Presentation laddar. Vänta.

Presentation laddar. Vänta.

Effektivt stöd för GRC med nya ISO Standarder Anders Carlstedt, Editor ISO/IEC 27002, 27005 & 28008 Partner, Amentor.

Liknande presentationer


En presentation över ämnet: "Effektivt stöd för GRC med nya ISO Standarder Anders Carlstedt, Editor ISO/IEC 27002, 27005 & 28008 Partner, Amentor."— Presentationens avskrift:

1 Effektivt stöd för GRC med nya ISO Standarder Anders Carlstedt, Editor ISO/IEC 27002, & Partner, Amentor

2 About Amentor A Swedish GRC professional services company, founded in 2004, servicing leading multinationals and government agencies - Active members in ISACA and SIS & ISO/IEC - PCI/QSA accredited - Provides ISO/IEC standards training and certification for professionals, e.g. Lead Auditor, Risk Manager

3 About Amentor

4 Om presentationen ”Effektivt stöd för GRC och säkerhets- åtgärder med nya ISO-standarder”

5 Områden

6 Bakgrund •Governance: –“The system by which organizations are directed and controlled.” (Cadbury 1992 and OECD 1999) –Corporate governance of IT •“The system by which the current and future use of IT is directed and controlled. •Risk –”Effect of uncertainty on objectives” •Compliance –(Comply) ”act in accordance with a wish or command: we are unable to comply with your request.”

7 Områden

8 Governance •ISO/IEC Governance of information security –”…provides guidance on concepts and principles for the governance of information security, by which organisations can evaluate, direct, monitor and communicate the information security related activities within the organisation. ”

9 Governance – Cobit 5

10 Information Security Governance

11

12 “Evaluate” is the governance process that considers the current and forecast achievement of security objectives based on current processes and planned changes, and determines where any adjustments are required to optimise the achievement of strategic objectives in future. •To perform the “evaluate” process, the governing body should: •ensure that business initiatives take into account information security issues, •respond to information security performance results, prioritize and initiate required actions. •To enable the “evaluate” process, executive management should: •ensure that information security adequately supports and sustains the business objectives, •submit new information security projects with significant impact to governing body.

13 Information Security Governance “Direct” is the governance process, by which the governing body gives direction about the information security objectives and strategy that need to be implemented. Direction can include changes in resourcing levels, allocation of resources, prioritisation of activities, and approvals of policies, material risk acceptance and risk management plans. •To perform the “direct” process, the governing body should: –determine the organisation’s risk appetite, –approve the information security strategy and policy, –allocate adequate investment and resources. –To enable the “direct” process, executive management should: –develop and implement information security strategy and policy, –align information security objectives with business objectives, –promote a positive information security culture.

14 Information Security Governance “Monitor” is the governance process that enables the governing body to assess the achievement of strategic objectives. •To perform the “monitor” process, the governing body should: –assess the effectiveness of information security management activities, –ensure conformance with internal and external requirements, –consider the changing business, legal and regulatory environment and their potential impact on information risk. •To enable the “monitor” process, executive management should: –select appropriate performance metrics from a business perspective, –provide feedback on information security performance results to the governing body including performance of action previously identified by governing body and their impacts on the organisation, –alert the governing body of new developments affecting information risks and information security.

15 Information Security Governance “Communicate” is the bi-directional governance process by which the governing body and stakeholders exchange information about information security, appropriate to their specific needs. To perform the “communicate” process, the governing body should: •report to external stakeholders that the organisation practices a level of information security commensurate with the nature of its business, •notify executive management of the results of any external reviews that have identified information security issues, and request corrective actions, •recognize regulatory obligations, stakeholders expectations, and business needs with regard to information security. •To enable the “communicate” process, executive management should: •advise the governing body of any matters that require its attention and, possibly, decision, •instruct relevant stakeholders on detailed actions to be taken in support of the governing body’s directives and decisions.

16 Information Security Governance “Assure” is the governance process by which the governing body commissions independent and objective audits, reviews or certifications. These will identify and validate the objectives and actions related to carrying out governance activities and conducting operations in order to attain the desired level of information security. •To perform the “assure” process, the governing body should: –commission independent and objective opinions of how it is complying with its accountability for the desired level of information security. •To enable the “assure” process, executive management should: –support the audit, reviews or certifications commissioned by governing body.

