Presentation on theme: "Innovation or Necessity? ISM 158 By: Sepehr Saeb."— Presentation transcript:
Innovation or Necessity? ISM 158 By: Sepehr Saeb
In 2006, Nationwide building society was fined nearly £1 million by the FSA (Financial Services Authority) for failing to have effective systems and controls to manage information security risks. Why? The laptop of one of the employees got stolen from his house so that put the customers into a high risk of financial crime
Today, information is considered as an essential asset for businesses not only as the success factor, but also as an surviving factor. Different Types of Information: 1. Printed or written 2. Stored electronically 3. Transmitted by post 4. Shown on films 5. Spoken in conversation
As soon as the necessity of information is realized by the leaders of a business, Security must be embedded into the system and become standard. If it is implemented correctly: 1. Increased efficiency 2. Greater clarity and visibility of processes 3. Risk reduction 4. Direct improvement 5. Higher credibility within clients
Implementing an Information Security Management System (ISMS) What ISMS Does? Identify and reduce security risks Focus information security Protect information
The Core work needs to be done in implementing ISMS: Scope out the extent of the system and its boundaries in order to protect data A thorough and detailed risk assessment needs to be prepared by identifying the valuable information with possible threats and vulnerabilities followed by the existing controls. The result of these steps will show us which section of business need stronger and more developed security.
After gathering all necessary requirements to implement ISMS: Staff training and awareness Publishing the security policy Documenting the final set of security controls Periodic review of the system is essential to maintain the integrity of the system
Reduction in security breaches Improved understanding of business operations and related critical assets Ensuring compliance to regulatory and legislative requirements Reduced risk to reputation in the market sector Increased protection of key IT assets and related data Enforcing a systematic approach to identifying and handling security incidents. Providing confidence to external financial auditors that security controls are in place and effective.
Security of back up data Staff training and awareness Limited tools to characterize security performance Lack of effective testing systems Poor software licensing controls
Since information is dramatically increasing and getting larger Security risks also is increasing As a result, having a good ISMS is necessity The main issue is to avoid security breaches in the gap between a new vulnerability being published and implementing a patch to fix it which is time consuming