SlideShare a Scribd company logo

ISO27k Awareness presentation.pptx

Download as PPTX, PDF
H
harigopala

This document provides an overview of information security and ISO 27001. It discusses what information security is, the importance of protecting information assets, and introduces some of the key concepts from ISO 27001 such as risk management, the Plan-Do-Check-Act cycle, and control objectives. The document emphasizes that information security is everyone's responsibility.

Business
1 of 41
Security awareness seminar An introduction to ISO27k I n f o r m a t i o n s e c u r i t y This work is copyright © 2012, Mohan Kamat and ISO27k Forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that: (a) it is not sold or incorporated into a commercial product; (b) it is properly attributed to the ISO27k Forum (www.ISO27001security.com); and (c) any derivative works that are shared are subject to the same terms as this work.
 What is information?  What is information security?  What is risk?  Introduction to the ISO standards  Managing information security  Your security responsibilities A g e n d a 2
Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected I N F O R M A T I O N 3 ISO/IEC 27002:2005
I n f o r m a t i o n t y p e s Information exists in many forms:  Printed or written on paper  Stored electronically  Transmitted by post or electronic means  Visual e.g. videos, diagrams  Published on the Web  Verbal/aural e.g. conversations, phone calls  Intangible e.g. knowledge, experience, expertise, ideas ‘Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected’ (ISO/IEC 27002:2005) 4
I n f o l i f e c y c l e Information can be …  Created  Owned (it is an asset)  Stored  Processed  Transmitted/communicated  Used (for proper or improper purposes)  Modified or corrupted  Shared or disclosed (whether appropriately or not)  Destroyed or lost  Stolen  Controlled, secured and protected throughout its existence 5
K e y t e r m What is information security?  Information security is what keeps valuable information ‘free of danger’ (protected, safe from harm)  It is not something you buy, it is something you do o It’s a process not a product  It is achieved using a combination of suitable strategies and approaches: o Determining the risks to information and treating them accordingly (proactive risk management) o Protecting CIA (Confidentiality, Integrity and Availability) o Avoiding, preventing, detecting and recovering from incidents o Securing people, processes and technology … not just IT! 6
S e c u r i t y e l e m e n t s PEOPLE PROCESSES TECHNOLOGY Staff & management Business activities IT, phones, pens … 7
P e o p l e People People who use or have an interest in our information security include:  Shareholders / owners  Management & staff  Customers / clients, suppliers & business partners  Service providers, contractors, consultants & advisors  Authorities, regulators & judges Our biggest threats arise from people (social engineers, unethical competitors, hackers, fraudsters, careless workers, bugs, flaws …), yet our biggest asset is our people (e.g. security-aware employees who spot trouble early) 8
Processes Processes are work practices or workflows, the steps or activities needed to accomplish business objectives. • Processes are described in procedures. • Virtually all business processes involve and/or depend on information making information a critical business asset. Information security policies and procedures define how we secure information appropriately and repeatedly. P r o c e s s e s 9
Technology Information technologies  Cabling, data/voice networks and equipment  Telecommunications services (PABX, VoIP, ISDN, videoconferencing)  Phones, cellphones, PDAs  Computer servers, desktops and associated data storage devices (disks, tapes)  Operating system and application software  Paperwork, files  Pens, ink Security technologies  Locks, barriers, card-access systems, CCTV T e c h n o l o g y 10
• Protects information against various threats • Ensures business continuity • Minimizes financial losses and other impacts • Optimizes return on investments • Creates opportunities to do business safely • Maintains privacy and compliance V a l u e We all depend on information security 11 Information security is valuable because it …
Information security is defined as the preservation of: Confidentiality Making information accessible only to those authorized to use it Integrity Safeguarding the accuracy and completeness of information and processing methods Availability Ensuring that information is available when required C I A 12
• IT downtime, business interruption • Financial losses and costs • Devaluation of intellectual property • Breaking laws and regulations, leading to prosecutions, fines and penalties • Reputation and brand damage leading to loss of customer, market, business partner or owners’ confidence and lost business • Fear, uncertainty and doubt Security incidents cause … 13 I m p a c t s
K e y t e r m What is risk? Risk is the possibility that a threat exploits a vulnerability in an information asset, leading to an adverse impact on the organization Threat: something that might cause harm Vulnerability: a weakness that might be exploited Impact: financial damage etc. 14
R e l a t i o n s h i p s Risk relationships Threats Vulnerabilities exploit Risk Value Security requirements Information assets Controls reduce 15 to
T h r e a t a g e n t Threat agent The actor that represents, carries out or catalyzes the threat • Human • Machine • Nature 16
Motive Something that causes the threat agent to act • Implies intentional/deliberate attacks but some are accidental M o t i v e 17
Threat type Example Human error Typo, wrong attachment/email address, lost laptop or phone Intellectual property Piracy, industrial espionage Deliberate act Unauthorized access/trespass, data theft, extortion, blackmail, sabotage, vandalism, terrorist/activist/criminal activity Fraud Identity theft, expenses fraud System/network attack Viruses, worms, Trojans, hacks Service issue Power cuts, network outages Force of nature Fire, flood, storm, earthquake, lightning, tsunami, volcanic eruption Hardware issue Computer power supply failure, lack of capacity Software issue Bugs or design flaws, data corruption Obsolescence iPhone 4? 18 T h r e a t t y p e s
So how do we secure our information assets? 19
1990’s • Information Security Management Code of Practice produced by a UK government-sponsored working group • Based on the security policy used by Shell • Became British Standard BS7799 2000’s • Adopted by ISO/IEC • Became ISO/IEC 17799 (later renumbered ISO/IEC 27002) • ISO/IEC 27001 published & certification scheme started Now • Expanding into a suite of information security standards (known as “ISO27k”) • Updated and reissued every few years I S O 2 7 k A brief history of ISO27k 20
• Concerns the management of information security, not just IT/technical security • Formally specifies a management system • Uses Plan, Do, Check, Act (PDCA) to achieve, maintain and improve alignment of security with risks • Covers all types of organizations (e.g. commercial companies, government agencies, not-for-profit organizations) and all sizes • Thousands of organizations worldwide have been certified compliant ISO 27001 I S O 2 7 0 0 1 21
Interested parties Information security requirements & expectations PLAN Establish ISMS CHECK Monitor & review ISMS ACT Maintain & improve Management responsibility ISMS PROCESS Plan-Do-Check-Act Interested parties Managed information security DO Implement & operate the ISMS P D C A 22
Information Security Policy Organisation of Information Security Asset Management Human Resource Security Physical Security Communication & Operations Management Access Control System Development & Maintenance Incident Management Business Continuity Planning Compliance Availability C O N T R O L C L A U S E S 23
• Information security policy - management direction • Organization of information security - management framework for implementation • Asset management – assessment, classification and protection of valuable information assets • HR security – security for joiners, movers and leavers • Physical & environmental security - prevents unauthorised access, theft, compromise, damage to information and computing facilities, power cuts C O N T R O L C L A U S E S 24
