ISO 27001 Annex : A.12.4 Logging and Monitoring. Its objective is to record events and generate evidence.
A.12.4.1 Event Logging
Control- Event logs recording user activities, exceptions, faults and information security events should be produced, kept and regularly reviewed.
Implementation Guidance- Where applicable, event logs should include:
User IDs;
System activities;
Dates, times and details of key events, such as log-on and log-off;
Device identity or location where possible, and the system identifier;
Records of successful and rejected system access attempts;
Records of successful and rejected data and other resource access attempts;
Activation and deactivation of protection systems, such as anti-virus software and intrusion detection systems;
Records of transactions executed by users in applications.
Event logging provides the foundation for automated monitoring systems that can generate consolidated monitoring notifications and alerts.
Other information- Event logs may contain sensitive data and personally identifiable information. Appropriate privacy protection measures should be taken. Where possible, system administrators should not have permission to erase or deactivate logs of their own activities.
A.12.4.2 Protection of Log Information
Control- Logging facilities and log information should be protected against tampering and unauthorized access.
Implementation Guidance- Controls should aim to protect against unauthorized changes to log information and operational problems with the logging facility, including:
Alterations to the message types that are recorded;
Log files being edited or deleted;
The storage capacity of the log file media being exceeded, resulting either in events not being recorded or in past events being overwritten.
Some audit logs may need to be archived as part of the records retention policy or because of requirements to collect and retain evidence.
Other information- System logs often contain a large volume of information, much of which is extraneous to information security monitoring. To help identify significant events for information security monitoring, consider automatically copying the relevant message types to a second log, or using suitable system utilities or audit tools to interrogate and rationalize the files.
System logs need to be protected: if their data can be modified or deleted, their existence may create a false sense of security. One safeguard is to copy logs in real time to a system outside the control of the system manager or operator.
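As an added example (not part of the original article), the following Python shows one way to meet A.12.4.1 and A.12.4.2 together: each record carries the fields listed above (user, host, time, event, outcome) and is chained to the previous record with an HMAC, so that editing or deleting an entry is detectable when the chain is verified. The key, field names and sample events are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed for this example. In a real deployment the key is held by the
# central log collector, not by the host (or administrator) whose actions the
# log records; otherwise the administrator could simply re-chain the log.
CHAIN_KEY = b"example-log-chain-key-not-for-production"
GENESIS = "0" * 64


def _mac(body):
    """HMAC-SHA256 over a canonical JSON encoding of the record body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(CHAIN_KEY, canonical, hashlib.sha256).hexdigest()


def append(log, ts, user, host, event, outcome):
    """Append one record carrying the A.12.4.1 fields (who, where, when, what,
    success/failure) and chain it to the previous record's MAC."""
    body = {
        "ts": ts, "user": user, "host": host, "event": event, "outcome": outcome,
        "prev": log[-1]["mac"] if log else GENESIS,
    }
    body["mac"] = _mac(body)
    log.append(body)
    return body


def verify(log):
    """Recompute every MAC and check that each record points at its
    predecessor. Returns (ok, index of first bad record or -1)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "mac"}
        if body.get("prev") != prev or not hmac.compare_digest(_mac(body), rec.get("mac", "")):
            return False, i
        prev = rec["mac"]
    return True, -1


def demo():
    """Constructed sequence: a clean log, then the same log edited, then with
    a record deleted. Returns the three verify() results."""
    log = []
    append(log, "2024-01-01T09:00:00Z", "alice", "web01", "logon", "success")
    append(log, "2024-01-01T09:05:00Z", "root", "web01", "antivirus_disabled", "success")
    append(log, "2024-01-01T09:30:00Z", "alice", "web01", "logoff", "success")
    clean = verify(log)

    # The administrator rewrites the record of their own action...
    edited = json.loads(json.dumps(log))
    edited[1]["event"] = "antivirus_scan"
    # ...or deletes it; the next record's "prev" then no longer matches.
    deleted = json.loads(json.dumps(log))
    del deleted[1]
    return clean, verify(edited), verify(deleted)
```

The chain detects edits and deletions in the middle of the log but not removal of the most recent records; forwarding each record (or at least the latest MAC) in real time to a collector outside the administrator's control, as the text recommends, closes that gap.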
This Blog Article is posted by Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
ISO 27001 Annex : A.12.3 Backup. Its objective is to protect against loss of data.
A.12.3.1 Information backup
Control- Backup copies of information, software and system images should be taken and tested regularly in accordance with an agreed backup policy.
Implementation Guidance – A backup policy should be established to define the organization’s requirements for backup of information, software and systems. The backup policy should define the retention and protection requirements. Adequate backup facilities should be provided to ensure that all essential information and software can be recovered following a disaster or media failure.
The following things should be considered when designing a backup plan:
Accurate and complete records of the backup copies and documented restoration procedures should be produced;
The extent (e.g. full or differential backup) and frequency of backups should reflect the business requirements of the organization, the security requirements of the information involved and the criticality of the information to the continued operation of the organization;
Backups should be stored in a remote location, at a sufficient distance to escape any damage from a disaster at the main site;
Backup information should be given an appropriate level of physical and environmental protection (Refer clause 11) consistent with the standards applied at the main site;
Backup media should be regularly tested to ensure that they can be relied upon for emergency use when necessary; this should be combined with a test of the restoration procedures and checked against the restoration time required. Testing the ability to restore backed-up data should be performed onto dedicated test media, not by overwriting the original media, in case the backup or restoration process fails and causes irreparable data damage or loss;
In situations where confidentiality is of importance, backups should be protected by means of encryption.
“By failing to prepare, you are preparing to fail” -Benjamin Franklin
Operating procedures should monitor the execution of backups and address failures of scheduled backups to ensure completeness of backups according to the backup policy.
Backup arrangements for individual systems and services should be regularly tested to ensure that they meet the requirements of business continuity plans. In the case of critical systems and services, backup arrangements should cover all systems information, applications and data necessary to recover the complete system in the event of a disaster.
The retention period for essential business information should be determined, taking into account any requirement for archive copies to be permanently retained.
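Added example (not from the original article): a restore test in Python that implements the guidance above. The backup record keeps a digest manifest, the restore goes into a throwaway scratch directory rather than over the original media, and every restored file is compared with the manifest; a corrupted archive is then run through the same test. The directory layout, file contents and archive format are assumptions for illustration.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def digest_tree(root):
    """Map every file under root (path relative to root) to its SHA-256."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(src_dir, archive_path):
    """Full backup of src_dir as a gzip tarball. Returns the digest manifest,
    which belongs in the backup record so the restore can be verified later."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src_dir, arcname=".")
    return digest_tree(src_dir)


def restore_test(archive_path, manifest):
    """Restore into a throwaway scratch directory (never over the live data)
    and compare every file with the manifest. Returns (ok, list of problems)."""
    problems = []
    try:
        with tempfile.TemporaryDirectory(prefix="restore-test-") as scratch:
            with tarfile.open(archive_path, "r:gz") as tar:
                # Use the 'data' extraction filter where the interpreter has it
                # (3.12+ and security backports) to refuse members that would
                # escape the scratch directory.
                kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **kwargs)
            restored = digest_tree(scratch)
    except Exception as exc:  # any failure to read the media is a failed restore
        return False, [f"restore failed: {type(exc).__name__}: {exc}"]
    for rel, want in manifest.items():
        got = restored.get(rel)
        if got is None:
            problems.append(f"missing: {rel}")
        elif got != want:
            problems.append(f"corrupt: {rel}")
    problems += [f"unexpected: {rel}" for rel in restored if rel not in manifest]
    return not problems, problems


def demo():
    """Constructed data set: back it up, test the restore, then damage the
    archive and test again. Returns both restore_test() results."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "data")
        (src / "db").mkdir(parents=True)
        (src / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1, 'ok');\n")
        (src / "config.ini").write_bytes(b"[app]\nmode=prod\n")
        archive = Path(work, "backup.tar.gz")
        manifest = take_backup(src, archive)
        good = restore_test(archive, manifest)

        # Simulate media failure: corrupt one byte in the middle of the archive.
        data = bytearray(archive.read_bytes())
        data[len(data) // 2] ^= 0xFF
        archive.write_bytes(bytes(data))
        bad = restore_test(archive, manifest)
    return good, bad
```

The manifest is what turns a "the job finished" status into evidence that the data is recoverable; storing it alongside the backup record, and running the restore on every medium in rotation rather than only the latest one, is what the regular test in the guidance asks for.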
The well-known ISO 27001 Lead Auditor and ISO 27001 Lead Implementer certifications mainly cover the information security clauses and their implementation, i.e. the controls an organization should implement to preserve the CIA triad (Confidentiality, Integrity and Availability) and keep its critical, sensitive information secure. Infosavvy, a Mumbai-based institute, provides multi-domain certifications and training, including IRCA CQI ISO 27001:2013 Lead Auditor (LA) and ISO 27001 Lead Implementer (LI) (TÜV SÜD Certification). Infosavvy will help you understand and recognize the full scope of your organization’s security controls, protect your organization’s activities and information equipment (assets) from attacks, and illustrate the backup policy that safeguards data lost through intentional or natural hazards. Our trainers have extensive expertise and experience in the effective handling of information security. Consequently, the applicant will gain the skills necessary to conduct an ISMS audit using commonly agreed audit concepts, procedures and techniques.
ISO 27001 Annex : A.12.2 Protection from Malware. Its objective is to ensure that information and information processing facilities are protected against malware.
A.12.2.1 Controls Against Malware
Control- Detection, prevention and recovery controls to protect against malware should be implemented, combined with appropriate user awareness.
Implementation Guidance- Protection against malware should be based on malware detection and repair software, information security awareness, and appropriate system access and change management controls. The following guidance should be considered:
Establishing a formal policy prohibiting the use of unauthorized software;
Implementing controls that prevent or detect the use of unauthorized software;
Implementing controls that prevent or detect the use of known or suspected malicious websites (e.g. blacklisting);
Establishing a formal policy to protect against the risks associated with obtaining files and software either from or via external networks, indicating what protective measures should be taken;
Reducing vulnerabilities that could be exploited by malware, e.g. through management of technical vulnerabilities;
Conducting regular reviews of the software and data content of systems supporting critical business processes; the presence of any unapproved files or unauthorized amendments should be formally investigated;
Installing and regularly updating malware detection and repair software to scan computers and media as a precautionary control, or on a routine basis; the scans carried out should include:
Scanning any files received over networks or via any form of storage medium for malware before use;
Scanning e-mail attachments and downloads for malware before use; this scan should be carried out at different places, e.g. at e-mail servers, on desktop and mobile computers, and when entering the organization’s network;
Scanning web pages for malware;
Defining procedures and responsibilities to deal with malware protection on systems, training in their use, and reporting and recovering from malware attacks;
Preparing appropriate business continuity plans for recovering from malware attacks, including all necessary data and software backup and recovery arrangements;
Implementing procedures to regularly collect information, such as subscribing to mailing lists or checking websites giving information about new malware;
Implementing procedures to verify information relating to malware and to ensure that warning bulletins are accurate and informative; managers should ensure that qualified sources, e.g. reputable journals, reliable internet sites or software suppliers, are used to differentiate between hoaxes and real malware;
Isolating environments where catastrophic impacts may result.
“One single vulnerability is all an attacker needs” – Window Snyder
The organization wishes to maintain the CIA triad. It also ensures that its business operations are implemented with proper security controls to protect the confidentiality, authenticity and/or integrity of the organization’s information and information processing facilities, and to keep them free from virus or malware attacks. This malware protection control is covered in Annex A.12.2 of ISO 27001. The well-known lead auditor and lead implementer certifications cover all the annexes on information security, including the implementation of appropriate access controls so that only authorized access to the organization’s critical information is possible. Infosavvy, a Mumbai-based institute, offers certifications and training in multiple domains such as information security management and cybersecurity, including the IRCA CQI ISO 27001:2013 Lead Auditor (LA) and ISO 27001 Lead Implementer (LI) (TÜV SÜD Certification). This certification covers several audits that keep an organization safe from those who would intentionally do it harm. Infosavvy will help you understand and identify the full extent of the security controls your organization needs to protect its operations and information equipment (assets) from attacks, even at the time of their disposal. Our trainers have ample know-how and experience to make sure that information security is handled effectively. The applicant will therefore gain the skills needed to conduct an ISMS audit using commonly agreed audit concepts, procedures and techniques.
ISO 27001 Annex : A.12 Operations Security. This article explains Operational Procedures and Responsibilities, Documented Operating Procedures, Change Management, and Separation of Development, Testing and Operational Environments.
A.12.1 Operational procedures and responsibilities
Its objective is to ensure that information processing facilities operate correctly and securely.
A.12.1.1 Documented Operating Procedures
Control- Operating procedures should be documented and made available to all users who need them.
Implementation Guidance- Documented procedures should be prepared for operational activities associated with information processing and communication facilities, such as computer start-up and close-down procedures, backup, equipment maintenance, media handling, computer room and mail handling management, and safety.
The operating procedures should include the following operating instructions:
The installation and configuration of systems;
Processing and handling of information, both automated and manual;
Backup;
Scheduling requirements, including interdependencies with other systems, earliest job start and latest job completion times;
Instructions for handling errors or other exceptional conditions which might arise during job execution, including restrictions on the use of system utilities;
Support and escalation contacts, including external support contacts, in the event of unexpected operational or technical difficulties;
Special output and media handling instructions, such as the use of special stationery or the management of confidential output, including procedures for the secure disposal of output from failed jobs;
System restart and recovery procedures for use in the event of system failure;
The management of audit-trail and system log information;
Operating procedures and the documented procedures for system activities should be treated as formal documents, and changes to them should be authorized by management. Where technically feasible, information systems should be managed consistently, using the same procedures, tools and utilities.
This article explains ISO 27001 Annex : A.11.2.7 Secure Disposal or Re-use of Equipment, A.11.2.8 Unattended User Equipment & A.11.2.9 Clear Desk and Clear Screen Policy.
A.11.2.7 Secure Disposal or Re-use of Equipment
Control- All items of equipment containing storage media should be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.
Implementation Guidance- Equipment should be verified to determine whether or not storage media is contained prior to disposal or re-use. Storage media containing confidential or copyrighted information should be physically destroyed, or the information should be destroyed, deleted or overwritten using techniques that make the original information non-retrievable, rather than using the standard delete or format function.
Other information- Damaged equipment containing storage media may require a risk assessment to determine whether the items should be physically destroyed rather than sent for repair or discarded. Information can be compromised through careless disposal or re-use of equipment.
In addition, full-disk encryption reduces the risk of disclosure of confidential information when equipment is disposed of or redeployed, provided that:
The encryption process is strong enough and covers the entire disk (including slack space, swap files, etc.);
The encryption keys are long enough to resist brute-force attacks;
The encryption keys are themselves kept confidential (e.g. never stored on the same disk). (Refer Clause 10)
Techniques for securely overwriting storage media differ according to the storage media technology. Overwriting tools should be reviewed to make sure that they are applicable to the technology of the storage media.
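Added example, not part of the original article: overwriting a file in place before deleting it, with the caveat from the text (that overwriting is only meaningful for some media technologies) recorded where the routine is used. The path, file contents and marker string are assumptions for illustration.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024
# Constructed sample content for the demonstration.
SECRET_LINE = b"customer-db-password=CorrectHorseBatteryStaple\n"


def overwrite_in_place(path, passes=1):
    """Overwrite every byte of the file with random data and force it to the
    device with fsync. Returns the number of bytes covered per pass."""
    size = os.path.getsize(path)
    fd = os.open(path, os.O_WRONLY)
    try:
        for _ in range(passes):
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining:
                buf = secrets.token_bytes(min(CHUNK, remaining))
                remaining -= len(buf)
                while buf:                       # os.write may write only part
                    buf = buf[os.write(fd, buf):]
            os.fsync(fd)
    finally:
        os.close(fd)
    return size


def sanitize_and_delete(path, marker):
    """Overwrite, check that the marker is no longer readable from the file,
    then unlink. Returns (bytes overwritten, marker gone, file still exists).
    Caveat, as the text notes: this only works on media where a logical
    overwrite replaces the physical data. SSDs with wear levelling,
    copy-on-write or journaling file systems, snapshots and cloud block stores
    may retain old blocks; there, destroying the full-disk encryption key
    (crypto-erase) or physically destroying the media is the right control."""
    overwritten = overwrite_in_place(path)
    with open(path, "rb") as f:
        marker_gone = marker not in f.read()
    os.unlink(path)
    return overwritten, marker_gone, os.path.exists(path)


def demo():
    """Write a constructed secret to a temporary file and sanitize it."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as f:
        f.write(SECRET_LINE * 2000)
    return sanitize_and_delete(path, b"CorrectHorse")
```

The read-back check verifies only that the file system no longer returns the old bytes; it says nothing about copies in snapshots, backups or remapped flash blocks, which is exactly why the guidance asks for the overwriting tool to be reviewed against the media technology.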
A.11.2.8 Unattended User Equipment
Control- Users should ensure that unattended equipment has appropriate protection.
Implementation Guidance- All users should be made aware of the security requirements and procedures for protecting unattended equipment, as well as their responsibilities for implementing such protection. Users should be advised to:
Terminate active sessions when finished, unless they can be secured by an appropriate locking mechanism, e.g. a password-protected screen saver;
Log off from applications or network services when they are no longer needed;
Secure computers or mobile devices from unauthorized use by a key lock or an equivalent control, e.g. password access, when not in use.
The organization wishes its information and equipment to remain within the CIA triad. It also ensures that security controls are properly and efficiently implemented to protect the confidentiality, authenticity and/or integrity of the organization’s information and information processing facilities, even at the time of their disposal. The disposal or re-use of any device containing storage media is covered by control A.11.2.7 of ISO 27001 Annex A, with implementation guidance in clause 11.2 of ISO 27002.
A.11.2.9 Clear Desk and Clear Screen Policy
Control- A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities should be adopted.
Implementation Guidance- The clear desk and clear screen policy should take into account the organization’s information classifications, legal and contractual requirements, and the corresponding risks and cultural aspects. The following guidelines should be considered:
Sensitive or critical business information (e.g. on paper or on electronic storage media) should be locked away (ideally in a safe, cabinet or other form of security furniture) when not required, especially when the office is vacated;
Computers and terminals should be left logged off, or protected with a screen and keyboard locking mechanism controlled by a password, token or similar user authentication mechanism, when unattended;
Unauthorized use of photocopiers and other reproduction technology (e.g. scanners, digital cameras) should be prevented;
Media containing sensitive or classified information should be removed from printers immediately.
Other Information- A clear desk/clear screen policy reduces the risks of unauthorized access to, loss of, and damage to information during and outside normal working hours. Safes or other forms of secure storage may also protect the information stored in them against disasters such as earthquakes, floods or explosions.
Consider the use of printers with a PIN-code function, so that only the originators can collect their print-outs, and only when standing next to the printer.
Understand the Importance of Network Forensics. In this article, network forensics is the implementation of sniffing, recording, acquisition and analysis of network traffic and event logs to investigate a network security incident. Capturing traffic on a network is simple in theory but relatively complex in practice, for inherent reasons such as the large volume of data flow and the complex nature of Internet protocols. Recording network traffic requires a lot of resources. It is often not possible to record all the data flowing through the network because of its volume, and the recorded data then needs to be backed up to free the recording media and to allow future analysis.
The analysis of recorded data is the most critical and time-consuming task. There are many automated analysis tools for forensic purposes, but they are insufficient, as there is no foolproof method to recognize bogus traffic generated by an attacker from a pool of genuine traffic. Human judgment is also critical because with automated traffic analysis tools, there is always a chance of false positives.
Network forensics is necessary in order to determine the type of attack over a network and to trace the culprit. A proper investigation process is required to produce the evidence recovered during the investigation in the court of law.
Postmortem Analysis
Investigators perform a postmortem of logs to detect something that has already occurred in a network or device and to determine what it was.
Here, an investigator can go through the log files any number of times to examine and check the flow of previous activity. Compared to real-time analysis, it is an exhaustive process, since the investigators need to examine the attack in detail and produce a final report.
Real-Time Analysis
Real-time analysis is an ongoing process, which returns results simultaneously, so that the system or operators can respond to the attacks immediately.
Real-time analysis is performed on an ongoing process. It is more effective the faster the investigators or administrators detect the attack. In this analysis, unlike postmortem analysis, the investigator gets to go through the log data only once to evaluate the attack.
Network Vulnerabilities
The massive technological advances in networking have also led to a rapid increase in the complexity and vulnerabilities of networks. The only thing that a user can do is minimize these vulnerabilities, since the complete removal of the vulnerabilities is not possible. There are various internal and external factors that make a network vulnerable.
Internal network vulnerabilities
Internal network vulnerabilities arise from overextension of bandwidth and from bottlenecks.
Overextension of bandwidth: Overextension of bandwidth occurs when user demand exceeds the total resources available.
Bottlenecks: Bottlenecks usually occur when user demand exceeds the resources available in particular sectors of the network.
Network management systems direct these problems to the log or to other management software. System administrators examine these systems and identify the location of network slowdowns. Using this information, they reroute traffic within the network architecture to improve the speed and functionality of the network.
External network vulnerabilities
External network vulnerabilities arise from threats such as DoS/DDoS attacks and network data interception. DoS and DDoS attacks originate from one or many attacking sources. These attacks slow down or disable the network and are considered one of the most serious threats a network faces. To reduce their impact, use network performance monitoring tools that alert the user or the administrator to an attack.
Data interception is a common vulnerability of LANs and WLANs. In this type of attack, an attacker intrudes into a session and monitors or edits the network data in order to access or alter network operations. To minimize these attacks, the user or administrator needs to deploy user authentication systems and firewalls to keep unauthorized users from accessing the network.
Network attacks:
1. Eavesdropping
Eavesdropping is the interception of unsecured connections in order to steal personal information, which is illegal.
2. Data Modification
Once the intruder gets access to sensitive information, his or her first step is to alter the data. This problem is referred to as a data modification attack.
3. IP Address Spoofing
IP spoofing is a technique used to gain unauthorized access to a computer. Here, the attacker sends messages to the computer with an IP address that indicates the messages are coming from a trusted host.
4. Denial of Service (DoS)
In a DoS attack, the attacker floods the target with huge amount of invalid traffic, thereby leading to exhaustion of the resources available on the target. The target then stops responding to further incoming requests, thereby leading to denial of service to the legitimate users.
5. Man-in-the-Middle Attack
In man-in-the-middle attacks, the attacker makes independent connections with the users/victims and relays messages between them, making them believe that their conversation is direct.
6. Packet Sniffing
Sniffing refers to the process of capturing traffic flowing through a network with the aim of obtaining sensitive information such as usernames and passwords and using it for illegitimate purposes. A packet sniffer captures the packets traversing the network. Software tools such as Cain & Abel serve this purpose.
7. Enumeration
Enumeration is the process of gathering information about a network that may help in an attacking the network. Attackers usually perform enumeration over the Internet. During enumeration, the following information is collected:
Topology of the network
List of live hosts
Architecture and the kind of traffic (for example, TCP, UDP, IPX)
Potential vulnerabilities in host systems
8. Session Hijacking
A session hijacking attack refers to the exploitation of a session-token generation mechanism or token security controls, such that the attacker can establish an unauthorized connection with a target server.
9. Buffer Overflow
Buffers have a finite data storage capacity. If the amount of data written exceeds the capacity of a buffer, a buffer overflow occurs. Programs must therefore check the length of incoming data and reject or redirect whatever does not fit. Otherwise, the extra data overflows into neighboring memory, destroying or overwriting valid data.
10. Email Infection
This attack uses emails as a means to attack a network. Email spamming and other means are used to flood a network and cause a DoS attack.
11. Malware Attacks
Malware is a kind of malicious code or software designed to damage the system. Attackers try to install the malware on the targeted system; once the user installs it, it damages the system.
12. Password-based attacks
A password-based attack is a process in which the attacker makes numerous login attempts against a system or application in order to reproduce a valid login and gain access.
13. Router attacks
It is the process of an attacker attempting to compromise the router and gaining access to it.
Attacks specific to wireless networks:
1. Rogue Access PointAttack
Attackers or insiders create a backdoor into a trusted network by installing an unsecured access point inside a firewall. They then use any software or hardware access point to perform this kind of attack.
2. Client Mis-association
The client may connect or associate with an AP outside the legitimate network either intentionally or accidentally. An attacker who can connect to that network intentionally and proceed with malicious activities can misuse this situation. This kind of client mis-association can lead to access control attacks.
3. Misconfigured Access Point Attack
This attack occurs due to the misconfiguration of the wireless access point. This is the easiest vulnerability the attacker can exploit. Upon successful exploitation, the entire network could be open to vulnerabilities and attacks. One of the means of causing the misconfiguration is to apply default usernames and passwords to use the access point.
4. Unauthorized Association
In this attack, the attacker takes advantage of soft access points, which are WLAN radios present in some laptops. The attacker can activate these access points in the victim’s system through a malicious program and gain access to the network.
5. Ad Hoc Connection Attack
In an ad hoc connection attack, the attacker carries out the attack using a USB adapter or wireless card. In this method, the host connects with an unsecured station to attack a particular station or evade access point security.
6. Honeypot Access Point Attack
If multiple WLANs co-exist in the same area, a user can connect to any available network. Such multiple WLANs are highly vulnerable to attacks. Normally, when a wireless client switches on, it probes nearby wireless networks for a specific SSID. An attacker takes advantage of this behavior of wireless clients by setting up an unauthorized wireless network using a rogue AP. This AP has high-power (high-gain) antennas and uses the same SSID as the target network. Users who regularly connect to multiple WLANs may connect to the rogue AP. These APs mounted by the attacker are “honeypot” APs. They transmit a stronger beacon signal than the legitimate APs, so NICs searching for the strongest available signal may connect to the rogue AP. If an authorized user connects to a honeypot AP, it creates a security vulnerability and reveals sensitive user information such as identity, user name and password to the attacker.
7. AP MAC Spoofing
Using the MAC spoofing technique, the attacker can reconfigure the MAC address in such a way that it appears to be an authorized access point to a host on a trusted network. The tools used for this kind of attack include changemac.sh, SMAC and Wicontrol.
8. Jamming Signal Attack
In this attack, the attacker jams the Wi-Fi signals to stop all legitimate traffic from using the access point. The attacker blocks the signals by sending huge amounts of illegitimate traffic to the access point using certain tools.
Where to Look for Evidence
Logs contain events associated with all the activities performed on a system or a network. Analyzing these logs therefore helps investigators trace back the events that have occurred. Logs collected from network devices and applications serve as evidence for investigating network security incidents. Investigators therefore need knowledge of network fundamentals, the TCP/IP model and the layers in that model.
Transmission Control Protocol/Internet Protocol (TCP/IP) is a communication protocol used to connect different hosts in the Internet. Every system that sends and receives information has a TCP/IP program, and the TCP/IP program has two layers:
Higher Layer: It manages the information sent and received in the form of small data packets sent over Internet and joins all those packets as a main message.
Lower Layer: It handles the address of every packet so that they all reach the right destination.
The TCP/IP model and the OSI seven-layer model are similar in appearance. As shown in the above figure, the Data Link Layer and Physical Layer of the OSI model together form the Network Access Layer of the TCP/IP model, and the Application Layer, Presentation Layer and Session Layer together form the Application Layer of the TCP/IP model.
Layer 1: Network Access Layer
This is the lowest layer in the TCP/IP model. This layer defines how to use the network to transfer data. It includes protocols such as Frame Relay, SMDS, Fast Ethernet, SLIP, PPP, FDDI, ATM, Ethernet, ARP, etc., which help the machine deliver the desired data to other hosts in the same network.
Layer 2: Internet Layer
This is the layer above Network Access Layer. It handles the movement of data packet over a network, from source to destination. This layer contains protocols such as Internet Protocol (IP), Internet Control Message Protocol (ICMP), Address Resolution Protocol (ARP), Internet Group Management Protocol (IGMP), etc. The Internet Protocol (IP) is the main protocol used in this layer.
Layer 3: Transport Layer
Transport Layer is the layer above the Internet Layer. It serves as the backbone for data flow between two devices in a network. The transport layer allows peer entities on the source and destination devices to carry on a communication. This layer uses many protocols, among which Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) are the most widely used. TCP is preferable in case of reliable connections, while UDP can handle non-reliable connections.
Layer 4: Application Layer
This is the topmost layer of the TCP/IP protocol suite. This layer includes all processes that use the Transport Layer protocols, especially TCP and UDP, to deliver data. This layer contains many protocols, with HTTP, Telnet, FTP, SMTP, NFS, TFTP, SNMP, and DNS being the most widely used ones.
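Added example (not from the original article): decoding a single captured frame layer by layer, in the order the four TCP/IP layers above describe, as an investigator working from a packet capture would. The frame is constructed inline with a valid IPv4 header checksum, so the check that flags modified or crafted packets can be seen both passing and failing; the MAC addresses, the documentation-range IP addresses and the HTTP request are assumptions.

```python
import struct
from ipaddress import IPv4Address


def ipv4_checksum(header):
    """RFC 791 ones-complement checksum. Over a header whose checksum field is
    already filled in, a correct header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_ethernet(frame):
    """Network Access layer: 14-byte Ethernet II header."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    fmt = lambda b: ":".join(f"{x:02x}" for x in b)
    return {"dst": fmt(dst), "src": fmt(src), "ethertype": ethertype}, frame[14:]


def decode_ipv4(packet):
    """Internet layer: 20-byte IPv4 header plus options (length from IHL)."""
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {"version": ver_ihl >> 4, "ihl": ihl, "total_len": total_len, "ttl": ttl,
            "proto": proto, "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "checksum_ok": ipv4_checksum(packet[:ihl]) == 0}
    return info, packet[ihl:total_len]


def decode_tcp(segment):
    """Transport layer: 20-byte TCP header plus options (length from data offset)."""
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_off = (off_flags >> 12) * 4
    bits = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))
    flags = [name for bit, name in bits if off_flags & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window}, segment[data_off:]


def decode_frame(frame):
    """Walk the TCP/IP layers of one captured frame and return what each yields."""
    layers = {}
    layers["eth"], payload = decode_ethernet(frame)
    if layers["eth"]["ethertype"] != 0x0800:
        return layers  # only IPv4 is handled here
    layers["ip"], payload = decode_ipv4(payload)
    if layers["ip"]["proto"] != 6:
        return layers  # only TCP is handled here
    layers["tcp"], payload = decode_tcp(payload)
    layers["payload_len"] = len(payload)
    if 80 in (layers["tcp"]["sport"], layers["tcp"]["dport"]) and payload:
        # Application layer: for HTTP the first line is the request or status line
        layers["http"] = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return layers


def build_sample_frame():
    """Constructed sample capture: one HTTP GET from 192.0.2.10 to 198.51.100.7."""
    payload = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    tcp = struct.pack("!HHIIHHHH", 51234, 80, 1000, 2000, 0x5018, 65535, 0, 0)  # offset 5, PSH|ACK
    total_len = 20 + len(tcp) + len(payload)
    src, dst = IPv4Address("192.0.2.10").packed, IPv4Address("198.51.100.7").packed
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0, src, dst))
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))  # fill in the header checksum
    eth = bytes.fromhex("00163e001122") + bytes.fromhex("00163e003344") + struct.pack("!H", 0x0800)
    return eth + bytes(ip) + tcp + payload
```

Each decoder returns the next layer's bytes along with the fields it parsed, which is the same peeling that tools such as Wireshark perform; the checksum field is one of the first things to inspect when a capture contains packets that a host on the wire should never have emitted.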
Log Files as Evidence
In network forensic investigation, information log files help the investigators lead to the perpetrator. Log files contain valuable data about all the activities performed on the system. Different sources on a network/device produce their respective log files. These sources may be operating systems, IDS, firewall, etc. Comparing and relating the log events help the investigators deduce how the intrusion occurred. The log files collected as evidence need to comply with certain laws to be acceptable in the court; additionally, an expert testimony is required to prove that the log collection and maintenance occurred in the admissible manner
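Added example (not from the original article): detection logic run over constructed sshd log lines, illustrating the password-based attacks listed earlier and the use of log files as evidence. It counts failed logins per source address in a sliding window and flags a successful login that follows such a burst, which is the record an investigator most wants to find. The log lines, thresholds and the year assumed for the syslog timestamps are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: syslog-format sshd lines such as an investigator would
# pull from /var/log/auth.log. A non-sshd line is included to show that
# unrelated records are skipped rather than breaking the parser.
SAMPLE_LOG = """\
Jan 10 09:00:01 web01 sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2
Jan 10 09:00:02 web01 sshd[2002]: Failed password for invalid user test from 203.0.113.5 port 51002 ssh2
Jan 10 09:00:03 web01 sshd[2003]: Failed password for root from 203.0.113.5 port 51003 ssh2
Jan 10 09:00:04 web01 sshd[2004]: Failed password for alice from 203.0.113.5 port 51004 ssh2
Jan 10 09:00:05 web01 CRON[3000]: pam_unix(cron:session): session opened for user root
Jan 10 09:00:05 web01 sshd[2005]: Failed password for alice from 203.0.113.5 port 51005 ssh2
Jan 10 09:00:06 web01 sshd[2006]: Failed password for alice from 203.0.113.5 port 51006 ssh2
Jan 10 09:00:12 web01 sshd[2011]: Accepted password for alice from 203.0.113.5 port 51011 ssh2
Jan 10 09:05:00 web01 sshd[2100]: Accepted publickey for bob from 198.51.100.20 port 40000 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(line, year=2024):
    """Return a dict for a login event line, or None for anything else.
    Syslog timestamps carry no year, so the year of the capture is supplied."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return {"ts": ts, "host": m["host"], "ok": m["result"] == "Accepted",
            "method": m["method"], "user": m["user"], "ip": m["ip"]}


def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window count of failures per source address. Emits one
    'brute_force' alert when a source reaches the threshold inside the window,
    and a 'success_after_failures' alert when that source then logs in, the
    indicator that the guessing may have worked."""
    events = [e for e in map(parse, lines) if e]
    events.sort(key=lambda e: e["ts"])
    failures = defaultdict(deque)
    flagged, alerts = set(), []
    for e in events:
        q = failures[e["ip"]]
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if not e["ok"]:
            q.append(e["ts"])
            if len(q) >= threshold and e["ip"] not in flagged:
                flagged.add(e["ip"])
                alerts.append(("brute_force", e["ip"], len(q)))
        elif len(q) >= threshold:
            alerts.append(("success_after_failures", e["ip"], e["user"]))
    return alerts


def demo():
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())
```

Sorting by timestamp before the pass matters when lines from several hosts are merged; for the records to hold up as evidence, the original files should be hashed and preserved and this analysis run on copies.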
ISO 27001 Annex : A.11.2 Equipment Its objective is to prevent loss, damage, theft or compromise of assets and interruption to the organization's operations.
A.11.2.1 Equipment Siting and Protection
Control- Equipment should be sited and protected to reduce the risks from environmental threats and hazards, and the opportunities for unauthorized access.
Implementation Guidance- The following guidelines should be considered to protect equipment:
Equipment should be sited so as to minimize unnecessary access into work areas;
Information processing facilities handling sensitive data should be positioned carefully to reduce the risk of information being viewed by unauthorized persons during their use;
Storage facilities should be secured to avoid unauthorized access;
Items requiring special protection should be safeguarded separately to reduce the general level of protection required;
Controls should be adopted to minimize the risk of potential physical and environmental threats such as theft, fire, explosives, smoke, water, dust, vibration, chemical effects, electrical supply interference, communications interference, electromagnetic radiation and vandalism;
Guidelines for eating, drinking and smoking in proximity to information processing facilities should be established;
Environmental conditions, such as temperature and humidity, should be monitored for conditions which could adversely affect the operation of information processing facilities;
Lightning protection should be applied to all buildings, and lightning protection filters should be fitted to all incoming power and communications lines;
Equipment processing sensitive information should be protected to minimize the risk of information leakage due to electromagnetic emanation;
Special protection methods, such as keyboard membranes, should be considered for equipment in industrial environments.
The organization wants its information to remain within the CIA triad, and it ensures that physical security controls are properly and efficiently implemented to protect the confidentiality, authenticity and/or integrity of its information and information processing facilities. Physical and environmental protection is covered in Annex A.11 of ISO 27001. The well-known Lead Auditor and Lead Implementer certifications cover all the annexes of information security, including the implementation of appropriate access controls so that only authorized access is possible. Infosavvy, a Mumbai-based institute, offers certifications and training in multiple domains such as information security management and cybersecurity, including the IRCA CQI ISO 27001:2013 Lead Auditor (LA) and ISO 27001 Lead Implementer (LI) (TÜV SÜD Certification). This certification covers the audits an organization should perform to keep itself safe from would-be attackers. Infosavvy will help you understand and identify the full extent of physical and environmental security your organization needs to protect its operations from attack. Our trainers have ample knowledge and experience to ensure that information security is handled effectively. Candidates will therefore gain the skills needed to conduct an ISMS audit using generally accepted audit concepts, procedures and techniques.
A.11.2.2 Supporting Utilities
Control- Equipment should be protected from power failures and other disruptions caused by failures in supporting utilities.
Implementation Guidance- Supporting utilities (e.g. electricity, telecommunications, water supply, gas, sewage, ventilation and air conditioning) should:
conform to the equipment manufacturer's specifications and to local legal requirements;
be appraised regularly for their capacity to meet business growth and their interactions with other supporting utilities;
be inspected and tested regularly to ensure they are functioning properly;
be fitted with alarms to detect malfunctions, where necessary;
have multiple feeds with diverse physical routing, where necessary.
Emergency lighting and communications should be provided. Emergency switches and valves to cut off power, water, gas or other utilities should be located near emergency exits or equipment rooms.
Other Information- Additional redundancy for network connectivity can be obtained by means of multiple routes from more than one utility provider.
Control- Power and telecommunications cabling carrying data or supporting information services should be protected from interception, interference or damage.
Implementation Guidance- The following guidelines for cabling security should be considered:
power and telecommunications lines into information processing facilities should be underground where possible, or subject to adequate alternative protection;
power cables should be segregated from communications cables to prevent interference;
This article explains ISO 27001 Annex A.11.1.3 Securing Offices, Rooms and Facilities, A.11.1.4 Protecting Against External and Environmental Threats, A.11.1.5 Working in Secure Areas and A.11.1.6 Delivery and Loading Areas.
A.11.1.3 Securing Offices, Rooms and Facilities
Control- Physical security for offices, rooms and facilities should be designed and applied.
Implementation Guidance- The following guidelines for securing offices, rooms and facilities should be considered:
Key facilities should be sited to avoid access by the public;
Where applicable, buildings should be unobtrusive and give the minimum indication of their purpose, with no obvious signs, outside or inside the building, identifying the presence of information processing activities;
Facilities should be configured so that confidential information and activities are not visible or audible from outside. Electromagnetic shielding should also be considered as appropriate;
Directories and internal telephone books identifying the locations of confidential information processing facilities should not be readily accessible to unauthorized persons.
A.11.1.4 Protecting Against External and Environmental Threats
Control- Physical protection against natural disasters, malicious attack or accidents should be designed and applied.
Implementation Guidance- Specialist advice should be obtained on how to avoid damage from fire, flood, earthquake, explosion, civil unrest and other forms of natural or man-made disaster.
“When you gamble with safety, you bet your life”
A.11.1.5 Working in Secure Areas
Control- Procedures for working in secure areas should be designed and applied.
Implementation Guidance- The following guidelines should be considered:
Personnel should be aware of the existence of, or activities within, a secure area only on a need-to-know basis;
Unsupervised working in secure areas should be avoided, both for safety reasons and to prevent opportunities for malicious activity;
Vacant secure areas should be physically locked and periodically reviewed;
Photographic, video, audio or other recording equipment, such as cameras in mobile devices, should not be allowed unless authorized.
The arrangements for working in secure areas include controls for the employees and external party users working there, and they cover all activities taking place in the secure area.
Control- Access points such as delivery and loading areas, and other points where unauthorized persons could enter the premises, should be controlled and, where possible, isolated from information processing facilities to avoid unauthorized access.
Implementation guidance- The following guidelines should be considered:
Access to a delivery and loading area from outside the building should be restricted to identified and authorized personnel;
The delivery and loading area should be designed so that supplies can be loaded and unloaded without delivery personnel gaining access to other parts of the building;
The external doors of a delivery and loading area should be secured when the internal doors are opened;
Incoming material should be inspected and examined for explosives, chemicals or other hazardous materials before it is moved from the delivery and loading area;
ISO 27001 Annex : A.11 Physical and Environmental Security. This article explains Secure Areas, Physical Security Perimeter and Physical Entry Controls.
A.11.1 Secure areas
Its objective is to prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities.
A.11.1.1 Physical Security Perimeter
Control- Security perimeters should be defined and used to protect areas that contain either sensitive or critical information and information processing facilities.
Implementation Guidance- Where appropriate, the following guidelines for physical security perimeters should be considered and implemented:
Security perimeters should be defined, and the siting and strength of each perimeter should depend on the security requirements of the assets within the perimeter and on the results of a risk assessment;
The perimeters of a building or site containing information processing facilities should be physically sound (i.e. there should be no gaps in the perimeter or areas where a break-in could easily occur); the exterior roof, walls and flooring of the site should be of solid construction, and all external doors should be suitably protected against unauthorized access with control mechanisms (e.g. bars, alarms, locks); doors and windows should be locked when unattended, and external protection should be considered for windows, particularly at ground level;
A manned reception area or other means of controlling physical access to the site or building should be in place; access to sites and buildings should be restricted to authorized personnel only;
Physical barriers should, where applicable, be built to prevent unauthorized physical access and environmental contamination;
All fire doors on a security perimeter should be alarmed, monitored and tested in conjunction with the walls to establish the required level of resistance in accordance with suitable regional, national and international standards; they should operate in a failsafe manner in accordance with the local fire code;
Suitable intrusion detection systems should be installed to national, regional or international standards and regularly tested to cover all external doors and accessible windows; unoccupied areas should be alarmed at all times;
Information processing facilities managed by the organization should be physically separated from those managed by external parties.
Other Information- Physical protection can be achieved by creating one or more physical barriers around the organization's premises and information processing facilities. Using multiple barriers gives additional protection, because the failure of a single barrier does not mean that security is immediately compromised.
A secure area may be a lockable office or several rooms surrounded by a continuous internal physical security barrier. Additional barriers and perimeters to control physical access may be needed between areas with different security requirements inside the security perimeter. Special attention to physical access security should be given in the case of buildings holding assets for multiple organizations.
The application of physical controls, especially for secure areas, should be adapted to the technical and economic circumstances of the organization, as set out in the risk assessment.
Control- Secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
Implementation Guidance- The following guidelines should be considered:
The date and time of entry and departure of visitors should be recorded, and all visitors should be supervised unless their access has been previously approved; access should be granted only for specific, authorized purposes, and visitors should be issued with instructions on the security requirements of the area and on emergency procedures. The identity of visitors should be authenticated by an appropriate means;
Access to areas where confidential information is processed or stored should be restricted to authorized individuals only by implementing appropriate access controls, e.g. a two-factor authentication mechanism such as an access card and a secret PIN;
A physical logbook or electronic audit trail of all access should be securely maintained and monitored;
ISO 27001 Annex : A.10 Cryptography. This article explains Cryptographic Controls, the Policy on the Use of Cryptographic Controls and Key Management.
A.10.1 Cryptographic controls
Its objective is to ensure the proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.
A.10.1.1 Policy on the Utilization of Cryptographic Controls
Control- A policy on the use of cryptographic controls for the protection of information should be developed and implemented.
Implementation Guidance- The following should be considered when developing a cryptographic policy:
The management approach to the use of cryptographic controls across the organization, including the general principles under which business information should be protected;
Based on a risk assessment, the required level of protection should be identified, taking into account the type, strength and quality of the encryption algorithm required;
The use of encryption to protect information transported by mobile or removable media devices or across communication lines;
The approach to key management, including methods to deal with the protection of cryptographic keys and the recovery of encrypted information in the case of lost, compromised or damaged keys;
Roles and responsibilities, e.g. who is responsible for implementing the policy and for key management, including key generation;
The standards to be adopted for effective implementation throughout the organization (which solution is used for which business processes);
The impact of using encrypted information on controls that rely on content inspection (e.g. malware detection).
When implementing the organization's cryptographic policy, consideration should be given to the regulations and national restrictions that may apply to the use of cryptographic techniques in different parts of the world, and to the issues of trans-border flow of encrypted information.
Cryptographic controls can be used to achieve specific information security objectives, e.g.:
Confidentiality: using encryption of information to protect sensitive or critical information, either stored or transmitted;
Integrity/authenticity: using digital signatures or message authentication codes to verify the authenticity or integrity of stored or transmitted sensitive or critical information;
Non-repudiation: using cryptographic techniques to provide evidence of the occurrence or non-occurrence of an event or action;
Authentication: using cryptographic techniques to authenticate users and other system entities requesting access to, or transacting with, system users, entities and resources.
“Cryptography is the ultimate form of non-violent direct action” – Julian Assange
Other Information- Deciding whether a cryptographic solution is appropriate should be seen as part of the wider process of risk assessment and selection of controls. That assessment can then be used to determine whether a cryptographic control is appropriate, what type of control should be applied, and for what purpose and which business processes.
A policy on the use of cryptographic controls is necessary to maximize the benefits and minimize the risks of using cryptographic techniques, and to avoid inappropriate or incorrect use. Specialist advice should be sought when selecting appropriate cryptographic controls to meet the objectives of the information security policy.
The organization aims to keep its information within the CIA triad, and it ensures the proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of its information and information processing facilities. Annex A.10 covers the cryptographic controls, and the policies governing them, that an organization should implement and maintain over their entire life cycle.
Control- A policy on the use, protection and lifetime of cryptographic keys should be developed and implemented through their whole life cycle.
Implementation Guidance- The policy should include requirements for managing cryptographic keys through their whole life cycle, including generating, storing, archiving, retrieving, distributing, retiring and destroying keys.
Cryptographic algorithms, key lengths and usage practices should be selected according to best practice. Appropriate key management requires secure processes for generating, storing, archiving, retrieving, distributing, retiring and destroying cryptographic keys. All cryptographic keys should be protected against modification and loss. In addition, secret and private keys need protection against unauthorized use as well as disclosure. The equipment used to generate, store and archive keys should be physically protected.
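The integrity/authenticity objective listed earlier and the key life cycle described just above can be shown together in one small piece of code. The following is an added example, not code from the article or from the standard: it keeps HMAC-SHA256 keys in a minimal store with explicit states (active, retired, destroyed), generates key material from the operating system's CSPRNG, refuses to sign with anything but the active key (protection against unauthorized use), still verifies archived tokens under a retired key, and can verify nothing once the key is destroyed. The key id embedded in each token and the `KeyStore` class are constructs of this example. Note the caveat a practitioner should keep in mind: a MAC is symmetric, so it gives integrity and authenticity between parties who share the key but not non-repudiation; for that objective a digital signature with a private key held by one party is needed.

```python
import hashlib
import hmac
import secrets


class KeyStore:
    """Symmetric MAC keys tracked through a simple life cycle:
    generate -> active (sign + verify) -> retired (verify only) -> destroyed (nothing)."""

    def __init__(self):
        self._keys = {}      # key id -> {"key": bytes or None, "state": str}
        self._active = None  # the single key id currently allowed to sign

    def generate(self, nbytes: int = 32) -> str:
        """Create a fresh key from the OS CSPRNG; generating a new key retires the previous active one."""
        kid = "k%03d" % (len(self._keys) + 1)
        if self._active is not None:
            self._keys[self._active]["state"] = "retired"
        self._keys[kid] = {"key": secrets.token_bytes(nbytes), "state": "active"}
        self._active = kid
        return kid

    def destroy(self, kid: str) -> None:
        """End of life: the key material is dropped, so tokens made under it can no longer be verified."""
        self._keys[kid] = {"key": None, "state": "destroyed"}
        if self._active == kid:
            self._active = None

    def state(self, kid: str) -> str:
        return self._keys[kid]["state"]

    def active_kid(self):
        return self._active

    def key_material(self, kid: str):
        entry = self._keys.get(kid)
        return entry["key"] if entry else None


def _mac(key: bytes, kid: str, message: bytes) -> str:
    # Bind the key id into the MAC so a token cannot be presented under a different key id
    return hmac.new(key, kid.encode() + b"\x00" + message, hashlib.sha256).hexdigest()


def sign(store: KeyStore, message: bytes, kid: str = None) -> str:
    """Return 'kid.hexmac'. Only the active key may sign; retired and destroyed keys are refused."""
    kid = kid or store.active_kid()
    if kid is None or store.state(kid) != "active":
        raise PermissionError("key %s is not active for signing" % kid)
    return kid + "." + _mac(store.key_material(kid), kid, message)


def verify(store: KeyStore, message: bytes, token: str) -> bool:
    """Recompute the MAC under the key named in the token. Active and retired keys may verify, so
    archived data stays checkable; a destroyed or unknown key cannot. Comparison is constant-time."""
    try:
        kid, expected = token.split(".", 1)
    except ValueError:
        return False
    key = store.key_material(kid)
    if key is None:
        return False
    return hmac.compare_digest(_mac(key, kid, message), expected)


if __name__ == "__main__":
    ks = KeyStore()
    k1 = ks.generate()
    msg = b"transfer 100 to account 42"
    token = sign(ks, msg)
    print("original verifies:", verify(ks, msg, token))
    print("altered amount verifies:", verify(ks, b"transfer 900 to account 42", token))
    k2 = ks.generate()  # rotation: k1 becomes verify-only, k2 signs from now on
    print(k1, "is", ks.state(k1), "- archived token still verifies:", verify(ks, msg, token))
    ks.destroy(k1)
    print("after destroying", k1, "- archived token verifies:", verify(ks, msg, token))
```

The two behaviours worth noticing are that rotation does not invalidate existing data (a retired key keeps verifying until it is deliberately destroyed, which is why the policy has to say how long that is), and that the failure mode of a lost or destroyed key is loss of verifiability, not a false positive: `verify` returns False rather than raising, so callers treat an unverifiable record the same as a tampered one.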