Technical Editors

Akhil Behl, CCIE No. 19564, is a passionate IT executive with a key focus on cloud and security. He has more than 15 years of experience in the IT industry, working in several leadership, advisory, consultancy, and business development profiles with various organizations. His technology and business specialization includes cloud, security, infrastructure, data center, and business communication technologies. Akhil is a published author. Over the past few years, Akhil has authored multiple titles on security and business communication technologies. He has contributed as a technical editor for more than a dozen books on security, networking, and information technology. He has published several research papers in national and international journals, including IEEE Xplore, and presented at various IEEE conferences, as well as other prominent ICT, security, and telecom events. Writing and mentoring are his passions. Akhil holds CCIE (Collaboration and Security), CCSK, CHFI, PMP, ITIL, VCP, TOGAF, CEH, ISM, CCDP, and many other industry certifications. He has a bachelor’s degree in technology and a master’s in business administration.

Michael J. Shannon began his IT career when he transitioned from being a recording studio engineer to a network technician for a major telecommunications company in the early 1990s. He soon began to focus on security and was one of the first 10 people to attain the HIPAA Certified Security Specialist designation. Throughout his 30 years in IT, he has worked as an employee, a contractor, a trainer, and a consultant for a number of companies, including Platinum Technologies, Fujitsu, IBM, State Farm, Pearson, MindSharp, Thomson/NetG, and Skillsoft. Mr. Shannon has authored several books and training manuals, published articles, and produced dozens of CBT titles over the years as well.
For security purposes, he has attained the CISSP, CCNP Security, SSCP, Security+, and ITIL Intermediate SO and RCV certifications. He is also a licensed insurance agent, specializing in cyber insurance on behalf of large insurers and numerous companies throughout Texas.

Chapter 1 Best Practices, Standards, and a Plan of Action

There are some dogs who wouldn’t debase what are to them sacred forms. A very fine, very serious German Shepherd I worked with, for instance, grumbled noisily at other dogs when they didn’t obey. When training him to retrieve, at one point I set the dumbbell on its end for the fun of it. He glared disapprovingly at the dumbbell and at me, then pushed it carefully back into its proper position before picking it up and returning with it, rather sullenly.
—Adam’s Task: Calling Animals by Name, Vicki Hearne

Learning Objectives

After studying this chapter, you should be able to:

Explain the need for standards and best practices documents in cybersecurity.
Present an overview of the Standard of Good Practice for Information Security.
Explain the difference between ISO 27001 and ISO 27002.
Discuss the role of the National Institute of Standards and Technology (NIST) Cybersecurity Framework and how it differs from the objectives of ISO 27002.
Explain the value of the Center for Internet Security (CIS) Critical Security Controls.

The purpose of this book is to provide security managers and security implementers with a comprehensive understanding of the technology, operational procedures, and management practices needed for effective cybersecurity. To that end, this book makes extensive use of standards and best practices documents that have broad support and are used to guide—and in many cases require—approaches to cybersecurity implementation. Although these documents represent the collective wisdom of numerous organizations and security experts, they are insufficient by themselves.
These documents focus, mainly and in checklist fashion, on what needs to be done, but they do not provide tutorial material on the “how.” With these considerations in mind, this book:

Provides detailed explanations of the technology, operational procedures, and management practices needed to implement the guidelines and requirements of the standards and best practices documents. For example, a number of these documents call out the need for risk assessment but do not provide in-depth explanation or guidance of how to perform risk assessment. Chapter 3, “Information Risk Assessment,” describes what is involved in performing a risk assessment.

Provides a consolidated and comprehensive framework for implementing cybersecurity based on the many standards and best practices documents. This is not simply a summary or an outline of these documents. Rather, this book uses these documents to present a systematic and broad plan of action for implementing cybersecurity.

This chapter begins with a definition of cybersecurity and a discussion of the importance of standards and best practices documents in cybersecurity. The sections that follow look at the most significant sources of these documents for effective cybersecurity management. Finally, this chapter provides a discussion of the effective use of standards and best practices documents.

1.1 Defining Cyberspace and Cybersecurity

It is useful, at the start of the book, to have working definitions of cyberspace and cybersecurity. A useful definition of cyberspace comes from the National Research Council’s publication At the Nexus of Cybersecurity and Public Policy [CLAR14]:

Cyberspace consists of artifacts based on or dependent on computer and communications technology; the information that these artifacts use, store, handle, or process; and the interconnections among these various elements.
A reasonably comprehensive definition of cybersecurity is provided in ITU-T (International Telecommunication Union Telecommunication Standardization Sector) Recommendation X.1205 [Overview of Cybersecurity, 2014]:

Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that are used to protect the cyberspace environment and organization and user’s assets. Organization and user’s assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyberspace environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user’s assets against relevant security risks in the cyberspace environment. The general security objectives comprise the following: availability; integrity, which may include authenticity and non-repudiation; and confidentiality.

risk: A measure of the extent to which an entity is threatened by a potential circumstance or event and typically a function of (1) the adverse impacts that would arise if the circumstance or event occurs and (2) the likelihood of occurrence.

asset: Data contained in an information system; or a service provided by a system; or a system capability, such as processing power or communication bandwidth; or an item of system equipment (that is, a system component, such as hardware, firmware, software, or documentation); or a facility that houses system operations and equipment.

Two related terms should be mentioned:

Information security: Preservation of confidentiality, integrity, and availability of information. In addition, other properties—such as authenticity, accountability, non-repudiation, and reliability—can also be involved.
Network security: Protection of networks and their services from unauthorized modification, destruction, or disclosure and provision of assurance that the network performs its critical functions correctly and that there are no harmful side effects.

