Napoleon NV, profile picture
Uploaded byNapoleon NV
PPTX, PDF81 views

ISO27k Awareness presentation v2.pptx

This document provides an overview of an information security seminar that introduces ISO27k standards. The seminar agenda covers topics such as defining information and information security, risk, ISO standards, managing information security, and security responsibilities. It also summarizes key aspects of the ISO27k standards such as the ISO27001 certification process and ISO27002 control clauses around information security policies, asset management, access control, and more.

Technology
Related topics:
ISO 27001 Overview

Embed presentation

Download to read offline
Security awareness seminar An introduction to ISO27k In fo r m at io n se cu rit y This work is copyright © 2012, Mohan Kamat and ISO27k Forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that: (a) it is not sold or incorporated into a commercial product; (b) it is properly attributed to the ISO27k Forum (www.ISO27001security.com); and (c) any derivative works that are shared are subject to the same terms as this work.
▪ What is information? ▪ What is information security? ▪ What is risk? ▪ Introduction to the ISO standards ▪ Managing information security ▪ Your security responsibilities A ge nd a 2
Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected IN F O R M A TI O N 3 ISO/IEC 27002:2005
In fo r m at io n ty pe s Information exists in many forms: ▪ Printed or written on paper ▪ Stored electronically ▪ Transmitted by post or electronic means ▪ Visual e.g. videos, diagrams ▪ Published on the Web ▪ Verbal/aural e.g. conversations, phone calls ▪ Intangible e.g. knowledge, experience, expertise, ideas ‘Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected’ (ISO/IEC 27002:2005) 4
In fo lif ec yc le Information can be … ▪ Created ▪ Owned (it is an asset) ▪ Stored ▪ Processed ▪ Transmitted/communicated ▪ Used (for proper or improper purposes) ▪ Modified or corrupted ▪ Shared or disclosed (whether appropriately or not) ▪ Destroyed or lost ▪ Stolen ▪ Controlled, secured and protected throughout its existence 5
Ke y te r m What is information security? ▪ Information security is what keeps valuable information ‘free of danger’ (protected, safe from harm) ▪ It is not something you buy, it is something you do o It’s a process not a product ▪ It is achieved using a combination of suitable strategies and approaches: o Determining the risks to information and treating them accordingly (proactive risk management) o Protecting CIA (Confidentiality, Integrity and Availability) o Avoiding, preventing, detecting and recovering from incidents o Securing people, processes and technology … not just IT! 6
Se cu rit y el e m en ts PEOPLE PROCESSES TECHNOLOGY Staff & management Business activities IT, phones, pens … 7
Pe op le People People who use or have an interest in our information security include: ∙ Shareholders / owners ∙ Management & staff ∙ Customers / clients, suppliers & business partners ∙ Service providers, contractors, consultants & advisors ∙ Authorities, regulators & judges Our biggest threats arise from people (social engineers, unethical competitors, hackers, fraudsters, careless workers, bugs, flaws …), yet our biggest asset is our people (e.g. security-aware employees who spot trouble early) 8
Processes Processes are work practices or workflows, the steps or activities needed to accomplish business objectives. • Processes are described in procedures. • Virtually all business processes involve and/or depend on information making information a critical business asset. Information security policies and procedures define how we secure information appropriately and repeatedly. Pr oc es se s 9
Technology Information technologies ∙ Cabling, data/voice networks and equipment ∙ Telecommunications services (PABX, VoIP, ISDN, videoconferencing) ∙ Phones, cellphones, PDAs ∙ Computer servers, desktops and associated data storage devices (disks, tapes) ∙ Operating system and application software ∙ Paperwork, files ∙ Pens, ink Security technologies ∙ Locks, barriers, card-access systems, CCTV Te ch no lo gy 10
• Protects information against various threats • Ensures business continuity • Minimizes financial losses and other impacts • Optimizes return on investments • Creates opportunities to do business safely • Maintains privacy and compliance Va lu e We all depend on information security 11 Information security is valuable because it …
Information security is defined as the preservation of: Confidentiality Making information accessible only to those authorized to use it Integrity Safeguarding the accuracy and completeness of information and processing methods Availability Ensuring that information is available when required CI A 12
• IT downtime, business interruption • Financial losses and costs • Devaluation of intellectual property • Breaking laws and regulations, leading to prosecutions, fines and penalties • Reputation and brand damage leading to loss of customer, market, business partner or owners’ confidence and lost business • Fear, uncertainty and doubt Security incidents cause … 13 I m pa ct s
Ke y te r m What is risk? Risk is the possibility that a threat exploits a vulnerability in an information asset, leading to an adverse impact on the organization Threat: something that might cause harm Vulnerability: a weakness that might be exploited Impact: financial damage etc. 14
