I. INTRODUCTION
In the present multi-threatened world there is an
increasing interrelation between traditional criminal actions
and modern ways of attacking personal and corporate
information and data.
There is also a new sensibility on business and
Government Security responsible personnel, who has been
divided so far, at least in Spain, into two very well
differentiated groups: those responsible of the information
security and those who are in charge of assuring physical
security. Last changes in the Spanish Legislation for Critical
Infrastructures [1] shows how this process is at a critical point.
This paper describes a particular Physical and Logical
Security Management Organizational model methodology,
developed by the companies S21Sec and Cuevavaliente
Ingenieros. This methodology unifies both ISO 31000 and ISO
27001 standards.
This model describe too, each document has to be written
for a CSMS (Corporate Security Management System)
The aim of this methodology is to solve common problems
as:
• Radically opposed perspective at deciding which
assets to consider and protec
• Different steps to follow
• Processes based on different standards and best
practices
• Different nomenclature and terminology
• Different evaluation and consequences measuring
methods
All these aspects are solved thanks to a neat methodology
based on international standards and both worlds’ best
practices.
II. REGULATORY CONTEXT
This methodology is in compliance with ISO 27001 [5] and
with ISO 31000 [6]
Both standards share very similar models, allowing a
common structure that emerges from the junction of each
model: CSMS Model (Corporate Security Management
System Model).
III. METHOD BASICS AND FUNDAMENTALS
The proposed Security Management Organization Model
is based on the convergence of two mature methodologies,
which are specific for each sector:
• Physical Security
: Cuevavaliente’s own methodology,
based on ISO 3100 and implemented through its
software GRSec31000. It also takes some aspects
and recommendations from AS/NZS4360 standard [7]
• Logical Security
: MAGERIT II [4]. Developed by the
Spanish “Consejo Superior de Administración
Electrónica” (CSAE). This methodology is focused on
the Spanish administration dependency (in fact, the
whole society dependency) on information
technologies in order to fulfill its mission.
The resulting methodology proposes an unique procedure
in which both, Physical and Logical Security are evaluated.
Corporate Security must be a commitment of each
member of the organization with stakeholders, employees,
customers, and Society.
Model Objectives:
• Get and maintain a security level in order to guarantee
business continuity
• Increase Physical and Logical integration
• Establish Security Corporate Structure and their
Communications Channels
•
Comply with applicable security regulations
Fundamentals of Corporate Security
• Integration. Corporate Security is an integrated and
aligned process with the business. The entire
organization must be involved.
• Profitability. Corporate Security is aimed at business
criteria (Costs/Investments). Centralized management
enables an overall cost reductions and better
performance of security applied efforts.
• Continuity: Corporate Security must be present
throughout the work cycle: protection, prevention,
detection, response and recovery.
• Suitability: Methods used must be adapted to business
environment. Because business impact and organization
security levels, can be emphasized:
o Competition with other companies
o Terrorist threat
o Natural environment events
o Disorders of social, political or economic
o Amateur or professional hacking
o Organized crime
o Ordinary delinquency
Corporate Security consists of:
• Physical Security:
o Ordinary delinquency (Burglary, Theft,
Vandalism, Inappropriate Occupation)
o Aggressive and violent crimes (Aggression, Hold
Up, Sabotage)
o Terrorism and Organized Crime (Explosives by
mail, Explosives Placed/Abandoned, RocketPropelled
Grenades and Mortar Attacks,
Massive Poisoning, etc.)
• Logical Security
o Information Systems and Networking
o Data Information
o Business Continuity
o Legal
o Risk Management
• Job Security
• Natural environment Security
• Civil Protection
This paper focuses on:
• Deliberated threat
• Consideration of the following consequence/impact
dimensions:
o Profit Reduction
o Health and Safety
o Natural Environment
o Social/Cultural Heritage
o Community, Government, Reputation and
Media
o Legal
• Countermeasures
• Risk Management
IV. UNIFIED METHODOLOGY
A. Establish the Context
This methodology is in compliance with ISO 27001 [5] and
with ISO 31000 [6].
Figure 1 shows the similarity of both models (ISO 27001
and ISO 31000). Methodology model presented, in this paper,
for Security Integrated Management, consists of de fusion of
both models.
Implementation of these two standards, provides the
organization that implements, a management system of
comprehensive security both physical and logical
environment, regarding physical and technological
infrastructures.
B. Methodology
This item will show, in figure 2, how ISO 31000 an ISO
27001, are integrated and related seamlessly into proposed
CSMS complete model.
Also, we’ll describe, every task PDCA methodology (Plan,
Do, Check, Act).
Plan
• Status Analysis. Should be analyzing ISO 31000 and
ISO 27001.
o Implementation status
o Security Management System Maturity.
• CSMS Scope. Must be defined CSMS scope, in terms
of:
o Corporate business objectives,
o infrastructure management,
o locations,
o business processes
o And technology.
