
Securing the Realm

~ UK Government Cyber Security


High level introduction to ISO27001 and ISO27002

18 Sunday Mar 2012

Posted by Andy in Papers & Presentations, ISO27K ISMS

Tags: ISO27001, ISO27002

Introduction to the standard

The ISO27000 ISMS family of standards is a collection of standards produced by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC). They form the best practice recommendations on developing and running an Information Security Management System (ISMS).

BS7799 was the original standard, developed by the British Government’s Department for Trade and Industry (DTI) in 1995, that was later revised into an international standard, now known as ISO27001, in 2005. This standard, as the name implies, is used throughout the world to build and manage corporate ISMSs, sometimes as ISO27001 but in some countries as its equivalent national standard, usually just a translation from English into the local language.

ISO27001 has been developed to integrate easily with an organisation’s Quality Management System (QMS – ISO9000) and Environmental Management System (EMS – ISO14000); when implemented correctly, all three standards co-exist harmoniously to form a complete corporate management system.

The ISO27000 family comprises several standards, each concentrating on specific areas that may or may not be relevant to all companies. The key standards are:

  • ISO27000 – Information security management systems – Overview and vocabulary
  • ISO27001 – Information security management systems – Requirements
  • ISO27002 – Code of practice for information security management

There are other standards to cover implementation guidance (ISO27003), measurement and metrics (ISO27004), risk management (ISO27005) and more.

The ISO27000 family is an evolving set of standards, with new standards being developed as needed and existing ones updated as industry best practice changes to reflect the security landscape.

ISO27001 details the requirements on an ISMS; in summary, it requires that

“The organization shall establish, implement, operate, monitor, review, maintain and improve a documented ISMS within the context of the organization’s overall business activities and the risks it faces.”

This is accomplished via the Plan, Do, Check, Act (PDCA) model:

  • Plan (establish the ISMS) – Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization’s overall policies and objectives.
  • Do (implement and operate the ISMS) – Implement and operate the ISMS policy, controls, processes and procedures.
  • Check (monitor and review the ISMS) – Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience and report the results to management for review.
  • Act (maintain and improve the ISMS) – Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.

ISO27001 specifies what you are required to have (policy, objectives, processes and procedures); ISO27002 is a technical standard concerned with best practice for implementing an ISMS, covering areas such as access control, physical security, incident management and business continuity.

ISO27002 is broken down into 12 sections:

  1. Risk assessment and treatment
  2. Security policy – management direction
  3. Organization of information security – governance of information security
  4. Asset management – inventory and classification of information assets
  5. Human resources security – security aspects for employees joining, moving and leaving an organization
  6. Physical and environmental security – protection of the computer facilities
  7. Communications and operations management – management of technical security controls in systems and networks
  8. Access control – restriction of access rights to networks, systems, applications, functions and data
  9. Information systems acquisition, development and maintenance – building security into applications
  10. Information security incident management – anticipating and responding appropriately to information security breaches
  11. Business continuity management – protecting, maintaining and recovering business-critical processes and systems
  12. Compliance – ensuring conformance with information security policies, standards, laws and regulations

Each section specifies control objectives and the security controls that satisfy them. All of the provided information is based on best practice and may or may not be suitable for every organisation; it is down to the implementation of the ISMS to develop the controls in line with business function and risk appetite.

Why is ISO27001 needed?

An organisation may have a number of security controls in place and documented, usually as the result of a point solution to an incident or to a requirement (internal or external). The problem with this point-solution approach is that the controls tend to be disorganised and disjointed. By implementing a formal management system, the entire information security system gains a management framework, developed from objectives and policies through to processes and procedures and tailored to the business’s requirements, size and complexity. The system brings together different functions to carry out the same tasks as approved by the executive team. Regular auditing of these functions reports back to management on compliance with corporate policy. Incidents are managed by pre-defined processes, ensuring consistency. Reports from the audits and incidents help to evolve and develop the system through to maturity, reducing risks, incidents and non-compliance.

The ISO27001 and ISO27002 family, like ISO9000 and, increasingly, ISO14000, are the de facto standards for businesses to hold and maintain. Most large organisations require at least ISO9000 accreditation if you wish to do business with them. For IT service providers without ISO27001 accreditation, most large businesses (and even SMEs) will be hesitant to let you provide services, as you are unable to show proper management of security for information assets.

Although costly to implement and maintain, these standards are business drivers and risk reducers.

With more and more in the news relating to information security incidents, there has never been more of a requirement for businesses to focus heavily on managing and protecting their digital assets.

With organisations open to heavy fines and public brand embarrassment if certain types of information are lost or stolen, the cost of implementing and managing an ISO27001 system, weighed against the financial and brand risk, is usually acceptable. It is also a requirement of other regulatory regimes such as PCI-DSS for the handling and processing of credit cards, or the HMG SPF for providing services to UK Government.

