
Sunday 13 December 2020

ISO 27001 Certification & OWASP

Overview:  I have been through several ISO and security audits over the years for various companies offering SaaS products.  This post outlines some of my notes around the latest ISO 27001 audit I touched on.

ISO 27001 covers Information Security Management Systems (ISMS), which is about protecting and managing your business's information assets to reduce your business risks.  It demonstrates that your organisation has good security practices in place.

Note: ISO 27001 is a management system standard for an organisation; it is not done for a particular product.

"An ISO 27001 ISMS consists of policies, procedures and other controls involving people, processes and technology."  https://www.itgovernance.co.uk/iso27001

Parts to an ISO 27001 audit:

  • Part 1 - Checks you have the correct documentation.
            Output: a go-ahead and a visit plan from the auditor.
  • Part 2 - Checks that you as a business are complying with/working to the documentation.  Basically evidence-based reporting based on visual confirmations and staff interviews to verify compliance (sample-based auditing).  Findings are normally grouped into 3 types:
            1) Opportunity for improvement = suggestions; review before the next audit to see whether they are worth implementing.
            2) Non-conformance - Minor = you can have a few of these; look to fix them.
            3) Non-conformance - Major = you won't get certification with a major.  There is a period to address/fix the major issue(s).  Always complete the phase 2 audit, as they may discover other majors.
            Output: findings report and, several weeks later, the certification.
  • Certification
  • Yearly: Need to repeat and show you are improving based on the findings; the audit will generally go into specific areas in more detail.
More Info:
Data Protection and Regulation notes - see the post below for the ISO 27001 section.

Notes:
  • Business Continuity quarterly check
  • Annual Security Policy & Standard Review
  • Security training - different roles need different training
  • Annual penetration testing
  • Audit annual re-certification days
  • Risk Information: non-conformity & root cause analysis

Technical:  Encryption at rest, encryption in transit, DAST/SAST on code, logically secured customer data, Azure Defender to harden infrastructure and continuously monitor, vulnerability scanning or external penetration testing, ASVS/OWASP.

ISO 27701 - "ISO 27701 extends the meaning of 'information security' detailed in ISO 27001. While the privacy and protection of personal data is part of ISO 27001, the newer standard extends the scope to include the 'protection of privacy as potentially affected by the processing of PI'."  Source: https://www.learningcert.com/information-security/iso-27001-vs-iso-27701/

ISO 27017 - is a security standard developed for cloud service providers and users to make a safer cloud-based environment and reduce security risk (source: Wikipedia).  I think ISO27017 is now part of ISO27001 extended.

ISO 28000 - is the spec for security management systems for the supply chain (partner dependencies, e.g. software vendor, hosting company service).

ISAE 3402/SOC 2/ISO 27001 - about verification that the business processes/internal controls of the business are of a high standard.

Thursday 20 March 2014

Data Protection and Regulation

Update 2023 December - Accessibility

  • European Accessibility Act (EAA) EU directive will be law in member states by June 2025.
  • The Disability Equality Act came into force 2022.
  • General Equal Treatment Act (AGG) came into force in 2006, prohibits discrimination based on disability.

Update 2022 Mar 16: Privacy Management - OneTrust implements Privacy Management.

Update 2021 Nov 20:  Applies to organisations handling the personal data of EU and UK residents.  Limits what organisations can do with people's personal data.  It is enforced, but the key is to only use the data you need and protect people's personal data, basically how any company should behave.

Since Brexit, GDPR remains part of UK law via the Data Protection Act 2018 (UK GDPR).  Differences:

  • Territorial applicability of UK GDPR
  • International transfers of personal data

Overview:  Data protection in relation to SharePoint is a large body of information.  This post outlines my notes on holding data within SharePoint, generally applicable to various regulations I have come across.  Also, see my post on Compliance for O365 and SharePoint.  Last updated: 18 July 2019

Records Management:  Data needs to be disposed of depending on the applicable rules, the rules depend on the industry, country, the category of data.  AvePoint has good records management and governance tools to help with the disposal/cleanup of data.

Search: Request for Information (Freedom of Information (FOI)).  SharePoint can be used to traverse over multiple systems/LOB to determine where information is held about individuals.  Configure to generate reports or as a starting point in trawling data in the enterprise.

United Kingdom:
Updated 24 May 2016 - The European Union (EU) General Data Protection Regulation (GDPR) "intends to strengthen and unify data protection for individuals within the European Union (EU). It also addresses export of personal data outside the EU" (Wikipedia).
The EU GDPR applies to EU member states such as the UK, Germany et al. and covers personal data held by companies in the EU, and extends to companies holding EU citizens' data.  Of interest for the GDPR is that companies can be fined up to 4% of turnover.  SharePoint and Office 365 hold a lot of company assets and data, and appropriate protection needs to be in place.  Part of any company's active defence needs to include SharePoint.  Of note here is that Office 365 has fantastic capabilities in defence, and I believe this will increase the speed at which enterprises move to the cloud.

http://www.computerweekly.com/news/2240114326/EC-proposes-a-comprehensive-reform-of-data-protection-rules - New EU Data Protection Directive, not yet legally binding.  Companies in the UK are bound by the Data Protection Act; the Freedom of Information Act 2000 also plays a part with personal data.  DPA 1998 explained.  DPA 2018 aligns with GDPR.

Purpose of GDPR (started 25 May 2018):
  • Protect personal data
  • Consistent legislation across the EU
  • Encourage competition between EU countries
GDPR is concerned with EU citizens personal data and protecting it.

DLP has a module for Health Records that adheres to the U.K. Access to Medical Reports Act 

G-Cloud allows public sector organizations to buy cloud services, from a range of suppliers on a validated secure network.  In effect, it is cloud services for local and central government.  G-Cloud in effect offers the cloud (think AWS & Azure type services) to government bodies.  Updated: 16 March 2016, the G-Cloud has been abandoned.

Dealing with Breaches:
SharePoint holds a ton of company data and needs to be part of any company's Active Defence strategy.  You still need the old-school basic defences: firewall, intrusion detection and anti-virus.  Do you have a list of critical applications and data within SharePoint?  Do we know who we do business with (a client or HR could compromise our data)?  Who is likely to attack?  Employees, organised crime, ... and what happens when we are compromised?  (Do we shut down or restrict, how do we identify, legal and forensics, communication plan.)  DLP can help with breaches:
  • PII data
  • Theft - are employees mining SP data looking for highly confidential data, IP or client lists?
Security Centre helps with:
  • Investigation
  • Forensic collection
European Union (including the UK):
  • Companies will be required to appoint data protection officers if more than 250 employees.
  • Organisations will have to notify citizens in plain language what information is collected and how it is used as well as explicitly get consent before using any personal information.
  • Users of online services must also have the right to be forgotten, which means they must be able to remove or delete personal information from an online service.
  • Clear rules for data transfer across borders within multinational corporations with a streamlined process that once approved by one data authority, will be accepted by all others.
  • Requiring organisations to notify the national data protection authority and all individuals affected by a data breach within 24 hours.
  • Businesses operating in more than one EU country will, however, welcome the fact that they will be subject to oversight from one supervisory authority rather than multiple authorities.
  • Once the directive is accepted companies will have 2 years to comply.
  • Organisations will only have to deal with a single national data protection authority in the EU country where they have their main establishment. Likewise, people can refer to the data protection authority in their country, even when their data is processed by a company based outside the EU. Wherever consent is required for data to be processed, it is clarified that it has to be given explicitly, rather than assumed.
  • People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily
  • A ‘right to be forgotten’ will help people better manage data protection risks online: people will be able to delete their data if there are no legitimate grounds for retaining it.
  • EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens.
  • Penalties of up to €1 million or up to 2% of the global annual turnover of a company.
South Africa:

What is POPI?
Protection of Personal Information (POPI) is the legal requirement in South Africa for holding, collecting, distribution, amending and destruction of information involving people and companies. POPI controls how your personal information is used by organizations, businesses or the government.
With so much personal data held by an increasing number of companies, there needs to be some benchmark for companies to follow if they are to ensure that data is handled legitimately. POPI provides the laws/framework to guide how companies must store personal data relating to people and companies that it holds in either electronic or paper form.
In a nutshell, when holding parties personal data POPI attempts to enforce:
  • transparency
  • only collect information that you need
  • ensure the data is protected/secure
  • ensure the personal data held is correct, required and up to date
  • discard data when it is no longer needed
  • ensure the end person/subject has given his/her explicit consent to keep and use their personal data
  • allow the end person/subject to see their own data that you hold if they request it

Why should you adhere to POPI?

  • Customer confidence is improved
  • No superfluous data is stored
  • Data is more secure, accurate and old data is expired
  • Avoid criminal and civil actions

What do you need to do?

POPI applies to all IT and paper-based data that your company holds.  Your company must take steps to ensure the security of personal data held in electronic and paper form.  You must prevent the unauthorized disclosure of data to third parties, and loss or damage to data that may affect the interests of end persons/subjects.  You must also ensure that the data processors your organization uses provide an appropriate level of security for the personal data they process on your behalf.  Any data must be restricted to the appropriate person, and your company needs to take steps to ensure it is not allowing unauthorized access to data and information.

What happens if you Violate POPI - EY South Africa
United States
FATCA requires a financial institution to identify and report US customers. 

Safe Harbour  - US companies storing EU customer data would self-certify that they adhere to 7 principles to comply with the EU Data Protection Directive and with Swiss requirements. Overturned in 2015.  The EU-US Privacy Shield is an agreement between the European Union and the United States to enable US businesses to store EU citizens personal data that complies with EU privacy laws.  EU-US Privacy Shield in effect the replacement to safe harbour agreement.  

Patriot Act - Greatly affects companies as the US can request access to data.  This leads to multinationals choosing to host data outside of the US.

Internal State Laws - Each federal state may have localized laws that your business needs to adhere to.  For example, the California Data Privacy Protection Act (CDPA).

Brazil 
LGPD - General Data Protection Law - Basically GDPR for protecting personal data and people's privacy.

China has the PRC Cybersecurity Law relating to protecting personal data.
Hong Kong has the Personal Data (Privacy) Ordinance (Ap.486)
Middle East: Bahrain - Data Protection Law (Law No. 30 of 2018), Qatar - Data Protection Law (Law No. 13 of 2016), UAE has Digital payment Regulation and Data protection laws specific to each emirate
Turkey - Law on the Protection of Personal Data 6698 (LPPD)
South America, all the major countries have Data protection laws including Argentina (Law 25.326)
Canada - Various state laws pretty much PIPA.
Australia has a host of Data privacy laws including the "Australian Privacy Principles"
Japan has APPI.
South Korea has PIPA

Other:
Common Reporting Standard (CRS), same idea as FATCA but not just US customers; heavier, covering most of Europe and other countries.  "CRS is a globally coordinated approach to the disclosure of income earned by individuals and organizations outside their country of tax residence", KPMG.com.

Pharma and Medical:
  1. HIPAA - "Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information"
  2. DSP is broadly similar to HIPAA but from the UK, it is a toolkit for compliance for the NHS.
  3. HL7 - "Health Level-7 refers to a set of international standards for the transfer of clinical and administrative data between software applications used by various healthcare providers"
  4. FHIR V4 - replaces HL7, which has been the data exchange and information modelling standard for over 20 years.  FHIR is a new specification like HL7.
  5. GxP - Good x Practice, e.g. GCP, GMP (manufacturing), CLP.
  6. GCP - Good Clinical Practice - Guidelines and regs used in the pharma industry
  7. GMP - Good Manufacturing Practice
  8. GAMP - Good Automated Manufacturing Practices - applies to software development.  GAMP has 4 categories; Category 5 is the most demanding for companies.  Category 1 is infrastructure software, Category 4, for instance, is configurable software, and Category 5 is custom software.  So depending on the software you are providing to a customer, you need to be audited by external parties and clients to be compliant.  If you have written your own software, you need to be GAMP 5 compliant.  GAMP is GxP but for IT systems.  Build in quality: this requires following procedures and principles when building software products.  ISPE runs GAMP and checks qualifications.
  9. Eudralex - Pharma industry in EU guidelines for dev, manufacture and control of medicinal products.  Rules governing medical products in the EU.
  10. EMA - European Medicines Agency, same as FDA but covers Europe.
  11. FDA - Food and Drug Agency out of the US.
  12. MHRA (Medical and Healthcare Products Regulation Agency), same as Eudralex but for the UK.
  13. Title 21 CFR Part 11 - FDA regulation making electronic records and signatures equivalent to paper records with handwritten signatures and consent.  About storing e-records, including securing them and their signatures.  Code of Federal Regulations (CFR) Title 21 Part 11.  Ensure the system is secure and keep audit logs of all transactions with timestamps to maintain the integrity of the open or closed system.  Signatures must ensure non-repudiation (the signer can't claim it wasn't them).  E-signatures can be biometric-based, which is hard for web-based systems without specific hardware.  Non-biometric e-signatures require all components (generally sign-in with username and password) for the first signature, even if the user is already logged into the system.  See Section 11.200 Electronic Signature Components and Controls, point (a)(1)(i).  Subsequent e-signatures can use 1 component, meaning the username.  If using biometric signatures, each signature uses the biometric method again.
  14. ISO 27001 - ISO is best-practice guidelines, not regulations.  27001 is concerned with information security and information assets: assessment and treatment of security risks.  Also see ISO 27002 & ISO 27017.
  15. ISO 9001 - Quality Management, checklist / process orientated.
  16. FDA (Food and Drug Agency) is equivalent to EMA (European Medicines Agency) in Europe.  
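As an added example (not code from the post), the signature-component and audit-trail rules described under item 13 in a small Python model: the first signing in a session needs user ID plus password, later signings in the same session need one component (the user ID, as the post reads it), and every attempt, including rejected ones, lands in a timestamped, hash-chained audit trail so that edits are detectable. The class, method and user names are assumptions.

```python
import hashlib, hmac, json, secrets
from datetime import datetime, timezone

class SignatureError(Exception): pass

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _digest(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ESignatureService:
    def __init__(self):
        self._users = {}       # user id -> (salt, password hash); constructed via register()
        self._sessions = {}    # session id -> [owner, first full-component signing done?]
        self.audit_trail = []  # timestamped, hash-chained entries (Part 11 style audit log)

    def register(self, user_id, password):
        salt = secrets.token_bytes(16)
        self._users[user_id] = (salt, _pw_hash(password, salt))

    def open_session(self, user_id):
        sid = secrets.token_hex(8)
        self._sessions[sid] = [user_id, False]
        return sid

    def sign(self, sid, record_id, meaning, user_id, password=None):
        session = self._sessions[sid]
        if user_id != session[0]:
            raise SignatureError("user id does not match the session owner")
        if not session[1]:
            # First signing in a continuous session: all components (user id + password).
            salt, expected = self._users[user_id]
            if password is None or not hmac.compare_digest(_pw_hash(password, salt), expected):
                self._append(user_id, record_id, meaning, "REJECTED")
                raise SignatureError("first signing requires all signature components")
            session[1] = True
        # Later signings in the same session: one component (the user id, as the post reads it).
        return self._append(user_id, record_id, meaning, "SIGNED")

    def _append(self, user_id, record_id, meaning, outcome):
        # Signature manifestation: signer, date/time, meaning, chained to the previous entry.
        prev = self.audit_trail[-1]["entry_hash"] if self.audit_trail else "0" * 64
        entry = {"timestamp": datetime.now(timezone.utc).isoformat(), "signer": user_id,
                 "record": record_id, "meaning": meaning, "outcome": outcome, "prev_hash": prev}
        entry["entry_hash"] = _digest(entry)
        self.audit_trail.append(entry)
        return entry

    def audit_trail_intact(self):
        # Recompute the chain; any edited or removed entry breaks it.
        expected = ["0" * 64] + [e["entry_hash"] for e in self.audit_trail[:-1]]
        return all(e["prev_hash"] == p and _digest(e) == e["entry_hash"]
                   for e, p in zip(self.audit_trail, expected))
```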

ISO 27001 for SaaS:

It is pretty easy to get ISO 27001 certified as a SaaS company, and it brings huge benefits if implemented correctly.  Azure provides fantastic documentation, and if your product is based on Azure it is really easy, as the technology infrastructure is already validated.

Azure has a fantastic set of documentation for certifications called Blueprints:

https://docs.microsoft.com/en-us/microsoft-365/compliance/offering-iso-27001?view=o365-worldwide

https://docs.microsoft.com/en-us/azure/governance/blueprints/samples/iso27001/

ISAE3402 (SOC):

ISAE 3402 is similar to ISO 27001

Accounting and Tax:

XBRL (eXtensible Business Reporting Language) - XML-based format for exchanging business information.  iXBRL is a derivative of XBRL used in the UK for submitting company accounts, VAT and self assessments.  iXBRL is also used to submit annual accounts to Companies House each year.

ISO 21378 - Audit data