Presentation is loading. Please wait.

Presentation is loading. Please wait.

“Limiting electronic fraud through an Information Security Management System (ISMS): An Introduction to ISO 27001" Presented to the ICGFM Annual Conference.

Published byIra Horn Modified over 9 years ago

Similar presentations

Presentation on theme: "“Limiting electronic fraud through an Information Security Management System (ISMS): An Introduction to ISO 27001" Presented to the ICGFM Annual Conference."— Presentation transcript:

1 “Limiting electronic fraud through an Information Security Management System (ISMS): An Introduction to ISO 27001" Presented to the ICGFM Annual Conference May 2006 James St. Clair Senior Manager Grant Thornton LLP Global Public Sector

2 Disclaimer The views expressed do not necessarily reflect the views of Grant Thornton LLP

3 Areas of Discussion Global trends in Electronic Finance (E-Finance) Risks to E-Finance Establishing a policy framework Overview of Information Security Management Questions?

4 Presentation Objectives Familiarize the audience with the pervasiveness of E-Finance Discuss how E-Finance is vulnerable Outline steps to implement a framework to limit risk Discuss the specifics of an Information Security Management System

5 The Growth of Electronic Finance

6 Electronic Finance is now the world standard E-Finance consists of four primary categories: –Electronic Funds Transfer (EFT) –Electronic Benefits Transfers (EBT) –Electronic Data Interchange (EDI) –Electronic Trade Confirmations (ETC) Additionally, the communications channels used for E-Finance have grown –Home PCs –E-Banking –Phones and PDAs

7 Growth of E-Finance has been tremendous E-Finance accounts for over $2 trillion a day Percentage of banking online has risen from 5% to 50% in 5 years Number of connect countries and individuals has exploded globally –Internet availability in developing countries –90% penetration of mobile phone markets –Wireless applications for daily business Proliferation of e-credit mechanisms

8 The Risks to Electronic Finance

9 Risks to E-Finance have also grown explosively Sheer number of global internet users have created a "wild west" for conducting business –"Open" nature of the Internet now its biggest flaw Tremendous growth in the technology to create financial havoc –Data and records theft that used to take days can be reduced to minutes Lack of appreciation in how accessible data can really be –What is your risk?

10 Primary types of threats Electronic Fraud –Identity theft –Access manipulation Security Breaches –Hacking –Viruses and "spy-ware"

11 Legal and Policy framework for Information Security

12 Policy and Law are the first step to limiting risk Legal framework –Countries and organizations have been active in developing the legal framework needed to prosecute electronic crime OECD UN OAS –Most importantly, efforts are made to enforce the laws once created

13 Policy and Law are the first step to limiting risk (cont'd) Policy requirements –Oorganizations must have an adequate policy framework to enforce good security –Policies are clearly understood and enforced and based on applicable law What should an information security policy framework look like?

14 ISO 27001: The framework for an Information Security Management System (ISMS)

15 ISO/IEC 27001:2005 - Specification Specifies requirements for establishing, implementing, and documenting Information Security Management Systems (ISMS) Specifies requirements for security controls to be implemented according to the needs of individual organizations Consists of 11 control sections, 39 control objectives, and 133 controls Is aligned with ISO/IEC 17799:2005 Source: BSI America

16 Development of ISO/IEC 270001 "family" of standards ISO/IEC Standard Description 27000Vocabulary and definitions 27001Specification (BS7799-2) Issued October 2005 27002Code of Practice (ISO17799:2005) 27003Implementation Guidance 27004Metrics and Measurement 27005Risk Management (BS 7799-3) Source: BSI America

17 Key considerations for ISO/IEC 27001:2005 Integrates IT security policy and procedures with existing organization practices Implements a means for continuous compliance and improvement Reinforces IT security as part of good corporate governance Built on internationally accepted standards –Implementation of OECD principles for privacy and security

18 Harmonization example Image courtesy of BSI America

19 Growing Acceptance Source: http://www.xisec.com/

20 Organizations are registered (or certificated) by a Registration Body in accordance with the requirements of a scheme such as exists for ISO 9001, ISO 14001, or ISO/IEC 27001 Registration Bodies (and in some instances auditors) are accredited by a recognized body (e.g., UKAS, IRCA, ANAB) to conduct assessment and certification to a recognized scheme Registration of ISMS

