Uploaded byharigopala
PPTX, PDF43 views

ISO27k Awareness presentation.pptx

This document provides an overview of information security and ISO 27001. It discusses what information security is, the importance of protecting information assets, and introduces some of the key concepts from ISO 27001 such as risk management, the Plan-Do-Check-Act cycle, and control objectives. The document emphasizes that information security is everyone's responsibility.

Embed presentation

Download to read offline
Security awareness seminar An introduction to ISO27k I n f o r m a t i o n s e c u r i t y This work is copyright © 2012, Mohan Kamat and ISO27k Forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that: (a) it is not sold or incorporated into a commercial product; (b) it is properly attributed to the ISO27k Forum (www.ISO27001security.com); and (c) any derivative works that are shared are subject to the same terms as this work.
 What is information?  What is information security?  What is risk?  Introduction to the ISO standards  Managing information security  Your security responsibilities A g e n d a 2
Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected I N F O R M A T I O N 3 ISO/IEC 27002:2005
I n f o r m a t i o n t y p e s Information exists in many forms:  Printed or written on paper  Stored electronically  Transmitted by post or electronic means  Visual e.g. videos, diagrams  Published on the Web  Verbal/aural e.g. conversations, phone calls  Intangible e.g. knowledge, experience, expertise, ideas ‘Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected’ (ISO/IEC 27002:2005) 4
I n f o l i f e c y c l e Information can be …  Created  Owned (it is an asset)  Stored  Processed  Transmitted/communicated  Used (for proper or improper purposes)  Modified or corrupted  Shared or disclosed (whether appropriately or not)  Destroyed or lost  Stolen  Controlled, secured and protected throughout its existence 5
K e y t e r m What is information security?  Information security is what keeps valuable information ‘free of danger’ (protected, safe from harm)  It is not something you buy, it is something you do o It’s a process not a product  It is achieved using a combination of suitable strategies and approaches: o Determining the risks to information and treating them accordingly (proactive risk management) o Protecting CIA (Confidentiality, Integrity and Availability) o Avoiding, preventing, detecting and recovering from incidents o Securing people, processes and technology … not just IT! 6
S e c u r i t y e l e m e n t s PEOPLE PROCESSES TECHNOLOGY Staff & management Business activities IT, phones, pens … 7
P e o p l e People People who use or have an interest in our information security include:  Shareholders / owners  Management & staff  Customers / clients, suppliers & business partners  Service providers, contractors, consultants & advisors  Authorities, regulators & judges Our biggest threats arise from people (social engineers, unethical competitors, hackers, fraudsters, careless workers, bugs, flaws …), yet our biggest asset is our people (e.g. security-aware employees who spot trouble early) 8
Processes Processes are work practices or workflows, the steps or activities needed to accomplish business objectives. • Processes are described in procedures. • Virtually all business processes involve and/or depend on information making information a critical business asset. Information security policies and procedures define how we secure information appropriately and repeatedly. P r o c e s s e s 9
Technology Information technologies  Cabling, data/voice networks and equipment  Telecommunications services (PABX, VoIP, ISDN, videoconferencing)  Phones, cellphones, PDAs  Computer servers, desktops and associated data storage devices (disks, tapes)  Operating system and application software  Paperwork, files  Pens, ink Security technologies  Locks, barriers, card-access systems, CCTV T e c h n o l o g y 10
• Protects information against various threats • Ensures business continuity • Minimizes financial losses and other impacts • Optimizes return on investments • Creates opportunities to do business safely • Maintains privacy and compliance V a l u e We all depend on information security 11 Information security is valuable because it …
Information security is defined as the preservation of: Confidentiality Making information accessible only to those authorized to use it Integrity Safeguarding the accuracy and completeness of information and processing methods Availability Ensuring that information is available when required C I A 12
• IT downtime, business interruption • Financial losses and costs • Devaluation of intellectual property • Breaking laws and regulations, leading to prosecutions, fines and penalties • Reputation and brand damage leading to loss of customer, market, business partner or owners’ confidence and lost business • Fear, uncertainty and doubt Security incidents cause … 13 I m p a c t s
K e y t e r m What is risk? Risk is the possibility that a threat exploits a vulnerability in an information asset, leading to an adverse impact on the organization Threat: something that might cause harm Vulnerability: a weakness that might be exploited Impact: financial damage etc. 14
R e l a t i o n s h i p s Risk relationships Threats Vulnerabilities exploit Risk Value Security requirements Information assets Controls reduce 15 to
T h r e a t a g e n t Threat agent The actor that represents, carries out or catalyzes the threat • Human • Machine • Nature 16
