1 Risk Assessment and Cloud Strategy Development: Getting it Right this Time! Barbara Endicott-Popovsky, PhD University of Washington Center of Information Assurance and Cybersecurity Kirsten Ferguson-Boucher Aberyswyth University, Wales Dept of Information Studies
2 If the Internet were a street, I wouldn t walk it in daytime 90% of traffic is spam 1-3% of all traffic is malicious Unprotected PC infected in minutes Organized crime makes more on the Internet than drugs fda7ha?docid=cng.a00f a06189a0276c763e93a4.131 Take from Internet >doubles e-commerce
3 It is not pretty out there CYBER-CRIME Courtesy: K. Bailey/E. Hayden, CISOs
5 Cyber Attack Sophistication Continues To Evolve High Intruder Knowledge Attack Sophistication Low disabling audits self-replicating code password guessing Source: CERT 2004 back doors sweepers exploiting known vulnerabilities password cracking packet spoofing burglaries sniffers hijacking sessions Cross site scripting stealth / advanced scanning techniques Staged denial of service attack distributed Tools attack tools www attacks automated probes/scans GUI network mgmt. diagnostics Attackers Technical Skills bots Courtesy: K. Bailey/E. Hayden, CISOs
6 What have we learned from our experiences with the Internet? DESIGN IN CYBER SECURITY!! 6
7 Internet Conceptual Design Requirements: Purpose: Connect limited number of trusted researchers Permit sharing of limited computer resources Survive subordinate-network losses Share research data Two communications Not considered: CYBER SECURITY! 7
8 What lessons can users transfer to the Cloud? DESIGN IN CYBER SECURITY!! 8
9 Center for Information Assurance and Cybersecurity NSA-CAE-R Projects Grants Publications Community Sponsors Research Research IP Consulting Directed Research Classes Workshops UW Certificates Agora Practitioner Community Community Outreach Academics PRCCDC IRMSCI Institute Unintended Consequences Lecture Series
10 The Ponemon Institute, April 2011 SECURITY OF CLOUD COMPUTING PROVIDERS STUDY 10
11 Summary Findings "These findings indicate that respondents overwhelmingly believe it is the responsibility of users of cloud computing to ensure the security of cloud resources they provide. The majority does not believe their cloud services include the protection of sensitive data. Further, only 19 percent of US cloud providers and 18 percent of European cloud providers strongly agree or agree that their organization perceives security as a competitive advantage in the cloud marketplace." 11
12 Cloud Provider Sample Size 12
13 Lack of Confidence in Security of Cloud Resources
14 Who is Most Responsible for Ensuring Security of Cloud Resources? 14
15 Country Locations of European Sample 15
16 Who is Most Concerned about Cloud Security
17 UK Perspective STORING INFORMATION IN THE CLOUD 17
18 Research aim: UK context Investigate the management, operational and technical issues surrounding the storage of information in the cloud and provide an overview of Cloud Computing uses and challenges relating to common records keeping practices Develop a toolkit to assist Information Professionals in assessing the risks and benefits of outsourcing information storage and processing in the cloud
19 Research methodology Literature Review on CC and Information Governance and Assurance Evidence still in early adoption stage in which technical concerns and product reviews dominate Consultations: Online questionnaire (further evidence of embryonic stage still to gain ground with information professionals in the UK ) Interviews (3 case studies Guardian Media Group, Melrose Resources and the Cabinet Office, UK government) Event Storing Information in the Cloud Unconference: Manchester, England
20 Survey results 30% have used CC for <1 17% are actively planning to use CC 41% interested but no active plans
21 Main concerns Destruction of data Loss of control over data Data protection Confidentiality Availability of service
22 Governance: What are the issues? Privacy/Data protection Compliance and e-discovery Integrity of data Confidentiality of data/unauthorised access Ability to audit service Loss of control over data and services
23 Unconference outcomes: RISK to the organisation Cloud computing is based on risk-assessment and establishing a trust relationship with providers Know the risks and make a choice!
