2. Agenda
ISMS – ISO 27001:2013
Information & Information Security
User Responsibility
ISMS Implementation
Q&A
3. Incidents
Patient Health Information (PHI) of patients of Diatherix, a provider of clinical laboratory testing services, was accessed by an unauthorised external entity. Exposed information included patient name, account number, address, date of test, insurance information and insured information.
Three persons were indicted for their involvement in an international cybercrime scheme that used stolen information from banks, businesses and government agencies to steal $15 million.
Tennessee Electric Company Inc., d.b.a. TEC Industrial Maintenance & Construction, in July filed a complaint against TriSummit Bank, a $278 million institution based in Tennessee, for a series of fraudulent payroll drafts sent from TEC's account in 2012. TEC says the bank failed to have those ACH transactions approved by the utility before they were transmitted.
4. Why Information Security?
The internet allows an attacker to attack from anywhere on the planet.
Risks caused by poor security knowledge and practice:
Data/information breach
Unavailability of data/information
Unavailability of systems, internet, applications etc.
Identity theft
Monetary theft
Legal ramifications (for yourself and for companies)
5. Solution to such situations?
Information Security Management System – ISO 27001
7. What is Information?
Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.
9. Information can be:
Printed or written on paper
Stored electronically
Transmitted by post/courier or electronically
Transmitted through an individual
Shown on corporate video
Displayed/published on the web
Verbal, spoken in conversation
Whatever form the information takes, or whatever means by which it is shared or stored, it should always be appropriately protected.
10. Information Lifecycle
Create
Store
Distribute (to authorized persons)
Modify (by authorized persons)
Archive
Delete (electronic) or dispose (paper, disk, etc.)
Information may need protection through its entire lifecycle, including deletion or disposal.
11. Why are Information Assets the most important?
Business Requirements
– Client / customer / stakeholder
– Marketing
– Trustworthiness
– Internal management tool
Legal Requirements
– Revenue Department
– Qatar Stock Exchange
– Copyright, patents, ….
Contractual Security Obligations
– Intranet connections to other business units (BU)
– Extranets to business partners
– Remote connections for staff
– VPN
– Customer networks
– Supply chains
– SLAs, contracts, outsourcing arrangements
– Third-party access
12. What is Information Security?
“Information security is protecting information by preserving its confidentiality, integrity and availability, along with its authenticity and reliability.”
13. Information Security Triads/Components – CIA
Information Security is the preservation of:
Confidentiality – ensuring that information is available only to those with authorized access.
Integrity – safeguarding the accuracy and completeness of information and of information processing methods and facilities.
Availability – ensuring authorized users have access to information when required.
In some organizations integrity and/or availability may be more important than confidentiality.
14. Information Security Triads/Components – CIA
Confidentiality – information is not made available to unauthorized individuals, entities or processes. Measures include encryption, awareness training against social engineering, access rights, secured storage, etc.
Integrity – safeguarding the accuracy and completeness of assets. Measures include access controls, backups, etc.
Availability – the asset is accessible and usable upon demand by an authorized entity. Measures include a Disaster Recovery Plan, redundancy, high availability, etc.
17. ISO 27001:2013
Information Security Management System
An Information Security Management System (ISMS) is:
That part of the overall management system, based on a business risk approach, used to establish, implement, operate, monitor, review, maintain and improve information security.
A management process, not a technological process.
The purpose of an Information Security Management System is to secure an organization’s information assets by identifying, assessing and managing the risks that result from threats exploiting vulnerabilities.
18. Introduction to the ISO 27001:2013 standard
ISO 27001 is the international standard that provides requirements for safeguarding an organization’s information assets.
ISO/IEC 27001:2005 was the first edition of the ISMS requirements standard (it evolved from BS 7799-2); ISO/IEC 27001:2013 was published on 25 September 2013.
A comprehensive set of clauses and controls comprising best practices in information security.
A framework for building a risk-based information security management system.
19. ISO 27001:2013 Features
Focus on continual improvement process
Plan-Do-Check-Act Process Model
Process based approach
Scope covers Information Security not only IT Security
14 Domains, 35 Control Objectives and 114 Controls
Covers People, Process & Technology
20. ISO 27001:2013 Requirements
Like other management system standards, ISO 27001:2013 has 10 clauses; clauses 4 to 10 contain the requirements that an organization must meet:
Clause 4 – Context of the organization
Clause 5 – Leadership
Clause 6 – Planning
Clause 7 – Support
Clause 8 – Operation
Clause 9 – Performance Evaluation
Clause 10 – Improvement
Additionally, ISO 27001:2013 has controls in Annex A, organised as 14 domains, 35 control objectives and 114 controls.
23. Risk Management – The critical first step in
ISO 27001 implementation
RISK = ASSET VALUE X PROBABILITY X IMPACT
Risk is the possibility that a threat exploits a
vulnerability in an information asset,
leading to an adverse impact on the
organization
24. Information Assets & Types
An asset is any tangible or intangible thing or characteristic that has value to an organization.
Software
IT hardware (physical assets)
Persons who support and use the IT system
Processes & support processes that deliver products and services
IT and other infrastructure of the organization
System interfaces (internal and external connectivity)
Electronic media
and, above all,
Data and Information
25. Classification of Information Assets
Public
Non-sensitive information available for external release. Examples include periodicals, bulletins, financial statements, press releases, etc.
Internal/Protected
Information that is generally available to employees and approved non-employees such as contractors and trainees. Examples include staff memos, newsletters, staff awareness programme documentation or bulletins, etc.
Confidential
Sensitive information related to projects and personnel, intended for use by employees, customers and approved non-employees such as contractors and trainees; it may be printed in hard copy only with the approval of the Head of Department (HOD). Examples include personal information, business plans, unpublished financial statements, etc.
Restricted
Information that is highly sensitive both within and outside the organization; applied to documented information whose leakage could damage the organization’s security. Examples include design documents, drawings, contracts, etc.
26. Information Security Risk Assessment
Asset inventory
Asset classification
Asset Value = Confidentiality Value + Integrity Value + Availability Value (each value is assigned on a scale of 1 to 3, where 1 is low, 2 is medium and 3 is high)
Inherent Risk = Asset Value X Threat Value X Vulnerability Value X Probability Value X Impact Value
Existing Controls Effectiveness will be assigned on a scale of 1 to 3, where
Risk Priority Number = Inherent Risk / Existing Controls Effectiveness
Treatment of the risk if it is unacceptable
Residual risk that remains High or Moderate will be signed off by Management or the Risk Owner
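The scoring model on this slide is simple enough to work through in code. The following is an added illustration, not part of the original deck and not from any ISO 27001 toolkit: it implements the slide's formulas (Asset Value = C + I + A, Inherent Risk as the product of asset, threat, vulnerability, probability and impact values, and Risk Priority Number = Inherent Risk / Existing Controls Effectiveness) over a small constructed asset inventory. Two things are assumptions because the slide does not state them: that threat, vulnerability, probability and impact are also scored 1 to 3, and the thresholds at which an RPN counts as High or Moderate. The sample assets and threats are invented and only loosely echo the incidents on slide 3.

```python
"""Worked example of the slide's risk-scoring model (added illustration, not the deck's own code).

    Asset Value    = C + I + A                                    (each 1..3, per the slide)
    Inherent Risk  = Asset Value * Threat * Vulnerability * Probability * Impact
    Risk Priority  = Inherent Risk / Existing Controls Effectiveness   (1..3, per the slide)

ASSUMPTIONS not given on the slide: threat, vulnerability, probability and impact are
also scored 1..3, and the High/Moderate/Low bands below are illustrative.
"""
from dataclasses import dataclass

SCALE = (1, 2, 3)  # 1 = low, 2 = medium, 3 = high


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str  # Public / Internal / Confidential / Restricted (slide 25)
    c: int  # confidentiality value
    i: int  # integrity value
    a: int  # availability value


@dataclass(frozen=True)
class RiskScenario:
    asset: Asset
    threat: str
    threat_value: int
    vulnerability_value: int
    probability_value: int
    impact_value: int
    controls_effectiveness: int  # effectiveness of the controls already in place


def _check(value, label):
    """Reject anything outside the 1..3 scale; an out-of-range score would silently skew the register."""
    if value not in SCALE:
        raise ValueError(f"{label} must be 1, 2 or 3, got {value!r}")
    return value


def asset_value(asset):
    """Asset Value = C + I + A, so the range is 3..9."""
    return _check(asset.c, "C") + _check(asset.i, "I") + _check(asset.a, "A")


def inherent_risk(s):
    """Inherent Risk = Asset Value x Threat x Vulnerability x Probability x Impact (range 3..729)."""
    return (asset_value(s.asset)
            * _check(s.threat_value, "threat")
            * _check(s.vulnerability_value, "vulnerability")
            * _check(s.probability_value, "probability")
            * _check(s.impact_value, "impact"))


def risk_priority_number(s):
    """RPN = Inherent Risk / Existing Controls Effectiveness; strong controls divide the score by 3."""
    return inherent_risk(s) / _check(s.controls_effectiveness, "controls effectiveness")


# ASSUMED bands: the slide does not say where High or Moderate start. 243 is the worst
# inherent risk (729) with fully effective controls (3); anything at or above it stays High.
HIGH_FROM = 243
MODERATE_FROM = 54


def rate(rpn):
    if rpn >= HIGH_FROM:
        return "High"
    if rpn >= MODERATE_FROM:
        return "Moderate"
    return "Low"


def assess(scenarios):
    """Build the risk register, highest RPN first; High/Moderate residual risk needs management sign-off."""
    rows = []
    for s in scenarios:
        rpn = risk_priority_number(s)
        rating = rate(rpn)
        rows.append({"asset": s.asset.name, "classification": s.asset.classification,
                     "threat": s.threat, "asset_value": asset_value(s.asset),
                     "inherent_risk": inherent_risk(s), "rpn": rpn, "rating": rating,
                     "needs_signoff": rating in ("High", "Moderate")})
    return sorted(rows, key=lambda r: r["rpn"], reverse=True)


# Constructed sample inventory (invented data, loosely modelled on the incidents on slide 3).
PATIENT_DB = Asset("Patient results database", "Restricted", c=3, i=3, a=3)
PAYROLL_FILE = Asset("Payroll ACH batch file", "Confidential", c=3, i=3, a=2)
NEWSLETTER = Asset("Staff newsletter", "Internal", c=1, i=1, a=1)

SCENARIOS = [
    RiskScenario(PATIENT_DB, "Unauthorised external access to PHI", 3, 3, 2, 3, controls_effectiveness=2),
    RiskScenario(PAYROLL_FILE, "Fraudulent payroll drafts submitted", 2, 2, 2, 3, controls_effectiveness=1),
    RiskScenario(NEWSLETTER, "Defacement of internal bulletin", 1, 1, 1, 1, controls_effectiveness=3),
]

if __name__ == "__main__":
    for row in assess(SCENARIOS):
        print(f"{row['rating']:8} RPN={row['rpn']:6.1f}  {row['asset']} / {row['threat']}")
```

Running it ranks the patient database scenario first (inherent risk 9 x 3 x 3 x 2 x 3 = 486, halved by partially effective controls to an RPN of 243) and the payroll file second (192, with no effective control to divide by), while the newsletter drops to an RPN of 1. The validation in `_check` matters more than it looks: with five multiplied factors, one mistyped score of 30 instead of 3 would dominate the whole register.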
27. What is a Threat?
An expression of intention to inflict evil, injury or damage.
Attacks against the key security services – Confidentiality, Integrity & Availability.
A threat means something bad is coming your way; a high threat means it is highly likely to hit you and that it will be very bad.