11 Domains

Transcript of 11 Domains

Page 1: 11 Domains

Version Control

Version No. | Date | Type of Changes | Owner/Author | Date of Review/Expiry

The information contained in this document is not to be used for any purpose other than the purposes for which this document is furnished by GENPACT, nor is this document (in whole or in part) to be reproduced or furnished to third parties or made public without the prior express written permission of GENPACT.

[Document Title]

NOTICE

Classification: Genpact Internal

Page 2: 11 Domains

ISMS


Page 3: 11 Domains

INTRODUCTION

ISMS – INFORMATION SECURITY MANAGEMENT SYSTEM

BS 7799-2:2002 – BRITISH STANDARD (PREV-1999) VERSION 2, YEAR 2002

ISO/IEC 27001 – Issued in Dec-2005
REQUIREMENTS – Used as basis for certification

ISO/IEC 17799:2005 – CODE OF PRACTICE, VERSION 2, YEAR 2005;
27002:2008 – RECOMMENDATIONS – Provides best practice guidance; Not for Certification

Page 4: 11 Domains

INFORMATION / DATA

INFORMATION
• Recorded data, facts, knowledge
• Processed Data, an asset having value

DATA
• Basic facts, figures, statistics, details
• Known facts used for inference or reckoning

Page 5: 11 Domains

INFORMATION

Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.

• Data stored in computers
• Transmitted across Networks
• Print-outs, FAX
• Written form
• Stored on Media – Disks, film etc
• Spoken in Conversations – Tele

Page 6: 11 Domains

SECURITY

Safety from danger, espionage, Invulnerability

Protection, safe-keeping

Security is a process of defining the parameters that are gauged by either Individuals or Organizations as risks, and the process of reducing or eliminating the same.

Page 7: 11 Domains

INFORMATION SECURITY

Is about protecting Information through selection of appropriate controls (measures)

• Protects info from a range of threats
• Ensures business continuity
• Minimizes financial loss
• Maximizes return on investments and business opportunities

Page 8: 11 Domains

INFORMATION SECURITY OBJECTIVES

Preservation of Confidentiality, Integrity and Availability (CIA) of Information

• Confidentiality: Ensuring information is accessible to only those authorized
• Integrity: Safeguarding the accuracy & completeness of Information & processing methods
• Availability: Ensuring that the authorized users have access to Information and associated assets when required

Page 9: 11 Domains

MANAGEMENT SYSTEM

(Diagram elements) STRUCTURE; PROCESSES; RESOURCES; PROCEDURES

ACHIEVEMENT OF ORGANISATION’S POLICIES AND OBJECTIVES

Page 10: 11 Domains

MANAGEMENT SYSTEMS

FINANCIAL; INFORMATION; HR; HEALTH & SAFETY; QUALITY; ENVIRONMENT

STRUCTURE; POLICY & PROCEDURES; PROCESS; RESOURCES

Provide assurance through discipline of Compliance

Page 11: 11 Domains

INFORMATION SECURITY MANAGEMENT SYSTEM

ISMS is that part of overall management system based on a business risk approach to:

PLAN – ESTABLISH
DO – IMPLEMENT & OPERATE
CHECK – MONITOR & REVIEW
ACT – MAINTAIN & IMPROVE

Page 12: 11 Domains

ISMS MECHANISM

ISMS ENABLES AN ORGANISATION TO ADOPT A PROACTIVE APPROACH THROUGH A MECHANISM OF

AWARENESS
PLANNING
TRAINING
ACTION
MEASUREMENT & REPORTING
REVIEW ON A CONTINUOUS BASIS

Page 13: 11 Domains

A WORD OF CAUTION!

WITH AN ISMS WE ARE NOT INTENDING TO MAKE THE SYSTEM ‘HACKER-PROOF’, BUT DEVISE A SYSTEM WHICH CAN, TO A LARGE EXTENT

• ANTICIPATE POTENTIAL PROBLEMS
• PRE-EMPT THROUGH PROACTIVE MEASURES
• PROTECT AGAINST CONSIDERABLE DAMAGE
• ENSURE RECOVERY AND RESTORATION

Page 14: 11 Domains

ISMS PROCESS (PDCA) MODEL

(Diagram) Input: Interested parties – Requirements & Expectations. Cycle: PLAN (ESTABLISH); DO (IMPLEMENT & OPERATE); CHECK (MONITOR & REVIEW); ACT (MAINTAIN & IMPROVE). Output: Managed Info Security – Interested parties.

