Post-Graduate Diploma in Cyber Security Information Security Assurance: Framework, Standards & Industry Best Practices (PGDCS-05)
Total Page:16
File Type:pdf, Size:1020Kb
Post-Graduate Diploma in Cyber Security Information Security Assurance: Framework, Standards & Industry Best Practices (PGDCS-05) Title Information Security Assurance : Framework, Standards and Industry Best Practices Advisors Mr. R. Thyagarajan, Head, Admn. & Finance and Acting Director, CEMCA Dr. Manas Ranjan Panigrahi, Program Officer (Education), CEMCA Prof. Durgesh Pant, Director- SCS&IT, UOU Editor Mr. Pritam Gautam, Consultant-Cyber Security Authors Block I> Unit I, Unit II, Unit III & Unit IV Mr. Mukesh Kumar Verma, Cyber Security Professional, Chandigarh Block II> Unit I, Unit II, Unit III & Unit Mr. Ashutosh Bahuguna, Scientist- Indian IV Computer Emergency Response Team (CERT- In), Department of Electronics & IT, Ministry of Communication & IT, Government of India Block III> Unit I, Unit II, Unit III & Unit Mr. Rajesh Arya, Hardware Engineer- ICT IV Cell, Uttarakhand Open University, Haldwani ISBN: 978-93-84813-95-5 Acknowledgement The University acknowledges with thanks the expertise and financial support provided by Commonwealth Educational Media Centre for Asia (CEMCA), New Delhi, for the preparation of this study material. Uttarakhand Open University, 2016 © Uttarakhand Open University, 2016. Information Security Assurance: Framework, Standards and Industry Best Practices is made available under a Creative Commons Attribution Share-Alike 4.0 Licence (international): http://creativecommons.org/licenses/by-sa/4.0/ It is attributed to the sources marked in the References, Article Sources and Contributors section. Published by: Uttarakhand Open University Expert Panel S. No. Name 1 Dr. Jeetendra Pande, School of Computer Science & IT, Uttarakhand Open University, Haldwani 2 Prof. Ashok Panjwani, Professor, MDI, Gurgoan 3 Group Captain Ashok Katariya, Ministry of Defense, New Delhi 4 Mr. Ashutosh Bahuguna, Scientist- CERT-In, Department of Electronics & Information Technology, Government of India 5 Mr. Sani Abhilash, Scientist- CERT-In, Department of Electronics & Information Technology, Government of India 6 Wing Commander C.S. Chawla, Ministry of Defense, New Delhi 7 Mr. Mukesh Kumar Verma, IT Consultant, Chandigarh 8 Mr. Pritam Dutt Gautam, IT Consultant, New Delhi Contents UNIT I: INFORMATION SECURITY STANDARDS .................................................................... 1 1.1 LEARNING OBJECTIVES .......................................................................................................... 1 1.2 INTRODUCTION .......................................................................................................................... 1 1.2.1 Elements of Information Security Policy ............................................................................... 1 1.3 INFORMATION SECURITY STANDARDS ........................................................................... 11 1.3.1 ISO/IEC 27001:2013 (Information Security Management System) .................................. 11 1.3.1.1 Structure of the standard................................................................................................ 11 1.3.1.2 Changes from the 2005 standard................................................................................... 12 1.3.1.3 New controls in 27001:2013 ......................................................................................... 12 1.3.1.4 Controls .......................................................................................................................... 12 1.3.2 ISO/IEC 27002:2013 (Code of Practice for Information Security Management) ............. 13 1.3.2.1 Outline for ISO27002:2005 ........................................................................................... 13 1.3.2.2 Implementation example of ISO/IEC 27002................................................................ 15 1.3.2.3 Career path with ISMS ISO27001:2013....................................................................... 16 1.3.3 Bullets to improve security posture of organisation............................................................ 17 1.3.3.1 From network protection point of view ........................................................................ 19 1.3.3.2 From data protection point of view .............................................................................. 19 1.4 SUMMARY .................................................................................................................................. 20 1.5 CHECK YOUR PROGRESS ...................................................................................................... 20 1.6 ANSWERS TO CHECK YOUR PROGRESS ........................................................................... 20 1.7 MODEL QUESTIONS ................................................................................................................ 20 2.1 LEARNING OBJECTIVES ........................................................................................................ 21 2.2 INTRODUCTION ........................................................................................................................ 21 1.2.1 Regulations related to Information Security- SOX ............................................................. 21 2.3 IT ACT .......................................................................................................................................... 22 2.3.1Against an Individual ............................................................................................................. 22 2.3.2 Individual Property ................................................................................................................ 22 2.3.3 Against Organisation ............................................................................................................. 22 2.3.4 Against Society at Large ....................................................................................................... 23 2.3.5 Amendments .......................................................................................................................... 23 2.4 SARBANES-OXLEY ACT (SOX)............................................................................................. 23 2.4.1 Background about SOX ........................................................................................................ 23 2.4.1.1 Why SOX was born? ..................................................................................................... 23 2.4.1.2 Key requirements/provisions ........................................................................................ 25 2.4.1.3 What should SOX implementers do in real-time? ....................................................... 27 2.5 PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS) .................... 28 2.6 CHILDRES’S ONLINE PRIVACY PROTECTION ACT (COPPA) ...................................... 29 2.7 HIPPA ........................................................................................................................................... 29 2.8 GLBA ............................................................................................................................................ 30 2.9 FISMA........................................................................................................................................... 30 2.9.1 Purpose for FISMA ............................................................................................................... 30 2.10 FIPS ............................................................................................................................................. 30 2.11 FFIEC .......................................................................................................................................... 32 2.12 CYBER SECURITY .................................................................................................................. 32 2.13 SECURITY CONTROLS .......................................................................................................... 33 2.13.1 Information security standards and control frameworks .................................................. 34 2.13.2 International information security standards ..................................................................... 34 2.13.3 U.S. Federal Government information security standards ................................................ 34 2.14 COMMON PITFALLS OF INFORMATIN SECURITY PROGRAM ................................. 35 2.15 COMMON ELEMENTS OF COMLPINANCE ...................................................................... 37 2.16 SUMMMARY ............................................................................................................................ 37 2.17 CHECK YOUR PROGRESS .................................................................................................... 37 2.18 ANSWERS TO CHECK YOUR PROGRESS......................................................................... 37 2.19 MODEL QUESTIONS .............................................................................................................. 37 3.1 LEARNING OBJECTIVES ........................................................................................................ 38 3.2 ISO/IEC 15408 (EVALUATIN CRITERIA FOR IT SECURITY).......................................... 38 3.2.1 Target of Evaluation (TOE) .................................................................................................. 38 3.2.2 How do the Common Criteria work? ..................................................................................