Motive Something that causes the threat agent to act • Implies intentional/deliberate attacks but some are accidental M o t i v e 17
Threat type Example Human error Typo, wrong attachment/email address, lost laptop or phone Intellectual property Piracy, industrial espionage Deliberate act Unauthorized access/trespass, data theft, extortion, blackmail, sabotage, vandalism, terrorist/activist/criminal activity Fraud Identity theft, expenses fraud System/network attack Viruses, worms, Trojans, hacks Service issue Power cuts, network outages Force of nature Fire, flood, storm, earthquake, lightning, tsunami, volcanic eruption Hardware issue Computer power supply failure, lack of capacity Software issue Bugs or design flaws, data corruption Obsolescence iPhone 4? 18 T h r e a t t y p e s
So how do we secure our information assets? 19
1990’s • Information Security Management Code of Practice produced by a UK government-sponsored working group • Based on the security policy used by Shell • Became British Standard BS7799 2000’s • Adopted by ISO/IEC • Became ISO/IEC 17799 (later renumbered ISO/IEC 27002) • ISO/IEC 27001 published & certification scheme started Now • Expanding into a suite of information security standards (known as “ISO27k”) • Updated and reissued every few years I S O 2 7 k A brief history of ISO27k 20
• Concerns the management of information security, not just IT/technical security • Formally specifies a management system • Uses Plan, Do, Check, Act (PDCA) to achieve, maintain and improve alignment of security with risks • Covers all types of organizations (e.g. commercial companies, government agencies, not-for-profit organizations) and all sizes • Thousands of organizations worldwide have been certified compliant ISO 27001 I S O 2 7 0 0 1 21
Interested parties Information security requirements & expectations PLAN Establish ISMS CHECK Monitor & review ISMS ACT Maintain & improve Management responsibility ISMS PROCESS Plan-Do-Check-Act Interested parties Managed information security DO Implement & operate the ISMS P D C A 22
Information Security Policy Organisation of Information Security Asset Management Human Resource Security Physical Security Communication & Operations Management Access Control System Development & Maintenance Incident Management Business Continuity Planning Compliance Availability C O N T R O L C L A U S E S 23
• Information security policy - management direction • Organization of information security - management framework for implementation • Asset management – assessment, classification and protection of valuable information assets • HR security – security for joiners, movers and leavers • Physical & environmental security - prevents unauthorised access, theft, compromise, damage to information and computing facilities, power cuts C O N T R O L C L A U S E S 24
• Communications & operations management - ensures the correct and secure operation of IT • Access control – restrict unauthorized access to information assets • Information systems acquisition, development & maintenance – build security into systems • Information security incident management – deal sensibly with security incidents that arise • Business continuity management – maintain essential business processes and restore any that fail • Compliance - avoid breaching laws, regulations, policies and other security obligations C O N T R O L C L A U S E S 25
PLAN Establish ISMS CHECK Monitor & Review ISMS ACT Maintain & Improve DO Implement & Operate the ISMS IS POLICY SECURITY ORGANISATION ASSET IDENTIFICATION & CLASSIFICATION CONTROL SELECTION & IMPLEMENTATION OPERATIONALIZ E THE PROCESES MANAGEMENT REVIEW CORRECTIVE & PREVENTIVE ACTIONS CHECK PROCESSES I M P L E M E N T A T I O N P R O C E S S C Y C L E 26
B e n e f i t s • Demonstrable commitment to security by the organization • Legal and regulatory compliance • Better risk management • Commercial credibility, confidence, and assurance • Reduced costs • Clear employee direction and improved awareness 27
S c o p e ISMS scope • Data center & DR site • All information assets throughout the organization 28
Key ISMS documents K e y d o c u m e n t s • High level corporate security policy • Supporting policies e.g. physical & environmental, email, HR, incident management, compliance etc. • Standards e.g. Windows Security Standard • Procedures and guidelines • Records e.g. security logs, security review reports, corrective actions 29
Information security vision V I S I O N & M I S S I O N Vision The organization is acknowledged as an industry leader for information security. Mission To design, implement, operate, manage and maintain an Information Security Management System that complies with international standards, incorporating generally-accepted good security practices 30
Who is responsible? W h o • Information Security Management Committee • Information Security Manager/CISO and Department • Incident Response Team • Business Continuity Team • IT, Legal/Compliance, HR, Risk and other departments • Audit Committee • Last but not least, you! Bottom line: 31 Information security is everyone’s responsibility
P o l i c y Corporate Information Security Policy Policy is signed by the CEO and mandated by top management Find it on the intranet 32
