Published by Kerry Reynolds. Modified over 8 years ago.
1
Information Security tools for records managers Frank Rankin
2
The CIA of information security: Confidentiality, Integrity, Availability (the three corners of the information security triad)
3
The history of ISO27001
1992: UK DTI Code of Practice for Information Security Management
1995: British Standards Institution BS7799
2000: ISO/IEC 17799
2005: ISO/IEC 27001:2005
2013: ISO/IEC 27001:2013
4
ISO/IEC 27001:2013
Published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)
Promoted in the UK by the British Standards Institution
5
ISO27001 – What? "…provide requirements for establishing, implementing, maintaining and continually improving an information security management system."
6
ISO27001 – Why? “The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.”
7
ISO/IEC 27001:2013 structure
Foreword
Introduction
Clause 1: Scope
Clause 2: Normative references
Clause 3: Terms and definitions
Clause 4: Context of the organisation
Clause 5: Leadership
Clause 6: Planning
Clause 7: Support
Clause 8: Operation
Clause 9: Performance evaluation
Clause 10: Improvement
Annex A
8
PDCA (Plan, Do, Check, Act)
9
ISO/IEC 27001 Annex A (ISO/IEC 27002 Code of Practice): 114 controls, 35 control objectives, 14 groups
10
A.5: Information security policies (2 controls)
A.6: Organization of information security (7 controls)
A.7: Human resource security (6 controls)
A.8: Asset management (10 controls)
A.9: Access control (14 controls)
A.10: Cryptography (2 controls)
A.11: Physical and environmental security (15 controls)
A.12: Operations security (14 controls)
A.13: Communications security (7 controls)
A.14: System acquisition, development and maintenance (13 controls)
A.15: Supplier relationships (5 controls)
A.16: Information security incident management (7 controls)
A.17: Information security aspects of business continuity management (4 controls)
A.18: Compliance; with internal requirements, e.g. policies, and with external requirements, e.g. laws (8 controls)
11
Controls (ISO27002)
Secure development policy (A.14.2.1): Rules for the development of software and systems shall be established and applied to developments within the organisation.
System change control procedures (A.14.2.2): Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.
Restrictions on changes to software packages (A.14.2.4): Modifications to software packages shall be discouraged, limited to necessary changes, and all changes shall be strictly controlled.
Secure system engineering principles (A.14.2.5): Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.
12
Statement of Applicability
13
Gap analysis against ISO27k controls
Is this control applicable to you?
Do you need this control?
Is the control documented?
Is the control implemented?
14
Information Asset Register
Name, description of asset
Asset owner, users
Date, status (Current/Closed)
Purpose/function
Business value
Location/format/size/requirements
Retention
Risks/controls
15
Identify your assets
Information assets: datasets, records, documents, information systems, paper files
Physical assets: servers, network infrastructure, PCs, laptops, phones, flash drives; buildings, plant, office equipment
Software assets
Services: power, gas, internet, phone lines, water
People: staff, users, key personnel
16
UK Govt Security Policy Framework – Security Outcomes
Good Governance
Culture and Awareness
Risk Management
Information Technology and Services
Physical Security
Responding to Incidents
17
10 Steps to Cyber Security
19
Cyber Essentials
UK Government scheme, aimed at business
Five controls, based on the CESG Ten Steps to Cyber Security
Certification scheme
1. Boundary firewalls and internet gateways
2. Secure configuration
3. User access control
4. Malware protection
5. Patch management
20
CIS 20 Critical Controls
CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 5: Controlled Use of Administrative Privileges
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
CSC 7: Email and Web Browser Protections
CSC 8: Malware Defenses
CSC 9: Limitation and Control of Network Ports, Protocols, and Services
CSC 10: Data Recovery Capability
CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
CSC 12: Boundary Defense
CSC 13: Data Protection
CSC 14: Controlled Access Based on the Need to Know
CSC 15: Wireless Access Control
CSC 16: Account Monitoring and Control
CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
CSC 18: Application Software Security
CSC 19: Incident Response and Management
CSC 20: Penetration Tests and Red Team Exercises
21
Responsible for information: free eLearning from TNA (The National Archives)
Three modules:
General users
Information Asset and Information Risk Owners (IAOs/IROs)
Directors and Business Owners
22
Recommended starter for 10: Management/Corporate; Technical