Presentation is loading. Please wait.

Presentation is loading. Please wait.

ISO Information Security Management

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "ISO Information Security Management"— Presentation transcript:

1 ISO Information Security Management
PRESENTATIONS IN NETWORK SECURITY ISO Information Security Management Saad Haj Bakry, PhD, CEng, FIEE Saad Haj Bakry, PhD, CEng, FIEE

2 Objectives / Contents Past Development Contents of ISO 17799
ISO Information Security Management Objectives / Contents Past Development Contents of ISO 17799 Refinement of Contents (12 Sections) Suggested Work References Saad Haj Bakry, PhD, CEng, FIEE

3 ISO: International Standards Organization
Past Development ISO Information Security Management ISO: International Standards Organization International Organization Started in 1946 Membership Over 90 countries: ANSI (USA) / BSI (UK) / SASO (SA) Technical Committee Over 200 TC(s) (for technical recommendations) ISO 9000 family Quality Management ISO family Environment Management ISO 17799 Information Security Management Saad Haj Bakry, PhD, CEng, FIEE

4 Past Development ISO Information Security Management BS 7799 / ISO 17799 BS 7799 Started 1995 British Standard Institute: BSI Part 1: Code of Practice for Information Security Management Part 2: Specification for Information Security Management Systems ISO 17799 1999 Adopted: BS Part 1 Part 2 In use for auditing “Information Security Management Systems” Saad Haj Bakry, PhD, CEng, FIEE

5 ISO 17799: Contents 1. Scope 7. Physical & Environmental Security
Contents of ISO 17799 ISO Information Security Management ISO 17799: Contents 1. Scope 7. Physical & Environmental Security 2. Terms & Definitions 8. Communications & Operations Management 3. Security Policy 9. Access Control 4. Organizational Security 10. Systems Development & Maintenance 5. Asset Classification & Control 11. Business Continuity Management 6. Personnel Security 12. Compliance Saad Haj Bakry, PhD, CEng, FIEE

6 Scope of ISO 17799 Objective For Who Output Use
ISO Information Security Management 1. Scope of ISO 17799 Scope of ISO 17799 Objective To provide recommendations for “information security management”. For Who Those concerned with initiating, implementing and maintaining security in their organizations. Output Common “base” for developing “organizational security standards”. Effective security management “practice”. “Confidence” in inter-organizational dealings. Use Select and use. Use in accordance with applicable laws and regulations. Saad Haj Bakry, PhD, CEng, FIEE

7 ISO 17799 Terms and Definitions
ISO Information Security Management 2. Terms and Definitions ISO Terms and Definitions Information Security (IS): Preserving “Information” CIA Confidentiality Integrity Availability Risk Assessment: “Risk” on Information & Information Processing Facilities (I&IPF) Threats to Impact on Vulnerability of Risk Management: “Management of Security Risks” for an “Acceptable Cost” Identifying Controlling Minimizing Eliminating Saad Haj Bakry, PhD, CEng, FIEE

8 ISO 17799 Security Policy Target “Information Security: (IS)”.
ISO Information Security Management 3. Security Policy ISO Security Policy Target “Information Security: (IS)”. Objectives Clear policy “directions”. Management “support”. Policy / Authority Policy “across the organization”. “Issue” & “approval” of policy. “Maintenance” of policy. Saad Haj Bakry, PhD, CEng, FIEE

9 ISO 17799 Security Policy (Continued)
ISO Information Security Management 3. Security Policy ISO Security Policy (Continued) Policy Document Periodic Reviews & Evaluations Definitions & Scope Management Statement Policy Effectiveness: “recorded security incidents” (nature / number / impact) Business Efficiency: “cost & impact” of security control. Effects of “Technology Changes” Requirements: Legal / Contractual Security education Virus / malicious software issues. Business continuity Security violation issues. Responsibilities & reporting. Appendices (details) & references. Saad Haj Bakry, PhD, CEng, FIEE

10 Organizational Security
ISO Information Security Management 4. Organizational Security Organizational Security Section IS Infrastructure Third Party Access Outsourcing Objective To manage “IS” within the organization To maintain the security of “I&IPF” accessed by 3rd party To maintain “IS” when some responsibility (s) are outsourced Approach Establishing “management framework” to initiate and implement IS. Applying “control” to access by Outsourcing contracts should address IS issues Saad Haj Bakry, PhD, CEng, FIEE

11 Asset Classification Control
ISO Information Security Management 5. Asset Classification Control Asset Classification Control Section Accountability of Assets Information Classification Objective To maintain appropriate protection of “organizational assets” To ensure that “information assets” receive an appropriate level of protection Approach Major information should be accounted for and have “nominated owner” Classifying information to indicate the “need, priorities, and degree of protection” Saad Haj Bakry, PhD, CEng, FIEE

12 Security in Job Definition & Responding to Incidents & Malfunctions
ISO Information Security Management 6. Personnel Security Personnel Security Section Security in Job Definition & Re-sourcing User Training Responding to Incidents & Malfunctions Objective To reduce the risks of “human errors, theft, fraud, or misuse” of facilities To ensure that users are “aware” of IS threats & concerns, and are equipped to support “organizational security policy”. To minimize the“damage” from incidents & malfunctions , and to “monitor & learn from them”. Approach Security responsibilities are addressed at recruitment, and monitored at work Users should be trained in “security procedures” and correct use of “facilities” to “minimize risk” Incidents affecting security should be reported on time, & through appropriate channels Saad Haj Bakry, PhD, CEng, FIEE

13 Physical & Environmental Security
ISO Information Security Management 7. Physical & Environmental Security Physical & Environmental Security Section Secure Areas Equipment Security General Controls Objective To prevent “unauthorized access, damage, & interference” to “business premises & information” To prevent “loss, damage, or compromise” of “assets” and “interruption” to “business activities”. To prevent “compromise” or “theft” of “I&IPF” Approach Housing critical “I&IPF” in secure areas with a defined “security perimeter”, “barriers”, & “entry controls”. Equipment should be “physically” protected from “threats and environmental hazards”. Protecting “I&IPF” from “disclosure to modifications, or theft”; minimizing “loss or damage” Saad Haj Bakry, PhD, CEng, FIEE

14 Communications & Operations Management
ISO Information Security Management 8. Communications & Operations Management Communications & Operations Management Section Operational Procedures & Responsibilities System Planning & Acceptance Objective To ensure correct and secure operations of “IPF” To minimize the risk of systems failures Advanced system planning Projection of capacity to avoid overloading Testing new systems before acceptance. Approach Assignment of responsibilities & development of procedures, including operating instructions & incident response procedures. Saad Haj Bakry, PhD, CEng, FIEE

15 Protection from Malicious Software
ISO Information Security Management 8. Communications & Operations Management Communications & Operations Management Section Protection from Malicious Software Housekeeping Network Management Objective To protect the “integrity of software & information” To maintain the “availability” of “information processing and communications”. To protect: information in networks; and the supporting infrastructure. Approach Detect / prevent “malicious software” (e.g. Viruses) Back-up strategy. Back-up copies. Environment. Faults. Testing. Network protection beyond organizational boundaries. (e.g. Data flow in public networks) Saad Haj Bakry, PhD, CEng, FIEE

16 Media Handling & Security Exchanges of Information & Software
ISO Information Security Management 8. Communications & Operations Management Communications & Operations Management Section Media Handling & Security Exchanges of Information & Software Objective To prevent damage to assets and interruption of business: media control & physical protection. To prevent loss, modifications, or misuse of information exchanged between organizations. Control of information exchange, according to relevant legislations. Examples: , EDI, e-Commerce (applications) Approach Operating procedure to protect: computer media & data, from damage, theft & unauthorized access. Saad Haj Bakry, PhD, CEng, FIEE

17 Business Requirements for Access Control User Access Management
ISO Information Security Management 9. Access Control Access Control Section Business Requirements for Access Control User Access Management Objective To “control access to information”. To “prevent unauthorized access to information” Approach Access according to “business security requirements” & “policies of information dissemination & authorization” Procedures for “access rights” from registration to de-registration. Special attention to “privileged access” Saad Haj Bakry, PhD, CEng, FIEE

18 Access Control (Continued)
ISO Information Security Management 9. Access Control Access Control (Continued) Section User Responsibilities Network Access Control Operating System Access Control Objective To “prevent unauthorized user access” To “protect network services” To “prevent unauthorized network access”. Approach Awareness & responsibilities of users Password rules Cooperation of users Interfacing with other networks. Authentication: users / equipment User access to services. User: identity / location Recording: success/ failure. Quality passwords. Limiting connection time (if appropriate) Saad Haj Bakry, PhD, CEng, FIEE

19 Access Control (Continued)
ISO Information Security Management 9. Access Control Access Control (Continued) Section Application Access Control Monitoring System Access & Use Mobile Computing & Tele-working Objective To “prevent unauthorized access to information in information systems” To detect unauthorized activities. To “insure IS in mobile computing & tele-working” Approach User access control Attention: access to critical SW Security of related systems (shared). Restricting access. Monitoring deviations from access policy. Control effectiveness Important Issues: Environment. Special risks. Tele-working sites Saad Haj Bakry, PhD, CEng, FIEE

