Presentation is loading. Please wait.

Presentation is loading. Please wait.

An Awareness Training on ISO 27001:2013

Similar presentations


Presentation on theme: "An Awareness Training on ISO 27001:2013"— Presentation transcript:

1 An Awareness Training on ISO 27001:2013
Official Title of ISO 27001:2013 "Information technology— Security techniques — Information security management systems — Requirements". An Awareness Training on ISO 27001:2013 11/20/2018

2 What is Information Security
The protection of information against unauthorized disclosure, transfer, modification, or destruction, whether accidental or intentional Information Assets Asset is something that has “value to the organization” Information assets of an organization can be: business data data Employee information Research records Price lists Tender documents Spoken in conversations over the telephone Organization must determine which assets can materially affect the delivery of product/service by their absence or degradation Information Security Management relates to all types of information, be it paper-based, electronic or other. It determines how information is processed, stored, transferred, archived and destroyed. A secure information is one which ensures Confidentiality, Integrity, and Availability. It is all about protecting information assets from potential security breaches. Data stored on computers Transmitted across networks Printed out Written on a paper, sent by fax Stored on disks Held on microfilm 11/20/2018

3 What is Information Security
Confidentiality Is my communication private? Ensuring that the data is read only by the intended person Protection of data against unauthorized access or disclosure Possible through access control and encryption Integrity Has my communication been altered? Protection of data against unauthorized modification or substitution If integrity is compromised, no point in protecting data A transparent envelope that is tamper evident Availability Are the systems responsible for delivering, storing and processing information accessible when needed Are the above systems accessible to only those who need them 11/20/2018

4 Security Measures/Controls
Need for ISMS Management Concerns Market reputation Business continuity Disaster recovery Business loss Loss of confidential data Loss of customer confidence Legal liability Cost of security Security Measures/Controls Technical Procedural Physical Logical Personnel Management All these can be addressed effectively and efficiently only by establishing a proper Information Security Management System (ISMS) 11/20/2018

5 Comparing ISO 27001:2005 to ISO 27001:2013 Structure
The specification is spread across 5 clauses, which approach the ISMS from a managerial perspective. Information security management system Management responsibility Internal ISMS audits Management review of the ISMS ISMS improvement Structure The specification is spread across 7 clauses, which do not have to be followed in the order they are listed. Context of the organization Leadership Planning Support Operation Performance evaluation Improvement 11/20/2018

6 Comparing ISO 27001:2005 to ISO 27001:2013 Process Process
The standard clearly states that it follows the PDCA (Plan-Do-Check-Act) model Process The standard does not specify any particular process model. The standard requires that a process of continual improvement is used Governance and management Senior management plays a major role. Management and board engagement is high but the separation between board and management is not clear. Governance and management Management roles are described as ‘management’ and ‘top management’, removing reference to the board. The organization is that part of the business that falls within the scope, and not necessarily the legal entity. The board initiates the ISMS; management oversees the implementation of the ISMS 11/20/2018

7 Comparing ISO 27001:2005 to ISO 27001:2013 Risk assessments
The definition of risk is the “combination of the probability of an event and its consequences”. The organization identifies risks against assets. The asset owner determines how to treat the risk, accepting residual risk. Controls are drawn from Annex A. Annex A is not exhaustive, so additional controls can be drawn from other sources. The Statement of Applicability records whether a control from Annex A is selected and why. Risk assessments The definition of risk is the “effect of uncertainty on objectives”, which may be positive or negative. Baseline controls based on regulatory, business and contractual obligations may be identified and implemented before the risk assessment is conducted. The organization identifies risks to the organization's information the assessment does not have to be asset-based. The risk owner determines how to treat the risk, accepting residual risk. Controls are drawn from any source or control Set Selected controls are compared to those in Annex A. The Statement of Applicability records whether a control from Annex A is selected and why 11/20/2018

8 Comparing ISO 27001:2005 to ISO 27001:2013 Controls Controls
Annex A contains 133 controls across 11 control categories. Controls from other sources are used to ‘plug gaps’ not covered by Annex A controls Controls Annex A contains 114 controls across 14 control categories Controls (from any source) are identified before referring to Annex A Documentation The standard recognizes two forms: documents and records. Documents include policies, procedures, process diagrams, etc. Records track work completed, audit schedules, etc. Documentation The standard makes no distinction between documents and records. Documents and records are subject to the same control requirements. 11/20/2018

