Information Security Management Goes Global
Ted Humphreys, XiSEC

- Business continuity
- Corporate governance
- Compliance with legislation
- Information assets
- Policy & procedures
- Management of risk
- Incident handling
- Best practice
- Protecting on-line business
- Managing 3rd party access
Information Security Management

Global Business Objectives
- Ensuring business continuity
- Minimise business damage
- Maximise return on investments

These global objectives of information security management are also stated in ISO/IEC 17799.
Information Security Management

Achieving the objectives by managing the risk.
Assessing the Risk

Risk is the potential that a threat will exploit a vulnerability and cause damage or loss to an asset.

The assessment includes:
- the value of the asset
- the level of corresponding vulnerabilities
- the likelihood of the relevant threats
- existing and planned controls which protect the asset
Managing the Risks

Expenditure on information security needs to be balanced against, and appropriate to:
- the business value of the information and other business assets at risk, and
- the business harm/impact likely to result from security failures
Managing the Risk

- Risk acceptance
- Ignoring the risks
- Risk avoidance
- Risk transfer
- Risk reduction
Managing the Risks with Controls

- Reduce the vulnerabilities
  - Reduce/eliminate the weaknesses
- Reduce the likelihood of occurrence
  - Reduce/eliminate the cause
  - Minimise the probability by preventative measures
- Reduce the consequences of impact
  - Ensuring effective monitoring
  - Taking steps to prevent, minimise or contain impact
Information Security Management

Targets
- Preserving the Confidentiality, Integrity/authenticity & Availability of information

Means of achieving targets
- Access control, user identification & authentication, encryption, digital signatures, message authentication, backups, capacity planning, regular maintenance, virus protection software, information handling procedures, physical security etc.
What is ISO/IEC 17799?

- NOT IT Security: it's about Information Security
- A risk-based approach for defining policy & procedures & selection of appropriate controls to manage risk
- It's a standard on best practice for information security management
Who looks after ISO/IEC 17799?

17799 is managed and maintained by ISO/IEC JTC 1/SC 27 WG1.
- WG1 Convenor: Ted Humphreys
- Editors: Angelika Plate and Oliver Weissmann
Some ISO/IEC History

- BS 7799 Part 1: 1995
- BS 7799 Part 1: 1999
- ISO/IEC 17799: 2000
- WG1 managing 1st revision due 200x
What's in ISO/IEC 17799? The Chapters

- Security policy
- Security organisation
- Asset classification & control
- Business continuity
- Personnel security
- Physical & environmental security
- Access control
- Compliance
- Communications & operations management
- Systems development & maintenance
ISO/IEC 17799 Chapter Structure

- Control Objective
- Control: satisfies the requirements of the objective
- Implementation Guidance: advice and help on implementation of the control
- Other Information: other supporting help and information
Control Example: External facilities management

Control
The risks of using external facilities management services should be identified in advance, and appropriate controls agreed with the contractor, and incorporated into the contract.

Implementation Guidance
Particular issues that should be addressed include:
a) Identifying sensitive or critical applications better retained in-house,
b) Obtaining the approval of business application owners,
c) Implications for business continuity plans,
d) Security standards to be specified, and the process for measuring compliance,
e) Allocation of specific responsibilities and procedures to effectively monitor all relevant security activities; responsibilities and procedures for reporting and handling security incidents.

Other Information
The use of an external contractor to manage information processing facilities may introduce potential security exposures, such as the possibility of compromise, damage, or loss of data at the contractor's site. See also and 4.3 for guidance on third party contracts involving access to organizational facilities and outsourcing contracts.
ISO/IEC 17799 Policies & Procedures

- Information security policy
- Access control
- Use of , Internet services & network connections
- Use of mobile computing
ISO/IEC 17799 Policies & Procedures

- Security incident handling
- Business continuity
- Operational procedures
- Change control
- Housekeeping
- Information handling
- System acceptance
ISO/IEC 17799 Organisational Security

To manage information security within the organisation:
- Security Forum
- Allocation of roles and responsibilities
- Co-ordination
- Security of 3rd party access
- Outsourcing, managed services etc.
- Security conditions in contracts
ISO/IEC 17799 Asset Control

Accountability of assets
- To maintain an asset inventory
- Information classification
- Information handling procedures
- Maintain appropriate protection of assets
- Asset ownership and security responsibilities
- Delegation & accountability
- Outsourcing, managed services etc.
ISO/IEC 17799 Operations Management

- Procedures to ensure correct and secure operation
- Minimise the risk of system failures
- Safeguard the integrity of company information and software
- Maintain the integrity and availability of company services
ISO/IEC 17799 Operations Management

- Ensure the protection of supporting system and networking infrastructures
- Prevent damage to computer media
- Incident management procedures
- System and capacity planning and acceptance
- Malicious software
- Backups
ISO/IEC 17799 – Security Incidents

Responding to incidents
- To minimise the damage from security incidents, system malfunctions, software weaknesses, virus attacks, denial of service attacks, breaches of law, data theft etc.
- Monitoring, detecting, reporting, responding to and learning from security incidents
ISO/IEC 17799 Controlling Access

To control access to the company's information based on agreed access control policy and procedures:
- User access management
- User registration
- User responsibilities, rights and privileges, review
ISO/IEC 17799 Controlling Access

Access policy, procedures and technical controls for:
- Network services (internal and external), Web sites etc.
- Computer systems
- Applications
- On-site and off-site (remote) access
- Monitoring system access and use
ISO/IEC 17799 Systems Dev/Maintenance

Building security into the company's systems and processes: application systems
- Input/output data validation
- Internal processing validation
- Cryptographic mechanisms
- Non-cryptographic mechanisms
ISO/IEC 17799 Systems Dev/Maintenance

Building security into the company's systems and processes: system files
- Control of software and protection of test data
- Development and support environments
- Change control procedures
- Review of operating system changes
- Restrictions on software changes
ISO/IEC 17799 Business Continuity

To protect critical company processes and assets, and to counteract interruptions to business activities from the effects of system failures, serious breaches of security, disasters etc.
ISO/IEC 17799 Business Continuity

- A managed planning process should be in place
- Procedures (for handling customers/suppliers, relocation, emergency control, fallback, resumption and recovery etc.) should be developed and regularly tested
- Plans and procedures should be regularly reviewed and updated as necessary
ISO/IEC 17799 Compliance

Compliance with legislation and contractual requirements: to avoid breaches of any statutory, criminal or civil obligations and related security requirements.
In Summary - Why use ISO/IEC 17799?

- Ensure business continuity
- Minimise business damage & protect business assets
- Maximise return on investments & business opportunities
- Good corporate governance: "fit to manage risk"
Q&A

The standard's title in other languages:
- Information Security Management (Portuguese)
- Guidelines for information security management (Swedish)
- Guide to information security management (German)
- Management system for information security (Dutch)
- IT security (French)