Page 15: 11 Domains

Plan: Establish The ISMS

• Define ISMS Scope
• Define ISMS Policy
• Systematic approach to Risk Assessment
• Identify & Assess the Risks
• Identify & Evaluate options for Risk Treatment
• Select control objectives & controls
• Prepare Statement of Applicability

Page 16: 11 Domains

Do: Implement & Operate ISMS

• Formulate a risk treatment Plan
• Implement the Risk Treatment Plan
• Implement selected control objectives & controls
• Implement training & awareness Programmes
• Manage Operations
• Manage Resources

Page 17: 11 Domains

Check: Monitor & Review ISMS

• Execute the monitoring Procedures
• Undertake regular reviews of ISMS effectiveness
• Review the level of residual risk & acceptable risk
• Conduct internal ISMS audits at Planned intervals
• Regular management review of ISMS
• Record actions & events that have an impact on ISMS

Page 18: 11 Domains

Act: Maintain & Improve ISMS

• Implement identified improvements
• Take appropriate corrective & preventive actions
• Communicate results & actions and agree with all interested parties
• Ensure that the improvements achieve the intended objectives

Page 19: 11 Domains

ISO 27001: 2005 STRUCTURE

1. SCOPE
2. NORMATIVE REFS
3. TERMS & DEFINITIONS
4. ISMS
   4.1 GENERAL
   4.2 ESTABLISH & MANAGE ISMS
   4.3 DOCUMENT ISMS
   4.3.3 CONTROL OF RECORDS
5. MANAGEMENT RESPONSIBILITY
   5.1 MANAGEMENT COMMITMENT
   5.2 RESOURCE MANAGEMENT

Contd...

Page 20: 11 Domains

ISO 27001: 2005 STRUCTURE (Contd.)

6. MANAGEMENT REVIEW OF ISMS
   6.4 INTERNAL ISMS AUDITS
7. ISMS IMPROVEMENT
   7.1 CONTINUOUS IMPROVEMENT
   7.2 CORRECTIVE ACTION
   7.3 PREVENTIVE ACTION

ANNEXURES
A. CONTROL OBJECTIVES & CONTROLS (Normative)
B. GUIDANCE ON USE OF STANDARD (Informative)
C. CORRESPONDENCE BETWEEN OTHER STANDARDS
D. CHANGES TO INTERNAL NUMBERING (Informative)

Page 21: 11 Domains

ISO 27001: 2005 STRUCTURE

1. Scope
2. Normative References
3. Terms & Definitions
4. Information Security Management System
   4.1 General
   4.2 Establish and manage ISMS
   4.3 Document ISMS
   4.3.3 Control of Records
5. Management Responsibility
   5.1 Management Commitment
   5.2 Resource Management
6. Management Review Of the ISMS
   6.4 Internal ISMS Audits
7. ISMS Improvement
   7.1 Continual Improvement
   7.2 Corrective Actions
   7.3 Preventive Actions
Annexures – A, B, C & D

ISMS Standards and BS 7799 reqmts

Page 22: 11 Domains

CONTROL OBJECTIVES & CONTROLS

11 DOMAINS
39 CONTROL OBJECTIVES – SPECIFIES REQUIREMENTS
133 CONTROLS – SATISFIES OBJECTIVES

Page 23: 11 Domains

11 SECURITY DOMAINS OF ISO/IEC 27001:2005

A.5 SECURITY POLICY
A.6 ORGANIZATIONAL INFO SECURITY
A.7 ASSET MANAGEMENT
A.8 HR SECURITY
A.9 PHYSICAL & ENVIRONMENTAL SECURITY
A.10 COMMUNICATIONS & OPS MGMT
A.11 ACCESS CONTROL
A.12 INFO SYS ACQUISITION, DEV & MAINT
A.13 INFO SEC. INCIDENT MGMT
A.14 BUSINESS CONTINUITY
A.15 COMPLIANCE

Page 24: 11 Domains


A.5 SECURITY POLICY

• INFORMATION SECURITY POLICY DOCUMENT

• REVIEW & EVALUATION


Page 25: 11 Domains

A.6 ORGANIZATIONAL SECURITY

A.6.1 INFORMATION SECURITY INFRASTRUCTURE

• INFORMATION SECURITY FORUM
• INFORMATION SECURITY COORDINATION
• ALLOCATION OF RESPONSIBILITIES
• AUTHORIZATION PROCESS FOR IPF (INFO PROCESSING FACILITIES)
• SPECIALIST INFORMATION SECURITY ADVICE
• CO-OPERATION BETWEEN DEPARTMENTS
• INDEPENDENT REVIEW OF INFORMATION SECURITY