R el at io ns hi ps Risk relationships Threats Vulnerabilities exploit Risk Value Security requirements Information assets Controls reduce 15 to
Th re at ag en t Threat agent The actor that represents, carries out or catalyzes the threat • Human • Machine • Nature 16
Motive Something that causes the threat agent to act • Implies intentional/deliberate attacks but some are accidental M ot iv e 17
Threat type Example Human error Typo, wrong attachment/email address, lost laptop or phone Intellectual property Piracy, industrial espionage Deliberate act Unauthorized access/trespass, data theft, extortion, blackmail, sabotage, vandalism, terrorist/activist/criminal activity Fraud Identity theft, expenses fraud System/network attack Viruses, worms, Trojans, hacks Service issue Power cuts, network outages Force of nature Fire, flood, storm, earthquake, lightning, tsunami, volcanic eruption Hardware issue Computer power supply failure, lack of capacity Software issue Bugs or design flaws, data corruption Obsolescence iPhone 4? 18 Th re at ty pe s
So how do we secure our information assets? 19
1990’s • Information Security Management Code of Practice produced by a UK government-sponsored working group • Based on the security policy used by Shell • Became British Standard BS7799 2000’s • Adopted by ISO/IEC • Became ISO/IEC 17799 (later renumbered ISO/IEC 27002) • ISO/IEC 27001 published & certification scheme started Now • Expanding into a suite of information security standards (known as “ISO27k”) • Updated and reissued every few years IS O 27 k A brief history of ISO27k 20
• Concerns the management of information security, not just IT/technical security • Formally specifies a management system • Uses Plan, Do, Check, Act (PDCA) to achieve, maintain and improve alignment of security with risks • Covers all types of organizations (e.g. commercial companies, government agencies, not-for-profit organizations) and all sizes • Thousands of organizations worldwide have been certified compliant ISO 27001 IS O 27 00 1 21
Interested parties Information security requirements & expectations PLAN Establish ISMS CHECK Monitor & review ISMS ACT Maintain & improve Management responsibility ISMS PROCESS Plan-Do-Check-Act Interested parties Managed information security DO Implement & operate the ISMS PD CA 22
Information Security Policy Organisation of Information Security Asset Management Human Resource Security Physical Security Communication & Operations Management Access Control System Development & Maintenance Incident Management Business Continuity Planning Compliance Availability CON TRO L CLA USE S 23
• Information security policy - management direction • Organization of information security - management framework for implementation • Asset management – assessment, classification and protection of valuable information assets • HR security – security for joiners, movers and leavers • Physical & environmental security - prevents unauthorised access, theft, compromise, damage to information and computing facilities, power cuts CON TRO L CLA USE S 24
• Communications & operations management - ensures the correct and secure operation of IT • Access control – restrict unauthorized access to information assets • Information systems acquisition, development & maintenance – build security into systems • Information security incident management – deal sensibly with security incidents that arise • Business continuity management – maintain essential business processes and restore any that fail • Compliance - avoid breaching laws, regulations, policies and other security obligations CON TRO L CLA USE S 25
PLAN Establish ISMS CHECK Monitor & Review ISMS ACT Maintain & Improve DO Implemen t & Operate the ISMS IS POLICY SECURITY ORGANISATION ASSET IDENTIFICATION & CLASSIFICATION CONTROL SELECTION & IMPLEMENTATION OPERATIONALIZ E THE PROCESES MANAGEMENT REVIEW CORRECTIVE & PREVENTIVE ACTIONS CHECK PROCESSES IMPL EME NTA TIO N PRO CESS CYCL E 26
Be ne fit s • Demonstrable commitment to security by the organization • Legal and regulatory compliance • Better risk management • Commercial credibility, confidence, and assurance • Reduced costs • Clear employee direction and improved awareness 27
Sc op e ISMS scope • Data center & DR site • All information assets throughout the organization 28
Key ISMS documents Ke y do cu m en ts • High level corporate security policy • Supporting policies e.g. physical & environmental, email, HR, incident management, compliance etc. • Standards e.g. Windows Security Standard • Procedures and guidelines • Records e.g. security logs, security review reports, corrective actions 29
Information security vision VISI ON & MIS SIO N Vision The organization is acknowledged as an industry leader for information security. Mission To design, implement, operate, manage and maintain an Information Security Management System that complies with international standards, incorporating generally-accepted good security practices 30
Who is responsible? W ho • Information Security Management Committee • Information Security Manager/CISO and Department • Incident Response Team • Business Continuity Team • IT, Legal/Compliance, HR, Risk and other departments • Audit Committee • Last but not least, you! Bottom line: 31 Information security is everyone’s responsibility
Po lic y Corporate Information Security Policy Policy is signed by the CEO and mandated by top management Find it on the intranet 32
