Applying ISO 27000 to Address Compliance Mandates: A Global Information Security Standard
Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP)
Author, Cyber Security Strategy: The 4 Laws of Information Security
Copyright. 2010. All Rights Reserved. ecfirst.

ISO 27000: An International Security Standard
- A comprehensive set of controls comprising best practices in information security
- Comprised of:
  - A code of practice
  - A specification for an information security management system
- Intended to serve as a single reference point for identifying the range of controls needed for most situations where information systems are used in industry and commerce

PCI DSS
- PCI DSS requirements apply to all members, merchants, and service providers that store, process, or transmit cardholder data
- Organizations are struggling in several areas, including:
  - Addressing transmission security requirements
  - Tracking and monitoring access to networks and systems holding cardholder data
  - Encryption of card data
  - Conducting comprehensive vulnerability scans
  - Controlling logical access to systems containing card data
- Businesses are holding onto too much customer personal information unnecessarily, and for too long

The PCI DSS Standard: Are You Impacted?
1. Build and Maintain a Secure Network
   1. Firewall configuration
   2. Vendor defaults
2. Protect Cardholder Data
   3. Protect stored cardholder data
   4. Encrypt transmission
3. Maintain a Vulnerability Management Program
   5. Update anti-virus software
   6. Maintain secure systems and applications
4. Implement Strong Access Control Measures
   7. Restrict access to need-to-know
   8. Assign unique IDs
   9. Restrict physical access
5. Regularly Monitor and Test Networks
   10. Track and monitor all access
   11. Regularly test security processes
6. Maintain an Information Security Policy
   12. Maintain policies

HITECH is HIPAA v2.0
- Title XIII of the American Recovery and Reinvestment Act (ARRA) is the Health Information Technology for Economic and Clinical Health (HITECH) Act
- Privacy and Security Breach Notification to Individuals
  - Notices sent without delay
  - No later than 60 calendar days after discovery
- Business Associates = Covered Entities?
  - Business associates must report privacy and security breaches
  - Subject to the same civil and criminal penalties as covered entities
  - New penalties defined
- Personal Health Record Vendors Now Covered!
  - Impacts vendors of PHRs as well as entities that access information in or send information to a PHR
  - Vendors must inform the FTC and each affected individual if a privacy or security breach occurs

State Regulations: CA to MA - Taking Security Mandates Further
- California
  - SB 1386 requires notification of security breaches involving unencrypted sensitive data
  - AB 1950 requires that organizations take reasonable precautions to protect CA residents' personal data
  - AB 1298 expands the data breach notification law to include unencrypted medical histories, health insurance information, medical treatments and diagnoses
  - SB 541 requires that breaches be disclosed to the affected patients
  - AB 211 includes fines from $2,500 to $25,000 per violation for organizations that negligently disclose patient records
- Massachusetts
  - 201 CMR 17.00 establishes minimal standards for safeguarding personal information contained in both paper and electronic records
ISO 27001
- The ISO 27001 standard provides a model for:
  - Establishing
  - Implementing
  - Operating
  - Monitoring
  - Maintaining
  - Improving
  an Information Security Management System (ISMS) within the context of an organization's overall business risks
- The application, identification, and interactions of a system of processes within an organization, and their management, can be referred to as a process approach

ISO 27002
- Consists of 11 security control clauses (sections)
- These contain 39 main security categories, plus 1 introductory clause (risk assessment and treatment)
- Each clause contains a number of main security categories
- Each main security category includes:
  - A Control Objective (what is to be achieved)
  - One or more Controls (that can be applied to achieve the control objective)

ISO 27002 Security Clauses
1. Security Policy (1) [2]
2. Organization of Information Security (2) [11]
3. Asset Management (2) [5]
4. Human Resources Security (3) [9]
5. Physical and Environmental Security (2) [13]
6. Communications and Operations Management (10) [33]
7. Access Control (7) [24]
8. Information Systems Acquisition, Development and Maintenance (6) [16]
9. Information Security Incident Management (2) [5]
10. Business Continuity Management (1) [5]
11. Compliance (3) [10]
The number in ( ) signifies the number of categories within the clause; the number in [ ] signifies the total number of controls within the clause.
Risk Assessment & Treatment: Introductory Clause 0 (4)
- The information security risk assessment should have a clearly defined scope in order to be effective
- The results should guide and determine appropriate management action and priorities for managing risks and for implementing the controls selected to protect against these risks
- Consists of two categories:
  - Assessing Security Risks
  - Treating Security Risks

