
Null - ISO 27001 : A Business View

Senior Information Security Consultant at Leading Third Party Inspection and Certification Company
Dec. 28, 2013

  1. A Business View
  2. Who Am I: M.S.Sripati; Information Security Enthusiast and Student; ISMS Implementer; CISA (cleared exam in June 2008)
  3. What Am I NOT going to talk about: Nothing technical; Nothing on what information security is (this is a NULL chapter, for God's sake!); Not much on some basic terms (Google devo bhav||)
  4. What Am I going to talk about: Some cases where regular firewalls and web application security measures fail; What ISO 27001 is and how it helps us
  5. Can you save your organization from these cases?
  6. Someone using your ID card to enter a secure premise and steal/alter/delete some information; Copy/paste by a developer; Password sharing; Kevin Mitnick (!); Unlocked desktops/laptops; Password re-use; Writing passwords down on paper; Natural calamities; Legal fines (in case of a data breach – HIPAA, PCI-DSS); Work backlog in antivirus companies (new malware is not detected until a signature ships); Someone trying to get your personal data so that he/she can sell it in the underground
  7. Some unknown third-party vendor working on your computer; Someone asking for a password posing as a client; Some random mail asking you to click so that you can receive some money immediately; Social networking sites; Farmville and other third-party apps; An employee having high access to data/information and who has a shady past; No frisking of housekeeping personnel, putting information systems at risk (think about hardware key-loggers); Taking pictures of code using a camera phone and a third-party app on it (think about an android app AD); Data getting lost because of a natural calamity (fire, flood, earthquake, etc.) and having a business requirement to start work again as soon as possible
  8. So, what does it all mean?
  9. Noteworthy points: Changing nature of security incidents; System ownage through an unsuspecting user's click; Info-sec as a business, both legit and non-legit; Humans as the weak link in the info-sec chain; Changing legal landscape (HIPAA, PCI-DSS); Changing business landscape (threats to India from BRIC)
  10. Implementer’s Dilemma
  11. Implementer's Dilemma – four fronts to cover at once: Web Application Security; Legal Compliance (HIPAA, PCI-DSS, Data Protection Act); Human Awareness Quotient (Technical and Non-technical); Network Security (Firewall, IDS, IPS, Antivirus, etc.) – http://gallery.trupela.com/
  12. Copied from: http://pumapac.org/
  13. Saving Private Ryan
  14. What is ISO 27001: It specifies the requirements for establishing a comprehensive Information Security Management System (ISMS), helping to achieve information security and to give assurance to interested parties. Interested parties are: Shareholders/Owners; Management; Employees; Business Partners; Service Providers; Contractors; Customers/Clients; Regulators; etc.
  15. PDCA process (the ISMS process model): Interested parties feed in their information security requirements and expectations; PLAN – establish the ISMS; DO – implement and operate the ISMS; CHECK – monitor and review the ISMS; ACT – maintain and improve the ISMS; the output delivered back to interested parties is managed information security. Management responsibility applies across the whole cycle.
  16. The control domains, arranged around the Confidentiality, Integrity and Availability (CIA) triad: Information Security Policy; Organisation of Information Security; Asset Management; Human Resource Security; Physical Security; Communication & Operations Management; Access Control; System Development & Maintenance; Incident Management; Business Continuity Planning; Compliance. (These eleven domains and the PDCA model above are those of the ISO/IEC 27001:2005 edition that was current when this talk was prepared; the 2013 revision regrouped Annex A into fourteen domains and dropped the explicit PDCA wording.)
  17. Thank You M.S.Sripati