AGENDA
- What is Information?
- What is Information Security?
- What is Risk?
- An Introduction to ISO 27001:2005 (ISMS)
INFORMATION
"Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected." (ISO 27002:2005)
INFORMATION LIFECYCLE
INFORMATION TYPES
Information can be:
- Printed or written on paper
- Stored electronically
- Transmitted by post or using electronic means
"Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected." (ISO 27002:2005)
INFORMATION SECURITY
Information security is the process of protecting the confidentiality, integrity and availability (CIA) of data. Security is achieved by applying several strategies simultaneously or in combination with one another. Security is not something you buy, it is something you do. Having people, processes, technology, policies, procedures,
INFORMATION SECURITY
1. Protects information from a range of threats
2. Ensures business continuity
3. Minimizes financial loss
4. Optimizes return on investments
5. Increases business opportunities
INFORMATION
- Confidentiality
- Integrity
- Availability
LOSS OF GOODWILL
INFO SECURITY
WHAT IS RISK
Vulnerability: A weakness in the organization, IT systems, or network that can be exploited by a threat.
Threat: Something that can potentially cause damage to the organization, IT systems or network.
Risk: The possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset.
Risk = Threat * Vulnerability * Asset value
THREAT IDENTIFICATION
To identify threats, think about what could happen to the organization's information: disclosure (improper maintenance procedures, hackers); interruption (earthquake, fire, flood, malicious code, power failure); modification (data entry errors, hackers, malicious code); destruction (power spikes, fire, natural disasters); and removal (theft of data or systems).
THREATS
- Employees
- External Parties

Threat Sources
Source: External hackers; Internal hackers; Terrorist
Motivation: Challenge; Ego; Game playing; Deadline; Financial problems; Disenchantment
Threat: System hacking; Social engineering; Dumpster diving; Backdoors; Fraud; Poor documentation; System attacks; Social engineering; Letter bombs; Viruses; Denial of service; Corruption of data; Malicious code introduction; System bugs; Unauthorized access
Categories of Threat (with examples)
1. Human errors or failures: Accidents, employee mistakes
2. Compromise to intellectual property: Piracy, copyright infringements
3. Deliberate acts of espionage or trespass: Unauthorized access and/or data collection
4. Deliberate acts of information extortion: Blackmail of information exposure / disclosure
5. Deliberate acts of sabotage / vandalism: Destruction of systems / information
6. Deliberate acts of theft: Illegal confiscation of equipment or information
7. Deliberate software attacks: Viruses, worms, macros, denial of service
8. Deviations in quality of service from service provider: Power and WAN issues
9. Forces of nature: Fire, flood, earthquake, lightning
10. Technical hardware failures or errors: Equipment failures / errors
11. Technical software failures or errors: Bugs, code problems, unknown loopholes
12. Technological obsolescence
RISKS & THREATS
- High user knowledge of IT systems
- Theft, sabotage, misuse
- Virus attacks
- Lack of documentation
INTRODUCTION TO ISO 27001
History
Early 1990: DTI (UK) established a working group; Information Security Management Code of Practice produced as a BSI-DISC publication
1995: BS 7799 published as UK Standard
1999: BS 7799-1:1999 second revision published
2000: BS 7799-1 accepted by ISO and published as ISO 17799; BS 7799-2:2002 published
INTRODUCTION TO ISO 27001
History
ISO 27001:2005 Information technology. Security techniques. Information security management systems. Requirements
ISO 27002:2005 Information technology. Security techniques. Code of practice for information security management
ISO 27001:2005
ISO 27001 provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). The adoption of an ISMS should be a strategic decision for an organization. The design and implementation of an organization's ISMS is influenced by its needs and objectives, security requirements, the processes employed, and the size and structure of the organization. The ISO 27001 standard can be used to assess conformance by interested internal and external parties.
FEATURES
THE END