Cybersecurity encompasses information security, with respect to electronic information, and network security. Information security also is concerned with physical (for example, paper-based) information. However, in practice, the terms cybersecurity and information security are often used interchangeably. Figure 1.1 illustrates essential cybersecurity objectives.

FIGURE 1.1 Essential Cybersecurity Objectives

A more extensive list of cybersecurity objectives includes the following:

Availability: The property of a system or a system resource being accessible or usable or operational upon demand, by an authorized system entity, according to performance specifications for the system; that is, a system is available if it provides services according to the system design whenever users request them.

Integrity: The property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner.

Authenticity: The property of being genuine and being able to be verified and trusted. This means verifying that users are who they say they are and that each input arriving at the system came from a trusted source.

Non-repudiation: Assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the information.

Confidentiality: The property that data is not disclosed to system entities unless they have been authorized to know the data.
Accountability: The property of a system or system resource ensuring that the actions of a system entity may be traced uniquely to that entity, which can then be held responsible for its actions.

Cybersecurity Dilemmas: Technology, Policy, and Incentives [CICE14] summarizes the challenges in developing an effective cybersecurity system as follows:

Scale and complexity of cyberspace: The scale and complexity of cyberspace are massive. Cyberspace involves mobile devices, workstations, servers, massive data centers, cloud computing services, Internet of Things (IoT) deployments, and a wide variety of wired and wireless networks. The variety of individuals and applications requiring some level of access to these resources is also huge. Further, the challenges to achieving cybersecurity constantly change as technologies advance, new applications of information technologies emerge, and societal norms evolve.

Nature of the threat: Organizational assets in cyberspace are under constant and evolving threat from vandals, criminals, terrorists, hostile states, and other malevolent actors. In addition, a variety of legitimate actors, including businesses and governments, are interested in collecting, analyzing, and storing information from and about individuals and organizations, potentially creating security and privacy risks.

threat: A potential for violation of security that exists when there is a circumstance, a capability, an action, or an event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability.

vulnerability: A flaw or weakness in a system’s design, implementation, or operation and management that could be exploited to violate the system’s security policy.

User needs versus security implementation: Users want technology with the most modern and powerful features, that is convenient to use, that offers anonymity in certain circumstances, and that is secure.
But there is an inherent conflict between greater ease of use and greater range of options on the one hand and robust security on the other. In general, the simpler the system, and the more its individual elements are isolated from one another, the easier it is to implement effective security. But over time, people demand more functionality, and the greater complexity that results makes systems less secure. Users or groups within an organization that feel inconvenienced by security mechanisms will be tempted to find ways around those mechanisms or demand relaxation of the security requirements.

Difficulty estimating costs and benefits: It is difficult to estimate the total cost of cybersecurity breaches and, therefore, the benefits of security policies and mechanisms. This complicates the need to achieve consensus on the allocation of resources to security.

Because of these challenges, there is an ongoing effort to develop best practices, documents, and standards that provide guidance to managers charged with making resource allocation decisions as well as those charged with implementing an effective cybersecurity framework. The focus of this book is on the broad consensus that has been reached, as expressed in such documents. The volume and variety of these documents is very broad, and the goal of this book is to consolidate that material and make it accessible.

1.2 The Value of Standards and Best Practices Documents

The development, implementation, and management of a cybersecurity system for an organization are extraordinarily complex and difficult. A wide variety of technical approaches are involved, including cryptography, network security protocols, operating system mechanisms, database security schemes, and malware identification. The areas of concern are broad, including stored data, data communications, human factors, physical asset and property security, and legal, regulatory, and contractual concerns.
And there is an ongoing need to maintain high confidence in the cybersecurity capability in the face of evolving IT systems, relationships with outside parties, personnel turnover, changes to the physical plant, and the ever-evolving threat landscape. Effective cybersecurity is very difficult, and any attempt to develop an ad hoc, grow-your-own approach to cybersecurity is an invitation to failure. The good news is that a great deal of thought, experimentation, and implementation experience have already gone into the development of policies, procedures, and overall guidance for cybersecurity system management teams. A number of organizations, based on wide professional input, have developed best practices types of documents as well as standards for implementing and evaluating cybersecurity.

On the standards side, the most prominent player is the National Institute of Standards and Technology (NIST). NIST has a huge number of security publications, including nine Federal Information Processing Standards (FIPS) and well over 100 active Special Publications (SP) that provide guidance on virtually all aspects of cybersecurity. Other organizations that have produced cybersecurity standards and guidelines include the ITU-T, International Organization for Standardization (ISO), and the Internet Society (ISOC).

In addition, a number of professional and industry groups have produced best practices documents and guidelines. The most important such document is the Standard of Good Practice for Information Security, produced by the Information Security Forum (ISF). This 300-plus-page document provides a wide range of best practices representing the consensus of industry and government organizations. Other respected organizations, including the Information Systems Audit and Control Association (ISACA) and the Payment Card Industry (PCI), have produced a number of similar documents.
Table 1.1 lists the most prominent best practices and standards documents that are discussed in this book.

