Lecture 09: Network Security Management through the ISMS
Asst.Prof.Supakorn Kungpisdan, Ph.D. supakorn@mut.ac.th
NETE0519-ITEC4614
Learning Objectives
Explain the purpose of an ISMS and the process for establishing, implementing, operating, monitoring, reviewing and improving the ISMS
Explain the purpose and the contents of ISO27001, ISO27002, ISO27005 and their relationship
Asset Identification
Exercise: give examples of assets.
Asset Valuation
Information
Information asset: knowledge or data that has value to the organization.
Storing and communicating information
Printed or written on paper
Stored electronically
Transmitted by post or using electronic means
Shown on corporate videos
Spoken in conversations
“Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected.”
What is Information Security?
ISO27001:2005 defines information security as the preservation of the confidentiality, integrity and availability of information, where:
Confidentiality: the property that information is not made available or disclosed to unauthorized individuals, entities, or processes
Integrity: the property of safeguarding the accuracy and completeness of assets
Availability: the property of being accessible and usable upon demand by an authorized party
What is Information Security? (cont.)
In addition, other properties can also be involved: authenticity, non-repudiation, accountability and reliability.
Exercise
Give an example of a networking technology, activity or process that supports each of confidentiality, integrity and availability.
Sensitive or critical information
Assessment can identify sensitive and critical information based on its value to the organization.
Sensitivity or criticality can depend on time: some financial information is highly sensitive before it is reported to the stock market, but has no sensitivity once it has been reported.
Sensitivity reflects the data classification level.
Assessment involves the valuation of information assets in order to calculate risks and the security level required to protect these assets with appropriate controls.
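A worked example of this valuation step, added here and not taken from the lecture or from any ISO document: a small risk register that values each asset from its classification, lets the classification lapse once an embargo date passes (the financial-results case above), scores each threat scenario on an assumed 1..5 asset value × likelihood × vulnerability scale in the style of ISO 27005, and maps the resulting band to a required protection level. The classification scheme, the scales and thresholds, the asset names, owners, threats and dates are all constructed assumptions, not data from the lecture.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed four-level classification scheme and the asset value (1..5) that each
# level contributes to the risk calculation. Not from ISO 27001 or ISO 27005.
LEVEL_VALUE: Dict[str, int] = {"public": 1, "internal": 2, "confidential": 4, "restricted": 5}

# Assumed mapping from risk band to the minimum protection level required.
REQUIRED_PROTECTION: Dict[str, str] = {
    "low": "baseline controls",
    "medium": "baseline plus access control and logging",
    "high": "enhanced controls, reviewed quarterly",
    "critical": "enhanced controls plus management sign-off on residual risk",
}


@dataclass(frozen=True)
class InformationAsset:
    name: str
    owner: str
    classification: str                   # level while the information is sensitive
    embargo_until: Optional[date] = None  # from this date on the information is public


@dataclass(frozen=True)
class RiskScenario:
    asset: str           # name of the InformationAsset it applies to
    threat: str
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    vulnerability: int   # 1 (hard to exploit) .. 5 (trivial to exploit)


def effective_classification(asset: InformationAsset, today: date) -> str:
    """Sensitivity can be time-bound: results are 'restricted' before they are
    reported to the stock market and 'public' once the embargo date is reached."""
    if asset.embargo_until is not None and today >= asset.embargo_until:
        return "public"
    return asset.classification


def risk_score(asset_value: int, likelihood: int, vulnerability: int) -> int:
    """Qualitative product score (1..125); rejects values off the 1..5 scale."""
    for v in (asset_value, likelihood, vulnerability):
        if not 1 <= v <= 5:
            raise ValueError("all factors must be on the 1..5 scale")
    return asset_value * likelihood * vulnerability


def risk_band(score: int) -> str:
    # Assumed thresholds; an organization derives these from its risk acceptance criteria.
    if score >= 60:
        return "critical"
    if score >= 30:
        return "high"
    if score >= 15:
        return "medium"
    return "low"


def assess(register: List[InformationAsset], scenarios: List[RiskScenario], today: date) -> List[dict]:
    """Value each asset as of `today`, score every scenario, and return the rows
    sorted from highest to lowest risk so that treatment can be prioritised."""
    by_name = {a.name: a for a in register}
    rows = []
    for s in scenarios:
        asset = by_name[s.asset]
        level = effective_classification(asset, today)
        score = risk_score(LEVEL_VALUE[level], s.likelihood, s.vulnerability)
        band = risk_band(score)
        rows.append({
            "asset": asset.name, "owner": asset.owner, "threat": s.threat,
            "classification": level, "score": score, "band": band,
            "required": REQUIRED_PROTECTION[band],
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


# Constructed sample data (not a real register).
REGISTER = [
    InformationAsset("Q3 financial results", "CFO", "restricted", embargo_until=date(2024, 10, 15)),
    InformationAsset("customer database", "Head of Sales", "confidential"),
    InformationAsset("marketing brochure", "Marketing", "public"),
]
SCENARIOS = [
    RiskScenario("Q3 financial results", "insider leak before the announcement", likelihood=3, vulnerability=4),
    RiskScenario("customer database", "SQL injection via the web portal", likelihood=3, vulnerability=3),
    RiskScenario("marketing brochure", "defacement of the public web site", likelihood=2, vulnerability=3),
]
BEFORE_EMBARGO = date(2024, 10, 1)   # results not yet reported
AFTER_EMBARGO = date(2024, 10, 16)   # results already reported to the market

if __name__ == "__main__":
    for when in (BEFORE_EMBARGO, AFTER_EMBARGO):
        print(f"--- risk register as of {when} ---")
        for r in assess(REGISTER, SCENARIOS, when):
            print(f'{r["score"]:>3} {r["band"]:<8} {r["asset"]:<22} [{r["classification"]}] {r["threat"]}')
```

Run before the embargo date, the insider-leak scenario on the results tops the register as critical; run after it, the same scenario drops to low because the information is now public, while the customer database keeps its high rating. That movement is exactly what a periodic re-assessment has to capture.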
Management System includes..
Information Security Management System
Part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security.
Information security should be seen as an ongoing activity of continual improvement.
ISMS adoption should be a strategic decision taken by top management.
ISMS (cont.)
The ISMS requires that everyone is clear about what is required of them: that they are trained in what they are meant to do, that they have the facilities and resources they need, and so on.
The ISMS initiates the production of a standard set of (broad) requirements with which everyone has to comply.
Consideration on overall performance of the organization may impact…
Notes
Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investment and business opportunities
Every organization has its own set of requirements, in terms of the controls required and the level of confidentiality, integrity and availability needed.
(From the Introduction section of ISO27002.)
History and Family of ISO 27001 Standards
ISO27001 Standard
ISO/IEC 27001, part of a growing family of ISO/IEC 27000 standards, is an information security management system (ISMS) standard published in October 2005 by the ISO and the International Electrotechnical Commission (IEC).
Its full name is ISO/IEC 27001:2005—Information technology—Security techniques—Information security management systems—Requirements, but it is commonly known as ISO 27001.
History of ISMS Standards
1992: BSI was approached by industry sectors and service providers with concerns over the increase in electronic office systems and potential problems with the controls over these systems.
Jan 1993: an industry working group was set up to review the concerns raised by industry. The published result was called the “Code of Practice”.
Feb 1995: the Code of Practice became the BS 7799-1 standard.
Feb 1998: BSI produced BS 7799-2 to form the basis on which an organization could be registered for an ISMS (focused on audit).
April 1999: both BS 7799-1 and BS 7799-2 were aligned and republished as BS 7799-1:1999 and BS 7799-2:1999.
2000: BS 7799-1 became ISO/IEC 17799:2000.
2005: ISO/IEC 17799:2000 was revised as ISO/IEC 17799:2005, which was renumbered ISO/IEC 27002:2005 (the renumbering took effect in 2007).
2005: BS 7799-2 was adopted as ISO/IEC 27001:2005.
The ISO27001 family of standards
ISO27000 – Overview and vocabulary
ISO27001 – ISMS requirements (the standard against which an organization is certified)
ISO27002 – Code of Practice (was ISO17799:2005)
ISO27003 – Implementation guidance
ISO27004 – Measurement
ISO27005 – Risk management
ISO27006 – Requirements for bodies providing audit and certification of ISMSs
Why Implement ISO27001:2005
Without suitable protection, information can be:
Given away, leaked or disclosed in an unauthorized way
Modified without your knowledge so that it becomes less valuable
Lost without trace or hope of recovery
Rendered unavailable when needed
Information should be protected and properly managed like any other business asset of the organization.
ISMS Implementation and ISO 27001 Certification Process
See “ISO27k ISMS implementation and certification process.ppt”.
Establishing the ISMS
PDCA Cycle
Continual improvement of the management system: Plan (establish the ISMS), Do (implement and operate the ISMS), Check (monitor and review the ISMS), Act (maintain and improve the ISMS).
PDCA (cont.)
Meeting ISO 27001:2005 Requirements
1. The ISMS process requirements, described in clauses 4-8 of ISO 27001:2005. These address how an organization should establish and maintain its ISMS, based on the PDCA model.
Any organization that wants to achieve ISO 27001:2005 certification needs to comply with all of these requirements; exclusions are not acceptable.
2. The ISMS control requirements, contained in Annex A of ISO 27001:2005. The Annex A controls are applicable to an organization unless the risk assessment and the risk acceptance criteria show that this is not the case.
“Any exclusion of controls found to be necessary to satisfy the risk acceptance criteria needs to be justified, and evidence needs to be provided that the associated risks have been properly accepted by accountable persons.”
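A small check for the exclusion rule above, added here as an illustration (it is not the lecture's material and not from ISO 27001): given a reference list of Annex A control identifiers and a draft Statement of Applicability, it reports every control that is missing, listed twice, excluded without a justification, or excluded without a named accountable person and an acceptance date, which is the evidence a certification auditor will ask for. The six control identifiers and titles follow the ISO 27001:2005 Annex A numbering; the SoA rows, people, risk references and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SoAEntry:
    control: str                          # Annex A control identifier, e.g. "A.11.2.1"
    applicable: bool
    justification: str = ""               # required when applicable is False
    accepted_by: str = ""                 # accountable person who accepted the residual risk
    acceptance_date: Optional[date] = None
    implemented: bool = False             # status of an applicable control (reporting only)


# Constructed subset of Annex A (ISO 27001:2005 numbering); a real SoA covers all controls.
ANNEX_A_SAMPLE: Dict[str, str] = {
    "A.5.1.1": "Information security policy document",
    "A.7.1.1": "Inventory of assets",
    "A.9.2.1": "Equipment siting and protection",
    "A.10.8.3": "Physical media in transit",
    "A.11.2.1": "User registration",
    "A.13.1.1": "Reporting information security events",
}


def validate_soa(controls: Dict[str, str], entries: List[SoAEntry]) -> List[str]:
    """Return the findings an auditor would raise, sorted by control id.
    An empty list means every control is either applied, or excluded with a
    justification and evidenced acceptance by an accountable person."""
    findings: List[str] = []
    seen: Dict[str, SoAEntry] = {}
    for e in entries:
        if e.control not in controls:
            findings.append(f"{e.control}: not in the reference control list")
            continue
        if e.control in seen:
            findings.append(f"{e.control}: listed more than once")
            continue
        seen[e.control] = e
        if e.applicable:
            continue
        if not e.justification.strip():
            findings.append(f"{e.control}: excluded without a justification")
        if not e.accepted_by.strip() or e.acceptance_date is None:
            findings.append(f"{e.control}: exclusion has no evidence of acceptance by an accountable person")
    for cid, title in controls.items():
        if cid not in seen:
            findings.append(f"{cid}: '{title}' missing from the SoA (must be applied or justified as excluded)")
    return sorted(findings)


# Constructed sample SoA with deliberate gaps.
SAMPLE_SOA = [
    SoAEntry("A.5.1.1", applicable=True, implemented=True),
    SoAEntry("A.7.1.1", applicable=True, implemented=False),
    SoAEntry("A.9.2.1", applicable=False,
             justification="No equipment on premises; all systems hosted in a certified colocation facility (risk R-17)",
             accepted_by="CIO", acceptance_date=date(2024, 3, 4)),
    SoAEntry("A.10.8.3", applicable=False),   # excluded, but nothing to back the exclusion up
    # A.11.2.1 is not listed at all
    SoAEntry("A.13.1.1", applicable=True, implemented=True),
]

if __name__ == "__main__":
    for finding in validate_soa(ANNEX_A_SAMPLE, SAMPLE_SOA) or ["SoA complete"]:
        print(finding)
```

On the sample the check raises three findings: the A.10.8.3 exclusion has neither a justification nor acceptance evidence, and A.11.2.1 is absent. The A.9.2.1 exclusion passes because it carries both a reason and a named, dated acceptance; whether that reason is good enough is the auditor's judgement, not something a script can decide.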
Steps of ISO27001
1. Establish the ISMS (clause 4.2.1)
2. Implement and operate the ISMS (clause 4.2.2)
3. Monitor and review the ISMS (clause 4.2.3)
4. Maintain and improve the ISMS (clause 4.2.4)
4.2.1 Establish the ISMS
See ISO 27001 document for details
4.2.1 Establish the ISMS (cont.)
Define the scope and boundaries of the ISMS, and define an ISMS policy, in terms of:
the characteristics of the business
the organization
its location
its assets
its technology
ISMS Policy Example
See the example from the ISO27001 toolkit.
Control Objectives
A.5 Security policy
A.6 Organization of information security
A.7 Asset management
A.8 Human resources security
A.9 Physical and environmental security
A.10 Communications and operations management
A.11 Access control
A.12 Information systems acquisition, development and maintenance
A.13 Information security incident management
A.14 Business continuity management
A.15 Compliance
Implementing and operating the ISMS
4.2.2 Implement and operate the ISMS
See ISO 27001 document for details
4.2.3 Monitor and review the ISMS
See ISO 27001 document for details
4.2.4 Maintain and improve the ISMS
See ISO 27001 document for details
Questions?