24 Toolkit for outsourcing to the cloud Top ten questions 1. Which process, application and information can be moved to the cloud to gain efficiency and cost benefits while satisfying the organisation s security and compliance requirements? 2. How can the organisation be harmed if systems, applications, services or information are accessed by unauthorised people and information is being made available to the public? 3. How are information and systems protected against unauthorised access (e.g. hacking, interception, user misuse) by the cloud service provider? 4. How can the organisation ensure the integrity, authenticity and reliability of information stored in the cloud? 5. What are the organisation s responsibilities regarding the security of infrastructure and information in the cloud for the chosen cloud service and deployment models?
25 Toolkit for outsourcing to the cloud Top ten questions continued How can the organisation apply its records and information management programmes (e.g. classification, retention) to the cloud environment? What is the impact of outsourcing services and information to the cloud on the legislative and regulatory requirements of the organisation (e.g. DP, FOI, SOX, e-discovery, copyright, licensing etc.)? How should the organisation audit and monitor cloud services and establish relevant service level agreements? Will the organisation be able to negotiate contracts and agreements that fit their risk assessment and compliance environment? What are the total costs of setting up and managing the cloud services?
26 Top 10 of Cloud Computing Concerns these cluster loosely into those attendant with performance, specifically efficiency and cost, monitoring and total costs; those relating to alignment with organisational objectives i.e. organisational responsibility and impact of outsourcing; those associated with ensuring information assurance and value through information governance and assurance programmes and the protection of systems; the perceived risk to the organisation and the robustness of the contracts and outsourcing procedures figured highly in ranking.
27 Top 10 of Cloud Computing Concerns It is clear from the findings that many of the concerns associated with cloud computing relate to specifically to information governance and assurance, i.e. the handling of data in the cloud. Decisions must be taken after consideration of the wider context of organisational strategy.
28 Information Governance and Assurance They form part of a complex structure of assessments regarding information value, alignment, performance and assurance. All of these operate within an overreaching risk framework. VAAPR: pronounced Vapour: Value; Alignment, Assurance in Performance and Risk framework Holistic approach to information governance and assurance
29 Information Governance and Assurance Take advantage of changes in user practice for the organisational objectives Work in conjunction with existing processes and procedures Add value, but ensure assured and operating within performance and risk framework There are different concerns when preparing to use cloud computing services, to those most relevant when managing and ultimately operating in the cloud
30 Guide to data governance for privacy, confidentiality and compliance Data classification and quality; protective measures, data partitioning and processing; compliance and risk management, identity and access management; service integrity, endpoint integrity Moving into the cloud: viability, transparency, compliance Secure infrastructure, identity and access control, information protection, auditing and reporting Data privacy principles Risk/gap analysis
31 Toolkit for outsourcing to the cloud Preparing for the cloud Information classification Risk assessment Managing the cloud Information management Compliance Contract and cost Monitoring, auditing and reporting Operating in the cloud Security Availability Identity and access management
32 Preparing for the Cloud initial deliberations focus on alignment with business objectives: the legal framework in which organisations operate, the existing internal systems for staff and other resources, the IT infrastructure and central business drivers and current initiatives. different for each organisation, effective anticipation of the related risks and the identification of mitigation strategies. value added elements that information can bring to the organisation: identification of the information to be serviced in the cloud and some form of classification to enable its retrieval and effective usage.
33 Managing the Cloud assurance and performance aspects of information governance and assurance guarantees relating to the continuing authenticity, reliability and integrity of the information contracts and service agreements are the documents which embody these understandings and support the specific nature of these arrangements. cost/benefit analyses and indeed the wider performance measurements which can be used to assess how effective, efficient, flexible and therefore sufficient the cloud solution is proving necessitate constant monitoring. clear exit strategy continually reassessing and reapplying the risk criteria, across the spectrum of information governance concerns, a balanced approach to cloud usage is achievable.
