ISO 27001

ISO 27001 Annex : A.10 Cryptography

This article on ISO 27001 Annex : A.10 Cryptography explains Cryptographic Controls, the Policy on the Utilization of Cryptographic Controls, and Key Management.

A.10.1 Cryptographic controls

Its objective is to ensure the proper and efficient use of cryptography to protect the confidentiality, authenticity and/or integrity of the information.

A.10.1.1 Policy on the Utilization of Cryptographic Controls

Control- A policy on the use of cryptographic controls to secure information should be developed and enforced.

Implementation Guidance- The following should be considered when designing a cryptographic policy:

  1. A management approach to the use of cryptographic controls across the organization, including the general principles by which business information should be protected;
  2. Based on the risk assessment, the required level of protection should be determined, taking into account the type, strength, and quality of the encryption algorithm required;
  3. Use of encryption to protect information transported by mobile or portable media devices or over communication lines;
  4. Approach to key management, including methods for protecting cryptographic keys and recovering encrypted information in the event of lost, compromised or damaged keys;
  5. Roles and responsibilities, e.g. who is responsible for implementing the policy and for key management, including key generation;
  6. The standards to be adopted in the organization for effective implementation (which solution is used for which business processes);
  7. The effect of encrypted information on controls that rely on content inspection (e.g. malware detection).

When enforcing the cryptographic policy of the organization, consideration should be given to regulations and national restrictions that may relate to the use of cryptographic techniques in different parts of the world and to issues relating to the trans-border flow of encrypted information.


Specific information security objectives can be achieved through cryptographic controls, e.g.

  • Confidentiality: use of encryption to protect sensitive or critical information, whether stored or transmitted;
  • Integrity/authenticity: use of digital signatures or message authentication codes to verify the authenticity or integrity of sensitive or critical information, whether stored or transmitted;
  • Non-repudiation: use of cryptographic techniques to provide evidence of the occurrence or non-occurrence of an event or action;
  • Authentication: use of cryptographic techniques to authenticate users and other system entities requesting access to, or transacting with, system users, entities and resources.

Cryptography is the ultimate form of non-violent direct action
-Julian Assange

Other Information- Making a judgment as to whether a cryptographic solution is suitable can be seen as part of the broader risk assessment and control selection process. This assessment would then be used to decide if cryptographic control is sufficient, what form of control should be used, and for what function and business processes.

A policy on the use of cryptographic controls is important to optimize the benefits and reduce the risks associated with the use of cryptographic techniques and to prevent inappropriate or incorrect use. Expert consultation should be taken into consideration in selecting suitable cryptographic controls to meet the objectives of the information security policy.

The organization aims to keep its information within the CIA triad (confidentiality, integrity, availability). It must also ensure the proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information and information processing facilities. Annex 10 covers the cryptographic controls, and the policies governing those controls, that an organization should maintain and implement over the entire key life cycle. The Lead Auditor and Lead Implementer certifications cover all annexes of the information security standard. Infosavvy, a Mumbai-based institute, offers certifications and training in multiple domains such as information security management and cybersecurity, including the IRCA CQI ISO 27001:2013 Lead Auditor (LA) and ISO 27001 Lead Implementer (LI) (TÜV SÜD Certification). This certification covers the various audits an organization should perform to protect itself from attackers. Infosavvy will help you understand and define the full scope of your organization’s cybersecurity posture, which is essential to protect your company’s business against breaches. Our trainers are well-qualified and experienced, with the training and know-how needed to ensure effective management of information security. This helps the applicant gain the skills required to conduct an ISMS audit using commonly accepted auditing concepts, procedures, and techniques.


A.10.1.2 Key Management

Control- A policy on the use, security, and lifetime of cryptographic keys should be created and enforced over their entire life cycle.

Implementation Guidance- The policy should provide criteria for handling cryptographic keys over their entire life cycle, including generating, processing, archiving, retrieving, transmitting, removing, and destroying keys.

Cryptographic algorithms, key lengths, and usage practices should be selected in line with best practice. Appropriate key management requires secure processes for generating, storing, archiving, retrieving, distributing, retiring and destroying cryptographic keys.
All cryptographic keys should be protected against modification and loss. In addition, secret and private keys require protection against unauthorized use as well as disclosure. The equipment used to generate, store, and archive keys should be physically protected.

