Information security-management-system

Information Security Management System Primer

Published in: Technology

  1. INFORMATION SECURITY Management System - Dr Kalpesh Parikh
     INFORMATION SECURITY - Management (ISMS)
  2. What is Information?
     "Information is an asset which, like other important business assets, has value to an organisation and consequently needs to be suitably protected." (BS 7799-1:2000)
  3. Types of Information
     • Printed or written on paper
     • Stored electronically
     • Transmitted by post or using electronic means
     • Shown on corporate videos
     • Verbal - spoken in conversations
     "...Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected." (ISO/IEC 17799:2000)
  4. Information Lifecycle
     Information can be: Created, Stored, Processed, Transmitted, Used (for proper and improper purposes), Lost!, Corrupted!, Destroyed?
  5. What is Information Security?
     • Confidentiality: ensuring that information is accessible only to those authorized to have access
     • Integrity: safeguarding the accuracy and completeness of information and processing methods
     • Availability: ensuring that authorized users have access to information and associated assets when required
  6. How to Achieve Information Security
     • Attitude building
     • Efforts v/s value of asset
     • Segmentation
     • Harmonization
     • Concept of insurance
     • Managing risk
     • Objective evidence through monitoring and analysis
  7. Why an Information Security Management System? Information is an asset:
     • Not known even if stolen
     • Challenge is you don't know - how to know
     • Theoretically any information can get stolen
     • Affects everyone
     • Technical and technology is a subset of the complete domain
     • Dynamic in nature
     • Very complex to manage
  8. ISMS - Commitment
     "You have my full commitment... apart from money, time, resources and attention, and just so long as I don't have to be involved."
  9. ISG - Predictability: Default Style
  10. ISG - Risk Management - Onion Structure
     Layers: Technology, Environment, Information, Human Firewall, Standards, Policies, Training, Processes, Management
  11. Plan-Do-Check-Act Cycle of ISMS
  12. ISMS - Information Assets and Valuation
     • An inventory of all important assets shall be drawn up and maintained. Accountability shall be defined.
     • What are assets? Something to which the organisation assigns value, e.g. information assets, paper documents, software, physical assets, people, company image and reputation, services.
     • Which assets? Assets that materially affect delivery of a product/service by their absence or degradation.
     • Valuation - what system? 0 to 5 (quantitative) or low to very high (qualitative)
  13. ISMS - Risk Assessment
     Threat: "Potential to cause an unwanted incident which may result in harm to a system or organization and its assets." E.g. natural disaster, human, technological, theft/loss
     Vulnerability: a weakness/hole in an organisation's information system. E.g. unprotected cabling, unstable power grid, wrong allocation of password
  14. ISMS - Risk Assessment
     Risk: the possibility of incurring misfortune or loss; hazard (to expose to danger or loss)
     At risk: vulnerable; likely to be lost/damaged
     Security risk: potential that a given threat will exploit vulnerabilities to cause loss or damage to an asset or group of information assets
     Measuring risk: Risk = Value of asset X Threat X Vulnerability X Probability of happening
  15. ISMS - Risk Treatment Plan
     Coordinated document defining the actions to reduce unacceptable risks and implement the required controls to protect information.
     Direction: Treat, Transfer, Terminate, Tolerate
     Treatment: define an acceptable level of residual risk; constantly review threats and vulnerabilities; review existing controls; apply additional security controls; introduce policy and procedures
     Controls: which controls? / selection of controls
  16. ISMS - Statement of Applicability (SOA)
     • The Statement of Applicability is a critique of the objectives and controls which the organization has selected as suitable to its business needs. The statement will also record the exclusion of any controls.
     • Risk assessment will determine which controls should be implemented
     • Justification of which controls are relevant and not relevant
  17. ISO 27001 (ISMS) Control Areas
     1. Security Policy
     2. Security Organization
     3. Asset Classification and Control
     4. Personnel Security
     5. Physical and Environmental Security
     6. Communications and Operations Management
     7. Access Control
     8. Systems Development and Maintenance
     9. Business Continuity Planning
     10. Compliance
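The deck states the risk formula (slide 14), the 0-to-5 valuation scale (slide 12), the four treatment directions and the acceptable residual-risk level (slide 15), and the Statement of Applicability over the control areas (slides 16 and 17) without showing how they combine into one register. The following is an added worked example, not code from Dr Parikh's deck or from any standard: a small risk register that scores each entry with the slide's formula, picks a direction, computes the residual risk, and derives an SOA with a justification per control area. The asset rows, the reuse of the 0-to-5 scale for threat, vulnerability and probability, the acceptable level of 60, the decision order inside `treatment_direction`, the `insurable` flag, the `TREATED_VULNERABILITY` and `BASELINE_AREAS` constants are all assumptions of this example.

```python
from dataclasses import dataclass

SCALE = range(0, 6)            # slide 12: 0 (negligible) .. 5 (very high); reused for every factor (assumption)
CONTROL_AREAS = [              # slide 17: the ten ISO 27001 control areas
    "Security Policy", "Security Organization", "Asset Classification and Control",
    "Personnel Security", "Physical and Environmental Security",
    "Communications and Operations Management", "Access Control",
    "Systems Development and Maintenance", "Business Continuity Planning", "Compliance",
]
BASELINE_AREAS = {"Security Policy"}   # assumption: an ISMS always needs a policy, never excluded
TREATED_VULNERABILITY = 1              # assumption: a selected control lowers vulnerability to 1


@dataclass
class Risk:
    asset: str
    value: int                 # slide 12 valuation of the asset
    threat: str                # slide 13: natural disaster, human, technological, theft/loss
    threat_level: int
    vulnerability: str         # slide 13: unprotected cabling, unstable power grid, ...
    vulnerability_level: int
    probability: int           # probability of the threat happening
    control_areas: list[str]   # slide 17 areas whose controls would reduce this risk
    insurable: bool            # slide 6 "concept of insurance": can the loss be transferred?


def risk_score(r: Risk) -> int:
    """Slide 14: Risk = Value of asset x Threat x Vulnerability x Probability."""
    factors = (r.value, r.threat_level, r.vulnerability_level, r.probability)
    if any(f not in SCALE for f in factors):
        raise ValueError(f"{r.asset}: every factor must be on the 0-5 scale")
    return r.value * r.threat_level * r.vulnerability_level * r.probability


def treatment_direction(r: Risk, acceptable: int) -> str:
    """Slide 15 directions; the decision order is this example's own policy."""
    if risk_score(r) <= acceptable:
        return "Tolerate"      # already within the acceptable residual-risk level
    if r.insurable:
        return "Transfer"      # loss can be carried by insurance
    if not r.control_areas:
        return "Terminate"     # no control reduces it: stop the activity
    return "Treat"             # apply additional security controls


def residual_risk(r: Risk, direction: str) -> int:
    """Score left once the chosen direction has been carried out."""
    if direction == "Terminate":
        return 0
    if direction == "Treat":
        vuln = min(r.vulnerability_level, TREATED_VULNERABILITY)
        return r.value * r.threat_level * vuln * r.probability
    return risk_score(r)       # Tolerate and Transfer leave the score as it is


def build_treatment_plan(register: list[Risk], acceptable: int) -> list[dict]:
    """Slide 15: one plan entry per register row, checked against the acceptable level."""
    plan = []
    for r in register:
        direction = treatment_direction(r, acceptable)
        residual = residual_risk(r, direction)
        plan.append({"asset": r.asset, "score": risk_score(r), "direction": direction,
                     "controls": r.control_areas if direction == "Treat" else [],
                     "residual": residual, "within_appetite": residual <= acceptable})
    return plan


def statement_of_applicability(plan: list[dict]) -> dict[str, tuple[bool, str]]:
    """Slide 16: every control area with a selected/excluded decision and its justification."""
    selected: dict[str, list[str]] = {}
    for entry in plan:
        for area in entry["controls"]:
            selected.setdefault(area, []).append(entry["asset"])
    soa = {}
    for area in CONTROL_AREAS:
        if area in BASELINE_AREAS:
            soa[area] = (True, "baseline requirement of the ISMS")
        elif area in selected:
            soa[area] = (True, "treats risk to: " + ", ".join(selected[area]))
        else:
            soa[area] = (False, "no unacceptable risk in the register selects this area")
    return soa


# Constructed sample register: hypothetical assets and ratings, not taken from the slides.
ACCEPTABLE_RESIDUAL_RISK = 60
REGISTER = [
    Risk("Customer database", 5, "Theft/Loss", 4, "wrong allocation of password", 4, 3,
         ["Access Control", "Personnel Security"], False),
    Risk("Data centre", 5, "Natural disaster", 2, "unstable power grid", 3, 3,
         ["Physical and Environmental Security", "Business Continuity Planning"], True),
    Risk("Marketing brochure", 1, "Theft/Loss", 2, "copies left in reception", 3, 2,
         ["Asset Classification and Control"], False),
    Risk("Legacy dial-in modem", 3, "Human", 5, "unprotected cabling", 5, 4, [], False),
]

if __name__ == "__main__":
    plan = build_treatment_plan(REGISTER, ACCEPTABLE_RESIDUAL_RISK)
    for area, (applies, why) in statement_of_applicability(plan).items():
        print("SELECTED" if applies else "EXCLUDED", area, "-", why)
```

With these constructed rows the customer database scores 240 and is treated down to a residual of 60, the data centre (90) is transferred because it is insurable, the brochure (12) is tolerated, and the modem (300) is terminated because no control area reduces it; only Access Control, Personnel Security and the baseline Security Policy end up selected in the SOA, and every other area carries an explicit exclusion justification, which is the record slide 16 asks for.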