IT ISMS Workshop
Transcript of IT ISMS Workshop
-
ISO 27001:2005 - Information Security Management
System (ISMS) - Workshop
-
Agenda
Need for Information Security Management
Information Overview
Information Security Management System (ISMS)
Benefits
Implementation at Kahramaa
-
Need for Information Security Management
Rapid evolution and high level of innovation in emerging threats
Advanced techniques that combine technology and social engineering
Leads to monetary losses, loss of reputation, loss of customer confidence
Rising security threats, incidents
Enterprises today manage terabytes and petabytes of data
Information exists in many forms including databases, physical documents, electronic files
Protection is a complex task
Information Explosion
Need to demonstrate that business process integrity is protected
Need to demonstrate that organization has adopted global best practices
Increased accountability for security
Need to demonstrate higher assurance to key stakeholders
An Information Security Management System enables an organization to implement a process-driven approach towards consistent results and improvements.
Need for an Information Security Management System
-
Need for Information Security Management
ISO 27001: Global Adoption
* As of November-2011 (http://www.iso27001certificates.com/)
-
Information Overview
What is Information?
Information Security is more than IT security.
Information is an asset which, like other important business assets, has
value to the organization and consequently needs to be suitably protected.
Information assets are not limited to computers and hard disks.
They can be in any form.
-
Information Overview
Information Risk
Information assets are susceptible to risks that can impact confidentiality, integrity and/or availability, and thereby business operations.
CIA triad diagram: Confidentiality, Integrity and Availability around Information, which may be Printed, Electronic, Written, Spoken, Stored or Discarded.
Availability (accessible upon demand by an authorized entity). Example threats: Fire, Network downtime, Power failure, Hardware failure, Overloading.
Confidentiality (accessible only to authorized entities). Example threats: Stealing of classified documents, Loss of laptops, Social engineering attacks, Phishing, Information leak, Network attacks, Unrestricted access, User error, Theft.
Integrity (complete and accurate). Example threats: Insecure communication channel, Unauthorized DB access, Malicious software, Uncontrolled system changes, Media failure, Configuration error.
-
Information Security Management System
Why ISMS (ISO 27005:2005)?
A systematic approach to managing information risks. It is implemented using:
Organisational Structure
Policies & Guidelines
Necessary processes and resource allocations
Measurement methodology
Review processes for improvement
-
Information Security Management System
Approach for ISMS
-
Information Security Management System
ISO 27001:2005 Domains
Organizational Information Security
Asset Management
Human Resource Security
Physical & Environment Security
Communication & Operation Management
Information Systems Acquisition, Development and Maintenance
Access Control
Information Security Incident Management
Compliance
Business Continuity Management
Security Policy
Domains: 11
Control Objectives: 39
Controls: 133
-
Control Selection Process
Asset                  | Risk                | Reason                          | Controls
Paper Documents        | Unauthorized Access | Lack of Classification Guidelines | Data Classification Policy
Paper Documents        | Unauthorized Access | Absence of Shredders            | Install Shredders
Configuration Files    | Tampering           | Weak access control             | Privilege-based access for resources;
(Routers, Switches etc)|                     |                                 | System Event Logging and Monitoring
Configuration Files    | Loss of data        | Environmental hazards           | Implementation of redundancy of data
(Routers, Switches etc)|                     |                                 | storage systems (Backup Management)
Information Security is Everyone's Responsibility
-
Benefits
Implementation of systematic risk based information security approach
Higher availability of systems
Assurance to Management
Better Customer Confidence & Satisfaction
Enhanced Security Awareness
Consistent improvements in security posture with time
-
Kahramaa Implementation
ISMS Implementation at Kahramaa
Scope Diagram
-
Kahramaa Implementation
Phase-I: Project Initiation and System Study
Phase-II: Risk Assessment & Risk Treatment
Phase-III: Policy & Procedure Development
Phase-IV: Implementation Support & Knowledge Transfer
Phase-V: Internal Audit, ISO 27001 Certification
ISMS Implementation in Kahramaa
-
Kahramaa Implementation
ISMS Implementation in Kahramaa
-
Kahramaa Implementation
ISMS Implementation in Kahramaa
Information Security Coordinators
Designation          | Section / Unit
Network Administrator | Client Support & Networks
System Analyst        | System Support
System Administrator  | System Development
-
Kahramaa Implementation
Your Role in ISMS
Phase-I & II
Explain Business Processes
Information Assets Identification
Information Assets Valuation
Phase-III & IV
Provide required policies & procedures for update
Implementation of identified controls
Phase-V
Participate in Internal Audit
Support in Gap Mitigation
Participate in External Audit
-
Work completed
System study
Scope finalization
Identification of SPOCs
Interviews with sections & units within scope
What is next?
Asset collection
Risk assessment methodology
Risk assessment
Security Testing (Vulnerability Assessment & Penetration Testing)
Risk treatment
SOA (Statement of Applicability)
ISMS Implementation in Kahramaa
-
Thank You!