• Communications & operations management - ensures the correct and secure operation of IT • Access control – restrict unauthorized access to information assets • Information systems acquisition, development & maintenance – build security into systems • Information security incident management – deal sensibly with security incidents that arise • Business continuity management – maintain essential business processes and restore any that fail • Compliance - avoid breaching laws, regulations, policies and other security obligations C O N T R O L C L A U S E S 25
PLAN Establish ISMS CHECK Monitor & Review ISMS ACT Maintain & Improve DO Implement & Operate the ISMS IS POLICY SECURITY ORGANISATION ASSET IDENTIFICATION & CLASSIFICATION CONTROL SELECTION & IMPLEMENTATION OPERATIONALIZ E THE PROCESES MANAGEMENT REVIEW CORRECTIVE & PREVENTIVE ACTIONS CHECK PROCESSES I M P L E M E N T A T I O N P R O C E S S C Y C L E 26
B e n e f i t s • Demonstrable commitment to security by the organization • Legal and regulatory compliance • Better risk management • Commercial credibility, confidence, and assurance • Reduced costs • Clear employee direction and improved awareness 27
S c o p e ISMS scope • Data center & DR site • All information assets throughout the organization 28
Key ISMS documents K e y d o c u m e n t s • High level corporate security policy • Supporting policies e.g. physical & environmental, email, HR, incident management, compliance etc. • Standards e.g. Windows Security Standard • Procedures and guidelines • Records e.g. security logs, security review reports, corrective actions 29
Information security vision V I S I O N & M I S S I O N Vision The organization is acknowledged as an industry leader for information security. Mission To design, implement, operate, manage and maintain an Information Security Management System that complies with international standards, incorporating generally-accepted good security practices 30
Who is responsible? W h o • Information Security Management Committee • Information Security Manager/CISO and Department • Incident Response Team • Business Continuity Team • IT, Legal/Compliance, HR, Risk and other departments • Audit Committee • Last but not least, you! Bottom line: 31 Information security is everyone’s responsibility
P o l i c y Corporate Information Security Policy Policy is signed by the CEO and mandated by top management Find it on the intranet 32
I N F O A S S E T C L A S S I F I C A T I O N CONFIDENTIAL: If this information is leaked outside the organization, it will result in major financial and/or image loss. Compromise of this information may result in serious non-compliance (e.g. a privacy breach). Access to this information must be restricted based on the concept of need-to-know. Disclosure requires the information owner’s approval. In case information needs to be disclosed to third parties, a signed confidentiality agreement is required. Examples: customer contracts, pricing rates, trade secrets, personal information, new product development plans, budgets, financial reports (prior to publication), passwords, encryption keys. INTERNAL USE ONLY: Leakage or disclosure of this information outside the organization is unlikely to cause serious harm but may result in some financial loss and/or embarrassment. Examples: circulars, policies, training materials, general company emails, security policies and procedures, corporate intranet. PUBLIC: This information can be freely disclosed to anyone although publication must usually be explicitly approved by Corporate Communications or Marketing. Examples: marketing brochures, press releases, website. 33 Information Asset Classification
Confidentiality Confidentiality level Explanation High Information which is very sensitive or private, of great value to the organization and intended for specific individuals only. The unauthorized disclosure of such information can cause severe harm such as legal or financial liabilities, competitive disadvantage, loss of brand value e.g. merger and acquisition related information, marketing strategy Medium Information belonging to the company and not for disclosure to public or external parties. The unauthorized disclosure of this information may harm to the organization somewhat e.g. organization charts, internal contact lists. Low Non-sensitive information available for public disclosure. The impact of unauthorized disclosure of such information shall not harm Organisation anyway. E.g. Press releases, Company’s News letters e.g. Information published on company’s website Confidentiality of information concerns the protection of sensitive (and often highly valuable) information from unauthorized or inappropriate disclosure. C l a s s i f i c a t i o n 2/14/ 34 Mohan Kamat
U S E R R E S P O N S I B I L I T I E S Physical security • Read and follow security policies and procedures • Display identity cards while on the premises • Challenge or report anyone without an ID card • Visit the intranet Security Zone or call IT Help/Service Desk for advice on most information security matters • Allow unauthorized visitors onto the premises • Bring weapons, hazardous/combustible materials, recording devices etc., especially in secure areas • Use personal IT devices for work purposes, unless explicitly authorized by management 35 Do not Do
U S E R R E S P O N S I B I L I T I E S Password Guidelines  Use long, complicated passphrases - whole sentences if you can  Reserve your strongest passphrases for high security systems (don’t re-use the same passphrase everywhere)  Use famous quotes, lines from your favorite songs, poems etc. to make them memorable  Use short or easily-guessed passwords  Write down passwords or store them in plain text  Share passwords over phone or email 36
U S E R R E S P O N S I B I L I T I E S Warning: Internet usage is routinely logged and monitored. Be careful which websites you visit and what you disclose.  Avoid websites that would be classed as obscene, racist, offensive or illegal – anything that would be embarrassing  Do not access online auction or shopping sites, except where authorized by your manager  Don’t hack!  Do not download or upload commercial software or other copyrighted material without the correct license and permission from your manager  Use the corporate Internet facilities only for legitimate and authorized business purposes Internet usage 37
U S E R R E S P O N S I B I L I T I E S E-mail usage  Do not use your corporate email address for personal email  Do not circulate chain letters, hoaxes, inappropriate jokes, videos etc.  Do not send emails outside the organization unless you are authorized to do so  Be very wary of email attachments and links, especially in unsolicited emails (most are virus-infected) 38  Use corporate email for business purposes only  Follow the email storage guidelines  If you receive spam email, simply delete it. If it is offensive or you receive a lot, call the IT Help/Service Desk
U S E R R E S P O N S I B I L I T I E S Security incidents 39  Report information security incidents, concerns and near-misses to IT Help/Service Desk:  Email …  Telephone …  Anonymous drop-boxes …  Take their advice on what to do  Do not discuss security incidents with anyone outside the organization  Do not attempt to interfere with, obstruct or prevent anyone else from reporting incidents
R e s p o n s i b i l i t i e s  Ensure your PC is getting antivirus updates and patches  Lock your keyboard (Windows-L) before leaving your PC unattended, and log-off at the end of the day  Store laptops and valuable information (paperwork as well as CDs, USB sticks etc.) securely under lock and key  Keep your wits about you while traveling:  Keep your voice down on the cellphone  Be discreet about your IT equipment  Take regular information back ups  Fulfill your security obligations:  Comply with security and privacy laws, copyright and licenses, NDA (Non Disclosure Agreements) and contracts  Comply with corporate policies and procedures  Stay up to date on information security:  Visit the intranet Security Zone when you have a moment 40
41

