ISO 27005:2008 - A Standards-Based Approach to IT Risk Management
Presented to: Secure 360
Updated October 22, 2008
John B. Weaver
CISSP, CISA, CISM, CPP
President/CEO, Principal Consultant
What is Risk? Key Contributors
- Information Assets: Technology; Customer Data; IP & Trade Secrets
- Threats: "Hackers"; Malware; Dishonest Employees; New Services; Competitors; Legal & Regulatory Requirements
- Vulnerabilities: Poorly Managed Technology; Inconsistent Policies; Informal Processes
- Impact (H, M, L): Lost Productivity; Lost Market Share; Brand Deterioration; Penalties; Litigation; Jail Time
- Likelihood (H, M, L): Daily; Weekly; Monthly; Annually
What is Risk Assessment?
(Chart: Risk plotted against Time, with the events Vulnerability Assessment, Zero-day Vulnerabilities, Employee Job Change and Change in Environment marked along the timeline, and a "Now" marker.)
What is Risk Management?
Risk Management is a system for:
- Identifying information assets
- Identifying relevant legal and business requirements
- Determining valuation of assets
- Determining vulnerabilities associated with the identified assets
- Anticipating threats that may exploit asset vulnerabilities
- Assessing the likelihood of occurrence
- Calculating the level of risk
Then . . .
What is Risk Management? (continued)
- Evaluating the risk and determining an acceptable level of risk
- Identifying a risk treatment strategy
- Implementing the risk treatment strategy
- Assessing the implementation of controls
- Monitoring and reporting effectiveness
- Reviewing and re-assessing risks to the organization
- Improving the ongoing Risk Management activities
ISO 27005:2008 Risk Management
(Chart: Risk plotted against Time, the same timeline as on the Risk Assessment slide: Vulnerability Assessment, Zero-day Vulnerabilities, Employee Job Change, Change in Environment, "Now".)
Standards-based Approach
Process Approach: fact-specific, risk-based, continual improvement
- Foundations in regulatory guidance
- Identification of relevant components
- Plan development and maintenance
- The process as applied to security controls must adapt/respond to existing threats and to changes in the business and information environments
Core components:
- Asset inventory; periodic risk assessment; controls appropriate to risks; pre-determined acceptance criteria; monitoring and testing; review and revise; responsibility and authority assigned organizationally; risk assessor competency
See Thomas Smedinghoff, "The New Law of Information Security: What Companies Need to do Now", The Computer and Internet Lawyer Journal, November 2005.
ISO 27005:2008
Risk management guidelines designed for use as a companion to ISO 27001:2005. Requires:
- Business case for Information Security
- Clearly defined scope of the security program (ISMS)
- Policy in clear support of information security
- Risk management methodology
- Information security risks in the organizational context
ISO 27005 Risk Assessment
Risk assessment process:
- Identification of assets
- Identification of legal and business requirements
- Valuation of assets
- Identification and assessment of threats and vulnerabilities
- Assessment of the likelihood of occurrence
Evaluation of risk:
- Calculation of risk
- Assessment against a pre-determined scale
Risk Calculation and Evaluation
(Matrix: Impact on the vertical axis and Likelihood of Occurrence on the horizontal axis, each rated Low, Medium or High; each cell holds the resulting risk level, Low, Medium or High.)
ISO 27005 Risk Treatment
Risk treatment occurs through:
- Prevention and detection controls
- Avoidance of risk
- Acceptance of risk
- Transfer of risk to another entity
- Some combination
Management decision-making criteria:
- What is the impact?
- How frequently is it expected to occur?
- What is the cost to manage the risk?
(Diagram: the output of the Risk Assessment Process, the Level of Risk, is the input to the Risk Treatment Strategy, together with green dollars, resources, current business priorities and organizational risk tolerance; the outputs are the Residual Risk and the Degree of Assurance.)
Risk = Vulnerabilities + Threats + Probability + Impact
(The "+" here means combination, not arithmetic addition: risk is a function of a threat, a vulnerability that threat can exploit, the probability of that exploitation and the resulting impact. If any one factor is absent there is no risk, which is why treatment can work on any of them.)
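As an added worked example (not part of the original slides and not the standard's own method), the Python below scores a small constructed risk register with an assumed 3x3 Likelihood x Impact matrix of the kind shown on the Risk Calculation slide, applies treatment controls under an assumed effect model (a prevention control lowers likelihood one step, a detection control lowers impact one step), totals the cost to manage each risk, and evaluates the residual risk against an organizational risk tolerance, the pre-determined acceptance criterion of the Risk Treatment slide. The register entries, control names, costs and the matrix values are all constructed for illustration.

```python
"""
Qualitative risk scoring, treatment and residual-risk evaluation in the
ISO 27005 style. Added illustration: the matrix, the control effect model
and the sample register are assumptions, not the standard's own tables.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ORDER = {"Low": 1, "Medium": 2, "High": 3}   # ordinal scale for comparisons
NAME = {v: k for k, v in ORDER.items()}

# Assumed risk matrix: (impact, likelihood) -> risk level.
RISK_MATRIX: Dict[Tuple[str, str], str] = {
    ("High", "High"): "High",   ("High", "Medium"): "High",     ("High", "Low"): "Medium",
    ("Medium", "High"): "High", ("Medium", "Medium"): "Medium", ("Medium", "Low"): "Low",
    ("Low", "High"): "Medium",  ("Low", "Medium"): "Low",       ("Low", "Low"): "Low",
}


@dataclass
class Control:
    name: str
    kind: str          # "prevention" lowers likelihood; "detection" lowers impact (assumed)
    annual_cost: int   # the "green dollars" behind "what is the cost to manage the risk?"


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str    # Low / Medium / High
    impact: str        # Low / Medium / High
    controls: List[Control] = field(default_factory=list)


def risk_level(likelihood: str, impact: str) -> str:
    """Calculation of risk: look the pair up in the pre-determined matrix."""
    return RISK_MATRIX[(impact, likelihood)]


def step_down(level: str, steps: int) -> str:
    """Lower a qualitative rating by `steps`, never below Low."""
    return NAME[max(1, ORDER[level] - steps)]


def residual_factors(risk: Risk) -> Tuple[str, str]:
    """Apply the treatment strategy under the assumed effect model:
    each prevention control lowers likelihood one step, each detection
    control lowers impact one step."""
    prevent = sum(1 for c in risk.controls if c.kind == "prevention")
    detect = sum(1 for c in risk.controls if c.kind == "detection")
    return step_down(risk.likelihood, prevent), step_down(risk.impact, detect)


def evaluate(risk: Risk, tolerance: str) -> Dict[str, object]:
    """Evaluate inherent and residual risk against the organizational
    tolerance and return the management decision that follows."""
    inherent = risk_level(risk.likelihood, risk.impact)
    lik, imp = residual_factors(risk)
    residual = risk_level(lik, imp)
    cost = sum(c.annual_cost for c in risk.controls)
    if ORDER[residual] <= ORDER[tolerance]:
        decision = "accept"          # residual risk within tolerance
    else:
        decision = "treat further"   # reduce more, avoid, or transfer
    return {"asset": risk.asset, "threat": risk.threat, "inherent": inherent,
            "residual": residual, "annual_cost": cost, "decision": decision}


def evaluate_register(register: List[Risk], tolerance: str) -> List[Dict[str, object]]:
    """Evaluate every entry; highest residual risk first so management sees it first."""
    results = [evaluate(r, tolerance) for r in register]
    return sorted(results, key=lambda r: -ORDER[str(r["residual"])])


# Constructed sample register, using the asset/threat/vulnerability examples
# from the "What is Risk?" slide. Costs are invented.
SAMPLE_REGISTER = [
    Risk("Customer Data", "Malware", "Poorly managed technology", "High", "High",
         [Control("Patch management", "prevention", 40000),
          Control("Endpoint monitoring", "detection", 25000)]),
    Risk("IP & Trade Secrets", "Dishonest employees", "Informal processes", "Medium", "High"),
    Risk("Technology", "Competitors", "Inconsistent policies", "Low", "Low"),
]

if __name__ == "__main__":
    for row in evaluate_register(SAMPLE_REGISTER, tolerance="Medium"):
        print(row)
```

Run as written, the untreated insider risk to trade secrets lands at High and is flagged "treat further", the malware risk drops from High to Medium after its two controls (65,000 a year) and is accepted at a Medium tolerance, and the competitor risk is accepted at Low. Changing the tolerance argument to "Low" shows the same register with two of three entries requiring further treatment, which is the trade-off between risk tolerance, cost and assurance the slide describes.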
Ongoing Risk Management
- Monitoring and maintenance
- Management review
- Risk reviews and re-assessment
- Audits
- Control of documentation
- Corrective actions
- Preventive actions
- Reporting and communications
- Risk management role
Plan-Do-Check-Act (Continuous Improvement Cycle)
Input: Risk Tolerance
- Plan: Assess and Evaluate Risks
- Do: Select & Implement Controls
- Check: Monitor & Review Risks
- Act: Maintain & Improve the Risk Controls
Output: Managed Risk
ISO 27005 Annexes
- Annex A – Defining the scope and boundaries of the information security risk management process
- Annex B – Identification and valuation of assets and impact assessment
- Annex C – Examples of typical threats
- Annex D – Vulnerabilities and methods for vulnerability assessment
- Annex E – Information security risk assessment approaches
- Annex F – Constraints for risk reduction
ISO 27001 History
- 1990 – Industry working group releases Code of Practice
- 1995 – BS 7799 Part 1 released
- BS 7799 Part 2 released
- 2000 – BS ISO/IEC 17799:2000 released
- BS 7799-2:2002 published
- 2005 – BS ISO/IEC 27001:2005 published; BS 7799 withdrawn
- 2007 – BS ISO/IEC 27006:2007 published
- 5100+ registered ISMSs in 72 countries worldwide
(This slide needs updating)
ISO 27000 Series
- ISO 27000 – Information Security techniques, fundamentals and vocabulary
- ISO 27001:2005 – Information Security Management System Requirements
- ISO 27002:2005 – Code of Practice (formerly ISO 17799:2005)
- ISO 27003 – ISMS Implementation (proposed)
- ISO 27004 – Guide for Information Security Metrics and Measures (proposed)
- ISO 27005 – Guide for Risk Management (formerly BS 7799-3:2006)
- ISO 27006:2007 – International Accreditation Guidelines (10/2007 implementation deadline)
Reasonable Security
- Focused on all information in any form, and all information assets within the organization
- More than technology tools or "solutions"
- Purchase orders for vendor products (firewalls, monitoring tools, encryption, content filters, other) aren't the same thing as an information security strategy
- More than acceptance of a recognized control set
- Information security, not just IT security (the architecture: networks, applications, databases, hardware)
- Use and implementation of controls should be driven by security strategy and governance tied to business objectives and risk management priorities
- Applicable risk management methodology
John B. Weaver, CISSP, CISA, CISM, CPP
President/CEO – Principal Consultant
JBW Group International, PO Box 19393, Minneapolis, MN 55419 USA
+1.877.97.27001 www.JBWGroup.com