SlideShare une entreprise Scribd logo

ISO27k Awareness presentation.pptx

Télécharger en tant que PPTX, PDF
H
harigopala

ISO27k Awareness

Business
1  sur  41
Security awareness seminar An introduction to ISO27k I n f o r m a t i o n s e c u r i t y This work is copyright © 2012, Mohan Kamat and ISO27k Forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that: (a) it is not sold or incorporated into a commercial product; (b) it is properly attributed to the ISO27k Forum (www.ISO27001security.com); and (c) any derivative works that are shared are subject to the same terms as this work.
 What is information?  What is information security?  What is risk?  Introduction to the ISO standards  Managing information security  Your security responsibilities A g e n d a 2
Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected I N F O R M A T I O N 3 ISO/IEC 27002:2005
I n f o r m a t i o n t y p e s Information exists in many forms:  Printed or written on paper  Stored electronically  Transmitted by post or electronic means  Visual e.g. videos, diagrams  Published on the Web  Verbal/aural e.g. conversations, phone calls  Intangible e.g. knowledge, experience, expertise, ideas ‘Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected’ (ISO/IEC 27002:2005) 4
I n f o l i f e c y c l e Information can be …  Created  Owned (it is an asset)  Stored  Processed  Transmitted/communicated  Used (for proper or improper purposes)  Modified or corrupted  Shared or disclosed (whether appropriately or not)  Destroyed or lost  Stolen  Controlled, secured and protected throughout its existence 5
K e y t e r m What is information security?  Information security is what keeps valuable information ‘free of danger’ (protected, safe from harm)  It is not something you buy, it is something you do o It’s a process not a product  It is achieved using a combination of suitable strategies and approaches: o Determining the risks to information and treating them accordingly (proactive risk management) o Protecting CIA (Confidentiality, Integrity and Availability) o Avoiding, preventing, detecting and recovering from incidents o Securing people, processes and technology … not just IT! 6
S e c u r i t y e l e m e n t s PEOPLE PROCESSES TECHNOLOGY Staff & management Business activities IT, phones, pens … 7
P e o p l e People People who use or have an interest in our information security include:  Shareholders / owners  Management & staff  Customers / clients, suppliers & business partners  Service providers, contractors, consultants & advisors  Authorities, regulators & judges Our biggest threats arise from people (social engineers, unethical competitors, hackers, fraudsters, careless workers, bugs, flaws …), yet our biggest asset is our people (e.g. security-aware employees who spot trouble early) 8
Processes Processes are work practices or workflows, the steps or activities needed to accomplish business objectives. • Processes are described in procedures. • Virtually all business processes involve and/or depend on information making information a critical business asset. Information security policies and procedures define how we secure information appropriately and repeatedly. P r o c e s s e s 9
Technology Information technologies  Cabling, data/voice networks and equipment  Telecommunications services (PABX, VoIP, ISDN, videoconferencing)  Phones, cellphones, PDAs  Computer servers, desktops and associated data storage devices (disks, tapes)  Operating system and application software  Paperwork, files  Pens, ink Security technologies  Locks, barriers, card-access systems, CCTV T e c h n o l o g y 10
• Protects information against various threats • Ensures business continuity • Minimizes financial losses and other impacts • Optimizes return on investments • Creates opportunities to do business safely • Maintains privacy and compliance V a l u e We all depend on information security 11 Information security is valuable because it …
Information security is defined as the preservation of: Confidentiality Making information accessible only to those authorized to use it Integrity Safeguarding the accuracy and completeness of information and processing methods Availability Ensuring that information is available when required C I A 12
• IT downtime, business interruption • Financial losses and costs • Devaluation of intellectual property • Breaking laws and regulations, leading to prosecutions, fines and penalties • Reputation and brand damage leading to loss of customer, market, business partner or owners’ confidence and lost business • Fear, uncertainty and doubt Security incidents cause … 13 I m p a c t s
K e y t e r m What is risk? Risk is the possibility that a threat exploits a vulnerability in an information asset, leading to an adverse impact on the organization Threat: something that might cause harm Vulnerability: a weakness that might be exploited Impact: financial damage etc. 14
R e l a t i o n s h i p s Risk relationships Threats Vulnerabilities exploit Risk Value Security requirements Information assets Controls reduce 15 to
T h r e a t a g e n t Threat agent The actor that represents, carries out or catalyzes the threat • Human • Machine • Nature 16
Motive Something that causes the threat agent to act • Implies intentional/deliberate attacks but some are accidental M o t i v e 17
Threat type Example Human error Typo, wrong attachment/email address, lost laptop or phone Intellectual property Piracy, industrial espionage Deliberate act Unauthorized access/trespass, data theft, extortion, blackmail, sabotage, vandalism, terrorist/activist/criminal activity Fraud Identity theft, expenses fraud System/network attack Viruses, worms, Trojans, hacks Service issue Power cuts, network outages Force of nature Fire, flood, storm, earthquake, lightning, tsunami, volcanic eruption Hardware issue Computer power supply failure, lack of capacity Software issue Bugs or design flaws, data corruption Obsolescence iPhone 4? 18 T h r e a t t y p e s
So how do we secure our information assets? 19
1990’s • Information Security Management Code of Practice produced by a UK government-sponsored working group • Based on the security policy used by Shell • Became British Standard BS7799 2000’s • Adopted by ISO/IEC • Became ISO/IEC 17799 (later renumbered ISO/IEC 27002) • ISO/IEC 27001 published & certification scheme started Now • Expanding into a suite of information security standards (known as “ISO27k”) • Updated and reissued every few years I S O 2 7 k A brief history of ISO27k 20
• Concerns the management of information security, not just IT/technical security • Formally specifies a management system • Uses Plan, Do, Check, Act (PDCA) to achieve, maintain and improve alignment of security with risks • Covers all types of organizations (e.g. commercial companies, government agencies, not-for-profit organizations) and all sizes • Thousands of organizations worldwide have been certified compliant ISO 27001 I S O 2 7 0 0 1 21
Interested parties Information security requirements & expectations PLAN Establish ISMS CHECK Monitor & review ISMS ACT Maintain & improve Management responsibility ISMS PROCESS Plan-Do-Check-Act Interested parties Managed information security DO Implement & operate the ISMS P D C A 22
Information Security Policy Organisation of Information Security Asset Management Human Resource Security Physical Security Communication & Operations Management Access Control System Development & Maintenance Incident Management Business Continuity Planning Compliance Availability C O N T R O L C L A U S E S 23
• Information security policy - management direction • Organization of information security - management framework for implementation • Asset management – assessment, classification and protection of valuable information assets • HR security – security for joiners, movers and leavers • Physical & environmental security - prevents unauthorised access, theft, compromise, damage to information and computing facilities, power cuts C O N T R O L C L A U S E S 24
