ISO 17799&ITS APPLICATION Prepared by Çağatay Boztürk 14.06.2005.


2 Outline
What is ISO 17799?
History
Who's it for?
Implementation
Conclusion

3 What is ISO 17799?
A set of controls based on the best practices in information security;
An international standard covering every aspect of information security:
–Equipment;
–Management policies;
–Human resources;
–Legal aspects.

4 BS 7799 or ISO 17799?
ISO 17799 (part 1) is a guide containing controls and recommendations by which an organization can ensure the security of its information.
BS 7799 (part 2) proposes measures for an efficient information security management framework. BS 7799-2 helps an organization establish an information security management system (ISMS) and thus prepare for the audit.

5 The Ten Key Contexts of ISO 17799
(Diagram: the ten control areas arranged around the three properties of information to be protected: Integrity, Confidentiality, Availability.)
Security policy; Organizational security; Asset classification and control; Personnel security; Physical and environmental security; Communications and operations management; Access control; Systems development & maintenance; Business continuity management; Compliance.

6 The Ten Key Contexts of ISO 17799
(Diagram grouping the ten contexts into Organizational and Operational areas.)
1. Security policy
2. Organizational security
3. Asset classification and control
4. Personnel security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. Systems development and maintenance
9. Business continuity management
10. Compliance

7 The Ten Key Contexts of ISO 17799
1. Security Policy – Provide guidelines and management advice for improving information security.
2. Organizational Security – Facilitate information security management within the organization.
3. Asset Classification and Control – Carry out an inventory of assets and protect these assets effectively.
4. Personnel Security – Minimize the risks of human error, theft, fraud or the abusive use of equipment.
5. Physical and Environmental Security – Prevent the violation, deterioration or disruption of industrial facilities and data.
6. Communications and Operations Management – Ensure the adequate and reliable operation of information processing devices.
7. Access Control – Control access to information.
8. Systems Development and Maintenance – Ensure that security is incorporated into information systems.
9. Business Continuity Management – Minimize the impact of business interruptions and protect the company's essential processes from failure and major disasters.
10. Compliance – Avoid any breach of criminal or civil law, of statutory or contractual requirements, and of security requirements.

8 History and Development of ISMS
1995: BS 7799 Part 1
1998: BS 7799 Part 2
Swedish standards SS 62 77 99 Parts 1 and 2
1999: Updated version of BS 7799 Parts 1 and 2
December 2000: ISO/IEC 17799:2000
2001: Review of BS 7799-2
September 2002: Updated version of BS 7799-2 (revised and corrected)

9 Who's it for?
BS 7799/ISO 17799 can be used by any organization or company. If your organization uses computer systems internally or externally, possesses confidential data, depends upon information systems in the context of its business activities, or simply wants to adopt a high level of security while complying with a standard, BS 7799/ISO 17799 is the solution.

10 Online Purchases of the ISO 17799 Standard (% by region)
(Pie chart; the region labels are not recoverable from the transcript. Shares shown: 35 %, 23 %, 18 %, 9 %, 6 %; Others: 9 %.)

11 BS 7799 / ISO 17799 Audit and Certification
ISO 17799 certification does not exist at the moment. A company can comply with ISO 17799 and then become BS 7799-2:2002 certified.
The audit process can be documented:
–Internal audit
–External audit (letter of opinion)
–BSI Registrar (official certification)

12 List of Certified Firms
Over 80 000 firms around the world are BS 7799/ISO 17799 compliant, including:
–Fujitsu Limited;
–Insight Consulting Limited;
–KPMG;
–Marconi Secure Systems;
–Samsung Electronics Co Ltd;
–Sony Bank Inc.;
–Symantec Security Services;
–Toshiba IS Corporate.

13 Advantages
–Compliance with governance rules for risk management;
–Better protection of the company's confidential information;
–Reduced risk of hacker attacks;
–Faster and easier recovery from attack.

14 Advantages (cont'd)
–Structured security methodology that has gained international recognition;
–Increased mutual confidence between partners;
–Potentially lower premiums for computer risk insurance;
–Improved privacy practices and compliance with privacy laws.

