ISO or NIST Which Security Framework is Best for Your Firm?

Kathryn Hume, Principal Consultant, Security GRC2

Michael Johnson, Managing Member & Principal Consultant, Security GRC2

Doug Kersten, Sr. Information Security Manager, Paul, Weiss, Rifkind, Wharton & Garrison LLP

Agenda

• Why? Client Audits and Information Security
• What? Overview of ISO 27001 and NIST 800‐53
• How? An Integrated Approach
• Who? Resources Required for Implementation

Client Audits and Information Security

The Brave New World of  Private Regulation

Regulatory Focus on Third‐Party Risk

• October 21, 2014: New York Dept of Financial Services sends letter to banks
• “It is important that financial institutions are able to identify, monitor, and mitigate any cybersecurity risks posed by their third‐party relationships, including but not limited to law firms and accounting firms.”

What is Regulation?

“The sustained and focused attempt to alter the behavior of others according to defined standards or purposes with the intention of producing broadly defined outcomes, which may involve mechanisms of standard setting, information gathering and behavior modification.”
Julia Black, “Critical Reflections on Regulation”

Multiple Regulatory Paradigms

Self Regulation 

Private Regulation 

State Regulation 

Poll Question 1

Audits and Frameworks

• Security framework streamlines audit response
• Some clients accept ISO certification in lieu of audit
• Some clients encourage adoption of NIST 800‐53
• Obama endorses 2014 NIST Cybersecurity Framework
• Certification process for ISO; no certification for NIST

Overview: ISO 27001

Implementing an  Information Security  Management System

Poll Question 2

Legal Industry Momentum

ISO‐Certified Firms

Working Towards Certification

Addleshaw Godard

Allen & Overy

Alston & Bird

Baker & McKenzie

Bird & Bird

Bond Dickinson

Baker Donelson

BuckleySandler

Clifford Chance

Cravath

Eversheds

Hogan Lovells

Cleary Gottlieb Steen & Hamilton

Davis Polk & Wardwell

Irwin Mitchell

Linklaters

Milbank Tweed Hadley & McCloy

Orrick Herrington &  Sutcliffe

Paul Weiss Rifkind Wharton & Garrison

Pinsent Masons

Ropes & Gray

Shook Hardy

Simpson Thacher &  Bartlett

Sullivan & Cromwell

White & Case

Davis Wright Tremaine

Debevoise & Plimpton

Faegre Baker Daniels

Fried Frank

Goodwin Procter

Gray Robinson

Holland & Knight

Kramer Levin

Proskauer & Rose

Shearman & Sterling

Skadden Arps

Taft

Vinson & Elkins

What is ISO 27001?

This International Standard specifies the requirements for  establishing, implementing, maintaining and continually  improving an information security management system  within the context of the organization.

ISO 27001 Structure

Part I: Setting up System (9 pages)
1.‐3. Scope, Normative references, Terms
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance Evaluation
10. Improvement

Part II: Annex A Controls (12 pages)
• 14 Domains
• 35 Control Objectives
• 114 Controls
• ISO 27002 Sister Doc

ISO 27001 Control Domains (14 Domains, 35 Control Objectives, 114 Controls)

• Information Security Policies (2)
• Organization of Information Security (7)
• Human Resources Security (6)
• Asset Management (10)
• Access Control (14)
• Cryptography (2)
• Physical and Environmental (15)
• Operations Security (14)
• Communications Security (7)
• System Acquisition, Dev & Maintenance (13)
• Supplier Relationships (5)
• Incident Management (7)
• Business Continuity Mgt (4)
• Compliance Internal & External (8)

ISMS Implementation Tasks

• ISMS Scope: Scope determines resources. Start with critical systems.
• Asset Inventory: Document assets and owners.
• Roles & Responsibilities: Assign and document roles.
• Risk Assessment: Assess risks on in‐scope services; define treatment plan.
• Compliance Requirements: Define legal, regulatory, contractual obligations.
• Statement of Applicability: Control selection driven by risk and compliance.
• Monitor and Review: Process for evaluation, mgt review and corrective actions.
• Internal Audit: Conduct internal audit.
• Certification: Conduct 2 certification audits.