INF O ASS ET CLAS SIFI CATI ON CONFIDENTIAL: If this information is leaked outside the organization, it will result in major financial and/or image loss. Compromise of this information may result in serious non-compliance (e.g. a privacy breach). Access to this information must be restricted based on the concept of need-to-know. Disclosure requires the information owner’s approval. In case information needs to be disclosed to third parties, a signed confidentiality agreement is required. Examples: customer contracts, pricing rates, trade secrets, personal information, new product development plans, budgets, financial reports (prior to publication), passwords, encryption keys. INTERNAL USE ONLY: Leakage or disclosure of this information outside the organization is unlikely to cause serious harm but may result in some financial loss and/or embarrassment. Examples: circulars, policies, training materials, general company emails, security policies and procedures, corporate intranet. PUBLIC: This information can be freely disclosed to anyone although publication must usually be explicitly approved by Corporate Communications or Marketing. Examples: marketing brochures, press releases, website. 33 Information Asset Classification
Confidentiality Confidentiality level Explanation High Information which is very sensitive or private, of great value to the organization and intended for specific individuals only. The unauthorized disclosure of such information can cause severe harm such as legal or financial liabilities, competitive disadvantage, loss of brand value e.g. merger and acquisition related information, marketing strategy Medium Information belonging to the company and not for disclosure to public or external parties. The unauthorized disclosure of this information may harm to the organization somewhat e.g. organization charts, internal contact lists. Low Non-sensitive information available for public disclosure. The impact of unauthorized disclosure of such information shall not harm Organisation anyway. E.g. Press releases, Company’s News letters e.g. Information published on company’s website Confidentiality of information concerns the protection of sensitive (and often highly valuable) information from unauthorized or inappropriate disclosure. Cl as sif ic at io n 10/13 34 Mohan Kamat
USE R RESP ONSI BILI TIES Physical security • Read and follow security policies and procedures • Display identity cards while on the premises • Challenge or report anyone without an ID card • Visit the intranet Security Zone or call IT Help/Service Desk for advice on most information security matters • Allow unauthorized visitors onto the premises • Bring weapons, hazardous/combustible materials, recording devices etc., especially in secure areas • Use personal IT devices for work purposes, unless explicitly authorized by management 35 Do not Do
USE R RESP ONSI BILI TIES Password Guidelines ⮚ Use long, complicated passphrases - whole sentences if you can ⮚ Reserve your strongest passphrases for high security systems (don’t re-use the same passphrase everywhere) ⮚ Use famous quotes, lines from your favorite songs, poems etc. to make them memorable ⮚ Use short or easily-guessed passwords ⮚ Write down passwords or store them in plain text ⮚ Share passwords over phone or email 36
USE R RESP ONSI BILI TIES Warning: Internet usage is routinely logged and monitored. Be careful which websites you visit and what you disclose. ⮚ Avoid websites that would be classed as obscene, racist, offensive or illegal – anything that would be embarrassing ⮚ Do not access online auction or shopping sites, except where authorized by your manager ⮚ Don’t hack! ⮚ Do not download or upload commercial software or other copyrighted material without the correct license and permission from your manager ⮚ Use the corporate Internet facilities only for legitimate and authorized business purposes Internet usage 37
USE R RESP ONSI BILI TIES E-mail usage ⮚ Do not use your corporate email address for personal email ⮚ Do not circulate chain letters, hoaxes, inappropriate jokes, videos etc. ⮚ Do not send emails outside the organization unless you are authorized to do so ⮚ Be very wary of email attachments and links, especially in unsolicited emails (most are virus-infected) 38 ⮚ Use corporate email for business purposes only ⮚ Follow the email storage guidelines ⮚ If you receive spam email, simply delete it. If it is offensive or you receive a lot, call the IT Help/Service Desk
USE R RESP ONSI BILI TIES Security incidents 39 ⮚ Report information security incidents, concerns and near-misses to IT Help/Service Desk: ⮚ Email … ⮚ Telephone … ⮚ Anonymous drop-boxes … ⮚ Take their advice on what to do ⮚ Do not discuss security incidents with anyone outside the organization ⮚ Do not attempt to interfere with, obstruct or prevent anyone else from reporting incidents
R es po ns ibi lit ie s ✔ Ensure your PC is getting antivirus updates and patches ✔ Lock your keyboard (Windows-L) before leaving your PC unattended, and log-off at the end of the day ✔ Store laptops and valuable information (paperwork as well as CDs, USB sticks etc.) securely under lock and key ✔ Keep your wits about you while traveling: ▪ Keep your voice down on the cellphone ▪ Be discreet about your IT equipment ✔ Take regular information back ups ✔ Fulfill your security obligations: ▪ Comply with security and privacy laws, copyright and licenses, NDA (Non Disclosure Agreements) and contracts ▪ Comply with corporate policies and procedures ✔ Stay up to date on information security: ▪ Visit the intranet Security Zone when you have a moment 40
41

