Main points covered:
• Information Security best practices (ESA, COBIT, ITIL, Resilia)
• NIST security publications (NIST 800-53)
• ISO standards for information security (ISO 20000 and ISO 27000 series)
- Information Security Management in ISO 20000
- ISO 27001, ISO 27002 and ISO 27005
• What is best for me: Information Security Best Practices or ISO standards?
Presenter:
This webinar was presented by Mohamed Gohar. Mr. Gohar has more than 10 years of experience in ISM/ITSM training and consultation. He is one of the expert reviewers of the CISA Review Manual 26th edition (2016) and is ISM Senior Trainer/Consultant at EGYBYTE.
Link of the recorded session published on YouTube: https://youtu.be/eKYR2BG_MYU
1. Information Security between Best Practices and ISO Standards
2. Mohamed Gohar
Instructor-Consultant
Mr. Mohamed Gohar has more than 10 years of experience in ISM/ITSM training and
consultation. He is one of the expert reviewers of the CISA Review Manual 26th edition (2016) and
is ISM Senior Trainer/Consultant at EGYBYTE.
+2 01061281600
mohamed.gohar@egybyte.net www.egybyte.net
eg.linkedin.com/in/mohamed-gohar-89253840
3. Information Security between Best Practices and ISO Standards
Presented by: Mohamed Gohar
- 10 years of experience in ISM/ITSM Training and Consultation
- Gohar is one of the expert reviewers of CISA RM 26th edition (2016)
- Certified in/as ISO 27001, ISO 27034, ISO 38500, ISO 24762, Resilia, CISA, CISM,
TOGAF, COBIT, ITIL and PMP
- ISM Senior Trainer/Consultant at EGYBYTE
4. Agenda
The webinar will cover the following areas:
• Information Security best practices (ESA, COBIT, ITIL, Resilia)
  - Information Security Governance frameworks
  - COBIT 5 for Information Security
  - Enterprise Security Architecture (ESA) frameworks (O-ESA and SABSA)
  - Information Security in the ITIL 2011 framework
  - RESILIA Cyber Security framework
• NIST security publications
  - NIST 800-100
  - Framework for Improving Critical Infrastructure Cybersecurity
  - NIST 800-53
• ISO standards for information security (ISO 38500, ISO 20000 and ISO 27000 series)
  - ISO 38500
  - Information Security Management in ISO 20000
  - ISO 27001, ISO 27002, ISO 27005 and ISO 27034
• What is best for me: Information Security Best Practices or ISO standards?
5. Information Security Governance Frameworks
Information Security Governance is a subset of corporate governance (Enterprise Risk
Management and Internal Controls) and runs in parallel with, or as a subset of, the governance of
enterprise IT (Strategic Management, Benefits Realization, Risk Optimization and Resource
Optimization).
Information security governance is the system by which an organization directs and controls
information security.
Information security governance should not be confused with information security management.
Information Security Governance          Information Security Management
• Accountability                         • Responsibility
• Authorizes decision rights             • Authorized to make decisions
• Enact policy                           • Enforce policy
• Oversight                              • Implementation
• Resource allocation                    • Resource utilization
• Strategic planning                     • Project planning
• Doing the right thing                  • Doing the things right
6. Information Security Governance Frameworks
NIST describes IT governance as the process of establishing and maintaining a framework to
provide assurance that information security strategies are aligned with and support business
objectives, are consistent with applicable laws and regulations through adherence to policies and
internal controls, and provide assignment of responsibility, all in an effort to manage risk.
Enterprise security governance results from the duty of care owed by leadership towards fiduciary
requirements. This position is based on judicial rationale and reasonable standards of care. The
five general governance areas are:
- Govern the operations of the organization and protect its critical assets
- Protect the organization's market share and stock price (perhaps not appropriate for education)
- Govern the conduct of employees (educational AUP and other policies that may apply to use of
  technology resources, data handling, etc.)
- Protect the reputation of the organization
- Ensure compliance requirements are met
"Governing for enterprise security means viewing adequate security as a non-negotiable
requirement of being in business."
10. Publications for Information Security Governance Frameworks
IT Governance Institute (ITGI) publications:
Information Security Governance: Guidance for Board of Directors and Executive
Management
Information Security Governance: Guidance for Information Security Managers
Cobit 5 for Information Security
11. Enterprise Security Architecture Frameworks
The Open Group, O-ESA
Corporate Governance Task Force report states: “The road to information security goes through
corporate governance”
To simplify security management, there must be a direct linkage between governance and the
security architecture itself.
O-ESA is a policy-driven security architecture in which policy is the link between governance and
the security architecture.
