Uploaded bycomstarndt
PPTX, PDF212 views

ISMS End-User Training Presentation.pptx

The document outlines the implementation of an Information Security Management System (ISMS) based on ISO 27001:2013, detailing risks associated with poor security practices and the necessity of protecting information assets. It includes real-world incidents of data breaches and fraud, emphasizing the importance of confidentiality, integrity, and availability in information security. The document also describes the framework, requirements, and risk management processes involved in establishing an effective ISMS to safeguard organizational assets.

Technology
Related topics:
Information Security

Embed presentation

Download to read offline
June, 2022 Information Security Management System – ISO 27001:2013 ICT End-User Presentation
Agenda ISMS – ISO 27001:2013 Information & Information Security User Responsibility ISMS Implementation Q&A
3 Incidents…… Patient Health Information (PHI) of patients of Diatherix, providing clinical laboratory testing services was accessed by unauthorised external entity. Exposed Information included patient name, account number, address, date of test, insurance information and insured information Three persons indicted for their involvement in an International cybercrime scheme that used stolen information from banks, businesses and government agencies to steal $15 million. Tennessee Electric Company Inc., d.b.a. TEC Industrial Maintenance & Construction, in July filed a complaint against TriSummit Bank, a $278 million institution based in Tennessee for a series of fraudulent payroll drafts sent from TEC's account in 2012. TEC says the bank failed to have those ACH transactions approved by the utility before they were transmitted.
 The internet allows an attacker to attack from anywhere on the planet.  Risks caused by poor security knowledge and practice:  Data/ information breach  Unavailability of data/information  Unavailability of system, internet, application etc.  Identity Theft  Monetary Theft  Legal Ramifications (for yourself and companies) Why Information Security?
Solution to such situations.....?? Information Security Management System – ISO 27001
Information & Information Security 6
What is Information Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected What is Information…
Information exists in many forms
9 Information can be…. Printed or written on paper Stored Electronically Transmitted by post/ courier or electronically Shown on corporate video Displayed / published on web Verbal – spoken in conversation Whatever form the information takes or means by which it is shared or stored, it should always be appropriately protected Transmitted through an individual
10 Information Lifecycle  Create  Store  Distribute (to authorized persons)  Modify (by authorized persons)  Archive  Delete (electronic) or Dispose (paper, disk, etc) Information may need protection through its entire lifecycle including deletion or disposal
Why Information Assets are the most important?  Business Requirements – Client / customer / stakeholder – Marketing – Trustworthy – Internal management tool  Legal Requirements – Revenue Department – Qatar Stock Exchange – Copyright, patents, ….  Contractual Security Obligations – Intranet connections to other BU – Extranets to business partners – Remote connections to staff – VPN – Customer networks – Supplier chains – SLA, contracts, outsourcing arrangement – Third party access
What is Information Security? “Information security is protecting the information through preserving their Confidentiality, Integrity and Availability along with the authenticity and reliability”
In some organizations integrity and/or availability may be more important than confidentiality Information Security is preservation of Confidentiality Ensuring that information is available only to those with authorized access. Integrity Safeguarding the accuracy and completeness of information and information processing methods and facilities Availability Ensuring authorized users have access to information when required 15 Information Security Triads/Components –CIA
Information is not made available to unauthorized individuals, entities or processes; Confidentiality Measures include encryption, social engineering best practices, Access rights, Secured storage, etc Safeguarding the accuracy and completeness of assets Integrity Measures include Access controls, Backups, etc. Asset being accessible and usable upon demand by authorized entity Availability Measures include Disaster Recovery Plan, Redundancy, High Availability, etc. Information Security Triads/Components – CIA
Information Security Management System –ISO 27001:2013 15
Information Security Management System
ISO 27001:2013 Information Security Management System Information Security Management System (ISMS) is :  That part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security  A management process  Not a technological process The purpose of an Information Security Management System is to secure an organization’s Information Assets by identifying, assessing and managing Risks resulting from Threats exploiting Vulnerabilities.
Introduction to ISO 27001:2013 standard  ISO 27001 is the international standard that provides requirements for safeguarding an organization’s asset  ISO 27001:2005 was the first ISO standard for information security  ISO 27001:2013 was published on 25th September, 2013  Comprehensive set of Clauses and Controls comprising best practices in information security  A framework for building a risk based information security management system
ISO 27001:2013 Features Focus on continual improvement process Plan-Do-Check-Act Process Model Process based approach Scope covers Information Security not only IT Security 14 Domains, 35 Control Objectives and 114 Controls Covers People, Process & Technology
ISO 27001:2013 Requirements Requirements Clause 4 – Context of the organization Clause 5 – Leadership Clause 6 – Planning Clause 7 – Support Clause 8 – Operation Clause 9 – Performance Evaluation Clause 10 – Improvement Like other management system standards, ISO 27001:2013 has 10 clauses…. Additionally, ISO 27001:2013 has Controls in Annex A with 14 Domains, 35 Control Objectives & 114 Controls
21 A.5 Security Policy A.6 Organisation of Information Security A.7 Human Resources Security A.8 Asset Management A.9 Access Control A.10 Cryptography A.11 Physical and Environmental Security A.17 Information Security Aspects of BCM A.13 Communications Security A.14 System Acquisition, Development and Maintenance A.15 Supplier Relationships A.16 Information Security Incident Management A.12 Operations Security A.18 Compliance 14 Domains 35 Control Objectives 114 Controls Control Objectives & Controls (Annexure A of ISO 27001:2013) Availability INFORMATION
ISMS Implementation 22
Risk Management – The critical first step in ISO 27001 implementation RISK = ASSET VALUE X PROBABILITY X IMPACT Risk is the possibility that a threat exploits a vulnerability in an information asset, leading to an adverse impact on the organization
Information Assets & Types  Software  IT Hardware (Physical Assets)  Persons who support and use the IT system  Processes & support processes that deliver products and services  IT and other Infrastructure of the organization  System interfaces (internal and external connectivity)  Electronic media and, above all Data and Information An asset is any tangible or intangible thing or characteristic that has value to an organization
Classification of Information Asset Public Non-Sensitive Information Available for external release.. Examples include periodicals, bulletins, financial statements, press releases, etc. Internal/Protected Information that is generally available to employees and approved non-employees such as contractors, trainees. Examples include Staff memos, news letters, staff awareness program documentation or bulletins, etc. Confidential Information that is sensitive & related to project & personnel, is intended for use by employees, customer and approved non-employees such as contractors, trainees can be printed in hard copy format only with the approval of HODs. Examples include personal information, business plans, unpublished financial statements, etc. Restricted Information that is highly sensitive within and outside organization, Shall be applied to the documented information Leakage of which can cause damage to organization Security.Examples include Design documents , drawings, contracts etc.
Information Security Risk Assessment  Inherent Risk = Asset Value X Threat Value X Vulnerability Value X Probability Value X Impact Value  Asset Inventory  Asset Classification  Asset Value: Confidentiality Value + Integrity Value + Availability Value (each value will be assigned on a scale of 1 to 3, where 1 is low, 2 is medium & 3 is high)  Existing Controls Effectiveness will be assigned on a scale of 1 to 3, where  Treatment of Risk if it is Unacceptable  Risk Priority Number = Inherent Risk /Existing Controls Effectiveness  Residual Risk if risk is High or Moderate – will be signed by Management or Risk Owner
What is a Threat  An Expression of intention to inflict evil injury or damage  Attacks against key security services – Confidentiality, Integrity & Availability  Threat means something bad is coming your way – High threat means it is highly likely to hit you and it will be very bad .
Q & A
Thank You!

