Documentos de Académico
Documentos de Profesional
Documentos de Cultura
fo
r
m
at
io
n
se
cu
rit
y
An introduction to ISO27k
This work is copyright 2012, Mohan Kamat and ISO27k Forum, some rights reserved.
It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License.
You are welcome to reproduce, circulate, use and create derivative works from this provided that:
(a) it is not sold or incorporated into a commercial product;
(b) it is properly attributed to the ISO27k Forum (www.ISO27001security.com); and
(c) any derivative works that are shared are subject to the same terms as this work.
A
ge
nd
a
What is information?
What is information security?
What is risk?
Introduction to the ISO standards
Managing information security
Your security responsibilities
IN
F
O
R
M
A
TI
O
N
Information
is an
asset
which,
ISO/IEC 27002:2005
In
fo
r
m
at
io
n
ty
pe
s
In
fo
lif
ec
yc
le
Information can be
Created
Owned (it is an asset)
Stored
Processed
Transmitted/communicated
Used (for proper or improper purposes)
Modified or corrupted
Shared or disclosed (whether appropriately or not)
Destroyed or lost
Stolen
Controlled, secured and protected throughout its
existence
5
Ke
y
te
r
m
Se
cu
rit
y
el
e
m
en
ts
PEOPLE
Staff &
management
PROCESSES
Business activities
TECHNOLOGY
IT, phones, pens
Pe
op
le
People
People who use or have an interest in our
information security include:
Shareholders / owners
Management & staff
Customers / clients, suppliers & business
partners
Service providers, contractors, consultants &
advisors
Authorities, regulators & judges
Our biggest threats arise from people (social
engineers, unethical competitors, hackers,
fraudsters, careless workers, bugs, flaws ), yet
our biggest asset is our people (e.g. securityaware employees who spot trouble early)
8
Pr
oc
es
se
s
Processes
Processes are work practices or workflows,
the steps or activities needed to
accomplish business objectives.
Processes are described in procedures.
Virtually all business processes involve
and/or depend on information making
information a critical business asset.
Te
ch
no
lo
gy
Technology
Information technologies
Cabling, data/voice networks and equipment
Telecommunications services (PABX, VoIP, ISDN,
videoconferencing)
Phones, cellphones, PDAs
Computer servers, desktops and associated data
storage devices (disks, tapes)
Operating system and application software
Paperwork, files
Pens, ink
Security technologies
Locks, barriers, card-access systems, CCTV
10
Va
lu
e
Information security is
valuable because it
Protects information against various threats
Ensures business continuity
Minimizes financial losses and other impacts
Optimizes return on investments
Creates opportunities to do business safely
Maintains privacy and compliance
We all depend on
information security
11
CI
A
Confidentiality
Making information accessible
only to those authorized to
use it
Integrity
Availability
Ensuring that information is
available when required
12
I
m
pa
ct
s
Ke
y
te
r
m
What is risk?
Risk is the possibility that a
vulnerability
leading to an adverse
threat
exploits a
in an information asset,
impact
on the organization
14
R
el
at
io
ns
hi
ps
Risk relationships
exploit
e
as
re
se
a
e
cr
in
pr
ng
ote
c
Vulnerabilities
Vulnerabilities
is i
rom
mp
co
c
in
ta
ga
ins
t
Threats
Threats
et
m
by
di
n
i
te
a
c
Security
Security
requirements
requirements
Risk
to
in
cr
ea
Information
Information
assets
assets
e
reduce
se
ha
v
Controls
Controls
Value
Value
15
Th
re
at
ag
en
t
Threat agent
16
M
ot
iv
e
Motive
17
Th
re
at
ty
pe
s
Hardware issue
So how do we
secure our
information
assets?
