Assurance through the ISO27002 Standard and the US NIST Cybersecurity Framework
Keith Price, Principal Consultant

Posted 08-Nov-2021

TRANSCRIPT

Page 1: Assurance through the ISO27002 Standard and the US NIST

Assurance through the ISO27002 Standard

and the US NIST Cybersecurity Framework

Keith Price

Principal Consultant

1

Page 2: Assurance through the ISO27002 Standard and the US NIST

About


• About me

- Specialise in cybersecurity strategy, architecture, and assessment

- Veteran of the IT industry, from networking and telecommunications to the emergence of the Internet, Internet banking, and IT security

- Work experience in AU, US, UK, Europe

- BBus, MSc, CISSP, CISM, CGEIT

• About Black Swan Group

- Professional services company based in Sydney

- Clients are large and small companies in financial services, state & federal government, education, property, and more.

Page 3: Assurance through the ISO27002 Standard and the US NIST

All images not created by the author are used

under the “fair use for education” provision.


Page 4: Assurance through the ISO27002 Standard and the US NIST

Agenda

• Frameworks versus standards

• COSO Cube

• PCI-DSS

• ISO27001/2

• US NIST Cybersecurity Framework (CSF)

• NIST CSF Informative References

• Center for Internet Security Critical Security Controls

• COBIT 5

• NIST SP 800-53

• Cybersecurity assessment


Page 5: Assurance through the ISO27002 Standard and the US NIST

Framework versus Standard

• Framework: A basic structure underlying a system, concept, or text.

• Standard: Something used as a measure, norm, or model in comparative evaluations.

Source: https://www.oxforddictionaries.com/

Page 6: Assurance through the ISO27002 Standard and the US NIST

Frameworks and standards

Images: Respective organisations

Page 7: Assurance through the ISO27002 Standard and the US NIST

Adoption of security frameworks

Source: Trends in Security Framework Adoption, Dimensional Research, March 2016

Page 8: Assurance through the ISO27002 Standard and the US NIST

Which one should you use?

Image: Google Images

Page 9: Assurance through the ISO27002 Standard and the US NIST

Cyber risk

- Customer records

- Access credentials

- Cybercriminals

- Their malware

- People, process or technology weakness

Image: Google Images

Page 10: Assurance through the ISO27002 Standard and the US NIST

Source: Keith Price, Informed from US Dept of Defense

Page 11: Assurance through the ISO27002 Standard and the US NIST

How do you modify risk?

• Control = a measure that is modifying risk

• Controls for information security include any process, policy, procedure, guideline, practice or organizational structure, which can be administrative, technical, management, or legal in nature, which modify information security risk.

Source: ISO27005:2016

Page 12: Assurance through the ISO27002 Standard and the US NIST

Risk equation

Source: A Controls Factory Approach To Building a Cyber Security Program Based on the NIST Cybersecurity Framework (NCSF) - Larry Wilson & Rick Lemieux, October 2016

[Figure: risk equation relating Risk, Threats, Vulnerabilities, Asset Value, Controls and Residual Risk]

To reduce cyber risk: reduce vulnerabilities, increase controls

Page 13: Assurance through the ISO27002 Standard and the US NIST


COSO: Committee of Sponsoring Organizations of the Treadway Commission

Source: Deloitte – COSO in the Cyber Age 2015

COSO Cube (1985)

1995: AS/NZS 4360 Risk Management (the very first risk management standard)

2008: ISO27005 Information Security Risk Management

2009: ISO31000 Risk Management (supersedes AS4360)

Page 14: Assurance through the ISO27002 Standard and the US NIST

Payment Card Industry – Data Security Standard (PCI-DSS)

• Developed to encourage and enhance cardholder data security

• Provides a baseline of technical and operational requirements designed to protect account data

The problem: focused on cardholder data security

Page 15: Assurance through the ISO27002 Standard and the US NIST


Page 16: Assurance through the ISO27002 Standard and the US NIST


Page 17: Assurance through the ISO27002 Standard and the US NIST


“Designed to use as a reference for selecting controls within the process of implementing an ISMS based on ISO27001.”

“Provides requirements for establishing, implementing, maintaining, and continually improving an ISMS.”

