SlideShare uma empresa Scribd logo

Presentation1 110616195133-phpapp01(information security)

Transferir como PPTX, PDF
Bonagiri Rajitha
Bonagiri Rajitha

information security

Engenharia
1 de 59
INFORMATION SECURITY I N F O R M A T I O N S E C U R I T Y -Riham Yassin -Sawsan Megahed -Ahmed Moussa
What is Information? What is Information Security? What is RISK? An Introduction to ISO for information technology User Responsibilities A G E N D A 2
'Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected’ BS ISO 27002:2005 I N F O R M A T I O N 3
I N F O R M A T I O N L I F E C Y C L E Information can be  Created  Stored  Destroyed  Processed  Transmitted  Used – (For proper & improper purposes)  Corrupted  Lost  Stolen 4
I N F O R M A T I O N T Y P E S Printed or written on paper Stored electronically  Transmitted by post or using electronics means Shown on corporate videos Displayed / published on web Verbal – spoken in conversations ‘…Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected’ (BS ISO 27002:2005) 5
I N F O R M A T I O N S E C U R I T Y What Is Information Security  The quality or state of being secure to be free from danger  Security is achieved using several strategies  Security is achieved using several strategies simultaneously or used in combination with one another  Security is recognized as essential to protect vital processes and the systems that provide those processes  Security is not something you buy, it is something you do 6
 The architecture where an integrated combination of appliances, systems and solutions, software, alarms, and vulnerability scans working together What Is Information Security  Security is for PPT and not only for appliances or devices  Monitored 24x7  Having People, Processes, Technology, policies, procedures, I N F O R M A T I O N S E C U R I T Y 7/1/2015 7Mohan Kamat
I N F O S E C C O M P O N E N T S PEOPLE PROCESSES TECHNOLOGY 7/1/2015 8Mohan Kamat
P E O P L E People “Who we are” People who use or interact with the Information include:  Share Holders / Owners  Management  Employees  Business Partners  Service providers  Contractors  Customers / Clients  Regulators etc… 7/1/2015 9Mohan Kamat
Process “what we do” The processes refer to "work practices" or workflow. Processes are the repeatable steps to accomplish business objectives. Typical process in our IT Infrastructure could include:  Helpdesk / Service management  Incident Reporting and Management  Change Requests process  Request fulfillment  Access management  Identity management  Service Level / Third-party Services Management  IT procurement process etc... P R O C E S S 10
Technology “what we use to improve what we do” Network Infrastructure:  Cabling, Data/Voice Networks and equipment  Telecommunications services (PABX), including VoIP services , ISDN , Video Conferencing  Server computers and associated storage devices  Operating software for server computers  Communications equipment and related hardware.  Intranet and Internet connections  VPNs and Virtual environments  Remote access services  Wireless connectivity T E C H N O L O G Y 7/1/2015 11Mohan Kamat
Technology “what we use to improve what we do” T E C H N O L O G Y Application software:  Finance and assets systems, including Accounting packages, Inventory management, HR systems, Assessment and reporting systems  Software as a service (Sass) - instead of software as a packaged or custom-made product. Etc.. Physical Security components:  CCTV Cameras  Clock in systems / Biometrics  Environmental management Systems: Humidity Control, Ventilation , Air Conditioning, Fire Control systems  Electricity / Power backup Access devices:  Desktop computers  Laptops, ultra-mobile laptops and PDAs  Thin client computing.  Digital cameras, Printers, Scanners, Photocopier etc. 7/1/2015 12Mohan Kamat
1. Protects information from a range of threats 2. Ensures business continuity 3. Minimizes financial loss 4. Optimizes return on investments 5. Increases business opportunities I N F O R M A T I O N S E C U R I T Y Business survival depends on information security. INFORMATION SECURITY 7/1/2015 13Mohan Kamat
ISO 27002:2005 defines Information Security as the preservation of: – Confidentiality Ensuring that information is accessible only to those authorized to have access – Integrity Safeguarding the accuracy and completeness of information and processing methods – Availability Ensuring that authorized users have access to information and associated assets when required I N F O R M A T I O N A T T R I B U T E S 7/1/2015 14Mohan Kamat
• Reputation loss • Financial loss • Intellectual property loss • Legislative Breaches leading to legal actions (Cyber Law) • Loss of customer confidence • Business interruption costs Security breaches leads to… LOSS OF GOODWILL 7/1/2015 15Mohan Kamat
• Information Security is “Organizational Problem” rather than “IT Problem” • More than 70% of Threats are Internal • More than 60% culprits are First Time fraudsters • Biggest Risk : People • Biggest Asset : People • Social Engineering is major threat • More than 2/3rd express their inability to determine “Whether my systems are currently compromised?” I N F O S E C U R I T Y S U R V E Y 7/1/2015 16Mohan Kamat
W H A T I S R I S K What is Risk? Risk: A possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset. Threat: Something that can potentially cause damage to the organisation, IT Systems or network. Vulnerability: A weakness in the organization, IT Systems, or network that can be exploited by a threat. 17
Relationship between Risk, Threats, and Vulnerabilities Threats Vulnerabilities exploit * Controls: A practice, procedure or mechanism that reduces risk Risk Asset valuesProtection Requirements Information assets Controls * reduce 18
T H R E A T I D E N T I F I C A T I O N Threat Identification Elements of threats Agent : The catalyst that performs the threat. Human Machine Nature 7/1/2015 19Mohan Kamat
Threat Identification Elements of threats Motive : Something that causes the agent to act. Accidental Intentional Only motivating factor that can be both accidental and intentional is human T H R E A T I D E N T I F I C A T I O N 7/1/2015 20Mohan Kamat
Threat Identification Elements of threats Results : The outcome of the applied threat. The results normally lead to the loss of CIA Confidentiality Integrity Availability T H R E A T I D E N T I F I C A T I O N 7/1/2015 21Mohan Kamat
Threats • Employees • External Parties • Low awareness of security issues • Growth in networking and distributed computing • Growth in complexity and effectiveness of hacking tools and viruses • Natural Disasters eg. fire, flood, earthquake T H R E A T S 7/1/2015 22Mohan Kamat
Threat Sources Source Motivation Threat External Hackers Challenge Ego Game Playing System hacking Social engineering Dumpster diving Internal Hackers Deadline Financial problems Disenchantment Backdoors Fraud Poor documentation Terrorist Revenge Political System attacks Social engineering Letter bombs Viruses Denial of service Poorly trained employees Unintentional errors Programming errors Data entry errors Corruption of data Malicious code introduction System bugs Unauthorized access7/1/2015 23Mohan Kamat
No Categories of Threat Example 1 Human Errors or failures Accidents, Employee mistakes 2 Compromise to Intellectual Property Piracy, Copyright infringements 3 Deliberate Acts or espionage or trespass Unauthorized Access and/or data collection 4 Deliberate Acts of Information extortion Blackmail of information exposure / disclosure 5 Deliberate Acts of sabotage / vandalism Destruction of systems / information 6 Deliberate Acts of theft Illegal confiscation of equipment or information 7 Deliberate software attacks Viruses, worms, macros Denial of service 8 Deviations in quality of service from service provider Power and WAN issues 9 Forces of nature Fire, flood, earthquake, lightening 10 Technical hardware failures or errors Equipment failures / errors 11 Technical software failures or errors Bugs, code problems, unknown loopholes 12 Technological Obsolesce Antiquated or outdated technologies 7/1/2015 24Mohan Kamat
High User Knowledge of IT Systems Theft, Sabotage, Misuse Virus Attacks Systems & Network Failure Lack Of Documentation Lapse in Physical Security Natural Calamities & Fire R I S K S & T H R E A T S 7/1/2015 25Mohan Kamat
SO HOW DO WE OVERCOME THESE PROBLEMS? 7/1/2015 26Mohan Kamat
Early 1990 • DTI (UK) established a working group • Information Security Management Code of Practice produced as BSI-DISC publication 1995 • BS 7799 published as UK Standard 1999 • BS 7799 - 1:1999 second revision published 2000 • BS 7799 - 1 accepted by ISO as ISO - 17799 published • BS 7799-2:2002 published I N T R O D U C T I O N T O I S O 2 7 0 0 1 History 7/1/2015 27Mohan Kamat
• ISO 27001:2005 Information technology — Security techniques — Information security management systems — Requirements I N T R O D U C T I O N T O I S O 2 7 0 0 1 • ISO 27002:2005 Information technology — Security techniques — Code of practice for information security management History 7/1/2015 28Mohan Kamat
