Does your organization's network security keep you up at night? Ever get the feeling that your network is a few kilograms heavier than the ideal body mass index? You are not alone! When we consider the end-to-end complexity of the modern network, which involves everything from core infrastructure to applications and databases, it is easy to see the potential for multidimensional growth. Current virtualization technology greatly accelerates this growth. Couple this with the integration of public and private cloud services, and network growth can become exponential.
Why do we care?
What do a few kilograms of extra mass really mean for your network? The answer can be distilled into two words: availability and security. With every system, either natural or man-made, the more complex and interdependent it is, the more vulnerable it is. Vulnerability can take the form of low availability or, even worse, an increase in security risk. In this series of blog articles I am going to discuss the security risk aspect of a lean and trim network versus one that is not. In all networks, inherent vulnerabilities within systems, processes and people are mitigated by a corresponding security control framework. This is necessary to reduce risk to an acceptable residual level that is appropriate for the business.
How can your network go on a diet?
What diet goals do you want your network to achieve? Well, unlike a food diet, there are a few proven and recognized network diet methods. One of them is the application of a security framework known as ISO/IEC 27001:2013 & ISO/IEC 27002:2013. It is a formalized and globally recognized structure of hierarchical rules that provides IT organizations with a security blueprint to follow. ISO/IEC 27001:2013 is a framework specification, while ISO/IEC 27002:2013 is a code of practice. ISO/IEC 27001:2013 formally specifies an Information Security Management System (ISMS), which is a management framework. That is very good news! Who would want to re-invent the wheel anyway?
The detail of ISO/IEC 27002:2013 can be considered and applied in 4 layers. Layer 1 is the most abstract and general, while layer 4 is the most detailed and specific. Each layer takes the form of documentation artifacts that conveniently provide instruction for management and subject matter experts alike. These artifacts can also be presented to auditors as part of policy and process evidence gathering. The layers are outlined below.
Layer 1: Business Objectives and Directives
Layer 2: Policies
Layer 3: Technical Controls Statements
Layer 4: Process and Procedural Guidelines
The care and feeding of the whole security framework is the responsibility of the ISMS. It is critical that the ISMS be established and functioning correctly as per the ISO/IEC 27001:2013 specifications and rules.
How comprehensive is my network “diet”?
The ISO/IEC 27002:2013 security control framework is quite comprehensive as diets go. It comprises 19 sections covering 35 control objectives with 114+ controls. To give you a quick overview of the framework, the sections are outlined below.
Section 0 – Introduction
Section 1 – Scope
Section 2 – Normative References
Section 3 – Definitions
Section 4 – Structure of this Standard
Section 5 – Information Security Policies
Section 6 – Organization of Information Security
Section 7 – Human Resource Security
Section 8 – Asset Management
Section 9 – Access Control
Section 10 – Cryptography
Section 11 – Physical and Environmental Security
Section 12 – Operations Security
Section 13 – Communications Security
Section 14 – System Acquisition, Development and Maintenance
Section 15 – Supplier Relationships
Section 16 – Information Security Incident Management
Section 17 – Information Security Aspects of Business Continuity Management
Section 18 – Compliance
Generally speaking, most organizations would find all of the ISO/IEC 27002:2013 framework sections and control objectives applicable to their IT structures, since they are written at a high level. Conversely, some of the control sub-sections underneath the control objectives are specific and may not apply to every business. This flexibility allows your business to pick which controls are applicable and thus tailor the mitigation to the organization’s unique inherent risk profile.
Below is a list of the ISO/IEC 27000 framework components that constitute a complete working set needed for all companies dependent on the security of digital and non-digital information.
1. ISO/IEC 27001:2013 — Information Technology — Security Techniques — Information Security Management Systems (2nd Ed.)
2. ISO/IEC 27002:2013 — Information Technology — Security Techniques — Code of Practice for Information Security Controls (2nd Ed.)
3. ISO/IEC 27003:2010 — Information Technology — Security Techniques — Information Security Management System Implementation Guidance
4. ISO/IEC 27004:2009 — Information Technology — Security Techniques — Information Security Management — Measurement
5. ISO/IEC 27005:2011 — Information Technology — Security Techniques — Information Security Risk Management (2nd Ed.)
So what are the next steps?
Regardless of the IT organization’s maturity level, every business will benefit from an ISO/IEC 27001:2013 & ISO/IEC 27002:2013 pre-assessment and audit. A proper security audit will ensure alignment of IT security controls with the business’s objectives and reduce residual risk. In our current state of network evolution it is critical to be both highly available and highly secure.
StratoGrid IT Advisory practice can assist your organization with security control audits and compliance.