• Communications & operations management - ensures the correct and secure operation of IT • Access control – restrict unauthorized access to information assets • Information systems acquisition, development & maintenance – build security into systems • Information security incident management – deal sensibly with security incidents that arise • Business continuity management – maintain essential business processes and restore any that fail • Compliance - avoid breaching laws, regulations, policies and other security obligations C O N T R O L C L A U S E S 25
PLAN Establish ISMS CHECK Monitor & Review ISMS ACT Maintain & Improve DO Implement & Operate the ISMS IS POLICY SECURITY ORGANISATION ASSET IDENTIFICATION & CLASSIFICATION CONTROL SELECTION & IMPLEMENTATION OPERATIONALIZ E THE PROCESES MANAGEMENT REVIEW CORRECTIVE & PREVENTIVE ACTIONS CHECK PROCESSES I M P L E M E N T A T I O N P R O C E S S C Y C L E 26
B e n e f i t s • Demonstrable commitment to security by the organization • Legal and regulatory compliance • Better risk management • Commercial credibility, confidence, and assurance • Reduced costs • Clear employee direction and improved awareness 27
S c o p e ISMS scope • Data center & DR site • All information assets throughout the organization 28
Key ISMS documents K e y d o c u m e n t s • High level corporate security policy • Supporting policies e.g. physical & environmental, email, HR, incident management, compliance etc. • Standards e.g. Windows Security Standard • Procedures and guidelines • Records e.g. security logs, security review reports, corrective actions 29
Information security vision V I S I O N & M I S S I O N Vision The organization is acknowledged as an industry leader for information security. Mission To design, implement, operate, manage and maintain an Information Security Management System that complies with international standards, incorporating generally-accepted good security practices 30
Who is responsible? W h o • Information Security Management Committee • Information Security Manager/CISO and Department • Incident Response Team • Business Continuity Team • IT, Legal/Compliance, HR, Risk and other departments • Audit Committee • Last but not least, you! Bottom line: 31 Information security is everyone’s responsibility
P o l i c y Corporate Information Security Policy Policy is signed by the CEO and mandated by top management Find it on the intranet 32
I N F O A S S E T C L A S S I F I C A T I O N CONFIDENTIAL: If this information is leaked outside the organization, it will result in major financial and/or image loss. Compromise of this information may result in serious non-compliance (e.g. a privacy breach). Access to this information must be restricted based on the concept of need-to-know. Disclosure requires the information owner’s approval. In case information needs to be disclosed to third parties, a signed confidentiality agreement is required. Examples: customer contracts, pricing rates, trade secrets, personal information, new product development plans, budgets, financial reports (prior to publication), passwords, encryption keys. INTERNAL USE ONLY: Leakage or disclosure of this information outside the organization is unlikely to cause serious harm but may result in some financial loss and/or embarrassment. Examples: circulars, policies, training materials, general company emails, security policies and procedures, corporate intranet. PUBLIC: This information can be freely disclosed to anyone although publication must usually be explicitly approved by Corporate Communications or Marketing. Examples: marketing brochures, press releases, website. 33 Information Asset Classification
Confidentiality Confidentiality level Explanation High Information which is very sensitive or private, of great value to the organization and intended for specific individuals only. The unauthorized disclosure of such information can cause severe harm such as legal or financial liabilities, competitive disadvantage, loss of brand value e.g. merger and acquisition related information, marketing strategy Medium Information belonging to the company and not for disclosure to public or external parties. The unauthorized disclosure of this information may harm to the organization somewhat e.g. organization charts, internal contact lists. Low Non-sensitive information available for public disclosure. The impact of unauthorized disclosure of such information shall not harm Organisation anyway. E.g. Press releases, Company’s News letters e.g. Information published on company’s website Confidentiality of information concerns the protection of sensitive (and often highly valuable) information from unauthorized or inappropriate disclosure. C l a s s i f i c a t i o n 2/14/ 34 Mohan Kamat
U S E R R E S P O N S I B I L I T I E S Physical security • Read and follow security policies and procedures • Display identity cards while on the premises • Challenge or report anyone without an ID card • Visit the intranet Security Zone or call IT Help/Service Desk for advice on most information security matters • Allow unauthorized visitors onto the premises • Bring weapons, hazardous/combustible materials, recording devices etc., especially in secure areas • Use personal IT devices for work purposes, unless explicitly authorized by management 35 Do not Do
U S E R R E S P O N S I B I L I T I E S Password Guidelines  Use long, complicated passphrases - whole sentences if you can  Reserve your strongest passphrases for high security systems (don’t re-use the same passphrase everywhere)  Use famous quotes, lines from your favorite songs, poems etc. to make them memorable  Use short or easily-guessed passwords  Write down passwords or store them in plain text  Share passwords over phone or email 36
U S E R R E S P O N S I B I L I T I E S Warning: Internet usage is routinely logged and monitored. Be careful which websites you visit and what you disclose.  Avoid websites that would be classed as obscene, racist, offensive or illegal – anything that would be embarrassing  Do not access online auction or shopping sites, except where authorized by your manager  Don’t hack!  Do not download or upload commercial software or other copyrighted material without the correct license and permission from your manager  Use the corporate Internet facilities only for legitimate and authorized business purposes Internet usage 37
U S E R R E S P O N S I B I L I T I E S E-mail usage  Do not use your corporate email address for personal email  Do not circulate chain letters, hoaxes, inappropriate jokes, videos etc.  Do not send emails outside the organization unless you are authorized to do so  Be very wary of email attachments and links, especially in unsolicited emails (most are virus-infected) 38  Use corporate email for business purposes only  Follow the email storage guidelines  If you receive spam email, simply delete it. If it is offensive or you receive a lot, call the IT Help/Service Desk
U S E R R E S P O N S I B I L I T I E S Security incidents 39  Report information security incidents, concerns and near-misses to IT Help/Service Desk:  Email …  Telephone …  Anonymous drop-boxes …  Take their advice on what to do  Do not discuss security incidents with anyone outside the organization  Do not attempt to interfere with, obstruct or prevent anyone else from reporting incidents
R e s p o n s i b i l i t i e s  Ensure your PC is getting antivirus updates and patches  Lock your keyboard (Windows-L) before leaving your PC unattended, and log-off at the end of the day  Store laptops and valuable information (paperwork as well as CDs, USB sticks etc.) securely under lock and key  Keep your wits about you while traveling:  Keep your voice down on the cellphone  Be discreet about your IT equipment  Take regular information back ups  Fulfill your security obligations:  Comply with security and privacy laws, copyright and licenses, NDA (Non Disclosure Agreements) and contracts  Comply with corporate policies and procedures  Stay up to date on information security:  Visit the intranet Security Zone when you have a moment 40
41