I N F O A S S E T C L A S S I F I C A T I O N CONFIDENTIAL: If this information is leaked outside the organization, it will result in major financial and/or image loss. Compromise of this information may result in serious non-compliance (e.g. a privacy breach). Access to this information must be restricted based on the concept of need-to-know. Disclosure requires the information owner’s approval. In case information needs to be disclosed to third parties, a signed confidentiality agreement is required. Examples: customer contracts, pricing rates, trade secrets, personal information, new product development plans, budgets, financial reports (prior to publication), passwords, encryption keys. INTERNAL USE ONLY: Leakage or disclosure of this information outside the organization is unlikely to cause serious harm but may result in some financial loss and/or embarrassment. Examples: circulars, policies, training materials, general company emails, security policies and procedures, corporate intranet. PUBLIC: This information can be freely disclosed to anyone although publication must usually be explicitly approved by Corporate Communications or Marketing. Examples: marketing brochures, press releases, website. 33 Information Asset Classification
Confidentiality Confidentiality level Explanation High Information which is very sensitive or private, of great value to the organization and intended for specific individuals only. The unauthorized disclosure of such information can cause severe harm such as legal or financial liabilities, competitive disadvantage, loss of brand value e.g. merger and acquisition related information, marketing strategy Medium Information belonging to the company and not for disclosure to public or external parties. The unauthorized disclosure of this information may harm to the organization somewhat e.g. organization charts, internal contact lists. Low Non-sensitive information available for public disclosure. The impact of unauthorized disclosure of such information shall not harm Organisation anyway. E.g. Press releases, Company’s News letters e.g. Information published on company’s website Confidentiality of information concerns the protection of sensitive (and often highly valuable) information from unauthorized or inappropriate disclosure. C l a s s i f i c a t i o n 2/14/ 34 Mohan Kamat
U S E R R E S P O N S I B I L I T I E S Physical security • Read and follow security policies and procedures • Display identity cards while on the premises • Challenge or report anyone without an ID card • Visit the intranet Security Zone or call IT Help/Service Desk for advice on most information security matters • Allow unauthorized visitors onto the premises • Bring weapons, hazardous/combustible materials, recording devices etc., especially in secure areas • Use personal IT devices for work purposes, unless explicitly authorized by management 35 Do not Do
U S E R R E S P O N S I B I L I T I E S Password Guidelines  Use long, complicated passphrases - whole sentences if you can  Reserve your strongest passphrases for high security systems (don’t re-use the same passphrase everywhere)  Use famous quotes, lines from your favorite songs, poems etc. to make them memorable  Use short or easily-guessed passwords  Write down passwords or store them in plain text  Share passwords over phone or email 36
U S E R R E S P O N S I B I L I T I E S Warning: Internet usage is routinely logged and monitored. Be careful which websites you visit and what you disclose.  Avoid websites that would be classed as obscene, racist, offensive or illegal – anything that would be embarrassing  Do not access online auction or shopping sites, except where authorized by your manager  Don’t hack!  Do not download or upload commercial software or other copyrighted material without the correct license and permission from your manager  Use the corporate Internet facilities only for legitimate and authorized business purposes Internet usage 37
U S E R R E S P O N S I B I L I T I E S E-mail usage  Do not use your corporate email address for personal email  Do not circulate chain letters, hoaxes, inappropriate jokes, videos etc.  Do not send emails outside the organization unless you are authorized to do so  Be very wary of email attachments and links, especially in unsolicited emails (most are virus-infected) 38  Use corporate email for business purposes only  Follow the email storage guidelines  If you receive spam email, simply delete it. If it is offensive or you receive a lot, call the IT Help/Service Desk
U S E R R E S P O N S I B I L I T I E S Security incidents 39  Report information security incidents, concerns and near-misses to IT Help/Service Desk:  Email …  Telephone …  Anonymous drop-boxes …  Take their advice on what to do  Do not discuss security incidents with anyone outside the organization  Do not attempt to interfere with, obstruct or prevent anyone else from reporting incidents
R e s p o n s i b i l i t i e s  Ensure your PC is getting antivirus updates and patches  Lock your keyboard (Windows-L) before leaving your PC unattended, and log-off at the end of the day  Store laptops and valuable information (paperwork as well as CDs, USB sticks etc.) securely under lock and key  Keep your wits about you while traveling:  Keep your voice down on the cellphone  Be discreet about your IT equipment  Take regular information back ups  Fulfill your security obligations:  Comply with security and privacy laws, copyright and licenses, NDA (Non Disclosure Agreements) and contracts  Comply with corporate policies and procedures  Stay up to date on information security:  Visit the intranet Security Zone when you have a moment 40
41