Like ISO9000 and ISO14000, ISO27000 is a “living” system that must evolve through audits (internal and external) and changes both in the standards and the business.

Download a copy of this paper here

HMG CloudStore 2.0 goes Open Source

01 Thursday Mar 2012

Posted by Andy in PSN, GCN & G-Cloud

Tags: CloudStore

The HMG CloudStore (part of the G-Cloud programme) was released as version 1.0 on Microsoft’s Azure platform after 4 weeks of development by the SME SolidSoft.

Chris Chant, Director for the CloudStore programme, said in a ComputerWorld news article yesterday that version 2.0 is around the corner and will be based on open source code.

“We will have the next version out in the next six weeks or so and it is going to be a fully open source version,” said Chant.

“I’m a believer in using whatever IT works and it’s pretty clear from the work GDS has done that open source can work well. There are plenty of e-commerce style open source products out there now and I would expect we would use something like that,” he added.

Check out the full article here

CloudStore Opens for Business

19 Sunday Feb 2012

Posted by Andy in PSN, GCN & G-Cloud

Tags: CloudStore

After an announcement by Francis Maude this morning, the Government’s new CloudStore has opened for business.

What is the CloudStore?

Government has been working to make the purchasing of public sector ICT as simple and transparent as possible. The result is a new web site, which we are calling the CloudStore.

The CloudStore is a new way for Government to buy IT products and services. At the moment this site is a pilot and we’re asking for your feedback so we can add to and improve it.

The CloudStore is an online catalogue of over 1,700 information and communications services available to the UK public sector, and contains details of each of the suppliers and their services. You can use the CloudStore to select the services that best suit your needs.

All the services listed on the CloudStore are part of the G-Cloud framework so are immediately available for the public sector to procure and use.

This is the first of its kind in the UK for public sector ICT procurement, and we are committed to ensuring that this method of buying ICT goods and services is efficient and fit for purpose.

[description from the CloudStore website]

Check out the CloudStore at http://www.govstore.net/

G-Cloud accreditation webinar (recording)

14 Tuesday Feb 2012

Posted by Andy in PSN, GCN & G-Cloud

Tags: #AccreditCamp, Accreditation, G-Cloud

The G-Cloud accreditation process webinar “#Accreditcamp” was held on Feb 13th to explain more about the process of accreditation including what documentation is required, timeframes and issues.

If you missed the webinar, the recording is now available here: http://www.slideshare.net/G-Cloud/accredcamp-slides-audio

Information Assurance Practitioners’ Event 2012

12 Sunday Feb 2012

Posted by Andy in Information Assurance

Tags: Event

Date: 29th February & 1st March 2012
Time: 9:30am – 5:30pm (day 1) & 9:00am – 3:15pm (day 2)
Location: York Racecourse

Website: http://www.softbox.co.uk/events/iapevent2012

Building on the success of the last event, this is the perfect opportunity for you to hear from and network with Government and industry experts to discuss your Information Assurance concerns and strategies and find out about the latest solutions.

Full details of the event are included for your perusal, including how to register for your free place at the event.

Setting the Agenda
The IA Practitioners’ Event is a key event in CESG’s calendar for Information Assurance experts at a practical level and it promises to be exceptional with an informative and comprehensive agenda themed around Information Assurance.

Dr Ian Levy, Technical Director at CESG, will be chairing the two day programme which includes main plenary sessions plus a series of workshops for delegates and vendors to take a full and active part in.

During the event there will be dedicated sessions for the Police Information Assurance Forum (PIAF) and the IT Security Officers’ Forum (ITSOF). This will provide an opportunity for those involved to discuss their specific issues and concerns in their own groups yet still be able to join in the main event where a wealth of expertise from industry and delegates across the entire public sector will be discussing innovative ways of meeting the security standards and policies required in today’s environment.

Extended breaks for tea/coffee and lunch each day will also allow you the opportunity to visit the exhibition stands, talk to the exhibitors about their latest product and service offerings and network with your peers.

At the end of day one everyone is invited to join in the Networking Evening and Dinner where you will get ample time to chat with your peers in a relaxed atmosphere whilst enjoying a traditional four course meal and being entertained by our guest speaker ‘Dr Kevin Jones’ who will give you a hilarious insight into the world of medical practice.

G-Cloud Accreditation (#AccreditCamp)

11 Saturday Feb 2012

Posted by Andy in Information Assurance, PSN, GCN & G-Cloud

Tags: #AccreditCamp, G-Cloud

#AccreditCamp will be a live webinar at 11.00 on the 13th February outlining the G-Cloud accreditation process, so that suppliers understand what HMG are looking at, how they do it and what to expect as part of the process.

First Set of PSN Roadmaps Published

06 Monday Feb 2012

Posted by Andy in PSN, GCN & G-Cloud

High level roadmaps indicating the progress of central and non-central Government departments/organisations on to the PSN service have been released by the PSN programme.