Recommandé

ISO27k Awareness presentation v2.pptx
ISO27k Awareness presentation v2.pptxISO27k Awareness presentation v2.pptx
ISO27k Awareness presentation v2.pptxNapoleon NV
 
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.IGN MANTRA
 
Meeting the cyber risk challenge
Meeting the cyber risk challengeMeeting the cyber risk challenge
Meeting the cyber risk challengeFERMA
 
Information security
Information securityInformation security
Information securityavinashbalakrishnan2
 
Pci Europe 2009 Underside Of The Compliance Ecosystem
Pci Europe 2009 Underside Of The Compliance EcosystemPci Europe 2009 Underside Of The Compliance Ecosystem
Pci Europe 2009 Underside Of The Compliance Ecosystemkpatrickwheeler
 
Item46763
Item46763Item46763
Item46763madunix
 
Cissp- Security and Risk Management
Cissp- Security and Risk ManagementCissp- Security and Risk Management
Cissp- Security and Risk ManagementHamed Moghaddam
 
CCA study group
CCA study groupCCA study group
CCA study groupIIBA UK Chapter
 

Recommandé

ISO27k Awareness presentation v2.pptx
ISO27k Awareness presentation v2.pptxISO27k Awareness presentation v2.pptx
ISO27k Awareness presentation v2.pptxNapoleon NV
 
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.IGN MANTRA
 
Meeting the cyber risk challenge
Meeting the cyber risk challengeMeeting the cyber risk challenge
Meeting the cyber risk challengeFERMA
 
Information security
Information securityInformation security
Information securityavinashbalakrishnan2
 
Pci Europe 2009 Underside Of The Compliance Ecosystem
Pci Europe 2009 Underside Of The Compliance EcosystemPci Europe 2009 Underside Of The Compliance Ecosystem
Pci Europe 2009 Underside Of The Compliance Ecosystemkpatrickwheeler
 
Item46763
Item46763Item46763
Item46763madunix
 
Cissp- Security and Risk Management
Cissp- Security and Risk ManagementCissp- Security and Risk Management
Cissp- Security and Risk ManagementHamed Moghaddam
 
CCA study group
CCA study groupCCA study group
CCA study groupIIBA UK Chapter
 
Chapter 12 iso 27001 awareness
Chapter 12 iso 27001 awarenessChapter 12 iso 27001 awareness
Chapter 12 iso 27001 awarenessnewbie2019
 
ISMS End-User Training Presentation.pptx
ISMS End-User Training Presentation.pptxISMS End-User Training Presentation.pptx
ISMS End-User Training Presentation.pptxcomstarndt
 
Information Security vs IT - Key Roles & Responsibilities
Information Security vs IT - Key Roles & ResponsibilitiesInformation Security vs IT - Key Roles & Responsibilities
Information Security vs IT - Key Roles & ResponsibilitiesKroll
 
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...EC-Council
 
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAEIT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE360 BSI
 
Infocon Bangladesh 2016
Infocon Bangladesh 2016Infocon Bangladesh 2016
Infocon Bangladesh 2016Prime Infoserv
 
