1 Information Security
14 October 2005
IT Security Unit, Ministry of IT & Telecommunications

2 Agenda
- Information Security – Why?
- Security threats
- Types of measures
- ISO 17799 & its evolution
- Information Security Management System
- Status in Mauritius
- ISO 27000 series

3 Information Security – Why?
- Information is an asset, has value and needs to be suitably protected
- Information exists in many forms:
  - Printed or written – transmitted by post
  - Stored electronically – transmitted using electronic means
  - Spoken in conversation
- Information security protects information from a wide range of threats in order to:
  - ensure business continuity and minimise business damage
  - maximise return on investments and business opportunities
  - maintain competitive edge, legal compliance and commercial image

4 Information Security – Why?
Information security is characterised as the preservation of:
- Confidentiality: ensuring that information is accessible only to those authorised to have access
- Integrity: safeguarding the accuracy and completeness of information and processing methods
- Availability: ensuring that authorised users have access to information and associated assets when required

5 Some Security Threats
- Usual (standard) threats: theft, fraud, acts of God, errors
- IT-related threats: system failures, malware (virus/spyware), denial of service, hacking, cybercrimes

6 Types of Measures
- Technology: IT solutions…
- Physical: access control…
- People: screen, train, monitor…
- Policies, procedures: information on a need-to-know basis…
- Comply with legislation: Cybercrime Act, Data Protection Act, Copyright Act…
- Information security management: integrate all of the above in a structured way

7 ISO/IEC 17799
- A roadmap to manage information security within an organisation
- Serves as a single reference point for identifying the range of controls that need to be used
- Part 1: ISO 17799 – Code of Practice
- Part 2: BS 7799-2 – Requirements for an ISMS, for certification
- 2000 version: 10 domains, 36 control objectives, 127 controls
- 2005 version: 11 domains, 39 control objectives, 133 controls

8 ISO 17799:2000 – the ten domains (diagram)
Properties of information to be preserved: Confidentiality, Integrity, Availability.
Domains:
- Information Security Policy
- Security Organisation
- Asset Classification & Control
- Personnel Security
- Physical Security
- Communications & Operations Management
- Access Controls
- System Development & Maintenance
- Business Continuity Planning
- Compliance
Example – Physical Security domain:
- 3 control objectives: Secure Areas, Equipment Security, General Controls
- 6 controls (under Equipment Security): Siting, Power Supplies, Cabling, Maintenance, Off-premises, Disposal/reuse
- Sample control text (Power Supplies): “all equipment should be protected from power failure & other electrical anomalies. A suitable electric supply should be provided that conforms to the equipment manufacturer specifications.”

9 Evolution of Standards
- Code of practice – 1993
- British Standard – 1995
- BS 7799 Part 2 – 1998
- BS 7799 Part 1 and Part 2 revised – 1999
- ISO 17799 (BS 7799-1:2000)
- BS 7799-2:2002
- ISO/IEC 17799:2000 revision – June 2005
- ISO/IEC 27000 series

10 ISO/IEC 17799 – Comparison of the 2000 and 2005 editions (domains)

| 2000 edition                          | 2005 edition                                                  |
|---------------------------------------|---------------------------------------------------------------|
| Security policy                       | Security policy                                               |
| Security organisation                 | Organising information security                               |
| Asset classification & control        | Asset management                                              |
| Personnel security                    | Human resources security                                      |
| Physical & environmental security     | Physical & environmental security                             |
| Communications & operations management| Communications & operations management                        |
| Access control                        | Access control                                                |
| Systems development & maintenance     | Information systems acquisition, development and maintenance |
| (none)                                | Information security incident management (new domain)        |
| Business continuity management        | Business continuity management                                |
| Compliance                            | Compliance                                                    |

11 ISMS
- Information Security Management System
- The means to implement 7799
- Set up an ISMS team – the ISMS Working Group (ISMS WG)
- Based on the Deming PDCA cycle: Plan, Do, Check, Act
- Common to other ISO standards, e.g. ISO 9000, ISO 14000
- The ingredient that allows the integration of the different management systems that these standards define

12 ISMS Process (PDCA cycle diagram)
- Plan: Establish the ISMS
- Do: Implement & operate the ISMS
- Check: Monitor & review the ISMS
- Act: Maintain & improve the ISMS

13 ISMS Process
Plan Phase
- Define the ISMS scope and the ISMS policy
- Identify and assess the risks
- Formulate a Risk Treatment Plan; the outcome for each risk is one of:
  - Apply appropriate controls to reduce the risk
  - Accept the risk – substantiate why
  - Avoid the risk – do not allow the action causing the risk
  - Transfer the risk to a third party, e.g. an insurer
- Select control objectives and controls
- Prepare a Statement of Applicability
Do Phase
- Allocate resources and conduct training
- Implement the Risk Treatment Plan
- Implement the controls selected to meet the control objectives

14 ISMS Process
Check Phase
- Execute monitoring processes
- Conduct internal audits of the ISMS at planned intervals
- Undertake regular management reviews of the effectiveness of the ISMS
- Review levels of residual risk and acceptable risk
Act Phase
- Implement the improvements identified
- Take appropriate preventive and corrective actions
- Communicate the results and actions
- Ensure improvements meet their intended objectives

15 ISMS Documentation (hierarchy diagram)
- Level 1: ISMS Manual, ISMS Policy, Statement of Applicability (SoA)
- Level 2: Procedures, guidelines
- Level 3: Forms, templates, etc.
- Level 4: Records providing evidence of ISMS implementation

16 Steps Towards Certification (diagram)
- ISMS WG: Development → Implementation
- 3rd party auditor(s): Stage 1 Audit → Stage 2 Audit → Follow Up → Surveillance & Re-assessment

17 Steps to Follow
- Purchase the standards (ISO 17799:2000, BS 7799-2:2002)
- Read the standards
- Assemble a team – ISMS WG
- Attend an ISMS workshop
- Appoint a technical consultant or your own technical expert
- Undertake a risk assessment
- Develop the ISMS documents
- Apply for ISMS certification

18 Benefits
- Improved enterprise security
- More effective security planning and management
- Better risk management
- Enhanced user confidence
- Promotes development of a business continuity plan
- Deeper knowledge of the different aspects of security
- Broader user-level awareness of security threats and measures

19 Mauritius
- ISO 17799:2000 and BS 7799-2:2002 were adopted as national standards in 2005
- Adoption of the ISO 17799 June 2005 version is in progress
- MSB gearing up to provide certification services
- Government:
  - Adopted ISO 17799 for rollout in Ministries & Departments
  - ISMS done at 4–5 pilot sites
  - Facilitated by the IT Security Unit

20 ISO 27000 series
- Information Security series
- 27001: will replace BS 7799-2:2002
- 27002: earmarked for ISO 17799 (code of practice)
- 27003: to cover risk management
- 27004: to cover information security management metrics and measurements
- 27005: to provide implementation guidelines

21 Thank You