More Related Content

PPTX
INFORMATION SECURITY
byAhmed Moussa
 
PPTX
ISMS User_Awareness Training.pptx
byMukesh Pant
 
PPTX
Iso 27001 isms presentation
byMidhun Nirmal
 
PPTX
ISO 27001 - Information security user awareness training presentation - part 3
byTanmay Shinde
 
PDF
GDPR and Security.pdf
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
What is ISO 27001 ISMS
byBusiness Beam
 
PPTX
ISMS Awareness Training (2) (1).pptx
byvasidharta
 
PDF
Iso 27001 Checklist
byCraig Willetts ISO Expert
 
INFORMATION SECURITY
byAhmed Moussa
 
ISMS User_Awareness Training.pptx
byMukesh Pant
 
Iso 27001 isms presentation
byMidhun Nirmal
 
ISO 27001 - Information security user awareness training presentation - part 3
byTanmay Shinde
 
GDPR and Security.pdf
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
What is ISO 27001 ISMS
byBusiness Beam
 
ISMS Awareness Training (2) (1).pptx
byvasidharta
 
Iso 27001 Checklist
byCraig Willetts ISO Expert
 

What's hot

PPTX
Information security
byLusungu Mkandawire CISA,CISM,CGEIT,CPF,PRINCE2
 
PPTX
What is iso 27001 isms
byCraig Willetts ISO Expert
 
PPTX
Identity and access management
byPiyush Jain
 
PDF
ISO/IEC 27001:2013 An Overview
byAhmed Riad .
 
