Thursday, March 31, 2022

ISO 27001 Presentation - ISO27001 PPT

This is a very basic ISO27001 PPT that I prepared in 2013.

ISO 27001 Implementation Approach


ISO 27001 Agenda


ISO 27001 Overview

ISO 27001 Standards - Wikipedia 

High Level Structure of ISMS based on ISO 27001

ISO 27001 - Certification Audit Cycle : Internal audits are mandatory before you plan for certification. Having a strong internal audit team in-house helps a lot; however, if manpower cost is a concern, onboard a good consultant and run through at least 2 internal audit cycles before you go for the external audit.
External Audit : Choose a certification body. Having worked with Bureau Veritas and experienced a few others during my consulting assignments, I can rate Bureau Veritas and BSI as good certification bodies.



ISO 27001 Implementation Methodology


ISMS implementation, like that of any other ISO standard, follows the PDCA (Plan-Do-Check-Act) model, sometimes also called the Deming Cycle. Understanding PDCA really helps to inculcate strong practices for making an ISO implementation successful. Some good links for understanding the PDCA approach are :


ISMS Implementation Approach

ISO Certification Plan : The certification cycle consists of 3 stages :
Stage 1 Audit : Validates the ISO mandatory documents, organization readiness, management commitment and the overall approach adopted. Gaps identified are highlighted and need to be
Stage 2 Audit : Focuses on control checking, process maturity, management commitment and the compliance aspects of the organization. Once the Stage 2 audit is cleared, the organization gets ISO certification, which is valid for 3 years.
Continued Conformance : Annual Assessments : Certification bodies conduct annual surveillance audits for the next two years. Most of the audit process remains the same, except that during these surveillance audits not all departments or functions are audited: auditors pick the critical functions that are part of the scope and a few of the secondary or supporting functions. They also check for pending closures of non-conformities raised in previous audits. After the 2 surveillance audits comes the recertification audit, which is similar to the Stage 2 audit.

ISO Core Team : This team generally oversees the critical areas that are part of the ISO certification scope.

The security committee is generally responsible for ensuring budgets and training support, and for ensuring timely internal audits and the other compliance activities mandatory to continue ISMS certification. Management-level employees are generally part of this committee.

Risk Assessment is a critical requirement of ISO 27001. The organization is expected to develop a risk assessment and risk management process to ensure risks are identified, evaluated, assessed and managed - the 4T's : Treated, Tolerated, Transferred or Terminated.

Risks can only be identified against assets, so asset identification is the first step. Assets can be physical assets such as a UPS or a server, or non-physical assets such as employees, intellectual property, software code etc.
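To make the asset-first, 4T's flow concrete, here is a small worked risk register in Python. It is an added example, not part of the original PPT and not prescribed by the standard: the 5x5 likelihood-by-impact scale, the risk appetite threshold of 8, the assets, threats, scores and controls are all assumptions constructed for illustration. The findings it produces are the kind an internal audit would raise before a Stage 1 audit, including the case where a risk is "transferred" on paper but the residual score never actually drops.

```python
"""Worked ISO 27001-style risk register (added example, not from the original post).

Assumed conventions, none prescribed by the standard:
  - likelihood and impact on a 1..5 scale, risk score = likelihood * impact
  - risk appetite: a score above APPETITE must be treated, transferred or
    terminated; at or below it the risk may be tolerated with sign-off
  - the residual score is re-assessed after treatment and must also fall
    within appetite
The assets, threats, scores and controls are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

APPETITE = 8  # assumed risk appetite threshold
TREATMENTS = {"treat", "tolerate", "transfer", "terminate"}  # the 4T's


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int                              # 1..5
    impact: int                                  # 1..5
    treatment: str = "tolerate"
    controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[int] = None    # after treatment, if re-assessed
    residual_impact: Optional[int] = None

    def __post_init__(self) -> None:
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and impact must be on a 1..5 scale")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment option {self.treatment!r}")

    @property
    def inherent(self) -> int:
        """Score before any treatment."""
        return self.likelihood * self.impact

    @property
    def residual(self) -> int:
        """Score after treatment; falls back to the inherent values if not re-assessed."""
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        imp = self.impact if self.residual_impact is None else self.residual_impact
        return lik * imp


# Constructed sample register: asset first, then the threat against that asset
SAMPLE_REGISTER: List[Risk] = [
    Risk("Data-centre UPS", "Mains power failure", 3, 4, "treat",
         ["standby generator", "quarterly UPS maintenance contract"], 1, 4),
    Risk("File server", "Ransomware delivered by phishing", 4, 5, "treat",
         ["offline backups", "anti-malware", "monthly patching", "awareness training"], 2, 3),
    Risk("Source code repository", "Insider copies code to personal storage", 2, 5, "tolerate"),
    Risk("Employees", "Key person leaves without handover", 3, 2, "tolerate"),
    # residual not re-assessed: insurance pays for the hardware but does not
    # restore confidentiality, so the score stays at its inherent value
    Risk("Staff laptops", "Theft of an unencrypted laptop", 3, 4, "transfer",
         ["device insurance"]),
]


def validate_register(register: List[Risk]) -> List[str]:
    """Return the findings an internal auditor would raise against this register."""
    findings: List[str] = []
    for r in register:
        tag = f"{r.asset} / {r.threat}"
        if r.inherent > APPETITE and r.treatment == "tolerate":
            findings.append(f"{tag}: inherent score {r.inherent} exceeds appetite {APPETITE} but is only tolerated")
        if r.treatment == "treat" and not r.controls:
            findings.append(f"{tag}: treatment chosen but no controls recorded")
        if r.treatment in ("treat", "transfer") and r.residual > APPETITE:
            findings.append(f"{tag}: residual score {r.residual} still exceeds appetite {APPETITE}")
    return findings


def summary(register: List[Risk]) -> List[Tuple[str, int, int, str]]:
    """(asset, inherent, residual, treatment) rows, highest inherent risk first."""
    rows = [(r.asset, r.inherent, r.residual, r.treatment) for r in register]
    return sorted(rows, key=lambda row: -row[1])


if __name__ == "__main__":
    for row in summary(SAMPLE_REGISTER):
        print("%-25s inherent=%2d residual=%2d %s" % row)
    for finding in validate_register(SAMPLE_REGISTER):
        print("FINDING:", finding)
```

Run as-is, the register reports two findings: the tolerated insider risk sits above appetite without sign-off, and the laptop theft "transfer" leaves the residual score untouched. The second one is the classic mistake the 4T's are meant to expose: a transfer only counts if the re-assessed residual risk really comes down.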

This is the list of mandatory ISO 27001 documents and records.


You can freely use the PPT. If you need the PDF, I would be happy to share it; you can send me a DM over my Twitter handle #ISOGeek.




Thursday, September 30, 2021

Endpoint Security - Building a Secure Environment

WHAT IS ENDPOINT SECURITY

Endpoints are typically the computing devices used by users in an organization; they can be a desktop, a laptop, a tablet or a mobile phone. Since the start of the pandemic, endpoint security has again taken a front seat, as the traditional network-centric approach is no longer valid with users working from anywhere.

Endpoint security is defined as the process of securing the endpoints. It includes a set of security controls rather than a single control, for example access controls, endpoint hardening, anti-malware, data loss prevention tools etc.

WHY ENDPOINT SECURITY IS IMPORTANT

Any end-user computing device, such as a laptop, desktop or mobile phone, can be leveraged by attackers to gain a foothold inside the enterprise network for carrying out malicious activities. Securing these end-user devices to prevent loss of corporate/organization information has become very important in the wake of the heavy fines imposed under various regulations, such as privacy regulations, and also of lost business to competitors. Post pandemic, perimeter security is no longer considered an enterprise security solution, as users now access corporate information from discrete home networks which have no firewalls or other attack-prevention technologies.

The best approach is to force endpoint devices to meet corporate security baselines before being granted access to corporate data, thus effectively mitigating the risk of exposure to unknown and unverified endpoint devices. Many organizations are also adopting a Zero Trust Architecture, which is more like an always-on VPN with no split tunnelling: essentially all traffic is filtered by organization-specific policies via a reverse proxy, and for access to internal network assets the solution provides a secure, encrypted tunnel typically referred to as a Private VPN.
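As an added example (not code from the original post or from any particular Zero Trust product), the following Python sketch shows the baseline-before-access idea: a posture report from the endpoint is checked against a corporate baseline, critical failures deny access outright, and advisory failures allow only the reverse-proxied web applications rather than the private VPN. The check names, the thresholds (30-day patch age, 7-day signature age, 15-minute lock timeout) and the three sample posture reports are all assumptions constructed for illustration.

```python
"""Endpoint posture check before granting access (added example, not from the post).

Assumptions: the checks, severities, thresholds and the three posture reports
are constructed for illustration; a real deployment would receive the report
from an agent or MDM and apply the decision at the reverse proxy / VPN gateway.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Tuple

TODAY = date(2021, 9, 30)        # fixed reference date so the example is reproducible
MAX_PATCH_AGE_DAYS = 30          # assumed baseline values
MAX_SIGNATURE_AGE_DAYS = 7
MAX_LOCK_TIMEOUT_MIN = 15


def _days_since(iso_day: str) -> int:
    return (TODAY - date.fromisoformat(iso_day)).days


@dataclass(frozen=True)
class Check:
    name: str
    severity: str                        # "critical" -> deny, "advisory" -> restrict
    passes: Callable[[Dict], bool]


# Corporate baseline (constructed): critical items gate all access, advisory
# items gate the private VPN only
BASELINE: List[Check] = [
    Check("disk_encryption", "critical", lambda p: p["disk_encrypted"] is True),
    Check("av_running", "critical", lambda p: p["av_running"] is True),
    Check("firewall_enabled", "critical", lambda p: p["host_firewall"] is True),
    Check("patches_current", "critical",
          lambda p: _days_since(p["last_patch"]) <= MAX_PATCH_AGE_DAYS),
    Check("user_not_admin", "critical", lambda p: p["user_is_local_admin"] is False),
    Check("av_signatures_fresh", "advisory",
          lambda p: _days_since(p["av_signature_date"]) <= MAX_SIGNATURE_AGE_DAYS),
    Check("screen_lock", "advisory",
          lambda p: p["screen_lock_minutes"] <= MAX_LOCK_TIMEOUT_MIN),
    Check("managed_device", "advisory", lambda p: p["mdm_enrolled"] is True),
]


def evaluate(posture: Dict) -> Tuple[str, List[str]]:
    """Return (decision, failed_checks); decision is allow / restrict / deny.

    A missing or malformed attribute counts as a failed check: an endpoint
    that cannot prove compliance is not assumed compliant.
    """
    failed_critical: List[str] = []
    failed_advisory: List[str] = []
    for check in BASELINE:
        try:
            ok = bool(check.passes(posture))
        except (KeyError, TypeError, ValueError):
            ok = False
        if not ok:
            (failed_critical if check.severity == "critical" else failed_advisory).append(check.name)
    if failed_critical:
        return "deny", failed_critical + failed_advisory
    if failed_advisory:
        return "restrict", failed_advisory      # web apps via reverse proxy only, no private VPN
    return "allow", []


# Constructed posture reports, as an endpoint agent might submit them
COMPLIANT_LAPTOP = {
    "disk_encrypted": True, "av_running": True, "host_firewall": True,
    "last_patch": "2021-09-15", "user_is_local_admin": False,
    "av_signature_date": "2021-09-28", "screen_lock_minutes": 10, "mdm_enrolled": True,
}
STALE_SIGNATURES_LAPTOP = dict(COMPLIANT_LAPTOP, av_signature_date="2021-09-10")
BYOD_TABLET = {
    "disk_encrypted": False, "av_running": True, "host_firewall": True,
    "last_patch": "2021-07-01", "user_is_local_admin": True,
    "av_signature_date": "2021-09-29", "screen_lock_minutes": 5, "mdm_enrolled": False,
}

if __name__ == "__main__":
    for label, report in [("corporate laptop", COMPLIANT_LAPTOP),
                          ("laptop with stale signatures", STALE_SIGNATURES_LAPTOP),
                          ("BYOD tablet", BYOD_TABLET)]:
        print(f"{label:<30} -> {evaluate(report)}")
```

The design point is the fail-closed handling: an agent that omits an attribute, or reports it in an unexpected form, is treated as non-compliant rather than waved through, and the failed check names are returned so the user (or the help desk) can see exactly what to fix before retrying.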

Please note that endpoint security doesn't mean actions taken solely on the endpoint side; rather, endpoint security now encompasses actions that extend along the entire chain of information access: OS boot, user login, application usage and access to corporate resources (internal applications, data on file servers, email etc.) from anywhere.

ENDPOINT SECURITY REQUIREMENTS

While 100% endpoint security is never possible, to manage the risk and achieve a level of assurance at which the residual risk can be accepted, organizations should adopt a combination of essential and non-essential products to implement a layered defense approach. In my 20+ years I have seen the evolution happening from dumb terminals to AI-based technologies, and I have realized the essential ones are non-negotiable while the non-essential ones depend on a lot of factors such as the organization's business domain, regulatory requirements, culture etc. Here is the list segregated into essential and non-essential features, but you are free to build your own list. You may also consult me for building your endpoint security strategy by sending a DM over Twitter.

Essential Features

  • Endpoint Privileged Access control
  • Application Control - Whitelisting and blacklisting
  • Network access control
  • Malicious Traffic Filtering
  • Log Management

Non-Essential - Good to Have

  • Device or data encryption at rest
  • Information Rights Management
  • Data loss prevention
  • Insider threat protection
  • Endpoint detection and response (EDR) - for Medium sized organizations
  • Extended Detection and Response(XDR) for Large Organizations or for those who have complex business operations with sensitive data spread across multiple business units

As technologies evolve and most organizations go cloud-centric for various reasons, endpoint technologies are surely going to undergo a metamorphosis too; don't adopt and commit to a solution for longer than 3 years if you are not very clear about the IT roadmap. Business teams mostly drive those decisions, and it's better to have a beer in their company after business hours to understand what's going on, so as to build a better technology landscape :).

Saturday, March 20, 2021

Spyware Prevention and Detection

The pandemic has accelerated the usage of business and financial applications by almost 500%. While most institutions and users have taken steps to protect their computers using antivirus, these fail to protect computers against “spyware” – another form of malware.

Spyware is a type of malicious software that is installed on your computer or mobile device without your consent. It can gain access to your sensitive personal information and then relay it to other parties, some of them malicious.

What can Spyware do?

1. Infiltrate — via an app install package, a malicious website (drive-by downloads or malicious popups), or a file attachment.

2. Monitor activities and capture information — via keystrokes, screen captures, and other tracking code.

3. Send stolen data — to third parties without the user's consent or knowledge.

4. Make changes to the system configuration, for example removing security settings so that more software can be installed remotely, showing popups, or redirecting users to advertising sites.

5. Compromise confidential personal information such as:

  • Login credentials — passwords and account PINs
  • Credit card numbers
  • Keystrokes
  • Email addresses harvested from mail clients

Spyware Infection

Spyware is usually installed without a user's knowledge or permission. This malware may be bundled with otherwise legitimate freeware, shareware or trial software applications, and may even get installed from websites via drive-by downloads.

Bundleware, or bundled software packages, is a common delivery method for spyware. Often users install the spyware themselves, as part of a bundled software application, without understanding the full ramifications of their actions. A user may be required to accept an End User License Agreement (EULA), which often does not clearly inform the user about the extent or manner in which information is collected. In such cases, the spyware is installed without the user's “informed consent.”

Some bundled spyware installs discreetly without any warning. At other times, the bundleware will describe the spyware in the license agreement, without using that term or stating its purpose, and will require you to accept the end-user agreement. By forcing the user to agree to the full software bundle in order to install the desired program, users voluntarily but unknowingly infect their systems.

Spyware authors also often use marketing emails to trick users into clicking a link to visit a malicious website or to install a software application, again leveraging user interaction to achieve infection.

Some examples

Unlocker app bundled with spyware

Applications bundled with Spyware/Adware

Infected Mac-OS Screensavers


Behaviors Associated With Spyware

Spyware can be difficult to detect and remove because it:

  1. Does not always appear as a running program in the Windows Task Manager; therefore, the user may be unaware that his or her computer has been infected.
  2. May not include an uninstall option in the Windows “Add/Remove Programs” function. Even when such an option is available, the removal process may not eliminate all components, or it may redirect the user to an Internet site to complete the removal. This often results in a new or additional infection rather than removal. Sometimes browsers are installed with toolbars that again redirect users to malicious websites for reinstallation of the same spyware, or of other spyware from the same author.
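The two behaviours above suggest a detection-side check for defenders: compare what starts automatically at logon with what “Add/Remove Programs” knows about. The Python below is an added example (not from the original post): it scores constructed autostart entries by whether they run from or load a user-writable location, sit outside the normal program directories, have no matching installed-program entry, or use a script host or hidden-window launcher, and puts anything above a threshold on a review list. The inventory, the entries, the weights and the threshold are all constructed assumptions; on a real host the entries would be read from the Run/RunOnce keys, the Startup folders and the scheduled tasks.

```python
"""Autostart triage against the installed-programs inventory (added example).

Not from the original post. The inventory, autostart entries, weights and
threshold are constructed for illustration; on a real host the entries would
come from the Run/RunOnce keys, Startup folders and scheduled tasks.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class AutostartEntry:
    name: str      # value name under a Run key, or a scheduled-task name
    command: str   # command line launched at logon


# Constructed inventory: what "Add/Remove Programs" reports, name -> install location
INSTALLED: Dict[str, str] = {
    "Microsoft OneDrive": "C:\\Program Files\\Microsoft OneDrive",
    "Free Video Converter": "C:\\Program Files\\FreeVidConv",
    "Adobe Acrobat Reader DC": "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC",
}

# Constructed autostart entries from a single host
AUTOSTART: List[AutostartEntry] = [
    AutostartEntry("OneDrive", '"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background'),
    AutostartEntry("SecurityHealth", "C:\\Windows\\System32\\SecurityHealthSystray.exe"),
    AutostartEntry("Updater", '"C:\\Users\\alice\\AppData\\Roaming\\FreeVidConv\\updater.exe" -silent'),
    AutostartEntry("SearchHelper", 'wscript.exe //B "C:\\Users\\alice\\AppData\\Local\\Temp\\sh.vbs"'),
    AutostartEntry("Adobe ARM", '"C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"'),
]

TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "rundll32.exe", "regsvr32.exe", "cmd.exe"}
FLAG_THRESHOLD = 3   # assumed: total weight at which an entry goes on the review list


def executable_path(command: str) -> str:
    """Lower-cased executable from a command line, quoted or bare."""
    m = re.match(r'\s*"([^"]+)"', command) or re.match(r"\s*(\S+)", command)
    return m.group(1).lower() if m else ""


def in_inventory(exe: str) -> bool:
    """True if the executable lives under some installed program's location."""
    return any(exe.startswith(loc.lower() + "\\") for loc in INSTALLED.values())


def score_entry(entry: AutostartEntry) -> Dict:
    cmd = entry.command.lower()
    exe = executable_path(entry.command)
    basename = exe.rsplit("\\", 1)[-1]
    reasons: List[str] = []
    score = 0
    if any(marker in cmd for marker in USER_WRITABLE):   # whole command line: payload may be an argument
        reasons.append("runs from, or loads, a user-writable location")
        score += 3
    if not exe.startswith(TRUSTED_DIRS):
        reasons.append("executable outside standard program directories")
        score += 1
    if not exe.startswith("c:\\windows\\") and not in_inventory(exe):
        reasons.append("no matching installed-programs entry")
        score += 2
    if basename in SCRIPT_HOSTS or "-w hidden" in cmd or "-windowstyle hidden" in cmd:
        reasons.append("script host or hidden-window launcher")
        score += 2
    return {"name": entry.name, "score": score, "reasons": reasons,
            "flagged": score >= FLAG_THRESHOLD}


def triage(entries: List[AutostartEntry] = AUTOSTART) -> List[Dict]:
    """All entries scored, highest first."""
    return sorted((score_entry(e) for e in entries), key=lambda r: -r["score"])


def flagged_names(entries: List[AutostartEntry] = AUTOSTART) -> List[str]:
    return [r["name"] for r in triage(entries) if r["flagged"]]


if __name__ == "__main__":
    for r in triage():
        mark = "REVIEW" if r["flagged"] else "ok    "
        print(f"{mark} {r['name']:<15} score={r['score']} {'; '.join(r['reasons'])}")
```

On the sample data the two entries that land on the review list are the “Updater” living in a roaming AppData folder with no uninstall entry of its own (exactly the component that an Add/Remove Programs removal would leave behind) and the script-host launcher reading a .vbs from Temp. The Adobe entry collects a single weak signal (no inventory match) and stays below the threshold, which is why the weights are combined rather than treated as individual alerts.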

Mitigate the Risks Associated With Spyware

  1. Restricting users from downloading software, especially software not approved by the organization's policies.
  2. Removing administrator rights, or provisioning a non-admin account for internet surfing.
  3. If possible, configuring the browser to reject ActiveX controls, to lessen the likelihood that spyware is installed on computers through drive-by downloads during website visits.
  4. Keeping systems updated with patches, which lowers the chances of infection as many spyware programs take advantage of reported vulnerabilities.
  5. Installing and maintaining a comprehensive anti-malware solution that offers anti-spyware features.
  6. Setting firewall filters to prohibit Internet downloads and visits to inappropriate websites.
  7. Spreading user awareness about malware and spyware.
  8. Using email security tools to remove phishing and spam mails and to prevent delivery of mails with malicious links.


Friday, March 6, 2015

Implementation Steps for ISO 27001:2013

ISO 27001:2013 implementation expects a lot of top management involvement. The standard itself emphasizes "Leadership" while implementing an information security management system. Clause 5 of ISO 27001:2013 emphasises that "top management must demonstrate leadership and commitment to the ISMS, mandate information security policy and assign information security roles, responsibilities and authorities within the organization".
The following steps are generally followed while implementing an ISMS based on ISO 27001:2013:

  • Scope defining including physical boundaries
  • Appointment of ISO/CISO & roles and responsibilities
  • Implementation Plan
  • Awareness Trainings
  • Risk Assessment Trainings
  • Risk Analysis & Gap analysis
  • SOA (Statement of Applicability)
  • Process Implementation - Policies, Procedures etc.
  • Internal Audits
  • NC Closures - if any
  • Management Review Meeting
  • Repeat awareness training and audits if required
  • Select Certification Body & call for audit
  • Achieve Certification
  • Celebrate :)
  • Get busy in continual improvements & surveillance audits.
Alternate link: ISMS 27001:2013 IMPLEMENTATION ROADMAP

ISO27001:2013 Benefits

There are many advantages of implementing any management system in an organization. Some of the well-known potential benefits of implementing an information security management system based on the ISO27001:2013 standard are listed here.
  1. High level of management involvement, as it is top driven
  2. Helps the organization demonstrate due diligence and compliance with legal and regulatory requirements
  3. Ensures a structured analysis and management of information security risks
  4. Helps in proactively managing risks arising from loss of confidentiality, integrity and availability, or a combination thereof
  5. Inculcates better security awareness among employees, customers and vendors
  6. Provides best-practice guidelines for information security management
  7. Increases stakeholders' confidence in management

Thursday, March 5, 2015

ISO 27001 :2013 Introduction

ISO 27001:2013 is an international standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO 27001:2013 describes how to manage information security in any organization, company, institution or the like. The latest revision of this standard, published on 25th Sep, 2013, is titled ISO/IEC 27001:2013.

ISO 27001 can be implemented in any kind of organization, company or institution, profit or non-profit, private or state-owned, small or large. It was written by the world's best experts in the field of information security, provides a methodology for the implementation of information security management in an organization, and has been updated to address the requirements of changed business scenarios.

ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof. 

This ISO standard is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.

ISO 27001 Series of Standards

The ISO/IEC 27000 series consists of information security standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The series is designed to provide best practices on information security management based on risk assessment, and to recommend controls within the context of an organization to enable it to implement an Information Security Management System (ISMS).
Since technology and business environments are continuously evolving, the older standards are revised and new standards are developed to address the evolving business landscape.

At present there are 33 published standards under the umbrella of the 27001 family. However, ISO/IEC 27001 is the only certifiable standard, against which an organization's Information Security Management System (ISMS) can be audited and certified by an accreditation body. (ISO/IEC 27001:2005 and ISO/IEC 27002:2005 are not included here, considering they are now obsolete after the release of the new versions.)

All the other standards in the ISO 27000 family are codes of practice, which provide non-mandatory best-practice guidelines published to support an ISMS based on ISO/IEC 27001.

The other 27000 series standards are not mandatory and adopting those is at the sole discretion of the organization.

A list of published standards is available at ISO.
About 33 standards have been released, and many more are in the development phase.