34 Operating in the Cloud information assurance and information value: assessing policies and procedures for physical, personnel, infrastructure, information and access security. availability of the service, appropriate provision of access to information, business continuity: continuing access to information despite interruptions and failures at any stage of the lifecycle, combined approaches to governance and assurance challenges should ensure robust and comprehensive solutions.
35 Information management Consideration: ensure that information stored in the cloud will be managed according to the organisations information management and compliance programmes in order to maintain authenticity, reliability and integrity of information over time and to ensure that information is accessible and retrievable for legal and regulatory compliance.
36 Managing in the cloud: Information Management Rationale: The organisation needs to ensure that policies and procedures surrounding the management of the whole life-cycle of information are administered and validated for information stored in the cloud in the same way they are administered onsite. The main aspects of managing records are the classification, appraisal and disposal of information in order to improve efficiency and facilitate compliance
37 Questions - general What impact will the management of information stored in the cloud have on existing information management policies and procedures Can cloud providers assure that their information security systems can support the authenticity and reliability of the organization s information, including metadata and log files Will it be possible to show that information is fully encrypted and protected against unauthorised disclosure
38 Questions make and fix In what format is information created, transferred and stored in the cloud What implication does the format of information stored in the cloud have for access, retrieval and preservation What metadata can be applied to information stored in the cloud and can it be managed and searched Does the organisation need to apply additional metadata to information stored in the cloud than it would apply to information stored in-house? What kind of metadata would that be?
39 Questions keep and seek classified (full classification) and supplied with relevant metadata to ensure efficient identification and retrieval provisioned access and usage rights to categories of information retention and disposal schedules how are they applied and executed how will information be destroyed overwritten timescales available, audit and certification of destruction preservation needs permanent or long term retention transferred to digital archive? place of legal deposit? remain in the cloud?
40 Define the risks Legal Risk we don t ensure that the right stuff including the content, context and structure is selected to meet legal requirements Structural Risk we don t design systems and architecture so that the right stuff is suitably managed through out the lifecycle System Risk we don t monitor the activities throughout the lifecycle of the digital object Business Risk we don t monitor the activities sufficiently to ensure that the creators, managers and users are adhering to the rules and regulations that have been put in place
41 Risk framework Business Quadrant: data mining and security Legal Quadrant: data governance Controls Checks Access Appraisal Authenticity Confidentiality System Quadrant: data repositories/ warehousing Containers Preservation Availability Context Classification Reliability/ integrity Structure Quadrant: data classification and metadata
42 Solutions Business Quadrant: data mining and harvesting Legal Quadrant: data governance Controls: access security and enabling Checks: appraisal retention and disposal System Quadrant: data warehousing and repositories Containers: information assurance, digital preservation Context: Business classification schemesrecords plans and thesaurus Structure Quadrant: data classification and binding
43 Future Research little actual research has been undertaken to formally assess the impact of Cloud Computing on professional information management practice. Many existing publications focus predominantly on the technical issues and many of the wider compliance and organisational issues are not fully addressed issues relating to trust and understanding, relating to the benefits and also the challenges to organisational governance provided by moving digital assets to the cloud benefits in broadening the Cloud Computing Toolkit to include wider Information Governance and Assurance dimensions, which are of concern for all organisations in making any cloud or technology implementation decisions and which impact directly on the confidence of decision makers regarding their strategies genericized to for all information, regardless of format, to include data held on mobile technologies, social media and technologies of the future
44 Contact Information Kirsten Ferguson-Boucher Aberyswyth University, Wales Barbara Endicott-Popovsky University of Washington Center for Information Assurance and Cybersecurity 44
45 Questions? 45
46 Security of Cloud Computing Providers Study Ponemon Institute April,
47 (Cont d.)
