iso27k awareness presentation v2

8/12/2019 ISO27k Awareness Presentation v2

1/41

Security awareness seminar

An introduction to ISO27k

I

n

f

o

rm

a

t

i

o

n

s

e

c

u

r

i

t

y

This work is copyright 2012, Mohan Kamatand ISO27k Forum, some rights reserved.

It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License.

You are welcome to reproduce, circulate, use and create derivative works from this provided that:

(a) it is not sold or incorporated into a commercial product;

(b) it is properly attributed to the ISO27k Forum (www.ISO27001security.com); and(c) any derivative works that are shared are subject to the same terms as this work.
mailto:[email protected]://www.iso27001security.com/http://www.iso27001security.com/http://www.iso27001security.com/mailto:[email protected]


2/41


3/41

Information is an asset which,like other important business

assets, has value to anorganization and consequently needsto be suitably protected

I

N

F

O

R

M

A

T

I

O

N

3

ISO/IEC 27002:2005


4/41

I

n

f

o

rm

a

t

i

on

t

y

pe

s

Information exists in many forms:

Printed or written on paper

Stored electronically

Transmitted by post or electronic means

Visual e.g.videos, diagrams

Published on the Web

Verbal/aural e.g.conversations, phone calls Intangible e.g. knowledge, experience, expertise,

ideas

Whatever form the information takes, ormeans by which it is shared or stored, itshould always be appropriately protected

(ISO/IEC 27002:2005)

4


5/41

I

n

fo

l

i

fe

c

y

c

le

Information can be

Created

Owned (it is an asset)

Stored

Processed

Transmitted/communicated

Used (for proper or improper purposes)

Modified or corrupted

Shared or disclosed (whether appropriately or not)

Destroyed or lost

Stolen

Controlled, secured and protected throughout its

existence5


6/41

Ke

y

te

r

m

What is information security?

Informationsecurity is what keeps valuable informationfree of danger (protected, safe from harm)

It is not something you buy, it is something you doo Its aprocessnot aproduct

It is achieved using a combination of suitable strategiesand approaches:

o Determining the risks to information and treating themaccordingly (proactive risk management)

o

Protecting CIA(Confidentiality, Integrity and Availability)o Avoiding, preventing, detecting and recovering from incidents

o Securing people, processes and technology not just IT!

6


7/41

S

e

c

u

r

i

t

y

e

l

e

m

e

n

t

s

PEOPLE

PROCESSES

TECHNOLOGY

Staff &management

Business activities

IT, phones, pens

7


8/41

P

e

o

pl

e

People

People who use or have an interest in ourinformation security include:

Shareholders / owners

Management & staff

Customers / clients, suppliers & business partners

Service providers, contractors, consultants &advisors

Authorities, regulators & judges

Our biggest threats arise from people (socialengineers, unethical competitors, hackers, fraudsters,careless workers, bugs, flaws ), yet our biggest

asset is our people (e.g.security-aware employeeswho spot trouble early)

8


9/41


10/41

Technology

Information technologies

Cabling, data/voice networks and equipment

Telecommunications services (PABX, VoIP, ISDN,videoconferencing)

Phones, cellphones, PDAs

Computer servers, desktops and associated data storagedevices (disks, tapes)

Operating system and application software

Paperwork, files

Pens, ink

Security technologies

Locks, barriers, card-access systems, CCTV

T

ec

h

n

ol

o

g

y

10


11/41

Protects information against various threats

Ensures business continuity

Minimizes financial losses and other impacts Optimizes return on investments

Creates opportunities to do business safely

Maintains privacy and compliance

V

a

l

u

e

We all depend oninformation security

11

Information security isvaluable because it


12/41


13/41

IT downtime, business interruption

Financial losses and costs

Devaluation of intellectual property

Breaking laws and regulations, leadingto prosecutions, fines and penalties

Reputation and brand damage leadingto loss of customer, market, business

partner or owners confidence and lostbusiness

Fear, uncertainty and doubt

Security incidents cause

13

I

mp

a

c

t

s


14/41


15/41

R

e

la

t

i

o

n

s

h

i

ps

Risk relationships

Threats Vulnerabilities

exploit

Risk

ValueSecurityrequirements

Informationassets

Controlsreduce

15

to


16/41

T

h

re

a

t

a

g

e

n

t

Threat agent

The actor that represents, carries outor catalyzes the threat

Human Machine

Nature

16


17/41

Motive

Something that causes thethreat agent to act

Implies intentional/deliberateattacks but some are accidental

Mo

t

iv

e

17


18/41

Threat type Example

Human errorTypo, wrong attachment/email address,

lost laptop or phone

Intellectual property Piracy, industrial espionage

Deliberate act

Unauthorized access/trespass, data theft,

extortion, blackmail, sabotage, vandalism,

terrorist/activist/criminal activity

Fraud Identity theft, expenses fraudSystem/network attack Viruses, worms, Trojans, hacks

Service issue Power cuts, network outages

Force of natureFire, flood, storm, earthquake, lightning,

tsunami, volcanic eruption

Hardware issueComputer power supply failure,

lack of capacity

Software issue Bugs or design flaws, data corruption

Obsolescence iPhone 4?18

T

h

r

e

a

t

t

y

p

es


19/41

So how do wesecure our

informationassets?