15 Management Approach (PDCA Model)

16 Methodology and Implementation Cycle
Steps of the methodology and cycle for implementing the standard (Step – Description):
Initiation of the Project – Ensure the commitment of upper management; Select and train members of the initial project team.
Definition of the ISMS (Information Security Management System) – Identifying the scope and limits of the information security management framework is crucial to the success of the project.
Risk Assessment – Identify and evaluate threats and vulnerabilities; Calculate the value of associated risks; Diagnose the level of compliance with ISO 17799; Inventory and evaluate the assets to protect.

17 Methodology and Implementation Cycle (cont'd)
Steps of the methodology and cycle for implementing the standard (Step – Description):
Risk Treatment – Find out how selecting and implementing the right controls can enable an organization to reduce risk to an acceptable level.
Training and Awareness – Employees may be the weakest link in your organization's information security.
Audit Preparation – Learn how to validate your management framework and what must be done before you bring in an external auditor for BS 7799-2 certification.
Audit – Learn more about the steps performed by external auditors and about certification agencies accredited for BS 7799-2.

18 Implementation
Aim: examine how ISO 17799 is used, and inspect whether a company applies the ISO 17799 standard and how it is applied.
An audit questionnaire was prepared to help enterprises measure their security level. The survey questions on ISO 17799 (BS 7799-1:2000) and BS 7799-2:2002 Information Security Management Systems are grouped under 10 main titles based on the 127 security controls. The survey was applied to the IT department of a company that holds ISO 9001 and ISO 14001 certification. The company that took the survey does not permit the use of its name, for information security reasons.

19 Deliverables – ISO 17799 Results of Survey
SECURITY POLICY: 2 NO out of 2 questions.
ORGANIZATIONAL SECURITY: 7 NO out of 10 questions.
ASSET CLASSIFICATION & CONTROL: 2 NO out of 3 questions.
PERSONNEL SECURITY: 3 NO out of 10 questions.
PHYSICAL & ENVIRONMENTAL SECURITY: 7 NO out of 13 questions.
COMMUNICATIONS AND OPERATIONS MANAGEMENT: 12 NO out of 24 questions.
ACCESS CONTROL: 14 NO out of 31 questions.
SYSTEMS DEVELOPMENT & MAINTENANCE: 7 NO out of 18 questions.
BUSINESS CONTINUITY MANAGEMENT: 1 NO out of 5 questions.
COMPLIANCE: 5 NO out of 11 questions.
At the end of the survey, the total of YES answers is 66 over 127 questions. This result shows that the company's security status is POOR.

20 Potential Obstacles / Success Factors
Success factors:
–Dedicated personnel and resources;
–External expertise;
–Good understanding of risk management functions (management) and processes (operations);
–Frequent communication;
–Manager and employee awareness;
–Commitment from upper management;
–Structured approach.
Potential obstacles:
–Fear, resistance to change;
–Risk of contiguity;
–Increased costs;
–Insufficient knowledge for the approach selected;
–Seemingly insurmountable task.

21 Conclusion Now more than ever, it is essential to align information security with the corporate mission. The confidentiality, integrity and availability of information are crucial factors in conserving a competitive edge, cash flow, legal compliance and a good business image. Seeking certification is also a demonstration that business executives and upper management are showing due diligence in protecting corporate assets. Development of information security policy based on ISO 17799 is thus at the very core of information security management. BS 7799 / ISO 17799 is especially pertinent in this context. Simply by learning the requirements of the standard, companies will improve their understanding of information security management.

22 References
BSI documents (www.bsi.org.uk/index.xhtml):
–Information Security Management: An Introduction (PD3000) – Provides an overview of the accredited certification process and serves as a useful preface to the other guides.
–Guide to BS7799 Risk Assessment and Risk Management (PD3002) – Describes the concepts underlying the BS 7799 risk assessment, including terminology, the evaluation process and risk management.
–ISO/IEC Guidelines for the Management of IT Security (GMITS).
–Selecting BS7799 Controls (PD3005) – Describes the process for selecting appropriate controls.

23 Thanks for listening

24 Gantt Chart of the Project

25 Critical Path of The Project
