Presentation is loading. Please wait.

Presentation is loading. Please wait.

Overview Of Information Security Management By BM RAO Senior Technical Director National Informatics Centre Ministry of Communications and Information.

Similar presentations


Presentation on theme: "Overview Of Information Security Management By BM RAO Senior Technical Director National Informatics Centre Ministry of Communications and Information."— Presentation transcript:

1 Overview Of Information Security Management By BM RAO Senior Technical Director National Informatics Centre Ministry of Communications and Information Technology Government of India Email : bmrao@ap.nic.inbmrao@ap.nic.in Phone No : 040 23494406

2 INFORMATION SECURITY Generating information for the organization involves various components, processes and persons.

3 Prime things for the organization information processes are  People  Data center  Servers  Storage devices  Software  OS  Application software  Network INFORMATION SECURITY

4 Information that can exist in many forms  Data stored on computers  Transmitted Across Networks  Print Outs  Written on a Paper  Sent by Fax  Stored on Disks INFORMATION SECURITY

5 Information security is the protection against the loss/damage of information and preservation with Confidentiality Integrity Availability INFORMATION SECURITY

6 Information asset An information asset is a body of information, defined and managed as a single unit so it can be understood, shared, protected and exploited effectively. Information assets have certain value.

7 Value of asset Each organization has its own asset valuation scale (e.g. ‘high’, ‘medium’, ‘low’ etc.) The value expresses the potential impact and damage to the business from a loss of - Confidentiality - Integrity - Availability Values associated with breach of legislation

8 Dependent on loss/damage - Financial loss - Loss of sales/market share - Service availability & disruption to operations - Processing capability & productivity - Damage to image and reputation Value of asset

9 Vulnerabilities  Vulnerabilities are weaknesses associated organization’s assets.  Vulnerabilities may be identified in following areas  Processes and procedures  Personnel  Physical environment  Information system configuration  Hardware, software or communications equipment  Dependence on external parties

10 Threats Threats are anything that could cause damage/harm/loss to assets Threats can be accidental or deliberate Assets are subject to many kinds of threats which exploit vulnerabilities associated with them

11 Security Risk A security risk is the potential that a given threat will exploit vulnerabilities to cause loos/damage to asset. It is a function of the impact of the undesirable event and the probability the event occurred.

12 Information assets Security Safeguarding the accuracy and completeness of information and processing methods Confidentiality Ensuring that information is accessible only to those authorized to have access Ensuring that authorized users have access to information and associated assets when required Threats Security Risks Vulnerabilities INFORMATION SECURITY Integrity Availability

13 Threats & Vulnerabilities : Human Resources Security VulnerabilitiesThreats Unsupervised workTheft Insufficient security trainingOperational support staff error Poorly documented softwareOperational support staff error Lack of monitoring mechanismUse of facilities in unauthorised way Lack of policies for correct use of internet/ e-mail Use of facilities in unauthorised way

14 Threats & Vulnerabilities : Physical Security VulnerabilitiesThreats Unprotected storageTheft Unstable power gridPower fluctuation Lack of physical protection of buildingTheft Susceptibility to voltagePower fluctuation Susceptibility to temperature variationTemperature extremes Location in flood susceptible areaFlooding

15 Risk Assessment Assessment of threats to, impacts on and vulnerabilities of assets and the likelihood of their occurrence It produces an estimate of the risk to an asset at a given point in time.

16 Risk is function of asset value, Threat value and Vulnerability value R=f(A,T,V) R = Risk Value T = Threat Value A = Asset ValueV = Vulnerability Value Organization is free to chose the function ‘f’ as long as the out put of Risk Assessment is relevant. Risk Assessment Sometimes threats and vulnerabilities are commonly called as Security concern and assessed as single entry S(S c /S I /S A )

17 Security control Measures to Prevent, Detect or Reduce the Risk Effective security generally requires combinations of the following : detection Correction deterrencerecovery Preventionmonitoring Limitationawareness

18 Information Security Management Information security that can be achieved through technical means is limited Security also depends on people, policies, processes and procedures Resources are not unlimited It is not a once off exercise but an ongoing activity

19 Steps involved in establishing security management system for the organization Listing of information assets and categorization Identifying vulnerabilities Identifying threats Valuate threats Valuate vulnerabilities Valuate production policies Determine threat loss Arrival risk factors Select controls

20 Security Policy Organization of Information Security Asset Management Human Resource Security Physical & environmental security Communications & operations management Info. Systems Acquisition development & maintenance Access control Information Security Incident Management Business Continuity Management Compliance Security frame work

21 How to Select Controls Baseline controls ⁻ Gap analysis o Controls not or partially in place, but needed ⁻ Legal and business requirements Risk assessment controls ₋ Selected to reduce specific risks ₋ Aiming at identified security problems o Threats, vulnerabilities, assets protection, insurance etc.

22 Selection of Control Objectives and Controls Review the risk and identify control options The selection of controls should be made to bring down the risk to acceptable level The selection of controls should be cost effective

23 Implementing the controls A plan of implantation should be developed containing ‒Priorities (input from risk assessment) ‒Implementing schedule ‒The budget needed ‒Responsibilities ‒Necessary training activities

24 Setting of objectives and controls Example Physical and environmental security Secure areas Objective: To prevent unauthorized physical access, damage and interference to the organization’s premises and information. Physical security perimeterControl Security perimeters (barriers such as walls, card controlled entry gates or manned reception desks) shall be used to protect areas that contain information and information processing facilities. Physical entry controlsControl Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. Securing offices, room and facilities Control Physical security for offices, room and facilities shall be designed and applied.

25 Protecting against external and environmental threats Controls Physical protection against damage from fire, flood, earthquake, explosion, civil unrest and other forms of natural or natural or man-made disaster shall be designed and applied. Working in secure areasControls Physical protection and guidelines for working in secure areas shall be designed and applied. Public access, delivery and loading areas Controls Access points such as delivery and loading areas and other points where unauthorized persons may enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. Setting of objectives and controls Example

26 ISMS is That part of overall management system based on a business risk approach to - Establish - Implement - Operate - Monitor - Review - Maintain & Improve

27 - ISO/IEC 27001 : 2005 - A Specification ( Specifies requirements for implementing, operating, monitoring, reviewing, maintaining & improving, a documented ISMS) - Specifies the requirements of implementing of Security control, customised to the needs of individual organisation of part thereof. - Used as a basis for certification - ISO/IEC 27002 : 2005 ( Originally ISO/IEC 17799 : 2005) - A code of practice for Information Security management - Provides best practice guidance ISMS Standards

28 A.5 Security Policy A.6 Organization of Information Security A.7 Asset Management A.8 Human Resource Security A.9 Physical & environmental security A.10 Communications & operations management A.12 Info. Systems Acquisition development & maintenance A.11 Access control A.13 Information Security Incident Management A.14 Business Continuity Management A.15 Compliance Security Control Clauses of ISO 27001

29 Effective Implementation of ISMS Management Commitment Organisation Resources Focus on Prevention Training Communication Participation System Review

30 THANK YOU


Download ppt "Overview Of Information Security Management By BM RAO Senior Technical Director National Informatics Centre Ministry of Communications and Information."

Similar presentations


Ads by Google