TABLE 1.1 Important Best Practices and Standards Documents

Source | Title | Date
ISF | Standard of Good Practice for Information Security | 2016
ISO | ISO 27002: Code of Practice for Information Security Controls | 2013
NIST | Framework for Improving Critical Infrastructure Cybersecurity | 2017
Center for Internet Security (CIS) | CIS Critical Security Controls for Effective Cyber Defense Version 7 | 2018
ISACA | COBIT 5 for Information Security | 2012
PCI Security Standards Council | Data Security Standard v3.2: Requirements and Security Assessment Procedures | 2016

1.3 The Standard of Good Practice for Information Security

The ISF is an independent, not-for-profit association of leading organizations from around the world. ISF members fund and cooperate in the development of a practical research program in information security. It is dedicated to investigating, clarifying, and resolving key issues in cybersecurity, information security, and risk management and to developing best practice methodologies, processes, and solutions that meet the business needs of its members. ISF members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organizations and developed through an extensive research and work program.

Information Security Forum https://www.securityforum.org/tool/the-isfstandardrmationsecurity/

The most significant activity of the ISF is the ongoing development of the Standard of Good Practice for Information Security (SGP). This document is a business-focused, comprehensive guide to identifying and managing information security risks in organizations and their supply chains. The breadth of the consensus in developing the SGP is unmatched.
The SGP is based on research projects and input from ISF members, as well as analysis of the leading standards on cybersecurity, information security, and risk management. In creating and updating the SGP, the goal of the ISF is the development of best practice methodologies, processes, and solutions that meet the needs of its members, including large and small business organizations, government agencies, and nonprofit organizations. The SGP, first released in 1996, has gone through numerous revisions. The current version, as of this writing, is the 2016 version. The development of the standard is based on the results of four main groups of activities, shown in Figure 1.2:

An extensive work program involving the expertise of a full-time ISF management team that performs comprehensive research into hot topics in information security; produces reports, tools, and methodologies; and maintains strategic projects such as the ISF’s Information Risk Analysis Methodology (IRAM).

Analysis and integration of information security–related standards (for example, ISO 27002, COBIT v5.1) and legal and regulatory requirements (for example, the Sarbanes-Oxley Act 2002, the PCI Data Security Standard, Basel II 1998, the EU Directive on Data Protection). All of the standards listed in Table 1.1 are incorporated into the SGP.

The involvement of ISF members, using techniques such as workshops, face-to-face meetings, and interviews to contribute their practical experience.

The results of the ISF Benchmark, which provide valuable insights into how information security is applied in member organizations.

FIGURE 1.2 Basis for the ISF Standard of Good Practice for Information Security

The SGP is of particular interest to the following individuals:

Chief information security officers (or equivalent): Responsible for developing policy and implementing sound information security governance and information security assurance.
Information security managers (as well as security architects, local security coordinators, and information protection champions): Responsible for promoting or implementing an information security assurance program.

Business managers: Responsible for ensuring that critical business applications, processes, and local environments on which an organization’s success depends are effectively managed and controlled.

IT managers and technical staff: Responsible for designing, planning, developing, deploying, and maintaining key business applications, information systems, or facilities.

Internal and external auditors: Responsible for conducting security audits.

IT service providers: Responsible for managing critical facilities (for example, computer installations, networks) on behalf of the organization.

Procurement and vendor management teams: Responsible for defining appropriate information security requirements in contracts.

security policy: A set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources.

The SGP is organized into 17 categories, each of which is broken down into 2 areas (see Table 1.2). Each area is further broken down into a number of topics, or business activities, for a total of 132 topics. Each of the 132 topics addresses good practice controls relevant to a particular activity from an information security perspective. Further, each topic is broken down into a number of subtopics, providing a substantial amount of detailed information and guidance. The SGP is consistent with the structure and flow of the ISO/IEC 27000 suite of standards (described in Section 1.4) and is suitable for organizations that want to use it in pursuing ISO compliance or certification or in implementing one or more information security management systems (ISMSs).
The structure of the SGP reflects a broad consensus that has evolved and has been refined over more than 20 years, and the following 17 chapters of this book correspond to the 17 categories of the SGP. Thus, each chapter serves as a guide and source of background material on its respective category.

TABLE 1.2 ISF Standard of Good Practice for Information Security: Categories and Areas

Category | Areas
Security Governance (SG) | Security Governance Approach; Security Governance Components
Information Risk Assessment (IR) | Information Risk Assessment Framework; Information Risk Assessment Process
Security Management (SM) | Security Policy Management; Information Security Management
People Management (PM) | Human Resource Security; Security Awareness/Education
Information Management (IM) | Information Classification and Privacy; Information Protection
Physical Asset Management (PA) | Equipment Management; Mobile Computing
System Development (SD) | System Development Management; System Development Life Cycle
Business Application Management (BA) | Corporate Business Applications; End User Developed Applications
System Access (SA) | Access Management; Customer Access
System Management (SY) | System Configuration; System Maintenance
Networks and Communications (NC) | Network Management; Electronic Communication
Supply Chain Management (SC) | External Supplier Management; Cloud Computing
Technical Security Management (TS) | Security Solutions; Cryptography
Threat and Incident Management (TM) | Cybersecurity Resilience; Security Incident Management
Local Environment Management (LE) | Local Environments; Physical and Environmental Security
Business Continuity (BC) | Business Continuity Framework; Business Continuity Process
Security Monitoring and Improvement (SI) | Security Audit; Security Performance

It is informative to consider the 17 SGP categories as being organized into three principal activities (see Figure 1.3):

1. Planning for cybersecurity: Developing approaches for managing and controlling the cybersecurity function(s); defining the requirements specific to a given IT environment; and developing policies and procedures for managing the security function.
2. Managing the cybersecurity function: Deploying and managing the security controls to satisfy the defined security requirements.
3. Security assessment: Assuring that the security management function enables business continuity; monitoring, assessing, and improving the suite of cybersecurity controls.

