2. Attack on Individuals: Ransomware
Worm enters systems through a downloaded file
Payload encrypts the user's hard drive and deletes the original files – the user cannot decipher his/her own files
Pay USD 1000 in bitcoin to get your files!
Attack on Services: Target Store in 2013
40 million: number of credit and debit cards stolen by thieves
70 million: number of records stolen that include names and addresses
46% drop in profits in the 4th quarter
53.7 million: the income hackers are likely to generate from the sale of 2 million cards
Attack on Infrastructure – The Stuxnet Cyber-Physical Attack
A 500 kB worm that infected the software of at least 14 industrial sites in Iran, including a nuclear facility
Goal was to cause fast-spinning centrifuges to tear themselves apart
Stuxnet was tracked down by Kaspersky Lab, but not before it did some damage
3. Over 13 years of strong technical and analytical experience along with driving business innovation, leveraging information security, applications, networking, operations, and risk management
Head of Information Technology at Ibdar Bank and Board Member of Bahrain Information Technology Society
Past – Head of Network and Support / Consultant – Transworld Computers
Academic Background
◦ Cybersecurity: Technology, Application and Policy – MIT Professional Education, Massachusetts Institute of Technology, USA
◦ Master of Business Administration, Chifley Business School at Torrens University, Australia
◦ Post Graduate Certificate in Business Administration and Technology, University of Wales, United Kingdom
◦ Master of Business Administration – Information Technology, All India Institute of Business Management
◦ Bachelor of Science in Computer Science, Bharitya Shikha Parishad University, India
Certifications
◦ Prince2 Certified Practitioner (Prince2)
◦ IT Infrastructure Library Certified Expert (ITIL Expert)
◦ Certified Information Systems Security Professional (CISSP)
◦ Certified in Governance of Enterprise IT (CGEIT)
◦ Certified Information Security Manager (CISM)
◦ Certified Project Management Professional (PMP)
◦ ISO 27001 Information Security Management Lead Auditor/ Implementation
◦ Others – MCSE, CCNA, CCNP, Linux+, CEH
Publications
◦ 20+ publications on Information Security, Project Management and Software Development
4. A short 20-30 minute educational and informative talk on:
What is information security?
What is an Information Security Management System (ISMS)?
What is ISO 27001?
The drivers for ISO 27001
Why should organisations care about ISO 27001?
Accreditation and certification
The central role of risk assessment in ISO 27001
ISMS domains
Question and answer
5. “Preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved.”
ISO/IEC 27001:2013
6. Information Security Management System (ISMS):
A systematic approach to managing confidential or sensitive corporate information so that it remains secure.
7. An ISMS standard that replaced BS 7799-2:2002 in late 2005
The world’s only cyber security standard
Formally specifies an ISMS that is intended to bring information security under explicit management control
Best practice specification that helps businesses and organisations throughout the world develop a best-in-class ISMS
Adopts the Plan-Do-Check-Act (PDCA) model
9. Plan (establish the ISMS)
◦ Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization’s overall policies and objectives.
Do (implement and operate the ISMS)
◦ Implement and operate the ISMS policy, controls, processes and procedures.
Check (monitor and review the ISMS)
◦ Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience, and report the results to management for review.
Act (maintain and improve the ISMS)
◦ Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.
10. Clients need confidence in their supply chain
Breaches of personal data can bring fines of up to GBP 500K from the Information Commissioner
Data Handling Review 2013 – better information security in Government and down the food chain
Improved reputational protection
Balance expenditure against the information security risk
11. Reason 1 – Compliance
ISO 27001 can bring in the methodology that enables organisations to comply in the most efficient way.
Certification is often the quickest “return on investment” if an organisation must comply with various regulations regarding data protection, privacy and IT governance (particularly if it is a financial, health or government organisation).
12. Reason 2 – Marketing edge
In a market which is more and more competitive, it is sometimes very difficult to find something that will differentiate you in the eyes of your customers.
ISO 27001 could indeed be a unique selling point, especially if you handle clients’ sensitive information.
13. Reason 3 – Lowering the expenses
Information security is usually considered a cost with no obvious financial gain. However, there is financial gain if you lower the expenses caused by incidents.
You probably do have interruptions in service or occasional data leakage, or disgruntled employees. Or disgruntled former employees.
14. Reason 4 – Putting business in order
ISO 27001 is particularly good at sorting out those thorny management issues: it forces you to define very precisely both responsibilities and duties, and therefore strengthens your internal organisation.
15. Provides evidence of Information Security Management System assurance
Verified by an independent auditor
In Bahrain the certification body is Bureau Veritas; certification schemes have worldwide recognition
National certification body – member of the International Accreditation Forum
16. ISO 27001:2013 conformance requires implementation and documentation of an Information Security Management System (ISMS) implementing controls selected in accordance with clause 4.2.1.g
17. A structured ISMS gives:
◦ Best Practices
◦ Marketing Opportunities
◦ Compliance with corporate governance requirements
◦ Appropriate action to comply with the law
◦ Systematic approach to risks
◦ Credibility with staff, customers and partner organisations
◦ Informed decisions on security investments