9 ISO27001 Structure ISO27001 ISO/IEC 27001:2013 Auditable Standard
Clauses: Mandatory Processes Annex A: Control Objectives 4 Context of the organisation 5 Leadership 6 Planning 7 Support 14 Domains 35 Control Objectives 114 controls 8 Operation 9 Performance evaluation 10 ISMS Improvement

10 Number of Domains and Controls
Control Obj. Controls A5. Information Security policies 1 2 A6. Organization of information security 7 A7. Human resources security 3 6 A8. Asset management 10 A.9 Access control 4 14 A.10 Cryptography A.11 Physical and environmental security 15 A.12. Operations Security A.13 Communications Security A.14 Systems acquisition, development & Maint. 13 A.15 Supplier Relationship 5 A.16 Information security incident management A.17 Information Security aspect of Business continuity management A.18 Compliance 8 Total - 14 35 114

11 Clause 4: Context of the organization
ISO Main Clauses Clause 4: Context of the organization Understanding the organization and its context Understanding the needs and expectation of interested parties. Determining the scope of the information security management system Information security management system Clause 5: Leadership Leadership and Commitment Policy Organization, roles, responsibilities and authorties Clause 6: Planning Action to address Risk and Opportunities Information security objectives and Planning to achieve them Clause 7: Support Resource Competence Awareness Communication Documented Information 11/20/2018

12 Clause 9: Performance evaluation
ISO Main Clauses Clause 8: Operation Operation planning and control Information security Risk assessment Information security Risk Treatment Clause 9: Performance evaluation Monitoring, measurement, analysis and evaluation Internal Audit Management Review Clause 10: Improvement Non conformity and corrective action Continual improvement 11/20/2018

13 ISMS Scope The Information Security Management Systems covering all business functions and processes associated with information assets to provide customers, employees and business partners benefits and services in the organization. 11/20/2018

14 Quality Policy & Business Objectives
Quality & Security Policy : NST is committed to maintain high quality standards in delivering timely and cost effective solutions to our customers by continual improvement of our processes, instilling quality consciousness amongst all employees and recognizing the confidentiality, integrity and availability of information assets to relevant stakeholders including our customers. Business Objectives Key Objective 1: Provide high quality services to our clients. Key Objective 2: Continuous focus on employee satisfaction and competency development so as to reduce and stabilize employee attrition. Key Objective 3: Continual improvement of services to our internal & external customers. Key Objective 4: To secure its information assets and of its customers, NST shall deploy procedures to maintain confidentiality, integrity and availability of all information assets. Key Objective 5: To have year on year revenue increase while maintaining profitability.

15 Management framework policies
ISMS Documentation Procedure Work Instructions, checklists, forms, etc. Records ISMS Manual (Apex document) Policy, scope Risk Assessment, statement of applicability Describes processes who, what, when, where Describes how tasks and specific activities are done Provides objective evidence of compliance to ISMS requirements Management framework policies Level 2 Level 3 Level 4 Level 1 11/20/2018

16 Risk Assessment and Management
Identify all Stakeholders Identify Business Process Identify Operation Process Identify Assets Identify Risk on the basis of all Stakeholders Identify Threats and Vulnerabilities Evaluate Probability and Impact Calculate Risk Value Risk treatment Mitigate/Reduce risk Avoid risk Transfer risk Accept risk Risk Management Mitigate the risk by appropriate controls Evaluate controls periodically 11/20/2018

17 There are 14 domains 35 control objectives and 114 detail controls
ISO 27001:2013 Main Clauses-10 Clause 4: Context of the Organization Clause 5: Leadership Clause 6: Planning Clause 7: Support Clause 8: Operation Clause 9: Performance Evaluation Clause 10: Improvement Clause 11: Domain, Control Objective & Controls There are 14 domains 35 control objectives and 114 detail controls

18 Structure of ISO 27001:2013 Controls
14 Domains comprising 35 Control Objectives and 114 Controls A.5 Information security policies – controls on how the policies are written and reviewed A.6 Organization of information security – controls on how the responsibilities are assigned; also includes the controls for mobile devices and teleworking A.7 Human resources security – controls prior to employment, during, and after the employment A.8 Asset management – controls related to inventory of assets and acceptable use, also for information classification and media handling A.9 Access control – controls for Access control policy, user access management, system and application access control, and user Responsibilities A.10 Cryptography – controls related to encryption and key management A.11 Physical and environmental security – controls defining secure areas, entry controls, protection against threats, equipment security, secure disposal, clear desk and clear screen policy, etc. A.12 Operational security – lots of controls related to management of IT production: change management, capacity management, malware, backup, logging, monitoring, installation, vulnerabilities, etc. A.13 Communications security – controls related to network security, segregation, Network services, transfer of information, messaging, etc.

