Assurance through the ISO27002 Standard
and the US NIST Cybersecurity Framework
Keith Price
Principal Consultant
About
• About me
- Specialise in cybersecurity strategy, architecture, and assessment
- Veteran of the IT industry from networking and telecommunications to the emergence of the Internet, Internet banking, and IT security
- Work experience in AU, US, UK, Europe
- BBus, MSc, CISSP, CISM, CGEIT
• About Black Swan Group
- Professional services company based in Sydney
- Clients are large and small companies in financial services, state & federal government, education, property, and more.
All images not created by the author are used under the “fair use for education” provision.
Agenda
• Frameworks versus standards
• COSO Cube
• PCI-DSS
• ISO27001/2
• US NIST Cybersecurity Framework (CSF)
• NIST CSF Informative References
• Center for Internet Security Critical Security Controls
• COBIT 5
• NIST SP 800-53
• Cybersecurity assessment
Framework versus Standard
• Framework: A basic structure underlying a system, concept, or text.
• Standard: Something used as a measure, norm, or model in comparative evaluations.
Source: https://www.oxforddictionaries.com/
Frameworks and standards
Images: Respective organisations
Adoption of security frameworks
Source: Trends in Security Framework Adoption, Dimensional Research, March 2016
Which one should you use?
Image: Google Images
Cyber risk
[Figure: cyber risk diagram with the following labels]
- Assets: Customer records, Access credentials
- Threats: Cybercriminals, Their malware
- Vulnerabilities: People, process or technology weakness
Image: Google Images
Source: Keith Price, Informed from US Dept of Defense
How do you modify risk?
• Control = a measure that is modifying risk
• Controls for information security include any process, policy, procedure, guideline, practice or organizational structure, which can be administrative, technical, management, or legal in nature which modify information security risk.
Source: ISO27005:2016
Risk equation
Source: A Controls Factory Approach To Building a Cyber Security Program Based on the NIST Cybersecurity Framework (NCSF) - Larry Wilson & Rick Lemieux October 2016
[Figure: risk equation. Threats, Vulnerabilities and Asset Value are multiplied together to give Risk; Risk with Controls applied gives Residual Risk.]
To reduce cyber risk: reduce vulnerabilities, increase controls
COSO: Committee of Sponsoring Organizations of the Treadway Commission
Source: Deloitte – COSO in the Cyber Age 2015
COSO Cube (1985)
1995: AS/NZS 4360 Risk Management (the very first risk management standard)
2008: ISO27005 Information Security Risk Management
2009: ISO31000 Risk Management (supersedes AS4360)
Payment Card Industry – Data Security Standard (PCI-DSS)
• Developed to encourage and enhance cardholder data security
• Provides a baseline of technical and operational requirements designed to protect account data
The problem: focused on cardholder data security
“Designed to use as a reference for selecting controls within the process of implementing an ISMS based on ISO27001.”
“Provides requirements for establishing, implementing, maintaining, and continually improving an ISMS.”
• Information security is achieved through the implementation of an applicable set of controls
• Controls are selected through the risk management process and managed using an ISMS
• Management involves activities to direct, control, and improve the organisation
• A management system uses a framework of resources to achieve an organisation’s objectives
Information security management system
Source: ISO27000:2016
ISO27002 clauses 5 – 18 control categories
• Information security policies
• Organisation of information security
• Human resource security
• Asset management
• Access control
• Cryptography
• Physical and environmental security
• Operations security
• Communications security
• System acquisition, development & maintenance
• Supplier relationships
• Incident management
• Business continuity management
• Compliance
Source: ISO27001:2013
Discusses information security risk treatment
Source: ISO27002:2013
Source: Security and Privacy Controls for Information Systems and Organizations, NIST Special Publication 800-53 Revision 5 draft, Aug 2017
Control families (from SP800-53)
• Framework for Improving Critical Infrastructure Cybersecurity
• “The Framework enables organisations – regardless of size, degree of cybersecurity risk, or cybersecurity sophistication – to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure.”
Source: US NIST
Source: NIST CSF
• CCS CSC 1 (was Council on Cyber Security (CCS)), now Center for Internet Security Critical Security Controls
• COBIT 5 BAI09.01, BAI09.02
• ISA 62443-2-1:2009 4.2.3.4 (Security for Industrial Automation and Control Systems, Establishing an Industrial Automation and Control Systems Security Program)
• ISA 62443-3-3:2013 SR 7.8 (Security for Industrial Automation and Control Systems, System Security Requirements And Security Levels)
• ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
• NIST SP 800-53 Rev. 4 CM-8 (Security and Privacy Controls for Federal Information Systems and Organizations)
Source: A Controls Factory Approach To Building a Cyber Security Program Based on the NIST Cybersecurity Framework (NCSF) - Larry Wilson & Rick Lemieux October 2016
The Center for Internet Security was an active participant in the development of the NIST cybersecurity framework.
Source: A Controls Factory Approach To Building a Cyber Security Program Based on the NIST Cybersecurity Framework (NCSF) - Larry Wilson & Rick Lemieux October 2016
COBIT 5 BAI09.01, BAI09.02
Source: COBIT 5
Security for Industrial Automation and Control Systems
ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
Source: A Controls Factory Approach To Building a Cyber Security Program Based on the NIST Cybersecurity Framework (NCSF) - Larry Wilson & Rick Lemieux October 2016
PR.DS-2 Data in transit is protected
NIST SP800-53 Rev. 4 CM-8
Recommendation
Images: Respective organisations
RACI from ISACA’s COBIT 5
RACI from ISACA’s Risk IT
Risk IT RE3 Maintain risk profile: Maintain an up-to-date and complete inventory of known risks and attributes (e.g., expected frequency, potential impact, disposition), IT resources, capabilities and controls as understood in the context of business products, services and processes.