Security Policy Primer: ISO/NIST or COBIT/ITIL
Security Policies and Standards (Process)
Common uses of Information Security frameworks
• ISO 27002 – ISO/IEC 27002 is an information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC), entitled Information technology – Security techniques – Code of practice for information security management. ISO/IEC 27002:2005 has developed from BS7799, published in the mid-1990s. ISO/IEC 27002 provides best practice recommendations on information security management for use by those responsible for initiating, implementing or maintaining information security management systems (ISMS). (Wikipedia, 2014)
ISO 27002 is commonly used by international organizations that rely on other ISO certifications, such as the ISO 9000 series quality standard for manufacturing processes. It is also common among European businesses operating internationally, and it is currently used by organizations all over the world.
• COBIT – Control Objectives for Information and Related Technology (COBIT) is a framework created by ISACA for information technology (IT) management and IT governance (IT Governance Institute). COBIT provides a comprehensive control framework to align business and technical risks.
COBIT is a control framework commonly used by IT auditors, and as such COBIT is popular with audit-centric organizations, such as financial institutions.
• NIST – The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the United States Department of Commerce. NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Management Act of 2002 (FISMA). NIST publications attempt to standardize a set of processes to protect federal systems not involved in national security, and they are commonly used by federal and state agencies.
• ITIL – The Information Technology Infrastructure Library (ITIL) is a set of IT service management (ITSM) practices that align IT services with business needs. ITIL is published as a series of five core volumes, covering the different stages of the ITSM lifecycle.
ITIL is most commonly used by IT service providers; however, it is common to use some components of ITIL in many industries.
Purpose of various frameworks:
• ISO 27002 – ISO 27002 provides an advisory standard meant to be applied for all types and sizes of organizations, based on the information security risks specific to that organization.
• COBIT – The COBIT framework provides standardized control frameworks that auditors can use to compare the state of information security between systems and organizations. COBIT covers 5 key principles and 7 enablers: principles, policies and frameworks; processes; organization; culture; information; services; and competencies.
• NIST – The special publications SP 800-37 and SP 800-53 address the risk management framework and information security controls. They can be applied to organizations other than the federal government.
• ITIL – ITIL provides five core volumes: service strategy, service design, service transition, service operation, and continual service improvement. Though no specific information security program is described, ITIL provides recommendations to align service operations with the organization's operational and business needs.
Strengths:
• ISO 27002 – ISO provides specific guidelines to build an Information Security Management System (ISMS) that can be customized for many types of organization. The strength of ISO is that it is an internationally recognized standard and is not specific to an industry.
• COBIT – The COBIT framework is continuously developed by ISACA. The latest publications include controls for cloud computing environments and virtualization. ISACA membership and COBIT framework publications are very inexpensive.
• NIST – NIST publications are available from the NIST.gov website free of cost, making adoption of the standard affordable for smaller organizations.
• ITIL – ITIL standardizes the service delivery framework, so people trained in ITIL processes can provide standardized services to customers, reducing customer frustration from receiving different levels of service.
Weaknesses
• ISO 27002 – The standard is quite expensive to obtain. The certification process requires a third party, and the audit verifies the existence of procedures and policies; it is not an extensive audit of whether the procedures are being followed on a daily basis.
• COBIT – COBIT control frameworks can be quite restrictive for industries that rely on innovation. For example, its data classification and encryption requirements may not be the best fit for technology companies that rely on easy sharing of information and collaboration channels such as social media.
• NIST – NIST provides separate publications on information security and risk management, which may be outdated, as key changes to infrastructure such as cloud computing have not been addressed in NIST standards.
• ITIL – ITIL does not provide any specific security guidance for an ISMS, or a framework to assess an ISMS.
Certification
• ISO 27002 – Organizations can obtain certification from ISO-certified partners on different aspects of operations. For example, IT security operations can obtain ISO 27002 certification by passing an audit. These certifications have to be renewed through regular audits.
• COBIT – The COBIT 5 Certified Assessor program provides professionals with the training required to perform COBIT-based IT process assessments.
• NIST – Federal and state auditors can validate compliance with NIST frameworks through regular audits. No certification is provided directly by NIST.
• ITIL – ITIL provides four levels of certification: Foundation, Intermediate, Expert, and Master. The Expert and Master levels may require practical examinations along with computer- or paper-based testing.
Uses
• ISO 27002 – ISO 27002 is the best fit for international organizations; however, it can serve as a baseline for building an ISMS for any organization, through its Plan-Do-Check-Act (PDCA) model.
• COBIT – The COBIT 5 Certified Assessor program is helpful for assessing the strength of controls according to COBIT 5, and it may be useful for organizations of all sizes.
• NIST – Several US government agencies are required to comply with NIST standards. Non-government organizations that deal with federal grants may also be required to comply with the NIST framework as part of their contract.
• ITIL – ITIL, together with ISO 27002, can be beneficial for organizations seeking to provide a standardized security program for their stakeholders.
Policy Recommendations:
Based on the framework discussions above, we are including the following three policy statements as examples of policies the organization should develop.
1. Access Control Policy: Remote access is limited to authorized users and applications. Account re-certifications have to be performed for all user accounts. Access control reviews for all confidential records should be performed, and unauthorized accounts should be removed.
Role-based authorization should be granted to critical applications. Potential toxic combinations of access should be reviewed, so that the principle of least privilege, separation of duties and dual control are enforced.
Remote access should only be allowed for users with a minimum of two-factor authentication credentials. This can be accomplished with employee badges carrying a smart card or biometric identification and a PIN, in addition to the system password. Physical access to data centers and areas with network access should be restricted.
Relevant framework: The policy statements are in compliance with the following ISO 27002 objectives:
11.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized access to information systems.
11.2.2 Privilege management
Control: The allocation and use of privileges shall be restricted and controlled
A.11.4.2 User authentication for external connections
Control: Appropriate authentication methods shall be used to control access by remote users.
Additional Justification: The Health Insurance Portability and Accountability Act (HIPAA) requires that organizations take reasonable precautions to limit access to protected health information (PHI) and personally identifiable information (PII). 42 USC Section 1320d-2(d)(2) of the HIPAA act establishes three security principles: “maintain reasonable and appropriate administrative, technical, and physical safeguards”. Establishing technical, physical and administrative safeguards for access control is therefore justified to comply with HIPAA, and the ISO framework can help with the implementation.
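The access control policy above calls for two recurring checks: a review of toxic access combinations (so that least privilege, separation of duties and dual control hold) and periodic account re-certification. The script below is an added example, not code from the article; the role names, permission names, toxic pairs and the 365-day re-certification window are constructed assumptions. It resolves each user's roles to effective permissions, flags any toxic pair that the combination grants (naming the roles that contribute each side, so a reviewer knows what to remove), and flags accounts whose last re-certification is older than the window.

```python
"""Access-review helper for a least-privilege / separation-of-duties policy.
Added illustration, not the article's code: role names, permissions,
toxic pairs and the 365-day re-certification window are constructed
assumptions for the example."""
from datetime import date

# Constructed role -> permission mapping (hypothetical names).
ROLE_PERMISSIONS = {
    "ap_clerk":      {"vendor.create", "invoice.enter"},
    "ap_approver":   {"invoice.approve", "payment.release"},
    "ap_auditor":    {"invoice.read", "payment.read"},
    "db_admin":      {"db.schema.alter", "db.backup"},
    "app_developer": {"code.commit", "db.schema.alter"},
}

# Permission pairs one person must never hold together (dual control /
# separation of duties). Constructed examples.
TOXIC_PAIRS = [
    ("vendor.create", "payment.release"),  # create a payee and pay it
    ("invoice.enter", "invoice.approve"),  # enter and approve the same invoice
    ("code.commit", "db.backup"),          # change code and export production data
]

RECERT_MAX_AGE_DAYS = 365  # assumption: annual account re-certification


def effective_permissions(roles):
    """Union of permissions granted through all of a user's roles."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def granting_roles(roles, permission):
    """Which of the user's roles carry a permission, so the reviewer
    knows which assignment to remove."""
    return sorted(r for r in roles if permission in ROLE_PERMISSIONS.get(r, ()))


def toxic_combinations(roles):
    """Toxic pairs present in the permissions these roles grant."""
    perms = effective_permissions(roles)
    hits = []
    for a, b in TOXIC_PAIRS:
        if a in perms and b in perms:
            hits.append((a, b, granting_roles(roles, a), granting_roles(roles, b)))
    return hits


def review_accounts(users, today):
    """Run the review. Each finding is (user, kind, detail), where kind is
    'toxic_combination' or 'recert_overdue'."""
    findings = []
    for user in users:
        for a, b, via_a, via_b in toxic_combinations(user["roles"]):
            detail = f"{a} (via {','.join(via_a)}) + {b} (via {','.join(via_b)})"
            findings.append((user["name"], "toxic_combination", detail))
        age_days = (today - user["last_recertified"]).days
        if age_days > RECERT_MAX_AGE_DAYS:
            findings.append((user["name"], "recert_overdue",
                             f"{age_days} days since last review"))
    return findings


# Constructed sample user records.
SAMPLE_USERS = [
    {"name": "alice", "roles": ["ap_clerk", "ap_approver"],   "last_recertified": date(2024, 1, 15)},
    {"name": "bob",   "roles": ["app_developer", "db_admin"], "last_recertified": date(2022, 3, 1)},
    {"name": "carol", "roles": ["ap_auditor"],                "last_recertified": date(2024, 2, 1)},
]


def run_sample_review():
    """Review the constructed sample as of a fixed date (2024-06-01)."""
    return review_accounts(SAMPLE_USERS, date(2024, 6, 1))


if __name__ == "__main__":
    for user, kind, detail in run_sample_review():
        print(f"{user:8} {kind:18} {detail}")
```

Conflicts are defined on permissions rather than on role names so that a toxic pair is still caught when it arrives through two innocuous-looking roles; in the sample, alice's clerk and approver roles together let her create a vendor and release payment to it.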
2. Log Management Policy: The log management policy establishes retention requirements for all system and access logs for a minimum period of one year. Any exception to this policy will have to be approved by the Chief Security Officer.
Relevant frameworks: The policy statements are in compliance with the following sections of the ISO 27002 standard:
10.10 Monitoring
Objective: To detect unauthorized information processing activities.
10.10.1 Audit logging
Control: Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring.
10.10.3 Protection of log information
Control: Logging facilities and log information shall be protected against tampering and unauthorized access.
Additional Justification: The Economic Stimulus Act of 2009 significantly expanded the scope of HIPAA requirements. The HITECH provisions of the act expanded HIPAA regulations to include mandatory data breach notifications, heightened enforcement, increased penalties and expanded patient rights. As a result, healthcare providers and business associates that have access to Protected Health Information (PHI) need new and enhanced tools to ensure compliance, reduce the risk of privacy breaches and reduce the overall risk of sanctions and penalties (HIPAA/HITECH Compliance). Having sufficient logs is crucial to show due diligence in investigating a data breach and to conclusively determine its root cause.
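Controls 10.10.1 and 10.10.3 above ask for two properties that a log store can demonstrate concretely: entries are kept for an agreed period, and the stored entries are protected against tampering. The following is an added example, not the article's code; the record layout, the one-year retention floor and the sample events are constructed assumptions. Each entry carries the SHA-256 hash of the previous entry plus its own content, so that editing, reordering or deleting any record makes `verify()` fail at the first affected index, and `must_retain()` returns the entries still inside the retention window.

```python
"""Tamper-evident, retention-aware log store for a log management policy.
Added illustration, not the article's code: the record layout, the
one-year retention floor and the sample events are constructed."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 365   # assumption: policy minimum of one year
GENESIS = "0" * 64     # hash the first record links to


def _digest(prev_hash, record):
    """SHA-256 over the previous hash plus a canonical JSON form of the record,
    so any change to content or chain order alters this and every later hash."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


class ChainedLog:
    def __init__(self):
        self.entries = []  # each: {"record": {...}, "prev": hash, "hash": hash}

    def append(self, ts, actor, event):
        record = {"ts": ts.isoformat(), "actor": actor, "event": event}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"record": record, "prev": prev,
                             "hash": _digest(prev, record)})

    def verify(self):
        """Walk the chain from GENESIS. Returns (True, None) if intact,
        else (False, index of the first entry that does not check out)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or _digest(prev, e["record"]) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None

    def must_retain(self, now):
        """Entries still inside the retention window. The window is a floor:
        the policy says keep at least a year, so older entries may be
        archived but nothing inside the window may be purged."""
        cutoff = now - timedelta(days=RETENTION_DAYS)
        return [e for e in self.entries
                if datetime.fromisoformat(e["record"]["ts"]) >= cutoff]


def build_sample_log():
    """Constructed sample events (PHI record id is a placeholder)."""
    log = ChainedLog()
    t0 = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
    log.append(t0, "alice", "login")
    log.append(t0 + timedelta(minutes=5), "alice", "read PHI record 1234")
    log.append(t0 + timedelta(minutes=9), "bob", "login failed")
    return log


def tamper_demo():
    """Show that both an in-place edit and a deletion are detected.
    Returns (verify result after edit, verify result after deletion)."""
    edited_log = build_sample_log()
    edited_log.entries[1]["record"]["actor"] = "mallory"   # rewrite history
    deleted_log = build_sample_log()
    del deleted_log.entries[1]                             # drop a record
    return edited_log.verify(), deleted_log.verify()


def retention_demo():
    """Entries that must be retained nine months later vs. two years later."""
    log = build_sample_log()
    soon = datetime(2025, 3, 1, tzinfo=timezone.utc)
    later = datetime(2026, 7, 1, tzinfo=timezone.utc)
    return len(log.must_retain(soon)), len(log.must_retain(later))


if __name__ == "__main__":
    print("intact:", build_sample_log().verify())
    print("after edit / after delete:", tamper_demo())
    print("must retain (9 months, 2 years):", retention_demo())
```

A hash chain only proves that the log you hold is the log that was written; it does not stop an attacker with write access from replacing the whole chain. In practice the latest hash is periodically copied somewhere the log writer cannot modify (a separate system, a signed checkpoint), which is what turns this into the protection 10.10.3 asks for.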
3. Security Monitoring Policy: The security monitoring system will be configured to alert administrators when a single account requests an excessive number of records over a period of time. The Security Operations team will investigate real-time alerts and document the activities for management review.
Relevant framework: The policy statement is in compliance with the following ISO 27002 section:
10.10.2 Monitoring system use
Control: Procedures for monitoring use of information processing facilities shall be established and the results of the monitoring activities reviewed regularly.
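The monitoring policy above is a per-account rate rule: alert when one account pulls more records than an agreed threshold inside a time window. The detector below is an added example, not the article's code; the log line format, the threshold (200 records in a 10-minute window) and the sample lines are constructed. It parses lines as they arrive, keeps a sliding window of record counts per account, raises one alert per burst rather than one per subsequent line, and ignores malformed lines and non-read actions. The threshold and window are parameters, so the same function covers stricter or looser rules than the sample one.

```python
"""Sliding-window detector for excessive record requests by one account.
Added illustration, not the article's code: the log format, the
threshold/window and the sample lines are constructed assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format: "<ISO timestamp> user=<id> action=<name> count=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) count=(?P<count>\d+)$")

WINDOW = timedelta(minutes=10)   # assumption: observation window
THRESHOLD = 200                  # assumption: records per window per account


def parse_line(line):
    """Return (timestamp, user, action, count) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["user"], m["action"], int(m["count"])


def detect(lines, window=WINDOW, threshold=THRESHOLD):
    """Stream lines in time order; return one alert per account per breach.
    After an alert the account's window is cleared so a single burst yields
    a single alert instead of one per following line."""
    per_user = defaultdict(deque)   # user -> deque of (ts, count) inside window
    totals = defaultdict(int)       # user -> sum of counts inside window
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                # malformed line: skipped, not counted
        ts, user, action, count = parsed
        if action != "record_read":
            continue                # only record reads feed the rule
        q = per_user[user]
        q.append((ts, count))
        totals[user] += count
        while q and ts - q[0][0] > window:      # expire old reads
            _, old_count = q.popleft()
            totals[user] -= old_count
        if totals[user] > threshold:
            alerts.append({"user": user, "at": ts.isoformat(),
                           "records_in_window": totals[user]})
            q.clear()
            totals[user] = 0
    return alerts


# Constructed sample log, already in time order. bob's three reads within
# four minutes exceed the threshold; carol's two large reads are 20 minutes
# apart and so never share a window; alice is steady low-volume use.
SAMPLE_LINES = """\
2024-06-01T09:00:00 user=alice action=login count=0
2024-06-01T09:00:10 user=alice action=record_read count=30
2024-06-01T09:00:20 user=bob action=record_read count=80
2024-06-01T09:00:30 user=carol action=record_read count=150
2024-06-01T09:02:00 user=bob action=record_read count=90
2024-06-01T09:03:00 user=alice action=record_read count=30
this line is not a well-formed log record
2024-06-01T09:04:00 user=bob action=record_read count=50
2024-06-01T09:06:00 user=alice action=record_read count=30
2024-06-01T09:20:30 user=carol action=record_read count=120
2024-06-01T09:30:00 user=bob action=record_read count=30
""".splitlines()


def run_sample(threshold=THRESHOLD):
    """Run the detector over the constructed sample with a given threshold."""
    return detect(SAMPLE_LINES, threshold=threshold)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"ALERT {alert['user']} at {alert['at']}: "
              f"{alert['records_in_window']} records in {WINDOW}")
```

Each alert carries the account, the time and the count in the window, which is the minimum the Security Operations team needs to open an investigation and later document it for management review; lowering the threshold to 100 in the sample makes carol's individual pulls and bob's second read trip the rule as well.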
Opinions expressed are personal, and do not reflect employer's endorsement.
Thanks Daniel, you can follow me on LinkedIn for new articles.
Excellent article!