More Related Content

PPTX
ISO27k Awareness presentation.pptx
byharigopala
 
PDF
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
byIGN MANTRA
 
PDF
Chapter 12 iso 27001 awareness
bynewbie2019
 
PPTX
ISO 27001 2022 REQUIREMENTS EXPLAINED 4.pptx
byJustinNickaf3
 
PDF
1678784047-mid_sem-2.pdf
byRimurutempest594985
 
PPTX
Information security
byavinashbalakrishnan2
 
PPTX
INFORMATION SECURITY
byAhmed Moussa
 
PPTX
Presentation1 110616195133-phpapp01(information security)
byBonagiri Rajitha
 
ISO27k Awareness presentation.pptx
byharigopala
 
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
byIGN MANTRA
 
Chapter 12 iso 27001 awareness
bynewbie2019
 
ISO 27001 2022 REQUIREMENTS EXPLAINED 4.pptx
byJustinNickaf3
 
1678784047-mid_sem-2.pdf
byRimurutempest594985
 
Information security
byavinashbalakrishnan2
 
INFORMATION SECURITY
byAhmed Moussa
 
Presentation1 110616195133-phpapp01(information security)
byBonagiri Rajitha
 

Similar to ISO27k Awareness presentation v2.pptx

PPTX
Information Security Management System ISO/IEC 27001:2005
byControlCase
 
PPTX
ISMS User_Awareness Training.pptx
byMukesh Pant
 
PDF
ISO 27001
byn|u - The Open Security Community
 
PPTX
Dancyrityshy 1foundatioieh
byAnne Starr
 
PPTX
Security Foundation and Incident Mgmt and BCMS.pptx
byMohsenMojabi1
 
PPTX
ISMS End-User Training Presentation.pptx
bycomstarndt
 
PDF
Chapter 7 Managing Secure System.pdf
byAbuHanifah59
 
PPT
Information Security
bychenpingling
 
PPTX
Information Security and Privacy-Unit-1.pptx
byNiharikaDubey17
 
PPTX
Information Security Induction Training.pptx
byCelDeleon1
 
PPTX
c plus plus ssssssssssssssssssssssssssss
byASKMEDIA
 
PPTX
Chapter 1_Overview hhhhhhhhhhhhhhhhhhhhhhhhhh
byASKMEDIA
 
PPT
Intro to Information Security.ppt
byAnuraagAwasthi3
 
PPTX
ke-1.pptx
byAhmadNaswin
 
PPTX
ke-1.pptx454545454545550515545456486498498498
byAhmadNaswin
 
PPTX
ke-1 - Copy cat massunu rahing.pptxdfdff
byAhmadNaswin
 
PDF
Management Information Systems
bymsd11
 
PDF
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.
byIGN MANTRA
 
PPTX
17 info sec_ma_imt_27_2_2012
byRECIPA
 
PPT
MIS chap # 9.....
bySyed Muhammad Zeejah Hashmi
 
Information Security Management System ISO/IEC 27001:2005
byControlCase
 
ISMS User_Awareness Training.pptx
byMukesh Pant
 
ISO 27001
byn|u - The Open Security Community
 
Dancyrityshy 1foundatioieh
byAnne Starr
 
Security Foundation and Incident Mgmt and BCMS.pptx
byMohsenMojabi1
 
ISMS End-User Training Presentation.pptx
bycomstarndt
 
Chapter 7 Managing Secure System.pdf
byAbuHanifah59
 
Information Security
bychenpingling
 
Information Security and Privacy-Unit-1.pptx
byNiharikaDubey17
 
Information Security Induction Training.pptx
byCelDeleon1
 
c plus plus ssssssssssssssssssssssssssss
byASKMEDIA
 
Chapter 1_Overview hhhhhhhhhhhhhhhhhhhhhhhhhh
byASKMEDIA
 
Intro to Information Security.ppt
byAnuraagAwasthi3
 
ke-1.pptx
byAhmadNaswin
 
ke-1.pptx454545454545550515545456486498498498
byAhmadNaswin
 
ke-1 - Copy cat massunu rahing.pptxdfdff
byAhmadNaswin
 
Management Information Systems
bymsd11
 
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.
byIGN MANTRA
 
17 info sec_ma_imt_27_2_2012
byRECIPA
 
MIS chap # 9.....
bySyed Muhammad Zeejah Hashmi
 

More from Napoleon NV

PPTX
ISO27k ISMS implementation and certification process overview v2.pptx
byNapoleon NV
 
PDF
IC-ISO-27001-Checklist-10838_PDF.pdf
byNapoleon NV
 
PPTX
Chương 1- Cung Cầu và Giá cả
byNapoleon NV
 
PPTX
Windows Server 2012 Managing Active Directory Domain
byNapoleon NV
 
PPTX
Implementing Dynamic Host
byNapoleon NV
 
PPTX
Tiêu dùng trong kinh tế Vi mô
byNapoleon NV
 
PPTX
Sản xuất và chi phí trong kinh tế vi mô
byNapoleon NV
 
PPTX
Windows Server 2012 Deploying and managing
byNapoleon NV
 
PPTX
Implementing Domain Name
byNapoleon NV
 
PPTX
SDA Seminar 2023_NTS-Team.pptx
byNapoleon NV
 
PPTX
Automating AD Domain Services Administration
byNapoleon NV
 
PPTX
Installing and Configuring Windows Server® 2012
byNapoleon NV
 
PPTX
Vai trò của nhà nước
byNapoleon NV
 
PPTX
Implementing IP V4
byNapoleon NV
 
ISO27k ISMS implementation and certification process overview v2.pptx
byNapoleon NV
 
