ISMS ISO27001:2005
Author: asharrajpoot
Transcript of ISMS ISO27001:2005

Information Security Management System (ISMS)
ISO/IEC 27001:2005

AGENDA
• What is Information?
• What is Information Security?
• What is Risk?
• An Introduction to ISO 27001:2005 (ISMS)
• ISO 27001:2005 Features

INFORMATION
'Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected'
(ISO 27002:2005)

INFORMATION LIFE CYCLE
Information can be:
• Created
• Stored
• Destroyed
• Processed
• Transmitted
• Used – for proper and improper purposes
• Corrupted
• Lost
• Stolen

INFORMATION TYPES
• Printed or written on paper
• Stored electronically
• Transmitted by post or using electronic means
• Shown on corporate videos
• Displayed / published on the web
• Verbal – spoken in conversations
‘…Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected’
(ISO 27002:2005)

INFORMATION SECURITY
What Is Information Security?
Information security is the process of protecting the confidentiality, integrity and availability (CIA) of data.
Security is achieved using several strategies simultaneously or in combination with one another.
Security is not something you buy, it is something you do.
It requires people, processes and technology, supported by policies and procedures.
Security is for PPT (People, Processes, Technology) and not only for appliances or devices.

INFORMATION SECURITY
Information Security Benefits
1. Protects information from a range of threats
2. Ensures business continuity
3. Minimizes financial loss
4. Optimizes return on investments
5. Increases business opportunities
Business survival depends on information security.

INFORMATION ATTRIBUTES
ISO 27002:2005 defines Information Security as the preservation of:
– Confidentiality: ensuring that information is accessible only to those authorized to have access
– Integrity: safeguarding the accuracy and completeness of information and processing methods
– Availability: ensuring that authorized users have access to information and associated assets when required

LOSS OF GOODWILL
Security breaches lead to…
• Reputation loss
• Financial loss
• Intellectual property loss
• Legislative breaches leading to legal actions (Cyber Law)
• Loss of customer confidence
• Business interruption costs

INFO SECURITY SURVEY
• Information Security is an "Organizational Problem" rather than an "IT Problem"
• More than 70% of threats are internal
• More than 60% of culprits are first-time fraudsters
• Biggest Risk: People
• Biggest Asset: People

WHAT IS RISK
What is Risk?
Risk: the possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset.
Risk = Threat * Vulnerability * Asset value
Threat: something that can potentially cause damage to the organization, IT systems or network.
Vulnerability: a weakness in the organization, IT systems or network that can be exploited by a threat.
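The slide's formula is easiest to understand applied to a small risk register. The following is an added example, not material from the original slides: it scores each asset/threat pair on an assumed 1-5 scale for threat likelihood, vulnerability and asset value, ranks the entries by the product, flags those above an assumed treatment threshold, and shows how applying a control (lowering the vulnerability score) reduces the residual risk. The assets, threats, scores and threshold are all constructed for illustration.

```python
# Added example, not part of the original slides. Implements the slide's
#   Risk = Threat * Vulnerability * Asset value
# over a constructed risk register on an assumed 1-5 qualitative scale.
from dataclasses import dataclass, replace

SCALE = range(1, 6)  # assumed scale: 1 = very low ... 5 = very high
TREATMENT_THRESHOLD = 27  # assumed: 3*3*3, "medium" on every factor


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    threat_likelihood: int  # how likely the threat is to act (1-5)
    vulnerability: int      # how exploitable the weakness is (1-5)
    asset_value: int        # business value of the asset (1-5)

    def score(self) -> int:
        """Risk = Threat * Vulnerability * Asset value, validating the scale."""
        for factor in (self.threat_likelihood, self.vulnerability, self.asset_value):
            if factor not in SCALE:
                raise ValueError(f"factor {factor} is outside the 1-5 scale")
        return self.threat_likelihood * self.vulnerability * self.asset_value


def rank_risks(register):
    """Highest risk first, so treatment effort goes to the top of the list."""
    return sorted(register, key=lambda e: e.score(), reverse=True)


def needs_treatment(entry, threshold=TREATMENT_THRESHOLD):
    """Entries at or above the threshold must be treated rather than accepted."""
    return entry.score() >= threshold


def with_control(entry, new_vulnerability):
    """Residual risk after a control reduces how exploitable the weakness is."""
    return replace(entry, vulnerability=new_vulnerability)


# Constructed register; every value here is illustrative only.
REGISTER = [
    RiskEntry("Customer database", "Unauthorized access by external hacker", 4, 3, 5),
    RiskEntry("Payroll spreadsheet", "Data entry error by poorly trained staff", 4, 4, 3),
    RiskEntry("Office file server", "Fire (natural disaster)", 1, 3, 4),
    RiskEntry("Corporate website", "Denial of service", 3, 3, 2),
]

if __name__ == "__main__":
    for e in rank_risks(REGISTER):
        flag = "TREAT" if needs_treatment(e) else "accept"
        print(f"{e.score():3d}  {flag:6s} {e.asset}: {e.threat}")
    hardened = with_control(REGISTER[0], 1)  # e.g. after access control is applied
    print("residual risk for customer database:", hardened.score())
```

Ranking by the product, rather than by any single factor, is the point of the formula: the fire scenario scores low despite a valuable asset because the likelihood is low, while the payroll error scores high because a likely threat meets a weak control. The `with_control` step shows where ISO 27001 controls act: they usually cannot change the threat or the asset value, so treatment is measured as a drop in the vulnerability factor.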

THREAT IDENTIFICATION
To identify threats, think about the kinds of harm the organization might suffer: disclosure (improper maintenance procedures, hackers); interruption (earthquake, fire, flood, malicious code, power failure); modification (data entry errors, hackers, malicious code); destruction (power spikes, fire, natural disasters); and removal (theft of data or systems).

THREATS
• Employees
• External parties
• Low awareness of security issues
• Growth in networking and distributed computing
• Growth in complexity and effectiveness of hacking tools and viruses
• Natural disasters, e.g. fire, flood, earthquake

THREAT SOURCES
External hackers
  Motivation: challenge, ego, game playing
  Threat: system hacking, social engineering, dumpster diving
Internal hackers
  Motivation: deadline, financial problems, disenchantment
  Threat: backdoors, fraud, poor documentation
Terrorist
  Motivation: revenge, political
  Threat: system attacks, social engineering, letter bombs, viruses, denial of service
Poorly trained employees
  Motivation: unintentional errors, programming errors, data entry errors
  Threat: corruption of data, malicious code introduction, system bugs, unauthorized access

CATEGORIES OF THREAT (with examples)
1. Human errors or failures – accidents, employee mistakes
2. Compromise to intellectual property – piracy, copyright infringements
3. Deliberate acts of espionage or trespass – unauthorized access and/or data collection
4. Deliberate acts of information extortion – blackmail of information exposure / disclosure
5. Deliberate acts of sabotage / vandalism – destruction of systems / information
6. Deliberate acts of theft – illegal confiscation of equipment or information
7. Deliberate software attacks – viruses, worms, macros, denial of service
8. Deviations in quality of service from service provider – power and WAN issues
9. Forces of nature – fire, flood, earthquake, lightning
10. Technical hardware failures or errors – equipment failures / errors
11. Technical software failures or errors – bugs, code problems, unknown loopholes
12. Technological obsolescence – antiquated or outdated technologies

RISKS & THREATS
• High user knowledge of IT systems
• Theft, sabotage, misuse
• Virus attacks
• Systems & network failure
• Lack of documentation
• Lapse in physical security
• Natural calamities & fire

SO HOW DO WE OVERCOME THESE PROBLEMS?

Information Security Management System (ISMS)

INTRODUCTION TO ISO 27001
History
• Early 1990s: DTI (UK) established a working group; Information Security Management Code of Practice produced as a BSI-DISC publication
• 1995: BS 7799 published as a UK Standard
• 1999: BS 7799-1:1999 second revision published
• 2000: BS 7799-1 accepted by ISO and published as ISO 17799; BS 7799-2:2002 published

INTRODUCTION TO ISO 27001
History
• ISO 27001:2005 – Information technology — Security techniques — Information security management systems — Requirements
• ISO 27002:2005 – Information technology — Security techniques — Code of practice for information security management

ISO 27001:2005
ISO 27001 provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS).
The adoption of an ISMS should be a strategic decision for an organization. The design and implementation of an organization's ISMS is influenced by its needs and objectives, its security requirements, the processes employed, and the size and structure of the organization.
The ISO 27001 standard can be used to assess conformance by interested internal and external parties.

FEATURES
Features of ISO 27001
• Plan, Do, Check, Act (PDCA) process model
• Process-based approach
• Stress on continual process improvement
• Scope covers information security, not only IT security
• Covers people, process and technology
• 5600 plus organizations worldwide have been certified

Human Wall Is Always Better Than A Firewall
. . . LET US BUILD A HUMAN WALL ALONG WITH THE FIREWALL
THE END