What Is Digital Asset Security. What Are the Risks Associated With It.docx.pdf
What Is Digital Asset Security. What Are the Risks Associated With It.docx.pdfWhat Is Digital Asset Security. What Are the Risks Associated With It.docx.pdf
What Is Digital Asset Security. What Are the Risks Associated With It.docx.pdfSecureCurve
 
Presentation 1.pptx
Presentation 1.pptxPresentation 1.pptx
Presentation 1.pptxrabeetkashif
 
Information & Cyber Security Risk
Information & Cyber Security RiskInformation & Cyber Security Risk
Information & Cyber Security RiskMurray Security Services
 
Selling security to the C-level
Selling security to the C-levelSelling security to the C-level
Selling security to the C-levelDonald Tabone
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security ManagementMark Conway
 
Security architecture frameworks
Security architecture frameworksSecurity architecture frameworks
Security architecture frameworksJohn Arnold
 
2 Security And Internet Security
2 Security And Internet Security2 Security And Internet Security
2 Security And Internet SecurityAna Meskovska
 
Information security
Information securityInformation security
Information securityAlaaMahmoud108
 
Presentation1 110616195133-phpapp01(information security)
Presentation1 110616195133-phpapp01(information security)Presentation1 110616195133-phpapp01(information security)
Presentation1 110616195133-phpapp01(information security)Bonagiri Rajitha
 
Awareness Security Session 2023 v1.0.pptx.pdf
Awareness Security Session 2023 v1.0.pptx.pdfAwareness Security Session 2023 v1.0.pptx.pdf
Awareness Security Session 2023 v1.0.pptx.pdfAbdullahKanash
 
Breaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gapsBreaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gapsIBM Security
 
Information security: importance of having defined policy & process
Information security: importance of having defined policy & processInformation security: importance of having defined policy & process
Information security: importance of having defined policy & processInformation Technology Society Nepal
 
Building and implementing a successful information security policy
Building and implementing a successful information security policyBuilding and implementing a successful information security policy
Building and implementing a successful information security policyRossMob1
 
NUS-ISS Learning Day 2019-Architecting security in the digital age
NUS-ISS Learning Day 2019-Architecting security in the digital ageNUS-ISS Learning Day 2019-Architecting security in the digital age
NUS-ISS Learning Day 2019-Architecting security in the digital ageNUS-ISS
 
Technical recruiter
Technical recruiterTechnical recruiter
Technical recruiterharigopala
 
Technical recruiter
Technical recruiter Technical recruiter
Technical recruiter harigopala
 

Contenu connexe

Similaire à ISO27k Awareness presentation.pptx

Chapter 12 iso 27001 awareness
Chapter 12 iso 27001 awarenessChapter 12 iso 27001 awareness
Chapter 12 iso 27001 awarenessnewbie2019
 
ISMS End-User Training Presentation.pptx
ISMS End-User Training Presentation.pptxISMS End-User Training Presentation.pptx
ISMS End-User Training Presentation.pptxcomstarndt
 
Information Security vs IT - Key Roles & Responsibilities
Information Security vs IT - Key Roles & ResponsibilitiesInformation Security vs IT - Key Roles & Responsibilities
Information Security vs IT - Key Roles & ResponsibilitiesKroll
 
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...EC-Council
 
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAEIT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE360 BSI
 
Infocon Bangladesh 2016
Infocon Bangladesh 2016Infocon Bangladesh 2016
Infocon Bangladesh 2016Prime Infoserv
 
What Is Digital Asset Security. What Are the Risks Associated With It.docx.pdf
What Is Digital Asset Security. What Are the Risks Associated With It.docx.pdfWhat Is Digital Asset Security. What Are the Risks Associated With It.docx.pdf
What Is Digital Asset Security. What Are the Risks Associated With It.docx.pdfSecureCurve
 
Presentation 1.pptx
Presentation 1.pptxPresentation 1.pptx
Presentation 1.pptxrabeetkashif
 
Selling security to the C-level
Selling security to the C-levelSelling security to the C-level
Selling security to the C-levelDonald Tabone
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security ManagementMark Conway
 
Security architecture frameworks
Security architecture frameworksSecurity architecture frameworks
Security architecture frameworksJohn Arnold
 
2 Security And Internet Security
2 Security And Internet Security2 Security And Internet Security
2 Security And Internet SecurityAna Meskovska
 
Presentation1 110616195133-phpapp01(information security)
Presentation1 110616195133-phpapp01(information security)Presentation1 110616195133-phpapp01(information security)
Presentation1 110616195133-phpapp01(information security)Bonagiri Rajitha
 
Awareness Security Session 2023 v1.0.pptx.pdf
Awareness Security Session 2023 v1.0.pptx.pdfAwareness Security Session 2023 v1.0.pptx.pdf
Awareness Security Session 2023 v1.0.pptx.pdfAbdullahKanash
 
Breaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gapsBreaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gapsIBM Security
 
Information security: importance of having defined policy & process
Information security: importance of having defined policy & processInformation security: importance of having defined policy & process
Information security: importance of having defined policy & processInformation Technology Society Nepal
 
Building and implementing a successful information security policy
Building and implementing a successful information security policyBuilding and implementing a successful information security policy
Building and implementing a successful information security policyRossMob1
 
NUS-ISS Learning Day 2019-Architecting security in the digital age
NUS-ISS Learning Day 2019-Architecting security in the digital ageNUS-ISS Learning Day 2019-Architecting security in the digital age
NUS-ISS Learning Day 2019-Architecting security in the digital ageNUS-ISS
 