Recommended

ISO27k Awareness presentation v2.pptx
ISO27k Awareness presentation v2.pptxISO27k Awareness presentation v2.pptx
ISO27k Awareness presentation v2.pptx
Napoleon NV
 
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
IGN MANTRA
 
Meeting the cyber risk challenge
Meeting the cyber risk challengeMeeting the cyber risk challenge
Meeting the cyber risk challengeFERMA
 
Information security
Information securityInformation security
Information security
avinashbalakrishnan2
 
Pci Europe 2009 Underside Of The Compliance Ecosystem
Pci Europe 2009 Underside Of The Compliance EcosystemPci Europe 2009 Underside Of The Compliance Ecosystem
Pci Europe 2009 Underside Of The Compliance Ecosystem
kpatrickwheeler
 
Item46763
Item46763Item46763
Item46763
madunix
 
Cissp- Security and Risk Management
Cissp- Security and Risk ManagementCissp- Security and Risk Management
Cissp- Security and Risk Management
Hamed Moghaddam
 
CCA study group
CCA study groupCCA study group
CCA study group
IIBA UK Chapter
 

Recommended

ISO27k Awareness presentation v2.pptx
ISO27k Awareness presentation v2.pptxISO27k Awareness presentation v2.pptx
ISO27k Awareness presentation v2.pptx
Napoleon NV
 
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
IGN MANTRA
 
Meeting the cyber risk challenge
Meeting the cyber risk challengeMeeting the cyber risk challenge
Meeting the cyber risk challengeFERMA
 
Information security
Information securityInformation security
Information security
avinashbalakrishnan2
 
Pci Europe 2009 Underside Of The Compliance Ecosystem
Pci Europe 2009 Underside Of The Compliance EcosystemPci Europe 2009 Underside Of The Compliance Ecosystem
Pci Europe 2009 Underside Of The Compliance Ecosystem
kpatrickwheeler
 
Item46763
Item46763Item46763
Item46763
madunix
 
Cissp- Security and Risk Management
Cissp- Security and Risk ManagementCissp- Security and Risk Management
Cissp- Security and Risk Management
Hamed Moghaddam
 
CCA study group
CCA study groupCCA study group
CCA study group
IIBA UK Chapter
 
Chapter 12 iso 27001 awareness
Chapter 12 iso 27001 awarenessChapter 12 iso 27001 awareness
Chapter 12 iso 27001 awareness
newbie2019
 
ISMS End-User Training Presentation.pptx
ISMS End-User Training Presentation.pptxISMS End-User Training Presentation.pptx
ISMS End-User Training Presentation.pptx
comstarndt
 
Information Security vs IT - Key Roles & Responsibilities
Information Security vs IT - Key Roles & ResponsibilitiesInformation Security vs IT - Key Roles & Responsibilities
Information Security vs IT - Key Roles & Responsibilities
Kroll
 
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
EC-Council
 
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAEIT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
360 BSI
 
Infocon Bangladesh 2016
Infocon Bangladesh 2016Infocon Bangladesh 2016
Infocon Bangladesh 2016
Prime Infoserv
 
What Is Digital Asset Security. What Are the Risks Associated With It.docx.pdf
What Is Digital Asset Security. What Are the Risks Associated With It.docx.pdfWhat Is Digital Asset Security. What Are the Risks Associated With It.docx.pdf
What Is Digital Asset Security. What Are the Risks Associated With It.docx.pdf
SecureCurve
 
Presentation 1.pptx
Presentation 1.pptxPresentation 1.pptx
Presentation 1.pptx
rabeetkashif
 
Information & Cyber Security Risk
Information & Cyber Security RiskInformation & Cyber Security Risk
Information & Cyber Security Risk
Murray Security Services
 
Selling security to the C-level
Selling security to the C-levelSelling security to the C-level
Selling security to the C-level
Donald Tabone
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security Management
Mark Conway
 
Security architecture frameworks
Security architecture frameworksSecurity architecture frameworks
Security architecture frameworks
John Arnold
 
2 Security And Internet Security
2 Security And Internet Security2 Security And Internet Security
2 Security And Internet SecurityAna Meskovska
 
Information security
Information securityInformation security
Information security
AlaaMahmoud108
 
Presentation1 110616195133-phpapp01(information security)
Presentation1 110616195133-phpapp01(information security)Presentation1 110616195133-phpapp01(information security)
Presentation1 110616195133-phpapp01(information security)
Bonagiri Rajitha
 
Awareness Security Session 2023 v1.0.pptx.pdf
Awareness Security Session 2023 v1.0.pptx.pdfAwareness Security Session 2023 v1.0.pptx.pdf
Awareness Security Session 2023 v1.0.pptx.pdf
AbdullahKanash
 
Breaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gapsBreaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gaps
IBM Security
 
Information security: importance of having defined policy & process
Information security: importance of having defined policy & processInformation security: importance of having defined policy & process
Information security: importance of having defined policy & process
Information Technology Society Nepal
 
Building and implementing a successful information security policy
Building and implementing a successful information security policyBuilding and implementing a successful information security policy
Building and implementing a successful information security policy
RossMob1
 
