ISO Information Security Management

Presentation transcript:

Presentations in Network Security
ISO Information Security Management
Saad Haj Bakry, PhD, CEng, FIEE

Objectives / Contents
- Past Development
- Contents of ISO 17799
- Refinement of Contents (12 Sections)
- Suggested Work
- References

Past Development
ISO: International Standards Organization
- International organization, started in 1946 (www.iso.org)
- Membership: over 90 countries, e.g. ANSI (USA), BSI (UK), SASO (SA)
- Technical committees: over 200 TCs (for technical recommendations)
- ISO 9000 family: quality management
- ISO 14000 family: environment management
- ISO 17799: information security management

Past Development: BS 7799 / ISO 17799
BS 7799
- Started in 1995 by the British Standards Institute (BSI)
- Part 1: Code of Practice for Information Security Management
- Part 2: Specification for Information Security Management Systems
ISO 17799
- 1999: adopted BS 7799 Part 1
- Part 2 remains in use for auditing "Information Security Management Systems"

ISO 17799: Contents
1. Scope
2. Terms & Definitions
3. Security Policy
4. Organizational Security
5. Asset Classification & Control
6. Personnel Security
7. Physical & Environmental Security
8. Communications & Operations Management
9. Access Control
10. Systems Development & Maintenance
11. Business Continuity Management
12. Compliance

1. Scope of ISO 17799
Objective: to provide recommendations for "information security management".
For whom: those concerned with initiating, implementing and maintaining security in their organizations.
Output:
- A common "base" for developing "organizational security standards"
- Effective security management "practice"
- "Confidence" in inter-organizational dealings
Use: select and use; use in accordance with applicable laws and regulations.

2. Terms and Definitions
Information Security (IS): preserving the "CIA" of information: Confidentiality, Integrity, Availability.
Risk Assessment: assessing the "risk" to Information & Information Processing Facilities (I&IPF): the threats to them, the impact on them, and the vulnerability of them.
Risk Management: "management of security risks" for an "acceptable cost": identifying, controlling, minimizing, eliminating.

3. Security Policy
Target: "Information Security (IS)".
Objectives: clear policy "directions"; management "support".
Policy / Authority: policy "across the organization"; "issue" & "approval" of policy; "maintenance" of policy.

3. Security Policy (Continued)
Policy Document:
- Definitions & scope
- Management statement
- Requirements: legal / contractual
- Security education
- Virus / malicious software issues
- Business continuity
- Security violation issues
- Responsibilities & reporting
- Appendices (details) & references
Periodic Reviews & Evaluations:
- Policy effectiveness: "recorded security incidents" (nature / number / impact)
- Business efficiency: "cost & impact" of security controls
- Effects of "technology changes"

4. Organizational Security
IS Infrastructure
- Objective: to manage "IS" within the organization.
- Approach: establishing a "management framework" to initiate and implement IS.
Third Party Access
- Objective: to maintain the security of "I&IPF" accessed by third parties.
- Approach: applying "control" to access by third parties.
Outsourcing
- Objective: to maintain "IS" when some responsibilities are outsourced.
- Approach: outsourcing contracts should address IS issues.

5. Asset Classification & Control
Accountability of Assets
- Objective: to maintain appropriate protection of "organizational assets".
- Approach: major information assets should be accounted for and have a "nominated owner".
Information Classification
- Objective: to ensure that "information assets" receive an appropriate level of protection.
- Approach: classifying information to indicate the "need, priorities, and degree of protection".

6. Personnel Security
Security in Job Definition & Resourcing
- Objective: to reduce the risks of "human errors, theft, fraud, or misuse" of facilities.
- Approach: security responsibilities are addressed at recruitment and monitored at work.
User Training
- Objective: to ensure that users are "aware" of IS threats & concerns and are equipped to support the "organizational security policy".
- Approach: users should be trained in "security procedures" and the correct use of "facilities" to "minimize risk".
Responding to Incidents & Malfunctions
- Objective: to minimize the "damage" from incidents & malfunctions, and to "monitor & learn from them".
- Approach: incidents affecting security should be reported on time, through appropriate channels.

7. Physical & Environmental Security
Secure Areas
- Objective: to prevent "unauthorized access, damage, & interference" to "business premises & information".
- Approach: housing critical "I&IPF" in secure areas with a defined "security perimeter", "barriers", & "entry controls".
Equipment Security
- Objective: to prevent "loss, damage, or compromise" of "assets" and "interruption" to "business activities".
- Approach: equipment should be "physically" protected from "threats and environmental hazards".
General Controls
- Objective: to prevent "compromise" or "theft" of "I&IPF".
- Approach: protecting "I&IPF" from "disclosure, modification, or theft"; minimizing "loss or damage".

8. Communications & Operations Management
Operational Procedures & Responsibilities
- Objective: to ensure correct and secure operation of "IPF".
- Approach: assignment of responsibilities & development of procedures, including operating instructions & incident response procedures.
System Planning & Acceptance
- Objective: to minimize the risk of system failures.
- Approach: advance system planning; projection of capacity to avoid overloading; testing new systems before acceptance.

8. Communications & Operations Management (Continued)
Protection from Malicious Software
- Objective: to protect the "integrity of software & information".
- Approach: detect / prevent "malicious software" (e.g. viruses).
Housekeeping
- Objective: to maintain the "availability" of "information processing and communications".
- Approach: back-up strategy; back-up copies; environment; faults; testing.
Network Management
- Objective: to protect information in networks and the supporting infrastructure.
- Approach: network protection beyond organizational boundaries (e.g. data flow in public networks).

8. Communications & Operations Management (Continued)
Media Handling & Security
- Objective: to prevent damage to assets and interruption of business: media control & physical protection.
- Approach: operating procedures to protect computer media & data from damage, theft & unauthorized access.
Exchanges of Information & Software
- Objective: to prevent loss, modification, or misuse of information exchanged between organizations.
- Approach: control of information exchange according to relevant legislation. Examples: e-mail, EDI, e-commerce (applications).

9. Access Control
Business Requirements for Access Control
- Objective: to "control access to information".
- Approach: access according to "business security requirements" & "policies of information dissemination & authorization".
User Access Management
- Objective: to "prevent unauthorized access to information".
- Approach: procedures for "access rights" from registration to de-registration; special attention to "privileged access".

9. Access Control (Continued)
User Responsibilities
- Objective: to "prevent unauthorized user access".
- Approach: awareness & responsibilities of users; password rules; cooperation of users.
Network Access Control
- Objective: to "protect network services".
- Approach: interfacing with other networks; authentication of users / equipment; user access to services.
Operating System Access Control
- Objective: to "prevent unauthorized network access".
- Approach: user identity / location; recording success / failure; quality passwords; limiting connection time (if appropriate).
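The "recording success / failure" control only pays off if someone looks at the records. As an added example (not part of the original slides), the following monitor parses constructed authentication log lines, keeps a per-account tally of successes and failures, and flags accounts whose failures cluster inside a sliding time window; the log format, account names, addresses and the threshold are all assumptions made for illustration.

```python
"""Flag accounts with repeated authentication failures.

Added example, not from the original slides. The log format, account
names, addresses and thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data).
SAMPLE_LOG = """\
2024-03-01T09:00:01 auth result=SUCCESS user=alice src=10.0.0.5
2024-03-01T09:01:10 auth result=FAILURE user=bob src=10.0.0.9
2024-03-01T09:01:15 auth result=FAILURE user=bob src=10.0.0.9
2024-03-01T09:01:20 auth result=FAILURE user=bob src=10.0.0.9
2024-03-01T09:01:25 auth result=FAILURE user=bob src=10.0.0.9
2024-03-01T09:01:30 auth result=FAILURE user=bob src=10.0.0.9
2024-03-01T09:05:00 auth result=FAILURE user=carol src=10.0.0.7
2024-03-01T09:40:00 auth result=FAILURE user=carol src=10.0.0.7
2024-03-01T09:41:00 auth result=SUCCESS user=carol src=10.0.0.7
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>SUCCESS|FAILURE) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def outcome_counts(events):
    """Per-account record of successes and failures (the 'recording' control)."""
    counts = defaultdict(lambda: {"SUCCESS": 0, "FAILURE": 0})
    for e in events:
        counts[e["user"]][e["result"]] += 1
    return dict(counts)


def flag_repeated_failures(events, threshold=5, window=timedelta(minutes=10)):
    """Return {user: most failures seen inside any span of length `window`}
    for accounts reaching `threshold`. A sliding window keeps a burst (bob)
    separate from slow, spread-out failures (carol), which are ordinary typos."""
    times_by_user = defaultdict(list)
    for e in events:
        if e["result"] == "FAILURE":
            times_by_user[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in times_by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            in_window = end - start + 1
            if in_window >= threshold:
                flagged[user] = max(flagged.get(user, 0), in_window)
    return flagged


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print(outcome_counts(evts))
    print("accounts to review or lock:", flag_repeated_failures(evts))
```

The threshold and window are policy decisions: tighten them for privileged accounts, and feed the flagged list into the lockout or review process the policy defines rather than locking automatically in every case.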

9. Access Control (Continued)
Application Access Control
- Objective: to "prevent unauthorized access to information in information systems".
- Approach: user access control; attention to access to critical software; security of related (shared) systems; restricting access.
Monitoring System Access & Use
- Objective: to detect unauthorized activities.
- Approach: monitoring deviations from access policy; control effectiveness.
Mobile Computing & Tele-working
- Objective: to "ensure IS in mobile computing & tele-working".
- Approach: important issues: environment; special risks; tele-working sites.

10. System Development & Maintenance
Security Requirements of Systems
- Objective: to "ensure that security is built into information systems" (infrastructure, business applications, user-developed applications).
- Approach: security requirements identified & agreed early.
Security in Application Systems
- Objective: to "prevent loss, modification, or misuse of user data in application systems".
- Approach: application system design includes control & audit; validation of input data, internal processing, and output results.
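The three validation points named above (input data, internal processing, output results) are easiest to see as three separate checks on one request. As an added example (not from the original slides), here is a small order-record handler in which each stage rejects or encodes rather than trusting the previous one; the field names, limits, unit price and HTML destination are constructed for illustration.

```python
"""Input / internal processing / output validation for an application record.

Added example, not from the original slides. Field names, limits and the
unit price are constructed for illustration.
"""
import html
import re

USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")
ALLOWED_FIELDS = {"username", "quantity", "comment"}
MAX_QUANTITY = 1000
MAX_COMMENT_LEN = 200
UNIT_PRICE_CENTS = 250  # constructed value


class ValidationError(ValueError):
    """Raised when a record fails a control; the request must be rejected."""


def validate_input(record):
    """Input data validation: allow-listed fields, types, formats and ranges."""
    if not isinstance(record, dict):
        raise ValidationError("record must be an object")
    unexpected = set(record) - ALLOWED_FIELDS
    if unexpected:
        raise ValidationError(f"unexpected fields: {sorted(unexpected)}")
    username = record.get("username")
    if not isinstance(username, str) or not USERNAME_RE.match(username):
        raise ValidationError("username must match the allow-listed pattern")
    quantity = record.get("quantity")
    # bool is a subclass of int in Python, so exclude it explicitly
    if isinstance(quantity, bool) or not isinstance(quantity, int):
        raise ValidationError("quantity must be an integer")
    if not 1 <= quantity <= MAX_QUANTITY:
        raise ValidationError("quantity out of range")
    comment = record.get("comment", "")
    if not isinstance(comment, str) or len(comment) > MAX_COMMENT_LEN:
        raise ValidationError("comment must be a string of bounded length")
    return {"username": username, "quantity": quantity, "comment": comment}


def process(clean):
    """Internal processing validation: check invariants on intermediate results
    so a logic error or corrupted state cannot propagate silently."""
    total = clean["quantity"] * UNIT_PRICE_CENTS
    if not 0 < total <= MAX_QUANTITY * UNIT_PRICE_CENTS:
        raise RuntimeError("internal invariant violated: total out of bounds")
    return {**clean, "total_cents": total}


def render_output(result):
    """Output validation: encode every value for its destination (HTML here)
    so user-controlled text cannot alter the structure of the output."""
    return "<tr><td>{u}</td><td>{q}</td><td>{t}</td><td>{c}</td></tr>".format(
        u=html.escape(result["username"], quote=True),
        q=result["quantity"],
        t="{:.2f}".format(result["total_cents"] / 100),
        c=html.escape(result["comment"], quote=True),
    )


def handle(record):
    """Full path: reject bad input, check processing, encode output."""
    return render_output(process(validate_input(record)))


if __name__ == "__main__":
    print(handle({"username": "alice", "quantity": 3, "comment": "<b>hi</b>"}))
```

The input stage is an allow-list (what is permitted), not a deny-list of known-bad strings; the processing stage asserts an invariant the business logic guarantees; the output stage encodes for the destination it is actually writing to, which would be a different encoder for SQL, a shell, or a log file.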

10. System Development & Maintenance (Continued)
Cryptographic Control
- Objective: to "protect the confidentiality, authenticity, and integrity of IS".
- Approach: use of cryptographic techniques.
Security in System Files
- Objective: to "ensure that IT projects and support activities are conducted in a secure manner".
- Approach: control access to system files; responsibility of the application owner.
Security in Development & Support Processes
- Objective: to "maintain the security of application system software & information".
- Approach: strict control on project development; reviewing, testing & checking.
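Of the three goals named for cryptographic control, integrity and authenticity can be shown with nothing beyond the Python standard library. As an added example (not from the original slides), the following code binds a stored record to a secret key with HMAC-SHA256 and shows that any change to the record, or verification under a different key, is detected; the key and record values are constructed. Confidentiality would additionally require an authenticated cipher (such as AES-GCM from a cryptography library), which this example deliberately leaves out.

```python
"""Integrity and authenticity of a stored record with an HMAC.

Added example, not from the original slides. The key and record values are
constructed for illustration; confidentiality is not addressed here.
"""
import hashlib
import hmac
import json
import secrets

# Constructed demo key. Real deployments generate keys with new_key() below
# and keep them in a key store, never in source code.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def canonical_bytes(record):
    """Deterministic serialization so the same data always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_record(record, key):
    """Return a hex HMAC-SHA256 tag binding the record to whoever holds `key`."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_record(record, tag, key):
    """Constant-time comparison; any change to the record or a wrong key fails."""
    expected = sign_record(record, key)
    return hmac.compare_digest(expected, tag)


def new_key():
    """Generate a fresh 256-bit key from the OS CSPRNG."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    rec = {"id": 42, "amount": 100, "account": "ACC-001"}
    tag = sign_record(rec, DEMO_KEY)
    print("original verifies:", verify_record(rec, tag, DEMO_KEY))
    tampered = dict(rec, amount=100000)
    print("tampered verifies:", verify_record(tampered, tag, DEMO_KEY))
```

A plain hash (SHA-256 of the record) would give integrity against accidental corruption only; anyone who can modify the record can recompute the hash. The key is what turns the check into an authenticity control, which is why key storage and rotation belong in the same policy as the algorithm choice.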

11. Business Continuity Management
Aspects of Business Continuity Management
- Objective: to "counteract interruptions to business activities" and to "protect critical business processes from the effects of major failures or disasters".
- Approach: implementation of a "business continuity management process" using "prevention & recovery" controls. Problems addressed: disasters; security failures.

12. Compliance
Compliance with Legal Requirements
- Objective: to "avoid breaches of any criminal & civil law, statutory, regulatory, or contractual obligations, and of any security requirements".
Security Policy & Technical Compliance
- Objective: to "ensure compliance with organizational security policies & standards".
- Approach: regular review of security policy compliance: standards / technical platform.
System Audit Considerations
- Objective: to "maximize the effectiveness of & minimize the interference to/from the system audit process".
- Approach: operational control during audit; no misuse of audit tools.

Suggested Work
Detailed review considering:
- Strategy / Technology / Organization / People / Environment
- Challenges / Protection Techniques / Security Measures
- Main levels / System levels
- BS 7799 Part 2
Derivation of procedures:
- Investigation of the current state
- Diagnosing problems
- Proposing solutions
- ISO compatibility / accreditation

References
- ISO/IEC 17799: Information Technology: Code of Practice for Information Security Management. Reference number: ISO/IEC 17799:2000(E). www.iso.org
- www.liontech-it.com
- www.eu_didata.com
- www.rsasecurity.ie
- S.H. Bakry, "Development of a security policy for private networks", International Journal of Network Management, Vol. 12, 2002.