Presentation is loading. Please wait.

Presentation is loading. Please wait.

ISO17799 Maturity. Confidentiality Confidentiality relates to the protection of sensitive data from unauthorized use and distribution. Examples include:

Published byMyron Wilcox Modified over 8 years ago

Similar presentations

Presentation on theme: "ISO17799 Maturity. Confidentiality Confidentiality relates to the protection of sensitive data from unauthorized use and distribution. Examples include:"— Presentation transcript:

1 ISO17799 Maturity

2 Confidentiality Confidentiality relates to the protection of sensitive data from unauthorized use and distribution. Examples include: Securing corporate data Securing personnel (payroll, health) information Secure Business – Need Security Infrastructures…

3 Confidentiality Integrity Integrity relates to maintaining the quality and validity of data. Examples include: Ensuring that the transactional systems aren’t modified by an unauthorized party Confidentiality relates to the protection of sensitive data from unauthorized use and distribution. Examples include: Securing corporate data Securing personnel (payroll, health) information Secure Business – Need Security Infrastructures…

4 Confidentiality Integrity Availability Availability relates to ensuring that data is accessible. Examples include: Ensuring that processing can take place 24 hours a day Integrity relates to maintaining the quality and validity of data. Examples include: Ensuring that the transactional systems aren’t modified by an unauthorized party Confidentiality relates to the protection of sensitive data from unauthorized use and distribution. Examples include: Securing corporate data Securing personnel (payroll, health) information Secure Business – Need Security Infrastructures…

5 Key facets of an information security program include: People – organization, responsibility, accountability, and leadership Process – policies, procedures, and practices Technology – scalable technical support for automation, integration, and enabling of information security operations. What Is Information Security?

6 Ultimately, information security is the method by which an organization ensures that it has control over its systems and data, thereby protecting its investment in information technology and its ability to maintain business operations. What Is Information Security?

7 Effective control requires executive sponsorship. Everyone must know and agree to their responsibilities for maintaining effective controls. Liability may depend on “due care”. If you’re going to be plugged in, you accept responsibility. Trust can’t be enforced. -- Policy can. What Is Information Security?

8 Corporate information protection is based on a multi-layered approach. The structure limits the exposure of any one security breach, however today, the Internet cuts across traditional layers and an unauthorized user could quickly exploit a weak layer. Internet Perimeter Network Host Application Data Security Program Overall foundation to protect environment and set policy for other security layers. Includes monitoring, detection and response. Perimeter Security First layer of physical protection (Voice & Data). If breached, access to data is possible. Network Security First Internal layer of protection. If breached, loss control of data movement is possible and/or data modification. Host Security Protects computer, application and data. If breached, data could be altered and/or deleted. Application Security Protects application and data. If breached, data could be altered and/or deleted. Internet Security Protects the data that is visible to the Internet from Web pages and via corporate communications. If breach, corporate image and/or communications can be compromised. Security Program Electronic Commerce E-Commerce Security Protects the data while communicating across the organization and outside the organization. If breach, all corporate layers of security can be compromised. …Having An Enterprise View

9 Began as UK Department of Trade and Industry (DTI) Code of Practice Facilitated trade in trusted environments Led to British Standard 7799 (BS7799) Adopted as ISO17799 in December 2000 Where did ISO17799 Originate?

10 What is ISO17799? A comprehensive set of controls comprising best practices in information security Controls-based policy Measurable Certifiable Risk-management based Internationally recognized

11 What is ISO17799? 10-Section Standard Security Policy Organizational Security Asset Classification & Control Personnel Security Physical and Environmental Security Computer & Operations Management Access Control System Development and Maintenance Business Continuity Planning Compliance

12 What is ISO17799? Security Policy To provide management direction and support for information security. »Policy - program

13 What is ISO17799? Security Organization To manage information security both in and out of the organization. »Infrastructure – leadership »Third party access – contracts »Outsourcing - SLAs

