Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
fo
r
m
at
io
n
se
Security awareness seminar
cu
rit
y
An introduction to ISO27k
This work is copyright 2012, Mohan Kamat and ISO27k Forum, some rights reserved.
It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License.
You are welcome to reproduce, circulate, use and create derivative works from this provided that:
(a) it is not sold or incorporated into a commercial product;
(b) it is properly attributed to the ISO27k Forum (www.ISO27001security.com); and
(c) any derivative works that are shared are subject to the same terms as this work.
A
ge
nd
a
What is information?
What is information security?
What is risk?
Introduction to the ISO standards
Managing information security
Your security responsibilities
2
IN
F
O
R
M
A
TI
O Information is an asset which,
N
like other important business
assets, has value to an
organization and consequently needs
to be suitably protected
ISO/IEC 27002:2005
3
In
fo
r
m
Information exists in many forms:
at Printed or written on paper
io Stored electronically
n
ty Transmitted by post or electronic means
pe Visual e.g. videos, diagrams
s Published on the Web
Verbal/aural e.g. conversations, phone calls
Intangible e.g. knowledge, experience, expertise,
ideas
4
In
fo
lif Information can be
ec
yc Created
le
Owned (it is an asset)
Stored
Processed
Transmitted/communicated
Used (for proper or improper purposes)
Modified or corrupted
Shared or disclosed (whether appropriately or not)
Destroyed or lost
Stolen
Controlled, secured and protected throughout its
existence
5
Ke
y
te
What is information security?
r
m Information security is what keeps valuable information free of danger
(protected, safe from harm)
6
Se
cu
rit
y
el
e
m
en
ts PEOPLE
Staff &
management
PROCESSES
Business activities
TECHNOLOGY
7
Pe
op
le
People
People who use or have an interest in our
information security include:
Shareholders / owners
Management & staff
Customers / clients, suppliers & business
partners
Service providers, contractors, consultants &
advisors
Authorities, regulators & judges
9
Te
ch
no Technology
lo
gy Information technologies
Cabling, data/voice networks and equipment
Telecommunications services (PABX, VoIP, ISDN,
videoconferencing)
Phones, cellphones, PDAs
Computer servers, desktops and associated data
storage devices (disks, tapes)
Operating system and application software
Paperwork, files
Pens, ink
Security technologies
Locks, barriers, card-access systems, CCTV
10
Va
lu Information security is
e valuable because it
Protects information against various threats
Ensures business continuity
Minimizes financial losses and other impacts
Optimizes return on investments
Creates opportunities to do business safely
Maintains privacy and compliance
We all depend on
information security
11
CI
A Information security is defined
as the preservation of:
Confidentiality
Making information accessible
only to those authorized to
use it
Integrity
Safeguarding the accuracy and
completeness of information and
processing methods
Availability
Ensuring that information is
available when required
12
I
m Security incidents cause
pa
ct IT downtime, business interruption
13
Ke
y What is risk?
te
r
m Risk is the possibility that a threat exploits a
vulnerability in an information asset,
leading to an adverse impact on the organization
14
R
el
at
Risk relationships
io
ns exploit
Vulnerabilities
Threats
Threats Vulnerabilities
hi
ps
co
t
ins
se
mp
a
in
ga
e
rom
cr
c re
ta
in
as
is i
c
e
ote
ng
pr
Risk
reduce to Information
Information
Controls
Controls assets
assets
in
m
cr
te ea
et
e
c a
v
se
di
by
ha
in
Security
Security Value
Value
requirements
requirements
15
Th
re
at Threat agent
ag
en
t
The actor that represents, carries out
or catalyzes the threat
Human
Machine
Nature
16
M
ot Motive
iv
e
17
Th
re Threat type Example
at Typo, wrong attachment/email
ty Human error address,
pe lost laptop or phone
s Intellectual
Piracy, industrial espionage
property
Unauthorized access/trespass, data
theft, extortion, blackmail, sabotage,
Deliberate act
vandalism, terrorist/activist/criminal
activity
Fraud Identity theft, expenses fraud
System/network
Viruses, worms, Trojans, hacks
attack
Service issue Power cuts, network outages
Fire, flood, storm, earthquake,
Force of nature
lightning, tsunami, volcanic eruption
Computer power supply failure,
Hardware issue
lack of capacity 18
So how do we
secure our
information
assets?
