ISO/IEC 27001:2005 A brief introduction Kaushik Majumder


ISO/IEC 27001:2005 A brief introduction
Kaushik Majumder, Information Security Group, Datamatics Global Services Limited
September 2009

Agenda
• Information & Information Security?
• Achieving Information Security
• ISO 27001 Overview
• ISMS @ Datamatics
• Who has certified us?
• Datamatics Roadmap to ISO 27001
• Roles & Responsibilities (Information Security Cell)

Information
“Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.”
Information may be:
• Printed or written on paper
• Stored electronically
• Transmitted by mail or electronic means
• Spoken in conversations
Need for Information Security

What is Information Security?
ISO 27001 defines this as the preservation of:
• Confidentiality: ensuring that information is accessible only to those authorized to have access
• Availability: ensuring that authorized users have access to information and associated assets when required
• Integrity: safeguarding the accuracy and completeness of information and processing methods
(Diagram: Threats, Vulnerabilities, Risks)

Achieving Information Security
The 4 Ps of Information Security:
• Policy
• Procedures
• Products
• People

What is ISO 27001?
• An internationally recognized structured methodology dedicated to information security
• A management process to evaluate, implement and maintain an Information Security Management System (ISMS)
• A comprehensive set of controls comprised of best practices in information security
• Applicable to all industry sectors
• Emphasis on prevention

ISO 27001:2005 Structure
Five mandatory requirements of the standard:
1. Information Security Management System
   • General requirements
   • Establishing and managing the ISMS (e.g. risk assessment)
   • Documentation requirements
2. Management Responsibility
   • Management commitment
   • Resource management (e.g. training, awareness)
3. Internal ISMS Audits
4. Management Review of the ISMS
   • Review input (e.g. audits, measurement, recommendations)
   • Review output (e.g. update risk treatment plan, new resources)
5. ISMS Improvement
   • Continual improvement
   • Corrective action
   • Preventive action

The 11 Domains of Information Management
Overall, the standard can be summarised as:
• Domain areas – 11
• Control objectives – 39
• Controls – 133

ISMS @ Datamatics
DGSL Security Policy: DGSL is committed to maintaining an effective information security management system, which will enable dissemination of information throughout the organization, to its associates, and to its customers, as required for its business, while ensuring, as appropriate, its confidentiality, integrity and availability.

Organization Structure
(Org chart: CEO; MISF Chairperson; ISM with Members 1, 2 and 3; ISC: Nashik, ISC: Mumbai, ISC: Chennai, ISM/ISC: USA)

Certification Body and Certificate Validity
STQC: Standardization Testing and Quality Certification
• DGSL achieved its 1st certification in Nov 2003 on the BS7799 standard.
• Migrated to the new standard, ISO 27001, in July 2006.
• According to the new policy, surveillance audits are conducted after 12, 24 and 36 months.
• Certification is valid for 3 years.
• Our next certification is due in October 2009.

ISO 27001:2005 @ Datamatics: PDCA
Plan
• Establish ISMS scope, policy, objectives, processes and procedures
• Define risk assessment approach
• Perform risk assessment
• Select controls for treatment of risks
• Obtain management approval of residual risks

PDCA: Do
• Formulate and implement the RTP (Risk Treatment Plan)
• Implement ISMS policy, objectives, processes and procedures
• Define how to measure effectiveness
• Implement training and awareness program

PDCA: Check
• Monitor and review procedures
• Measure effectiveness of controls
• Review risk assessment and residual risks
• Conduct internal ISMS audit
• Undertake management review

PDCA: Act
• Take corrective and preventive actions
• Apply lessons learnt
• Communicate actions for improvement to interested parties
• VA/PT (coordinating the closure of vulnerabilities found in the report)
• Closure of NCs (non-conformities)

Roles & Responsibilities
• Maintain information security documentation as well as forms.
• Liaising with SSG to improve processes.
• Keeping a tab on the status of requests.
• Documenting reports (firewall review, additional access rights, IDS review, antivirus log review, CPU/bandwidth review, server access log review, backup log review).
• Reviewing forms (server patch updates, laptop requisition, backup register, server room register, data verification form, server configuration form).
• Monitoring of servers:
   • Monitoring critical server alerts
   • Monitoring syslog servers
   • Monitoring firewalls & IDS for severe intrusions & events
   • Liaising with CITNO to resolve all issues and monitoring
• Review of deleted user IDs from the exit list.
• Document and report review.
• ISMS improvement (continuous improvement).
• Evaluation/testing and deployment of security software on critical laptops.
• Planning & implementation of network security, including configuring firewalls, file permissions and adding and deleting users.
• Liaising with vendors for negotiating technical requirements & establishing prices.
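One way to mechanise the "review of deleted user IDs from the exit list" duty above, as an added example that is not part of the original presentation or of Datamatics' own tooling; the HR exit list and account export formats are assumptions, and the sample data is constructed:

```python
from datetime import date, timedelta

# Constructed sample data (assumed formats, not from the presentation):
# an HR exit list and an export of directory accounts.
EXIT_LIST = [
    {"user_id": "jdoe", "last_day": date(2009, 8, 14)},
    {"user_id": "asmith", "last_day": date(2009, 9, 1)},
    {"user_id": "rkumar", "last_day": date(2009, 9, 10)},
]
ACCOUNTS = [
    {"user_id": "jdoe", "enabled": False},   # leaver correctly disabled
    {"user_id": "asmith", "enabled": True},  # leaver still active: an NC
    {"user_id": "kmajumder", "enabled": True},
    # "rkumar" has no directory entry at all, so it cannot be verified
]


def review_exit_list(exit_list, accounts, today, grace_days=1):
    """Reconcile the HR exit list against the account export.

    Returns (overdue, missing): leavers whose account is still enabled
    after last_day plus a grace period (a non-conformity to raise), and
    leavers with no matching account (to be confirmed by hand)."""
    by_id = {a["user_id"]: a for a in accounts}
    overdue, missing = [], []
    for leaver in exit_list:
        acct = by_id.get(leaver["user_id"])
        if acct is None:
            missing.append(leaver["user_id"])
            continue
        deadline = leaver["last_day"] + timedelta(days=grace_days)
        if acct["enabled"] and today > deadline:
            overdue.append(leaver["user_id"])
    return sorted(overdue), sorted(missing)


if __name__ == "__main__":
    overdue, missing = review_exit_list(EXIT_LIST, ACCOUNTS, date(2009, 9, 15))
    print("still enabled past last day:", overdue)   # ['asmith']
    print("no matching account found:", missing)     # ['rkumar']
```

Run against the real HR and directory exports, the overdue list is the evidence for the NC and the missing list is the set of IDs to confirm manually before the review is closed.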

Roles & Responsibilities: Internal Audits
• Planning, conducting and verification audits (coordinating with respective LOBs for closure of NCs).
• Develop and conduct awareness training.
• Helping organization users with any ISMS related queries.
• Ensure that security activities are executed in compliance with the information security policy.
• Identify how to handle non-compliances.
• Co-ordinate vulnerability assessment / penetration testing exercises.
• Liaising with the vendor and coordinating with CITNO to resolve problems.
• Close down the vulnerabilities associated with systems/networks by discussing with the third-party service provider or otherwise through online assistance provided by various security forums.
• Co-ordinate the implementation of information security controls.
• Facilitating external audits.
• Active participation and involvement in the BUPA audit.

Please visit: http://dlnet/dlintranet/Login.do?method=showLogin/ISMS
• ISMS Manual
• P&G Manual

Q&A

THANK YOU