Information security management system Trg 1.ppt

SmppMondha, 64 slides, Feb 26, 2025

Welcome To
The User Awareness Training Of
ISMS
ISO/IEC 27001:2005
This work is copyright © 2010, Mohan Kamat and ISO27k Implementers' forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k implementers' forum (www.ISO27001security.com), and (c) derivative works are shared under the same terms as this.

What is Information?
What is Information Security?
What is RISK?
An Introduction to ISO 27001-2:2005
ISMS @ Organization
User Responsibilities
02/26/25 2Mohan Kamat

‘Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected’
(BS ISO 27002:2005)

Information can be
Created
Stored
Destroyed
Processed
Transmitted
Used – (For proper & improper purposes)
Corrupted
Lost
Stolen

Printed or written on paper
Stored electronically
Transmitted by post or using electronics means
Shown on corporate videos
Displayed / published on web
Verbal – spoken in conversations
‘…Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected’
(BS ISO 27002:2005)

What Is Information Security
The quality or state of being secure: to be free from danger
Security is achieved using several strategies, applied simultaneously or in combination with one another
Security is recognized as essential to protect vital processes and the systems that provide those processes
Security is not something you buy, it is something you do

What Is Information Security
The architecture where an integrated combination of appliances, systems and solutions, software, alarms, and vulnerability scans work together
Monitored 24x7
Having people, processes, technology, policies and procedures
Security is for PPT (People, Processes, Technology) and not only for appliances or devices

PEOPLE - PROCESSES - TECHNOLOGY
[Diagram: People = Organization Staff; Processes = Business Processes; Technology = Technology used by Organisation]

People “Who we are”
People who use or interact with the Information include:
Share Holders / Owners
Management
Employees
Business Partners
Service providers
Contractors
Customers / Clients
Regulators etc…

Process “what we do”
The processes refer to "work practices" or workflow. Processes are the repeatable steps to accomplish business objectives. Typical processes in our IT Infrastructure could include:
Helpdesk / Service management
Incident Reporting and Management
Change Requests process
Request fulfillment
Access management
Identity management
Service Level / Third-party Services Management
IT procurement process etc...

Technology “what we use to improve what we do”
Network Infrastructure:
Cabling, Data/Voice Networks and equipment
Telecommunications services (PABX), including VoIP services, ISDN, Video Conferencing
Server computers and associated storage devices
Operating software for server computers
Communications equipment and related hardware
Intranet and Internet connections
VPNs and Virtual environments
Remote access services
Wireless connectivity

Technology “what we use to improve what we do”
Application software:
 Finance and assets systems, including Accounting packages, Inventory management, HR systems, Assessment and reporting systems
 Software as a service (SaaS) - instead of software as a packaged or custom-made product, etc.
Physical Security components:
 CCTV Cameras
 Clock-in systems / Biometrics
 Environmental management Systems: Humidity Control, Ventilation, Air Conditioning, Fire Control systems
 Electricity / Power backup
Access devices:
 Desktop computers
 Laptops, ultra-mobile laptops and PDAs
 Thin client computing
 Digital cameras, Printers, Scanners, Photocopiers etc.

INFORMATION SECURITY
1. Protects information from a range of threats
2. Ensures business continuity
3. Minimizes financial loss
4. Optimizes return on investments
5. Increases business opportunities
Business survival depends on information security.

ISO 27002:2005 defines Information Security as the preservation of:
–Confidentiality: Ensuring that information is accessible only to those authorized to have access
–Integrity: Safeguarding the accuracy and completeness of information and processing methods
–Availability: Ensuring that authorized users have access to information and associated assets when required

Security breaches lead to…
•Reputation loss
•Financial loss
•Intellectual property loss
•Legislative breaches leading to legal actions (Cyber Law)
•Loss of customer confidence
•Business interruption costs
LOSS OF GOODWILL

• Information Security is an “Organizational Problem” rather than an “IT Problem”
• More than 70% of threats are internal
• More than 60% of culprits are first-time fraudsters
• Biggest Risk : People
• Biggest Asset : People
• Social Engineering is a major threat
• More than 2/3rd express their inability to determine “Whether my systems are currently compromised?”

What is Risk?
Risk: A possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset.
Threat: Something that can potentially cause damage to the organisation, IT Systems or network.
Vulnerability: A weakness in the organization, IT Systems, or network that can be exploited by a threat.

Relationship between Risk, Threats, and Vulnerabilities
[Diagram: Threats exploit Vulnerabilities; Vulnerabilities expose Information assets; Information assets have Asset values; Threats, Vulnerabilities and Asset values increase Risk; Controls protect against Threats and reduce Risk; Risk indicates Protection Requirements, which are met by Controls]
* Controls: A practice, procedure or mechanism that reduces risk

Threat Identification
Elements of threats
Agent : The catalyst that performs the threat.
Human
Machine
Nature

Threat Identification
Elements of threats
Motive : Something that causes the agent to act.
Accidental
Intentional
The human agent is the only one whose motive can be both accidental and intentional.

Threat Identification
Elements of threats
Results : The outcome of the applied threat. The results normally lead to the loss of CIA:
Confidentiality
Integrity
Availability

Threats
•Employees
•External Parties
•Low awareness of security issues
•Growth in networking and distributed computing
•Growth in complexity and effectiveness of hacking tools and viruses
•Natural Disasters e.g. fire, flood, earthquake

Threat Sources
Source: External Hackers - Motivation: Challenge, Ego, Game Playing - Threat: System hacking, Social engineering, Dumpster diving
Source: Internal Hackers - Motivation: Deadline, Financial problems, Disenchantment - Threat: Backdoors, Fraud, Poor documentation
Source: Terrorist - Motivation: Revenge, Political - Threat: System attacks, Social engineering, Letter bombs, Viruses, Denial of service
Source: Poorly trained employees - Motivation: Unintentional errors, Programming errors, Data entry errors - Threat: Corruption of data, Malicious code introduction, System bugs, Unauthorized access

No. - Categories of Threat - Example
1 - Human errors or failures - Accidents, employee mistakes
2 - Compromise to intellectual property - Piracy, copyright infringements
3 - Deliberate acts of espionage or trespass - Unauthorized access and/or data collection
4 - Deliberate acts of information extortion - Blackmail of information exposure / disclosure
5 - Deliberate acts of sabotage / vandalism - Destruction of systems / information
6 - Deliberate acts of theft - Illegal confiscation of equipment or information
7 - Deliberate software attacks - Viruses, worms, macros, denial of service
8 - Deviations in quality of service from service provider - Power and WAN issues
9 - Forces of nature - Fire, flood, earthquake, lightning
10 - Technical hardware failures or errors - Equipment failures / errors
11 - Technical software failures or errors - Bugs, code problems, unknown loopholes
12 - Technological obsolescence - Antiquated or outdated technologies

[Diagram of the problems facing the organisation]
High user knowledge of IT systems
Theft, sabotage, misuse
Virus attacks
Systems & network failure
Lack of documentation
Lapse in physical security
Natural calamities & fire

SO HOW DO WE OVERCOME THESE PROBLEMS?

History
Early 1990
• DTI (UK) established a working group
• Information Security Management Code of Practice produced as BSI-DISC publication
1995
• BS 7799 published as UK Standard
1999
• BS 7799-1:1999 second revision published
2000
• BS 7799-1 accepted by ISO and published as ISO 17799
• BS 7799-2:2002 published

History
•ISO 27001:2005 Information technology — Security techniques — Information security management systems — Requirements
•ISO 27002:2005 Information technology — Security techniques — Code of practice for information security management

ISO 27001
ISO 27001: This International Standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations). This International Standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization’s overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.

The ISMS is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.

Features of ISO 27001

•Plan, Do, Check, Act (PDCA) Process Model
•Process Based Approach
•Stress on Continual Process Improvements
•Scope covers Information Security, not only IT Security
•Covers People, Process and Technology
•5600 plus organisations worldwide have been certified
•11 Domains, 39 Control objectives, 133 controls

PDCA Process
[Diagram: Interested Parties' Information Security Requirements & Expectations -> PLAN (Establish ISMS) -> DO (Implement & Operate the ISMS) -> CHECK (Monitor & Review ISMS) -> ACT (Maintain & Improve) -> Managed Information Security for Interested Parties; Management Responsibility spans the whole ISMS process]

[Diagram: the 11 domains of ISO 27001, protecting Confidentiality, Integrity and Availability]
Information Security Policy
Organisation of Information Security
Asset Management
Human Resource Security
Physical Security
Communication & Operations Management
Access Control
System Development & Maintenance
Incident Management
Business Continuity Planning
Compliance

•Information Security Policy - To provide management direction and support for information security.
•Organisation of Information Security - Management framework for implementation.
•Asset Management - To ensure the security of valuable organisational IT and its related assets.
•Human Resources Security - To reduce the risks of human error, theft, fraud or misuse of facilities.
•Physical & Environmental Security - To prevent unauthorised access, theft, compromise or damage to information and information processing facilities.

•Communications & Operations Management - To ensure the correct and secure operation of information processing facilities.
•Access Control - To control access to information and information processing facilities on a ‘need to know’ and ‘need to do’ basis.
•Information Systems Acquisition, Development & Maintenance - To ensure security is built into information systems.
•Information Security Incident Management - To ensure information security events and weaknesses associated with information systems are communicated.

•Business Continuity Management - To reduce disruption caused by disasters and security failures to an acceptable level.
•Compliance - To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements.

[Diagram: ISMS activities mapped onto the PDCA cycle]
PLAN - Establish ISMS: IS Policy; Security Organisation; Asset Identification & Classification; Control Selection & Implementation
DO - Implement & Operate the ISMS: Operationalize the Processes
CHECK - Monitor & Review ISMS: Check Processes; Management Review
ACT - Maintain & Improve: Corrective & Preventive Actions

•At the organizational level – Commitment
•At the legal level – Compliance
•At the operating level – Risk management
•At the commercial level – Credibility and confidence
•At the financial level – Reduced costs
•At the human level – Improved employee awareness

ISMS @ ORGANISATION
Scope of ISMS
•Data Center
•DR site
•All Information, IT, Service and People Assets

ISMS @ ORGANISATION
Documented ISMS
•Apex Security Policy
•Specific policies e.g. Physical & Environment Policy, E-mail Policy, HR, Incident Management etc.
•Procedures, Guidelines and Records

ISMS @ ORGANISATION
Vision
ORGANISATION would be a role model for having a robust Information Security Management System implementation with continual improvements, which assure and pervade every sphere of its activities and functional domains.
Mission
Empowerment of the Information Security Management System through implementing best practices for People, Process and Technology.
Information Security is the responsibility of everyone

ISMS @ ORGANISATION
Security Organisation
•Apex Committee
•ISMS Forum
•ISMS Task Force
•Incident Response
•BCP Team
•DRP Team
•Audit Committee

ISMS @ ORGANISATION
Security Organization
•Apex Committee :
–CEO
–CTO/CISO
•ISMS Forum:
–Service Head
–Technology Head (CTO)
–Head HR
•IS Task Force :
–Project Managers
–Administrators
–IS Team Members
•Audit Committee:
–Appointed by Apex Committee
•BCP Team:
–Appointed by Apex Committee / ISMS Forum
•DRP Team:
–Appointed by Apex Committee / ISMS Forum

WHO IS AT THE CENTRE OF SECURITY?
U-R (the letters at the centre of SEC-U-R-ITY)

Information Security Policy
IS Policy is approved by Top Management
Policy is released on the Intranet at http://xx.xx.xx.xx/ISMS/index.htm

Information Asset Classification
CONFIDENTIAL:
If this information is leaked outside Organisation, it will result in major financial and/or image loss. Compromise of this information will result in statutory, legal non-compliance.
Access to this information must be restricted based on the concept of need-to-know. Disclosure requires the information owner’s approval. In case information needs to be disclosed to third parties, a signed confidentiality agreement is also required. Examples include customer contracts, rate tables, process documents and new product development plans.
INTERNAL USE ONLY:
If this information is leaked outside Organisation, it will result in negligible financial loss and/or embarrassment.
Disclosure of this information shall not cause serious harm to Organisation, and access is provided freely to all internal users. Examples include circulars, policies, training materials etc.
PUBLIC:
Non-availability will have no effect. If this information is leaked outside Organisation, it will result in no loss.
This information must be explicitly approved by the Corporate Communications Department (or the Marketing Department in case of marketing related information) as suitable for public dissemination. Examples include marketing brochures, press releases.

Confidentiality - Information Asset
Confidentiality of information refers to the protection of information from unauthorized disclosure. The impact of unauthorized disclosure of confidential information can range from jeopardizing organization security to the disclosure of private data of employees. The following table provides a guideline to determine Confidentiality requirements:
Confidentiality Requirement - Explanation
Low - Non-sensitive information available for public disclosure. The impact of unauthorized disclosure of such information shall not harm Organisation in any way. E.g. press releases, company newsletters, information published on the company’s website.
Medium - Information belonging to the company and not for disclosure to public or external parties. The unauthorized disclosure of information here can cause limited harm to the organization. E.g. organization charts, internal telephone directory.
High - Information which is very sensitive or private, of highest value to the organization and intended for use by named individuals only. The unauthorized disclosure of such information can cause severe harm (e.g. legal or financial liability, adverse competitive impact, loss of brand name). E.g. client’s pricing information, merger and acquisition related information, marketing strategy.

Integrity - Information Asset
Integrity refers to the completeness and accuracy of information. Integrity is lost if unauthorized changes are made to data or an IT system by either intentional or accidental acts. If the integrity of data is not restored, continued use of the contaminated data could result in inaccuracy, fraud, or erroneous decisions. Integrity criteria of information can be determined with the guideline established in the following table.
Integrity Requirement - Explanation
Low - There is minimal impact on business if the accuracy and completeness of data is degraded.
Medium - There is significant impact on business if the accuracy and completeness of data is degraded.
High - Integrity degradation is unacceptable.

Availability - Information Asset
Availability indicates how soon the information is required in case the same is lost. If critical information is unavailable to its end users, the organization’s mission may be affected. The following table provides a guideline to determine availability criteria of information assets.
Availability Requirement - Explanation
Low - There is minimal impact on business if the asset / information is not available for up to 7 days
Medium - There is significant impact on business if the asset / information is not available for up to 48 hours
High - The asset / information is required on a 24x7 basis

Non-information Assets [Physical]
Information is processed with the help of technology: the assets which are helpful in creating, processing, generating output and storing information. Such assets need to be identified and valued for the purpose of their criticality in the business process.

Asset valuation of non-information / physical assets like software, hardware and services is carried out based on different criteria applicable to the specific group of physical assets involved in the organization’s business processes.

Confidentiality - Non-information Asset
The confidentiality factor is to be determined by the services rendered by the particular asset in a specific business process and the confidentiality requirement of the information / data processed or stored by the asset. This table provides a guideline to identify the Confidentiality requirements and their link to the Classification label.
Confidentiality Requirement - Explanation
Low - Information processed / stored / carried or services rendered by the asset in the business process have confidentiality requirements of LOW.
Medium - Information processed / stored / carried or services rendered by the asset in the business process have confidentiality requirements of MEDIUM.
High - Information processed / stored / carried or services rendered by the asset in the business process have confidentiality requirements of HIGH.

Integrity - Non-information Asset
The integrity factor is to be determined by the reliability and dependability of the particular asset in a specific business process and the integrity requirement of the information / data processed or stored by the asset. This table provides a guideline to identify the Integrity requirements and their link to the Classification label.
Integrity Requirement - Explanation
Low - Dependency and reliability of the services rendered by the particular asset in a business process is LOW. Information processed / stored / carried or services rendered by the asset in the business process have integrity requirements of LOW.
Medium - Dependency and reliability of the services rendered by the particular asset in a business process is MEDIUM. Information processed / stored / carried or services rendered by the asset in the business process have integrity requirements of MEDIUM.
High - Dependency and reliability of the services rendered by the particular asset in a business process is HIGH. Information processed / stored / carried or services rendered by the asset in the business process have integrity requirements of HIGH.

Availability - Non-information Asset
The availability factor is to be determined on the basis of the impact of non-availability of the asset on the business process. This table provides a guideline to identify the Availability requirements and their link to the Classification label.
Availability Requirement - Explanation
Low - Impact of non-availability of an asset in a business process is LOW. Information processed / stored / carried or services rendered by the asset in the business process have availability requirements of LOW.
Medium - Impact of non-availability of an asset in a business process is MEDIUM. Information processed / stored / carried or services rendered by the asset in the business process have availability requirements of MEDIUM.
High - Impact of non-availability of an asset in a business process is HIGH. Information processed / stored / carried or services rendered by the asset in the business process have availability requirements of HIGH.

People Assets
Information is accessed or handled by people from within the organisation as well as people related to the organisation for business requirements.

It becomes necessary to identify such people from within the organisation as well as outside the organisation who handle the organization’s information assets.

The analysis of such people, who have access rights to the assets of the organisation, is to be done by the Business Process Owner, i.e. the process / function head.
The people assets shall include roles handled by
a. Employees
b. Contract Employees
c. Contractors & their employees

Confidentiality - People Assets
Confidentiality Requirement - Explanation
Low - The role or third party identified has access limited to information assets classified as 'Public'. A security breach by the individual/s to whom the role is assigned would insignificantly affect the business operations.
Medium - The role or third party identified has access limited to information assets classified as 'Internal' and 'Public'. A security breach by the individual/s to whom the role is assigned would moderately affect the business operations.
High - The role, employee or third party identified has access to all types of information assets, including information assets classified as 'Confidential' or IT assets classified as 'Critical'. A security breach by the individual/s to whom the role is assigned would severely affect the business operations.

Integrity – People Assets
Integrity Requirement - Explanation
Low - The role or third party identified has limited privilege to change information assets classified as 'Internal' or 'Public', and his work is supervised. A security breach by the individual/s to whom the role is assigned would insignificantly affect the business operations.
Medium - The role or third party identified has privilege to change information assets classified as 'Internal' and 'Public'. A security breach by the individual/s to whom the role is assigned would moderately affect the business operations.
High - The role or third party identified has privilege to change information assets classified as 'Confidential' or to change the configuration of IT assets classified as 'Critical'. A security breach by the individual/s to whom the role is assigned would severely affect the business operations.

Availability – People Assets
Availability Requirement - Explanation
Low - Unavailability of the individual/s to whom the role is assigned would insignificantly affect the business operations.
Medium - Unavailability of the individual/s to whom the role is assigned would moderately affect the business operations.
High - Unavailability of the individual/s to whom the role is assigned would severely affect the business operations.

Access Control - Physical
Do:
•Follow security procedures
•Wear identity cards and badges
•Ask an unauthorized visitor for his credentials
•Attend visitors in the Reception and Conference Room only
Do not:
•Bring visitors into the operations area without prior permission
•Bring hazardous and combustible material into the secure area
•Practice “piggybacking”
•Bring and use pen drives, zip drives, iPods or other storage devices unless otherwise authorized to do so

Password Guidelines
Do:
Always use a password of at least 8 characters with a combination of alphabets, numbers and special characters (*, %, @, #, $, ^)
Use passwords that can be easily remembered by you
Change your password regularly as per policy
Use a password that is significantly different from earlier passwords
Do not:
Use passwords which reveal your personal information or words found in a dictionary
Write down or store passwords
Share passwords over phone or e-mail
Use passwords which do not match the above complexity criteria
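The password guidelines above turned into a checker, added here as an example and not part of the training deck. It assumes a 0.6 similarity threshold for "significantly different" (the slide gives no number), a constructed six-word dictionary and constructed personal terms; the earlier password is compared in the clear only because at change time the user has just typed it, so stored passwords stay hashed.

```python
"""Checker for the password guidelines on the slide (added example)."""
import string
from difflib import SequenceMatcher

MIN_LENGTH = 8
# Special characters named on the slide (*, %, @, #, $, ^); any other
# punctuation is accepted too, since the slide lists these as examples.
SLIDE_SPECIALS = "*%@#$^"
SPECIALS = set(SLIDE_SPECIALS) | set(string.punctuation)
# How close a new password may be to an earlier one (0.0 = nothing in
# common, 1.0 = identical) before it is no longer "significantly different".
# The 0.6 threshold is an assumption; the slide gives no number.
MAX_SIMILARITY = 0.6
# Constructed sample word list; a real deployment would load a full dictionary.
DICTIONARY_WORDS = {"password", "welcome", "summer", "company", "admin", "secret"}


def complexity_problems(password: str) -> list[str]:
    """Return the complexity rules the password violates (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic characters")
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    if not any(c in SPECIALS for c in password):
        problems.append("no special characters")
    return problems


def contains_dictionary_word(password: str, words=DICTIONARY_WORDS) -> bool:
    """True if a dictionary word of 4+ letters appears inside the password."""
    lowered = password.lower()
    return any(w in lowered for w in words if len(w) >= 4)


def reveals_personal_info(password: str, personal_terms) -> bool:
    """True if a known personal term (name, year of birth, ...) appears in it."""
    lowered = password.lower()
    return any(len(t) >= 3 and t.lower() in lowered for t in personal_terms)


def similarity(a: str, b: str) -> float:
    """Case-insensitive similarity ratio between two passwords."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def significantly_different(new: str, previous) -> bool:
    """True if the new password is not close to any earlier one."""
    return all(similarity(new, old) < MAX_SIMILARITY for old in previous)


def evaluate(password: str, previous=(), personal_terms=()) -> list[str]:
    """Check every guideline on the slide; returns the list of violations."""
    problems = complexity_problems(password)
    if contains_dictionary_word(password):
        problems.append("contains a dictionary word")
    if reveals_personal_info(password, personal_terms):
        problems.append("reveals personal information")
    if not significantly_different(password, previous):
        problems.append("too similar to an earlier password")
    return problems


if __name__ == "__main__":
    # Constructed sample: the user's earlier password and personal details.
    earlier = ["Mumbai@2023"]
    personal = ("Ravi", "1985")
    for candidate in ["Mumbai@2024", "Summer2024$", "ravi#1985x", "Tr!angle9Sky"]:
        print(candidate, "->", evaluate(candidate, earlier, personal) or "OK")
```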

Internet Usage
The Technology Department is continuously monitoring Internet usage. Any illegal use of the internet and other assets shall call for Disciplinary Action.
Do not access the internet through dial-up connectivity
Do not use the internet for viewing, storing or transmitting obscene or pornographic material
Do not use the internet for accessing auction sites
Do not use the internet for hacking other computer systems
Do not use the internet to download / upload commercial software / copyrighted material
Use internet services for business purposes only

E-mail Usage
Do not use your official ID for any personal subscription purpose
Do not send unsolicited mails of any type like chain letters or e-mail hoaxes
Do not send mails to clients unless you are authorized to do so
Do not post non-business related information to a large number of users
Do not open mail or attachments which are suspected to be viruses or received from an unidentified sender
Use official mail for business purposes only
Follow the mail storage guidelines to avoid blocking of e-mails
If you come across any junk / spam mail, do the following:
a) Remove the mail
b) Inform the security help desk
c) Inform the server administrator
d) Inform the sender that such mails are undesired

Security Incidents
Report Security Incidents (IT and Non-IT) to the Helpdesk through
•E-mail to [email protected]
•Telephone : xxxx-xxxx-xxxx
•Anonymous reporting through drop boxes
e.g.:
IT Incidents: Mail spamming, virus attack, hacking, etc.
Non-IT Incidents: Unsupervised visitor movement, information leakage, bringing unauthorized media
•Do not discuss security incidents with anyone outside the organisation
•Do not attempt to interfere with, obstruct or prevent anyone from reporting incidents

Ensure your desktops have the latest antivirus updates
Ensure your system is locked when you are away
Always store laptops / media in a lockable place
Be alert while working on laptops during travel
Ensure sensitive business information is under lock and key when unattended
Ensure back-up of sensitive and critical information assets
Understand compliance issues such as
Cyber Law
IPR, Copyrights, NDA
Contractual obligations with customers
Verify credentials if a message is received from an unknown sender
Always switch off your computer before leaving for the day
Keep yourself updated on information security aspects

Human Wall Is Always Better Than A Firewall
. . . LET US BUILD A HUMAN WALL ALONG WITH FIREWALL