20 System Development & Maintenance
ISO Information Security Management 10. System Development & Maintenance System Development & Maintenance Section Security Requirements of Systems Security in Application Systems Objective To “ensure that security is built into information systems”. To “prevent loss, modification, or misuse of user data in application systems”. Approach Infrastructure Business applications User-development applications. Security requirements: identified & agreed early Application systems design: include control & audit. Validation of: input data; internal processing; output results. Saad Haj Bakry, PhD, CEng, FIEE

21 System Development & Maintenance
ISO Information Security Management 10. System Development & Maintenance System Development & Maintenance Section Cryptographic Control Security in System Files Security in Development & Support Processes Objective To “protect the confidentiality, authenticity, and integrity of IS” To “ensure that IT projects and support activities are conducted in a secure manner”. To “maintain the security of application system software & information” Approach Use of cryptographic techniques. Control access to system files. Responsibility of application owner. Strict control on: project development Reviewing, testing & checking. Saad Haj Bakry, PhD, CEng, FIEE

22 Business Continuity Management
ISO Information Security Management 11. Business Continuity Management Business Continuity Management Section Aspects of Business Continuity Management Objective To “counterattack interruption of business activities”. To “protect critical business processes from the effect of major failures or disasters”. Approach Implementation of “business continuity management process” using “prevention & recovery” controls Problems: Disasters Security failures. Saad Haj Bakry, PhD, CEng, FIEE

23 Compliance Section Compliance with Legal Requirements
ISO Information Security Management 12. Compliance Compliance Section Compliance with Legal Requirements Security Policy & Technical Compliance System Audit Considerations Objective To “avoid breaches of any criminal & civil law, statutory, regulatory, or contractual obligations, and of any security requirements”. To “ensure compliance with organizational security policies & standards” To “maximize the effectiveness & minimize the interference to/from system audit process” Approach Regular review of security policy: Standards / Technical Platform No misuse of audit tools. Operation control during audit Saad Haj Bakry, PhD, CEng, FIEE

24 Suggested Work Detailed Review Considering: Derivation of Procedures:
ISO Information Security Management Suggested Work Detailed Review Considering: Strategy / Technology / Organization / People / Environment Challenges / Protection Techniques / Security Measures Main Levels / System Levels BS 7799 Part 2 Derivation of Procedures: Investigation of current state. Diagnosing problems. Proposing solutions ISO Compatibility / Accreditation. Saad Haj Bakry, PhD, CEng, FIEE

25 ISO Information Security Management
References ISO/IEC 17799: Information Technology: Code of Practice for Information Security Management. Reference number: ISO/IEC 17799:2000(E). S.H. Bakry, “Development of a security policy for private networks”, International Journal of Network Management, Vol. 12, 2002. Saad Haj Bakry, PhD, CEng, FIEE

Download ppt "ISO Information Security Management"

Similar presentations

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Information Security Management Goes Global.

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Information Security Management Goes Global.
Dr Lami Kaya LamiKaya@gmail.com ISO 27001 Information Security Management System (ISMS) Certification Overview Dr Lami Kaya LamiKaya@gmail.com.

Dr Lami Kaya ISO Information Security Management System (ISMS) Certification Overview Dr Lami Kaya
Secure Systems Research Group - FAU Process Standards (and Process Improvement)

Secure Systems Research Group - FAU Process Standards (and Process Improvement)
ISMS standards and control processes ISO27001 & ISO27002

ISMS standards and control processes ISO27001 & ISO27002
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.

ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
Auditing Computer Systems

Auditing Computer Systems
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.
Network Management Functions

Network Management Functions
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
Information Systems Security Officer

Information Systems Security Officer
23 January 2003© All rights Reserved, 2002 Understanding Facilitated Risk Analysis Process (FRAP) and Security Policies for Organizations Infocomm Security.

23 January 2003© All rights Reserved, 2002 Understanding Facilitated Risk Analysis Process (FRAP) and Security Policies for Organizations Infocomm Security.
ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.

ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.
Information Systems Security Policies & ISO 17799

Information Systems Security Policies & ISO 17799
NIST framework vs TENACE Protect Function (Sestriere, 21-23 Gennaio 2015)

NIST framework vs TENACE Protect Function (Sestriere, Gennaio 2015)
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Chapter 3: Information Security Framework

Chapter 3: Information Security Framework
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.

Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.

Similar presentations

Ads by Google