Purpose and Scope of ISO 27002 Information Technology Essay
Originally, the basis of ISO 27002 was a document published by the UK government, which was re-published in 1995 by BSI as BS7799 and became a proper standard. It was again re-published as ISO 17799 by the ISO in the year 2000 which made it an international standard. Then in 2005, a new version of ISO 17799 was published by ISO along with a new publication, ISO 27001. [1]
Both of these documents, ISO 27002 and ISO 27001, are intended to be used together, as one complements the other. Basically, the ISO 27002 standard is a code of practice for information security which outlines all the potential controls and control mechanisms that may theoretically be implemented, with the guidance provided within ISO 27001. The mandatory requirements for an Information Security Management System (ISMS) are formally defined by ISO 27001, whereas the suitable information security controls within the ISMS are given by ISO 27002, which is a set of guidelines rather than a certification standard. Organizations are free to select and implement alternative controls or to ignore any of the controls, as none of them are mandatory; but if an organization chooses not to adopt something as basic as, say, antivirus controls, it should be prepared to justify that decision through a rational risk management process if it anticipates being ISO 27001 certified. “ISO 27001 incorporates a summary of controls from ISO 27002 under its Annex A. In practice, organizations that adopt ISO 27001 also substantially adopt ISO 27002.” [3][1]
The standard “establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization”. A formal risk assessment is required to identify the specific requirements which are addressed by the controls listed in the standard. The standard also provides a guide for the development of “organizational security standards and effective security management practices and to help build confidence in inter-organizational activities”. [1]
Purpose and Scope of ISO 27002
The main purpose of ISO 27002 is to provide a comprehensive information security management program for any organization which either requires a new information security management program or wants to improve its existing information security policies and practices. The standard gives recommendations for managing information security to the people who are responsible for initiating, implementing and maintaining information security in any organization. ISO/IEC recommends that every organization should consider each of these practices when it establishes or improves its information security management program. However, the implementation of each and every security practice is not necessary, as every company has a unique set of information security risks and its requirements will also differ. So, a company can pick and choose the information security practices that suit its own security requirements and ignore the ones that do not apply to it. [2]
Information security is a broad topic and therefore ISO 27002 has ramifications for all types of organisations, including commercial enterprises of all sizes, non-profit organizations, government agencies, charities, and any other organization that handles and depends on information. [3]
Contents of ISO 27002
ISO 27002 lays out a reasonably well structured set of suggested controls to address information security risks which covers confidentiality, integrity and availability aspects. [3]
Structure
Risk Assessment and Treatment
Security Policy
Organization of Information Security
Asset Management
Human Resources Security
Physical Security
Communications and Ops Management
Access Control
Information Systems Acquisition, Development, Maintenance
Information Security Incident management
Business Continuity
Compliance
Following is a structure of ISO/IEC 27002 which shows the controls in each section, out of which HR security and physical security will be discussed in detail.
(Figure: ISO/IEC 27002 control mind map; image at http://www.iso27001security.com/assets/images/ISO_27002_mind_map_780.gif)
Physical and environmental security
This section focuses on the physical aspects of the security of information as well as of information systems. For maintaining the confidentiality, integrity and availability of information, a proper physical environment for systems, records and staff is crucial. [4]
Physical security of information and information systems not only means protecting them from unauthorised physical access by people, but also means protecting them from other physical and environmental elements. The protection of IT equipment is also essential to protect the information and information systems from damage by accidents or sabotage. [4]
“Maintenance of the physical operating environment in a computer server room is as important as ensuring that paper records are not subject to damage by mould, fire or fading.” This can be done by the use of supporting equipment such as air conditioning plant or mains services. Physical controls also rely on the building structure to some extent, which makes them difficult to manage, but a good physical security policy is still always very effective. [4]
Objectives [5]
To use secure areas to protect facilities and special controls to safeguard supporting facilities.