ISO 27001: This International Standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations). This International Standard specifies the requirements for establishing; implementing, operating, monitoring, reviewing, maintaining and improving documented ISMS within the context of the organization’s overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof. The ISMS is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties ISO 27001 I S O 2 7 0 0 1 7/1/2015 29Mohan Kamat
Features of ISO 27001 • Plan, Do, Check, Act (PDCA) Process Model • Process Based Approach • Stress on Continual Process Improvements • Scope covers Information Security not only IT Security • Covers People, Process and Technology • 5600 plus organisations worldwide have been certified • 11 Domains, 39 Control objectives, 133 controls F E A T U R E S Features 7/1/2015 30Mohan Kamat
Interested Parties Information Security Requirements & Expectations PLAN Establish ISMS CHECK Monitor & Review ISMS ACT Maintain & Improve Management Responsibility ISMS PROCESS PDCA Process Interested Parties Managed Information Security DO Implement & Operate the ISMS P D C A P R O C E S S 7/1/2015 31Mohan Kamat
Information Security Policy Organisation of Information Security Asset Management Human Resource Security Physical Security Communication & Operations Management Access Control System Development & Maintenance Incident Management Business Continuity Planning Compliance Availability C O N T R O L C L A U S E S 32
• Information Security Policy - To provide management direction and support for Information security. • Organisation Of Information Security - Management framework for implementation • Asset Management - To ensure the security of valuable organisational IT and its related assets • Human Resources Security - To reduce the risks of human error, theft, fraud or misuse of facilities. • Physical & Environmental Security -To prevent unauthorised access, theft, compromise , damage, information and information processing facilities. C O N T R O L C L A U S E S 7/1/2015 33Mohan Kamat
• Communications & Operations Management - To ensure the correct and secure operation of information processing facilities. • Access Control - To control access to information and information processing facilities on ‘need to know’ and ‘need to do’ basis. • Information Systems Acquisition, Development & Maintenance - To ensure security built into information systems • Information Security Incident Management - To ensure information security events and weaknesses associated with information systems are communicated. C O N T R O L C L A U S E S 7/1/2015 34Mohan Kamat
•Business Continuity Management - To reduce disruption caused by disasters and security failures to an acceptable level. •Compliance - To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements. C O N T R O L C L A U S E S 7/1/2015 35Mohan Kamat
PLAN Establish ISMS CHECK Monitor & Review ISMS ACT Maintain & Improve DO Implement & Operate the ISMS IS POLICY SECURITY ORGANISATION ASSET IDENTIFICATION & CLASSIFICATION CONTROL SELECTION & IMPLEMENTATION OPERATIONALIZ E THE PROCESES MANAGEMENT REVIEW CORRECTIVE & PREVENTIVE ACTIONS CHECK PROCESSES I M P L E M E N T A T I O N P R O C E S S C Y C L E 7/1/2015 36Mohan Kamat
B E N E F I T S • At the organizational level – Commitment • At the legal level – Compliance • At the operating level - Risk management • At the commercial level - Credibility and confidence • At the financial level - Reduced costs • At the human level - Improved employee awareness 7/1/2015 37Mohan Kamat
U S E R R E S P O N S I B I L I T I E S WHO IS AT THE CENTRE OF SECU RITY U-R 7/1/2015 38Mohan Kamat
U S E R R E S P O N S I B I L I T I E S Information Security Policy IS Policy is approved by Top Management Policy is released on Intranet at http://xx.xx.xx.xx/ISMS/index.htm 7/1/2015 39Mohan Kamat
I N F O A S S E T C L A S S I F I C A T I O N CONFIDENTIAL: If this information is leaked outside Organisation, it will result in major financial and/or image loss. Compromise of this information will result in statutory, legal non- compliance. Access to this information must be restricted based on the concept of need-to-know. Disclosure requires the information owner’s approval. In case information needs to be disclosed to third parties a signed confidentiality agreement is also required. Examples include Customer contracts, rate tables, process documents and new product development plans. INTERNAL USE ONLY: If this information is leaked outside Organisation, it will result in Negligible financial loss and/or embarrassment. Disclosure of this information shall not cause serious harm to Organisation, and access is provided freely to all internal users. Examples include circulars, policies, training materials etc. PUBLIC: Non availability will have no effect. If this information is leaked outside Organisation, it will result in no loss. This information must be explicitly approved by the Corporate Communications Department or Marketing Department in case of marketing related information, as suitable for public dissemination. Examples include marketing brochures, press releases. 7/1/2015 40Mohan Kamat Information Asset Classification
Confidentiality - Information Asset Confidentiality Requirement Explanation Low Non-sensitive information available for public disclosure. The impact of unauthorized disclosure of such information shall not harm Organisation anyway. E.g. Press releases, Company’s News letters e.g. Information published on company’s website Medium Information belonging to the company and not for disclosure to public or external parties. The unauthorized disclosure of information here can cause a limited harm to the organization. e.g. Organization Charts, Internal Telephone Directory. High Information which is very sensitive or private, of highest value to the organization and intended to use by named individuals only. The unauthorized disclosure of such information can cause severe harm (e.g. Legal or financial liability, adverse competitive impact, loss of brand name). E.g. Client’s pricing information, Merger and Acquisition related information, Marketing strategy Confidentiality of information refers to the protection of information from unauthorized disclosure. The impact of unauthorized disclosure of confidential information can range from jeopardizing organization security to the disclosure of private data of employees. Following table provides guideline to determine Confidentiality requirements: I N F O A S S E T C L A S S I F I C A T I O N 7/1/2015 41Mohan Kamat
Integrity - Information Asset Integrity Requireme nt Explanation Low There is minimal impact on business if the accuracy and completeness of data is degraded. Medium There is significant impact on business if the asset if the accuracy and completeness of data is degraded. High The Integrity degradation is unacceptable. Integrity refers to the completeness and accuracy of Information. Integrity is lost if unauthorized changes are made to data or IT system by either intentional or accidental acts. If integrity of data is not restored back, continued use of the contaminated data could result in inaccuracy, fraud, or erroneous decisions. Integrity criteria of information can be determined with guideline established in the following Table. I N F O A S S E T C L A S S I F I C A T I O N 7/1/2015 42Mohan Kamat
Availability - Information Asset Availability Requireme nt Explanation Low There is minimal impact on business if the asset / information is not Available for up to 7 days Medium There is significant impact on business if the asset / information is not Available for up to 48 hours High The Asset / information is required on 24x7 basis Availability indicates how soon the information is required, in case the same is lost. If critical information is unavailable to its end users, the organization’s mission may be affected. Following Table provides guideline to determine availability criteria of information assets. I N F O A S S E T C L A S S I F I C A T I O N 7/1/2015 43Mohan Kamat
Non-information Assets [Physical] Information is processed with the help of technology. The assets, which are helpful in creating, processing, output generation and storage. Such assets need to be identified and valued for the purpose of their criticality in business process. Asset valuation of non information / physical Assets like software, Hardware, Services is carried out based on different criteria applicable to the specific group of physical assets involved in organization’s business processes. N O N I N F O A S S E T C L A S S I F I C A T I O N 7/1/2015 44Mohan Kamat
Confidentiality - Non-information Asset Confidentiality factor is to be determined by the services rendered by the particular asset in specific business process and the confidentiality requirement of the information / data processed or stored by the asset. This table provides a guideline to identify the Confidentiality requirements and its link to Classification label. Confidentiality Requirement Explanation Low Information processed / stored / carried or services rendered by the asset in the business process have confidentiality requirements as LOW. Medium Information processed / stored / carried or services rendered by the asset in the business process have confidentiality requirements as Medium. High Information processed / stored / carried or services rendered by the asset in the business process have confidentiality requirements as HIGH. N O N I N F O A S S E T C L A S S I F I C A T I O N 7/1/2015 45Mohan Kamat
