Information security management system Trg 2.ppt

SmppMondha 17 views 73 slides Feb 26, 2025

Slide Content

Awareness Programme on Information Security Management System
(ISO 27001: Understanding and Implementation)
STQC Directorate, Department of Information Technology,
Ministry of Communications and IT, India

Contents
ISMS Overview
ISMS Standards (ISO 27001 and other standards)
Implementing ISMS
Defining Security Policies
ISMS Certification
ISMS Awareness

02/26/25
ISMS Implementation and Certification
Dependence on Information Systems
Present-day organizations are highly dependent on information systems to
manage the business and deliver products and services:
Dependence on IT and other information for development, production and delivery
Various internal applications, such as financial databases and employee time booking
Providing helpdesk and other services
Providing remote access to customers and employees
Remote access to client systems
Interaction with the outside world through e-mail and the Internet
Use of information systems to manage third parties and outsourced suppliers

What is Information?
Information is an asset that, like other important business assets, is essential to
an organization's business and consequently needs to be suitably protected. (ISO/IEC 27002)
Asset: anything that has value to the organization.
Information can exist in many forms:
data stored on computers
transmitted across networks
printed out
written on paper
sent by fax
stored on disks
held on microfilm
spoken in conversations over the telephone
Information Life Cycle
Information can be created, stored, processed, transmitted, used (for proper and
improper purposes), copied, lost, corrupted, or destroyed.
Whatever form the information takes, or the means by which it is shared
or stored, it should always be appropriately protected throughout its
life cycle.

Risks to Information Systems arise because of:
Natural calamities, fire
Viruses
Systems / network failure
Theft, sabotage, misuse, hacking
Unrestricted access
Version control problems
Lack of documentation
High user knowledge of IT systems
Security policies (inadequate or absent)
Multiple external connections (Internet, leased lines, dial-in, VSAT)

How to Detect a Phishing Site
Verify the site's certificate through your web browser:
–In Internet Explorer, right-click anywhere on the page and choose "Properties" (or
open the "File" menu and select "Properties"), then select "Certificates".
–In a different web browser, consult its help function; modern browsers show the
certificate behind the padlock icon in the address bar.
–Check that the certificate is issued to the domain you intended to visit and chains
to a trusted certificate authority. If an Extended Validation (EV) SSL certificate is
in use, the verified organization name is shown as well.
–Caveat: a valid certificate only proves that you are talking to the domain shown in
the address bar. Phishing sites routinely hold valid certificates for their own
look-alike domains, so the decisive check is the domain name itself, not the
presence of the padlock.
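The slide says "look at the certificate" but not what to compare. The following is an added example, not code from the STQC deck: it implements the RFC 6125 dNSName matching a browser performs against a certificate's Subject Alternative Names, and the separate check the user must make by eye, namely that the host in the address bar belongs to the domain they intended to visit. All hostnames and SAN lists are constructed for the illustration.

```python
"""Hostname checks behind 'look at the certificate' on a suspected phishing
site.  Added example, not from the STQC deck: it implements the RFC 6125
dNSName matching that a browser performs against a certificate's Subject
Alternative Names, plus the check the user must do by eye, namely that the
host in the address bar belongs to the domain they intended to visit.
All hostnames and SAN lists below are constructed."""
import ipaddress


def hostname_matches(hostname: str, san_dns_names) -> bool:
    """True if hostname is covered by one of the certificate's dNSName SANs.

    Rules applied (RFC 6125 section 6.4.3, as browsers enforce them):
      - comparison is case-insensitive, trailing dots are ignored
      - '*' is accepted only as the entire left-most label
      - a wildcard matches exactly one label, never a dot
      - a wildcard needs at least two labels to its right ('*.com' is rejected)
      - IP addresses never match a dNSName entry
    """
    host = hostname.rstrip(".").lower()
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False                      # would need an iPAddress SAN instead
    except ValueError:
        pass
    host_labels = host.split(".")
    for name in san_dns_names:
        pat_labels = name.rstrip(".").lower().split(".")
        if len(pat_labels) != len(host_labels):
            continue                      # a wildcard covers one label only
        first, rest = pat_labels[0], pat_labels[1:]
        if "*" in first:
            if first != "*" or len(rest) < 2:
                continue                  # partial wildcard or '*.tld': reject
            if host_labels[0] and host_labels[1:] == rest:
                return True
        elif pat_labels == host_labels:
            return True
    return False


def is_within_domain(hostname: str, intended_domain: str) -> bool:
    """True if hostname is intended_domain or one of its subdomains.

    This is the check the certificate cannot make for the user:
    'examplebank-com.evil-host.net' can carry a perfectly valid certificate
    for *.evil-host.net and still have nothing to do with examplebank.com.
    """
    host = hostname.rstrip(".").lower()
    domain = intended_domain.rstrip(".").lower()
    return host == domain or host.endswith("." + domain)


def assess(hostname: str, san_dns_names, intended_domain: str) -> str:
    """Combine both checks into the verdict a user should reach."""
    if not hostname_matches(hostname, san_dns_names):
        return "certificate does not name this host: browser warning expected"
    if not is_within_domain(hostname, intended_domain):
        return "valid certificate, but for a different domain: likely phishing"
    return "certificate names the host and host is within the intended domain"


if __name__ == "__main__":
    # Constructed SAN lists: one for the genuine bank, one for an attacker's host.
    bank_sans = ["examplebank.com", "*.examplebank.com"]
    attacker_sans = ["*.evil-host.net"]
    for host, sans in [("www.examplebank.com", bank_sans),
                       ("examplebank-com.evil-host.net", attacker_sans),
                       ("www.examplebank.com", attacker_sans)]:
        print(f"{host:32} -> {assess(host, sans, 'examplebank.com')}")
```

The second case is the one the slide's advice misses: the attacker's certificate is valid for the attacker's own host, so no browser warning appears; only comparing the host against the intended domain exposes it.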

And the Challenge is...
Protection of information and information systems to meet business and legal
requirements by:
Provision and demonstration of a secure environment to clients
Managing security between projects from competing clients
Preventing loss of product knowledge to external attacks and internal theft
Preventing leaks of confidential information to competitors
Meeting parent company requirements
Ease of access for a large mobile workforce
Providing access to customers where off-site development is undertaken with the client
Introduction of new technologies and tools
Managing legal compliance
Managing costs vs. risk

Are you a good neighbour?
Many companies do not want to implement strong security measures, thinking that
they have nothing others would want. What they may not realize is that they
could become launch pads for attacks on others.
While firewalls can protect you from outside attacks, generally they are not
configured to protect the outside world from you.

What is needed?
Management concerns:
Market reputation
Business continuity
Disaster recovery
Business loss
Loss of confidential data
Loss of customer confidence
Legal liability
Cost of security
Security measures / controls:
Technical
Procedural
Physical
Logical
Personnel
Management

Information Security ...
protects information from a range of threats
ensures business continuity
minimizes financial loss
maximizes return on investments and business opportunities
Information security IS A BUSINESS ISSUE.
Information security is about protecting information systems through the selection
of appropriate security controls.
Information Security - Some viewpoints
Security is risk management (no absolutes)
Security is a process
The human element is both the source and the solution of the problem
Confidentiality, integrity and availability = security
Dependability and expected behaviour

Objectives of Information Security
Preservation of
Confidentiality :
Ensuring that information is available to only those authorised to have access.
Integrity :
Safeguarding the accuracy and completeness of information & processing
methods.
Availability :
Ensuring that information and vital services are available to authorised users
when required.

Information Security Model

But the Problem is….
“To determine how much is too much, so that we can
implement appropriate security measures to build
adequate confidence and trust”

Why an Information Security Management System?
The information security that can be achieved through technical means is limited
Security also depends on people, policies, processes and procedures
Resources are not unlimited
It is not a one-off exercise but an ongoing activity
All of these can be addressed effectively and efficiently only by establishing a
proper Information Security Management System (ISMS)

Who needs an ISMS?
Every organization, company, firm or institution handling information:
–Banks
–Call Centers
–IT Companies
–Government (e.g. tax office)
–Manufacturing Companies
–Consultancy Firms
–Hospitals
–Schools and Universities
–Insurance Companies
–These are examples … Every company which values
information and needs to protect it

Information Security Management System
With an ISMS we are not intending to make the system 'hacker proof', but to develop
a mechanism which can, to a large extent:
Anticipate potential problems
Prepare through proactive measures
Protect against considerable damage
Ensure recovery and restoration
"Failure is not when you fall down, but when you fail to get up"

ISMS Standards
ISO/IEC 27001:2005
–A specification (specifies requirements for establishing, implementing, operating,
monitoring, reviewing, maintaining and improving a documented ISMS)
–Specifies the requirements for implementing security controls, customised to the
needs of the individual organisation or part thereof
–Used as the basis for certification
ISO/IEC 27002:2005 (originally ISO/IEC 17799:2005)
–A code of practice for information security management
–Provides best-practice guidance
–Use as required within your business
–Not for certification
The security control clauses of ISO 27001 (Annex A) and ISO 27002 are fully harmonized

ISO/IEC 27000 family review, including future development
ISO/IEC 27000:2009 - Information security management systems: overview and vocabulary
ISO/IEC 27001:2005 - ISMS requirements
ISO/IEC 27002 (ISO/IEC 17799:2005) - ISMS code of practice
ISO/IEC 27003 - ISMS implementation guidelines (FCD; publication expected Sept. 2009)
ISO/IEC 27004 - ISMS measurement (FCD)
ISO/IEC 27005:2008 - Information security risk management
ISO/IEC 27006:2007 - ISMS certification scheme (requirements for certification bodies)
ISO/IEC 27007 - Guidelines for ISMS auditing (under development)
Annex A of ISO/IEC 27001, plus specific standards and guidelines
Note: status as on 13th July 2009

PDCA Model applied to ISMS processes
Input: interested parties' information security requirements and expectations
Plan - Establish the ISMS
Do - Implement and operate the ISMS
Check - Monitor and review the ISMS
Act - Maintain and improve the ISMS
Output: managed information security for the interested parties
(Development, maintenance and improvement cycle)

ISO 27001:2005 structure
1. Scope
2. Normative references
3. Terms and definitions
4. Information security management system
4.1 General
4.2 Establish and manage the ISMS
4.3 Documentation requirements
5. Management responsibility
5.1 Management commitment
5.2 Resource management
6. Internal ISMS audits
7. Management review of the ISMS
8. ISMS improvement
8.1 Continual improvement
8.2 Corrective action
8.3 Preventive action
Annexes A, B and C
[Figure: cover pages of ISO 27001:2005 and of IEEE/EIA 12207.0-1996 (industry
implementation of ISO/IEC 12207:1995, Software life cycle processes, March 1998),
shown as examples of standards documents]

ISO 27001 requirements
Requirements contained in the ISMS
framework (Sections 4-8)
ISMS control requirements (Annexure A)

ISMS Process Framework requirements (ISO 27001)
Information security management system (Cl. 4)
–Establishing and managing the ISMS
–Documentation requirements
Management responsibility (Cl. 5)
–Management commitment
–Resource management
Internal ISMS audits (Cl. 6)
Management review of the ISMS (Cl. 7)
ISMS improvement (Cl. 8)
–Continual improvement
–Corrective action
–Preventive action

ISMS control requirements
Annex A: Control objectives and controls

Security Control Clauses of ISO 27001 (Annex A)
A.5 Security policy
A.6 Organization of information security
A.7 Asset management
A.8 Human resources security
A.9 Physical and environmental security
A.10 Communications and operations management
A.11 Access control
A.12 Information systems acquisition, development and maintenance
A.13 Information security incident management
A.14 Business continuity management
A.15 Compliance

ISO 27001: Control objectives and controls
11 security control clauses, containing
39 control objectives (each specifies a requirement), satisfied by
133 controls

ISO 27002 Structure
1 introductory clause on risk assessment and treatment
11 security control clauses (fully harmonised with ISO 27001 Annex A)
39 main security categories, each containing
–a control objective, and
–one or more controls to support achievement of the control objective
Control descriptions, each containing
–control statement
–implementation guidance
–other information

A.5 Security policy
A.5.1 Information security policy
Objective: To provide management direction and support for information security.
Controls:
–Information security policy document
–Review of the information security policy

A.6 Organization of information security
A.6.1 Internal organization
A.6.2 External parties (third-party agreements)
Examples of external parties?

A.7 Asset management
A.7.1 Responsibility for assets
A.7.2 Information classification
Example classification levels: Top secret, Secret, Confidential, Restricted, Public

A.8 Human resources security
A.8.1 Prior to employment
A.8.2 During employment
A.8.3 Termination or change of employment
Covers employees, contractors and third-party users

A.9 Physical and environmental security
A.9.1 Secure areas
A.9.2 Equipment security

A.10 Communications and operations management
A.10.1 Operational procedures and responsibilities
A.10.2 Third-party service delivery management
A.10.3 System planning and acceptance
A.10.4 Protection against malicious and mobile code
A.10.5 Back-up
A.10.6 Network security management
A.10.7 Media handling
A.10.8 Exchange of information
A.10.9 Electronic commerce services
A.10.10 Monitoring

A.11 Access control
A.11.1 Business requirement for access control
A.11.2 User access management
A.11.3 User responsibilities
A.11.4 Network access control
A.11.5 Operating system access control
A.11.6 Application and information access control
A.11.7 Mobile computing and teleworking

A.12 Information systems acquisition, development and maintenance
A.12.1 Security requirements of information systems
A.12.2 Correct processing in applications
A.12.3 Cryptographic controls
A.12.4 Security of system files
A.12.5 Security in development and support processes
A.12.6 Technical vulnerability management

A.13 Information security incident management
A.13.1 Reporting information security events and weaknesses
A.13.2 Management of information security incidents and improvements
• What is an information security event?
• What is an information security incident?
• Examples?
• Incident management process?

A.14 Business continuity management
A.14.1 Information security aspects of business continuity management
Objective: To counteract interruptions to business activities and to protect critical
business processes from the effects of major failures or disasters, and to ensure
their timely resumption.
Controls:
–Including information security in the business continuity management process
–Business continuity and risk assessment
–Developing and implementing continuity plans including information security
–Business continuity planning framework
–Testing, maintaining and re-assessing business continuity plans
Difference between an incident and a disaster?

A.15 Compliance
A.15.1 Compliance with legal requirements
A.15.2 Compliance with security policies and standards, and technical compliance
A.15.3 Information systems audit considerations

Control objectives and controls
“Not all the controls described will be relevant to
every situation, nor can they take account of local
environmental or technological constraints, or be
present in a form that suits every potential user in
an organization.”

Benefits of ISO 27001
A single reference point for identifying the range of controls needed for most
situations where information systems are used
Facilitation of trading in a trusted environment
An internationally recognized, structured methodology
A defined process to evaluate, implement, maintain and manage information security
A set of tailored policies, standards, procedures and guidelines
The standard provides a yardstick against which security can be judged

Process for developing an ISMS
Security requirements are derived from business requirements and legal requirements.
Asset identification and valuation, together with threat and vulnerability assessment,
feed the risk assessment.
The risk assessment drives the selection of controls (ISO 27001 Annex A), which are
implemented through the ISMS policy, procedures and controls.

Action Plan for ISMS Implementation - 1
Project initiation
Formation of a security organization, including a CISO
Identify roles and responsibilities of groups
Management intent on the ISO 27001 initiative communicated to all
Framing and approval of the scope and the security policy statement
Communication to all
Risk analysis / assessment (RA)
–RA methodology
–Asset identification
–Training on RA
–Actual RA
–Asset classification guideline (labelling / handling)
–Risk treatment plan and actual implementation
Preparation of the Statement of Applicability (SoA)
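The risk assessment steps above (asset valuation, threat and vulnerability rating, risk treatment) are listed but not shown. Below is an added worked example, not code from the STQC deck, of a minimal qualitative risk assessment: each asset is valued, each threat/vulnerability pair is rated, a risk score and level are derived, and management's acceptance threshold decides which risks enter the Risk Treatment Plan. The 1..5 scales, the product formula, the level bands, the threshold and the sample register are constructed illustrations; ISO/IEC 27005 leaves all of these to the organisation.

```python
"""Risk assessment step of the action plan, as an added worked example (not
from the deck): value the assets, rate each threat/vulnerability pair, derive
a risk level, and let management's acceptance threshold decide what enters
the Risk Treatment Plan.  The 1..5 scales, the product formula, the level
bands, the threshold and the sample assets are constructed illustrations;
ISO/IEC 27005 leaves all of these to the organisation."""
from dataclasses import dataclass

RATING_MIN, RATING_MAX = 1, 5


def rating_ok(n) -> bool:
    """A valid qualitative rating is an integer from 1 (low) to 5 (high)."""
    return isinstance(n, int) and RATING_MIN <= n <= RATING_MAX


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str           # accountable person (the Data Owner of later slides)
    value: int           # business impact if confidentiality/integrity/availability is lost
    classification: str

    def __post_init__(self):
        if not rating_ok(self.value):
            raise ValueError(f"asset value must be {RATING_MIN}..{RATING_MAX}")


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int      # how likely the threat is to materialise
    exposure: int        # how easily the vulnerability lets it succeed

    def __post_init__(self):
        if not (rating_ok(self.likelihood) and rating_ok(self.exposure)):
            raise ValueError(f"ratings must be {RATING_MIN}..{RATING_MAX}")

    def score(self) -> int:
        # All three factors multiply: a likely threat against a robust control,
        # or against a low-value asset, comes out lower.  Range 1..125.
        return self.asset.value * self.likelihood * self.exposure

    def level(self) -> str:
        s = self.score()
        return "HIGH" if s >= 60 else "MEDIUM" if s >= 20 else "LOW"


def treatment_plan(risks, accept_below: int = 20):
    """Split risks into (to_treat, accepted), highest score first.

    Risks at or above the acceptance threshold need a treatment option
    (reduce, retain, avoid or transfer) and a control selection in the RTP;
    the rest are accepted, but still recorded together with the decision.
    """
    ordered = sorted(risks, key=lambda r: r.score(), reverse=True)
    to_treat = [r for r in ordered if r.score() >= accept_below]
    accepted = [r for r in ordered if r.score() < accept_below]
    return to_treat, accepted


def register_rows(risks):
    """Risk register lines, ready for the Risk Assessment Report."""
    return [(r.asset.name, r.threat, r.vulnerability, r.score(), r.level())
            for r in sorted(risks, key=lambda r: r.score(), reverse=True)]


# Constructed sample register.
PAYROLL_DB = Asset("Payroll database", "Head of HR", 5, "Confidential")
NOTICE_BOARD = Asset("Intranet notice board", "Admin officer", 1, "Internal")
SAMPLE_RISKS = [
    Risk(PAYROLL_DB, "Theft of backup media", "Backup tapes are unencrypted", 3, 4),
    Risk(PAYROLL_DB, "Fire in server room", "No off-site copy", 1, 5),
    Risk(NOTICE_BOARD, "Web defacement", "Unpatched CMS", 4, 4),
]

if __name__ == "__main__":
    for row in register_rows(SAMPLE_RISKS):
        print("%-22s %-24s %-30s %3d %s" % row)
    to_treat, accepted = treatment_plan(SAMPLE_RISKS)
    print("to treat:", [r.threat for r in to_treat])
    print("accepted:", [r.threat for r in accepted])
```

Note how the ordering changes the picture: the unpatched notice board is the most likely and most exposed item, yet it is accepted because the asset is worth little, while the rare server-room fire stays in the plan because the payroll data is valuable. Moving the threshold is a management decision, and the same function reproduces a stricter or more lenient appetite.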

Action Plan for ISMS Implementation - 2
Gap analysis / status appraisal (may also be done before the RA)
Vulnerability assessment and application security testing (may also be done before the RA)
Documentation of policies and procedures
Identification and documentation of legal requirements and business requirements
Security awareness training
Implementation of policies and procedures
Business continuity planning
–Carrying out a BIA (business impact analysis)
–Writing the BCP
–BCP organisation
–Training
–BCP testing and updating

Action Plan for ISMS Implementation - 3
Monitor and review ISMS effectiveness
–Internal ISMS audits
–Management reviews
Improve the ISMS
Apply for certification

ISMS Documentation
Documented statements of the ISMS policy and objectives
Procedures and controls in support of the ISMS
Risk assessment methodology
Risk assessment report
Risk treatment plan
Documented procedures needed to ensure effective planning, operation and control of
information security processes, e.g.
–Incident management
–Business continuity planning
–Change control procedure
Records
...
Documents and records can be in any form or type of medium.

Defining Information Security Policies
What is a Policy?
The term policy is defined as a high-level statement of an organization's beliefs, goals
and objectives and the general means for their attainment for a specified subject area.
A policy is brief (recommended) and set at a high level.

Why a Security Policy?
"The best security technology with a bad policy is like a grass hut with a steel gate."
"The policy on security is the organization's statement of intent that provides the
foundation for management and staff alike."

Security Policy Framework
Policies define appropriate behaviour
Policies set the stage in terms of what tools and procedures are needed
Policies communicate a consensus
Policies provide a foundation for HR action in response to inappropriate behaviour
Policies may help prosecute cases

Example: Policies required
Information security policy
Policy on outsourcing
Acceptable use policy
E-mail security policy
Internet policy
Password policy
Clear desk and clear screen policy
Access control policy
Mobile computing / teleworking policy
Freeware policy
Anti-virus policy
Desktop security policy
Backup policy
Media disposal policy
Business continuity management policy
Remote authentication policy
Cryptographic controls policy

Basic policy requirements
Policies must:
–be implementable and enforceable
–be concise and easy to understand
–balance protection with productivity
–be updated regularly to reflect the evolution of the organization

Policies should:
–state reasons why policy is needed
–describe what is covered by the policies - whom, what, and where
–define contacts and responsibilities to outside agencies
–discuss how violations will be handled
–be able to meet business objectives.

Other Policies and documentation
Policies:
–are not specific and detailed descriptions of a problem,
–do not provide the steps that are needed to implement the policy.
Therefore, an organization must develop standards, guidelines and procedures that
offer employees, management and others a clearer method of implementing the policy
and meeting the business needs.

Security procedures
Policies only define "what" is to be protected.
Procedures define "how" to protect resources
and are the mechanisms to enforce policy.
Procedures define detailed actions to take for
specific incidents.
Procedures provide a quick reference in times of
crisis.
Procedures help eliminate the problem of a
single point of failure (e.g., an employee
suddenly leaves or is unavailable in a time of
crisis).

Example: Procedures required by an organization
Information labelling and handling
Reporting software malfunctions
Disciplinary process
Incident management
Migration of software
Acceptance criteria for new information systems
Control against malicious software
Handling and storage of information
Authorization of publicly available systems
Information exchange through fax and voice
User registration and de-registration
Allocation of passwords
Review of user access rights
Monitoring of use of information systems
Key management system
Control of operational software
Change control
Identification of applicable legislation

Records
Evidence generated as a consequence of the operation of the ISMS, to identify the
path through a process and to demonstrate compliance.
Records may be manual or automatic. They:
• provide evidence of conformance to requirements
• demonstrate effective operation of the security system

Examples: Records generated
Inventory of assets
Confidentiality agreements
Terms and conditions of employment
Equipment maintenance records
Incident-related data
Risk identification and control in contracts
Testing records for acceptance of new systems
Testing of backup copies
Operator logs
Review of user access rights
Capacity utilisation logs
Process performance records (e.g. internal audits, management review, training)

Policy deployment
Policy deployment should be supported by process, people and technology.

User Responsibilities
Are you aware of your own policies?
Acceptable use policy
Password policy
File encryption policy for mobile devices
Clear desk and clear screen policy
Disciplinary policy

Training and Awareness on ISMS
The need for training and awareness must be identified
Input should come from everywhere in the organization
–Users, security personnel, management
The programme should be implemented when the controls are implemented
Detailed function-specific training can also be provided

Awareness Training: Issues that need to be addressed
Information security, its needs, and its importance to the company
–Importance of information to the business of the organisation
–Concept of C, I, A
–ISMS policy
–Do's and don'ts
–Security incidents, security weaknesses, software malfunctions
General security controls as practised in the company: physical entry controls, ID badges,
visitor policy, fire drills / fire safety
Asset identification, information labelling and handling
Correct use of information processing facilities
Policies such as e-mail, Internet, freeware, virus protection, backup, password
management, media handling, mobile computing (if applicable)
Incident reporting; help desk reporting etc.
Clear screen and clear desk policy
Any legal responsibility
Repercussions for violations / disciplinary process for violations

Do's and Don'ts
Do keep your use of the Internet to a minimum
Do check that any information you access on the Internet is accurate, complete and current
Do check the validity of the information found
Do respect the legal protections to data and software provided by copyright and licenses
Do inform the IT department immediately of any unusual occurrence
Do not download text or images which contain material of a pornographic, racist or
extreme political nature, or which incites violence, hatred or any illegal activity
Do not download content from Internet sites unless it is work related
Do not download software from the Internet and install it on the organisation's
computer equipment
Do not use the organisation's computers to make unauthorised entry into any other
computer or network
Do not disrupt or interfere with other computers or network users, services, or equipment
Do not represent yourself as another person
Do not use Internet access to transmit confidential, political, obscene, threatening, or
harassing materials

Users' Responsibility
Adhering to policies, guidelines and procedures pertaining to the protection of
institutional data
Reporting actual or suspected vulnerabilities in the confidentiality, integrity or
availability of institutional data to a manager or the Information Security Office
Reporting actual or suspected breaches in the confidentiality, integrity or
availability of institutional data to the Information Security Office
You are individually responsible for protecting the data and information in your
hands. Security is everyone's responsibility.
Recognise which data is sensitive. If you do not know or are not sure, ask.
Even though you cannot touch it, information is an asset, sometimes a priceless asset.
Use the resources at your disposal only for the benefit of the organisation.
Understand that you are accountable for what you do on the system.

Data Custodian
Understanding and reporting on how data is stored, processed and transmitted by the
organization and by third-party agents
Implementing appropriate physical and technical safeguards to protect the
confidentiality, integrity and availability of the organization's data
Documenting and disseminating administrative and operational procedures to ensure
consistent storage, processing and transmission of the organization's data
Provisioning and de-provisioning access to the organization's data as authorized by
the Data Owner
Understanding and reporting on security risks and how they impact the confidentiality,
integrity and availability of the organization's data

How to select a good password
Use at least eight characters; 15 is better
Use a random mixture of characters: upper and lower case letters, numbers, punctuation,
spaces and symbols
Do not use a word found in a dictionary, English or foreign

Things to avoid in a password
Do not add a single digit or symbol before or after a word, for example "microsoft1"
Do not double up a single word, for example "msoftmsoft"
Do not simply reverse a word, for example "tfosorcim"
Do not simply remove the vowels from a word
Avoid key sequences that can easily be repeated, for example "qwerty", "asdf"
Do not garble letters, for example converting e to 3, L or I to 1, o to 0, as in "z3r0-10v3"

Changing your password
Change your password regularly, for example once a month
Change your password after you return from a trip
You should also change your password whenever you suspect that somebody knows it, or
even that they may guess it, for example if someone stood behind you while you typed it
(Note: current guidance such as NIST SP 800-63B no longer recommends forcing periodic
changes for their own sake; what matters is changing the password immediately on any
suspicion of compromise.)

Protecting your password
Do not store your password on your computer, except in encrypted form
The password cache of older Windows versions (.pwl files) is NOT secure, so whenever a
program prompts you to "save password", don't
Do not tell anyone your password, not even your system administrator
Never send your password via e-mail or other unsecured channels
If you must write your password down, do not leave the paper lying around; lock it
away somewhere
Be very careful when entering your password with somebody else in the same room

Password Good Sense
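The password slides above give rules but no way to apply them consistently. The following is an added example, not code from the STQC deck: a checker that implements those rules (minimum length, a mix of character classes, rejection of dictionary words and of the disguises the slides list, namely a digit or symbol tacked on, doubling, reversal, vowel removal, keyboard sequences and leetspeak). WORDLIST is a tiny constructed stand-in for the dictionary a real checker would load; the character-class and keyboard-row thresholds are choices made for this example.

```python
"""Password checker implementing the rules on the preceding slides: minimum
length, a mix of character classes, and rejection of dictionary words in the
common disguises (digit or symbol tacked on, doubled, reversed, vowels
removed, keyboard sequences, leetspeak).  Added example, not from the deck;
WORDLIST is a tiny constructed stand-in for the dictionary a real checker
would load."""
import re

WORDLIST = {"microsoft", "password", "welcome", "summer", "india", "admin",
            "zero", "love"}                             # constructed stand-in
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Undo the usual letter-for-symbol substitutions: z3r0-10v3 -> zero-love
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
# "mcrsft" -> "microsoft"; short words are skipped to avoid noise
NO_VOWELS = {re.sub(r"[aeiou]", "", w): w for w in WORDLIST if len(w) >= 6}


def _word_runs(text: str):
    """The alphabetic runs of a lower-cased string."""
    return re.findall(r"[a-z]+", text)


def _has_keyboard_run(low: str, n: int = 4) -> bool:
    """True if n adjacent keys of a keyboard row (either direction) appear."""
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + n] in low for i in range(len(seq) - n + 1)):
                return True
    return False


def check_password(pw: str) -> list:
    """Return the rules the password breaks; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters (15 or more is better)")
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")

    low = pw.lower()
    # Each variant strips one disguise; if every letter run is then a
    # dictionary word, the password is that word in disguise.
    variants = (
        ("a dictionary word, possibly with digits or symbols around it", low),
        ("a dictionary word written in leetspeak", low.translate(LEET)),
        ("a reversed dictionary word", low[::-1]),
    )
    for reason, text in variants:
        runs = _word_runs(text)
        if runs and all(r in WORDLIST for r in runs):
            problems.append(reason)
            break
    letters = "".join(_word_runs(low))
    half = len(letters) // 2
    if letters and len(letters) % 2 == 0 and letters[:half] == letters[half:]:
        problems.append("a string doubled up")
    if any(r in NO_VOWELS for r in _word_runs(low)):
        problems.append("a dictionary word with the vowels removed")
    if _has_keyboard_run(low):
        problems.append("contains a keyboard sequence")
    return problems


if __name__ == "__main__":
    for candidate in ("microsoft1", "msoftmsoft", "tfosorcim", "Mcrsft!2024",
                      "Qwerty!2024", "z3r0-10v3", "Vn7#pq!Lm2xK"):
        verdict = check_password(candidate)
        print(f"{candidate:14} {'OK' if not verdict else '; '.join(verdict)}")
```

The point of normalising before the dictionary lookup is that every disguise on the slides is a reversible transformation; an attacker's cracking tool applies the same reversals as rules, so a checker that only compares the raw string against a word list catches none of them.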

Route to ISMS certification
Step 1 - Preliminary information
Step 2 - Application
Step 3 - Pre-assessment (optional)
Step 4 - Assessment
–Assessment stage 1 (gaining an understanding of the ISMS)
–Assessment stage 2 (verifying conformity)
Step 5 - Post-assessment
–Decision on certification
–Issue of certificate
–Certificate validity
Step 6 - Surveillance
Step 7 - Reassessment

Benefits of Certification
Public demonstration
Enhanced corporate image
Accountability / reassurance
Drives the improvement process forward
Ensures management commitment
A positive response from potential customers
Can be part of an integrated approach (ISO 9001 / ISO 14001 / ISMS)
Staff motivation

Some sources for additional Information
CERT (www.cert.org)
SANS (www.sans.org)
CIAC (www.ciac.llnl.gov/ciac)
AUSCERT (www.auscert.org.au)
SURFNET (http://cert.surfnet.nl/home-eng.html)
NIST (http://icat.nist.gov/icat.taf)
FIRST (www.first.org)
BSI (www.bsi.org)
STQC(www.stqc.nic.in)
www.cisecurity.com
www.csrtnist.com

Thank you for your attention!
Contact: [email protected]