ADDRESSING CORPORATE CONCERNS

Presented By:

Ajai K. Srivastava
G.M. Marketing
BSI India

Speaker notes:
  • Introduction slide. Presentation will cover: WHY you need an Information Security System; WHAT the 7799 series gives you; HOW BSI can further assist you.
  • Some of the businesses that did better in the wake of the WTC disaster were able to re-host their business operations almost immediately using Business Continuance solutions. These solutions automatically relocated their data center operations in the minutes immediately following the loss of the data centers. This minimized the impact of the failure for businesses that had implemented these solutions, allowing them to quickly return to normal operations, and then to take the time they needed to re-establish and recover their original data centers while the businesses continued to operate. These types of solutions can take advantage of redundant infrastructure that a business may have available at other sites and locations or at partner sites. Many businesses had also outsourced this service to service providers including IBM, Comdisco, and Sunguard.
  • Intended for use as a reference document. Provides a comprehensive set of security controls: the best information security practices in use. It comprises 10 control sections.
  • Remember: only the first document is ISO, and it is at least three years before the second document becomes ISO. 7 countries voted against ISO, but majority rule carried the document through (USA, Canada, France, Germany).
  • It is necessary for the management system to be effective in the organization. If the company has taken a standard off-the-shelf package, it is not a good start, and this would be quite easily identified by the auditor. The question is then whether the company is serious about the subject matter, or is just paying lip service to information security.