FIGURE 1.3 Categories in the Standard of Good Practice for Information Security

The arrows in Figure 1.3 suggest that these activities occur in an ongoing process. We return to this concept in Section 1.11.

1.4 The ISO/IEC 27000 Suite of Information Security Standards

Perhaps the most important set of standards for cybersecurity is the ISO 27000 suite of information security standards. The ISO is an international agency for the development of standards on a wide range of subjects. It is a voluntary, nontreaty organization whose members are designated standards bodies of participating nations as well as nonvoting observer organizations. Although the ISO is not a government body, more than 70% of ISO member bodies are government standards institutions or organizations incorporated by public law. Most of the remainder have close links with the public administrations in their own countries. The U.S. member body is the American National Standards Institute (ANSI).

International Organization for Standardization https://www.iso.org/home.html

The ISO, which was founded in 1946, has issued more than 12,000 standards in a broad range of areas.
Its purpose is to promote the development of standardization and related activities to facilitate international exchange of goods and services and to develop cooperation in the sphere of intellectual, scientific, technological, and economic activity. It has issued standards covering everything from screw threads to solar energy. One important area of ISO standardization deals with the Open Systems Interconnection (OSI) communications architecture and the standards at each layer of this architecture.

In the areas of data communications, networking, and security, ISO standards are developed in a joint effort with another standards body, the International Electrotechnical Commission (IEC). The IEC is primarily concerned with electrical and electronic engineering standards. The interests of the two groups overlap in the area of information technology, with the IEC emphasizing hardware and the ISO focusing on software. In 1987, the two groups formed the Joint Technical Committee 1 (JTC 1). This committee has the responsibility of developing the documents that ultimately become ISO (and IEC) standards in the area of information technology.

In the area of information security, together the ISO and IEC have developed a growing family of standards in the ISO/IEC 27000 series that deal with ISMSs. (Throughout the rest of this book, for brevity, ISO/IEC standards are simply designated as ISO standards.) The ISO 27000 definition of ISMS substantially addresses the concerns of this book:

Information security management system consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organization, in the pursuit of protecting its information assets. An ISMS is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s information security to achieve business objectives.
It is based upon a risk assessment and the organization’s risk acceptance levels designed to effectively treat and manage risks. Analyzing requirements for the protection of assets, as required, contributes to the successful implementation of an ISMS. The following fundamental principles also contribute to the successful implementation of an ISMS:

awareness of the need for information security
assignment of responsibility for information security
incorporating management commitment and the interests of stakeholders
enhancing societal values
risk assessments determining appropriate controls to reach acceptable levels of risk
security incorporated as an essential element of information networks and systems
active prevention and detection of information security incidents
ensuring a comprehensive approach to information security management
continual reassessment of information security and making of modifications as appropriate

The ISO 27000 series deals with all aspects of an ISMS. It helps small, medium, and large businesses in any sector keep information assets secure.
This growing collection of standards falls into four categories (see Figure 1.4):

Overview and vocabulary: Provide an overview and relevant vocabulary for ISMS.
Requirements: Discuss normative standards that define requirements for an ISMS and for those certifying such systems.
Guidelines: Provide direct support and detailed guidance and/or interpretation for the overall process of establishing, implementing, maintaining, and improving an ISMS.
Sector-specific guidelines: Address sector-specific guidelines for an ISMS.

FIGURE 1.4 ISO 27000 ISMS Family of Standards

The most significant documents in the series are those that are cited in the ISF SGP:

ISO 27001: ISMS Requirements: Provides a mandatory set of steps—such as defining a target environment, assessing risks, and selecting appropriate controls—for creating an ISMS, against which an organization can certify its security arrangements.

ISO 27002: Code of Practice for Information Security Controls: Provides a framework of security controls that can be used to help select the controls required in an ISMS.

ISO 27005: Information Security Risk Management System Implementation Guidance: Provides information security risk management guidance, including advice on risk assessment, risk treatment, risk acceptance, risk reporting, risk monitoring, and risk review. Examples of risk assessment methodologies are included as well.

ISO 27014: Governance of Information Security: Provides guidance on principles and processes for the governance of information security, by which organizations can evaluate, direct, and monitor the management of information security.

ISO 27036: Information Security for Supplier Relationships: Outlines information security for external parties for both the acquirers and suppliers. It supports organizations in implementing information security controls related to supplier relationships.
security controls: The management, operational, and technical controls (that is, countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.

ISO 27001

Although ISO 27001 is brief, it is an important document for organizational executives with security responsibility. It is used to define the requirements for an ISMS in such a way that it serves as a checklist for certification. Certification gives credibility to an organization, demonstrating that a product or service meets the expectations of the organization’s customers. For example, security certification using ISO 27001 is a way for executives to be assured that the security capability was funded and implemented and meets the security requirements of the organization. For some industries, certification is a legal or contractual requirement. A number of independent certification bodies provide certification services.

certification: The provision by an independent body of written assurance (a certificate) that the product, service, or system in question meets specific requirements. Also known as third-party conformity assessment.

According to an article in ISSA Journal, ISO 27001 certification confers the following benefits [LAMB06]:

Certification assures an organization that it is following practices that broad experience has shown reduce the risk of security breaches.

Certification assures an organization that it is following practices that broad experience has shown reduce the impact of any breach that does occur.

If an organization can attest that its security and record handling procedures have been certified, this should reduce the potential penalty for a security breach imposed by regulators. The certification indicates a good faith effort to follow broadly accepted best practices and standards.
Certification assures stakeholders that the organization has developed and implemented sound security policy.
Certification provides independent third-party validation of an organization's ISMS.

