Downloaded 38 times
![Number_Guessing_Game_Dsbsbssbzboc[1].pptx](https://cdn.slidesharecdn.com/ss_thumbnails/numberguessinggamedoc1-251206215042-a076fc05-thumbnail.jpg?width=640&height=640&fit=bounds)
isms-presentation.ppt
- 1.
- 2. Information is anasset which, like other important business assets, has value to an organization and consequently needs to be suitably protected. ISO/IEC 17799:2005 Information Confidentiality Integrity Availability
- 3. Information Security Managementis a top-down, business driven approach to the management of an organization’s physical and electronic information assets in order to preserve their • confidentiality, • integrity and • availability.
- 4. Increased dependence oninformation assets Increased demand for information availability Increased threats to information security
- 5. Consequences of SecurityBreach Destroy Image Depress the value of the business Erode the “bottom line”; and Compromise future earnings.
- 6. What is ISMS AnISMS is the means by which management monitors and controls the security, minimizing the residual business risk and ensuring that security continues to fulfill corporate, customer and legal requirements.
- 7. ISO 17799 &ISO 27001 ISO 17799:2005 Information Technology Security techniques – Code of practice for information security management ISO 27001:2005 Information technology Security techniques – Information security Management systems – Requirements Provides a comprehensive framework to guide and focus your efforts in building an Information Security Management System (ISMS) Provides a framework for a risk based security management system that can be independently certified
- 8. ISO 17799 AnInternationally recognized Code of Practice for information security management systems (ISMS) A comprehensive framework to guide and focus your efforts in building an Information Security Management System A collection of security best practices along with implementation guidance
- 9. ISO 27001 :2005 An internationally recognized requirement document for information security management systems A framework for building a risk based security management system that can be independently certified
- 10. Communications & Operations Management Critical Information Assets Risk Assessment Risk Treatment Compliance SecurityPolicy Organization of Information Security Asset Management Human Resources Security Physical & Environmental Security Access Control Information Systems Acquisition, Development & Maintenance Information Security Incident Management Business Continuity Management 11 Clauses 39 Control Objectives 133 Security Control
- 11. An Outline ofISO / IEC 17799/27001 Security Clauses Management Aspects Technical Aspects Physical Aspects Legend : Security Policy Organization of Information Security Asset Management Business Continuity Management Compliance Communications & Operations Management Human Resources Security Information Security Incident Management Information System Acquisition, Development & Maintenance Access Control Physical & Environmental Security Operations Management Organizational Structure The 11 Security Clauses Security Policy (1) Organization of Information Security (2) Asset Management (2) Human Resources Security (3) Physical & Environmental Security (2) Communications & Operations Management (10) Access Control (7) Information System Acquisition, Development & Maintenance (6) Information Security Incident Management (2) Business Continuity Management (1) Compliance (3)
- 12. (1) Define Scope (2) PerformGap Analysis (3) Security Improvement Plan (SIP) (4) Information Asset Register (4) Risk Assessment (4) Risk Treatment Plans (4) Selection of Controls (4) Initial SoA (6) Certification Readiness (6) Continues Improvement (6) Internal Audit, Management Review (5) Policies, Procedures, Controls & ISMS Documentation (5) Final SoA On-Going Security Program Improvement Pre-Certification Preparation Methodology
- 13. Steps Towards Certification Plan Do Check Act Establishthe ISMS Implement & Operate the ISMS Monitor & Review the ISMS Maintain & Improve the ISMS Apply for Certification
- 14. ISMS Implementation RequiresAdvisory Services, Project Leadership & Staff Augmentation Established the ISMS Implement & Operate Monitor & Review Maintain & Improve Plan (4.2.1) Do (4.2.2) Check (4.2.3) Act (4.2.4) Initial Training ISMS Scope ISMS Policy ISMS Assets Gap Analysis/ SIP Business Impact Threats & Vulnerabilities Probability of Occurrence Calculate/Evaluate Risks Prioritize Risks Treatment Options Select Controls Management Apvl. Prepare Initial SoA Risk Treatment Plans Implement Risk Treatment Define Effectiveness Metrics Document WI’s, Procedures Implement Training & Awareness Program Conduct Internal Auditor Training Operate the ISMS Monitoring & Incident Response Update SoA Execute Monitoring & Review Procedures Review ISMS Effectiveness Measure the Effectiveness of the Controls Review Risk Assessments Conduct Internal ISMS Audits Regular Mgmt. reviews of the ISMS Update SIP’s based on Findings Record Actions & Events Impacting ISMS Implement Identified Improvements Take Corrective & Preventive Actions Communicate the Actions & Improvements Ensure Improvements Achieve Objectives
