ISMS User_Awareness Training.pptx

By – MukeshPant
FIA TechnologyServicesPvt.Ltd.
ISO/IEC 27001:2013
Awareness Training
MukeshPant
FIA TechnologyServicesPvt.Ltd.

Agenda
 What is Information?
 What is Information Security?
 What is RISK?
 An Introduction to ISO 27001:2013
 ISMS @ Organization
 User Responsibilities

What is Information
Information is an asset that, like other important business assets, has value to an organization and consequently needs to
be suitably protected.
ISO 27000:2018

Information Types
Information can be in many forms, including:
 Digital form (e.g. data files stored on electronic or optical media),
 Material form (e.g. on paper)
 Unrepresented information in the form of knowledge of the employees.
 Shown on corporate videos
 Displayed / published on web
 Verbal – spoken in conversations
‘…Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately
protected’
(ISO 27000:2018)

InformationSecurity
What is Information Security?
 Safeguarding an organization’s information and Information processing facilities from unauthorized
access or modification to ensure its, Confidentiality, Integrity and Availability.
(ISO 27000:2018)

Property of being accessible and usable on
demand by an authorized entity
Property of accuracy and completeness
ISO27000:2018defines InformationSecurityas the preservationof:
C I A
Confidentiality Integrity Availability
Property that information is not made
available or disclosed to unauthorized
individuals, entities, or processes
INFORMATIONATTRIBUTES

InformationSecurity Benefits
 Helps Retain Customers and Win New Business
 Improves Information Security Processes and Strategies
 Ensures Implementation of Best Practices
 Promotes Compliance with Commercial, Contractual and Legal requirements
 Continuously Monitor and Prevent Risk
 Prepares your Organization for Long-term Success
BUSINESS SURVIVAL DEPENDSON INFORMATIONSECURITY

INFOSEC COMPONENTS
Organization’s Staff
PEOPLE
TECHNOLOGY
Technology Used by
Organization
Business Processes PROCESS

People who use or interact with the Information include:
 Share Holders / Owners
 Management
 Employees
 Business Partners
 Service providers
 Contractors
 Customers / Clients
 Regulators etc…
Diagram
PEOPLE (Who we are)
PEOPLE
STACK
HOLDERS
PEOPLE
PROCESS
TECHNOLOGY03

Diagram
PROCESS
The processes refer to "work practices" or workflow.
Processes are the repeatable steps to accomplish business
objectives. Typical process in our IT Infrastructure could
include:
 Helpdesk / Service management
 Incident Reporting and Management
 Change Requests process
 Request fulfillment
 Access management
 Identity management
 Service Level / Third-party Services Management
 IT procurement process etc...
PROCESS (What we do)
PEOPLE
PROCESS
TECHNOLOGY03

TECHNOLOGY
Network Infrastructure:
 Cabling, Data/Voice Networks and equipment
 Telecommunications services (PABX), ISDN , Video
Conferencing
 Server computers and associated storage devices
 Operating Software for server, Desktops & Laptops
 Communications equipment and related hardware.
 Intranet and Internet connections
 VPNs and Virtual environments
 Remote access services
 Wireless connectivity
Environmental management Systems:
 Ventilation , Air Conditioning, Fire Control systems
 Electricity / Power backup
TECHNOLOGY (“what we use to improve”)
PEOPLE
PROCESS
TECHNOLOGY

Application software:
 HROne & Bill Pay portals
Physical Security components:
 CCTV Cameras
 Clock in systems / Biometrics
Access Devices:
 Desktop computers
 Laptops
 Thin client computing.
 Digital cameras, Printers, Scanners, Photocopier etc.
TECHNOLOGY (“what we use to improve”)
PEOPLE
PROCESS
TECHNOLOGY
TECHNOLOGY

15
Effect of uncertainty on objectives
RISK
Potential cause of an unwanted
incident, which can result in harm to
a system or organization
Weakness of an asset or control that
can be exploited by one or more threats
THREATS VULNERABILITY
RISK, THREATS & VULNERABILITY

