The ISO/IEC 27001:2005 standard applies to any organization regardless of its size or products, and after implementing the system the organization can apply to certification bodies to obtain a certificate of conformity.
Transmission Control Protocol / Internet Protocol (TCP/IP) attacks
Some recent security attacks
DNS poisoning
SYN flood
Denial of service
DDoS
three-way handshaking
DoS
Transmission control
Internet addresses and the TCP/IP protocol
Types of cyber attacks
attack
cybersecurity
cyber security
TCP/IP
Information security, lecture six
Information Security vs. Data Governance vs. Data Protection: What Is the Rea... (PECB)
This webinar will provide more information on the importance of information security and how you can take security well beyond compliance, an approach to building strong information security, privacy and data governance programs, and the importance of strong data governance in relation to privacy and information security requirements.
The webinar covers:
• Information Security
• Importance Of Information Security Today
• Taking Information Security Beyond A Compliance First
• Importance Of Data Governance In Information Security
• Privacy
• Changing And Evolving Privacy Requirements
• Importance Of Data Governance In Privacy
• Data Governance And Data Privacy
• Data Privacy - Data Processing Principles
Presenters:
Moji is a Senior Business Process Analyst working with GemaltoThales, a leading firm in the IT industry. Moji has over fifteen years of experience in leading projects to improve processes, create and implement processes leading to increased revenue generation and eliminate redundancies.
She has a zeal for adding value and increasing revenue for organizations. Moji is very passionate about Data Privacy and its application in business and consumer rights.
Hardeep Mehrotara has 20+ years of senior leadership experience in Information Technology and Cyber Security working for public and private organizations building security programs from the ground up. He has been featured on Canadian television as a cyber expert and provided advice to various communities on implementing cybersecurity strategy, best practices and controls. He has been a co-author on numerous leading industry security control frameworks, technical benchmarks and industry best practice standards.
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/iso-27001-information-technology--security-techniques-information-security--management-systems---requirements
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701
Webinars: https://pecb.com/webinars
Articles: https://pecb.com/article
Whitepapers: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
YouTube video: https://youtu.be/aQcS5-RFIEY
Website link: https://pecb.com/
ISO/IEC 27001 is the main standard that aims to enhance an organization’s information security.
Amongst others, the webinar covers:
• ISO/IEC 27001 & ISO/IEC 27002, catching up with history
• Quick recap on the ISO/IEC 27002:2022
• From ISO/IEC 27002 to the ISO/IEC 27001 updates
• Some considerations & consequences of the update
• What's up next with ISO/IEC 27001, in practice?
Presenters:
Peter Geelen
Peter Geelen is the director and managing consultant at CyberMinute and Owner of Quest for Security, Belgium. Over more than 20 years, Peter has built strong experience in enterprise security & architecture, Identity & Access management, but also privacy, information & data protection, cyber- and cloud security. Last few years, the focus is on ISO/IEC 27001 and other ISO certification mechanisms. Peter is accredited Lead Auditor for ISO/IEC 27001, ISO 9001, PECB Trainer and Fellow in Privacy. Committed to continuous learning, Peter holds renowned security certificates as certified ISO/IEC 27701 lead implementer and lead auditor, ISO/IEC 27001 Master, Sr. Lead Cybersecurity Manager, ISO/IEC 27002 lead manager, ISO/IEC 27701 Lead Implementer, cDPO, Risk management, Lead Incident Mgr., Disaster Recovery, and many more.
Stefan Mathuvis
Stefan Mathuvis is owner & senior consultant at Quality Management & Auditing BV, Zonhoven, Belgium. With over 20 years of experience, Stefan has built strong experience in quality management systems, information security management systems, GDPR, data privacy & data protection. Stefan is an accredited ISO/IEC 27001 Lead Auditor and operates as a third-party auditor for DQS Belgium. Dividing his time between consultancy, training & third-party auditing on an international scale, Stefan remains in touch with the issues of today, allowing him to assist clients in their needs for information security and data privacy.
Date: November 9, 2022
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/isoiec-270022022--information-security-cybersecurity-and-privacy-protection
https://pecb.com/article/isoiec-27001---what-are-the-main-changes-in-2022
https://pecb.com/article/investing-in-information-security-awareness
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
Whitepaper: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
Improve Cybersecurity posture by using ISO/IEC 27032 (PECB)
Cybersecurity is a universal concern across today's enterprise, and a strategic approach is required for appropriate mitigation.
Adopting ISO 27032 will help to:
• Understand the nature of Cyberspace and Cybersecurity
• Explore the Cybersecurity Ecosystem – Roles & Responsibilities
• Achieve Cyber Resilience through implementing defensive and detective cybersecurity controls
Presenter:
Obadare Peter Adewale is a first generation and visionary cyberpreneur. He is a PECB certified Trainer, Fellow Chartered Information Technology Professional, the First Licensed Penetration Tester in Nigeria, second COBIT 5 Assessor in Africa and PCI DSS QSA. He is also an alumnus of Harvard Business School and MIT Sloan School of Management Executive Education.
Link of the recorded session published on YouTube: https://youtu.be/NX5RMGOcyBM
2022 Webinar - ISO 27001 Certification.pdf (ControlCase)
ControlCase Introduction
What is ISO 27001?
What is ISO 27002?
What is ISO 27701, ISO 27017, & ISO 27018?
What is an ISMS?
What is ISO 27001 Certification?
Who Needs ISO 27001?
What is Covered in ISO 27001?
How Many Controls in ISO 27001?
What is the ISO 27001 Certification Process?
How Often Do You Need ISO 27001 Certification?
What are the Challenges to ISO 27001 Compliance?
Why ControlCase?
In the age of technology, information security has come to play the biggest role in repelling and preventing any cyber attack to which the various state systems may be exposed, and also in protecting operational systems from any attempt at unauthorized access for improper purposes.
In our networked world, everyone benefits from cyber defense programs. At the individual level, for example, a cybersecurity attack can lead to identity theft, extortion attempts, or the loss of important data such as family photos. Communities also depend on critical infrastructure such as power plants, hospitals, and financial services companies, so securing these and other organizations is essential to keep our society functioning safely and normally.
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and... (PECB)
According to Technavio's latest market research report, the data security market value will grow by $2.85 Billion during 2021-2025.
To secure their data, organizations can use the CIA triad, a data security model developed to help the data security market and people deal with various IT security parts.
The webinar covers:
• Overview Of CIA
• Description of Data Governance vs Information Security vs Privacy
• Relationship of CIA to Data Governance
• Relationship of CIA to Information Security
• Relationship of CIA to Privacy
• How to Implement and Maintain the CIA model (e.g., PDCA, etc.)
Presenters:
Anthony English
Our presenter for this webinar is Anthony English, one of the top cybersecurity professionals in Atlantic Canada with extensive Canadian and International experience in cybersecurity covering risk assessment, management, mitigation, security testing, business continuity, information security management systems, architecture security reviews, project security, security awareness, lectures, presentations and standards-based compliance.
Date: November 17, 2021
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/iso-27001-information-technology--security-techniques-information-security--management-systems---requirements
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701
Webinars: https://pecb.com/webinars
Articles: https://pecb.com/article
Whitepapers: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
Youtube video: https://youtu.be/eA8uQhdLZpw
Website link: https://pecb.com/
Hacking methods and mechanisms, the most important international hacking attacks, examples of each country's cyber armies, as well as information about the information security center and the most important information security certifications.
The meaning of risk
Risk is one of the most important vital problems that materially affect projects, so we must understand and know the meaning of the word "risk" in a scientific way, because an increase in risk turns into a problem.
Risk: a link between the probability of an event occurring and the consequences of its occurrence.
Risk management: the process of identifying, analyzing, responding to, tracking and reporting on risks.
This study addresses the state of e-learning implementation in the Arab world. It is presented by the e-learning and e-publishing expert Dr. Adel Khalifa, and examines the actual situation of applying e-learning in the Arab world and the desired future.
Information Security assessment of companies in Germany, Austria and Switzerland, February 2015.
Every day, critical security incidents show the drastic extent of "successful" cyber attacks on organizations in terms of monetary and material loss. With the increasing use of digital technologies and the growing spread of mobile and IoT, cyber security is becoming a key factor for companies' successful digital transformation. To analyze current challenges, trends and the maturity of companies' information security, Capgemini Consulting DACH conducted a survey in Germany, Austria and Switzerland. The 2014 Information Security Benchmarking Study shows that information security is insufficiently embedded in most companies' business strategy and operations to effectively safeguard organizations against current cyber threats.
https://www.de.capgemini-consulting.com/resources/information-security-benchmarking
The ISO27001 standard was revised and a new version was published in 2013. ISO27001 is also becoming a more common information security standard among service providers. This presentation focuses on the changes in the 2013 version and on the process for implementing and getting certified for ISO27001.
Following are the key objectives of this presentation:
Provide an introduction to ISO27001 and changes in 2013 version
Discuss the implementation approach for an Information Security Management System (ISMS) framework
Familiarize the audience with some common challenges in implementation
In this article I will provide an overview of the new Information Security Management System standard ISO/IEC 27001:2013, which was published only a few days earlier.
ISO/IEC 27001:2013 provides requirements for establishing, implementing, maintaining and continually improving an Information Security Management System.
ISO/IEC 27001:2013 gives an organization a complete information security management framework for implementing and maintaining security.
In this article I try to shed some light on the new standard and its mandatory requirements, optional requirements, structure, benefits, certification process and the estimated time for implementation and certification.
Introduction to distance learning: translation of a chapter from a foreign book (arwa88)
Introduction to distance learning and blended learning
Chapter seven of the book
PART III Linking to Learn: Technology tools and Strategies.
Course: Innovations in educational technology
Translated and prepared by:
Arwa Abdulkarim Al-Ghamdi
Presented to:
Dr. Dania Abdulaziz Al-Abbasi
Peace be upon you, and God's mercy and blessings
This work was prepared by the students
Naif Al-Ghamdi
ID: 442140247
Moataz Youssef Al-Bouq
ID: 442140267
We hope it meets with your satisfaction and approval
Please accept my regards
#تواصل_تطوير
Lecture No. 197
Engineer / Mohamed El-Shamy
Lecture title
Information Security: Basic Concepts
Saturday, 04 February 2023
7:00 pm Cairo time
8:00 pm Makkah time
Attendance is via the Zoom application through the link
https://us02web.zoom.us/meeting/register/tZYuf-utrTIoH9LHZt6AxN_pd8TcTJCsPDpn
Note that the lecture is also streamed live on the channels of the Egyptian Engineers Association
We hope to succeed in presenting what benefits the engineer and the engineering profession in our Arab world
God grant success
To contact the initiative's management via the Telegram channel
https://t.me/EEAKSA
Follow the initiative and the live broadcast through our various channels
LinkedIn and e-library link
https://www.linkedin.com/company/eeaksa-egyptian-engineers-association/
Twitter channel link
https://twitter.com/eeaksa
Facebook channel link
https://www.facebook.com/EEAKSA
YouTube channel link
https://www.youtube.com/user/EEAchannal
General registration link for the lectures
https://forms.gle/vVmw7L187tiATRPw9
Note: free attendance certificates are available to those who register through the evaluation link at the end of the lecture.
It is a broad term that covers a large set of activities in your company. It includes all (products – processes) carried out with the aim of (preventing access by unauthorized individuals – preventing modification of data – protecting resources).
Information security
Cyber terrorism
Cyber warfare
Cybercrime
The standards and procedures taken to prevent information from reaching the hands of unauthorized persons via communications, and to ensure its correctness.
The activities of Information Security Awareness Week were opened at the Ministry in the presence of Their Highnesses, Their Excellencies and distinguished guests. Below is the presentation that was given, titled "Information Security -- An Overview".
Types of cyber attacks
Means of protection
Access control systems (Access Control)
Authentication
Biometrics and their types
Authentication by two different methods (two-factor authentication)
5. Session objectives
• Awareness regarding ISO 27001
• Differentiating between a process-based security management system and a list of security controls or remediations.
7. What is Information Security?
• The quality or state of being secure: being free from danger.
• Security is achieved using several strategies simultaneously, or in combination with one another.
• Security is recognized as essential to protect vital processes and the systems that provide those processes.
• Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
7/15/2014 7
9. Information Security Triad…
Required by any business that handles information.
Confidentiality
• Access is restricted to a specific list of people. Examples are company plans, secret manufacturing processes, formulas, etc.
Integrity
• Safeguarding the accuracy and completeness of information and processing methods.
Availability
• Ensuring that authorized users have access to information when they need it.
19. Introduction to ISO 27001 & ISMS
ISO 27001 has been prepared to provide a model for:
Establishing
Implementing
Operating
Monitoring
Reviewing
Maintaining
and improving
a Risk based Information Security Management System (ISMS)
21. Published in TWO parts
• ISO 27001:2005: Specification for Information Security Management Systems
• ISO 17799:2005 (now ISO 27002): Code of Practice for Information Security Management
23. The benefits of certification are numerous and include:
1. Policies & procedures.
2. Assured continued due diligence.
3. Evaluations will be conducted by Certified Bodies.
4. Your ISMS will be audited against internationally accepted criteria, resulting in mutual recognition of the evaluation results: certifiable, proven, defensible, cost-effective, recognition of best practices in information security.
5. Assists organizational compliance with legal, regulatory, and statutory requirements.
Why a standard?
25. Business Case for ISMS
Study shows the most common sources of data leaks*:
Lost or stolen laptops, Personal Digital Assistants or memory sticks/thumb drives: 35% of all incidents studied
Records lost by third-party business partners or outsourcing companies: 24%
Misplaced or stolen backup files: 18%
Lost or stolen paper records: 13%
Usage of malware (spyware) programs: 10%
*U.S. companies that reported a breach.
[Ponemon Data Breach Study – October 2007 (US)]
27. Security Breaches
• Information security is an "organizational problem" rather than an "IT problem".
• More than 80% of threats are internal.
• More than 60% of culprits are first-time fraudsters.
• Biggest risk: people.
• Biggest asset: people.
• Social engineering is a major threat.
More than two-thirds express their inability to determine "whether my systems are currently compromised".
29. Security breaches lead to
• Reputation loss
• Financial loss
• Intellectual property loss
• Legislative breaches leading to legal action (Cyber Law)
• Loss of customer confidence
• Business interruption costs
LOSS OF GOODWILL
33. Where does it start? Security planning is a quantitative process which starts from information assets.
'Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected'
37. In order to determine the risks faced by information, we need to see what happens to information in the workplace.
• The three actors on information are:
• People
• Processes
• Technology
39. Information can be:
• Created
• Stored
• Destroyed
• Processed
• Transmitted
• Used (for proper & improper purposes)
• Corrupted
• Lost
• Stolen
• Printed or written
• Stored electronically
• Transmitted by post or using electronic means
• Shown on corporate videos
• Displayed / published on the web
• Verbal – spoken in conversations
41. People “Who we are”
People who use or interact with the Information include:
Share Holders / Owners.
Management.
Employees.
Business Partners.
Service providers.
Contractors.
Customers / Clients.
Regulators etc…
43. Process "what we do"
The processes refer to "work practices" or workflow. Processes are the repeatable steps to accomplish business objectives.
Typical processes in our IT infrastructure could include:
Helpdesk / Service management.
Incident Reporting and Management.
Change Requests process.
Request fulfillment.
Access management.
Identity management.
Service Level / Third-party Services Management.
IT procurement process etc...
47. Why documentation is required
ISO-27001 audit criteria:
An auditor audits the auditee against the three criteria below:
1. Legal and regulatory
2. ISO-27001:2005 standard
3. Organizational documents
Business advantage of documentation:
The intellect, skill and experience of the employees become the intellect, skill and experience of the organization, e.g. the manual switch-over of a server.
53. Control of Document
• All documents have to be controlled.
• The following information is essential to control a document:
• Title
• Type
• Issue status and version
• Page number & total number of pages
• Approval authority
• Issuing authority
• Issue date
• Document Code
55. Procedures
• A fixed, step-by-step sequence of activities or course of action, with definite start and end points, that must be followed in the same order to correctly perform a task. Repetitive procedures are called routines.
• Procedure documents:
• Control of Documents
• Risk Assessment
• Corrective & Preventive Action
• Data Backup
• Patch Management
• Internal Audit
57. Standards
• General: a written definition, limit, or rule, approved and monitored for compliance by an authoritative agency or professional or recognized body as a minimum acceptable benchmark.
• Standards may be classified as:
• Government or statutory agency standards and specifications enforced by law,
• Proprietary standards developed by a firm or organization and placed in the public domain to encourage their widespread use, and
• Voluntary standards established by consultation and consensus and available for use by any person, organization, or industry.
• Standard documents:
– Access Control
– Asset Management
– Backup & Restoration
– Data Transmission
– Data Classification
– Data Encryption
– Data Handling
– Employee Conduct
– Event Logging
– Firewall
– Network Application
– Network Security
– Physical Security
– Teleworking
59. Plan
• Written account of intended future course of action scheme aimed at
achieving specific goal(s) or objective(s) within a specific timeframe. It
explains in detail what needs to be done, when, how, and by whom, and
often includes best case, expected case, and worst case scenarios.
• Plan Documents
• Business Continuity Plan
• Change Control Plan
• Incident Response Plan
• Internal Audit Plan
• Security Awareness Plan
• Vendor Implementation Plan
• Vulnerability Assessment
61. Guideline
• Intended to answer specific questions.
• Contains information on questions concerning the directive it supports.
• Intended to provide orientation and help in meeting the requirements of the directive.
• Draft guidelines are developed by professional drafters and subjected to internal comment and review by other experts.
• Guideline documents:
• Access Control Guideline
• Data Protection Guideline
• Email Security Guideline
• Password Control Guideline
• Routing Guideline
• Security Guideline
• WLAN Guideline
63. Operational Forms
• Operational forms are the set of procedure and permission forms that must be filled in whenever a non-standard (non-recommended) action is taken.
65. Records (Evidences)
• The organisation needs to maintain records to provide
evidence of conformities to requirements and to determine the
effectiveness of ISMS.
• Should be simple and legible.
• Should be used for the continual improvement of ISMS.
• Should be organized and manageable.
• Should be maintained in any form.
67. Effective Documentation
• Clear
• Concise
• User friendly
• Use short sentences starting with a verb
• Avoid using the passive voice; make it clear who is performing the task
• Use white space for easy reading
• Precise and as much as needed
• Work instructions written for virtually everything
• No overlap and repetition
73. ISO 27001 - Scope
ISO 27001 provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS).
The adoption of an ISMS should be a strategic decision for an organization. The design and implementation of an organization’s ISMS is influenced by its needs and objectives, security requirements, the processes employed and the size and structure of the organization.
These and their supporting systems are expected to change over time. It is expected that an ISMS implementation will be scaled in accordance with the needs of the organization, e.g. a simple situation requires a simple ISMS solution.
The ISO 27001 Standard can be used to assess conformance by interested internal and external parties.
75. Management Support
• Management should actively support security within the
organization through clear direction, demonstrated commitment,
explicit assignment, and acknowledgment of information security
responsibilities.
• Management should approve the information security policy,
assign security roles and co-ordinate and review the
implementation of security across the organization.
77. Inventory of Assets
• All assets should be clearly identified and an inventory of all
important assets drawn up and maintained.
• The asset inventory should include all information necessary in
order to recover from a disaster, namely:
• Type of asset;
• Format (i.e. Information, software, physical, services, people,
intangibles)
• Location;
• Backup information;
• License information;
• Business value.
79. Risk Assessment
• Risk assessments should identify, quantify, and prioritize risks against criteria
for risk acceptance and objectives relevant to the organization.
• The results should guide and determine the appropriate management action
and priorities for managing information security risks and for implementing
controls selected to protect against these risks.
• The process of assessing risks and selecting controls may need to be
performed a number of times to cover different parts of the organization or
individual information systems.
• Risk assessment should include the systematic approach of estimating the
magnitude of risks (risk analysis) and the process of comparing the
estimated risks against risk criteria to determine the significance of the risks
(risk evaluation).
• The information security risk assessment should have a clearly defined scope
in order to be effective and should include relationships with risk
assessments in other areas, if appropriate.
81. Conduct Risk Assessment and Prepare Risk Treatment Plan
• The organisation should formulate a risk treatment plan (RTP) that
identifies the appropriate management action, resources,
responsibilities and priorities for managing information security
risks.
• The RTP should be set within the context of the organization's
information security policy and should clearly identify the approach
to risk and the criteria for accepting risk.
• The RTP is the key document that links all four phases of the Plan,
Do, Check, Act (PDCA) cycle for the ISMS.
83. Prepare Statement of Applicability
• A Statement of Applicability (SOA) is a document that lists an
organization’s information security control objectives and controls.
• The SOA is derived from the results of the risk assessment, where:
• Risk treatments have been selected;
• All relevant legal and regulatory requirements have been
identified; Contractual obligations are fully understood;
• A review of the organization’s own business needs and requirements has been carried out.
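The chain described on slides 77 to 83 (asset inventory with business value, risk analysis and risk evaluation against acceptance criteria, a risk treatment plan, and a Statement of Applicability derived from it) can be walked through end to end with a small risk register. The following is an added illustration written for this page, not code from the deck or from any ISO 27001 toolkit; the assets, threats, 1-to-5 scales, the acceptance threshold of 8 and the treatment catalogue are all constructed assumptions, and only the Annex A domain numbers and names listed later in the deck (2005 edition) are taken from the page.

```python
"""Toy ISO 27001-style workflow: inventory -> risk analysis/evaluation -> RTP -> SOA.

Constructed example for illustration. Scales (1..5), the acceptance threshold and
the treatment catalogue are assumptions, not values from ISO/IEC 27001:2005.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed risk acceptance criterion: any score above this must be treated.
RISK_ACCEPTANCE_THRESHOLD = 8

# Annex A domains as listed in the deck (ISO/IEC 27001:2005 numbering).
ANNEX_A_DOMAINS = {
    "A.10": "Communications and operations management",
    "A.11": "Access control",
    "A.13": "Information security incident management",
    "A.14": "Business continuity management",
}


@dataclass
class Asset:
    """Inventory entry carrying the fields the deck lists as needed for recovery."""
    name: str
    asset_type: str        # information, software, physical, services, ...
    location: str
    backup: str
    business_value: int    # 1 (low) .. 5 (critical); used as the impact score


@dataclass
class Risk:
    asset: Asset
    threat: str
    likelihood: int                          # 1 (rare) .. 5 (almost certain)
    control_domain: Optional[str] = None     # Annex A domain chosen as treatment
    residual_likelihood: Optional[int] = None

    @property
    def score(self) -> int:
        """Risk analysis: estimate the magnitude as likelihood x impact."""
        return self.likelihood * self.asset.business_value

    @property
    def acceptable(self) -> bool:
        """Risk evaluation: compare the estimate against the acceptance criterion."""
        return self.score <= RISK_ACCEPTANCE_THRESHOLD

    @property
    def residual_score(self) -> int:
        """Magnitude after the selected treatment (unchanged if none selected)."""
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        return lik * self.asset.business_value


# Constructed asset inventory (sample data, not any real organisation).
ASSETS = {
    "Customer database": Asset("Customer database", "information", "DC-1", "nightly", 5),
    "Public website": Asset("Public website", "software", "DC-1", "weekly", 3),
    "Office laptops": Asset("Office laptops", "physical", "HQ", "none", 2),
}

# Constructed treatment catalogue: threat -> (Annex A domain, likelihood after treatment).
TREATMENTS = {
    "Unauthorised access through weak credentials": ("A.11", 1),
    "Data loss with no usable backup": ("A.10", 1),
    "Denial of service outage": ("A.10", 2),
    "Theft of laptop": ("A.11", 1),
    "Flood at data centre": ("A.14", 1),
}


def build_risk_register() -> List[Risk]:
    """Constructed register: (asset, threat, estimated likelihood) triples."""
    rows = [
        ("Customer database", "Unauthorised access through weak credentials", 3),
        ("Customer database", "Data loss with no usable backup", 2),
        ("Customer database", "Flood at data centre", 1),
        ("Public website", "Denial of service outage", 3),
        ("Office laptops", "Theft of laptop", 3),
    ]
    return [Risk(ASSETS[a], t, lik) for a, t, lik in rows]


def risk_treatment_plan(risks: List[Risk]) -> List[Risk]:
    """Select a treatment for every risk above the criterion; accepted risks stay untreated.

    Raises if a chosen treatment still leaves the residual risk above the criterion,
    so an inadequate control cannot silently enter the plan.
    """
    plan = []
    for risk in risks:
        if risk.acceptable:
            continue
        domain, residual = TREATMENTS[risk.threat]
        risk.control_domain, risk.residual_likelihood = domain, residual
        if risk.residual_score > RISK_ACCEPTANCE_THRESHOLD:
            raise ValueError(f"treatment for '{risk.threat}' leaves risk unacceptable")
        plan.append(risk)
    return plan


def statement_of_applicability(plan: List[Risk]) -> Dict[str, dict]:
    """Derive the SOA: a domain is applicable only if some treated risk selected it."""
    soa = {}
    for code, name in ANNEX_A_DOMAINS.items():
        reasons = [f"{r.asset.name}: {r.threat}" for r in plan if r.control_domain == code]
        soa[code] = {"name": name, "applicable": bool(reasons),
                     "justification": "; ".join(reasons) or "no unacceptable risk identified"}
    return soa


if __name__ == "__main__":
    register = build_risk_register()
    for r in register:
        print(f"{r.asset.name:18} {r.threat:45} score={r.score:2} accept={r.acceptable}")
    rtp = risk_treatment_plan(register)
    for r in rtp:
        print(f"RTP: {r.threat} -> {r.control_domain}, residual={r.residual_score}")
    for code, entry in statement_of_applicability(rtp).items():
        print(f"SOA {code} {entry['name']}: applicable={entry['applicable']} ({entry['justification']})")
```

The point the code makes is the traceability the deck asks for on slide 91: every applicable domain in the SOA is justified by a named risk in the treatment plan, every plan entry comes from a register row that failed the acceptance test, and the residual check stops a treatment that does not actually bring the risk within the criterion.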
85. PDCA Model
• The "Plan-Do-Check-Act" (PDCA) model is applied to structure all ISMS processes.
• The diagram illustrates how an ISMS takes as input the information security requirements and expectations of the interested parties and, through the necessary actions and processes, produces managed information security outcomes that meet those requirements and expectations.
87. PDCA Model
• Plan (establish the ISMS): Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization’s overall policies and objectives.
• Do (implement and operate the ISMS): Implement and operate the ISMS policy, controls, processes and procedures.
• Check (monitor and review the ISMS): Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience and report the results to management for review.
• Act (maintain and improve the ISMS): Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.
89. ISMS Implementation Programme
• Implement the risk treatment plan in order to achieve the
identified control objectives, which includes consideration of
funding and allocation of roles and responsibilities.
• Implement controls selected during establishing the ISMS to meet
the control objectives.
• Define how to measure the effectiveness of controls, to allow managers and staff to determine how well controls achieve the planned control objectives.
• Implement training and awareness programmes.
91. The ISMS Controls
• It is important to be able to demonstrate the relationship from the
selected controls back to the results of the risk assessment and risk
treatment process, and subsequently back to the ISMS policy and
objectives.
• The ISMS documentation should include:
• Documented statements of the ISMS policy and objectives;
• The scope of the ISMS;
• Procedures and controls in support of the ISMS;
• A description of the risk assessment methodology;
• The risk assessment report;
• The risk treatment plan;
• Documented procedures needed by the organization to ensure the
effective planning, operation and control of its information security
processes and describe how to measure the effectiveness of controls;
• Records required by the Standard;
• The Statement of Applicability.
93. ISO 27001 General Clauses
4 Information security management system
4.1 General requirements
4.2 Establishing and managing the ISMS
4.2.1 Establish the ISMS
4.2.2 Implement and operate the ISMS
4.2.3 Monitor and review the ISMS
4.2.4 Maintain and improve the ISMS
4.3 Documentation requirements
4.3.1 General
4.3.2 Control of documents
4.3.3 Control of records
5 Management responsibility
5.1 Management commitment
5.2 Resource management
5.2.1 Provision of resources
5.2.2 Training, awareness and competence
6 Internal ISMS audits
7 Management review of the ISMS
7.1 General
7.2 Review input
7.3 Review output
8 ISMS improvement
8.1 Continual improvement
8.2 Corrective action
8.3 Preventive action
95. ISO 27001 Annex A (normative)
A.5 Information Security Policy
A.6 Organization of Information Security
A.7 Asset Management
A.8 Human Resource Security
A.9 Physical & Environmental Security
A.10 Communication and Operations Management
A.11 Access Control
A.12 Systems Acquisition, Development & Maintenance
A.13 Security Incident Management
A.14 Business Continuity Management
A.15 Compliance
97. ISO 27001 Annex A (normative)
A.5 Security policy (1/2)
A.6 Organization of information security (2/11)
A.7 Asset management (2/5)
A.8 Human resources security (3/9)
A.9 Physical and environmental security (2/13)
A.10 Communications and operations management (10/32)
A.11 Access control (7/25)
A.12 Information systems acquisition, development and maintenance (6/16)
A.13 Information security incident management (2/5)
A.14 Business continuity management (1/5)
A.15 Compliance (3/10)
Total: 39 control objectives, 133 controls
99. 1. Security Policy
• Scope: Acceptable ‘Use’ Policy for Employees, Users and Management
• Commitment: Single Policy for the Entire Organisation & Management Commitment
• Objectives: Achieve a High Level of Confidentiality, Data Integrity and Protection
101. 2. Organization of Information Security
• Security Organisation
• Responsibilities: Assignment of roles according to the area of professional practice
• Leadership: Chief Information Security Officer (CISO), Security Group Leader(s)
• Security Teams: Incident Response Team, Change Control Team, Disaster Recovery Team
103. 3. Asset Management
• Asset Classification & Control
• Inventory: Electronic tags on all assets, barcodes and database management
• Ownership: Assignment of an asset controller; custodianship of assets in use
• Protection: Asset location, ownership and regular inventory audit, internally and externally
107. 4. Human Resource Security
• HR Security
• Job descriptions: Security assignment as an add-on role for all employees
• Recruitment screening: Police clearance for personal character check before hiring employees
• Security training: Handing over the security policy, awareness training & the type of response reporting
111. 5. Physical & Environmental Security
• Authorisation: Setting up the levels of access, classifying areas of operations in groups
• Access control: Biometric appliances, security guards, proximity cards and visitor badges
• Surveillance: Centrally controlled surveillance cameras, CCTV
115. 6. Communication and Operations Management
• Operating procedures: Procedures that answer “What to do when the incident occurs?”
• Assignment of tasks: Separation of duties in the tasks of employees (“Who does what”)
• Capacity planning: Regular monitoring of system resources and bandwidth in use
119. 7. Access Control
• Authentication: Password management, access tokens and single sign-on through LDAP
• Authorisation: Restricting users’ access to certain network services and setting up user privileges
• Accounting: Maintaining a record of connection time, number of transfers and duration
121. 8. Information Systems Acquisition, Development and Maintenance
• System development and maintenance
• Intrusion detection system: Network-based IDS, host-based IDS, data integrity checker
• Firewalls: Stateful packet filtering, content filtering and proxying, NAT & routing
• Physical security: Deputing security guards, duress alarms, biometrics & laser lights
127. 10. Business Continuity Management
• Risk assessment: Studies of natural and man-made disasters, e.g. lightning, flood, terrorism, bomb threats, etc.
• Planning: Incident response planning, emergency fallback and resumption procedures
• Execution & recovery: Using a remote DRP site; restoring operations and recovering data from backup media
131. 11. Compliance
• Pre-audit: All procedures and processes should be based on “best practice” and checked by a professional body
• External audit: A third-party independent auditor can check & endorse the compliance, e.g. BSI auditors, ISO auditors
• Maintenance: Audit at regular intervals, e.g. yearly, to maintain the compliance requirement
133. Compliance Review and Corrective Actions
• Management shall review the organization’s ISMS at planned
intervals (at least once a year) to ensure its continuing suitability,
adequacy and effectiveness.
• This review shall include assessing opportunities for improvement
and the need for changes to the ISMS, including the information
security policy and information security objectives.
• The results of the reviews shall be clearly documented and records
shall be maintained.
• This is carried out during the ‘Check’ phase of the PDCA cycle and
any corrective actions managed accordingly.
135. Pre-Certification Assessment
• Prior to the external audit the information security adviser should
carry out a comprehensive review of the ISMS and SOA.
• No audit can take place until sufficient time has passed for the
organization to demonstrate compliance with both the full PDCA
cycle and with clause 8 of ISO 27001, the requirement for continual
improvement.
• Auditors will be looking for evidence that the ISMS is continuing to
improve, not merely that it has been implemented.
137. Certification Audit
Certification involves the assessment of an organization’s ISMS. ISMS certification
ensures that the organization has undertaken a risk assessment and has identified and
implemented a system of management controls appropriate to the information security
needs of the business.
Evidence that an organization is conforming to the Standard, and any supplementary
documentation, will be presented in the form of a certification document or certificate.
A certification body needs to satisfy itself that the organization’s information security risk assessment properly reflects its business activities and extends to the boundaries and interfaces of its activities as defined in the Standard.
Certification bodies should confirm that this is reflected in the organization’s risk
treatment plan and its Statement of Applicability.
139. Audit Process Flow
• Informal / Option: Pre-Assessment (Gap Analysis)
- Status of implementation
- Option, not mandatory
- Processes not fully covered
- Duration by request
• Formal Requirement, Stage 1: Documentation Review
- SOA
- Security Policy / Objectives
- Security Manual / SOPs
- Risk Assessment Report
- Treatment Plan
- Countermeasures
- Residual Risks
- BCM / BCPs
• Formal Requirement, Stage 2: Onsite Audit
- Full process & clauses
- Compliance of requirements
- Process approach
- Sample technique
- Evidence of operation of house rules
• Major N/C -> Close Out -> Recommend -> Award
• Onsite Surveillances (V2, V3, V4, V5, V6); Combine or Joint Audit
- Prove continual effectiveness
- Combine or joint audit
• Renewal
141. Continual Improvement
• The organization shall continually improve the effectiveness of the
ISMS through the use of:
• The information security policy;
• Information security objectives;
• Audit results;
• Analysis of monitored events;
• Corrective and preventive actions;
• Management review.
143. References
• A - BS ISO/IEC 27001:2005 (ISO 27001) - Information technology - Security techniques - ISMS Requirements
• B - BS ISO/IEC 27002:2005 (ISO 27002) - Information technology - Security techniques - Code of practice for Information Security Management
• C - Alan Calder/Steve Watkins (2007) - IT Governance: A Manager’s Guide to Data Security and BS 7799/ISO 17799 (3rd Edition) - Kogan Page Publishing