17 Information Security Governance •Principle 1: Establish organisation-wide information security •Principle 2: Adopt a risk-based approach •Principle 3: Set the direction of investment decisions •Principle 4: Ensure conformance with internal and external requirements •Principle 5: Foster a security-positive environment •Principle 6: Review performance in relation to business outcomes

18 Områden

19 Risk •ISO/IEC Riskhantering för informationssäkerhet –”…innehåller en beskrivning av processen för riskhantering för informationssäkerhet och de aktiviteter som den omfattar.”

20 Risk •En allmän översikt av processen för riskhantering för informationssäkerhet redovisas i avsnitt 6. –Fastställande av kontext i avsnitt 7, –Riskbedömning i avsnitt 8, –Riskbehandling i avsnitt 9, –Riskacceptans i avsnitt 10, –Riskkommunikation i avsnitt 11, –Övervakning och granskning av risker i avsnitt 12.

21 Risk

22

23 Risk – vs

24 Risk 27005

25 Risk •Ytterligare information om aktiviteter för hantering av informationssäkerhetsrisker presenteras i bilagorna. –Fastställandet av kontext stöds av bilaga A (Fastställande av omfattning och begränsningar för processen för riskhantering för informationssäkerhet). –Identifiering och värdering av tillgångar samt bedömning av påverkan diskuteras i bilaga B (Exempel på identifiering av tillgångar), bilaga C (Exempel på typiska hot) och bilaga D (Sårbarheter och metoder för bedömning av sårbarhet). –Exempel på förhållningssätt för bedömning av informationssäkerhetsrisker presenteras i bilaga E. –Begränsningar för reducering av risk presenteras i bilaga F. –Skillnader i definitioner mellan SS-ISO/IEC 27005:27008 och SS- ISO/IEC 27005:2012 redovisas i Annex G!

26 Områden

27 Compliance •ISO/IEC Vägledning om säkerhetsåtgärder för revisorer –”…ger vägledning om granskning av införande och drift av säkerhetsåtgärder, inklusive granskning av teknisk efterlevnad avseende säkerhetsåtgärder i systemmiljö, mot etablerade informationssäkerhetsstandarder inom en organisation.”

28 Compliance •Struktur och innehåll: –…en beskrivning av granskningsprocessen för säkerhetsåtgärder, inklusive granskning av teknisk efterlevnad. –Bakgrundsinformation återfinns i avsnitt 5. –Avsnitt 6 erbjuder en översikt över granskningar av säkerhetsåtgärder. –Granskningsmetoderna presenteras i avsnitt 7 –Granskningsaktiviteterna i avsnitt 8. –Granskning av teknisk efterlevnad återfinns bilaga A –Stöd avseende inledande informationsinsamling återfinns i bilaga B.

29 Compliance

30

31

32 Områden

33 Sammanfattning Information Security Management Corporate Governance Information Security Governance Key Security Governance Responsibilities  Shareholder value from security investments  Minimize and manage risks  Plan and execute strategy to deliver business security and shareholder value  Minimize and manage risks  Deliver ISMS  Deliver security solutions  Operate security capabilities

34 Sammanfattning Functional leadership Enterprise perspective Pooled experience Synergy No synergy Wheel reinvention Potentially more costly BU ownership Users control priorities Responsiveness to needs Scale economies Control of standards Critical mass of skills Does not meet everyone’s needs No BU cost control No BU ownership Less responsive to end users Variable security competencies Decentralized Centralized

35 Sammanfattning • Hårdare krav på effektiv företagsstyrning och intern kontroll • Genom att integrera de nya ”Governance” kraven med företagets existerande ledningssystem skapar organisationen en flexibel plattform och är redo för nya anpassningar i framtiden. • Kommande ISO/IEC ”ISG ”kommer att tydligöra kopplingen mellan IT Governance – Information Security Governance – och Ledningsystem för Informationssäkerhet (”ISMS”) • ISO/IEC ger tydlig vägledning och stöd för hanteringen av informationssäkerhetsrisker • ISO/IEC ger handledning både för kravställning inför eventuell upphandling av, och inför/under/efter genomförande av revisioner

36 Tack för mig


Ladda ner ppt "Effektivt stöd för GRC med nya ISO Standarder Anders Carlstedt, Editor ISO/IEC 27002, 27005 & 28008 Partner, Amentor."

Liknande presentationer


Google-annonser