19
IS
O A brief history of ISO27k
27
k
1990s
Information Security Management Code of Practice produced
by a UK government-sponsored working group
Based on the security policy used by Shell
Became British Standard BS7799
2000s
Adopted by ISO/IEC
Became ISO/IEC 17799 (later renumbered ISO/IEC 27002)
ISO/IEC 27001 published & certification scheme started
Now
Expanding into a suite of information security standards
(known as ISO27k)
Updated and reissued every few years
20
IS
O
27 ISO 27001
00
1
Concerns the management of information
security, not just IT/technical security
Formally specifies a management system
Uses Plan, Do, Check, Act (PDCA) to achieve,
maintain and improve alignment of security with
risks
Covers all types of organizations (e.g. commercial
companies, government agencies, not-for-profit
organizations) and all sizes
Thousands of organizations worldwide have been
certified compliant
21
P Plan-Do-Check-Act
D
ISMS PROCESS
C
A Interested
Interested
parties
parties
Management
Management responsibility
responsibility Interested
Interested
parties
parties
PLAN
PLAN
Establish
Establish
ISMS
ISMS
DO
DO ACT
Implement
ACT
Implement && Maintain
Maintain &
&
operate the
operate the improve
improve
ISMS
ISMS
Information
Information Managed
Managed
security
security CHECK
CHECK information
information
requirements
requirements Monitor
Monitor &
& security
security
&
& expectations
expectations review ISMS
review ISMS
22
CON
TRO
L Information
CLA Security Policy
USE Organisation
Compliance of Information
S Security
y
alit In
t
Business t i eg
Asset
Continuity den r ity
i Management
Planning
onf
C
INFORMATION
Human
Incident
Resource
Management
Security
Availability
System
Physical
Development
Security
& Maintenance
Communication
Access Control & Operations
Management
23
CON
TRO
L Information security policy - management
CLA direction
USE Organization of information security -
S
management framework for implementation
Asset management assessment, classification
and protection of valuable information assets
HR security security for joiners, movers and
leavers
Physical & environmental security - prevents
unauthorised access, theft, compromise, damage to
information and computing facilities, power cuts
24
CON
TRO Communications & operations management -
L ensures the correct and secure operation of IT
CLA Access control restrict unauthorized access to
USE
S information assets
Information systems acquisition, development &
maintenance build security into systems
Information security incident management deal
sensibly with security incidents that arise
Business continuity management maintain
essential business processes and restore any that fail
Compliance - avoid breaching laws, regulations,
policies and other security obligations
25
IMPL
EME
NTA
TIO IS POLICY
N
PRO
CESS SECURITY
ORGANISATION
MANAGEMENT
REVIEW
CYCL
E PLAN
PLAN
Establish
Establish
ISMS
ISMS
DO
ASSET
DO
Implement
Implement & &
ACT
ACT
Maintain CORRECTIVE &
IDENTIFICATION Operate
Operate the
the Maintain &
& PREVENTIVE
& ISMS Improve
Improve
CLASSIFICATION
ISMS ACTIONS
CHECK
CHECK
Monitor
Monitor &
&
Review
Review ISMS
ISMS
CONTROL
CHECK
SELECTION &
PROCESSES
IMPLEMENTATION
OPERATIONALIZ
E THE PROCESES
26
Be
ne
fit
s
27
Sc
op ISMS scope
e
28
Ke
y
do Key ISMS documents
cu
m
en High level corporate security policy
ts
Supporting policies e.g. physical &
environmental, email, HR, incident
management, compliance etc.
