Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Security Awareness

Published byPeregrine Gallagher Modified over 6 years ago

Similar presentations

Presentation on theme: "Information Security Awareness"— Presentation transcript:

1 Information Security Awareness
ISO Awareness Information Security Awareness

2 Contents What is Information and Information Security? CIA Triad
Why Information Security? Impact of Security Incidents Introduction to ISO 27001

3 What is Information? Processed form of data is Information
Valuable asset to an organization which is to be protected is Information Information may exist in several forms – Tangible Documented (printed or written on paper) Published on web Electronically stored (stored on laptop, mobile, tablet etc.) Stored in s, servers, documents, diagrams etc. In-Tangible Ideas Knowledge and expertise etc. Information can be processed, stored, transmitted, modified, shared, deleted, destroyed, leaked, controlled, used properly or improperly

4 Information Security Protection against the unauthorized use of information is Information Security Information Security is prevent your organization from any risk/danger. Information Security can be achieved by – Identification of the risk to information and performing corrective/preventive actions Protection of Confidentiality, Integrity, and Availability Security of assets, processes, accounts, people, and infrastructure etc. Implementing and continuously improving the processes

5 CIA Triad Confidentiality Prevents unauthorized disclosure of information Integrity Assure that data cannot be modified in an unauthorized manner. Availability Information should be readily available for the authorized users.

6 Why Information Security?
Protection of information against threats Privacy of information and 100% compliance Better processes, reduced cost Minimizes financial and business loss Ensures business continuity Maintain Confidentiality, Integrity, and Availability of information

7 Impacts of Security Incidents
Loss of confidential information Fines and penalties Civil and criminal liability Breaking of rules and regulations Downtime of business and IT services Reputation damage and adverse publicity Less effective processes, hence increased costs Loss of customers, business partners, confidence, credibility, and assurance

8 About ISO ISO – International Organization for Standardization is an NGO Came into existence on Feb 23, 1947 Operates in 162 countries 3923 technical bodies to take care of standards development Published International Standards till now Create standards for all the industries applicable across the globe

9 ISO/IEC 27001:2013 ISO/IEC 27001:2013 ISO – International Organization for Standardization IEC – International Electrotechnical Commission ISO is Information Security Management Systems initially published by ISO for IT industry only ISO/IEC made it possible to implement it in any industry like IT, Aerospace, Pharmaceutical, Electronics, Mechanical, Civil, and Production etc. Specifies the requirements for improving a documented ISMS within an organisation with 11 domains, 39 control objectives, and 114 controls Ensure selection of adequate security controls to protect information assets from various threats & risks. International Organization for Standardization Publishing / Reissued Year Standard Code for Information Security Management System International Electrotechnical Commission

10 PDCA Cycle PDCA Plan – Establishment of the ISMS
Do – Implementation of the ISMS Check – Monitoring and review of the ISMS Act – Continuous improvement of the ISMS PDCA Plan Do Check Act

11 11 Control Domains Information Security Information Security Policy
Organization of Information Security Asset Management Human Resource Security Physical security Communication & Operations Management Access Control System Development and Maintenance Incident Management Business Continuity Plan Compliance

12 Control Domains (continued)
Information security policy – states management direction Organization of information security – information security management framework for implementation Asset management – assessment, classification and protection of valuable information assets HR security – security for employees, new joiners, and separated employees Physical & environmental security - prevents unauthorised access, theft, compromise, damage to information and computing facilities, power cuts Communications & operations management - ensures the correct and secure operation of IT Access control – restrict unauthorized access to information assets

13 Control Domains (continued)
Information system development & maintenance – build security into systems Incident management – track security incidents and take necessary actions Business continuity management – maintain business processes and restore if any failure occurs Compliance - avoid breaching of laws, rules & regulations, policies and other obligations

14 Key Documents for ISO 27001 Information Security Management Manual and Information Security Policy Statement of Applicability (SOA) document Internal policies and procedure documents for all the departments like Human Resource Information Technology Business development Quality Assurance Manufacturing and Production etc. Policies for Risk Management, Incident Management, Change Management, Physical and Environmental, Internet usage etc. Logs and reports like security logs, antivirus logs, security review reports, risk assessment logs, corrective and preventive actions.