To use physical methods to protect the organization’s information and premises from unauthorized access, intentional and unintentional damage, and interference.
To keep the organization’s critical or sensitive information processing facilities in secure areas, by using defined security perimeters, applying appropriate security barriers and using proper entry controls.
To make sure that the physical protection methods used are proportionate to the identified security risks of the organization.
To protect the organization’s equipment from damage, loss, theft, physical threats and environmental threats in order to avoid interruptions to work as well as unauthorized access to the organization’s information.
To use proper disposal and secure siting strategies to protect the organization’s equipment. [5]
Secure areas
The objective of this category is to prevent unauthorized physical access, damage or interference to the premises and infrastructure of the organization by using controls appropriate to the identified risks and the value of the protected assets.
Authorities: ISO-27002:2005 9.1; HIPAA 164.310(a)(1) [6] [7]
Physical security perimeter [6] [7]
Areas that contain information and information processing facilities should be protected by securing the perimeters using walls, manned reception, controlled entry gates and doors, and other measures. Control includes:
Perimeter strength should be determined by risk assessment, and the perimeter should be clearly defined and marked, unless disguised or hidden perimeters are required to enhance security.
The premises should have physically sound walls, doors and windows and should be protected with bars, locks and alarms as suitable. To prevent physical contamination and unauthorized access, additional physical barriers should be put in place wherever appropriate.
Intrusion detection systems like motion detection and perimeter alarms should be used, as well as audio and video surveillance wherever appropriate.
Appropriate measures and policies to protect the premises against fire, water or other environmental threats should be in place.
The reception areas should be manned, with proper locks and ID systems in place to control passage into restricted areas.
There should be sufficient redundancy in the design to avoid a compromise of security due to a single point of failure, and regular maintenance and review of the adequacy of these physical protections.
Authorities: ISO-27002:2005 9.1.1.; HIPAA 164.310(a)(1) [6] [7]
Physical entry control [6] [7]
Appropriate entry controls should be put in place to protect the secure areas and to make sure that access is given only to authorized personnel. Control includes:
Authentication mechanisms such as key card, PIN, fob, etc. should be used according to the identified risks and the value of the protected assets.
Wherever appropriate, date/time logs of entry and exit, as well as video recording of activities in the entry/exit area, should be kept.
An appropriate security policy should require authorized personnel to wear visible identification and to report people without such identification.
Third-party personnel who are given access to the restricted area should be subject to appropriate authorization and monitoring procedures.
All of the above controls should be reviewed regularly and, when indicated, access rights should be revoked.
Authorities: ISO-27002:2005 9.1.2.; HIPAA 164.310(a)(1) [6][7]
Secure offices, rooms and facilities [6]
Physical security for offices, rooms and facilities should be designed and implemented. Control includes:
Security measures and policies should be in accordance with the value of the protected assets and the corresponding identified risks in each setting.
The measures used should be balanced against applicable health and safety as well as other related regulations and standards.
Highly visible controls should be used, wherever appropriate, as a deterrent.
For highly sensitive assets, unobtrusive or hidden facilities can be used wherever appropriate.
Information about the facilities, such as directory and location information, should have restricted access.
Authorities: ISO-27002:2005 9.1.3. [6]
Protecting against external and environmental threats [6]
Design and implementation of physical protection against damage from natural and man-made risks like fire, flood, explosion, wind, earthquake, civil unrest, etc. should be considered carefully. Control includes:
The various types of risks and the value of the assets protected against those risks should be evaluated by calculating the probability of the risks.
Threats posed by neighbouring facilities and structures should also be considered.
Appropriate equipment for fire-fighting and other counter-measures should be provided and suitably located on site.
Suitable backup facilities and redundant copies of data should be available in a suitable location off-site.
Authorities: ISO-27002:2005 9.1.4. [6]
Working in secure areas [6]
There should be proper planning and implementation of physical security, and safe procedures for working in the secure areas should be in place. Control includes:
Only limited personnel should be aware of the secure location, and their knowledge should be limited to what their role requires.