NUS-ISS Learning Day 2019-Architecting security in the digital age
NUS-ISS Learning Day 2019-Architecting security in the digital ageNUS-ISS Learning Day 2019-Architecting security in the digital age
NUS-ISS Learning Day 2019-Architecting security in the digital age
NUS-ISS
 
Technical recruiter
Technical recruiterTechnical recruiter
Technical recruiter
harigopala
 
Technical recruiter
Technical recruiter Technical recruiter
Technical recruiter
harigopala
 

More Related Content

Similar to ISO27k Awareness presentation.pptx

Chapter 12 iso 27001 awareness
Chapter 12 iso 27001 awarenessChapter 12 iso 27001 awareness
Chapter 12 iso 27001 awareness
newbie2019
 
ISMS End-User Training Presentation.pptx
ISMS End-User Training Presentation.pptxISMS End-User Training Presentation.pptx
ISMS End-User Training Presentation.pptx
comstarndt
 
Information Security vs IT - Key Roles & Responsibilities
Information Security vs IT - Key Roles & ResponsibilitiesInformation Security vs IT - Key Roles & Responsibilities
Information Security vs IT - Key Roles & Responsibilities
Kroll
 
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
EC-Council
 
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAEIT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
360 BSI
 
Infocon Bangladesh 2016
Infocon Bangladesh 2016Infocon Bangladesh 2016
Infocon Bangladesh 2016
Prime Infoserv
 
What Is Digital Asset Security. What Are the Risks Associated With It.docx.pdf
What Is Digital Asset Security. What Are the Risks Associated With It.docx.pdfWhat Is Digital Asset Security. What Are the Risks Associated With It.docx.pdf
What Is Digital Asset Security. What Are the Risks Associated With It.docx.pdf
SecureCurve
 
Presentation 1.pptx
Presentation 1.pptxPresentation 1.pptx
Presentation 1.pptx
rabeetkashif
 
Information & Cyber Security Risk
Information & Cyber Security RiskInformation & Cyber Security Risk
Information & Cyber Security Risk
Murray Security Services
 
Selling security to the C-level
Selling security to the C-levelSelling security to the C-level
Selling security to the C-level
Donald Tabone
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security Management
Mark Conway
 
Security architecture frameworks
Security architecture frameworksSecurity architecture frameworks
Security architecture frameworks
John Arnold
 
2 Security And Internet Security
2 Security And Internet Security2 Security And Internet Security
2 Security And Internet SecurityAna Meskovska
 
Information security
Information securityInformation security
Information security
AlaaMahmoud108
 
Presentation1 110616195133-phpapp01(information security)
Presentation1 110616195133-phpapp01(information security)Presentation1 110616195133-phpapp01(information security)
Presentation1 110616195133-phpapp01(information security)
Bonagiri Rajitha
 
Awareness Security Session 2023 v1.0.pptx.pdf
Awareness Security Session 2023 v1.0.pptx.pdfAwareness Security Session 2023 v1.0.pptx.pdf
Awareness Security Session 2023 v1.0.pptx.pdf
AbdullahKanash
 
Breaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gapsBreaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gaps
IBM Security
 
Information security: importance of having defined policy & process
Information security: importance of having defined policy & processInformation security: importance of having defined policy & process
Information security: importance of having defined policy & process
Information Technology Society Nepal
 
Building and implementing a successful information security policy
Building and implementing a successful information security policyBuilding and implementing a successful information security policy
Building and implementing a successful information security policy
RossMob1
 
NUS-ISS Learning Day 2019-Architecting security in the digital age
NUS-ISS Learning Day 2019-Architecting security in the digital ageNUS-ISS Learning Day 2019-Architecting security in the digital age
NUS-ISS Learning Day 2019-Architecting security in the digital age
NUS-ISS
 

Similar to ISO27k Awareness presentation.pptx (20)

Chapter 12 iso 27001 awareness
Chapter 12 iso 27001 awarenessChapter 12 iso 27001 awareness
Chapter 12 iso 27001 awareness
 
ISMS End-User Training Presentation.pptx
ISMS End-User Training Presentation.pptxISMS End-User Training Presentation.pptx
ISMS End-User Training Presentation.pptx
 
Information Security vs IT - Key Roles & Responsibilities
Information Security vs IT - Key Roles & ResponsibilitiesInformation Security vs IT - Key Roles & Responsibilities
Information Security vs IT - Key Roles & Responsibilities
 
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
 
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAEIT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
 
Infocon Bangladesh 2016
Infocon Bangladesh 2016Infocon Bangladesh 2016
Infocon Bangladesh 2016
 
What Is Digital Asset Security. What Are the Risks Associated With It.docx.pdf
What Is Digital Asset Security. What Are the Risks Associated With It.docx.pdfWhat Is Digital Asset Security. What Are the Risks Associated With It.docx.pdf
What Is Digital Asset Security. What Are the Risks Associated With It.docx.pdf
 
Presentation 1.pptx
Presentation 1.pptxPresentation 1.pptx
Presentation 1.pptx
 
Information & Cyber Security Risk
Information & Cyber Security RiskInformation & Cyber Security Risk
Information & Cyber Security Risk
 
Selling security to the C-level
Selling security to the C-levelSelling security to the C-level
Selling security to the C-level
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security Management
 
Security architecture frameworks
Security architecture frameworksSecurity architecture frameworks
Security architecture frameworks
 
2 Security And Internet Security
2 Security And Internet Security2 Security And Internet Security
2 Security And Internet Security
 
Information security
Information securityInformation security
Information security
 
Presentation1 110616195133-phpapp01(information security)
Presentation1 110616195133-phpapp01(information security)Presentation1 110616195133-phpapp01(information security)
Presentation1 110616195133-phpapp01(information security)
 
Awareness Security Session 2023 v1.0.pptx.pdf
Awareness Security Session 2023 v1.0.pptx.pdfAwareness Security Session 2023 v1.0.pptx.pdf
Awareness Security Session 2023 v1.0.pptx.pdf
 
Breaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gapsBreaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gaps
 
Information security: importance of having defined policy & process
Information security: importance of having defined policy & processInformation security: importance of having defined policy & process
Information security: importance of having defined policy & process
 