- 15. Steps Towards Certification InternalAudit Ongoing Improvement Training & Awareness Documentation Management Risk Treatment Plan Risk Assessment Identification of Assets ISMS Scope Definition Establish Project Team
- 16. Steps Towards Certification InternalAudit Ongoing Improvement Training & Awareness Documentation Management Risk Treatment Plan Risk Assessment Identification of Assets ISMS Scope Definition Establish Project Team Ensure management commitment Select and train team members Establish Management Committee Establish Implementation Committee Establish Working Groups Team Definition
- 17. Steps Towards Certification InternalAudit Ongoing Improvement Training & Awareness Documentation Management Risk Treatment Plan Risk Assessment Identification of Assets ISMS Scope Definition Establish Project Team • Careful consideration to the processes, applications & locations to be included • scope should recognize business objectives, security requirements and structure of the organization • The scope must clearly define the boundaries of the ISMS including justification for exclusions
- 18. Steps Towards Certification InternalAudit Ongoing Improvement Training & Awareness Documentation Management Risk Treatment Plan Risk Assessment Identification of Assets ISMS Scope Definition Establish Project Team Identify all assets important to the scope including: • Physical Assets- IT • Physical Assets- Non IT • Information (Hard Copy and Electronic) • Software • Services • Supporting documentation • Intangible
- 19. Steps Towards Certification InternalAudit Ongoing Improvement Training & Awareness Documentation Management Risk Treatment Plan Risk Assessment Identification of Assets ISMS Scope Definition Establish Project Team • Valuation of assets - Impact to the Business in terms of Confidentiality, Integrity & Availability • Threat & Vulnerability Assessment • Probability of Occurrence • Effectiveness and Strength of Current Safeguards • Residual Risk • Determination of Risk Tolerance
- 20. Steps Towards Certification InternalAudit Ongoing Improvement Training & Awareness Documentation Management Risk Treatment Plan Risk Assessment Identification of Assets ISMS Scope Definition Establish Project Team • Risk Management decisions – • Terminate • Treat • Transfer or • Tolerate • Selection of controls from ISO 27001:2005 with direct link back to the risk assessment • Measurement of the effectiveness of controls • Manage risk treatment activities and resources • Management approval of residual risk
- 21. Steps Towards Certification InternalAudit Ongoing Improvement Training & Awareness Documentation Management Risk Treatment Plan Risk Assessment Identification of Assets ISMS Scope Definition Establish Project Team • Information classification & document and records control procedures • Internal ISMS audit plan • Corrective & preventive action procedures • Procedures and controls supporting the ISMS based on the risk assessment results • Description of the risk assessment methodology & risk treatment plan • Development of the Statement of Applicability, (SoA), with justification for controls not selected • Objective evidence of a living & improving ISMS
- 22. Steps Towards Certification InternalAudit Ongoing Improvement Training & Awareness Documentation Management Risk Treatment Plan Risk Assessment Identification of Assets ISMS Scope Definition Establish Project Team • Roles & responsibilities fully understood • Staff, contractors and third party users trained • Competency assessed • Training program formulation • Role based training • Metrics and measurements
- 23. Steps Towards Certification InternalAudit Ongoing Improvement Training & Awareness Documentation Management Risk Treatment Plan Risk Assessment Identification of Assets ISMS Scope Definition Establish Project Team • Implementation of the Plan Do Check Act model for continuous improvement • Independent internal evaluation of compliance to security Policy’s and Procedures • Risk based corrective actions • Defined preventive action requirements • Feedback into the Risk Management Framework • Records of continuous improvement
- 24. The Certification Audit PostCertification Process Stage 2 Audit System in Action Stage 1 Audit Documentation Review Application for Certification with a Certification Body • Agree on scope and contract terms • Assessment of Process Documentation • On-site Completion of Audit of Staff & Process • Presentation of the Audit Findings • Corrective Actions if Required • Award of Certificate • Certification is valid for three years • Annual Surveillance Audits are required • Internal Audit Program is Required • Full re-audit on the third Anniversary
- 25.