For safety purposes, the secure areas should always be supervised and all work in the secure areas should always be monitored, both for safety and to avoid any unauthorized activity.
Areas within the secure area that are not in use should be kept locked and monitored remotely through video surveillance. These areas should also be inspected regularly.
Audio, video and other recording equipment should not be allowed within the secure areas.
Authorities: ISO-27002:2005 9.1.5. [6]
Public access, delivery and loading access
All entry and exit points, including any access areas for loading and delivery, should be tightly controlled against unauthorized access to the premises. Control includes:
Access to all public areas, as well as the areas used for delivery, loading, unloading, etc., should be limited.
Shipments and any other materials delivered to the premises should be thoroughly examined and should be separated from the ones going out of the premises.
All information processing and storage facilities should be isolated from these access areas as far as possible.
Authorities: ISO-27002:2005 9.1.6. [6]
Equipment security [6] [7]
This section deals with the protection of the organization’s equipment from theft, damage, loss, etc. to safeguard the assets of the organisation and to avoid interruption of work.
Authorities: ISO-27002:2005 9.2; HIPAA 164.310(a)(1) [6][7]
Equipment location and protection
An organization’s equipment should be protected against environmental threats and hazards as well as human threats. This should be done by managing the siting and protection of the equipment so as to reduce environmental risks and opportunities for unauthorized access. Control includes:
Siting of equipment should be managed such that unnecessary risks to the equipment are curtailed and the need for access to sensitive areas is minimized.
There should be individual measures to manage and minimize all physical threats like fire, water, smoke, electromagnetic radiation, theft, damage, electrical variance, etc.
Equipment that requires special protection should be isolated from equipment that requires only general protection.
There should be proper guidelines for activities like eating, drinking, smoking or other activities in the vicinity of equipment, to prevent physical damage such as liquid spillage, fire, etc.
Authorities: ISO-27002:2005 9.2.1.; HIPAA 164.310(c) [6] [7]
Supporting utilities [6]
The safety of equipment also depends upon protection from the disruption caused by failure of supporting utilities like telecommunications, power, water supply, sewage, HVAC, etc. Control includes:
Under normal operating conditions, the supporting utilities should be sufficient to support all the equipment properly.
To avoid disruption to work or damage to the equipment in the case of failure of any supporting utility, backup facilities like a UPS should be available.
Authorities: ISO-27002:2005 9.2.2. [6]
Cabling security [6]
It is extremely important to protect the telecom cables that carry sensitive information, as well as the power cables that support the information services and other equipment, from damage or interception. Control includes:
Cabling should be protected by physical methods to avoid any damage or unauthorised interception, and critical systems should be provided with additional security measures.
There should be backup power cabling and redundant routing of transmission media, especially for critical systems.
Cables and equipment should have clear markings for identification, unless it is required to hide the markings in order to enhance security.
All maintenance activities like patching, updating, upgrading, rebooting, etc. should be documented.
Authorities: ISO-27002:2005 9.2.3. [6]
Equipment maintenance [6]
Proper and regular maintenance of equipment is key to continued system availability as well as integrity. Control includes:
Maintenance should include proper security measures, such as supervised maintenance in accordance with the sensitivity of the information or the criticality of the equipment, clearing of information before maintenance, and maintenance performed only by authorized personnel or contracted third parties.
Preventive maintenance should be carried out with documentation of all maintenance activities, including scheduled maintenance, along with documentation of all suspected or actual faults and the associated measures.
Authorities: ISO-27002:2005 9.2.4. [6]
Security of equipment off-premises [6] [7]
The protection of off-site equipment should be given higher priority than that of on-site equipment, considering the risks of working outside the organisation’s secure premises. Control includes:
The processing of the organisation’s information from off-site areas should be tightly controlled, with proper authorisation of every access.