IC-ISO-27001-Checklist-10838_PDF.pdf
byNapoleon NV
 
Chương 1- Cung Cầu và Giá cả
byNapoleon NV
 
Windows Server 2012 Managing Active Directory Domain
byNapoleon NV
 
Implementing Dynamic Host
byNapoleon NV
 
Tiêu dùng trong kinh tế Vi mô
byNapoleon NV
 
Sản xuất và chi phí trong kinh tế vi mô
byNapoleon NV
 
Windows Server 2012 Deploying and managing
byNapoleon NV
 
Implementing Domain Name
byNapoleon NV
 
SDA Seminar 2023_NTS-Team.pptx
byNapoleon NV
 
Automating AD Domain Services Administration
byNapoleon NV
 
Installing and Configuring Windows Server® 2012
byNapoleon NV
 
Vai trò của nhà nước
byNapoleon NV
 
Implementing IP V4
byNapoleon NV
 

Recently uploaded

PPTX
Cyber Security Overview-breif note .pptx
byxbitindiacom
 
PPT
Carole BirdCarole BirdCarole BirdCarole Bird.ppt
byk4n3kictf
 
PDF
The map to conquer linear algebra for IT engineer
byakipii ogaoga
 
PDF
Top 10 API Automation Testing Tools: Features, Pros & Cons
byhenrycavill30521
 
PDF
Industrial RFID Landscape for 2025 - Readers, Tags, Antennas, Printers, etc
byRich Rogers
 
PDF
What is Voice User Interface (VUI) Definition & Examples.pdf
byDesign Studio UI UX
 
PPTX
Why 2026 Could Be a Turning Point for Decentralized Exchanges.pptx
bycalliemorgan193
 
PPTX
Compare and contrast types of attacks.pptx
bysyednaqihassan14
 
PDF
Digital Marketing Trends in 2026: AI, Data, Content & Future Growth
byConacent Consulting
 
PDF
Navigating the Spectrum of Advanced AI – Agentic, Autonomous, and Autopoietic...
byScott M. Graffius
 
PDF
250 Prompts - ChatGPT acting as your Assistant
byMihir Nagarkar
 
PDF
Huawei Datacom – How To Pass H12-892 On Your First Try
by591lab
 
PPTX
AI Bot Traffic Surge: Retail Fraud Threat for Age-Restricted Websites
byFTx Identity
 
DOCX
Top Websites To ⭐Buy ⭐Old ⭐Gmail ⭐Accounts (PVA & Bulk) (5).docx
byBuy Old Gmail Accounts
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PPT
Information and Communication Technologies and Power
byJeffrey Hart
 
PDF
Top Benefits of Using KVM VPS Hosting for Growing Businesses
byEthernet Servers
 
PPTX
Salesforce Spring 26 Release Key .pptx
byMehediHasan939830
 
PPTX
Cesium formate brine - A brief history - prepared by John Downs in May 2011
byJohn Downs
 
PDF
Groq Series A Investment Memo - Chamath Palihapitiya
byRazin Mustafiz
 
Cyber Security Overview-breif note .pptx
byxbitindiacom
 
Carole BirdCarole BirdCarole BirdCarole Bird.ppt
byk4n3kictf
 
The map to conquer linear algebra for IT engineer
byakipii ogaoga
 
Top 10 API Automation Testing Tools: Features, Pros & Cons
byhenrycavill30521
 
Industrial RFID Landscape for 2025 - Readers, Tags, Antennas, Printers, etc
byRich Rogers
 
What is Voice User Interface (VUI) Definition & Examples.pdf
byDesign Studio UI UX
 
Why 2026 Could Be a Turning Point for Decentralized Exchanges.pptx
bycalliemorgan193
 
Compare and contrast types of attacks.pptx
bysyednaqihassan14
 
Digital Marketing Trends in 2026: AI, Data, Content & Future Growth
byConacent Consulting
 
Navigating the Spectrum of Advanced AI – Agentic, Autonomous, and Autopoietic...
byScott M. Graffius
 
250 Prompts - ChatGPT acting as your Assistant
byMihir Nagarkar
 
Huawei Datacom – How To Pass H12-892 On Your First Try
by591lab
 
AI Bot Traffic Surge: Retail Fraud Threat for Age-Restricted Websites
byFTx Identity
 
Top Websites To ⭐Buy ⭐Old ⭐Gmail ⭐Accounts (PVA & Bulk) (5).docx
byBuy Old Gmail Accounts
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
Information and Communication Technologies and Power
byJeffrey Hart
 
