ISO/IEC 27000 BRIEFING.
Objectives To enhance understanding information and information security. To enhance understanding of the different kind of information and information media. To enhance understanding information life cycle in relation to ISMS.
Isms is a part of overall management system not technical. What is ISMS ? I:-Information S:-Security M:-Management S:-System Isms is a part of overall management system not technical.
What is information Information is an ASSET existing in many forms and has a great value to an organization thus calls for proper protection.
Types of information Internal information;-Is a type of information in an organization which MUST be protected at any cost. Confidential information;-This is an information in an organization exempted from disclosure to an authorized persons. Shared/Public:-This is a type of information which can be made available to the public and other .
Examples of information Names ,addresses, phone numbers, personal information. Password. Designs, Patents(rights)technical research. Credit cards, bank account numbers. Plans . Contract bids, competitive analysis, market research. Commercial details(strategies ,finances ,business performance. Intelligence. Security information(risk assessment, network diagrams, facilities plans).
Types of information media Mail/e-mails. Papers (printed or handwritten) CD, Memory card sticks, DvDs, tapes, diskettes etc Data base Conversation (one on one /phone calls/chats) Websites/blogs/social networks/sites.
Information cycle Creation->Store->Distribute->Modify->Archive->Delete. Information MUST maintain C.I.A throughout the life cyle for it to remain protected/secured.
Information threat If information is not well protected it can suffer: Unauthorized disclosure Loss Accidental disclosure Theft Lack of integrity Unavailability Unauthorized modification.
What is information security This is the preservation of Confidentiality, Integrity and Availability of information. An information is said to be secured when it fully contain the C I A aspect in it.
C.I.A C-confidentiality;-It’s a property that entails an information is not made available or undisclosed to unauthorized persons but ONLY to authorized persons. I-Integrity;-It’s a property of protecting the accuracy and completeness of an information. A-Availability;-It’s a property of an information being readly accessible in usable form upon request/demand by an authorized person
Benefits of information security in an orgarnization Good decision making. Competitive advantage. Order. Proper information relay. Control. Safety. Self esteem (personal level).
Any valuable thing to an organization. Asset What is an asset? Any valuable thing to an organization.
Asset categories Organization image. Information. Physical. Human resource (Human capital). Software.
Context of the organization
CONTEXT OF THE ORGANIZATION Understanding the organization and its context. The internal, external issues and interested parties that affect and are affected by the organization.
Internal issues Organizational structure Strategic objectives Internal stake holders Contractual relationship Policies and governance Organizational culture
Social culture Legal Technological Political Ecological Competition External issues Social culture Legal Technological Political Ecological Competition
Interested parties Stake holders. Consumer. Suppliers. Competitors. Intermediaries. The organization shall determine interested parties that are relevant to the information security management system and the requirements of these interested parties relevant to the information security.
Defining the scope The organization shall determine the boundaries and applicability of the information security management system to establish its scope. When defining the scope we need to consider. The internal and external issues Needs and expectations of interested parties. Interfaces and dependencies between activities performed by the organization and those that are performed by other organizations. Note: The scope shall be available as a documented information which must clearly show the processes, boundary and assets .
The scope (Example) To provide quality tertiary education through teaching and research at main and town campuses in Eldoret. It also includes consultancy and common outreach services . Asset of the university are human capital ,land infrastructure state of the art equipment and use of enterprise resources, planning to support the delivery of is mandate.
Leadership commitment Top management shall demonstrate leadership and commitment with respect to ISMS by ; Ensuring resources needed for ISMS are available. Communicating the importance of ISMS and of conforming to the ISMS requirements. Ensuring that the ISMS achieves it intended outcome(s) Ensuring the integration of ISMS requirements in the organization’s processes. Directing and supporting persons to contribute to the effectiveness of the ISMS. Promoting continual improvement. Ensuring information security policy and the information security objectives are established and are compatible with the strategic direction of the organization. Supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.
Information Security policy Is a high level statement of organization’s beliefs, goals and objectives and the general means for their attainment.
Characteristics of an informationsecurity policy It has to be;- Directive Brief Catches readers eye Be an A4 size
Policy The policy’s goal is to protect UoE organization’s information assets against all internal external deliberate and accidental threats. The VC shall approve the information security policy. The security policy ensures that:- In formation will be protected against unauthorized access . Confidentiality of information is assured. Integrity of information will be maintained. Awareness of information will be provided to all personnel on a regular basis. Legislative and regulatory requirements will be met. The policy will be reviewed by responsible team yearly and incase of any changes. All heads of units are directly responsible for implementing the policy at their respective levels and for the adherence of their staff. VC’ SIGNATURE