ISO 27001 is the most comprehensive internationally accepted information security standard against which an organization can be certified. It is a management standard initially designed for the certification of organizations. The system works like this: An organization develops an ISMS, which consists of policies, procedures, people, technology, and so on, and then invites a certification body to determine that the ISMS is compliant with the standard; this is called a certification audit. Of course, there must be qualified individuals to develop and maintain the ISMS. Thus, various certification programs have been developed for individuals, the most common being the ISO 27001 Lead Implementer and ISO 27001 Lead Auditor programs. Obtaining such a certification enhances the value of an employee to an organization. Table 1.3 lists the requirements and topics covered by ISO 27001 (using the numbering scheme in the ISO document).
TABLE 1.3 ISO 27001 Requirements Topics

4 Context of the Organization
    4.1 Understanding the Organization and Its Context
    4.2 Understanding the Needs and Expectations of Interested Parties
    4.3 Determining the Scope of the Information Security Management System
    4.4 Information Security Management System
5 Leadership
    5.1 Leadership and Commitment
    5.2 Policy
    5.3 Organizational Roles, Responsibilities and Authorities
6 Planning
    6.1 Actions to Address Risks and Opportunities
    6.2 Information Security Objectives and Planning to Achieve Them
7 Support
    7.1 Resources
    7.2 Competence
    7.3 Awareness
    7.4 Communication
    7.5 Documented Information
8 Operation
    8.1 Operational Planning and Control
    8.2 Information Security Risk Assessment
    8.3 Information Security Risk Treatment
9 Performance Evaluation
    9.1 Monitoring, Measurement, Analysis and Evaluation
    9.2 Internal Audit
    9.3 Management Review
10 Improvement
    10.1 Nonconformity and Corrective Action
    10.2 Continual Improvement

ISO 27002

Although ISO 27001 lays out the requirements for an ISMS, it is rather general, and the specification of the requirements is only nine pages long. Of equal importance is ISO 27002, Code of Practice for Information Security Controls, which provides the broadest treatment of ISMS topics in the ISO 27000 series and runs to 90 pages. The linkage between the ISMS requirements defined in ISO 27001 and the information security controls defined in ISO 27002 is provided by Section 6.1.3 of ISO 27001, Information Security Risk Treatment. In essence, this section requires that an organization define a risk treatment process by determining which controls must be implemented for the risk treatment options chosen. The section then references the control set in Annex A of ISO 27001, which is aligned with the controls in ISO 27002, and indicates that the organization selects from that set the controls needed to satisfy the ISMS requirements, verifying that no necessary control has been omitted.
But ISO 27001 also states that the organization can select controls from any source, not solely or necessarily ISO 27002. Table 1.4 lists the topics covered in ISO 27002 (using the numbering scheme in the ISO document). It should be mentioned that ISO 27001 and 27002 do not cover a number of important topics discussed in the ISF SGP, including threat intelligence and system decommissioning, and the ISF SGP is far more detailed, at 320 pages.

TABLE 1.4 ISO 27002 Control Topics

5 Information Security Policies
    5.1 Management Direction for Information Security
6 Organization of Information Security
    6.1 Internal Organization
    6.2 Mobile Devices and Teleworking
7 Human Resource Security
    7.1 Prior to Employment
    7.2 During Employment
    7.3 Termination and Change of Employment
8 Asset Management
    8.1 Responsibility for Assets
    8.2 Information Classification
    8.3 Media Handling
9 Access Control
    9.1 Business Requirements of Access Control
    9.2 User Access Management
    9.3 User Responsibilities
    9.4 System and Application Access Control
10 Cryptography
    10.1 Cryptographic Controls
11 Physical and Environmental Security
    11.1 Secure Areas
    11.2 Equipment
12 Operations Security
    12.1 Operational Procedures and Responsibilities
    12.2 Protection from Malware
    12.3 Backup
    12.4 Logging and Monitoring
    12.5 Control of Operational Software
    12.6 Technical Vulnerability Management
    12.7 Information Systems Audit Considerations
13 Communications Security
    13.1 Network Security Management
    13.2 Information Transfer
14 System Acquisition, Development and Maintenance
    14.1 Security Requirements of Information Systems
    14.2 Security in Development and Support Processes
    14.3 Test Data
15 Supplier Relationships
    15.1 Information Security in Supplier Relationships
16 Information Security Incident Management
    16.1 Management of Information Security Incidents and Improvements
17 Information Security Aspects of Business Continuity Management
    17.1 Information Security Continuity
    17.2 Redundancies
18 Compliance
    18.1 Compliance with Legal and Contractual Requirements
    18.2 Information Security Reviews

1.5 Mapping the ISO 27000 Series to the ISF SGP

For an organization that relies on ISO 27001 for certification and on ISO 27002 for a selection of controls to meet the ISO 27001 requirements, the ISF SGP is an invaluable and perhaps essential tool. It provides a far more detailed description of the controls and represents the widest possible consensus among industry, government, and academic security experts and practitioners. Table 1.5 maps the ISO 27001 requirements to the ISF SGP security control categories. For each of the detailed requirements, the table indicates the SGP category whose controls can be used to satisfy that requirement, as documented in the ISF SGP.

