information security management system

Upload: arani-srinivasan

Post on 15-Nov-2014

Page 1: Information security management system

Information Security Management System

S.Arani

Page 2: Information security management system

Agenda

Information Security Management System - Overview

The Standard – ISO27001

ISO27001 – 11 Domains

Real World…

Page 3: Information security management system

Information Security Management System - Overview

Page 4: Information security management system

Information Security Management System

Physical information, e.g. paper forms, configuration documents, proposals, project progress, user guides, blueprints, reports …

Electronic information, e.g. financial data (accounting system), student information (registry system), payroll information (HR system) …

Page 5: Information security management system

Information Security Management System

“Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.” (Wikipedia)

Page 6: Information security management system

Information Security Management Systems

An Information Security Management System (ISMS) is a systematic and structured approach to managing an organization’s information, and the people, processes and systems that handle it, so that it remains secure.

Page 7: Information security management system

The core principles of information security

“Confidentiality” is keeping sensitive information protected: it is disclosed only to those authorized to see it.

“Integrity” is keeping information intact and valid: it is accurate, complete and not altered without authorization.

“Availability” is keeping information available and accessible to authorized users when they need it.

Page 8: Information security management system

Why Manage Information Security?

[Chart: IT security incident statistics]

Page 9: Information security management system

Who Needs ISMS (ISO 27001)?

Banks

Call centers

IT companies

Government & classified organizations

Manufacturing concerns

Hospitals

Insurance companies, etc.

Page 10: Information security management system

Advantages if an organization is ISMS certified

Provide a structured way of managing information security.

Provide an independent assessment.

Provide evidence and assurance.

Enhance information security governance.

Enhance the organization’s global positioning and reputation.

Increase the level of information security in the organization.

Page 11: Information security management system

The Standard – ISO27001

Page 12: Information security management system

ISO 27001 Evolution

1995 – BS 7799 Part 1

1998 – BS 7799 Part 2

1999 – New issue of BS 7799 Part 1 & 2

Dec 2000 – ISO 17799:2000

2002 – New BS 7799-2

2005 – New ISO 17799:2005 released

2005 – ISO 27001:2005 released

Page 13: Information security management system

ISO Member Countries

[Map: ISO member countries]

Page 14: Information security management system

The ISO 27000 Series

ISO 27000 – Principles and vocabulary

ISO 27001 – ISMS requirements

ISO 27002 – Code of practice for information security management (the renumbered ISO/IEC 17799:2005, from 2007 onwards)

ISO 27003 – ISMS implementation guidelines (due 2007)

ISO 27004 – ISMS metrics and measurement (due 2007)

ISO 27005 – ISMS risk management

ISO 27006 – 27010 – allocated for future use

Page 15: Information security management system

Overview of ISO 27001

An internationally recognized structured methodology dedicated to information security.

A management process to evaluate, implement and maintain an Information Security Management System (ISMS).

A comprehensive set of controls comprised of best practices in information security.

Applicable to all industry sectors.

Emphasis on prevention.

Not a technical standard.

Not product or technology driven.

Page 16: Information security management system

ISO 27001:2005 – PDCA

PLAN – Establish the ISMS
• Scope
• Policy
• Risk Assessment (RA)
• Risks
• Control Objectives
• Statement of Applicability
• Management Approval

DO – Implement and operate the ISMS
• Risk Treatment Plan
• Operate Controls
• Training & Awareness
• Manage Operations

CHECK – Monitor and review the ISMS
• Monitoring Procedures
• Regular Reviews
• Internal ISMS Audit
• Management Review

ACT – Maintain and improve the framework
• Implement the identified improvements
• Preventive and Corrective Action
• Communicate the results
• Ensure the Improvements

Page 17: Information security management system

ISO27001 – 11 Domains

Page 18: Information security management system

11 Domains of ISMS

Overall, the controls in Annex A of the standard are organised into:

• Domain Areas – 11
• Control Objectives – 39
• Controls – 133

Page 19: Information security management system

11 Domains (cont…)

Security Policy
Security policy document approved and communicated.
Regular review of the policy document.

Organization of Information Security
Clear direction and visible management support.
Managed implementation of security controls.
Information security responsibilities defined.

Page 20: Information security management system

11 Domains (cont…)

Asset Management
Information, software & physical asset inventory
Information classification
Information handling procedures

Human Resource Security
Employment checks
Confidentiality/non-disclosure agreements
Information security training
Disciplinary process for security violations

Page 21: Information security management system

11 Domains (cont…)

Physical and Environmental Security
Physical protection of premises/facilities
Protection against natural disasters
Protection against communication interception
Clear desk policy

Communications and Operations Management
Operating procedures
Security requirements for contractors
Detection and prevention of malicious software
Data backup
Network, e-mail, portable media and disposal management procedures

Page 22: Information security management system

11 Domains (cont…)

Access Control
User registration/deregistration process
Password controls
User access review
Remote access control
Audit logging
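The access control items above say what a review must cover but not how one is run. The following is an added example, not code from the slide deck: a Python script that performs a user access review over a constructed account export (leavers still active, dormant accounts, privileged accounts with no accountable owner) and renders the findings as audit log lines. The account records, the field names, the 90-day dormancy threshold and the reviewer name are all assumptions made for the example.

```python
"""Added example (not from the slide deck): a user access review over
constructed account records, implementing the 'user registration/
deregistration', 'user access review' and 'audit logging' items of the
Access Control domain. All account data below is constructed; the field
names and the dormancy threshold are assumptions."""
from datetime import date

# Constructed sample export of a user directory (as an HR-linked IdM might produce).
ACCOUNTS = [
    {"user": "alice",   "role": "finance",  "privileged": False, "employed": True,
     "last_login": date(2014, 11, 10), "owner": "cfo"},
    {"user": "bob",     "role": "sysadmin", "privileged": True,  "employed": True,
     "last_login": date(2014, 11, 12), "owner": None},
    {"user": "carol",   "role": "registry", "privileged": False, "employed": False,
     "last_login": date(2014, 9, 1),   "owner": "registrar"},
    {"user": "dave",    "role": "payroll",  "privileged": True,  "employed": True,
     "last_login": date(2014, 6, 1),   "owner": "hr_head"},
    {"user": "svc_bkp", "role": "backup",   "privileged": True,  "employed": True,
     "last_login": date(2014, 11, 14), "owner": "it_ops"},
]

REVIEW_DATE = date(2014, 11, 15)  # constructed review date
DORMANT_DAYS = 90                 # assumed threshold; ISO 27001 does not prescribe one


def review_access(accounts, today, dormant_days=DORMANT_DAYS):
    """Return a list of (user, finding) pairs the reviewer must act on."""
    findings = []
    for a in accounts:
        if not a["employed"]:
            # Deregistration control: leavers must lose access promptly.
            findings.append((a["user"], "leaver-still-active"))
        if (today - a["last_login"]).days > dormant_days:
            # Dormant accounts are a common route for unnoticed misuse.
            findings.append((a["user"], "dormant"))
        if a["privileged"] and a["owner"] is None:
            # Privileged rights need an accountable owner who signs them off.
            findings.append((a["user"], "privileged-without-owner"))
    return findings


def audit_log_lines(findings, today, reviewer):
    """Render findings as append-only audit log lines: who reviewed what, when."""
    return [f"{today.isoformat()} reviewer={reviewer} user={u} finding={f}"
            for u, f in findings]


def run_review():
    """Run the review over the constructed export with the constructed date."""
    return review_access(ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for line in audit_log_lines(run_review(), REVIEW_DATE, "ciso"):
        print(line)
```

The ordering matters for evidence: the review runs against an exported snapshot, the findings are logged before anyone acts on them, and the log line records the reviewer, so an internal auditor can later show that the review happened and what it found.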

Information System Acquisition, Development and Maintenance
Data validation
Message authentication
Cryptography management
Control over testing data
System change controls
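As an added example for the "data validation" and "message authentication" items above (not code from the slide deck): a receiver that first checks an HMAC over a record exchanged between two internal systems and only then validates the record's fields. The payroll record format, the field rules, the sample messages and the shared key are constructed for the example; the authentication itself uses Python's standard hmac module.

```python
"""Added example (not from the slide deck): message authentication followed
by data validation for a record exchanged between two internal systems.
The record format, field rules, shared key and sample messages are
constructed assumptions for the example."""
import hmac
import hashlib
import json

# Constructed shared secret; in a real deployment it comes from a key store.
SHARED_KEY = b"example-shared-key-do-not-reuse"


def sign(payload: bytes, key: bytes = SHARED_KEY) -> str:
    """Hex HMAC-SHA256 over the exact bytes that are transmitted."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify(payload: bytes, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Constant-time comparison so a mismatch does not leak timing information."""
    return hmac.compare_digest(sign(payload, key), tag)


def validate_payroll_record(record: dict) -> list:
    """Input validation after authentication; returns the list of problems found."""
    problems = []
    if set(record) != {"employee_id", "amount", "currency"}:
        problems.append("unexpected or missing fields")
        return problems
    emp = record["employee_id"]
    if not (isinstance(emp, str) and emp.isdigit() and len(emp) == 6):
        problems.append("employee_id must be 6 digits")
    amt = record["amount"]
    if not (isinstance(amt, int) and 0 < amt <= 1_000_000):
        problems.append("amount must be a positive integer of minor units up to 1,000,000")
    if record["currency"] not in {"LKR", "USD"}:
        problems.append("unsupported currency")
    return problems


def receive(payload: bytes, tag: str):
    """Receiver side: authenticate first, then parse, then validate, then accept."""
    if not verify(payload, tag):
        # Reject before parsing: unauthenticated bytes never reach the parser.
        return ("rejected", "bad authentication tag")
    try:
        record = json.loads(payload)
    except ValueError:
        return ("rejected", "malformed JSON")
    if not isinstance(record, dict):
        return ("rejected", "record must be an object")
    problems = validate_payroll_record(record)
    if problems:
        return ("rejected", "; ".join(problems))
    return ("accepted", record)


# Constructed sample messages.
GOOD = json.dumps({"employee_id": "004512", "amount": 250000, "currency": "LKR"}).encode()
TAMPERED = GOOD.replace(b"250000", b"950000")      # amount changed in transit, tag unchanged
BAD_DATA = json.dumps({"employee_id": "4512", "amount": -5, "currency": "EUR"}).encode()

if __name__ == "__main__":
    tag = sign(GOOD)
    print(receive(GOOD, tag))
    print(receive(TAMPERED, tag))
    print(receive(BAD_DATA, sign(BAD_DATA)))
```

The two controls are deliberately separate: the HMAC tells the receiver that the sender holds the key and the bytes are unchanged, while field validation protects against a sender that is authentic but sends bad data. Neither check substitutes for the other.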

Page 23: Information security management system

11 Domains (cont…)

Information Security Incident Management
Incident prioritization & classification
Channels for incident reporting
Incident escalation procedures
Contacts of regulatory bodies and law enforcement agencies

Business Continuity Management
Business continuity framework
Established business continuity plans
Regular business continuity tests

Page 24: Information security management system

11 Domains (cont…)

Compliance
Define compliance requirements
Procedures implemented to comply with requirements (e.g. personal data/privacy protection)
Regular compliance checks

Page 25: Information security management system

ISO 27001:2005

There are several reasons why an organization might seek this certification. Some of the key benefits include:

Increased credibility and trust

Improved partner, customer and stakeholder confidence

Organizational and trading partner assurance

Demonstration to competent authorities that the organization observes all applicable laws and regulations

Competitive advantage and market differentiation

Reduced cost of regulatory compliance

Page 26: Information security management system

ISO27001 can be…

Without genuine support from the top – a failure

Without proper implementation – a burden

With full support, proper implementation and ongoing commitment – a major benefit

Page 27: Information security management system

Real World…

Page 28: Information security management system

[Image: real-world example]

Page 29: Information security management system

[Image: real-world example]

Page 30: Information security management system

Questions?