19


20/41

1990s Information Security Management Code of Practice

produced by a UK government-sponsored working group

Based on the security policy used by Shell Became British Standard BS7799

2000s Adopted by ISO/IEC Became ISO/IEC 17799 (later renumbered ISO/IEC 27002) ISO/IEC 27001 published & certification scheme started

Now Expanding into a suite of information security standards

(known as ISO27k)

Updated and reissued every few years

I

S

O

27

k

A brief history of ISO27k

20


21/41

Concerns the management of informationsecurity, not just IT/technical security

Formally specifies a management system

Uses Plan, Do, Check, Act (PDCA) to achieve,maintain and improve alignment of security withrisks

Covers all types of organizations (e.g. commercialcompanies, government agencies, not-for-profit

organizations) and all sizes

Thousands of organizations worldwide have beencertified compliant

ISO 27001

IS

O

2

70

0

1

21


22/41

Interested

parties

Information

security

requirements

& expectations

PLANEstablish

ISMS

CHECKMonitor &

review ISMS

ACTMaintain &

improve

Management responsibility

ISMS PROCESS

Plan-Do-Check-Act

Interested

parties

Managed

information

security

DOImplement &

operate the

ISMS

P

D

C

A

22

C


23/41

InformationSecurity Policy

Organisationof Information

Security

AssetManagement

HumanResourceSecurity

PhysicalSecurity

Communication& OperationsManagement

Access Control

SystemDevelopment

&Maintenance

IncidentManagement

BusinessContinuityPlanning

Compliance

Availability

C

O

N

T

RO

L

C

L

A

U

S

E

S

23

C


24/41

Information security policy- managementdirection

Organization of information security-

management framework for implementation

Asset managementassessment, classification

and protection of valuable information assets

HR securitysecurity for joiners, movers and

leavers Physical & environmental security- prevents

unauthorised access, theft, compromise, damage to

information and computing facilities, power cuts

C

O

N

T

RO

L

C

L

A

U

S

E

S

24

C


25/41

Communications & operations management-

ensures the correct and secure operation of IT

Access controlrestrict unauthorized access to

information assets Information systems acquisition, development &

maintenancebuild security into systems

Information security incident management deal

sensibly with security incidents that arise

Business continuity managementmaintain

essential business processes and restore any that fail

Compliance- avoid breaching laws, regulations,

policies and other security obligations

C

O

N

T

RO

L

C

L

A

U

S

E

S

25


26/41


27/41

Be

n

e

fi

t

s

Demonstrable commitment to security by theorganization

Legal and regulatory compliance

Better risk management

Commercial credibility, confidence, andassurance

Reduced costs

Clear employee direction and improved

awareness

27


28/41

S

c

o

pe

ISMS scope

Data center & DR site

All information assets

throughout the organization

28


29/41

Key ISMS documentsKe

y

d

o

c

u

m

e

n

ts

High level corporate security policy

Supporting policies e.g.physical &environmental, email, HR, incident

management, compliance etc.

Standards e.g. Windows Security Standard

Procedures and guidelines

Records e.g. security logs, security reviewreports, corrective actions

29

I f ti it i iV


30/41

Information security visionVI

S

I

O

N

&

M

I

S

S

IO

N

Vision

The organization is acknowledged as anindustry leader for information security.

Mission

To design, implement, operate, manage and

maintain an Information SecurityManagement System that complies withinternational standards, incorporating

generally-accepted good security practices

30


31/41

Who is responsible?

W

h

o

Information Security Management Committee

Information Security Manager/CISO and Department

Incident Response Team

Business Continuity Team

IT, Legal/Compliance, HR, Risk and other departments

Audit Committee

Last but not least, you!

Bottom line:

31Information security is everyones responsibility


32/41

P

o

l

ic

y

Corporate Information Security Policy

Policy is signed by the CEO andmandated by top management

Find it on the intranet

32

I


33/41

I

N

F

O

A

S

S

E

T

C

L

A

S

S

IF

I

C

A

T

I

O

N

CONFIDENTIAL:If this information is leaked outside the organization, it will result in major financial and/or imageloss. Compromise of this information may result in serious non-compliance (e.g. a privacy

breach). Access to this information must be restricted based on the concept of need-to-know.Disclosure requires the information ownersapproval. In case information needs to be disclosedto third parties, a signed confidentiality agreement is required.Examples: customer contracts, pricing rates, trade secrets, personal information, new productdevelopment plans, budgets, financial reports (prior to publication), passwords, encryption keys.