More Related Content

PPTX
ISO27k Awareness presentation v2.pptx
byNapoleon NV
 
PDF
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
byIGN MANTRA
 
PDF
Chapter 12 iso 27001 awareness
bynewbie2019
 
PPTX
ISO 27001 2022 REQUIREMENTS EXPLAINED 4.pptx
byJustinNickaf3
 
PDF
1678784047-mid_sem-2.pdf
byRimurutempest594985
 
PPTX
Information security
byavinashbalakrishnan2
 
PPTX
INFORMATION SECURITY
byAhmed Moussa
 
PPTX
Presentation1 110616195133-phpapp01(information security)
byBonagiri Rajitha
 
ISO27k Awareness presentation v2.pptx
byNapoleon NV
 
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
byIGN MANTRA
 
Chapter 12 iso 27001 awareness
bynewbie2019
 
ISO 27001 2022 REQUIREMENTS EXPLAINED 4.pptx
byJustinNickaf3
 
1678784047-mid_sem-2.pdf
byRimurutempest594985
 
Information security
byavinashbalakrishnan2
 
INFORMATION SECURITY
byAhmed Moussa
 
Presentation1 110616195133-phpapp01(information security)
byBonagiri Rajitha
 

Similar to ISO27k Awareness presentation.pptx

PPTX
Information Security Management System ISO/IEC 27001:2005
byControlCase
 
PPTX
ISMS User_Awareness Training.pptx
byMukesh Pant
 
PPTX
ISMS End-User Training Presentation.pptx
bycomstarndt
 
PPTX
Dancyrityshy 1foundatioieh
byAnne Starr
 
PDF
ISO 27001
byn|u - The Open Security Community
 
PPT
chapter 1. Introduction to Information Security
byelmuhammadmuhammad
 
PPTX
Security Foundation and Incident Mgmt and BCMS.pptx
byMohsenMojabi1
 
PDF
Chapter 7 Managing Secure System.pdf
byAbuHanifah59
 
PPT
Information Security
bychenpingling
 
PPTX
Information Security introduction and management.pptx
bydaudevarist18
 
PPTX
Chapter 1_Overview hhhhhhhhhhhhhhhhhhhhhhhhhh
byASKMEDIA
 
PPTX
c plus plus ssssssssssssssssssssssssssss
byASKMEDIA
 
PPTX
Information Security and Privacy-Unit-1.pptx
byNiharikaDubey17
 
PPTX
Information Security Induction Training.pptx
byCelDeleon1
 
PPTX
ke-1.pptx
byAhmadNaswin
 
PPTX
ke-1.pptx454545454545550515545456486498498498
byAhmadNaswin
 
PPT
Intro to Information Security.ppt
byAnuraagAwasthi3
 
PPTX
ke-1 - Copy cat massunu rahing.pptxdfdff
byAhmadNaswin
 
PPTX
17 info sec_ma_imt_27_2_2012
byRECIPA
 
PPT
MIS chap # 9.....
bySyed Muhammad Zeejah Hashmi
 
Information Security Management System ISO/IEC 27001:2005
byControlCase
 
ISMS User_Awareness Training.pptx
byMukesh Pant
 
ISMS End-User Training Presentation.pptx
bycomstarndt
 
Dancyrityshy 1foundatioieh
byAnne Starr
 
ISO 27001
byn|u - The Open Security Community
 
chapter 1. Introduction to Information Security
byelmuhammadmuhammad
 
Security Foundation and Incident Mgmt and BCMS.pptx
byMohsenMojabi1
 
Chapter 7 Managing Secure System.pdf
byAbuHanifah59
 
Information Security
bychenpingling
 
Information Security introduction and management.pptx
bydaudevarist18
 
Chapter 1_Overview hhhhhhhhhhhhhhhhhhhhhhhhhh
byASKMEDIA
 
c plus plus ssssssssssssssssssssssssssss
byASKMEDIA
 
Information Security and Privacy-Unit-1.pptx
byNiharikaDubey17
 
Information Security Induction Training.pptx
byCelDeleon1
 
ke-1.pptx
byAhmadNaswin
 
ke-1.pptx454545454545550515545456486498498498
byAhmadNaswin
 
Intro to Information Security.ppt
byAnuraagAwasthi3
 
ke-1 - Copy cat massunu rahing.pptxdfdff
byAhmadNaswin
 
17 info sec_ma_imt_27_2_2012
byRECIPA
 
MIS chap # 9.....
bySyed Muhammad Zeejah Hashmi
 

More from harigopala

PDF
Technical recruiter
byharigopala
 
PDF
Technical recruiter
byharigopala
 
PPTX
Electrical_PPT_v-03-01-17.pptx
byharigopala
 
PPT
Email etiquette
byharigopala
 
DOCX
Cordless telephone
byharigopala
 
PPT
Fire_Extinguisher.ppt
byharigopala
 
PPT
email_etiquette[1].ppt
byharigopala
 
Technical recruiter
byharigopala
 
Technical recruiter
byharigopala
 
Electrical_PPT_v-03-01-17.pptx
byharigopala
 
Email etiquette
byharigopala
 
Cordless telephone
byharigopala
 
Fire_Extinguisher.ppt
byharigopala
 
email_etiquette[1].ppt
byharigopala
 

Recently uploaded

PDF
IT Solutions for Startups & Small to Mid-Sized Businesses
byDevout Tech Consultants
 