Off-site equipment and equipment in transit, if any, should be properly protected and insured (if third-party insurance is cost effective), and the degree of protection should be proportional to the criticality of the equipment and the sensitivity of the information it carries or that can be accessed through it.
Staff and third-party contractors should be aware of their responsibilities towards the protection of the equipment and the information, as well as the risks involved in off-premises environments.
Authorities: ISO-27002:2005 9.2.5.; HIPAA 164.310(c) [6][7]
Secure disposal or re-use of equipment [6] [7]
Secure disposal of all equipment is a necessary practice for information security. All storage media in the equipment should be checked to ensure secure deletion or overwriting of sensitive data and licensed software before disposal or re-use. Control includes:
Secure deletion of data should be done using generally accepted methods, in accordance with the sensitivity of the data known or believed to be on the storage media.
Secure deletion of sensitive information should be done by appropriately trained personnel or should be verified by an information removal specialist.
Authorities: ISO-27002:2005 9.2.6.; HIPAA 164.310(d)(1) [6][7]
Removal of property [6] [7]
Removal of property should be strictly controlled, and prior authorization should be required to remove any equipment, software or information from the premises. Control includes:
The type and amount of information or equipment that may be taken off the premises should be limited, and should be controlled by logging the authorizations for removal of property and keeping an inventory of equipment and information taken off premises.
Personnel who are authorized to take equipment or information off the premises should be made aware of the security risks involved in off-site environments and should be given relevant training in appropriate controls and countermeasures.
Authorities: ISO-27002:2005 9.2.7.; HIPAA 164.310(d)(1) [6][7]
Human resources security (ISO)
Human resources security helps in reducing human error by defining job descriptions and resources. It ensures that staff understand what their rights and responsibilities are relating to information security. Most organisations require their staff to report security incidents and evident weaknesses.
Proper personnel security measures ensure:
“That employment contracts and staff handbooks have agreed”
“Ancillary workers, temporary staff, contractors and third parties are covered”
“Anyone else with legitimate access to business information or systems is covered”
To make an Information Security Management System effective, employee training is extremely vital. It must explain rights as well as responsibilities, for example access to individual files under the Data Protection Act. [8]
HR Security Objectives
Emphasize security prior to employment. [5]
Decrease the risk of theft, fraud, or misuse of facilities by making sure that all prospective employees or contractors understand their responsibilities and are suitable for the roles they will be given. This must be done before any of the above are allowed to use the facilities.
Use job descriptions, terms and conditions to specify the security responsibilities that new recruits will be asked to carry out.
All employees, contractors and third-party users must be screened before they are hired, especially when they will be asked to perform sensitive jobs.
All potential employees, contractors or third-party users must be asked to sign agreements that state what their security roles and responsibilities are. [5]
Emphasize security during employment. [5]
Highlight the need to protect information and reduce the risk of human error.
All employees, contractors and third-party users must be aware of information security threats and concerns.
Make employees, contractors and third-party users aware of their information security responsibilities and liabilities.
Make sure that employees, contractors and third-party users know how to support and apply your security policy during the course of their work.
Make managers responsible for ensuring that employees carry out their security responsibilities throughout the course of their employment with your organization.
All employees, contractors and third-party users must be provided with an adequate level of security education and training. They must be aware of the organisation’s security procedures.
Security risk can be minimized if employees, contractors and third-party users know how to use the organisation’s information processing facilities.
Establish a formal disciplinary process that must be used to handle security breaches. [5]
Emphasize security at termination of employment. [5]
Control how employees, contractors and third-party users are terminated or reassigned to other duties.
There must be a systematic procedure for employees, contractors and third-party users to follow when they leave the organisation or change their work assignment. Managers must be made responsible for controlling the procedure.