TABLE 1.5 Mapping ISO 27001 to the ISF SGP (ISO 27001 topic: ISF SGP category)

4.1 Understanding the Organization and Its Context: Security Governance
4.2 Understanding the Needs and Expectations of Interested Parties: Security Governance
4.3 Determining the Scope of the Information Security Management System: Security Management
4.4 Information Security Management System: Security Management
5.1 Leadership and Commitment: Security Governance
5.2 Policy: Security Management
5.3 Organizational Roles, Responsibilities and Authorities: Security Governance
6.1 Actions to Address Risks and Opportunities: Information Risk Assessment
6.2 Information Security Objectives and Planning to Achieve Them: Security Management
7.1 Resources: Security Management
7.2 Competence: People Management
7.3 Awareness: People Management
7.4 Communication: People Management
7.5 Documented Information: Security Management
8.1 Operational Planning and Control: Security Management
8.2 Information Security Risk Assessment: Information Risk Assessment
8.3 Information Security Risk Treatment: Information Risk Assessment
9.1 Monitoring, Measurement, Analysis and Evaluation: Security Monitoring and Improvement
9.2 Internal Audit: Security Monitoring and Improvement
9.3 Management Review: Security Monitoring and Improvement
10.1 Nonconformity and Corrective Action: Security Monitoring and Improvement
10.2 Continual Improvement: Security Monitoring and Improvement

Similarly, Table 1.6 shows the mapping between the ISO 27002 security controls and the corresponding control categories in the ISF SGP. Even if an organization is using ISO 27002 as a checklist of controls to be chosen to meet security requirements, these selections should be augmented by the more detailed information available in the ISF SGP.

TABLE 1.6 Mapping ISO 27002 to the ISF SGP (ISO 27002 topic: ISF SGP category)

5.1 Management Direction for Information Security: Security Monitoring and Improvement
6.1 Internal Organization: Security Governance
6.2 Mobile Devices and Teleworking: People Management
7.1 Prior to Employment: People Management
7.2 During Employment: People Management
7.3 Termination and Change of Employment: People Management
8.1 Responsibility for Assets: Physical Asset Management
8.2 Information Classification: Physical Asset Management
8.3 Media Handling: Physical Asset Management
9.1 Business Requirements of Access Control: System Access
9.2 User Access Management: System Access
9.3 User Responsibilities: System Access
9.4 System and Application Access Control
10.1 Cryptographic Controls: Technical Security Management
11.1 Secure Areas: Local Environment Management
11.2 Equipment: Local Environment Management
12.1 Operational Procedures and Responsibilities: System Development
12.2 Protection from Malware: Technical Security Management
12.3 Backup: System Management
12.4 Logging and Monitoring: Threat and Incident Management
12.5 Control of Operational Software: XX
12.6 Technical Vulnerability Management: System Development
12.7 Information Systems Audit Considerations: Security Monitoring and Improvement
13.1 Network Security Management: Networks and Communications
13.2 Information Transfer: Networks and Communications
14.1 Security Requirements of Information Systems: Security Management
14.2 Security in Development and Support Processes: System Development
14.3 Test Data: System Development
15.1 Information Security in Supplier Relationships: Supply Chain Management
16.1 Management of Information Security Incidents and Improvements: Threat and Incident Management
17.1 Information Security Continuity: Business Continuity
17.2 Redundancies: Business Continuity
18.1 Compliance with Legal and Contractual Requirements: Security Management
18.2 Information Security Reviews: Security Monitoring and Improvement

As an example of the benefit of the ISF SGP, consider the category of threat and incident management. In ISO 27002, this category is defined in Section 16, in 4 pages, and includes the following 7 subtopics:

16.1.1 Responsibilities and Procedures
16.1.2 Reporting Information Security Events
16.1.3 Reporting Information Security Weaknesses
16.1.4 Assessment of and Decision on Information Security Events
16.1.5 Response to Information Security Incidents
16.1.6 Learning from Information Security Incidents
16.1.7 Collection of Evidence

By contrast, the corresponding treatment in the ISF SGP runs to 22 pages and consists of 9 topics and a total of 74 subtopics, as shown in Table 1.7. For additional guidance, each topic in Table 1.7 is labeled as fundamental or specialized, and links to documents at the ISF website provide related background and technical tutorial information. An organization that makes use of all this information can have significant confidence that it is effectively deploying the security controls needed to meet the requirement.
TABLE 1.7 The SGP Threat and Incident Management Category (topic: number of subtopics, type)

Area: Cyber Security Resilience
    Technical Vulnerability Management: 10, Fundamental
    Security Event Logging: 7, Fundamental
    Security Event Management: 11, Specialized
    Threat Intelligence: 10, Specialized
    Cyber Attack Protection: 8, Specialized
Area: Security Incident Management
    Security Incident Management Framework: 7, Fundamental
    Security Incident Management Process: 5, Fundamental
    Emergency Fixes: 7, Fundamental
    Forensic Investigations: 9, Specialized

1.6 NIST Cybersecurity Framework and Security Documents

NIST is a U.S. federal agency that deals with measurement science, standards, and technology related to the U.S. government and to the promotion of U.S. private sector innovation. Despite their national scope, NIST Federal Information Processing Standards (FIPS) and Special Publications (SP) have a worldwide impact. In the area of information security, the NIST Computer Security Resource Center (CSRC) is the source of a vast collection of documents that are widely used in the industry.

NIST Computer Security Resource Center (CSRC) http://csrc.nist.gov

NIST Cybersecurity Framework

In response to repeated cyber intrusions into U.S. critical infrastructure, Executive Order 13636, Improving Critical Infrastructure Cybersecurity [EO13], directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure. The resulting NIST Cybersecurity Framework [NIST18] draws on practices that a variety of standards bodies have found effective. Thus, the framework is a collection of best practices, that is, practices that improve efficiency and protect constituents. Although developed for critical infrastructure owners and operators, the document is equally useful to other organizations, public and private.
NIST Cybersecurity https://www.nist.gov/topics/cybersecurity

The NIST Cybersecurity Framework consists of three components (see Figure 1.5):

Core: Provides a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors.
Implementation tiers: Provide context on how an organization views cybersecurity risk and the processes in place to manage that risk.
Profiles: Represent the outcomes, based on business needs, that an organization has selected from the Framework Core categories and subcategories.