Building and implementing a successful information security policy
Building and implementing a successful information security policyBuilding and implementing a successful information security policy
Building and implementing a successful information security policy
 
NUS-ISS Learning Day 2019-Architecting security in the digital age
NUS-ISS Learning Day 2019-Architecting security in the digital ageNUS-ISS Learning Day 2019-Architecting security in the digital age
NUS-ISS Learning Day 2019-Architecting security in the digital age
 

More from harigopala

Technical recruiter
Technical recruiterTechnical recruiter
Technical recruiter
harigopala
 
Technical recruiter
Technical recruiter Technical recruiter
Technical recruiter
harigopala
 
Electrical_PPT_v-03-01-17.pptx
Electrical_PPT_v-03-01-17.pptxElectrical_PPT_v-03-01-17.pptx
Electrical_PPT_v-03-01-17.pptx
harigopala
 
email_etiquette[1].ppt
email_etiquette[1].pptemail_etiquette[1].ppt
email_etiquette[1].ppt
harigopala
 
Fire_Extinguisher.ppt
Fire_Extinguisher.pptFire_Extinguisher.ppt
Fire_Extinguisher.ppt
harigopala
 
Email etiquette
Email etiquetteEmail etiquette
Email etiquette
harigopala
 
Cordless telephone
Cordless telephoneCordless telephone
Cordless telephoneharigopala
 

More from harigopala (7)

Technical recruiter
Technical recruiterTechnical recruiter
Technical recruiter
 
Technical recruiter
Technical recruiter Technical recruiter
Technical recruiter
 
Electrical_PPT_v-03-01-17.pptx
Electrical_PPT_v-03-01-17.pptxElectrical_PPT_v-03-01-17.pptx
Electrical_PPT_v-03-01-17.pptx
 
email_etiquette[1].ppt
email_etiquette[1].pptemail_etiquette[1].ppt
email_etiquette[1].ppt
 
Fire_Extinguisher.ppt
Fire_Extinguisher.pptFire_Extinguisher.ppt
Fire_Extinguisher.ppt
 
Email etiquette
Email etiquetteEmail etiquette
Email etiquette
 
Cordless telephone
Cordless telephoneCordless telephone
Cordless telephone
 

Recently uploaded

Set off and carry forward of losses and assessment of individuals.pptx
Set off and carry forward of losses and assessment of individuals.pptxSet off and carry forward of losses and assessment of individuals.pptx
Set off and carry forward of losses and assessment of individuals.pptx
HARSHITHV26
 
Discover the innovative and creative projects that highlight my journey throu...
Discover the innovative and creative projects that highlight my journey throu...Discover the innovative and creative projects that highlight my journey throu...
Discover the innovative and creative projects that highlight my journey throu...
dylandmeas
 
VAT Registration Outlined In UAE: Benefits and Requirements
VAT Registration Outlined In UAE: Benefits and RequirementsVAT Registration Outlined In UAE: Benefits and Requirements
VAT Registration Outlined In UAE: Benefits and Requirements
uae taxgpt
 
Search Disrupted Google’s Leaked Documents Rock the SEO World.pdf
Search Disrupted Google’s Leaked Documents Rock the SEO World.pdfSearch Disrupted Google’s Leaked Documents Rock the SEO World.pdf
Search Disrupted Google’s Leaked Documents Rock the SEO World.pdf
Arihant Webtech Pvt. Ltd
 
The Influence of Marketing Strategy and Market Competition on Business Perfor...
The Influence of Marketing Strategy and Market Competition on Business Perfor...The Influence of Marketing Strategy and Market Competition on Business Perfor...
The Influence of Marketing Strategy and Market Competition on Business Perfor...
Adam Smith
 
Mastering B2B Payments Webinar from BlueSnap
Mastering B2B Payments Webinar from BlueSnapMastering B2B Payments Webinar from BlueSnap
Mastering B2B Payments Webinar from BlueSnap
Norma Mushkat Gaffin
 
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdfMeas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
dylandmeas
 
-- June 2024 is National Volunteer Month --
-- June 2024 is National Volunteer Month ---- June 2024 is National Volunteer Month --
-- June 2024 is National Volunteer Month --
NZSG
 
Premium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern BusinessesPremium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern Businesses
SynapseIndia
 
The effects of customers service quality and online reviews on customer loyal...
The effects of customers service quality and online reviews on customer loyal...The effects of customers service quality and online reviews on customer loyal...
The effects of customers service quality and online reviews on customer loyal...
balatucanapplelovely
 
FINAL PRESENTATION.pptx12143241324134134
FINAL PRESENTATION.pptx12143241324134134FINAL PRESENTATION.pptx12143241324134134
FINAL PRESENTATION.pptx12143241324134134
LR1709MUSIC
 
Helen Lubchak: Тренди в управлінні проєктами та miltech (UA)
Helen Lubchak: Тренди в управлінні проєктами та miltech (UA)Helen Lubchak: Тренди в управлінні проєктами та miltech (UA)
Helen Lubchak: Тренди в управлінні проєктами та miltech (UA)
Lviv Startup Club
 
LA HUG - Video Testimonials with Chynna Morgan - June 2024
LA HUG - Video Testimonials with Chynna Morgan - June 2024LA HUG - Video Testimonials with Chynna Morgan - June 2024
LA HUG - Video Testimonials with Chynna Morgan - June 2024
Lital Barkan
 
Authentically Social Presented by Corey Perlman
Authentically Social Presented by Corey PerlmanAuthentically Social Presented by Corey Perlman
Authentically Social Presented by Corey Perlman
Corey Perlman, Social Media Speaker and Consultant
 
Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...
Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...
Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...
SOFTTECHHUB
 
ModelingMarketingStrategiesMKS.CollumbiaUniversitypdf
ModelingMarketingStrategiesMKS.CollumbiaUniversitypdfModelingMarketingStrategiesMKS.CollumbiaUniversitypdf
ModelingMarketingStrategiesMKS.CollumbiaUniversitypdf
fisherameliaisabella
 
3.0 Project 2_ Developing My Brand Identity Kit.pptx
3.0 Project 2_ Developing My Brand Identity Kit.pptx3.0 Project 2_ Developing My Brand Identity Kit.pptx
3.0 Project 2_ Developing My Brand Identity Kit.pptx
tanyjahb
 