PDF
Best 12 Ways to Buy Verified Chime Bank Accounts in 2025.pdf
by4b6fi2jol3skajahxend
 
PDF
Easy Ways to Buy Old Gmail Accounts Smartly Start in 2026.pdf
byUSAALLHUB Digital Marketer in 2026
 
PDF
Top 7 Place to Buy Verified MoonPay Accounts.pdf
by2h6w4ottve01a8x2u23v
 
PPTX
LESSON BUSINESS MODEL business mode.pptx
byeraldacompagnonsdude
 
PDF
How To Buy, Verified Wise Account in 2026 .pdf
bymdlaltukhan929
 
PDF
How to open a checking and savings bank account with ....pdf
by4b6fi2jol3skajahxend
 
PDF
Online 24 Best Consider To Buy LinkedIn Account Services .pdf
byGoogle Business Site is usaallhub
 
PDF
FINANCIAL LITERACY Practices | Excellence Foundation for South Sudan
byExcellence Foundation for South Sudan
 
DOCX
How To Buy Verified Payoneer Accounts In 2026 Top 1 ....docx
by390625rkl2ieyrgvftta
 
PDF
Trusted Platforms For Buying Verified OnlyFans Accounts in 2026.pdf
bysy33nn1pvm0ykdle9x4r
 
PDF
5 sites To Buy Instagram Accounts Safely_ 2025 Guide..pdf
bysy33nn1pvm0ykdle9x4r
 
PDF
5 Easiest Ways to Buy Snapchat Accounts in the US.pdf
byGoogle Business Site is usaallhub
 
PDF
Buy TikTok Seller Account in usa 2026.pdf
bysy33nn1pvm0ykdle9x4r
 
PDF
Dimi Design Intelligence Parts V and VI.pdf
byBrij Consulting, LLC
 
PDF
2026 Food Procurement Roadmap: Resilience, Transparency & TCO Optimization | ...
byflamingohk1998
 
PDF
Dimi Design Intelligence Addendum, All Parts.pdf
byBrij Consulting, LLC
 
PDF
Comments on Dimi Design Intelligence Addendum, All Parts.pdf
byBrij Consulting, LLC
 
PDF
Avocado Farming and Exporting Project Proposal (Investment Proposal) in Teppi...
byReyan Business Consultancy
 
PDF
Pension Schemes Bill.pdf Have you forgotten me
byHenry Tapper
 
IT Solutions for Startups & Small to Mid-Sized Businesses
byDevout Tech Consultants
 
Best 12 Ways to Buy Verified Chime Bank Accounts in 2025.pdf
by4b6fi2jol3skajahxend
 
Easy Ways to Buy Old Gmail Accounts Smartly Start in 2026.pdf
byUSAALLHUB Digital Marketer in 2026
 
Top 7 Place to Buy Verified MoonPay Accounts.pdf
by2h6w4ottve01a8x2u23v
 
LESSON BUSINESS MODEL business mode.pptx
byeraldacompagnonsdude
 
How To Buy, Verified Wise Account in 2026 .pdf
bymdlaltukhan929
 
How to open a checking and savings bank account with ....pdf
by4b6fi2jol3skajahxend
 
Online 24 Best Consider To Buy LinkedIn Account Services .pdf
byGoogle Business Site is usaallhub
 
FINANCIAL LITERACY Practices | Excellence Foundation for South Sudan
byExcellence Foundation for South Sudan
 
How To Buy Verified Payoneer Accounts In 2026 Top 1 ....docx
by390625rkl2ieyrgvftta
 
Trusted Platforms For Buying Verified OnlyFans Accounts in 2026.pdf
bysy33nn1pvm0ykdle9x4r
 
5 sites To Buy Instagram Accounts Safely_ 2025 Guide..pdf
bysy33nn1pvm0ykdle9x4r
 
5 Easiest Ways to Buy Snapchat Accounts in the US.pdf
byGoogle Business Site is usaallhub
 
Buy TikTok Seller Account in usa 2026.pdf
bysy33nn1pvm0ykdle9x4r
 
Dimi Design Intelligence Parts V and VI.pdf
byBrij Consulting, LLC
 
2026 Food Procurement Roadmap: Resilience, Transparency & TCO Optimization | ...
byflamingohk1998
 
Dimi Design Intelligence Addendum, All Parts.pdf
byBrij Consulting, LLC
 
Comments on Dimi Design Intelligence Addendum, All Parts.pdf
byBrij Consulting, LLC
 
