IT Risk Management Class 7 SU2024 PDF
York University
2024
JIANG HE
Summary
This document is a lecture on industry frameworks for managing information security risks. It discusses ISO 27001/27002 and CIS critical security controls. The material is suitable for an IT risk management class.
Full Transcript
Industry Frameworks to Manage Information Security Risks (Part 1)
CLASS #7 FOR IT RISK MANAGEMENT
By JIANG HE, PH.D., CISSP, CCSP, CISA, CRISC

Frameworks to be discussed in this lecture
1. ISO 27001/27002
2. CIS Critical Security Controls

Why does it matter to adopt a well-known framework to manage information security risks?
1. Good security frameworks are based on industry best practices and on lessons learned from numerous failures in the past.
2. They avoid reinventing the wheel.
3. Organizations need to adopt a common language to communicate with internal and external stakeholders with regard to information security risk management. For example, before signing an important contract with vendor X, the buyer would want to understand, at a high level, how the service provider is managing its information security risks.

A couple of industry frameworks: which one to choose?
Well-known industry frameworks share a common goal, which is to help organizations improve their overall information security posture. Yet different frameworks have different areas of concentration, and therefore the selection of a framework should be aligned with the long-term mission of the organization. By officially adopting a well-known industry framework, organizations may obtain a competitive advantage when pursuing opportunities with potential clients. In certain cases, a client may even require its service provider to become officially certified against an industry framework such as ISO 27001, as part of the terms and conditions of the business contract.

Note: Depending on the nature of the business, some organizations may be mandated to comply with certain industry-specific regulatory frameworks, such as PCI (Payment Card Industry) and HIPAA (Health Insurance Portability and Accountability Act of 1996). These industry-specific regulations are NOT in scope of our lecture discussions.
ISO/IEC 27001
ISO 27001 is an international standard published by the International Standardization Organization (ISO), and it describes how to manage information security within a company. ISO 27001 can be implemented in any kind of organization, profit or non-profit, private or state-owned, small or large. The focus of ISO 27001 is to protect the confidentiality, integrity and availability of the information in a company. The main philosophy of ISO 27001 is based on managing risks: find out where the risks are, and then systematically treat them. The safeguards (or controls) that are to be implemented are usually in the form of policies, procedures and technical implementation (e.g., software and equipment). The majority of ISO 27001 implementation is about setting the organizational rules (i.e., writing documents) that are needed in order to prevent security breaches. Since such an implementation will require multiple policies, procedures, people, assets, etc. to be managed, ISO 27001 describes how to fit all these elements together in the information security management system (ISMS). Source: Advisera

ISO 27001: Table of Contents
costs of obtaining/maintaining certification.

The requirements of 27001 are very high-level, and the standard only defines what controls and programs must be in place in order to achieve the security goals (C-I-A). For example, to comply with 27001, the organization must have a set of security policies which includes the following basic elements:

ISO/IEC 27002
ISO/IEC 27002:2013, Information Technology - Security Techniques - Code of Practice for Information Security Controls (second edition, published in 2013). It is a code of practice: a generic, advisory document containing 114 controls covering multiple domains.

Unlike 27001, ISO 27002 is NOT a standard to be certified against.
By definition, it "establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization." ISO 27002 is used primarily to address risks discovered during or after the risk assessment process, which is just one component of what ISO 27001 requires. ISO 27002 provides hundreds of potential controls and control mechanisms that are designed to be implemented with the guidance provided within ISO 27001. The suggested controls listed in the standard are intended to address specific issues identified during a formal risk assessment. The two standards, ISO 27001 and 27002, are intended to be used together, with one complementing the other.

ISO/IEC 27001 vs. 27002
ISO 27001 defines the requirements of the Information Security Management System standard, while ISO 27002 provides guidelines and best practices intended for organizations that are becoming certified or implementing their own security processes and controls. For example, ISO 27001 has a very high-level requirement for Information Security Risk Assessment (Section 8.2). In practice, there are many different approaches which can be implemented to run the actual risk assessments, and the implementation guidelines as well as a code of practice are explained in ISO 27002.

ISO 27001 - Example Requirement
in order to become 27001-certified, and ISO

Note: Both ISO 27001 and 27002 are copyright-protected material, and thus the full documents have to be purchased separately.
CIS Critical Security Controls
CIS (The Center for Internet Security) Critical Security Controls provides a recommended set of actions for cyber defense that give specific and actionable ways to thwart the most pervasive attacks. The CIS Controls are a relatively short list of high-priority, highly effective defensive actions that provide a "must-do, do-first" starting point for every enterprise seeking to improve its cyber defense.

The CIS Controls do not conflict with other major frameworks. These controls can be mapped to most major industry frameworks, including ISO 27001/2, NIST CSF, etc. In other words, you can adopt ISO 27001 as the overarching framework and implement the controls suggested by CIS.

CIS Control 1: Inventory and Control of Enterprise Assets
CIS Control 2: Inventory and Control of Software Assets
CIS Control 3: Data Protection
CIS Control 4: Secure Configuration of Enterprise Assets and Software
CIS Control 5: Account Management
CIS Control 6: Access Control Management
CIS Control 7: Continuous Vulnerability Management
CIS Control 8: Audit Log Management
CIS Control 9: Email and Web Browser Protections
CIS Control 10: Malware Defenses
CIS Control 11: Data Recovery
CIS Control 12: Network Infrastructure Management
CIS Control 13: Network Monitoring and Defense
CIS Control 14: Security Awareness and Skills Training
CIS Control 15: Service Provider Management
CIS Control 16: Application Software Security
CIS Control 17: Incident Response Management
CIS Control 18: Penetration Testing

Key benefits of the CIS Critical Security Controls
1. Applicable to all types of organizations, regardless of their size, organizational structure, or level of maturity for security management.
2. Quick wins that provide solid risk reduction without major procedural, architectural, or technical changes to an environment.
3. Prioritization is key.
The control list was designed to help organizations direct their scarce resources to actions with immediate and high-value payoff, and then focus their attention and resources on additional risk issues that are unique to their business or mission.

CIS Version 8 is the latest version, which contains 18 high-level controls. Each control is comprised of multiple specific requirements, and these requirements are grouped into three major categories (i.e., IG1, IG2, IG3). Organizations, depending on their level of maturity, will select the relevant categories for implementation.
For example, the requirements under IG1 (very basic) are
IG3 organizations have the highest level of maturity for security management and typically employ security experts in different facets of cybersecurity, e.g., risk management, penetration testing, application security, etc. IG2 organizations sit between IG1 and IG3 in terms of maturity for security management.

#1 Inventory and Control of Enterprise Assets
#2 Inventory and Control of Software Assets
#3 Data Protection
#4 Secure Configuration of Enterprise Assets and Software
#5 Account Management
#6 Access Control Management
#7 Continuous Vulnerability Management

CIS Controls: Control #8 to #18

All controls have their value. When security funding or resources are limited, make sure that the IG1 requirements are implemented first; as organizations grow and mature in their level of security management, consider adopting the IG2 and eventually the IG3 categories. Controls should be implemented with a risk-based approach, i.e., make sure the mission-critical applications and IT assets are secured properly.

Case Study and Group Discussion