve the control objective)
ISO 27002 Security Clauses
Clause                                                             Categories   Controls
1. Security Policy                                                     1            2
2. Organization of Information Security                                2           11
3. Asset Management                                                    2            5
4. Human Resources Security                                            3            9
5. Physical and Environmental Security                                 2           13
6. Communications and Operations Management                           10           33
7. Access Control                                                      7           24
8. Information Systems Acquisition, Development and Maintenance        6           16
9. Information Security Incident Management                            2            5
10. Business Continuity Management                                     1            5
11. Compliance                                                         3           10
Categories = number of main security categories within the clause; Controls = total number of controls within the clause
Risk Assessment & Treatment
Introductory Clause 0 (4)
The information security risk assessment should have a clearly defined scope in order to be effective
The results should guide and determine appropriate management action and priorities for managing risks and for implementing controls selected to protect against these risks
Consists of two categories:
Assessing Security Risks
Treating Security Risks
Security Policy
Clause 1 (5)
Establishes the dial-tone for security in the organization
Critical elements include:
Establishing management direction for information security
Regular updates and reviews
Consists of one category:
Information Security Policy (5.1)
Organization of Information Security
Clause 2 (6)
The objectives are:
To manage information security within the organization
To maintain the security of the organization's information and information processing facilities that are accessed, processed, communicated to, or managed by external parties
Consists of two categories:
1. Internal Organization
2. External Parties
The team of managers should consist of individuals representing all areas of the organization
The information security management team is responsible for the implementation of controls to meet security policy requirements
Asset Management
Clause 3 (7)
This clause is intended to provide guidance for the creation and maintenance of an effective method of tracking all organizational assets
Examples of organizational assets include computer hardware, software, proprietary databases and processes, human resources, and services
Consists of two categories:
1. Responsibility for Assets
2. Information Classification
Human Resources Security
Clause 4 (8)
Provides guidance for the development and maintenance of an effective program to protect the organization from:
Fraud
Theft
Inappropriate use of organizational resources by workforce members
Consists of three categories:
1. Prior to Employment
2. During Employment
3. Termination and Change of Employment
Physical and Environmental Security
Clause 5 (9)
Provides guidance for the development and maintenance of a comprehensive strategy for the protection of an organization's physical assets
Includes the establishment of a security perimeter around facilities and data processing centers
Removal of assets should also be strictly controlled
Consists of two categories:
1. Secure Areas
2. Equipment Security
Communications & Operations Management
Clause 6 (10)
Provides guidance for the development and maintenance of a comprehensive plan to ensure an organization's information processing facilities are operated in a secure and controlled manner
Segregation of duties should be implemented, where appropriate, to reduce the risk of negligent or deliberate system misuse
Access Control
Clause 7 (11)
Provides guidance for the development and maintenance of a comprehensive physical and logical information access control strategy
Prevention of unauthorized access to information resources is a key objective
Key requirements include:
Development of user creation and termination procedures
Role-based access control
Periodic review of users' access to information
Information Systems Acquisition, Development & Maintenance
Clause 8 (12)
Provides guidance for the development and maintenance of a comprehensive strategy to ensure the confidentiality and integrity of information systems
Categories defined for this clause include:
1. Security Requirements of Information Systems
2. Correct Processing in Applications
3. Cryptographic Controls
4. Security of System Files
5. Security in Development and Support Processes
6. Technical Vulnerability Management
Information Security Incident Management
Clause 9 (13)
This clause provides guidance for the development and maintenance of a comprehensive strategy for responding to a security violation
Consists of two categories:
1. Reporting Information Security Events and Weaknesses
2. Management of Information Security Incidents and Improvements
Data Breaches Reach New Heights
Cost of a data breach rose to $202 for each compromised record
Average cost of a healthcare breach was $282 for each record
Average expense to an organization was $6.6 million
Vast majority caused by negligence
Portable devices and laptops are responsible for a growing number of breaches
Source: The Wall Street Journal, February 2, 2009
How prepared is your organization?