48 A list of cloud computing resources relevant to the records and information management community has been made available on Google Docs and can be accessed at CCg7uaZGRxczNybndfMTZjODM4bXhmNw&hl= en. Everyone can contribute further relevant resources to the Google document. Online resources have been bookmarked in Delicious and are available at
49 Outcomes of the unconference in the form of participants concerns and suggestions widely inform the findings and recommendations of this report. Speaker sessions and participant feedback have been recorded and are available at The toolkit: ents/cloud_computing_toolkit-2.pdf
Defense-in-Depth Strategies for Secure, Open Remote Access to Control System Networks A look at multi-vendor access strategies Joel Langill TÜV FSEng ID-1772/09, CEH, CPT, CCNA Security Consultant / Staff
Beyond the Noise: More Complex Issues with Incident Response IFIP WG Meeting, June 30, 2006 David Dittrich Center for Information Assurance and Cybersecurity/ The Information School University of Washington
Quelle sécurité dans une banque? " Sécurité des transactions électroniques sur Internet et KYC" Genève- UIPF 27 Nov.2010 La mission de WISeKey est de faciliter la croissance économique globale en sécurisant
Evolving Optical Transport Network Security May 15, 2012 Prepared by: John Kimmins Executive Director 732-699-6188 firstname.lastname@example.org Copyright 2012 All Rights reserved 1 Outline Overview of Optical
Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session One Information Security and Challenges Agenda Overview of Information Security Management Information
Scotland s Commissioner for Children and Young People Records Management Policy 1 RECORDS MANAGEMENT POLICY OVERVIEW 2 Policy Statement 2 Scope 2 Relevant Legislation and Regulations 2 Policy Objectives
NETWORK SECURITY ASPECTS & VULNERABILITIES Luis Sousa Cardoso FIINA President Brdo pri Kranju, 19. in 20. maj 2003 1 Background Importance of Network Explosive growth of computers and network - To protect
Cyber Security - What Would a Breach Really Mean for your Business? August 2014 v1.0 As the internet has become increasingly important across every aspect of business, the risks posed by breaches to cyber
HACKING RELOADED Hacken IS simple! Christian H. Gresser email@example.com Agenda About NESEC IT-Security and control Systems Hacking is easy A short example where we currently are Possible solutions IT-security
Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations
Why patch? If you have already deployed a network architecture, such as the one recommended by Rockwell Automation and Cisco in the Converged Plantwide Ethernet Design and Implementation Guide (http://www.ab.com/networks/architectures.html),
LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed
Cloud Computing Security Considerations Roger Halbheer, Chief Security Advisor, Public Sector, EMEA Doug Cavit, Principal Security Strategist Lead, Trustworthy Computing, USA January 2010 1 Introduction
Information Commissioner s Office Information governance strategy 2014-16 Page 1 of 16 Contents 1.0 Executive summary 2.0 Introduction 3.0 ICO s corporate plan 2014-17 4.0 Regulatory environment 5.0 Scope
BotNets- Cyber Torrirism Battling the threats of internet Assoc. Prof. Dr. Sureswaran Ramadass National Advanced IPv6 Center - Director Why Talk About Botnets? Because Bot Statistics Suggest Assimilation
Information and records management NZQA Quality Management System Policy Purpose The purpose of this policy is to establish a framework for the management of corporate information and records within NZQA.