This publication represents a starting point but nevertheless reflects the extent of commitment now evident across the entire Public Sector.  It’s important that we start to communicate the development of all sides of the PSN marketplace, beginning with our own organisations, so that both public sector and industry can start to see the big picture more clearly.

– comment from Craig Eblett (PSN Programme Director)

Links to the reports:
PSN Central Government Transition Plan, as at 31 January 2012
PSN Non-Central Government Transition Plan, as at 31 January 2012

UK Top for Cyber Preparedness

05 Sunday Feb 2012

Posted by Andy in Information Assurance

According to a recent report commissioned by McAfee, which surveyed 250 leading authorities and 80 cyber security experts in the public and private sectors, the UK was awarded 4 stars and ranked top for cyber preparedness, alongside the USA and Germany.

Recognition was given for the UK’s new cyber security strategy and the formation of the Office of Cyber Security and Information Assurance (OSCIA); however, the report did note that the UK relies too heavily on the private sector.

The report provides the following top ten recommendations to improve cyber preparedness:

1. Build trust between industry and government stakeholders by setting up bodies to share information and best practices, like the Common Assurance Maturity Model (CAMM) and the Cloud Security Alliance (CSA).

2. Increase public awareness of how individuals can protect their own internet data, and promote cyber-security education and training.

3. New problems and opportunities created by smart phones and cloud computing must be examined. Cloud computing needs an appropriate architecture to achieve optimum security levels.

4. Prioritise information protection, knowing that no one size fits all. The three key goals that need to be achieved are confidentiality, integrity and availability, in different doses according to the situation.

5. Consider establishing cyber-confidence building measures as an alternative to a global treaty, or at least as a stopgap measure, knowing that many countries view a treaty as unverifiable, unenforceable and impractical.

6. Improve communication between the various communities, from policy-makers to technological experts to business leaders both at national and international levels.

7. Enhance attribution capabilities by investing in new technologies, and establishing rules and standards.

8. Follow the Dutch model of a third party cyber-exchange for improved private-public partnership on internet security.

9. Despite the many practical hurdles in the way of transparency, both for private companies and for governments, find ways of establishing assurance – or trust – through the use of security mechanisms and processes.

10. Move the ball forward and encourage integration of cyber into existing processes and structures. Make sure cyber considerations and investment are present at every level.

Read the full report here

New Course: IA Protective Monitoring and Incident Management

01 Wednesday Feb 2012

Posted by Andy in Education & Certification

Tags: HMG IA Training

I’ve just noticed a new course added to the National School of Government IA page:

IA Protective Monitoring and Incident Management http://www.nationalschool.gov.uk/programmes/programme.asp?id=22914&tab=1

What you will learn:

This course will give you an in-depth understanding of the principles, policy and issues affecting protective monitoring, forensic readiness and incident management.
At the end of the course you will be able to:

  • describe the purpose of audit
  • describe government protective monitoring policy
  • explain how to manage an IA incident
  • produce a Forensic Readiness plan
  • describe sanitisation and the issues around re-use of media
  • describe ways of monitoring compliance, including the IA Maturity Model.

What the programme covers:

  • Overview of audit
  • IA protective monitoring policy
  • System monitoring
  • Incident management
  • Backup and data storage
  • Forensic readiness
  • Sanitisation
  • Business continuity and disaster recovery
  • Compliance and the IA Maturity Model
  • Service management.

Government bodies responsible for cyber security

31 Tuesday Jan 2012

Posted by Andy in Standards & Policy

Tags: Cyber Security, Government Body

Below is a list of the defined roles and remit of the Government bodies responsible for cyber security.

Policy co-ordination [Office of Cyber Security and Information Assurance (OSCIA)]
Based in the Cabinet Office and set up at the same time as CSOC (see below) to provide coherence and strategic leadership across the Government’s cyber security policy interests. This includes horizon scanning to consider the impact of an evolving cyber landscape on the UK’s cyber security, and working with partners across government to identify and implement the appropriate policy responses.

Strategic Analysis [Cyber Security Operations Centre (CSOC)]
Established in September 2009 as part of GCHQ with staff from a range of government and other stakeholders.

Provides a hub for strategic analysis of developments in cyberspace and improves the co-ordination of the UK’s response to cyber incidents.

CSOC’s work aims to draw together a range of sources to enable a better understanding of the risks and opportunities of cyberspace, ensure information is coherently distributed to government, industry, international partners and the public and help inform strategic decision making.

Response & Analysis [GovCertUK | CERTs | CSIRTUK]
GovCertUK provides response and analysis to the public sector.
CERTs (MOD Computer Emergency Response Teams) provide response to the MOD.
CSIRTUK (Combined Security Incident Response Team) provides response and analysis to critical infrastructure providers.

Advice & Guidance [CPNI | CESG]
CPNI and CESG provide advice and guidance on electronic attack/cyber attack to the critical national infrastructure and to government departments.

Information taken from SN/SC/5832, June 2011.
