• Save
Information Security Management System
Upcoming SlideShare
Loading in...5

Information Security Management System



Information Security Management System

Information Security Management System



Total Views
Views on SlideShare
Embed Views



5 Embeds 20

http://www.slideshare.net 8
http://www.ferassayed.com 4
http://www.linkedin.com 4
https://www.linkedin.com 3
http://www.lmodules.com 1



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

Information Security Management System Information Security Management System Presentation Transcript

    • Increasing dependence on information as a resource
    • Shift from paper-based to IT-based information
    • Increasing need for access to information
      • Customer expectations
      • Legislation
        • Right to Information Act
    • Speed of change
      • Security versus flexibility
      • Security versus accessibility
    • Information availability should be controlled
      • It should be available to all authorized persons when they need it
      • It should be unavailable to unauthorized persons
    • A continuous process to manage the information should be in place
    • Information security involves
      • Confidentiality
      • Integrity
      • Availability
      • Traceability
    View slide
    • Threats come from different sources
    • Threats can be identified
    • Vulnerabilities exist in the system
    • Threats exploit Vulnerabilities
    View slide
    • Risks vary with the nature of information
    • Risks can be assessed
    • Risks depend on vulnerabilities and associated threats
    • The degree to which the risk can be mitigated should be decided
      • Know the risk
      • Assess the cost of mitigation
      • Live with the risk or mitigate it
    • Identify the risks
    • Identify their associated vulnerabilities
    • Identify the associated threats
    • Minimize the vulnerabilities
      • Change procedures
      • Add a security layer
      • Reclassify information
    • By the late 1980s, need for a code for information security was felt
    • First addressed in the UK in 1989
    • Resulted in the BS7799:1995 standard
    • Current standards are ISO/IEC17799:2000 and BS7799:2002
    • Future: ISO27000 series of standards
    • The role of an organization is to proactively look for new vulnerabilities and threats
    • A pre-requisite is to know the existing vulnerabilities and threats
    • first steps:
      • Assigning Information Security roles and responsibilities in all units of Indian Railways
      • Training staff in the area of Information Security
      • Establishing Information Security Policies in all units
    • Set of formal procedures
    • Adequate and proportionate security controls for protection of Information Assets
    • Procedures to be followed by persons within the organization
    • System to give confidence to customers and other stakeholders
    • An effective ISMS is based on the PDCA cycle
      • Plan: make an effective security policy
      • Do: implement the plan
      • Check: is the plan working?
      • Act: change the things that don’t work
    • An effective ISMS needs continuous effort
    • Assess threats, vulnerabilities and risks
    • Establish security policy, objectives, targets, processes and procedures
    • Aimed at managing risk and improving information security
    • Implement and operate
      • Security policy
      • Controls
      • Processes and procedures
    • Assess and where applicable measure process performance
      • Against security policy and objectives
      • Against practical experience
    • Report results for management review
    • Based on the results of the management review
      • Take corrective action
      • Take preventive action
    • Aim: to achieve continual improvement of the ISMS
    • To take care of new threats, vulnerabilities and associated risks
    • All members must establish a security policy
      • Identify important information assets
      • Fix ownership and responsibilities
      • Identify threats to these assets
      • Identify vulnerabilities that these threats may exploit
    • Assess the impact of each possible adverse incident
    • Assess the realistic likelihood of the occurrence of such incident
    • Estimate the level of risk
    • Determine whether the risk is acceptable or needs mitigation
    • Accept the risk
    • Avoid the risk
    • Transfer the risk to other parties: insurers, suppliers
    • Apply appropriate controls
    • Roles and responsibilities for
      • Protection of individual information assets
      • Identifying and managing risks
      • Providing security awareness
      • Reviewing information security incidents
      • Providing business continuity
    • Authorization process for
      • New information facilities
      • Access to information assets not covered by the existing procedures
      • Reviewing security policy
    • Assets covered within the scope of the policy
      • Information assets: Databases and data files, system documentation, operational / support procedures, archived information
      • Software assets: application software, system software, development tools
      • Physical assets: computer equipment, communication equipment, storage media, technical equipment, furniture
      • Services: lighting, heating, air-conditioning, power supply, housekeeping
    • Assets should be classified based on the extent of sharing / restriction necessary
    • Procedures for information assets should cover
      • Copying
      • Storage
      • Transmission, by electronic means or voice
      • Destruction
    • Assets should be labeled, physically or electronically
    • Information sensitivity is often time bound
    • Classification system should be as simple as possible
    • Information Security should be part of job definition
    • Personnel screening
    • User training in information security
    • Responding to security incidents
      • Reporting incidents
      • Reporting security weaknesses
      • Reporting software malfunctions
      • Learning from incidents
    • Security perimeters, manned reception area
    • Physical entry controls for secure areas
    • Procedures for working in secure areas
    • Isolated delivery / loading areas
    • Equipment siting: safety from
      • Theft
      • Fire, flood
      • Dust, vibration, chemicals, rodents
    • Secure disposal / reuse of equipment
    • Third party access to information processing facilities should be controlled
      • Physical access
      • Logical access
    • Type of access should be controlled
      • Support staff: will access system level / hardware level
      • Application maintenance: low level application access
      • Trading partners: exchange information, access databases
    • Documented operating procedures
    • Operational change control
    • Incident management procedures
      • Contingency plans
      • Audit trails
      • Recovery mechanisms
    • Segregation of duties
    • Separation of development and operational facilities
    • System access control
      • User registration
      • Privilege management
      • Review of access rights
    • Application access control
    • Network access control
    • Monitoring system access and use
    • Mobile computing
    • Security requirements analysis
    • Cryptographic controls
    • Change control procedures
    • Covert channels and Trojan code
    • Business continuity and impact analysis
    • Testing, maintaining and reassessing business continuity plans
    • Adherence to all existing legislations
      • IT Act 2000
      • Right to Information Act 2005
      • Indian Railways Act
      • Intellectual Property Rights
    • Adherence to internal procedures
      • Codal provisions
      • Other local orders
    • Audit provisions
    • Implementation can start as soon as an acceptable draft security policy is in place
    • In parallel, staff should be given specific responsibilities
    • Training programs will be announced by Board from time to time
    • Incident Response Teams to be set up in each unit when the Security Policy is established
    • Information security shall become increasingly important for Indian Railways
    • The time for preparation is now
    • Suggestions are welcome