Need for Information Security, Understanding Information security trends and Improving Security

Transcription

1 Need for Information Security, Understanding Information security trends and Improving Security 10 th December, Er. Sansar Jung Dewan

2

3 At First: InfoSec Basics with the Five W s What is Information Security? Why do you need Information Security? Who is responsible for Information Security? When is the right time to address Information Security? Where does Information Security apply?

4 Information Security definition Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide Integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity; Confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and Availability, which means ensuring timely and reliable access to and use of information. - FISMA 2002, US Federal Law as Title III of the E-Government Act 2002

5 Threat Environment Tools & Techniques Malicious Software (Malware)- trojans, spyware, botnets Actors Users Malicious Actors State-sponsored Actors Issue-motivated groups

6 Which threats have most increased your risk exposure over the last 12 months? Source: Get ahead of cybercrime EY s Global Information Security Survey 2014

7 Which vulnerabilities have most increased your risk exposure over the last 12 months? Source: Get ahead of cybercrime EY s Global Information Security Survey 2014

8 Source: INTERNET SECURITY THREAT REPORT 2014, Symantec

9 Motivation is increasing New Technologies will generate new vulnerabilities The Spectrum of malicious actors is expanding Capability is easier to acquire Security breaches levels decreased slightly but much more costly Cost of breaches nearly doubles in the last year Organizations of all sizes continue to suffer from external attacks Understanding, communication and awareness lead to effective security Organizations are seeking new ways to gain assurance over security Source: Executive Summary: 2014 Information Security Breach Survey, 2014 Australian Government InfoSec Manual Principles

10 Top Mgmt. need to consider What would a serious cyber security incident cost our organization? Who would benefit from having access to our information? What makes us secure against threats? Is the behavior of my staff enabling a strong security culture? Are we ready to respond to a cyber security incident? Source: 2014 Australian Government InfoSec Manual Principles

11 InfoSec Documentation Information Security Policy Security Risk Management Plan System Security Plan Standard Operating Procedures Incident Response Plan Emergency Procedures Business Continuity and disaster recovery Plans Source: 2014 Australian Government InfoSec Manual Principles

12

13 InfoSec Leadership & Support Organizational structure & top management Leadership commitment and policy Support

14 Organizational structure & top management with duties, roles & responsibilities, authorities of management, etc. Organization structure: ISO 27001:2013

15 Leadership commitment and policy Providing information security policy and objectives Ensuring the integration of ISMS requirement Ensuring that the resources needed for ISMS are available Communicate the importance of effective management of InfoSec and compliance with ISMS Ensuring that the ISMS allows you to achieve the appropriate result Treatment and support for people to enhance the efficiency of ISMS Promoting continuous improvement

16 Leadership commitment and policy Senior mgmt. need to establish an InfoSec policy that Is suitable for the organization Includes the goals and provides a framework for setting goals of InfoSec Includes a commitment to meet the appropriate requirements related to InfoSec Includes a commitment to continual improvement of ISMS Policy of information security should Be available as documented information Be communicated within the organization Be made available to interested parties

17 Support Management Commitment & Provision of Resources Establishing an ISMS policy Ensuring that ISMS objectives and plans are established Establishing roles and responsibilities for information security Communicating to the organization the importance of meeting information security objectives Conforming to the information security policy, its responsibilities under the law and the need for continual improvement Providing sufficient resources to establish, implement, operate, monitor, review, maintain and improve the ISMS Deciding the criteria for accepting risks and the acceptable levels of risk Ensuring that internal ISMS audits are conducted Conducting management reviews of the ISMS

18 Support Training Awareness & Competence The organization shall ensure that all personnel who are assigned responsibilities defined in the ISMS are competent to perform the required tasks by: determining the necessary competencies for personnel performing work effecting the ISMS; providing training or taking other actions (e.g. employing competent personnel) to satisfy these needs; evaluating the effectiveness of the actions taken; and maintaining records of education, training, skills, experience and qualifications

19 Framework for ISMS

20

21

22