www.tuv.com: ISMS Sectors in Organizations (BS7799-2:2002) - Management - Security Policy (A.3) - Organizational security (A.4) - Asset classification and control (A.5) - Compliance

18 pages

Posted on 05-Jul-2020, Category: Documents

TRANSCRIPT

Page 1: www.tuv.com | ISMS Sectors in Organizations (BS7799-2:2002) | Management - Security Policy (A.3) - Organizational security (A.4) - Asset classification and control (A.5) - Compliance

Page 2:

2 / 18 © TÜV Secure iT GmbH 2003

Agenda

TÜV Secure iT GmbH – short introduction

Risk Analysis – Case Study

Certification Procedure

Page 3:

Let TÜV Secure iT Be Your Guide

Who we are.

Subsidiary of TÜV Rheinland Group

TÜV Secure iT: Specialists in durable security for IT infrastructure design and operation

Staff of approx. 30 experts (experience, specialists)

Competence Center on services in the areas of IT Processes, IT Security Management, IT Security Testing

Page 4:

Security Management for Agencies and Enterprises

Page 5:

Service areas (diagram): Analysis, Monitoring, Certification, Testing, Advice and Implementation, Concepts, Consulting, Verification

IT Security Management creates added value for existing and future business processes

Page 6:

Agenda

TÜV Secure iT GmbH – short introduction

Risk Analysis – Case Study

Certification Procedure

Page 7:

Assessed Organization

Government Institution (Administration): 1 HQ, 2 subsidiaries, 1300 employees total, 700 in the administrative sector, 1 CISO

Page 8:

Protection Requirements

Layers of the IT infrastructure and their components (diagram):

Infrastructure: area, electric power, air conditioning, access, cabling
Hardware: Mainframe, Midrange, Intel, storage systems, network components
System Software: OS/390, Unix, Windows, user systems (Nutzersysteme)
DB/DC systems, Middleware: DB2, ORACLE, MQ-Series, IMS, CICS, ...
Applications: ERP systems, ...

Identification of critical IT infrastructure

Business processes (Management Workshop, 1 day, 2 experts)

(Detailed Analysis, 2 days, 2 experts)

Page 9:

Identify Threats (Selection)

H: Hackers; Theft (electronically and physically); Non-technical staff (financial/accounting); Accidental; Inadequately trained IT staff; Backup operators; Technicians, Electricians

Non-Human: Floods; Lightning strikes; Plumbing; Viruses; Fire; Electrical; Air (dust); Heat control

(Detailed Analysis, 4 days, 2 auditors)

Page 10:

Risk matrix (1/2)

Matrix (diagram): rows = Likelihood of occurrence (high / medium / low); columns = Extent of damage (< 500K, 500K - < 1 Mio., 1 - < 10 Mio., > 10 Mio.)

(risk assessment, 3 days, 1 expert)

Page 11:

Risk matrix (2/2)

Matrix (diagram): rows = Likelihood of occurrence (high / medium / low); columns = Extent of damage (< 500K, 500K - < 1 Mio., 1 - < 10 Mio., > 10 Mio.)

Page 12:

Countermeasures

Process (diagram): risk identification -> evaluation -> measures -> monitoring

Risk identification: Risk A (Risk A 1, Risk A 2, Risk A 3, ...); Risk B (Risk B 1, Risk B 2, Risk B 3, Risk B 4, ...); Risk C (Risk C 1, Risk C 2, ...)

Evaluation: each risk (e.g. Risk A 1, Risk B 3, Risk C 2, Risk B 4) is plotted by Likelihood of occurrence against Extent of damage in EUR (EBIT)

Measures: measure 1, measure 2, measure 3, each raising the Security level from low towards high

(risk treatment plan, 2 days, 1 expert)
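The likelihood-by-damage matrix of the two preceding slides and the treatment plan on this one can be turned into a small, repeatable rating routine. The following is an added example, not code from the TÜV Secure iT deck: the three likelihood levels and the four EUR damage bands are taken from the slides, while the rating in each matrix cell (RISK_MATRIX), the sample risk register and the assumed effect of each countermeasure are assumptions made up for the example.

```python
"""Qualitative risk rating and treatment ordering modelled on the slides'
likelihood x extent-of-damage matrix. Added example; cell ratings, sample
risks and countermeasure effects are assumptions, not taken from the deck."""
from dataclasses import dataclass

LIKELIHOODS = ("low", "medium", "high")   # matrix rows, from the slides
LEVELS = ("low", "medium", "high")        # security level scale, from the slides

# Damage columns in EUR (upper bound exclusive), as on the risk matrix slide.
DAMAGE_BANDS = (
    (500_000, "< 500K"),
    (1_000_000, "500K - < 1 Mio"),
    (10_000_000, "1 - < 10 Mio"),
    (float("inf"), "> 10 Mio"),
)

# ASSUMED cell ratings: row = likelihood, column = damage band index 0..3.
RISK_MATRIX = {
    "high":   ("medium", "high",   "high",   "high"),
    "medium": ("low",    "medium", "high",   "high"),
    "low":    ("low",    "low",    "medium", "high"),
}


def damage_band(eur: float) -> int:
    """Index (0..3) of the damage column a loss figure falls into."""
    if eur < 0:
        raise ValueError("damage must be non-negative")
    for idx, (upper, _label) in enumerate(DAMAGE_BANDS):
        if eur < upper:
            return idx
    raise AssertionError("unreachable: last band is open-ended")


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str
    damage_eur: float


@dataclass(frozen=True)
class Measure:
    name: str
    applies_to: tuple           # names of the risks this measure treats
    likelihood_steps: int = 0   # 1 = one row down the matrix (high -> medium)
    damage_factor: float = 1.0  # residual loss as a fraction of the original


def rate(risk: Risk) -> str:
    """Look the risk up in the matrix and return its level."""
    if risk.likelihood not in LIKELIHOODS:
        raise ValueError(f"unknown likelihood {risk.likelihood!r}")
    return RISK_MATRIX[risk.likelihood][damage_band(risk.damage_eur)]


def apply_measure(risk: Risk, measure: Measure) -> Risk:
    """Residual risk after one measure; likelihood cannot drop below 'low'."""
    row = max(0, LIKELIHOODS.index(risk.likelihood) - measure.likelihood_steps)
    return Risk(risk.name, LIKELIHOODS[row], risk.damage_eur * measure.damage_factor)


def treatment_plan(risks, measures, target="low"):
    """Rank risks (highest level first, larger loss first within a level) and,
    for each, apply its measures in list order until the residual level is at
    or below `target`. Returns (name, before, after, applied measures, treated?)."""
    ranked = sorted(risks, key=lambda r: (LEVELS.index(rate(r)), r.damage_eur), reverse=True)
    plan = []
    for risk in ranked:
        before, residual, applied = rate(risk), risk, []
        for m in measures:
            if LEVELS.index(rate(residual)) <= LEVELS.index(target):
                break
            if risk.name in m.applies_to:
                residual = apply_measure(residual, m)
                applied.append(m.name)
        after = rate(residual)
        plan.append((risk.name, before, after, applied, LEVELS.index(after) <= LEVELS.index(target)))
    return plan


# Constructed sample register, loosely following the threat list on the slides.
SAMPLE_RISKS = [
    Risk("Risk A 1: fire in the HQ computer room", "low", 15_000_000),
    Risk("Risk B 3: virus outbreak on Windows clients", "high", 300_000),
    Risk("Risk C 2: theft of unencrypted backup tapes", "medium", 2_000_000),
    Risk("Risk B 4: backup operators inadequately trained", "medium", 800_000),
]
SAMPLE_MEASURES = [
    Measure("measure 1: fire suppression and off-site backup copy",
            ("Risk A 1: fire in the HQ computer room",), damage_factor=0.05),
    Measure("measure 2: central anti-virus and patch management",
            ("Risk B 3: virus outbreak on Windows clients",), likelihood_steps=1),
    Measure("measure 3: tape encryption and locked transport",
            ("Risk C 2: theft of unencrypted backup tapes",), damage_factor=0.10),
]

if __name__ == "__main__":
    for name, before, after, applied, done in treatment_plan(SAMPLE_RISKS, SAMPLE_MEASURES):
        flag = "" if done else "  (still above target: no measure assigned)"
        print(f"{name}: {before} -> {after} via {applied or 'none'}{flag}")
```

Running the block prints the ordered plan: the two "high" risks (Risk A 1, Risk C 2) come first and are brought to "low" by measure 1 and measure 3, Risk B 4 stays at "medium" because no measure is assigned to it, and Risk B 3 drops to "low" once measure 2 lowers its likelihood. Keeping the band edges and the matrix in one place is what makes an assessment like the slides' repeatable from one audit cycle to the next.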

Page 13:

ISMS Sectors in Organizations (BS7799-2:2002)

Management: Security Policy (A.3); Organizational security (A.4); Asset classification and control (A.5); Compliance / laws, regulations, agreements (A.12)

Personnel: Personnel Security (A.6)

Business processes: Risk Management (4.2.1); Business Continuity Management (A.11)

Access Control: Access Control (A.9)

Communications and Operations Management (A.8)

Planning / Projects: System Development and Maintenance (A.10)

Facility Management: Physical and Environmental Security (A.7)

Page 14:

Agenda

TÜV Secure iT GmbH – short introduction

Risk Analysis – Case Study

Certification Procedure

Page 15:

BS 7799 Certification by TÜV Secure iT

Phase 1: Pre-Assessment (assessment of protection requirements; appropriateness of security measures)

Phase 2: Assessment

Phase 3: Certification (issuing of the certificate)

Phase 4: Monitoring

Accompanying activities (diagram): validation of documentation (1, 2, 3), spot check audits, validation of project-related documentation

Page 16:

Time Frame (diagram)

Stage 1: implementation / improvement of the ISMS

Stage 2: Certification

January 2005 to June 2005

(certification assessment, 4 days, 2 auditors)

Page 17:

TÜV Rheinland Group certification body issues a certificate that is internationally recognized, provided an information security management system is effectively implemented and auditing was completed successfully.

ISO 17799 / BS 7799 Certification

Page 18:

Thank you for your attention!

Now I am ready to answer your questions