iso27001 - a business view
Post on 09-Jun-2015
A Business View
Who Am I
M.S.Sripati
Information Security Enthusiast and Student
ISMS Implementer
CISA (cleared exam in June 2008)
What Am I NOT going to talk about
Nothing technical
Nothing on what information security is (this is the NULL chapter, for God's sake!)
Not much on basic terms (Google devo bhav||)
What Am I going to talk about
Some cases where regular firewalls and web application security measures fail
What ISO 27001 is and how it helps us
Can you save your organization from these cases?
Someone using your ID card to enter a secure premise and steal/alter/delete some information
Copy/paste by a developer
Password sharing
Kevin Mitnick (!)
Unlocked desktops/laptops
Password re-use
Writing passwords down on paper
Natural calamities
Legal fines (in case of a data breach – HIPAA, PCI-DSS)
Work backlog in antivirus companies
Someone trying to get your personal data so that he/she can sell it in the underground
Some unknown third-party vendor working on your computer
Someone asking for a password while posing as a client
Some random mail asking you to click so that you can receive some money immediately
Social networking sites
Farmville and other third-party apps
An employee having high access to data/information and who has a shady past
No frisking of housekeeping personnel, putting information systems at risk (think about hardware key-loggers)
Taking pictures of code using a camera phone and a third-party app on it (think about an Android app AD)
Data getting lost because of a natural calamity (fire, flood, earthquake, etc.) and having a business requirement to start work again as soon as possible
So, what does it all mean?
Noteworthy points
Changing nature of security incidents
System ownage through an unsuspecting user click
Info-sec as a business, both legit and non-legit
Humans as the weak link in the info-sec chain
Changing legal landscape (HIPAA, PCI-DSS)
Changing business landscape (threats to India from BRIC)
Implementer's Dilemma
Image credit: http://gallery.trupela.com/
Legal Compliance (HIPAA, PCI-DSS, Data Protection Act)
Web Application Security
Human Awareness Quotient (Technical and Non-technical)
Network Security (Firewall, IDS, IPS, Antivirus, etc.)
Image copied from: http://pumapac.org/
Saving Private Ryan
What is ISO 27001
Specifies the requirements for establishing a comprehensive Information Security Management System (ISMS), helping to achieve information security and to give assurance to interested parties.
Interested parties are:
Shareholders / Owners
Management
Employees
Business Partners
Service Providers
Contractors
Customers / Clients
Regulators, etc.
PDCA Process (ISMS process diagram)
Input: Interested Parties' Information Security Requirements & Expectations
PLAN: Establish the ISMS
DO: Implement & Operate the ISMS
CHECK: Monitor & Review the ISMS
ACT: Maintain & Improve the ISMS
All four phases run under Management Responsibility
Output: Managed Information Security, delivered back to the Interested Parties
Control areas of the ISMS
Information Security Policy
Organisation of Information Security
Asset Management
Human Resource Security
Physical Security
Communication & Operations Management
Access Control
System Development & Maintenance
Incident Management
Business Continuity Planning
Compliance
Security goals: Confidentiality, Integrity, Availability
Thank You
M.S.Sripati