Ensure that all access rights are removed and equipment is returned when employees, contractors or third-party users are terminated or reassigned. [5]
Prior to employment
Prior to employment, organisations should ensure that everyone understands their responsibilities and is suitable for the roles for which they are considered. This will help in reducing theft, fraud or misuse of facilities.
Roles and responsibilities [9] [10]
According to the organisation’s information security policy, the roles and responsibilities of workers and contractors should be clear and documented. This includes:
The organization’s information security policy should be followed while executing the processes or activities particular to the individual’s role.
All information assets should be protected from unauthorised access, use, alteration, disclosure and destruction.
Possible security risks to the organisation and its assets must be reported as soon as possible.
Responsibility must be assigned to individuals for actions taken or not taken, according to the sanctions policy.
Authorities: ISO-27002:2005 8.1.1. [9]
Screening
A suitable background check, also known as “screening”, should be carried out for all candidates.
Control includes checks that are adequate for the organisation’s business needs and legal requirements. This should be done taking into account the information that will be accessed and the apparent risks. For example, in banks criminal and credit checks must be done.
Authorities: ISO-27002:2005 8.1.2.; HIPAA 164.308(a)(3)(ii)(B); [9][10]
Terms and conditions of employment
All staff, contractors and third-party users should sign and agree to the terms and conditions of employment, which must state their rights and responsibilities towards the organisation and information security. The signed agreement must include:
Information concerning the extent of access that the person will have to business information and their legal, regulatory and certificatory responsibilities (for example, under the Financial Services Authority in finance).
Information about the usage, classification and handling of the organisation’s sensitive data, both internally and externally.
Information about responsibilities outside the organization’s premises.
Information about the responsibilities of the organization for handling the person’s personal information, generated in the course of employment or by any other means.
Information about the organization’s disciplinary process and the consequences of not abiding by it. This includes providing the organizational code of conduct to the worker, contractor or third party. They should be required to sign, before access is given to information or information processing facilities, a:
“confidentiality or non-disclosure agreement; and/or”
“acceptable use of assets agreement”
Authorities: ISO-27002:2005 8.1.3. [9]
During employment [9] [10]
This category makes sure that everyone in the organisation is aware of the information security threats, their responsibilities and liabilities and is trained to support organizational security policy and to minimize human error.
Management responsibilities
Management should establish the policies and procedures of the business and should require every person to apply security controls accordingly. This includes:
Information security roles and responsibilities should be suitably communicated to everyone prior to allowing access to sensitive information. This can be done by providing rules that explain the expected security controls.
An appropriate level of knowledge of security controls must be achieved among all workers and contractors, applicable to their job roles.
Achieving a suitable level of skill to carry out those security controls.
Ensuring that everyone agrees to the terms and conditions of employment related to security.
Motivating adherence to the security policies of the organisation.
Ensuring that all people have only limited access to information and information facilities.
Authorities: ISO-27002:2005 8.2.1. [9]
Information security awareness, education and training
Training should be given to all employees, contractors and third-party personnel about the organisation’s security policy as well as the security procedures relevant to their job. Control includes:
Before being granted access to information and information systems, all employees must go through a formal induction procedure which must include information security training.
Providing ongoing training in security control requirements and legal, regulatory and certificatory responsibilities, appropriate to each person’s roles and responsibilities. This includes reminders that cover general security topics and discussion of specific security incidents that have occurred in the organisation’s history.
Appropriate efforts to increase and preserve awareness of security issues.
Authorities: ISO-27002:2005 8.2.2.; HIPAA 164.308(a)(5); [9][10]
Disciplinary process
Every company should have a proper disciplinary process for employees who have committed a security breach. This includes:
A rational, evidence-based standard for initiating investigations.
Suitable investigation processes, which include standards for gathering evidence and maintaining the chain of evidence.
Standards for establishing fault that ensure fair treatment of persons accused of a breach.
Corrective procedures that meet reasonable requirements for due process and quality of evidence.