Integrity - Non Information Asset Integrity factor is to be determined by the reliability and dependability of the particular asset in specific business process and the Integrity requirement of the information / data processed or stored by the asset. This table provides a guideline to identify the Integrity requirements and its link to Classification label. Integrity Requirement Explanation Low Dependency and reliability of the services rendered by the particular asset in a business process is LOW. Information processed / stored / carried or services rendered by the asset in the business process have Integrity requirements as LOW. Medium Dependency and reliability of the services rendered by the particular asset in a business process is Medium. Information processed / stored / carried or services rendered by the asset in the business process have Integrity requirements as Medium. High Dependency and reliability of the services rendered by the particular asset in a business process is HIGH. Information processed / stored / carried or services rendered by the asset in the business process have Integrity requirements as High. N O N I N F O A S S E T C L A S S I F I C A T I O N 7/1/2015 46Mohan Kamat
N O N I N F O A S S E T C L A S S I F I C A T I O N Availability - Non-information Asset Availability factor is to be determined on the basis of impact of non availability of the asset on the business process. This table provides a guideline to identify the Availability requirements and its link to Classification label. Integrity Requirement Explanation Low Impact of non availability of an asset in a business process is LOW. Information processed / stored / carried or services rendered by the asset in the business process have Availability requirements as LOW. Medium Impact of non availability of an asset in a business process is Medium. Information processed / stored / carried or services rendered by the asset in the business process have Availability requirements as MEDIUM. High Impact of non availability of an asset in a business process is HIGH. Information processed / stored / carried or services rendered by the asset in the business process have Availability requirements as HIGH. 7/1/2015 47Mohan Kamat
P E O P L E A S S E T C L A S S I F I C A T I O N People Assets Information is accessed or handled by the people from within the organisation as well as the people related to organisation for business requirements. It becomes necessary to identify such people from within the organisation as well as outside the organisation who handle the organization’s information assets. The analysis such people, who has access rights to the assets of the organisation, is to be done by Business Process Owner i.e. process / function head. The people assets shall include roles handled by a. Employees b. Contract Employees c. Contractors & his employees 7/1/2015 48Mohan Kamat
Confidentiality - People Assets Confidentialit y Requirement Explanation Low The role or third party identified has access limited to information assets classified as 'Public'. Security breach by individual/s whom the role is assigned would insignificantly affect the business operations. Medium The role or third party identified has access limited to information assets classified as 'Internal’ and 'Public'. Security breach by individual/s whom the role is assigned would moderately affect the business operations. High The role employee or third party identified has access to all types of information assets including information assets classified as 'Confidential' Or IT Assets classified as 'Critical'. Security breach by individual/s to whom the role is assigned would severely affect the business operations. P E O P L E A S S E T C L A S S I F I C A T I O N 7/1/2015 49Mohan Kamat
Integrity – People Assets Integrity Requirement Explanation Low The role or third party identified has limited privilege to change information assets classified as 'Internal' or 'Public' and the his work is supervised. Security breach by individual/s to whom the role is assigned would insignificantly affect the business operations. Medium The role or third party identified has privilege to change information assets classified as 'Internal', and 'Public' Security breach by individual/s whom the role is assigned would moderately affect the business operations. High The role or third party identified has privilege to change information assets classified as 'Confidential' Or Change the configuration of IT assets classified as 'Critical' Security breach by individual/s to whom the role is assigned would severely affect the business operations. P E O P L E A S S E T C L A S S I F I C A T I O N 7/1/2015 50Mohan Kamat
Availability – People Assets Availability Requiremen t Explanation Low Unavailability of the individual/s whom the role is assigned would have insignificant affect the business operations. Medium Unavailability of the individual/s whom the role is assigned would moderately affect the business operations. High Unavailability of the individual/s whom the role is assigned would severely affect the business operations. P E O P L E A S S E T C L A S S I F I C A T I O N 7/1/2015 51Mohan Kamat
U S E R R E S P O N S I B I L I T I E S Access Control - Physical • Follow Security Procedures • Wear Identity Cards and Badges • Ask unauthorized visitor his credentials • Attend visitors in Reception and Conference Room only • Bring visitors in operations area without prior permission • Bring hazardous and combustible material in secure area • Practice “Piggybacking” • Bring and use pen drives, zip drives, ipods, other storage devices unless and otherwise authorized to do so 7/1/2015 52Mohan Kamat
U S E R R E S P O N S I B I L I T I E S Password Guidelines  Always use at least 8 character password with combination of alphabets, numbers and special characters (*, %, @, #, $, ^)  Use passwords that can be easily remembered by you  Change password regularly as per policy  Use password that is significantly different from earlier passwords Use passwords which reveals your personal information or words found in dictionary Write down or Store passwords Share passwords over phone or Email Use passwords which do not match above complexity criteria 7/1/2015 53Mohan Kamat
U S E R R E S P O N S I B I L I T I E S Technology Department is continuously monitoring Internet Usage. Any illegal use of internet and other assets shall call for Disciplinary Action.  Do not access internet through dial-up connectivity  Do not use internet for viewing, storing or transmitting obscene or pornographic material  Do not use internet for accessing auction sites  Do not use internet for hacking other computer systems  Do not use internet to download / upload commercial software / copyrighted material  Use internet services for business purposes only Internet Usage 7/1/2015 54Mohan Kamat
U S E R R E S P O N S I B I L I T I E S E-mail Usage  Do not use official ID for any personal subscription purpose  Do not send unsolicited mails of any type like chain letters or E-mail Hoax  Do not send mails to client unless you are authorized to do so  Do not post non-business related information to large number of users  Do not open the mail or attachment which is suspected to be virus or received from an unidentified sender Use official mail for business purposes only Follow the mail storage guidelines to avoid blocking of E-mails  If you come across any junk / spam mail, do the following a) Remove the mail. b) Inform the security help desk c) Inform the same to server administrator d) Inform the sender that such mails are undesired 7/1/2015 55Mohan Kamat
U S E R R E S P O N S I B I L I T I E S Security Incidents Report Security Incidents (IT and Non-IT) to Helpdesk through • E-mail to info.sec@organisation.com • Telephone : xxxx-xxxx-xxxx • Anonymous Reporting through Drop boxes e.g.: IT Incidents: Mail Spamming, Virus attack, Hacking, etc. Non-IT Incidents: Unsupervised visitor movement, Information leakage, Bringing unauthorized Media •Do not discuss security incidents with any one outside organisation •Do not attempt to interfere with, obstruct or prevent anyone from reporting incidents 7/1/2015 56Mohan Kamat
U S E R R E S P O N S I B I L I T I E S  Ensure your Desktops are having latest antivirus updates  Ensure your system is locked when you are away  Always store laptops/ media in a lockable place  Be alert while working on laptops during travel  Ensure sensitive business information is under lock and key when unattended  Ensure back-up of sensitive and critical information assets  Understand Compliance Issues such as Cyber Law IPR, Copyrights, NDA Contractual Obligations with customer  Verify credentials, if the message is received from unknown sender  Always switch off your computer before leaving for the day  Keep your self updated on information security aspects 7/1/2015 57Mohan Kamat
Human Wall Is Always Better Than A Firewall . . . LET US BUILD A HUMAN WALL ALONG WITH FIREWALL 7/1/2015 58Mohan Kamat
7/1/2015 59Mohan Kamat

