Information Systems Policy (Presentation Transcript)

  • Information Security Policy. Presented by Mr Ali Sadhik Shaik, BE (ECE), PGDVLSI, MBA (IS), sadhiqali@gmail.com
  • Agenda
    • Introduction
    • Security Policy Framework
    • Need for IS Policy
    • E-mail Policy: SandZ Technologies
    • Implementing security policy
    • Conclusion
  • Introduction
    • Organizations have moved from tangible to intangible (information-based) assets.
    • These information assets need protecting.
    • The objective of the policy is to convey the risks concerning information security and the preventive measures the company has adopted.
  • Security Policy Designing Framework: Commitment → Risk Assessment → Risk Mitigation → Final Policy
  • Commitment
    • Educate the top management.
    • Align with the corporate vision and business objectives.
    • We also need to analyze the following:
      • What are the information assets of the company in terms of hardware, software and network, as well as the future investment plan in IT/IS?
      • What is the company's dependence on IT in real, measurable terms?
      • What is the impact of a threat?
  • Risk Assessment
    • Business risks, physical risks, environmental risks, technological risks, human risks and so on.
    • Tabulate and prioritize the risks involved based on impact and probability of occurrence. Example: the probability of the website getting hacked is an annual frequency of 0.5, i.e. once in 2 years, and the business loss for each event is Rs 100 lakhs. The product of probability and consequence gives an Annual Loss Expectancy (ALE) of Rs 50 lakhs (0.5 × 100).
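The ALE tabulation described on the Risk Assessment slide, as an added example that is not part of the original deck: it generalizes the single website figure into a small risk register ranked by ALE so the highest-expected-loss items surface first. Only the "website hacked" row is taken from the slide; the other risks and their figures are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    annual_frequency: float  # expected occurrences per year (ARO)
    loss_per_event: float    # business loss per occurrence (SLE), in Rs lakhs

    def ale(self) -> float:
        """Annual Loss Expectancy = probability of occurrence (per year) x consequence."""
        return self.annual_frequency * self.loss_per_event


def frequency_from_interval(years_between_events: float) -> float:
    """Convert 'once in N years' into an annual frequency, e.g. once in 2 years -> 0.5."""
    if years_between_events <= 0:
        raise ValueError("interval between events must be positive")
    return 1.0 / years_between_events


def prioritize(risks: list[Risk]) -> list[tuple[str, float]]:
    """Tabulate risks by ALE, highest first, so mitigation effort goes to the top rows."""
    ranked = sorted(risks, key=lambda r: r.ale(), reverse=True)
    return [(r.name, round(r.ale(), 2)) for r in ranked]


# Constructed register: only the "Website hacked" row comes from the slide.
REGISTER = [
    Risk("Website hacked", frequency_from_interval(2), 100.0),
    Risk("Laptop theft", 4.0, 2.0),
    Risk("Flood at data centre", 0.05, 400.0),
    Risk("Phishing e-mail compromise", 1.0, 15.0),
]

if __name__ == "__main__":
    for name, ale in prioritize(REGISTER):
        print(f"{name:<30} ALE = Rs {ale:.1f} lakhs")
```

Note that a rare but severe event (the flood row) can rank above frequent low-cost ones, which is exactly why the slide asks for impact and probability to be weighed together rather than either alone.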
  • Threats (slide grid flattened; headings and topics as listed on the slide)
    • Natural and Environmental Threats
    • Human Threats
    • Database Security
    • Operating Systems Security
    • Email security
    • Administrative Controls
    • Disaster recovery
    • Network & Telecommunication Security
    • Backup and recovery
    • WAN recovery
    • Password Security & Controls
    • Firewall Security
    • Internet access and security
    • Data Classification
    • Web server Security
    • Intranet Security
    • Virus Protection
    • E-commerce Security
    • Data encryption
    • Technical controls
    • Physical Security
    • Logical Access Controls
    • Incident Response management
    • Program Change Controls
    • Punitive actions
    • Version Controls
    • Application Software Security
  • Risk Mitigation
    • Security is not possible with a single defence; have multiple layers of protection.
    • The measures for risk mitigation can be administrative, physical or technical.
  • Risk Mitigation: measures by category
    • Administrative Measures
      • Policies, Procedures, Standards and Guidelines
      • Personnel Screening and Security awareness training
    • Physical Measures
      • Perimeter Control
      • Physical Access Controls
      • Intruder Detection devices
      • Fire Protection
      • Environmental Monitoring
    • Technical Measures
      • Logical Access Control
      • Network Access Control measures
      • Identification and Authentication
      • Data Encryption
  • Risk Mitigation: Security Efforts (chart) – Administrative 25, Technical 75
  • Final Policy
    • The security policy is not the last and final word.
    • It is a master plan that identifies the company's security concerns and is the first step towards building a secure infrastructure.
  • Anatomy of a Security Policy (slide grid flattened)
    • Policy Statement
    • Specific issues that the policy is addressing
    • Best practices
    • Mandatory practices
    • Policy Scope
    • Policy details
    • Compliance requirements
    • Procedure for implementation
    • Essential Policies
    • Validity
    • Monitoring and reporting mechanism
    • Owner
    • Review details
    • Annexure
  • Security Policy (diagram slide)
  • SandZ Technologies
    • Mainly concentrates on providing online education in the domain of electronic design.
    • E-mails in and out of the company are crucial and confidential.
    • The e-mail policy aims to reduce the risk of damage to the company's image and of leaking important information.
  • Implementation of Security Policies
    • Conduct security awareness seminars, workshops and quizzes.
    • Hold a Security Week for the organization.
    • Prepare Do's & Don'ts of the Security Policy; distribute and display them.
    • Create posters, stickers, t-shirts, mugs and mouse pads, all with security messages.
    • Run slogan competitions.
    • Perform security audits.
  • Conclusion: an ounce of prevention is better than a pound of detection and correction.
  • References
    • Avinash Kadam, "Writing an Information Security Policy", Network Magazine, October 2002 issue. (Chief Executive, Assurance and Training, Miel e-Security Pvt. Ltd.)
    • Whitman, M.E. & Mattord, H.J. (2007), Managing Information Security, Thomson Course Technology.