iso17799 maturity. confidentiality confidentiality relates to the protection of sensitive data from...
Post on 13-Jan-2016
218 Views
Preview:
TRANSCRIPT
ISO17799 Maturity
Confidentiality
Confidentiality relates to the protection of sensitive data from unauthorized use and distribution.
Examples include:
Securing corporate data
Securing personnel (payroll, health) information
Secure Business –Need Security Infrastructures…
Confidentiality
Integrity
Integrity relates to maintaining the quality and validity of data.
Examples include:
Ensuring that the transactional systems aren’t modified by an unauthorized party
Confidentiality relates to the protection of sensitive data from unauthorized use and distribution.
Examples include:
Securing corporate data
Securing personnel (payroll, health) information
Secure Business –Need Security Infrastructures…
Confidentiality
Integrity
Availability
Availability relates to ensuring that data is accessible.
Examples include:
Ensuring that processing can take place 24 hours a day
Integrity relates to maintaining the quality and validity of data.
Examples include:
Ensuring that the transactional systems aren’t modified by an unauthorized party
Confidentiality relates to the protection of sensitive data from unauthorized use and distribution.
Examples include:
Securing corporate data
Securing personnel (payroll, health) information
Secure Business –Need Security Infrastructures…
Key facets of an information security program include:
People – organization, responsibility, accountability, and leadership
Process – policies, procedures, and practices
Technology – scalable technical support for automation, integration, and enabling of information security operations.
What Is Information Security?
Ultimately, information security is the method by which an organization ensures that it has control over its systems and data, thereby protecting its investment in information technology and its ability to maintain business operations.
What Is Information Security?
Effective control requires executive sponsorship.
Everyone must know and agree to their responsibilities for maintaining effective controls.
Liability may depend on “due care”.
If you’re going to be plugged
in, you accept responsibility.
Trust can’t be enforced.
-- Policy can.
What Is Information Security?
Corporate information protection is based on a multi-layered approach. The structure limits the exposure of any one security breach, however today, the Internet cuts across traditional layers and an unauthorized user could quickly exploit a weak layer.
Internet
Perimeter
Network
Host
Application
Data
Security ProgramOverall foundation to protect environment and set policy for other security layers. Includes monitoring, detection and response.
Perimeter SecurityFirst layer of physical protection (Voice & Data). If breached, access to data is possible.
Network SecurityFirst Internal layer of protection. If breached, loss control of data movement is possible and/or data modification.
Host SecurityProtects computer, application and data. If breached, data could be altered and/or deleted.
Application SecurityProtects application and data. If breached, data could be altered and/or deleted.
Internet SecurityProtects the data that is visible to the Internet from Web pages and via corporate communications. If breach, corporate image and/or communications can be compromised.
Security Program
Electronic Commerce
E-Commerce SecurityProtects the data while communicating across the organization and outside the organization. If breach, all corporate layers of security can be compromised.
…Having An Enterprise View
Began as UK Department of Trade and Industry (DTI) Code of Practice
Facilitated trade in trusted environments
Led to British Standard 7799 (BS7799)
Adopted as ISO17799 in December 2000
Where did ISO17799 Originate?
What is ISO17799?
A comprehensive set of controls comprising best practices
in information securityControls-based policyMeasurableCertifiableRisk-management based Internationally recognized
What is ISO17799?
10-Section Standard• Security Policy• Organizational Security• Asset Classification & Control • Personnel Security • Physical and Environmental Security • Computer & Operations Management• Access Control • System Development and Maintenance • Business Continuity Planning• Compliance
What is ISO17799?
Security Policy• To provide management direction and support for information
security.» Policy - program
What is ISO17799?
Security Organization• To manage information security both in and out of the
organization.» Infrastructure – leadership
» Third party access – contracts
» Outsourcing - SLAs
What is ISO17799?
Asset Classification & Control• To maintain appropriate protection of corporate assets and to
ensure that information assets receive an appropriate level of protection.
» Accountability – ownership
» Information classification - appropriateness
What is ISO17799?
Personnel Security• To reduce risk of human error, maintain awareness, and
minimize damage from incidents.» Job resourcing – background» User training – awareness» Incident response – procedures
What is ISO17799?
Physical and Environmental Security• To prevent unauthorized access, damage and interference to
business premises and information.» Secure areas – physical control
» Equipment security – individual
» General controls – common sense
What is ISO17799?
Computer & Operations Management• To ensure the correct and secure operations of information
systems.» Procedures / responsibilities – who & how» Planning & acceptance – capacity» Malicious software – virus» Housekeeping – backup» Network management – segregation of duties» Media handling – disposal» Information exchange – agreements
What is ISO17799?
Access Control• To control access to information.
» Policy – existence
» User access management – authorization
» User registration – maintenance
» User responsibilities – awareness
» Network access – interfaces
» Operating system access – foundation
» Application access – segregation
» Monitoring – detection
» Mobile access – ubiquitousness
What is ISO17799?
System Development and Maintenance• To ensure that security is built into information systems
» Security in applications – integrity
» Cryptographic controls – confidentiality
» Input / Output Controls
» Security of system files – foundation
» Security in development – change control
What is ISO17799?
Business Continuity Planning• To counteract interruptions to business activities and to
protect critical business processes from the effects of major failures or disasters.
» Management process – not tech!
» Impact analysis – risk assessment
» Continuity plans - existence
» Planning framework - consistency
» Test, test, test! - update
What is ISO17799?
Compliance• To avoid breaches of compliance with law & policy and
maximize effectiveness of system audits.» Legal requirements – money
» Reviews – policy and technology
» System audit – impact
How Will Organizations Benefit?
Standardization – efficiency & automation
Competitive advantage
Risk management – not security for the sake of security
Cost-effectiveness
Move from reactive to proactive
Accepted framework for policy
How Will Organizations Benefit?
1) Driver for process improvement
2) Meet business partner requirements
3) Maintain regulatory compliance
4) Measure the effectiveness of information security efforts
5) (ROI!)
top related