21 Government Benefits of an ISMS Helps build a positive image for government agencies, as well as a reinforce a country's political and financial status in the world market Provides satisfaction and confidence that citizens’ information security requirements are being met and privacy is being protected Reduces liability and risk due to implemented or enforced policies and procedures (due diligence) Gain improvement of process efficiency and the management of security costs

22 What steps are necessary to implement an ISMS? An organizational investment –Requires "buy-in" from all members of the organization Must be implemented with existing Risk management efforts Make sure you understand legal issues as well as technical

23 Questions to ask of your ISMS 1.Has your scope been defined? 2.Who should be involved in developing and maintaining our ISMS? a)Cannot be assigned like another IT project 3.Do IT Security plans exist for all agencies, and are they tested in any format? 4.Has proper resources been allocated?

24 Questions? Thank You! James A.St.Clair, CISM Senior Manager Global Public Sector Grant Thornton LLP T 703.637.3078 F 703.837.4455 C 703.727.6332 E Jim.StClair@gt.com

Download ppt "“Limiting electronic fraud through an Information Security Management System (ISMS): An Introduction to ISO 27001" Presented to the ICGFM Annual Conference."

Similar presentations

EXPERIENCES OF OTHER COUNTRIES IN REGULATION OF PAYMENT CARDS SYSTEM This section reviews the regulatory experiences of other countries with respect to.

EXPERIENCES OF OTHER COUNTRIES IN REGULATION OF PAYMENT CARDS SYSTEM This section reviews the regulatory experiences of other countries with respect to.
Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.

Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.
QA Programs for Local Health Departments

QA Programs for Local Health Departments
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.

ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
Mobile Technology & Cyber Threats Promoting E-Commerce in Ghana Ruby Saakor Tetteh Ministry of Trade & Industry, Ghana Sixth Annual African Dialogue Consumer.

Mobile Technology & Cyber Threats Promoting E-Commerce in Ghana Ruby Saakor Tetteh Ministry of Trade & Industry, Ghana Sixth Annual African Dialogue Consumer.
Auditor General’s Office One key audit focus area – Compliance with Laws and Regulations.

Auditor General’s Office One key audit focus area – Compliance with Laws and Regulations.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Advantages of IT Security Prof. Uldis Sukovskis, CISA Riga Information Technology Institute Secure information exchange in Electronic media Baltic IT&T.

Advantages of IT Security Prof. Uldis Sukovskis, CISA Riga Information Technology Institute Secure information exchange in Electronic media Baltic IT&T.
The Demand for Audit and Other Assurance Services Chapter 1.

The Demand for Audit and Other Assurance Services Chapter 1.
ISO 17799&ITS APPLICATION Prepared by Çağatay Boztürk 14.06.2005.

ISO 17799&ITS APPLICATION Prepared by Çağatay Boztürk
Information Systems Security Officer

Information Systems Security Officer
Copyright Security-Assessment.com 2004 Security Governance and Regulatory Controls by Peter Benson.

Copyright Security-Assessment.com 2004 Security Governance and Regulatory Controls by Peter Benson.
© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.

© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.
Training.

Training.
Quality Management Systems

Quality Management Systems
ISO 9000 and Total Quality: The Relationship Eng. Basel F. Qandeel.

ISO 9000 and Total Quality: The Relationship Eng. Basel F. Qandeel.
Mª ANGELA JIMENEZ 1 UNIT 4. EXTERNAL AUDIT BASIS CONCEPTS.

Mª ANGELA JIMENEZ 1 UNIT 4. EXTERNAL AUDIT BASIS CONCEPTS.
1Product certification CASCO Comms/061 2004-12-07 www.iso.org International Organization for Standardization.

1Product certification CASCO Comms/ International Organization for Standardization.
RISK MANAGEMENT SUPPORTED BY CORPORATE GOVERNANCE COLOMBIA Alfonso Parias, Risk Control Manager October 9, 2007.

RISK MANAGEMENT SUPPORTED BY CORPORATE GOVERNANCE COLOMBIA Alfonso Parias, Risk Control Manager October 9, 2007.

Similar presentations

Ads by Google