Similaire à ISO27k Awareness presentation.pptx (20)

Chapter 12 iso 27001 awareness
Chapter 12 iso 27001 awarenessChapter 12 iso 27001 awareness
Chapter 12 iso 27001 awareness
 
ISMS End-User Training Presentation.pptx
ISMS End-User Training Presentation.pptxISMS End-User Training Presentation.pptx
ISMS End-User Training Presentation.pptx
 
Information Security vs IT - Key Roles & Responsibilities
Information Security vs IT - Key Roles & ResponsibilitiesInformation Security vs IT - Key Roles & Responsibilities
Information Security vs IT - Key Roles & Responsibilities
 
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
 
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAEIT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
 
Infocon Bangladesh 2016
Infocon Bangladesh 2016Infocon Bangladesh 2016
Infocon Bangladesh 2016
 
What Is Digital Asset Security. What Are the Risks Associated With It.docx.pdf
What Is Digital Asset Security. What Are the Risks Associated With It.docx.pdfWhat Is Digital Asset Security. What Are the Risks Associated With It.docx.pdf
What Is Digital Asset Security. What Are the Risks Associated With It.docx.pdf
 
Presentation 1.pptx
Presentation 1.pptxPresentation 1.pptx
Presentation 1.pptx
 
Information & Cyber Security Risk
Information & Cyber Security RiskInformation & Cyber Security Risk
Information & Cyber Security Risk
 
Selling security to the C-level
Selling security to the C-levelSelling security to the C-level
Selling security to the C-level
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security Management
 
Security architecture frameworks
Security architecture frameworksSecurity architecture frameworks
Security architecture frameworks
 
2 Security And Internet Security
2 Security And Internet Security2 Security And Internet Security
2 Security And Internet Security
 
Information security
Information securityInformation security
Information security
 
Presentation1 110616195133-phpapp01(information security)
Presentation1 110616195133-phpapp01(information security)Presentation1 110616195133-phpapp01(information security)
Presentation1 110616195133-phpapp01(information security)
 
Awareness Security Session 2023 v1.0.pptx.pdf
Awareness Security Session 2023 v1.0.pptx.pdfAwareness Security Session 2023 v1.0.pptx.pdf
Awareness Security Session 2023 v1.0.pptx.pdf
 
Breaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gapsBreaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gaps
 
Information security: importance of having defined policy & process
Information security: importance of having defined policy & processInformation security: importance of having defined policy & process
Information security: importance of having defined policy & process
 
Building and implementing a successful information security policy
Building and implementing a successful information security policyBuilding and implementing a successful information security policy
Building and implementing a successful information security policy
 
NUS-ISS Learning Day 2019-Architecting security in the digital age
NUS-ISS Learning Day 2019-Architecting security in the digital ageNUS-ISS Learning Day 2019-Architecting security in the digital age
NUS-ISS Learning Day 2019-Architecting security in the digital age
 

Plus de harigopala

Technical recruiter
Technical recruiterTechnical recruiter
Technical recruiterharigopala
 
Technical recruiter
Technical recruiter Technical recruiter
Technical recruiter harigopala
 
Electrical_PPT_v-03-01-17.pptx
Electrical_PPT_v-03-01-17.pptxElectrical_PPT_v-03-01-17.pptx
Electrical_PPT_v-03-01-17.pptxharigopala
 
email_etiquette[1].ppt
email_etiquette[1].pptemail_etiquette[1].ppt
email_etiquette[1].pptharigopala
 
Fire_Extinguisher.ppt
Fire_Extinguisher.pptFire_Extinguisher.ppt
Fire_Extinguisher.pptharigopala
 
Email etiquette
Email etiquetteEmail etiquette
Email etiquetteharigopala
 
Cordless telephone
Cordless telephoneCordless telephone
Cordless telephoneharigopala
 

Plus de harigopala (7)

Technical recruiter
Technical recruiterTechnical recruiter
Technical recruiter
 
Technical recruiter
Technical recruiter Technical recruiter
Technical recruiter
 
Electrical_PPT_v-03-01-17.pptx
Electrical_PPT_v-03-01-17.pptxElectrical_PPT_v-03-01-17.pptx
Electrical_PPT_v-03-01-17.pptx
 
email_etiquette[1].ppt
email_etiquette[1].pptemail_etiquette[1].ppt
email_etiquette[1].ppt
 
Fire_Extinguisher.ppt
Fire_Extinguisher.pptFire_Extinguisher.ppt
Fire_Extinguisher.ppt
 
Email etiquette
Email etiquetteEmail etiquette
Email etiquette
 
Cordless telephone
Cordless telephoneCordless telephone
Cordless telephone
 

Dernier

Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service AvailableDipal Arora
 
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesMysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesDipal Arora
 
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...amitlee9823
 
KYC-Verified Accounts: Helping Companies Handle Challenging Regulatory Enviro...
KYC-Verified Accounts: Helping Companies Handle Challenging Regulatory Enviro...KYC-Verified Accounts: Helping Companies Handle Challenging Regulatory Enviro...
KYC-Verified Accounts: Helping Companies Handle Challenging Regulatory Enviro...Any kyc Account
 
Regression analysis: Simple Linear Regression Multiple Linear Regression
Regression analysis: Simple Linear Regression Multiple Linear RegressionRegression analysis: Simple Linear Regression Multiple Linear Regression
Regression analysis: Simple Linear Regression Multiple Linear RegressionRavindra Nath Shukla
 
Pharma Works Profile of Karan Communications
Pharma Works Profile of Karan CommunicationsPharma Works Profile of Karan Communications
Pharma Works Profile of Karan Communicationskarancommunications
 
