Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 09 Network Security Management through the ISMS

Published byChad Lucas Modified over 6 years ago

Similar presentations

Presentation on theme: "Lecture 09 Network Security Management through the ISMS"— Presentation transcript:

1 Lecture 09 Network Security Management through the ISMS
Asst.Prof.Supakorn Kungpisdan, Ph.D. NETE0519-ITEC4614

2 Learning Objectives Explain the purpose of an ISMS and the process for: Establishing Implementing Operating Monitoring Reviewing Improving the ISMS Explain the purpose and the contents of ISO27001, ISO27002, ISO27005 and their relationship NETE0519-ITEC4614

3 Asset Identification Exercise Give example of Asset NETE0519-ITEC4614
Personnel Buildings Equipment Furniture Software (purchased and home-grown) Intellectual property Inventory Cash Processes Reputation NETE0519-ITEC4614

4 Asset Valuation The cost to design and develop or acquire, install, maintain, protect the asset Acquired value; information assets may increase in value over time The cost of collecting and processing data for information assets The value to a competitor The value of lost business opportunity if the asset is compromised The value of providing information to customers A reduction in productivity while the asset is unavailable The cost to replace or repair the asset Depreciation; most assets lose value over time NETE0519-ITEC4614

5 Information Information asset
Knowledge or data that has value to the organization NETE0519-ITEC4614

6 Storing and communicating information
Printed or written on paper Stored electronically Transmitted by post or using electronic means Shown on corporate videos Verbal-spoken in conversations “Whatever form the information takes, or means by which it is shared or stored, it should always be appropriated protected” NETE0519-ITEC4614

7 What is Information Security?
ISO27001:2005 defines Information Security as Preservation of Confidentiality: the property that information is not made available or disclosed to unauthorized individuals, entities, or processes Integrity: the property of safeguarding the accuracy and completeness of assets Availability: the property of being accessible and usable upon demand by an authorized party of information NETE0519-ITEC4614

8 What is Information Security? (cont.)
Authenticity Non-repudiation Accountability Reliability NETE0519-ITEC4614

9 Exercise Give an example of networking technologies, activities, or processes that are related to Confidentiality Integrity availability NETE0519-ITEC4614

10 Sensitive or critical information
Assessment can identify sensitive and critical information based on value to the organization Sensitive or critical information can be based on time. Some financial information will be very sensitive before reporting to the stock market, but have no sensitivity after once reported Sensitivity reflects data classification level Assessment involves in valuation of information assets in order to calculate risks and security level required to protect these assets using appropriate controls NETE0519-ITEC4614

11 Management System includes..
Organization Resources Structures Policies Planning activities Responsibilities Practices Procedures Processes NETE0519-ITEC4614

12 Information Security Management System
Part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security Information security should be seen as an ongoing activity of continual improvement ISMS adoption should be a strategic decision by the top management NETE0519-ITEC4614

13 ISMS (cont.) ISMS requires that everyone is clear about what is required of them, that: they are trained in what they are meant to do, they have the facilities and resources they need, etc. ISMS to initiate the production of standard set of (broad) requirements which all have to be complied with. NETE0519-ITEC4614

14 Consideration on overall performance of the organization may impact…
CIA of information Competitive advantages through improved organizational capabilities Customer loyalty Repeat business and referral Understanding and motivation of people towards the organizational goals and objectives, as well as participation in continual improvement Operational results e.g. revenue and market share Reviewing threats and vulnerabilities on a regular basis Efficient and effective use of resources Alignment of processes which will best achieve desired results NETE0519-ITEC4614

15 Consideration on overall performance of the organization may impact…
Confidence of interested parties in the effectiveness and efficiency of the organization Ability to create value for both the organization and its suppliers by optimization of cost and resources as well as flexibility and speed of joint responses to changing markets NETE0519-ITEC4614

16 Notes Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investment and business opportunities Every organization will have a differing set of requirements in terms of control requirements and the level of confidentiality, integrity, and availability From the Introduction section of ISO27002 NETE0519-ITEC4614

17 History and Family of ISO 27001 Standards
NETE0519-ITEC4614

18 ISO27001 Standard ISO/IEC 27001, part of a growing family of ISO/IEC standards, is an information security management system (ISMS) standard published in October 2005 by the ISO and the International Electrotechnical Commission (IEC). Its full name is ISO/IEC 27001:2005—Information technology—Security techniques—Information security management systems—Requirements but it is com- monly known as ISO NETE0519-ITEC4614

19 History of ISMS Standards
1992: BSI approached by industry sectors and service providers with concerns over the increase of electronic office systems and potential problems related to controls over these systems Jan 1993: set up an industry working group to review the concerns raised by the industry. The results published is called “Code of Practice” Feb 1995: Code of Practice had become BS standard Feb 1998: BSI produced BS to form basis for organization to be registered for an ISMS system (focused on audit) April 1999: both BS and BS were aligned and republished as BS :1999 and BS :1999 2000: BS had become ISO17799:2000 2005: ISO17799:2000 were revised and re-numbered to ISO 27002:2005 2005: BS has been adopted as ISO 27001:2005 NETE0519-ITEC4614

20 The ISO27001 family of standards
ISO27000 – Overview and vocabulary ISO27001 – Audit requirements ISO27002 – Code of Practices (was ISO17799:2005) ISO27003 – Implementation Guidance ISO27004 – Measurement ISO27005 – Risk Management ISO27006 – Requirements for Bodies providing Audit and Certification of ISMSs NETE0519-ITEC4614