19 Structure of ISO 27001:2013 Controls
A.14 System acquisition, development and maintenance – controls defining security requirements and security in development and support processes A.15 Supplier relationships – controls on what to include in agreements, and how to monitor the suppliers A.16 Information security incident management – controls for reporting events and weaknesses, defining responsibilities, response procedures, and collection of evidence A.17 Information security aspects of business continuity management – controls requiring the planning of business continuity, procedures, verification and reviewing, and IT redundancy A.18 Compliance – controls requiring the identification of applicable laws and regulations, intellectual property protection, personal data protection, and reviews of information security

20 Guidelines for using the Risk Register Sheet-13
Risk analysis is an evaluation of the identified risk events to determine the likelihood of the events occurring and their impact, to assign a risk rating based on the project criteria and to prioritize the risks. For each risk event, the following risk analysis guidelines can be used: 1 2 Probability Vulnerability (Impact)value The likelihood of occurrence can be categorized as: The vulnerability of each risk are attributed to a characterization value as follows: Rating Description Score Near certainty Event that has a greater than 75% chance of occurring 5 Showstopper The effect is catastrophic; the organization may face significant loss and impact. The project will fail. 4 Highly likely Event that has between a 51 – 75% chance of occurring Critical The impact is serious and the project may be largely affected due to the risk. There could be huge delays and the project could be postponed due to it. 3 Likely Event that has between a 20 – 50% chance of occurring Marginal The risks could affect in small delays in schedule . 2 Unlikely Event that has between a 10 – 20% chance of occurring Negligible The impact of these risks on the project could be minimal. 1 Remote Event that has a 0 – 10% chance of occurring Risk Value = (probability of event) + ( Vulnerability) +(CIA Value) Probability (P) Levels Vulnerability (V) Values CIA Value (C) Risk Values (P+I+C) 1 - (R)emote 1 - (N)egligible 1- Low 3 to 5 - Normal/Trivial 2 - (U)nlikely 2 - (M)arginal 2- Medium 6 to 7 – Low 3 - (L)ikely 3 - (C)ritical 3- High 8 to 10 – Medium 4 - (H)ighly likely 4 - (S)howstopper 11 to 12 - High 5 - (N)ear certainty 3 Risk Level Value definition 3 to 5: No action required 6 to 7: To be reviewed regularly and Organization will accept risk up to this level 8 to 10: Medium level risk, mitigation to be planned in a period of six months 11 to 12: High Level risk, Mitigation immediately required 11/20/2018

21 Understanding the Needs and Expectation from Interested Parties
Stake holders Issues Internal Management Governance, Resource availability, organization structure, roles and accountabilities, Policies, objectives, and the strategies Employees Fulfillment of commitments, adherence to organization policies, processes and guidelines and to ensure seamless / uninterrupted operations. Expectation of employees in terms of commitment made by the organization need to be fulfilled. Shareholders Relationship with, and perceptions and values of, internal stakeholder’s Board of Directors  Maintaining commitment to customers, goodwill and repute of the organization, and maintaining return on investment committed on the business, in totality Corporate requirements Standards, guidelines and models adopted by the organization Users / Other departments Information technology related requirements to the organization such as access right, IT infra availability to internal users and other departments. HR Resource availability, resource competence, training, background verification etc., Finance Approval of financial commitments Legal Vetting of Legal contracts and protecting the organization from non-compliance of legal, regulatory and contractual requirements External Customers Service delivery Vendors Supply of goods and services to enable the organization to meet the requirement of the customer Users / Public Information technology related requirements to the organization such as access right, IT infra availability to internal users and other departments. Government Submission of desired reports and statements and approvals to carry out the business. Fulfilling the legal, and regulatory requirement. Society and environment Natural and competitive environment, Key drives and trends having impact on the objectives of the organization, Political, financial status of the country. 11/20/2018

22 Communication What to communicate When to communicate With whom to communicate Who shall communicate Processes by which communication shall be effected. Technical matters To seek clarification, communicate execution and discussing options of delivery Customer Delivery Manager / Technical Lead / Hard copy/Phone Non-Technical Business Development when communicating upgrades / updates and offers of NST Account Manager Financial Information such as Invoices, Payment reminder, Proposal, upgrade offer etc. As and when the event takes place Accounts Manager To get the action initiated on completion of delivery Accounts Manager / Business Head Performance report Monthly / quarterly Business Head Account Manager and Delivery Manager PPT / Word / Excel  - /Phone Technical Matters Project Manager Developer/Tester Communications provide the statement to the Organization of the Information Security of the business that highlighting the importance of information s protection. Users shall be made aware about the risk of Information Security while exchanging information through Voice, , Fax, and Video Communication facility 11/20/2018