A DAY IN THE LIFE OF A SALESMAN / WOMAN
A DAY IN THE LIFE OF A SALESMAN / WOMANA DAY IN THE LIFE OF A SALESMAN / WOMAN
A DAY IN THE LIFE OF A SALESMAN / WOMANIlamathiKannappan
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityEric T. Tung
 
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...amitlee9823
 
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Dipal Arora
 
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756dollysharma2066
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Serviceritikaroy0888
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756dollysharma2066
 
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...rajveerescorts2022
 
Ensure the security of your HCL environment by applying the Zero Trust princi...
Ensure the security of your HCL environment by applying the Zero Trust princi...Ensure the security of your HCL environment by applying the Zero Trust princi...
Ensure the security of your HCL environment by applying the Zero Trust princi...Roland Driesen
 
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service BangaloreCall Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangaloreamitlee9823
 
John Halpern sued for sexual assault.pdf
John Halpern sued for sexual assault.pdfJohn Halpern sued for sexual assault.pdf
John Halpern sued for sexual assault.pdfAmzadHosen3
 
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptxB.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptxpriyanshujha201
 
Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageInsurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageMatteo Carbone
 

Dernier (20)

Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
 
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesMysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
 
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
 
KYC-Verified Accounts: Helping Companies Handle Challenging Regulatory Enviro...
KYC-Verified Accounts: Helping Companies Handle Challenging Regulatory Enviro...KYC-Verified Accounts: Helping Companies Handle Challenging Regulatory Enviro...
KYC-Verified Accounts: Helping Companies Handle Challenging Regulatory Enviro...
 
Regression analysis: Simple Linear Regression Multiple Linear Regression
Regression analysis: Simple Linear Regression Multiple Linear RegressionRegression analysis: Simple Linear Regression Multiple Linear Regression
Regression analysis: Simple Linear Regression Multiple Linear Regression
 
Pharma Works Profile of Karan Communications
Pharma Works Profile of Karan CommunicationsPharma Works Profile of Karan Communications
Pharma Works Profile of Karan Communications
 
A DAY IN THE LIFE OF A SALESMAN / WOMAN
A DAY IN THE LIFE OF A SALESMAN / WOMANA DAY IN THE LIFE OF A SALESMAN / WOMAN
A DAY IN THE LIFE OF A SALESMAN / WOMAN
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League City
 
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
 
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
 
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Service
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
 
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
 
Ensure the security of your HCL environment by applying the Zero Trust princi...
Ensure the security of your HCL environment by applying the Zero Trust princi...Ensure the security of your HCL environment by applying the Zero Trust princi...
Ensure the security of your HCL environment by applying the Zero Trust princi...
 
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabiunwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
 
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service BangaloreCall Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
 
John Halpern sued for sexual assault.pdf
John Halpern sued for sexual assault.pdfJohn Halpern sued for sexual assault.pdf
John Halpern sued for sexual assault.pdf
 
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptxB.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
 
Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageInsurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usage
 