Top Benefits of Using KVM VPS Hosting for Growing Businesses
byEthernet Servers
 
Salesforce Spring 26 Release Key .pptx
byMehediHasan939830
 
Cesium formate brine - A brief history - prepared by John Downs in May 2011
byJohn Downs
 
Groq Series A Investment Memo - Chamath Palihapitiya
byRazin Mustafiz
 

ISO27k Awareness presentation v2.pptx

  • 1.
    Security awareness seminar Anintroduction to ISO27k In fo r m at io n se cu rit y This work is copyright © 2012, Mohan Kamat and ISO27k Forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that: (a) it is not sold or incorporated into a commercial product; (b) it is properly attributed to the ISO27k Forum (www.ISO27001security.com); and (c) any derivative works that are shared are subject to the same terms as this work.
  • 2.
    ▪ What isinformation? ▪ What is information security? ▪ What is risk? ▪ Introduction to the ISO standards ▪ Managing information security ▪ Your security responsibilities A ge nd a 2
  • 3.
    Information is anasset which, like other important business assets, has value to an organization and consequently needs to be suitably protected IN F O R M A TI O N 3 ISO/IEC 27002:2005
  • 4.
    In fo r m at io n ty pe s Information exists inmany forms: ▪ Printed or written on paper ▪ Stored electronically ▪ Transmitted by post or electronic means ▪ Visual e.g. videos, diagrams ▪ Published on the Web ▪ Verbal/aural e.g. conversations, phone calls ▪ Intangible e.g. knowledge, experience, expertise, ideas ‘Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected’ (ISO/IEC 27002:2005) 4
  • 5.
    In fo lif ec yc le Information can be… ▪ Created ▪ Owned (it is an asset) ▪ Stored ▪ Processed ▪ Transmitted/communicated ▪ Used (for proper or improper purposes) ▪ Modified or corrupted ▪ Shared or disclosed (whether appropriately or not) ▪ Destroyed or lost ▪ Stolen ▪ Controlled, secured and protected throughout its existence 5
  • 6.
    Ke y te r m What is informationsecurity? ▪ Information security is what keeps valuable information ‘free of danger’ (protected, safe from harm) ▪ It is not something you buy, it is something you do o It’s a process not a product ▪ It is achieved using a combination of suitable strategies and approaches: o Determining the risks to information and treating them accordingly (proactive risk management) o Protecting CIA (Confidentiality, Integrity and Availability) o Avoiding, preventing, detecting and recovering from incidents o Securing people, processes and technology … not just IT! 6
  • 7.
  • 8.
    Pe op le People People who useor have an interest in our information security include: ∙ Shareholders / owners ∙ Management & staff ∙ Customers / clients, suppliers & business partners ∙ Service providers, contractors, consultants & advisors ∙ Authorities, regulators & judges Our biggest threats arise from people (social engineers, unethical competitors, hackers, fraudsters, careless workers, bugs, flaws …), yet our biggest asset is our people (e.g. security-aware employees who spot trouble early) 8
  • 9.
    Processes Processes are workpractices or workflows, the steps or activities needed to accomplish business objectives. • Processes are described in procedures. • Virtually all business processes involve and/or depend on information making information a critical business asset. Information security policies and procedures define how we secure information appropriately and repeatedly. Pr oc es se s 9
  • 10.
    Technology Information technologies ∙ Cabling,data/voice networks and equipment ∙ Telecommunications services (PABX, VoIP, ISDN, videoconferencing) ∙ Phones, cellphones, PDAs ∙ Computer servers, desktops and associated data storage devices (disks, tapes) ∙ Operating system and application software ∙ Paperwork, files ∙ Pens, ink Security technologies ∙ Locks, barriers, card-access systems, CCTV Te ch no lo gy 10
  • 11.
    • Protects informationagainst various threats • Ensures business continuity • Minimizes financial losses and other impacts • Optimizes return on investments • Creates opportunities to do business safely • Maintains privacy and compliance Va lu e We all depend on information security 11 Information security is valuable because it …
  • 12.
    Information security isdefined as the preservation of: Confidentiality Making information accessible only to those authorized to use it Integrity Safeguarding the accuracy and completeness of information and processing methods Availability Ensuring that information is available when required CI A 12
  • 13.
    • IT downtime,business interruption • Financial losses and costs • Devaluation of intellectual property • Breaking laws and regulations, leading to prosecutions, fines and penalties • Reputation and brand damage leading to loss of customer, market, business partner or owners’ confidence and lost business • Fear, uncertainty and doubt Security incidents cause … 13 I m pa ct s
  • 14.
    Ke y te r m What is risk? Riskis the possibility that a threat exploits a vulnerability in an information asset, leading to an adverse impact on the organization Threat: something that might cause harm Vulnerability: a weakness that might be exploited Impact: financial damage etc. 14
  • 15.
  • 16.
    Th re at ag en t Threat agent The actorthat represents, carries out or catalyzes the threat • Human • Machine • Nature 16
  • 17.
    Motive Something that causesthe threat agent to act • Implies intentional/deliberate attacks but some are accidental M ot iv e 17
