# Week 9
## Slide 1 - SANS 17799/27001 Security & Audit Framework

## Slide 3 - A. Overview of ISO 17799 (ISO/IEC 27002)

a. Overview of ISO 17799 (ISO/IEC 27002)
- ISO 17799, now known as ISO/IEC 27002, is a globally recognized standard for information security management. It provides guidelines and best practices for establishing, implementing, maintaining, and improving an information security management system (ISMS). The standard covers various aspects of information security including risk management, access control, physical security, incident management, and business continuity.
- Example: A healthcare organization wants to ensure the confidentiality, integrity, and availability of patient data. By implementing ISO 17799, the organization can establish policies and procedures to protect data from unauthorized access, ensure data accuracy, and maintain data availability even in the event of a disaster.
b. Twelve Steps Implementation Process for ISO 17799
1. Define an Information Security Policy: Establish a policy that sets the direction of the ISMS.
   - Example: A bank establishes an information security policy that defines how customer data should be protected, the acceptable use of IT resources, and the consequences of policy violations.
2. Define the Scope of the ISMS: Determine the boundaries and applicability of the ISMS.
   - Example: A software development company defines the scope of its ISMS to include its development network, customer support systems, and any third-party services it uses.
3. Conduct a Risk Assessment: Identify and assess risks to the organization's information assets.
   - Example: A hospital performs a risk assessment to identify potential risks to patient data, such as unauthorized access, data corruption during system upgrades, and data loss through system failures.
4. Manage Identified Risks: Decide how to address and mitigate identified risks.
   - Example: After the hospital identifies risks to patient data, it decides to implement stronger access control measures, regular data backups, and encryption of sensitive data.
5. Select Control Objectives and Controls: Choose appropriate security controls to meet the control objectives.
   - Example: An e-commerce company selects control objectives aimed at protecting customer transaction data and decides on controls such as SSL encryption, intrusion detection systems, and regular security audits.
6. Prepare an SOA (Statement of Applicability): Document the chosen controls and their applicability.
   - Example: An IT service provider documents in an SOA that they will apply controls such as multi-factor authentication for all remote access and employ anti-malware defenses on all endpoints.
7. Implement the Selected Controls: Put the chosen security controls into practice.
   - Example: A financial institution implements network segmentation to separate critical servers from the rest of the network to limit the potential spread of a security breach.
8. Prepare for Incidents: Develop and implement an incident response plan.
   - Example: A retail chain develops an incident response plan that includes immediate isolation of affected systems, communication strategies for customers, and legal teams in case of a data breach.
9. Train and Educate Staff: Ensure that employees are aware of and understand their security responsibilities.
   - Example: A manufacturing company holds monthly training sessions on information security awareness, teaching employees about phishing, password security, and how to report suspicious activity.
10. Monitor and Review the ISMS: Regularly assess the performance and effectiveness of the ISMS.
    - Example: A logistics company uses security information and event management (SIEM) software to continuously monitor its network and reviews logs weekly for unusual activity.
11. Conduct Internal Audits: Perform regular internal audits to ensure compliance with the ISMS.
    - Example: An advertising agency conducts semi-annual internal audits to check for compliance with its ISMS, including a review of security policies, physical access controls, and employee adherence to security practices.
12. Undertake Management Reviews: Review the ISMS at the management level for continual improvement.
    - Example: The senior management of a cloud services provider holds quarterly meetings to review the ISMS performance, discuss the findings from internal audits, and plan for any changes or improvements.

b. Twelve Steps Implementation Process for ISO 17799 - Cont'
- Example: A financial institution implementing the twelve steps might start by defining a security policy focused on protecting customer financial data, then assess risks related to data breaches and select controls like encryption and access controls to mitigate these risks. They would document their choices in an SOA, implement the controls, and then train staff on security procedures. Regular monitoring, internal audits, and management reviews would ensure the ongoing effectiveness of the ISMS.
c. SANS ISO 17799 Methodology
- The SANS (SysAdmin, Audit, Network, and Security) Institute provides a methodology for implementing ISO 17799, which emphasizes a practical, step-by-step approach to developing and maintaining an ISMS. The methodology includes:
1. Building Awareness: Educating stakeholders about the importance of information security and the benefits of ISO 17799.
   - Example: A manufacturing company conducts a series of workshops to educate employees about the risks of phishing attacks and the importance of protecting company data.
2. Project Planning and Management: Establishing a project plan for implementing the standard, including timelines, resources, and responsibilities.
   - Example: An IT firm assigns a project manager to oversee the ISO 17799 implementation, setting clear milestones, such as completion of risk assessment by Q1 and policy development by Q2.
3. Asset Identification and Classification: Identifying and classifying information assets to determine their value and sensitivity.
   - Example: A retail business lists all of its information assets, including customer databases and proprietary software, and classifies them based on sensitivity and value to the business.
4. Risk Assessment: Conducting a thorough risk assessment to identify potential threats and vulnerabilities.
   - Example: A financial institution evaluates the potential threats to its electronic fund transfer system, such as hacking or fraudulent transactions.
5. Risk Management: Developing strategies to manage identified risks, including selecting appropriate controls from ISO 17799.
   - Example: A software company opts to encrypt all its code repositories and implement two-factor authentication for access after identifying risks in its cybersecurity audit.
6. Policy Development: Creating information security policies that align with the organization's objectives and risk management strategy.
   - Example: A healthcare provider develops a comprehensive data security policy that includes guidelines for handling patient information, responding to data breaches, and training staff.
7. Implementation: Implementing the selected controls and policies, and integrating them into the organization's operations.
   - Example: An online retailer implements the developed policies by upgrading its network security infrastructure and adopting secure e-commerce platforms.
8. Training and Awareness: Providing ongoing training and awareness programs to ensure that staff understand their roles in maintaining information security.
   - Example: A marketing firm requires all new hires to complete an information security training program and hosts regular refresher courses for existing staff.
9. Monitoring and Review: Regularly monitoring and reviewing the effectiveness of the ISMS, and making adjustments as needed.
   - Example: A university sets up a monitoring system that tracks access to student records, reviews the logs monthly, and adjusts the security measures based on the review findings.
## Case Study
A retail company decides to implement the SANS ISO 17799 methodology to enhance its information security. The company starts by building awareness among its management and staff about the importance of information security and the benefits of adhering to ISO 17799 standards. A project team is formed to oversee the implementation process, and a detailed project plan is developed.
The company then proceeds with identifying and classifying its information assets, which include customer data, financial records, and proprietary information. A risk assessment is conducted to identify potential threats and vulnerabilities to these assets. Based on the risk assessment, the company selects appropriate controls from ISO 17799, such as encryption for customer data, access controls for financial records, and intellectual property rights management for proprietary information.
The company develops and implements policies and procedures to support the selected controls. Employees are trained on these policies and their roles in maintaining information security. The implementation is integrated into the company's daily operations, and a monitoring and review process is established to ensure the ongoing effectiveness of the ISMS.
Six months after implementation, the company conducts an internal audit and finds a significant reduction in security incidents and an improvement in overall information security posture. The company's management reviews the audit results and approves additional resources for further enhancing the ISMS.
This case study demonstrates how a retail company successfully implemented the SANS ISO 17799 methodology to improve its information security management system, resulting in enhanced protection of its information assets and a more robust security posture.
## Slide 1 - Project – Part 2 – Few Examples

## Slide 2 - Control: We Have Deployed Antivirus and Anti.

- A.10.1 Operational Procedures and Responsibilities
  - A.10.1.2 Change Management
    - Control: We have implemented a formal change management process that includes documenting changes, assessing risks, obtaining approvals, and conducting post-implementation reviews.
    - Testing: The effectiveness of the change management process can be tested by reviewing a sample of change records to ensure that all steps were followed and by conducting audits to assess the impact of changes on system stability and security.
  - A.10.1.3 Segregation of Duties
    - Control: Duties and responsibilities are clearly defined and segregated among different individuals or teams to prevent conflicts of interest and reduce the risk of unauthorized or unintentional modifications.
    - Testing: Segregation of duties can be tested by reviewing job descriptions and access rights to ensure that there is no overlap in critical functions and by conducting regular access audits to detect any violations of segregation principles.
- A.10.4 Protection Against Malicious and Mobile Code
  - A.10.4.1 Controls Against Malicious Code
    - Control: We have deployed antivirus and anti-malware solutions across all endpoints and servers, and we conduct regular security awareness training for employees to recognize and prevent malware threats.
    - Testing: The effectiveness of controls against malicious code can be tested by conducting regular antivirus scans and updates, reviewing detection logs, and simulating malware attacks to assess the response and recovery procedures.
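The two "Testing" bullets for A.10.1.2 and A.10.1.3 above describe sample-based audit checks: pull a sample of change records and confirm every required step was followed, and review access rights for any one person holding incompatible functions. The script below is an added example of how an auditor could automate both checks; it is not from the course slides or from any SANS or ISO material. The required change steps, the list of conflicting function pairs, the change records and the access assignments are all constructed sample data, and a real audit would load them from the change ticketing system, the access control matrix and HR role definitions.

```python
"""Sample-based tests for two ISO 17799 (ISO/IEC 27002) controls.

A.10.1.2 Change management: every sampled change record must show all
required steps (documented, risk assessed, approved, post-implementation
review), and the approver must not be the person who requested the change.
A.10.1.3 Segregation of duties: no single person may hold two functions that
policy declares incompatible.

All steps, conflict pairs, records and assignments below are constructed for
this example and are not taken from any real organisation.
"""
from dataclasses import dataclass, field
from itertools import combinations
from typing import Dict, List, Optional, Set, Tuple

# Steps a complete change record must contain (constructed for the example).
REQUIRED_STEPS = ("documented", "risk_assessed", "approved", "reviewed")

# Function pairs declared incompatible (constructed; a real matrix comes from policy).
CONFLICTING_FUNCTIONS = {
    frozenset({"develop_code", "deploy_to_production"}),
    frozenset({"request_change", "approve_change"}),
    frozenset({"create_vendor", "approve_payment"}),
}


@dataclass
class ChangeRecord:
    change_id: str
    requester: str
    approver: Optional[str]
    steps: Set[str] = field(default_factory=set)


def audit_change_record(record: ChangeRecord) -> List[str]:
    """Return the findings for one change record; an empty list means compliant."""
    findings = []
    for step in REQUIRED_STEPS:
        if step not in record.steps:
            findings.append(f"{record.change_id}: missing step '{step}'")
    # Approval by the requester defeats the purpose of the approval step.
    if record.approver is not None and record.approver == record.requester:
        findings.append(f"{record.change_id}: requester approved own change")
    return findings


def audit_change_sample(records: List[ChangeRecord]) -> Dict[str, List[str]]:
    """Audit a sample of change records; map change_id -> findings for non-compliant ones."""
    result = {}
    for record in records:
        findings = audit_change_record(record)
        if findings:
            result[record.change_id] = findings
    return result


def segregation_violations(assignments: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (user, function_a, function_b) for every incompatible pair held by one user."""
    violations = []
    for user, functions in sorted(assignments.items()):
        for a, b in combinations(sorted(functions), 2):
            if frozenset({a, b}) in CONFLICTING_FUNCTIONS:
                violations.append((user, a, b))
    return violations


# Constructed sample change records (not real tickets).
SAMPLE_CHANGES = [
    ChangeRecord("CHG-001", "alice", "bob", {"documented", "risk_assessed", "approved", "reviewed"}),
    ChangeRecord("CHG-002", "carol", "carol", {"documented", "approved"}),
    ChangeRecord("CHG-003", "dave", None, {"documented", "risk_assessed"}),
]

# Constructed sample access assignments: user -> functions they can perform.
SAMPLE_ASSIGNMENTS = {
    "alice": {"develop_code", "run_tests"},
    "bob": {"approve_change", "deploy_to_production"},
    "carol": {"develop_code", "deploy_to_production", "request_change"},
    "erin": {"request_change", "approve_change", "create_vendor"},
}

if __name__ == "__main__":
    for change_id, findings in audit_change_sample(SAMPLE_CHANGES).items():
        print(change_id, "->", "; ".join(findings))
    for user, a, b in segregation_violations(SAMPLE_ASSIGNMENTS):
        print(f"SoD violation: {user} holds both '{a}' and '{b}'")
```

Running the sample flags CHG-002 (two missing steps plus self-approval) and CHG-003 (never approved or reviewed), and reports carol (develops and deploys) and erin (requests and approves changes) as segregation violations. Treating the conflict matrix as data rather than hard-coding rules keeps the test in step with the policy it is meant to verify.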
## Slide 3 - Control: Mobile Code is Restricted To.

- A.10.4.2 Controls Against Mobile Code
  - Control: Mobile code is restricted to authorized applications only, and we use application whitelisting and sandboxing techniques to ensure that unauthorized mobile code cannot execute.
  - Testing: Controls against mobile code can be tested by attempting to execute unauthorized mobile code to verify that it is blocked and by regularly auditing the whitelist and sandbox configurations.
- A.10.6 Network Security Management
  - A.10.6.1 Network Controls
    - Control: Our network is secured with firewalls, intrusion detection and prevention systems, and encryption for data in transit. We also have network access controls in place to restrict access based on user roles and device compliance.
    - Testing: Network controls can be tested by conducting penetration tests to assess the effectiveness of firewalls and intrusion detection systems, reviewing network access logs for compliance with access policies, and conducting regular vulnerability scans to identify and remediate potential weaknesses.
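The A.10.6.1 "Testing" bullet above includes reviewing network access logs for compliance with access policies; since the stated control restricts access by user role and device compliance, the review needs to check each allowed connection against both. The script below is an added example of that review and is not from the course slides or any SANS or ISO material. The log line format, the role-to-network policy and the log entries are all constructed for the example; a real review would parse the format of the organisation's own network access control system.

```python
"""Review constructed network access log lines against a role-based access
policy, as a sample test for control A.10.6.1 (network controls).

Policy model (constructed for the example): each user role may reach a fixed
set of networks, and a device must be reported compliant before it is allowed
in. Every 'allow' event that breaks either rule is a finding; 'deny' events
show the control working and are not reviewed here.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Role -> networks the role is permitted to reach (constructed sample policy).
ROLE_NETWORKS = {
    "finance": ["10.0.5.0/24"],
    "engineering": ["10.0.10.0/24", "10.0.11.0/24"],
    "helpdesk": ["10.0.5.0/24", "10.0.10.0/24"],
}

# Constructed key=value log format; adapt the pattern to the real NAC/firewall export.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) device=(?P<device>\S+) "
    r"compliant=(?P<compliant>yes|no) dst=(?P<dst>[\d.]+):(?P<port>\d+) "
    r"action=(?P<action>allow|deny)$"
)

# Constructed sample log lines (not from any real system).
SAMPLE_LOG_LINES = [
    "2024-05-01T09:12:03Z user=alice role=finance device=LAP-0017 compliant=yes dst=10.0.5.20:443 action=allow",
    "2024-05-01T09:12:41Z user=bob role=engineering device=LAP-0042 compliant=yes dst=10.0.10.7:22 action=allow",
    "2024-05-01T09:13:05Z user=bob role=engineering device=LAP-0042 compliant=yes dst=10.0.5.20:443 action=allow",
    "2024-05-01T09:14:22Z user=carol role=helpdesk device=BYOD-0003 compliant=no dst=10.0.5.20:443 action=allow",
    "2024-05-01T09:15:10Z user=dave role=finance device=LAP-0099 compliant=yes dst=10.0.10.7:22 action=deny",
    "2024-05-01T09:16:00Z user=erin role=contractor device=LAP-0120 compliant=yes dst=10.0.11.3:8080 action=allow",
    "garbage line that does not parse",
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into a field dict, or None if it does not match the format."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def role_permits(role: str, dst: str) -> bool:
    """True if the role's policy allows reaching the destination address.
    Unknown roles have no entry and are therefore permitted nothing."""
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(net) for net in ROLE_NETWORKS.get(role, []))


def review_access_log(lines: Iterable[str]) -> Tuple[List[Tuple[str, str, str]], int]:
    """Return (findings, unparsed_count). Each finding is (timestamp, user, reason)."""
    findings = []
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            unparsed += 1  # unparsable lines are reported, never silently dropped
            continue
        if event["action"] != "allow":
            continue
        if event["compliant"] == "no":
            findings.append((event["ts"], event["user"], "non-compliant device allowed"))
        if not role_permits(event["role"], event["dst"]):
            findings.append((event["ts"], event["user"],
                             f"role '{event['role']}' not permitted to reach {event['dst']}"))
    return findings, unparsed


def findings_by_user(findings: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count findings per user so repeat offenders stand out in the audit report."""
    return dict(Counter(user for _, user, _ in findings))


if __name__ == "__main__":
    found, skipped = review_access_log(SAMPLE_LOG_LINES)
    for ts, user, reason in found:
        print(ts, user, reason)
    print(f"{len(found)} findings, {skipped} unparsable line(s)")
```

On the sample lines the review produces three findings: bob (engineering) reached the finance network, carol connected from a device the NAC reported as non-compliant, and erin's "contractor" role has no policy entry at all, so her access cannot be shown to comply. The one unparsable line is counted rather than ignored, because a log that cannot be read is itself an audit finding about the control's evidence.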