ISO27k Awareness Presentation v2
Transcript of ISO27k Awareness Presentation v2
-
8/12/2019 ISO27k Awareness Presentation v2
1/41
Security awareness seminar
An introduction to ISO27k
Information security
This work is copyright 2012, Mohan Kamat and ISO27k Forum, some rights reserved.
It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License.
You are welcome to reproduce, circulate, use and create derivative works from this provided that:
(a) it is not sold or incorporated into a commercial product;
(b) it is properly attributed to the ISO27k Forum (www.ISO27001security.com); and
(c) any derivative works that are shared are subject to the same terms as this work.
-
Information
Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.
(ISO/IEC 27002:2005)
-
Information types
Information exists in many forms:
Printed or written on paper
Stored electronically
Transmitted by post or electronic means
Visual e.g. videos, diagrams
Published on the Web
Verbal/aural e.g. conversations, phone calls
Intangible e.g. knowledge, experience, expertise, ideas
Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected.
(ISO/IEC 27002:2005)
-
Info lifecycle
Information can be:
Created
Owned (it is an asset)
Stored
Processed
Transmitted/communicated
Used (for proper or improper purposes)
Modified or corrupted
Shared or disclosed (whether appropriately or not)
Destroyed or lost
Stolen
Controlled, secured and protected throughout its existence
-
Key term
What is information security?
Information security is what keeps valuable information free of danger (protected, safe from harm)
It is not something you buy, it is something you do
o It's a process, not a product
It is achieved using a combination of suitable strategies and approaches:
o Determining the risks to information and treating them accordingly (proactive risk management)
o Protecting CIA (Confidentiality, Integrity and Availability)
o Avoiding, preventing, detecting and recovering from incidents
o Securing people, processes and technology, not just IT!
-
Security elements
PEOPLE: staff & management
PROCESSES: business activities
TECHNOLOGY: IT, phones, pens
-
People
People who use or have an interest in our information security include:
Shareholders / owners
Management & staff
Customers / clients, suppliers & business partners
Service providers, contractors, consultants & advisors
Authorities, regulators & judges
Our biggest threats arise from people (social engineers, unethical competitors, hackers, fraudsters, careless workers, bugs, flaws), yet our biggest asset is our people (e.g. security-aware employees who spot trouble early)
-
Technology
Information technologies
Cabling, data/voice networks and equipment
Telecommunications services (PABX, VoIP, ISDN, videoconferencing)
Phones, cellphones, PDAs
Computer servers, desktops and associated data storage devices (disks, tapes)
Operating system and application software
Paperwork, files
Pens, ink
Security technologies
Locks, barriers, card-access systems, CCTV
-
Value
We all depend on information security
Information security is valuable because it:
Protects information against various threats
Ensures business continuity
Minimizes financial losses and other impacts
Optimizes return on investments
Creates opportunities to do business safely
Maintains privacy and compliance
-
Impacts
Security incidents cause:
IT downtime, business interruption
Financial losses and costs
Devaluation of intellectual property
Breaking laws and regulations, leading to prosecutions, fines and penalties
Reputation and brand damage leading to loss of customer, market, business partner or owners' confidence and lost business
Fear, uncertainty and doubt
-
Relationships
Risk relationships (diagram): threats exploit vulnerabilities, giving rise to risk to information assets; information assets have value and hence security requirements; controls reduce risk.
-
Threat agent
The actor that represents, carries out or catalyzes the threat
Human, Machine, Nature
-
Motive
Something that causes the threat agent to act
Implies intentional/deliberate attacks, but some are accidental
-
Threat types
Threat type: Example
Human error: Typo, wrong attachment/email address, lost laptop or phone
Intellectual property: Piracy, industrial espionage
Deliberate act: Unauthorized access/trespass, data theft, extortion, blackmail, sabotage, vandalism, terrorist/activist/criminal activity
Fraud: Identity theft, expenses fraud
System/network attack: Viruses, worms, Trojans, hacks
Service issue: Power cuts, network outages
Force of nature: Fire, flood, storm, earthquake, lightning, tsunami, volcanic eruption
Hardware issue: Computer power supply failure, lack of capacity
Software issue: Bugs or design flaws, data corruption
Obsolescence: iPhone 4?
