Information Security based on International Standard ISO 27001 September 17, 2018 Information Security based on International Standard ISO 27001 Tony Chebli, CISSP Credit Libanais Head of Information Security

September 17, 2018 Our Mission “INFORMATION is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably PROTECTED” “…...Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected”

Information Security Objectives

The Pain

Vulnerabilities! Lack of appreciation of threats Arrogance: It won’t happen to us Staff / Contractors / Employees E-mail and Internet access Physical Security Outsourcing Remote working Rush to market Growth in networking and distributed computing Low awareness of security issues Poor Controls

Shareholder Relations Legal and Regulatory action Business Risks! Fraud Disclosure Denial of Service Damage to Reputation Loss of Customers Shareholder Relations Legal and Regulatory action = Financial Loss

Cost of none Compliance! Regulatory fines Loss of information Unauthorized disclosure of intellectual property Loss of customers Loss of business Damage to Image

When it happens! Who is responsible for appropriately protecting information? Who will be held accountable if information is inappropriately protected and disclosed? What would be the impact on the Banks/Organizations?

The Medicine

What is ISO 27002? ISO 27002 is the only internationally accepted standard for information security management ISO 27002 is about safeguarding your business information ISO 27002 is a Code of Practice for Information Security Management and may be regarded as a starting point for developing organization specific guidance. 114 controls +

What is ISO 27001? ISO 27001 is a process to develop and implement an information security management system (ISMS) ISO 27001 is the only auditing specification for information security management systems

What is ISO 27001? It does not insist that organizations should have firewalls or even computers. It does not say that organizations’ systems are the same It does not dictate anything. ‘precautions are required to prevent and detect the introduction of malicious software’ ‘It is essential that organizations identifies their own security requirements’

Information Security Management System (ISMS) What is ISO 27001? is a management tool…! To manage problems with an: Information Security Management System (ISMS)

What is ISMS? The ISO27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. The International Standard also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in the Standard are generic and are intended to be applicable to all organizations, regardless of type, size or nature.

The roadmap

Benefits

Benefits Confidence Competitive Edge Enforced regulations Gain new customers Focused staff responsibilities Survival IMAGE Profitability $

Benefits Provides excellent checklist of available controls Forms a sound basis for Information Security Policy Tangible demonstration of appropriate practices To business clients To end-user clients To auditors To Regulators

Benefits Safeguard information assets appropriately Controls driven by risk No under protection No over protection

Demand for Certification Financial Services, Banking Telecommunications IT sector- outsourcing E-commerce Networking Public Service Authorities Police Force

References: ISO27001-2013 Pictures from the Internet