INTERNAL USE ONLY:Leakage or disclosure of this information outside the organization is unlikely to cause seriousharm but may result in some financial loss and/or embarrassment.

Examples: circulars, policies, training materials, general company emails, security policies andprocedures, corporate intranet.

PUBLIC:This information can be freely disclosed to anyone although publication must usually be explicitlyapproved by Corporate Communications or Marketing.Examples:marketing brochures, press releases, website.

33

Information Asset Classification

Confidentiality


34/41

Confidentiality

Confidentialitylevel Explanation

HighInformation which is very sensitive or private, ofgreat value to the organization and intended forspecific individuals only. The unauthorizeddisclosure of such information can cause severeharm such as legal or financial liabilities,

competitive disadvantage, loss of brand value e.g.merger and acquisition related information,marketing strategy

MediumInformation belonging to the company and not fordisclosure to public or external parties. Theunauthorized disclosure of this information mayharm to the organization somewhat e.g.organization charts, internal contact lists.

LowNon-sensitive information available for publicdisclosure. The impact of unauthorized disclosure ofsuch information shall not harm Organisationanyway. E.g. Press releases, Companys Newsletters e.g. Information published on companys

website

Confidentiality of information concerns the protection of sensitive (and often highlyvaluable) information from unauthorized or inappropriate disclosure.

C

l

a

ss

i

f

ic

a

t

i

o

n

3/10/34Mohan Kamat

U


35/41

S

E

R

R

E

S

P

O

N

S

I

B

I

L

I

TI

E

S

Physical security

Read and follow security policies and procedures Display identity cards while on the premises

Challenge or report anyone without an ID card

Visit the intranet Security Zone or call IT Help/Service Deskfor advice on most information security matters

Allow unauthorized visitors onto the premises

Bring weapons, hazardous/combustible materials, recordingdevices etc., especially in secure areas

Use personal IT devices for work purposes, unless explicitlyauthorized by management

35

Do not

Do

U


36/41

S

E

R

R

E

S

P

O

N

S

I

B

I

L

I

TI

E

S

Password Guidelines

Use long, complicated passphrases - whole sentences if you can Reserve your strongest passphrases for high security systems (dont

re-use the same passphrase everywhere)

Use famous quotes, lines from your favorite songs, poems etc. tomake them memorable

Use short or easily-guessed passwords

Write down passwords or store them in plain text

Share passwords over phone or email

36

U

I t t


37/41

S

E

R

R

E

S

P

O

N

S

I

B

I

L

I

TI

E

S

Warning: Internet usage is routinely logged and monitored.Be careful which websites you visit and what you disclose.

Avoid websites that would be classed as obscene, racist,offensive or illegal anything that would be embarrassing

Do not access online auction or shopping sites, except where

authorized by your manager Donthack!

Do not download or upload commercial software or othercopyrighted material without the correct license andpermission from your manager

Use the corporate Internet facilities only for legitimate and

authorized business purposes

Internet usage

37

U

E il


38/41

S

E

R

R

E

S

P

O

N

S

I

B

I

L

I

TI

E

S

E-mail usage

Do not use your corporate email address for personal email Do not circulate chain letters, hoaxes, inappropriate jokes,

videos etc. Do not send emails outside the organization unless you are

authorized to do so Be very wary of email attachments and links, especially inunsolicited emails (most are virus-infected)

38

Use corporate email for business purposes only

Follow the email storage guidelines If you receive spam email, simply delete it. If it is

offensive or you receive a lot, call the IT Help/ServiceDesk

U


39/41

S

E

R

R

E

S

P

O

N

S

I

B

I

L

I

TI

E

S

Security incidents

39

Report information security incidents, concerns and

near-misses to IT Help/Service Desk: Email

Telephone

Anonymous drop-boxes

Take their advice on what to do

Do not discuss security incidents with anyone outside theorganization

Do not attempt to interfere with, obstruct or prevent anyoneelse from reporting incidents


40/41

R

e

s

p

o

n

s

i

b

i

l

i

t

i

e

s

Ensure your PC is getting antivirus updates and patches

Lock your keyboard (Windows-L) before leaving your PCunattended, and log-off at the end of the day

Store laptops and valuable information (paperwork as well asCDs, USB sticks etc.) securely under lock and key

Keep your wits about you while traveling:

Keep your voice down on the cellphone

Be discreet about your IT equipment

Take regular information back ups

Fulfill your security obligations:

Comply with security and privacy laws, copyright and licenses,

NDA (Non Disclosure Agreements) and contracts

Comply with corporate policies and procedures

Stay up to date on information security:

Visit the intranet Security Zone when you have a moment

40


41/41

iso27k awareness presentation v2

Documents