Recomendados

Information security in todays world
Information security in todays worldInformation security in todays world
Information security in todays world
Sibghatullah Khattak
 
20100224 Presentation at RGIT Mumbai - Information Security Awareness
20100224 Presentation at RGIT Mumbai - Information Security Awareness20100224 Presentation at RGIT Mumbai - Information Security Awareness
20100224 Presentation at RGIT Mumbai - Information Security Awareness
Dinesh O Bareja
 
Information Security and Privacy - Public Sector actions, policies and regula...
Information Security and Privacy - Public Sector actions, policies and regula...Information Security and Privacy - Public Sector actions, policies and regula...
Information Security and Privacy - Public Sector actions, policies and regula...
The University of Texas (UTRGV)
 
Best Practice For Public Sector Information Security And Compliance
Best Practice For Public Sector Information Security And ComplianceBest Practice For Public Sector Information Security And Compliance
Best Practice For Public Sector Information Security And Compliance
Oracle
 
Information Security For Small Business
Information Security For Small BusinessInformation Security For Small Business
Information Security For Small Business
Julius Clark, CISSP, CISA
 
ICS Supply Chain Security: Learning from Recent Incidents and Other Sectors
ICS Supply Chain Security: Learning from Recent Incidents and Other SectorsICS Supply Chain Security: Learning from Recent Incidents and Other Sectors
ICS Supply Chain Security: Learning from Recent Incidents and Other Sectors
EnergySec
 
Best Practices For Information Security Management 2011
Best Practices For Information Security Management 2011Best Practices For Information Security Management 2011
Best Practices For Information Security Management 2011
Tony Richardson CISSP
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
Daniel P Wallace
 

Recomendados

Information security in todays world
Information security in todays worldInformation security in todays world
Information security in todays world
Sibghatullah Khattak
 
20100224 Presentation at RGIT Mumbai - Information Security Awareness
20100224 Presentation at RGIT Mumbai - Information Security Awareness20100224 Presentation at RGIT Mumbai - Information Security Awareness
20100224 Presentation at RGIT Mumbai - Information Security Awareness
Dinesh O Bareja
 
Information Security and Privacy - Public Sector actions, policies and regula...
Information Security and Privacy - Public Sector actions, policies and regula...Information Security and Privacy - Public Sector actions, policies and regula...
Information Security and Privacy - Public Sector actions, policies and regula...
The University of Texas (UTRGV)
 
Best Practice For Public Sector Information Security And Compliance
Best Practice For Public Sector Information Security And ComplianceBest Practice For Public Sector Information Security And Compliance
Best Practice For Public Sector Information Security And Compliance
Oracle
 
Information Security For Small Business
Information Security For Small BusinessInformation Security For Small Business
Information Security For Small Business
Julius Clark, CISSP, CISA
 
ICS Supply Chain Security: Learning from Recent Incidents and Other Sectors
ICS Supply Chain Security: Learning from Recent Incidents and Other SectorsICS Supply Chain Security: Learning from Recent Incidents and Other Sectors
ICS Supply Chain Security: Learning from Recent Incidents and Other Sectors
EnergySec
 
Best Practices For Information Security Management 2011
Best Practices For Information Security Management 2011Best Practices For Information Security Management 2011
Best Practices For Information Security Management 2011
Tony Richardson CISSP
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
Daniel P Wallace
 
S nandakumar
S nandakumarS nandakumar
S nandakumar
IPPAI
 
S nandakumar_banglore
S nandakumar_bangloreS nandakumar_banglore
S nandakumar_banglore
IPPAI
 
INFORMATION SECURITY
INFORMATION SECURITYINFORMATION SECURITY
INFORMATION SECURITY
Ahmed Moussa
 
Isms awareness training
Isms awareness trainingIsms awareness training
Isms awareness training
SAROJ BEHERA
 
Information security.pptx
Information security.pptxInformation security.pptx
Information security.pptx
Govt. P.G. College Sendhwa, Barwani (M.P.)
 
Information Security for Small Business
Information Security for Small BusinessInformation Security for Small Business
Information Security for Small Business
Julius Clark, CISSP, CISA
 
Julius Clark is Making Criminal Hackers Miserable
Julius Clark is Making Criminal Hackers MiserableJulius Clark is Making Criminal Hackers Miserable
Julius Clark is Making Criminal Hackers Miserable
Julius Clark, CISSP, CISA
 
Chapter 8 securing information systems MIS
Chapter 8 securing information systems MISChapter 8 securing information systems MIS
Chapter 8 securing information systems MIS
Amirul Shafiq Ahmad Zuperi
 
8 - Securing Info Systems
8 - Securing Info Systems8 - Securing Info Systems
8 - Securing Info Systems
Hemant Nagwekar
 
Information Security
Information SecurityInformation Security
Information Security
We Learn - A Continuous Learning Forum from Welingkar's Distance Learning Program.
 
Information security
Information securityInformation security
Information security
LJ PROJECTS
 
Chapter 5 MIS
Chapter 5 MISChapter 5 MIS
Chapter 5 MIS
Amirul Shafiq Ahmad Zuperi
 
IT Security Presentation - IIMC 2014 Conference
IT Security Presentation - IIMC 2014 ConferenceIT Security Presentation - IIMC 2014 Conference
IT Security Presentation - IIMC 2014 Conference
Jeff Lemmermann
 
Good-cyber-hygiene-at-scale-and-speed
Good-cyber-hygiene-at-scale-and-speedGood-cyber-hygiene-at-scale-and-speed
Good-cyber-hygiene-at-scale-and-speed
James '​-- Mckinlay
 
Edith Turuka: Cyber-Security, An Eye Opener to the Society
Edith Turuka: Cyber-Security, An Eye Opener to the SocietyEdith Turuka: Cyber-Security, An Eye Opener to the Society
Edith Turuka: Cyber-Security, An Eye Opener to the Society
Hamisi Kibonde
 
Basics of Information System Security
Basics of Information System SecurityBasics of Information System Security
Basics of Information System Security
chauhankapil
 
Maloney Slides
Maloney SlidesMaloney Slides
Maloney Slides
ecommerce
 
Implementing an Information Security Program
Implementing an Information Security ProgramImplementing an Information Security Program
Implementing an Information Security Program
Raymond Cunningham
 
Information security
Information securityInformation security
Information security
avinashbalakrishnan2
 
SEC440: Incident Response Plan
SEC440: Incident Response PlanSEC440: Incident Response Plan
SEC440: Incident Response Plan
Thomas Christopher Ty
 
ke-1.pptx
ke-1.pptxke-1.pptx
ke-1.pptx
AhmadNaswin
 
Information security overview
Information security overviewInformation security overview
Information security overview
Ponum Raja
 

Mais conteúdo relacionado

Mais procurados

S nandakumar
S nandakumarS nandakumar
S nandakumar
IPPAI
 
S nandakumar_banglore
S nandakumar_bangloreS nandakumar_banglore
S nandakumar_banglore
IPPAI
 
8 - Securing Info Systems
8 - Securing Info Systems8 - Securing Info Systems
8 - Securing Info Systems
Hemant Nagwekar
 
Edith Turuka: Cyber-Security, An Eye Opener to the Society
Edith Turuka: Cyber-Security, An Eye Opener to the SocietyEdith Turuka: Cyber-Security, An Eye Opener to the Society
Edith Turuka: Cyber-Security, An Eye Opener to the Society
Hamisi Kibonde
 
Maloney Slides
Maloney SlidesMaloney Slides
Maloney Slides
ecommerce
 

Mais procurados (20)

S nandakumar
S nandakumarS nandakumar
S nandakumar
 
S nandakumar_banglore
S nandakumar_bangloreS nandakumar_banglore
S nandakumar_banglore
 
INFORMATION SECURITY
INFORMATION SECURITYINFORMATION SECURITY
INFORMATION SECURITY
 
Isms awareness training
Isms awareness trainingIsms awareness training
Isms awareness training
 
Information security.pptx
Information security.pptxInformation security.pptx
Information security.pptx
 
Information Security for Small Business
Information Security for Small BusinessInformation Security for Small Business
Information Security for Small Business
 
Julius Clark is Making Criminal Hackers Miserable
Julius Clark is Making Criminal Hackers MiserableJulius Clark is Making Criminal Hackers Miserable
Julius Clark is Making Criminal Hackers Miserable
 
Chapter 8 securing information systems MIS
Chapter 8 securing information systems MISChapter 8 securing information systems MIS
Chapter 8 securing information systems MIS
 