Page 18: Assurance through the ISO27002 Standard and the US NIST

• Information security is achieved through the implementation of an applicable set of controls

• Controls are selected through the risk management process and managed using an ISMS

• Management involves activities to direct, control, and improve the organisation

• A management system uses a framework of resources to achieve an organisation’s objectives


Information security management system

Source: ISO27000:2016

Page 19: Assurance through the ISO27002 Standard and the US NIST

ISO27002 clauses 5 – 18 control categories

• Information security policies

• Organisation of information security

• Human resource security

• Asset management

• Access control

• Cryptography

• Physical and environmental security

• Operations security

• Communications security

• System acquisition, development & maintenance

• Supplier relationships

• Incident management

• Business continuity management

• Compliance


Page 20: Assurance through the ISO27002 Standard and the US NIST

Source: ISO27001:2013

Discusses information security risk treatment

Page 21: Assurance through the ISO27002 Standard and the US NIST

Source: ISO27002:2013

Page 22: Assurance through the ISO27002 Standard and the US NIST

Source: Security and Privacy Controls for Information Systems and Organizations, NIST Special Publication 800-53 Revision 5 draft, August 2017

Control families (from SP800-53)

Page 23: Assurance through the ISO27002 Standard and the US NIST

• Framework for Improving Critical Infrastructure Cybersecurity

• “The Framework enables organisations – regardless of size, degree of cybersecurity risk, or cybersecurity sophistication – to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure.”

Page 24: Assurance through the ISO27002 Standard and the US NIST

Source: US NIST

Page 25: Assurance through the ISO27002 Standard and the US NIST

Source: NIST CSF

Page 26: Assurance through the ISO27002 Standard and the US NIST

• CCS CSC 1 (was Council on Cyber Security (CCS), now Center for Internet Security Critical Security Controls)

• COBIT 5 BAI09.01, BAI09.02

• ISA 62443-2-1:2009 4.2.3.4 (Security for Industrial Automation and Control Systems, Establishing an Industrial Automation and Control Systems Security Program)

• ISA 62443-3-3:2013 SR 7.8 (Security for Industrial Automation and Control Systems, System Security Requirements and Security Levels)

• ISO/IEC 27001:2013 A.8.1.1, A.8.1.2

• NIST SP 800-53 Rev. 4 CM-8 (Security and Privacy Controls for Federal Information Systems and Organizations)

Page 27: Assurance through the ISO27002 Standard and the US NIST

Source: A Controls Factory Approach To Building a Cyber Security Program Based on the NIST Cybersecurity Framework (NCSF) - Larry Wilson & Rick Lemieux, October 2016

Page 28: Assurance through the ISO27002 Standard and the US NIST


The Center for Internet Security was an active participant in the development of the NIST cybersecurity framework.

Source: A Controls Factory Approach To Building a Cyber Security Program Based on the NIST Cybersecurity Framework (NCSF) - Larry Wilson & Rick Lemieux, October 2016

Page 29: Assurance through the ISO27002 Standard and the US NIST

COBIT 5 BAI09.01, BAI09.02

Source: COBIT 5

Page 30: Assurance through the ISO27002 Standard and the US NIST


Page 31: Assurance through the ISO27002 Standard and the US NIST

Security for Industrial Automation and Control Systems

Page 32: Assurance through the ISO27002 Standard and the US NIST

ISO/IEC 27001:2013 A.8.1.1, A.8.1.2


Page 33: Assurance through the ISO27002 Standard and the US NIST

Source: A Controls Factory Approach To Building a Cyber Security Program Based on the NIST Cybersecurity Framework (NCSF) - Larry Wilson & Rick Lemieux, October 2016

PR.DS-2 Data in transit is protected

Page 34: Assurance through the ISO27002 Standard and the US NIST

NIST SP800-53 Rev. 4 CM-8


Page 35: Assurance through the ISO27002 Standard and the US NIST


Page 36: Assurance through the ISO27002 Standard and the US NIST

Recommendation

Images: Respective organisations

Page 37: Assurance through the ISO27002 Standard and the US NIST

RACI from ISACA’s COBIT 5


Page 38: Assurance through the ISO27002 Standard and the US NIST

RACI from ISACA’s Risk IT


Risk IT RE3 Maintain risk profile: Maintain an up-to-date and complete inventory of known risks and attributes (e.g., expected frequency, potential impact, disposition), IT resources, capabilities and controls as understood in the context of business products, services and processes.

Page 39: Assurance through the ISO27002 Standard and the US NIST