ISO27k Awareness presentation.pptx

  • 1. Security awareness seminar An introduction to ISO27k I n f o r m a t i o n s e c u r i t y This work is copyright © 2012, Mohan Kamat and ISO27k Forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that: (a) it is not sold or incorporated into a commercial product; (b) it is properly attributed to the ISO27k Forum (www.ISO27001security.com); and (c) any derivative works that are shared are subject to the same terms as this work.
  • 2.  What is information?  What is information security?  What is risk?  Introduction to the ISO standards  Managing information security  Your security responsibilities A g e n d a 2
  • 3. Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected I N F O R M A T I O N 3 ISO/IEC 27002:2005
  • 4. I n f o r m a t i o n t y p e s Information exists in many forms:  Printed or written on paper  Stored electronically  Transmitted by post or electronic means  Visual e.g. videos, diagrams  Published on the Web  Verbal/aural e.g. conversations, phone calls  Intangible e.g. knowledge, experience, expertise, ideas ‘Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected’ (ISO/IEC 27002:2005) 4
  • 5. I n f o l i f e c y c l e Information can be …  Created  Owned (it is an asset)  Stored  Processed  Transmitted/communicated  Used (for proper or improper purposes)  Modified or corrupted  Shared or disclosed (whether appropriately or not)  Destroyed or lost  Stolen  Controlled, secured and protected throughout its existence 5
  • 6. K e y t e r m What is information security?  Information security is what keeps valuable information ‘free of danger’ (protected, safe from harm)  It is not something you buy, it is something you do o It’s a process not a product  It is achieved using a combination of suitable strategies and approaches: o Determining the risks to information and treating them accordingly (proactive risk management) o Protecting CIA (Confidentiality, Integrity and Availability) o Avoiding, preventing, detecting and recovering from incidents o Securing people, processes and technology … not just IT! 6
  • 8. P e o p l e People People who use or have an interest in our information security include:  Shareholders / owners  Management & staff  Customers / clients, suppliers & business partners  Service providers, contractors, consultants & advisors  Authorities, regulators & judges Our biggest threats arise from people (social engineers, unethical competitors, hackers, fraudsters, careless workers, bugs, flaws …), yet our biggest asset is our people (e.g. security-aware employees who spot trouble early) 8
  • 9. Processes Processes are work practices or workflows, the steps or activities needed to accomplish business objectives. • Processes are described in procedures. • Virtually all business processes involve and/or depend on information making information a critical business asset. Information security policies and procedures define how we secure information appropriately and repeatedly. P r o c e s s e s 9
  • 10. Technology Information technologies  Cabling, data/voice networks and equipment  Telecommunications services (PABX, VoIP, ISDN, videoconferencing)  Phones, cellphones, PDAs  Computer servers, desktops and associated data storage devices (disks, tapes)  Operating system and application software  Paperwork, files  Pens, ink Security technologies  Locks, barriers, card-access systems, CCTV T e c h n o l o g y 10
  • 11. • Protects information against various threats • Ensures business continuity • Minimizes financial losses and other impacts • Optimizes return on investments • Creates opportunities to do business safely • Maintains privacy and compliance V a l u e We all depend on information security 11 Information security is valuable because it …
  • 12. Information security is defined as the preservation of: Confidentiality Making information accessible only to those authorized to use it Integrity Safeguarding the accuracy and completeness of information and processing methods Availability Ensuring that information is available when required C I A 12
  • 13. • IT downtime, business interruption • Financial losses and costs • Devaluation of intellectual property • Breaking laws and regulations, leading to prosecutions, fines and penalties • Reputation and brand damage leading to loss of customer, market, business partner or owners’ confidence and lost business • Fear, uncertainty and doubt Security incidents cause … 13 I m p a c t s
  • 14. K e y t e r m What is risk? Risk is the possibility that a threat exploits a vulnerability in an information asset, leading to an adverse impact on the organization Threat: something that might cause harm Vulnerability: a weakness that might be exploited Impact: financial damage etc. 14
  • 16. T h r e a t a g e n t Threat agent The actor that represents, carries out or catalyzes the threat • Human • Machine • Nature 16
  • 17. Motive Something that causes the threat agent to act • Implies intentional/deliberate attacks but some are accidental M o t i v e 17
  • 18. Threat type Example Human error Typo, wrong attachment/email address, lost laptop or phone Intellectual property Piracy, industrial espionage Deliberate act Unauthorized access/trespass, data theft, extortion, blackmail, sabotage, vandalism, terrorist/activist/criminal activity Fraud Identity theft, expenses fraud System/network attack Viruses, worms, Trojans, hacks Service issue Power cuts, network outages Force of nature Fire, flood, storm, earthquake, lightning, tsunami, volcanic eruption Hardware issue Computer power supply failure, lack of capacity Software issue Bugs or design flaws, data corruption Obsolescence iPhone 4? 18 T h r e a t t y p e s
  • 19. So how do we secure our information assets? 19
  • 20. 1990’s • Information Security Management Code of Practice produced by a UK government-sponsored working group • Based on the security policy used by Shell • Became British Standard BS7799 2000’s • Adopted by ISO/IEC • Became ISO/IEC 17799 (later renumbered ISO/IEC 27002) • ISO/IEC 27001 published & certification scheme started Now • Expanding into a suite of information security standards (known as “ISO27k”) • Updated and reissued every few years I S O 2 7 k A brief history of ISO27k 20
  • 21. • Concerns the management of information security, not just IT/technical security • Formally specifies a management system • Uses Plan, Do, Check, Act (PDCA) to achieve, maintain and improve alignment of security with risks • Covers all types of organizations (e.g. commercial companies, government agencies, not-for-profit organizations) and all sizes • Thousands of organizations worldwide have been certified compliant ISO 27001 I S O 2 7 0 0 1 21
  • 22. Interested parties Information security requirements & expectations PLAN Establish ISMS CHECK Monitor & review ISMS ACT Maintain & improve Management responsibility ISMS PROCESS Plan-Do-Check-Act Interested parties Managed information security DO Implement & operate the ISMS P D C A 22
  • 23. Information Security Policy Organisation of Information Security Asset Management Human Resource Security Physical Security Communication & Operations Management Access Control System Development & Maintenance Incident Management Business Continuity Planning Compliance Availability C O N T R O L C L A U S E S 23
  • 24. • Information security policy - management direction • Organization of information security - management framework for implementation • Asset management – assessment, classification and protection of valuable information assets • HR security – security for joiners, movers and leavers • Physical & environmental security - prevents unauthorised access, theft, compromise, damage to information and computing facilities, power cuts C O N T R O L C L A U S E S 24