FIGURE 1.5 NIST Cybersecurity Framework Components

The Framework Core identifies five key functions that comprise an organization's cybersecurity risk management approach. As shown in Table 1.8, each function is divided into a number of specific categories, each of which in turn is divided into a number of more detailed subcategories, for a total of 23 categories and 108 subcategories. The five functions provide a high-level view of the elements that comprise risk management for an organization. The categories are groups of cybersecurity outcomes closely tied to programmatic needs and particular activities. Each category is divided into subcategories of specific outcomes of technical and/or management activities that provide a set of results that, while not exhaustive, help support achievement of the outcomes in each category. For each subcategory, the NIST Cybersecurity Framework provides a list of informative references: specific sections of standards, guidelines, and practices common among critical infrastructure sectors that illustrate methods of achieving the outcomes associated with that subcategory.
TABLE 1.8 NIST Cybersecurity Framework Functions and Categories

Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
    Categories: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy; Supply Chain Risk Management
Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
    Categories: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology
Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
    Categories: Anomalies and Events; Security Continuous Monitoring; Detection Processes
Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
    Categories: Response Planning; Communications; Analysis; Mitigation; Improvements
Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
    Categories: Recovery Planning; Improvements; Communications

The Framework Core is intended not so much as a checklist of actions to be performed as a planning tool, enabling decision makers to more clearly appreciate what goes into effective risk management and to determine policies that emphasize the specific activities that are appropriate for the security goals of the organization.

The tiers defined in the Cybersecurity Framework help an organization define the priority that is to be given to cybersecurity and the level of commitment that the organization intends to make.
The tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe increasing degrees of rigor and sophistication in cybersecurity risk management practices and the extent to which cybersecurity risk management is informed by business needs and integrated into an organization's overall risk management practices (see Table 1.9).

TABLE 1.9 Cybersecurity Framework Implementation Tiers

Tier 1: Partial
    Risk Management Process: Risk management practices are not formalized but are, rather, ad hoc. Prioritization of cybersecurity activities may not be directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
    Integrated Risk Management Program: Limited awareness of risk; no organization-wide approach to risk management or cybersecurity information to be shared within the organization.
    External Participation: Lack of coordination and collaboration with other entities.

Tier 2: Risk Informed
    Risk Management Process: Risk management practices are approved by management but not established as organization-wide policy. Prioritization of cybersecurity activities is directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
    Integrated Risk Management Program: Processes and procedures are defined and implemented, and staff have adequate resources to perform their cybersecurity duties. No organization-wide approach to risk management.
    External Participation: No formal coordination and collaboration with other entities.

Tier 3: Repeatable
    Risk Management Process: Risk management practices are formally approved and expressed as policy. Organizational cybersecurity practices are regularly updated based on changes in business/mission requirements and the threat and technology landscape.
    Integrated Risk Management Program: Organization-wide approach to risk management. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Personnel possess the knowledge and skills to perform their appointed roles and responsibilities.
    External Participation: Collaboration with partners enables risk management decisions in response to external events.

Tier 4: Adaptive
    Risk Management Process: The organization actively adapts to the changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner.
    Integrated Risk Management Program: Organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events.
    External Participation: The organization manages risk and actively shares information with partners to ensure that accurate, current information is being distributed and consumed.

Once an organization has clarity on its degree of commitment to risk management (the tiers) and an understanding of the actions that can be taken to match that commitment, security policies and plans can be put in place, as reflected in a Framework profile. In essence, a profile is a selection of categories and subcategories from the Framework Core. A current profile reflects the present cybersecurity posture of the organization. Based on a risk assessment, an organization can define a target profile and then select the categories and subcategories from the Framework Core needed to reach that target. This definition of current and target profiles enables management to determine what has been done and needs to be maintained, and what new cybersecurity measures need to be implemented to manage risk. The referenced guidelines, standards, and practices for each subcategory provide concrete descriptions of the work needed to meet the target profile.

The NIST Cybersecurity Framework is an important resource for those involved in the planning, implementation, and evaluation of an organization's cybersecurity capability. It is concise and uses clearly defined categories and subcategories.
Approaching a document such as the ISF SGP or ISO 27002 can be intimidating and even overwhelming because of the large body of knowledge it contains. The Cybersecurity Framework is an excellent resource to help an organization make more effective use of these more detailed documents.

NIST Security Documents

NIST has produced a large number of FIPS publications and SPs that are enormously useful to security managers, designers, and implementers. Some of these documents are prescriptive standards, but many of them are tutorials or surveys and provide a continually updated source of educational material on a broad range of security topics. This section mentions some of the most important ones.

By far the most significant of these documents is SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. This document lists management, operational, and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. Although intended for U.S. government systems, it is equally applicable to IT systems in any organization. State-of-the-practice security controls and control enhancements were integrated into Revision 4 (2013) to address the evolving technology and threat space. Examples include issues particular to mobile and cloud computing; insider threats; application security; supply chain risks; advanced persistent threats; and trustworthiness, assurance, and resilience of information systems. The revision also added eight families of privacy controls that are based on the internationally accepted fair information practice principles.
countermeasure: An action, a device, a procedure, or a technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.

