20CS2024
Ethics in Information Technology
Module 6
Standards for Information Security Management: Information Security Management Systems (ISMS) - ISO 27001 - Framing the Security Policy of an Organization - Committees: Security Forum, Core Committee, Custodian and Users, Business Continuity Process Team and Procedure - Information Security Auditing Process - IT Security Incidents
Dr.A.Kathirvel, Professor,
DCSE, KITS
kathirvel@karunya.edu
What is ISMS?
• Information Security Management System
• Strategic decision of an organization
• Design and implementation
• Needs and objectives
• Security requirements
• Processes employed
• Size and structure of the organization
• Scaled to needs: a simple situation requires a
simple ISMS solution
What is ISO 27001:2013?
• ISO 27001 Information Security Management
Systems is the international best practice standard
for information security.
• ISO 27001:2013, the current version of the
standard, provides a set of
standardized requirements for an information
security management system (ISMS).
• ISO 27001 certification is suitable for any
organization, large or small and in any sector.
Concept of Information Security
• Protecting Information Resources and
Systems
• Unauthorized Use and Access
• Unauthorized Disclosure and Modification
• Damage and Destruction
What is the ISO 27001 Planning Process?
• Define a security policy.
• Define the scope of the ISMS.
• Conduct a risk assessment.
• Manage identified risks.
• Select control objectives and controls to be
implemented.
• Prepare a statement of applicability.
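Steps 3 to 6 of the planning process above, carried through as an added example (not from the slides or from the standard itself): constructed risks are scored, compared with a risk acceptance level, treated by selecting controls from a constructed control catalogue, and the statement of applicability is derived so that every catalogue control carries a justification whether or not it is applied. The control identifiers and names, the 1..5 scales and the acceptance level are assumptions.

```python
"""ISO 27001 planning steps 3-6 as data: assess risks, decide treatment
against a risk acceptance level, select controls, and derive the Statement
of Applicability (SoA).  All identifiers and values are constructed samples."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed control catalogue (hypothetical ids/names, not Annex A text).
CONTROL_CATALOGUE: Dict[str, str] = {
    "C-LOG": "Event logging and monitoring",
    "C-NET": "Network segregation",
    "C-BCP": "ICT readiness for business continuity",
    "C-SUP": "Supplier security agreements",
}

# Assumed acceptance criterion: likelihood x impact at or below this is accepted.
RISK_ACCEPTANCE_LEVEL = 6


@dataclass
class Risk:
    rid: str
    asset: str
    threat: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain)
    impact: int                     # 1 (negligible) .. 5 (severe)
    candidate_controls: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def assess(risks: List[Risk]) -> List[Risk]:
    """Step 3: validate the scales and rank risks, highest score first."""
    for r in risks:
        if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
            raise ValueError(f"{r.rid}: likelihood/impact must be on the 1..5 scale")
    return sorted(risks, key=lambda r: r.score, reverse=True)


def treat(risks: List[Risk], catalogue: Dict[str, str],
          acceptance_level: int) -> Dict[str, Tuple[str, List[str]]]:
    """Steps 4-5: decide 'accept', 'mitigate' (with the selected controls) or
    'escalate' when a risk above the acceptance level has no candidate control.
    Unknown control ids are rejected so the SoA can never cite a control that
    is not in the catalogue."""
    plan: Dict[str, Tuple[str, List[str]]] = {}
    for r in risks:
        unknown = [c for c in r.candidate_controls if c not in catalogue]
        if unknown:
            raise ValueError(f"{r.rid}: unknown controls {unknown}")
        if r.score <= acceptance_level:
            plan[r.rid] = ("accept", [])
        elif r.candidate_controls:
            plan[r.rid] = ("mitigate", list(r.candidate_controls))
        else:
            plan[r.rid] = ("escalate", [])   # management decision required
    return plan


def statement_of_applicability(catalogue: Dict[str, str], risks: List[Risk],
                               plan: Dict[str, Tuple[str, List[str]]]) -> Dict[str, dict]:
    """Step 6: every catalogue control is listed, applicable or not, each with
    the risk ids that justify the decision or the reason for exclusion."""
    soa: Dict[str, dict] = {}
    for cid, name in catalogue.items():
        justifying = [r.rid for r in risks if cid in plan[r.rid][1]]
        soa[cid] = {
            "name": name,
            "applicable": bool(justifying),
            "justification": ("treats " + ", ".join(justifying)) if justifying
            else "no assessed risk above the acceptance level requires it",
        }
    return soa


def sample_risks() -> List[Risk]:
    """Constructed risk register for a small organisation."""
    return [
        Risk("R1", "customer database", "unauthorised disclosure", 4, 5, ["C-LOG", "C-NET"]),
        Risk("R2", "public website", "defacement", 2, 2),
        Risk("R3", "payroll SaaS", "supplier breach", 3, 4, ["C-SUP"]),
        Risk("R4", "legacy HVAC controller", "prolonged outage", 3, 3),
    ]


def run_planning(risks=None, catalogue=CONTROL_CATALOGUE,
                 acceptance_level=RISK_ACCEPTANCE_LEVEL):
    """Run steps 3-6 and return (ranked risks, treatment plan, SoA)."""
    ranked = assess(risks if risks is not None else sample_risks())
    plan = treat(ranked, catalogue, acceptance_level)
    return ranked, plan, statement_of_applicability(catalogue, ranked, plan)


if __name__ == "__main__":
    ranked, plan, soa = run_planning()
    for r in ranked:
        print(f"{r.rid} score={r.score:2d} -> {plan[r.rid]}")
    for cid, row in soa.items():
        print(f"{cid} applicable={row['applicable']}: {row['justification']}")
```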
Where is the ISO 27001 standard applicable?
• This standard is applicable in many types of industry; a
few areas where organizations are certified in ISO 27001 are:
—Finance and Insurance
—Software development
—Data processing
—Banks and hospitals
—Telecommunications
—Utilities
—Retail Sectors
—Manufacturing sector
—Various service industries
—Transportation sector
—Government bodies
Why the ISO 27001 Family of Standards?
• While the ISO/IEC 27001 document gives general
requirements for an ISMS and is the auditable
standard for Information Security Management
Systems, there is a family of supporting documents
behind it that provide guidelines for planning,
implementing, and maintaining an effective ISMS.
• Below we have listed some of these documents,
along with their purpose.
Requirements of ISO 27001:2013 ISMS
• Highlights and features
• Risk management approach
• Risk assessment
• Risk treatment
• Management decision making
• Continuous improvement model
• Measures of effectiveness
• Auditable specification (internal and external ISMS
auditing)
• Now under revision
Requirements of ISO 27001:2013 Documents
• The scope of the ISMS
• The ISMS policy
• Procedures for document control, internal audits, and
procedures for corrective and preventive actions
• All other documents, depending on applicable
controls
• Risk assessment methodology
• Risk assessment report
• Statement of applicability
• Risk treatment plan
• Records
Structure of ISO 27001:2013
• ISO 27001 is the first Standard to adopt the Annex SL
structure.
• The 2013 Standard looks very different from the 2005 version.
• To help understand the differences, a cross-reference
table between the two versions has been included
below.
• The structure of ISO 27001:2013 is as follows:
—Planning
—Support
—Operation
—Performance evaluation
—Improvement
Process of ISO 27001:2013 Certification
• ISO 27001:2013 certification for information security
management system processes can be established.
• The company can select the number of controls as per
BS 7799; such controls may be implemented partially or
fully, and this is recorded in the certificate after the
certifying body assesses the system.
—Decision
—ISO Management Representative
—Gap Analysis and Risk Assessment
—Scope Implementation Plan
—Employee Introduction
Process of ISO 27001:2013 Certification (continued)
—ISO Documentation
—Documentation Realisation
—Internal ISO 27001 Audits
—ISO 27001 Certification
—Maintaining the ISO 27001 Certification
• Key Benefits of ISO 27001:2013
—Keeps confidential information secure
—Provides customers and stakeholders with confidence in how you
manage risk
—Allows for secure exchange of information
—Allows you to ensure you are meeting your legal obligations
Key Benefits of ISO 27001:2013 (continued)
• Helps you to comply with other regulations
• Provide you with a competitive advantage
• Enhanced customer satisfaction that improves client
retention
• Consistency in the delivery of your service or product
• Manages and minimizes risk exposure
• Builds a culture of security
• Protects the company, assets, shareholders and
directors
Security and Privacy Entities
• SC 17 Cards and Personal Identification
• SC 27 IT Security
• SC 37 Biometrics
• SC 40 IT Governance
JTC 1 Security and Privacy
JTC 1 security work focuses on these areas of IT Security:
• Technology Mechanisms
• Services
• Management
• Governance
• Evaluation Testing
• Privacy Technologies
Security and Privacy Topic Areas
• Security evaluation, testing and specification (including evaluation criteria for IT security, framework for IT security assurance, methodology for IT security evaluation, cryptographic algorithms and security mechanisms conformance testing, security assessment of operational systems, SSE-CMM, vulnerability disclosure, vulnerability handling processes, physical security attacks, mitigation techniques and security requirements)
• Information security management system (ISMS) requirements plus ISMS accreditation, certification and auditing (including accredited CB requirements, guidance on ISMS auditing and guidelines for auditors on ISMS controls)
• Cryptographic and security mechanisms (including encryption, digital signature, authentication mechanisms, data integrity, non-repudiation, key management, prime number generation, random number generation, hash functions)
• Identity management and privacy technologies (including application specific (e.g. cloud and PII), privacy impact analysis, privacy framework, identity management framework, entity authentication assurance framework)
• ISMS sector-specific security controls (including application and sector specific, e.g. Cloud, Telecoms, Energy, Finance) and sector-specific use of the ISMS requirements standard
• Security services and controls (focusing on contributing to security controls and mechanisms, covering ICT readiness for business continuity, IT network security, 3rd party services, supplier relationships (including Cloud), IDS, incident management, cyber security, application security, disaster recovery, forensics, digital redaction, time-stamping and other areas)
• ISMS supporting guidance - codes of practice of information security controls, ISMS risk management, ISMS performance evaluation and ISMS implementation guidance
• Biometrics (including file formats, programming interfaces, data interchange formats, biometric profiles, biometric information protection, biometric authentication)
• Cards and Personal Identification (including: physical characteristics, circuit cards, machine readable cards, motor vehicle drivers licence)
• Governance
Key Security Products
• ISO/IEC 27001 – Information Security
Management System (ISMS)
• 27000 Family of Standards
• ISO/IEC 18033 – Encryption Algorithms
• specifies asymmetric ciphers and symmetric
ciphers
• ISO/IEC 7811 – Identification Cards
• ISO/IEC 2382-37 – Vocabulary
• Harmonized vocabulary for biometrics
ISO/IEC 27000 family relationship (diagram; groupings as shown)
• Vocabulary: 27000
• ISMS: 27001
• Risk management: 27005
• Implementation: 27003, 27015
• Metrics: 27004
• Controls: 27002, 27011, 27017, 27018, 27019, 27799
• Audit: 27006, 27007, 27008, 27009
• Governance: 27014, 27016
• Investigative: 27037, 27038, 27040, 27041, 27042, 27043, 27050
• Guidance tied to control clauses: Clause 17 - 27031; Clause 13.1 - 27033; Clause 16 - 27035; Clause 15 - 27036; Clause 12.4 - 27039
• Also shown in the diagram: 27010, 27013, 27032, 27034, 31000, 20000-1
Key Privacy Products
• ISO/IEC 29100 – Privacy Framework
• Identifies privacy principles
• ISO/IEC 29134 – Privacy impact
assessment
• ISO/IEC 29115 - Entity authentication
assurance framework
Vertical Topic Areas
• Cloud Computing
• Accessibility
• Health Care
• IoT
• Societal considerations
• Telecom
Key Work Products Related to Verticals
• Cloud Computing
• ITU-T X.1631|ISO/IEC 27017 – Guidelines on Information security
controls for the use of cloud computing services based on ISO/IEC
27002
• ISO/IEC 27018 - Code of practice for PII protection in public clouds
acting as PII processors
• ISO/IEC 27036-4 - Information security for supplier relationships –
Part 4: Guidelines for security of cloud services
• Health Care
• ISO/IEC 27999
• Societal considerations
• ISO/IEC 27032 – Guidelines for Cybersecurity
• Telecom
• ITU-T X.1051|ISO/IEC 27011 - Information security management
guidelines for telecommunications organizations based on ISO/IEC
27002
In Progress and Future Work Areas
• Cyber Insurance
• Cyber Resilience
• Cloud Computing
• SLA for security and privacy
• Trusted connections and Virtualization
• Big Data - Security and Privacy considerations
• IoT
• Privacy considerations
• Identity Management
• Security considerations
• Privacy implications related to SmartPhone Applications
• Privacy
• Information Management System
• Notices and Consent
• De-identification techniques
Information Security Policy
• The success of any information security program
lies in policy development
• Policy is the essential foundation of an effective
information security program
• Information security policies are central to
virtually everything that happens in the information
security field
• An effective information security training and
awareness effort cannot be initiated without writing
information security policies
NIST – Executive Guide to the Protection of
Information Resources
• "The success of an information resources protection program
depends on the policy generated, and on the attitude of
management toward securing information on automated systems.
• You, the policy maker, set the tone and the emphasis on how
important a role information security will have within your
agency.
• Your primary responsibility is to set the information resource
security policy for the organization within the objectives of
reduced risk, compliance with laws and regulations and assurance
of operational continuity, information integrity, and
confidentiality."
Basic Rules in Shaping a Policy
• Policy should never conflict with law
• Policy must be able to stand up in court, if
challenged
• Policy must be properly supported and
administered
• Example: Enron's dubious business practices and
misreporting of financial records - the policy of
shredding working papers by accountants
Why Policy
• A quality information security program begins and ends
with policy
• Although information security policies are the least
expensive means of control to execute, they are often the
most difficult to implement
• Policy controls cost only the time and effort that the
management team spends to create, approve and
communicate them, and that employees spend integrating
the policies into their daily activities
• Cost of hiring a consultant is minimal compared to
technical controls
Guidelines for IT policy
• All policies must contribute to the success
of the organization
• Management must ensure the adequate
sharing of responsibility for proper use of
information systems
• End users of information systems should be
involved in the steps of policy formulation
Bull’s Eye Model
• Proven mechanism for prioritizing complex changes
• Issues are addressed by moving from general to specifics
• Focus on systemic solutions instead of individual
problems
Bull’s Eye Model Layers
• Policies – the outer layer in the bull’s eye diagram
• Networks – the place where threats from public networks meet the
organization’s networking infrastructure; in the past, most
information security efforts have focused on networks, and until
recently information security was often thought to be synonymous
with network security
• Systems – computers used as servers, desktop computers, and
systems used for process control and manufacturing systems
• Application – all application systems, ranging from packaged
applications such as office automation and e-mail programs, to
high-end ERP packages and custom application software developed
by the organization
Charles Cresson Wood’s Need for
Policy
…policies are important reference documents
for internal audits and for the resolution of
legal disputes about management’s due
diligence [and] policy documents can act as
a clear statement of management’s intent…
Policy, Standards, and Practices
• Policy represents the formal statement of the organization's managerial philosophy; for
our focus, the organization's information security philosophy
• Traditionally, communities of interest use policy to express their views, which then
become the basis of planning, management and maintenance of the information
security profile
• Policies – set of rules that dictate acceptable and unacceptable behavior within an
organization
• Policies should not specify the proper operation of equipment or software
• Policies must specify the penalties for unacceptable behavior and define an appeals
process
• To execute the policy, the organization must implement a set of standards that clarify
and define exactly what is inappropriate in the workplace and to what degree the
organization will act to stop the inappropriate behavior
• Standard – more detailed statement of what must be done to comply with policy
• Technical controls and their associated procedures might be established such that the
network blocks access to pornographic websites
Policy, Standards, and Practices (Contd)
Type of InfoSec policies
• Based on NIST Special Publication 800-14, the three
types of information security policies are
– Enterprise information security program policy
– Issue-specific security policies
– System-specific security policies
• The usual procedure
– First – creation of the enterprise information security policy –
the highest level of policy
– Next – general policies are met by developing issue- and
system-specific policies
Enterprise Information Security Policy (EISP)
• EISP sets the strategic direction, scope, and tone for all of
an organization’s security efforts
• EISP assigns responsibilities for the various areas of
information security including maintenance of
information security policies and the practices and
responsibilities of other users.
• EISP guides the development, implementation, and
management requirements of the information security
program
• EISP should directly support the mission and vision
statements
Integrating an Organization’s Mission and
Objectives into the EISP
• EISP plays a number of vital roles
• One of the important roles is to state the
importance of InfoSec to the organization's
mission and objectives.
• InfoSec strategic planning derives from IT
strategic planning which is itself derived from the
organization’s strategic planning
• Policy will become confusing if the EISP does not
directly reflect this association
EISP Elements
• An overview of the corporate philosophy on
security
• Information on the structure of the InfoSec
organization and individuals who fulfill the
InfoSec role
• Fully articulated responsibilities for security that
are shared by all members of the organization
• Fully articulated responsibilities for security that
are unique to each role within the organization
Components of a good EISP
• Statement of Purpose
• Information Technology Security Elements
• Need for Information Technology Security
• Information Technology Security Responsibilities
and Roles
• Reference to Other Information Technology
Standards and Guidelines
Issue-Specific Security Policy (ISSP)
• Provides a common understanding of the purposes
for which an employee can and cannot use a
technology
– Should not be presented as a foundation for legal
prosecution
• Protects both the employee and organization from
inefficiency and ambiguity
Effective ISSP
• Articulates expectations for use of technology-
based systems
• Identifies the processes and authorities that
provide documented control
• Indemnifies the organization against liability for
an employee’s inappropriate or illegal use of the
system
ISSP Topics
• Use of Internet, e-mail, phone, and office
equipment
• Incident response
• Disaster/business continuity planning
• Minimum system configuration requirements
• Prohibitions against hacking/testing security
controls
• Home use of company-owned systems
• Use of personal equipment on company networks
ISSP Components
• Statement of Purpose
– Outlines scope and applicability: what is the purpose and who is responsible
for implementation
• Authorized Uses
– Users have no particular rights of use beyond those specified in the policy
• Prohibited Uses
– Common prohibitions: criminal use, personal use, disruptive use, and
offensive materials
• Systems Management
– Users' relationship to systems management
– Outline users’ and administrators’ responsibilities
• Violations of Policy
– Penalties specified for each kind of violation
– Procedures for (often anonymously) reporting policy violation
• Policy Review/Modification
• Limitations of Liability
• Three common approaches for creating/managing
ISSP
– Create individual independent ISSP documents,
tailored for specific issues
– Create a single ISSP document covering all issues
– Create a modular ISSP document unifying overall
policy creation/management while addressing specific
details with respect to individual issues
ISSP Implementation
System-Specific Security Policy (SysSPs)
• SysSPs provide guidance and procedures for configuring
specific systems, technologies, and applications
– Intrusion detection systems
– Firewall configuration
– Workstation configuration
• SysSPs are most often technical in nature, but can also
be managerial
– Guiding technology application to enforce higher level policy
(e.g. firewall to restrict Internet access)
Guidelines for Effective Policy
• Developed using industry-accepted practices
• Distributed using all appropriate methods
• Reviewed or read by all employees
• Understood by all employees
• Formally agreed to by act or assertion
• Uniformly applied and enforced
Developing Information Security
Policy
• Investigation Phase
• Analysis Phase
• Design Phase
• Implementation Phase
• Maintenance Phase
Investigation Phase
• Support from senior management
• Support and active involvement of IT management
• Clear articulation of goals
• Participation by the affected communities of
interest
• Detailed outline of the scope of the policy
development project
Analysis Phase
• The analysis phase should produce the following:
—A new or recent risk assessment or IT audit documenting the
information security needs of the organization.
—Gathering of key reference materials – including any existing
policies
Design Phase
• Users or organization members acknowledge they have
received and read the policy
—Signature and date on a form
—Banner screen with a warning
Implementation Phase
• Policy development team writes policies
• Resources:
—The Web
—Government sites such as NIST
—Professional literature
—Peer networks
—Professional consultants
Maintenance Phase
• Policy development team responsible for monitoring,
maintaining, and modifying the policy
Policy Distribution
• Hand policy to employees
• Post policy on a public bulletin board
• E-mail/ Intranet
• Document management system
• Policy Reading
—Barriers to employees’ reading policies
• Literacy: 14% of American adults scored "below basic" level in prose literacy
• Language: non-English speaking residents
• Policy Comprehension
—Language - At a reasonable reading level
• With minimal technical jargon and management terminology
—Understanding of issues - Quizzes
Policy Compliance
• Policies must be agreed to by act or affirmation
• Corporations incorporate policy confirmation statements
into employment contracts, annual evaluations
• Policy Enforcement
• Uniform and impartial enforcement – must be able to
withstand external scrutiny
• High standards of due care with regard to policy management – to
defend against claims made by terminated employees
• Automated Tools
• VigilEnt Policy Center – centralized policy approval and implementation
—Manages the approval process, reduces the need to distribute paper
copies, and manages policy acknowledgement forms
VigilEnt Policy Center Architecture
(Diagram showing the Company Intranet, the User Site, the VPC Server and the Administration Site, with the following flows.)
• Administrators publish policy docs and quizzes; administrators receive policy docs and quizzes.
• The VPC server sends published policy docs and quizzes to the server for distribution to the user sites.
• Policy docs, quizzes and news items go to the Intranet; user information goes to the company intranet.
• Users view policies and quizzes; users read policy docs and complete quizzes.
Policy Management
• Policy administrator
• Review schedule
• Review procedures and practices
• Policy and revision dates
• Policy administrator
—Champion
—Mid-level staff member
—Solicits input from business and information security
communities
—Makes sure policy document and subsequent revisions are
distributed
Review Schedule
• Periodically reviewed for currency and accuracy, and modified
to keep it current - an organized schedule of review (reviews per year)
—Solicit input from representatives of all affected parties,
management, and staff
• Review Procedures and Practices
—Easy submission of recommendations
—All comments examined; management-approved changes implemented
• Policy and Revision Date
—Often published without a date
• Legal issue – are employees "complying" with an out-of-date policy?
—Should include date of origin, revision dates
• Don't use "today's date" in the document
—Sunset clause (expiration date)
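The review-schedule and revision-date points above, turned into an automated check as an added example (not from the slides): each constructed policy record is tested for a date of origin, a sunset clause, revisions dated consistently, an overdue review against its review interval, and a dynamic "today's date" field. The record layout, the review interval, the `{{TODAY}}` field marker and the review date are assumptions.

```python
"""Policy metadata checks from the Review Schedule slide: date of origin,
revision dates, organized review schedule, sunset clause, and no dynamic
"today's date" in the document.  Records and dates are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed marker a document template would expand to the current date;
# a policy that carries it has no fixed, auditable date.
DYNAMIC_DATE_MARKER = "{{TODAY}}"

# Constructed date on which the policy administrator runs the review.
REVIEW_DATE = date(2024, 1, 15)


@dataclass
class Policy:
    name: str
    origin: Optional[date]                 # date of origin
    revisions: List[date] = field(default_factory=list)
    review_interval_days: int = 365        # organized schedule: one review per year
    sunset: Optional[date] = None          # sunset clause (expiration date)
    body: str = ""


def review_findings(policy: Policy, as_of: date) -> List[str]:
    """Return the findings a policy administrator would raise for this
    policy on the given date; an empty list means the record is in order."""
    findings: List[str] = []
    if policy.origin is None:
        findings.append("missing date of origin")
    elif any(rev < policy.origin for rev in policy.revisions):
        findings.append("revision dated before the date of origin")
    if policy.sunset is None:
        findings.append("no sunset clause (expiration date)")
    elif policy.sunset <= as_of:
        # the slide's legal issue: employees "complying" with an out-of-date policy
        findings.append(f"expired on {policy.sunset.isoformat()}")
    dated = [d for d in [policy.origin, *policy.revisions] if d is not None]
    if dated:
        # the last dated origin/revision starts the review clock
        due = max(dated) + timedelta(days=policy.review_interval_days)
        if due <= as_of:
            findings.append(f"review overdue since {due.isoformat()}")
    if DYNAMIC_DATE_MARKER in policy.body:
        findings.append("uses a dynamic 'today's date' field instead of fixed dates")
    return findings


def audit(policies: List[Policy], as_of: date) -> Dict[str, List[str]]:
    """Run review_findings over a policy register, keyed by policy name."""
    return {p.name: review_findings(p, as_of) for p in policies}


def sample_policies() -> List[Policy]:
    """Constructed policy register: one in order, one never revised and
    without a sunset clause, one undated, expired and using a dynamic date."""
    return [
        Policy("Acceptable Use Policy", date(2022, 3, 1), [date(2023, 3, 1)],
               365, date(2025, 3, 1), "Effective 1 March 2022 ..."),
        Policy("E-mail Policy", date(2019, 6, 10)),
        Policy("Remote Access Policy", None, [date(2021, 1, 1)], 180,
               date(2023, 12, 31), "Issued {{TODAY}} ..."),
    ]


if __name__ == "__main__":
    for name, issues in audit(sample_policies(), REVIEW_DATE).items():
        print(f"{name}: {'in order' if not issues else '; '.join(issues)}")
```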
Information Security Policies Made
Easy Approach
• Gather key reference materials
• Develop a framework for policies
• Prepare a coverage matrix
• Make critical systems design decisions
• Structure review, approval, and enforcement processes
• Next Steps
—Post policies
—Develop a self-assessment questionnaire
—Develop revised user ID issuance forms
—Develop agreement to comply with InfoSec policies form
—Develop tests to determine if workers understand policies
Information Security Policies Made
Easy Approach (continued)
• Next steps (continued)
—Assign information security coordinators
—Train information security coordinators
—Prepare and deliver a basic information security training course
—Develop application-specific information security policies
—Develop a conceptual hierarchy of information security
requirements
—Assign information ownership and custodianship
—Establish an information security management committee
—Develop an information security architecture document
—Automate policy enforcement through policy servers
Final Note
• Policies are a countermeasure to protect assets from
threats
—Policies exist to inform employees of acceptable (unacceptable)
behavior
—Are meant to improve employee productivity and prevent
potentially embarrassing situations
—Communicate penalties for noncompliance
Questions?

IT Governance Ltd
 
What are the essential aspects of ISO 27001 Certification in Netherlands.pdf
What are the essential aspects of ISO 27001 Certification in Netherlands.pdfWhat are the essential aspects of ISO 27001 Certification in Netherlands.pdf
What are the essential aspects of ISO 27001 Certification in Netherlands.pdf
Anoosha Factocert
 
Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005
ControlCase
 
english_bok_ismp_202306.pptx
english_bok_ismp_202306.pptxenglish_bok_ismp_202306.pptx
english_bok_ismp_202306.pptx
ssuser00d6eb
 
Information Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO StandardsInformation Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO Standards
PECB
 

Similar to 20CS024 Ethics in Information Technology (20)

Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process Overview
 
Chapter 1 Best Practices, Standards, and a Plan of Action.pptx
Chapter 1 Best Practices, Standards, and a Plan of Action.pptxChapter 1 Best Practices, Standards, and a Plan of Action.pptx
Chapter 1 Best Practices, Standards, and a Plan of Action.pptx
 
Iso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interpromIso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interprom
 
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to Know
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to KnowCMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to Know
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to Know
 
Know more about exin unique information security program
Know more about exin unique information security programKnow more about exin unique information security program
Know more about exin unique information security program
 
ISO 27001
ISO 27001ISO 27001
ISO 27001
 
ISO 27001:2022 Introduction
ISO 27001:2022 IntroductionISO 27001:2022 Introduction
ISO 27001:2022 Introduction
 
Bim tek 15 juni 2017 konsep iso27000-2016 smki
Bim tek 15 juni 2017   konsep iso27000-2016 smkiBim tek 15 juni 2017   konsep iso27000-2016 smki
Bim tek 15 juni 2017 konsep iso27000-2016 smki
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013  An Overview ISO/IEC 27001:2013  An Overview
ISO/IEC 27001:2013 An Overview
 
ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?
ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?
ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?
 
Info.ppt
Info.pptInfo.ppt
Info.ppt
 
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.
 
Presentaion.pptx
Presentaion.pptxPresentaion.pptx
Presentaion.pptx
 
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to KnowISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
 
GDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksGDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risks
 
What are the essential aspects of ISO 27001 Certification in Netherlands.pdf
What are the essential aspects of ISO 27001 Certification in Netherlands.pdfWhat are the essential aspects of ISO 27001 Certification in Netherlands.pdf
What are the essential aspects of ISO 27001 Certification in Netherlands.pdf
 
Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005
 
english_bok_ismp_202306.pptx
english_bok_ismp_202306.pptxenglish_bok_ismp_202306.pptx
english_bok_ismp_202306.pptx
 
Information Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO StandardsInformation Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO Standards
 

More from Kathirvel Ayyaswamy

22CS201 COA
22CS201 COA22CS201 COA
22CS201 COA
Kathirvel Ayyaswamy
 
22cs201 COMPUTER ORGANIZATION AND ARCHITECTURE
22cs201 COMPUTER ORGANIZATION AND ARCHITECTURE22cs201 COMPUTER ORGANIZATION AND ARCHITECTURE
22cs201 COMPUTER ORGANIZATION AND ARCHITECTURE
Kathirvel Ayyaswamy
 
22CS201 COA
22CS201 COA22CS201 COA
22CS201 COA
Kathirvel Ayyaswamy
 
18CS3040_Distributed Systems
18CS3040_Distributed Systems18CS3040_Distributed Systems
18CS3040_Distributed Systems
Kathirvel Ayyaswamy
 
20CS2021-Distributed Computing module 2
20CS2021-Distributed Computing module 220CS2021-Distributed Computing module 2
20CS2021-Distributed Computing module 2
Kathirvel Ayyaswamy
 
18CS3040 Distributed System
18CS3040 Distributed System	18CS3040 Distributed System
18CS3040 Distributed System
Kathirvel Ayyaswamy
 
20CS2021 Distributed Computing
20CS2021 Distributed Computing 20CS2021 Distributed Computing
20CS2021 Distributed Computing
Kathirvel Ayyaswamy
 
20CS2021 DISTRIBUTED COMPUTING
20CS2021 DISTRIBUTED COMPUTING20CS2021 DISTRIBUTED COMPUTING
20CS2021 DISTRIBUTED COMPUTING
Kathirvel Ayyaswamy
 
18CS3040 DISTRIBUTED SYSTEMS
18CS3040 DISTRIBUTED SYSTEMS18CS3040 DISTRIBUTED SYSTEMS
18CS3040 DISTRIBUTED SYSTEMS
Kathirvel Ayyaswamy
 
Recent Trends in IoT and Sustainability
Recent Trends in IoT and SustainabilityRecent Trends in IoT and Sustainability
Recent Trends in IoT and Sustainability
Kathirvel Ayyaswamy
 
20CS2008 Computer Networks
20CS2008 Computer Networks 20CS2008 Computer Networks
20CS2008 Computer Networks
Kathirvel Ayyaswamy
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
Kathirvel Ayyaswamy
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
Kathirvel Ayyaswamy
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
Kathirvel Ayyaswamy
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security 18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
Kathirvel Ayyaswamy
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
Kathirvel Ayyaswamy
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
Kathirvel Ayyaswamy
 
20CS2008 Computer Networks
20CS2008 Computer Networks20CS2008 Computer Networks
20CS2008 Computer Networks
Kathirvel Ayyaswamy
 
20CS2008 Computer Networks
20CS2008 Computer Networks 20CS2008 Computer Networks
20CS2008 Computer Networks
Kathirvel Ayyaswamy
 
20CS024 Ethics in Information Technology
20CS024 Ethics in Information Technology20CS024 Ethics in Information Technology
20CS024 Ethics in Information Technology
Kathirvel Ayyaswamy
 

More from Kathirvel Ayyaswamy (20)

22CS201 COA
22CS201 COA22CS201 COA
22CS201 COA
 
22cs201 COMPUTER ORGANIZATION AND ARCHITECTURE
22cs201 COMPUTER ORGANIZATION AND ARCHITECTURE22cs201 COMPUTER ORGANIZATION AND ARCHITECTURE
22cs201 COMPUTER ORGANIZATION AND ARCHITECTURE
 
22CS201 COA
22CS201 COA22CS201 COA
22CS201 COA
 
18CS3040_Distributed Systems
18CS3040_Distributed Systems18CS3040_Distributed Systems
18CS3040_Distributed Systems
 
20CS2021-Distributed Computing module 2
20CS2021-Distributed Computing module 220CS2021-Distributed Computing module 2
20CS2021-Distributed Computing module 2
 
18CS3040 Distributed System
18CS3040 Distributed System	18CS3040 Distributed System
18CS3040 Distributed System
 
20CS2021 Distributed Computing
20CS2021 Distributed Computing 20CS2021 Distributed Computing
20CS2021 Distributed Computing
 
20CS2021 DISTRIBUTED COMPUTING
20CS2021 DISTRIBUTED COMPUTING20CS2021 DISTRIBUTED COMPUTING
20CS2021 DISTRIBUTED COMPUTING
 
18CS3040 DISTRIBUTED SYSTEMS
18CS3040 DISTRIBUTED SYSTEMS18CS3040 DISTRIBUTED SYSTEMS
18CS3040 DISTRIBUTED SYSTEMS
 
Recent Trends in IoT and Sustainability
Recent Trends in IoT and SustainabilityRecent Trends in IoT and Sustainability
Recent Trends in IoT and Sustainability
 
20CS2008 Computer Networks
20CS2008 Computer Networks 20CS2008 Computer Networks
20CS2008 Computer Networks
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security 18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
 
20CS2008 Computer Networks
20CS2008 Computer Networks20CS2008 Computer Networks
20CS2008 Computer Networks
 
20CS2008 Computer Networks
20CS2008 Computer Networks 20CS2008 Computer Networks
20CS2008 Computer Networks
 
20CS024 Ethics in Information Technology
20CS024 Ethics in Information Technology20CS024 Ethics in Information Technology
20CS024 Ethics in Information Technology
 

Recently uploaded

AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdfAKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
SamSarthak3
 
Quality defects in TMT Bars, Possible causes and Potential Solutions.
Quality defects in TMT Bars, Possible causes and Potential Solutions.Quality defects in TMT Bars, Possible causes and Potential Solutions.
Quality defects in TMT Bars, Possible causes and Potential Solutions.
PrashantGoswami42
 
H.Seo, ICLR 2024, MLILAB, KAIST AI.pdf
H.Seo,  ICLR 2024, MLILAB,  KAIST AI.pdfH.Seo,  ICLR 2024, MLILAB,  KAIST AI.pdf
H.Seo, ICLR 2024, MLILAB, KAIST AI.pdf
MLILAB
 
ethical hacking in wireless-hacking1.ppt
ethical hacking in wireless-hacking1.pptethical hacking in wireless-hacking1.ppt
ethical hacking in wireless-hacking1.ppt
Jayaprasanna4
 
ASME IX(9) 2007 Full Version .pdf
ASME IX(9)  2007 Full Version       .pdfASME IX(9)  2007 Full Version       .pdf
ASME IX(9) 2007 Full Version .pdf
AhmedHussein950959
 
CME397 Surface Engineering- Professional Elective
CME397 Surface Engineering- Professional ElectiveCME397 Surface Engineering- Professional Elective
CME397 Surface Engineering- Professional Elective
karthi keyan
 
Architectural Portfolio Sean Lockwood
Architectural Portfolio Sean LockwoodArchitectural Portfolio Sean Lockwood
Architectural Portfolio Sean Lockwood
seandesed
 
road safety engineering r s e unit 3.pdf
road safety engineering  r s e unit 3.pdfroad safety engineering  r s e unit 3.pdf
road safety engineering r s e unit 3.pdf
VENKATESHvenky89705
 
Automobile Management System Project Report.pdf
Automobile Management System Project Report.pdfAutomobile Management System Project Report.pdf
Automobile Management System Project Report.pdf
Kamal Acharya
 
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdfTop 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
Teleport Manpower Consultant
 
The role of big data in decision making.
The role of big data in decision making.The role of big data in decision making.
The role of big data in decision making.
ankuprajapati0525
 
LIGA(E)11111111111111111111111111111111111111111.ppt
LIGA(E)11111111111111111111111111111111111111111.pptLIGA(E)11111111111111111111111111111111111111111.ppt
LIGA(E)11111111111111111111111111111111111111111.ppt
ssuser9bd3ba
 
Planning Of Procurement o different goods and services
Planning Of Procurement o different goods and servicesPlanning Of Procurement o different goods and services
Planning Of Procurement o different goods and services
JoytuBarua2
 
Standard Reomte Control Interface - Neometrix
Standard Reomte Control Interface - NeometrixStandard Reomte Control Interface - Neometrix
Standard Reomte Control Interface - Neometrix
Neometrix_Engineering_Pvt_Ltd
 
Nuclear Power Economics and Structuring 2024
Nuclear Power Economics and Structuring 2024Nuclear Power Economics and Structuring 2024
Nuclear Power Economics and Structuring 2024
Massimo Talia
 
Cosmetic shop management system project report.pdf
Cosmetic shop management system project report.pdfCosmetic shop management system project report.pdf
Cosmetic shop management system project report.pdf
Kamal Acharya
 
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&BDesign and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Sreedhar Chowdam
 
ethical hacking-mobile hacking methods.ppt
ethical hacking-mobile hacking methods.pptethical hacking-mobile hacking methods.ppt
ethical hacking-mobile hacking methods.ppt
Jayaprasanna4
 
WATER CRISIS and its solutions-pptx 1234
WATER CRISIS and its solutions-pptx 1234WATER CRISIS and its solutions-pptx 1234
WATER CRISIS and its solutions-pptx 1234
AafreenAbuthahir2
 
Courier management system project report.pdf
Courier management system project report.pdfCourier management system project report.pdf
Courier management system project report.pdf
Kamal Acharya
 

Recently uploaded (20)

AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdfAKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
 
Quality defects in TMT Bars, Possible causes and Potential Solutions.
Quality defects in TMT Bars, Possible causes and Potential Solutions.Quality defects in TMT Bars, Possible causes and Potential Solutions.
Quality defects in TMT Bars, Possible causes and Potential Solutions.
 
H.Seo, ICLR 2024, MLILAB, KAIST AI.pdf
H.Seo,  ICLR 2024, MLILAB,  KAIST AI.pdfH.Seo,  ICLR 2024, MLILAB,  KAIST AI.pdf
H.Seo, ICLR 2024, MLILAB, KAIST AI.pdf
 
ethical hacking in wireless-hacking1.ppt
ethical hacking in wireless-hacking1.pptethical hacking in wireless-hacking1.ppt
ethical hacking in wireless-hacking1.ppt
 
ASME IX(9) 2007 Full Version .pdf
ASME IX(9)  2007 Full Version       .pdfASME IX(9)  2007 Full Version       .pdf
ASME IX(9) 2007 Full Version .pdf
 
CME397 Surface Engineering- Professional Elective
CME397 Surface Engineering- Professional ElectiveCME397 Surface Engineering- Professional Elective
CME397 Surface Engineering- Professional Elective
 
Architectural Portfolio Sean Lockwood
Architectural Portfolio Sean LockwoodArchitectural Portfolio Sean Lockwood
Architectural Portfolio Sean Lockwood
 
road safety engineering r s e unit 3.pdf
road safety engineering  r s e unit 3.pdfroad safety engineering  r s e unit 3.pdf
road safety engineering r s e unit 3.pdf
 
Automobile Management System Project Report.pdf
Automobile Management System Project Report.pdfAutomobile Management System Project Report.pdf
Automobile Management System Project Report.pdf
 
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdfTop 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
 
The role of big data in decision making.
The role of big data in decision making.The role of big data in decision making.
The role of big data in decision making.
 
LIGA(E)11111111111111111111111111111111111111111.ppt
LIGA(E)11111111111111111111111111111111111111111.pptLIGA(E)11111111111111111111111111111111111111111.ppt
LIGA(E)11111111111111111111111111111111111111111.ppt
 
Planning Of Procurement o different goods and services
Planning Of Procurement o different goods and servicesPlanning Of Procurement o different goods and services
Planning Of Procurement o different goods and services
 
Standard Reomte Control Interface - Neometrix
Standard Reomte Control Interface - NeometrixStandard Reomte Control Interface - Neometrix
Standard Reomte Control Interface - Neometrix
 
Nuclear Power Economics and Structuring 2024
Nuclear Power Economics and Structuring 2024Nuclear Power Economics and Structuring 2024
Nuclear Power Economics and Structuring 2024
 
Cosmetic shop management system project report.pdf
Cosmetic shop management system project report.pdfCosmetic shop management system project report.pdf
Cosmetic shop management system project report.pdf
 
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&BDesign and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
 
ethical hacking-mobile hacking methods.ppt
ethical hacking-mobile hacking methods.pptethical hacking-mobile hacking methods.ppt
ethical hacking-mobile hacking methods.ppt
 
WATER CRISIS and its solutions-pptx 1234
WATER CRISIS and its solutions-pptx 1234WATER CRISIS and its solutions-pptx 1234
WATER CRISIS and its solutions-pptx 1234
 
Courier management system project report.pdf
Courier management system project report.pdfCourier management system project report.pdf
Courier management system project report.pdf
 

20CS024 Ethics in Information Technology

20CS2024 Ethics in Information Technology
Module 6
Standards for Information Security Management: Information Security Management Systems (ISMS) - ISO 27001 - Framing Security Policy of Organization - Committees: Security Forum, Core Committee, Custodian and Users, Business Continuity Process Team & Procedure - Information Security Auditing Process. IT Security Incidents
Dr. A. Kathirvel, Professor, DCSE, KITS
kathirvel@karunya.edu
What is ISMS?
• Information Security Management System
• Strategic decision of an organization
• Design and implementation
• Needs and objectives
• Security requirements
• Processes employed
• Size and structure of the organization
• Scaled with needs: a simple situation requires a simple ISMS solution
What is ISO 27001:2013?
• ISO 27001 Information Security Management Systems is the international best-practice standard for information security.
• ISO 27001:2013, the current version of the standard, provides a set of standardized requirements for an information security management system (ISMS).
• ISO 27001 certification is suitable for any organization, large or small, in any sector.
Concept of Information Security
• Protecting Information Resources and Systems
• Unauthorized Use and Access
• Unauthorized Disclosure and Modification
• Damage and Destruction
What is the ISO 27001 Planning Process?
• Define a security policy.
• Define the scope of the ISMS.
• Conduct a risk assessment.
• Manage identified risks.
• Select control objectives and controls to be implemented.
• Prepare a statement of applicability.
Where is the ISO 27001 standard applicable?
• This standard is applicable in many types of industry; a few areas where organizations hold ISO 27001 certification are:
—Finance and Insurance
—Software development
—Data processing
—Banks and hospitals
—Telecommunications
—Utilities
—Retail sector
—Manufacturing sector
—Various service industries
—Transportation sector
—Government bodies
Why the ISO 27001 Family of Standards?
• While the ISO/IEC 27001 document gives general requirements for an ISMS and is the auditable standard for Information Security Management Systems, there is a family of supporting documents behind it that provide guidelines for planning, implementing, and maintaining an effective ISMS.
• Below we have listed some of these documents, along with their purpose.
Requirements of ISO 27001:2013 ISMS
• Highlights and features
• Risk management approach
• Risk assessment
• Risk treatment
• Management decision making
• Continuous improvement model
• Measures of effectiveness
• Auditable specification (internal and external ISMS auditing)
• Now under revision
Requirements of ISO 27001:2013 Documents
• The scope of the ISMS
• The ISMS policy
• Procedures for document control, internal audits, and procedures for corrective and preventive actions
• All other documents, depending on applicable controls
• Risk assessment methodology
• Risk assessment report
• Statement of applicability
• Risk treatment plan
• Records
Structure of ISO 27001:2013
• ISO 27001 is the first Standard to adopt the Annex SL structure.
• The 2013 Standard looks very different from the 2005 version.
• To help understand the differences, a cross-reference table between the two versions has been included below.
• The structure of ISO 27001:2013 is as follows:
—Planning
—Support
—Operation
—Performance evaluation
—Improvement
Process of ISO 27001:2013 Certification
• ISO 27001:2013 certification for information security management system processes can be established.
• The company can select the number of controls as per BS7799, and such controls may be implemented partially or fully; the same is written in the certificate after the certifying body has assessed the system.
—Decision
—ISO Management Representative
—Gap Analysis and Risk Assessment
—Scope Implementation Plan
—Employee Introduction
Process of ISO 27001:2013 Certification
—ISO Documentation
—Documentation Realisation
—Internal ISO 27001 Audits
—ISO 27001 Certification
—Maintaining the ISO 27001 Certification
• Key Benefits of ISO 27001:2013
—Keeps confidential information secure
—Provides customers and stakeholders with confidence in how you manage risk
—Allows for secure exchange of information
—Allows you to ensure you are meeting your legal obligations
Key Benefits of ISO 27001:2013
• Helps you to comply with other regulations
• Provides you with a competitive advantage
• Enhanced customer satisfaction that improves client retention
• Consistency in the delivery of your service or product
• Manages and minimizes risk exposure
• Builds a culture of security
• Protects the company, assets, shareholders and directors
Security and Privacy Entities
• SC 17 Cards and Personal Identification
• SC 27 IT Security
• SC 37 Biometrics
• SC 40 IT Governance
JTC 1 Security and Privacy
JTC 1 Security focuses on these areas of IT Security:
• Technology Mechanisms
• Services
• Management
• Governance
• Evaluation Testing
• Privacy Technologies
Security and Privacy Topic Areas
• Security evaluation, testing and specification (including evaluation criteria for IT security, framework for IT security assurance, methodology for IT security evaluation, cryptographic algorithms and security mechanisms conformance testing, security assessment of operational systems, SSE-CMM, vulnerability disclosure, vulnerability handling processes, physical security attacks, mitigation techniques and security requirements)
• Information security management system (ISMS) requirements plus ISMS accreditation, certification and auditing (including accredited CB requirements, guidance on ISMS auditing and guidelines for auditors on ISMS controls)
• Cryptographic and security mechanisms (including encryption, digital signature, authentication mechanisms, data integrity, non-repudiation, key management, prime number generation, random number generation, hash functions)
• Identity management and privacy technologies (including application-specific (e.g. cloud and PII), privacy impact analysis, privacy framework, identity management framework, entity authentication assurance framework)
• ISMS sector-specific security controls (including application- and sector-specific, e.g. Cloud, Telecoms, Energy, Finance) and sector-specific use of the ISMS requirements standard
• Security services and controls (focusing on contributing to security controls and mechanisms, covering ICT readiness for business continuity, IT network security, 3rd party services, supplier relationships (including Cloud), IDS, incident management, cyber security, application security, disaster recovery, forensics, digital redaction, time-stamping and other areas)
• ISMS supporting guidance: codes of practice for information security controls, ISMS risk management, ISMS performance evaluation and ISMS implementation guidance
• Biometrics (including file formats, programming interfaces, data interchange formats, biometric profiles, biometric information protection, biometric authentication)
• Cards and Personal Identification (including physical characteristics, circuit cards, machine-readable cards, motor vehicle driver's licence)
• Governance
Key Security Products
• ISO/IEC 27001 – Information Security Management System (ISMS)
—27000 Family of Standards
• ISO/IEC 18033 – Encryption Algorithms
—Specifies asymmetric ciphers and symmetric ciphers
• ISO/IEC 7811 – Identification Cards
• ISO/IEC 2382-37 – Vocabulary
—Harmonized vocabulary for biometrics
Key Privacy Products
• ISO/IEC 29100 – Privacy Framework
—Identifies privacy principles
• ISO/IEC 29134 – Privacy impact assessment
• ISO/IEC 29115 – Entity authentication assurance framework
Vertical Topic Areas
• Cloud Computing
• Accessibility
• Health Care
• IoT
• Societal considerations
• Telecom
Key Work Products Related to Verticals
• Cloud Computing
—ITU-T X.1631 | ISO/IEC 27017 – Guidelines on information security controls for the use of cloud computing services based on ISO/IEC 27002
—ISO/IEC 27018 – Code of practice for PII protection in public clouds acting as PII processors
—ISO/IEC 27036-4 – Information security for supplier relationships – Part 4: Guidelines for security of cloud services
• Health Care
—ISO/IEC 27999
• Societal considerations
—ISO/IEC 27032 – Guidelines for Cybersecurity
• Telecom
—ITU-T X.1051 | ISO/IEC 27011 – Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
In Progress and Future Work Areas
• Cyber Insurance
• Cyber Resilience
• Cloud Computing
—SLA for security and privacy
—Trusted connections and Virtualization
• Big Data – Security and Privacy considerations
• IoT
—Privacy considerations
• Identity Management
—Security considerations
—Privacy implications related to SmartPhone Applications
• Privacy
—Information Management System
—Notices and Consent
—De-identification techniques
Information Security Policy
• The success of any information security program lies in policy development
• Policy is the essential foundation of an effective information security program
• Information security policies are central to virtually everything that happens in the information security field
• An effective information security training and awareness effort cannot be initiated without writing information security policies
NIST – Executive Guide to the Protection of Information Resources
• "The success of an information resources protection program depends on the policy generated, and on the attitude of management toward securing information on automated systems.
• You, the policy maker, set the tone and the emphasis on how important a role information security will have within your agency.
• Your primary responsibility is to set the information resource security policy for the organization within the objectives of reduced risk, compliance with laws and regulations and assurance of operational continuity, information integrity, and confidentiality."
Basic Rules in Shaping a Policy
• Policy should never conflict with law
• Policy must be able to stand up in court, if challenged
• Policy must be properly supported and administered
• Example: Enron's dubious business practices and misreporting of the financial records, under a policy of shredding working papers by accountants
Why Policy
• A quality information security program begins and ends with policy
• Although information security policies are the least expensive means of control to execute, they are often the most difficult to implement
• Policy controls cost only the time and effort that the management team spends to create, approve and communicate them, and that employees spend integrating the policies into their daily activities
• The cost of hiring a consultant is minimal compared to technical controls
• 27. Guidelines for IT Policy
• All policies must contribute to the success of the organization
• Management must ensure the adequate sharing of responsibility for proper use of information systems
• End users of information systems should be involved in the steps of policy formulation
• 28. Bull's Eye Model
• Proven mechanism for prioritizing complex changes
• Issues are addressed by moving from the general to the specific
• Focus on systemic solutions instead of individual problems
• 29. Bull's Eye Model Layers
• Policies – the outer layer in the bull's eye diagram
• Networks – the place where threats from public networks meet the organization's networking infrastructure; in the past, most information security efforts have focused on networks, and until recently information security was often thought to be synonymous with network security
• Systems – computers used as servers, desktop computers, and systems used for process control and manufacturing
• Applications – all application systems, ranging from packaged applications such as office automation and e-mail programs, to high-end ERP packages and custom application software developed by the organization
• 30. Charles Cresson Wood's Need for Policy
• "…policies are important reference documents for internal audits and for the resolution of legal disputes about management's due diligence [and] policy documents can act as a clear statement of management's intent…"
• 31. Policy, Standards, and Practices
• Policy represents the formal statement of the organization's managerial position; in the case of our focus, the organization's information security philosophy
• Traditionally, communities of interest use policy to express their views, which then become the basis for planning, management and maintenance of the information security profile
• Policies – a set of rules that dictate acceptable and unacceptable behavior within an organization
• Policies should not specify the proper operation of equipment or software
• Policies must specify the penalties for unacceptable behavior and define an appeals process
• To execute the policy, the organization must implement a set of standards that clarify and define exactly what is inappropriate in the workplace and how far the organization will go to stop the inappropriate behavior
• Standard – a more detailed statement of what must be done to comply with policy
• Technical controls and their associated procedures might be established such that the network blocks access to pornographic websites
• 32. Policy, Standards, and Practices (Contd)
• 33. Types of InfoSec Policies
• Based on NIST Special Publication 800-14, the three types of information security policies are:
– Enterprise information security program policy
– Issue-specific security policies
– System-specific security policies
• The usual procedure:
– First – creation of the enterprise information security policy, the highest level of policy
– Next – the requirements of the general policy are met by developing issue- and system-specific policies
• 34. Enterprise Information Security Policy (EISP)
• EISP sets the strategic direction, scope, and tone for all of an organization's security efforts
• EISP assigns responsibilities for the various areas of information security, including maintenance of information security policies and the practices and responsibilities of other users
• EISP guides the development, implementation, and management requirements of the information security program
• EISP should directly support the mission and vision statements
• 35. Integrating an Organization's Mission and Objectives into the EISP
• EISP plays a number of vital roles
• One of its important roles is to state the importance of InfoSec to the organization's mission and objectives
• InfoSec strategic planning derives from IT strategic planning, which is itself derived from the organization's strategic planning
• Policy will become confusing if the EISP does not directly reflect this chain of derivation
• 36. EISP Elements
• An overview of the corporate philosophy on security
• Information on the structure of the InfoSec organization and the individuals who fulfill the InfoSec role
• Fully articulated responsibilities for security that are shared by all members of the organization
• Fully articulated responsibilities for security that are unique to each role within the organization
• 37. Components of a Good EISP
• Statement of Purpose
• Information Technology Security Elements
• Need for Information Technology Security
• Information Technology Security Responsibilities and Roles
• Reference to Other Information Technology Standards and Guidelines
• 38. Issue-Specific Security Policy (ISSP)
• Provides a common understanding of the purposes for which an employee can and cannot use a technology
– Should not be presented as a foundation for legal prosecution
• Protects both the employee and the organization from inefficiency and ambiguity
• 39. Effective ISSP
• Articulates expectations for use of technology-based systems
• Identifies the processes and authorities that provide documented control
• Indemnifies the organization against liability for an employee's inappropriate or illegal use of the system
• 40. ISSP Topics
• Use of Internet, e-mail, phone, and office equipment
• Incident response
• Disaster/business continuity planning
• Minimum system configuration requirements
• Prohibitions against hacking/testing security controls
• Home use of company-owned systems
• Use of personal equipment on company networks
• 41. ISSP Components
• Statement of Purpose
– Outlines scope and applicability: what is the purpose and who is responsible for implementation
• Authorized Uses
– Users have no particular rights of use beyond those specified in the policy
• Prohibited Uses
– Common prohibitions: criminal use, personal use, disruptive use, and offensive materials
• Systems Management
– Users' relationship to systems management
– Outlines users' and administrators' responsibilities
• Violations of Policy
– Penalties specified for each kind of violation
– Procedures for (often anonymously) reporting policy violations
• Policy Review/Modification
• Limitations of Liability
• 42. ISSP Implementation
• Three common approaches for creating/managing an ISSP:
– Create individual independent ISSP documents, tailored to specific issues
– Create a single ISSP document covering all issues
– Create a modular ISSP document, unifying overall policy creation/management while addressing specific details with respect to individual issues
• 43. System-Specific Security Policy (SysSP)
• SysSPs provide guidance and procedures for configuring specific systems, technologies, and applications
– Intrusion detection systems
– Firewall configuration
– Workstation configuration
• SysSPs are most often technical in nature, but can also be managerial
– Guiding the application of technology to enforce higher-level policy (e.g. a firewall configured to restrict Internet access)
• 44. Guidelines for Effective Policy
• Developed using industry-accepted practices
• Distributed using all appropriate methods
• Reviewed or read by all employees
• Understood by all employees
• Formally agreed to by act or assertion
• Uniformly applied and enforced
• 45. Developing Information Security Policy
• Investigation Phase
• Analysis Phase
• Design Phase
• Implementation Phase
• Maintenance Phase
• 46. Investigation Phase
• Support from senior management
• Support and active involvement of IT management
• Clear articulation of goals
• Participation by the affected communities of interest
• Detailed outline of the scope of the policy development project
• 47. Analysis Phase
• The analysis phase should produce the following:
— A new or recent risk assessment or IT audit documenting the information security needs of the organization
— Gathering of key reference materials, including any existing policies
Design Phase
• Users or organization members acknowledge that they have received and read the policy
— Signature and date on a form
— Banner screen with a warning
• 48. Implementation Phase
• The policy development team writes the policies
• Resources:
— The Web
— Government sites such as NIST
— Professional literature
— Peer networks
— Professional consultants
Maintenance Phase
• The policy development team is responsible for monitoring, maintaining, and modifying the policy
• 49. Policy Distribution
• Hand the policy to employees
• Post the policy on a public bulletin board
• E-mail / intranet
• Document management system
• Policy Reading
— Barriers to employees' reading policies:
• Literacy: 14% of American adults scored at the "below basic" level in prose literacy
• Language: non-English-speaking residents
• Policy Comprehension
— Language – written at a reasonable reading level, with minimal technical jargon and management terminology
— Understanding of issues – verified with quizzes
• 50. Policy Compliance
• Policies must be agreed to by act or affirmation
• Corporations incorporate policy confirmation statements into employment contracts and annual evaluations
• Policy Enforcement
— Uniform and impartial enforcement – must be able to withstand external scrutiny
— High standards of due care with regard to policy management – to defend against claims made by terminated employees
• Automated Tools
— VigilEnt Policy Center – centralized policy approval & implementation
— Manages the approval process, reduces the need to distribute paper copies & manages policy acknowledgement forms
• 51. VigilEnt Policy Center Architecture
[Architecture diagram; components: Company Intranet, User Site, VPC Server, Administration Site. Flows shown: administrators publish policy documents and quizzes at the Administration Site; the VPC server sends the published policy documents, quizzes and news items to the company intranet for distribution to the user sites; users view and read policy documents and complete quizzes; user information flows back to the company intranet.]
• 52. Policy Management
• Policy administrator
• Review schedule
• Review procedures and practices
• Policy and revision dates
• Policy administrator
— Champion
— Mid-level staff member
— Solicits input from the business and information security communities
— Makes sure the policy document and subsequent revisions are distributed
• 53. Review Schedule
• Policies are periodically reviewed for currency and accuracy, and modified to keep them current – an organized schedule of review, with a review every year
— Solicit input from representatives of all affected parties, management, and staff
• Review Procedures and Practices
— Easy submission of recommendations
— All comments examined & management-approved changes implemented
• Policy and Revision Date
— Policies are often published without a date
• Legal issue – are employees "complying" with an out-of-date policy?
— Should include the date of origin and revision dates
• Don't use "today's date" in the document
— Sunset clause (expiration date)
• 54. Information Security Policies Made Easy Approach
• Gather key reference materials
• Develop a framework for policies
• Prepare a coverage matrix
• Make critical systems design decisions
• Structure review, approval, and enforcement processes
• Next Steps
— Post policies
— Develop a self-assessment questionnaire
— Develop revised user ID issuance forms
— Develop an agreement-to-comply-with-InfoSec-policies form
— Develop tests to determine whether workers understand the policies
• 55. Information Security Policies Made Easy Approach
• Next steps (continued)
— Assign information security coordinators
— Train information security coordinators
— Prepare and deliver a basic information security training course
— Develop application-specific information security policies
— Develop a conceptual hierarchy of information security requirements
— Assign information ownership and custodianship
— Establish an information security management committee
— Develop an information security architecture document
— Automate policy enforcement through policy servers
• 56. Final Note
• Policies are a countermeasure to protect assets from threats
— Policies exist to inform employees of acceptable (and unacceptable) behavior
— They are meant to improve employee productivity and prevent potentially embarrassing situations
— They communicate penalties for noncompliance