ISMS Life Cycle

Implement, Operate, Monitor, Review, Improve (repeating cycle)

Information Security Risk  Management ISO 27005:2011

Risk Management Process

Risk Treatment Options

Overview: NIST 800‐53 (R 4)

Security and Privacy Controls  for Federal Organizations

Poll Question 3 

What is NIST 800‐53?

The purpose of this publication is to provide guidelines for selecting and  specifying security controls for organizations and information systems supporting  executive agencies of the federal government…

The publication provides a comprehensive set of security controls, three security  baselines (low, moderate, and high impact) and guidance for tailoring the  appropriate baseline to specific needs according to an organization’s mission,  environments of operation, and technologies used.

NIST 800‐53 Structure

Conceptual Framework (45 pages)
Chapter 1: Introduction (purpose, cross‐reference to other frameworks, responsibilities)
Chapter 2: Fundamentals (multitiered risk mgmt., control baselines, external service providers)
Chapter 3: Process (selecting control baselines, documenting selection)

Annex D Baseline Controls (39 pages)
• 18 Control Families
• Multiple Sub‐Domains (3 control domains)

Control Identifiers &  Family Names 

18 Control Families 

NIST Risk Management Framework

Risk Management Framework

FIPS 199 Security Categories

Security Objective   Potential Adverse Impact: Low   Moderate   High
Confidentiality      Limited                         Serious    Severe or Catastrophic
Integrity            Limited                         Serious    Severe or Catastrophic
Availability         Limited                         Serious    Severe or Catastrophic

Security Category of an information/system type = {(C, impact), (I, impact), (A, impact)}

Comparing ISO with NIST

Side‐by‐Side Comparison

Reference Documents

ISO 27001:2013 reference documents (pages)
• ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements (25)
• ISO/IEC 27002:2013 Information technology — Security techniques — Code of practice for information security controls (80)
• ISO/IEC 27005:2011 Information technology — Security techniques — Information security risk management (68)

NIST 800‐53, Revision 4 reference documents (pages)
• FIPS 199 Standards for Security Categorization of Federal Information and Information Systems (9)
• NIST 800‐53, R4 Security and Privacy Controls for Federal Information Systems and Organizations (460)
• NIST 800‐39 Managing Information Security Risk (88)

Management Clauses and Controls

ISO 27001:2013
• Clauses (implement, operate, monitor, and review): 10
• Annex(es): 1
• Control Domains: 14
• Controls: 114

NIST 800‐53, Revision 4
• Chapters (introduction, fundamentals, process): 3
• Annex(es): 10
• Control Domains (Baseline, Security, Privacy Controls): 18
• Controls, Baseline*: 260 (1491**)

* Some controls may be discontinued.
** Total number of controls, including sub‐controls/enhancements, estimated at 1491

Basis for Controls Selection

ISO 27001:2013
1. Results of Risk Assessment
2. Compliance Requirements: legal, regulatory, contractual, and business requirements

NIST 800‐53, Revision 4
1. Criticality of information stored, processed, or transmitted by systems
2. Sensitivity of information stored, processed, or transmitted by systems

NIST Security Category of an information/system type = {(C, impact), (I, impact), (A, impact)}
Applicable values for potential impact are: low, moderate, or high

Best of Both Worlds

Integration of ISO  27001 and NIST

Poll Question 4

Integrate By Mapping Controls

Three‐stage process
1. Implement and certify ISO 27001 Information Security Management System (ISMS)
2. Map ISO 27001 applicable controls to NIST 800‐53 baseline security controls on the ISMS Statement of Applicability (SoA)
3. Use the annual ISMS surveillance audit to integrate and demonstrate compliance with NIST 800‐53

Example 1: Controls Mapping

ISO/IEC 27001:2013: Asset Management

A.8.1.1 Inventory of Assets: Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.

