Transcript of ISMS ISO27001:2005
Information Security Management System (ISMS)
What is Information?
What is Information Security?
What is RISK?
An Introduction to ISO 27001:2005 (ISMS)
ISO 27001:2005 Feature
'Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected'
Information can be:
• Created
• Stored
• Destroyed
• Used (for proper and improper purposes)
• Corrupted
• Lost
• Stolen
• Printed or written on paper
• Transmitted by post or using electronic means
• Shown on corporate videos
• Displayed / published on the web
• Verbal, spoken in conversations
'…Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected'
What Is Information Security
Information security is the process of protecting the confidentiality, integrity and availability (CIA) of data.
Security is achieved by using several strategies simultaneously, in combination with one another.
Security is not something you buy, it is something you do.
Having People, Processes, Technology, policies, procedures,
Security is for PPT (People, Process, Technology) and not only for appliances or devices.
Information Security Benefits
1. Protects information from a range of threats
2. Ensures business continuity
3. Minimizes financial loss
4. Optimizes return on investments
5. Increases business opportunities
Business survival depends on information security.
ISO 27002:2005 defines Information Security as the
Confidentiality: ensuring that information is accessible only to those authorized to have access
Integrity: safeguarding the accuracy and completeness of information and processing methods
Availability: ensuring that authorized users have access to information and associated assets when required
Security breaches lead to…
• Reputation loss
• Financial loss
• Intellectual property loss
• Legislative breaches leading to legal actions (Cyber
• Loss of customer confidence
• Business interruption costs
LOSS OF GOODWILL
INFO SECURITY SURVEY
• Information Security is an "Organizational Problem" rather than an "IT Problem"
• More than 70% of threats are internal
• More than 60% of culprits are first-time fraudsters
• Biggest Risk: People
• Biggest Asset: People
What is Risk?
Risk: A possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset.
Risk = Threat * Vulnerability * Asset value
Threat: Something that can potentially cause damage to the organization, IT Systems or network.
Vulnerability: A weakness in the organization, IT Systems, or network that can be exploited by a threat.
To identify threats, think about the ways the organization's information and systems could be harmed: disclosure (improper maintenance procedures, hackers); interruption (earthquake, fire, flood, malicious code, power failure); modification (data entry errors, hackers, malicious code); destruction (power spikes, fire, natural disasters); and removal (theft of data or systems).
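To make the formula above concrete, here is an added example (not part of the slide deck) of a small risk register that scores each entry as Risk = Threat * Vulnerability * Asset value, tags it with one of the five harm types just listed, ranks the entries, and recomputes residual risk once a control lowers the vulnerability term. The 1..5 rating scale, the treatment threshold, the asset names and all ratings are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable

# The five ways an asset can be harmed, as listed on the slide.
EFFECTS = ("disclosure", "interruption", "modification", "destruction", "removal")
# Assumed rating scale (1 = lowest, 5 = highest); the slide gives no scale.
SCALE = range(1, 6)


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    effect: str
    threat_likelihood: int  # how likely the threat is to act against the asset (1..5)
    vulnerability: int      # how exploitable the weakness is with current controls (1..5)
    asset_value: int        # business value of the asset (1..5)

    def __post_init__(self) -> None:
        # Reject entries that do not fit the model before they reach the register.
        if self.effect not in EFFECTS:
            raise ValueError(f"unknown effect {self.effect!r}; expected one of {EFFECTS}")
        for name in ("threat_likelihood", "vulnerability", "asset_value"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be within 1..5")

    def score(self) -> int:
        """Risk = Threat * Vulnerability * Asset value, the slide's formula."""
        return self.threat_likelihood * self.vulnerability * self.asset_value


def rank_risks(register: Iterable[RiskEntry]) -> list[RiskEntry]:
    """Highest-scoring risks first, so treatment effort goes to the top entries."""
    return sorted(register, key=lambda e: e.score(), reverse=True)


def needs_treatment(register: Iterable[RiskEntry], threshold: int) -> list[RiskEntry]:
    """Entries whose score reaches the (assumed) acceptance threshold, ranked."""
    return [e for e in rank_risks(register) if e.score() >= threshold]


def treat(entry: RiskEntry, new_vulnerability: int) -> RiskEntry:
    """Model applying a control: the control lowers the vulnerability term and the
    residual risk is recomputed with the same threat likelihood and asset value."""
    return RiskEntry(entry.asset, entry.threat, entry.effect,
                     entry.threat_likelihood, new_vulnerability, entry.asset_value)


# Constructed sample register: names and ratings are invented for illustration.
SAMPLE_REGISTER = [
    RiskEntry("customer database", "web application attack", "disclosure", 4, 3, 5),
    RiskEntry("payroll server", "flood in server room", "interruption", 1, 4, 4),
    RiskEntry("laptop fleet", "theft of unencrypted laptop", "removal", 3, 4, 3),
    RiskEntry("order system", "data entry error", "modification", 5, 2, 3),
]

if __name__ == "__main__":
    for e in rank_risks(SAMPLE_REGISTER):
        print(f"{e.score():3d}  {e.effect:<12} {e.asset}: {e.threat}")
    top = needs_treatment(SAMPLE_REGISTER, threshold=40)[0]
    print("treat:", top.asset, "->", treat(top, new_vulnerability=1).score())
```

Ranking by the product rather than by any single factor is the point of the formula: the most likely threat in the sample (the data entry error, likelihood 5) is not the top risk, because it hits a less valuable asset through a weakness that is already partly controlled.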
• External Parties
• Low awareness of security issues
• Growth in networking and distributed computing
• Growth in complexity and effectiveness of hacking tools and
• Natural Disasters, e.g. fire, flood, earthquake
Threat Sources
Source | Motivation | Threat
 | Challenge, Ego, Game playing | System hacking, Social engineering, Dumpster diving
 | Deadline, Financial problems, Disenchantment | Backdoors, Fraud, Poor documentation
 |  | System attacks, Social engineering, Letter bombs, Viruses, Denial of service
Poorly trained employees | Unintentional errors, Programming errors, Data entry errors | Corruption of data, Malicious code introduction, System bugs, Unauthorized access
No | Categories of Threat | Example
1 | Human errors or failures | Accidents, employee mistakes
2 | Compromise to intellectual property | Piracy, copyright infringements
3 | Deliberate acts of espionage or trespass | Unauthorized access and/or data collection
4 | Deliberate acts of information extortion | Blackmail of information exposure / disclosure
5 | Deliberate acts of sabotage / vandalism | Destruction of systems / information
6 | Deliberate acts of theft | Illegal confiscation of equipment or information
7 | Deliberate software attacks | Viruses, worms, macros, denial of service
8 | Deviations in quality of service from service provider | Power and WAN issues
9 | Forces of nature | Fire, flood, earthquake, lightning
10 | Technical hardware failures or errors | Equipment failures / errors
11 | Technical software failures or errors | Bugs, code problems, unknown loopholes
12 | Technological obsolescence | Antiquated or outdated technologies
• High user knowledge of IT
• Systems & network failure
• Lack of documentation
• Lapse in physical security
• Natural calamities &
SO HOW DO WE OVERCOME THESE PROBLEMS?
Information Security Management System (ISMS)
Early 1990
• DTI (UK) established a working group
• Information Security Management Code of Practice produced as
1995
• BS 7799 published as UK Standard
1999
• BS 7799-1:1999 second revision published
2000
• BS 7799-1 accepted by ISO as ISO 17799 published
• BS 7799-2:2002 published
• ISO 27001:2005
Information technology — Security techniques — Information security management systems — Requirements
• ISO 27002:2005
Information technology — Security techniques — Code of practice for information security management
ISO 27001 provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS).
The adoption of an ISMS should be a strategic decision for an organization. The design and implementation of an organization's ISMS is influenced by its needs and objectives, security requirements, the processes employed and the size and structure of the organization.
The ISO 27001 Standard can be used in order to assess conformance by interested internal and external parties.
Features of ISO 27001
• Plan, Do, Check, Act (PDCA) Process Model
• Process Based Approach
• Stress on Continual Process Improvements
• Scope covers Information Security, not only IT Security
• Covers People, Process and Technology
• 5600 plus organizations worldwide have been
Human Wall Is Always Better Than A Firewall
. . . LET US BUILD A HUMAN WALL ALONG WITH FIREWALL