June, 2022
Information Security Management System – ISO 27001:2013
ICT End-User Presentation
Agenda
ISMS – ISO 27001:2013
Information & Information Security
User Responsibility
ISMS Implementation
Q&A
Incidents

Patient Health Information (PHI) of patients of Diatherix, a provider of clinical laboratory testing services, was accessed by an unauthorised external entity. Exposed information included patient name, account number, address, date of test, insurance information and insured information.

Three persons were indicted for their involvement in an international cybercrime scheme that used stolen information from banks, businesses and government agencies to steal $15 million.

Tennessee Electric Company Inc., d.b.a. TEC Industrial Maintenance & Construction, in July filed a complaint against TriSummit Bank, a $278 million institution based in Tennessee, for a series of fraudulent payroll drafts sent from TEC's account in 2012. TEC says the bank failed to have those ACH transactions approved by the utility before they were transmitted.
Why Information Security?

• The internet allows an attacker to attack from anywhere on the planet.
• Risks caused by poor security knowledge and practice:
  – Data/information breach
  – Unavailability of data/information
  – Unavailability of system, internet, application etc.
  – Identity theft
  – Monetary theft
  – Legal ramifications (for yourself and companies)
Solution to such situations? Information Security Management System – ISO 27001
Information & Information Security
What is Information?

Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.
Information exists in many forms. Information can be:
• Printed or written on paper
• Stored electronically
• Transmitted by post/courier or electronically
• Transmitted through an individual
• Shown on corporate video
• Displayed/published on the web
• Verbal, spoken in conversation

Whatever form the information takes or means by which it is shared or stored, it should always be appropriately protected.
Information Lifecycle

• Create
• Store
• Distribute (to authorized persons)
• Modify (by authorized persons)
• Archive
• Delete (electronic) or Dispose (paper, disk, etc.)

Information may need protection through its entire lifecycle, including deletion or disposal.
Why are Information Assets the most important?

• Business Requirements
  – Client / customer / stakeholder
  – Marketing
  – Trustworthiness
  – Internal management tool
• Legal Requirements
  – Revenue Department
  – Qatar Stock Exchange
  – Copyright, patents, ….
• Contractual Security Obligations
  – Intranet connections to other BUs
  – Extranets to business partners
  – Remote connections to staff
  – VPN
  – Customer networks
  – Supplier chains
  – SLAs, contracts, outsourcing arrangements
  – Third-party access
What is Information Security?

“Information security is protecting the information through preserving its Confidentiality, Integrity and Availability, along with authenticity and reliability.”

In some organizations integrity and/or availability may be more important than confidentiality.
Information Security is the preservation of:

Confidentiality – ensuring that information is available only to those with authorized access.

Integrity – safeguarding the accuracy and completeness of information and of information processing methods and facilities.

Availability – ensuring authorized users have access to information when required.
Information Security Triads/Components – CIA

Confidentiality: information is not made available to unauthorized individuals, entities or processes. Measures include encryption, social engineering best practices, access rights, secured storage, etc.

Integrity: safeguarding the accuracy and completeness of assets. Measures include access controls, backups, etc.

Availability: the asset is accessible and usable upon demand by an authorized entity. Measures include Disaster Recovery Plan, redundancy, high availability, etc.
Information Security Management System – ISO 27001:2013

Information Security Management System
An Information Security Management System (ISMS) is:
• That part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security
• A management process
• Not a technological process

The purpose of an Information Security Management System is to secure an organization’s Information Assets by identifying, assessing and managing Risks resulting from Threats exploiting Vulnerabilities.
Introduction to the ISO 27001:2013 standard

• ISO 27001 is the international standard that provides requirements for safeguarding an organization’s assets
• ISO 27001:2005 was the first ISO standard for information security
• ISO 27001:2013 was published on 25th September, 2013
• Comprehensive set of Clauses and Controls comprising best practices in information security
• A framework for building a risk-based information security management system
ISO 27001:2013 Features

• Focus on continual improvement process
• Plan-Do-Check-Act Process Model
• Process-based approach
• Scope covers Information Security, not only IT Security
• 14 Domains, 35 Control Objectives and 114 Controls
• Covers People, Process & Technology
ISO 27001:2013 Requirements

Like other management system standards, ISO 27001:2013 has 10 clauses. The requirement clauses are:
Clause 4 – Context of the organization
Clause 5 – Leadership
Clause 6 – Planning
Clause 7 – Support
Clause 8 – Operation
Clause 9 – Performance Evaluation
Clause 10 – Improvement

Additionally, ISO 27001:2013 has Controls in Annex A with 14 Domains, 35 Control Objectives & 114 Controls.
Control Objectives & Controls (Annexure A of ISO 27001:2013)

A.5 Security Policy
A.6 Organisation of Information Security
A.7 Human Resources Security
A.8 Asset Management
A.9 Access Control
A.10 Cryptography
A.11 Physical and Environmental Security
A.12 Operations Security
A.13 Communications Security
A.14 System Acquisition, Development and Maintenance
A.15 Supplier Relationships
A.16 Information Security Incident Management
A.17 Information Security Aspects of BCM
A.18 Compliance

14 Domains, 35 Control Objectives, 114 Controls
ISMS Implementation
Risk Management – the critical first step in ISO 27001 implementation

RISK = ASSET VALUE X PROBABILITY X IMPACT

Risk is the possibility that a threat exploits a vulnerability in an information asset, leading to an adverse impact on the organization.
Information Assets & Types

• Software
• IT Hardware (Physical Assets)
• Persons who support and use the IT system
• Processes & support processes that deliver products and services
• IT and other Infrastructure of the organization
• System interfaces (internal and external connectivity)
• Electronic media
• and, above all, Data and Information

An asset is any tangible or intangible thing or characteristic that has value to an organization.
Classification of Information Assets

Public
Non-sensitive information available for external release. Examples include periodicals, bulletins, financial statements, press releases, etc.

Internal/Protected
Information that is generally available to employees and approved non-employees such as contractors and trainees. Examples include staff memos, newsletters, staff awareness program documentation or bulletins, etc.

Confidential
Information that is sensitive and related to projects and personnel. It is intended for use by employees, customers and approved non-employees such as contractors and trainees, and can be printed in hard copy only with the approval of HODs. Examples include personal information, business plans, unpublished financial statements, etc.

Restricted
Information that is highly sensitive within and outside the organization. This classification shall be applied to documented information whose leakage can cause damage to the organization's security. Examples include design documents, drawings, contracts, etc.
Information Security Risk Assessment

• Inherent Risk = Asset Value X Threat Value X Vulnerability Value X Probability Value X Impact Value
• Asset Inventory
• Asset Classification
• Asset Value = Confidentiality Value + Integrity Value + Availability Value (each value is assigned on a scale of 1 to 3, where 1 is low, 2 is medium & 3 is high)
• Existing Controls Effectiveness will be assigned on a scale of 1 to 3, where
• Treatment of Risk if it is Unacceptable
• Risk Priority Number = Inherent Risk / Existing Controls Effectiveness
• Residual Risk, if the risk is High or Moderate, will be signed off by Management or the Risk Owner
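The scoring above (Asset Value = C + I + A on the 1 to 3 scale, Inherent Risk as the product of the five factors, Risk Priority Number = Inherent Risk / Existing Controls Effectiveness, plus the simpler RISK = ASSET VALUE X PROBABILITY X IMPACT from the Risk Management slide) carried through in Python as an added example that is not part of the presentation. Assumptions made here: threat, vulnerability, probability, impact and control effectiveness use the same 1 to 3 scale, the High/Moderate/Low cut-offs, and the sample asset register are all constructed for illustration.

```python
"""Risk scoring worked through with the formulas from the ISMS slides.

Added example (not from the presentation). Assumed: every factor uses the
deck's 1..3 scale, the High/Moderate/Low cut-offs, and the sample register.
"""
from dataclasses import dataclass

SCALE = range(1, 4)  # 1 = low, 2 = medium, 3 = high (the scale the deck gives for C/I/A)

SCORED_FIELDS = ("confidentiality", "integrity", "availability", "threat",
                 "vulnerability", "probability", "impact", "control_effectiveness")


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str  # Public / Internal/Protected / Confidential / Restricted
    confidentiality: int
    integrity: int
    availability: int
    threat: int
    vulnerability: int
    probability: int
    impact: int
    control_effectiveness: int  # assumed 1..3: how well the existing controls work

    def __post_init__(self) -> None:
        # Reject scores outside the 1..3 scale so a typo cannot silently skew the ranking.
        for field in SCORED_FIELDS:
            value = getattr(self, field)
            if value not in SCALE:
                raise ValueError(f"{self.name}: {field}={value!r} is outside the 1..3 scale")


def asset_value(a: Asset) -> int:
    """Asset Value = Confidentiality Value + Integrity Value + Availability Value (3..9)."""
    return a.confidentiality + a.integrity + a.availability


def simple_risk(a: Asset) -> int:
    """Risk Management slide: RISK = ASSET VALUE x PROBABILITY x IMPACT."""
    return asset_value(a) * a.probability * a.impact


def inherent_risk(a: Asset) -> int:
    """Inherent Risk = Asset Value x Threat x Vulnerability x Probability x Impact (max 729)."""
    return asset_value(a) * a.threat * a.vulnerability * a.probability * a.impact


def risk_priority_number(a: Asset) -> float:
    """Risk Priority Number = Inherent Risk / Existing Controls Effectiveness."""
    return inherent_risk(a) / a.control_effectiveness


def risk_level(rpn: float) -> str:
    """Assumed cut-offs: one third of the maximum RPN (729) is High, one ninth is Moderate."""
    if rpn >= 243:
        return "High"
    if rpn >= 81:
        return "Moderate"
    return "Low"


def assess(register: list) -> list:
    """Score each asset and rank by RPN, highest first, for the risk treatment plan."""
    rows = []
    for a in register:
        rpn = risk_priority_number(a)
        level = risk_level(rpn)
        rows.append({
            "asset": a.name,
            "classification": a.classification,
            "asset_value": asset_value(a),
            "inherent_risk": inherent_risk(a),
            "rpn": rpn,
            "level": level,
            # Slide: residual risk that is High or Moderate is signed off by Management / Risk Owner.
            "needs_sign_off": level in ("High", "Moderate"),
        })
    return sorted(rows, key=lambda r: r["rpn"], reverse=True)


# Constructed sample register; the scores are illustrative, not from the deck.
SAMPLE_REGISTER = [
    Asset("Patient records database", "Restricted", 3, 3, 3, 3, 3, 2, 3, 2),
    Asset("Public website", "Public", 1, 2, 3, 2, 2, 2, 2, 1),
    Asset("Staff newsletter archive", "Internal/Protected", 1, 1, 1, 1, 1, 1, 1, 1),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f"{row['asset']:<26} AV={row['asset_value']} IR={row['inherent_risk']:>3} "
              f"RPN={row['rpn']:>6.1f} {row['level']:<8} sign-off={row['needs_sign_off']}")
```

Note that the two website and newsletter rows differ only in their scores, so the ranking shows how a weak existing control (effectiveness 1) keeps a low-classification asset at Moderate and therefore still needs a sign-off.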
What is a Threat?

• An expression of intention to inflict evil, injury or damage
• Attacks against key security services – Confidentiality, Integrity & Availability
• Threat means something bad is coming your way – a high threat means it is highly likely to hit you and it will be very bad.
Q & A
Thank You!