8 - Securing Info Systems
8 - Securing Info Systems8 - Securing Info Systems
8 - Securing Info Systems
 
Information Security
Information SecurityInformation Security
Information Security
 
Information security
Information securityInformation security
Information security
 
Chapter 5 MIS
Chapter 5 MISChapter 5 MIS
Chapter 5 MIS
 
IT Security Presentation - IIMC 2014 Conference
IT Security Presentation - IIMC 2014 ConferenceIT Security Presentation - IIMC 2014 Conference
IT Security Presentation - IIMC 2014 Conference
 
Good-cyber-hygiene-at-scale-and-speed
Good-cyber-hygiene-at-scale-and-speedGood-cyber-hygiene-at-scale-and-speed
Good-cyber-hygiene-at-scale-and-speed
 
Edith Turuka: Cyber-Security, An Eye Opener to the Society
Edith Turuka: Cyber-Security, An Eye Opener to the SocietyEdith Turuka: Cyber-Security, An Eye Opener to the Society
Edith Turuka: Cyber-Security, An Eye Opener to the Society
 
Basics of Information System Security
Basics of Information System SecurityBasics of Information System Security
Basics of Information System Security
 
Maloney Slides
Maloney SlidesMaloney Slides
Maloney Slides
 
Implementing an Information Security Program
Implementing an Information Security ProgramImplementing an Information Security Program
Implementing an Information Security Program
 
Information security
Information securityInformation security
Information security
 
SEC440: Incident Response Plan
SEC440: Incident Response PlanSEC440: Incident Response Plan
SEC440: Incident Response Plan
 

Semelhante a Presentation1 110616195133-phpapp01(information security)

Isms awareness training
Isms awareness trainingIsms awareness training
Isms awareness training
SAROJ BEHERA
 
IT Security for the Physical Security Professional
IT Security for the Physical Security ProfessionalIT Security for the Physical Security Professional
IT Security for the Physical Security Professional
ciso_insights
 
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
FROM STRATEGY TO ACTION - Vasil Tsvimitidze FROM STRATEGY TO ACTION - Vasil Tsvimitidze
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
DataExchangeAgency
 
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
IBM Security
 
Art Hathaway - Artificial Intelligence - Real Threat Prevention
Art Hathaway - Artificial Intelligence - Real Threat PreventionArt Hathaway - Artificial Intelligence - Real Threat Prevention
Art Hathaway - Artificial Intelligence - Real Threat Prevention
centralohioissa
 
ISO27k Awareness presentation v2.pptx
ISO27k Awareness presentation v2.pptxISO27k Awareness presentation v2.pptx
ISO27k Awareness presentation v2.pptx
Napoleon NV
 

Semelhante a Presentation1 110616195133-phpapp01(information security) (20)

ke-1.pptx
ke-1.pptxke-1.pptx
ke-1.pptx
 
Information security overview
Information security overviewInformation security overview
Information security overview
 
2015 Cyber security solutions vs cyber criminals @WOHIT2015 (EU eHealth week)
2015 Cyber security solutions vs cyber criminals @WOHIT2015 (EU eHealth week)2015 Cyber security solutions vs cyber criminals @WOHIT2015 (EU eHealth week)
2015 Cyber security solutions vs cyber criminals @WOHIT2015 (EU eHealth week)
 
Isms awareness training
Isms awareness trainingIsms awareness training
Isms awareness training
 
IT Security for the Physical Security Professional
IT Security for the Physical Security ProfessionalIT Security for the Physical Security Professional
IT Security for the Physical Security Professional
 
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
 
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
FROM STRATEGY TO ACTION - Vasil Tsvimitidze FROM STRATEGY TO ACTION - Vasil Tsvimitidze
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
 
Information security for small business
Information security for small businessInformation security for small business
Information security for small business
 
ISO27k Awareness presentation.pptx
ISO27k Awareness presentation.pptxISO27k Awareness presentation.pptx
ISO27k Awareness presentation.pptx
 
ISACA ISSA Presentation
ISACA ISSA PresentationISACA ISSA Presentation
ISACA ISSA Presentation
 
Cyber security do your part be the resistance
Cyber security do your part be the resistanceCyber security do your part be the resistance
Cyber security do your part be the resistance
 
Kevin Wharram Security Summit
Kevin Wharram Security SummitKevin Wharram Security Summit
Kevin Wharram Security Summit
 
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
 
Cyber security general perspective a
Cyber security general perspective aCyber security general perspective a
Cyber security general perspective a
 
Information security
Information securityInformation security
Information security
 
Main Menu
Main MenuMain Menu
Main Menu
 
Cobit 2
Cobit 2Cobit 2
Cobit 2
 
Art Hathaway - Artificial Intelligence - Real Threat Prevention
Art Hathaway - Artificial Intelligence - Real Threat PreventionArt Hathaway - Artificial Intelligence - Real Threat Prevention
Art Hathaway - Artificial Intelligence - Real Threat Prevention
 
Guard Era Security Overview Preso (Draft)
Guard Era Security Overview Preso (Draft)Guard Era Security Overview Preso (Draft)
Guard Era Security Overview Preso (Draft)
 
ISO27k Awareness presentation v2.pptx
ISO27k Awareness presentation v2.pptxISO27k Awareness presentation v2.pptx
ISO27k Awareness presentation v2.pptx
 

Último

Standard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power PlayStandard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power Play
Epec Engineered Technologies
 
Verification of thevenin's theorem for BEEE Lab (1).pptx
Verification of thevenin's theorem for BEEE Lab (1).pptxVerification of thevenin's theorem for BEEE Lab (1).pptx
Verification of thevenin's theorem for BEEE Lab (1).pptx
chumtiyababu
 
School management system project Report.pdf
School management system project Report.pdfSchool management system project Report.pdf
School management system project Report.pdf
Kamal Acharya
 
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Call Girls Mumbai
 
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Arindam Chakraborty, Ph.D., P.E. (CA, TX)
 
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
AldoGarca30
 
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments""Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"
mphochane1998
 

Último (20)

S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptxS1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
 
Double Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueDouble Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torque
 
kiln thermal load.pptx kiln tgermal load
kiln thermal load.pptx kiln tgermal loadkiln thermal load.pptx kiln tgermal load
kiln thermal load.pptx kiln tgermal load
 
GEAR TRAIN- BASIC CONCEPTS AND WORKING PRINCIPLE
GEAR TRAIN- BASIC CONCEPTS AND WORKING PRINCIPLEGEAR TRAIN- BASIC CONCEPTS AND WORKING PRINCIPLE
GEAR TRAIN- BASIC CONCEPTS AND WORKING PRINCIPLE
 
Online electricity billing project report..pdf
Online electricity billing project report..pdfOnline electricity billing project report..pdf
Online electricity billing project report..pdf
 
Standard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power PlayStandard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power Play
 
Verification of thevenin's theorem for BEEE Lab (1).pptx
Verification of thevenin's theorem for BEEE Lab (1).pptxVerification of thevenin's theorem for BEEE Lab (1).pptx
Verification of thevenin's theorem for BEEE Lab (1).pptx
 
Unleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapUnleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leap
 
School management system project Report.pdf
School management system project Report.pdfSchool management system project Report.pdf
School management system project Report.pdf
 
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
 
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
 
Moment Distribution Method For Btech Civil
Moment Distribution Method For Btech CivilMoment Distribution Method For Btech Civil
Moment Distribution Method For Btech Civil
 
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
 
AIRCANVAS[1].pdf mini project for btech students
AIRCANVAS[1].pdf mini project for btech studentsAIRCANVAS[1].pdf mini project for btech students
AIRCANVAS[1].pdf mini project for btech students
 
Introduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaIntroduction to Serverless with AWS Lambda
Introduction to Serverless with AWS Lambda
 
FEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced Loads
FEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced LoadsFEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced Loads
FEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced Loads
 
HOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptx
HOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptxHOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptx
HOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptx
 
