Information Security
Management System
S.Arani
Agenda
Information Security Management System – Overview
The Standard – ISO 27001
ISO 27001 – 11 Domains
Real World…
Information Security Management System – Overview
Information Security Management System
Physical information
  e.g. paper forms, configuration documents, proposals, project progress reports, user guides, blueprints, reports …
Electronic information
  e.g. financial data (accounting system), student information (registry system), payroll information (HR system) …
Information Security Management System
"Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction." (Wikipedia)
Information Security Management System
An Information Security Management System (ISMS) is a systematic and structured approach to managing information so that it remains secure.
The core principles of information security
Confidentiality: keeping sensitive information protected, so that only authorized parties can access it.
Integrity: keeping information intact and valid, so that it is not altered or destroyed without authorization.
Availability: keeping information available and accessible to authorized users when they need it.
Why Manage Information Security?
[chart: IT security incident statistics]
Who Needs an ISMS (ISO 27001)?
Banks
Call centres
IT companies
Government and classified organizations
Manufacturing companies
Hospitals
Insurance companies, etc.
Advantages if an organization is ISMS certified
Provides a structured way of managing information security.
Provides an independent assessment.
Provides evidence and assurance.
Enhances information security governance.
Enhances the organization's global positioning and reputation.
Increases the level of information security in the organization.
The Standard – ISO27001
ISO 27001 Evolution
1995      BS 7799 Part 1
1998      BS 7799 Part 2
1999      New issue of BS 7799 Parts 1 & 2
Dec 2000  ISO/IEC 17799:2000
2002      New BS 7799-2
2005      New ISO/IEC 17799:2005 released; ISO/IEC 27001:2005 released
ISO Member Countries
The ISO 27001 Series
ISO 27000 – Principles and vocabulary
ISO 27001 – ISMS requirements
ISO 27002 – Code of practice for information security management (ISO/IEC 17799:2005, renumbered from 2007 onwards)
ISO 27003 – ISMS implementation guidelines (due 2007)
ISO 27004 – ISMS metrics and measurement (due 2007)
ISO 27005 – ISMS risk management
ISO 27006 – 27010 – allocated for future use
Dates marked "due" reflect the publication schedule at the time of this deck.
Overview of ISO 27001
An internationally recognized, structured methodology dedicated to information security.
A management process to evaluate, implement and maintain an Information Security Management System (ISMS).
A comprehensive set of controls comprising best practices in information security.
Applicable to all industry sectors.
Emphasis on prevention.
Not a technical standard.
Not a product- or technology-driven standard.
ISO 27001:2005 – PDCA
PLAN – Establish the ISMS
  • Scope
  • Policy
  • Risk Assessment (RA)
  • Risks
  • Control Objectives
  • Statement of Applicability (SoA)
  • Management Approval
DO – Implement and operate the ISMS
  • Risk Treatment Plan
  • Operate Controls
  • Training & Awareness
  • Manage Operations
CHECK – Monitor and review the ISMS
  • Monitoring Procedures
  • Regular Reviews
  • Internal ISMS Audit
  • Management Review
ACT – Maintain and improve the ISMS
  • Implement the identified improvements
  • Preventive and Corrective Action
  • Communicate the results
  • Ensure the improvements achieve their intended objectives
ISO 27001 – 11 Domains
11 Domains of ISMS
Overall, the standard (Annex A of ISO 27001:2005) is organized into:
  • Domain areas – 11
  • Control objectives – 39
  • Controls – 133
11 Domains (cont…)
Security Policy
  Security policy document approved and communicated
  Regular review of the policy document
Organization of Information Security
  Clear direction and visible management support
  Managed implementation of security controls
  Information security responsibilities defined
11 Domains (cont…)
Asset Management
  Information, software and physical asset inventory
  Information classification
  Information handling procedures
Human Resources Security
  Employment checks
  Confidentiality / non-disclosure agreements
  Information security training
  Disciplinary process for security violations
11 Domains (cont…)
Physical and Environmental Security
  Physical protection of premises and facilities
  Protection against natural disasters
  Protection against communication interception
  Clear desk policy
Communications and Operations Management
  Operating procedures
  Security requirements for contractors
  Detection and prevention of malicious software
  Data backup
  Network, e-mail, portable media and disposal management procedures
11 Domains (cont…)
Access Control
  User registration / deregistration process
  Password controls
  User access review
  Remote access control
  Audit logging
Information Systems Acquisition, Development and Maintenance
  Data validation
  Message authentication
  Cryptographic controls and key management
  Control over test data
  System change controls
11 Domains (cont…)
Information Security Incident Management
  Incident prioritization and classification
  Channels for incident reporting
  Incident escalation procedures
  Contacts of regulatory bodies and law enforcement agencies
Business Continuity Management
  Business continuity framework
  Established business continuity plans
  Regular business continuity tests
11 Domains (cont…)
Compliance
  Define compliance requirements
  Procedures implemented to comply with requirements (e.g. personal data / privacy protection)
  Regular compliance checks
ISO 27001:2005
There are several reasons why an organization might seek this certification. Some of the key benefits include:
Increased credibility and trust
Improved partner, customer and stakeholder confidence
Organizational and trading partner assurance
Demonstration to competent authorities that the organization observes all applicable laws and regulations
Competitive advantage and market differentiation
Reduced regulatory compliance costs
ISO 27001 can be…
Without genuine support from the top – a failure
Without proper implementation – a burden
With full support, proper implementation and ongoing commitment – a major benefit
Real World…
Questions?