Page 26: 11 Domains

A.6 ORGANIZATIONAL SECURITY

A.6.2 SECURITY OF THIRD PARTY ACCESS
• IDENTIFICATION OF RISKS FROM THIRD PARTY ACCESS
• SECURITY REQUIREMENTS IN THIRD PARTY CONTRACTS

A.6.3 OUTSOURCING
• SECURITY REQUIREMENTS IN OUTSOURCING CONTRACTS

Page 27: 11 Domains

A.7 ASSET CLASSIFICATION & CONTROL

A.7.1 ACCOUNTABILITY OF ASSETS
> INVENTORY OF ASSETS

A.7.2 INFORMATION CLASSIFICATION
> CLASSIFICATION GUIDELINES
> INFORMATION LABELLING & HANDLING
  TOP SECRET / SECRET / CONFIDENTIAL / RESTRICTED / UNCLASSIFIED

Page 28: 11 Domains

A.8 HR SECURITY

A.8.1 SECURITY IN JOB DEFINITION & RESOURCING
• INCLUDING SECURITY IN JOB RESPONSIBILITIES
• PERSONNEL SCREENING AND POLICY
• NON-DISCLOSURE AGREEMENTS
• TERMS & CONDITIONS OF EMPLOYMENT

A.8.2 USER TRAINING
• INFORMATION SECURITY EDUCATION & TRAINING (PART OF INDUCTION MODULE)

Page 29: 11 Domains

A.9 PHYSICAL & ENVIRONMENTAL SECURITY

A.9.1 SECURE AREAS – PERIMETER, ENTRY/EXIT, LOCKING OFFICES, DELIVERY PT
A.9.2 EQUIPMENT SECURITY – PROTECTION, POWER, CABLING, MAINT, OFF-PREMISES, SECURE DISPOSAL
A.9.3 GENERAL CONTROLS – CLEAR DESK & SCREEN, REMOVAL OF PROPERTY

Page 30: 11 Domains

A.10 COMMUNICATIONS & OPERATIONS MGMT

A.10.1 OPERATIONAL PROCEDURES & RESPONSIBILITIES
A.10.2 SYSTEMS PLANNING & ACCEPTANCE
A.10.3 PROTECTION AGAINST MALICIOUS SOFTWARE
A.10.4 HOUSEKEEPING (INFO BACK-UP, LOGS)
A.10.5 NETWORK MANAGEMENT
A.10.6 MEDIA HANDLING & SECURITY – REMOVABLE MEDIA, DISPOSAL, INFO HANDLING ETC
A.10.7 EXCHANGE OF INFORMATION & SOFTWARE – MEDIA IN TRANSIT, E-MAIL, E-COMMERCE ETC

Page 31: 11 Domains

A.11 ACCESS CONTROL (Virtual)

A.11.1 BUSINESS REQUIREMENTS FOR ACCESS CONTROL
A.11.2 USER ACCESS MANAGEMENT
A.11.3 USER RESPONSIBILITIES
A.11.4 NETWORK ACCESS CONTROL
A.11.5 O/S SYSTEM ACCESS CONTROL
A.11.6 APPLICATION ACCESS CONTROL
A.11.7 MONITORING SYSTEM ACCESS & USE
A.11.10 MOBILE COMPUTING & TELEWORKING

Page 32: 11 Domains

A.12 SYSTEM DEVELOPMENT & MAINTENANCE

A.12.1 SECURITY REQUIREMENTS OF SYSTEMS
A.12.2 SECURITY IN APPLICATION SYSTEMS
A.12.3 CRYPTOGRAPHIC CONTROLS
A.12.4 SECURITY OF SYSTEM FILES
A.12.5 SECURITY IN DEVELOPMENT & SUPPORT PROCESSES