16
B
OPTIONS
RISK
Risk is defined as the potential for loss or
damage when a threat exploits a
vulnerability.
Examples of risk include:
 Financial losses
 Loss of privacy
 Damage to your reputation
 Legal implications
 Even loss of life
THREATS VULNERABILITY

17
RISK THREATS VULNERABILITY
A threat refers to a new or newly
discovered incident that has the
potential to harm a system or your
company overall.
There are three main types of
threats:
 Natural threats
 Unintentional threats
 Intentional threats

18
B
OPTIONS
C
OPTIONS
RISK THREATS VULNERABILITY
A vulnerability refers to
a known weakness of an asset
(resource) that can be exploited by one
or more attackers. In other words, it is a
known issue that allows an attack to
succeed.
 Network Vulnerabilities
 Lack of security cameras
 Unlocked doors at businesses
 Lack of user awareness

RELATIONSHIP BETWEEN RISK, THREATS, AND VULNERABILITIES

Security Breaches Leads To
 Reputation loss
 Financial loss
 Intellectual property loss
 Legislative Breaches leading to legal actions (Cyber Law)
 Loss of customer confidence
 Business interruption costs
L O S S O F G O O D W I L L

RISK & THREATS
SO HOW DO WE
OVERCOME THESE
PROBLEMS?

“WHEN THINGS DON'T WORK AS THEY SHOULD,
IT OFTEN MEANS THAT STANDARDS ARE ABSENT”

WHAT IS ISO
SO HOW DO WE
OVERCOME THESE
PROBLEMS?
ISO is an independent, non-governmental international organization with a membership of
167 national standards bodies.
It is important to note that the full name of ISO 27001 is “ISO/IEC 27001 – Information technology
— Security techniques — Information security management systems — Requirements.”
It is the leading international standard focused on information security, published by the
International Organization for Standardization (ISO), in partnership with the International
Electrotechnical Commission (IEC). Both are leading international organizations that develop
international standards.
ISO-27001 is part of a set of standards developed to handle information security: the ISO/IEC
27000 series.

ISO FRAMEWORK AND THE PURPOSE OF ISO 27001
SO HOW DO WE
OVERCOME THESE
PROBLEMS?
ISO framework is a combination of policies and processes for organizations to use. ISO 27001 provides
a framework to help organizations, of any size or any industry, to protect their information in a
systematic and cost-effective way, through the adoption of an Information Security Management
System (ISMS).

WHY IS ISO 27001 IMPORTANT?
SO HOW DO WE
OVERCOME THESE
PROBLEMS?
Not only does the standard provide companies with the necessary know-how for protecting their most
valuable information, but a company can also get certified against ISO 27001 and, in this way, prove to
its customers and partners that it safeguards their data.
Individuals can also get ISO 27001-certified by attending a course and passing the exam and, in this
way, prove their skills to potential employers.
Because it is an international standard, ISO 27001 is easily recognized all around the world, increasing
business opportunities for organizations and professionals.

WHAT IS AN ISMS?
SO HOW DO WE
OVERCOME THESE
PROBLEMS?
An Information Security Management System (ISMS) is a set of rules that a company needs to establish
in order to:
1. identify stakeholders and their expectations of the company in terms of information security.
2. identify which risks exist for the information.
3. define controls (safeguards) and other mitigation methods to meet the identified expectations
and handle risks.
4. set clear objectives on what needs to be achieved with information security.
5. implement all the controls and other risk treatment methods.
6. continuously measure if the implemented controls perform as expected.
7. make continuous improvement to make the whole ISMS work better.
This set of rules can be written down in the form of policies, procedures, and other types of documents,
or it can be in the form of established processes and technologies that are not documented. ISO 27001
defines which documents are required, i.e., which must exist at a minimum.

