ISMS - New - Awareness Presentation · Information Security Awareness
TRANSCRIPT
www.coralesecure.com
Information – Where is it?
Services
Software
Physical (Hardware)
Personnel
Paper
Service Provider
Information
Literally, "everywhere"
What is CIA?
Confidentiality: Ensuring that information is accessible only to those authorised to have access.
Integrity: Safeguarding the accuracy and completeness of information and processing methods.
Availability: Ensuring that authorised users have access to information and associated assets when required.
Example?
Why is Information Security needed?
To prevent unauthorised modification/alteration (Integrity)
To protect against loss/destruction, natural or man-made (Availability)
To prevent unauthorised disclosure (Confidentiality)
Business Requirements
Legislative Requirements
Benefits of Information Security
1. Protects your job
2. Protects the business – enables 'Continuity'
3. Partner trust
4. Security in 'everything' we do
5. Reduced response time in case of an 'incident'
*Not exhaustive
ISO 27001 Domain & Controls

Domain                                                                   Control Objectives   Controls
A.5   Security policy                                                     1                    2
A.6   Organization of information security                                2                    7
A.7   Human resource security                                             3                    6
A.8   Asset management                                                    3                   10
A.9   Access control                                                      4                   14
A.10  Cryptography                                                        1                    2
A.11  Physical and environmental security                                 2                   15
A.12  Operations security                                                 7                   14
A.13  Communications security                                             2                    7
A.14  System acquisition, development and maintenance                     3                   13
A.15  Supplier relationships                                              2                    5
A.16  Information security incident management                            1                    7
A.17  Information security aspects of business continuity management      2                    4
A.18  Compliance                                                          2                    8
Total (14 domains)                                                       35                  114
Physical security controls cover all aspects of physical security such as doors, access control systems, entry and exit areas, and associated processes (such as fire evacuation and visitor management, to name a few).
Technical controls can cover user ID and password, antivirus, encryption, firewall and associated processes (such as change management and access management).
Personnel controls such as background screening, induction training, and revocation of access upon employee departure (not exhaustive).
Administrative controls such as asset identification, document classification, risk assessment, and documentation, to name a few.
Anything else?
Vulnerability Types
Process Vulnerability: No formal change management process; no induction process for information security
Implementation Flaw: Door lock is not working; no responsibility for firewall configuration; unnecessary services running on the server
Insecure Product/Protocol: telnet instead of ssh; http instead of https; plain text instead of encrypted data store
Insecure Practices/Usage: No screen saver on the machines; irregular backups; wrong allocation of password rights; tailgating; irregular patch management
Insecure Development Process: Absence of security in the development lifecycle; no check in the application for invalid characters
Acceptable Usage Policy (AUP) – Table of Contents
1. Purpose
2. ISO 27001:2013 reference
3. Definition of Information Assets
4. Responsibility
5. General Security Practices
6. Userid & Password Protection
7. Usage of Electronic Mail (email)
8. Prohibited Actions Using Email
9. Usage of Office Network & Communication Infrastructure
10. Usage of Desktop Computer
11. Usage of Notebook/Laptop Computer
12. Connecting to Internet from Public Places
13. Secure Usage of Mobile Devices
14. Secure Usage of Physical Access Cards
15. Secure Usage of Cryptographic Keys
16. Internet Usage Policy
17. Clear Desk and Clear Screen Policy
18. Teleworking Policy
19. Social Media/Social Networking Policy
20. Weakness & Incident Reporting
21. Consequence Management/Disciplinary Action Procedure (DAP)
22. Intellectual Property/Ownership
23. Right to Audit
24. Questions/Clarifications/Improvements
Reading and accepting terms of AUP is mandatory!
Common End User Security Expectations
• You are the 'eyes' and 'ears' for securing information and the organisation
• Clear desk and clear screen policy – learn [Windows] + L!
• Do not exploit a weakness – report it!
• Use complex passwords
• Protect your smartphone by adding a password
• Know your security manager
• Read the Acceptable Usage Policy