ISO or NIST: Which Security Framework is Best for Your Firm?
Kathryn Hume, Principal Consultant, Security GRC2
Michael Johnson, Managing Member & Principal Consultant, Security GRC2
Doug Kersten, Sr. Information Security Manager, Paul, Weiss, Rifkind, Wharton & Garrison LLP
Agenda
• Why? Client Audits and Information Security
• What? Overview of ISO 27001 and NIST 800-53
• How? An Integrated Approach
• Who? Resources Required for Implementation
Client Audits and Information Security
The Brave New World of Private Regulation
Regulatory Focus on Third‐Party Risk
• October 21, 2014: New York Dept of Financial Services sends letter to banks
• “It is important that financial institutions are able to identify, monitor, and mitigate any cybersecurity risks posed by their third-party relationships, including but not limited to law firms and accounting firms.”
What is Regulation?
“The sustained and focused attempt to alter the behavior of others according to defined standards or purposes with the intention of producing broadly defined outcomes, which may involve mechanisms of standard setting, information gathering and behavior modification.” Julia Black “Critical Reflections on Regulation”
Multiple Regulatory Paradigms
Self Regulation
Private Regulation
State Regulation
Poll Question 1
Audits and Frameworks
• Security framework streamlines audit response
• Some clients accept ISO certification in lieu of audit
• Some clients encourage adoption of NIST 800-53
• Obama endorses 2014 NIST Cybersecurity Framework
• Certification process for ISO; no certification for NIST
Overview: ISO 27001
Implementing an Information Security Management System
Poll Question 2
Legal Industry Momentum
ISO‐Certified Firms
Working Towards Certification
Addleshaw Godard
Allen & Overy
Alston & Bird
Baker & McKenzie
Bird & Bird
Bond Dickinson
Baker Donelson
BuckleySandler
Clifford Chance
Cravath
Eversheds
Hogan Lovells
Cleary Gottlieb Steen & Hamilton
Davis Polk & Wardwell
Irwin Mitchell
Linklaters
Milbank Tweed Hadley & McCloy
Orrick Herrington & Sutcliffe
Paul Weiss Rifkind Wharton & Garrison
Pinsent Masons
Ropes & Gray
Shook Hardy
Simpson Thacher & Bartlett
Sullivan & Cromwell
White & Case
Davis Wright Tremaine
Debevoise & Plimpton
Faegre Baker Daniels
Fried Frank
Goodwin Procter
Gray Robinson
Holland & Knight
Kramer Levin
Proskauer & Rose
Shearman & Sterling
Skadden Arps
Taft
Vinson & Elkins
What is ISO 27001?
This International Standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.
ISO 27001 Structure
Part I: Setting up the System (9 pages)
1.-3. Scope, Normative references, Terms
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance Evaluation
10. Improvement
Part II: Annex A Controls (12 pages)
• 14 Domains
• 35 Control Objectives
• 114 Controls
• ISO 27002 sister document
ISO 27001 Control Domains
14 Domains, 35 Control Objectives, 114 Controls (number of controls per domain in parentheses)
• Information Security Policies (2)
• Organization of Information Security (7)
• Human Resources Security (6)
• Asset Management (10)
• Access Control (14)
• Cryptography (2)
• Physical and Environmental (15)
• Operations Security (14)
• Communications Security (7)
• System Acquisition, Dev & Maintenance (13)
• Supplier Relationships (5)
• Incident Management (7)
• Business Continuity Mgt (4)
• Compliance Internal & External (8)
ISMS Implementation Tasks
• ISMS Scope: Scope determines resources. Start with critical systems.
• Asset Inventory: Document assets and owners.
• Roles & Responsibilities: Assign and document roles.
• Risk Assessment: Assess risks on in-scope services. Define treatment plan.
• Compliance Requirements: Define legal, regulatory, contractual obligations.
• Statement of Applicability: Control selection driven by risk and compliance.
• Monitor and Review: Process for evaluation, mgt review and corrective actions.
• Internal Audit: Conduct internal audit.
• Certification: Conduct 2 certification audits.
ISMS Life Cycle: Implement, Operate, Monitor, Review, Improve
Information Security Risk Management ISO 27005:2011
Risk Management Process
Risk Treatment Options
Overview: NIST 800‐53 (R 4)
Security and Privacy Controls for Federal Organizations
Poll Question 3
What is NIST 800‐53?
The purpose of this publication is to provide guidelines for selecting and specifying security controls for organizations and information systems supporting executive agencies of the federal government…
The publication provides a comprehensive set of security controls, three security baselines (low, moderate, and high impact) and guidance for tailoring the appropriate baseline to specific needs according to an organization’s mission, environments of operation, and technologies used.
NIST 800‐53 Structure
Conceptual Framework (45 pages)
Chapter 1: Introduction (purpose, cross-reference to other frameworks, responsibilities)
Chapter 2: Fundamentals (multitiered risk mgmt., control baselines, external service providers)
Chapter 3: Process (selecting control baselines, documenting selection)
Annex D Baseline Controls (39 pages)
• 18 Control Families
• Multiple Sub-Domains (3 control domains)
Control Identifiers & Family Names
18 Control Families
NIST Risk Management Framework
Risk Management Framework
FIPS 199 Security Categories
Potential adverse impact by security objective:
Security Objective | Low     | Moderate | High
Confidentiality    | Limited | Serious  | Severe or Catastrophic
Integrity          | Limited | Serious  | Severe or Catastrophic
Availability       | Limited | Serious  | Severe or Catastrophic
Security Category of an Information/Systems Type = (C, impact) (I, impact) (A, impact)
Comparing ISO with NIST
Side‐by‐Side Comparison
Reference Documents
ISO 27001:2013 reference documents (pages):
• ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements (25)
• ISO/IEC 27002:2013 Information technology — Security techniques — Code of practice for information security controls (80)
• ISO/IEC 27005:2011 Information technology — Security techniques — Information security risk management (68)
NIST 800-53, Revision 4 reference documents (pages):
• FIPS 199 Standards for Security Categorization of Federal Information and Information Systems (9)
• NIST 800-53, R4 Security and Privacy Controls for Federal Information Systems and Organizations (460)
• NIST 800-39 Managing Information Security Risk (88)
Management Clauses and Controls
ISO 27001:2013:
• Clauses (implement, operate, monitor, and review): 10
• Annex(es): 1
• Control Domains: 14
• Controls: 114
NIST 800-53, Revision 4:
• Chapters (introduction, fundamentals, process): 3
• Annex(es): 10
• Control Domains (Baseline, Security, Privacy Controls): 18
• Controls – Baseline*: 260 (1491**)
* Some controls may be discontinued.
** Total number of controls, including sub-controls/enhancements, estimated at 1491
Basis for Controls Selection
ISO 27001:2013:
1. Results of Risk Assessment
2. Compliance Requirements – legal, regulatory, contractual, and business requirements
NIST 800-53, Revision 4:
1. Criticality of information stored, processed, or transmitted by systems
2. Sensitivity of information stored, processed, or transmitted by systems
NIST Security Category of an Information/Systems Type = (C, impact) (I, impact) (A, impact). Applicable values for potential impact are: low, moderate, or high.
Best of Both Worlds
Integration of ISO 27001 and NIST
Poll Question 4
Integrate By Mapping Controls
Three stage process:
1. Implement and certify an ISO 27001 Information Security Management System (ISMS)
2. Map ISO 27001 applicable controls to NIST 800-53 baseline security controls on the ISMS Statement of Applicability (SoA)
3. Use the annual ISMS surveillance audit to integrate and demonstrate compliance with NIST 800-53
Example 1: Controls Mapping
ISO/IEC 27001:2013 – Asset Management
A.8.1.1 Inventory of Assets: Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.
NIST 800-53, Rev 4
• CM-8 INFORMATION SYSTEM COMPONENT INVENTORY
• CM-8 (1) INFORMATION SYSTEM COMPONENT INVENTORY | UPDATES DURING INSTALLATIONS / REMOVALS
• CM-8 (2) INFORMATION SYSTEM COMPONENT INVENTORY | AUTOMATED MAINTENANCE
Example 2: Controls Mapping
ISO/IEC 27001:2013 – Access Control
A.9.1.1 Access Control Policy: An access control policy shall be established, documented and reviewed based on business and information security requirements.
NIST 800-53, Rev 4
• AC-1 ACCESS CONTROL POLICY AND PROCEDURES
• AC-2 ACCOUNT MGT
• AC-3 ACCESS ENFORCEMENT
• AC-3 (1) ACCESS ENFORCEMENT | RESTRICTED ACCESS TO PRIVILEGED FUNCTIONS
• AC-5 SEPARATION OF DUTIES
• AC-6 LEAST PRIVILEGE
Example 3: Controls Mapping
ISO/IEC 27001:2013 – Key Management
A.10.1.2 Key Management: A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.
NIST 800-53, Rev 4
• AC-3 (6) ACCESS ENFORCEMENT | PROTECTION OF USER AND SYSTEM INFORMATION
• SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
• SC-12 (4) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | PKI CERTIFICATES
Example 4: Controls Mapping
ISO/IEC 27001:2013 – Vendor Management
A.15.2.1 Monitoring and Review of Supplier Services: Organizations shall regularly monitor, review and audit supplier service delivery.
NIST 800-53, Rev 4
• SA-9 EXTERNAL INFORMATION SYSTEM SERVICES
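The mapping step (stage 2 above) can be checked mechanically once the SoA records applicability decisions: the added example below, which is not code from the slides or from any of the firms named, takes the four ISO-to-NIST mappings shown in Examples 1 to 4 and reports which NIST controls are evidenced by applicable ISO controls, which target NIST controls remain uncovered, and which "not applicable" decisions would need re-justifying under the NIST lens. The SoA entries and the target NIST control set are constructed sample data, not a real SoA or a full 800-53 baseline.

```python
"""Check an ISO 27001 Statement of Applicability (SoA) against a NIST 800-53
control set using the four ISO-to-NIST mappings shown on the slides.
SoA entries and the target control set are constructed sample data."""
from collections import defaultdict

# ISO 27001:2013 Annex A control -> NIST 800-53 R4 controls (as mapped on the slides)
ISO_TO_NIST = {
    "A.8.1.1":  ["CM-8", "CM-8(1)", "CM-8(2)"],
    "A.9.1.1":  ["AC-1", "AC-2", "AC-3", "AC-3(1)", "AC-5", "AC-6"],
    "A.10.1.2": ["AC-3(6)", "SC-12", "SC-12(4)"],
    "A.15.2.1": ["SA-9"],
}
# Constructed SoA: control id -> (applicable?, justification recorded in the SoA)
SAMPLE_SOA = {
    "A.8.1.1":  (True,  "asset inventory required for in-scope services"),
    "A.9.1.1":  (True,  "firm-wide access control policy in force"),
    "A.10.1.2": (False, "no firm-managed cryptographic keys in ISMS scope"),
    "A.15.2.1": (True,  "supplier reviews for hosted services"),
}
# Constructed target set standing in for the baseline a client expects;
# a real run would load the selected baseline from 800-53 Annex D.
SAMPLE_TARGET = {"CM-8", "CM-8(1)", "AC-1", "AC-2", "AC-3", "AC-6",
                 "SC-12", "SA-9", "IR-4"}

def nist_coverage(soa, mapping):
    """Map each NIST control to the applicable ISO controls that evidence it."""
    covered = defaultdict(list)
    for iso_id, (applicable, _) in soa.items():
        if applicable:
            for nist_id in mapping.get(iso_id, []):
                covered[nist_id].append(iso_id)
    return dict(covered)

def nist_gaps(soa, mapping, target):
    """Target NIST controls with no applicable ISO control mapped to them."""
    return sorted(set(target) - set(nist_coverage(soa, mapping)))

def risky_exclusions(soa, mapping, target):
    """ISO controls marked not applicable whose mapped NIST controls are still
    in the target set: each needs a justification that also holds for NIST."""
    return {iso_id: sorted(set(mapping.get(iso_id, [])) & set(target))
            for iso_id, (applicable, _) in soa.items()
            if not applicable and set(mapping.get(iso_id, [])) & set(target)}

if __name__ == "__main__":
    for nist_id, iso_ids in sorted(nist_coverage(SAMPLE_SOA, ISO_TO_NIST).items()):
        print(f"{nist_id:8} evidenced by {', '.join(iso_ids)}")
    print("uncovered:", nist_gaps(SAMPLE_SOA, ISO_TO_NIST, SAMPLE_TARGET))
    print("exclusions to re-justify:", risky_exclusions(SAMPLE_SOA, ISO_TO_NIST, SAMPLE_TARGET))
```

With the sample data, IR-4 and SC-12 come out uncovered, and the A.10.1.2 exclusion is flagged because SC-12 is still in the target set.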
What it takes
Firm Case Study Implementing ISO 27001
Why adopt ISO 27001?
Client requirements (OCGs, questionnaires, audits)
Improve security program
Flexibility and recognition of ISO 27001 framework
ISO 27001 Benefits
• Formalize and focus security program
• Prioritize key services and risks
• Facilitate client audits (sometimes sufficing for requirement)
ISMS Scope
Document Management Service
Email Service
Remote Access Services
Mobile Device Management Service
Resource Requirements
• Chair and Management Liaison: Chief Information Officer
• Deputy Chair: Director of Global Infrastructure and Security
• Team Lead: Sr. Manager for Information Security
Risk Management Team for Each In‐Scope Asset
Time to Implement and Certify
Month 1 – ISMS Scope: Scope determines resources. Start with critical systems.
Month 2 – Asset Inventory: Document assets and owners.
Month 3-5, Month 7, Month 9:
• Roles & Responsibilities: Assign and document roles.
• Risk Assessment: Assess risks on in-scope services. Define treatment plan.
• Compliance Requirements: Define legal, regulatory, contractual obligations.
• Statement of Applicability: Control selection driven by risk and compliance.
• Monitor and Review: Process for evaluation, mgt review and corrective actions.
• Internal Audit: Conduct internal audit.
• Certification: Conduct 2 certification audits.
Advice to Firms Considering ISO 27001
Develop Policies and Procedures
Assign Responsibility
Plan Ahead
Stay on Top of Deliverables
Documentation central to audit
Person responsible to collect data
Identify domains requiring most work
Follow‐up with team members early and often
Policies often spread across local teams
Owners for specific services + controls
Schedule regular progress meetings
Continual Improvement
ISMS Life Cycle: Implement, Operate, Monitor, Review, Improve
• Bi-monthly team meetings addressing key initiatives
• Incorporate security into change control + project management following ISO 27002 guidelines
• Focus security awareness initiatives
Integration with NIST 800-53
ISMS Life Cycle (Continual Improvement): Implement, Operate, Monitor, Review
• Centralize ISO + NIST efforts
• Simplify compliance with NIST controls
• Certify compliance during annual ISO surveillance audit
Statement of Applicability
Map NIST controls to ISO controls to satisfy business compliance requirements
Q&A
Kathryn Hume [email protected]
Michael Johnson [email protected]
Doug Kersten [email protected]