Information Security Awareness

Presentation transcript:

Information Security Awareness: ISO 27001 Awareness

Contents
- What is Information and Information Security?
- CIA Triad
- Why Information Security?
- Impact of Security Incidents
- Introduction to ISO 27001

What is Information?
- Information is the processed form of data.
- Information is a valuable asset of an organization and must be protected.
- Information may exist in several forms:
  - Tangible: documented (printed or written on paper); published on the web; electronically stored (on a laptop, mobile, tablet etc.); stored in emails, servers, documents, diagrams etc.
  - Intangible: ideas; knowledge and expertise etc.
- Information can be processed, stored, transmitted, modified, shared, deleted, destroyed, leaked, controlled, and used properly or improperly.

Information Security
- Information Security is the protection of information against unauthorized use.
- Information Security protects your organization from risk and danger.
- Information Security can be achieved by:
  - Identifying risks to information and performing corrective/preventive actions
  - Protecting Confidentiality, Integrity, and Availability
  - Securing assets, processes, accounts, people, infrastructure etc.
  - Implementing and continuously improving the processes

CIA Triad
- Confidentiality: prevents unauthorized disclosure of information.
- Integrity: assures that data cannot be modified in an unauthorized manner.
- Availability: information should be readily available to authorized users.

Why Information Security?
- Protection of information against threats
- Privacy of information and 100% compliance
- Better processes, reduced cost
- Minimizes financial and business loss
- Ensures business continuity
- Maintains Confidentiality, Integrity, and Availability of information

Impacts of Security Incidents
- Loss of confidential information
- Fines and penalties
- Civil and criminal liability
- Breaking of rules and regulations
- Downtime of business and IT services
- Reputation damage and adverse publicity
- Less effective processes, hence increased costs
- Loss of customers, business partners, confidence, credibility, and assurance

About ISO
- ISO (International Organization for Standardization) is an NGO
- Came into existence on Feb 23, 1947
- Operates in 162 countries
- 3923 technical bodies take care of standards development
- Has published 21578 International Standards so far
- Creates standards for all industries, applicable across the globe

ISO/IEC 27001:2013
- ISO – International Organization for Standardization
- IEC – International Electrotechnical Commission
- ISO 27001 is the Information Security Management Systems standard, initially published by ISO for the IT industry only
- ISO/IEC made it possible to implement it in any industry, such as IT, Aerospace, Pharmaceutical, Electronics, Mechanical, Civil, and Production
- Specifies the requirements for improving a documented ISMS within an organisation, with 11 domains, 39 control objectives, and 114 controls
- Ensures selection of adequate security controls to protect information assets from various threats and risks
Diagram (reading the name "ISO/IEC 27001:2013"): ISO – International Organization for Standardization; IEC – International Electrotechnical Commission; 27001 – standard code for Information Security Management System; 2013 – publishing / reissued year.

PDCA Cycle
- Plan – Establishment of the ISMS
- Do – Implementation of the ISMS
- Check – Monitoring and review of the ISMS
- Act – Continuous improvement of the ISMS

11 Control Domains (arranged around Information Security)
- Information Security Policy
- Organization of Information Security
- Asset Management
- Human Resource Security
- Physical Security
- Communication & Operations Management
- Access Control
- System Development and Maintenance
- Incident Management
- Business Continuity Plan
- Compliance

Control Domains (continued)
- Information security policy – states management direction
- Organization of information security – information security management framework for implementation
- Asset management – assessment, classification and protection of valuable information assets
- HR security – security for employees, new joiners, and separated employees
- Physical & environmental security – prevents unauthorised access, theft, compromise, damage to information and computing facilities, power cuts
- Communications & operations management – ensures the correct and secure operation of IT
- Access control – restricts unauthorized access to information assets

Control Domains (continued)
- Information system development & maintenance – build security into systems
- Incident management – track security incidents and take necessary actions
- Business continuity management – maintain business processes and restore them if any failure occurs
- Compliance – avoid breaching laws, rules & regulations, policies and other obligations

Key Documents for ISO 27001
- Information Security Management Manual and Information Security Policy
- Statement of Applicability (SOA) document
- Internal policies and procedure documents for all departments, such as Human Resources, Information Technology, Business Development, Quality Assurance, Manufacturing and Production etc.
- Policies for Risk Management, Incident Management, Change Management, Physical and Environmental security, Internet usage etc.
- Logs and reports such as security logs, antivirus logs, security review reports, risk assessment logs, and corrective and preventive actions

Who is Responsible?
- Information Security Management committee
- CEO/COO/CTO/CMO
- Information Security Management Representative
- Information Security Team/Department
- Information Security Officer
- Business Continuity Team
- Incident Management Team
- And all departments, such as HR, IT, Accounts, Business, Legal etc.

Risk Management
- Risk is the possibility that a threat exploits a vulnerability, leading to an adverse impact.
- Threat – something that might cause harm, such as human error, software compliance, intellectual property, infrastructure issues, environmental factors etc.
- Vulnerability – a weakness that may be exploited.
- Impact – damage to an asset of the organization.

Risk assessment table (Risk Factor RF = S * L, where S is severity of impact and L is likelihood; cells left blank on the slide are left blank here):

| Risk ID | Risk              | Category | Description                 | Severity of Impact (S) | Likelihood (L) | Risk Factor RF = S*L | Corrective Action                         | Severity |
|---------|-------------------|----------|-----------------------------|------------------------|----------------|----------------------|-------------------------------------------|----------|
| IT-01   | Internet Downtime | IT       | Internet Issues             | 5                      |                | 25                   | Other Internet Providers                  | 1        |
| HR-02   | Employee Turnover | HR       | Employee exit is increasing | 4                      | 2              | 8                    | Strict policies to stop employee turnover |          |
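The slide's RF = S * L computation carried over a small risk register, as an added example that is not part of the original deck. The 1-5 scale, the action threshold, the extra IT-03 row and the ranking rule are assumptions; the first two rows mirror the slide's table, with IT-01's likelihood left unassessed as it is on the slide, so the code flags it instead of guessing.

```python
# Added example (not from the slide deck): compute the Risk Factor RF = S * L for
# each row of a risk register, rank rows by RF, and set aside rows whose
# assessment is incomplete. Scale (1-5) and threshold (10) are assumptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Risk:
    risk_id: str
    name: str
    category: str
    severity: Optional[int]    # S, severity of impact, assumed scale 1-5
    likelihood: Optional[int]  # L, assumed scale 1-5; None = not yet assessed
    corrective_action: str


def risk_factor(risk: Risk) -> Optional[int]:
    """Return RF = S * L, or None when either value is missing or off the 1-5 scale."""
    for value in (risk.severity, risk.likelihood):
        if value is None or not 1 <= value <= 5:
            return None
    return risk.severity * risk.likelihood


def rank_register(register: List[Risk], threshold: int = 10
                  ) -> Tuple[List[Tuple[str, int, bool]], List[str]]:
    """Return (ranked rows, incomplete ids).

    Ranked rows are (risk_id, RF, needs_action) sorted with the highest RF first;
    needs_action is True when RF reaches the assumed threshold. Rows without a
    computable RF are reported separately so they are re-assessed, not ignored.
    """
    ranked, incomplete = [], []
    for risk in register:
        rf = risk_factor(risk)
        if rf is None:
            incomplete.append(risk.risk_id)
        else:
            ranked.append((risk.risk_id, rf, rf >= threshold))
    ranked.sort(key=lambda row: row[1], reverse=True)
    return ranked, incomplete


# Constructed register: first two rows follow the slide, IT-03 is invented.
REGISTER = [
    Risk("IT-01", "Internet Downtime", "IT", 5, None, "Other Internet Providers"),
    Risk("HR-02", "Employee Turnover", "HR", 4, 2, "Strict policies to stop employee turnover"),
    Risk("IT-03", "Unpatched servers", "IT", 4, 4, "Monthly patch cycle"),
]

if __name__ == "__main__":
    ranked_rows, incomplete_ids = rank_register(REGISTER)
    for risk_id, rf, needs_action in ranked_rows:
        print(f"{risk_id}: RF={rf}" + (" (action required)" if needs_action else ""))
    print("Incomplete assessments:", incomplete_ids)
```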

Physical Security
Do's:
- Follow security policies and procedures.
- Use biometrics and wear identity cards while on the premises.
- Inform the incident management team or information security team in case of any incident.
Don'ts:
- Do not allow unauthorized visitors into your premises.
- Do not bring electronic media or banned devices into secure zones.
- Do not use personal devices unless authorized by higher management.

Email usage
Do's:
- Use official email IDs for official purposes only.
- Follow IT/Email guidelines for email usage.
- Delete spam email and report to the IT team if you receive any spam email.
Don'ts:
- Do not allow unauthorized visitors into your premises.
- Do not bring electronic media or banned devices into secure zones.
- Do not use personal devices unless authorized by higher management.
- Do not respond to spam email, and be wary of email attachments or links.

Key points to remember
- Keep your computer system updated with operating system and antivirus updates.
- Lock your system when unattended, and always log off at the end of the day.
- Clear cache and temporary files, and restart your system twice a week.
- Take regular backups of your important information.
- Keep your system information in an encrypted drive/folder.
- Always comply with the policies and procedures of your organization.
- Always comply with security and privacy laws, copyrights, non-disclosure agreements, contracts, master service agreements, and software licences.
- Use conference rooms for official meetings and phone calls.
- Do not bring eatables to your workstation.
- Contact the Information Security team in case of any security incident.

Thank You
Should you have any queries, suggestions or recommendations, feel free to contact:
Email – Er.YogeshChauhan@Yahoo.com
Website – Https://www.Qualitians.com