

Information Security Management System (ISMS) ISO/IEC 27001:2005

Agenda

- What is Information?
- What is Information Security?
- What is Risk?
- An Introduction to ISO 27001:2005 (ISMS)
- ISO 27001:2005 Features

Information

"Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected." (ISO 27002:2005)

Information Lifecycle

Information can be:

- Created
- Stored
- Processed
- Transmitted
- Used (for proper and improper purposes)
- Corrupted
- Lost
- Stolen
- Destroyed

Information Types

- Printed or written on paper
- Stored electronically
- Transmitted by post or by electronic means
- Shown on corporate videos
- Displayed or published on the web
- Spoken in conversations

"Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected." (ISO 27002:2005)

Information Security

What Is Information Security?

Information security is the process of protecting the confidentiality, integrity and availability (CIA) of information. Security is achieved by using several strategies at once, in combination with one another. Security is not something you buy, it is something you do: it requires people, processes and technology, supported by policies and procedures.

Security is about People, Process and Technology (PPT), not only about appliances or devices.

Information Security Benefits

1. Protects information from a range of threats
2. Ensures business continuity
3. Minimizes financial loss
4. Optimizes return on investment
5. Increases business opportunities

Business survival depends on information security.

Information Security Attributes

ISO 27002:2005 defines information security as the preservation of:

Confidentiality: ensuring that information is accessible only to those authorized to have access.

Integrity: safeguarding the accuracy and completeness of information and processing methods.

Availability: ensuring that authorized users have access to information and associated assets when required.

Security breaches lead to:

- Reputation loss
- Financial loss
- Intellectual property loss
- Legislative breaches leading to legal action (cyber law)
- Loss of customer confidence
- Business interruption costs

In short: loss of goodwill.

Information Security: Survey

Information security is an organizational problem rather than an IT problem. According to the survey cited in this deck:

- More than 70% of threats are internal
- More than 60% of culprits are first-time fraudsters

Biggest risk: people. Biggest asset: people.

What is Risk?

Vulnerability: a weakness in the organization, its IT systems or its network that can be exploited by a threat.

Threat: something that can potentially cause damage to the organization, its IT systems or its network.

Risk: the possibility that a threat exploits a vulnerability in an asset and causes damage or loss to that asset. As a rule of thumb:

Risk = Threat x Vulnerability x Asset value

Threat Identification

To identify threats, consider what could happen to the organization's information assets: disclosure (improper maintenance procedures, hackers); interruption (earthquake, fire, flood, malicious code, power failure); modification (data entry errors, hackers, malicious code); destruction (power spikes, fire, natural disasters); and removal (theft of data or systems).

Threats

- Employees
- External parties
- Low awareness of security issues
- Growth in networking and distributed computing
- Growth in the complexity and effectiveness of hacking tools and viruses
- Natural disasters, e.g. fire, flood, earthquake

Threat Sources

Source: External hackers
Motivation: challenge, ego, game playing
Threats: system hacking, social engineering, dumpster diving

Source: Internal hackers
Motivation: deadline, financial problems, disenchantment
Threats: backdoors, fraud, poor documentation, system attacks

Source: Terrorists
Motivation: revenge, political
Threats: social engineering, letter bombs, viruses, denial of service

Source: Poorly trained employees
Motivation: unintentional errors, programming errors, data entry errors
Threats: corruption of data, malicious code introduction, system bugs, unauthorized access

Categories of Threat (with examples)

1. Human errors or failures: accidents, employee mistakes
2. Compromise to intellectual property: piracy, copyright infringement
3. Deliberate acts of espionage or trespass: unauthorized access and/or data collection
4. Deliberate acts of information extortion: blackmail over information exposure or disclosure
5. Deliberate acts of sabotage or vandalism: destruction of systems or information
6. Deliberate acts of theft: illegal confiscation of equipment or information
7. Deliberate software attacks: viruses, worms, macros, denial of service
8. Deviations in quality of service from service providers: power and WAN issues
9. Forces of nature: fire, flood, earthquake, lightning
10. Technical hardware failures or errors: equipment failures or errors
11. Technical software failures or errors: bugs, code problems, unknown loopholes
12. Technological obsolescence: antiquated or outdated technologies

Risks & Threats

- High user knowledge of IT systems
- Theft, sabotage, misuse
- Virus attacks
- Systems and network failure
- Lack of documentation
- Lapses in physical security
- Natural calamities and fire

So how do we overcome these problems?

Information Security Management System (ISMS)

Introduction to ISO 27001: History

Early 1990s: The UK Department of Trade and Industry (DTI) established a working group; an Information Security Management Code of Practice was produced as a BSI-DISC publication.

1995: BS 7799 published as a UK standard.

1999: BS 7799-1:1999, the second revision, published.

2000: BS 7799-1 accepted by ISO and published as ISO/IEC 17799:2000.

2002: BS 7799-2:2002 published.

Introduction to ISO 27001: The Standards

ISO/IEC 27001:2005, Information technology - Security techniques - Information security management systems - Requirements.

ISO/IEC 27002:2005, Information technology - Security techniques - Code of practice for information security management.

ISO 27001:2005

ISO 27001 provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). The adoption of an ISMS should be a strategic decision for an organization. The design and implementation of an organization's ISMS are influenced by its needs and objectives, its security requirements, the processes it employs, and its size and structure. The standard can be used to assess conformance by interested internal and external parties.

Features of ISO 27001

- Plan, Do, Check, Act (PDCA) process model
- Process-based approach
- Stress on continual process improvement
- Scope covers information security, not only IT security
- Covers people, process and technology
- More than 5,600 organizations worldwide have been certified

The End

A human wall is always better than a firewall.

... Let us build a human wall along with the firewall.