Business Continuity Management
Clause 10 (14)
This clause provides guidance for the development and implementation of a comprehensive strategy to ensure continued business operation in the event of a catastrophic failure of systems or facilities
Key parts of a comprehensive strategy include:
Procedures for failover to backup systems
Recovery of failed systems
Relocation of workforce members to alternate locations
The only category defined in this clause is:
1. Information Security Aspects of Business Continuity Management
Business Impact Analysis (BIA)
Understand the impact of a threat on the business
Identify:
Critical business functions or services
Critical computer resources that support key business functions
Disruption impacts and allowable outage times
Develop recovery priorities
Must understand each department's/unit's operational and fiscal impact
Understand the mission of each service
Compliance
Clause 11 (15)
The purpose of this clause is to provide guidance for the development and maintenance of a comprehensive plan to ensure compliance with any and all applicable statutes governing the organization
Consists of three categories:
1. Compliance with Legal Requirements
2. Compliance with Security Policies and Standards, and Technical Compliance
3. Information Systems Audit Considerations
ISO 27799
Health Informatics: Information Security Management in Health Using ISO/IEC 27002
Defines guidelines to support the interpretation and implementation in health informatics of ISO/IEC 27002 and is a companion to that standard
ISO 27799 specifies a set of detailed controls for managing health information security and provides health information security best practice guidelines
By implementing ISO 27799, healthcare organizations and other custodians of health information will be able to ensure a minimum requisite level of security that is appropriate to their organization's circumstances and that will maintain the confidentiality, integrity and availability of personal health information
The Insider Threat
From the Inside Out: How Confidential Information Leaves Your Organization
Took hard copy files: 61%
Downloaded onto CD/DVD: 53%
Downloaded onto USB drives: 42%
Sent files as email attachments: 38%
Downloaded onto portable data-bearing devices: 28%
The faster a company learns that a device (laptop) is stolen, the lower the average cost for the incident
If the loss is discovered the same day, the average cost is $8,950
If the loss is discovered after a week, the average cost is $115,849
Source: Ponemon Institute (WSJ, September 23, 2009)
HITECH, HIPAA, PCI, FACTA Mandates
Be Audit Ready, Always!
"If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds."
McGeorge Bundy, National Security Advisor to Presidents Kennedy & Johnson
Audit Guidance
Preparing for Audits by OCR, FTC & Others
Entity-wide Security Plan
Risk Analysis (most recent)
Risk Management Plan (addressing risks identified in the Risk Analysis)
Security violation monitoring reports
Vulnerability scanning plans
Results from most recent vulnerability scan
Network penetration testing policy and procedure
Results from most recent network penetration test
List of all user accounts with access to systems which store, transmit, or access EPHI (for active and terminated employees)
Encryption or equivalent measures implemented on systems that store, transmit, or access EPHI
Visit www.HIPAAAcademy.net for details.
Establish An Information Security Program
Strategy: Core to the Edge and the Cloud
Examine the ISO 27000 Security Series!
[Diagram: layered defenses surrounding Critical Info & Vital Assets: Firewall Systems, IDS/IPS, Authentication, Encryption, Physical Security]
Approach:
Risk-based
Proactive
Integrated
Pabrai's Laws of Information Security
Is Your Security Kismet or Karma?
1. There is no such thing as a 100% secure environment
2. Security is only as strong as your weakest link
3. Security defenses must be integrated and include robust (passive) and roving (active) controls to ensure a resilient enterprise
4. Security incidents provide the foundation for security intelligence
Is Your Enterprise Security:
Kismet: A Reactive Security Framework
Karma: A Proactive Security Framework
Source: www.ecfirst.com
About ecfirst
Over 1,400 clients served, including HP, Microsoft, Cerner, McKesson, PNC Bank and hundreds of hospitals and government agencies
Compliance & Security
Thank You!
Exclusive ISO 27000 Solutions from ecfirst include:
Managed Compliance Services Program (MCSP) for ISO 27000
ISO 27000 1-Day Training Program Delivered On-site
ISO 27002 Security Policy Templates
ISO 27002 to HIPAA Matrix (Mapping)
CHP + CSCS Credentials
2 Valued Credentials
Network with Pabrai on LinkedIn, Twitter
Contact John Schelewitz to discuss your initiatives: P: 1.480.663.3225, or E: John.Schelewitz@ecfirst.com
Ali Pabrai at Pabrai@ecfirst.com or 1.949.260.2030
Visit www.ecfirst.com