Avocado Farming and Exporting Project Proposal (Investment Proposal) in Teppi...
byReyan Business Consultancy
 
Pension Schemes Bill.pdf Have you forgotten me
byHenry Tapper
 

ISO27k Awareness presentation.pptx

  • 1.
    Security awareness seminar Anintroduction to ISO27k I n f o r m a t i o n s e c u r i t y This work is copyright © 2012, Mohan Kamat and ISO27k Forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that: (a) it is not sold or incorporated into a commercial product; (b) it is properly attributed to the ISO27k Forum (www.ISO27001security.com); and (c) any derivative works that are shared are subject to the same terms as this work.
  • 2.
     What isinformation?  What is information security?  What is risk?  Introduction to the ISO standards  Managing information security  Your security responsibilities A g e n d a 2
  • 3.
    Information is anasset which, like other important business assets, has value to an organization and consequently needs to be suitably protected I N F O R M A T I O N 3 ISO/IEC 27002:2005
  • 4.
    I n f o r m a t i o n t y p e s Information exists inmany forms:  Printed or written on paper  Stored electronically  Transmitted by post or electronic means  Visual e.g. videos, diagrams  Published on the Web  Verbal/aural e.g. conversations, phone calls  Intangible e.g. knowledge, experience, expertise, ideas ‘Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected’ (ISO/IEC 27002:2005) 4
  • 5.
    I n f o l i f e c y c l e Information can be…  Created  Owned (it is an asset)  Stored  Processed  Transmitted/communicated  Used (for proper or improper purposes)  Modified or corrupted  Shared or disclosed (whether appropriately or not)  Destroyed or lost  Stolen  Controlled, secured and protected throughout its existence 5
  • 6.
    K e y t e r m What is informationsecurity?  Information security is what keeps valuable information ‘free of danger’ (protected, safe from harm)  It is not something you buy, it is something you do o It’s a process not a product  It is achieved using a combination of suitable strategies and approaches: o Determining the risks to information and treating them accordingly (proactive risk management) o Protecting CIA (Confidentiality, Integrity and Availability) o Avoiding, preventing, detecting and recovering from incidents o Securing people, processes and technology … not just IT! 6
  • 7.
  • 8.
    P e o p l e People People who useor have an interest in our information security include:  Shareholders / owners  Management & staff  Customers / clients, suppliers & business partners  Service providers, contractors, consultants & advisors  Authorities, regulators & judges Our biggest threats arise from people (social engineers, unethical competitors, hackers, fraudsters, careless workers, bugs, flaws …), yet our biggest asset is our people (e.g. security-aware employees who spot trouble early) 8
  • 9.
    Processes Processes are workpractices or workflows, the steps or activities needed to accomplish business objectives. • Processes are described in procedures. • Virtually all business processes involve and/or depend on information making information a critical business asset. Information security policies and procedures define how we secure information appropriately and repeatedly. P r o c e s s e s 9
  • 10.
    Technology Information technologies  Cabling,data/voice networks and equipment  Telecommunications services (PABX, VoIP, ISDN, videoconferencing)  Phones, cellphones, PDAs  Computer servers, desktops and associated data storage devices (disks, tapes)  Operating system and application software  Paperwork, files  Pens, ink Security technologies  Locks, barriers, card-access systems, CCTV T e c h n o l o g y 10
  • 11.
    • Protects informationagainst various threats • Ensures business continuity • Minimizes financial losses and other impacts • Optimizes return on investments • Creates opportunities to do business safely • Maintains privacy and compliance V a l u e We all depend on information security 11 Information security is valuable because it …
  • 12.
    Information security isdefined as the preservation of: Confidentiality Making information accessible only to those authorized to use it Integrity Safeguarding the accuracy and completeness of information and processing methods Availability Ensuring that information is available when required C I A 12
  • 13.
    • IT downtime,business interruption • Financial losses and costs • Devaluation of intellectual property • Breaking laws and regulations, leading to prosecutions, fines and penalties • Reputation and brand damage leading to loss of customer, market, business partner or owners’ confidence and lost business • Fear, uncertainty and doubt Security incidents cause … 13 I m p a c t s
  • 14.
    K e y t e r m What is risk? Riskis the possibility that a threat exploits a vulnerability in an information asset, leading to an adverse impact on the organization Threat: something that might cause harm Vulnerability: a weakness that might be exploited Impact: financial damage etc. 14
  • 15.
  • 16.
    T h r e a t a g e n t Threat agent The actorthat represents, carries out or catalyzes the threat • Human • Machine • Nature 16
  • 17.
    Motive Something that causesthe threat agent to act • Implies intentional/deliberate attacks but some are accidental M o t i v e 17
  • 18.