  • 18.
    Threat type Example Humanerror Typo, wrong attachment/email address, lost laptop or phone Intellectual property Piracy, industrial espionage Deliberate act Unauthorized access/trespass, data theft, extortion, blackmail, sabotage, vandalism, terrorist/activist/criminal activity Fraud Identity theft, expenses fraud System/network attack Viruses, worms, Trojans, hacks Service issue Power cuts, network outages Force of nature Fire, flood, storm, earthquake, lightning, tsunami, volcanic eruption Hardware issue Computer power supply failure, lack of capacity Software issue Bugs or design flaws, data corruption Obsolescence iPhone 4? 18 Th re at ty pe s
  • 19.
    So how dowe secure our information assets? 19
  • 20.
    1990’s • Information SecurityManagement Code of Practice produced by a UK government-sponsored working group • Based on the security policy used by Shell • Became British Standard BS7799 2000’s • Adopted by ISO/IEC • Became ISO/IEC 17799 (later renumbered ISO/IEC 27002) • ISO/IEC 27001 published & certification scheme started Now • Expanding into a suite of information security standards (known as “ISO27k”) • Updated and reissued every few years IS O 27 k A brief history of ISO27k 20
  • 21.
    • Concerns themanagement of information security, not just IT/technical security • Formally specifies a management system • Uses Plan, Do, Check, Act (PDCA) to achieve, maintain and improve alignment of security with risks • Covers all types of organizations (e.g. commercial companies, government agencies, not-for-profit organizations) and all sizes • Thousands of organizations worldwide have been certified compliant ISO 27001 IS O 27 00 1 21
  • 22.
    Interested parties Information security requirements & expectations PLAN Establish ISMS CHECK Monitor & review ISMS ACT Maintain& improve Management responsibility ISMS PROCESS Plan-Do-Check-Act Interested parties Managed information security DO Implement & operate the ISMS PD CA 22
  • 23.
    Information Security Policy Organisation of Information Security Asset Management Human Resource Security Physical Security Communication &Operations Management Access Control System Development & Maintenance Incident Management Business Continuity Planning Compliance Availability CON TRO L CLA USE S 23
  • 24.
    • Information securitypolicy - management direction • Organization of information security - management framework for implementation • Asset management – assessment, classification and protection of valuable information assets • HR security – security for joiners, movers and leavers • Physical & environmental security - prevents unauthorised access, theft, compromise, damage to information and computing facilities, power cuts CON TRO L CLA USE S 24
  • 25.
    • Communications &operations management - ensures the correct and secure operation of IT • Access control – restrict unauthorized access to information assets • Information systems acquisition, development & maintenance – build security into systems • Information security incident management – deal sensibly with security incidents that arise • Business continuity management – maintain essential business processes and restore any that fail • Compliance - avoid breaching laws, regulations, policies and other security obligations CON TRO L CLA USE S 25
  • 26.
    PLAN Establish ISMS CHECK Monitor & Review ISMS ACT Maintain & Improve DO Implemen t & Operate the ISMS ISPOLICY SECURITY ORGANISATION ASSET IDENTIFICATION & CLASSIFICATION CONTROL SELECTION & IMPLEMENTATION OPERATIONALIZ E THE PROCESES MANAGEMENT REVIEW CORRECTIVE & PREVENTIVE ACTIONS CHECK PROCESSES IMPL EME NTA TIO N PRO CESS CYCL E 26
  • 27.
    Be ne fit s • Demonstrable commitmentto security by the organization • Legal and regulatory compliance • Better risk management • Commercial credibility, confidence, and assurance • Reduced costs • Clear employee direction and improved awareness 27
  • 28.
    Sc op e ISMS scope • Datacenter & DR site • All information assets throughout the organization 28
  • 29.
    Key ISMS documents Ke y do cu m en ts •High level corporate security policy • Supporting policies e.g. physical & environmental, email, HR, incident management, compliance etc. • Standards e.g. Windows Security Standard • Procedures and guidelines • Records e.g. security logs, security review reports, corrective actions 29
  • 30.
    Information security vision VISI ON & MIS SIO N Vision Theorganization is acknowledged as an industry leader for information security. Mission To design, implement, operate, manage and maintain an Information Security Management System that complies with international standards, incorporating generally-accepted good security practices 30
  • 31.
    Who is responsible? W ho •Information Security Management Committee • Information Security Manager/CISO and Department • Incident Response Team • Business Continuity Team • IT, Legal/Compliance, HR, Risk and other departments • Audit Committee • Last but not least, you! Bottom line: 31 Information security is everyone’s responsibility
  • 32.
    Po lic y Corporate Information SecurityPolicy Policy is signed by the CEO and mandated by top management Find it on the intranet 32
  • 33.