PPTX
Iso iec 27001 foundation training course by interprom
byMart Rovers
 
PPT
IT System & Security Audit
byMufaddal Nullwala
 
PPTX
Iso 27001 awareness
byÃsħâr Ãâlâm
 
PDF
Isms awareness presentation
byPranay Kumar
 
PPTX
Implementing ISO27001 2013
byscttmcvy
 
PPTX
Structure of iso 27001
byCUNIX INDIA
 
PPTX
information security
byuniversity of karachi
 
PPTX
Security Policies and Standards
byprimeteacher32
 
PPT
Information security policy_2011
bycodka
 
PPT
Information System Security(lecture 1)
byAli Habeeb
 
PDF
Steps to iso 27001 implementation
byRalf Braga
 
PPT
ISO 27001 - Information Security Management System
byMuhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
PPTX
microsoft-cybersecurity-reference-architectures (1).pptx
byGenericName6
 
PPTX
Project plan for ISO 27001
bytechnakama
 
PPTX
Password Policy and Account Lockout Policies
byanilinvns
 
PPTX
Network defenses
byPrachi Gulihar
 
Information security
byLusungu Mkandawire CISA,CISM,CGEIT,CPF,PRINCE2
 
What is iso 27001 isms
byCraig Willetts ISO Expert
 
Identity and access management
byPiyush Jain
 
ISO/IEC 27001:2013 An Overview
byAhmed Riad .
 
Iso iec 27001 foundation training course by interprom
byMart Rovers
 
IT System & Security Audit
byMufaddal Nullwala
 
Iso 27001 awareness
byÃsħâr Ãâlâm
 
Isms awareness presentation
byPranay Kumar
 
Implementing ISO27001 2013
byscttmcvy
 
Structure of iso 27001
byCUNIX INDIA
 
information security
byuniversity of karachi
 
Security Policies and Standards
byprimeteacher32
 
Information security policy_2011
bycodka
 
Information System Security(lecture 1)
byAli Habeeb
 
Steps to iso 27001 implementation
byRalf Braga
 
ISO 27001 - Information Security Management System
byMuhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
microsoft-cybersecurity-reference-architectures (1).pptx
byGenericName6
 
Project plan for ISO 27001
bytechnakama
 
Password Policy and Account Lockout Policies
byanilinvns
 
Network defenses
byPrachi Gulihar
 

Similar to ISMS End-User Training Presentation.pptx

PPTX
Information security
byavinashbalakrishnan2
 
PPTX
ISO 27001 2022 REQUIREMENTS EXPLAINED 4.pptx
byJustinNickaf3
 
PDF
A to Z of Information Security Management
byMark Conway
 
PPT
ISMS Requirements
byhumanus2
 
PDF
Iso27001- Nashwan Mustafa
byFahmi Albaheth
 
PDF
Chapter 12 iso 27001 awareness
bynewbie2019
 
PDF
1678784047-mid_sem-2.pdf
byRimurutempest594985
 
PPTX
ISO27k Awareness presentation.pptx
byharigopala
 
PPTX
ISO27k_Awareness_presentation_v2xxxx.pptx
byimed11
 
PPTX
ISO27k Awareness presentation v2.pptx
byNapoleon NV
 
PPTX
Dancyrityshy 1foundatioieh
byAnne Starr
 
PPTX
Information Security Induction Training.pptx
byCelDeleon1
 
PPTX
Why ISO 27001 for an Organisation
bySyed Azher
 
PDF
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
byIGN MANTRA
 
PDF
Solve the exercise in security management.pdf
bysdfghj21
 
PDF
Iso 27001 2005- by netpeckers consulting
byIskcon Ahmedabad
 
PPTX
D1 security and risk management v1.62
byAlliedConSapCourses
 
PPTX
Presentation1 110616195133-phpapp01(information security)
byBonagiri Rajitha
 