The functions of the O-ESA components and processes:
- Governance (Principles, Policies, Standards/Guidelines/Procedures, Audit, Enforcement)
- Technology Architecture (Conceptual framework, Conceptual architecture, Logical architecture,
  Physical architecture, Design/Development)
- Security Operations (Deployment, Services, Devices and applications, Administration, Event
  management, Incident management, Vulnerability management, Compliance)
12. Enterprise Security Architecture Frameworks
Objectives of O-ESA:
- Preserving Confidentiality, Integrity and Availability (CIA) of an organization’s information
- Effective information security management through accountability and assurance
- Satisfying the security demands placed on the IT service organization by its customers
13. Enterprise Security Architecture Frameworks
Sherwood Applied Business Security Architecture SABSA
SABSA is a proven framework and methodology for enterprise security architecture and service
management.
It is used successfully around the globe to meet a wide variety of Enterprise needs including Risk
Management, Information Assurance, Governance, and Continuity Management.
SABSA key benefits: it ensures that the needs of your Enterprise are met completely and that
security services are designed, delivered and supported as an integral part of your business and IT
management infrastructure.
Although copyright protected, SABSA is an open-use methodology, not a commercial product.
ESA or EISA can be a powerful development, implementation and integration tool for the
development and implementation of a strategy.
ESA or EISA should be an integral part of EA to be effective, as the integration of EISA and EA
helps to ensure that proper controls are implemented and integrated throughout the
organization infrastructure, processes and technologies.
15. Information Security in ITIL 2011
ITIL is a best practice framework for ITSM.
ITIL consists of 26 processes and 4 functions.
Information Security Management is one of the ITIL processes; it resides in the Design stage of the
ITIL lifecycle.
Information Security Management process
Information security is a management process within the corporate governance framework, which
provides the strategic direction for security activities and ensures objectives are achieved.
It further ensures that the information security risks are appropriately managed and that
enterprise information resources are used responsibly.
The purpose and objectives of the information security management process are to align IT security
with business security and to ensure that the confidentiality, integrity and availability of the
organization’s assets, information, data and IT services always match the agreed needs of the
business.
Scope: the information security management process should be the focal point for all IT security
issues, and must ensure that an information security policy is produced, maintained and enforced
that covers the use and misuse of all IT systems and services.
17. Resilia Cybersecurity Framework
RESILIA™ is a framework of best practice developed by AXELOS.
Based on the Cyber Resilience Best Practices guide, it offers practical knowledge to enhance
existing management strategies and helps align cyber resilience with IT operations, security and
incident management.
Using the ITIL lifecycle, it develops the skills and insight needed to detect, respond to and recover
from cyber-attacks.
19. NIST Security Publications
NIST publications are usually used by Federal Agencies or governmental organizations, and can
be used by non-governmental organizations too.
NIST is responsible for developing standards and guidelines, including minimum requirements,
and for providing adequate information security for all agency operations and assets.
NIST 800-100 (Information Security Handbook: A Guide for Managers)
Covers topics such as Information Security Governance, Performance Measures, Security Planning, IT
Contingency Planning, Risk Management, Incident Response and Configuration Management.
Framework for Improving Critical Infrastructure Cybersecurity
The Framework focuses on using business drivers to guide Cybersecurity activities and considering
Cybersecurity risks as part of the organization’s risk management processes
The Framework consists of three parts: the Framework Core, the Framework Profile, and the
Framework Implementation Tiers.
The Framework Core is a set of Cybersecurity activities, outcomes, and informative references
that are common across critical infrastructure sectors, providing the detailed guidance for
developing individual organizational Profiles.
20. NIST Security Publications
Through use of the Profiles, the Framework will help the organization align its Cybersecurity
activities with its business requirements, risk tolerances, and resources.
The Implementation Tiers provide a mechanism for organizations to view and understand the
characteristics of their approach to managing Cybersecurity risk.
NIST 800-53 r4
Security and Privacy Controls for Federal Information Systems and Organizations.
This publication provides a catalog of security and privacy controls for federal information systems
and organizations and a process for selecting controls to protect organizational operations
(including mission, functions, image, and reputation), organizational assets, individuals, other
organizations from a diverse set of threats including hostile cyber attacks, natural disasters,
structural failures, and human errors.
It contains 285 controls organized into 19 control families.
The controls are customizable and implemented as part of an organization-wide process that
manages information security and privacy risk.
21. ISO Standards for Information Security
ISO 38500
ISO/IEC 38500:2015 provides guiding principles for members of governing bodies of organizations
(which can comprise owners, directors, partners, executive managers, or similar) on the effective,
efficient, and acceptable use of information technology (IT) within their organizations.
It also provides guidance to those advising, informing, or assisting governing bodies. They include
the following:
— executive managers;
— members of groups monitoring the resources within the organization;
— external business or technical specialists, such as legal or accounting specialists, retail or
industrial associations, or professional bodies;
— internal and external service providers (including consultants);
— auditors.
22. ISO Standards for Information Security
ISO 38500
The purpose of this International Standard is to promote effective, efficient, and acceptable use of
IT in all organizations by
— assuring stakeholders that, if the principles and practices proposed by the standard are
followed, they can have confidence in the organization's governance of IT,
— informing and guiding governing bodies in governing the use of IT in their organization, and
— establishing a vocabulary for the governance of IT.
