ISO27001 Introduction to Information Security. Who has day-to-day responsibility? All of us! Why...
ISO27001 Introduction to Information Security
Who has day-to-day responsibility?
All of us!
Why Information Security?
Control risk, limit liability
What is our involvement?
The confidentiality, availability and integrity of information
How do we check we’re compliant?
Regular internal and external audits
Information Security Overview
What is ISO27001?
How can we protect information?
How does this affect my work?
Examples
Summary
Introduction to Information Security
An International Information Security Standard
What is ISO27001?
Documented Operational Procedures
Prerequisite for working with clients
Designed to identify, manage and reduce threats to restricted information
Certified by an external certification body
ISO27001:2005 Information Security Management System (ISMS)
Co-ordinated for Transversal by an Information Security Forum
How can we protect information?
Availability - Ensure the availability of information at point of need, e.g. through our recording and reporting processes
Confidentiality - Protect confidentiality by ensuring that all information is locked away or stored on Transversal’s servers, and by disposing of information safely
Integrity - Verify the integrity of information received or produced
How can we protect information? Examples of Confidentiality, Integrity and Availability
Confidentiality
• Loss of client data
• Loss of contract data
• Loss of personal data
Integrity
• Accuracy of data handling
• Accuracy of client data handling
• Data input error
Availability
• Power failure
• Information misfiling
• Information loss (backup)
• Communications loss
Observe information security standards in using our systems https://isms.cluster.local
What can we do to protect information?
Keep confidential or restricted information locked away when not in use
Report Breaches, actual or suspected, and any issues to your team leader or manager
Use complex passwords and lock the computer desktop when leaving your desk
How does this affect my work?
The implemented procedures are there to protect you, not hinder you!
Co-operate with external auditors; they are reviewing the system, not you!
Assist Management to identify areas for review and comply with the resulting procedural changes
How does this affect my work?
Where information confidentiality, integrity or availability might be at risk - report it to your team leader/manager
Familiarise yourself with the ISMS Manual and all relevant Information Security Policies and Procedures
How does this affect my work? Transversal has two information classifications; these are:
RESTRICTED
• Any information that should only be viewed by authorised persons.
• Any information which relates to an identifiable individual and, hence, is covered by the Data Protection Act.
OTHER
• Any information that could reasonably be made available to the general public.
How does this affect my work? Examples of information types within the classifications are:
RESTRICTED
• Internal communications, Intranet site information, internal operational information.
• Management reports, organisation plans & personnel files
• Financial records
• Backups
• Customer information & records.
• Commercially sensitive data such as contract proposals or agreements, customer contact lists.
OTHER
• Annual reports, publicity material, brochures, advice leaflets and Internet site information.
Examples for Information Security Incidents
“The FSA has fined Zurich £2,275,000 for the loss of 46,000 customers’ personal details from the loss of an unencrypted back-up tape during a routine transfer to a storage facility.”
“The FSA has fined Norwich Union Life £1.26 million for not having effective systems and controls in place to protect customers' confidential information. These failings resulted in a number of actual and attempted frauds against Norwich Union Life's customers.”
“The FSA fined Nationwide £980,000 for failing to manage its information security risks following the theft of a laptop from an employee's home.”
Merchant Securities Group stockbroker has been fined £77,000 by the FSA for failing to protect its customers from identity fraud – despite the firm not having had a data breach.
Summary
ISO27001 Information Security Management
International Standard for the management of information security
Customer expectation and potential contractual requirement
We are all responsible for the security of information
Confidentiality, Integrity and Availability
Documented Policies and Procedures
Report suspected issues to team leader/manager
Co-operate with internal and external auditors
Raising the bar, delivering excellence