    Threat type Example Humanerror Typo, wrong attachment/email address, lost laptop or phone Intellectual property Piracy, industrial espionage Deliberate act Unauthorized access/trespass, data theft, extortion, blackmail, sabotage, vandalism, terrorist/activist/criminal activity Fraud Identity theft, expenses fraud System/network attack Viruses, worms, Trojans, hacks Service issue Power cuts, network outages Force of nature Fire, flood, storm, earthquake, lightning, tsunami, volcanic eruption Hardware issue Computer power supply failure, lack of capacity Software issue Bugs or design flaws, data corruption Obsolescence iPhone 4? 18 T h r e a t t y p e s
  • 19.
    So how dowe secure our information assets? 19
  • 20.
    1990’s • Information SecurityManagement Code of Practice produced by a UK government-sponsored working group • Based on the security policy used by Shell • Became British Standard BS7799 2000’s • Adopted by ISO/IEC • Became ISO/IEC 17799 (later renumbered ISO/IEC 27002) • ISO/IEC 27001 published & certification scheme started Now • Expanding into a suite of information security standards (known as “ISO27k”) • Updated and reissued every few years I S O 2 7 k A brief history of ISO27k 20
  • 21.
    • Concerns themanagement of information security, not just IT/technical security • Formally specifies a management system • Uses Plan, Do, Check, Act (PDCA) to achieve, maintain and improve alignment of security with risks • Covers all types of organizations (e.g. commercial companies, government agencies, not-for-profit organizations) and all sizes • Thousands of organizations worldwide have been certified compliant ISO 27001 I S O 2 7 0 0 1 21
  • 22.
    Interested parties Information security requirements & expectations PLAN Establish ISMS CHECK Monitor & reviewISMS ACT Maintain & improve Management responsibility ISMS PROCESS Plan-Do-Check-Act Interested parties Managed information security DO Implement & operate the ISMS P D C A 22
  • 23.
    Information Security Policy Organisation of Information Security Asset Management Human Resource Security Physical Security Communication &Operations Management Access Control System Development & Maintenance Incident Management Business Continuity Planning Compliance Availability C O N T R O L C L A U S E S 23
  • 24.
    • Information securitypolicy - management direction • Organization of information security - management framework for implementation • Asset management – assessment, classification and protection of valuable information assets • HR security – security for joiners, movers and leavers • Physical & environmental security - prevents unauthorised access, theft, compromise, damage to information and computing facilities, power cuts C O N T R O L C L A U S E S 24
  • 25.
    • Communications &operations management - ensures the correct and secure operation of IT • Access control – restrict unauthorized access to information assets • Information systems acquisition, development & maintenance – build security into systems • Information security incident management – deal sensibly with security incidents that arise • Business continuity management – maintain essential business processes and restore any that fail • Compliance - avoid breaching laws, regulations, policies and other security obligations C O N T R O L C L A U S E S 25
  • 26.
    PLAN Establish ISMS CHECK Monitor & Review ISMS ACT Maintain& Improve DO Implement & Operate the ISMS IS POLICY SECURITY ORGANISATION ASSET IDENTIFICATION & CLASSIFICATION CONTROL SELECTION & IMPLEMENTATION OPERATIONALIZ E THE PROCESES MANAGEMENT REVIEW CORRECTIVE & PREVENTIVE ACTIONS CHECK PROCESSES I M P L E M E N T A T I O N P R O C E S S C Y C L E 26
  • 27.
    B e n e f i t s • Demonstrable commitmentto security by the organization • Legal and regulatory compliance • Better risk management • Commercial credibility, confidence, and assurance • Reduced costs • Clear employee direction and improved awareness 27
  • 28.
    S c o p e ISMS scope • Datacenter & DR site • All information assets throughout the organization 28
  • 29.
    Key ISMS documents K e y d o c u m e n t s •High level corporate security policy • Supporting policies e.g. physical & environmental, email, HR, incident management, compliance etc. • Standards e.g. Windows Security Standard • Procedures and guidelines • Records e.g. security logs, security review reports, corrective actions 29
  • 30.
    Information security vision V I S I O N & M I S S I O N Vision Theorganization is acknowledged as an industry leader for information security. Mission To design, implement, operate, manage and maintain an Information Security Management System that complies with international standards, incorporating generally-accepted good security practices 30
  • 31.
    Who is responsible? W h o •Information Security Management Committee • Information Security Manager/CISO and Department • Incident Response Team • Business Continuity Team • IT, Legal/Compliance, HR, Risk and other departments • Audit Committee • Last but not least, you! Bottom line: 31 Information security is everyone’s responsibility
  • 32.
    P o l i c y Corporate Information SecurityPolicy Policy is signed by the CEO and mandated by top management Find it on the intranet 32
  • 33.
