Sunday 26 April 2015

ISO/IEC 27001:2013 – A.6.1.5 Information security in Project Management

Information Security in Project Management: Information security shall be addressed in project management regardless of the type of the project.


This is a new control in the 2013 version of ISO 27001. However, I have my own perspective on this control.

In my view, ISO 27001:2005 A.6.1.4 (Authorization process for information processing facilities) has been broadened into ISO 27001:2013 A.6.1.5 (Information security in project management).

ISO/IEC 27001:2005 – A.6.1.4 Authorization process for information processing facilities
  • Limited focus on end-point devices, e.g. desktops, laptops, personal or hand-held devices, software checks etc.
  • More focused on authorization and less on end-to-end security

ISO/IEC 27001:2013 – A.6.1.5 Information security in project management
  • Broadened focus from end point to end-to-end project implementation
  • Complete focus on security
  • Identify and address risks as part of the project
  • Information security risk management for the project

While interacting with many people, I have observed a common challenge with respect to this control: "How to implement this control?" This has become a challenge for many security organizations and professionals as the scope has been widened from "End Point" to "Project Management".

Let's start by breaking down the jargon:
  • Understand what a "PROJECT" is for your organization. If you ask me, simple examples could be:
    • Implementation of DLP, anti-virus, firewall, BYOD or any technology solution
    • Buying a new office location
    • Developing or procuring a new business application
    • Adding a new client or a new process (depending upon size and complexity)
  • Understand the business and security purpose of the PROJECT: you cannot start the project unless you know the value (benefits) the project is going to contribute to the organization
  • Understand the end-to-end project flow from the respective owner. This could be a data flow diagram, application architecture, network diagram, input-process-output etc.
  • Define the security baseline for the particular project -> complete the project -> verify the security baseline (project risk management)


I know this theory is very boring. Let's take the example of "Implementation of DLP".


Purpose:
  • Prevent leakage of the organization's IPR and customers' information.
Project Understanding:
  • The organization has developed / customized an internal application for processing customer information. Protection of the application source code and of customer information is of utmost importance.
  • The customer sends an input file through FTP; a project user downloads the file from FTP and uploads it to the application for processing. There are 50 users working on this project, and all have access to FTP and the application. Once processing is completed, the project user sends an output file back to the customer through FTP.
Proposed Project Design

Security Baseline for DLP Project
  • Data stored on the code repository shall not go out of the organization (through any medium: e-mail, FTP, internet, file upload etc.)
  • Data stored on the "File Server" -> folder "Pricing" shall not go out of the organization
  • Any data stored on the "DB and App Server" shall not go out of the organization
  • Users shall be able to send out files with the .xml extension only
  • Any attempted information leakage shall be logged on the DLP server
  • Any attempted source code leakage shall be alerted to management immediately through e-mail or SMS
I have listed a few baseline checks; this could be in much more detail. The baseline can be prepared with the help of the product vendor and security professionals, and the checks depend upon the organization's requirements.
Verification of baseline
  • A security professional shall verify compliance with each and every security baseline item; any non-compliance shall be documented under the risk management methodology.
For example, in this case the customer data (input and output files) can still be leaked through FTP, as FTP is accessible from anywhere.
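The baseline and its verification step, as an added example that is not code from the original post: the six baseline statements above are expressed as rules, outbound transfer events are evaluated against them, and a verification pass compares the observed verdict for each statement with the expected one, so that any non-compliance can be carried into the risk register. The paths (/repo/, /fileserver/Pricing/, /db/, /app/), the event fields and the sample events are all assumptions constructed for illustration. The last case reproduces the gap the post points out: a customer .xml file downloaded from FTP is not covered by any of the statements, so the verification reports it.

```python
"""
Added example (not from the original post): the DLP security baseline as rules,
an evaluator for outbound transfer events, and a verification pass that records
non-compliance for the risk register. Paths, channels, event fields and the
sample events are assumptions for illustration.
"""
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class TransferEvent:
    user: str
    source_path: str   # assumed: where the file was read from
    channel: str       # assumed: "email", "ftp", "web_upload", "usb"
    filename: str
    external: bool     # True when the destination is outside the organization


# Baseline statements as data. "alert" = log and notify management,
# "log" = log only. The paths are assumptions mapping to the post's wording.
PROTECTED_SOURCES = {
    "/repo/": "alert",              # code repository: alert management
    "/fileserver/Pricing/": "log",  # file server, "Pricing" folder
    "/db/": "log",                  # DB server
    "/app/": "log",                 # application server
}
ALLOWED_OUTBOUND_EXTENSIONS = {".xml"}


def evaluate(event):
    """Return (verdict, reasons); verdict is 'allow', 'block' or 'block+alert'."""
    if not event.external:
        return "allow", []   # the baseline only constrains data leaving the org
    reasons, alert = [], False
    for prefix, level in PROTECTED_SOURCES.items():
        if event.source_path.startswith(prefix):
            reasons.append(f"data from {prefix} must not leave the organization")
            alert = alert or level == "alert"
    ext = os.path.splitext(event.filename)[1].lower()
    if ext not in ALLOWED_OUTBOUND_EXTENSIONS:
        reasons.append(f"extension '{ext}' is not permitted outbound")
    if not reasons:
        return "allow", []
    return ("block+alert" if alert else "block"), reasons


def verify_baseline(cases):
    """cases: list of (baseline statement, event, expected verdict).
    Returns the non-compliances to be documented in the risk register."""
    findings = []
    for statement, event, expected in cases:
        verdict, _ = evaluate(event)
        if verdict != expected:
            findings.append({"statement": statement, "expected": expected,
                             "observed": verdict, "event": event})
    return findings


# Constructed verification cases (not real traffic).
CASES = [
    ("Code repository data shall not go out",
     TransferEvent("dev1", "/repo/core/main.py", "email", "main.py", True), "block+alert"),
    ("Pricing folder shall not go out",
     TransferEvent("fin1", "/fileserver/Pricing/q2.xlsx", "web_upload", "q2.xlsx", True), "block"),
    ("Only .xml may be sent out",
     TransferEvent("ops1", "/home/ops1/out/result.xml", "ftp", "result.xml", True), "allow"),
    ("Non-xml files shall be blocked",
     TransferEvent("ops1", "/home/ops1/out/result.csv", "ftp", "result.csv", True), "block"),
    ("Internal copies are outside the baseline",
     TransferEvent("dev1", "/repo/core/main.py", "email", "main.py", False), "allow"),
    # The gap the post points out: customer input/output files are plain .xml,
    # not stored under a protected source, and the FTP server is reachable from
    # anywhere. Expected 'block', observed 'allow' -> non-compliance finding.
    ("Customer data shall not leak via FTP",
     TransferEvent("ops2", "/home/ops2/Downloads/customer_input.xml", "ftp",
                   "customer_input.xml", True), "block"),
]

if __name__ == "__main__":
    for f in verify_baseline(CASES):
        print(f"NON-COMPLIANCE: {f['statement']}: "
              f"expected {f['expected']}, observed {f['observed']}")
```

The point of writing the verification as cases rather than as a checklist is that every baseline statement gets at least one probing event; a statement the DLP rules cannot express (here, customer data that lives outside the protected sources) shows up as an observed "allow" against an expected "block", which is exactly the non-compliance the risk management methodology has to record.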


Friday 17 April 2015

Making Effective Information Security Policy


I have been working in Information Security for the last 9 years; my general observation is that most people do not like documentation because they think "Documentation is not their cup of tea and different skill sets are required". Many people are good at the practical side, e.g. conducting information security audits, verifying records, identifying new or unknown risks, technology review audits etc.

To give you a perspective: in the field of information security, documentation skill will make you an "End to End Professional". In my view, none of the information security activities would start unless there is a defined information security policy. Documentation skill gives you the opportunity to convert "Management Thinking" into "Line Items".

I have listed the key information security policies and the key considerations while designing an IS policy.
  1. Information Security Policy
    • Management's commitment towards information security
  2. Information Security Risk Management
    • Define the objective and scope of risk management
    • How information criticality shall be evaluated
    • What parameters shall be identified to arrive at the risk value, e.g. threat, likelihood, vulnerability etc.
    • Define how the risk value shall be calculated
    • What is the acceptable level of risk value
  3. Information Classification
    • Define the information classification scheme, e.g.
      i. Strictly confidential
      ii. Confidential
      iii. Internal
      iv. Public
    • Minimum protection requirement for each information classification level
    • User awareness on information classification and protection requirements (information handling requirements)
    • Information labelling
  4. Organization of Information Security
    • Set up an information security steering committee
    • Set up an InfoSec team
    • Define roles and responsibilities for the steering committee and the InfoSec team
    • Define the frequency and agenda for IS steering committee meetings
  5. Human Resources
    • Background check prior to joining
    • Communicate IS roles and responsibilities and take acknowledgement on the first day of joining
    • Periodic information security refresher training
    • Sign the organization's terms and conditions
  6. Information Backup
    • Prepare a backup plan which defines "what information to back up", "where to back up", "frequency of backup" and the information owner
    • Offsite backup requirement
    • Secure transportation between the primary site and the offsite backup location
    • Encryption
    • Backup requirement reconciliation
  7. Change Management
    • Define what a change is and the types of changes
    • How to raise a change request / change request template
    • Who should approve a change request
    • Define emergency changes
    • Test the changes
    • Communication to relevant users about the changes being made
  8. Malicious Code Policy
    • Central anti-virus solution
    • Installed on every desktop, laptop, server and mobile device
    • Regular anti-virus signature updates
    • Weekly anti-virus report to the IT team
    • Prevent users from disabling anti-virus settings
    • Daily/weekly full system scan for viruses/malware
    • Disable USB/CD/DVD drives
    • Scan third-party devices before connecting them to the organization's network
  9. Network Security
    • Firewall between the internal network and the external world
    • Only specific ports opened on the firewall, based on business requirements
    • Regular firewall rulebase review
    • Change management to be followed for any firewall change
    • Periodic VAPT
    • Firewall hardening to protect the network from malicious attacks/hacking
    • Regular patching
    • Redundancy
  10. Server OS Security Policy
    • Strong authentication policy
    • Access requirements, e.g. who should have access to the server
    • Server hardening
    • Patch management
    • High availability requirement / redundancy
  11. Log Monitoring Policy
    • Identify critical servers to monitor
    • Configure audit logs as per industry best practice
    • Implement a central log server which pulls logs from all critical devices
    • Dedicated log monitoring team
    • Read-only access to logs for administrators
    • Monitor administrators' logs
    • Incident management process
  12. Third Party / Service Level Policy
    • NDA and confidentiality agreement with the third party
    • Third party's capability and skills with respect to information security
    • Information security benchmark
    • Right to audit
  13. Physical Security
    • Physical perimeter security
    • Access control to the facility and data center
    • Sufficient power supply with UPS and DG set
    • Fire-fighting equipment, e.g. smoke detectors, fire extinguishers, water detectors, water sprinklers, FM200 for the data center etc.
    • Regular preventive maintenance of facility management equipment
  14. Access Control
    • How to raise a request for access
    • Approval from the information owner
    • Access control matrix or levels
    • Regular access reconciliation
    • Restrict administrator rights to a limited set of users
  15. Business Continuity
    • Business impact analysis
    • RPO and RTO
    • Critical business requirements to be made available from DR
    • Periodic DR drill
    • Share findings with the IS steering committee
  16. Information Security Incident Management
    • Define what an incident is
    • Create awareness on "what is an incident"
    • Incident reporting channel
    • Who can report an incident (generally any user should be able to report an incident)
    • Maintain the privacy of the user who has raised the incident
    • Incident analysis and evidence gathering
    • Disciplinary actions
    • Preserve evidence and take corrective actions

Every organization has unique requirements; adopt the organization's philosophy and the key points mentioned above to frame good information security policy statements.

Let's take an example from one of the above key points.

Policy Document: Information Security Incident Management (the last key point above)

Key point: Incident analysis and gather evidence

Let's make a good statement which suits the organization's philosophy. See below.

The organization's information security team shall take ownership of incident analysis and shall gather the evidence for the reported incident.

Keep the philosophy below in mind while you are documenting:
"Document what you DO" and then "DO what you have DOCUMENTED"


Hope this would be useful…..


Sunday 12 April 2015

Effectiveness Measurement: Information Security

Why is measurement of information security so important and challenging?

In today's age, businesses are going global. In this competitive environment, organizations are creating, collecting and receiving a lot of information through various channels such as social media analysis, research, surveys and outsourcing of business processes to other countries. Many organizations are dealing with a HUGE VOLUME OF INFORMATION, or rather, I would say, SENSITIVE INFORMATION.

Today many organizations are investing a huge amount to ensure the CONFIDENTIALITY, INTEGRITY and AVAILABILITY of such information.

These investments could be in terms of:
  • Hiring competent people
  • Establishing workflows for IT as well as INFORMATION SECURITY related processes
  • Procuring secure technology
  • Third-party assurance on the organization's INFORMATION SECURITY practices
  • Spending a lot of time, as INFORMATION SECURITY needs checks and balances
With such huge investment in INFORMATION SECURITY, boards of directors are more concerned about the effectiveness of the implemented INFORMATION SECURITY practices in protecting SENSITIVE INFORMATION. Such huge investment has NO VALUE if there is no reasonable assurance on the implemented practices from an independent IS auditor.

Many organizations are now more concerned about the overall "Health of the Information Security Management System". Boards of directors are now taking an interest in reviewing IS audit findings and showing commitment towards information security. They expect to see quantitative or qualitative analysis together with trend analysis.

For an organization's Information Security Manager, it is becoming a challenge to measure the effectiveness of information security. Measurement of processes is now a common requirement of many international standards, such as ISO/IEC 27001:2013. The board of directors might not understand the technicalities of information security controls, which creates further difficulties for an Information Security Manager in terms of:
  • What to present: the board might not understand all the technical jargon. These people are more interested in a high-level dashboard which shows the overall analysis in a few graphs or statistics.
  • How to present: it would be foolish to open a complete Word document or PDF or a complete VAPT technical report in front of management. A simple PowerPoint presentation would work for them.
  • How much to present: finally, you want the board of directors to take key decisions. According to the approved measurement approach, you may only want to present the TOP 5 or TOP 10 key risks to prioritize the risk treatment plan.

In this entire measurement exercise, the information security manager has to play a vital role in defining:
  • Management’s expectations in terms of “Health of Information Security Management System”
  • Information security control metrics
  • Identify metrics owner
  • Define measurement frequency
  • Create meaningful dashboard for management
  • Trend analysis
Once implemented, over a period of 12 to 18 months, both the information security manager and the board of directors would have a reasonable understanding of information security control effectiveness and of how these metrics are adding value to their organization.

NOTE: if your organization is planning to implement an information security effectiveness measurement framework, reach out to me at janakmajithiya@gmail.com


Friday 10 April 2015

The Very Basic of Information Security Risk Management


We all talk about the word "RISK" every day during many discussions, both personally and professionally: with family and friends, with doctors and lawyers, with builders and stock brokers, and with everyone else.

Have we understood the word “RISK”?
Reply: I…. Think…. Yesss.

RISK is an integral part of EVERY ACTION that we take in our LIFE. The action could be anything: walking on the street, driving to the office, having dinner at a five-star restaurant, buying an object, switching to a new job etc. Everything we do during a day is an ACTION.

There is a "RISK OF ACCIDENT" while walking on the street or driving a car. There is a "RISK OF THEFT/LOSS" while buying any object. There is a "RISK OF DISEASE/FOOD POISONING" while having dinner at a restaurant.

From an INFORMATION SECURITY context, there is a "RISK OF LOSS OF CUSTOMERS" in case security requirements are violated by the organization. In fact, in today's age, this is not only about LOSS OF CUSTOMERS; it may also come with bigger aspects such as "RISK OF LOSS OF REPUTATION" due to non-compliance with contractual, legal or regulatory requirements. This could become even worse in the case of a huge legal liability under legal and regulatory requirements, could result in a huge financial penalty and may lead to going "OUT OF BUSINESS".

So tell me what is RISK?
"RISK" is a function of IMPACT and LIKELIHOOD OF OCCURRENCE.

Every ACTION has a POSITIVE or NEGATIVE IMPACT. Since we are talking about "RISK", let's think of the negative outcome of an ACTION. Think of the worst that could happen to the BUSINESS. Think of what the magnitude of IMPACT could be in terms of MONETARY LOSS or REPUTATION LOSS.

Unless we consider the likelihood factor, the magnitude of IMPACT will always remain on the higher side, hence it might not reflect the accurate RISK POSTURE. Further, without factoring in the likelihood of occurrence, a "COST-EFFECTIVE" risk treatment plan is difficult to arrive at.

But I have already implemented controls to reduce both IMPACT and LIKELIHOOD OF OCCURRENCE.
Reply: Great. These controls are implemented against VULNERABILITIES.

A VULNERABILITY is a weakness associated with an information system. Examples could be "Improper Firewall Configuration", "Unsecured Ports are OPEN", "No Periodic Review of Access Rules" etc.

IN MOST CASES, the primary reason for a successful attack is the existence of such VULNERABILITIES or WEAKNESSES.

Now, how would you prevent such attack?
Response: work on weaknesses.

In an ideal information security risk management process, RISK is measured after considering the existing VULNERABILITIES and the existing IMPLEMENTED CONTROLS.

There are many information security risk management methodologies available. An organization can choose the one best suited to it, based on its requirements, level of complexity, capability to perform risk management and organization structure.
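One simple way to turn the definition above (RISK as a function of IMPACT and LIKELIHOOD, measured after considering the existing vulnerabilities and implemented controls) into a working risk register, and to pull out the TOP 5 or TOP 10 key risks for the management dashboard that the effectiveness measurement post calls for. This is an added example, not code or a method from the original posts and not any particular standard's methodology: the 1..5 scales, the multiplicative impact x likelihood model, the way control effectiveness reduces likelihood, the acceptance threshold and the sample register entries are all assumptions for illustration. The vulnerability wording in the sample reuses the post's own examples.

```python
"""
Added example (not from the original posts): a residual risk register built
from impact, likelihood, vulnerability and existing control effectiveness,
ranked for a top-N management dashboard. The scales, the model, the
acceptance threshold and the sample entries are assumptions for illustration.
"""
import math
from dataclasses import dataclass

ACCEPTABLE_RISK = 6  # assumed: residual risk above this needs a treatment plan


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    vulnerability: str
    impact: int                   # 1..5, worst credible business impact
    inherent_likelihood: int      # 1..5, likelihood with no controls in place
    control_effectiveness: float  # 0.0 (no control) .. 1.0 (fully effective), assumed


def _check_scale(value, name):
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer on the 1..5 scale, got {value!r}")


def residual_likelihood(entry):
    """Likelihood after existing controls. Rounded up (conservative) and never
    below 1: a control reduces likelihood, it does not make the threat vanish."""
    if not 0.0 <= entry.control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be between 0.0 and 1.0")
    reduced = entry.inherent_likelihood * (1.0 - entry.control_effectiveness)
    return max(1, math.ceil(reduced))


def score(entry):
    """Return (inherent_risk, residual_risk) as impact x likelihood, 1..25."""
    _check_scale(entry.impact, "impact")
    _check_scale(entry.inherent_likelihood, "inherent_likelihood")
    inherent = entry.impact * entry.inherent_likelihood
    residual = entry.impact * residual_likelihood(entry)
    return inherent, residual


def build_register(entries, top_n=5):
    """Score every entry, rank by residual risk (ties: higher inherent risk
    first) and return the top_n rows, flagged when above the acceptable level."""
    rows = []
    for e in entries:
        inherent, residual = score(e)
        rows.append({
            "asset": e.asset,
            "threat": e.threat,
            "vulnerability": e.vulnerability,
            "inherent": inherent,
            "residual": residual,
            "treatment_required": residual > ACCEPTABLE_RISK,
        })
    rows.sort(key=lambda r: (-r["residual"], -r["inherent"], r["asset"]))
    return rows[:top_n]


# Constructed sample register (not real data).
SAMPLE_RISKS = [
    RiskEntry("Customer FTP server", "data theft", "Unsecured ports are OPEN", 5, 4, 0.0),
    RiskEntry("Perimeter firewall", "unauthorized access", "Improper firewall configuration", 4, 4, 0.5),
    RiskEntry("HR application", "privilege misuse", "No periodic review of access rules", 3, 3, 0.6),
    RiskEntry("Source code repository", "leakage", "E-mail not covered by DLP", 5, 2, 0.9),
    RiskEntry("Public website", "defacement", "Missing patches", 2, 3, 0.0),
    RiskEntry("Backup tapes", "loss in transit", "Unencrypted backup media", 4, 2, 0.25),
]

if __name__ == "__main__":
    print(f"{'asset':24} {'inherent':>8} {'residual':>8}  treatment")
    for row in build_register(SAMPLE_RISKS, top_n=5):
        flag = "REQUIRED" if row["treatment_required"] else "accept"
        print(f"{row['asset']:24} {row['inherent']:>8} {row['residual']:>8}  {flag}")
```

Two design points worth noting. Residual likelihood is rounded up and floored at 1, so a "fully effective" control still leaves a scored risk rather than a zero; this is what keeps the register honest about controls that can fail. Ranking on residual risk with inherent risk as the tie-breaker means the board sees first the items where the remaining exposure is largest, and among equals, the ones where the most is riding on the controls already in place.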