Info jag


Published in: Technology
1 Comment
  • Dear,

    Wishing you a good day. Hope you are fine in all aspects. Request to send me a PPT/PDF of the document 'Information Security, Info Jag'. My mail address:

    Longing to hear from your good self.

    TOHID, Bangladesh.

  1. Information Security

  2. Agenda
     • Information and Security
     • Threats and Risk
     • Approach and Organization
     • Measures
     • Legislation and Regulation

  3. Information and Security
     • Most valuable assets
       – Information
       – People
     • Need: systems and procedures to protect both
     • Most security breaches result from
       – Lack of awareness of risks and procedures
       – Poor communication and indifference

  4. Project Goal
     • Organisations often see ISO/IEC 27001:2005 as a project goal: once the security management system and policies have been described and communicated, the organisation becomes certified.
     • Information protection is not a project but an ongoing process; it is an attitude.
     • The EXIN programme helps you align policy and practice by getting operational- and tactical-level personnel involved.

  5. Overview of the Series
     • ISO/IEC 27000 – ISMS – Overview and vocabulary
     • ISO/IEC 27001 – ISMS – Requirements
     • ISO/IEC 27002 – Code of practice for information security management
     • ISO/IEC 27003 – ISMS implementation guidance
     • ISO/IEC 27004 – ISMS – Measurement
     • ISO/IEC 27005 – Information security risk management
     • ISO/IEC 27006 – Requirements for bodies providing audit and certification of an ISMS

  6. ISO/IEC 27002
     • EXIN's Information Security programme is based on ISO/IEC 27002, the code of practice
     • It tests knowledge of the most important subjects in the standard and their application in daily practice
     • The objective is that people learn to become better at security management

  7. Origins of ISO/IEC 27001
     • BS 7799 was a standard originally published by BSI Group in 1995.
     • It was written by the United Kingdom Government's Department of Trade and Industry (DTI) and consisted of several parts.
     • The first part, containing the best practices for information security management, was revised in 1998.
     • After lengthy discussion in the worldwide standards bodies, it was adopted by ISO as ISO/IEC 17799 in 2000.
     • ISO/IEC 17799 was then revised in June 2005.
     • It was finally incorporated into the ISO 27000 series of standards as ISO/IEC 27002 in July 2007.

  8. Certification
     • An ISMS may be certified compliant with ISO/IEC 27001 by a number of accredited registrars worldwide.
     • In some countries, the bodies that verify conformity of management systems to specified standards are called "certification bodies"; in others they are referred to as "registration bodies", "assessment and registration bodies", "certification/registration bodies", or simply "registrars".

  9. The ISO/IEC 27001 certification, like other ISO management system certifications, involves a three-stage external audit process:
     • Stage 1 is a preliminary, informal review of the ISMS, for example checking the existence and completeness of key documentation such as the organisation's information security policy, Statement of Applicability (SoA) and Risk Treatment Plan (RTP). This stage serves to familiarise the auditors with the organisation and vice versa.
     • Stage 2 is a more detailed and formal compliance audit, independently testing the ISMS against the requirements specified in ISO/IEC 27001. The auditors seek evidence that the management system has been properly designed and implemented and is in fact in operation (for example by confirming that a security committee or similar management body meets regularly to oversee the ISMS). Certification audits are usually conducted by ISO/IEC 27001 Lead Auditors. Passing this stage results in the ISMS being certified compliant with ISO/IEC 27001.

  10. The ISO/IEC 27001 certification (contd.)
     • Stage 3 involves follow-up reviews or audits to confirm that the organisation remains in compliance with the standard. Certification maintenance requires periodic re-assessment audits to confirm that the ISMS continues to operate as specified and intended. These should happen at least annually but (by agreement with management) are often conducted more frequently, particularly while the ISMS is still maturing.
  11. Information Security Basics

  12. What is Information?
     "Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected" (ISO 27002:2005)

  13. Then what do we do?

  14. Top Ten Most Common Security Mistakes
     • Passwords on Post-it notes; poor password etiquette
     • Leaving your computer on, unattended
     • Not reporting security violations
     • Not knowing internal threats
     • Blabbermouths
     • Laptops on the loose
     • Opening e-mail attachments from strangers
     • Plug and play without protection
     • Always behind the times (the patch procrastinator)
     • Not installing anti-virus software
     • Leaving files and documents in the open

  15. Risks & Threats to Information Assets
     • Disgruntled employees
     • Low awareness of security issues
     • Growth in networking and distributed computing
     • Growth in complexity and effectiveness of hacking tools and viruses
     • Natural disasters, e.g. fire, flood, earthquake
     • Unrestricted access to IT infrastructure (physical and logical)
     • Lack of documentation
     • System / network failure

  16. Security violations - outcome
     Security breaches lead to:
     • Reputation loss
     • Financial loss
     • Intellectual property loss
     • Legislative breaches leading to legal action (cyber law)
     • Loss of customer confidence
     • Business interruption costs

  17. Why is Information Security Awareness Important?
     To minimise or avoid:
     – Denial of service attacks
     – Viruses, worms and Trojan horses
     – Password cracking
     – Social engineering
     – Misuse of systems, networks and logical access
     – Piggybacking and other misuse of physical access
     – Theft of laptops, storage media and other technologies
     – Accidental disclosure

  18. Then what do we do?

  19. What is Information Security?
     ISO 27002:2005 defines it as the preservation of CONFIDENTIALITY, INTEGRITY AND AVAILABILITY OF INFORMATION

  20. What is Information Security?
     • Confidentiality: ensuring that information is accessible only to those authorised to have access
       For example, personnel details of employees such as salary need not be available to all departmental staff. When information is read or copied by someone not authorised to do so, the result is known as loss of confidentiality.

  21. What is Information Security?
     • Integrity: safeguarding the accuracy and completeness of information and processing methods

  22. What is Information Security?
     • Availability: ensuring that authorised users have access to information and associated assets when required
       For example, if the server, PC or Internet link is not available during work, it creates chaos and productivity loss.
  23. Information Security - standards

  24. "ISMS"?? What does it mean?

  25. Features of BS/ISO 27001:2005
     – Plan, Do, Check, Act (PDCA) process model

  26. Features of BS/ISO 27001:2005
     – The scope covers information security, not only IT security

  27. Features of BS/ISO 27001:2005

  28. ISO 27001:2005 Controls

  29. ISO 27001:2005 Clauses
     • Clause 0. Introduction
     • Clause 1. Scope
     • Clause 2. Normative references
     • Clause 3. Terms and definitions
     • Clause 4. Information security management system (ISMS)
     • Clause 5. Management responsibility
     • Clause 6. Internal ISMS audits
     • Clause 7. Management review of the ISMS
     • Clause 8. ISMS improvement

  30. 4. Information security management system

  31. Structure of ISO 27001:2005 (Mandatory Clauses)
     4. Information security management system
     • 4.1 General requirements
     • 4.2 Establishing and managing the ISMS
       – 4.2.1 Establish the ISMS
       – 4.2.2 Implement and operate the ISMS
       – 4.2.3 Monitor and review the ISMS
       – 4.2.4 Maintain and improve the ISMS
     • 4.3 Documentation requirements
       – 4.3.1 General
       – 4.3.2 Control of documents
       – 4.3.3 Control of records

  32. Structure of ISO 27001:2005 (Mandatory Clauses)
     5. Management responsibility
     • 5.1 Management commitment
     • 5.2 Resource management
       – 5.2.1 Provision of resources
       – 5.2.2 Training, awareness and competence
     6. Internal ISMS audits
     7. Management review of the ISMS
     • 7.1 General
     • 7.2 Review input
     • 7.3 Review output
     8. ISMS improvement
     • 8.1 Continual improvement
     • 8.2 Corrective action
     • 8.3 Preventive action

  33. In a nutshell
     • An information security policy is required
     • It should be communicated to all employees, third-party consultants, vendors etc.
     • Service level agreements and a confidentiality agreement or NDA clause should be signed with external parties
     • Assets should be classified according to their criticality, and an owner must be defined for each

  34. In a nutshell (contd.)
     • Employees should be made aware of their information security roles
     • Background screening should be conducted for them
     • A CA/NDA should be signed
     • Information security awareness training should be conducted
     • Disciplinary action is to be taken for security breaches
     • Access rights are removed on termination of employment
     • Physical entry controls should be implemented; the area should be well guarded
     • Visitors should be escorted
     • Adequate protection should be given to equipment

  35. In a nutshell (contd.)
     • Adequate measures should be applied for:
       – E-mail security
       – Password security
       – Virus prevention
       – Backup of critical data
       – Protection of media
       – Secure disposal of data

  36. In a nutshell (contd.)
     • Logical access should be granted only to authorised personnel
     • Information security incidents should be reported
     • A business continuity plan is prepared for critical services
     • Internal and external audits are conducted for technical compliance
  37. Definitions
     • Risk is the probability of something bad happening combined with its impact, should it occur
     • The bad or undesirable thing is called a threat (e.g. a thief, or theft)
     • The shortfall or weakness is called a vulnerability (door not locked properly, window open)
     • When a threat agent exploits a vulnerability, the result is the impact (the theft)
     • The probability of occurrence is low or high: it may or may not happen

  38. Risk Management - Parameters
     • Asset
     • Asset value
     • Threat
     • Vulnerability
     • Threat rating (impact)
     • Probability of occurrence
     • Risk rating
     • Mitigation controls

  39. Asset and its classification
     "Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected"

  40. Valuation of asset
     – The asset value rating is based on C, I and A
     – A value is assigned for each of C, I and A
     – Assets are then sorted by the rating assigned for C, I and A

  41. What is a Threat?
     • Threats are described as anything that would contribute to the
       – tampering,
       – destruction or
       – interruption of any service
     E.g. hacking, breakdown, theft, floods, fire, viruses etc.

  42. What is a vulnerability?
     • A vulnerability is a weakness associated with an asset
     • These weaknesses may be exploited by a threat agent, causing unwanted incidents
     • A vulnerability in itself does not cause harm
     E.g. absence of entry / exit controls; periodic maintenance not carried out

  43. Threat rating
     • The severity (threat rating) is a value derived from the impact or consequences caused by a threat agent exploiting an identified vulnerability
     • The rating can be High (3), Medium (2) or Low (1)

  44. Probability of occurrence
     • The probability of occurrence is the likelihood of a threat exploiting a vulnerability
     • The probability rating is based on the likelihood of incidents that may occur in spite of implemented controls
     • Probability is also based on the incidents that have occurred in the past and have led to operational failures or delays

  45. Risk Rating
     Given the assets, asset values, threats, threat ratings, vulnerabilities and probabilities of occurrence, we need to find the RISK:
     • Risk rating value = Asset value x Severity of threat rating x Probability of occurrence rating
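The qualitative rating of slides 40 to 45 carried through as code. This is an added example, not from the original deck or from EXIN or ISO: the rule that an asset's value is the highest of its C, I and A ratings, the 1-3 scales on every factor, the acceptable-risk threshold and the sample register are all assumptions made for the illustration.

```python
"""Qualitative risk rating, as on slides 40-45:
risk rating = asset value x threat severity x probability of occurrence,
with every factor rated Low (1), Medium (2) or High (3)."""
from dataclasses import dataclass
from typing import List, Tuple

LOW, MEDIUM, HIGH = 1, 2, 3
SCALE = (LOW, MEDIUM, HIGH)


def _check(rating: int, what: str) -> int:
    """Reject anything outside the three-point scale before it skews a product."""
    if rating not in SCALE:
        raise ValueError(f"{what} must be 1, 2 or 3, got {rating!r}")
    return rating


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int
    integrity: int
    availability: int

    def value(self) -> int:
        """Asset value rating derived from C, I and A.
        Assumption: the value is the highest of the three ratings; the slides
        only say the rating 'is based on C, I, A'."""
        return max(_check(self.confidentiality, "C"),
                   _check(self.integrity, "I"),
                   _check(self.availability, "A"))


@dataclass(frozen=True)
class Scenario:
    """One threat exploiting one vulnerability of one asset."""
    asset: Asset
    threat: str
    vulnerability: str
    severity: int       # threat rating: impact if the vulnerability is exploited
    probability: int    # likelihood, in spite of the controls already in place


def risk_rating(s: Scenario) -> int:
    """Slide 45: Asset value x Severity x Probability, so 1..27."""
    return (s.asset.value()
            * _check(s.severity, "severity")
            * _check(s.probability, "probability"))


def rank(scenarios: List[Scenario], acceptable: int = 9) -> List[Tuple[int, Scenario, bool]]:
    """Sort the register by rating, highest first, and flag what needs treatment.
    Assumption: anything rated above `acceptable` must be treated; the threshold
    itself is a management decision (slide 48), not something the deck fixes."""
    rows = sorted(((risk_rating(s), s) for s in scenarios),
                  key=lambda r: r[0], reverse=True)
    return [(rating, s, rating > acceptable) for rating, s in rows]


# Constructed sample register; not taken from the slides.
PAYROLL = Asset("payroll database", confidentiality=HIGH, integrity=HIGH, availability=MEDIUM)
INTRANET = Asset("intranet wiki", confidentiality=LOW, integrity=MEDIUM, availability=MEDIUM)
REGISTER = [
    Scenario(PAYROLL, "disgruntled employee copies salary data",
             "no periodic access-rights review", severity=HIGH, probability=MEDIUM),
    Scenario(PAYROLL, "fire in the server room",
             "no off-site backup", severity=HIGH, probability=LOW),
    Scenario(INTRANET, "defacement through an unpatched CMS",
             "patch procrastination", severity=MEDIUM, probability=HIGH),
]

if __name__ == "__main__":
    for rating, s, treat in rank(REGISTER):
        print(f"{rating:2d}  {'TREAT ' if treat else 'accept'}  {s.asset.name}: {s.threat}")
```

Ranked, the constructed register reads 18 (payroll, insider copying data), 12 (wiki defacement) and 9 (fire): with the threshold at 9 the first two go into the risk treatment plan and the fire scenario is accepted. Note that the wiki outranks the fire even though the payroll asset is worth more, because the product weights likelihood as heavily as impact.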
  47. Risk Treatment
     Types of control
     – Deterrent / detective controls
     – Corrective controls
     – Preventive controls
     Risk treatment can be achieved through:
     – Risk avoidance: deciding not to go ahead with an activity likely to generate risk
     – Reducing the likelihood: reducing the probability of occurrence
     – Risk transference: arranging for another party to compensate for the loss, e.g. insurance
     – Risk acceptance: the organisation bears all the risk

  48. Risk Treatment - Acceptable risk
     • The elimination of all risk is usually impractical
     • Implementation of a control depends on the severity of the impact vs. the cost of the proposed control
     • So, using a cost/benefit analysis approach, the most appropriate controls are implemented to reduce the risk to an acceptable level
     • This is called ACCEPTABLE RISK

  49. Risk Treatment - Residual risk
     • The risk remaining after treatment that cannot be further countered, mitigated or eliminated is called 'residual risk'
     • Management shall take a decision about the residual risk

  50. Statement of Applicability (SoA)
     • The Statement of Applicability (SoA) is a document that lists which of the 133 controls of ISO/IEC 27001:2005 Annex A are implemented
     • These implemented controls are used for mitigating / reducing the risk to an acceptable value
     • The SoA is an output of the risk treatment plan
     • Justification must also be given for each control that is excluded

  51. Quantitative Risk Analysis
     To derive the overall loss potential per threat:
     • Combine potential loss and probability
     • Calculate the annualized loss expectancy (ALE) per threat from the potential loss and probability just estimated
     • Choose remedial measures to counteract each threat
     • Carry out a cost/benefit analysis on the identified countermeasures

  52. SLE and ALE
     SLE = asset value x exposure factor
     The exposure factor represents the percentage of loss a realized threat could have on a certain asset.
     Example: a warehouse has an asset value of $150,000. It is estimated that if a fire were to occur, 25 percent of the warehouse would be damaged, in which case the SLE would be $37,500.

  53. ALE
     ALE = SLE x annualized rate of occurrence (ARO)
     The annualized rate of occurrence is the value that represents the estimated frequency of a specific threat taking place within a one-year time frame. It ranges from 0.0 (never) through 1.0 (once a year) to values greater than 1.0 (several times a year).
     So if a fire in the company's warehouse can cause $37,500 in damage, and the frequency of a fire taking place has an ARO value of 0.1, then the ALE is $3,750.
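The SLE and ALE arithmetic of slides 52 and 53, followed by the cost/benefit step that slide 51 lists but does not show. This is an added example, not code from the deck: the rule "value of a safeguard = ALE before minus ALE after minus the safeguard's annual cost" is the usual textbook formula, and the sprinkler and laptop-theft figures are constructed for the illustration. The laptop case is there to show an ARO above 1.0.

```python
"""Quantitative risk analysis, slides 51-53: SLE = AV x EF, ALE = SLE x ARO,
then the cost/benefit test for a countermeasure."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float       # AV, in currency units
    exposure_factor: float   # EF: fraction of the asset lost when the threat is realised, 0..1
    aro: float               # annualised rate of occurrence; may exceed 1.0 (several times a year)

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0.0 and 1.0")
        if self.aro < 0.0:
            raise ValueError("ARO cannot be negative")


def sle(t: Threat) -> float:
    """Single loss expectancy (slide 52)."""
    return round(t.asset_value * t.exposure_factor, 2)


def ale(t: Threat) -> float:
    """Annualised loss expectancy (slide 53)."""
    return round(sle(t) * t.aro, 2)


@dataclass(frozen=True)
class Safeguard:
    """A countermeasure and what it changes. Assumption: a safeguard lowers the
    exposure factor, the ARO, or both; None means 'unchanged'."""
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None
    new_aro: Optional[float] = None


def ale_with(t: Threat, sg: Safeguard) -> float:
    """ALE once the safeguard is in place."""
    after = Threat(
        t.name,
        t.asset_value,
        t.exposure_factor if sg.new_exposure_factor is None else sg.new_exposure_factor,
        t.aro if sg.new_aro is None else sg.new_aro,
    )
    return ale(after)


def safeguard_value(t: Threat, sg: Safeguard) -> float:
    """Cost/benefit step of slide 51, using the usual textbook rule:
    value = (ALE before) - (ALE after) - (annual cost of the safeguard).
    Positive means the safeguard pays for itself; negative means accept the
    risk (slide 48) or look for a cheaper control."""
    return round(ale(t) - ale_with(t, sg) - sg.annual_cost, 2)


# The deck's own fire example (slides 52-53) with a constructed safeguard,
# then a constructed case where the ARO is above 1.0.
FIRE = Threat("fire in the warehouse", asset_value=150_000, exposure_factor=0.25, aro=0.1)
SPRINKLERS = Safeguard("sprinkler system", annual_cost=2_000, new_exposure_factor=0.05)

LAPTOP_THEFT = Threat("field laptop stolen", asset_value=3_000, exposure_factor=1.0, aro=4.0)
DISK_ENCRYPTION = Safeguard("full-disk encryption", annual_cost=500, new_exposure_factor=0.2)

if __name__ == "__main__":
    for threat, sg in ((FIRE, SPRINKLERS), (LAPTOP_THEFT, DISK_ENCRYPTION)):
        print(f"{threat.name}: SLE={sle(threat):,.2f} ALE={ale(threat):,.2f} "
              f"-> with {sg.name}: ALE={ale_with(threat, sg):,.2f}, "
              f"net value={safeguard_value(threat, sg):,.2f}")
```

For the warehouse the numbers reproduce the slides (SLE $37,500, ALE $3,750); sprinklers that cut the exposure factor to 5 percent bring the ALE to $750, so at $2,000 a year they are worth $1,000 net. Four laptop thefts a year at $3,000 each give an ALE of $12,000, and encryption that limits the loss per incident to the hardware is worth $9,100 net: the ARO above 1.0 is exactly why the "0.0 to 1.0" range on slide 53 had to be widened.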
  54. Access control models

  55. Discretionary access control

  56. Access Control List

  57. Identity-based access control

  58. Access matrix

             File 1      File 2      File 3
     User3   RW          RW          RW
     User2   RW          RW          No Access
     User1   RW          No Access   No Access

  59. Mandatory access control
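The models named on slides 54 to 59, implemented around the access matrix of slide 58. This is an added example, not from the deck: the matrix is stored as one ACL per file (the identity-based, discretionary model), and since the slides do not say who owns the three files, the owners, the "only the owner may grant" rule, the four-level label lattice and the Bell-LaPadula read/write rules used for the mandatory check are all assumptions made for the illustration.

```python
"""Access control models of slides 54-59: the access matrix of slide 58 held as
per-object ACLs under discretionary, identity-based control, and a label-based
mandatory check beside it."""
from enum import Flag, auto
from typing import Dict


class Perm(Flag):
    NONE = 0
    READ = auto()
    WRITE = auto()
    RW = READ | WRITE


class DiscretionaryAcl:
    """Identity-based DAC: each object carries an ACL {subject: permissions};
    a subject absent from the ACL has No Access. Assumption: each object has one
    owner, and only the owner may extend its ACL (that is the 'discretionary'
    part; the slides do not say who owns the three files)."""

    def __init__(self, owners: Dict[str, str], acls: Dict[str, Dict[str, Perm]]):
        self.owners = dict(owners)
        self.acls = {obj: dict(entries) for obj, entries in acls.items()}

    def allowed(self, subject: str, obj: str, wanted: Perm) -> bool:
        """Every bit in `wanted` must be present in what the ACL grants."""
        granted = self.acls.get(obj, {}).get(subject, Perm.NONE)
        return wanted in granted

    def grant(self, granter: str, obj: str, subject: str, perms: Perm) -> bool:
        """Owner-only delegation; returns False (no change) for anyone else."""
        if self.owners.get(obj) != granter:
            return False
        entries = self.acls.setdefault(obj, {})
        entries[subject] = entries.get(subject, Perm.NONE) | perms
        return True


def slide_58_matrix() -> DiscretionaryAcl:
    """Slide 58's matrix as ACLs. The owners are constructed for the example."""
    return DiscretionaryAcl(
        owners={"File 1": "User1", "File 2": "User2", "File 3": "User3"},
        acls={
            "File 1": {"User1": Perm.RW, "User2": Perm.RW, "User3": Perm.RW},
            "File 2": {"User2": Perm.RW, "User3": Perm.RW},
            "File 3": {"User3": Perm.RW},
        },
    )


# Mandatory access control: labels are set by the organisation, not by owners,
# and no owner can grant around them. Assumption: a linear lattice and the
# classic Bell-LaPadula rules (no read up, no write down); the deck only names
# the model as "mandatory access control".
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def mac_allowed(clearance: str, classification: str, op: str) -> bool:
    subj, obj = LEVELS[clearance], LEVELS[classification]
    if op == "read":
        return subj >= obj        # no read up
    if op == "write":
        return subj <= obj        # no write down
    raise ValueError(f"unknown operation {op!r}")


if __name__ == "__main__":
    m = slide_58_matrix()
    print("User1 read File 2:", m.allowed("User1", "File 2", Perm.READ))    # No Access in the matrix
    print("User2 grants User1 read on File 2:", m.grant("User2", "File 2", "User1", Perm.READ))
    print("User1 read File 2:", m.allowed("User1", "File 2", Perm.READ))    # owner's discretion
    print("secret user writes internal doc:", mac_allowed("secret", "internal", "write"))  # denied
```

The contrast the two halves show is the one the slide titles point at: under DAC the "No Access" cell for User1 on File 2 holds only until File 2's owner decides otherwise, whereas under MAC a subject cleared for secret is still refused a write to an internal document, and no owner can change that.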
  60. Laws and Regulations: Geographies

  61. Various Laws
     • The UK Data Protection Act 1998 makes new provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information. The European Union Data Protection Directive (EUDPD) requires that all EU member states adopt national regulations to standardise the protection of data privacy for citizens throughout the EU.
     • The Computer Misuse Act 1990 is an Act of the UK Parliament making computer crime (e.g. hacking) a criminal offence. The Act has become a model from which several other countries, including Canada and the Republic of Ireland, have drawn inspiration when subsequently drafting their own information security laws.
     • EU data retention laws require Internet service providers and phone companies to keep data on every electronic message sent and phone call made for between six months and two years.

  62. Laws (contd.)
     • The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a US federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable programme of the U.S. Department of Education. Generally, schools must have written permission from the parent or eligible student in order to release any information from a student's education record.
     • The Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires the adoption of national standards for electronic health care transactions and national identifiers for providers, health insurance plans and employers. It also requires health care providers, insurance providers and employers to safeguard the security and privacy of health data.

  63. Laws (contd.)
     • The Gramm-Leach-Bliley Act of 1999 (GLBA), also known as the Financial Services Modernization Act of 1999, protects the privacy and security of private financial information that financial institutions collect, hold and process.
     • Sarbanes-Oxley Act of 2002 (SOX): Section 404 of the Act requires publicly traded companies to assess the effectiveness of their internal controls for financial reporting in the annual reports they submit at the end of each fiscal year. Chief information officers are responsible for the security, accuracy and reliability of the systems that manage and report the financial data. The Act also requires publicly traded companies to engage independent auditors who must attest to, and report on, the validity of their assessments.

  64. Laws (contd.)
     • The Payment Card Industry Data Security Standard (PCI DSS) establishes comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, to facilitate the broad adoption of consistent data security measures on a global basis. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.
     • State security breach notification laws (California and many others) require businesses, non-profits and state institutions to notify consumers when unencrypted "personal information" may have been compromised, lost or stolen.

  65. Laws (contd.)
     • The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian Act to support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances, by providing for the use of electronic means to communicate or record information or transactions, and by amending the Canada Evidence Act, the Statutory Instruments Act and the Statute Revision Act.

  66. Thank you