Work-Permit-Receiver-in-Saudi-Aramco.pptx
Work-Permit-Receiver-in-Saudi-Aramco.pptxWork-Permit-Receiver-in-Saudi-Aramco.pptx
Work-Permit-Receiver-in-Saudi-Aramco.pptx
 
Thermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.pptThermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.ppt
 
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments""Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"
 

Presentation1 110616195133-phpapp01(information security)

  • 2. What is Information? What is Information Security? What is RISK? An Introduction to ISO for information technology User Responsibilities A G E N D A 2
  • 3. 'Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected’ BS ISO 27002:2005 I N F O R M A T I O N 3
  • 4. I N F O R M A T I O N L I F E C Y C L E Information can be  Created  Stored  Destroyed  Processed  Transmitted  Used – (For proper & improper purposes)  Corrupted  Lost  Stolen 4
  • 5. I N F O R M A T I O N T Y P E S Printed or written on paper Stored electronically  Transmitted by post or using electronics means Shown on corporate videos Displayed / published on web Verbal – spoken in conversations ‘…Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected’ (BS ISO 27002:2005) 5
  • 6. I N F O R M A T I O N S E C U R I T Y What Is Information Security  The quality or state of being secure to be free from danger  Security is achieved using several strategies  Security is achieved using several strategies simultaneously or used in combination with one another  Security is recognized as essential to protect vital processes and the systems that provide those processes  Security is not something you buy, it is something you do 6
  • 7.  The architecture where an integrated combination of appliances, systems and solutions, software, alarms, and vulnerability scans working together What Is Information Security  Security is for PPT and not only for appliances or devices  Monitored 24x7  Having People, Processes, Technology, policies, procedures, I N F O R M A T I O N S E C U R I T Y 7/1/2015 7Mohan Kamat
  • 9. P E O P L E People “Who we are” People who use or interact with the Information include:  Share Holders / Owners  Management  Employees  Business Partners  Service providers  Contractors  Customers / Clients  Regulators etc… 7/1/2015 9Mohan Kamat
  • 10. Process “what we do” The processes refer to "work practices" or workflow. Processes are the repeatable steps to accomplish business objectives. Typical process in our IT Infrastructure could include:  Helpdesk / Service management  Incident Reporting and Management  Change Requests process  Request fulfillment  Access management  Identity management  Service Level / Third-party Services Management  IT procurement process etc... P R O C E S S 10
  • 11. Technology “what we use to improve what we do” Network Infrastructure:  Cabling, Data/Voice Networks and equipment  Telecommunications services (PABX), including VoIP services , ISDN , Video Conferencing  Server computers and associated storage devices  Operating software for server computers  Communications equipment and related hardware.  Intranet and Internet connections  VPNs and Virtual environments  Remote access services  Wireless connectivity T E C H N O L O G Y 7/1/2015 11Mohan Kamat
  • 12. Technology “what we use to improve what we do” T E C H N O L O G Y Application software:  Finance and assets systems, including Accounting packages, Inventory management, HR systems, Assessment and reporting systems  Software as a service (Sass) - instead of software as a packaged or custom-made product. Etc.. Physical Security components:  CCTV Cameras  Clock in systems / Biometrics  Environmental management Systems: Humidity Control, Ventilation , Air Conditioning, Fire Control systems  Electricity / Power backup Access devices:  Desktop computers  Laptops, ultra-mobile laptops and PDAs  Thin client computing.  Digital cameras, Printers, Scanners, Photocopier etc. 7/1/2015 12Mohan Kamat
  • 13. 1. Protects information from a range of threats 2. Ensures business continuity 3. Minimizes financial loss 4. Optimizes return on investments 5. Increases business opportunities I N F O R M A T I O N S E C U R I T Y Business survival depends on information security. INFORMATION SECURITY 7/1/2015 13Mohan Kamat
  • 14. ISO 27002:2005 defines Information Security as the preservation of: – Confidentiality Ensuring that information is accessible only to those authorized to have access – Integrity Safeguarding the accuracy and completeness of information and processing methods – Availability Ensuring that authorized users have access to information and associated assets when required I N F O R M A T I O N A T T R I B U T E S 7/1/2015 14Mohan Kamat
  • 15. • Reputation loss • Financial loss • Intellectual property loss • Legislative Breaches leading to legal actions (Cyber Law) • Loss of customer confidence • Business interruption costs Security breaches leads to… LOSS OF GOODWILL 7/1/2015 15Mohan Kamat
  • 16. • Information Security is “Organizational Problem” rather than “IT Problem” • More than 70% of Threats are Internal • More than 60% culprits are First Time fraudsters • Biggest Risk : People • Biggest Asset : People • Social Engineering is major threat • More than 2/3rd express their inability to determine “Whether my systems are currently compromised?” I N F O S E C U R I T Y S U R V E Y 7/1/2015 16Mohan Kamat
  • 17. W H A T I S R I S K What is Risk? Risk: A possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset. Threat: Something that can potentially cause damage to the organisation, IT Systems or network. Vulnerability: A weakness in the organization, IT Systems, or network that can be exploited by a threat. 17
  • 18. Relationship between Risk, Threats, and Vulnerabilities Threats Vulnerabilities exploit * Controls: A practice, procedure or mechanism that reduces risk Risk Asset valuesProtection Requirements Information assets Controls * reduce 18
  • 19. T H R E A T I D E N T I F I C A T I O N Threat Identification Elements of threats Agent : The catalyst that performs the threat. Human Machine Nature 7/1/2015 19Mohan Kamat
  • 20. Threat Identification Elements of threats Motive : Something that causes the agent to act. Accidental Intentional Only motivating factor that can be both accidental and intentional is human T H R E A T I D E N T I F I C A T I O N 7/1/2015 20Mohan Kamat
  • 21. Threat Identification Elements of threats Results : The outcome of the applied threat. The results normally lead to the loss of CIA Confidentiality Integrity Availability T H R E A T I D E N T I F I C A T I O N 7/1/2015 21Mohan Kamat
  • 22. Threats • Employees • External Parties • Low awareness of security issues • Growth in networking and distributed computing • Growth in complexity and effectiveness of hacking tools and viruses • Natural Disasters eg. fire, flood, earthquake T H R E A T S 7/1/2015 22Mohan Kamat
  • 23. Threat Sources Source Motivation Threat External Hackers Challenge Ego Game Playing System hacking Social engineering Dumpster diving Internal Hackers Deadline Financial problems Disenchantment Backdoors Fraud Poor documentation Terrorist Revenge Political System attacks Social engineering Letter bombs Viruses Denial of service Poorly trained employees Unintentional errors Programming errors Data entry errors Corruption of data Malicious code introduction System bugs Unauthorized access7/1/2015 23Mohan Kamat
  • 24. No Categories of Threat Example 1 Human Errors or failures Accidents, Employee mistakes 2 Compromise to Intellectual Property Piracy, Copyright infringements 3 Deliberate Acts or espionage or trespass Unauthorized Access and/or data collection 4 Deliberate Acts of Information extortion Blackmail of information exposure / disclosure 5 Deliberate Acts of sabotage / vandalism Destruction of systems / information 6 Deliberate Acts of theft Illegal confiscation of equipment or information 7 Deliberate software attacks Viruses, worms, macros Denial of service 8 Deviations in quality of service from service provider Power and WAN issues 9 Forces of nature Fire, flood, earthquake, lightening 10 Technical hardware failures or errors Equipment failures / errors 11 Technical software failures or errors Bugs, code problems, unknown loopholes 12 Technological Obsolesce Antiquated or outdated technologies 7/1/2015 24Mohan Kamat
  • 25. High User Knowledge of IT Systems Theft, Sabotage, Misuse Virus Attacks Systems & Network Failure Lack Of Documentation Lapse in Physical Security Natural Calamities & Fire R I S K S & T H R E A T S 7/1/2015 25Mohan Kamat
  • 27. Early 1990 • DTI (UK) established a working group • Information Security Management Code of Practice produced as BSI-DISC publication 1995 • BS 7799 published as UK Standard 1999 • BS 7799 - 1:1999 second revision published 2000 • BS 7799 - 1 accepted by ISO as ISO - 17799 published • BS 7799-2:2002 published I N T R O D U C T I O N T O I S O 2 7 0 0 1 History 7/1/2015 27Mohan Kamat
  • 28. • ISO 27001:2005 Information technology — Security techniques — Information security management systems — Requirements I N T R O D U C T I O N T O I S O 2 7 0 0 1 • ISO 27002:2005 Information technology — Security techniques — Code of practice for information security management History 7/1/2015 28Mohan Kamat