PDF
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.
byIGN MANTRA
 
PPTX
Overview of ISO 27001 [null Bangalore] [Dec 2013 meet]
byn|u - The Open Security Community
 
Information security
byavinashbalakrishnan2
 
ISO 27001 2022 REQUIREMENTS EXPLAINED 4.pptx
byJustinNickaf3
 
A to Z of Information Security Management
byMark Conway
 
ISMS Requirements
byhumanus2
 
Iso27001- Nashwan Mustafa
byFahmi Albaheth
 
Chapter 12 iso 27001 awareness
bynewbie2019
 
1678784047-mid_sem-2.pdf
byRimurutempest594985
 
ISO27k Awareness presentation.pptx
byharigopala
 
ISO27k_Awareness_presentation_v2xxxx.pptx
byimed11
 
ISO27k Awareness presentation v2.pptx
byNapoleon NV
 
Dancyrityshy 1foundatioieh
byAnne Starr
 
Information Security Induction Training.pptx
byCelDeleon1
 
Why ISO 27001 for an Organisation
bySyed Azher
 
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
byIGN MANTRA
 
Solve the exercise in security management.pdf
bysdfghj21
 
Iso 27001 2005- by netpeckers consulting
byIskcon Ahmedabad
 
D1 security and risk management v1.62
byAlliedConSapCourses
 
Presentation1 110616195133-phpapp01(information security)
byBonagiri Rajitha
 
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.
byIGN MANTRA
 
Overview of ISO 27001 [null Bangalore] [Dec 2013 meet]
byn|u - The Open Security Community
 

Recently uploaded

PPTX
AI and Digital Transformation Solutions.
byBuildingblocks
 
PDF
Azure DevOps Managed Services: Driving Speed, Security, and Business Growth
byjohncarterjn
 
PPTX
AI in Marine Insurance Future of Smarter Risk, Faster Claims & Safer Shipping...
byAutomationEdge Technologies
 
PDF
MINDCTI Revenue Release Quarter 3 2025 - Financial Presentation
byMIND CTI
 
PDF
How PayPal Account Verification Works – Complete Guide for Online Businesses
byjhdhj3989
 
PPTX
Mastering SQL Server Replication: Types, Setup & Troubleshooting
byGeoPITS Global Pvt Ltd
 
PPTX
apidays Australia 2025 | Building AI RAG Applications with No Code.pptx
byapidays
 
PPTX
API Gateway Architecture - Technical Report 2026
byPowersoft2026
 
PDF
Deploying Windows Clients & Managing Identities
byVICTOR MAESTRE RAMIREZ
 
PPTX
Achieve enterprise automation with SAP BTP solutions and SAP Signavio
bydarrellkiwi
 
PDF
5G Explained! A High Level Overview [Introduction]
byLuciano Motta
 
PDF
apidays Australia 2025 | User Brainpower vs. AI Blind Spots in API Docs
byapidays
 
PPTX
AI Meets DBA Transforming Database Administration with Intelligence
byGeoPITS Global Pvt Ltd
 
PPTX
SOFTWARE DEVELOPMENT PROCESS - INTRODUCTION
byParithi Thamizh
 
PPTX
6G and Non-Terrestrial Networks (NTN) Testing.pptx
byXRComm
 
PDF
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
PDF
Ethical AI applied to publishing: Presenting wâsikan kisewâtisiwin, an AI too...
byBookNet Canada
 
PPTX
Strategic Shelf Planning for the New Year Turning Resolutions into Revenue .pptx
byAnoop Ashok
 
PDF
Kubernetes Cloud Native Indonesia Meetup - January 2026
byPrasta Maha
 
PPTX
Advance Computer Architecture Lecture 4.pptx
byBottshikanBottshikan
 
AI and Digital Transformation Solutions.
byBuildingblocks
 
Azure DevOps Managed Services: Driving Speed, Security, and Business Growth
byjohncarterjn
 
AI in Marine Insurance Future of Smarter Risk, Faster Claims & Safer Shipping...
byAutomationEdge Technologies
 
MINDCTI Revenue Release Quarter 3 2025 - Financial Presentation
byMIND CTI
 
How PayPal Account Verification Works – Complete Guide for Online Businesses
byjhdhj3989
 
Mastering SQL Server Replication: Types, Setup & Troubleshooting
byGeoPITS Global Pvt Ltd
 
apidays Australia 2025 | Building AI RAG Applications with No Code.pptx
byapidays
 
