TOP MANAGEMENT BRIEFING
TOP MANAGEMENT BRIEFING ISO/IEC 27001:2013 Information security management system.

General objectives: To brief members on the concept of information security and the information security management system. Members should understand the requirements of the ISO/IEC 27001:2013 standard and how to implement it in our organization. To provide members with an overview of the steps to certification.

Session objectives: To enhance understanding of information and information security. To enhance understanding of the different kinds of information and information media. To enhance understanding of the information life cycle in relation to the ISMS.

What is an ISMS? An information security management system (ISMS) is the part of the overall management system, based on a risk approach, that establishes, implements, maintains and continually improves information security.

Why do we need an ISMS? It is a requirement for ISO/IEC 27001:2013 certification. To make us understand the requirements of the ISO/IEC 27001:2013 standard and how to implement them in our organization. To enable us to develop the ISO/IEC 27001:2013 risk assessment process. To provide us with an overview of the steps to certification.

Information. Information: an asset that exists in many forms and has value to an organization, and therefore requires proper protection. Asset: anything that has value to an organization.

Information security. What is information security? It is the preservation of the Confidentiality, Integrity and Availability (C.I.A.) of information. These three aspects of information (C.I.A.) MUST be preserved throughout the information life cycle.

C.I.A. C - Confidentiality: the property that information is not made available or disclosed to unauthorized persons or processes. I - Integrity: the property of protecting the accuracy and completeness of information assets. A - Availability: the property of information being accessible and usable upon demand by an authorized person.

Types of information. Internal: information that must be protected due to ownership, ethical or privacy considerations. Confidential: information that is exempted from disclosure. Shared/Public: information regarded as publicly available.

Information cycle: Create, Store, Distribute, Modify, Archive, Delete.

Cont. Information MUST maintain C.I.A. throughout its life cycle for it to remain protected/secured and retain authenticity. Information may need protection from creation until deletion or disposal.

Information can suffer: loss or theft; unauthorized disclosure; accidental disclosure; unauthorized modification; unavailability; lack of integrity.

Most common information security mistakes made by individuals: over-trusting people; leaving doors open; scribbling a lot on papers; carrying office work home; talking loudly on the phone; sharing offices; not having a clear desk policy; grapevine information; printing information unnecessarily.

Cont. The power of ethanol; unattended, unsecured computers; oversharing on social media; using an office computer for personal work, or vice versa.

Examples of information: names, addresses, phone numbers; bank account numbers, credit card details; personal details (health, etc.); designs, patents, technical research; passwords; plans; intelligence (on criminal activities, hostile nations, etc.); contract bids, market research, competitive analysis; security information (facility plans, etc.).

Types of information media: mail/e-mail; DVDs; databases; people's conversations; websites, blogs and social networking sites; memory sticks and flash disks; CD-ROMs; paper (printed, handwritten, etc.).

Context of the organization

Context of the organization. Understanding the organization and its context: the internal and external issues and interested parties that affect, and are affected by, the organization.

Internal issues: organizational structure; strategic objectives; internal stakeholders; contractual relationships; policies and governance; organizational culture.

External issues: social culture; legal; technological; political; ecological; competition.

Interested parties: stakeholders, consumers, suppliers, competitors, intermediaries. The organization shall determine the interested parties that are relevant to the information security management system, and the requirements of those interested parties that are relevant to information security.

The scope. It is a document which clearly states an organization's range (boundaries), mandate and the infrastructure (assets) in place to support delivery of its mandate. Note: the scope shall be available as documented information, which must clearly show the processes, boundary and assets.

Defining the ISMS scope. The organization shall determine the boundaries and applicability of the information security management system to establish its scope. When defining the scope we need to consider: the internal and external issues; the needs and expectations of interested parties; interfaces and dependencies between activities performed by the organization and those performed by other organizations.

Example: To provide quality tertiary education through teaching and research at the main and town campuses in Eldoret. It also includes consultancy and common outreach services. The assets of the university are human capital, land, infrastructure, state-of-the-art equipment and the use of enterprise resource planning to support the delivery of its mandate.

LEADERSHIP

Leadership commitment. Top management shall demonstrate leadership and commitment with respect to the ISMS by: ensuring the resources needed for the ISMS are available; communicating the importance of the ISMS and of conforming to the ISMS requirements; ensuring that the ISMS achieves its intended outcome(s); ensuring the integration of the ISMS requirements into the organization's processes.

Cont. Directing and supporting persons to contribute to the effectiveness of the ISMS; promoting continual improvement; ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization; supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.

Information security policy. It is a high-level statement of the organization's beliefs, goals and objectives, and the means for their attainment, for a specific subject area.

Characteristics of an information security policy: brief; written at a broad level; directive; catches the reader's eye; an A4-size document.

Example of an information security policy. The policy's goal is to protect UoE's information assets against all internal and external, deliberate and accidental threats. The VC shall approve the information security policy. The security policy ensures that: information will be protected against unauthorized access; confidentiality of information is assured; integrity of information will be maintained; awareness of information security will be provided to all personnel on a regular basis; legislative and regulatory requirements will be met. The policy will be reviewed by the responsible team yearly and in case of any changes. All heads of units are directly responsible for implementing the policy at their respective levels and for the adherence of their staff. VC SIGNATURE

Risk-based thinking. Risk-based thinking describes the tools for identifying and managing risks. It also refers to a coordinated set of activities and methods that an organization puts in place to manage and control the many risks that affect the organization's ability to achieve its objectives. Risk-based thinking replaces what the earlier version of the standard called preventive action.

Risk assessment assists organizations in risk management to: recognize the best and most relevant input data; understand the benefits of the process; recognize risks and their potential impacts on the organization in attaining its goals; provide information for decision-makers.

Risk assessment procedure: 1. Identify the asset (asset inventory). 2. Identify the asset owner. 3. Identify the location of the asset. 4. Identify the risk. 5. Identify the vulnerabilities. 6. Evaluate the asset (calculate the risk). 7. Record the findings (risk assessment matrix). 8. React to non-conformities (corrective action plan).
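The eight steps above carried through as a small risk register, added here as a worked example; it is not code from the briefing or from the university. The scoring scale (likelihood and impact each rated 1 to 5, risk = likelihood × impact), the risk bands, the acceptance threshold and the sample entries are all assumptions constructed for this example; an organization adopting the procedure would set its own scale and threshold in its risk assessment methodology.

```python
"""Worked risk-assessment register: steps 1-8 of the briefing's procedure.

Added example with constructed data. Scale, bands and threshold are assumptions.
"""
from dataclasses import dataclass, asdict

SCALE_MIN, SCALE_MAX = 1, 5                    # assumed 1..5 scale for likelihood and impact
RISK_BANDS = ((5, "Low"), (12, "Medium"), (19, "High"), (25, "Critical"))  # assumed bands
ACCEPTANCE_THRESHOLD = 12                      # assumed: scores above this are non-conformities


@dataclass(frozen=True)
class RiskEntry:
    asset: str              # step 1: the asset, taken from the asset inventory
    owner: str              # step 2: asset owner
    location: str           # step 3: where the asset lives
    risk: str               # step 4: the risk scenario (threat to the asset)
    vulnerability: str      # step 5: the weakness the threat could use
    property_affected: str  # which of C, I or A the scenario harms
    likelihood: int         # rating 1..5
    impact: int             # rating 1..5


def risk_score(likelihood: int, impact: int) -> int:
    """Step 6: evaluate the asset. Rejects ratings outside the agreed scale."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{name} must be between {SCALE_MIN} and {SCALE_MAX}, got {value}")
    return likelihood * impact


def risk_band(score: int) -> str:
    """Map a numeric score onto the qualitative band used in the matrix."""
    for upper, name in RISK_BANDS:
        if score <= upper:
            return name
    raise ValueError(f"score {score} lies outside the {SCALE_MIN}-{SCALE_MAX} scale")


def build_matrix(entries):
    """Step 7: record the findings as rows of a risk assessment matrix."""
    rows = []
    for e in entries:
        score = risk_score(e.likelihood, e.impact)
        row = asdict(e)
        row["score"] = score
        row["band"] = risk_band(score)
        row["nonconformity"] = score > ACCEPTANCE_THRESHOLD
        rows.append(row)
    return rows


def corrective_action_plan(entries):
    """Step 8: the non-conformities, highest score first, for the corrective action plan."""
    rows = [r for r in build_matrix(entries) if r["nonconformity"]]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def format_matrix(rows) -> str:
    """Render the matrix as a plain-text table for the management briefing."""
    header = f"{'Asset':<26}{'Owner':<16}{'C/I/A':<6}{'L':>2}{'I':>3}{'Score':>7}  Band"
    lines = [header, "-" * len(header)]
    for r in rows:
        flag = " *" if r["nonconformity"] else ""
        lines.append(f"{r['asset']:<26}{r['owner']:<16}{r['property_affected']:<6}"
                     f"{r['likelihood']:>2}{r['impact']:>3}{r['score']:>7}  {r['band']}{flag}")
    lines.append("* above acceptance threshold: corrective action required")
    return "\n".join(lines)


# Constructed sample entries for a university, in the spirit of the briefing's scope example.
SAMPLE_ENTRIES = [
    RiskEntry("Student records database", "Registrar", "Main campus server room",
              "Unauthorized disclosure of personal details", "Shared administrator account", "C", 3, 5),
    RiskEntry("Printed exam papers", "Dean of Faculty", "Faculty office",
              "Theft before the exam date", "No clear desk policy; office shared", "C", 4, 4),
    RiskEntry("Email server", "ICT Manager", "Town campus data centre",
              "Unavailability during power outages", "Single power feed, no UPS", "A", 3, 4),
    RiskEntry("Public lecture notes", "Lecturer", "University website",
              "Unauthorized modification of content", "Stale CMS account never reviewed", "I", 2, 1),
]

if __name__ == "__main__":
    print(format_matrix(build_matrix(SAMPLE_ENTRIES)))
    print("\nCorrective action plan:")
    for r in corrective_action_plan(SAMPLE_ENTRIES):
        print(f"- {r['asset']}: {r['risk']} (score {r['score']}, {r['band']})")
```

The matrix keeps every input of steps 1 to 5 beside the score, so an auditor can trace how each band was reached, and the threshold check makes the hand-off to step 8 mechanical rather than a judgment made row by row.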

Tools: documentation reviews; information gathering techniques; brainstorming; interviewing; Excel; root cause analysis; SWOT analysis (Strengths, Weaknesses, Opportunities and Threats); PESTEL analysis (Political, Economic, Social, Technological, Environmental and Legal); checklist analysis.

Things to consider when choosing a risk assessment (RA) tool. It should be: able to collect data; able to analyze data; repeatable; supplied with clear instructions for use and analysis; able to help in the selection of controls; able to report results in a clear and accurate manner; installed and configured correctly; compatible with the hardware and software in use in the organization.