Introduction to Information Security - TKK

Date post: 14-Apr-2018
Upload: dimas-ramananda
  • 7/27/2019 Introduction to Information Security - TKK


    Copyright 2013 BSI. All rights reserved.

Introduction to Information Security

Based on the Information Security Management System (BS ISO/IEC 27001:2005)

By Natalia Evianti

Information?

Information asset: knowledge or data that has value to the organisation. It may be:

Printed or written on paper

Stored electronically

Transmitted by post or using electronic means

Shown on corporate videos

Verbal, spoken in conversations

"Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected." (ISO 27002)


    Information Security

What's an ISMS?


ISO 27001: A Management System

Information Security Management System: part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security.

ISO 27001 IS ALL ABOUT RISK


What is information security?

Confidentiality, Integrity, Availability

ISO 27001:2005 defines Information Security as the preservation of:

Confidentiality: information is not made available or disclosed to unauthorized individuals, entities, or processes

Integrity: safeguarding the accuracy and completeness of assets

Availability: information is accessible and usable upon demand by an authorized entity

Note: in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved.


AIMS of ISO 27001

Provide best information security practices

Enable organizations to develop, implement and measure effective security management practice

Provide confidence and trust between trading organizations

Applicable to a wide range of organizations: large, medium and small


    Industries who can apply for ISO 27001

    Bank

    Insurance

    Security service provider

    University

    Hospital

    Telecommunication

    Government department

    Government subcontractor

    Travel agency

    Consultancy

    IT service provider

    Training course provider

    Online shopping

Wholesaler

    Stock Exchange

    Power station

    Water supplier

    Semiconductor

    Finance service provider

    Research center

    Military

    Medical service

    Manufacturing

    Automotive


Benefits of ISO 27001 & Certification

Systemic and holistic approach

Benefit from best practice as captured in the standard

Increase confidence of the organisation in its information security processes

Neutral, internationally recognised system helps overcome "not invented here" syndrome

Eases challenges of bringing systems together in different parts of an organisation, interoperability, etc.

Helps avoid arguments about which way is best in one or another person's opinion

Improve information security management

Reduce probability of information security breaches


    Benefits of ISO 27001 & Certification

When there is a breach, being able to demonstrate that an ISMS is in place may be some defence

Protect reputation/brand: easy to lose, very hard to rebuild

Independent verification that the system is in place, meets the requirements of ISO 27001 and is effective

Increase stakeholder confidence in the organisation's ability to protect their information

Independent view of the system's implementation and effectiveness that can provoke continual improvement

When it is demanded, satisfy the customer requirement to have a certified ISMS in place


    The ISO 27001 family of standards

    ISO 27000 Overview and vocabulary

    ISO 27001 Audit Requirements

    ISO 27002 Code of Practice (was ISO 17799:2005)

    ISO 27003 Implementation Guidance

ISO 27004 Measurement

ISO 27005 Risk Management

    ISO 27006 Requirements for Bodies providing Audit and Certification of ISMSs

    Also relevant:

    BS 7799-3:2006 Risk Management

    BS 31100:2011 Risk Management Code of Practice

    ISO TR 18044:2004 Information Security Incident Management


ISO 27001 General Clauses

4 Information security management system
4.1 General requirements
4.2 Establishing and managing the ISMS
4.2.1 Establish the ISMS
4.2.2 Implement and operate the ISMS
4.2.3 Monitor and review the ISMS
4.2.4 Maintain and improve the ISMS
4.3 Documentation requirements
4.3.1 General
4.3.2 Control of documents
4.3.3 Control of records

5 Management responsibility
5.1 Management commitment
5.2 Resource management
5.2.1 Provision of resources
5.2.2 Training, awareness and competence

6 Internal ISMS audits

7 Management review of the ISMS
7.1 General
7.2 Review input
7.3 Review output

8 ISMS improvement
8.1 Continual improvement
8.2 Corrective action
8.3 Preventive action


ISO 27001 Annex A (control domains)

A.5 Security Policy
A.6 Organisation
A.7 Asset Management
A.8 HR Security
A.9 Physical and Environmental Security
A.10 Communications & Operations Management
A.11 Access Controls
A.12 Systems Acquisition, Development and Maintenance
A.13 Security Incident Management
A.14 Business Continuity Management
A.15 Compliance

Implement ISO 27001:2005


ISO 27001 Annex A

Domain (control objectives / controls)

A.5 Security policy (1/2)
A.6 Organization of information security (2/11)
A.7 Asset management (2/5)
A.8 Human resources security (3/9)
A.9 Physical and environmental security (2/13)
A.10 Communications and operations management (10/32)
A.11 Access control (7/25)
A.12 Information systems acquisition, development and maintenance (6/16)
A.13 Information security incident management (2/5)
A.14 Business continuity management (1/5)
A.15 Compliance (3/10)

Total: 11 domains, 39 control objectives, 133 controls


Example of Control Requirements

A.5 IS Policy

Policy Document Approved by Management

A.6 Organization of IS

Contact with Authorities, Specialists and Professionals

A.7 Asset Management

Inventory and Ownership of Assets

Classify and Label Assets


    Example of Control Requirements

    A.8 Human Resources Security

Background Investigation Before Recruitment, Disciplinary Actions

    Training and Awareness

    Termination and Separation

    A.9 Physical and Environmental Security

    Perimeter and Secure Areas.

    Equipment, Facilities and Cabling Security.

    Equipment Disposal


    Example of Control Requirements

A.10 Communications and Operations

Change Management, Segregation of Duties

3rd Party Control

Capacity Management, Monitoring and Log Information

Control against Malicious Code

Back up

Network Security

Media Handling including Disposal

E-commerce

Clock Synchronization


    Example of Control Requirements

    A.11 Access Control

    User Registration and Privileges,

    Password, Clear Desk and Clear Screen

    Segregation in Networks

    Session time out

A.12 Information Systems Acquisition, Development and Maintenance

    Software control, Source Code Protection


    Example of Control Requirements

A.13 Incident Management: Reporting and Investigation

A.14 Business Continuity Management: BC Plan and Testing

A.15 Compliance: Intellectual Property Rights, Privacy of Personal Information, Technical Compliance (Pen Test)


Important Documents/Records in ISO 27001:2005

Information Security Policies

Risk Assessment

Statement of Applicability (SOA)


Risk Assessment Steps

1. Identification: assets, threats to the assets, vulnerabilities that may be exploited by the threats, and the impact that loss of C, I or A may have on the assets

2. Assess likelihood of security failures

3. Estimate levels of risk

4. Risk treatment: Avoid, Transfer, Accept or Apply Controls
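The four risk assessment steps above, carried through on a small constructed risk register as an added example (not code from the slides or from BSI). The 1-5 scoring scale, the "likelihood x worst-case impact" formula, the acceptance threshold of 8 and the sample entries are all assumptions; the control names in the sample come from the A.10/A.11 examples earlier in the deck.

```python
from dataclasses import dataclass, field

# Assumed scales (the slides give none): likelihood and impact 1-5, level >= 8 needs treatment.
ACCEPTANCE_THRESHOLD = 8
TREATMENTS = ("Avoid", "Transfer", "Accept", "Apply Controls")

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    impact: dict                    # impact of loss of "C", "I" and "A" on the asset
    likelihood: int                 # likelihood of the security failure
    treatment: str = "Accept"       # management's treatment decision
    controls: list = field(default_factory=list)

    def driver(self):  # step 1: which of C, I or A suffers most
        return max(self.impact, key=self.impact.get)

    def level(self):   # step 3: risk level = likelihood x worst-case impact
        return self.likelihood * self.impact[self.driver()]

def check_treatment(risk, threshold=ACCEPTANCE_THRESHOLD):
    """Step 4: is the recorded treatment defensible for this risk level?"""
    if risk.treatment not in TREATMENTS:
        return "REJECT: unknown treatment"
    if risk.level() < threshold:
        return "ok"  # within the acceptance criteria
    if risk.treatment == "Accept":
        return "REJECT: above threshold, needs Avoid, Transfer or Apply Controls"
    if risk.treatment == "Apply Controls" and not risk.controls:
        return "REJECT: no controls selected"
    return "ok"

def risk_register(risks, threshold=ACCEPTANCE_THRESHOLD):  # highest risk first
    rows = [(r.asset, r.threat, r.driver(), r.level(), r.treatment,
             check_treatment(r, threshold)) for r in risks]
    return sorted(rows, key=lambda row: -row[3])

# Constructed sample entries; control names come from the A.10/A.11 examples above.
SAMPLE = [
    Risk("Customer database", "Unauthorised disclosure", "Shared admin accounts",
         {"C": 5, "I": 3, "A": 2}, 3, "Apply Controls",
         ["A.11 User Registration and Privileges", "A.11 Password"]),
    Risk("File server", "Malicious code", "No tested backup", {"C": 2, "I": 4, "A": 5}, 2,
         "Apply Controls", ["A.10 Back up", "A.10 Control against Malicious Code"]),
    Risk("Office printer", "Hardware failure", "Ageing equipment", {"C": 1, "I": 1, "A": 2}, 3),
    Risk("Payment process", "Internal fraud", "No segregation of duties",
         {"C": 3, "I": 5, "A": 2}, 2, "Accept"),
]
```

Each row of `risk_register(SAMPLE)` gives the asset, threat, the property (C, I or A) driving the score, the level, the recorded treatment and a verdict; the "Payment process" entry is flagged because an above-threshold risk was simply accepted.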


Statement of Applicability

Include the following:

Control objectives and controls selected/implemented, and the reason

Exclusion of any control objectives and controls in Annex A, and the justification for their exclusion

Statement of Applicability against controls identified in Annex A of ISO 270

Clause     Applicability    Process Doc                                      Comment
A.5.1.1    Yes              Doc xxx
A.5.1.2    Yes              Doc xxx
A.9.1.5    Yes              Working in Secure Areas Doc 1.3                  Issue 1 dated 04/09/04
A.12.3     Not Applicable                                                    Company currently does not use or interface with any encrypted information
A.14.1.1   Yes              Business Continuity Management Process Doc 4.2   Issue 2 dated 22/10/04
A.15.1.6   Not Applicable                                                    Company currently does not use or interface with any encrypted information


    Thank you for participating!

    Information Security Management Systems

    (BS ISO/IEC 27001:2005)