  • 29. ISO 27001: This International Standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations). This International Standard specifies the requirements for establishing; implementing, operating, monitoring, reviewing, maintaining and improving documented ISMS within the context of the organization’s overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof. The ISMS is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties ISO 27001 I S O 2 7 0 0 1 7/1/2015 29Mohan Kamat
  • 30. Features of ISO 27001 • Plan, Do, Check, Act (PDCA) Process Model • Process Based Approach • Stress on Continual Process Improvements • Scope covers Information Security not only IT Security • Covers People, Process and Technology • 5600 plus organisations worldwide have been certified • 11 Domains, 39 Control objectives, 133 controls F E A T U R E S Features 7/1/2015 30Mohan Kamat
  • 31. Interested Parties Information Security Requirements & Expectations PLAN Establish ISMS CHECK Monitor & Review ISMS ACT Maintain & Improve Management Responsibility ISMS PROCESS PDCA Process Interested Parties Managed Information Security DO Implement & Operate the ISMS P D C A P R O C E S S 7/1/2015 31Mohan Kamat
  • 32. Information Security Policy Organisation of Information Security Asset Management Human Resource Security Physical Security Communication & Operations Management Access Control System Development & Maintenance Incident Management Business Continuity Planning Compliance Availability C O N T R O L C L A U S E S 32
  • 33. • Information Security Policy - To provide management direction and support for Information security. • Organisation Of Information Security - Management framework for implementation • Asset Management - To ensure the security of valuable organisational IT and its related assets • Human Resources Security - To reduce the risks of human error, theft, fraud or misuse of facilities. • Physical & Environmental Security -To prevent unauthorised access, theft, compromise , damage, information and information processing facilities. C O N T R O L C L A U S E S 7/1/2015 33Mohan Kamat
  • 34. • Communications & Operations Management - To ensure the correct and secure operation of information processing facilities. • Access Control - To control access to information and information processing facilities on ‘need to know’ and ‘need to do’ basis. • Information Systems Acquisition, Development & Maintenance - To ensure security built into information systems • Information Security Incident Management - To ensure information security events and weaknesses associated with information systems are communicated. C O N T R O L C L A U S E S 7/1/2015 34Mohan Kamat
  • 35. •Business Continuity Management - To reduce disruption caused by disasters and security failures to an acceptable level. •Compliance - To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements. C O N T R O L C L A U S E S 7/1/2015 35Mohan Kamat
  • 36. PLAN Establish ISMS CHECK Monitor & Review ISMS ACT Maintain & Improve DO Implement & Operate the ISMS IS POLICY SECURITY ORGANISATION ASSET IDENTIFICATION & CLASSIFICATION CONTROL SELECTION & IMPLEMENTATION OPERATIONALIZ E THE PROCESES MANAGEMENT REVIEW CORRECTIVE & PREVENTIVE ACTIONS CHECK PROCESSES I M P L E M E N T A T I O N P R O C E S S C Y C L E 7/1/2015 36Mohan Kamat
  • 37. B E N E F I T S • At the organizational level – Commitment • At the legal level – Compliance • At the operating level - Risk management • At the commercial level - Credibility and confidence • At the financial level - Reduced costs • At the human level - Improved employee awareness 7/1/2015 37Mohan Kamat
  • 38. U S E R R E S P O N S I B I L I T I E S WHO IS AT THE CENTRE OF SECU RITY U-R 7/1/2015 38Mohan Kamat
  • 39. U S E R R E S P O N S I B I L I T I E S Information Security Policy IS Policy is approved by Top Management Policy is released on Intranet at http://xx.xx.xx.xx/ISMS/index.htm 7/1/2015 39Mohan Kamat
  • 40. I N F O A S S E T C L A S S I F I C A T I O N CONFIDENTIAL: If this information is leaked outside Organisation, it will result in major financial and/or image loss. Compromise of this information will result in statutory, legal non- compliance. Access to this information must be restricted based on the concept of need-to-know. Disclosure requires the information owner’s approval. In case information needs to be disclosed to third parties a signed confidentiality agreement is also required. Examples include Customer contracts, rate tables, process documents and new product development plans. INTERNAL USE ONLY: If this information is leaked outside Organisation, it will result in Negligible financial loss and/or embarrassment. Disclosure of this information shall not cause serious harm to Organisation, and access is provided freely to all internal users. Examples include circulars, policies, training materials etc. PUBLIC: Non availability will have no effect. If this information is leaked outside Organisation, it will result in no loss. This information must be explicitly approved by the Corporate Communications Department or Marketing Department in case of marketing related information, as suitable for public dissemination. Examples include marketing brochures, press releases. 7/1/2015 40Mohan Kamat Information Asset Classification
  • 41. Confidentiality - Information Asset Confidentiality Requirement Explanation Low Non-sensitive information available for public disclosure. The impact of unauthorized disclosure of such information shall not harm Organisation anyway. E.g. Press releases, Company’s News letters e.g. Information published on company’s website Medium Information belonging to the company and not for disclosure to public or external parties. The unauthorized disclosure of information here can cause a limited harm to the organization. e.g. Organization Charts, Internal Telephone Directory. High Information which is very sensitive or private, of highest value to the organization and intended to use by named individuals only. The unauthorized disclosure of such information can cause severe harm (e.g. Legal or financial liability, adverse competitive impact, loss of brand name). E.g. Client’s pricing information, Merger and Acquisition related information, Marketing strategy Confidentiality of information refers to the protection of information from unauthorized disclosure. The impact of unauthorized disclosure of confidential information can range from jeopardizing organization security to the disclosure of private data of employees. Following table provides guideline to determine Confidentiality requirements: I N F O A S S E T C L A S S I F I C A T I O N 7/1/2015 41Mohan Kamat
  • 42. Integrity - Information Asset Integrity Requireme nt Explanation Low There is minimal impact on business if the accuracy and completeness of data is degraded. Medium There is significant impact on business if the asset if the accuracy and completeness of data is degraded. High The Integrity degradation is unacceptable. Integrity refers to the completeness and accuracy of Information. Integrity is lost if unauthorized changes are made to data or IT system by either intentional or accidental acts. If integrity of data is not restored back, continued use of the contaminated data could result in inaccuracy, fraud, or erroneous decisions. Integrity criteria of information can be determined with guideline established in the following Table. I N F O A S S E T C L A S S I F I C A T I O N 7/1/2015 42Mohan Kamat
  • 43. Availability - Information Asset Availability Requireme nt Explanation Low There is minimal impact on business if the asset / information is not Available for up to 7 days Medium There is significant impact on business if the asset / information is not Available for up to 48 hours High The Asset / information is required on 24x7 basis Availability indicates how soon the information is required, in case the same is lost. If critical information is unavailable to its end users, the organization’s mission may be affected. Following Table provides guideline to determine availability criteria of information assets. I N F O A S S E T C L A S S I F I C A T I O N 7/1/2015 43Mohan Kamat
  • 44. Non-information Assets [Physical] Information is processed with the help of technology. The assets, which are helpful in creating, processing, output generation and storage. Such assets need to be identified and valued for the purpose of their criticality in business process. Asset valuation of non information / physical Assets like software, Hardware, Services is carried out based on different criteria applicable to the specific group of physical assets involved in organization’s business processes. N O N I N F O A S S E T C L A S S I F I C A T I O N 7/1/2015 44Mohan Kamat
  • 45. Confidentiality - Non-information Asset Confidentiality factor is to be determined by the services rendered by the particular asset in specific business process and the confidentiality requirement of the information / data processed or stored by the asset. This table provides a guideline to identify the Confidentiality requirements and its link to Classification label. Confidentiality Requirement Explanation Low Information processed / stored / carried or services rendered by the asset in the business process have confidentiality requirements as LOW. Medium Information processed / stored / carried or services rendered by the asset in the business process have confidentiality requirements as Medium. High Information processed / stored / carried or services rendered by the asset in the business process have confidentiality requirements as HIGH. N O N I N F O A S S E T C L A S S I F I C A T I O N 7/1/2015 45Mohan Kamat
