7/27/2019 Introduction to Information Security - TKK
1/23
Copyright 2013 BSI. All rights reserved.
Introduction to Information Security
Based on the Information Security Management System (BS ISO/IEC 27001:2005)
By Natalia Evianti
Information?
Information asset: knowledge or data that has value to the organisation. It may be:
  Printed or written on paper
  Stored electronically
  Transmitted by post or using electronic means
  Shown on corporate videos
  Verbal - spoken in conversations
"Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected." (ISO 27002)
Information Security
What's an ISMS?
ISO 27001: A Management System
Information Security Management System: the part of the overall management system, based on a business risk approach, that establishes, implements, operates, monitors, reviews, maintains and improves information security.
ISO 27001 IS ALL ABOUT RISK
What is information security?
(Figure: the Confidentiality / Integrity / Availability triangle)
ISO 27001:2005 defines information security as the preservation of:
  Confidentiality: information is not made available or disclosed to unauthorized individuals, entities, or processes
  Integrity: safeguarding the accuracy and completeness of assets
  Availability: information is accessible and usable upon demand by an authorized entity
Note: in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved.
AIMS of ISO 27001
  Provide best information security practices
  Enable organizations to develop, implement and measure effective security management practice
  Provide confidence and trust between trading organizations
  Applicable to a wide range of organizations: large, medium and small
Industries that can apply for ISO 27001
Bank
Insurance
Security service provider
University
Hospital
Telecommunication
Government department
Government subcontractor
Travel agency
Consultancy
IT service provider
Training course provider
Online shopping
Wholesaler
Stock Exchange
Power station
Water supplier
Semiconductor
Finance service provider
Research center
Military
Medical service
Manufacturing
Automotive
Benefits of ISO 27001 & Certification
  Systemic and holistic approach: benefit from best practice as captured in the standard
  Increase confidence of the organisation in its information security processes
  A neutral, internationally recognised system helps overcome "not invented here" syndrome
  Eases the challenges of bringing systems together in different parts of an organisation, interoperability, etc.
  Helps avoid arguments about which way is best in one or another person's opinion
  Improve information security management
  Reduce the probability of information security breaches
Benefits of ISO 27001 & Certification (continued)
  When there is a breach, being able to demonstrate that an ISMS is in place may be some defence
  Protect reputation/brand: easy to lose, very hard to rebuild
  Independent verification that the system is in place, meets the requirements of ISO 27001 and is effective
  Increase stakeholder confidence in the organisation's ability to protect their information
  Independent view of the system's implementation and effectiveness that can provoke continual improvement
  When it is demanded, satisfy the customer requirement to have a certified ISMS in place
The ISO 27001 family of standards
  ISO 27000  Overview and vocabulary
  ISO 27001  Audit Requirements
  ISO 27002  Code of Practice (was ISO 17799:2005)
  ISO 27003  Implementation Guidance
  ISO 27004  Measurement
  ISO 27005  Risk Management
  ISO 27006  Requirements for Bodies providing Audit and Certification of ISMSs
Also relevant:
  BS 7799-3:2006  Risk Management
  BS 31100:2011  Risk Management Code of Practice
  ISO TR 18044:2004  Information Security Incident Management
ISO 27001 General Clauses
4 Information security management system
  4.1 General requirements
  4.2 Establishing and managing the ISMS
    4.2.1 Establish the ISMS
    4.2.2 Implement and operate the ISMS
    4.2.3 Monitor and review the ISMS
    4.2.4 Maintain and improve the ISMS
  4.3 Documentation requirements
    4.3.1 General
    4.3.2 Control of documents
    4.3.3 Control of records
5 Management responsibility
  5.1 Management commitment
  5.2 Resource management
    5.2.1 Provision of resources
    5.2.2 Training, awareness and competence
6 Internal ISMS audits
7 Management review of the ISMS
  7.1 General
  7.2 Review input
  7.3 Review output
8 ISMS improvement
  8.1 Continual improvement
  8.2 Corrective action
  8.3 Preventive action
ISO 27001 Annex A
(Figure: the eleven Annex A control domains arranged around "Implement ISO 27001:2005")
  A.5 Security Policy
  A.6 Organisation
  A.7 Asset Management
  A.8 HR Security
  A.9 Physical and Environmental Security
  A.10 Communications & Operations Management
  A.11 Access Controls
  A.12 Systems Acquisition, Development and Maintenance
  A.13 Security Incident Management
  A.14 Business Continuity Management
  A.15 Compliance
ISO 27001 Annex A (control objectives / controls per domain)
  A.5   Security policy                                                1 / 2
  A.6   Organization of information security                           2 / 11
  A.7   Asset management                                               2 / 5
  A.8   Human resources security                                       3 / 9
  A.9   Physical and environmental security                            2 / 13
  A.10  Communications and operations management                      10 / 32
  A.11  Access control                                                 7 / 25
  A.12  Information systems acquisition, development and maintenance   6 / 16
  A.13  Information security incident management                       2 / 5
  A.14  Business continuity management                                 1 / 5
  A.15  Compliance                                                     3 / 10
Total: 11 domains, 39 control objectives, 133 controls
Example of Control Requirements
A.5 IS Policy
  Policy document approved by management
A.6 Organization of IS
  Contact with authorities, specialists and professionals
A.7 Asset Management
  Inventory and ownership of assets
  Classify and label assets
Example of Control Requirements
A.8 Human Resources Security
  Background investigation before recruitment, disciplinary actions
  Training and awareness
  Termination and separation
A.9 Physical and Environmental Security
  Perimeter and secure areas
  Equipment, facilities and cabling security
  Equipment disposal
Example of Control Requirements
A.10 Communications and Operations
  Change management, segregation of duties
  3rd party control
  Capacity management, monitoring and log information
  Control against malicious code
  Back up
  Network security
  Media handling including disposal
  E-commerce
  Clock synchronization
Example of Control Requirements
A.11 Access Control
  User registration and privileges
  Password, clear desk and clear screen
  Segregation in networks
  Session time out
A.12 Information Systems Acquisition, Development and Maintenance
  Software control, source code protection
Example of Control Requirements
A.13 Incident Management
  Reporting and investigation
A.14 Business Continuity Management
  BC plan and testing
A.15 Compliance
  Intellectual property rights, privacy of personal information
  Technical compliance (pen test)
Important Documents/Records in ISO 27001:2005
  Information security policies
  Risk assessment
  Statement of Applicability (SOA)
Risk Assessment Steps
  Identification: assets, threats to the assets, vulnerabilities that may be exploited by the threats, and the impact that loss of C, I or A may have on the assets
  Assess the likelihood of security failures
  Estimate the levels of risk
  Risk treatment: avoid, transfer, accept or apply controls
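The four steps above carried through on a small risk register, as an added Python example that is not from the slides or from BSI. The scenarios are constructed, and the 1-5 scales, the likelihood x impact formula and the treatment thresholds are assumptions, since ISO 27001 leaves the risk method to the organisation.

```python
from dataclasses import dataclass

SCALE = range(1, 6)  # assumed 1 (low) .. 5 (high) scale for impact and likelihood


@dataclass(frozen=True)
class Scenario:
    """Step 1: an asset, a threat to it, the vulnerability the threat may exploit,
    and the impact that loss of C, I or A would have on the asset."""
    asset: str
    threat: str
    vulnerability: str
    impact_c: int
    impact_i: int
    impact_a: int
    likelihood: int             # step 2: likelihood of the security failure
    transferable: bool = False  # can the loss be insured or contracted out?

    def __post_init__(self):
        for v in (self.impact_c, self.impact_i, self.impact_a, self.likelihood):
            if v not in SCALE:
                raise ValueError(f"{self.asset}: value {v} outside scale 1-5")


def risk_level(s: Scenario) -> int:
    """Step 3: risk = likelihood x worst-case impact across C, I and A (1..25)."""
    return s.likelihood * max(s.impact_c, s.impact_i, s.impact_a)


def treatment(level: int, transferable: bool = False) -> str:
    """Step 4: pick one of the slide's four options; thresholds are assumptions."""
    if level <= 4:
        return "Accept"            # within risk appetite: record and monitor
    if level >= 20:
        return "Avoid"             # stop the activity that creates the risk
    if transferable and level >= 12:
        return "Transfer"          # insurance or contractual transfer
    return "Apply Controls"        # select Annex A controls, justify them in the SoA


# Constructed sample register for this example, not real data.
REGISTER = [
    Scenario("Customer database", "Disclosure by attacker", "Unpatched DB server", 5, 4, 3, 3),
    Scenario("Paper archive", "Fire", "No fire suppression", 1, 2, 4, 3, transferable=True),
    Scenario("Legacy FTP server", "Credential interception", "Cleartext protocol", 5, 3, 1, 4),
    Scenario("Staff intranet", "Outage", "Single server, no spare", 1, 1, 2, 2),
]


def assess(register: list[Scenario]) -> list[tuple[str, int, str]]:
    """Risk register output: (asset, level, treatment), highest risk first."""
    rows = [(s.asset, risk_level(s), treatment(risk_level(s), s.transferable)) for s in register]
    return sorted(rows, key=lambda r: r[1], reverse=True)
```

Every "Apply Controls" row is what later feeds the Statement of Applicability, where the selected Annex A controls and the reason for them are recorded.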
Statement of Applicability
Include the following:
  Control objectives and controls selected/implemented, and the reason
  Exclusion of any control objectives and controls in Annex A, and the justification for their exclusion
Example: Statement of Applicability against controls identified in Annex A of ISO 270
  Clause     Applicability    Process Doc                                                        Comment
  A.5.1.1    Yes              Doc xxx
  A.5.1.2    Yes              Doc xxx
  A.9.1.5    Yes              Working in Secure Areas Doc 1.3, Issue 1 dated 04/09/04
  A.12.3     Not Applicable                                                                      Company currently does not use or interface with any encrypted information
  A.14.1.1   Yes              Business Continuity Management Process Doc 4.2, Issue 2 dated 22/10/04
  A.15.1.6   Not Applicable                                                                      Company currently does not use or interface with any encrypted information
Thank you for participating!
Information Security Management Systems
(BS ISO/IEC 27001:2005)