Cavirin Blog

Why align with ISO/IEC 27002:2013?

THE ISO/IEC 27002:2013 CHALLENGE

ISO/IEC 27002:2013 Information technology -- Security techniques -- Code of practice for information security controls

You might think that implementing an ISO 27002 ISMS program is fairly straightforward, and even an easy sell to the business and supporting enterprise.  After all, Information Security is defined by the C-I-A triad, the most well-known model for security policy development.  Who can resist a tried and true C-I-A triad?

  • Confidentiality, ensuring that information is only accessible to those authorized to have access
  • Integrity, safeguarding the accuracy and completeness of information and processing methods
  • Availability, ensuring that authorized users have access to information and associated assets when required

Instead of disparaging everyone who resists the full ISO 27002 ISMS implementation, let's empathize with the sheer willpower and perseverance it takes to drive an organization toward this prestigious achievement.

Here's a diagram that covers the common steps to ISO 27001 readiness and implementation. Put simply, it's a lot of work.  One area that needn't be difficult is the thing people often fear the most: the implementation of system policy via security controls.

(Diagram: ISO Implementation)

What's in it for us? Reasons to accomplish ISO 27001 certification of your ISMS include that organizations need to demonstrate:

  • a measured reduction in security events
  • the ability to satisfy regulatory compliance requirements across multiple industries and foreign nations
  • an enhanced competitive position in the face of cyber-security threats
  • increased security and overall quality in IT systems

The ISMS standard SIMM 5305-A states that Information Technology Management is responsible for oversight … ensuring protection of the state entity’s information assets and state entity compliance with security policies, standards, and procedures, including:

  • Implementing the necessary technical controls to preserve the confidentiality, integrity, and availability of the state entity’s information assets.
  • Managing the risks associated with those assets.
  • Monitoring for and reporting to the Information Security Officer any actual or attempted security incidents.

ISO is an independent, non-governmental international organization with a membership of 163 national standards bodies.

Cavirin offers assessment models to support technical aspects of ISO/IEC 27002:2013, which gives guidelines for organizational information security standards and practices including the selection, implementation, and management of controls taking into consideration the organization's information security risk environment.

Among its many benefits, the standard enables users to:

  • implement commonly accepted information security controls
  • further evolve a risk-based approach in developing their own information security management guidelines
  • International Standards can help governments and regulators achieve public policy goals, a conclusion drawn by experts at the conference on standards and policy held in November 2015 in Geneva, Switzerland

Why align with ISO/IEC 27002:2013?

Cavirin clients gain advantage through alignment with international standards compliance. Simply managing the effectiveness of an Information Security Management System (ISMS) program supports elements of compliance with all of the following laws:

  • UK Data Protection Act 1998
  • The Computer Misuse Act 1990 (UK)
  • Federal Information Security Management Act 2001 (US)
  • Gramm‐Leach‐Bliley Act (GLBA) 1999 (US)
  • Federal Financial Inst. Examination Council’s (FFIEC) security guidelines (US)
  • Sarbanes‐Oxley Act (SOX) 2002 (US)
  • State security breach notification laws (e.g. California) (US)
  • Health Insurance Portability and Accountability Act (HIPAA) 1996 (US)

Gaining the most from your ISMS program implementation

In addition to satisfying multiple aspects in world standards and regulations, the achievement of ISO 27001 certification is recognized for:

  • Improved company reputation and image
  • Proof of senior management’s commitment to the security of the organization

The effective use of best practices such as the ISMS helps companies to avoid reinventing their own policies and procedures, optimize use of scarce IT resources and reduce the occurrence of major IT risks, such as:

  • Project failures
  • Wasted investments
  • Security breaches
  • System crashes
  • Failures by service providers to understand and meet customer requirements

Companies embarking on the path of ISO 27001 certification need assistance to establish, monitor, maintain and measure improvement in their ISMS (27002:2013).  One key path to a more secure organization is establishing and maintaining secure host baseline configurations.

What is a Secure Host Baseline?

As identified in the NSA's Slicksheet_SecureHostBaseline_Web: "A Secure Host Baseline (SHB) is a pre-configured and security hardened machine-ready image that contains an organization’s common Operating Systems (OS) and application software. SHB images are developed with the latest relevant standards and policies which include a layered security architecture enabling the implementation of best practice mitigation strategies to counter cyber threats... An SHB image can be generated for any OS and common application software used by an organization. The image can be deployed across an office’s host systems to include desktops, laptops, servers, tablets, and mobile devices. This provides administrators with a common core operating picture that makes it easier to identify and isolate anomalies. An SHB simplifies the implementation of robust security practices and technologies such as Application Whitelisting, Host Intrusion Prevention Systems (HIPS), Enhanced Mitigation Experience Toolkit (EMET), and other anti-exploitation capabilities. It also ensures that the security features of each host residing on a network are consistent with the organization’s security policies and directives."

Organizations needing to maintain secure host baselines (SHB) face a considerable challenge. Unless they have a compliance platform such as Cavirin's ARAP, they must be prepared to provide continual updates for all hardware, operating systems and applications.  Without a platform to perform these operations, even a successful SHB deployment leaves IT with the daunting task of keeping business IT aligned by updating every secure host image each time a baseline improvement is announced. Longer term, organizations must manage lifecycle and end-of-life timelines for operating systems and applications to ensure that the security features remain current.

Leveraging Cavirin ARAP’s ISO 27002 Policy Pack allows clients to:

  • Identify information assets and their associated security requirements
  • Assess information security and treat risks according to their relative tolerance
  • Select and implement relevant controls to manage or mitigate threats
  • Monitor, maintain and improve the effectiveness of controls associated with the organization’s information assets

Security Program considerations

THE SOLUTION

Cavirin’s Automated Risk Analysis Platform (ARAP™) assists Chief Risk and Security Officers, as well as IT and DevOps leadership, in gathering the configuration data used to address their top security and compliance challenges:

  • Settings that indicate missing patches for operating systems and applications
  • Monitoring and detecting sensitive data loss (data exfiltration)
  • Locating policies that enable weak passwords
  • Lack of logs and audit trails necessary to conduct forensics
  • Security validation for new systems
  • Missing or outdated anti-malware technology
  • Settings that enable encryption of sensitive information in transit
  • The information necessary to remediate deficiencies that would otherwise be impossible to manage due to the lack of trained staff maintaining security controls
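As an added illustration (not Cavirin's or the NSA's code), the following Python compares one host's reported settings against a secure host baseline of the kind described above and maps each deviation to the kind of gap listed here (weak passwords, missing patches, missing audit logs, and so on). The setting names, baseline values and host snapshot are constructed and hypothetical.

```python
from dataclasses import dataclass
@dataclass
class Rule:
    key: str       # configuration setting name (constructed, hypothetical)
    op: str        # "min": numeric floor, "eq": exact match, "ver_min": version floor
    expected: object
    concern: str   # the security gap a deviation indicates

# Constructed secure host baseline; setting names and values are hypothetical.
BASELINE = [
    Rule("password_min_length", "min", 14, "weak passwords"),
    Rule("password_complexity", "eq", True, "weak passwords"),
    Rule("audit_logging", "eq", True, "missing logs and audit trails"),
    Rule("tls_min_version", "ver_min", "1.2", "encryption in transit"),
    Rule("patch_level", "ver_min", "2017.09", "missing patches"),
    Rule("antimalware_present", "eq", True, "missing anti-malware"),
]

def _vtuple(v):
    # Dotted version string such as "1.2" -> (1, 2), so versions compare numerically.
    return tuple(int(p) for p in str(v).split("."))

def rule_passes(rule, host):
    """True when the host snapshot satisfies one baseline rule."""
    actual = host.get(rule.key)
    if actual is None:
        return False  # a setting the host does not report counts as a deviation
    if rule.op == "min":
        return actual >= rule.expected
    if rule.op == "eq":
        return actual == rule.expected
    if rule.op == "ver_min":
        return _vtuple(actual) >= _vtuple(rule.expected)
    raise ValueError(f"unknown op {rule.op}")

def assess(host, baseline=BASELINE):
    """Return (rule, actual value) for every baseline rule the host fails."""
    return [(r, host.get(r.key)) for r in baseline if not rule_passes(r, host)]

def concerns(host, baseline=BASELINE):
    """Distinct security gaps the host raises, in baseline order."""
    seen = []
    for rule, _ in assess(host, baseline):
        if rule.concern not in seen:
            seen.append(rule.concern)
    return seen

# Constructed snapshot of one host that has drifted from the baseline.
HOST = {"password_min_length": 8, "password_complexity": True, "audit_logging": False,
        "tls_min_version": "1.2", "patch_level": "2017.06", "antimalware_present": True}
```

Running `concerns(HOST)` on the constructed snapshot yields the three gap categories that host exhibits, which is the kind of per-host finding a baseline assessment feeds into remediation tracking.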

Compliance in any environment

  • Cloud Native platform supporting 12-factor patterns (things like port binding, logs, concurrency…)
  • A “hyper plane” of integrated “risk assessment” amongst segmented vulnerability domains
  • Works with Private, Hybrid, and Public Clouds
  • Supports AWS, Azure, and GCP (Google Cloud Platform)
  • Manages thousands of out-of-box policies, well curated and certified (SCAP, XCCDF, OVAL)
  • Supports current compliance authorities (PCI DSS, HIPAA, NIST, SOC2, FedRAMP, CIS Benchmark, DISA, CIS CSC, CSF)
  • Provides CIS Certified security content (Multiple OS, Docker, AWS Cloud)
  • Complies with DISA standards in all aspects of delivery and reported results

Cyber Ready

  • Know the critical assets and who’s responsible for them
  • Get everyone involved in cyber-resilience
  • Assure they have the knowledge and autonomy to make good decisions
  • Be prepared for both unsuccessful AND successful attack
  • Prevent a cyber-attack from throwing your organization into complete chaos.

ISO Standards Compliance and Cavirin

Cavirin Security and Compliance actively contributes to all major standards and organizations responsible for the mapping of regulatory requirements and the most highly leveraged national and international standards. In addition to organic CIS Benchmarks and DISA STIG NIST-based configuration management, Cavirin has implemented all assessments with NIST Cyber Security Framework (CSF) and NIST 800-53 r4 and Appendix J for Privacy. Clients who elect to use multiple policy packs, including ISO/IEC 27002:2013, will benefit from the extended use of multiple frameworks to align Information Security Programs and Policy.

SHBs for the DoD, the military services, and other government organizations are currently in various stages of development; however, Cavirin Security and Compliance keeps your SHB program in the most current state possible.  For additional information about standards for security technical implementation guides, visit:

About Center for Internet Security

The Center for Internet Security, Inc. (CIS) is a 501c3 nonprofit organization focused on enhancing the cyber security readiness and response of public and private sector entities, with a commitment to excellence through collaboration. CIS provides resources that help partners achieve security goals through expert guidance and cost-effective solutions. 

Cavirin is proud to be a CIS Supporter

About DISA

DISA, a Combat Support Agency, provides, operates, and assures command and control, information sharing capabilities, and a globally accessible enterprise information infrastructure in direct support to joint warfighters, national level leaders, and other mission and coalition partners across the full spectrum of operations.

About Cavirin

Cavirin is transforming the way IT security manages risk. Founded in 2012, Cavirin’s platform is a purpose-built agent-less solution that deploys quickly to on-premises, cloud, and containerized infrastructures, helping organizations reduce complexity, become more agile, and drive dramatic increases in efficiency with their risk and compliance programs. Leveraging continuous visibility and automated assessments, companies are empowered to make the right decisions faster. Cavirin’s Automated Risk Analysis Platform (ARAP) is a security and compliance fabric that provides continuous configuration evaluation with recommendations for alignment to industry standards and best practices, prioritizing systems and risk remediation efforts across complex hybrid IT infrastructures.  Offering up-to-the-minute compliance assessments, Cavirin supplies audit ready evidence as measured by every major regulatory, and security best practice framework.


Cavirin provides security management across physical, public, and hybrid clouds, supporting AWS, Microsoft Azure, Google Cloud Platform, VMware, KVM, and Docker.