  • 46. Integrity - Non Information Asset Integrity factor is to be determined by the reliability and dependability of the particular asset in specific business process and the Integrity requirement of the information / data processed or stored by the asset. This table provides a guideline to identify the Integrity requirements and its link to Classification label. Integrity Requirement Explanation Low Dependency and reliability of the services rendered by the particular asset in a business process is LOW. Information processed / stored / carried or services rendered by the asset in the business process have Integrity requirements as LOW. Medium Dependency and reliability of the services rendered by the particular asset in a business process is Medium. Information processed / stored / carried or services rendered by the asset in the business process have Integrity requirements as Medium. High Dependency and reliability of the services rendered by the particular asset in a business process is HIGH. Information processed / stored / carried or services rendered by the asset in the business process have Integrity requirements as High. N O N I N F O A S S E T C L A S S I F I C A T I O N 7/1/2015 46Mohan Kamat
  • 47. N O N I N F O A S S E T C L A S S I F I C A T I O N Availability - Non-information Asset Availability factor is to be determined on the basis of impact of non availability of the asset on the business process. This table provides a guideline to identify the Availability requirements and its link to Classification label. Integrity Requirement Explanation Low Impact of non availability of an asset in a business process is LOW. Information processed / stored / carried or services rendered by the asset in the business process have Availability requirements as LOW. Medium Impact of non availability of an asset in a business process is Medium. Information processed / stored / carried or services rendered by the asset in the business process have Availability requirements as MEDIUM. High Impact of non availability of an asset in a business process is HIGH. Information processed / stored / carried or services rendered by the asset in the business process have Availability requirements as HIGH. 7/1/2015 47Mohan Kamat
  • 48. P E O P L E A S S E T C L A S S I F I C A T I O N People Assets Information is accessed or handled by the people from within the organisation as well as the people related to organisation for business requirements. It becomes necessary to identify such people from within the organisation as well as outside the organisation who handle the organization’s information assets. The analysis such people, who has access rights to the assets of the organisation, is to be done by Business Process Owner i.e. process / function head. The people assets shall include roles handled by a. Employees b. Contract Employees c. Contractors & his employees 7/1/2015 48Mohan Kamat
  • 49. Confidentiality - People Assets Confidentialit y Requirement Explanation Low The role or third party identified has access limited to information assets classified as 'Public'. Security breach by individual/s whom the role is assigned would insignificantly affect the business operations. Medium The role or third party identified has access limited to information assets classified as 'Internal’ and 'Public'. Security breach by individual/s whom the role is assigned would moderately affect the business operations. High The role employee or third party identified has access to all types of information assets including information assets classified as 'Confidential' Or IT Assets classified as 'Critical'. Security breach by individual/s to whom the role is assigned would severely affect the business operations. P E O P L E A S S E T C L A S S I F I C A T I O N 7/1/2015 49Mohan Kamat
  • 50. Integrity – People Assets Integrity Requirement Explanation Low The role or third party identified has limited privilege to change information assets classified as 'Internal' or 'Public' and the his work is supervised. Security breach by individual/s to whom the role is assigned would insignificantly affect the business operations. Medium The role or third party identified has privilege to change information assets classified as 'Internal', and 'Public' Security breach by individual/s whom the role is assigned would moderately affect the business operations. High The role or third party identified has privilege to change information assets classified as 'Confidential' Or Change the configuration of IT assets classified as 'Critical' Security breach by individual/s to whom the role is assigned would severely affect the business operations. P E O P L E A S S E T C L A S S I F I C A T I O N 7/1/2015 50Mohan Kamat
  • 51. Availability – People Assets Availability Requiremen t Explanation Low Unavailability of the individual/s whom the role is assigned would have insignificant affect the business operations. Medium Unavailability of the individual/s whom the role is assigned would moderately affect the business operations. High Unavailability of the individual/s whom the role is assigned would severely affect the business operations. P E O P L E A S S E T C L A S S I F I C A T I O N 7/1/2015 51Mohan Kamat
  • 52. U S E R R E S P O N S I B I L I T I E S Access Control - Physical • Follow Security Procedures • Wear Identity Cards and Badges • Ask unauthorized visitor his credentials • Attend visitors in Reception and Conference Room only • Bring visitors in operations area without prior permission • Bring hazardous and combustible material in secure area • Practice “Piggybacking” • Bring and use pen drives, zip drives, ipods, other storage devices unless and otherwise authorized to do so 7/1/2015 52Mohan Kamat
  • 53. U S E R R E S P O N S I B I L I T I E S Password Guidelines  Always use at least 8 character password with combination of alphabets, numbers and special characters (*, %, @, #, $, ^)  Use passwords that can be easily remembered by you  Change password regularly as per policy  Use password that is significantly different from earlier passwords Use passwords which reveals your personal information or words found in dictionary Write down or Store passwords Share passwords over phone or Email Use passwords which do not match above complexity criteria 7/1/2015 53Mohan Kamat
  • 54. U S E R R E S P O N S I B I L I T I E S Technology Department is continuously monitoring Internet Usage. Any illegal use of internet and other assets shall call for Disciplinary Action.  Do not access internet through dial-up connectivity  Do not use internet for viewing, storing or transmitting obscene or pornographic material  Do not use internet for accessing auction sites  Do not use internet for hacking other computer systems  Do not use internet to download / upload commercial software / copyrighted material  Use internet services for business purposes only Internet Usage 7/1/2015 54Mohan Kamat
  • 55. U S E R R E S P O N S I B I L I T I E S E-mail Usage  Do not use official ID for any personal subscription purpose  Do not send unsolicited mails of any type like chain letters or E-mail Hoax  Do not send mails to client unless you are authorized to do so  Do not post non-business related information to large number of users  Do not open the mail or attachment which is suspected to be virus or received from an unidentified sender Use official mail for business purposes only Follow the mail storage guidelines to avoid blocking of E-mails  If you come across any junk / spam mail, do the following a) Remove the mail. b) Inform the security help desk c) Inform the same to server administrator d) Inform the sender that such mails are undesired 7/1/2015 55Mohan Kamat
  • 56. U S E R R E S P O N S I B I L I T I E S Security Incidents Report Security Incidents (IT and Non-IT) to Helpdesk through • E-mail to info.sec@organisation.com • Telephone : xxxx-xxxx-xxxx • Anonymous Reporting through Drop boxes e.g.: IT Incidents: Mail Spamming, Virus attack, Hacking, etc. Non-IT Incidents: Unsupervised visitor movement, Information leakage, Bringing unauthorized Media •Do not discuss security incidents with any one outside organisation •Do not attempt to interfere with, obstruct or prevent anyone from reporting incidents 7/1/2015 56Mohan Kamat
  • 57. U S E R R E S P O N S I B I L I T I E S  Ensure your Desktops are having latest antivirus updates  Ensure your system is locked when you are away  Always store laptops/ media in a lockable place  Be alert while working on laptops during travel  Ensure sensitive business information is under lock and key when unattended  Ensure back-up of sensitive and critical information assets  Understand Compliance Issues such as Cyber Law IPR, Copyrights, NDA Contractual Obligations with customer  Verify credentials, if the message is received from unknown sender  Always switch off your computer before leaving for the day  Keep your self updated on information security aspects 7/1/2015 57Mohan Kamat
  • 58. Human Wall Is Always Better Than A Firewall . . . LET US BUILD A HUMAN WALL ALONG WITH FIREWALL 7/1/2015 58Mohan Kamat