INTRODUCTION TO ISO 27001 (History)

ISMS – REQUIRMENTS (Clause #4 – Clause #10)
SO HOW DO WE
OVERCOME THESE
PROBLEMS?

ISMS – ANNEX (Control Clauses A5 – A18)
SO HOW DO WE
OVERCOME THESE
PROBLEMS?

USER RESPONSIBILITY
WHO IS AT THE CENTRE OF
SEC ITY
U-R

USER RESPONSBILITIES – (Access Control – Physical)
 Follow Information Security Policies and Procedures.
 Wear Identity Cards and Badges.
 Ask unauthorized visitor his credentials.
 Attend visitors in Reception and Conference Room only
 Bring visitors in operations area without prior permission.
 Bring hazardous and combustible material in secure area.
 Practice “Piggybacking”.
 Bring and use pen drives, zip drives, ipods, other storage devices
unless and otherwise authorized to do so.

USER RESPONSBILITIES – (Password Guideline)
 Always use at least 8 character password with combination of
alphabets, numbers and special characters (*, %, @, #, $, ^)
 Use passwords that can be easily remembered by you
 Change password regularly as per policy
 Use password that is significantly different from earlier passwords
 Try to use Passphrase in place of Password
 Use passwords which reveals your personal information or
words found in dictionary
 Write down or Store passwords
 Share passwords over phone or Email
 Use passwords which do not match above complexity criteria
How Secure Is My Password? | Password Strength Checker (security.org)

USER RESPONSBILITIES – (Internet Usage)
 Use internet services for business purposes only.
 Do not access internet through dial-up connectivity.
 Do not use internet for viewing, storing or transmitting obscene or
pornographic material.
 Do not use internet for accessing auction sites.
 Do not use internet for hacking other computer systems.
 Do not use internet to download / upload commercial software /
copyrighted material.
IT Department is continuously monitoring Internet Usage. Any illegal use
of internet and other assets shall call for Disciplinary Action.

USER RESPONSBILITIES – (E-mail Usages)
 Do not use official ID for any personal subscription purpose
 Do not send unsolicited mails of any type like chain letters or E-mail Hoax
 Do not send mails to client unless you are authorized to do so
 Do not post non-business related information to large number of users
 Do not open the mail or attachment which is suspected to be virus or
received from an unidentified sender
 Use official mail for business purposes only
 Follow the mail storage guidelines to avoid blocking of E-mails
 If you come across any junk / spam mail, do the following:
 Remove the mail.
 Inform the security help desk / IT Administrator
 Inform the same to server administrator
 Inform the sender that such mails are undesired

Report Security Incidents to (IT) Helpdesk through:
E-mail to rajkaran.rana@fiaglobal.com
Telephone : e.g.: 9654676543
IT Incidents: Mail Spamming, Virus attack, Hacking, etc.
Non-ITIncidents: Unsupervised visitor movement, Information leakage, Bringing unauthorized Media
 Do not discuss security incidents with anyone outside the organization.
 Do not attempt to interfere with, obstruct or prevent anyone from reporting incidents.
User Responsibilities – (Security Incidents)

 Ensure your system (Laptop/Desktops) are having latest antivirus updates
 Ensure your system is locked when you are away
 Always store laptops/ media in a lockable place
 Be alert while working on laptops during travel
 Ensure sensitive business information is under lock and key when unattended
 Ensure back-up of sensitive and critical information assets
 Understand Compliance Issues such as:
o Cyber Law / IPR, Copyrights, / IT act 2000 etc. / Contractual Obligations with customer
 Verify credentials, if the message is received from unknown sender
 Always switch off your computer before leaving for the day
 Keep your self updated on information security aspects
User Responsibilities

ISMS User_Awareness Training.pptx

ISMS User_Awareness Training.pptx

More Related Content

What's hot

Similar to ISMS User_Awareness Training.pptx

Recently uploaded

ISMS User_Awareness Training.pptx