ISMS ISO27001:2005


Description

What is ISO27001?

• An internationally recognized structured methodology dedicated to information security
• A management process to evaluate, implement and maintain an Information Security Management System (ISMS)
• A comprehensive set of controls comprised of best practices in information security
• Applicable to all industry sectors
• Emphasis on prevention

Features of ISO 27001

• Plan, Do, Check, Act (PDCA) Process Model
• Process Based Approach
• Stress on Continual Process Improvements
• Scope covers Information Security, not only IT Security
• Covers People, Process and Technology
• 5600 plus organizations worldwide have been certified

Transcript of ISMS ISO27001:2005

Page 1: ISMS ISO27001:2005


Page 2: ISMS ISO27001:2005

Information Security Management System (ISMS)

ISO/IEC 27001:2005


Page 3: ISMS ISO27001:2005

AGENDA

• What is Information?
• What is Information Security?
• What is RISK?
• An Introduction to ISO 27001:2005 (ISMS)
• ISO 27001:2005 Features

Page 4: ISMS ISO27001:2005

INFORMATION

'Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected'

(ISO 27002:2005)

Page 5: ISMS ISO27001:2005

INFORMATION LIFE CYCLE

Information can be:

• Created
• Stored
• Processed
• Transmitted
• Used (for proper and improper purposes)
• Corrupted
• Lost
• Stolen
• Destroyed

Page 6: ISMS ISO27001:2005

INFORMATION TYPES

• Printed or written on paper
• Stored electronically
• Transmitted by post or using electronic means
• Shown on corporate videos
• Displayed / published on the web
• Verbal – spoken in conversations

'…Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected'

(ISO 27002:2005)

Page 7: ISMS ISO27001:2005

INFORMATION SECURITY

What Is Information Security?

Information security is the process of protecting the confidentiality, integrity and availability (CIA) of data.

Security is achieved using several strategies simultaneously or in combination with one another.

Security is not something you buy, it is something you do.

It requires People, Processes and Technology, supported by policies and procedures.

Security is for PPT (People, Process, Technology) and not only for appliances or devices.

Page 8: ISMS ISO27001:2005

INFORMATION SECURITY

Information Security Benefits

1. Protects information from a range of threats
2. Ensures business continuity
3. Minimizes financial loss
4. Optimizes return on investments
5. Increases business opportunities

Business survival depends on information security.

Page 9: ISMS ISO27001:2005

INFORMATION ATTRIBUTES

ISO 27002:2005 defines Information Security as the preservation of:

– Confidentiality: ensuring that information is accessible only to those authorized to have access
– Integrity: safeguarding the accuracy and completeness of information and processing methods
– Availability: ensuring that authorized users have access to information and associated assets when required

Page 10: ISMS ISO27001:2005

Security breaches lead to…

• Reputation loss
• Financial loss
• Intellectual property loss
• Legislative breaches leading to legal actions (Cyber Law)
• Loss of customer confidence
• Business interruption costs

LOSS OF GOODWILL

Page 11: ISMS ISO27001:2005

INFO SECURITY SURVEY

• Information Security is an "Organizational Problem" rather than an "IT Problem"
• More than 70% of threats are internal
• More than 60% of culprits are first-time fraudsters
• Biggest Risk: People
• Biggest Asset: People

Page 12: ISMS ISO27001:2005

WHAT IS RISK

What is Risk?

Risk: the possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset.

Risk = Threat * Vulnerability * Asset value

Threat: something that can potentially cause damage to the organization, IT systems or network.

Vulnerability: a weakness in the organization, IT systems, or network that can be exploited by a threat.
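The slide gives the formula but not how it is used in practice. The following is an added worked example, not code from the original presentation: it applies Risk = Threat * Vulnerability * Asset value across a small risk register, ranks the entries, and flags those that need a treatment plan. The 1 to 5 ordinal scales, the sample assets and threats, and the treatment threshold are all constructed assumptions (ISO 27001 does not prescribe a scale), so it goes slightly beyond the single formula on the slide by showing how several risks are compared against each other.

```python
"""Risk register scoring, added to illustrate the slide's formula.
Not code from the original presentation. The 1..5 ordinal scales, the
sample assets and the treatment threshold are constructed assumptions."""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5  # assumed ordinal scale; ISO 27001 does not prescribe one


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat_name: str
    threat: int         # likelihood that the threat materialises (1 = rare, 5 = frequent)
    vulnerability: int  # how easily the weakness can be exploited (1 = hard, 5 = trivial)
    asset_value: int    # impact if the asset is damaged, lost or disclosed (1 = minor, 5 = severe)

    def score(self) -> int:
        """Risk = Threat * Vulnerability * Asset value, as stated on the slide."""
        for name, value in (("threat", self.threat),
                            ("vulnerability", self.vulnerability),
                            ("asset_value", self.asset_value)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name} must be between {SCALE_MIN} and {SCALE_MAX}, got {value}")
        return self.threat * self.vulnerability * self.asset_value


def rank_register(entries, threshold):
    """Sort entries by descending risk score and flag those at or above the threshold.

    Returns a list of (entry, score, needs_treatment) tuples. Entries with equal
    scores keep their register order because sorted() is stable."""
    ranked = sorted(entries, key=lambda e: e.score(), reverse=True)
    return [(e, e.score(), e.score() >= threshold) for e in ranked]


# Constructed sample register; the threat types echo the categories listed in the deck
SAMPLE_REGISTER = [
    RiskEntry("Customer database", "Unauthorized access by external hacker", 3, 4, 5),
    RiskEntry("Customer database", "Data entry errors by staff", 4, 3, 5),
    RiskEntry("Office file server", "Fire in server room", 1, 2, 4),
    RiskEntry("Corporate website", "Denial of service", 3, 2, 3),
    RiskEntry("Printed HR records", "Theft from unlocked cabinet", 2, 5, 3),
]

TREATMENT_THRESHOLD = 30  # constructed: risks scoring 30 or more get a treatment plan


if __name__ == "__main__":
    print(f"{'Asset':20} {'Threat':40} {'Score':>5}  Decision")
    for entry, score, treat in rank_register(SAMPLE_REGISTER, TREATMENT_THRESHOLD):
        decision = "treat" if treat else "accept"
        print(f"{entry.asset:20} {entry.threat_name:40} {score:>5}  {decision}")
```

Run stand-alone, the script prints the register ordered by score. Note that the same asset appears twice with different threats and that an internal mistake (data entry errors) scores as high as an external intrusion, which is why the register should be built per threat, not per asset, and why the threat list on the following slides includes employees as well as outsiders.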


Page 13: ISMS ISO27001:2005

THREAT IDENTIFICATION

Threat Identification

To identify threats, think about the problems the organization might face: disclosure (improper maintenance procedures, hackers); interruption (earthquake, fire, flood, malicious code, power failure); modification (data entry errors, hackers, malicious code); destruction (power spikes, fire, natural disasters); and removal (theft of data or systems).

Page 14: ISMS ISO27001:2005

THREATS

Threats

• Employees
• External Parties
• Low awareness of security issues
• Growth in networking and distributed computing
• Growth in complexity and effectiveness of hacking tools and viruses
• Natural Disasters, e.g. fire, flood, earthquake

Page 15: ISMS ISO27001:2005

Threat Sources

Source                   | Motivation                                                  | Threat
External Hackers         | Challenge, Ego, Game Playing                                | System hacking, Social engineering, Dumpster diving
Internal Hackers         | Deadline, Financial problems, Disenchantment                | Backdoors, Fraud, Poor documentation
Terrorist                | Revenge, Political                                          | System attacks, Social engineering, Letter bombs, Viruses, Denial of service
Poorly trained employees | Unintentional errors, Programming errors, Data entry errors | Corruption of data, Malicious code introduction, System bugs, Unauthorized access

Page 16: ISMS ISO27001:2005

No | Category of Threat                                   | Example
1  | Human errors or failures                             | Accidents, employee mistakes
2  | Compromise to intellectual property                  | Piracy, copyright infringements
3  | Deliberate acts of espionage or trespass             | Unauthorized access and/or data collection
4  | Deliberate acts of information extortion             | Blackmail of information exposure / disclosure
5  | Deliberate acts of sabotage / vandalism              | Destruction of systems / information
6  | Deliberate acts of theft                             | Illegal confiscation of equipment or information
7  | Deliberate software attacks                          | Viruses, worms, macros, denial of service
8  | Deviations in quality of service from service provider | Power and WAN issues
9  | Forces of nature                                     | Fire, flood, earthquake, lightning
10 | Technical hardware failures or errors                | Equipment failures / errors
11 | Technical software failures or errors                | Bugs, code problems, unknown loopholes
12 | Technological obsolescence                           | Antiquated or outdated technologies

Page 17: ISMS ISO27001:2005

RISKS & THREATS

• High user knowledge of IT systems
• Theft, sabotage, misuse
• Virus attacks
• Systems & network failure
• Lack of documentation
• Lapse in physical security
• Natural calamities & fire

Page 18: ISMS ISO27001:2005

SO HOW DO WE OVERCOME THESE PROBLEMS?


Page 19: ISMS ISO27001:2005


Information Security Management System (ISMS)

Page 20: ISMS ISO27001:2005

INTRODUCTION TO ISO 27001

History

Early 1990s
• DTI (UK) established a working group
• Information Security Management Code of Practice produced as a BSI-DISC publication

1995
• BS 7799 published as a UK Standard

1999
• BS 7799-1:1999 second revision published

2000
• BS 7799-1 accepted by ISO and published as ISO 17799
• BS 7799-2:2002 published

Page 21: ISMS ISO27001:2005

INTRODUCTION TO ISO 27001

History

• ISO 27001:2005
  Information technology — Security techniques — Information security management systems — Requirements

• ISO 27002:2005
  Information technology — Security techniques — Code of practice for information security management

Page 22: ISMS ISO27001:2005

ISO27001:2005


ISO 27001 provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS).

The adoption of an ISMS should be a strategic decision for an organization. The design and implementation of an organization’s ISMS is influenced by their needs and objectives, security requirements, the processes employed and the size and structure of the organization.

The ISO 27001 Standard can be used in order to assess conformance by interested internal and external parties.

Page 23: ISMS ISO27001:2005

FEATURES

Features of ISO 27001

• Plan, Do, Check, Act (PDCA) Process Model
• Process Based Approach
• Stress on Continual Process Improvements
• Scope covers Information Security, not only IT Security
• Covers People, Process and Technology
• 5600 plus organizations worldwide have been certified

Page 24: ISMS ISO27001:2005

Human Wall Is Always Better Than A Firewall

. . . LET US BUILD A HUMAN WALL ALONG WITH FIREWALL

THE END