21 Why Implement ISO27001:2005 Without suitable protection, information can be: Given away, leaked or disclosed in an authorized way Modified without your knowledge to become less valuable Loss without trace or hope of recovery Can be rendered unavailable when needed Information should be protected and properly managed like other business asset of the organization NETE0519-ITEC4614

22 ISMS Implementation and ISO 27001 Certification Process
NETE0519-ITEC4614

23 ISMS Implementation and ISO 27001 Certification Process
See ISO27k ISMS implementation and certification process.ppt NETE0519-ITEC4614

24 Establishing the ISMS NETE0519-ITEC4614

25 Continual improvement of the management system
PDCA Cycle Continual improvement of the management system NETE0519-ITEC4614

26 PDCA (cont.) NETE0519-ITEC4614

27 Meeting ISO 27001:2005 Requirements
NETE0519-ITEC4614

28 Meeting ISO 27001:2005 Requirements
The requirements contained in the ISMS process, that are described in clauses 4-8 of ISO :2005. ISMS process requirements address how an organization should establish and maintain their ISMS, based on PDCA model Any organization wants to achieve ISO 27001:2005 certification need to comply with all these requirements, exclusions are not acceptable NETE0519-ITEC4614

29 Meeting ISO 27001:2005 Requirements (cont.)
The ISMS control requirements, contained in Annex A of ISO 27001:2005 ISMS control requirements are applicable for an organization unless the risk assessment and risk acceptance criteria prove that this is not the case “Any exclusions of controls found to be necessary to satisfy the risk acceptance criteria need to be justified and evidence need to be provided that the associated risks have been properly accepted by accountable person.” NETE0519-ITEC4614

30 Steps of ISO27001 Establish the ISMS (clause 4.2.1)
Implement and operate the ISMS (clause 4.2.2) Monitor and review the ISMS (clause 4.2.3) Maintain and improve the ISMS (clause 4.2.4) NETE0519-ITEC4614

31 4.2.1 Establish the ISMS See ISO 27001 document for details
NETE0519-ITEC4614

32 4.2.1 Establish the ISMS (cont.)
In terms of: Characteristics of the business The organization Its location Its assets Its technology Define scope and boundaries of the ISMS Define an ISMS policy NETE0519-ITEC4614

33 ISMS Policy Example See example from ISO27001 toolkit
NETE0519-ITEC4614

34 Control Objectives A.5 Security policy
A.6 Organization of information security A.7 Asset management A.8 Human resources security A.9 Physical and environmental security A.10 Communications and operations management A.11 Access control A.12 Information systems acquisition, development and maintenance A.13 Information security incident management A.14 Business continuity management A.15 Compliance NETE0519-ITEC4614

35 Implementing and operating the ISMS
NETE0519-ITEC4614

36 4.2.2 Implement and operate the ISMS
See ISO document for details NETE0519-ITEC4614

37 4.2.3 Monitor and review the ISMS
See ISO document for details NETE0519-ITEC4614

38 Maintain and improve the ISMS
See ISO document for details NETE0519-ITEC4614

39 Questions? NETE0519-ITEC4614

Download ppt "Lecture 09 Network Security Management through the ISMS"

Similar presentations

Innovation or Necessity? ISM 158 By: Sepehr Saeb.

Innovation or Necessity? ISM 158 By: Sepehr Saeb.
Dr Lami Kaya LamiKaya@gmail.com ISO 27001 Information Security Management System (ISMS) Certification Overview Dr Lami Kaya LamiKaya@gmail.com.

Dr Lami Kaya ISO Information Security Management System (ISMS) Certification Overview Dr Lami Kaya
The International Security Standard

The International Security Standard
Secure Systems Research Group - FAU Process Standards (and Process Improvement)

Secure Systems Research Group - FAU Process Standards (and Process Improvement)
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
ISO 9001 : 2000.

ISO 9001 : 2000.
Chapter 5: Asset Classification

Chapter 5: Asset Classification
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.

ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
Security Controls – What Works

Security Controls – What Works
ISO/IEC 27001 Winnie Chan BADM 559 Professor Shaw 12/15/2008.

ISO/IEC Winnie Chan BADM 559 Professor Shaw 12/15/2008.
First Practice - Information Security Management System Implementation and ISO 27001 Certification.

First Practice - Information Security Management System Implementation and ISO Certification.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Information Systems Controls for System Reliability -Information Security-

Information Systems Controls for System Reliability -Information Security-
Fraud Prevention and Risk Management

Fraud Prevention and Risk Management
Eng R. L. Nkumbwa-2010 Copperbelt University 1 ISO 9001 - 2008 Quality Management Systems.

Eng R. L. Nkumbwa-2010 Copperbelt University 1 ISO Quality Management Systems.
Consultancy.

Consultancy.
© 2010 Plexent – All rights reserved. 1 Change –The addition, modification or removal of approved, supported or baselined CIs Request for Change –Record.

© 2010 Plexent – All rights reserved. 1 Change –The addition, modification or removal of approved, supported or baselined CIs Request for Change –Record.
Information Security Framework & Standards

Information Security Framework & Standards
Evolving IT Framework Standards (Compliance and IT)

Evolving IT Framework Standards (Compliance and IT)
Overview Of Information Security Management By BM RAO Senior Technical Director National Informatics Centre Ministry of Communications and Information.

Overview Of Information Security Management By BM RAO Senior Technical Director National Informatics Centre Ministry of Communications and Information.

Similar presentations

Ads by Google