Sanctions that aptly consider factors such as the nature of the breach, its impact on the company, whether it is a first or repeat offence, and whether or not the violator was correctly trained.
Authorities: ISO-27002:2005 8.2.3.; HIPAA 164.308(a)(1)(ii)(C); [9][10]
Termination or change of employment [9] [10]
“This section ensures that employees, contractors and third party users exit the organization, or change employment responsibilities within the organization, in an orderly manner.”
Termination responsibilities
Responsibilities for the termination or change of employment should be clearly defined and assigned. Control includes:
If responsibilities and duties change within the organisation, it should be processed as a termination of the previous position and a re-hire into the new position, and all the standard protocols should be used for both, unless stated otherwise.
All other co-workers, contractors and third parties should be informed about the change in the person’s status.
All post-employment responsibilities should be stated in the terms and conditions of employment, or in the contract for the contractor or third party.
Authorities: ISO-27002:2005 8.3.1.; HIPAA 164.308(a)(3)(ii)(B-C); [9][10]
Return of assets
After termination of employment or a contract, staff, contractors or third-party personnel should return all of the company’s assets given to them during the employment or contract. Control includes:
There should be a formal process for the return of the organisation’s assets, using checklists and inventory management.
The assets to be returned should include the organisation’s hardware, software and any kind of data.
If personal equipment was used by the worker, contractor or third party, then the organization’s data and software on that personal equipment should be securely removed.
Authorities: ISO-27002:2005 8.3.2. [9]
Removal of access rights [9] [10]
One of the most important parts of the employment or contract termination process is to remove the access rights to all information and information systems. Control includes:
A change of employment or contractual status should include the removal of the access rights associated with the old role and duties first, and then the creation of new access rights according to the new role and duties.
Access rights should be removed before the termination where appropriate and justified by the risks involved.
Authorities: ISO-27002:2005 8.3.3. [9]
Conclusion
To conclude, although ISO 27002 is a good set of guidelines for physical and environmental security as well as HR security, it is not mandatory for an organisation to follow all the guidelines, and it is left up to the organisation to follow them according to its convenience and requirements. This means that although a company might be following most of the guidelines of ISO 27002, it might still have a security hole, which leaves a big question mark over the ISO 27002 standard.
Another important point is that ISO 27002 is a generic standard and not an industry-specific standard. This means that the guidelines have to be adapted to each industry, which again might lead to some big holes in security. This issue is now being addressed by ISO, and thus the future plans for ISO 27002 mainly focus on the development of industry-specific versions for the health sector, manufacturing, etc. [1]
References
[1] http://www.27000.org/iso-27002.htm
[2] http://www.praxiom.com/iso-17799-intro.htm
[3] http://www.iso27001security.com/html/27002.html#Section1
[4] http://webarchive.nationalarchives.gov.uk/20091204141339/http://www.berr.gov.uk/whatwedo/sectors/infosec/infosecadvice/legislationpolicystandards/securitystandards/isoiec27002/section5/page33375.html
[5] http://www.praxiom.com/iso-17799-objectives.htm
[6] http://privacy.med.miami.edu/glossary/xd_iso_phys_env_sec.htm
[7] http://frwebgate.access.gpo.gov/cgi-bin/get-cfr.cgi?TITLE=45&PART=164&SECTION=310&TYPE=TEXT
[8] http://webarchive.nationalarchives.gov.uk/20091204141348/http://www.berr.gov.uk/whatwedo/sectors/infosec/infosecadvice/legislationpolicystandards/securitystandards/isoiec27002/section4/page33374.html
[9] http://privacy.med.miami.edu/glossary/xd_iso_hum_res_sec.htm
[10] http://frwebgate.access.gpo.gov/cgi-bin/get-cfr.cgi?TITLE=45&PART=164&SECTION=316&TYPE=TEXT
Image reference: http://www.iso27001security.com/assets/images/ISO_27002_mind_map_780.gif