ISO 27001: A Business View, by Sripathi

Posted on 16-Jan-2015


Transcript

A Business View

Who Am I
M.S.Sripati
Information Security Enthusiast and Student
ISMS Implementer
CISA (cleared exam in June 2008)

What Am I NOT going to talk about
Nothing technical
Nothing on what information security is (this is a NULL chapter, for God's sake!)
Not much on some basic terms (Google devo bhav||)

What Am I going to talk about
Some cases where regular firewalls and web application security measures fail
What ISO 27001 is and how it helps us

Can you save your organization from these cases?

Someone using your ID card to enter a secure premise and steal/alter/delete some information
Copy/paste by developer
Password sharing
Kevin Mitnick (!)
Unlocked desktops/laptops
Password re-use
Writing passwords down on paper
Natural calamities
Legal fines (in case of data breach: HIPAA, PCI-DSS)
Work backlog in antivirus companies
Someone trying to get your personal data so that he/she can sell it underground
Some unknown third-party vendor working on your computer
Someone asking for a password while posing as a client
Some random mail asking you to click so that you can receive some money immediately
Social networking sites
Farmville and other third-party apps
An employee having high access to data/information and a shady past
No frisking of housekeeping personnel, putting information systems at risk (think about hardware key-loggers)
Taking pictures of code using a camera phone and a third-party app on it (think about an Android app AD)
Data getting lost because of a natural calamity (fire, flood, earthquake, etc.) while having a business requirement to resume work as soon as possible

So, what does it all mean?

Noteworthy points
Changing nature of security incidents
System ownage through an unsuspecting user's click
Info-sec as a business, both legit and non-legit
Humans as the weak link in the info-sec chain
Changing legal landscape (HIPAA, PCI-DSS)
Changing business landscape (threats to India from BRIC)

Implementer's Dilemma

Image source: http://gallery.trupela.com/

Legal Compliance (HIPAA, PCI-DSS, Data Protection Act)
Web Application Security
Human Awareness Quotient (Technical and Non-technical)
Network Security (Firewall, IDS, IPS, Antivirus, etc.)

Image copied from: http://pumapac.org/

Saving Private Ryan

What is ISO 27001
It specifies the requirements for establishing a comprehensive Information Security Management System (ISMS), helping an organisation achieve information security and give assurance to interested parties.

Interested parties are:
Shareholders / Owners
Management
Employees
Business Partners
Service Providers
Contractors
Customers / Clients
Regulators, etc.

PDCA Process (diagram)

Interested Parties bring their Information Security Requirements & Expectations into the ISMS process, and receive Managed Information Security as its output. Management Responsibility frames the ISMS process, which cycles through:

PLAN: Establish ISMS
DO: Implement & Operate the ISMS
CHECK: Monitor & Review ISMS
ACT: Maintain & Improve

Information Security Policy
Organisation of Information Security
Asset Management
Human Resource Security
Physical Security
Communication & Operations Management
Access Control
System Development & Maintenance
Incident Management
Business Continuity Planning
Compliance

Confidentiality, Integrity, Availability

Thank You

M.S.Sripati