Date posted: 15-Jul-2015 | Category: Technology | Uploaded by: intellisenseit
INFORMATION SECURITY Management System Dr Kalpesh Parikh
What is Information?
“Information is an asset which, like other important business assets, has value to an organisation and consequently needs to be suitably protected.”
BS 7799-1:2000
Types of Information
• Printed or written on paper
• Stored electronically
• Transmitted by post or using electronic means
• Shown on corporate videos
• Verbal - spoken in conversations
“Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected.”
(ISO/IEC 17799: 2000)
Information Lifecycle
Information can be:
• Created
• Stored
• Processed
• Transmitted
• Used (for proper and improper purposes)
• Lost!
• Corrupted!
• Destroyed?
What is Information Security?
• Integrity: safeguarding the accuracy and completeness of information and processing methods
• Availability: ensuring that authorized users have access to information and associated assets when required
• Confidentiality: ensuring that information is accessible only to those authorized to have access
How to Achieve Information Security
• Attitude Building
• Efforts versus Value of Asset
• Segmentation
• Harmonization
• Concept of Insurance
• Managing Risk
• Objective Evidence through Monitoring and Analysis
Why an Information Security Management System?
Information is an Asset
• Theft may not even be noticed: information can be stolen without the owner knowing
• The challenge is that you do not know what you do not know
• Theoretically, any information can be stolen
• Affects everyone
• Technical measures and technology are only a subset of the complete domain
• Dynamic in nature
• Very complex to manage
ISMS - Commitment
“You have my full commitment… apart from money, time, resources and attention, and just so long as I don’t have to be involved.”
ISG - Risk Management – Onion Structure
Technology
Environment
Information
Human Firewall
Standards
Policies
Training
Processes
Management
ISMS – Information Assets and Valuation
• An inventory of all important assets shall be drawn up and maintained, and accountability for each asset shall be defined.
• What are assets? Anything to which the organisation assigns value, e.g. information assets, paper documents, software, physical assets, people, company image and reputation, services.
• Which assets? Those whose absence or degradation materially affects delivery of a product or service.
• Valuation: which scale? 0 to 5 (quantitative) or low to very high (qualitative).
ISMS - Risk Assessment
Threat:
“Potential to cause an unwanted incident which may result in harm to a system or organization and its assets.”
E.g. natural disaster, human, technological, theft/loss.
Vulnerability:
A vulnerability is a weakness or hole in an organisation’s information system.
E.g. unprotected cabling, unstable power grid, wrong allocation of passwords.
ISMS - Risk Assessment
Risk: the possibility of incurring misfortune or loss; hazard (to expose to danger or loss).
At Risk: vulnerable; likely to be lost or damaged.
Security Risk: the potential that a given threat will exploit vulnerabilities to cause loss or damage to an asset or group of information assets.
Measuring Risk:
Risk = Asset Value × Threat × Vulnerability × Probability of occurrence
ISMS - Risk Treatment Plan
A coordinated document defining the actions to reduce unacceptable risks and implement the required controls to protect information.
Direction: Treat, Transfer, Terminate, Tolerate
Treatment:
• Define an acceptable level of residual risk
• Constantly review threats and vulnerabilities
• Review existing controls
• Apply additional security controls
• Introduce policies and procedures
Controls: which controls? / selection of controls
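The risk formula from the Risk Assessment slide and the four treatment directions from this slide, worked through as an added example (not part of the original deck): each asset is valued on the 0-5 scale, scored as Value × Threat × Vulnerability × Probability, compared against an acceptable residual level, and assigned Tolerate, Terminate, Transfer or Treat. The valuation mapping, the threshold of 20, the `essential`/`insurable` attributes and the sample asset register are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Qualitative-to-quantitative asset valuation (assumed mapping onto the slide's 0-5 scale).
VALUE_SCALE = {"low": 1, "medium": 2, "high": 3, "very high": 4, "critical": 5}
# Assumed acceptable level of residual risk; the highest possible score is 5*5*5*1.0 = 125.
ACCEPTABLE_RESIDUAL = 20.0

@dataclass
class Asset:
    name: str
    value: str               # qualitative valuation, a key of VALUE_SCALE
    threat: int              # 0-5: capability/likelihood of the threat
    vulnerability: int       # 0-5: how exposed the asset is to that threat
    probability: float       # 0.0-1.0: chance the incident actually happens
    essential: bool = True   # False if the activity creating the risk can be stopped
    insurable: bool = False  # True if the loss can be transferred, e.g. by insurance

def risk_score(a, vulnerability=None):
    """Risk = Value x Threat x Vulnerability x Probability; pass a lower
    vulnerability to see the residual risk after a control is applied."""
    vuln = a.vulnerability if vulnerability is None else vulnerability
    if not (0 <= a.threat <= 5 and 0 <= vuln <= 5):
        raise ValueError(f"{a.name}: threat and vulnerability must be on the 0-5 scale")
    if not 0.0 <= a.probability <= 1.0:
        raise ValueError(f"{a.name}: probability must be between 0 and 1")
    return VALUE_SCALE[a.value] * a.threat * vuln * a.probability

def treatment_direction(a):
    """Pick one of the four directions against the acceptable residual level."""
    if risk_score(a) <= ACCEPTABLE_RESIDUAL:
        return "Tolerate"
    if not a.essential:
        return "Terminate"
    if a.insurable:
        return "Transfer"
    return "Treat"

def assess(register):
    """Treatment-plan rows (asset, score, direction), highest risk first."""
    rows = [(a.name, risk_score(a), treatment_direction(a)) for a in register]
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample asset register (not real data).
REGISTER = [
    Asset("customer database", "critical", 4, 4, 0.5),                    # 5*4*4*0.5 = 40
    Asset("server room power feed", "high", 3, 5, 0.6, insurable=True),   # 3*3*5*0.6 = 27
    Asset("printed visitor log", "low", 2, 3, 0.8),                       # 1*2*3*0.8 = 4.8
    Asset("legacy FTP export job", "medium", 5, 5, 0.9, essential=False), # 2*5*5*0.9 = 45
]
```

Calling `assess(REGISTER)` returns the plan rows in descending risk order; `risk_score(REGISTER[0], vulnerability=2)` shows the residual score once a control halves that asset's exposure, which drops it to the Tolerate level.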
ISMS - Statement of Applicability (SOA)
• The Statement of Applicability documents the control objectives and controls which the organization has selected as suitable to its business needs. The statement will also record the exclusion of any controls.
• Risk assessment will determine which controls should be implemented.
• Justification of which controls are relevant and which are not.
ISO 27001 (ISMS) Control Areas
1. Security Policy
2. Security Organization
3. Asset Classification and Control
4. Personnel Security
5. Physical and Environmental Security
6. Communications and Operations Management
7. Access Control
8. Systems Development and Maintenance
9. Business Continuity Planning
10. Compliance