Information Security Management System

Published in: Technology

Slide 2
- Increasing dependence on information as a resource
- Shift from paper-based to IT-based information
- Increasing need for access to information
  - Customer expectations
  - Legislation
    - Right to Information Act
- Speed of change
  - Security versus flexibility
  - Security versus accessibility

Slide 3
- Information availability should be controlled
  - It should be available to all authorized persons when they need it
  - It should be unavailable to unauthorized persons
- A continuous process to manage the information should be in place
- Information security involves
  - Confidentiality
  - Integrity
  - Availability
  - Traceability

Slide 4
- Threats come from different sources
- Threats can be identified
- Vulnerabilities exist in the system
- Threats exploit vulnerabilities

Slide 5
- Risks vary with the nature of information
- Risks can be assessed
- Risks depend on vulnerabilities and associated threats
- The degree to which the risk can be mitigated should be decided
  - Know the risk
  - Assess the cost of mitigation
  - Live with the risk or mitigate it

Slide 6
- Identify the risks
- Identify their associated vulnerabilities
- Identify the associated threats
- Minimize the vulnerabilities
  - Change procedures
  - Add a security layer
  - Reclassify information

Slide 7
- By the late 1980s, the need for a code for information security was felt
- First addressed in the UK in 1989
- Resulted in the BS7799:1995 standard
- Current standards are ISO/IEC17799:2000 and BS7799:2002
- Future: ISO27000 series of standards

Slide 8
- The role of an organization is to proactively look for new vulnerabilities and threats
- A prerequisite is to know the existing vulnerabilities and threats
- First steps:
  - Assigning information security roles and responsibilities in all units of Indian Railways
  - Training staff in the area of information security
  - Establishing information security policies in all units

Slide 9
- Set of formal procedures
- Adequate and proportionate security controls for protection of information assets
- Procedures to be followed by persons within the organization
- System to give confidence to customers and other stakeholders

Slide 10
- An effective ISMS is based on the PDCA cycle
  - Plan: make an effective security policy
  - Do: implement the plan
  - Check: is the plan working?
  - Act: change the things that don't work
- An effective ISMS needs continuous effort

Slide 11
- Assess threats, vulnerabilities and risks
- Establish security policy, objectives, targets, processes and procedures
- Aimed at managing risk and improving information security

Slide 12
- Implement and operate
  - Security policy
  - Controls
  - Processes and procedures

Slide 13
- Assess and, where applicable, measure process performance
  - Against security policy and objectives
  - Against practical experience
- Report results for management review

Slide 14
- Based on the results of the management review
  - Take corrective action
  - Take preventive action
- Aim: to achieve continual improvement of the ISMS
- To take care of new threats, vulnerabilities and associated risks

Slide 15
- All members must establish a security policy
  - Identify important information assets
  - Fix ownership and responsibilities
  - Identify threats to these assets
  - Identify vulnerabilities that these threats may exploit

Slide 16
- Assess the impact of each possible adverse incident
- Assess the realistic likelihood of the occurrence of such an incident
- Estimate the level of risk
- Determine whether the risk is acceptable or needs mitigation

Slide 17
- Accept the risk
- Avoid the risk
- Transfer the risk to other parties: insurers, suppliers
- Apply appropriate controls
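As an added worked example that is not part of the deck, a small Python risk register carries out the slide 16 steps (impact, likelihood, level of risk, acceptable or not) and picks one of the slide 17 treatment options for each entry; the three-point scales, the acceptance threshold of 2, the ordering of the treatment options and the sample assets are constructed assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    """Three-point qualitative scale (constructed assumption)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    impact: Level               # slide 16: impact of the adverse incident
    likelihood: Level           # slide 16: realistic likelihood of occurrence
    transferable: bool = False  # slide 17: can an insurer or supplier carry it?

def risk_level(risk: Risk) -> int:
    """Estimate the level of risk as impact x likelihood (range 1..9)."""
    return int(risk.impact) * int(risk.likelihood)

def treatment(risk: Risk, acceptable: int = 2) -> str:
    """Pick one slide-17 option; the threshold and ordering are assumptions.

    Accept what is tolerable, avoid the worst case, transfer where a
    third party can carry the risk, otherwise apply controls.
    """
    level = risk_level(risk)
    if level <= acceptable:
        return "accept"
    if risk.impact == Level.HIGH and risk.likelihood == Level.HIGH:
        return "avoid"
    if risk.transferable:
        return "transfer"
    return "control"

def build_register(risks, acceptable: int = 2):
    """Rows of (asset, level, treatment), highest risk first (stable sort)."""
    rows = [(r.asset, risk_level(r), treatment(r, acceptable)) for r in risks]
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed sample entries, not taken from any real assessment.
SAMPLE_RISKS = [
    Risk("reservation database", "disk failure", "no tested backups", Level.HIGH, Level.MEDIUM),
    Risk("archived timetables", "theft", "unlocked store", Level.LOW, Level.LOW),
    Risk("server room", "fire", "no suppression system", Level.HIGH, Level.HIGH),
    Risk("field laptops", "theft", "unencrypted disks", Level.MEDIUM, Level.HIGH, transferable=True),
]
```

Calling `build_register(SAMPLE_RISKS)` yields the register sorted for management review, with the server-room fire (level 9) first and the archived timetables (level 1) accepted.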
Slide 18
- Roles and responsibilities for
  - Protection of individual information assets
  - Identifying and managing risks
  - Providing security awareness
  - Reviewing information security incidents
  - Providing business continuity
- Authorization process for
  - New information facilities
  - Access to information assets not covered by the existing procedures
  - Reviewing security policy

Slide 19
- Assets covered within the scope of the policy
  - Information assets: databases and data files, system documentation, operational / support procedures, archived information
  - Software assets: application software, system software, development tools
  - Physical assets: computer equipment, communication equipment, storage media, technical equipment, furniture
  - Services: lighting, heating, air-conditioning, power supply, housekeeping

Slide 20
- Assets should be classified based on the extent of sharing / restriction necessary
- Procedures for information assets should cover
  - Copying
  - Storage
  - Transmission, by electronic means or voice
  - Destruction
- Assets should be labeled, physically or electronically
- Information sensitivity is often time-bound
- The classification system should be as simple as possible

Slide 21
- Information security should be part of the job definition
- Personnel screening
- User training in information security
- Responding to security incidents
  - Reporting incidents
  - Reporting security weaknesses
  - Reporting software malfunctions
  - Learning from incidents

Slide 22
- Security perimeters, manned reception area
- Physical entry controls for secure areas
- Procedures for working in secure areas
- Isolated delivery / loading areas
- Equipment siting: safety from
  - Theft
  - Fire, flood
  - Dust, vibration, chemicals, rodents
- Secure disposal / reuse of equipment

Slide 23
- Third-party access to information processing facilities should be controlled
  - Physical access
  - Logical access
- Type of access should be controlled
  - Support staff: will access system level / hardware level
  - Application maintenance: low-level application access
  - Trading partners: exchange information, access databases

Slide 24
- Documented operating procedures
- Operational change control
- Incident management procedures
  - Contingency plans
  - Audit trails
  - Recovery mechanisms
- Segregation of duties
- Separation of development and operational facilities

Slide 25
- System access control
  - User registration
  - Privilege management
  - Review of access rights
- Application access control
- Network access control
- Monitoring system access and use
- Mobile computing

Slide 26
- Security requirements analysis
- Cryptographic controls
- Change control procedures
- Covert channels and Trojan code

Slide 27
- Business continuity and impact analysis
- Testing, maintaining and reassessing business continuity plans

Slide 28
- Adherence to all existing legislation
  - IT Act 2000
  - Right to Information Act 2005
  - Indian Railways Act
  - Intellectual Property Rights
- Adherence to internal procedures
  - Codal provisions
  - Other local orders
- Audit provisions

Slide 29
- Implementation can start as soon as an acceptable draft security policy is in place
- In parallel, staff should be given specific responsibilities
- Training programs will be announced by the Board from time to time
- Incident Response Teams to be set up in each unit when the Security Policy is established

Slide 30
- Information security shall become increasingly important for Indian Railways
- The time for preparation is now
- Suggestions are welcome