  • 25. • Communications & operations management - ensures the correct and secure operation of IT • Access control – restrict unauthorized access to information assets • Information systems acquisition, development & maintenance – build security into systems • Information security incident management – deal sensibly with security incidents that arise • Business continuity management – maintain essential business processes and restore any that fail • Compliance - avoid breaching laws, regulations, policies and other security obligations C O N T R O L C L A U S E S 25
  • 26. PLAN Establish ISMS CHECK Monitor & Review ISMS ACT Maintain & Improve DO Implement & Operate the ISMS IS POLICY SECURITY ORGANISATION ASSET IDENTIFICATION & CLASSIFICATION CONTROL SELECTION & IMPLEMENTATION OPERATIONALIZ E THE PROCESES MANAGEMENT REVIEW CORRECTIVE & PREVENTIVE ACTIONS CHECK PROCESSES I M P L E M E N T A T I O N P R O C E S S C Y C L E 26
  • 27. B e n e f i t s • Demonstrable commitment to security by the organization • Legal and regulatory compliance • Better risk management • Commercial credibility, confidence, and assurance • Reduced costs • Clear employee direction and improved awareness 27
  • 28. S c o p e ISMS scope • Data center & DR site • All information assets throughout the organization 28
  • 29. Key ISMS documents K e y d o c u m e n t s • High level corporate security policy • Supporting policies e.g. physical & environmental, email, HR, incident management, compliance etc. • Standards e.g. Windows Security Standard • Procedures and guidelines • Records e.g. security logs, security review reports, corrective actions 29
  • 30. Information security vision V I S I O N & M I S S I O N Vision The organization is acknowledged as an industry leader for information security. Mission To design, implement, operate, manage and maintain an Information Security Management System that complies with international standards, incorporating generally-accepted good security practices 30
  • 31. Who is responsible? W h o • Information Security Management Committee • Information Security Manager/CISO and Department • Incident Response Team • Business Continuity Team • IT, Legal/Compliance, HR, Risk and other departments • Audit Committee • Last but not least, you! Bottom line: 31 Information security is everyone’s responsibility
  • 32. P o l i c y Corporate Information Security Policy Policy is signed by the CEO and mandated by top management Find it on the intranet 32
  • 33. I N F O A S S E T C L A S S I F I C A T I O N CONFIDENTIAL: If this information is leaked outside the organization, it will result in major financial and/or image loss. Compromise of this information may result in serious non-compliance (e.g. a privacy breach). Access to this information must be restricted based on the concept of need-to-know. Disclosure requires the information owner’s approval. In case information needs to be disclosed to third parties, a signed confidentiality agreement is required. Examples: customer contracts, pricing rates, trade secrets, personal information, new product development plans, budgets, financial reports (prior to publication), passwords, encryption keys. INTERNAL USE ONLY: Leakage or disclosure of this information outside the organization is unlikely to cause serious harm but may result in some financial loss and/or embarrassment. Examples: circulars, policies, training materials, general company emails, security policies and procedures, corporate intranet. PUBLIC: This information can be freely disclosed to anyone although publication must usually be explicitly approved by Corporate Communications or Marketing. Examples: marketing brochures, press releases, website. 33 Information Asset Classification
  • 34. Confidentiality Confidentiality level Explanation High Information which is very sensitive or private, of great value to the organization and intended for specific individuals only. The unauthorized disclosure of such information can cause severe harm such as legal or financial liabilities, competitive disadvantage, loss of brand value e.g. merger and acquisition related information, marketing strategy Medium Information belonging to the company and not for disclosure to public or external parties. The unauthorized disclosure of this information may harm to the organization somewhat e.g. organization charts, internal contact lists. Low Non-sensitive information available for public disclosure. The impact of unauthorized disclosure of such information shall not harm Organisation anyway. E.g. Press releases, Company’s News letters e.g. Information published on company’s website Confidentiality of information concerns the protection of sensitive (and often highly valuable) information from unauthorized or inappropriate disclosure. C l a s s i f i c a t i o n 2/14/ 34 Mohan Kamat
  • 35. U S E R R E S P O N S I B I L I T I E S Physical security • Read and follow security policies and procedures • Display identity cards while on the premises • Challenge or report anyone without an ID card • Visit the intranet Security Zone or call IT Help/Service Desk for advice on most information security matters • Allow unauthorized visitors onto the premises • Bring weapons, hazardous/combustible materials, recording devices etc., especially in secure areas • Use personal IT devices for work purposes, unless explicitly authorized by management 35 Do not Do
  • 36. U S E R R E S P O N S I B I L I T I E S Password Guidelines  Use long, complicated passphrases - whole sentences if you can  Reserve your strongest passphrases for high security systems (don’t re-use the same passphrase everywhere)  Use famous quotes, lines from your favorite songs, poems etc. to make them memorable  Use short or easily-guessed passwords  Write down passwords or store them in plain text  Share passwords over phone or email 36
  • 37. U S E R R E S P O N S I B I L I T I E S Warning: Internet usage is routinely logged and monitored. Be careful which websites you visit and what you disclose.  Avoid websites that would be classed as obscene, racist, offensive or illegal – anything that would be embarrassing  Do not access online auction or shopping sites, except where authorized by your manager  Don’t hack!  Do not download or upload commercial software or other copyrighted material without the correct license and permission from your manager  Use the corporate Internet facilities only for legitimate and authorized business purposes Internet usage 37
  • 38. U S E R R E S P O N S I B I L I T I E S E-mail usage  Do not use your corporate email address for personal email  Do not circulate chain letters, hoaxes, inappropriate jokes, videos etc.  Do not send emails outside the organization unless you are authorized to do so  Be very wary of email attachments and links, especially in unsolicited emails (most are virus-infected) 38  Use corporate email for business purposes only  Follow the email storage guidelines  If you receive spam email, simply delete it. If it is offensive or you receive a lot, call the IT Help/Service Desk
  • 39. U S E R R E S P O N S I B I L I T I E S Security incidents 39  Report information security incidents, concerns and near-misses to IT Help/Service Desk:  Email …  Telephone …  Anonymous drop-boxes …  Take their advice on what to do  Do not discuss security incidents with anyone outside the organization  Do not attempt to interfere with, obstruct or prevent anyone else from reporting incidents
  • 40. R e s p o n s i b i l i t i e s  Ensure your PC is getting antivirus updates and patches  Lock your keyboard (Windows-L) before leaving your PC unattended, and log-off at the end of the day  Store laptops and valuable information (paperwork as well as CDs, USB sticks etc.) securely under lock and key  Keep your wits about you while traveling:  Keep your voice down on the cellphone  Be discreet about your IT equipment  Take regular information back ups  Fulfill your security obligations:  Comply with security and privacy laws, copyright and licenses, NDA (Non Disclosure Agreements) and contracts  Comply with corporate policies and procedures  Stay up to date on information security:  Visit the intranet Security Zone when you have a moment 40
  • 41. 41