Standards e.g. Windows Security Standard
Procedures and guidelines
Records e.g. security logs, security review
reports, corrective actions
29
VISI
ON
Information security vision
&
MIS
SIO Vision
N The organization is acknowledged as an
industry leader for information security.
Mission
To design, implement, operate, manage and
maintain an Information Security
Management System that complies with
international standards, incorporating
generally-accepted good security practices
30
W
Who is responsible?
ho
Information Security Management Committee
Information Security Manager/CISO and Department
Incident Response Team
Business Continuity Team
IT, Legal/Compliance, HR, Risk and other departments
Audit Committee
Last but not least, you!
Bottom line:
Information security is everyones responsibility
31
Po
lic Corporate Information Security Policy
y
32
INF
O Information Asset Classification
ASSE
T
CONFIDENTIAL:
CLAS If this information is leaked outside the organization, it will result in major financial and/or image
SIFI loss. Compromise of this information may result in serious non-compliance (e.g. a privacy
CATI breach). Access to this information must be restricted based on the concept of need-to-know.
Disclosure requires the information owners approval. In case information needs to be disclosed to
ON third parties, a signed confidentiality agreement is required.
Examples: customer contracts, pricing rates, trade secrets, personal information, new product
development plans, budgets, financial reports (prior to publication), passwords, encryption keys.
PUBLIC:
This information can be freely disclosed to anyone although publication must usually be explicitly
approved by Corporate Communications or Marketing.
Examples: marketing brochures, press releases, website.
33
Cl Confidentiality
as
Confidentiality of information concerns the protection of sensitive (and often highly
sif valuable) information from unauthorized or inappropriate disclosure.
ic
at Confidentiality
io level Explanation
Information which is very sensitive or private, of
n
great value to the organization and intended for
specific individuals only. The unauthorized
disclosure of such information can cause severe
High harm such as legal or financial liabilities,
competitive disadvantage, loss of brand value e.g.
merger and acquisition related information,
marketing strategy
Information belonging to the company and not for
disclosure to public or external parties. The
Medium unauthorized disclosure of this information may
harm to the organization somewhat e.g.
organization charts, internal contact lists.
Non-sensitive information available for public
disclosure. The impact of unauthorized disclosure of
such information shall not harm Organisation
Low anyway. E.g. Press releases, Companys News
letters e.g. Information published on companys
website
5/22/ Mohan Kamat 34
USE
R
RESP
ONSI
Physical security
BILI
TIES
35
USE
R
RESP
ONSI
Password Guidelines
BILI
TIES
36
USE
R
RESP
Internet usage
ONSI
BILI
TIES
Use the corporate Internet facilities only for legitimate and
authorized business purposes
37
USE
R
RESP
E-mail usage
ONSI
BILI
TIES
Use corporate email for business purposes only
Follow the email storage guidelines
If you receive spam email, simply delete it. If it is
offensive or you receive a lot, call the IT Help/Service Desk
38
USE
R
RESP
ONSI
Security incidents
BILI
TIES
Report information security incidents, concerns and
near-misses to IT Help/Service Desk:
Email
Telephone
Anonymous drop-boxes
Take their advice on what to do
39
Re
sp
on Ensure your PC is getting antivirus updates and patches
si
bil Lock your keyboard (Windows-L) before leaving your PC
iti unattended, and log-off at the end of the day
es
Store laptops and valuable information (paperwork as well as
CDs, USB sticks etc.) securely under lock and key
Keep your wits about you while traveling:
Keep your voice down on the cellphone
Be discreet about your IT equipment
Take regular information back ups
Fulfill your security obligations:
Comply with security and privacy laws, copyright and licenses,
NDA (Non Disclosure Agreements) and contracts
Comply with corporate policies and procedures
Stay up to date on information security:
Visit the intranet Security Zone when you have a moment
40
41