API Gateway Architecture - Technical Report 2026
byPowersoft2026
 
Deploying Windows Clients & Managing Identities
byVICTOR MAESTRE RAMIREZ
 
Achieve enterprise automation with SAP BTP solutions and SAP Signavio
bydarrellkiwi
 
5G Explained! A High Level Overview [Introduction]
byLuciano Motta
 
apidays Australia 2025 | User Brainpower vs. AI Blind Spots in API Docs
byapidays
 
AI Meets DBA Transforming Database Administration with Intelligence
byGeoPITS Global Pvt Ltd
 
SOFTWARE DEVELOPMENT PROCESS - INTRODUCTION
byParithi Thamizh
 
6G and Non-Terrestrial Networks (NTN) Testing.pptx
byXRComm
 
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
Ethical AI applied to publishing: Presenting wâsikan kisewâtisiwin, an AI too...
byBookNet Canada
 
Strategic Shelf Planning for the New Year Turning Resolutions into Revenue .pptx
byAnoop Ashok
 
Kubernetes Cloud Native Indonesia Meetup - January 2026
byPrasta Maha
 
Advance Computer Architecture Lecture 4.pptx
byBottshikanBottshikan
 

ISMS End-User Training Presentation.pptx

  • 1.
    June, 2022 Information SecurityManagement System – ISO 27001:2013 ICT End-User Presentation
  • 2.
    Agenda ISMS – ISO27001:2013 Information & Information Security User Responsibility ISMS Implementation Q&A
  • 3.
    3 Incidents…… Patient Health Information(PHI) of patients of Diatherix, providing clinical laboratory testing services was accessed by unauthorised external entity. Exposed Information included patient name, account number, address, date of test, insurance information and insured information Three persons indicted for their involvement in an International cybercrime scheme that used stolen information from banks, businesses and government agencies to steal $15 million. Tennessee Electric Company Inc., d.b.a. TEC Industrial Maintenance & Construction, in July filed a complaint against TriSummit Bank, a $278 million institution based in Tennessee for a series of fraudulent payroll drafts sent from TEC's account in 2012. TEC says the bank failed to have those ACH transactions approved by the utility before they were transmitted.
  • 4.
     The internetallows an attacker to attack from anywhere on the planet.  Risks caused by poor security knowledge and practice:  Data/ information breach  Unavailability of data/information  Unavailability of system, internet, application etc.  Identity Theft  Monetary Theft  Legal Ramifications (for yourself and companies) Why Information Security?
  • 5.
    Solution to suchsituations.....?? Information Security Management System – ISO 27001
  • 6.
  • 7.
    What is Information Informationis an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected What is Information…
  • 8.
  • 9.
    9 Information can be…. Printedor written on paper Stored Electronically Transmitted by post/ courier or electronically Shown on corporate video Displayed / published on web Verbal – spoken in conversation Whatever form the information takes or means by which it is shared or stored, it should always be appropriately protected Transmitted through an individual
  • 10.
    10 Information Lifecycle  Create Store  Distribute (to authorized persons)  Modify (by authorized persons)  Archive  Delete (electronic) or Dispose (paper, disk, etc) Information may need protection through its entire lifecycle including deletion or disposal
  • 11.
    Why Information Assetsare the most important?  Business Requirements – Client / customer / stakeholder – Marketing – Trustworthy – Internal management tool  Legal Requirements – Revenue Department – Qatar Stock Exchange – Copyright, patents, ….  Contractual Security Obligations – Intranet connections to other BU – Extranets to business partners – Remote connections to staff – VPN – Customer networks – Supplier chains – SLA, contracts, outsourcing arrangement – Third party access
  • 12.
    What is InformationSecurity? “Information security is protecting the information through preserving their Confidentiality, Integrity and Availability along with the authenticity and reliability”
  • 13.
    In some organizationsintegrity and/or availability may be more important than confidentiality Information Security is preservation of Confidentiality Ensuring that information is available only to those with authorized access. Integrity Safeguarding the accuracy and completeness of information and information processing methods and facilities Availability Ensuring authorized users have access to information when required 15 Information Security Triads/Components –CIA
  • 14.
    Information is not madeavailable to unauthorized individuals, entities or processes; Confidentiality Measures include encryption, social engineering best practices, Access rights, Secured storage, etc Safeguarding the accuracy and completeness of assets Integrity Measures include Access controls, Backups, etc. Asset being accessible and usable upon demand by authorized entity Availability Measures include Disaster Recovery Plan, Redundancy, High Availability, etc. Information Security Triads/Components – CIA