RECORDS MANAGEMENT POLICY Version 8.0 Purpose: For use by: This document is compliant with /supports compliance with: To outline the lifecycle of a record and to provide guidance on retention and disposal
Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,
DEPARTMENT OF INFORMATION STUDIES, ABERYSTWYTH UNIVERSITY Cloud Computing Toolkit Guidance for outsourcing information storage to the cloud Nicole Convery 26/08/2010 Toolkit to guide information professionals
CYBERSECURITY: ISSUES AND ISACA S RESPONSE Speaker: Renato Burazer, CISA,CISM,CRISC,CGEIT,CISSP KEY TRENDS AND DRIVERS OF SECURITY Consumerization Emerging Trends Continual Regulatory and Compliance Pressures
Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered
ICA Advanced Certificate in Cyber Security A professional qualification awarded in association with University of Manchester Business School An Introduction to the ICA Advanced Certificate In Cyber Security
6 th Floor, Tower A, 1 CyberCity, Ebene, Mauritius T + 230 403 6000 F + 230 403 6060 E ReachUs@abaxservices.com INFORMATION SECURITY POLICY DOCUMENT Information Security Policy Document Page 2 of 15 Introduction
INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER 3 APPLIES TO: ALL STAFF 4 COMMITTEE & DATE APPROVED: AUDIT COMMITTEE
An Approach to Records Management Audit DOCUMENT CONTROL Reference Number Version 1.0 Amendments Document objectives: Guidance to help establish Records Management audits Date of Issue 7 May 2007 INTRODUCTION
Cyber Security and Privacy Services Working in partnership with you to protect your organisation from cyber security threats and data theft 2 Cyber Security and Privacy Services What drives your security
Quick Guide To Information Governance Policies Data Protection The Data Protection Act 1998 established principles and rights in relation to the collection, use and storage of personal information by organisations.
Protecting Official Records as Evidence in the Cloud Environment Anne Thurston Introduction In a cloud computing environment, government records are held in virtual storage. A service provider looks after
Information and records management NZQA Quality Management System Policy Purpose The purpose of this policy is to establish a framework for the management of information and records within NZQA and assign
Microsoft s cybersecurity commitment Published January 2015 At Microsoft, we take the security and privacy of our customers data seriously. This focus has been core to our culture for more than a decade
Data Protection Act 1998 Bring your own device (BYOD) Contents Introduction... 3 Overview... 3 What the DPA says... 3 What is BYOD?... 4 What are the risks?... 4 What are the benefits?... 5 What to consider?...
RECORDS MANAGEMENT POLICY POLICY STATEMENT The records of Legal Aid NSW are a major component of its corporate memory and risk management strategies. They are a vital asset that support ongoing operations
Document Reference Number Date Title Author Owning Department Version Approval Date Review Date Approving Body UoG/ILS/IS 001 January 2016 Information Security and Assurance Policy Information Security
We help organizations protect INFORMATION The BorderHawk Team has significant experience assessing, analyzing, and designing information protection programs especially in Critical Infrastructure environments.
Information Security Manager: Architecture, Planning, and Governance (Instructor-led; 3 Days) Module I. Information Security Governance A. Introduction to Information Security Governance B. Overview of
Discard Create Inactive Life Cycle of Records Current Retain Use Semi-current Records Management Policy April 2014 Document title Records Management Policy April 2014 Document author and department Responsible
Overview Information in all its forms is a vital component of the digital environment in which we live and work. The protection of information in its physical form is well understood but the protection
G i Information Management Information Management Planning March 2005 Produced by Information Management Branch Open Government Service Alberta 3 rd Floor, Commerce Place 10155 102 Street Edmonton, Alberta,
Policy Statement Information is a strategic business resource that the must manage as a public trust on behalf of Nova Scotians. Effective information management makes program and service delivery more
SITA Information Security SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA September, 2012 Contents 1. Introduction... 3 1.1 Overview...