    1. ADDRESSING CORPORATE CONCERNS ON INFORMATION SECURITY MANAGEMENT WITH ISO 17799 / BS 7799. Ajai K. Srivastava, G.M. Marketing, BSI India
    2. Presentation Outline
       • The Global Information Village
       • The Need for Protection
       • BS 7799 – An Overview
       • Implementing an ISMS based on BS 7799
       • Benefits of using BS 7799
    3. 1. THE GLOBAL INFORMATION VILLAGE
    4. The Global Information Village
    5. The Paradigm Shift in the Nature of Information
       • INDUSTRIAL ECONOMY – INFORMATION AS NOUN: static, e.g. memo, financial report, etc. Automation: an idiot savant, assisting in managing repetitive discrete steps.
       • INFORMATION ECONOMY – INFORMATION AS VERB: Dertouzos' "Information Work", e.g. designing a building. Dominates the terrain: 50 to 60% of an industrialised country's GNP.
    6. THE DIGITAL NERVOUS SYSTEM (diagram: Strategic Thinking, Business Reflexes, Basic Operations, Customer Interaction – "Business @ the Speed of Thought")
    7. INFORMATION FLOW IS THE LIFEBLOOD OF YOUR BUSINESS
    8. IMAGE
       • Information tends to be the most undervalued asset a business has.
       • Information can directly affect the most valuable asset a business has.
    9. "Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected." – ISO/IEC 17799:2000
    10. 2. THE NEED FOR PROTECTION
    11. Information Security (diagram: INFORMATION within a TECHNOLOGY ENVIRONMENT, under ATTACK from all sides)
    12. Typical Technology Responses
    13. Information Security (diagram: a HUMAN FIREWALL of POLICIES, PROCESSES, STANDARDS and TRAINING placed around the TECHNOLOGY ENVIRONMENT and INFORMATION, under ATTACK)
    14. Information Security (diagram: the same HUMAN FIREWALL of POLICIES, PROCESSES, STANDARDS and TRAINING, with attacks multiplying)
    15. Information Security (diagram: MANAGEMENT added as the outermost layer around the HUMAN FIREWALL, TECHNOLOGY ENVIRONMENT and INFORMATION)
    16. Management System – Building Blocks (diagram: Inputs → Core Processes → Outputs, supported by Support Processes, Management and Resource; together the Total Business Management System)
    17. Business Management System: Quality, Environment, Health and Safety, Risk, Information Security, People, Improvement
    18. Business Management System – BSI IMS
       • Risk – BSI Risk Mgmt
       • H & S – OHSAS 18001
       • Improvement – ISO 9004
       • Customers – BS 8600
       • Info Sec – BS 7799
       • Environment – ISO 14001
       • Quality – ISO 9001:2000, QS-9000 / TS 16949, AS9000 / AS9100, TL9000
    19. Management Systems & Standards (chart: stakeholders involved vs. aspects covered, both increasing)
       • ISO 9001 Quality Management
       • ISO 14001 Environmental Management
       • OHSAS 18001 Health and Safety Management
       • ISO 17799 Information Security Management
       • ISO 9004 Performance Improvement – All Interested Parties
    20. Managing your Risks
    21. Information Security Assurance – 3 different layers
       • PRODUCT LEVEL ASSURANCE – e.g. firewall: the product is fit for its purpose
       • PROCESS LEVEL ASSURANCE – e.g. credit card transactions: robust processes to protect interested parties
       • MANAGEMENT SYSTEM LEVEL ASSURANCE – e.g. ISMS: systemic, proactive responses aligned to business objectives to protect ALL stakeholders: management, employees, customers, suppliers, users, regulators, etc.
    22. The Virtuous MS Spiral: Commitment and Policy → Planning → Implementation and Operation → Checking and Corrective Action → Management Review → Continual Improvement
    23. ISMS – Your Competitive Edge. Information Security Management must be viewed as a strategic dimension of your business. Managing risks to information assets to:
       • Protect brand
       • Retain customers, and
       • Enhance market capitalization
    24. The First Global Information Security Survey – KPMG 2002. Critical security concerns:
       • Viruses – 22%
       • Hackers – 21%
       • R.A. controls – 17%
       • Internet security – 17%
       • Data privacy – 10%
    25. What is the damage? (The First Global Information Security Survey – KPMG 2002.) QUANTIFIABLE: the average direct loss of all breaches suffered by each organization is USD 108,000 (GBP 30,000; INR 500,000).
    26. What is the damage? INCALCULABLE: the loss of
       • Productivity
       • Recovery costs
       • Customers
       • Market capitalisation
       • Shareholder value
       • Credibility
    27. Common Myths About Information Security
       • Myth 1: Information Security is the concern and responsibility of the MIS/IT manager
       • Myth 2: Security threats from outsiders are the greatest source of risks
       • Myth 3: Information Security is assured by safeguarding networks and the IT infrastructure
       • Myth 4: Managing people issues is not as important
       • Myth 5: Adopting the latest technological solutions will increase security
    28. 3. BS 7799 – AN OVERVIEW
    29. What is Information Security? ISO/IEC 17799:2000 defines this as the preservation of:
       • Confidentiality – ensuring that information is accessible only to those authorized to have access
       • Integrity – safeguarding the accuracy and completeness of information and processing methods
       • Availability – ensuring that authorized users have access to information and associated assets when required
    30. ISO/IEC 17799?
       What it is:
       • An internationally recognized structured methodology dedicated to information security
       • A defined process to evaluate, implement, maintain, and manage information security
       • A comprehensive set of controls comprised of best practices in information security
       • Developed by industry for industry
       What it is not:
       • A technical standard
       • Product or technology driven
       • An equipment evaluation methodology such as the Common Criteria / ISO 15408
       • Related to the "Generally Accepted System Security Principles", or GASSP
       • Related to the five-part "Guidelines for the Management of IT Security", or GMITS / ISO TR 13335
    31. What does it comprise?
       • ISO/IEC 17799:2000 – Code of Practice for Information Security
       • BS 7799-2:2002 – Specification for information security management systems
    32. BS 7799-2:2002 (Plan–Do–Check–Act cycle)
       Plan:
       • Define ISMS scope and policy
       • Define a systematic approach to risk assessment
       • Identify the risk
       • Apply the systematic approach for assessing the risk
       • Identify and evaluate options for the treatment of risk
       • Select control objectives and controls for the treatment of risks
       Do:
       • Implement a specific management program
       • Implement controls that have been selected
       • Manage operations
       • Manage resources
       • Implement procedures and other control processes
       Check:
       • Execute procedures and other controls
       • Undertake regular reviews of the effectiveness of the ISMS
       • Review the level of residual risk and acceptable risk
       • Execute the management procedure
       • Record and report all actions and events
       Act:
       • Measure performance of the ISMS
       • Identify improvements in the ISMS and effectively implement them
       • Take appropriate corrective and preventive action
       • Communicate the results and actions and consult with all parties involved
       • Revise the ISMS where necessary
       • Ensure that the revisions achieve their intended objectives
    33. BS 7799 – 10 Domains of the Information Management System (diagram: INFORMATION – staff records, client records, financial records – at the centre, surrounded by the domains): Information Security Policy, Security Organisation, Asset Classification & Controls, Personnel Security, Physical Security, Communications Management, Access Controls, System Development, Continuity Planning, Compliance
    34. 4. IMPLEMENTING AN ISMS BASED ON BS 7799
    35. BS 7799 Registrations Around the Globe
    36. BS 7799 Registrations in India
    37. Building a Management System (diagram: INPUT – client, business awareness → Develop Management System / Build Process – BSI consultant and client → Measure/Analyse Progress → OUTPUT – BSI certification, business improvement)
    38. Initiating BS 7799 Implementation
       • Step 1: ISMS – Defining Policy & Organization Structure
       • Step 2: ISMS – Defining the Scope
       • Step 3: ISMS – Risk Assessment
       • Step 4: ISMS – Risk Management
       • Step 5: ISMS – Choosing Controls
       • Step 6: ISMS – Statement of Applicability
    39. Risk Assessment and Risk Management Process
    40. BS 7799 Implementation (Plan–Do–Check–Act cycle): Security Organisation, Classify Assets, Information Security Policy, Apply the Controls, Operationalise Process, Check Process, Corrective Action, Management Review
    41. ISMS Documentation (four-level pyramid)
       • Level 1 – Security Manual: policy, scope, risk assessment, statement of applicability; management framework policies relating to BS 7799-2
       • Level 2 – Procedures: describe processes – who, what, when, where
       • Level 3 – Work instructions, checklists, forms, etc.: describe how tasks and specific activities are done
       • Level 4 – Records: provide objective evidence of compliance to ISMS requirements
    42. Critical Success Factors
       • Security policy that reflects business objectives
       • Implementation approach that is consistent with company culture
       • Visible support and commitment from management
       • Good understanding of security requirements, risk assessment and risk management
       • Effective marketing of security to all managers and employees
       • Providing appropriate training and education
       • A comprehensive and balanced system of measurement which is used to evaluate performance in information security management and feed back suggestions for improvement
    43. 5. BENEFITS OF BS 7799
    44. Benefits of BS 7799 certification
       • Opportunity to identify and fix weaknesses
       • Senior management take ownership of Information Security
       • Provides confidence to trading partners and customers
       • Independent review of your Information Security Management System
    45. Key Challenges facing executives
       • Enterprises must manage threats to information security across many fields, while attackers can choose to specialize in narrow fields of competency
       • Fractured corporate response to such focused attacks
       • To think precisely about the concept of threat in the security context of the organization
       • Executives must develop non-traditional competencies in strategic risk management
       • Executives must manage ENTERPRISE SECURITY PROACTIVELY
    46. Further Information – Email: ajai.srivastava@bsiindia.com; Tel: +11 2371 9002/3; Fax: +11 2373 9003