23 Statement of Applicability
Document describing the control objectives and controls that are relevant and applicable to the organization’s ISMS, based on the results of risk assessment and risk treatment processes. 11/20/2018

24 Probability of Happening
Exercise Given below are various risks that may faced by an organization. Go through the list of clauses and map them against each risk. Threat / Concern Threat impact Impact Rating Probability of Happening Probability Rating Unauthorised Access It will/may change the functionality of s/w High Can happen Occasionaly Medium Loss of Source code Sytem breakdown / Competitive access Occasionally Maintenance support' Lack of customer satisfaction, Frequently Training and awareness Wrong / errorneous operation Meium frequently A11, A12, A10, 5 11/20/2018

25 Generic Changes from ISO 27001:2005 standard
Puts more emphasis on measuring and evaluating how well an organization's ISMS is performing New section on Outsourcing Does not emphasize the Plan-Do-Check-Act cycle. More attention is paid to the organizational context of information security. Risk assessment has changed. Management commitment requirements have a focus on “leadership” Preventive action has been replaced with “actions to address, risks and opportunities” SOA requirements are similar, with more clarity on the need to determine controls by the risk treatment process Controls in Annex A have been modified to reflect changing threats, remove duplication and have a more logical grouping. Stress on maintaining documented information, rather than information record Greater emphasis is on setting objectives, monitoring performance and metric

26 Risk assessment and risk treatment
Risk management is the activities to make clear what kind of information security risks may occur, determine the risk treatment and manage the risks. The activities to make the risks clear are referred to as "risk assessment". Identify the risk owners The actions taken for the risks, which are made clear, are referred to as "risk treatment". Avoiding: Withdrawal of business, etc. Taking or increasing risk in order to pursue an opportunity: Additional investment, etc. Changing the likelihood of risks: Performing preventive measures, etc. Removing the risk sources: Performing preventive measures, etc. Changing the consequences of risks: Preparing the actions taken for the possible situations, etc. Sharing the risks with another parties: Insuring the risks, etc. Retaining the risk as they are: Accepting the risks upon recognition This is the same as the "management judgment" conventionally conducted by Management.

27 New controls Secure development policy – rules for development of software and information systems Secure system engineering principles – principles for system engineering Secure development environment – establishing and protecting development environment System security testing – tests of security functionality Assessment of and decision on information security events – this is part of incident management Availability of information processing facilities – achieving redundancy

28 Conceptual changes New/Updated Concepts Explanation
Context of the organization The environment in which the organization operates Issues, risks and opportunities Replaces preventive action Interested parties Replaces stakeholders Leadership Requirements specific to top management Communication There are explicit requirements for both internal and external communications Information security objectives Information security objectives are now to be set at relevant functions and levels Risk assessment Identification of assets, threats and vulnerabilities is no longer a prerequisite for the identification of information security risks.(6.1.2 d) – Now emphasis is on impact and Probability Risk owner Replaces asset owner Risk treatment plan The effectiveness of the risk treatment plan is now regarded as being more important than the effectiveness of controls Controls Now determined during the process of risk treatment. Documented information Replaces documents and records Performance evaluation Covers the measurement of ISMS and risk treatment plan effectiveness Continual improvement Methodologies other than Plan-Do-Check-Act (PDCA) may be used

29 List of controls removed from ISO 27001:2005
A Management commitment to information security A Network Connection control A Information security coordination A Network routing control A Authorization process for information processing facilities A User identification and authentication A Identification of risks related to external parties A Session time-out A Addressing security when dealing with customers A Limitation of connection time A Service delivery A Sensitive system isolation A : Controls against Mobile code A : Input data validation A Security of system documentation A Control of internal processing A Business Information Systems A Message integrity A Publicly available information A Output data validation A Monitoring system use A Information leakage A Administrator and operator logs A Including information security in the business continuity management process A Fault logging A Developing and implementing continuity plans including formation security. A User authentication for external connections A Business continuity planning framework A Equipment identification in networks A Prevention of misuse of information processing facilities A Remote Diagnostic and configuration port protection A Protection of information systems audit tools

30 Thank you


Download ppt "An Awareness Training on ISO 27001:2013"

Similar presentations


Ads by Google