Understanding ISO 27001 IT Requirements

How to bring your network and data into compliance with the ISO 27001 regulations

Background

The International Standards Organization (ISO) is the largest developer of standards in the world. Its membership includes the national standards bodies of countries around the world including the Americas, Europe and Asia. The standards are developed by committees of technical experts and undergo much scrutiny and revision prior to publication. ISO 27001 is the result of such an effort and represents updating and augmentation of the BS 7799-2 standard. ISO 27001 aims to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System” (ISMS). ISO 27002 also outlines controls for information security, but discusses in greater detail the components that make up an ISMS. While once separate, ISO 27001 and 27002 are now seen as complementary. Entities may use the combined guidance to construct an ISMS that is commensurate with the organization’s size and risk tolerance. Ultimately, companies that implement the ISO 27000 guidance certify their ISMS to ISO 27001.

Who is Covered by ISO 27001

All organizations, businesses, government groups, academic institutions and nonprofits interested in implementing a framework for the long-term protection of their information assets may apply the guidelines and certification requirements of the ISO 27000 standards. Specifically, entities may use ISO 27001 to:

  • Formulate security requirements and objectives
  • Ensure that security risks are cost-effectively managed
  • Comply with laws and regulations
  • Ensure that the specific security objectives of an organization are met
  • Implement new information security management processes
  • Determine the degree of compliance with the policies, directives and standards adopted by an organization
  • Provide relevant information about information security policies, directives, standards and procedures to customers and business partners as well as other organizations with whom they interact
  • Implement business-enabling information security

Key ISO 27001 IT Requirements

Varonis provides a comprehensive system for meeting the information protection controls as they apply to unstructured and semi-structured data, that is, the contents of file servers and SharePoint servers. In particular, Varonis solutions ensure that access and use of sensitive and important personal data residing on these servers are automatically ratcheted down to need-to-know, and that use of sensitive data is continuously monitored so that organizations have an accurate audit of data use and user access behavior at all times.

| Area | Control | Description | Varonis Product/Feature |
|---|---|---|---|
| Asset Management | 7.1.1 | Inventory of assets | Varonis shows all directory and file share contents, mapping users to data and vice versa |
| | 7.1.2 | Ownership of assets | Varonis shows which persons are the likely business owners of a given data set or folder |
| | 7.1.3 | Acceptable use of assets | Varonis audits all file share data use by username, filename and action taken on the data, and identifies abnormally excessive access activity |
| | 7.2.1 | Classification guidelines | Varonis provides the ability to classify data based on business guidelines and to ensure that proper controls are in place based on that classification |
| Communications and Operations Management | 10.1.2 | Change management | Varonis tracks all changes to file systems, including modifications of access controls and security settings |
| | 10.1.3 | Segregation of duties | Varonis helps enforce least-privilege access by furnishing the list of persons who should have their data access permissions revoked and providing the means to enforce those revocations |
| | 10.2.2 | Monitoring and review of third-party services | Varonis can help monitor and audit third-party system activity on unstructured and semi-structured data |
| | 10.3.1 | Capacity management | Varonis shows all inactive and orphaned data and its size so that file shares and network attached storage space can be used efficiently, sending unused assets to less expensive archive storage |
| | 10.10.1 | Audit logging | Varonis provides a detailed and searchable audit log of all unstructured and semi-structured data use on file systems and network attached storage |
| | 10.10.2 | Monitoring system use | Varonis provides detailed activity analysis of unstructured file access on monitored file systems |
| Access Control | 11.1.1 | Access control policy | Varonis allows the enforcement of an access control policy by ensuring that business owners accept or reject recommendations for permission revocations |
| | 11.2.4 | Review of user access rights | Varonis gives the means to conduct a full in-depth data entitlement review in which all user privileges to data are reported. It also provides reports of historical access rights to data sets, showing any trends toward overly permissive access |
| | 11.6.1 | Information access restriction | Varonis can provide excess access information to help an organization adhere to proper access controls |
| Information Security Incident Management | 13.1.1 | Reporting information security events | Varonis will report on anomalous file share data access activity for individuals who exceed their normal or average level of access. Such excessive access will generate an alert and a report of the type of activity, which will automatically be forwarded to stakeholders such as data business owners or IT operations personnel |
| | 13.1.2 | Reporting security weaknesses | Varonis will report on data whose security has been weakened through global groups (Everyone, Authenticated Users, etc.) or otherwise excessive access, as well as users and groups that have excess access |
| | 13.2.3 | Collection of evidence | The Varonis log of all file touches can be referenced in support of forensic analysis of data use and activity |
| Compliance | 15.1.2 | Intellectual property rights (IPR) | Varonis helps organizations comply with initiatives to ensure least-privilege access to regulated data. The system analyzes data access patterns and continually recommends that those without a business need for data have their privileges revoked |
| | 15.1.3 | Protection of organizational records | Varonis helps protect sensitive and important information by ensuring that access is continually monitored and that access controls are warranted |
| | 15.1.4 | Data protection and privacy of personal information | With Varonis, compliance officers and auditors can receive regular reports of data use and access activity for privileged and protected information to ensure compliant use and safekeeping |
| | 15.1.5 | Prevention of misuse of information processing facilities | Varonis significantly reduces the risk of data loss and misuse by continually maintaining access controls that are restricted to business need-to-know |
| | 15.2.1 | Compliance with security policy | Varonis can ensure that only business owners manage data authorizations, and further allows auditors and compliance personnel to monitor the process |
| | 15.2.2 | Technical compliance checking | Varonis tools can enable the regular audit of compliance standards on monitored systems |
| | 15.3.1 | Information system audit controls | Varonis provides reporting detail on all aspects of data use and file share use, including actions taken by domain administrators |
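Controls 13.1.1 and 13.1.2 above describe two detection checks: flagging users whose access volume exceeds their own normal level, and flagging data exposed to global groups such as Everyone or Authenticated Users. The following Python is an added illustration of both checks, written for this page and not taken from any Varonis product; the audit events, share paths, ACL entries, the 3x-baseline factor and the 20-event floor are all constructed assumptions, not values from the page.

```python
import statistics
from collections import defaultdict

# Principals whose presence in an ACL exposes data to everyone on the domain
# (the "global groups" named under 13.1.2). Constructed list for this example.
GLOBAL_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}


def build_sample_events():
    """Constructed audit events as (day, user, action, path) tuples.

    Five baseline days of steady activity, then a review day (day 6) on which
    alice reads six times her usual volume and carol, who has no history, appears.
    """
    events = []
    for day in range(1, 6):
        events += [(day, "alice", "read", f"/shares/finance/q{i}.xlsx") for i in range(10)]
        events += [(day, "bob", "read", f"/shares/hr/doc{i}.docx") for i in range(8)]
    events += [(6, "alice", "read", f"/shares/finance/q{i}.xlsx") for i in range(60)]
    events += [(6, "bob", "read", f"/shares/hr/doc{i}.docx") for i in range(9)]
    events += [(6, "carol", "read", f"/shares/legal/case{i}.pdf") for i in range(30)]
    return events


def daily_counts(events):
    """Map each user to a dict of {day: number of access events}."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, user, _action, _path in events:
        counts[user][day] += 1
    return counts


def flag_excessive_access(events, review_day, factor=3.0, min_events=20):
    """Return {user: (review_day_count, baseline_mean)} for users whose volume on
    review_day is at least min_events and more than factor times their baseline.

    The baseline is the mean of the user's daily counts on days before review_day.
    A user with no history gets a baseline of 0, so any volume above min_events is
    flagged: a newly active account is itself worth a look.
    """
    flagged = {}
    for user, per_day in daily_counts(events).items():
        today = per_day.get(review_day, 0)
        history = [n for d, n in per_day.items() if d < review_day]
        baseline = statistics.mean(history) if history else 0.0
        if today >= min_events and today > factor * baseline:
            flagged[user] = (today, baseline)
    return flagged


# Constructed ACL listing: path -> list of (principal, rights). Only the second and
# third shares carry global-group entries.
SAMPLE_ACLS = {
    "/shares/hr": [("HRTeam", "Modify")],
    "/shares/finance": [("FinanceTeam", "Modify"), ("Authenticated Users", "Read")],
    "/shares/public": [("Everyone", "Read")],
}


def flag_global_group_access(acls):
    """Return sorted (path, principal, rights) for every ACE granted to a global group."""
    return sorted(
        (path, principal, rights)
        for path, aces in acls.items()
        for principal, rights in aces
        if principal in GLOBAL_PRINCIPALS
    )


if __name__ == "__main__":
    for user, (today, base) in flag_excessive_access(build_sample_events(), review_day=6).items():
        print(f"13.1.1 event: {user} made {today} accesses vs. baseline {base:.1f}/day")
    for path, principal, rights in flag_global_group_access(SAMPLE_ACLS):
        print(f"13.1.2 weakness: {path} grants {rights} to {principal}")
```

Both checks report, rather than revoke: the output is what a stakeholder (data owner or IT operations) would review before any permission change, which matches how the table describes the reporting flow.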

ISO 27002 Feature-Requirement Map

While ISO 27001 provides standards for data governance against which an organization can be certified and audited, ISO 27002 provides best practices for an organization to follow. The following table maps out specific ways that Varonis products can help an organization enact ISO 27002 controls.

| Area | Control | Description | Varonis Product/Feature |
|---|---|---|---|
| Corporate Security Management Objectives | 6.1.18 | Carry out a risk assessment whenever there is a business need to allow external parties to access your information | Varonis products can help quickly identify operational risk with regard to file system and SharePoint data |
| | 6.1.19 | Make sure that your risk assessments examine security implications whenever there is a need to allow external parties to access your information | Varonis can help show exactly what access will be granted to users and groups |
| Organizational Asset Management Objectives | 7.1.1 | Protect your organization's assets | Varonis products provide visibility into who can access data, enabling the protection of data and proper access control |
| | 7.1.4 | Nominate owners for all organizational assets | Varonis products provide the ability to intelligently identify and assign owners to data based on detailed activity analysis |
| | 7.2.1 | Provide an appropriate level of protection for your organization's information | The Varonis Data Classification Framework extends the IDU Framework by incorporating content classification information produced by looking within files to find keywords, phrases and patterns (i.e., regular expressions) that are of interest to the organization |
| Communications and Operations Management Objectives | 10.4.4 | Detect the introduction of malicious code and unauthorized mobile code | Activity analysis can indicate possible malicious and unauthorized code |
| | 10.9.6 | Protect the availability of information that is published using publicly accessible systems | Permissions visibility can help protect the availability of information |
| | 10.10.1 | Monitor information processing systems in order to detect unauthorized activities | Varonis records every file system event, which enables the software to provide detailed activity analysis. This can help detect system problems as well as be used to verify controls |
| Information Access Control Management Objectives | 11.1.1 | Control access to your organization's information | Varonis products can help ensure that access controls are in place and effective |
| | 11.2.1 | Control authorized access to information systems | Varonis can help identify excess permissions to better maintain proper authorization for access to file systems |
| | 11.3.1 | Prevent unauthorized user access to your information and information processing facilities | Varonis can help identify excess permissions so you can better maintain proper authorization for access to file systems |
| | 11.3.3 | Prevent the theft of information and information facilities | Activity analysis can help identify anomalous user behavior to help prevent data theft |
| | 11.3.4 | Ask authorized users to help you control access to your information systems and information processing facilities | DataPrivilege automatically involves data owners and business stakeholders in access control processes, including authorization and ongoing review of access |
| Systems Development and Maintenance Objectives | 12.4.1 | Ensure the security of your organization's system files | Permissions visibility, detailed audit information, and data classification help protect and control system files |
| Information Security Incident Management Objectives | 13.1.1 | Make sure that information system security incidents are promptly reported | Varonis can provide automatic, data-driven reports to data owners and IT |
| Compliance Management Objectives | 15.1.1 | Make sure that your information systems comply with all relevant statutory security requirements | By providing the ability to enforce access controls with certainty, Varonis products can help meet compliance requirements related to data governance, including PCI, Sarbanes-Oxley, HIPAA, HITECH, and many others |
| | 15.2.1 | Make sure that your systems comply with your organization's security policies | Varonis products provide detailed audit information on file system activity, helping an organization comply with security policies |
| | 15.3.1 | Perform audits of your information systems | Varonis provides detailed audit information on all file system and authorization activity |

Request a demo

Interested in finding out how Varonis can help with your compliance initiatives?

Or contact sales at 877-292-8767