15 Who is Responsible? Information Security Management committee
CEO/COO/CTO/CMO Information Security Management Representative Information Security Team/Department Information Security Officer Business Continuity Team Incident Management Team And all the departments like HR, IT, Accounts, Business, Legal etc.

16 Risk Management Risk is the possibility that a threat exploits a vulnerability leading to adverse impact Threat – that might cause harm like human error, software compliance, intellectual property, infrastructure issues, environmental factors etc. Vulnerability – a weakness that may be exploited Impact – damage to an asset of an organization Risk assessment table Risk ID Risk Category Description Severity of Impact Likelihood Risk Factor RF=S*L Corrective Action Severity IT-01 Internet Downtime IT Internet Issues 5 25 Other Internet Providers 1 HR-02 Employee Turnover HR Employee exit is increasing 4 2 8 Strict policies to stop employee turnover

17 Physical Security Do’s Don’ts Follow security policies and procedures
Use biometrics and wear identity cards while in premises. Inform incident management team or information security team in case of any incident. Do not allow unauthorized visitors in your premises Do not bring electronic media or banned devices in secure zones Do no use personal devices unless authorized by higher management.

18 Email usage Do’s Don’ts
Use official IDs for official purpose only Follow IT/ guidelines for usage Delete spam and report to IT team if you receive any spam Do not allow unauthorized visitors in your premises Do not bring electronic media or banned devices in secure zones Do no use personal devices unless authorized by higher management Do not respond to spam and be aware of attachments or links

19 Key points to remember Keep your computer system updated with operating system and antivirus Lock your system locked when unattended, and always log-off at the end of the day Clear cache and temporary files, restart your system twice a week Take regular backup of your important information Keep your system information in encrypted drive/folder Always comply with the policies and procedures of your organization Always comply with the security and privacy laws, copyrights, Non disclosure agreements, contracts, Master service agreements, and software licences Use conference rooms for official meetings and phone calls Do not bring eatables at your workstations Contact Information Security team in case of any security incident

20 Thank You Should you have any queries / suggestions / recommendations, feel free to contact – Website –

Download ppt "Information Security Awareness"

Similar presentations

Dr Lami Kaya LamiKaya@gmail.com ISO 27001 Information Security Management System (ISMS) Certification Overview Dr Lami Kaya LamiKaya@gmail.com.

Dr Lami Kaya ISO Information Security Management System (ISMS) Certification Overview Dr Lami Kaya
Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.

Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.
Secure Systems Research Group - FAU Process Standards (and Process Improvement)

Secure Systems Research Group - FAU Process Standards (and Process Improvement)
ISMS standards and control processes ISO27001 & ISO27002

ISMS standards and control processes ISO27001 & ISO27002
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Security Controls – What Works

Security Controls – What Works
Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 18, 20 & 25 March 2015.

Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 18, 20 & 25 March 2015.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
First Practice - Information Security Management System Implementation and ISO 27001 Certification.

First Practice - Information Security Management System Implementation and ISO Certification.
ACCEPTABLE An acceptable use policy (AUP), also known as an acceptable usage policy or fair use policy, is a set of rules applied by the owner or manager.

ACCEPTABLE An acceptable use policy (AUP), also known as an acceptable usage policy or fair use policy, is a set of rules applied by the owner or manager.
Chapter 3: Information Security Framework

Chapter 3: Information Security Framework
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Property of Common Sense Privacy - all rights reserved 01875340890 THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.

Property of Common Sense Privacy - all rights reserved THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Agenda  Introduce key concepts in information security from the practitioner’s viewpoint.  Discuss identifying and prioritizing information assets through.

Agenda  Introduce key concepts in information security from the practitioner’s viewpoint.  Discuss identifying and prioritizing information assets through.
Program Objective Security Basics

Program Objective Security Basics
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Teresa Macklin Information Security Officer 27 May, 2009 Campus-wide Information Security Activities.

Teresa Macklin Information Security Officer 27 May, 2009 Campus-wide Information Security Activities.
Evolving IT Framework Standards (Compliance and IT)

Evolving IT Framework Standards (Compliance and IT)
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Similar presentations

Ads by Google