Read More : https://www.info-savvy.com/iso-27001-annex-a-10-cryptography/


This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092

Contact us – www.info-savvy.com

https://g.co/kgs/ttqPpZ


ISO 27001 Annex : A.8.3 Media Handling

The objective of ISO 27001 Annex : A.8.3 Media Handling is to prevent unauthorized disclosure, modification, removal, or destruction of information stored on media.

A.8.3.1 Management of Removable Media

Control- Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.

Implementation Guidance- The following guidelines should be considered for the management of removable media:

  1. If no longer required, the contents of any reusable media that are to be removed from the organization should be made unrecoverable;
  2. Where necessary and practical, authorization should be required for the removal of media from the organization, and a record of such removals should be kept in order to maintain an audit trail;
  3. All media should be stored in a safe, secure environment, in accordance with manufacturers’ specifications;
  4. Where the confidentiality or integrity of data is important, cryptographic techniques should be used to protect data on removable media;
  5. To reduce the risk of stored data becoming unreadable while it is still needed, the data should be transferred to fresh media before it degrades;
  6. Multiple copies of valuable data should be stored on separate media to further reduce the risk of accidental data damage or loss;
  7. Registration of removable media should be considered to limit the opportunity for data loss;
  8. Removable media drives should be enabled only if there is a business reason for doing so;
  9. Where there is a need to use removable media, the transfer of information to such media should be monitored.

Where there is a need to use removable media, the transfer of data to such devices should be monitored. Procedures and authorization levels should be documented.


A.8.3.2 Disposal of Media

Control- Media should be disposed of securely, using formal procedures, when no longer required.

Implementation Guidance- Formal procedures for the secure disposal of media should be established to minimize the risk of sensitive information leaking to unauthorized persons. The procedures for the secure disposal of media containing sensitive information should be proportionate to the sensitivity of that information.

The following should be taken into account:

  1. Media containing confidential information should be stored and disposed of securely, e.g. by incineration or shredding, or by erasing the data before reuse within the organization;
  2. Procedures should be in place to identify the items that may require secure disposal;
  3. Rather than attempting to separate out sensitive items, it may be easier to arrange for all media items to be collected and disposed of securely;
  4. Many organizations offer media collection and disposal services; care should be taken to select a suitable external party with adequate controls and experience;
  5. To maintain an audit trail, the disposal of sensitive items should be logged.

When accumulating media for disposal, the aggregation effect should be considered, since a large volume of information gathered together can become sensitive and vulnerable.

A healthy business identifies its assets, keeps an inventory of them, and disposes of them securely. At Infosavvy, our trainers are our assets: they are skilled and well-trained across various information security courses and hold one of the most important certifications in the field, the IRCA CQI ISO 27001:2013 Lead Auditor (LA) and ISO 27001 Lead Implementer (LI) (TÜV SÜD Certification). Our trainers can help you improve your asset management by providing in-depth information and numerous examples, helping applicants sharpen their skills and perform well.

Other Information- Damaged devices containing sensitive data may require a risk assessment to determine whether the items should be physically destroyed rather than sent for repair or discarded.


A.8.3.3 Physical Media Transfer

Control- Information media should be protected from unauthorized access, misuse or corruption during transportation.

Implementation Guidance- To protect media containing information during transport, the following guidelines should be considered:

  1. Reliable transport or couriers should be used;
  2. A list of authorized couriers should be agreed with management;
  3. Procedures should be established to verify the identification of couriers;
  4. Packaging should be sufficient to protect the contents from any physical damage likely to occur during transit and from environmental factors such as exposure to heat, moisture, or electromagnetic fields, which could reduce the effectiveness of media restoration;
  5. Logs should be kept identifying the content of the media, the protection applied, and the times of transfer to the transit custodians and of receipt at the destination.

Read More : https://www.info-savvy.com/iso-27001-annex-a-8-3-media-handling/




ISO 27001 Annex : A.6.2 Mobile Devices and Teleworking

The objective of ISO 27001 Annex : A.6.2 Mobile Devices and Teleworking is to ensure the security of teleworking and the use of mobile devices.

A.6.2.1 Mobile Device Policy

Control- To manage the risks introduced by the use of mobile devices, a policy and supporting security measures should be adopted.

Implementation Guidance- Special care should be taken when using mobile devices to ensure that business information is not compromised. The mobile device policy should take into account the risks of working with mobile devices in unprotected environments.