  • 15.
  • 16.
  • 17.
    ISO 27001:2013 Information SecurityManagement System Information Security Management System (ISMS) is :  That part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security  A management process  Not a technological process The purpose of an Information Security Management System is to secure an organization’s Information Assets by identifying, assessing and managing Risks resulting from Threats exploiting Vulnerabilities.
  • 18.
    Introduction to ISO27001:2013 standard  ISO 27001 is the international standard that provides requirements for safeguarding an organization’s asset  ISO 27001:2005 was the first ISO standard for information security  ISO 27001:2013 was published on 25th September, 2013  Comprehensive set of Clauses and Controls comprising best practices in information security  A framework for building a risk based information security management system
  • 19.
    ISO 27001:2013 Features Focuson continual improvement process Plan-Do-Check-Act Process Model Process based approach Scope covers Information Security not only IT Security 14 Domains, 35 Control Objectives and 114 Controls Covers People, Process & Technology
  • 20.
    ISO 27001:2013 Requirements Requirements Clause4 – Context of the organization Clause 5 – Leadership Clause 6 – Planning Clause 7 – Support Clause 8 – Operation Clause 9 – Performance Evaluation Clause 10 – Improvement Like other management system standards, ISO 27001:2013 has 10 clauses…. Additionally, ISO 27001:2013 has Controls in Annex A with 14 Domains, 35 Control Objectives & 114 Controls
  • 21.
    21 A.5 Security Policy A.6 Organisation of Information Security A.7 Human Resources Security A.8 Asset Management A.9 Access Control A.10 Cryptography A.11 Physicaland Environmental Security A.17 Information Security Aspects of BCM A.13 Communications Security A.14 System Acquisition, Development and Maintenance A.15 Supplier Relationships A.16 Information Security Incident Management A.12 Operations Security A.18 Compliance 14 Domains 35 Control Objectives 114 Controls Control Objectives & Controls (Annexure A of ISO 27001:2013) Availability INFORMATION
  • 22.
  • 23.
    Risk Management –The critical first step in ISO 27001 implementation RISK = ASSET VALUE X PROBABILITY X IMPACT Risk is the possibility that a threat exploits a vulnerability in an information asset, leading to an adverse impact on the organization
  • 24.
    Information Assets &Types  Software  IT Hardware (Physical Assets)  Persons who support and use the IT system  Processes & support processes that deliver products and services  IT and other Infrastructure of the organization  System interfaces (internal and external connectivity)  Electronic media and, above all Data and Information An asset is any tangible or intangible thing or characteristic that has value to an organization
  • 25.
    Classification of InformationAsset Public Non-Sensitive Information Available for external release.. Examples include periodicals, bulletins, financial statements, press releases, etc. Internal/Protected Information that is generally available to employees and approved non-employees such as contractors, trainees. Examples include Staff memos, news letters, staff awareness program documentation or bulletins, etc. Confidential Information that is sensitive & related to project & personnel, is intended for use by employees, customer and approved non-employees such as contractors, trainees can be printed in hard copy format only with the approval of HODs. Examples include personal information, business plans, unpublished financial statements, etc. Restricted Information that is highly sensitive within and outside organization, Shall be applied to the documented information Leakage of which can cause damage to organization Security.Examples include Design documents , drawings, contracts etc.
  • 26.
    Information Security RiskAssessment  Inherent Risk = Asset Value X Threat Value X Vulnerability Value X Probability Value X Impact Value  Asset Inventory  Asset Classification  Asset Value: Confidentiality Value + Integrity Value + Availability Value (each value will be assigned on a scale of 1 to 3, where 1 is low, 2 is medium & 3 is high)  Existing Controls Effectiveness will be assigned on a scale of 1 to 3, where  Treatment of Risk if it is Unacceptable  Risk Priority Number = Inherent Risk /Existing Controls Effectiveness  Residual Risk if risk is High or Moderate – will be signed by Management or Risk Owner
  • 27.
    What is aThreat  An Expression of intention to inflict evil injury or damage  Attacks against key security services – Confidentiality, Integrity & Availability  Threat means something bad is coming your way – High threat means it is highly likely to hit you and it will be very bad .
  • 28.
  • 29.