4 System For Information Security
  • Project: Implementation of ISO27001:2005 in Hi-Tech (c) Trajkovski & Partneri Consulting. Training Module 1: Introduction to Information Security Management Systems according to ISO27001:2005 and ISO17799:2005
  • Does the privacy statement on your web site actually mean something? How do your customers know that the policies and procedures you have put in place are followed and effective? Also: 1) Scope of the standard; 2) Proven; 3) Public; 4) International; 5) A name associated with "quality"; 6) Evolutionary and flexible (adapts to each context); 7) Availability of tools and support.
  • Training Module 4: Internal audit of the ISMS
  • Documents need to be: approved, updated, re-approved, subject to change management, available; documents from external sources identified; distribution controlled. Records: retrieval, retention period and disposition recorded…
  • Staff - screening and background checks, confidentiality agreements. Also: compliance with governance rules for risk management; better protection of the company's confidential information; reduced risk of hacker attacks; faster and easier recovery from attack.
  • Transcript

    • 1. System for Information Security Jasmina Trajkovski [email_address] Ana Meskovska [email_address] ELSA Conference Strumica, 27.11.2008
    • 2. Contents
      • What is ISO27001?
      • What is management system?
      • Methodology for implementation of ISO27001:2005
        • Asset management
        • Risk management
        • Policies and procedures development
        • Internal audit
      • ISO 27001 certification
    • 3. Introduction to ISO27001:2005
    • 4. Introduction to ISO 27001
      • ISO 27001 is an international standard for Information Security Management Systems (ISMS)
      • ISO 27001 – Information technology – Security techniques – Information Security Management System – Requirements
      • Latest version - 2005
    • 5. What is a management system?
      • A management system is a documented system of policies, objectives and standard practices for achieving those objectives.
      • Organizations use management systems through:
        • Organizational structure
        • Systematic processes and related resources
        • Measurements and methodology for evaluation
        • Management review
        • Corrective and preventive actions
    • 6. What is ISO 27001:2005?
      • International, structured methodology dedicated to information security
      • Defined processes for evaluation, implementation, maintenance and management of information security
      • Overall set of controls based on best practices for information security
      • Developed by the industry for itself
    • 7. What isn’t ISO 27001:2005?
      • Technical standard
      • Connected to a technology or a product
      • Methodology for evaluation of equipment like Common Criteria / ISO 15408
      • Connected to "Generally Accepted System Security Principles" – GASSP
      • Connected to "Guidelines for the Management of IT Security" – GMITS/ISO TR 13335
    • 8. Structure of the standard ISO27001:2005
      • Introduction
      • Scope
      • Normative references
      • Definitions
      • Requirements
      • Annexes:
        • Normative – Control objectives and controls
        • Informative – OECD principles
        • Informative – comparison with ISO9001, ISO14000
    • 9. ISO 27001 control objectives and controls
      • Security policy
      • Organizing information security
      • Asset management
      • Human resources security
      • Physical & environmental security
      • Communications & operations management
      • Access control
      • Information systems acquisition, development & maintenance
      • Information security incident management
      • Business continuity management
      • Compliance
    • 10. PDCA approach: Plan-Do-Check-Act
    • 11. Benefits
      • Increased information security
      • Competitive advantage
      • Customer satisfaction
      • Globally accepted standard
      • Focuses on responsibilities of employees
      • Compliant with the legislation and other regulations
        • Law on classified information
        • Law on personal data protection
        • BASEL II
        • Sarbanes Oxley
      • Complementary with other ISO standards
    • 12. Methodology for implementation of ISO27001:2005
    • 13. Methodology for implementation of ISO27001:2005 1/2
    • 14. Definition of policies
      • Policy – a course of conduct to be followed
      • Structure of the policy
        • Purpose
        • Scope
        • Legal commitments
        • Strategic approach
        • Responsibilities
        • Revision of the policy
        • Implementation of the policy
    • 15. Legal compliance
      • Law on personal data protection
      • Law on classified information
      • E-Commerce Law
      • Law on data in electronic form and electronic signature
      • Law on Copyright and related rights
      • Law on industrial property
      • Law on electronic communications
      • Law on communications monitoring
      • Law on free access to public information
      • Criminal code
    • 16. Asset management
      • Identification of assets
      • Grouping of assets
      • Preparation of asset inventory
      • Grouping of information assets
      • Definition of level of confidentiality
      • “Classification” of information assets
      • Defining asset management strategy
    • 17. Risk management
      • Choose appropriate risk assessment methodology
      • Form a team for conducting the risk assessment
      • Conduct a risk assessment
        • Identify possible threats to the identified assets
        • Calculate the risk factors (taking into consideration probability of risk, vulnerability of assets etc.)
        • Define acceptable level of risk
        • Risk treatment – select a treatment option for each risk (acceptance, mitigation, transfer)
      • Choose appropriate controls and prepare a plan for their implementation
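The risk assessment steps above, as an added example that is not from the presentation: a small Python risk register that scores each asset/threat pair, compares the score with an acceptable level and chooses one of the treatment options named on the slide. The 1-5 scales, the score = likelihood x impact rule, the threshold and the treatment rule are assumptions, since ISO 27001 leaves the methodology to the organisation.

```python
"""ISMS risk register for the assessment step on slide 17.

Added example, not from the presentation. ISO 27001 prescribes no formula:
the 1-5 scales, score = likelihood x impact, the acceptance threshold and
the treatment rule are assumptions made here for illustration.
"""
from dataclasses import dataclass

ACCEPTABLE_RISK = 8  # assumed: a score at or below this level is accepted


@dataclass
class Risk:
    asset: str       # identified asset (slide 16)
    threat: str      # possible threat to that asset
    likelihood: int  # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int      # 1 (negligible) .. 5 (severe), assumed scale


def risk_score(likelihood: int, impact: int) -> int:
    """Risk factor = likelihood x impact on 1-5 scales (assumed method)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on the 1-5 scale")
    return likelihood * impact


def treatment(risk: Risk, score: int, acceptable: int = ACCEPTABLE_RISK) -> str:
    """Choose one of the deck's options. Assumed rule: within the acceptable
    level -> accept; severe but unlikely -> transfer (e.g. insurance);
    otherwise -> mitigate with a control."""
    if score <= acceptable:
        return "accept"
    if risk.impact == 5 and risk.likelihood <= 2:
        return "transfer"
    return "mitigate"


def prioritise(register: list, acceptable: int = ACCEPTABLE_RISK) -> list:
    """Score every asset/threat pair and order the register, highest risk first."""
    rows = []
    for r in register:
        score = risk_score(r.likelihood, r.impact)
        rows.append({"asset": r.asset, "threat": r.threat, "score": score,
                     "treatment": treatment(r, score, acceptable)})
    return sorted(rows, key=lambda row: row["score"], reverse=True)


SAMPLE_REGISTER = [  # constructed sample data, not a real register
    Risk("Customer database", "Unauthorised access", likelihood=4, impact=5),
    Risk("Backup tapes", "Loss in transit", likelihood=2, impact=5),
    Risk("Public web site", "Defacement", likelihood=3, impact=2),
    Risk("Staff laptops", "Theft", likelihood=3, impact=4),
]
```

Calling `prioritise(SAMPLE_REGISTER)` returns the register ordered 20, 12, 10, 6, with the two highest marked for mitigation, the tape loss for transfer and the defacement accepted.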
    • 18. Methodology for implementation of ISO27001:2005 2/2
    • 19. Development of procedures
      • Procedure - an ordered set of tasks for performing some action
      • Structure of procedures
        • Purpose
        • Scope
        • Responsibility and authority
        • Description of activities
        • Records
        • Enforcement
        • Review
        • Approval
    • 20. Internal audit
      • Process of independent and objective assessment
      • Includes a systematic methodology for business process modeling, problem analysis and recommendation of solutions
      • Collects evidence for an objective assessment of the effectiveness of management systems
      • The objective of such an audit is to find the shortcomings and weaknesses of management systems and to identify possibilities for their improvement
    • 21. Internal audit vs. Certification audit
      • Internal audit
        • Auditors – employees
        • Looks for non-conformities in order to improve the system
        • Conducted at least once a year for all processes
      • Certification audit
        • Auditors – external persons
        • Looks for conformities in order to certify the system
        • Conducted once or twice a year for some aspects
    • 22. Control of documents and records
      • Requirement of the standard
        • storage: approval, availability, versioning
        • protection and control
        • traceability
      • Challenge – how to satisfy requirement of the legislation for archiving of documents and records
    • 23. ISO 27001 certification
    • 24. Compliance vs. Certification
      • Any organization is able to claim compliance with the ISO 27001 standard
      • It is more valuable for such claims to be independently verified as part of a formal certification scheme
      • ISO 27001 certified organization
        • must comply with the standard
        • must be assessed by a Registered Certification Body
    • 25. What is certification ?
      • Certification refers to the confirmation of certain characteristics of an object, person, or organization
      • Certification of an organization's information security management system means acknowledgment that the organization has implemented a management system that satisfies the requirements of ISO 27001
      • Certification is voluntary
      • The certificate is a public document
      • List of certified organizations can be found on www.xisec.com
    • 26. Benefits from the certification
      • Opportunity for identification and improvement of weaknesses
      • Commitment from the top management
      • Independent review of your Information Security Management System (ISMS)
      • Raises confidence among partners, clients and interested parties (certification shows 'due diligence')
      • Awareness raising among employees
      • Mechanism for measuring the effectiveness of the management system
    • 27. Questions
      • ?