Page 33: 11 Domains

A.13 INFO SECURITY INCIDENT MANAGEMENT

A.13.1 REPORTING INFO SECURITY EVENTS & WEAKNESSES
A.13.2 MANAGEMENT OF INFO SECURITY INCIDENTS & IMPROVEMENTS

Page 34: 11 Domains


A.14 BUSINESS CONTINUITY MANAGEMENT

A.14.1 ASPECTS OF BUSINESS CONTINUITY MANAGEMENT

BUSINESS CONTINUITY MANAGEMENT PROCESS

BUSINESS CONTINUITY AND IMPACT ANALYSIS

FORMULATING AND IMPLEMENTING CONTINUITY PLANS

BUSINESS CONTINUITY PLANNING FRAMEWORK

TESTING, MAINTAINING & RE-ASSESSING BUSINESS CONTINUITY PLANS


Page 35: 11 Domains


A.15 COMPLIANCE

A.15.1 COMPLIANCE WITH LEGAL REQUIREMENTS

A.15.2 COMPLIANCE WITH SECURITY POLICIES & STANDARDS and TECHNICAL COMPLIANCE

A.15.3 INFO SYSTEM AUDIT CONSIDERATIONS


Page 36: 11 Domains

RISK ASSESSMENT & MANAGEMENT PROCESS

(Diagram elements) Asset ID & Valuation; Identify Threats; Identify Vulnerabilities; Evaluate Impacts; Business Risks; Rating/Ranking of Risks; Level of Acceptable Risk

Page 37: 11 Domains

Process For Developing an ISMS

(Diagram elements) Legal Requirements; Business Requirements; Security Requirements; Risk Assessment (Assets Identification & Valuation; Threats & Vulnerabilities Assessment); Selection of Controls (ISO 27001); Information Security Management System – Policy, Procedures & Controls

Page 38: 11 Domains

STEPS IN ISMS IMPLEMENTATION

(Diagram elements) ISMS SCOPE; Policy STMNT; BIA; BCP; RISK ANALYSIS; PPT; CONTROLS; Client’s, Legal, Statutory, Business Requirements

Page 39: 11 Domains

BENEFITS OF ISO 27001

• A SINGLE REFERENCE POINT FOR IDENTIFYING A RANGE OF CONTROLS NEEDED FOR MOST SITUATIONS WHERE INFORMATION SYSTEMS ARE USED
• FACILITATION OF TRADING IN TRUSTED ENVIRONMENT
• INTERNATIONALLY RECOGNIZED STRUCTURED METHODOLOGY
• WELL DEFINED PROCESS TO EVALUATE, IMPLEMENT, MAINTAIN AND MANAGE INFORMATION SECURITY
• A SET OF TAILORED POLICY, STANDARDS, PROCEDURES AND GUIDELINES
• THE STANDARD PROVIDES A YARDSTICK AGAINST WHICH SECURITY CAN BE JUDGED

Page 40: 11 Domains

CERTIFICATION ADVANTAGES

ISO 27001 COMPLIANT CERTIFICATE

COMPETITIVE EDGE
PUBLIC DEMONSTRATION
ENHANCED CORPORATE IMAGE
ACCOUNTABILITY / REASSURANCE
IMPROVEMENT PROCESS
ENSURES MANAGEMENT COMMITMENT
POSITIVE RESPONSE FROM POTENTIAL CLIENTS
EMPLOYEE MOTIVATION

Page 41: 11 Domains

BETTERMENT AFTER IMPLEMENTATION

ENHANCES KNOWLEDGE & IMPORTANCE OF SECURITY RELATED ISSUES

IMPROVES UNDERSTANDING OF BUSINESS ASPECTS

REDUCTION IN SECURITY BREACHES

IDENTIFICATION OF CRITICAL ASSETS

ENHANCES INFO SECURITY – INTERNALLY & EXTERNALLY

IMPROVES INSURANCE RATING

PROVIDES A STRUCTURE FOR CONTINUOUS IMPROVEMENT



Page 42: 11 Domains

ROLE AS CISO / COMPLIANCE OFFICER

ENSURE SYSTEMATIC ESTABLISHMENT OF ISMS, WITH MANAGEMENT COMMITMENT, COOPERATION & COORDINATION WITH ALL DIVISIONS.
SMOOTH & SUCCESSFUL IMPLEMENTATION AND OPERATION OF ISMS
OMBUDSMAN ON ALL MATTERS RELATING TO INFO SECURITY
MONITOR & REVIEW ISMS THROUGH INTERNAL AUDIT USING BS 7799, ISO 17799 TOOLS
ASSIST IN CONTINUALLY MAINTAINING & IMPROVING THE ISMS
OBTAIN BS 7799 CERTIFICATION AND MAINTAIN THE STANDARD

Page 43: 11 Domains

CONCLUSION

SECURITY IS EVERYBODY’S CONCERN & INFORMATION SECURITY IS PARAMOUNT IN OUR CONCERN (COMPANY), OR ELSE THE CONCERN ITSELF MAY CEASE TO EXIST

Page 44: 11 Domains

QUESTIONS, IF ANY
