IT ISMS Workshop

ISO 27001:2005 - Information Security Management System (ISMS) - Workshop


Transcript of IT ISMS Workshop

  • ISO 27001:2005 - Information Security Management System (ISMS) - Workshop

  • Agenda

    Need for Information Security Management

    Information Overview

    Information Security Management System (ISMS)

    Benefits

    Implementation at Kahramaa


  • Need for Information Security Management

    Rising security threats and incidents

      Rapid evolution and a high level of innovation in emerging threats

      Advanced techniques combining technology and social engineering

      Leading to monetary losses, loss of reputation and loss of customer confidence

    Information explosion

      Enterprises today manage terabytes and petabytes of data

      Information exists in many forms, including databases, physical documents and electronic files

      Protection is a complex task

    Increased accountability for security

      Need to demonstrate that business process integrity is protected

      Need to demonstrate that the organization has adopted global best practices

      Need to demonstrate higher assurance to key stakeholders

    An Information Security Management System enables an organization to implement a process-driven approach towards consistent results and improvements.

    Need for Information Security Management System

  • Need for Information Security Management

    ISO 27001: Global Adoption (certificate counts by country)*

    * As of November-2011 (http://www.iso27001certificates.com/)

  • Information Overview

    What is Information?

    Information Security is more than IT security

    Information is an asset which, like other important business assets, has value to the organization and consequently needs to be suitably protected.

    Information assets are not limited to computers and hard disks. They can be in any form.

  • Information Overview

    Information Risk

    Information assets are susceptible to risks which can impact confidentiality, integrity and/or availability, impacting business operations.

    Information takes many forms: printed, electronic, written, spoken, stored, discarded.

    Availability: accessible upon demand by an authorized entity

      Example threats: fire, network downtime, power failure, hardware failure, overloading

    Confidentiality: accessible only to authorized entities

      Example threats: stealing of classified documents, loss of laptops, social engineering attacks, phishing, information leak, network attacks, unrestricted access, user error, theft

    Integrity: complete and accurate

      Example threats: insecure communication channel, unauthorized DB access, malicious software, uncontrolled system changes, media failure, configuration error

  • Information Security Management System

    Why ISMS (ISO 27001:2005)?

    A systematic approach to managing information risks. It is implemented using:

    Organisational Structure

    Policies & Guidelines

    Necessary processes and resource allocations

    Measurement methodology

    Review processes for improvement

  • Information Security Management System

    Approach for ISMS

  • Information Security Management System

    ISO 27001:2005 Domains (Annex A)

    A.5  Security Policy

    A.6  Organization of Information Security

    A.7  Asset Management

    A.8  Human Resources Security

    A.9  Physical and Environmental Security

    A.10 Communications and Operations Management

    A.11 Access Control

    A.12 Information Systems Acquisition, Development and Maintenance

    A.13 Information Security Incident Management

    A.14 Business Continuity Management

    A.15 Compliance

    Domains: 11

    Control objectives: 39

    Controls: 133

  • Control Selection Process

    Asset -> Risk -> Reason -> Controls

    Asset: Paper documents

      Risk: Unauthorized access

        Reason: Lack of classification guidelines -> Control: Data Classification Policy

        Reason: Absence of shredders -> Control: Install shredders

    Asset: Configuration files (routers, switches, etc.)

      Risk: Tampering

        Reason: Weak access control -> Controls: Privilege-based access for resources; System event logging and monitoring

      Risk: Loss of data

        Reason: Environmental hazards -> Control: Implementation of redundancy of data storage systems (backup management)

    Information Security is Everyone's Responsibility

  • Benefits

    Implementation of a systematic, risk-based information security approach

    Higher availability of systems

    Assurance to Management

    Better Customer Confidence & Satisfaction

    Enhanced Security Awareness

    Consistent improvements in security posture with time

  • Kahramaa Implementation

    ISMS Implementation at Kahramaa

    Scope Diagram

  • Kahramaa Implementation: Project Phases

    Phase I:   Project Initiation and System Study

    Phase II:  Risk Assessment and Risk Treatment

    Phase III: Policy and Procedure Development

    Phase IV:  Implementation Support and Knowledge Transfer

    Phase V:   Internal Audit and ISO 27001 Certification


  • Kahramaa Implementation

    ISMS Implementation in Kahramaa

    Information Security Coordinators (Designation - Section / Unit)

    Network Administrator - Client Support & Networks

    System Analyst - System Support

    System Administrator - System Development

  • Kahramaa Implementation

    Your Role in ISMS

    Phase I & II

      Explain business processes

      Information assets identification

      Information assets valuation

    Phase III & IV

      Provide required policies and procedures for update

      Implementation of identified controls

    Phase V

      Participate in internal audit

      Support in gap mitigation

      Participate in external audit

  • Work completed

    System study

    Scope finalization

    Identification of SPOCs

    Interviews with sections & units within scope

    What is next?

    Asset collection

    Risk assessment methodology

    Risk assessment

    Security Testing (Vulnerability Assessment & Penetration Testing)

    Risk treatment

    Statement of Applicability (SoA)


  • Thank You!