ISO 27001 compliant Information Security Log


chris02 - 2011

#1
Hi all,

I have pulled together an Information Security log that will be used to record data security issues and based the severity levels on CVSS but without the scoring system.

Do you think the following will provide sufficient coverage for 27001? If not, suggestions welcome.

Thanks

Chris

Security Severity Levels

…….severity levels are based on the basic principles of the ‘Common Vulnerability Scoring System’ (CVSS). The CVSS is a vendor-neutral, industry standard that provides an open framework for communicating the characteristics and impacts of IT vulnerabilities.

Critical

Vulnerabilities that score in the Critical range usually include:

• Exploitation of the vulnerability results in root-level compromise of servers or infrastructure devices
• The information required in order to exploit the vulnerability, such as example code, is widely available to attackers
• Exploitation is usually straightforward, in the sense that the attacker does not need any special authentication credentials or knowledge about individual victims, and does not need to persuade a target user, for example via social engineering, into performing any special functions.

For critical vulnerabilities, it is advisable to upgrade systems/processes as soon as possible, unless there are mitigating measures in place. For example, the installation is not accessible from the Internet.

High

Vulnerabilities that score in the High range usually have the following characteristics:

• The vulnerability is difficult to exploit
• Exploitation does not result in elevated privileges
• Exploitation does not result in a significant data loss.

Moderate

Vulnerabilities that score in the Moderate range usually have the following characteristics:

• Denial of service vulnerabilities that are difficult to set up.
• Exploits that require an attacker to reside on the same local network as the victim.
• Vulnerabilities that affect only nonstandard configurations or obscure applications.
• Vulnerabilities that require the attacker to manipulate individual victims via social engineering tactics.
• Vulnerabilities where exploitation provides only very limited access.

Low

Vulnerabilities in the Low range typically have very little impact on an organisation's business. Exploitation of such vulnerabilities usually requires local or physical system access.
 

Stijloor

Staff member
Super Moderator
#2
Suggestions/feedback for Chris?

Thank you!!

Stijloor.
 

AndyN

A problem shared...
Staff member
Super Moderator
#5
Chris:
How does this answer work as a place to start?

If the person wishes to use the vulnerability scoring system as input to part of the required ISO 27001 Risk Assessment I think it works fine as a component to risk of technology based assets.

If however they are using the vulnerability scoring system as part of security incident tracking, it may be missing the mark. As we all know, ISO 27001 is an information security management system. A security incident and the severity of that incident should be measured by the type of data (asset) compromised, the classification of that data (asset), and the amount of data (asset) compromised. Secondary to this is the method of compromise (for example, it may be stealing the recipe for Coke from the corporate vault, or it may be stealing PCI type data from every transaction at a supermarket chain over the course of 6 months; either way the asset has been compromised).

My suggestion would be to develop an incident severity tracking system utilizing the controls in Annex A.6 Asset Management.

By implementing these controls a company has identified their information assets, and classified those assets. For example the Information asset could be the recipe for Coke, the classification could be Top Secret.

This severity tracking system could also be utilized in a transaction processing environment but would need to have added to it a measurement of how much data was compromised. An alternative to this could be how much financial, operational and/or reputational risk would compromise of this data cause the organization.

As I look at what was written, I’ve pasted the Critical Range below, I think it deals more in IT rather than IS. It does not allow for evaluation of the compromised data, but looks instead at how the breach exploited a vulnerability to an IT environment.

Vulnerabilities that score in the Critical range usually include:

• Exploitation of the vulnerability results in root-level compromise of servers or infrastructure devices
• The information required in order to exploit the vulnerability, such as example code, is widely available to attackers
• Exploitation is usually straightforward, in the sense that the attacker does not need any special authentication credentials or knowledge about individual victims, and does not need to persuade a target user, for example via social engineering, into performing any special functions.

For critical vulnerabilities, it is advisable to upgrade systems/processes as soon as possible, unless there are mitigating measures in place. For example, the installation is not accessible from the Internet.
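As an added illustration (not code from the thread), a Python sketch of the two views Andy contrasts: Chris's qualitative CVSS-derived levels from post #1 applied to the vulnerability, and an asset-based level derived from the classification and volume of the data compromised, with both recorded side by side in each log entry so the IT view cannot hide the IS view. The classification labels, the 10,000-record bulk threshold and all field names are assumptions made for the example.

```python
from dataclasses import dataclass, field
LEVELS = ["Low", "Moderate", "High", "Critical"]
# Labels and the 10,000-record bulk threshold are constructed for this example.
CLASSIFICATION_RANK = {"Public": 0, "Internal": 1, "Confidential": 2, "Top Secret": 3}

@dataclass
class Vulnerability:
    root_compromise: bool          # exploitation yields root-level control of servers/infrastructure
    exploit_public: bool           # exploit details or example code are widely available
    needs_credentials: bool        # attacker must already hold authentication credentials
    needs_user_interaction: bool   # victim must be persuaded, e.g. via social engineering
    local_network_only: bool = False
    local_or_physical_only: bool = False

def technical_severity(v: Vulnerability) -> str:
    """Chris's qualitative CVSS-derived criteria, tested in a fixed order for consistency."""
    if v.local_or_physical_only:
        return "Low"
    if v.local_network_only or v.needs_user_interaction:
        return "Moderate"
    if v.root_compromise and v.exploit_public and not v.needs_credentials:
        return "Critical"
    return "High"

def information_severity(classification: str, records_compromised: int) -> str:
    """Andy's asset-based view: classification of the data first, then how much of it."""
    if records_compromised == 0:
        return "Low"
    rank = CLASSIFICATION_RANK[classification]
    if records_compromised >= 10_000:
        rank += 1  # a bulk compromise moves the asset up one level
    return LEVELS[min(rank, 3)]

@dataclass
class IncidentEntry:
    incident_id: str
    asset: str
    classification: str
    records_compromised: int
    vulnerability: Vulnerability
    technical: str = field(init=False)
    information: str = field(init=False)
    overall: str = field(init=False)

    def __post_init__(self):
        self.technical = technical_severity(self.vulnerability)
        self.information = information_severity(self.classification, self.records_compromised)
        self.overall = max(self.technical, self.information, key=LEVELS.index)
```

Andy's two examples fall out as expected: the Coke recipe taken from a vault rates Low on the technical scale but Critical on the information scale, while bulk card data taken through a remotely exploitable, publicly known flaw rates Critical on both.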
 

chris02 - 2011

#6
Hi Andy

Many thanks for your thoughts, really useful.

If the person wishes to use the vulnerability scoring system as input to part of the required ISO 27001 Risk Assessment I think it works fine as a component to risk of technology based assets.

If however they are using the vulnerability scoring system as part of security incident tracking, it may be missing the mark. We are, so I need to rethink. As we all know, ISO 27001 is an information security management system. A security incident and the severity of that incident should be measured by the type of data (asset) compromised, the classification of that data (asset), and the amount of data (asset) compromised. Secondary to this is the method of compromise (for example, it may be stealing the recipe for Coke from the corporate vault, or it may be stealing PCI type data from every transaction at a supermarket chain over the course of 6 months; either way the asset has been compromised).

You have spotted the flaw in my thinking. I was trying to make the process work with CVSS but without the scoring associated with it. My worry was that different people would come up with different levels of severity based on the long-winded scoring system. Maybe I have to bite the bullet and go for it, but I am open to suggestions as to how to simplify the process.

My suggestion would be to develop an incident severity tracking system utilizing the controls in Annex A.6 Asset Management.

By implementing these controls a company has identified their information assets, and classified those assets. For example the Information asset could be the recipe for Coke, the classification could be Top Secret.

We have classified information assets, so if I am reading you correctly we assign a risk measure and use that when deciding on the severity should an issue arise?

This severity tracking system could also be utilized in a transaction processing environment but would need to have added to it a measurement of how much data was compromised. An alternative to this could be how much financial, operational and/or reputational risk would compromise of this data cause the organization.

As with any risk we have trouble determining the actual cost of an issue, but does this matter, as we could make a rough guess and assign levels (not values) to each eventuality? Not sure I am making any sense here.

As I look at what was written, I’ve pasted the Critical Range below, I think it deals more in IT rather than IS. It does not allow for evaluation of the compromised data, but looks instead at how the breach exploited a vulnerability to an IT environment.

Vulnerabilities that score in the Critical range usually include:

• Exploitation of the vulnerability results in root-level compromise of servers or infrastructure devices
• The information required in order to exploit the vulnerability, such as example code, is widely available to attackers
• Exploitation is usually straightforward, in the sense that the attacker does not need any special authentication credentials or knowledge about individual victims, and does not need to persuade a target user, for example via social engineering, into performing any special functions.

For critical vulnerabilities, it is advisable to upgrade systems/processes as soon as possible, unless there are mitigating measures in place. For example, the installation is not accessible from the Internet.

These all make sense for Critical; I'll have a go at the other levels.

Thanks again.

C
 

AndyN

A problem shared...
Staff member
Super Moderator
#7
Hi Chris:
Not my thoughts, but those of a very excellent colleague of mine in the ITSMS world! I'll relay those points to her and see how her responses go...
Glad to have been of service!
 

JaneB

Inactive Registered Visitor
#9
Sensible advice and good answer.

Gosh though, pink text as well as italics makes it all very very hard to read!
 