14 What is ISO17799? Asset Classification & Control To maintain appropriate protection of corporate assets and to ensure that information assets receive an appropriate level of protection. »Accountability – ownership »Information classification - appropriateness

15 What is ISO17799? Personnel Security To reduce risk of human error, maintain awareness, and minimize damage from incidents. »Job resourcing – background »User training – awareness »Incident response – procedures

16 What is ISO17799? Physical and Environmental Security To prevent unauthorized access, damage and interference to business premises and information. »Secure areas – physical control »Equipment security – individual »General controls – common sense

17 What is ISO17799? Computer & Operations Management To ensure the correct and secure operations of information systems. »Procedures / responsibilities – who & how »Planning & acceptance – capacity »Malicious software – virus »Housekeeping – backup »Network management – segregation of duties »Media handling – disposal »Information exchange – agreements

18 What is ISO17799? Access Control To control access to information. »Policy – existence »User access management – authorization »User registration – maintenance »User responsibilities – awareness »Network access – interfaces »Operating system access – foundation »Application access – segregation »Monitoring – detection »Mobile access – ubiquitousness

19 What is ISO17799? System Development and Maintenance To ensure that security is built into information systems »Security in applications – integrity »Cryptographic controls – confidentiality »Input / Output Controls »Security of system files – foundation »Security in development – change control

20 What is ISO17799? Business Continuity Planning To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters. »Management process – not tech! »Impact analysis – risk assessment »Continuity plans - existence »Planning framework - consistency »Test, test, test! - update

21 What is ISO17799? Compliance To avoid breaches of compliance with law & policy and maximize effectiveness of system audits. »Legal requirements – money »Reviews – policy and technology »System audit – impact

22 How Will Organizations Benefit? Standardization – efficiency & automation Competitive advantage Risk management – not security for the sake of security Cost-effectiveness Move from reactive to proactive Accepted framework for policy

23 How Will Organizations Benefit? 1)Driver for process improvement 2)Meet business partner requirements 3)Maintain regulatory compliance 4)Measure the effectiveness of information security efforts 5)(ROI!)

Download ppt "ISO17799 Maturity. Confidentiality Confidentiality relates to the protection of sensitive data from unauthorized use and distribution. Examples include:"

Similar presentations

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Information Security Management Goes Global.

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Information Security Management Goes Global.
Dr Lami Kaya LamiKaya@gmail.com ISO 27001 Information Security Management System (ISMS) Certification Overview Dr Lami Kaya LamiKaya@gmail.com.

Dr Lami Kaya ISO Information Security Management System (ISMS) Certification Overview Dr Lami Kaya
Why Security? A Commitment for [the Agency’s] Executives [CIO’s name] EC Presentation [date]

Why Security? A Commitment for [the Agency’s] Executives [CIO’s name] EC Presentation [date]
Secure Systems Research Group - FAU Process Standards (and Process Improvement)

Secure Systems Research Group - FAU Process Standards (and Process Improvement)
ISMS standards and control processes ISO27001 & ISO27002

ISMS standards and control processes ISO27001 & ISO27002
Chapter 5: Asset Classification

Chapter 5: Asset Classification
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.

ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
ISO Information Security Management

ISO Information Security Management
Security Controls – What Works

Security Controls – What Works
1 An Overview of Computer Security computer security.

1 An Overview of Computer Security computer security.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
Information Systems Security Officer

Information Systems Security Officer
23 January 2003© All rights Reserved, 2002 Understanding Facilitated Risk Analysis Process (FRAP) and Security Policies for Organizations Infocomm Security.

23 January 2003© All rights Reserved, 2002 Understanding Facilitated Risk Analysis Process (FRAP) and Security Policies for Organizations Infocomm Security.
COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.

COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.
Security Governance Technology Executive Club

Security Governance Technology Executive Club
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Chapter 3: Information Security Framework

Chapter 3: Information Security Framework
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Information Systems Controls for System Reliability -Information Security-

Information Systems Controls for System Reliability -Information Security-

Similar presentations

Ads by Google