• Policy & Objectives. Must be defined Corporate
purpose regarding:
o Strategic Plans
o Business Objectives
It will ensure that target security level is aligned
business needs and legal regulations
• Risk Analysis Methodology: Should identify and assess
specifics risk, in order to select controls defined by ISO
31000 and ISO 27001. Risk and Threats that could
affect corporate security.
• Asset inventory: Must be assessed the risk associated
with each asset/process. Should identify and document
each asset components and their interrelationships.
• Threats Identification. Must identify threats to assets
previously documented. An external threat to de asset
can be defined as any event that causes an unwanted
impact to the organization.
• Risk assessment. Most critical and complex activities is
assessing impact. Aim is to quantify losses that
Corporate could suffer.
• SOA (Statement of Applicability). Define SOA is
required to implement a “Risk Management Plan”.
Target is to mitigate effective risk not acceptable by
Organization.
• Risk Management Plan
o Reduce Risk
o Risk Assuming
o Risk Transfer
o Avoid Risk
Do
• Regulatory. Develop procedure manuals, specific and
detailed, compliance with ISO 31000 and ISO 27000
standards.
o Procedures and work instructions
o Security operating procedures
o Specific security regulations
• Implementation Plan.
o Resource Plan. Establish human, financial
and technological resources to implementing
selected controls in the previous phase and,
of course, planning the implementation of
these controls. Implementation Plan must
establish, for each selected control:
Actions to be taken
Implementation Priorities
Schedule
Costs
Resources
o Change Management Road Map.
Check
• Logs
• Indicators identification
• Auditing and Monitoring
• Controls efficacy
Act
http://www.itrans24.com/landing1.html
• Monitoring and Review
o Risk analysis review
o Pre-certification audit
o Improvement Plan Recommendations
V. INTEGRAL SECURITY.
Risk Management and Security Actions
Managing Security is considered as an integral
security system within a model of continues
improvement.
Following typologies are covered by CSMS
model:
Organizational and Management
• Risk analysis. Evaluation an assessment of threats,
impacts and likeliness, to get a risk level.
• Plan. Targeting and scheduling activities.
• Roles and Responsibilities.
• Regulatory. Policies, standards, and security
procedures development.
• Regulatory Compliance. Identify applicable standards
an compliance.
• Security certification, accreditation and assessment.
Periodic reviews to assess security.
Operational and Procedural
• Asset Management. Asset identification and inventory
control.
• Training and raising awareness.
• Contingency Plan.
• Monitoring.
o CCTV in risk areas
o Assessing and auditing IT
• Personal security.
• User Management.
o Additions and modifications.
o Selection process
o Removal procedures
• Temporal access control
o People, vehicles, …
o Systems and Network user ID’s
• Input / Output Control
o Courier, mail, …
o Media information, equipments, …
• Security personal. Working hours and duties.
• Evacuation Plan
Technology Protection
• Intrusion detection
o Physical security
Perimeter electronic
Lighting
CCTV
Internal Intrusion Protection
…
o Logical security
Firewall
DMZ
IPS
Network segmentation
VPN
Encryption
…
• Access Control
• Monitoring
• Incident management
• Secure installation and configuration
• Malware protection
• Secure application development
VI. APPLICATIONS
The exposed methodology responds to a growing necessity
for a Physical and Logical Security management from a
unified point of view.
CSMS Methodology for both specialties makes possible to
generate and propose unified Security Plans for the Top
Management of the companies, making possible to implement
counter measures proportionally to the real necessities,
independently from its physical or logical nature.
In Spain and other European countries, this methodology
makes possible to comply with the specific Critical
Infrastructure Protection legislation, which oblige the critical
infrastructures operators to provide with joint Physical and
Logical Security Plans.
VII. CONCLUSIONS
• Risks are common across Corporate.
• Risks are independent of the origin.
• Security Management should facilitate security measures
development, to ensure protection of all assets, Physical,
Logical and Personal.
• Need for a Centralized Security Management (Physical
and Logical). Implementation of a CSMS with both
Physical and Logical security integrated facilitates:
o Responsibilities, security policy and protection
criteria unified.
o Security knowledge and management measures
converging
o Legal requirements
o Common model for security management
o Personal Gaps between security personal
(physical and logical)
The proposed methodology is the result of the experience
of a Logical Security specialized enterprise as S21Sec, and
the Physical Security expertise of a company such as
Cuevavaliente Ingenieros. They have both present a practical
solution to one of the most complex problems in the Physical
and Logical Security Management System design.
This methodology is nowadays successfully been used with
different Spanish companies.
AUTHORS:
Koldo Peciña,
Ricardo Estremera
Consultants
S21Sec
Alcobendas
SPAIN
Alfonso Bilbao
Director
Cuevavaliente Ingenieros
Tres Cantos
SPAIN
Enrique Bilbao
Project Manager
Cuevavaliente Ingenieros
Tres Cantos
SPAIN