ISO 27001:2013 Autograph Made Easy

Remove paper and improve digital document management for increased performance and unlimited possibilities. Explore the best manner of running your business with airSlate SignNow.

Award-winning eSignature solution

Send my document for signature

Get your document eSigned by multiple recipients.

Sign my own document

Add your eSignature
to a document in a few clicks.

Get the robust eSignature features you need from the solution you trust

Choose the pro service created for pros

Whether you’re presenting eSignature to one department or throughout your entire business, the process will be smooth sailing. Get up and running swiftly with airSlate SignNow.

Configure eSignature API with ease

airSlate SignNow is compatible with the apps, solutions, and gadgets you currently use. Easily embed it directly into your existing systems and you’ll be productive instantly.

Work better together

Enhance the efficiency and output of your eSignature workflows by providing your teammates the ability to share documents and templates. Create and manage teams in airSlate SignNow.

ISO 27001:2013 autograph, within a few minutes

Go beyond eSignatures and ISO 27001:2013 autograph. Use airSlate SignNow to sign agreements, collect signatures and payments, and speed up your document workflow.

Cut the closing time

Eliminate paper with airSlate SignNow and minimize your document turnaround time to minutes. Reuse smart, fillable form templates and deliver them for signing in just a couple of minutes.

Keep important information safe

Manage legally-binding eSignatures with airSlate SignNow. Run your company from any location in the world on virtually any device while ensuring top-level security and compliance.

See airSlate SignNow eSignatures in action

Create secure and intuitive eSignature workflows on any device, track the status of documents right in your account, build online fillable forms – all within a single solution.

Try airSlate SignNow with a sample document

Complete a sample document online. Experience airSlate SignNow's intuitive interface and easy-to-use tools
in action. Open a sample document to add a signature, date, text, upload attachments, and test other useful functionality.

  • Checkboxes and radio buttons
  • Request an attachment
  • Set up data validation

airSlate SignNow solutions for better efficiency

Keep contracts protected
Enhance your document security and keep contracts safe from unauthorized access with dual-factor authentication options. Ask your recipients to prove their identity before opening a contract to ISO 27001:2013 autograph.
Stay mobile while eSigning
Install the airSlate SignNow app on your iOS or Android device and close deals from anywhere, 24/7. Work with forms and contracts even offline and ISO 27001:2013 autograph later when your internet connection is restored.
Integrate eSignatures into your business apps
Incorporate airSlate SignNow into your business applications to quickly ISO 27001:2013 autograph without switching between windows and tabs. Benefit from airSlate SignNow integrations to save time and effort while eSigning forms in just a few clicks.
Generate fillable forms with smart fields
Update any document with fillable fields, make them required or optional, or add conditions for them to appear. Make sure signers complete your form correctly by assigning roles to fields.
Close deals and get paid promptly
Collect documents from clients and partners in minutes instead of weeks. Ask your signers to ISO 27001:2013 autograph and include a charge request field in your sample to automatically collect payments during the contract signing.
Collect signatures 24x faster
Reduce costs by $30 per document
Save up to 40h per employee / month

Our user reviews speak for themselves

Kodi-Marie Evans
Director of NetSuite Operations at Xerox
airSlate SignNow provides us with the flexibility needed to get the right signatures on the right documents, in the right formats, based on our integration with NetSuite.
Samantha Jo
Enterprise Client Partner at Yelp
airSlate SignNow has made life easier for me. It has been huge to have the ability to sign contracts on-the-go! It is now less stressful to get things done efficiently and promptly.
Megan Bond
Digital marketing management at Electrolux
This software has added to our business value. I have got rid of the repetitive tasks. I am capable of creating the mobile native web forms. Now I can easily make payment contracts through a fair channel and their management is very easy.
be ready to get more

Why choose airSlate SignNow

  • Free 7-day trial. Choose the plan you need and try it risk-free.
  • Honest pricing for full-featured plans. airSlate SignNow offers subscription plans with no overages or hidden fees at renewal.
  • Enterprise-grade security. airSlate SignNow helps you comply with global security standards.

Your step-by-step guide: ISO 27001:2013 autograph

Access helpful tips and quick steps covering a variety of airSlate SignNow’s most popular features.

Using airSlate SignNow’s electronic signature any company can accelerate signature workflows and eSign in real-time, providing a greater experience to consumers and workers. Use ISO 27001:2013 autograph in a couple of simple actions. Our handheld mobile apps make operating on the move feasible, even while offline! eSign documents from anywhere in the world and complete tasks in no time.

Take a walk-through guide for using ISO 27001:2013 autograph:

  1. Log in to your airSlate SignNow account.
  2. Locate your record in your folders or import a new one.
  3. Access the record and make edits using the Tools list.
  4. Drag & drop fillable fields, type text and eSign it.
  5. Include several signers via emails and set the signing order.
  6. Indicate which individuals will receive a signed version.
  7. Use Advanced Options to restrict access to the template and add an expiration date.
  8. Tap Save and Close when done.

Additionally, there are more advanced tools available for ISO 27001:2013 autograph. Add users to your collaborative work environment, browse teams, and keep track of cooperation. Numerous customers across the US and Europe agree that a solution that brings people together in one holistic work area is the thing that companies need to keep workflows functioning easily. The airSlate SignNow REST API enables you to integrate eSignatures into your application, internet site, CRM or cloud. Try out airSlate SignNow and enjoy faster, easier and overall more effective eSignature workflows!

How it works

Upload a document
Edit & sign it from anywhere
Save your changes and share

airSlate SignNow features that users love

Speed up your paper-based processes with an easy-to-use eSignature solution.

Edit PDFs
online
Generate templates of your most used documents for signing and completion.
Create a signing link
Share a document via a link without the need to add recipient emails.
Assign roles to signers
Organize complex signing workflows by adding multiple signers and assigning roles.
Create a document template
Create teams to collaborate on documents and templates in real time.
Add Signature fields
Get accurate signatures exactly where you need them using signature fields.
Archive documents in bulk
Save time by archiving multiple documents at once.

See exceptional results ISO 27001:2013 autograph made easy

Get signatures on any document, manage contracts centrally and collaborate with customers, employees, and partners more efficiently.

How to Sign a PDF Online

How to submit and sign a document online

Try out the fastest way to ISO 27001:2013 autograph. Avoid paper-based workflows and manage documents right from airSlate SignNow. Complete and share your forms from the office or seamlessly work on-the-go. No installation or additional software required. All features are available online, just go to signnow.com and create your own eSignature flow.

A brief guide on how to ISO 27001:2013 autograph in minutes

  1. Create an airSlate SignNow account (if you haven’t registered yet) or log in using your Google or Facebook.
  2. Click Upload and select one of your documents.
  3. Use the My Signature tool to create your unique signature.
  4. Turn the document into a dynamic PDF with fillable fields.
  5. Fill out your new form and click Done.

Once finished, send an invite to sign to multiple recipients. Get an enforceable contract in minutes using any device. Explore more features for making professional PDFs; add fillable fields, ISO 27001:2013 autograph and collaborate in teams. The eSignature solution supplies a safe process and works according to SOC 2 Type II Certification. Be sure that your information is guarded and that no person can change it.

How to Sign a PDF Using Google Chrome

How to eSign a PDF in Google Chrome

Are you looking for a solution to ISO 27001:2013 autograph directly from Chrome? The airSlate SignNow extension for Google is here to help. Find a document and right from your browser easily open it in the editor. Add fillable fields for text and signature. Sign the PDF and share it safely according to GDPR, SOC 2 Type II Certification and more.

Using this brief how-to guide below, expand your eSignature workflow into Google and ISO 27001:2013 autograph:

  1. Go to the Chrome web store and find the airSlate SignNow extension.
  2. Click Add to Chrome.
  3. Log in to your account or register a new one.
  4. Upload a document and click Open in airSlate SignNow.
  5. Modify the document.
  6. Sign the PDF using the My Signature tool.
  7. Click Done to save your edits.
  8. Invite other participants to sign by clicking Invite to Sign and selecting their emails/names.

Create a signature that’s built in to your workflow to ISO 27001:2013 autograph and get PDFs eSigned in minutes. Say goodbye to the piles of papers sitting on your workplace and start saving time and money for extra essential duties. Picking out the airSlate SignNow Google extension is a smart handy decision with plenty of advantages.

How to Sign a PDF in Gmail

How to sign an attachment in Gmail

If you’re like most, you’re used to downloading the attachments you get, printing them out and then signing them, right? Well, we have good news for you. Signing documents in your inbox just got a lot easier. The airSlate SignNow add-on for Gmail allows you to ISO 27001:2013 autograph without leaving your mailbox. Do everything you need; add fillable fields and send signing requests in clicks.

How to ISO 27001:2013 autograph in Gmail:

  1. Find airSlate SignNow for Gmail in the G Suite Marketplace and click Install.
  2. Log in to your airSlate SignNow account or create a new one.
  3. Open up your email with the PDF you need to sign.
  4. Click Upload to save the document to your airSlate SignNow account.
  5. Click Open document to open the editor.
  6. Sign the PDF using My Signature.
  7. Send a signing request to the other participants with the Send to Sign button.
  8. Enter their email and press OK.

As a result, the other participants will receive notifications telling them to sign the document. No need to download the PDF file over and over again, just ISO 27001:2013 autograph in clicks. This add-on is suitable for those who choose working on more valuable goals instead of burning time for practically nothing. Increase your day-to-day compulsory labour with the award-winning eSignature service.

How to Sign a PDF on a Mobile Device

How to eSign a PDF template on the go with no app

For many products, getting deals done on the go means installing an app on your phone. We’re happy to say at airSlate SignNow we’ve made signing on the go faster and easier by eliminating the need for a mobile app. To eSign, open your browser (any mobile browser) and get direct access to airSlate SignNow and all its powerful eSignature tools. Edit docs, ISO 27001:2013 autograph and more. No installation or additional software required. Close your deal from anywhere.

Take a look at our step-by-step instructions that teach you how to ISO 27001:2013 autograph.

  1. Open your browser and go to signnow.com.
  2. Log in or register a new account.
  3. Upload or open the document you want to edit.
  4. Add fillable fields for text, signature and date.
  5. Draw, type or upload your signature.
  6. Click Save and Close.
  7. Click Invite to Sign and enter a recipient’s email if you need others to sign the PDF.

Working on mobile is no different than on a desktop: create a reusable template, ISO 27001:2013 autograph and manage the flow as you would normally. In a couple of clicks, get an enforceable contract that you can download to your device and send to others. Yet, if you really want an application, download the airSlate SignNow app. It’s secure, quick and has a great design. Try out effortless eSignature workflows from your workplace, in a taxi or on an airplane.

How to Sign a PDF on iPhone

How to sign a PDF file employing an iPad

iOS is a very popular operating system packed with native tools. It allows you to sign and edit PDFs using Preview without any additional software. However, as great as Apple’s solution is, it doesn't provide any automation. Enhance your iPhone’s capabilities by taking advantage of the airSlate SignNow app. Utilize your iPhone or iPad to ISO 27001:2013 autograph and more. Introduce eSignature automation to your mobile workflow.

Signing on an iPhone has never been easier:

  1. Find the airSlate SignNow app in the AppStore and install it.
  2. Create a new account or log in with your Facebook or Google.
  3. Click Plus and upload the PDF file you want to sign.
  4. Tap on the document where you want to insert your signature.
  5. Explore other features: add fillable fields or ISO 27001:2013 autograph.
  6. Use the Save button to apply the changes.
  7. Share your documents via email or a signing link.

Make professional PDFs right from your airSlate SignNow app. Get the most out of your time and work from anywhere; at home, in the office, on a bus or plane, and even at the beach. Manage an entire record workflow seamlessly: build reusable templates, ISO 27001:2013 autograph and work on documents with business partners. Turn your device into a potent organization for executing deals.

How to Sign a PDF on Android

How to sign a PDF file using an Android

For Android users to manage documents from their phone, they have to install additional software. The Play Market is vast and plump with options, so finding a good application isn’t too hard if you have time to browse through hundreds of apps. To save time and prevent frustration, we suggest airSlate SignNow for Android. Store and edit documents, create signing roles, and even ISO 27001:2013 autograph.

The 9 simple steps to optimizing your mobile workflow:

  1. Open the app.
  2. Log in using your Facebook or Google accounts or register if you haven’t authorized already.
  3. Click on + to add a new document using your camera, internal or cloud storages.
  4. Tap anywhere on your PDF and insert your eSignature.
  5. Click OK to confirm and sign.
  6. Try more editing features; add images, ISO 27001:2013 autograph, create a reusable template, etc.
  7. Click Save to apply changes once you finish.
  8. Download the PDF or share it via email.
  9. Use the Invite to sign function if you want to set & send a signing order to recipients.

Turn the mundane and routine into easy and smooth with the airSlate SignNow app for Android. Sign and send documents for signature from any place you’re connected to the internet. Create good-looking PDFs and ISO 27001:2013 autograph with just a few clicks. Put together a flawless eSignature process with just your mobile phone and enhance your total productivity.


Get legally-binding signatures now!

What active users are saying: ISO 27001:2013 autograph

Get access to airSlate SignNow’s reviews, our customers’ advice, and their stories. Hear from real users and what they say about features for generating and signing docs.

Easy to use, good price
5
Lucy M

What do you like best?

Very simple to use, straight forward, user friendly. Price is very reasonable.

Very easy to use-great for getting quick and legal signatures
5
Alex M

What do you like best?

The speed of delivery and the ability to customize the signing process.

Effortless Signing
5
Administrator in Building Materials

What do you like best?

I like that it is easy to upload documents and quickly request an electronic signature through email. I like that it emails you when the document has been signed and the PDF is sent to you via email. You can just download right there and get it sent off or filed immediately.



ISO 27001:2013 initials

Ladies and gentlemen, I would like to welcome you to another session, and this session is very important. I'll just repeat: my name is Dr. Mohammed Amin shark sati. I'm the CEO of a company called IT butta, which I set up in 2003 in Sydney, and now we are working more in the Middle Eastern area and also in Pakistan. So the Middle East particularly, and the rest of the world, is more concerned about information security and especially cyber security, and we received a number of threats, and we received a number of viruses, worms and malware, with different breeds of threats, into a corporate organization. My company and myself are always helping and assisting our customers in the region and also participating in two global conferences, IEEE conferences.

So my topic today is one of the most ideal topics for me. I mean with the information security consultancy, governance, risk and compliance for the past more than 20 years, and the good thing about it is that I have implemented information security management systems in a number of organizations, including telecom, education versus industry, governmental organizations. So I'll try to introduce you to the information security management system and a bit about my experience and my team's experience, so that the global community, and in particular the Middle Eastern and Pakistani community, can take the benefit of this speech, which may lead to 35 to 40 minutes.

When it comes to the information security management system, the specific ISO is called ISO for this before I guess. So what is this 27001? The predecessor of ISO 27001 was BS 7799, a BSI standard, globally accepted, and it was the first information security standard in the world. Later on the same code of practice was taken by ISO and branded as 27001. Historically, it is now almost 20 years that 27001 has been in practice, and thousands of organizations worldwide have adopted, implemented and are currently complying with ISO 27001. When it comes to the information security management system, now, the standard is actually governed by 14
domains, and it covers 114 controls. Now let me explain to you a little bit what a domain means. It's a kind of chapter, that is, a logical division of information security. For example, the first domain, A.5 or A.5.1, is information security policy, so all the information security policy related articles, recitals, clauses, information, everything is written into that domain. And then there are control objectives, and then there are controls. Control objectives mean why you want to do it, and controls mean how we can do it. So these are two areas which I must emphasize at the very beginning. Domain means a chapter; domain means a specific area of the practice. Control means how we can mitigate the level of risk to that particular asset; it is all about risk and managing risk. Control objective means why we want to do it: is this only an investment for lagg-3 to have a better name and so on? No, in reality it is the mitigation of the risk at a particular domain. That's why the domain and its controls are very important.

In summary, ISO 27001, which is currently 2013, meaning the latest version is 2013, however two's new version is coming, so the version which we are currently complying with has 14 domains, 14 chapters, 14 areas of practice, and all those 14 have 114 controls, one one four controls. Now when we say control, it means that the entire information security will be governed over 114 controls. But the question comes: do all apply to every organization? The answer is no, because each organization has its own verticals, its own, you know, product or its own services or its own business model. So each business model may need a different control set, but some controls are mandatory controls, some controls are optional controls. So generally 106 to 110 controls are required by most productive organizations or governmental organizations; 3 to 5, maybe 10, can be excluded if it is not necessary for, or relating to, a particular organization.

This slide is very important, just to see in a nutshell ISO 27001, which
basically relates to the information security management system under one framework. That framework itself is called ISO 27001:2013, which means that is the latest version we have. Appendix A defines the domains. Those are 14 domains, starting from A.5, which is information security management; A.6, which is organization of information security; A.7, which is human resource security; A.8, asset management; A.9, access control; A.10, cryptography; A.11, physical and environmental security; A.12, operations security; A.13, communication security; A.14, system acquisition, development and maintenance; A.15, supplier relationships; A.16, information security incident management; A.17, information security aspects of business continuity management; A.18 is compliance. So these are the chapters of the domain.

Under the chapter, if you look at this one, for example A.5, let me give you some writing. This is A.5. In A.5 you see there are two controls. Let's talk about the controls and control objectives. So there are two things to note: the first one is controls, the second one is control objectives. Control objectives mean why we need this one. So for example A.5, information security policy: why will we need an information security policy? Basically, the information security policy is a constitution, or it is the agreement between the management and the employee, and it is governed by the head of the organization. It could be the IT director or it could be the CEO, so that under the CEO-ship or chief information security officer-ship there is an agreement between the employee and the company, the employee and the organization, that the following actions will not be taken while at work, or the following actions will be taken carefully, so that the compromise of information security or assets or data should not happen, or we need to comply our actions with the support of people, which is HR, process and technology. So the written form of such a
constitution or such an agreement is called the information security policy. So the objective is very clear. Now, how can we control? As you saw, there are two controls here, these two controls being: (a) it should be in written form, which means that it's not a verbal commitment; it should be part of the hiring kit or part of HR; and then later on there should be some awareness, which means that (a) it is in written form and somebody should sign, (b) it should be conveyed or it should be taught, it should be shared properly. So control (a), written; control (b), it should be signed. So two controls are there.

Now how do we measure the effectiveness? That's the question. My effectiveness is that, let's say, if you have 100 employees with different grades, starting from that safe, you know, the guy who got into the data, and then it goes up to the director or even general manager or whatever hierarchy you have in the management, everybody should have information security awareness, you know, knowledge, as well as a signature that the policy is known or the policy is being practiced, so there is no room for ignorance, that in case of any action or any violation one should say, "I was not aware of it." So that is called the control: (a) is written, (b) is signed.

So I cannot give you the example of all 114 controls, but this example applies to A.5, information security policy. Now each domain has a different history. Each domain is not equally divided into the controls; it depends on the practices of the domain. For example, I can give you an example here, how much this one, see, access control: it has 14, 14 controls. Why? As you see, there is not only physical access; logical and physical both. A lot of controls are required to have access control. For example, a very general example I can give you: as soon as you approach any organization, right from the gate into the office, you have, you know, security guards, you have passes, you have a badge, you have CCTV, you have many, you know, barriers to cross. So that is called
controls for the physical security. But if you are a guest anyway and utilize their Wi-Fi, definitely there will be some Wi-Fi guest account, and that guest account is fully under the surveillance of information security managers, so you cannot upload or download anything which is against the policy of the organization or contrary to the purpose of your visit. So that kind of control comes under access control. Again, see, system acquisition, development and maintenance has 13 controls. So some are, some are, sorry, again 18 is to control sandy. So the controls are not even allotted equally to all domains; however, if you add all 14 domains with all controls, the bottom line will be 114 controls. These controls require implementation as well as effectiveness, which means that people are practicing.

Again, we must understand that any good idea, the governance itself is a big question mark. Governance relates to risk and compliance: if God it is back-alley governed, the risk will be minimized, the compliance will be fulfilled. So GRC, governance, risk and compliance, relies on people, process, technology. Again, people: people means the people who practice, the people who use the IT, IT users, IT practitioners, the IT maintenance team, IT design; they all come under people. Process means change management, incident management, configuration management; all those managements have processes which relate to machines and people. And the third one is called technology. So mostly people are jumping on technology: "I have antivirus, I have endpoint security, I have a good firewall and I have a very good, you know, EDR," and so on. But nobody cares about the people, nobody cares about the process and its resilience. So today's awareness program will further elaborate all of these three, we three indices, into one, you know, practice, which is called best practices of ISMS.

Let me take you to the next step, the next slide, because as I mentioned to you there are 14 domains. I'll take you domain by domain with examples, because this is an awareness program and it
should have a full, total awareness program which you can understand. For example, A.5 is security policy, which means that it should have a complete policy, which is like this one, and then you should have, for example, security policy: a single policy for the entire organization, and management commitment. So management commitment is necessary; the objective is written and then the commitment is written. So for example, in commitment, an acceptable use policy for employees, users and management: how they use the IT system under their, you know, work or under their own, you know, day-to-day practice, and if they are managing that IT as well. So this pretty much is the information security policy, and as I said, the high level of confidentiality, data integrity and availability. So the security policy will guarantee the confidentiality of the information; confidentiality of the data is one thing, and then after confidentiality, integrity, and then availability. Confidentiality, integrity and availability: these three parts must be part of a good information security policy. So if the policy misses, let's say, the confidentiality part, that is not a qualified information security policy. So as per the ISO, it talks about confidentiality, integrity and availability with the process of people, process and technology, so this relationship actually is best practice.

Now the second is A.6, which is organization of information security policy, or organization of information security. To have a pact of governing model you should have roles and responsibilities clearly defined in your job description, so the JD is very important: who does what, and in case of any incident who will do what. So that kind of responsibilities, under the leadership, which is very important for any successful business: your leader is the one who actually leads from the front, and that is where the information security and for the leadership, ISO defines the role of chief information security officers as a
group leader, and then the security team. Definitely there are multiple teams required to work on the IT systems, which are the incident response team, change control team, disaster recovery team. The names may change, people use different names, but at the end of the day the objective is that information security is properly governed under the leadership of the CISO or director information security, with the following minimum teams of incident, change and disaster. So these teams work, and the entire hierarchy is well defined in the A.6.

Next, human resource, as always, is the backbone of any organization. So when somebody asks about any organization and tries to evaluate the organization's value, the value always comes from their people, from their HR. No matter whether they develop or they have a number of products, at the end of the day the team, the human resource, is a very important asset. Now human resource is a good asset or the best asset, but it can also be the other way around. So any information security aware employee or HR is your asset, and meantime any employee who is ignorant of information security, deliberately or indeliberately, could create an attached profit effects, or at least reputation damage to the organization. So that is where HR is very important. The job description is set by HR, meaning the human resource development program or the organization of the department, and then assign the information security of each role. For example, one of the roles, that I am DBA, meaning database administrator, but it should be written that information security is a part of your job, right? And then recruitment screening, such as police clearance, personal character check before hiring the employee. It depends, as it varies from organization to organization as well as country to country; however, the fact remains the same, that whosoever is joining you as a new employee or existing employee, you should know about his character or her character, and particularly not at the personal level but at a professional level,
so that you should evaluate the situation before he joins you, and that is not against privacy; that is the employment contract, and that should be part of your employment contract. And security training: it means handing over the security policy, awareness training, type of response. For example, this presentation aims to spread information security or ISMS globally. I am not talking Middle Eastern region; this is a global subject and it has to be taken Bologna. So this time of information, and there are hundreds or maybe thousands or millions of contributors in the world who are working on this information security, one of them, and my efforts are, you know, just to make sure that we can make an aware employee appear partners where information security aware community, so that we should avoid the mistakes and we should minimize the risk of information security and its compromises. Now the example is that if you have an employee, see, this example shows that is a security guard, he has a key, and then another one is a policeman who is screening you, and so on. So these are the examples. Every organization has its own way to carry out such a task, but at the end of the day the aim is that a chance will you prepare.

After that char in a domain talks about asset management. Now asset management: assets are tangible or intangible. A tangible asset is like, you know, mother, sorry, PC, computer, servers, mouse, keyboard and so on, and intangible means your reputation, your data, your information, your, you know, digital assets, because it's intangible; however, it can be transferred from place to place. And social engineering is the one which actually damages the digital assets by having or by sending a deceiving message; phishing is another one. But asset itself is two broader categories: one is tangible and the other is intangible. So SF qualification control and control is necessary to have a proper inventory, so you should have an electronic tag on all assets, barcode and database management, or even, if you are a small organization,
you should have a decent Excel spreadsheet where you can see your assets, and you have to have a control mechanism so that nobody can change that without authorization. Ownership means assignment of asset controller, custodianship of Si, and so on. So these are the ownership; temporarily it can be assigned to one person or multiple people. And then protection: protection itself means that you should have asset location, asset ownership, and a regular inventory audit, internally and externally, so that if you have, let's say, ten, 200 assets, you can manage, but if you have half a million assets or a million assets then definitely there is an audit required, inventory management is required, and then software is required. ISO is not specifically looking into the systems. ISO is just a high-level framework which actually elaborates that you should have asset management. How you do that depends: if you have under 50 assets, they could be counted every day, but if you have half a million, 2 million, 10 million, 40 million, then definitely you need a system. But at the end of the day the objective will remain the same, that you are managing your asset chapter. And you see that example; these are the examples. There are more examples, but just keeping the time in mind, I would like to finish in a very, very, you know, controlled time, like 35 to 40 minutes, so that's why I'm winding more examples.

A.9 is access control. As I mentioned to you earlier, access control has three areas which everybody, you know, has to follow up: when you access any IT system there are three processes, authentication, authorization, accounting. Generally this is triple A. So somewhere the triple A servers are there, but there are other ways to manage; there are many, many systems which actually have the same functionality of authentication, authorization and accounting. Why is it required? Because for any action you perform, you should log into your system, and then the system should give you a proper authorization. You can categorize the
authority of viewing any files and any data, anything, and any suta lessons, and then accounting, meaning if you are authorized to delete or to add, again there should be a record on the back of the servers, as a syslog, as a log server, so that in case of any investigation, forensic or good use, you should have proper accounting in your system. So these are the triple A functionality with access control.

The most important, and the far most important, is password management. Whatever is currently happening, if I'm not exaggerating, more than 60 to 70 percent of cyber attacks especially are password compromise: either we have an easy password or we don't care about our password. The other party, the other side of the equation, who are hackers or motivated hackers or even kiddies, they use your password and then they tarnish the entire information security policy unscrupulously. So that is why I would rather say that the password is one of the areas where every IT user, IT manager, IT team should be careful: (a) it should not be simple; (b) size-wise, it should be not less than 8 or 10 characters; (c) it should not be the name of a city or person, or, you know, your kid's name, your wife's, your boyfriend's, your girlfriend's name. It should be very complex, with special characters. So I would take one particular slide, or sorry, a presentation of about 20 to 30 minutes, on password management. Then restricted user access to certain network services, setting up user and so on, and maintaining the records of connection time, number of transfers and duration, as per the accounting. So chapter 9, I think, is very useful: to have these password policies and tokens of access, single sign-in through LDAP, restricted user access to certain network services, setting up privileges as per the position or as per the job description of an individual, and then maintaining the records of access to those systems, particularly if it is a high-end business solution such as financial transactions or, you know, gathering data
or doing something within the databases. So the connection time, number of transfers and the duration are very, very important. Ladies and gentlemen, you can understand that ISO 27001 is not a documentation. Let me make it very clear that having only documentation means nothing. You should have documentation, and then implementation, and then measuring the effectiveness, and then producing the results. All of these steps are basically written, and they are a part of the ISO audit.

Chapter 10 talks about cryptography, because when information passes as plaintext, let's say in a browser or any other application, it can be tapped, it can be taken off, it can be read by other parties. So how to avoid your username and password, how to avoid your communication from peer to peer over the internet or even over the VPN: you should have completely encrypted messages. That encryption is the one where mathematically you have to change the characters into unreadable ones, and you have to assign the key that the other party should use to decrypt it. I'll give you a little example, but because cryptography is a very huge subject that is more security, rather it is more mathematical, you know, notations, which we have to understand. Now, the science of hiding the sense of remembering information in communication; and a cryptographic algorithm is the mathematical method used to convert readable data into unreadable form from point A to B, so basically controlling the data in transition as well as the authorization, authentication and accountability. Cryptanalysis is the science of unhiding the sense of information and breaking the cryptographic algorithm. So cryptanalysis is this one. Now, all of these three characteristics generally we see like this. How does it work? You have a plaintext and then you have a key. Now if you look here, let me show you what a plaintext means. See, this is readable. Here is a message, some message, for example, "this is a message", same key for encryption, same... no,
this is not a message. The message could be any: "hello, how are you", just a message, right? And then your item, let's say Simpson. This message is not secret, but just to give you an example: as soon as it is encrypted it will look like this. So "Simpson, hello, how are you" is being encrypted through these keys, and then you have plaintext and then you have cipher. So this side is up, this side is plaintext, and this side is cipher, which means encrypted. Now after that, if you send the same key here, then you see the same message which is here is here, and then it can be translated into a readable message again here: "Simpson, hello, how are you". So the purpose of encryption was to hide the message between the two parties while it was on the internet, or in transition, or in the cable, or wherever you are moving from one end to another end. So this is pretty much the way it talks about cryptography, and it also talks about HTTP traffic, which is basically the SSL certificate for web-based applications; it talks about PKI, public key infrastructure, it talks about key exchange, it talks about key size, and it talks about all the physics of the encryption we normally or generally use in day-to-day communication.

Next is domain 11, physical and environmental security. I'll not take much time; this is very common. Physical and environmental security has access control. We already have access control, which was a logical access control; this is a physical access control. It has authorization, it has surveillance. So access control will be setting up the level of access, classifying the area of operations in groups. For example, if you are an IT user, you are not authorized to enter the data center, because that's not the area which you used to be. So who is authorized? Only IT people. Within the IT group there are certain people who work in infrastructure; they should be part of the data center, but not every IT person. That's an
example. How to do that? You have certain methods, such as biometric appliances, security guards, proximity cards or visitor badges. And then how do you do surveillance? Very common: centrally controlled surveillance with DVR and CCTV cameras. That domain is domain 11, very common; everybody knows about it. Example: see this one, just a common example.

Domain 12 is operational security, which means: operations security, OPSEC, is a risk management instrument that enables a manager or a commander to view an operation or activity from the perspective of an adversary. It is the process of identifying, analyzing and controlling critical information, and you are the key component of all of our security efforts, which means that operationally you have to segregate the area of the critical information versus the working area, and so on.

Area, sorry, domain 13 is communication security. Again, communication security has operating procedure, or SOP, standard operating procedure, assignment of tasks and duties, and capacity planning. The first one is the procedure that answers who to do when the incident occurs, and the second one is separation of duties into the tasks of employees, who does what, and then regular monitoring of system resources and bandwidth ensures a smooth and seamless operation of IT. So, ladies and gentlemen, information security itself is just to have a smooth and safe operation, IT operation. Hardware performance such as this one: you should have a proper monitoring system which can see the CPU, which can see, you know, the disk space, which can see every aspect of your IT.

Now the way from this, system acquisition, development and maintenance: these follow, you know, the few security systems such as IDS or IPS or even triple A, SIEM, and then firewall, then physical security. This domain talks about the hardware and software required to manage a best security posture of best security organization within the organization. So network-based or host-based IDS/IPS, data integrity checkers, data
independent security, data leak prevention, data loss prevention, endpoint security and response: all of those are current hardware or software for information security or cyber security. Stateful packet filtering as part of the firewall, content filtering, proxying, NATing, routing: these are very basic functionality. Now we are talking about content management, layer seven management, and we are also talking about APT, advanced persistent threat; we are also talking about the next-generation firewall; we are also talking about the term structure, contextual awareness of the firewall, and so on. This intelligence is now available in our hardware and software. If we compare a firewall of 2001 or 2005 with 2019 and 18, you can see a huge difference. Why? Because the threat model and threat level of cyber security have drastically changed, and a more intelligent system is required to mitigate those systems. And the upgrading of CPU and hardware has enabled the attackers, the crackers and the hackers to run the systems in seconds; they can spread viruses, they can spread malware, you know, in minutes or seconds, compared to the early days of cyber security when it took days and weeks. Now it takes seconds to spread out, and that's why the challenge is that we should prepare accordingly: we should prepare our awareness, we should prepare our mitigation, prepare our team, based on the current environment of information security and cybersecurity. Deputing security guards, duress alarms, all these are commonly practiced, but when it comes to internet security or cyber security we still need to do a lot more to mitigate the threats.

Domain 15 is supplier relationship management, because in any organization IT supplies and non-IT supplies are an everyday job or every-month job. So there are a lot of employees, sorry, there are a lot of suppliers who supply different kinds of software, hardware and even human resource. So this particular domain, which is called SRM, supplier
relationship management: the process should be, it defines the processes, their alignments, provides the structure and manages the supplier relationship. So SRM is based on planning, meaning what we require next, this year: you know, IT staff, IT hardware, software, any machines, even floor cleaning, even detergent, even consumables, even paper, even, you know, shredders and all those things; and then baselining how important this position is and who is the proper supplier, which is called performance management; and then value creation. All of this SRM is defined to ensure that the IT environment is properly governed and suppliers are well aligned with the requirements of an organization.

Now, domain sixteen, information security incident management. Gentlemen, ladies and gentlemen rather, it is very important to have incident management, because when something occurs it's basically considered an incident. It could be small, it could be big, it could be catastrophic, it could be reputational damage, it could be an individual loss, it could be a collective loss; all of those are called incidents. Now, incident management itself requires an incident reporting format or incident escalation process: incident reporting format, incident logging format, incident escalation procedure. And once the incident is properly reported, it means that you have identified the risk well in time. That's the best message which I must convey to you: I know that this happened, but how will I convey it to the parties who are involved, or, if it is my responsibility, how will I convey to myself that this has occurred? And then investigate. After it occurs, definitely there is a mitigation process. There are third parties involved, there may be senior supervisors involved, directors involved; they have to be included, and try to mitigate, try to stop that incident in progress, try to reduce the risk which it may create. However, investigation requires an incident response team, IRT, and then you need incident handling and root cause
analysis after the incident, which is also called digital forensics or incident forensics. Now, redress, or often the redresses of an incident, means that if any damage happened, you have to find out who is responsible, how we can address it, how we can mitigate so it does not happen in future, what would be the end of that loss, who will bear the loss, and stuff like that. It's all under domain A.16, information security incident management.

A.17 is business continuity management. Today, as you see, IT has become a part of life, and IT services especially, not IT, IT services. Let's say you are at home and your Wi-Fi doesn't work: you see how even the family members start talking to each other. If you are in a hotel, if you are at the airport, the first thing you see is the Wi-Fi, which means your life is becoming a digital life, or has already become a digital life. So the continuation of the IT services, the main part is how it can be continued, and there should be minimal outage. That is called business continuity: the continual operation, the guarantee of continual operation. Based on that, you have to set up the risk assessment, study of internet, sorry, studies of natural disasters, e.g. lightning, flood, and terrorism, bomb threat, those are all at the very high level; then incident response planning, emergency fallback planning, resumption procedures; and then you need evacuation and recovery, meaning using a remote disaster recovery planning site, restoring the operation and recovering the data from the backup, which means that you have a full, thorough physical and logical place in case of a major disaster on your main site. Or, if you are, you know, a good company and you have, you know, some budget in your hands, you can have n plus 1 or n plus 2 operation, which means that if the main site or main data center is compromised, down, anything happens, flood, anything, the second site, which is the secondary site, will take over your operation and your IT operation will continue. This subject is
a very wide subject. On the subject there is a special ISO called ISO 22301, which is business continuity management, and it would be one of my topics, to have more awareness, in coming lectures: ISO 22301, business continuity management. I'll speak about that as well. Now, examples: these are the examples, natural disasters. But ladies and gentlemen, natural disasters are likely less compared to human-made, compared to our own, you know, people who actually try to tarnish the Internet for any purpose; some hackers, some groups are paid groups, some of them are just doing it for fun. So natural disaster could be one of the elements, but human disaster, meaning human-made disaster, is much more seen on the internet, and in my past 25 or 28 years of practice in IT and telecom, hardly has a natural disaster ever, you know, created any outage; very, very few compared to human-made, compared to viruses, compared to other things. This is slightly less, so that's why I am not convinced that natural is the only one, but also the other one.

The last domain is the compliance domain. Compliance means every framework has some audit process. So ISO 27001 has a complete audit process. Before you submit your audit to a third party, such as UKAS, such as the certification bodies available worldwide, you have to carry out your pre-audit, and that is called audit procedures, or processes, which should be based on best practices and should be checked by a professional body, which is internal, and then you have external bodies, and then you have maintenance. External bodies will only be invited if you are confident enough that you have placed all of the controls, you have met all the objectives, and you are very confident that if a third party comes they will hardly find any major, so-called NCs. That is what compliance and review is. Corrective action is required: if there is anything you feel can be corrected, it is good practice to do it at your own
and rather the external auditor will come and identify it as a major nonconformance, called a major NC. However, if there are minor NCs, minor nonconformances, the auditor will give you time to correct and to mitigate that one and write a report called a corrective action report. And then the pre-certification assessment will tell you exactly how far you are from finalizing the ISO 27001 certification. Pre-certification should be harder than the real certification; that's the best practice we ever... Ladies and gentlemen, being an auditor, being a consultant, I feel that pre-audit, pre-certification, is more important than the final certification, because if you prepare your organization well aligned with the control system of ISO, and every facet of the compliance, such as people, process, technology, is properly done, then it is just a day or two or maybe three days of audit where the third party will come and certify you, and you will feel, as soon as the results come, that your organization has cleared or passed the ISO certificate.

Now, the audit process; I will not take much time. It has internal pre-assessment, stage one documentation review, stage two on-site audit, then surveillance audit, and so on. The formal requirement is that you should have proper surveillance documentation, and you should be willing to share, or willing to invite a third party and allow them to look at all the controls and all the mitigation strategy versus the action, and you have to prove, using evidence, the effectiveness of those controls in your organization. That effectiveness could be in the shape of hard-copy papers, could be your, you know, logs, could be your security operation logs, could be your, you know, management review meeting, could be your change control meeting, could be your configuration. All of that documentation can be seen or asked for by the third-party auditors in order to pass your ISO 27001. And I think the gap analysis before, and then statement of applicability and met checking,
security manual, risk assessment, treatment plan, and this treatment and continuation, countermeasures, residual risk management, all are part of the audit stage two full process. Compliance requirement, process approach, sampling technique: you cannot do all of IT in three days or four days, so the auditor will take samples and he will go after the samples. You have to produce the evidence of operational hours and so on, and then on-site surveillance, and after the on-site surveillance the ISO implementation will be complete.

Sorry, I cannot take your questions and give my answers live, but there will be, you know, a page where you can post your question. I would request you to give me your feedback: how was my presentation, how can I improve myself, and I should continue to make more awareness, so that it could be beneficial for everyone who is on the Internet, who is available on the Internet, who is after the knowledge. It may be a very general talk for the people who are in the same space, such as information security gurus and consultants, but it should be useful for ordinary IT people and IT users. Thank you so much and see you next time. Bye-bye.
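The authentication, authorization and accounting steps the speaker describes under access control (A.9), as an added Python example that is not part of the talk. The user, role names, permission map and record fields are constructed for illustration.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

# Constructed role -> permission map: privileges follow the job description.
ROLE_PERMISSIONS = {"dba": {"read", "add", "delete"}, "analyst": {"read"}}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so stored credentials are not reusable if leaked."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Session:
    user: str
    role: str
    started: float
    transfers: int = 0


class AAAServer:
    def __init__(self, clock=time.time):
        self._users = {}     # user -> (salt, password hash, role)
        self.audit_log = []  # accounting records, append-only
        self._clock = clock

    def _account(self, user, event, allowed, **extra):
        """Accounting: every decision, allowed or denied, leaves a record."""
        record = {"time": self._clock(), "user": user, "event": event,
                  "allowed": allowed, **extra}
        self.audit_log.append(record)
        return record

    def add_user(self, user, password, role):
        salt = os.urandom(16)
        self._users[user] = (salt, hash_password(password, salt), role)

    def authenticate(self, user, password) -> Optional[Session]:
        """Authentication: failed and unknown-user logins are logged too."""
        salt, stored, role = self._users.get(user, (b"\0" * 16, b"", None))
        ok = hmac.compare_digest(hash_password(password, salt), stored)
        self._account(user, "login", ok)
        return Session(user, role, self._clock()) if ok else None

    def authorize(self, session, action, resource) -> bool:
        """Authorization: the role, not the individual, carries the privilege."""
        allowed = action in ROLE_PERMISSIONS.get(session.role, set())
        if allowed:
            session.transfers += 1
        self._account(session.user, f"{action}:{resource}", allowed)
        return allowed

    def close(self, session) -> dict:
        """Close the session with connection time, duration and transfer count."""
        return self._account(session.user, "logout", True,
                             started=session.started,
                             duration_s=self._clock() - session.started,
                             transfers=session.transfers)


if __name__ == "__main__":
    srv = AAAServer()
    srv.add_user("alice", "constructed-Passphrase!42", "analyst")  # sample user
    s = srv.authenticate("alice", "constructed-Passphrase!42")
    srv.authorize(s, "read", "ledger")     # allowed for an analyst
    srv.authorize(s, "delete", "ledger")   # denied, but still recorded
    srv.close(s)
    for rec in srv.audit_log:
        print(rec)
```

The denied `delete` and the failed logins land in the same log as the successful actions, which is what makes the record usable for an investigation or an audit sample.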

Frequently asked questions

Learn everything you need to know to use airSlate SignNow eSignatures like a pro.

How do I eSign a document before sending it?

airSlate SignNow allows document authors to eSign before sending it and even add signature fields for recipients if needed. Just upload your file, open it and create respective signature fields: My Signature to self sign a document and Signature Field to collect signatures. For self signing, you’ll need to generate your own eSignature. To do so, just apply the My Signature element and follow the instructions and either type, draw, or upload your signature. Once you like what you’ve generated, click Sign. After that, assign signature fields to recipients, add their emails, send it out and wait. Once everyone has signed, airSlate SignNow will automatically send each party an executed PDF copy.

What do I need to sign a PDF electronically?

Signing documents electronically is easier than ever. With airSlate SignNow, you only need your device and an internet connection. Register and create your account and then upload the PDF you want to sign. Add your electronic signature using airSlate SignNow's eSigning tools and elements. Sign documents whenever you want, without limits. You can keep your signed documents and organize them in your Documents folder or download them to your device or the cloud.

How do I sign documents sent to my email?

If you already have an airSlate SignNow account, it’s very easy. There are two ways you can eSign files from your inbox. Install our extension for Google Chrome and import email attachments directly from your inbox. If you prefer a browser other than Chrome, download the attachment, open signnow.com, and upload it to the system. airSlate SignNow makes eSigning documents fast and simple.