<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Control Policy Group &#187; Security audits</title>
	<atom:link href="http://www.controlpolicy.com/category/security-audits/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.controlpolicy.com</link>
	<description>Data security the way you run your business</description>
	<lastBuildDate>Fri, 26 Mar 2010 08:07:49 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>Fraud. Data Loss &#8211; the IT &#8211; Management Board divide.</title>
		<link>http://www.controlpolicy.com/2008/09/fraud-data-loss-the-it-management-board-divide/</link>
		<comments>http://www.controlpolicy.com/2008/09/fraud-data-loss-the-it-management-board-divide/#comments</comments>
		<pubDate>Tue, 09 Sep 2008 15:30:51 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Risk management]]></category>
		<category><![CDATA[Security audits]]></category>
		<category><![CDATA[9/11]]></category>
		<category><![CDATA[Etty Alon]]></category>
		<category><![CDATA[Israeli Trojan]]></category>
		<category><![CDATA[Trade Bank]]></category>

		<guid isPermaLink="false">http://www.controlpolicy.com/?p=226</guid>
		<description><![CDATA[The two biggest security issues today for a business both from an operational and regulatory perspective are fraud and data loss. An insider, often colluding with an outsider, can cause large scale damage to the business by manipulating transactions. Read this excellent post on Israeli Software]]></description>
			<content:encoded><![CDATA[<p>The two biggest security issues today for a business, both from an operational and a regulatory perspective, are fraud and data loss. An insider, often colluding with an outsider, can cause large scale damage to the business by manipulating transactions.</p>
<p>Read this excellent post on <a title="Fraud and data loss" href="http://www.software.co.il/wordpress/2008/09/8-years-after-911-more-connected-more-hostile-more-user-friendly/" target="_blank">Israeli Software</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.controlpolicy.com/2008/09/fraud-data-loss-the-it-management-board-divide/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why Excel is a bad choice for a security audit</title>
		<link>http://www.controlpolicy.com/2008/06/automating-iso-27001-security-audits-with-pta/</link>
		<comments>http://www.controlpolicy.com/2008/06/automating-iso-27001-security-audits-with-pta/#comments</comments>
		<pubDate>Sun, 22 Jun 2008 15:21:18 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Security audits]]></category>
		<category><![CDATA[Excel]]></category>
		<category><![CDATA[ISO 27001]]></category>
		<category><![CDATA[practical threat analysis]]></category>
		<category><![CDATA[PTA]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[security audit]]></category>

		<guid isPermaLink="false">http://www.controlpolicy.com/?p=6</guid>
		<description><![CDATA[Excel is easy to use, but you can lose or destroy your data pretty easily. Although risk assessment standards such as ISO 27001 or PCI DSS 1.1 have a one dimensional hierarchical structure of controls &#8211; you can get into big trouble once you try and link controls to vulnerabilities, assets and threats. The model [...]]]></description>
			<content:encoded><![CDATA[<p>Excel is easy to use, but you can lose or destroy your data pretty easily. Although risk assessment standards such as ISO 27001 or PCI DSS 1.1 have a one-dimensional, hierarchical structure of controls &#8211; you can get into big trouble once you try to link controls to vulnerabilities, assets and threats. The model starts getting multi-dimensional, and that&#8217;s where Excel breaks down quickly and you lose data integrity.</p>
<h2>Problems in a security audit</h2>
<p>The biggest problem is prioritizing your security control implementation. ISO 27001 and PCI DSS 1.1 provide standard or mandatory controls &#8211; but the standards lack the functionality to weigh control cost against risk damage cost. In early 2007, after realizing that Excel was basically broken for data collection and analysis in a risk assessment, we started looking for a tool that would help us automate the entire ISO 27001 life cycle: collect the data, perform the risk analysis and produce a cost-effective, prioritized control implementation plan. We felt that threat modeling would be a good way to add the additional dimensions of assets, vulnerabilities and threats to the ISO 27001 security control model.</p>
<h3>What is PTA (Practical Threat Analysis)?</h3>
<p>PTA Professional is a free risk assessment application that can be downloaded from the PTA Technologies Web site. The PTA ISO 27001:27005 library is available for free download and distribution, licensed from the Control Policy Group under the Creative Commons Attribution License.</p>
<p>Feel free to download and introduce the <a title="PTA for ISO27001" href="http://www.controlpolicy.com/wp-content/uploads/2008/06/pta_iso27001_library.zip" target="_blank">PTA ISO 27001 library</a> to your colleagues and promote it via postings to security forums and adding links to our web site . We wish to freely distribute the ISO 27001:27005 library to the security community and hope that its popularity and availability will contribute to your productivity and let you benefit from the experience of security colleagues world wide. Contact us at any time with questions or suggestions for improvement.</p>
<h2>How PTA helps automate ISO27001</h2>
<p>The PTA data model includes assets, threats, vulnerabilities (which are exploited by threats) and controls (which mitigate vulnerabilities). The PTA threat model entities are measured in dollar values and enable a security analyst to quickly calculate threat impact and an optimal security control plan.</p>