Exploring Patterns of Connection with Social Dreaming
Exploring Patterns of Connection with Social DreamingExploring Patterns of Connection with Social Dreaming
Exploring Patterns of Connection with Social Dreaming
Nicola Wreford-Howard
 
Digital Transformation and IT Strategy Toolkit and Templates
Digital Transformation and IT Strategy Toolkit and TemplatesDigital Transformation and IT Strategy Toolkit and Templates
Digital Transformation and IT Strategy Toolkit and Templates
Aurelien Domont, MBA
 
Maksym Vyshnivetskyi: PMO Quality Management (UA)
Maksym Vyshnivetskyi: PMO Quality Management (UA)Maksym Vyshnivetskyi: PMO Quality Management (UA)
Maksym Vyshnivetskyi: PMO Quality Management (UA)
Lviv Startup Club
 

Recently uploaded (20)

Set off and carry forward of losses and assessment of individuals.pptx
Set off and carry forward of losses and assessment of individuals.pptxSet off and carry forward of losses and assessment of individuals.pptx
Set off and carry forward of losses and assessment of individuals.pptx
 
Discover the innovative and creative projects that highlight my journey throu...
Discover the innovative and creative projects that highlight my journey throu...Discover the innovative and creative projects that highlight my journey throu...
Discover the innovative and creative projects that highlight my journey throu...
 
VAT Registration Outlined In UAE: Benefits and Requirements
VAT Registration Outlined In UAE: Benefits and RequirementsVAT Registration Outlined In UAE: Benefits and Requirements
VAT Registration Outlined In UAE: Benefits and Requirements
 
Search Disrupted Google’s Leaked Documents Rock the SEO World.pdf
Search Disrupted Google’s Leaked Documents Rock the SEO World.pdfSearch Disrupted Google’s Leaked Documents Rock the SEO World.pdf
Search Disrupted Google’s Leaked Documents Rock the SEO World.pdf
 
The Influence of Marketing Strategy and Market Competition on Business Perfor...
The Influence of Marketing Strategy and Market Competition on Business Perfor...The Influence of Marketing Strategy and Market Competition on Business Perfor...
The Influence of Marketing Strategy and Market Competition on Business Perfor...
 
Mastering B2B Payments Webinar from BlueSnap
Mastering B2B Payments Webinar from BlueSnapMastering B2B Payments Webinar from BlueSnap
Mastering B2B Payments Webinar from BlueSnap
 
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdfMeas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
 
-- June 2024 is National Volunteer Month --
-- June 2024 is National Volunteer Month ---- June 2024 is National Volunteer Month --
-- June 2024 is National Volunteer Month --
 
Premium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern BusinessesPremium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern Businesses
 
The effects of customers service quality and online reviews on customer loyal...
The effects of customers service quality and online reviews on customer loyal...The effects of customers service quality and online reviews on customer loyal...
The effects of customers service quality and online reviews on customer loyal...
 
FINAL PRESENTATION.pptx12143241324134134
FINAL PRESENTATION.pptx12143241324134134FINAL PRESENTATION.pptx12143241324134134
FINAL PRESENTATION.pptx12143241324134134
 
Helen Lubchak: Тренди в управлінні проєктами та miltech (UA)
Helen Lubchak: Тренди в управлінні проєктами та miltech (UA)Helen Lubchak: Тренди в управлінні проєктами та miltech (UA)
Helen Lubchak: Тренди в управлінні проєктами та miltech (UA)
 
LA HUG - Video Testimonials with Chynna Morgan - June 2024
LA HUG - Video Testimonials with Chynna Morgan - June 2024LA HUG - Video Testimonials with Chynna Morgan - June 2024
LA HUG - Video Testimonials with Chynna Morgan - June 2024
 
Authentically Social Presented by Corey Perlman
Authentically Social Presented by Corey PerlmanAuthentically Social Presented by Corey Perlman
Authentically Social Presented by Corey Perlman
 
Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...
Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...
Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...
 
ModelingMarketingStrategiesMKS.CollumbiaUniversitypdf
ModelingMarketingStrategiesMKS.CollumbiaUniversitypdfModelingMarketingStrategiesMKS.CollumbiaUniversitypdf
ModelingMarketingStrategiesMKS.CollumbiaUniversitypdf
 
3.0 Project 2_ Developing My Brand Identity Kit.pptx
3.0 Project 2_ Developing My Brand Identity Kit.pptx3.0 Project 2_ Developing My Brand Identity Kit.pptx
3.0 Project 2_ Developing My Brand Identity Kit.pptx
 
Exploring Patterns of Connection with Social Dreaming
Exploring Patterns of Connection with Social DreamingExploring Patterns of Connection with Social Dreaming
Exploring Patterns of Connection with Social Dreaming
 
Digital Transformation and IT Strategy Toolkit and Templates
Digital Transformation and IT Strategy Toolkit and TemplatesDigital Transformation and IT Strategy Toolkit and Templates
Digital Transformation and IT Strategy Toolkit and Templates
 
Maksym Vyshnivetskyi: PMO Quality Management (UA)
Maksym Vyshnivetskyi: PMO Quality Management (UA)Maksym Vyshnivetskyi: PMO Quality Management (UA)
Maksym Vyshnivetskyi: PMO Quality Management (UA)
 

