Security Standard PPT - 3

The document outlines security standards and compliance measures for managing information security risks, emphasizing the importance of confidentiality, integrity, and availability. It details various frameworks and regulations, such as NIST, ISO 27000, HIPAA, and GDPR, that organizations can adopt to enhance their cybersecurity posture. Additionally, it describes a comprehensive risk management approach, including risk identification, analysis, evaluation, treatment, and incident management best practices.

Uploaded by Ahana Shah

Security Standards

Symbiosis International (Deemed University)


Threats to information security
Compliance
Information security is managing risks to the confidentiality, integrity, and availability of information using administrative, physical and technical controls.

1. Security Compliance Helps You Avoid Fines and Penalties
2. Security Compliance Protects Your Business Reputation
3. Security Compliance Enhances Your Data Management Capabilities
4. Security Compliance Yields Insights That Promote Operational Benefits
5. Security Compliance Supports Access Controls and Accountability
The Act/standard, what it regulates, and the companies affected:

NIST (National Institute of Standards and Technology)
  What it regulates: This framework was created to provide a customizable guide on how to manage and reduce cybersecurity-related risk by combining existing standards, guidelines, and best practices. It also helps foster communication between internal and external stakeholders by creating a common risk language between different industries.
  Company affected: This is a voluntary framework that can be implemented by any organization that wants to reduce its overall risk.

ISO 27000 Family (International Organization for Standardization)
  What it regulates: This family of standards provides security requirements around the maintenance of information security management systems (ISMS) through the implementation of security controls.
  Company affected: These regulations are broad and can fit a wide range of businesses. All businesses can use this family of regulations for assessment of their cybersecurity practices.

ISO 31000 Family (International Organization for Standardization)
  What it regulates: This set of regulations governs principles of implementation and risk management.
  Company affected: These regulations are broad and can fit a wide range of businesses. All businesses can use this family of regulations for assessment of their cybersecurity practices.

HIPAA (Health Insurance Portability and Accountability Act)
  What it regulates: It protects the healthcare of people who are transitioning between jobs or are laid off. It simplifies the healthcare process by shifting to electronic data. It also protects the privacy of individual patients.
  Company affected: Any organization that handles healthcare data. That includes, but is not limited to, doctor’s offices, hospitals, insurance companies, business associates, and employers.

PCI-DSS (Payment Card Industry Data Security Standard)
  What it regulates: A set of 12 regulations designed to reduce fraud and protect customer credit card information.
  Company affected: Companies handling credit card information.

GDPR (General Data Protection Act)
  What it regulates: This regulates the data protection and privacy of citizens of the European Union.
  Company affected: Any company doing business in the European Union or handling the data of a citizen of the European Union.

SOX (Sarbanes-Oxley Act)
  What it regulates: This act requires companies to maintain financial records for up to seven years.
  Company affected: U.S. public company boards, management, and public accounting firms.

COBIT (Control Objectives for Information and Related Technologies)
  What it regulates: This framework was developed to help organizations manage information and technology governance by linking business and IT goals.
  Company affected: Organizations that are responsible for business processes related to technology and quality control of information. This includes, but is not limited to, areas such as audit and assurance, compliance, IT operations, governance, and security and risk management.

ITAR (International Traffic in Arms Regulations)
  What it regulates: Controls the sale of defense articles and defense services (providing critical military or intelligence capability).
  Company affected: Anyone who produces or sells defense items and defense services.

COPPA (Children’s Online Privacy Protection Rule)
  What it regulates: The online collection of personal information about children under 13 years of age.
  Company affected: Any person or entity under U.S. jurisdiction.
5 step approach on risk management
• Establish risk management framework
• Identify risks
• Analyse risks
• Evaluate risk
• Select risk treatment option
Formal Methodology
• Consistent – It needs to be objective and not subject to individuals’ choices or priorities
• Valid – It should not hinder/block the business operations
• Comparable – The results should be comparable, and can be replicated or stepped-up/down

Identify Risks
• Clear risk ownership matrix is created – risks v/s designation
• People, process and technology risk
• Information Asset Register –
  • Information/data
  • Software
  • Hardware
  • IP
  • Hard copies etc.
• CIA analysis of each asset
• Identification of asset and risk owner
Analyze the risk

Vulnerability X Threat
• Vulnerability – internal to an asset
• Threat – external factors which exploit the vulnerabilities

Map the vulnerabilities and threats in the Likelihood v/s Impact matrix for risk analysis
Risk Calculation
Likelihood on the vertical axis (top row = highest) v/s impact on the horizontal axis (left column = lowest):

Likelihood 5:  Risk level 5  Risk level 6  Risk level 7  Risk level 8  Risk level 9
Likelihood 4:  Risk level 4  Risk level 5  Risk level 6  Risk level 7  Risk level 8
Likelihood 3:  Risk level 3  Risk level 4  Risk level 5  Risk level 6  Risk level 7
Likelihood 2:  Risk level 2  Risk level 3  Risk level 4  Risk level 5  Risk level 6
Likelihood 1:  Risk level 1  Risk level 2  Risk level 3  Risk level 4  Risk level 5
               Impact 1      Impact 2      Impact 3      Impact 4      Impact 5

• Numeric impact gives you the actual risk levels
• Understand the risk-taking ability of the organisation
• Classify the risk – in 3/5 or more levels depending on
  • Money
  • Time
  • Compliance
  • Brand value etc.
Risk Assessment Scale
Evaluation of risk
➢ Compare the risk with predetermined levels of accepted risk
➢ Identify the highest/urgent risks
➢ Prioritize risks

Urgent (vertical axis) v/s Important (horizontal axis):

  3  5  6
  2  4  5
  1  2  3
Risk treatment options
• Avoid – do not trigger the risk
• Modify – patching/back-ups
• Share – insurance, third party risk
• Retain – ignore & do nothing


Risk Control
1. Statement of Applicability (SOA) – the main link between risk assessment and risk treatment in an enterprise or organization
2. Risk Treatment Plan (RTP) – documents the way your organization will respond to identified threats
3. Continually review, update, and improve the ISMS
4. Adjust according to threat treatment
(Cycle shown on the slide: Review, Report, Monitor)
RTP (Risk Treatment Plan)
Once you’ve completed your risk assessment and defined your risk appetite, you’ll be left with a list of ‘unacceptable’ threats that need to be addressed.

ISO 27001 recommends that organizations take one of four actions:

1. Modify the risk by implementing a control to reduce the likelihood of it occurring.
2. Avoid the risk by ceasing any activity that creates it. This response is appropriate if the risk is too big to manage with a security control.
3. Share the risk with a third party:
   a. by outsourcing the security efforts to another organization, or
   b. by purchasing cyber insurance to ensure you have the funds to respond appropriately in the event of a disaster.
   Neither option is ideal, because you are ultimately responsible for your organization's security, but they might be the best solutions if you lack the resources to tackle the risk.
4. Retain the risk. This option means that your organization accepts the risk and believes that the cost of treating it is greater than the damage that it would cause.
Types of Controls

• Deterrent Controls – are intended to discourage a potential attacker. For example, establishing an information security policy, a warning message on the logon screen, or security cameras.

• Preventive Controls – are intended to minimize the likelihood of an incident occurring. For example, a user account management process, restricting server room access to authorized personnel, configuring appropriate rules on a firewall or implementing an access control list on a file share.

• Detective Controls – are intended to identify when an incident has occurred. For example, review of server or firewall security logs or Intrusion Detection System (IDS) alerts.

• Corrective Controls – are intended to fix information system components after an incident has occurred. For example, data backups, SQL transaction log shipping or business continuity and disaster recovery plans.
CONTROLS IDENTIFICATION AND ASSESSMENT
• A control can reduce the risk by reducing the likelihood of an event, the impact, or both.
• Typically deterrent and preventive controls reduce the likelihood of a risk eventuating, whereas detective and corrective controls reduce the impact should it eventuate.
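As an added example (not part of the slides), the risk calculation, evaluation and treatment steps above carried into a small Python risk register: the risk level is read off the deck's likelihood v/s impact matrix (level = likelihood + impact - 1), a control of a given type reduces likelihood (deterrent, preventive) or impact (detective, corrective) as the controls slide states, and each risk is compared with a risk appetite to choose avoid/modify/share/retain. The three-level classification cut-offs, the treatment thresholds and the sample register entries are assumptions of this example.

```python
from dataclasses import dataclass, field

CONTROL_EFFECT = {"deterrent": "likelihood", "preventive": "likelihood",  # factor each
                  "detective": "impact", "corrective": "impact"}          # type reduces

def risk_level(likelihood: int, impact: int) -> int:
    """Likelihood (1-5) x impact (1-5) -> risk level 1-9, reproducing the deck's
    matrix: the likelihood-5 row reads 5 6 7 8 9, the likelihood-1 row 1 2 3 4 5."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be between 1 and 5")
    return likelihood + impact - 1

def classify(level: int) -> str:
    """Three-level classification; the cut-offs are this example's assumption."""
    return "High" if level >= 7 else "Medium" if level >= 4 else "Low"

@dataclass
class Risk:
    asset: str
    vulnerability: str      # internal to the asset
    threat: str             # external factor that exploits it
    likelihood: int
    impact: int
    owner: str
    controls: list = field(default_factory=list)  # (control type, points reduced)

    def inherent(self) -> int:
        return risk_level(self.likelihood, self.impact)

    def residual(self) -> int:
        """Risk left after the listed controls; each score is floored at 1."""
        lik, imp = self.likelihood, self.impact
        for ctype, reduction in self.controls:
            if CONTROL_EFFECT[ctype] == "likelihood":
                lik = max(1, lik - reduction)
            else:
                imp = max(1, imp - reduction)
        return risk_level(lik, imp)

def treatment(risk: Risk, appetite: int) -> str:
    """ISO 27001 option (thresholds assumed): Retain, Avoid, Share or Modify."""
    level = risk.inherent()
    if level <= appetite:
        return "Retain"
    if level == 9:                    # too big to manage with a control
        return "Avoid"
    if risk.likelihood <= 2 and risk.impact >= 4:   # rare but severe: insure
        return "Share"
    return "Modify"                   # apply a control (patching, backups)

def prioritise(register: list, appetite: int) -> list:
    """(asset, inherent, residual, class, treatment) rows, highest inherent first."""
    rows = [(r.asset, r.inherent(), r.residual(), classify(r.inherent()),
             treatment(r, appetite)) for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed sample register (not from the deck).
REGISTER = [
    Risk("patient database", "unpatched OS", "exploitation of a known flaw", 4, 5,
         "IT operations", controls=[("preventive", 2), ("corrective", 1)]),
    Risk("HR file share", "over-broad ACL", "insider data theft", 3, 3, "HR"),
    Risk("data centre", "single site", "flood", 1, 5, "Facilities"),
    Risk("intranet wiki", "stale pages", "misinformation", 2, 2, "Comms"),
]
```

Calling `prioritise(REGISTER, appetite=3)` ranks the patient database first (inherent level 8, residual 5 after patching and backups) and retains only the wiki risk, which sits within the appetite.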
Incident management (ISO27001 Annex A.16)
Security incident management is the process of:
• identifying,
• managing,
• recording and
• analyzing
security threats or incidents in real time.

A security incident can be anything from an active threat to an attempted intrusion to a successful compromise or data breach. Policy violations and unauthorized access to data such as health, financial, social security numbers, and personally identifiable records are all examples of security incidents.
Incident management best practices
Implement these best practices to develop a comprehensive security incident management plan:

• Develop a security incident management plan and supporting policies that include guidance on how incidents are detected, reported, assessed, and responded to. Have a checklist ready for a set of actions based on the threat. Continuously update security incident management procedures as necessary, particularly with lessons learned from prior incidents.

• Establish an incident response team (IRT) including clearly defined roles and responsibilities. Your incident response team should include functional roles within the IT/security department as well as representation for other departments such as legal, communications, finance, and business management or operations.

• Develop a comprehensive training program for every activity necessary within the set of security incident management procedures. Practice your security incident management plan with test scenarios on a consistent basis and make refinements as need be.

• After any security incident, perform a post-incident analysis to learn from your successes and failures and adjust your security program and incident management process where needed.

In some situations, collecting evidence and analyzing forensics is a necessary component of incident response. For these circumstances, you’ll want the following in place:
• A policy for evidence collection to ensure it is correct and sufficient – or, when applicable, will be accepted in a court of law.
• The ability to employ forensics as needed for analysis, reporting, and investigation.
• Team members who have experience and training in forensics and functional techniques.

A strong security incident management process is imperative for reducing recovery costs, potential liabilities, and damage to the victim organization. Organizations should evaluate and select a suite of tools to improve visibility, alerting, and actionability regarding security incidents.
Business Continuity (ISO27001 Annex A.17)
• Business continuity is about having a plan to deal with difficult situations, so your organization can continue to function with as little disruption as possible. It is an organization's ability to ensure operations and core business functions are not severely impacted by a disaster or unplanned incident that takes critical systems offline.

• The objective is that information security continuity shall be embedded in the organization's business continuity management systems. It’s an important part of the information security management system (ISMS).
Business Continuity Management
Process:
• Assessment: The first step to a successful planning process is to make sure that you have a thorough understanding of what is, and is not, critical to your organization. You can (and should) perform a Business Impact Analysis (BIA) and a Threat & Risk Assessment to guide you. Without understanding your organization’s processes, how critical those processes are, and the threats and risks inherent in your operations, you cannot effectively develop appropriate plans and strategies.

• Business Recovery: The purpose of business recovery planning is to ensure that your critical business processes can be recovered in the event of an emergency. Your plan will document the actions, including temporary workarounds, that will be necessary to keep critical functions operational until IT applications, systems, facilities, or personnel are again available.

• IT Recovery: IT recovery planning refers to the development of plans and strategies for the recovery of your technology, including actions that will be necessary to restore critical IT applications and systems.

• Crisis Management: Crisis Management refers to a specific plan that details how your organization will manage a crisis event, as well as to an internal organizational unit (the Crisis Management Team) that will manage that event.
Continual Process Risk Management (CPRM)
1. Risk Identification
• Asset Identification: Catalog all information assets, including hardware, software, data, and personnel.
• Threat Identification: Recognize potential threats such as cyber-attacks, natural disasters, and insider threats.
• Vulnerability Identification: Determine weaknesses in systems, processes, and controls that could be exploited by threats.
2. Risk Analysis
• Likelihood Assessment: Estimate the probability of identified threats exploiting vulnerabilities.
• Impact Assessment: Determine the potential consequences on the organization if threats materialize.
3. Risk Evaluation
• Risk Level Determination: Calculate risk levels by combining the likelihood and impact assessments.
• Risk Prioritization: Rank risks based on their severity to focus resources on the most critical areas.
4. Risk Treatment
• Risk Avoidance: Implement measures to eliminate risk sources or conditions.
• Risk Reduction: Apply controls to reduce the likelihood or impact of risks.
• Risk Sharing: Transfer risks to third parties (e.g., through insurance or outsourcing).
• Risk Acceptance: Acknowledge and accept the risks when their levels are within organizational tolerance.
5. Monitoring and Review
• Continuous Monitoring: Regularly monitor risk factors and controls to ensure their effectiveness.
• Incident Management: Track security incidents and near-misses to learn and improve.
• Review and Update: Periodically review and update the risk management processes and ISMS based on changes in the environment, emerging threats, and new vulnerabilities.
6. Communication and Consultation
• Stakeholder Engagement: Involve all relevant stakeholders in the risk management process to ensure comprehensive coverage and buy-in.
• Reporting: Provide regular updates to management and stakeholders on the status of ISMS risks and controls.
7. Documentation and Evidence
• Risk Registers: Maintain detailed records of identified risks, assessments, and treatment plans.
• Audit Trails: Keep logs and documentation to support audits and demonstrate compliance with standards like ISO/IEC 27001.
8. Continuous Improvement
• Feedback Loops: Use feedback from monitoring, reviews, and audits to improve risk management practices.
• Training and Awareness: Continuously educate employees about risks and the importance of adhering to ISMS policies and procedures.
Best Practices for CPRM in ISMS

Integration with Business Processes
• Alignment with Business Objectives: Ensure that the risk management activities support the organization's strategic goals and objectives. Risk management should not be an isolated activity but integrated into the broader business processes.
• Cross-functional Collaboration: Involve various departments such as IT, HR, legal, and finance to ensure comprehensive risk management. This collaboration helps in understanding and mitigating risks from different perspectives.

Adoption of Frameworks and Standards
• ISO/IEC 27001: Implement the ISO/IEC 27001 standard, which provides a systematic approach to managing sensitive company information so that it remains secure. This includes people, processes, and IT systems.
• NIST Framework: Utilize the National Institute of Standards and Technology (NIST) Cybersecurity Framework, a policy framework of computer security guidance for how private sector organizations can assess and improve their ability to prevent, detect, and respond to cyber-attacks.
• COBIT: Use the Control Objectives for Information and Related Technologies (COBIT) framework for IT governance and management.
Automation and Tools
• Risk Assessment Tools: Employ automated tools for risk assessments to enhance efficiency, accuracy, and repeatability. These tools can help identify, analyze, and evaluate risks more effectively.
• Continuous Monitoring Systems: Implement systems for continuous monitoring of network activities, vulnerabilities, and incidents to detect and respond to threats in real time.
• Incident Management Systems: Use automated incident management systems to track, manage, and report security incidents and breaches.

Scalability and Flexibility
• Scalable Solutions: Design the risk management process to scale with the organization’s growth. This ensures that the process can handle increased data, more users, and more complex systems without compromising security.
• Flexible Approaches: Adapt risk management strategies to accommodate changing technologies, emerging threats, and new business models. Being flexible helps in staying resilient against dynamic cyber threats.

Continuous Improvement
• Feedback Mechanisms: Establish feedback loops from monitoring, audits, and incident reports to continuously improve risk management practices.
• Regular Training and Awareness: Conduct regular training sessions and awareness programs to educate employees about information security risks and best practices.
• Lessons Learned: Analyze incidents and near-misses to extract lessons learned and integrate these insights into the risk management process.
Documentation and Evidence
• Comprehensive Risk Registers: Maintain detailed risk registers that document identified risks, assessments, and treatment plans. This ensures traceability and accountability.
• Audit Trails: Keep detailed logs and documentation of all risk management activities. This is essential for audits and demonstrating compliance with standards.

Stakeholder Engagement
• Regular Communication: Keep stakeholders informed about the status of risks and the measures taken to mitigate them. Regular updates and reports help in maintaining transparency.
• Involvement in Decision Making: Involve key stakeholders in the risk management decision-making process to ensure their concerns and insights are considered.

Risk Culture
• Promote a Security-first Culture: Foster a culture where security is a priority for everyone in the organization. This includes leadership support and encouraging employees to take ownership of security.
• Encourage Reporting: Create an environment where employees feel comfortable reporting potential security risks and incidents without fear of retribution.
Policy and Procedure Management
• Clear Policies: Develop clear and concise information security policies and procedures. Ensure they are easily accessible and understood by all employees.
• Regular Reviews: Regularly review and update policies and procedures to keep them relevant and effective in the face of new threats and regulatory changes.

Risk Assessment Frequency
• Periodic Assessments: Conduct regular risk assessments to identify new risks and evaluate the effectiveness of existing controls.
• Event-Driven Assessments: Perform risk assessments when significant changes occur, such as the introduction of new technologies, processes, or regulations.