-
So how do we secure our information assets?
-
ISO27k
A brief history of ISO27k
1990s: Information Security Management Code of Practice produced by a UK government-sponsored working group; based on the security policy used by Shell; became British Standard BS7799
2000s: Adopted by ISO/IEC; became ISO/IEC 17799 (later renumbered ISO/IEC 27002); ISO/IEC 27001 published & certification scheme started
Now: Expanding into a suite of information security standards (known as ISO27k); updated and reissued every few years
-
ISO 27001
Concerns the management of information security, not just IT/technical security
Formally specifies a management system
Uses Plan, Do, Check, Act (PDCA) to achieve, maintain and improve alignment of security with risks
Covers all types of organizations (e.g. commercial companies, government agencies, not-for-profit organizations) and all sizes
Thousands of organizations worldwide have been certified compliant
-
PDCA
ISMS PROCESS: Plan-Do-Check-Act (diagram)
Input: interested parties, information security requirements & expectations
PLAN: Establish ISMS
DO: Implement & operate the ISMS
CHECK: Monitor & review ISMS
ACT: Maintain & improve
Management responsibility
Output: interested parties, managed information security
-
Control clauses (diagram)
Information Security Policy
Organisation of Information Security
Asset Management
Human Resource Security
Physical Security
Communication & Operations Management
Access Control
System Development & Maintenance
Incident Management
Business Continuity Planning
Compliance
-
Control clauses
Information security policy - management direction
Organization of information security - management framework for implementation
Asset management - assessment, classification and protection of valuable information assets
HR security - security for joiners, movers and leavers
Physical & environmental security - prevents unauthorised access, theft, compromise, damage to information and computing facilities, power cuts
-
Control clauses (continued)
Communications & operations management - ensures the correct and secure operation of IT
Access control - restrict unauthorized access to information assets
Information systems acquisition, development & maintenance - build security into systems
Information security incident management - deal sensibly with security incidents that arise
Business continuity management - maintain essential business processes and restore any that fail
Compliance - avoid breaching laws, regulations, policies and other security obligations
-
Benefits
Demonstrable commitment to security by the organization
Legal and regulatory compliance
Better risk management
Commercial credibility, confidence, and assurance
Reduced costs
Clear employee direction and improved awareness
-
Scope
ISMS scope
Data center & DR site
All information assets throughout the organization
-
Key documents
Key ISMS documents
High level corporate security policy
Supporting policies e.g. physical & environmental, email, HR, incident management, compliance etc.
Standards e.g. Windows Security Standard
Procedures and guidelines
Records e.g. security logs, security review reports, corrective actions
-
Vision & mission
Information security vision
Vision
The organization is acknowledged as an industry leader for information security.
Mission
To design, implement, operate, manage and maintain an Information Security Management System that complies with international standards, incorporating generally-accepted good security practices
-
Who
Who is responsible?
Information Security Management Committee
Information Security Manager/CISO and Department
Incident Response Team
Business Continuity Team
IT, Legal/Compliance, HR, Risk and other departments
Audit Committee
Last but not least, you!
Bottom line: Information security is everyone's responsibility
-
Policy
Corporate Information Security Policy
Policy is signed by the CEO and mandated by top management
Find it on the intranet
-
Info asset classification
Information Asset Classification: Confidentiality
CONFIDENTIAL: If this information is leaked outside the organization, it will result in major financial and/or image loss. Compromise of this information may result in serious non-compliance (e.g. a privacy breach). Access to this information must be restricted based on the concept of need-to-know. Disclosure requires the information owner's approval. In case information needs to be disclosed to third parties, a signed confidentiality agreement is required.