ISO27k Awareness presentation.pptx

  • 1. Security awareness seminar An introduction to ISO27k I n f o r m a t i o n s e c u r i t y This work is copyright © 2012, Mohan Kamat and ISO27k Forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that: (a) it is not sold or incorporated into a commercial product; (b) it is properly attributed to the ISO27k Forum (www.ISO27001security.com); and (c) any derivative works that are shared are subject to the same terms as this work.
  • 2.  What is information?  What is information security?  What is risk?  Introduction to the ISO standards  Managing information security  Your security responsibilities A g e n d a 2
  • 3. Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected I N F O R M A T I O N 3 ISO/IEC 27002:2005
  • 4. I n f o r m a t i o n t y p e s Information exists in many forms:  Printed or written on paper  Stored electronically  Transmitted by post or electronic means  Visual e.g. videos, diagrams  Published on the Web  Verbal/aural e.g. conversations, phone calls  Intangible e.g. knowledge, experience, expertise, ideas ‘Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected’ (ISO/IEC 27002:2005) 4
  • 5. I n f o l i f e c y c l e Information can be …  Created  Owned (it is an asset)  Stored  Processed  Transmitted/communicated  Used (for proper or improper purposes)  Modified or corrupted  Shared or disclosed (whether appropriately or not)  Destroyed or lost  Stolen  Controlled, secured and protected throughout its existence 5
  • 6. K e y t e r m What is information security?  Information security is what keeps valuable information ‘free of danger’ (protected, safe from harm)  It is not something you buy, it is something you do o It’s a process not a product  It is achieved using a combination of suitable strategies and approaches: o Determining the risks to information and treating them accordingly (proactive risk management) o Protecting CIA (Confidentiality, Integrity and Availability) o Avoiding, preventing, detecting and recovering from incidents o Securing people, processes and technology … not just IT! 6
  • 8. P e o p l e People People who use or have an interest in our information security include:  Shareholders / owners  Management & staff  Customers / clients, suppliers & business partners  Service providers, contractors, consultants & advisors  Authorities, regulators & judges Our biggest threats arise from people (social engineers, unethical competitors, hackers, fraudsters, careless workers, bugs, flaws …), yet our biggest asset is our people (e.g. security-aware employees who spot trouble early) 8
  • 9. Processes Processes are work practices or workflows, the steps or activities needed to accomplish business objectives. • Processes are described in procedures. • Virtually all business processes involve and/or depend on information making information a critical business asset. Information security policies and procedures define how we secure information appropriately and repeatedly. P r o c e s s e s 9
  • 10. Technology Information technologies  Cabling, data/voice networks and equipment  Telecommunications services (PABX, VoIP, ISDN, videoconferencing)  Phones, cellphones, PDAs  Computer servers, desktops and associated data storage devices (disks, tapes)  Operating system and application software  Paperwork, files  Pens, ink Security technologies  Locks, barriers, card-access systems, CCTV T e c h n o l o g y 10
  • 11. • Protects information against various threats • Ensures business continuity • Minimizes financial losses and other impacts • Optimizes return on investments • Creates opportunities to do business safely • Maintains privacy and compliance V a l u e We all depend on information security 11 Information security is valuable because it …
  • 12. Information security is defined as the preservation of: Confidentiality Making information accessible only to those authorized to use it Integrity Safeguarding the accuracy and completeness of information and processing methods Availability Ensuring that information is available when required C I A 12
  • 13. • IT downtime, business interruption • Financial losses and costs • Devaluation of intellectual property • Breaking laws and regulations, leading to prosecutions, fines and penalties • Reputation and brand damage leading to loss of customer, market, business partner or owners’ confidence and lost business • Fear, uncertainty and doubt Security incidents cause … 13 I m p a c t s
  • 14. K e y t e r m What is risk? Risk is the possibility that a threat exploits a vulnerability in an information asset, leading to an adverse impact on the organization Threat: something that might cause harm Vulnerability: a weakness that might be exploited Impact: financial damage etc. 14
  • 16. T h r e a t a g e n t Threat agent The actor that represents, carries out or catalyzes the threat • Human • Machine • Nature 16
  • 17. Motive Something that causes the threat agent to act • Implies intentional/deliberate attacks but some are accidental M o t i v e 17
  • 18. Threat type Example Human error Typo, wrong attachment/email address, lost laptop or phone Intellectual property Piracy, industrial espionage Deliberate act Unauthorized access/trespass, data theft, extortion, blackmail, sabotage, vandalism, terrorist/activist/criminal activity Fraud Identity theft, expenses fraud System/network attack Viruses, worms, Trojans, hacks Service issue Power cuts, network outages Force of nature Fire, flood, storm, earthquake, lightning, tsunami, volcanic eruption Hardware issue Computer power supply failure, lack of capacity Software issue Bugs or design flaws, data corruption Obsolescence iPhone 4? 18 T h r e a t t y p e s
  • 19. So how do we secure our information assets? 19
  • 20. 1990’s • Information Security Management Code of Practice produced by a UK government-sponsored working group • Based on the security policy used by Shell • Became British Standard BS7799 2000’s • Adopted by ISO/IEC • Became ISO/IEC 17799 (later renumbered ISO/IEC 27002) • ISO/IEC 27001 published & certification scheme started Now • Expanding into a suite of information security standards (known as “ISO27k”) • Updated and reissued every few years I S O 2 7 k A brief history of ISO27k 20
  • 21. • Concerns the management of information security, not just IT/technical security • Formally specifies a management system • Uses Plan, Do, Check, Act (PDCA) to achieve, maintain and improve alignment of security with risks • Covers all types of organizations (e.g. commercial companies, government agencies, not-for-profit organizations) and all sizes • Thousands of organizations worldwide have been certified compliant ISO 27001 I S O 2 7 0 0 1 21
  • 22. Interested parties Information security requirements & expectations PLAN Establish ISMS CHECK Monitor & review ISMS ACT Maintain & improve Management responsibility ISMS PROCESS Plan-Do-Check-Act Interested parties Managed information security DO Implement & operate the ISMS P D C A 22
  • 23. Information Security Policy Organisation of Information Security Asset Management Human Resource Security Physical Security Communication & Operations Management Access Control System Development & Maintenance Incident Management Business Continuity Planning Compliance Availability C O N T R O L C L A U S E S 23
  • 24. • Information security policy - management direction • Organization of information security - management framework for implementation • Asset management – assessment, classification and protection of valuable information assets • HR security – security for joiners, movers and leavers • Physical & environmental security - prevents unauthorised access, theft, compromise, damage to information and computing facilities, power cuts C O N T R O L C L A U S E S 24