The mobile device policy should include:

  1. Registration of mobile devices;
  2. Requirements for physical protection;
  3. Restriction of software installation;
  4. Requirements for mobile device software versions and for applying patches;
  5. Restriction of connection to information services;
  6. Access controls;
  7. Cryptographic techniques;
  8. Malware protection;
  9. Remote disabling, erasure or lockout;
  10. Backups;
  11. Usage of web services and web apps.

Care should be taken when using mobile devices in public places, meeting rooms and other unprotected areas. Protection should be in place to prevent unauthorized access to, or disclosure of, the information stored and processed by these devices, e.g. cryptographic techniques and enforcing the use of secret authentication information.

Mobile devices should also be physically protected against theft, especially when left, for example, in vehicles and other forms of transport, hotel rooms, conference centers, and meeting places. A specific procedure, taking into account the legal, insurance, and other security requirements of the organization, should be established for cases of theft or loss of mobile devices. Devices carrying important, sensitive, or critical business information should not be left unattended and, where possible, should be physically locked away, or special locks should be used to secure the devices.

Training should be arranged for personnel using mobile devices to raise their awareness of the additional risks resulting from this way of working and of the controls that should be implemented. Where the mobile device policy allows the use of privately owned mobile devices, the policy and related security measures should also consider the following:

  1. Separation of private and business use of the devices, including using software to support such separation and to protect business data on a private device;
  2. Providing access to business information only after users have signed an end-user agreement acknowledging their duties (physical protection, software updating, etc.), waiving ownership of business data, and allowing remote wiping of data by the organization in case of theft or loss of the device or when no longer authorized to use the service. This policy needs to take account of privacy legislation.

Other Information- Wireless connections for mobile devices are similar to other types of network connection but have important differences that should be considered when identifying controls. Those significant differences are as follows:

  1. Some wireless security protocols are immature and have known weaknesses;
  2. Information stored on mobile devices may not be backed up because of limited network bandwidth, or because the devices may not be connected at the times when backups are scheduled.

Mobile devices generally share common functions, e.g. networking, internet access, e-mail, and file handling, with fixed-use devices. Controls in information security for mobile devices typically consist of those implemented within fixed use systems and those to counter risks raised by their use outside the premises of the organization.

A.6.2.2 Teleworking

Control- To protect information accessed, processed, or stored at teleworking sites, a policy and supporting security measures should be implemented.

Implementation Guidance- Organizations allowing teleworking should issue a policy that defines the conditions and restrictions for using teleworking. Where deemed applicable and allowed by law, the following points should be considered:

  1. The existing physical security of the teleworking site, taking into account the physical security of the building and the local environment;
  2. The proposed physical teleworking environment;
  3. Communications security requirements, taking into account the need for remote access to the organization’s internal networks, the sensitivity of the information to be accessed and passed over the communication link, and the sensitivity of the internal systems;
  4. The provision of virtual desktop access that prevents processing and storage of information on privately owned equipment;
  5. The threat of unauthorized access to information or resources from other persons using the accommodation, e.g. family and friends;
  6. The use of home networks, and requirements or restrictions on the configuration of wireless network services;
  7. Policies and procedures to prevent disputes concerning rights to intellectual property developed on privately owned equipment;
  8. Access to privately owned equipment (to verify the security of the machine or during an investigation), which may be prevented by legislation;
  9. Software licensing agreements, given that organizations may become liable for licensing client software on workstations owned privately by staff or external parties;
  10. Requirements for malware protection and firewalls.


The guidelines and arrangements should include the following:

  • The provision of suitable equipment and storage furniture for teleworking activities, where the use of privately owned equipment not under the control of the organization is not allowed;
  • A definition of the work permitted, the hours of work, the classification of information that may be held, and the internal systems and services that the teleworker is authorized to access;
  • The provision of suitable communication equipment, including methods for securing remote access;
  • Physical security, the provision of insurance, and requirements for hardware and software support and maintenance;
  • Rules and guidance on family and visitor access to equipment and information;
  • Audit and security monitoring;
  • Backup and business continuity planning;
  • Revocation of authority and access rights, and the return of equipment, when teleworking activities are terminated.

Read More : https://www.info-savvy.com/iso-27001-annex-a-6-2-mobile-devices-and-teleworking/