<p>By using PTA in a risk assessment, you get a robust database for the data collection and a user-friendly application that runs on all versions of Windows. PTA Professional helps you understand how threats exploit vulnerabilities to create risk. During an ISO 27001 audit &#8211; PTA helps you store your findings, produce reports, prioritize controls and save money on the security control implementation.</p>
<h2>Motivation &#8211; ISO Standards</h2>
<p>The ISO standard for information security risk assessments, ISO 27001, continues to gain a reputation for helping organizations improve their business practices and protect information assets. ISO 27001 is both important and increasingly popular for two reasons:</p>
<p>1. Compliance<br />
2. The need to achieve the most effective risk mitigation controls</p>
<p>Perhaps one of the more significant comments that underscores the relevance of ISO 27001 for the industry was made last year by ISO Secretary-General Alan Bryden:</p>
<p>&#8220;SMEs may mistakenly perceive of International Standards as being only for big business and government. In fact, SMEs too can benefit from the state-of-the-art technology and management practices disseminated by International Standards which also open the door to export markets and participation in global supply chains&#8221;.</p>
<h3>Compliance</h3>
<p>Standards and privacy compliance regulations like ISO, SOX and PCI are fueling demand to improve information security practices. It has become a trend trickling up and down the value chain of regulators, customers and suppliers. Customer data breach incidents have steeply increased over the past 3 years, pouring additional fuel on the value chain of compliance. Once the exclusive domain of large institutions, risk assessments are now being performed by many SMEs as their customers call on them to manage their data better and prove it by certifying to ISO 27001.</p>
<h3>Attaining effective risk reduction</h3>
<p>The output of an ISO 27001 risk assessment is two fold:</p>
<p>1. Certification<br />
2. Identify appropriate risk reduction controls for the organization</p>
<p>The certification process can be as simple or as involved as an organization wants, but there are always far more available controls than threats, and organizations, large and small, then find themselves coping with a long and confusing shopping list of controls. You can implement the entire check list of controls (if you have deep pockets), you can do nothing, or you can try to achieve the most effective purchase and risk control policy (i.e. get the most for your security investment dollar) with a set of controls optimized for your business situation.</p>
<p>It is worth noting at this point that additional security controls do not necessarily reduce risk.</p>
<p>Modifying your existing infrastructure (like firewalls and proxies) and installing more security products is never a free lunch and tends to increase the total system risk and cost of ownership, as a result of the interaction between the elements. Many firms see the information security issue as mainly an exercise in Access Control (Section 11 of ISO 27001) that requires better permissions and identity management (IDM). However, further threat analysis reveals that (a) IDM does not mitigate the threat of a trusted insider with appropriate privileges and (b) the majority of IDM systems are notorious for requiring large amounts of customization (as much as 90% in a large enterprise network) and may actually contribute additional vulnerabilities instead of lowering overall system risk.</p>
<p>The result of providing inappropriate countermeasures to threats is that your cost of attacks and cost of ownership go up, instead of your risk going down.</p>
<p>The PTA ISO 27001 library enables a risk analyst to provide a quantitative risk model to her client and construct an economically-justified, cost-effective set of countermeasures that reduces risk in the customer&#8217;s business environment. More importantly, a company can execute a &#8220;gentle&#8221; implementation plan of controls concomitant with its budget instead of taking an all-or-nothing strategy.</p>
<h3>ISO 17799 compared to ISO 27001</h3>
<p>ISO 17799 is Part 1 of BS 7799 (the ISO standard for information security). ISO 17799 is a code of best practice for information security management and provides practical guidance on implementation of the security controls that should be implemented on the basis of the ISO 27001 risk assessment. ISO 17799 will be renumbered to ISO/IEC 27002 in the course of 2007.</p>
<p>ISO 27001, Part 2 of BS 7799, is the risk assessment standard for certification and sets the requirements that an organization must fulfill in order to establish an information security management system. The PTA ISO 27001:27005 library is a full implementation of the ISO 27001 compliance check list. If you find that ISO 17799 is more relevant to your practice, please contact us and we may consider development of a PTA library for this standard as well.</p>
<h3>How we created the PTA ISO 27001 library</h3>
<p>ISO 27001 contains 185 items in 11 sections, where each item has a reference number and describes a security policy and a corresponding security control. For example, Item 6.1.5 is a &#8220;Confidentiality agreements&#8221; security policy with the following control: &#8220;Requirements for confidentiality or non-disclosure agreements reflecting the organization&#8217;s needs for the protection of information shall be identified and regularly reviewed&#8221;.</p>
<p>First we needed to map the ISO 27001 data model to the PTA threat model concept, which is composed of threats, vulnerabilities, assets and countermeasures.</p>
