Chapter 5 - 01 - Discuss Various Regulatory Frameworks, Laws, and Acts - 06_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 ISO Information Security Standards 1 I1SO/IEC 27001 S [siho. Formal ISMS specification 16 swndars ISO/IEC 27018 objeawe Cloud privacy 2 1SO/IEC 27002 Information security controls 17 ISO/IEC TR 27019 Process control in energy 3 I1SO/IEC 27003 ISMS implementation guide 18 I1SO/IEC 27031 ICT business continuity 4 ISO/IEC 27004 Information security metrics 19 ISO/IEC 27032 Cybersecurity 5 I1SO/IEC 27005 Information security risk management e KOAEC27033-1 t0-5 Network Security 21 ISO/IEC 27034 -1 & -5 Application security 22 I1SO/IEC 27035 Incident management 23 ISO/IEC 27036-1 -2 & -3 ICT supply chain 24 I1SO/IEC 27037 1SO/IEC 27038 1SO/IEC 27039 Digital evidence [forensics] ‘ Document reduction Intrusion prevention Storage security 6 ISO/IEC 27006 ISMS certification guide 7 1SO/IEC 27007 Management 8 ISO/IEC TR 27008 Technical auditing 9 I1SO/IEC 27010 For inter-organization communication 10 ISO/IEC 27011 15027k in telecoms 25 26 11 1SO/IEC 27013 ISMS & ITIL/service management 27 1SO/IEC 27040 12 ISO/IEC 27014 Information security governance 28 1SO/IEC 27041 Investigation assurance 13 1SO/IEC TR27015 15027k in financial services 29 1SO/IEC 27042 Analyzing digital evidence / 8 o em auditin € a 14 ISO/IEC TR 27016 Information security economics 30 I1SO/IEC 27043 Incident investigation 15 1SO/IEC 27017 Cloud security controls 31 1S0 27799 15027k In healthcare hitps//www.is027001securily.com ISO Information Security Standards Source: https://www.iso27001security.com ISO/IEC 27001 ISO/IEC 27001 formally specifies an Information Security Management System (ISMS), a suite of activities concerning the management of information security risks. The ISMS is an overarching management framework through which an organization identifies, analyzes, and addresses its information security risks. The ISMS ensures that the security arrangements are fine-tuned to keep pace with changes to the security threats, vulnerabilities, and business impacts—an important aspect in such a dynamic field and a key advantage of ISO27k’s flexible risk-driven approach compared with, for example, PClDSS. ISO/IEC 27002 ISO/IEC 27002 is relevant to all types of organizations, including commercial enterprises of all sizes (from one-man-bands up to multinational giants), not-for-profits, charities, government departments, and quasi-autonomous bodies, or any organization that handles and depends on information. The specific information security risk and control requirements may differ in detail, although there is common ground—for instance, most organizations need to address the information security risks relating to their employees plus contractors, consultants, and the external suppliers of information services. ISO/IEC 27003 ISO/IEC 27003 guides the design of an ISO/IEC 27001-compliant ISMS, leading up to the initiation of anISMS implementation project. It describes the process of ISMS Module 05 Page 526 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 specification and design from inception to the production of implementation plans, covering the preparation and planning activities priorto the implementation. = project actual ISO/IEC 27004 ISO/IEC 27004 concerns the measurements relating to information security management; these are commonly known as “security metrics”. = ISO/IEC 27005 The standard provides guidelines for information security risk management and supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. = ISO/IEC 27006 ISO/IEC 27006 is the accreditation standard that guides certification bodies on the formal processes they must follow when auditing their client’s Information Security Management Systems (ISMSs) against ISO/IEC 27001 in order to certify or register them compliant. The accreditation processes laid out in the standard give assurance that ISO/IEC 27001 certificates issued by accredited organizations are valid. = ISO/IEC 27007 ISO/IEC 27007 provides guidance for accredited certification bodies, internal auditors, external/third-party auditors, and others auditing ISMSs against ISO/IEC 27001 (i.e., auditing the management system for compliance with the standard). ISO/IEC 27007 reflects and largely refers to 1ISO 19011, the ISO standard for auditing quality and environmental management systems—with “management systems” being the common factor linking it to the ISO27k standards. It provides additional ISMS-specific guidance. = ISO/IEC TR 27008 This standard provides guidance for all auditors regarding ISMS controls selected through a risk-based approach (e.g., as presented in a statement of applicability) for information security management. It supports the information security risk management process as well as internal, external, and third-party audits of ISMS by explaining the relationship between the ISMS and its supporting controls. It provides guidance on how to verify the extent to which the required ISMS controls are implemented. Further, it supports any organization using ISO/IEC 27001 and ISO/IEC 27002 to satisfy assurance requirements and is a strategic platform for information security governance. = ISO/IEC 27010 This standard provides guidance in relation to sharing information about information security risks, controls, issues, and/or incidents that span the boundaries between industry sectors