![Page 1: Information Security Management System-Business Seminar Security Management Syste… · What is Information and Information Security? Business Seminar Based on ISO/IEC 17799. What](https://reader030.vdocument.in/reader030/viewer/2022011800/5abddf527f8b9a3a428c4836/html5/thumbnails/1.jpg)
Information Security Management System
Based on ISO/IEC 17799
Houman Sadeghi Kaji, Spread Spectrum Communication System PhD., Cisco Certified Network Professional Security Specialist, BS7799 LA
[email protected]
Agenda
• What is Information and Information Security?
• BS 7799/ ISO 17799 Overview
• BS 7799-2 Controls
• Implementation Methodology
• IT Security
• The Internet threat
• Setting the IT security policy framework with BS 7799
• Defining the security requirement
• Designing the security architecture
• Security Project Lifecycle
What is Information and Information Security?
Business Seminar
Based on ISO/IEC 17799
What is Information and Information Security?
“Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.”
Types of Information
• Printed or written on paper
• Stored electronically
• Transmitted by mail or electronic means
• Shown on corporate videos
• Spoken in conversations
Examples of Threats to Information
• Employees
• Low awareness of security issues
• Growth in networking and distributed computing
• Growth in complexity and effectiveness of hacking tools and viruses
• Email
• Fire, Flood, Earthquake
What is Information Security?
ISO 17799:2000 defines information security as the preservation of:
– Confidentiality
• Ensuring that information is accessible only to those authorized to have access
– Integrity
• Safeguarding the accuracy and completeness of information and processing methods
– Availability
• Ensuring that authorized users have access to information and associated assets when required
Achieving Information Security
Implementing a suitable set of controls
– Policies
– Practices
– Procedures
Controls need to be established to ensure that the specific security objectives of the organization are met
What is a Management System?
Business Seminar
Based on ISO/IEC 17799
Elements of a Management System
• Policy (demonstration of commitment and principles for action)
• Planning (identification of needs, resources, structure, responsibilities)
• Implementation and operation (awareness building and training)
• Performance assessment (monitoring and measuring, handling non-conformities, audits)
• Improvement (corrective and preventive action, continual improvement)
• Management review
BS 7799/ ISO 17799 Overview
Business Seminar
Based on ISO/IEC 17799
Information Security Management
The ISO 17799 Way
Safeguarding the confidentiality, integrity, and availability of written, spoken, and computer information
Information Security - Structure
(Diagram: Information security is divided into Administrative security and IT security; IT security is divided into EDP security and Communication security. The diagram carries the labels 75% and 25%.)
ISO 17799 Is
• An internationally recognized structured methodology dedicated to information security
• A defined process to evaluate, implement, maintain, and manage information security
• A comprehensive set of controls comprised of best practices in information security
• Developed by industry for industry
ISO 17799 Is Not
• A technical standard
• Product or technology driven
• An equipment evaluation methodology such as the Common Criteria/ISO 15408
• Related to the "Generally Accepted System Security Principles," or GASSP
BS 7799 – 10 Domains of Information Management
(Diagram: the ten domains arranged around Information, whose properties are Confidentiality, Integrity and Availability.)
• Security policy
• Organizational security
• Asset classification and control
• Personnel security
• Physical and environmental security
• Communications and operations management
• Access control
• Systems development & maintenance
• Business continuity management
• Compliance
The 10 Sections of ISO 17799
(Layered diagram; side labels: Strategy, Management, Knowledge, Technologies, Support.)
• TECHNOLOGY PROTECTION & CONTINUITY: Physical & Environment Controls; Contingency Planning Controls
• INFORMATION ASSET SECURITY: Application Security; Database/ Metadata Security; Host Security; Internet Network Security; Network Perimeter Security
• USER MANAGEMENT: User Management; User Awareness
• SECURITY MANAGEMENT: Security Operations; Security Monitoring
• SECURITY POLICIES: Security Policies, Standards & Guidelines
• SECURITY PROGRAM: Security Program Structure; Security Program Resources & Skills-set
• SECURITY LEADERSHIP: Security Sponsorship/ Posture; Security Strategy
Complementarity with Other ISO Standards
(Diagram)
• Information Security: ISO 17799, code of practice for information security management
• IT Security: ISO 13335 (GMITS), guidelines for the management of IT security
• Products and systems certified by ISO 15408 (CC)
BS 7799-2 Controls
Business Seminar
Based on ISO/IEC 17799
Control Objectives and Controls
BS 7799-2 / ISO 17799 contains:
– 10 control clauses, 36 control objectives, and 127 controls
“Not all of the guidance and controls in this code of practice may be applicable. Furthermore, additional controls not included in this document may be required.”
“They are either based on essential legislative requirements or considered to be common best practice for information security.”
“…guiding principles providing a good starting point for implementing information security.”
Main Information Security Issues
Only 40% of organizations are confident they would detect a systems attack
– A.9.7 Monitoring system access and use
– Objective: To detect unauthorized activities
• A.9.7.1 Event logging
• A.9.7.2 Monitoring system use
• A.9.7.3 Clock synchronization
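The three A.9.7 controls above only pay off when the logs are actually watched and when the clocks of the hosts writing them agree; otherwise events from different machines cannot be put in order. The Python script below is an added example and is not material from the seminar or from the standard: it parses syslog-style lines that a central collector has stamped with its own receive time, reports hosts whose clocks drift beyond a tolerance (A.9.7.3), and flags accounts with a burst of failed logons (A.9.7.2). The log format, host names, thresholds and every log line are constructed for the demonstration.

```python
"""Added example (not from the seminar): a small A.9.7-style log monitor.

Each record is (collector_receive_time, raw_line). The collector stamps its
own receive time so that each sender's clock drift can be measured.
Hosts, log format, thresholds and all sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format: "<host> <sender ISO timestamp> <EVENT> [user=<name>]"
LINE_RE = re.compile(
    r"^(?P<host>\S+) (?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<event>[A-Z_]+)(?: user=(?P<user>\S+))?$"
)

# Constructed sample: web01 keeps good time, db02 runs about ten minutes slow.
SAMPLE_LOG = [
    ("2004-03-01T09:00:01", "web01 2004-03-01T09:00:00 LOGIN_FAIL user=alice"),
    ("2004-03-01T09:00:31", "web01 2004-03-01T09:00:30 LOGIN_FAIL user=alice"),
    ("2004-03-01T09:01:01", "web01 2004-03-01T09:01:00 LOGIN_FAIL user=alice"),
    ("2004-03-01T09:01:31", "db02 2004-03-01T08:51:30 LOGIN_FAIL user=alice"),
    ("2004-03-01T09:02:01", "web01 2004-03-01T09:02:00 LOGIN_FAIL user=alice"),
    ("2004-03-01T09:02:31", "web01 2004-03-01T09:02:30 LOGIN_FAIL user=alice"),
    ("2004-03-01T09:03:00", "web01 2004-03-01T09:02:59 LOGIN_OK user=bob"),
    ("2004-03-01T09:10:00", "db02 2004-03-01T08:59:58 LOGIN_FAIL user=bob"),
    ("2004-03-01T09:40:00", "web01 2004-03-01T09:39:59 LOGIN_FAIL user=bob"),
]


def parse_line(line):
    """Split one raw line into host, sender timestamp, event and optional user."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    fields = m.groupdict()
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def clock_skew_report(records, tolerance=timedelta(seconds=60)):
    """A.9.7.3: hosts whose sender timestamps drift from the collector's clock.

    Returns {host: worst observed skew in whole seconds} for hosts beyond tolerance.
    """
    worst = defaultdict(lambda: timedelta(0))
    for received_at, line in records:
        event = parse_line(line)
        skew = abs(event["ts"] - datetime.fromisoformat(received_at))
        worst[event["host"]] = max(worst[event["host"]], skew)
    return {host: int(skew.total_seconds())
            for host, skew in worst.items() if skew > tolerance}


def failed_logon_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """A.9.7.2: users with at least `threshold` LOGIN_FAIL events inside any `window`.

    Receive time is used deliberately: a slow sender clock would otherwise scatter
    one burst across the timeline, which is why A.9.7.3 matters for correlation.
    Returns {user: largest count seen in one window}.
    """
    per_user = defaultdict(list)
    for received_at, line in records:
        event = parse_line(line)
        if event["event"] == "LOGIN_FAIL" and event["user"]:
            per_user[event["user"]].append(datetime.fromisoformat(received_at))

    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


if __name__ == "__main__":
    print("clock skew beyond tolerance:", clock_skew_report(SAMPLE_LOG))
    print("failed-logon bursts:", failed_logon_bursts(SAMPLE_LOG))
```

On the constructed sample the skew report names db02 (about ten minutes slow) and the burst detector names alice (six failures in under three minutes); bob's two failures are half an hour apart and stay below the threshold. In a real deployment the receive timestamp comes from the collector, and a host that shows up in the skew report is the one whose own events cannot be trusted for ordering until its clock is fixed.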
Main Information Security Issues
40% of organizations do not investigate information security incidents
– A.6.3 Responding to security incidents and malfunctions
– Objective: To minimize the damage from incidents or malfunctions and to monitor and learn from such incidents
• A.6.3.1 Reporting security incidents
• A.6.3.4 Learning from incidents
Main Information Security Issues
Critical business systems are increasingly interrupted - over 75% of organizations experienced unexpected unavailability
– A.8.2 System planning and acceptance
– Objective: To minimize the risk of systems failures
• A.8.2.1 Capacity planning
• A.8.2.2 System acceptance
Main Information Security Issues
Business continuity plans exist in only 53% of organizations
– A.11 Business continuity management
– Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters
• A.11.1.1 Business continuity management process
• A.11.1.3 Writing and implementing continuity plans
• A.11.1.5 Testing, maintaining, and re-assessing business continuity plans
Main Information Security Issues
Only 41% of organizations are concerned about internal attacks on systems, despite overwhelming evidence of the high number of attacks from within organizations
– A.6 Personnel Security
• Objective: To reduce the risks of human error, theft, fraud, or misuse of facilities
– A.7 Physical and environmental security
• Objective: To prevent unauthorized access, damage, and interference to business premises and information
Main Information Security Issues
Less than 50% of organizations have information security training and awareness programs
– A.6.2 User Training
– Objective: To ensure that users are aware of information security threats and concerns and are equipped to support organizational security policy in the course of their normal work
4 Information Security Management System
4.1 General requirements
4.2 Establishing and managing the ISMS
– Refer to the PDCA model
4.3 Documentation Requirements
5 Management Responsibility
5.1 Management commitment
5.2 Resource management
Network security organization: A1.pdf
6 Management Review of the ISMS
6.1 General
6.2 Review input
6.3 Review output
6.4 Internal ISMS audits
7 ISMS Improvement
7.1 Continual improvement
7.2 Corrective action
7.3 Preventive action
BS 7799-2 Control Sections
A.3 Security policy
A.4 Organizational security
A.5 Asset classification and control
A.6 Personnel security
A.7 Physical and environmental security
Security policies for network users: A2.pdf
BS 7799-2 Control Sections
A.8 Communications and operations management
A.9 Access control
A.10 System development and maintenance
A.11 Business continuity management
A.12 Compliance
Proposed framework for a network incident handling plan: A3.pdf
Implementation Methodology
Business Seminar
Based on ISO/IEC 17799
Establishing Security Requirements
Assessment of risks to the organization
– Identify threats to assets, vulnerability to and likelihood of occurrence, potential impact
Legal, statutory, regulatory, contractual requirements
– These requirements must be met by the organization, trading partners, contractors, and service providers
Set of principles, objectives, and requirements for information processing developed by the organization in order to support its operations
Implementation Process
(Flow diagram; boxes in the order they appear on the slide:)
• Purchase the standard
• Consider training
• Assemble a team and agree upon strategy
• Identify information assets
• Determine the value of information assets
• Determine risk
• Determine policy and the degree of assurance required from controls
• Identify control objectives and controls
• Define the scope
• Review consultancy options
ISMS Documentation
(Four-level pyramid)
• Level 1: Security manual (policy, scope, risk assessment, statement of applicability). Management framework policies relating to BS 7799-2 Clause 4.
• Level 2: Procedures. Describes processes – who, what, when, where (4.1- 4.10).
• Level 3: Work instructions, checklists, forms, etc. Describes how tasks and specific activities are done.
• Level 4: Records. Provides objective evidence of compliance with ISMS requirements (clause 3.6).
IT Security
Business Seminar
Based on ISO/IEC 17799
Process View of Security
(Diagram: Architecture, People, Awareness, Technologies)
People: Everyone has a role in information security.
Architecture: Aligns security with business, sets management expectations.
Awareness: For expectations to be adhered to they have to be communicated.
Technologies: Security is enforced through selection of products that support the architecture requirements.
Secure Computing in the Internet age
• The Internet threat
• Setting the IT security policy framework with BS 7799
• Assessing and managing risks
• Defining the security requirement
• Designing the security architecture
• Enabling secure e-business
• Implementing and managing secure e-business solutions
• Security Lifecycle
The Internet Threat
Business Seminar
Based on ISO/IEC 17799
Security Breaches
All Systems
– Viruses 85%
– Insider abuse of Internet Access 79%
– Denial of Service 27%
Web sites
– Vandalism 64%
– Denial of Service 60%
– Theft of transactional information 8%
– Financial Fraud 3%
Challenges
Internet transactions need to achieve
Privacy
Maintainability
– Requires constant changing
– Standards and Technologies Evolving
– Intruders becoming more sophisticated
Security
– Confidentiality
– Integrity
– Availability
– Non-repudiation
Setting the IT security policy framework
Business Seminar
Based on ISO/IEC 17799
Setting the IT security policy framework
BS7799 (ISO 17799)
• Define Security Policy
• Define Scope of Information Security Management System
• Conduct Risk Assessment
• Select controls from section 4 of BS7799 part 2
• Prepare statement of applicability
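The steps on this slide, together with the risk assessment step from "Establishing Security Requirements" (threats to assets, likelihood of occurrence, potential impact) and its second source of requirements (legal, statutory, regulatory and contractual), lend themselves to a worked example. The Python below is added here and is not the seminar's material or an implementation from the standard: it scores each asset/threat pair, treats every risk at or above a threshold by pulling in the controls mapped to that threat, adds controls that a contractual requirement imposes regardless of score, and emits a statement of applicability that lists every catalogue control as applicable or not, each with its justification. The asset list, the 1-to-3 scales, the threat-to-control mapping, the threshold and the "required by contract" entry are all constructed; the control numbers and names are the ones the seminar cites from BS 7799-2.

```python
"""Added example (not from the seminar): qualitative risk assessment feeding
control selection and a statement of applicability (SoA).

Scales, assets, scores, the threat-to-control mapping and the mandatory
control are constructed; control ids/names are those cited on the slides.
"""
from dataclasses import dataclass

# Constructed scales: likelihood and impact both run 1 (low) .. 3 (high);
# risk = likelihood x impact, and any risk >= TREATMENT_THRESHOLD is treated.
TREATMENT_THRESHOLD = 4


@dataclass(frozen=True)
class Exposure:
    asset: str
    threat: str
    likelihood: int  # 1..3
    impact: int      # 1..3

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


# Small catalogue built from control numbers the seminar cites (BS 7799-2 Annex A).
CONTROL_CATALOGUE = {
    "A.6.3.1": "Reporting security incidents",
    "A.6.3.4": "Learning from incidents",
    "A.8.2.1": "Capacity planning",
    "A.8.2.2": "System acceptance",
    "A.9.7.1": "Event logging",
    "A.9.7.2": "Monitoring system use",
    "A.9.7.3": "Clock synchronization",
    "A.11.1.1": "Business continuity management process",
    "A.11.1.3": "Writing and implementing continuity plans",
    "A.11.1.5": "Testing, maintaining and re-assessing continuity plans",
}

# Constructed mapping: which catalogue controls treat which threat.
THREAT_CONTROLS = {
    "unauthorised access": ["A.9.7.1", "A.9.7.2", "A.9.7.3"],
    "malware or intrusion incident": ["A.6.3.1", "A.6.3.4"],
    "system failure": ["A.8.2.1", "A.8.2.2"],
    "fire or flood": ["A.11.1.1", "A.11.1.3", "A.11.1.5"],
}

# Controls imposed by legal or contractual requirements apply whatever the score.
MANDATORY_CONTROLS = {"A.11.1.1": "required by customer contract (constructed)"}

# Constructed assessment input: one Exposure per asset/threat pair.
SAMPLE_EXPOSURES = [
    Exposure("customer database", "unauthorised access", 2, 3),
    Exposure("customer database", "system failure", 1, 3),
    Exposure("customer database", "fire or flood", 1, 3),
    Exposure("public web server", "unauthorised access", 3, 2),
    Exposure("public web server", "malware or intrusion incident", 3, 2),
    Exposure("public web server", "system failure", 2, 2),
    Exposure("office printer", "unauthorised access", 1, 1),
    Exposure("office printer", "fire or flood", 1, 1),
]


def risk_register(exposures):
    """Validate the scores and return the exposures highest risk first."""
    for e in exposures:
        if not (1 <= e.likelihood <= 3 and 1 <= e.impact <= 3):
            raise ValueError(f"score out of range for {e.asset}/{e.threat}")
    return sorted(exposures, key=lambda e: (-e.score, e.asset, e.threat))


def select_controls(exposures, threshold=TREATMENT_THRESHOLD):
    """Map control id -> justification: mandatory controls plus those treating risks >= threshold."""
    selected = dict(MANDATORY_CONTROLS)
    for e in risk_register(exposures):
        if e.score < threshold:
            continue
        for cid in THREAT_CONTROLS[e.threat]:
            # setdefault keeps the first (highest-risk) justification for a control
            selected.setdefault(cid, f"treats '{e.threat}' on {e.asset} (risk {e.score})")
    return selected


def statement_of_applicability(exposures, threshold=TREATMENT_THRESHOLD):
    """One row per catalogue control: (id, name, applicable, justification)."""
    selected = select_controls(exposures, threshold)
    rows = []
    for cid, name in CONTROL_CATALOGUE.items():
        if cid in selected:
            rows.append((cid, name, True, selected[cid]))
        else:
            rows.append((cid, name, False, "no assessed risk at or above treatment threshold"))
    return rows


if __name__ == "__main__":
    for cid, name, applicable, why in statement_of_applicability(SAMPLE_EXPOSURES):
        print(f"{cid:<9} {name:<55} {'Yes' if applicable else 'No':<4} {why}")
```

Running the module prints the SoA table. On the constructed input the unauthorised-access risks on the database and web server (score 6), the web server's incident risk (6) and its failure risk (4) pull in the A.9.7, A.6.3 and A.8.2 controls; A.11.1.1 is applicable only because the contract requires it, and A.11.1.3 and A.11.1.5 come out as not applicable with the reason recorded. That last line is the point of an SoA: a control left out has to carry a written justification, not just be missing.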
Setting the IT security policy framework
BS7799 (ISO 17799)
• Information security policy
• Information security infrastructure
• Information classification & control
• Personnel security
• Policy for physical and environmental security
• Responding to security incidents and malfunctions
• Operational procedures and responsibilities
Case Study
Policy : B1.pdf
Procedure : B2.pdf
Form : B3.pdf
Defining the security requirement
Business Seminar
Based on ISO/IEC 17799
Defining the security requirement
(Diagram, IT Security Framework: Security Requirements with the Authentication Framework, Network Defence, Business Services Security Framework, Confidentiality Framework and Trust Service Framework around it.)
IT Security Framework
Authentication Framework
– Users uniquely and unambiguously identified and granted access only when authorisation granted
Trust Services Framework
– Transactions traceable and accountable to authenticated individuals
Confidentiality Framework
– Information stored and transferred safely
Business Services Security Framework
– Applications should be designed and operated in a secure manner and their information assets properly protected. Business applications should include the web servers which host them.
Network Defence
– Computer equipment and data are protected against malicious attack and non-malicious failures.
Designing the security architecture
Business Seminar
Based on ISO/IEC 17799
Designing the security architecture
• Firewalls
• Virus protection
• Security standards
• Access controls
• Audit & monitoring
• Secure sockets layer
• Digital signatures
• X509 certificates
• Certificate management
• Intranets
• Extranets (VPN)
Organisations consider the following
1. Security policies must be in place
2. Conducted risk analysis
3. The system must be accredited !!
4. Authentication & access controls implemented
5. Regular accounting & auditing (internally & mailguards/firewalls)
6. Strictly controlled external connections to other systems/ organisations
Security Project Life Cycle
Business Seminar
Based on ISO/IEC 17799
Implementing & managing secure IT Business solutions
Security Project Life Cycle
(Diagram. Project phases: Requirements, Analysis, Design, Develop, Implement, Test, Live System. Security activities shown alongside them: Risk Assessment, Technical Options, Identify Security Products, Design Security Services, Integrate Security, Set-up Security, Test Security, Manage Security. Security Policy & Procedures is shown as a separate label.)
The Secure IT Business
(Network diagram. Elements shown: PKI, DS, and CA; PBX; Telco; Telco Modem Pool; Internal Network Scanner; Event Logger; Log Analyzer; Office Workstation; Modem Scanner; External Network Scanner; DSL & Cable Modems; Internet; Admin Computing; E-mail, Web, FTP; Dorms; IDS; DMZ; Dept. Connections. A "Policy" label is attached to each element.)