NIST 800-53, Rev 4
• CM-8 INFORMATION SYSTEM COMPONENT INVENTORY
• CM-8 (1) INFORMATION SYSTEM COMPONENT INVENTORY | UPDATES DURING INSTALLATIONS / REMOVALS
• CM-8 (2) INFORMATION SYSTEM COMPONENT INVENTORY | AUTOMATED MAINTENANCE

Example 2: Controls Mapping

ISO/IEC 27001:2013: Access Control

A.9.1.1 Access Control Policy: An access control policy shall be established, documented and reviewed based on business and information security requirements.

NIST 800-53, Rev 4
• AC-1 ACCESS CONTROL POLICY AND PROCEDURES
• AC-2 ACCOUNT MGT
• AC-3 ACCESS ENFORCEMENT
• AC-3 (1) ACCESS ENFORCEMENT | RESTRICTED ACCESS TO PRIVILEGED FUNCTIONS
• AC-5 SEPARATION OF DUTIES
• AC-6 LEAST PRIVILEGE

Example 3: Controls Mapping

ISO/IEC 27001:2013: Key Management

A.10.1.2 Key Management: A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.

NIST 800-53, Rev 4
• AC-3 (6) ACCESS ENFORCEMENT | PROTECTION OF USER AND SYSTEM INFORMATION
• SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
• SC-12 (4) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | PKI CERTIFICATES

Example 4: Controls Mapping

ISO/IEC 27001:2013: Vendor Management

A.15.2.1 Monitoring and Review of Supplier Services: Organizations shall regularly monitor, review and audit supplier service delivery.

NIST 800-53, Rev 4
• SA-9 EXTERNAL INFORMATION SYSTEM SERVICES

What it takes

Firm Case Study  Implementing ISO 27001

Why adopt ISO 27001?

Client requirements (OCGs, questionnaires, audits)

Improve security program

Flexibility and recognition of ISO 27001 framework

ISO 27001 Benefits

• Formalize and focus security program
• Prioritize key services and risks
• Facilitate client audits (sometimes sufficing for the requirement)

ISMS Scope

Document Management  Service

Email Service

Remote Access  Services

Mobile Device  Management  Service

Resource Requirements

Chair and Management Liaison: Chief Information Officer

Deputy Chair: Director of Global Infrastructure and Security

Team Lead: Sr. Manager for Information Security

Risk Management Team for Each In‐Scope Asset

Time to Implement and Certify

Month 1: ISMS Scope. Scope determines resources. Start with critical systems.

Month 2: Asset Inventory. Document assets and owners.

Months 3‐5, 7 and 9: remaining tasks, in order
• Roles & Responsibilities: Assign and document roles.
• Risk Assessment: Assess risks on in‐scope services; define treatment plan.
• Compliance Requirements: Define legal, regulatory, contractual obligations.
• Statement of Applicability: Control selection driven by risk and compliance.
• Monitor and Review: Process for evaluation, mgt review and corrective actions.
• Internal Audit: Conduct internal audit.
• Certification: Conduct 2 certification audits.

Advice to Firms Considering ISO 27001

Develop Policies and Procedures
• Documentation central to audit
• Policies often spread across local teams

Assign Responsibility
• Person responsible to collect data
• Owners for specific services + controls

Plan Ahead
• Identify domains requiring most work
• Schedule regular progress meetings

Stay on Top of Deliverables
• Follow‐up with team members early and often

Continual Improvement

ISMS Life Cycle: Implement, Operate, Monitor, Review, Improve

• Bi‐monthly team meetings addressing key initiatives
• Incorporate security into change control + project management following ISO 27002 guidelines
• Focus security awareness initiatives

Integration with NIST 800‐53

ISMS Life Cycle (Continual Improvement): Implement, Operate, Monitor, Review, Improve

• Centralize ISO + NIST efforts
• Simplify compliance with NIST controls
• Certify compliance during annual ISO surveillance audit

Statement of Applicability

Map NIST controls to  ISO controls to satisfy  business compliance  requirements

Q&A: Kathryn Hume, Michael Johnson, Doug Kersten