    INF O ASS ET CLAS SIFI CATI ON CONFIDENTIAL: If this informationis leaked outside the organization, it will result in major financial and/or image loss. Compromise of this information may result in serious non-compliance (e.g. a privacy breach). Access to this information must be restricted based on the concept of need-to-know. Disclosure requires the information owner’s approval. In case information needs to be disclosed to third parties, a signed confidentiality agreement is required. Examples: customer contracts, pricing rates, trade secrets, personal information, new product development plans, budgets, financial reports (prior to publication), passwords, encryption keys. INTERNAL USE ONLY: Leakage or disclosure of this information outside the organization is unlikely to cause serious harm but may result in some financial loss and/or embarrassment. Examples: circulars, policies, training materials, general company emails, security policies and procedures, corporate intranet. PUBLIC: This information can be freely disclosed to anyone although publication must usually be explicitly approved by Corporate Communications or Marketing. Examples: marketing brochures, press releases, website. 33 Information Asset Classification
  • 34.
    Confidentiality Confidentiality level Explanation High Information whichis very sensitive or private, of great value to the organization and intended for specific individuals only. The unauthorized disclosure of such information can cause severe harm such as legal or financial liabilities, competitive disadvantage, loss of brand value e.g. merger and acquisition related information, marketing strategy Medium Information belonging to the company and not for disclosure to public or external parties. The unauthorized disclosure of this information may harm to the organization somewhat e.g. organization charts, internal contact lists. Low Non-sensitive information available for public disclosure. The impact of unauthorized disclosure of such information shall not harm Organisation anyway. E.g. Press releases, Company’s News letters e.g. Information published on company’s website Confidentiality of information concerns the protection of sensitive (and often highly valuable) information from unauthorized or inappropriate disclosure. Cl as sif ic at io n 10/13 34 Mohan Kamat
  • 35.
    USE R RESP ONSI BILI TIES Physical security • Readand follow security policies and procedures • Display identity cards while on the premises • Challenge or report anyone without an ID card • Visit the intranet Security Zone or call IT Help/Service Desk for advice on most information security matters • Allow unauthorized visitors onto the premises • Bring weapons, hazardous/combustible materials, recording devices etc., especially in secure areas • Use personal IT devices for work purposes, unless explicitly authorized by management 35 Do not Do
  • 36.
    USE R RESP ONSI BILI TIES Password Guidelines ⮚ Uselong, complicated passphrases - whole sentences if you can ⮚ Reserve your strongest passphrases for high security systems (don’t re-use the same passphrase everywhere) ⮚ Use famous quotes, lines from your favorite songs, poems etc. to make them memorable ⮚ Use short or easily-guessed passwords ⮚ Write down passwords or store them in plain text ⮚ Share passwords over phone or email 36
  • 37.
    USE R RESP ONSI BILI TIES Warning: Internet usageis routinely logged and monitored. Be careful which websites you visit and what you disclose. ⮚ Avoid websites that would be classed as obscene, racist, offensive or illegal – anything that would be embarrassing ⮚ Do not access online auction or shopping sites, except where authorized by your manager ⮚ Don’t hack! ⮚ Do not download or upload commercial software or other copyrighted material without the correct license and permission from your manager ⮚ Use the corporate Internet facilities only for legitimate and authorized business purposes Internet usage 37
  • 38.
    USE R RESP ONSI BILI TIES E-mail usage ⮚ Donot use your corporate email address for personal email ⮚ Do not circulate chain letters, hoaxes, inappropriate jokes, videos etc. ⮚ Do not send emails outside the organization unless you are authorized to do so ⮚ Be very wary of email attachments and links, especially in unsolicited emails (most are virus-infected) 38 ⮚ Use corporate email for business purposes only ⮚ Follow the email storage guidelines ⮚ If you receive spam email, simply delete it. If it is offensive or you receive a lot, call the IT Help/Service Desk
  • 39.
    USE R RESP ONSI BILI TIES Security incidents 39 ⮚ Reportinformation security incidents, concerns and near-misses to IT Help/Service Desk: ⮚ Email … ⮚ Telephone … ⮚ Anonymous drop-boxes … ⮚ Take their advice on what to do ⮚ Do not discuss security incidents with anyone outside the organization ⮚ Do not attempt to interfere with, obstruct or prevent anyone else from reporting incidents
  • 40.
    R es po ns ibi lit ie s ✔ Ensure yourPC is getting antivirus updates and patches ✔ Lock your keyboard (Windows-L) before leaving your PC unattended, and log-off at the end of the day ✔ Store laptops and valuable information (paperwork as well as CDs, USB sticks etc.) securely under lock and key ✔ Keep your wits about you while traveling: ▪ Keep your voice down on the cellphone ▪ Be discreet about your IT equipment ✔ Take regular information back ups ✔ Fulfill your security obligations: ▪ Comply with security and privacy laws, copyright and licenses, NDA (Non Disclosure Agreements) and contracts ▪ Comply with corporate policies and procedures ✔ Stay up to date on information security: ▪ Visit the intranet Security Zone when you have a moment 40
  • 41.