Security Policy: Clause 1 (5)
- Establishes the dial-tone for security in the organization
- Critical elements include:
  - Establishing management direction for information security
  - Regular updates and reviews
- Consists of 1 category: Information Security Policy (5.1)

Organization of Information Security: Clause 2 (6)
- The objectives are:
  - To manage information security within the organization
  - To maintain the security of the organization's information and information processing facilities that are accessed, processed, communicated to, or managed by external parties
- Consists of two categories:
  1. Internal Organization
  2. External Parties
- The team of managers should consist of individuals representing all areas of the organization
- The information security management team is responsible for the implementation of controls to meet security policy requirements
Asset Management: Clause 3 (7)
- This clause is intended to provide guidance for the creation and maintenance of an effective method of tracking all organizational assets
- Examples of organizational assets include computer hardware, software, proprietary databases and processes, human resources, and services
- Consists of two categories:
  1. Responsibility for Assets
  2. Information Classification

Human Resources Security: Clause 4 (8)
- Provides guidance for the development and maintenance of an effective program to protect the organization from:
  - Fraud
  - Theft
  - Inappropriate use of organizational resources by workforce members
- Consists of three categories:
  1. Prior to Employment
  2. During Employment
  3. Termination and Change of Employment

Physical and Environmental Security: Clause 5 (9)
- Provides guidance for the development and maintenance of a comprehensive strategy for the protection of an organization's physical assets
- Includes the establishment of a security perimeter around facilities and data processing centers
- Removal of assets should also be strictly controlled
- Consists of two categories:
  1. Secure Areas
  2. Equipment Security

Communications & Operations Management: Clause 6 (10)
- Provides guidance for the development and maintenance of a comprehensive plan to ensure an organization's information processing facilities are operated in a secure and controlled manner
- Segregation of duties should be implemented, where appropriate, to reduce the risk of negligent or deliberate system misuse
Access Control: Clause 7 (11)
- Provides guidance for the development and maintenance of a comprehensive physical and logical information access control strategy
- Prevention of unauthorized access to information resources is a key objective
- Key requirements include:
  - Development of user creation and termination procedures
  - Role-based access control
  - Periodic review of users' access to information

Information Systems Acquisition, Development & Maintenance: Clause 8 (12)
- Provides guidance for the development and maintenance of a comprehensive strategy to ensure the confidentiality and integrity of information systems
- Categories defined for this clause include:
  1. Security Requirements of Information Systems
  2. Correct Processing in Applications
  3. Cryptographic Controls
  4. Security of System Files
  5. Security in Development and Support Processes
  6. Technical Vulnerability Management

Information Security Incident Management: Clause 9 (13)
- This clause provides guidance for the development and maintenance of a comprehensive strategy for responding to a security violation
- Consists of two categories:
  - Reporting Information Security Events and Weaknesses
  - Management of Information Security Incidents and Improvements

Data Breaches Reach New Heights
- The cost of a data breach rose to $202 for each compromised record
- The average cost of a healthcare breach was $282 for each record
- The average expense to an organization was $6.6 million
- The vast majority were caused by negligence
- Portable devices and laptops are responsible for a growing number of breaches
- Source: The Wall Street Journal, February 2, 2009
- How prepared is your organization?
Business Continuity Management: Clause 10 (14)
- This clause provides guidance for the development and implementation of a comprehensive strategy to ensure continued business operation in the event of a catastrophic failure of systems or facilities
- Key parts of a comprehensive strategy include:
  - Procedures for failover to backup systems
  - Recovery of failed systems
  - Relocation of workforce members to alternate locations
- The only category defined in this clause is:
  1. Information Security Aspects of Business Continuity Management