Monitoring and Logging Policy Document Status Security Classification Version 1.0 Level 1 - PUBLIC Status DRAFT Approval Life 3 Years Review By June 2012 Owner Secure Research Database Analyst Change History
Technical Competency Framework for Information Management (IM) Office of the Chief Information Officer (OCIO) June 15, 2009 Table of contents IM Competency Framework...1 Competency 1: Information Management
Digital Continuity Plan Ensuring that your business information remains accessible and usable for as long as it is needed Accessible and usable information Digital continuity Digital continuity is an approach
Reference number RM001 Approved by Information Management and Technology Board Date approved 23 rd November 2012 Version 1.1 Last revised July 2013 Review date May 2015 Category Records Management Owner
Four Top Emagined Security Services. www.emagined.com Emagined Security offers a variety of Security Services designed to support growing security needs. This brochure highlights four key Emagined Security
How to ensure control and security when moving to SaaS/cloud applications Stéphane Hurtaud Partner Information & Technology Risk Deloitte Laurent de la Vaissière Directeur Information & Technology Risk
WHAT ARE THE BENEFITS OF OUTSOURCING NETWORK SECURITY? Contents Introduction.... 3 What Types of Network Security Services are Available?... 4 Penetration Testing and Vulnerability Assessment... 4 Cyber
Information Technology Engineers Examination Information Security Specialist Examination (Level 4) Syllabus Details of Knowledge and Skills Required for the Information Technology Engineers Examination
Automating policy enforcement to prevent endpoint data loss IBM Data Security Services for endpoint data protection endpoint data loss prevention solution Highlights Protecting your business value from
Office of the Chief Information Officer Online File Storage BACKGROUND Online file storage services offer powerful and convenient methods to share files among collaborators, various computers, and mobile
CYBER SECURITY AND RISK MANAGEMENT An Executive level responsibility Cyberspace poses risks as well as opportunities Cyber security risks are a constantly evolving threat to an organisation s ability to
Overview This standard covers the competencies required to conduct security testing under supervision. In order to contribute to the determination of the level of resilience of an information system to
It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The
Records Management Plan April 2015 Prepared in accordance with the Public Records (Scotland) Act 2011 and submitted to the Keeper of the Records of Scotland for their agreement on 28 April 2015 (Revised
Public Record Office Victoria Cloud Computing Policy Guideline 1 Cloud Computing Decision Making Version Number: 1.0 Issue Date: 26/06/2013 Expiry Date: 26/06/2018 State of Victoria 2013 Version 1.0 Table
PARLIAMENTARY AND HEALTH SERVICE OMBUDSMAN Records Management Policy Version 4.0 Page 1 of 11 Document Control Title: Original Author(s): Owner: Reviewed by: Quality Assured by: File Location: Approval
CYBERSECURITY: ISSUES AND ISACA S RESPONSE June 2014 BILL S BIO Over 20 years experience in Information Security Management, Risk Management, Third Party Oversight and IT Audit. Vice President Controls
June 2006 Tiger Teams! The new face of Penetration Testing Justin Clarke CISSP CISM AIISP Ivan Phillips MSc MBCS CITP NCSA 1 Agenda Our talk will cover the following topics: Web Application Hacking PBX,
IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225
Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the
CYBERSECURITY: ISSUES AND ISACA S RESPONSE June 2014 KEY TRENDS AND DRIVERS OF SECURITY Consumerization Emerging Trends Continual Regulatory and Compliance Pressures Mobile devices Social media Cloud services
Introduction This tool is designed to cover all the relevant control areas of ISO / IEC 27001:2013. All sorts of organisations and Because it is a general tool, you may find the language challenging at
The Significance of Information Security and Privacy Controls on Law Firms as Third Party Service Providers and Collaborative Opportunities for Resolution April 2015 Abstract As regulators increase pressure
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
GPO Box 2343 Adelaide SA 5001 Tel (+61 8) 8204 8773 Fax (+61 8) 8204 8777 DX:336 firstname.lastname@example.org www.archives.sa.gov.au Cloud Computing and Records Management June 2015 Version 1 Version
Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction
University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant
ISO27032 Guidelines for Cyber Security Deloitte Point of View on analysing and implementing the guidelines Deloitte LLP Enterprise Risk Services Security & Resilience Contents Foreword 1 Cyber governance
University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October
Cloud security: A matter of trust? Dr Mark Ian Williams CEO, Muon Consulting I wandered lonely as a cloud... The academic, globe-trotting years: 1992 1993: Parallel software for PET scanner images in Geneva
Directorate of Performance Assurance INFORMATION GOVERNANCE POLICY Reference: DCP074 Version: 2.5 This version issued: 27/03/15 Result of last review: Minor changes Date approved by owner (if applicable):
ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements