INFORMATION SECURITY

2. Sawsan Megahed

4. What is Information Security?

5. What is RISK?

6. An Introduction to ISO for information technology

7. User Responsibilities2

8. INFORMATION 'Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected’ BS ISO 27002:2005 3

10. Stored

11. Destroyed

12. Processed

13. Transmitted

14. Used – (For proper & improper purposes)

15. Corrupted

16. Lost

17. Stolen4

19. Stored electronically

20. Transmitted by post or using electronics means

21. Shown on corporate videos

22. Displayed / published on web

23. Verbal – spoken in conversations‘…Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected’ (BS ISO 27002:2005) 5

25. Security is achieved using several strategies

26. Security is achieved using several strategies simultaneously or used in combination with one another

27. Security is recognized as essential to protect vital processes and the systems that provide those processes

28. Security is not something you buy, it is something you do6

30. Monitored 24x7

31. Having People, Processes, Technology, policies, procedures,

32. Security is for PPT and not only for appliances or devices6/16/2011 7 Mohan Kamat

33. INFOSEC COMPONENTS Organization Staff PEOPLE Business Processes PROCESSES Technology used by Organisation TECHNOLOGY 6/16/2011 8 Mohan Kamat

35. Management

36. Employees

37. Business Partners

38. Service providers

39. Contractors

40. Customers / Clients

41. Regulators etc…6/16/2011 9 Mohan Kamat

43. Incident Reporting and Management

44. Change Requests process

45. Request fulfillment

46. Access management

47. Identity management

48. Service Level / Third-party Services Management

49. IT procurement process etc...10

51. Telecommunications services (PABX), including VoIP services , ISDN , Video Conferencing

52. Server computers and associated storage devices

53. Operating software for server computers

54. Communications equipment and related hardware.

55. Intranet and Internet connections

56. VPNs and Virtual environments

57. Remote access services

58. Wireless connectivity6/16/2011 11 Mohan Kamat

61. Clock in systems / Biometrics

62. Environmental management Systems: Humidity Control, Ventilation , Air Conditioning, Fire Control systems

64. Laptops, ultra-mobile laptops and PDAs

65. Thin client computing.

66. Digital cameras, Printers, Scanners, Photocopier etc.6/16/2011 12 Mohan Kamat

67. INFORMATION SECURITY INFORMATION SECURITY Protects information from a range of threats Ensures business continuity Minimizes financial loss Optimizes return on investments Increases business opportunities Business survival depends on information security. 6/16/2011 13 Mohan Kamat

70. Financial loss

71. Intellectual property loss

72. Legislative Breaches leading to legal actions (Cyber Law)

73. Loss of customer confidence

74. Business interruption costs LOSS OF GOODWILL 15 Mohan Kamat 6/16/2011

76. More than 60% culprits are First Time fraudsters

77. Biggest Risk : People

78. Biggest Asset : People

79. Social Engineering is major threat

80. More than 2/3rd express their inability to determine “Whether my systems are currently compromised?”6/16/2011 16 Mohan Kamat

81. WHAT IS RISK What is Risk? Risk: A possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset. Threat: Something that can potentially cause damage to the organisation, IT Systems or network. Vulnerability: A weakness in the organization, IT Systems, or network that can be exploited by a threat. 17

82. Relationship between Risk, Threats, and Vulnerabilities exploit Threats Vulnerabilities increase increase protect against expose Risk Controls * Information assets reduce indicate increase met by have Asset values Protection Requirements * Controls: A practice, procedure or mechanism that reduces risk 18

83. THREAT IDENTIFICATION Threat Identification Elements of threats Agent : The catalyst that performs the threat. Human Machine Nature 6/16/2011 19 Mohan Kamat

84. THREAT IDENTIFICATION Threat Identification Elements of threats Motive : Something that causes the agent to act. Accidental Intentional Only motivating factor that can be both accidental and intentional is human 6/16/2011 20 Mohan Kamat

85. THREAT IDENTIFICATION Threat Identification Elements of threats Results : The outcome of the applied threat. The results normally lead to the loss of CIA Confidentiality Integrity Availability 6/16/2011 21 Mohan Kamat

87. External Parties

88. Low awareness of security issues

89. Growth in networking and distributed computing

90. Growth in complexity and effectiveness of hacking tools and viruses

91. Natural Disasters eg. fire, flood, earthquake6/16/2011 22 Mohan Kamat

92. Threat Sources 6/16/2011 23 Mohan Kamat

93. 6/16/2011 24 Mohan Kamat

94. RISKS & THREATS High User Knowledge of IT Systems Theft, Sabotage, Misuse Virus Attacks Natural Calamities & Fire Systems & Network Failure Lack Of Documentation Lapse in Physical Security 25 Mohan Kamat 6/16/2011

95. SO HOW DO WE OVERCOME THESE PROBLEMS? 6/16/2011 26 Mohan Kamat

98. BS 7799-2:2002 published6/16/2011 27 Mohan Kamat

100. ISO 27001 ISO 27001 ISO 27001: This International Standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations). This International Standard specifies the requirements for establishing; implementing, operating, monitoring, reviewing, maintaining and improving documented ISMS within the context of the organization’s overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof. The ISMS is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties 6/16/2011 29 Mohan Kamat

101. FEATURES Features Features of ISO 27001 • Plan, Do, Check, Act (PDCA) Process Model • Process Based Approach • Stress on Continual Process Improvements • Scope covers Information Security not only IT Security • Covers People, Process and Technology • 5600 plus organisations worldwide have been certified • 11 Domains, 39 Control objectives, 133 controls 6/16/2011 30 Mohan Kamat

102. PDCA PROCESS PDCA Process ISMS PROCESS Interested Parties Interested Parties Management Responsibility PLAN Establish ISMS ACT Maintain & Improve DO Implement & Operate the ISMS Information Security Requirements & Expectations Managed Information Security CHECK Monitor & Review ISMS 6/16/2011 31 Mohan Kamat

103. CONTROL CLAUSES Information Security Policy Organisation of Information Security Compliance Asset Management Business Continuity Planning Integrity Confidentiality INFORMATION Human Resource Security Incident Management Availability Physical Security System Development & Maintenance Communication & Operations Management Access Control 32

105. Organisation Of Information Security - Management framework for implementation

106. Asset Management - To ensure the security of valuable organisational IT and its related assets

107. Human Resources Security - To reduce the risks of human error, theft, fraud or misuse of facilities.

108. Physical & Environmental Security -To prevent unauthorised access, theft, compromise , damage, information and information processing facilities.6/16/2011 33 Mohan Kamat

110. Access Control - To control access to information and information processing facilities on ‘need to know’ and ‘need to do’ basis.

111. Information Systems Acquisition, Development & Maintenance - To ensure security built into information systems

112. Information Security Incident Management - To ensure information security events and weaknesses associated with information systems are communicated.6/16/2011 34 Mohan Kamat

114. Compliance - To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements.6/16/2011 35 Mohan Kamat

115. IMPLEMENTATION PROCESS CYCLE PLAN Establish ISMS ACT Maintain & Improve DO Implement & Operate the ISMS CHECK Monitor & Review ISMS IS POLICY SECURITY ORGANISATION MANAGEMENT REVIEW ASSET IDENTIFICATION & CLASSIFICATION CORRECTIVE & PREVENTIVE ACTIONS CONTROL SELECTION & IMPLEMENTATION CHECK PROCESSES OPERATIONALIZE THE PROCESES 6/16/2011 36 Mohan Kamat

117. At the legal level – Compliance

118. At the operating level - Risk management

119. At the commercial level - Credibility and confidence

120. At the financial level - Reduced costs

121. At the human level - Improved employee awareness6/16/2011 37 Mohan Kamat

122. USER RESPONSIBILITIES WHO IS AT THE CENTRE OF SECU RITY U R - 6/16/2011 38 Mohan Kamat

123. USER RESPONSIBILITIES Information Security Policy IS Policy is approved by Top Management Policy is released on Intranet at http://xx.xx.xx.xx/ISMS/index.htm 6/16/2011 39 Mohan Kamat

124. INFO ASSET CLASSIFICATION CONFIDENTIAL: If this information is leaked outside Organisation, it will result in major financial and/or image loss. Compromise of this information will result in statutory, legal non- compliance. Access to this information must be restricted based on the concept of need-to-know. Disclosure requires the information owner’s approval. In case information needs to be disclosed to third parties a signed confidentiality agreement is also required. Examples include Customer contracts, rate tables, process documents and new product development plans. INTERNAL USE ONLY: If this information is leaked outside Organisation, it will result in Negligible financial loss and/or embarrassment. Disclosure of this information shall not cause serious harm to Organisation, and access is provided freely to all internal users. Examples include circulars, policies, training materials etc. PUBLIC: Non availability will have no effect. If this information is leaked outside Organisation, it will result in no loss. This information must be explicitly approved by the Corporate Communications Department or Marketing Department in case of marketing related information, as suitable for public dissemination. Examples include marketing brochures, press releases. 6/16/2011 40 Mohan Kamat Information Asset Classification

125. INFO ASSET CLASSIFICATION Confidentiality - Information Asset Confidentiality of information refers to the protection of information from unauthorized disclosure. The impact of unauthorized disclosure of confidential information can range from jeopardizing organization security to the disclosure of private data of employees. Following table provides guideline to determine Confidentiality requirements: 6/16/2011 41 Mohan Kamat

126. INFO ASSET CLASSIFICATION Integrity - Information Asset Integrity refers to the completeness and accuracy of Information. Integrity is lost if unauthorized changes are made to data or IT system by either intentional or accidental acts. If integrity of data is not restored back, continued use of the contaminated data could result in inaccuracy, fraud, or erroneous decisions. Integrity criteria of information can be determined with guideline established in the following Table. 6/16/2011 42 Mohan Kamat

127. Availability - Information Asset INFO ASSET CLASSIFICATION Availability indicates how soon the information is required, in case the same is lost. If critical information is unavailable to its end users, the organization’s mission may be affected. Following Table provides guideline to determine availability criteria of information assets. 6/16/2011 43 Mohan Kamat

128. NON INFO ASSET CLASSIFICATION Non-information Assets [Physical] Information is processed with the help of technology. The assets, which are helpful in creating, processing, output generation and storage. Such assets need to be identified and valued for the purpose of their criticality in business process. Asset valuation of non information / physical Assets like software, Hardware, Services is carried out based on different criteria applicable to the specific group of physical assets involved in organization’s business processes. 6/16/2011 44 Mohan Kamat

129. NON INFO ASSET CLASSIFICATION Confidentiality - Non-information Asset Confidentiality factor is to be determined by the services rendered by the particular asset in specific business process and the confidentiality requirement of the information / data processed or stored by the asset. This table provides a guideline to identify the Confidentiality requirements and its link to Classification label. 6/16/2011 45 Mohan Kamat

130. NON INFO ASSET CLASSIFICATION Integrity - Non Information Asset Integrity factor is to be determined by the reliability and dependability of the particular asset in specific business process and the Integrity requirement of the information / data processed or stored by the asset. This table provides a guideline to identify the Integrity requirements and its link to Classification label. 6/16/2011 46 Mohan Kamat

131. NON INFO ASSET CLASSIFICATION Availability - Non-information Asset Availability factor is to be determined on the basis of impact of non availability of the asset on the business process. This table provides a guideline to identify the Availability requirements and its link to Classification label. 6/16/2011 47 Mohan Kamat

132. PEOPLE ASSET CLASSIFICATION People Assets Information is accessed or handled by the people from within the organisation as well as the people related to organisation for business requirements. It becomes necessary to identify such people from within the organisation as well as outside the organisation who handle the organization’s information assets. The analysis such people, who has access rights to the assets of the organisation, is to be done by Business Process Owner i.e. process / function head. The people assets shall include roles handled by a. Employees b. Contract Employees c. Contractors & his employees 6/16/2011 48 Mohan Kamat

133. PEOPLE ASSET CLASSIFICATION Confidentiality - People Assets 6/16/2011 49 Mohan Kamat

134. PEOPLE ASSET CLASSIFICATION Integrity – People Assets 6/16/2011 50 Mohan Kamat

135. PEOPLE ASSET CLASSIFICATION Availability – People Assets 6/16/2011 51 Mohan Kamat

137. Wear Identity Cards and Badges

138. Ask unauthorized visitor his credentials

139. Attend visitors in Reception and Conference Room only

140. Bring visitors in operations area without prior permission

141. Bring hazardous and combustible material in secure area

142. Practice “Piggybacking”

143. Bring and use pen drives, zip drives, ipods, other storage devices unless and otherwise authorized to do so6/16/2011 52 Mohan Kamat

145. Use passwords that can be easily remembered by you

146. Change password regularly as per policy

147. Use password that is significantly different from earlier passwords

148. Use passwords which reveals your personal information or words found in dictionary

149. Write down or Store passwords

150. Share passwords over phone or Email

151. Use passwords which do not match above complexity criteria6/16/2011 53 Mohan Kamat

153. Do not access internet through dial-up connectivity

154. Do not use internet for viewing, storing or transmitting obscene or pornographic material

155. Do not use internet for accessing auction sites

156. Do not use internet for hacking other computer systems

157. Do not use internet to download / upload commercial software / copyrighted materialTechnology Department is continuously monitoring Internet Usage. Any illegal use of internet and other assets shall call for Disciplinary Action. 6/16/2011 54 Mohan Kamat

159. Follow the mail storage guidelines to avoid blocking of E-mails

161. Do not send unsolicited mails of any type like chain letters or E-mail Hoax

162. Do not send mails to client unless you are authorized to do so

163. Do not post non-business related information to large number of users

164. Do not open the mail or attachment which is suspected to be virus or received from an unidentified sender6/16/2011 55 Mohan Kamat

166. Telephone : xxxx-xxxx-xxxx

168. Do not attempt to interfere with, obstruct or prevent anyone from reporting incidents6/16/2011 56 Mohan Kamat

170. Ensure your system is locked when you are away

171. Always store laptops/ media in a lockable place

172. Be alert while working on laptops during travel

173. Ensure sensitive business information is under lock and key when unattended

174. Ensure back-up of sensitive and critical information assets

176. Always switch off your computer before leaving for the day

177. Keep your self updated on information security aspects6/16/2011 57 Mohan Kamat

178. Human Wall Is Always Better Than A Firewall . . . LET US BUILD A HUMAN WALL ALONG WITH FIREWALL 6/16/2011 58 Mohan Kamat

179. 6/16/2011 59 Mohan Kamat

INFORMATION SECURITY

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to INFORMATION SECURITY

Similar to INFORMATION SECURITY (20)

More from Ahmed Moussa

More from Ahmed Moussa (12)

Recently uploaded

Recently uploaded (20)

INFORMATION SECURITY