19
IS
O
27
k
1990s
Information Security Management Code of Practice produced
by a UK government-sponsored working group
Based on the security policy used by Shell
Became British Standard BS7799
2000s
Adopted by ISO/IEC
Became ISO/IEC 17799 (later renumbered ISO/IEC 27002)
ISO/IEC 27001 published & certification scheme started
Now
Expanding into a suite of information security standards
(known as ISO27k)
Updated and reissued every few years
20
IS
O
27
00
1
ISO 27001
Concerns the
management of information
management system
21
P
D
C
A
Plan-Do-Check-Act
ISMS PROCESS
Interested
Interested
parties
parties
Interested
Interested
parties
parties
Management
Management responsibility
responsibility
PLAN
PLAN
Establish
Establish
ISMS
ISMS
DO
DO
ACT
ACT
Implement
Implement &
&
operate
the
operate the
ISMS
ISMS
Information
Information
security
security
requirements
requirements
&
& expectations
expectations
Maintain
Maintain &
&
improve
improve
Managed
Managed
information
information
security
security
CHECK
CHECK
Monitor
Monitor &
&
review
ISMS
review ISMS
22
CON
TRO
L
CLA
USE
S
Information
Security Policy
Organisation
of Information
Security
Compliance
Business
Continuity
Planning
t
en
d
i
nf
o
C
y
lit
a
i
In
t
eg
r
ity
Asset
Management
INFORMATION
Human
Resource
Security
Incident
Management
Availability
System
Development
& Maintenance
Physical
Security
Access Control
Communication
& Operations
Management
23
CON
TRO
L
CLA
USE
S
24
CON
TRO
L
CLA
USE
S
Communications & operations management ensures the correct and secure operation of IT
Access control restrict unauthorized access to
information assets
Information systems acquisition, development &
maintenance build security into systems
Information security incident management deal
sensibly with security incidents that arise
Business continuity management maintain
essential business processes and restore any that fail
Compliance - avoid breaching laws, regulations,
policies and other security obligations
25
IMPL
EME
NTA
TIO
N
PRO
CESS
CYCL
E
IS POLICY
SECURITY
ORGANISATION
MANAGEMENT
REVIEW
PLAN
PLAN
Establish
Establish
ISMS
ISMS
ASSET
IDENTIFICATION
&
CLASSIFICATION
DO
DO
ACT
ACT
Implement
Implement &
&
Operate
Operate the
the
ISMS
ISMS
CORRECTIVE &
PREVENTIVE
ACTIONS
Maintain
Maintain &
&
Improve
Improve
CHECK
CHECK
Monitor
Monitor &
&
Review
Review ISMS
ISMS
CONTROL
SELECTION &
IMPLEMENTATION
CHECK
PROCESSES
OPERATIONALIZ
E THE PROCESES
26
Be
ne
fit
s
27
Sc
op
e
ISMS scope
28
Ke
y
do
cu
m
en
ts
29
VISI
ON
&
MIS
SIO
N
30
W
ho
Who is responsible?
Information Security Management Committee
Information Security Manager/CISO and Department
Incident Response Team
Business Continuity Team
IT, Legal/Compliance, HR, Risk and other departments
Audit Committee
you!
Bottom line:
Information security is everyones responsibility
31
Po
lic
y
32
INF
O
ASSE
T
CLAS
SIFI
CATI
ON
33
Cl
as
sif
ic
at
io
n
Confidentiality
Confidentiality of information concerns the protection of sensitive (and often highly
valuable) information from unauthorized or inappropriate disclosure.
Confidentiality
level
High
Medium
Low
8/24/
Explanation
Information which is very sensitive or private, of
great value to the organization and intended for
specific
individuals
only.
The
unauthorized
disclosure of such information can cause severe
harm such as legal or financial liabilities,
competitive disadvantage, loss of brand value e.g.
merger and acquisition related information,
marketing strategy
Information belonging to the company and not for
disclosure to public or external parties. The
unauthorized disclosure of this information may
harm
to
the
organization
somewhat
e.g.
organization charts, internal contact lists.
Non-sensitive information available for public
disclosure. The impact of unauthorized disclosure of
such information shall not harm Organisation
anyway. E.g. Press releases, Companys News
letters e.g. Information published on companys
website
Mohan Kamat
34
USE
R
Physical security
RESP
ONSI
BILI
TIES
Do
Do not
35
USE
R
RESP
ONSI
BILI
TIES
Password Guidelines
Use long, complicated passphrases - whole sentences if you can
Reserve your strongest passphrases for high security systems (dont
re-use the same passphrase everywhere)
Use famous quotes, lines from your favorite songs, poems etc. to
make them memorable
36
USE
R
RESP
ONSI
BILI
TIES
Internet usage
Use the corporate Internet facilities only for legitimate and
authorized business purposes
37
USE
R
RESP
ONSI
BILI
TIES
E-mail usage
Use corporate email for business purposes only
Follow the email storage guidelines
If you receive spam email, simply delete it.
If it is
offensive or you receive a lot, call the IT Help/Service Desk
38
USE
R
RESP
ONSI
BILI
TIES
Security incidents
Report information security incidents, concerns and
near-misses to IT Help/Service Desk:
Email
Telephone
Anonymous drop-boxes
Take their advice on what to do
39
Re
sp
on
si
bil
iti
es
41