Examples: customer contracts, pricing rates, trade secrets, personal information, new product development plans, budgets, financial reports (prior to publication), passwords, encryption keys.
INTERNAL USE ONLY: Leakage or disclosure of this information outside the organization is unlikely to cause serious harm but may result in some financial loss and/or embarrassment.
Examples: circulars, policies, training materials, general company emails, security policies and procedures, corporate intranet.
PUBLIC: This information can be freely disclosed to anyone, although publication must usually be explicitly approved by Corporate Communications or Marketing.
Examples: marketing brochures, press releases, website.
-
Classification
Confidentiality
Confidentiality of information concerns the protection of sensitive (and often highly valuable) information from unauthorized or inappropriate disclosure.
Confidentiality level: Explanation
High: Information which is very sensitive or private, of great value to the organization and intended for specific individuals only. The unauthorized disclosure of such information can cause severe harm such as legal or financial liabilities, competitive disadvantage, loss of brand value, e.g. merger and acquisition related information, marketing strategy
Medium: Information belonging to the company and not for disclosure to public or external parties. The unauthorized disclosure of this information may harm the organization somewhat, e.g. organization charts, internal contact lists.
Low: Non-sensitive information available for public disclosure. The impact of unauthorized disclosure of such information shall not harm the organisation in any way, e.g. press releases, company newsletters, information published on the company's website
-
User responsibilities
Physical security
Do:
Read and follow security policies and procedures
Display identity cards while on the premises
Challenge or report anyone without an ID card
Visit the intranet Security Zone or call IT Help/Service Desk for advice on most information security matters
Do not:
Allow unauthorized visitors onto the premises
Bring weapons, hazardous/combustible materials, recording devices etc., especially in secure areas
Use personal IT devices for work purposes, unless explicitly authorized by management
-
User responsibilities
Password guidelines
Do:
Use long, complicated passphrases - whole sentences if you can
Reserve your strongest passphrases for high security systems (don't re-use the same passphrase everywhere)
Use famous quotes, lines from your favorite songs, poems etc. to make them memorable
Do not:
Use short or easily-guessed passwords
Write down passwords or store them in plain text
Share passwords over phone or email
-
User responsibilities
Internet usage
Warning: Internet usage is routinely logged and monitored. Be careful which websites you visit and what you disclose.
Avoid websites that would be classed as obscene, racist, offensive or illegal, or anything that would be embarrassing
Do not access online auction or shopping sites, except where authorized by your manager
Don't hack!
Do not download or upload commercial software or other copyrighted material without the correct license and permission from your manager
Use the corporate Internet facilities only for legitimate and authorized business purposes
-
User responsibilities
E-mail usage
Use corporate email for business purposes only
Follow the email storage guidelines
If you receive spam email, simply delete it. If it is offensive or you receive a lot, call the IT Help/Service Desk
Do not use your corporate email address for personal email
Do not circulate chain letters, hoaxes, inappropriate jokes, videos etc.
Do not send emails outside the organization unless you are authorized to do so
Be very wary of email attachments and links, especially in unsolicited emails (most are virus-infected)
-
User responsibilities
Security incidents
Report information security incidents, concerns and near-misses to IT Help/Service Desk:
Email
Telephone
Anonymous drop-boxes
Take their advice on what to do
Do not discuss security incidents with anyone outside the organization
Do not attempt to interfere with, obstruct or prevent anyone else from reporting incidents
-
Responsibilities
Ensure your PC is getting antivirus updates and patches
Lock your keyboard (Windows-L) before leaving your PC unattended, and log off at the end of the day
Store laptops and valuable information (paperwork as well as CDs, USB sticks etc.) securely under lock and key
Keep your wits about you while traveling:
Keep your voice down on the cellphone
Be discreet about your IT equipment
Take regular information backups
Fulfill your security obligations:
Comply with security and privacy laws, copyright and licenses, NDAs (Non Disclosure Agreements) and contracts
Comply with corporate policies and procedures
Stay up to date on information security:
Visit the intranet Security Zone when you have a moment