<p>Unlike PTA, the ISO data model does not refer to particular threats or assets. We realized that the top level items in each section (number x.y) mapped nicely to PTA vulnerabilities and that the sub-items were controls that translate directly to PTA countermeasures. For example:</p>
<p>06.1 &#8220;Internal organization; information security is lacking or not well-defined&#8221; can be easily defined as a PTA threat model vulnerability mitigated by the following PTA threat model countermeasures:</p>
<ul>
<li>6.1.1 Management shall actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgement of information security responsibilities.</li>
<li>6.1.2 Information security activities shall be co-ordinated by representatives from different parts of the organization with relevant roles and job functions.</li>
<li>6.1.3 All information security responsibilities shall be clearly defined.</li>
<li>6.1.4 A management authorization process for new information processing facilities shall be defined and implemented.</li>
<li>6.1.5 Requirements for confidentiality or non-disclosure agreements reflecting the organization&#8217;s needs for the protection of information shall be identified and regularly reviewed.</li>
<li>6.1.6 Appropriate contacts with relevant authorities shall be maintained.</li>
<li>6.1.7 Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.</li>
<li>6.1.8 The organization&#8217;s approach to managing information security and its implementation (i.e. control objectives, policies, processes, and procedures for information security) shall be reviewed independently at planned intervals, or when significant changes to the security implementation occur.</li>
</ul>
<p>After the conceptual mapping of the ISO 27001 data model to the PTA threat model, we used the import-entities-from-text-file function of the PTA Professional Edition to load an Excel worksheet of the ISO 27001 checklist into a baseline PTA threat model of vulnerabilities and countermeasures, which we then packaged as a PTA library.</p>
<h3>How analysts use the PTA ISO 27001 library</h3>
<p>The standard specifies that the organization should use a systematic approach to risk assessment (method of risk assessment, legal requirements, policy and objectives for reducing the risks to an acceptable level). The PTA ISO 27001 library provides not only a systematic, but also a quantitative approach to risk assessment that adds a great deal of value by enabling you to arrive at a set of controls optimized for your business situation.</p>
<p>You will discover that doing a risk audit process with the PTA ISO 27001 library is faster, easier and a lot more robust than with an Excel spreadsheet.</p>
<p>An ISO 27001 risk assessment typically involves a two-stage process:</p>
<p>Stage 1 is a &#8220;table top&#8221; review of the existence and completeness of key documentation for Security Policy and Information Security Management System (ISMS). This would be done by cycling through the PTA threat model, tagging top level vulnerabilities with a status and storing appropriate documentation in the model, while linking to the appropriate entity.</p>
<p>Stage 2 is a detailed, in-depth audit that tests the existence and effectiveness of control policies as well as their supporting documentation. Controls that already exist would be marked as &#8220;Already Implemented&#8221; in the PTA Professional Edition countermeasures detail screen. Other controls needing work would be tagged with an action-required status (see the tagging option of the PTA tool).</p>
<h4>Step by Step with ISO27001 for PTA</h4>
<p>First download and install the PTA Professional Edition <a href="http://www.ptatechnologies.com/?action=download">free risk assessment software</a> on a Windows XP PC. Then <a title="ISO27001 Automation Tool" href="http://www.controlpolicy.com/wp-content/uploads/2008/06/pta_iso27001_library.zip" target="_blank">download the PTA ISO27001 library</a>.</p>
<ul>
<li>Step 0 &#8211; Start the PTA program by clicking on the eye icon on your desktop</li>
<li>Step 1 &#8211; Load the ISO27001.2.thl library in order to build your own threat model or just open the ISO27001.2.thm data model and start working</li>
<li>Step 2 &#8211; Create assets and assign Euro values to the assets. The asset value might be the replacement value or the equivalent damage to the business if the asset were attacked successfully.</li>
<li>Step 3 &#8211; Enter the costs of countermeasures; the PTA ISO 27001 library that we provide is neutral and does not specify countermeasure costs; we understand that each organization has its own estimates of how much a control policy or security product should cost.</li>
<li>Step 4 &#8211; Run the <strong>Optimized Countermeasures</strong> report. You have just built a cost-justified plan of controls compliant with ISO 27001.</li>
<li>Step 5 &#8211; Refine the model. Don&#8217;t stop here; return to the model periodically and test the effectiveness of your risk mitigation program. For a structured methodology of continuous security assessment see the excellent article on the Software Associates Web site titled <a href="http://www.software.co.il/content/view/195/41/">&#8220;Practical software security assessment&#8221;</a></li>
</ul>
<p>The power of the PTA ISO27001 library is demonstrated by a simple risk assessment with assets and threats that was built in just a few minutes &#8211; available online: <a href="http://www.controlpolicy.com/wp-content/uploads/2008/06/pta_iso27001_library.zip">Download now</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.controlpolicy.com/2008/06/automating-iso-27001-security-audits-with-pta/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
