ISO27001 - A Business View

ISO27001 - A Business View by M.S Sripathi @ null Hyderabad Meet, December, 2010

  1. A Business View
  2. Who Am I
     • M.S.Sripati
     • Information Security Enthusiast and Student
     • ISMS Implementer
     • CISA (cleared exam in June 2008)
  3. What Am I NOT going to talk about
     • Nothing technical
     • Nothing on what information security is (this is the NULL chapter, for God's sake!)
     • Not much on some basic terms (Google devo bhav||)
  4. What Am I going to talk about
     • Some cases where regular firewalls and web application security measures fail
     • What ISO 27001 is and how it helps us
  5. Can you save your organization from these cases?
  6. Cases (1)
     • Someone using your ID card to enter a secure premises and steal/alter/delete some information
     • Copy/paste by a developer
     • Password sharing
     • Kevin Mitnick (!)
     • Unlocked desktops/laptops
     • Password re-use
     • Writing passwords down on paper
     • Natural calamities
     • Legal fines (in case of a data breach: HIPAA, PCI-DSS)
     • Work backlog in antivirus companies
     • Someone trying to get your personal data so that he/she can sell it underground
  7. Cases (2)
     • Some unknown third-party vendor working on your computer
     • Someone asking for a password while posing as a client
     • Some random mail asking you to click so that you can receive some money immediately
     • Social networking sites
     • Farmville and other third-party apps
     • An employee who has high access to data/information and a shady past
     • No frisking of housekeeping personnel, putting information systems at risk (think about hardware key-loggers)
     • Taking pictures of code using a camera phone and a third-party app on it (think about an Android app AD)
     • Data getting lost because of a natural calamity (fire, flood, earthquake, etc.) while having a business requirement to resume work as soon as possible
  8. So, what does it all mean?
  9. Noteworthy points
     • Changing nature of security incidents
     • System ownage through an unsuspecting user's click
     • Info-sec as a business, both legit and non-legit
     • Humans as the weak link in the info-sec chain
     • Changing legal landscape (HIPAA, PCI-DSS)
     • Changing business landscape (threats to India from BRIC)
  10. Implementer's Dilemma
  11. The four fronts an implementer must cover (image: http://gallery.trupela.com/)
     • Legal Compliance (HIPAA, PCI-DSS, Data Protection Act)
     • Web Application Security
     • Human Awareness Quotient (technical and non-technical)
     • Network Security (firewall, IDS, IPS, antivirus, etc.)
  12. (Image copied from http://pumapac.org/)
  13. Saving Private Ryan
  14. What is ISO 27001
     • Specifies the requirements for establishing a comprehensive Information Security Management System (ISMS), helping to achieve information security and to give assurance to interested parties.
     • Interested parties are:
       • Shareholders / Owners
       • Management
       • Employees
       • Business Partners
       • Service Providers
       • Contractors
       • Customers / Clients
       • Regulators, etc.
  15. ISMS process (PDCA cycle)
     • Input: Interested Parties' Information Security Requirements & Expectations
     • PLAN: Establish the ISMS
     • DO: Implement & Operate the ISMS
     • CHECK: Monitor & Review the ISMS
     • ACT: Maintain & Improve the ISMS
     • Management Responsibility
     • Output: Managed Information Security for the Interested Parties
  16. ISO 27001 control domains
     • Information Security Policy
     • Organisation of Information Security
     • Asset Management
     • Human Resource Security
     • Physical Security
     • Communication & Operations Management
     • Access Control
     • System Development & Maintenance
     • Incident Management
     • Business Continuity Planning
     • Compliance
     • Security objectives: Confidentiality, Integrity, Availability
  17. Thank You
     • M.S.Sripati
