Information Security Management Systems(ISMS) By Dr Wafula


Published in: Technology
  • Very good post, I was really searching for this topic, as I wanted to understand this topic completely, and it is also very rare on the internet, which is why it was very difficult to understand. Thank you for sharing this.
    iso 9000
  • I absolutely adore reading your blog posts, the variety of writing is smashing. This blog as usual was educational; I have had to bookmark your site and subscribe to your feed in ifeed. Your theme looks lovely. Thanks for sharing.
    iso 9000
  • ISO is the short form of International Organization for Standard. ISO 9001:2008 requires an organization to develop a quality management system that fits the product & process requirements as well as regulatory requirements as an ISO 9001:2008 certified company.

  2. Aims/objectives
     1. Introduction
     2. Info security standards
        ◦ Clauses
        ◦ Control objectives
        ◦ Controls
     3. ISMS implementation using the PDCA model
     Dr Muliaro-ISMS 2
  3. Information Security (IS)
      Definition
      Why IS?
        1. Ensure business continuity
        2. Reduce/prevent damage to the business
        3. Ensure preservation of confidentiality, integrity and availability of info; authenticity, accountability, non-repudiation and reliability are also enhanced
        4. Interconnection of networks poses risk
        5. Trends in distributed computing
        6. Participation of customers/employees/stakeholders
        7. Marketing of products/services
        8. Internal management tool for control & confidence
        9. Dependence on info systems, which are vulnerable to IS threats
        10. Information, systems & networks are key business assets
  4. Information Security Management System (ISMS)
      Definition: that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security.
      A management process with 3 key components:
        ◦ Confidentiality: available to authorized parties only
        ◦ Integrity: accurate and complete
  5. Information Types
      Internal
      Public
      Private
      Customer/client
      Shared, etc.
  6. Info security risks
      Info theft
      Intrusion and subversion of system resources
      Denial of service
      Loss
      Corruption
      Masquerade
      Paper documents
      What are the most common IS mistakes made by individuals?
  7. Common IS mistakes
     1. Unattended computer left on
     2. Bad password etiquette - no default
     3. Laptops stolen
     4. Keeping passwords on post-it notes
     5. Opening e-mail attachments from strangers
     6. Check in/out
     7. Loose talk about passwords in public
     8. Getting into a rush & bypassing key security measures
     9. Vague knowledge of security policy
     10. Non-reporting of security violations
     11. Late in updating workers' ethics
  8. Selection of Controls
      Their expenditure needs to be balanced against business harm/risk
      Common ones include:
        ◦ Data protection and privacy of personal information (15.1.4)
        ◦ Protection of organizational records (15.1.3)
        ◦ Intellectual property rights (15.1.2)
        ◦ Information security policy document (5.1.1)
        ◦ Business continuity management (14), etc.
  9. ISO 27002:2005
      Provides guidance on best practices for ISM
      Prime objectives are:
        ◦ A common basis for organizations
        ◦ Building confidence in inter-organizational dealings
      It defines a set of control objectives, controls and implementation guidance.
  10. ISO 27001:2005
      Specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented ISMS
      It is designed to ensure adequate security controls to protect information assets, and to document the ISMS
      Applicable for assessment and certification
  11. Clauses
      Clauses 4-8 are mandatory.
      How would you ensure that management:
        ◦ Is committed to IS?
        ◦ Establishes roles and responsibilities for IS?
        ◦ Provides training, awareness and competency?
        ◦ Carries out reviews of the ISMS?
  12. PDCA Model: Establishment & Management of ISMS (Plan)
     1. Scope and boundaries
     2. Policy/objectives
     3. Define risk assessment approach
     4. Identify risks
     5. Analyse and evaluate risks
     6. Identify and evaluate options for risk treatment
     7. Select control objectives and controls
     8. Obtain management approval of residual risk
     9. Obtain management authorization to implement and operate the ISMS
     10. Prepare statement of applicability
  13. PDCA Model: Implementation & Operation of ISMS (Do)
     1. Formulate risk treatment plan
     2. Implement risk treatment plan
     3. Define how to measure effectiveness of selected controls
     4. Implement controls selected to meet control objectives
     5. Implement training and awareness
     6. Manage operations and resources
     7. Implement procedures and other controls
  14. PDCA Model: Monitoring & Reviewing of ISMS (Check)
     1. Execute monitoring procedures and other controls
     2. Undertake regular reviews of the effectiveness of the ISMS
     3. Measure effectiveness of controls
     4. Review risk assessments at planned intervals
     5. Review level of residual risk and identified acceptable risk
     6. Internal ISMS audit/management review
     7. Update security plans
     8. Record actions and events
  15. PDCA Model: Maintaining & Improving of ISMS (Act)
     1. Implement identified improvements
     2. Take appropriate corrective and preventive actions
     3. Communicate the actions and improvements
     4. Ensure improvements achieve intended objectives
  16. ISMS Critical Success Factors
     1. Info security policy, objectives, and activities that reflect business objectives
     2. An approach and framework for implementing, maintaining, monitoring, and improving IS that is consistent with organizational culture
     3. Visible support and commitment from all levels of management
     4. A good understanding of the information security requirements, risk assessment, and risk management
     5. Effective marketing of IS to all managers, employees, and other parties to achieve awareness
     6. Distribution of guidance on IS policy and standards to all managers/employees/stakeholders
     7. Funding IS management activities
     8. Providing appropriate awareness, training, and education
     9. Establishment of an effective IS incident management process
     10. Implementation of a measurement system for performance in IS management and feedback of information for improvement
  17. JKUAT Information Security Policy (JISP)
      The specific objectives of information security are to:
        ◦ Protect information resources from unauthorized access;
        ◦ Ensure the continuity of systems processing services;
        ◦ Guarantee the privacy and accuracy of information resources;
        ◦ Allow proper restoration of the functionality of damaged resources;
        ◦ Prevent and detect possible threats, violations and security incidents