and/or nations, particularly those affecting “critical infrastructure.” Module 05 Page 527 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Administrative Controls = Exam 212-82 ISO/IEC 27011 This ISMS implementation guide for the telecom industry was developed jointly by ITU Telecommunication Standardization Sector (ITU-T) and ISO/IEC JTC1/SC 27, with the identical text being published as both ITU-T X.1051 and ISO/IEC 27011. * ISO/IEC 27013 This standard provides guidance on implementing an integrated information security and IT service management 20000-1:2011. = system based on both ISO/IEC 27001:2005 (ISMS) and ISO/IEC ISO/IEC 27014 ISO/IEC JTC1/SC 27, in collaboration with the ITU-T, has developed a standard specifically aimed at helping organizations govern their information security arrangements. * ISO/IEC TR 27015 This is a guideline intended to help financial services organizations (e.g., banks, insurance companies, and credit card companies) implement ISMSs using the 1ISO27k standards. Although the financial services sector already labors under a vast swathe of risk and security standards (such as ISO TR 13569 “Banking Information Security Guidelines,” SOX and Basel II/111), the ISMS implementation guidance developed by SC 27 reflects ISO/IEC 27001 and 27002, along with various general-purpose security standards such as Control Objectives for Information and Related Technologies(COBIT) and the PCI-DSS requirements. = ISO/IEC TR 27016 This standard helps management information security in the appreciate and understand the financial impacts of context of an 1SO27k ISMS, along with political, social, compliance, and other potential impacts on an organization that collectively influence how much it needs to invest in protecting its information assets. * ISO/IEC 27017 This standard provides guidance on the information security aspects of cloud computing, recommending and assisting with the implementation of a cloud-specific information security controls supplementing the guidance inISO/IEC 27002 and other 1SO27k standards. * ISO/IEC 27018 This standard provides guidance aimed at ensuring that cloud service providers (such as Amazon and Google) offer suitable information security controls to protect the privacy of their customer’s clients by securing personally identifiable information entrusted to them. The standard will be followed by ISO/IEC 27017, covering the wider information security angles of cloud computing, other than privacy. Module 05 Page 528 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Administrative Controls = Exam 212-82 [|SO/IEC TR 27019 This standard (a Technical Report) is intended to help organizations in the energy industry interpret and apply ISO/IEC 27002:2005 in order to secure their electronic process control systems. * ISO/IEC 27031 ISO/IEC 27031 provides guidance on the concepts and principles behind the role of information and communications technology in ensuring business continuity. The standard o Suggests a structure or framework (actually a set of methods and processes) for any o Identifies and specifies all relevant aspects including performance criteria, design, and implementation details for improving information and communications technology organization, whether private, governmental, or non-governmental; (ICT) readiness as part of an organization’s ISMS; thus, it helps ensure business continuity; and o = Enables an organization to measure its ICT continuity, security, and, hence, readiness to survive a disaster in a consistent and recognized manner. ISO/IEC 27032 ISO/IEC 27032 addresses “cybersecurity” or “cyberspace security,” defined as the “preservation of confidentiality, integrity and availability of information in the Cyberspace.” In turn “the cyberspace” is defined as “the complex environment resulting from the interaction of people, software and services on the Internet by means of technology devices and networks connected to it, which does not exist in any physical form.” * [|SO/IEC 27033-1t0 -5 ISO/IEC 27033 is a multi-part standard derived from the existing five-part network security standard ISO/IEC 18028. It is being substantially revised, and not only renamed, to fit into the ISO27k suite. * ISO/IEC 27034 -1 & -5 ISO/IEC 27034 offers guidance on information security to those specifying, designing and programming or procuring, and implementing and using application systems, that is, business and IT managers, developers and auditors, and ultimately the end-users of ICT. The aim is to ensure that computer applications deliver the desired or necessary level of security in support of an organization’s ISMS, adequately addressing many ICT security risks. = ISO/IEC 27035 Information security controls are imperfect in various ways: controls can be overwhelmed or undermined (e.g., by competent hackers, fraudsters, or malware), fail in service (e.g., authentication failures), work partially or poorly (e.g., slow anomaly detection), or be Module 05 Page 529 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 more or less completely missing (e.g., not [yet] fully implemented, not [yet] fully operational, or never even conceived because of failures upstream in risk identification and analysis). Consequently, information security incidents are bound to occur to some extent, even in organizations that take their information security extremely seriously. = |SO/IEC 27036-1-2 & -3 ISO/IEC 27036 is a multi-part standard offering guidance on the evaluation and treatment of information security risks involved in the acquisition of goods and services from suppliers. The implied context is business-to-business relationships—than retailing—and information-related products. The terms acquisition and acquirer are used rather than purchase and purchasing, since the process and the risks are much the same whether or not the transactions are commercial. = ISO/IEC 27037 This standard provides guidance on identifying, gathering/collecting/acquiring, handling, and protecting/preserving digital forensic evidence, that is, “digital data that may be of evidential value” for use in court. The fundamental purpose of the ISO27k digital forensics standards is to promote best practice methods and processes for forensic capture and investigation of digital evidence. While individual investigators, organizations, and jurisdictions may well retain certain methods, processes, and controls, it is hoped that standardization will (eventually) lead to the adoption of similar, if not identical approaches internationally. This makes it easier to compare, combine, and contrast the results of such investigations even when performed by different people or organizations and potentially across different jurisdictions. * ISO/IEC 27038 Digital data sometimes have to be revealed to third parties, occasionally even published to the public, for reasons such as disclosure of official documents under Freedom of Information laws or as evidence in commercial disputes or legal cases. “Redaction” is the conventional term for the process of denying file recipients’ knowledge of certain sensitive data within the original files. = ISO/IEC 27039 Intrusion detection systems (IDSs) are largely automated systems for identifying attacks on and intrusions into a network or system by hackers and raising the alarm. Intrusion prevention systems (IPSs) take the automation a step further by automatically responding to certain types of identified attack—for example, by closing off specific network ports through a firewall to block identified hacker traffic. Intrusion detection and prevention systems combine features of both IDSs and IPSs. = ISO/IEC 27040 The proposers of this standard claim that the information security aspects of data storage systems and infrastructures have been neglected because of misconceptions and limited familiarity with the storage technology, or in the case of (some) storage managers and administrators, a limited understanding of the inherent risks or basic security concepts. Module 05 Page 530 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 ISO/IEC 27041 The fundamental purpose of the 1ISO27k digital forensics standards is to promote best practice methods and processes for forensic capture and investigation of digital evidence. While individual investigators, organizations, and jurisdictions may well retain certain methods, processes, and controls, it is hoped that standardization will (eventually) lead to the adoption of similar, if not identical, approaches internationally. This makes it easier to compare, combine, and contrast the results of such investigations even when performed by different people or organizations and potentially across different jurisdictions. ISO/IEC 27042 The fundamental purpose of the 1SO27k digital forensics standards is to promote best practice methods and processes for the forensic capture and investigation of digital evidence. While individual investigators, organizations, and jurisdictions may well retain certain methods, processes, and controls, it is hoped that standardization will (eventually) lead to the adoption of similar, if not identical, approaches internationally. This makes it easier to compare, combine, and contrast the results of such investigations even when performed by different people or organizations and potentially across different jurisdictions. ISO/IEC 27043 The fundamental 27043, and 27050 and investigation jurisdictions may standardization purpose of the digital forensics standards ISO/IEC 27037, 27041, 27042, is to promote best practice methods and processes for forensic capture of digital evidence. While individual investigators, organizations, and well retain certain methods, processes, and controls, it is hoped that will (eventually) lead to the adoption of similar, if not identical, approaches internationally. This makes it easier to compare, combine, and contrast the results of such investigations even when performed by different people or organizations and potentially across different jurisdictions. ISO/IEC 27799 1SO27k This standard provides guidance to health care organizations and other custodians of personal health information on how best to protect the confidentiality, integrity, and availability of such information by implementing ISO/IEC 27002. Specifically, it addresses the special information security management needs of the health sector and its unique operating environments. While the protection and security of personal information is important to all individuals, corporations, institutions, and governments, there are special requirements in the health sector that need to be met to ensure the confidentiality, integrity, adaptability, and availability of personal health information. Module 05 Page 531 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.