Business Impact Analysis (BIA)
- Understand the impact of a threat on the business
- Identify:
  - Critical business functions or services
  - Critical computer resources that support key business functions
  - Disruption impacts and allowable outage times
- Develop recovery priorities
  - Must understand each department's or unit's operational and fiscal impact
  - Understand the mission of each service

Compliance: Clause 11 (15)
- The purpose of this clause is to provide guidance for the development and maintenance of a comprehensive plan to ensure compliance with any and all applicable statutes governing the organization
- Consists of three categories:
  1. Compliance with Legal Requirements
  2. Compliance with Security Policies and Standards, and Technical Compliance
  3. Information Systems Audit Considerations
ISO 27799: Health Informatics - Information Security Management in Health Using ISO/IEC 27002
- Defines guidelines to support the interpretation and implementation of ISO/IEC 27002 in health informatics, and is a companion to that standard
- ISO 27799 specifies a set of detailed controls for managing health information security and provides health information security best practice guidelines
- By implementing ISO 27799, healthcare organizations and other custodians of health information will be able to ensure a minimum requisite level of security that is appropriate to their organization's circumstances and that will maintain the confidentiality, integrity and availability of personal health information

The Insider Threat
From the Inside Out: How Confidential Information Leaves Your Organization
- Took hard copy files: 61%
- Downloaded onto CD/DVD: 53%
- Downloaded onto USB drives: 42%
- Sent files as email attachments: 38%
- Downloaded onto a portable data-bearing device: 28%
The faster a company learns that a device (laptop) is stolen, the lower the average cost of the incident:
- If the loss is discovered the same day, the average cost is $8,950
- If the loss is discovered after a week, the average cost is $115,849
Source: Ponemon Institute (WSJ - September 23, 2009)

HITECH, HIPAA, PCI, FACTA Mandates: Be Audit Ready, Always!
"If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds."
McGeorge Bundy, National Security Advisor to Presidents Kennedy & Johnson
Audit Guidance: Preparing for Audits by OCR, FTC & Others
- Entity-wide Security Plan
- Risk Analysis (most recent)
- Risk Management Plan (addressing risks identified in the Risk Analysis)
- Security violation monitoring reports
- Vulnerability scanning plans
- Results from the most recent vulnerability scan
- Network penetration testing policy and procedure
- Results from the most recent network penetration test
- List of all user accounts with access to systems which store, transmit, or access EPHI (for active and terminated employees)
- Encryption or equivalent measures implemented on systems that store, transmit, or access EPHI
Visit www.HIPAAAcademy.net for details.

Establish an Information Security Program
Strategy: Core to the Edge and the Cloud. Examine the ISO 27000 Security Series!
[Diagram: Critical Info & Vital Assets at the core, surrounded by Firewall Systems, IDS/IPS, Authentication, Encryption, Physical Security]
Approach: Risk-based, Proactive, Integrated

Pabrai's Laws of Information Security: Is Your Security Kismet or Karma?
1. There is no such thing as a 100% secure environment
2. Security is only as strong as your weakest link
3. Security defenses must be integrated and include robust (passive) and roving (active) controls to ensure a resilient enterprise
4. Security incidents provide the foundation for security intelligence
Is your enterprise security Kismet (a reactive security framework) or Karma (a proactive security framework)?
Source: www.ecfirst.com

About ecfirst: Compliance & Security
Over 1,400 clients served, including HP, Microsoft, Cerner, McKesson, PNC Bank, and hundreds of hospitals and government agencies

Thank You!
Exclusive ISO 27000 Solutions from ecfirst include:
- Managed Compliance Services Program (MCSP) for ISO 27000
- ISO 27000 1-Day Training Program, Delivered On-site
- ISO 27002 Security Policy Templates
- ISO 27002 to HIPAA Matrix (Mapping)
- CHP + CSCS Credentials: 2 Valued Credentials
Network with Pabrai on LinkedIn and Twitter.
Contact John Schelewitz to discuss your initiatives: P: 1.480.663.3225, or E: John.Schelewitz@ecfirst.com
Ali Pabrai at Pabrai@ecfirst.com or 1.949.260.2030
Visit www.ecfirst.com