Chapter 12
ISO 27001: Awareness
Information System Security
Jupriyadi, S.Kom. M.T.
jupriyadi@teknokrat.ac.id
Bandarlampung, August 2021
Agenda
 What is information?
 What is information security?
 What is risk?
 Introduction to the ISO standards
 Managing information security
 Your security responsibilities
Information
Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.
Information Types
Information exists in many forms:
 Printed or written on paper
 Stored electronically
 Transmitted by post or electronic means
 Visual e.g. videos, diagrams
 Published on the Web
 Verbal/aural e.g. conversations, phone calls
 Intangible e.g. knowledge, experience, expertise, ideas
‘Whatever form the information takes, or means by which it is
shared or stored, it should always be appropriately protected’
Information Lifecycle
Information can be …
 Created
 Owned (it is an asset)
 Stored
 Processed
 Transmitted/communicated
 Used (for proper or improper purposes)
 Modified or corrupted
 Shared or disclosed (whether appropriately or not)
 Destroyed or lost
 Stolen
 Controlled, secured and protected throughout its existence
What is information security?
Key Term
 Information security is what keeps valuable information ‘free of danger’ (protected, safe from harm)
 It is not something you buy, it is something you do
o It’s a process, not a product
 It is achieved using a combination of suitable strategies and approaches:
o Determining the risks to information and treating them accordingly (proactive risk management)
o Protecting CIA (Confidentiality, Integrity and Availability)
o Avoiding, preventing, detecting and recovering from incidents
o Securing people, processes and technology … not just IT!
Security Elements
 People: staff and management
 Processes: business activities
 Technology: IT, phones, USB sticks
People
People who use or have an interest in our information security
include:
 Shareholders / owners
 Management & staff
 Customers / clients, suppliers & business partners
 Service providers, consultants & advisors
 Authorities, regulators & judges
Our biggest threats involve people (social engineers, unethical competitors, hackers, fraudsters, careless workers, and the bugs and flaws that people build in …), yet our biggest asset is also our people (e.g. security-aware employees who spot trouble early).
Processes
Processes are work practices or workflows, the steps or activities
needed to accomplish business objectives.
• Processes are described in procedures.
• Virtually all business processes involve and/or depend on information, which makes information a critical business asset.
Information security policies and procedures define how we secure
information appropriately and repeatedly.
Technology
Information technologies
 Cabling, data/voice networks and equipment
 Telecommunications services (PABX, VoIP, ISDN, videoconferencing)
 Phones, cellphones, PDAs
 Computer servers, desktops and associated data storage devices (disks,
tapes)
 Operating system and application software
 Paperwork, files
 Pens, ink
Security technologies
 Locks, barriers, card-access systems, CCTV
Value
Information security is valuable because it …
• Protects information against various threats
• Ensures business continuity
• Minimizes financial losses and other impacts
• Optimizes return on investments
• Creates opportunities to do business safely
• Maintains privacy and compliance
We all depend on information security
CIA
Information security is defined as the preservation of:
Confidentiality: making information accessible only to those authorized to use it
Integrity: safeguarding the accuracy and completeness of information and processing methods
Availability: ensuring that information is available when required
Impacts
Security incidents cause …
• IT downtime, business interruption
• Financial losses and costs
• Devaluation of intellectual property
• Breaking laws and regulations, leading to prosecutions, fines and penalties
• Reputation and brand damage leading to loss of customer, market, business partner or owners’ confidence and lost business
• Fear, uncertainty and doubt
What is Risk?
Key Term
Risk is the possibility that a threat exploits a vulnerability in an information asset, leading to an adverse impact on the organization.
Threat: something that might cause harm
Vulnerability: a weakness that might be exploited
Impact: the harm that results (financial loss, downtime, legal exposure, reputational damage etc.)
Threat Agent
The ‘actor’ that represents, carries out or catalyzes the threat
• Human
• Machine
• Nature
Threat Types
Threat type: examples
Human error: typo, wrong attachment/email address, lost laptop or phone
Intellectual property loss: piracy, industrial espionage
Deliberate act: unauthorized access/trespass, data theft, extortion, blackmail, sabotage, vandalism, terrorist/activist/criminal activity
Fraud: identity theft, expenses fraud
System/network attack: viruses, worms, Trojans, hacks
Service issue: power cuts, network outages
Force of nature: fire, flood, storm, earthquake, lightning, tsunami, volcanic eruption
Hardware issue: computer power supply failure, lack of capacity
Software issue: bugs or design flaws, data corruption
Obsolescence: unsupported software, e.g. the Windows XP operating system (out of vendor support since April 2014)
So how do we secure our information assets?
History of ISO 27001
1990s
• Information Security Management Code of Practice produced by a UK government-sponsored working group
• Based on the security policy used by Shell
• Became British Standard BS 7799 (first published 1995)
2000s
• Adopted by ISO/IEC
• Became ISO/IEC 17799 (2000; renumbered ISO/IEC 27002 in 2007)
• ISO/IEC 27001 published (2005) and the certification scheme started
Now
• Expanding into a suite of information security standards (known as “ISO27k”)
• Updated and reissued every few years
• The edition current when this deck was written (August 2021) was ISO/IEC 27001:2013; there is no “ISO 27001:2018” (2018 is the year of ISO/IEC 27000:2018, the overview and vocabulary standard). ISO/IEC 27001:2013 was superseded by ISO/IEC 27001:2022 in October 2022
ISO 27001
• Concerns the management of information security, not just IT/technical security
• Formally specifies a management system (an ISMS)
• Uses Plan, Do, Check, Act (PDCA) to achieve, maintain and improve alignment of security with risks (the 2005 edition names PDCA explicitly; from the 2013 edition the standard follows the common ISO management-system structure, but the continual-improvement cycle is the same)
• Covers all types of organizations (e.g. commercial companies, government agencies, not-for-profit organizations) and all sizes
• Thousands of organizations worldwide have been certified compliant
Plan Do Check Act (PDCA): Plan (establish the ISMS), Do (implement and operate the ISMS), Check (monitor and review the ISMS), Act (maintain and improve the ISMS)
Control Clauses
The control areas below follow Annex A of ISO/IEC 27001:2005 (11 clauses). The 2013 edition regrouped them into 14 control sections (A.5 to A.18), and the 2022 edition into four themes (organizational, people, physical and technological controls).
• Information security policy: management direction
• Organization of information security: management framework for implementation
• Asset management: assessment, classification and protection of valuable information assets
• HR security: security for joiners, movers and leavers
• Physical & environmental security: prevents unauthorised access, theft, compromise, damage to information and computing facilities, power cuts
• Communications & operations management: ensures the correct and secure operation of IT
• Access control: restrict unauthorized access to information assets
• Information systems acquisition, development & maintenance: build security into systems
• Information security incident management: deal sensibly with security incidents that arise
• Business continuity management: maintain essential business processes and restore any that fail
• Compliance: avoid breaching laws, regulations, policies and other security obligations
Implementation Process Cycle (diagram)
Benefits
• Demonstrable commitment to security by the organization
• Legal and regulatory compliance
• Better risk management
• Commercial credibility, confidence, and assurance
• Reduced costs
• Clear employee direction and improved awareness
Key Documents
• High level corporate security policy
• Supporting policies e.g. physical & environmental, email, HR,
incident management, compliance etc.
• Standards e.g. Windows Security Standard
• SOPs
• Records e.g. security logs, security review reports, corrective
actions
User Responsibilities
Do:
• Read and follow security policies and procedures
• Display identity cards while on the premises
• Challenge or report anyone without an ID card
• Visit the intranet Security Zone or call the IT Help/Service Desk for advice on most information security matters
Do not:
• Allow unauthorized visitors onto the premises
• Bring weapons, hazardous/combustible materials, recording devices etc., especially into secure areas
• Use personal IT devices for work purposes, unless explicitly authorized by management
User Responsibilities
Password Guidelines
Do:
 Use strong passwords as suggested in the password management policy.
 Change your password frequently, at least once every 3 months.
 Each successive password must be unique. Don’t use the same password again.
Do not:
 Use short or easily-guessed passwords
 Write down passwords or store them in plain text
 Share passwords over phone or email
Note: the 3-month rotation rule reflects this organization’s policy. Current guidance such as NIST SP 800-63B advises against forced periodic changes, requires a change whenever a password is suspected of being compromised, screens new passwords against lists of known-breached passwords, and favours length over composition rules.
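The rules above are written for users; the following is an added example of how the same rules are enforced on the server side, written for this page and not taken from the slide deck or from ISO 27001. It checks a proposed password for minimum length, a blocklist of common passwords, the username, and reuse of the user’s previous passwords, keeping that history only as salted PBKDF2 hashes so no password is ever stored in plain text. MIN_LENGTH, HISTORY_DEPTH, PBKDF2_ROUNDS and the blocklist are assumed policy values, and the user “alice” and her passwords are constructed test data.

```python
"""Password policy enforcement with a hashed password history (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Tuple

MIN_LENGTH = 12          # assumed policy minimum; the deck only says "strong"
HISTORY_DEPTH = 12       # assumed number of previous passwords remembered
PBKDF2_ROUNDS = 100_000  # assumed work factor; raise it in production

# Tiny constructed blocklist for the example. A real deployment screens
# candidates against a large list of known-breached passwords instead.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so equal passwords do not yield equal stored values."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class PasswordHistory:
    """The user's last HISTORY_DEPTH passwords, stored only as (salt, hash) pairs."""
    entries: List[Tuple[bytes, bytes]] = field(default_factory=list)

    def contains(self, password: str) -> bool:
        # Re-hash the candidate under each stored salt and compare in constant time.
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self.entries)

    def add(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, _hash(password, salt)))
        del self.entries[:-HISTORY_DEPTH]   # forget anything older than the last N


def check_password(candidate: str, username: str, history: PasswordHistory) -> List[str]:
    """Return the policy violations for a proposed password; an empty list means it is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = candidate.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if history.contains(candidate):
        problems.append("reuses a previous password")
    return problems


def change_password(candidate: str, username: str, history: PasswordHistory) -> bool:
    """Apply the policy; record the new password in the history only if it passes."""
    if check_password(candidate, username, history):
        return False
    history.add(candidate)
    return True


if __name__ == "__main__":
    h = PasswordHistory()                                   # constructed test data
    print(change_password("correct horse battery staple", "alice", h))
    print(check_password("password1", "alice", h))          # too short and blocklisted
    print(check_password("correct horse battery staple", "alice", h))  # reuse rejected
```

The history check re-hashes the candidate under every stored salt, so the cost grows with HISTORY_DEPTH; that is the price of never storing the old passwords themselves. A production system would also rate-limit change attempts and log rejections as security records.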
User Responsibilities
Internet Usage
Use the corporate Internet facilities only for legitimate and authorized business purposes.
Warning: Internet usage is routinely logged and monitored. Be careful which websites you visit and what you disclose.
 Avoid websites that would be classed as obscene, racist, offensive or illegal – anything that would be embarrassing
 Do not access online auction or shopping sites, except where authorized by your manager
 Don’t hack!
 Do not download or upload commercial software or other copyrighted material without the correct license and permission from your manager
User Responsibilities
E-mail Usage
Use corporate email for business purposes only
Do not use your corporate email address for personal email
Do not circulate chain letters, hoaxes, inappropriate jokes, videos etc.
Do not send emails outside the organization unless you are authorized to do so
Be very wary of email attachments and links, especially in unsolicited emails (many carry malware or lead to phishing pages)
Follow the email storage guidelines
If you receive spam email, simply delete it. If it is offensive or you receive a lot, call the IT Help Desk.
User Responsibilities
Security Incidents
Report information security incidents, concerns and near-misses to IT:
Email …
Telephone …
Anonymous drop-boxes …
Take their advice on what to do
Do not discuss security incidents with anyone outside the organisation
Do not attempt to interfere with, obstruct or prevent anyone else from reporting incidents
User Responsibilities
 Ensure your PC is getting antivirus updates and patches
 Lock your screen (Windows key + L) before leaving your PC unattended, and shut down your PC at the end of the day
 Store laptops and valuable information (paperwork as well as CDs, USB sticks etc.) securely under lock and key
 Keep your wits about you while traveling:
 Keep your voice down on the cellphone
 Be discreet about your IT equipment
 Take regular information backups
 Fulfill your security obligations:
 Comply with security and privacy laws, copyright and licenses
 Comply with corporate policies and procedures
 Stay up to date on information security: