ISO 27001 on AWS

Transcript

1. ISO 27001 ON AWS_ ANDREW WASILCZUK | he/him/his

2. $whoami Senior Consultant Information Security Manager Systems guy at heart

3. GETTING TO KNOW YOU_

4. ISO/IEC 27001 Defines requirements for an ISMS Non-prescriptive Risk based

   approach

5. WHY DO WE NEED ISO 27001?_

6. SUPPLIER QUESTIONNAIRES_

7. ANOTHER POLL_

8. WITH COMPLIANCE_ Questionnaires are easier to answer …or avoided altogether

   Sales cycle is shorter Close bigger deals Reduce operational risks

9. TWO PARTS_ ISO 27001 Mandatory ISMS Requirements ISO 27002 Optional

   Annex A Controls

10. WHERE DO I START?_

11. COMPLIANCE JOURNEY_ Establish an ISMS Conduct a risk assessment Choose

    Annex A controls Establish an AWS account strategy Treat the risks (or have a plan) Collect evidence Schedule your audit 1 6 2 3 4 5 7

12. AUTOMATED COMPLIANCE PLATFORMS_ TIP

13. Policy templates Risk register Asset management Evidence collection Easier audits

    Multiple standards Vulnerability management AWS integration Vulnerability management Security awareness training On-boarding/off-boarding flows Vendor assessments Access review Endpoint monitoring

14. RISK REDUCTION CYCLE_

15. IMPLEMENTING ANNEX A CONTROLS ON AWS_

16. THE SHARED RESPONSIBILITY MODEL_

17. 8.15 LOGGING_ To record events, generate evidence, ensure the integrity

    of log information, prevent against unauthorized access, identify information security events that can lead to an information security incident and to support investigations. “

18. 8.15 LOGGING DEPENDENCIES_ 5.25 Assessment and decision on info sec

    events 5.28 Collection of evidence 5.37 Privacy & protection of PII 8.10 Information deletion 8.11 Data masking 8.16 Monitoring activities 8.17 Synchronised time sources

19. 8.15 LOGGING GUIDELINES_ Log structure & types of events to

    log Protected from de-activation (inc. by privileged users), Protected from deletion & modification Protected from failure of storage media Stored in-line with the data retention requirements Sensitive data in logs is protected Log analytics & anomalous behaviour detection
20. None

21. 8.15 LOGGING GUIDELINES_ Log structure & types of events to

    log Protected from de-activation (inc. by privileged users), Protected from deletion & modification Protected from failure of storage media Stored in-line with the data retention policy Sensitive data protection Log analytics & anomalous behaviour detection
22. None

23. { "Version": "2012-10-17", "Statement": [ { "Action": [ "cloudtrail:StopLogging", "cloudtrail:DeleteTrail"

    ], "Resource": "*", "Effect": "Deny" } ] }

24. 8.15 LOGGING GUIDELINES_ Log structure & types of events to

    log Protected from de-activation (inc. by privileged users), Protected from deletion & modification Protected from failure of storage media Stored in-line with the data retention policy Sensitive data protection Log analytics & anomalous behaviour detection
25. None

26. 8.15 LOGGING GUIDELINES_ Log structure & types of events to

    log Protected from de-activation (inc. by privileged users), Protected from deletion & modification Protected from failure of storage media Stored in-line with the data retention policy Sensitive data protection Log analytics & anomalous behaviour detection

27. AWS ACCOUNT STRATEGY_

28. AWS CONTROL TOWER_ Centralised audit logging (AWS CloudTrail) AWS account

    management AWS IAM Identity Center Ready baked controls: Preventative (Service Control Policies) Detective (AWS Config) Proactive (AWS CloudFormation Hooks) Compliance dashboard

29. YOUR NEXT STEPS_ FREE CONSULTATION ISO 27001 AWS READINESS ASSESSMENT

    A review of your current AWS practice. FREE CONSULTATION ISO 27001 AWS RISK ASSESSMENT REVIEW A review of the AWS risks you’ve identified, and advice on risk treatment.

30. FINAL POLL_

31. KEEP IN TOUCH_ http:/ /www.scalefactory.com/ https:/ /github.com/scalefactory @scalefactory [email protected]