  • 25. • Communications & operations management - ensures the correct and secure operation of IT • Access control – restrict unauthorized access to information assets • Information systems acquisition, development & maintenance – build security into systems • Information security incident management – deal sensibly with security incidents that arise • Business continuity management – maintain essential business processes and restore any that fail • Compliance - avoid breaching laws, regulations, policies and other security obligations C O N T R O L C L A U S E S 25
  • 26. PLAN Establish ISMS CHECK Monitor & Review ISMS ACT Maintain & Improve DO Implement & Operate the ISMS IS POLICY SECURITY ORGANISATION ASSET IDENTIFICATION & CLASSIFICATION CONTROL SELECTION & IMPLEMENTATION OPERATIONALIZ E THE PROCESES MANAGEMENT REVIEW CORRECTIVE & PREVENTIVE ACTIONS CHECK PROCESSES I M P L E M E N T A T I O N P R O C E S S C Y C L E 26
  • 27. B e n e f i t s • Demonstrable commitment to security by the organization • Legal and regulatory compliance • Better risk management • Commercial credibility, confidence, and assurance • Reduced costs • Clear employee direction and improved awareness 27
  • 28. S c o p e ISMS scope • Data center & DR site • All information assets throughout the organization 28
  • 29. Key ISMS documents K e y d o c u m e n t s • High level corporate security policy • Supporting policies e.g. physical & environmental, email, HR, incident management, compliance etc. • Standards e.g. Windows Security Standard • Procedures and guidelines • Records e.g. security logs, security review reports, corrective actions 29
  • 30. Information security vision V I S I O N & M I S S I O N Vision The organization is acknowledged as an industry leader for information security. Mission To design, implement, operate, manage and maintain an Information Security Management System that complies with international standards, incorporating generally-accepted good security practices 30
  • 31. Who is responsible? W h o • Information Security Management Committee • Information Security Manager/CISO and Department • Incident Response Team • Business Continuity Team • IT, Legal/Compliance, HR, Risk and other departments • Audit Committee • Last but not least, you! Bottom line: 31 Information security is everyone’s responsibility
  • 32. P o l i c y Corporate Information Security Policy Policy is signed by the CEO and mandated by top management Find it on the intranet 32
  • 33. I N F O A S S E T C L A S S I F I C A T I O N CONFIDENTIAL: If this information is leaked outside the organization, it will result in major financial and/or image loss. Compromise of this information may result in serious non-compliance (e.g. a privacy breach). Access to this information must be restricted based on the concept of need-to-know. Disclosure requires the information owner’s approval. In case information needs to be disclosed to third parties, a signed confidentiality agreement is required. Examples: customer contracts, pricing rates, trade secrets, personal information, new product development plans, budgets, financial reports (prior to publication), passwords, encryption keys. INTERNAL USE ONLY: Leakage or disclosure of this information outside the organization is unlikely to cause serious harm but may result in some financial loss and/or embarrassment. Examples: circulars, policies, training materials, general company emails, security policies and procedures, corporate intranet. PUBLIC: This information can be freely disclosed to anyone although publication must usually be explicitly approved by Corporate Communications or Marketing. Examples: marketing brochures, press releases, website. 33 Information Asset Classification
  • 34. Confidentiality Confidentiality level Explanation High Information which is very sensitive or private, of great value to the organization and intended for specific individuals only. The unauthorized disclosure of such information can cause severe harm such as legal or financial liabilities, competitive disadvantage, loss of brand value e.g. merger and acquisition related information, marketing strategy Medium Information belonging to the company and not for disclosure to public or external parties. The unauthorized disclosure of this information may harm to the organization somewhat e.g. organization charts, internal contact lists. Low Non-sensitive information available for public disclosure. The impact of unauthorized disclosure of such information shall not harm Organisation anyway. E.g. Press releases, Company’s News letters e.g. Information published on company’s website Confidentiality of information concerns the protection of sensitive (and often highly valuable) information from unauthorized or inappropriate disclosure. C l a s s i f i c a t i o n 2/14/ 34 Mohan Kamat
  • 35. U S E R R E S P O N S I B I L I T I E S Physical security • Read and follow security policies and procedures • Display identity cards while on the premises • Challenge or report anyone without an ID card • Visit the intranet Security Zone or call IT Help/Service Desk for advice on most information security matters • Allow unauthorized visitors onto the premises • Bring weapons, hazardous/combustible materials, recording devices etc., especially in secure areas • Use personal IT devices for work purposes, unless explicitly authorized by management 35 Do not Do
  • 36. U S E R R E S P O N S I B I L I T I E S Password Guidelines  Use long, complicated passphrases - whole sentences if you can  Reserve your strongest passphrases for high security systems (don’t re-use the same passphrase everywhere)  Use famous quotes, lines from your favorite songs, poems etc. to make them memorable  Use short or easily-guessed passwords  Write down passwords or store them in plain text  Share passwords over phone or email 36
  • 37. U S E R R E S P O N S I B I L I T I E S Warning: Internet usage is routinely logged and monitored. Be careful which websites you visit and what you disclose.  Avoid websites that would be classed as obscene, racist, offensive or illegal – anything that would be embarrassing  Do not access online auction or shopping sites, except where authorized by your manager  Don’t hack!  Do not download or upload commercial software or other copyrighted material without the correct license and permission from your manager  Use the corporate Internet facilities only for legitimate and authorized business purposes Internet usage 37
  • 38. U S E R R E S P O N S I B I L I T I E S E-mail usage  Do not use your corporate email address for personal email  Do not circulate chain letters, hoaxes, inappropriate jokes, videos etc.  Do not send emails outside the organization unless you are authorized to do so  Be very wary of email attachments and links, especially in unsolicited emails (most are virus-infected) 38  Use corporate email for business purposes only  Follow the email storage guidelines  If you receive spam email, simply delete it. If it is offensive or you receive a lot, call the IT Help/Service Desk
  • 39. U S E R R E S P O N S I B I L I T I E S Security incidents 39  Report information security incidents, concerns and near-misses to IT Help/Service Desk:  Email …  Telephone …  Anonymous drop-boxes …  Take their advice on what to do  Do not discuss security incidents with anyone outside the organization  Do not attempt to interfere with, obstruct or prevent anyone else from reporting incidents
  • 40. R e s p o n s i b i l i t i e s  Ensure your PC is getting antivirus updates and patches  Lock your keyboard (Windows-L) before leaving your PC unattended, and log-off at the end of the day  Store laptops and valuable information (paperwork as well as CDs, USB sticks etc.) securely under lock and key  Keep your wits about you while traveling:  Keep your voice down on the cellphone  Be discreet about your IT equipment  Take regular information back ups  Fulfill your security obligations:  Comply with security and privacy laws, copyright and licenses, NDA (Non Disclosure Agreements) and contracts  Comply with corporate policies and procedures  Stay up to date on information security:  Visit the intranet Security Zone when you have a moment 40
  • 41. 41