ISO27001 Introduction to Information Security. Who has day-to-day responsibility? All of us! Why...

Transcript of the 14-slide presentation.

Page 1

ISO27001 Introduction to Information Security

Page 2

Information Security Overview

Who has day-to-day responsibility?
All of us!

Why Information Security?
Control risk, limit liability

What is our involvement?
The confidentiality, availability and integrity of information

How do we check we're compliant?
Regular internal and external audits

Page 3

Introduction to Information Security

What is ISO27001?
How can we protect information?
How does this affect my work?
Examples
Summary

Page 4

What is ISO27001?

An international information security standard
Documented operational procedures
Prerequisite for working with clients
Designed to identify, manage and reduce threats to restricted information
Certificated by an external certification body
ISO27001:2005 Information Security Management System (ISMS), co-ordinated for Transversal by an Information Security Forum

Page 5

How can we protect information?

Availability - Ensure the availability of information at point of need, e.g. through our recording and reporting processes

Confidentiality - Protect confidentiality by ensuring that all information is locked away or stored on Transversal's servers, and by disposing of information safely

Integrity - Verify the integrity of information received or produced

Page 6

How can we protect information? Examples of Confidentiality, Integrity and Availability

Confidentiality
• Loss of client data
• Loss of contract data
• Loss of personal data

Integrity
• Accuracy of data handling
• Accuracy of client data handling
• Data input error

Availability
• Power failure
• Information misfiling
• Information loss (backup)
• Communications loss

Page 7

What can we do to protect information?

Observe information security standards in using our systems: https://isms.cluster.local
Keep confidential or restricted information locked away when not in use
Report breaches, actual or suspected, and any issues to your team leader or manager
Use complex passwords and lock the computer desktop on leaving your desk

Page 8

How does this affect my work?

The implemented procedures are there to protect you, not hinder you!

Co-operate with external auditors: they are reviewing the system, not you!

Assist Management to identify areas for review and comply with the resulting procedural changes

Page 9

How does this affect my work?

Where information confidentiality, integrity or availability might be at risk - report it to your team leader/manager

Familiarise yourself with the ISMS Manual and all relevant Information Security Policies and Procedures

Page 10

How does this affect my work? Transversal has two information classifications, these are:

RESTRICTED
• Any information that should only be viewed by authorised persons.
• Any information which relates to an identifiable individual and, hence, is covered by the Data Protection Act.

OTHER
• Any information that could reasonably be made available to the general public.

Page 11

How does this affect my work? Examples of information types within the classifications are:

RESTRICTED
• Internal communications, intranet site information, internal operational information.
• Management reports, organisation plans & personnel files
• Financial records
• Backups
• Customer information & records.
• Commercially sensitive data such as contract proposals or agreements, customer contact lists.

OTHER
• Annual reports, publicity material, brochures, advice leaflets and Internet site information.

Page 12

Examples of Information Security Incidents

"The FSA has fined Zurich £2,275,000 for the loss of 46,000 customers' personal details from the loss of an unencrypted back-up tape during a routine transfer to a storage facility."

“The FSA has fined Norwich Union Life £1.26 million for not having effective systems and controls in place to protect customers' confidential information. These failings resulted in a number of actual and attempted frauds against Norwich Union Life's customers.”

“The FSA fined Nationwide £980,000 for failing to manage its information security risks following the theft of a laptop from an employee's home.”

Merchant Securities Group stockbroker has been fined £77,000 by the FSA for failing to protect its customers from identity fraud – despite the firm not having had a data breach.

Page 13

Summary: ISO27001 Information Security Management

International standard for the management of information security

Customers' expectation and potential contractual requirement

We are all responsible for the security of information

Confidentiality, Integrity and Availability

Documented Policies and Procedures

Report suspected issues to team leader/manager

Co-operate with internal and external auditors

Page 14

Raising the bar, delivering excellence