Adhering to the ISO 27002 Security Framework with Privileged and Vulnerability Management

Aug 8, 2017
Author: Scott Lang, Sr. Director, Product Marketing at BeyondTrust

Adhering to the ISO 27002 Security Framework

The International Organization for Standardization (ISO) has established guidelines and general principles for initiating, implementing, maintaining and improving information security management in an organization. The objectives outlined in ISO 27002 provide general guidance on the commonly accepted goals of information security management. ISO 27002 security management can serve as a practical guideline for developing organizational security standards and effective security management practices.

For organizations that have adopted ISO 27002:2013(E), it is important that all existing and new security solutions map into this framework. This standard contains 14 security control clauses containing a total of 35 main security categories and 114 security controls.

Whether an organization’s objective is to achieve legislative compliance or to adopt security best practices, these controls apply to most organizations and in most environments.

How can privileged access management and vulnerability management help achieve compliance with ISO 27002 requirements?

Privileged access management and vulnerability management play key roles in adhering to the ISO 27002 standard. BeyondTrust solutions address parts of 12 security control clauses, 29 security control categories, and 74 security controls in the standard.

For a summary of how BeyondTrust solutions map into the specific control clauses, please see below.

  • 6 - Organization of Information Security:

    Identify all assets, security policies defined by asset and user, authorization levels for role-based access, and policies, and coordinate oversight of security roles and responsibilities with solutions in the BeyondTrust platform.
  • 8 - Asset Management:

    Provide a centralized location for asset inventory and provide details on user behavior, vulnerabilities, attacks, malware, services, processes, tasks, users, software, and events.
  • 9 - Access Control:

    Address several controls under this clause, including those regarding access control policy, user access management, and user responsibilities – as well as network, operating system and application access controls.
  • 10 - Cryptography:

    Scan and report on security weaknesses in deployed cryptographic controls, and provide a framework for managing, reporting, and assessing keys within an organization.
  • 11 - Physical Environment Security:

    Aggregate vulnerability and configuration assessments to determine if clear screen policies are being implemented correctly; and assess a resource to determine whether settings like automatic session activity logoff and multi-factor authentication are configured, and whether inappropriate peripherals are connected contrary to clear screen policies.
  • 12 - Operations Security:

    Provide complete logging as a part of change management procedures for any access that may affect privileged access management, users, or settings. Document malware against assets by comparing file and application hashes with VirusTotal and NSRL using BeyondTrust’s Clarity Malware Analysis capabilities. Provide vulnerability assessment, reporting, and advanced threat analytics to support vulnerability management processes using network scanners, agents, or the cloud for assessments.
  • 13 - Communications Security:

    Aggregate vulnerability and privileged access control into a central framework to verify the security and operational integrity of network services, and manage privileged access to network resources.
  • 14 - System Acquisition, Development and Maintenance:

    Support best practices for security, data analysis, and implementation of technical specifications included in business processes.
  • 15 - Supplier Relationships:

    Store vulnerability assessment information gathered per contractual requirements from suppliers.
  • 16 - Information Security Incident Management:

    Assign critical events and incidents to the proper teams for enforcement of cyber security responsibilities and roles. Escalate and consolidate cyber security events related to vulnerabilities and user behavior. This information can be forwarded to SIEM solutions for additional correlation.
  • 17 - Information Security Aspects of Business Continuity Management:

    Support high availability installations and disaster recovery plans for cyber security continuity.
  • 18 - Compliance:

    Allow for secure access to privileged access and vulnerability data that could be used for compliance, legal, and contractual requirements. Collect and securely store all log data – including session logs, event logs and recordings.

How do BeyondTrust’s solutions help address these ISO 27002 requirements?

For a complete explanation of how each BeyondTrust solution addresses ISO 27002 requirements, please download the white paper, "Mapping BeyondTrust Solutions to ISO 27002". The paper not only includes detailed product mappings down to the lowest level of the framework, but it also includes reporting available in Retina Enterprise Vulnerability Management to prove it.

For more information on how BeyondTrust can help you achieve greater control and accountability over your information security environment, contact us today for a strategy session.