Other documents of special interest include:

FIPS 200, Minimum Security Requirements for Federal Information and Information Systems (2006): Specifies minimum security requirements in 17 security-related areas with regard to protecting the confidentiality, integrity, and availability of federal information systems and the information processed, stored, and transmitted by those systems.
SP 800-100, Information Security Handbook: A Guide for Managers (2006): Provides a broad overview of information security program elements to assist managers in understanding how to establish and implement an information security program. Its topical coverage overlaps considerably with ISO 27002.
SP 800-55, Performance Measurement Guide for Information Security (2008): Provides guidance on how an organization, through the use of metrics, identifies the adequacy of in-place security controls, policies, and procedures.
SP 800-27, Engineering Principles for Information Technology Security: A Baseline for Achieving Security (2004): Presents a list of system-level security principles to be considered in the design, development, and operation of an information system.
SP 800-12, An Introduction to Information Security (2017): Provides an outstanding introduction to the topic of information security.
SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing: Addresses the important security and privacy issues involved in moving data and applications to the cloud.

Recently, NIST introduced a new series of publications designated SP 1800.
This new series, created to complement the SP 800 series, targets specific cybersecurity challenges in the public and private sectors and provides practical, user-friendly guides to facilitate adoption of standards-based approaches to cybersecurity.

1.7 The CIS Critical Security Controls for Effective Cyber Defense

The Center for Internet Security (CIS) is a nonprofit community of organizations and individuals seeking actionable security resources. CIS identifies specific security techniques and practices that its group of experts agree are important.

Center for Internet Security https://www.cisecurity.org

A major contribution of CIS is The CIS Critical Security Controls for Effective Cyber Defense (CSC) [CIS18]. The CSC focuses on the most fundamental and valuable actions that every enterprise should take. Value here is determined by knowledge and data: the ability to prevent, alert, and respond to the attacks plaguing enterprises today. The CSC is significant for the real-world, practical nature of its information. It is not simply a list of controls that might be useful but a source that can be used to guide the implementation of policy.

attack: Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.

The introduction to the CSC indicates that the controls have been matured by an international community of individuals and institutions that:

Share insight into attacks and attackers, identify root causes, and translate that into classes of defensive action.
Document stories of adoption and share tools to solve problems.
Track the evolution of threats, the capabilities of adversaries, and current vectors of intrusion.
Map the CIS controls to regulatory and compliance frameworks and bring collective priority and focus to them.
Share tools, working aids, and translations.
Identify common problems (like initial assessment and implementation roadmaps) and solve them as a community.

The controls were developed as a result of members' experience with actual attacks and with the defenses that proved effective against them. The controls listed in the CSC are designed to be the most effective and specific technical measures available to detect, prevent, respond to, and mitigate damage from the most common to the most advanced attacks. The bulk of the document is the presentation of 20 controls that encompass the broad range of known threats and the state of the art in countering those threats (see Table 1.10).

TABLE 1.10 The CIS CSC List of Controls

Basic CIS Controls
    CSC 1: Inventory and Control of Hardware Assets
    CSC 2: Inventory and Control of Software Assets
    CSC 3: Continuous Vulnerability Management
    CSC 4: Controlled Use of Administrative Privileges
    CSC 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
    CSC 6: Maintenance, Monitoring and Analysis of Audit Logs
Foundational CIS Controls
    CSC 7: Email and Web Browser Protections
    CSC 8: Malware Defenses
    CSC 9: Limitation and Control of Network Ports, Protocols, and Services
    CSC 10: Data Recovery Capability
    CSC 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
    CSC 12: Boundary Defense
    CSC 13: Data Protection
    CSC 14: Controlled Access Based on the Need to Know
    CSC 15: Wireless Access Control
    CSC 16: Account Monitoring and Control
Organizational CIS Controls
    CSC 17: Implement a Security Awareness and Training Program
    CSC 18: Application Software Security
    CSC 19: Incident Response and Management
    CSC 20: Penetration Tests and Red Team Exercises

Each control section includes the following:

A description of the importance of the control in blocking or identifying the presence of attacks, and an explanation of how attackers actively exploit the absence of this control.
A chart of the specific actions, called sub-controls, that organizations are taking to implement, automate, and measure the effectiveness of this control.
Procedures and tools that enable implementation and automation.
Sample entity relationship diagrams that show the components of an implementation.

In addition, a companion document, A Measurement Companion to the CIS Critical Security Controls, describes techniques for measuring the performance of a given sub-control, plus a set of three risk threshold values (lower, moderate, and higher). The risk threshold values reflect the consensus of experienced practitioners.

1.8 COBIT 5 for Information Security

Control Objectives for Information and Related Technologies (COBIT) is a set of documents published by ISACA, an independent, nonprofit, global association engaged in the development, adoption, and use of globally accepted, industry-leading knowledge and practices for information systems. COBIT 5, the fifth version of the set of documents to be released, is intended to be a comprehensive framework for the governance and management of enterprise IT. Of particular concern for this book is the part of COBIT 5 that deals with information security.

COBIT 5 http://www.isaca.org/cobit/pages/default.aspx

COBIT 5 for Information Security defines a number of policies that are used to develop a management and governance strategy. Table 1.11 lists the key functions associated with each policy.

TABLE 1.11 COBIT 5 for Information Security: Main Policies and Functions

Business continuity and disaster recovery
    Business impact analysis (BIA)
    Business contingency plans with trusted recovery
    Recovery requirements for critical systems
    Defined thresholds and triggers for contingencies, escalation of incidents
    Disaster recovery plan (DRP)
    Training and testing
Asset management
    Data classification
    Data ownership
    System classification and ownership