ISO 20000
ISO/IEC 20000-1:2011 is a service management system (SMS) standard. It specifies requirements
for the service provider to plan, establish, implement, operate, monitor, review, maintain and
improve an SMS. The requirements include the design, transition, delivery and improvement of
services to fulfil agreed service requirements.
23. ISO Standards for Information Security
ISO 20000
ISO/IEC 20000-1:2011 can be used by:
- an organization seeking services from service providers and requiring assurance that their service
  requirements will be fulfilled;
- an organization that requires a consistent approach by all its service providers, including those in a
  supply chain;
- a service provider that intends to demonstrate its capability for the design, transition, delivery
  and improvement of services that fulfil service requirements;
- a service provider to monitor, measure and review its service management processes and services;
- a service provider to improve the design, transition, delivery and improvement of services through
  the effective implementation and operation of the SMS;
- an assessor or auditor as the criteria for a conformity assessment of a service provider's SMS to the
  requirements in ISO/IEC 20000-1:2011.
24. ISO Standards for Information Security
ISO 20000
Information Security Management Process
The information security management (ISM) process should ensure that security controls are in
place to protect information assets and that information security requirements are incorporated
into the design and transition of new or changed services.
It deals with issues such as Information Security Policy, Information Security Controls, Risk
Assessment, Managing Information Security Risks, Information Security Changes and Incidents,
Documentation, and Authorities and Responsibilities.
26. ISO 27000 series
ISO 27001 Information Security Management Systems
The ISO 27000 family of standards helps organizations keep information assets secure.
Using this family of standards will help your organization manage the security of assets such as
financial information, intellectual property, employee details or information entrusted to you by
third parties.
ISO/IEC 27001:2013 is the best-known standard in the family providing requirements for an
information security management system (ISMS).
This International Standard specifies the requirements for establishing, implementing, maintaining
and continually improving an information security management system within the context of the
organization.
It contains 114 controls, 14 control groups and 35 control objectives.
27. ISO 27000 series
ISO 27002:2013 Code of practice for information security controls
This International Standard gives guidelines for organizational information security standards and
information security management practices including the selection, implementation and
management of controls taking into consideration the organization’s information security risk
environment(s).
It is designed to be used by organizations that intend to:
- select controls within the process of implementing an Information Security Management System
  based on ISO/IEC 27001;
- implement commonly accepted information security controls;
- develop their own information security management guidelines.
28. ISO 27000 series
ISO 27005:2011 Information Security Risk Management
It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the
satisfactory implementation of information security based on a risk management approach.
Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and
ISO/IEC 27002 is important for a complete understanding of ISO/IEC 27005:2011.
ISO/IEC 27005:2011 is applicable to all types of organizations (e.g. commercial enterprises,
government agencies, non-profit organizations) which intend to manage risks that could
compromise the organization's information security.
29. ISO 27000 series
ISO 27034-1:2011 Application Security – Overview and Concepts
ISO/IEC 27034 provides guidance to assist organizations in integrating security into the processes
used for managing their applications.
ISO/IEC 27034-1:2011 presents an overview of application security. It introduces definitions,
concepts, principles and processes involved in application security.
ISO/IEC 27034 is applicable to in-house developed applications, applications acquired from third
parties, and where the development or the operation of the application is outsourced.
ISO 27034-2:2015 Application Security – Organization Normative Framework
ISO/IEC 27034-2:2015 provides a detailed description of the Organization Normative Framework
and provides guidance to organizations for its implementation.
30. What is best for me: Information Security Best Practices or ISO standards?
Conclusion
- Whenever applicable, start with GEIT (governance of enterprise IT).
- GEIT is a subset of Corporate Governance.
- Policy is the linkage between Governance and EISA.
- EISA is an integral part of EA.
- The main objective of EA is to strategically align the business objectives with the enterprise IT
  objectives and to respond effectively and efficiently to the changing needs of the business.
- Policies define the necessary standards to implement and comply with.
- ISM/ITSM best practice frameworks are important steps on the way to successfully implementing
  ISO standards. Generally, ISO standards are auditable while best practice frameworks are not.
- A solid business case should be developed before adopting any best practice framework and/or
  standard.
- Cybersecurity is more than just protecting information assets: it is about preventing, detecting and
  correcting the adverse impact of incidents on the information assets required to do business.
- Auditing is the powerful governance tool for enforcing compliance with policies and standards.
31. About EGYBYTE
ISM/ITSM and Project Management Training
ITIL 2011, PRINCE2, AgilePM, COBIT 5, SDI, Business Analysis, ISO/IEC 20000, ISO/IEC 27001,
ISO/IEC 38500, ISO 22301, ISO 21500, CPDE and CloudSchool
ISM/ITSM Consultation
ISM/ITSM projects, assessment and development
Company Website
www.egybyte.net
For inquiries contact us:
INFO@EGYBYTE.NET