    I N F O A S S E T C L A S S I F I C A T I O N CONFIDENTIAL: If this informationis leaked outside the organization, it will result in major financial and/or image loss. Compromise of this information may result in serious non-compliance (e.g. a privacy breach). Access to this information must be restricted based on the concept of need-to-know. Disclosure requires the information owner’s approval. In case information needs to be disclosed to third parties, a signed confidentiality agreement is required. Examples: customer contracts, pricing rates, trade secrets, personal information, new product development plans, budgets, financial reports (prior to publication), passwords, encryption keys. INTERNAL USE ONLY: Leakage or disclosure of this information outside the organization is unlikely to cause serious harm but may result in some financial loss and/or embarrassment. Examples: circulars, policies, training materials, general company emails, security policies and procedures, corporate intranet. PUBLIC: This information can be freely disclosed to anyone although publication must usually be explicitly approved by Corporate Communications or Marketing. Examples: marketing brochures, press releases, website. 33 Information Asset Classification
  • 34.
    Confidentiality Confidentiality level Explanation High Information whichis very sensitive or private, of great value to the organization and intended for specific individuals only. The unauthorized disclosure of such information can cause severe harm such as legal or financial liabilities, competitive disadvantage, loss of brand value e.g. merger and acquisition related information, marketing strategy Medium Information belonging to the company and not for disclosure to public or external parties. The unauthorized disclosure of this information may harm to the organization somewhat e.g. organization charts, internal contact lists. Low Non-sensitive information available for public disclosure. The impact of unauthorized disclosure of such information shall not harm Organisation anyway. E.g. Press releases, Company’s News letters e.g. Information published on company’s website Confidentiality of information concerns the protection of sensitive (and often highly valuable) information from unauthorized or inappropriate disclosure. C l a s s i f i c a t i o n 2/14/ 34 Mohan Kamat
  • 35.
    U S E R R E S P O N S I B I L I T I E S Physical security • Readand follow security policies and procedures • Display identity cards while on the premises • Challenge or report anyone without an ID card • Visit the intranet Security Zone or call IT Help/Service Desk for advice on most information security matters • Allow unauthorized visitors onto the premises • Bring weapons, hazardous/combustible materials, recording devices etc., especially in secure areas • Use personal IT devices for work purposes, unless explicitly authorized by management 35 Do not Do
  • 36.
    U S E R R E S P O N S I B I L I T I E S Password Guidelines  Uselong, complicated passphrases - whole sentences if you can  Reserve your strongest passphrases for high security systems (don’t re-use the same passphrase everywhere)  Use famous quotes, lines from your favorite songs, poems etc. to make them memorable  Use short or easily-guessed passwords  Write down passwords or store them in plain text  Share passwords over phone or email 36
  • 37.
    U S E R R E S P O N S I B I L I T I E S Warning: Internet usageis routinely logged and monitored. Be careful which websites you visit and what you disclose.  Avoid websites that would be classed as obscene, racist, offensive or illegal – anything that would be embarrassing  Do not access online auction or shopping sites, except where authorized by your manager  Don’t hack!  Do not download or upload commercial software or other copyrighted material without the correct license and permission from your manager  Use the corporate Internet facilities only for legitimate and authorized business purposes Internet usage 37
  • 38.
    U S E R R E S P O N S I B I L I T I E S E-mail usage  Donot use your corporate email address for personal email  Do not circulate chain letters, hoaxes, inappropriate jokes, videos etc.  Do not send emails outside the organization unless you are authorized to do so  Be very wary of email attachments and links, especially in unsolicited emails (most are virus-infected) 38  Use corporate email for business purposes only  Follow the email storage guidelines  If you receive spam email, simply delete it. If it is offensive or you receive a lot, call the IT Help/Service Desk
  • 39.
    U S E R R E S P O N S I B I L I T I E S Security incidents 39  Reportinformation security incidents, concerns and near-misses to IT Help/Service Desk:  Email …  Telephone …  Anonymous drop-boxes …  Take their advice on what to do  Do not discuss security incidents with anyone outside the organization  Do not attempt to interfere with, obstruct or prevent anyone else from reporting incidents
  • 40.
    R e s p o n s i b i l i t i e s  Ensure yourPC is getting antivirus updates and patches  Lock your keyboard (Windows-L) before leaving your PC unattended, and log-off at the end of the day  Store laptops and valuable information (paperwork as well as CDs, USB sticks etc.) securely under lock and key  Keep your wits about you while traveling:  Keep your voice down on the cellphone  Be discreet about your IT equipment  Take regular information back ups  Fulfill your security obligations:  Comply with security and privacy laws, copyright and licenses, NDA (Non Disclosure Agreements) and contracts  Comply with corporate policies and procedures  Stay up to date on information security:  Visit the intranet Security Zone when you have a moment 40
  • 41.