This document provides an overview of ISO 27001 and information security. It begins with defining what information is and its lifecycle. Next, it defines information security, risks, threats, and vulnerabilities. It then introduces ISO 27001 as the leading international standard for information security management systems and describes the components of an ISMS. Key aspects of ISO 27001 such as its requirements, annexes, and history are summarized. Finally, the document outlines user responsibilities for maintaining information security.
ISMS User_Awareness Training.pptx
1. By – Mukesh Pant
FIA Technology Services Pvt. Ltd.
ISO/IEC 27001:2013
Awareness Training
Mukesh Pant
FIA Technology Services Pvt. Ltd.
3. Agenda
What is Information?
What is Information Security?
What is RISK?
An Introduction to ISO 27001:2013
ISMS @ Organization
User Responsibilities
4. What is Information
Information is an asset that, like other important business assets, has value to an organization and consequently needs to
be suitably protected.
ISO 27000:2018
6. Information Types
Information can be in many forms, including:
Digital form (e.g. data files stored on electronic or optical media),
Material form (e.g. on paper)
Unrepresented information in the form of knowledge of the employees.
Shown on corporate videos
Displayed / published on web
Verbal – spoken in conversations
‘…Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately
protected’
(ISO 27000:2018)
7. Information Security
What is Information Security?
Safeguarding an organization’s information and information processing facilities from unauthorized
access or modification to ensure their Confidentiality, Integrity and Availability.
(ISO 27000:2018)
8. Information Attributes
ISO 27000:2018 defines Information Security as the preservation of C I A:
Confidentiality – Property that information is not made available or disclosed to unauthorized
individuals, entities, or processes
Integrity – Property of accuracy and completeness
Availability – Property of being accessible and usable on demand by an authorized entity
9. Information Security Benefits
Helps Retain Customers and Win New Business
Improves Information Security Processes and Strategies
Ensures Implementation of Best Practices
Promotes Compliance with Commercial, Contractual and Legal requirements
Continuously Monitors and Prevents Risk
Prepares your Organization for Long-term Success
BUSINESS SURVIVAL DEPENDS ON INFORMATION SECURITY
11. People who use or interact with the Information include:
Share Holders / Owners
Management
Employees
Business Partners
Service providers
Contractors
Customers / Clients
Regulators etc…
Diagram: Stakeholders – People, Process, Technology. PEOPLE (“Who we are”)
12. PROCESS
The processes refer to "work practices" or workflow.
Processes are the repeatable steps to accomplish business
objectives. Typical processes in our IT infrastructure could
include:
Helpdesk / Service management
Incident Reporting and Management
Change Requests process
Request fulfillment
Access management
Identity management
Service Level / Third-party Services Management
IT procurement process etc...
Diagram: People, Process, Technology. PROCESS (“What we do”)
13. TECHNOLOGY
Network Infrastructure:
Cabling, Data/Voice Networks and equipment
Telecommunications services (PABX), ISDN , Video
Conferencing
Server computers and associated storage devices
Operating Software for server, Desktops & Laptops
Communications equipment and related hardware.
Intranet and Internet connections
VPNs and Virtual environments
Remote access services
Wireless connectivity
Environmental management Systems:
Ventilation , Air Conditioning, Fire Control systems
Electricity / Power backup
Diagram: People, Process, Technology. TECHNOLOGY (“What we use to improve”)
14. Application software:
HROne & Bill Pay portals
Physical Security components:
CCTV Cameras
Clock in systems / Biometrics
Access Devices:
Desktop computers
Laptops
Thin client computing.
Digital cameras, Printers, Scanners, Photocopier etc.
Diagram: People, Process, Technology. TECHNOLOGY (“What we use to improve”)
15. RISK, THREATS & VULNERABILITY
RISK – Effect of uncertainty on objectives
THREAT – Potential cause of an unwanted incident, which can result in harm to
a system or organization
VULNERABILITY – Weakness of an asset or control that can be exploited by one or more threats
16. RISK, THREATS & VULNERABILITY – RISK
Risk is defined as the potential for loss or damage when a threat exploits a
vulnerability.
Examples of risk include:
Financial losses
Loss of privacy
Damage to your reputation
Legal implications
Even loss of life
17. RISK, THREATS & VULNERABILITY – THREATS
A threat refers to a new or newly discovered incident that has the
potential to harm a system or your company overall.
There are three main types of threats:
Natural threats
Unintentional threats
Intentional threats
18. RISK, THREATS & VULNERABILITY – VULNERABILITY
A vulnerability refers to a known weakness of an asset (resource) that can be
exploited by one or more attackers. In other words, it is a known issue that
allows an attack to succeed.
Examples of vulnerabilities:
Network vulnerabilities
Lack of security cameras
Unlocked doors at businesses
Lack of user awareness
20. Security Breaches Lead To
Reputation loss
Financial loss
Intellectual property loss
Legislative breaches leading to legal actions (Cyber Law)
Loss of customer confidence
Business interruption costs
LOSS OF GOODWILL
22. “WHEN THINGS DON'T WORK AS THEY SHOULD,
IT OFTEN MEANS THAT STANDARDS ARE ABSENT”
23. WHAT IS ISO
SO HOW DO WE OVERCOME THESE PROBLEMS?
ISO is an independent, non-governmental international organization with a membership of
167 national standards bodies.
It is important to note that the full name of ISO 27001 is “ISO/IEC 27001 – Information technology
— Security techniques — Information security management systems — Requirements.”
It is the leading international standard focused on information security, published by the
International Organization for Standardization (ISO), in partnership with the International
Electrotechnical Commission (IEC). Both are leading international organizations that develop
international standards.
ISO-27001 is part of a set of standards developed to handle information security: the ISO/IEC
27000 series.
24. ISO FRAMEWORK AND THE PURPOSE OF ISO 27001
ISO framework is a combination of policies and processes for organizations to use. ISO 27001 provides
a framework to help organizations, of any size or any industry, to protect their information in a
systematic and cost-effective way, through the adoption of an Information Security Management
System (ISMS).
25. WHY IS ISO 27001 IMPORTANT?
Not only does the standard provide companies with the necessary know-how for protecting their most
valuable information, but a company can also get certified against ISO 27001 and, in this way, prove to
its customers and partners that it safeguards their data.
Individuals can also get ISO 27001-certified by attending a course and passing the exam and, in this
way, prove their skills to potential employers.
Because it is an international standard, ISO 27001 is easily recognized all around the world, increasing
business opportunities for organizations and professionals.
26. WHAT IS AN ISMS?
An Information Security Management System (ISMS) is a set of rules that a company needs to establish
in order to:
1. identify stakeholders and their expectations of the company in terms of information security.
2. identify which risks exist for the information.
3. define controls (safeguards) and other mitigation methods to meet the identified expectations
and handle risks.
4. set clear objectives on what needs to be achieved with information security.
5. implement all the controls and other risk treatment methods.
6. continuously measure if the implemented controls perform as expected.
7. make continuous improvement to make the whole ISMS work better.
This set of rules can be written down in the form of policies, procedures, and other types of documents,
or it can be in the form of established processes and technologies that are not documented. ISO 27001
defines which documents are required, i.e., which must exist at a minimum.
31. USER RESPONSIBILITIES – (Access Control – Physical)
Do:
Follow Information Security Policies and Procedures.
Wear Identity Cards and Badges.
Ask an unauthorized visitor for his credentials.
Attend visitors in the Reception and Conference Room only.
Don’t:
Bring visitors into the operations area without prior permission.
Bring hazardous and combustible material into a secure area.
Practice “Piggybacking” (tailgating through a controlled door behind an authorized person).
Bring and use pen drives, zip drives, iPods or other storage devices
unless otherwise authorized to do so.
32. USER RESPONSIBILITIES – (Password Guideline)
Do:
Always use a password of at least 8 characters combining letters, numbers
and special characters (*, %, @, #, $, ^).
Use passwords that you can easily remember.
Change your password regularly as per policy.
Use a password that is significantly different from your earlier passwords.
Try to use a passphrase in place of a password.
Don’t:
Use passwords that reveal your personal information or contain words found in a dictionary.
Write down or store passwords.
Share passwords over phone or e-mail.
Use passwords that do not meet the above complexity criteria.
How Secure Is My Password? | Password Strength Checker (security.org)
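The password rules above are the kind of policy an organization usually enforces in code at password-change time. The following is an added example, not part of the original training deck or of any FIA tool: a small validator that checks the slide's criteria (minimum length, letters + numbers + one of the listed special characters, no dictionary word, no personal information, significantly different from earlier passwords). The word list, the personal-information tokens and the 0.6 similarity cut-off are assumptions chosen for the demo; a real deployment would read a proper dictionary and tune the threshold.

```python
import difflib

# Constructed sample data (assumption, not from the slide deck): a tiny word
# list stands in for a real dictionary file, and the caller supplies the
# user's previous password(s) and personal tokens (name, birth year, ...).
SPECIAL_CHARS = set("*%@#$^")          # the special characters the slide lists
DICTIONARY_WORDS = {"password", "welcome", "summer", "company", "letmein"}
MIN_LENGTH = 8
SIMILARITY_THRESHOLD = 0.6             # assumed cut-off for "significantly different"


def has_required_classes(pw: str) -> bool:
    """Letters, numbers and at least one of the listed special characters."""
    return (any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SPECIAL_CHARS for c in pw))


def contains_dictionary_word(pw: str, words=DICTIONARY_WORDS) -> bool:
    """Case-insensitive substring match against the word list."""
    low = pw.lower()
    return any(w in low for w in words)


def contains_personal_info(pw: str, personal_tokens) -> bool:
    """Reject passwords embedding caller-supplied personal data (name, year, id)."""
    low = pw.lower()
    return any(t.lower() in low for t in personal_tokens if len(t) >= 3)


def similarity(a: str, b: str) -> float:
    """0.0 .. 1.0 ratio of matching characters (difflib's Ratcliff/Obershelp)."""
    return difflib.SequenceMatcher(None, a.lower(), b.lower()).ratio()


def too_similar_to_previous(pw: str, previous, threshold=SIMILARITY_THRESHOLD) -> bool:
    """Catches 'Blue@Horizon2023#' -> 'Blue@Horizon2024#' style rotations."""
    return any(similarity(pw, old) >= threshold for old in previous)


def check_password(pw: str, personal_tokens=(), previous=()) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append("shorter than %d characters" % MIN_LENGTH)
    if not has_required_classes(pw):
        findings.append("must combine letters, numbers and special characters (*, %, @, #, $, ^)")
    if contains_dictionary_word(pw):
        findings.append("contains a dictionary word")
    if contains_personal_info(pw, personal_tokens):
        findings.append("contains personal information")
    if too_similar_to_previous(pw, previous):
        findings.append("too similar to an earlier password")
    return findings


if __name__ == "__main__":
    # Constructed demo inputs.
    history = ["Blue@Horizon2023#"]
    for candidate in ["Welcome1", "Blue@Horizon2024#", "Rain^Ladder7Mesh"]:
        result = check_password(candidate, personal_tokens=["alice"], previous=history)
        print(candidate, "->", result or "OK")
```

One design point worth noting: the similarity check needs the earlier password in clear text, which a well-designed system never keeps. In practice it is only possible at the moment of change, comparing the new password with the old one the user has just typed to authenticate, while the history store itself holds only hashes (which suffice for an exact "not reused" check).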
33. USER RESPONSIBILITIES – (Internet Usage)
Use internet services for business purposes only.
Do not access the internet through dial-up connectivity.
Do not use the internet for viewing, storing or transmitting obscene or
pornographic material.
Do not use the internet for accessing auction sites.
Do not use the internet for hacking other computer systems.
Do not use the internet to download / upload commercial software /
copyrighted material.
The IT Department continuously monitors internet usage. Any illegal use
of the internet and other assets shall call for disciplinary action.
34. USER RESPONSIBILITIES – (E-mail Usage)
Do not use your official ID for any personal subscription purpose.
Do not send unsolicited mails of any type, such as chain letters or e-mail hoaxes.
Do not send mails to clients unless you are authorized to do so.
Do not post non-business-related information to a large number of users.
Do not open a mail or attachment that is suspected to contain a virus or that is
received from an unidentified sender.
Use official mail for business purposes only.
Follow the mail storage guidelines to avoid blocking of e-mails.
If you come across any junk / spam mail, do the following:
Remove the mail.
Inform the security help desk / IT Administrator.
Inform the server administrator.
Inform the sender that such mails are undesired.
35. User Responsibilities – (Security Incidents)
Report security incidents to the (IT) Helpdesk through:
E-mail to rajkaran.rana@fiaglobal.com
Telephone: e.g. 9654676543
IT Incidents: Mail spamming, virus attack, hacking, etc.
Non-IT Incidents: Unsupervised visitor movement, information leakage, bringing unauthorized media
Do not discuss security incidents with anyone outside the organization.
Do not attempt to interfere with, obstruct or prevent anyone from reporting incidents.
36. User Responsibilities
Ensure your system (laptop/desktop) has the latest antivirus updates.
Ensure your system is locked when you are away.
Always store laptops / media in a lockable place.
Be alert while working on laptops during travel.
Ensure sensitive business information is under lock and key when unattended.
Ensure back-up of sensitive and critical information assets.
Understand compliance issues such as:
o Cyber Law / IPR, Copyrights / IT Act 2000 etc. / Contractual obligations with customers
Verify credentials if a message is received from an unknown sender.
Always switch off your computer before leaving for the day.
Keep yourself updated on information security aspects.