June, 2022 Information Security Management System – ISO 27001:2013 ICT End-User Presentation
Agenda
- ISMS – ISO 27001:2013
- Information & Information Security
- User Responsibility
- ISMS Implementation
- Q&A
Incidents……

Protected Health Information (PHI) of patients of Diatherix, a provider of clinical laboratory testing services, was accessed by an unauthorised external entity. The exposed information included patient name, account number, address, date of test, insurance information and insured's information.

Three persons were indicted for their involvement in an international cybercrime scheme that used information stolen from banks, businesses and government agencies to steal $15 million.

Tennessee Electric Company Inc., d.b.a. TEC Industrial Maintenance & Construction, in July filed a complaint against TriSummit Bank, a $278 million institution based in Tennessee, over a series of fraudulent payroll drafts sent from TEC's account in 2012. TEC says the bank failed to have those ACH transactions approved by the utility before they were transmitted.
Why Information Security?

The internet allows an attacker to attack from anywhere on the planet.

Risks caused by poor security knowledge and practice:
- Data/information breach
- Unavailability of data/information
- Unavailability of systems, internet, applications, etc.
- Identity theft
- Monetary theft
- Legal ramifications (for yourself and for the company)
The solution to such situations? An Information Security Management System – ISO 27001
Information & Information Security
What is Information?
Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.
Information exists in many forms
Information can be….
- Printed or written on paper
- Stored electronically
- Transmitted by post/courier or electronically
- Transmitted through an individual
- Shown on corporate video
- Displayed/published on the web
- Verbal – spoken in conversation
Whatever form the information takes, or the means by which it is shared or stored, it should always be appropriately protected.
Information Lifecycle
Create → Store → Distribute (to authorized persons) → Modify (by authorized persons) → Archive → Delete (electronic) or Dispose (paper, disk, etc.)
Information may need protection through its entire lifecycle, including deletion or disposal.
Why are Information Assets so important?

Business requirements: client/customer/stakeholder expectations; marketing; trustworthiness; internal management tool.

Legal requirements: Revenue Department; Qatar Stock Exchange; copyright, patents, ….

Business continuity management; compliance with legal requirements; contractual security obligations (SLAs, contracts, outsourcing arrangements); third-party access.

Information security infrastructure: intranet connections to other business units; extranets to business partners; remote connections for staff (VPN); customer networks; supplier chains.
What is Information Security?
“Information security is the protection of information through preserving its confidentiality, integrity and availability, along with other properties such as authenticity and reliability.”
Confidentiality – Integrity – Availability
Information Security Triad/Components – CIA

Information security is the preservation of:
- Confidentiality: ensuring that information is available only to those with authorized access.
- Integrity: safeguarding the accuracy and completeness of information and of information processing methods and facilities.
- Availability: ensuring that authorized users have access to information when required.

In some organizations integrity and/or availability may be more important than confidentiality.
Information Security Triad/Components – CIA (typical measures)

Confidentiality – information is not made available or disclosed to unauthorized individuals, entities or processes. Measures include encryption, access rights, secured storage, and user awareness against social engineering.

Integrity – safeguarding the accuracy and completeness of assets. Measures include access controls, backups, and integrity checks such as checksums, hashes or digital signatures.

Availability – the asset is accessible and usable on demand by an authorized entity. Measures include a disaster recovery plan, redundancy and high availability.
Information Security Management System – ISO 27001:2013
Information Security Management System
ISO 27001:2013 Information Security Management System
An Information Security Management System (ISMS) is that part of the overall management system, based on a business risk approach, that establishes, implements, operates, monitors, reviews, maintains and improves information security.
It is a management process, not a technological process.
The purpose of an ISMS is to secure an organization’s information assets by identifying, assessing and managing the risks that result from threats exploiting vulnerabilities.
Introduction to the ISO 27001:2013 standard
- ISO/IEC 27001 is the international standard that specifies the requirements for an information security management system that safeguards an organization’s information assets.
- ISO/IEC 27001:2005 was the first edition of the standard; it superseded the British standard BS 7799-2.
- ISO/IEC 27001:2013, the second edition, was published on 25 September 2013.
- It contains a comprehensive set of clauses and (in Annex A) controls reflecting best practice in information security.
- It is a framework for building a risk-based information security management system.
ISO 27001:2013 Features
ISO 27001:2013 Requirements
Like other management system standards, ISO 27001:2013 is organised into 10 clauses. Clauses 1 to 3 are scope, normative references and terms and definitions; the mandatory requirements are in Clauses 4 to 10:
Clause 4 – Context of the organization
Clause 5 – Leadership
Clause 6 – Planning
Clause 7 – Support
Clause 8 – Operation
Clause 9 – Performance evaluation
Clause 10 – Improvement
Additionally, ISO 27001:2013 lists controls in Annex A: 14 domains, 35 control objectives and 114 controls.
Control Objectives & Controls (Annex A of ISO 27001:2013)
14 domains, 35 control objectives, 114 controls:
A.5 Information security policies
A.6 Organisation of information security
A.7 Human resource security
A.8 Asset management
A.9 Access control
A.10 Cryptography
A.11 Physical and environmental security
A.12 Operations security
A.13 Communications security
A.14 System acquisition, development and maintenance
A.15 Supplier relationships
A.16 Information security incident management
A.17 Information security aspects of business continuity management
A.18 Compliance
Together these controls protect the confidentiality, integrity and availability of information.
ISMS Implementation
Risk Management – the critical first step in ISO 27001 implementation
RISK = ASSET VALUE × PROBABILITY × IMPACT
Risk is the possibility that a threat exploits a vulnerability in an information asset, leading to an adverse impact on the organization.
Information Assets & Types
An asset is any tangible or intangible thing or characteristic that has value to an organization. Asset types include:
- Software
- IT hardware (physical assets)
- Persons who support and use the IT system
- Processes and support processes that deliver products and services
- IT and other infrastructure of the organization
- System interfaces (internal and external connectivity)
- Electronic media
- and, above all, data and information
Classification of Information Asset
Information Security Risk Assessment
- Asset inventory
- Asset classification
- Asset value = Confidentiality value + Integrity value + Availability value (each value is assigned on a scale of 1 to 3, where 1 is low, 2 is medium and 3 is high)
- Inherent risk = Asset value × Threat value × Vulnerability value × Probability value × Impact value
- Existing controls effectiveness is assigned on a scale of 1 to 3
- Risk priority number = Inherent risk / Existing controls effectiveness
- Treatment of the risk if it is unacceptable
- Residual risk, where the risk is High or Moderate, is signed off by management or the risk owner
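The two risk formulas above (the short RISK = ASSET VALUE × PROBABILITY × IMPACT form on the Risk Management slide, and the fuller Inherent risk / Risk priority number method on this slide) are easier to trust once you see the numbers run end to end. The following is an added example, not part of the presentation: it scores a small constructed asset inventory with the slides' arithmetic and sorts the scenarios by risk priority number. The slides only give the 1-to-3 scale for the C, I and A values; this example assumes the same 1-to-3 scale for threat, vulnerability, probability, impact and controls effectiveness, and the High/Moderate thresholds, asset names and scenario scores are illustrative assumptions, not figures from the deck.

```python
"""Worked example of the slides' risk-assessment arithmetic (added example).

    Asset value          = C + I + A                (each on a 1..3 scale, from the slides)
    Inherent risk        = Asset value x Threat x Vulnerability x Probability x Impact
    Risk priority number = Inherent risk / Existing controls effectiveness

ASSUMPTIONS not stated on the slides: threat, vulnerability, probability, impact and
controls effectiveness are also scored 1..3; the High/Moderate thresholds are
illustrative; the sample assets and scenarios are constructed for this example.
"""
from dataclasses import dataclass

SCALE = (1, 2, 3)           # 1 = low, 2 = medium, 3 = high (from the slides)
HIGH_THRESHOLD = 100.0      # ASSUMPTION: an RPN at or above this is rated "High"
MODERATE_THRESHOLD = 20.0   # ASSUMPTION: an RPN at or above this is rated "Moderate"


def _check_scale(name: str, value: int) -> None:
    """Reject scores outside the 1..3 scale so a typo cannot hide or inflate a risk."""
    if value not in SCALE:
        raise ValueError(f"{name} must be one of {SCALE}, got {value!r}")


@dataclass(frozen=True)
class Asset:
    """An inventoried asset with its classification (C, I and A values)."""
    name: str
    asset_type: str
    confidentiality: int
    integrity: int
    availability: int

    def __post_init__(self) -> None:
        for label in ("confidentiality", "integrity", "availability"):
            _check_scale(f"{self.name}.{label}", getattr(self, label))

    @property
    def value(self) -> int:
        # Asset value = C + I + A, so it ranges from 3 to 9.
        return self.confidentiality + self.integrity + self.availability


@dataclass(frozen=True)
class RiskScenario:
    """One threat/vulnerability pair against one asset, with its scores."""
    asset: Asset
    threat: str
    vulnerability: str
    threat_value: int
    vulnerability_value: int
    probability: int
    impact: int
    controls_effectiveness: int

    def __post_init__(self) -> None:
        for label in ("threat_value", "vulnerability_value", "probability",
                      "impact", "controls_effectiveness"):
            _check_scale(f"{self.asset.name}.{label}", getattr(self, label))


def inherent_risk(s: RiskScenario) -> int:
    """Inherent risk, before any existing controls are credited."""
    return (s.asset.value * s.threat_value * s.vulnerability_value
            * s.probability * s.impact)


def risk_priority_number(s: RiskScenario) -> float:
    """Inherent risk discounted by how effective the existing controls are."""
    return inherent_risk(s) / s.controls_effectiveness


def rating(rpn: float) -> str:
    """Map an RPN onto High / Moderate / Low (thresholds are assumed, see above)."""
    if rpn >= HIGH_THRESHOLD:
        return "High"
    if rpn >= MODERATE_THRESHOLD:
        return "Moderate"
    return "Low"


def assess(scenarios: list[RiskScenario]) -> list[dict]:
    """Score every scenario and return them highest priority first."""
    rows = []
    for s in scenarios:
        rpn = risk_priority_number(s)
        band = rating(rpn)
        rows.append({
            "asset": s.asset.name,
            "threat": s.threat,
            "asset_value": s.asset.value,
            "inherent_risk": inherent_risk(s),
            "rpn": rpn,
            "rating": band,
            # Slides: High or Moderate residual risk needs management / risk-owner sign-off.
            "signoff_required": band in ("High", "Moderate"),
        })
    return sorted(rows, key=lambda r: r["rpn"], reverse=True)


# Constructed sample inventory (illustrative, not taken from the presentation).
SAMPLE_SCENARIOS = [
    RiskScenario(Asset("Patient results database", "Data", 3, 3, 2),
                 "External attacker", "Unpatched database server", 3, 2, 2, 3, 2),
    RiskScenario(Asset("Public website", "Software", 1, 2, 2),
                 "Defacement", "Weak admin password", 2, 2, 2, 1, 2),
    RiskScenario(Asset("Cafeteria menu PDF", "Data", 1, 1, 1),
                 "Accidental deletion", "No backup", 1, 1, 1, 1, 1),
]

if __name__ == "__main__":
    for r in assess(SAMPLE_SCENARIOS):
        print(f"{r['asset']:<26} value={r['asset_value']} inherent={r['inherent_risk']:>4} "
              f"RPN={r['rpn']:>6.1f} {r['rating']:<8} sign-off={r['signoff_required']}")
```

Note how the arithmetic behaves: the patient database scores 8 × 3 × 2 × 2 × 3 = 288 inherent risk and, with medium controls, an RPN of 144, while the website's RPN of exactly 20 sits on the assumed Moderate boundary. Because the method multiplies five 1-to-3 scores, a single "3" in any factor can triple a result, so the score validation matters as much as the formula; in a real ISMS the scale for each factor and the acceptance thresholds would be fixed in the risk assessment methodology document before anyone scores an asset.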
What is a Threat?
- A threat is an expression of intention to inflict evil, injury or damage.
- In information security terms: an attack against the key security services – confidentiality, integrity and availability.
- A threat means something bad is coming your way; a high threat means it is highly likely to hit you and the result will be very bad.