Information security - PROVIDING PERSONAL AND PROFESSIONAL DEVELOPMENT FOR IT LEADERS
- Bryan Shannon Floyd
Slide 1: Information security 2005. The National Computing Centre, 2008.
Slide 2: The landscape of Information Security standards

"You can't undisclose a disclosure" (Gerry O'Neill, CEO, IISP)

[Chart: the plan-do-check-act cycle at the centre (Plan: what to do? Do: do what was planned. Check: did it go according to plan? Act: how do we do it better next time?), surrounded by the standards of the best-practice framework. The standard numbers did not survive extraction; the titles that did are: ISO 9001; TickIT; Capability Maturity Model; EFQM Excellence Model; Information security management systems requirements (BS); Information security: risk management (ISO); Framework for IT security assurance: analysis of assurance methods (ISO/IEC TR); Evidential weight and legal admissibility of electronic information (BS); Software life cycle processes (ISO/IEC); Corporate governance of information technology; Guidelines for requirements engineering tool capabilities (ISO/IEC); STARTS software techniques; Towards Software Excellence; Software process assessment (ISO); e-government Interoperability Framework (e-GIF); Quality characteristics (ISO/IEC); Guidelines for ICT disaster recovery services (ISO/IEC); Guidelines for the design and preparation of user documentation for application software (ISO); IT service management; IT service continuity; Control Objectives for Information and Related Technology (CobIT); Data Protection Act 1998; Accredit UK; "for Reliable, Trusted Systems".]

Chart caption: All business or service processes need the ability to go through iterative phases of plan-do-check-act. This chart shows how the top 8 national and international standards (emboldened text) form part of the best practice framework in information technology. This standards framework is the foundation for organisations to accept the technical standards of particular technologies, including those special to vendors.

- Introduce a corporate information security programme step-by-step
- Good practice security controls for information management
Slide 3: What the National Computing Centre does

[Chart of NCC services and the user communities they serve. Services: ITadviser, Benchmarks, Guidelines, Corporate Advisory Service, Seminars, Legal Guidance, Best Practice, Training, Research, Rapid Surveys, RFI service, Round Tables, Bespoke Reports, Advisory services, Human Firewall. Users: Home User, School User, Intermediary User, Small Business User, University User, Central Government User, Local Government User, National Infrastructure User, Corporate User, Technical Consultant, System Developer, System Analyst, System Tester, Technical Support.]

No. The National Computing Centre doesn't do escrow!
Slide 4: History (learning lessons)

- 1994: Security Breaches Survey
- 1995: DTI Code of Practice / BS 7799: Code of practice for information security (the catalogue of controls)
- 2000: ISO 17799 (aka BS 7799 Part 1): no certificates!
- 2002: BS 7799 Part 2 (plan-do-check-act): specification for an information security management system
- 2005: ISO (revised) := ISO (aka BS 7799 Part 2)
Slide 5: The landscape of Information Security standards
Slide 6: What they really mean

- ISO (BS 7799 Part 2): information security management system requirements; plan-do-check-act; like ISO 9001/ISO; certification benchmark
- ISO (ISO 17799; BS 7799 Part 1): code of practice; catalogue of 135 controls! Pick and mix using ISO; no certificates!
Slide 7: A taxonomy of treatment (not a wish list)

- Quality policy
- Preventive action
- Customer feedback
- Responsibility, authority and communication
- Measurement
- Resource management
- Product realisation
- Design and development review
- Human resources
- Purchasing
Slide 8: [The standards landscape chart from slide 2, shown again with the "Do: do what was planned" phase highlighted.]
Slide 9: ISO/IEC in 13 Steps 2005. The National Computing Centre, 2008.
Slide 10: Project plan

(1) Senior management acceptance and endorsement of security
(2) Information security organisation and infrastructure
(3) High level security policy
(4) Staff training and education creating security awareness
(5) Identify and classify the assets
(6) Risk assessment
(7) Risk treatment plan
(8) Security standards document (control measures)
(9) Statement of applicability
(10) System security plans and procedures
(11) Monitor and review the ISMS performance
(12) Maintain the ISMS; continuous improvement
(13) Extending the scope
Slide 22: The ISMS cycle

[Chart of seven stages, each with the questions the chart attaches to it:]

- 1. Scope: What assets are we protecting? Asset ownership?
- 2. Policy: What is our commitment to security? What level of risk can we accept?
- 3. Risk Assessment: How serious are the threats to our assets? How much risk can we accept for each asset?
- 4. Security Controls: How is risk kept to acceptable levels?
- 5. Applicability: Which assets are protected by which controls?
- 6. Business Continuity: What are the priorities for the business? (Test, Update, Invoke)
- 7. Processes: How do we do all this? Are we achieving set service level measures? (includes (10) System security plans and procedures)

Other labels on the chart: Security Incidents (attached to stages 4, 6 and 7), Reappraise, Management, Controlled Cost.
Slide 24: Project plan (as slide 10), with the time, quality, cost and content trade-offs overlaid.
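As an added worked example (not from the NCC deck or from any standard), steps (5) to (9) of the project plan turned into a small risk register: assets with owners, classification and impact; threats with likelihood; a management-set risk acceptance level; controls picked from a catalogue until the residual risk is acceptable; and a statement of applicability answering slide 22's "which assets are protected by which controls?". All assets, scores and control identifiers are constructed; real ISMS work would cite the ISO/IEC 27002 control numbers.

```python
"""Steps 5 to 9 of the 13-step ISMS plan as data and code. All assets, threats, scores
and control identifiers below are constructed for illustration, not taken from a standard."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

@dataclass(frozen=True)
class Asset:
    name: str
    owner: str            # step 5: every asset has a named owner
    classification: str   # step 5: classification drives the impact score
    impact: int           # 1 (negligible) .. 5 (severe) if the asset is compromised

@dataclass(frozen=True)
class Threat:
    asset: str
    description: str
    likelihood: int       # 1 (rare) .. 5 (almost certain)

@dataclass(frozen=True)
class Control:
    control_id: str             # constructed ids, not ISO/IEC 27002 control numbers
    title: str
    mitigates: FrozenSet[str]   # threat descriptions this control reduces
    reduction: int              # likelihood points removed once the control is in place

@dataclass
class Treatment:
    asset: str
    threat: str
    inherent: int
    residual: int
    controls: List[str]
    decision: str               # "accept", "mitigate" or "escalate"

RISK_ACCEPTANCE = 6   # step 3 policy decision: residual impact x likelihood <= 6 is accepted

def treat_one(asset: Asset, threat: Threat, catalogue: List[Control],
              acceptance: int = RISK_ACCEPTANCE) -> Treatment:
    """Steps 6 and 7 for one asset/threat pair: score the inherent risk, then pick
    controls from the catalogue (in order) until the residual risk is acceptable."""
    likelihood, applied = threat.likelihood, []
    inherent = asset.impact * likelihood
    decision = "accept" if inherent <= acceptance else "escalate"
    for control in catalogue:
        if decision != "escalate" or threat.description not in control.mitigates:
            continue
        applied.append(control.control_id)
        likelihood = max(1, likelihood - control.reduction)   # no control makes a threat impossible
        if asset.impact * likelihood <= acceptance:
            decision = "mitigate"
    # "escalate" means the catalogue is exhausted and the risk is still above the acceptance
    # level: management must decide to avoid, transfer or formally accept it (step 1 matters here).
    return Treatment(asset.name, threat.description, inherent, asset.impact * likelihood, applied, decision)

def assess(assets: List[Asset], threats: List[Threat], catalogue: List[Control],
           acceptance: int = RISK_ACCEPTANCE) -> List[Treatment]:
    by_name = {a.name: a for a in assets}
    return [treat_one(by_name[t.asset], t, catalogue, acceptance) for t in threats]

def statement_of_applicability(treatments: List[Treatment], catalogue: List[Control]) -> Dict[str, dict]:
    """Step 9: for every catalogue control, record whether it is selected, which assets it
    protects and why; controls that are not selected are listed with a justification too."""
    soa: Dict[str, dict] = {}
    for control in catalogue:
        users = [t for t in treatments if control.control_id in t.controls]
        soa[control.control_id] = {
            "title": control.title,
            "applicable": bool(users),
            "assets": sorted({t.asset for t in users}),
            "justification": ("treats: " + ", ".join(sorted({t.threat for t in users})) if users
                              else "excluded: no assessed risk above the acceptance level needs it"),
        }
    return soa

# Constructed sample register (not from the NCC deck).
ASSETS = [
    Asset("customer database", "head of sales", "confidential", 5),
    Asset("public website", "marketing", "public", 2),
    Asset("backup tapes", "IT operations", "confidential", 4),
    Asset("legacy payroll system", "finance", "confidential", 5),
]
THREATS = [
    Threat("customer database", "unauthorised access", 4),
    Threat("customer database", "data loss", 3),
    Threat("public website", "defacement", 3),
    Threat("backup tapes", "loss in transit", 3),
    Threat("legacy payroll system", "unsupported software", 5),
]
CATALOGUE = [
    Control("C-ACCESS", "Access control policy", frozenset({"unauthorised access"}), 2),
    Control("C-MEDIA", "Physical media in transit", frozenset({"loss in transit"}), 1),
    Control("C-CRYPTO", "Encryption of stored data", frozenset({"unauthorised access", "loss in transit"}), 2),
    Control("C-BACKUP", "Information backup", frozenset({"data loss"}), 2),
    Control("C-PATCH", "Technical vulnerability management", frozenset({"defacement", "unsupported software"}), 1),
    Control("C-CLEARDESK", "Clear desk and clear screen", frozenset(), 1),
]

if __name__ == "__main__":
    treatments = assess(ASSETS, THREATS, CATALOGUE)
    for t in treatments:
        print(f"{t.asset:22} {t.threat:20} inherent={t.inherent:2} residual={t.residual:2} {t.decision:8} {t.controls}")
    for cid, row in statement_of_applicability(treatments, CATALOGUE).items():
        print(f"{cid:12} applicable={row['applicable']!s:5} {row['justification']}")
```

The "escalate" outcome for the payroll system is the case the deck's step (1) exists for: no control in the catalogue brings the risk down to the accepted level, so the decision goes back to senior management rather than being buried in the register.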
Slide 26: Protection of organizational records (ISO/IEC 27002:2007)

- Categorise records; manage according to impact level
- Protect against deterioration
- Long-term storage: use paper and microfiche (encrypt?!)
- Guide retention, storage media type, handling and disposal to meet business, statutory, regulatory or contractual requirements
- Keep an inventory of sources of key information
- Implement procedures (with/without technology) to protect records and information from loss, destruction and falsification
- Store cryptographic keys and programs to enable decryption
- See ISO: ISMS = RMS (chart labels: ISMS, IT)
Slide 27: Final thought

- 2008: the year of lost data (UK)
- 2009: the year of encryption
- 2010: the year of lost encryption keys

Think: retrieval and retention, not loss. Good security is an enabler.
Slide 29: PAS 77:2006 IT Service continuity
More informationImproving Residual Risk Management Through the Use of Security Metrics
Improving Residual Risk Management Through the Use of Security Metrics Every investment in security should be effective in reducing risk, but how do you measure it? Jonathan Pagett and Siaw-Lynn Ng introduce
More informationCriticism of Implementation of ITSM & ISO20000 in IT Banking Industry. Presented by: Agus Sutiawan, MIT, CISA, CISM, ITIL, BSMR3
Criticism of Implementation of ITSM & ISO20000 in IT Banking Industry Presented by: Agus Sutiawan, MIT, CISA, CISM, ITIL, BSMR3 Outline What is IT Service Management What is ISO 20000 Step by step implementation
More informationInformation Governance Strategy & Policy
Information Governance Strategy & Policy March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aims 1 3 Policy 2 4 Responsibilities 3 5 Information Governance Reporting Structure 4 6 Managing Information
More informationNewcastle University Information Security Procedures Version 3
Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations
More informationInformation security management systems Specification with guidance for use
BRITISH STANDARD BS 7799-2:2002 Information security management systems Specification with guidance for use ICS 03.100.01; 35.020 This British Standard, having been prepared under the direction of the
More informationHIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT
HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT A Review List This paper was put together with Security in mind, ISO, and HIPAA, for guidance as you move into a cloud deployment Dr.
More informationInformation Management Strategy. July 2012
Information Management Strategy July 2012 Contents Executive summary 6 Introduction 9 Corporate context 10 Objective one: An appropriate IM structure 11 Objective two: An effective policy framework 13
More informationiso20000templates.com
iso20000templates.com Public IT Limited 2011 IT Service Policy Document Ref. ITSM01001 Version: 1.0 Draft 1 Document Author: Document Owner: V 1.0 Draft 1 Page 1 of 11 Revision History Version Date RFC
More informationLORD CHANCELLOR S CODE OF PRACTICE ON THE MANAGEMENT OF RECORDS UNDER
LORD CHANCELLOR S CODE OF PRACTICE ON THE MANAGEMENT OF RECORDS UNDER SECTION 46 OF THE FREEDOM OF INFORMATION ACT 2000 NOVEMBER 2002 Presented to Parliament by the Lord Chancellor Pursuant to section
More informationNERC Cyber Security. Compliance Consulting. Services. HCL Governance, Risk & Compliance Practice
NERC Cyber Security Compliance Consulting Services HCL Governance, Risk & Compliance Practice Overview The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to
More informationSafeguards Frameworks and Controls. Security Functions Parker, D. B. (1984). The Many Faces of Data Vulnerability. IEEE Spectrum, 21(5), 46-49.
Safeguards Frameworks and Controls Theory of Secure Information Systems Features: Safeguards and Controls Richard Baskerville T 1 F 1 O 1 T 2 F 2 O 2 T 3 F 3 O 3 T 4... T n...... F l O m T F O Security
More informationInformation and records management. Purpose. Scope. Policy
Information and records management NZQA Quality Management System Policy Purpose The purpose of this policy is to establish a framework for the management of corporate information and records within NZQA.
More informationNSW Government. Cloud Services Policy and Guidelines
NSW Government Cloud Services Policy and Guidelines August 2013 CONTENTS 1. Introduction 2 1.1 Policy statement 3 1.2 Purpose 3 1.3 Scope 3 1.4 Responsibility 3 2. Cloud services for NSW Government 4 2.1
More informationA Flexible and Comprehensive Approach to a Cloud Compliance Program
A Flexible and Comprehensive Approach to a Cloud Compliance Program Stuart Aston Microsoft UK Session ID: SPO-201 Session Classification: General Interest Compliance in the cloud Transparency Responsibility
More informationHighland Council Information Security Policy
Highland Council Information Security Policy Document Owner: Vicki Nairn, Head of Digital Transformation Page 1 of 16 Contents 1. Document Control... 4 Version History... 4 Document Authors... 4 Distribution...
More informationFREEDOM OF INFORMATION (SCOTLAND) ACT 2002 CODE OF PRACTICE ON RECORDS MANAGEMENT
FREEDOM OF INFORMATION (SCOTLAND) ACT 2002 CODE OF PRACTICE ON RECORDS MANAGEMENT November 2003 Laid before the Scottish Parliament on 10th November 2003 pursuant to section 61(6) of the Freedom of Information
More informationISO/IEC 27001 Information Security Management. Securing your information assets Product Guide
ISO/IEC 27001 Information Security Management Securing your information assets Product Guide What is ISO/IEC 27001? ISO/IEC 27001 is the international standard for information security management and details
More informationISO 27001 COMPLIANCE WITH OBSERVEIT
ISO 27001 COMPLIANCE WITH OBSERVEIT OVERVIEW ISO/IEC 27001 is a framework of policies and procedures that include all legal, physical and technical controls involved in an organization s information risk
More informationComputer Security course
Computer Security course Risk Analysis Erland Jonsson (based on material from Lawrie Brown) Department of Computer Science and Engineering Chalmers University of Technology Sweden Security Management Overview
More informationClient information note Assessment process Management systems service outline
Client information note Assessment process Management systems service outline Overview The accreditation requirements define that there are four elements to the assessment process: assessment of the system
More informationBusiness Operations. Module Db. Capita s Combined Offer for Business & Enforcement Operations delivers many overarching benefits for TfL:
Module Db Technical Solution Capita s Combined Offer for Business & Enforcement Operations delivers many overarching benefits for TfL: Cost is reduced through greater economies of scale, removal of duplication
More informationUK Permanent Salary Index - 2015
1 SYSTEM INTEGRATORS & CONSULTANCIES Job Title Guidelines 8 9 2010 2011 2012 2013 2014 Information & Risk IT Officer Project & Risk Consultant Analyst Part of a team in a large organisation responsible
More informationCompetency Unit: Exemplar Global SCY Security Management Systems Auditing
Please visit: www.exemplarglobal.org for your region s Principal Office contact details. Email: info@exemplarglobal.org Competency Unit: Exemplar Global SCY Security Management Systems Auditing How to
More informationCleveland Police. Data protection audit report. Executive summary November 2014
Cleveland Police Data protection audit report Executive summary November 2014 1. Background The Information Commissioner is responsible for enforcing and promoting compliance with the Data Protection Act
More informationCLASSIFICATION SPECIFICATION FORM
www.mpi.mb.ca CLASSIFICATION SPECIFICATION FORM Human Resources CLASSIFICATION TITLE: POSITION TITLE: (If different from above) DEPARTMENT: DIVISION: LOCATION: Executive Director Executive Director, Information
More informationIT Governance: The benefits of an Information Security Management System
IT Governance: The benefits of an Information Security Management System Katerina Cai, CISSP Hewlett-Packard 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to
More informationThird Party Identity Services Assurance Framework. Information Security Registered Assessors Program Guide
Third Party Identity Services Assurance Framework Information Security Registered Assessors Program Guide Version 2.0 December 2015 Digital Transformation Office Commonwealth of Australia 2015 This work
More informationISO 27000 Information Security Management Systems Foundation
ISO 27000 Information Security Management Systems Foundation Professional Certifications Sample Questions Sample Questions 1. is one of the industry standards/best practices in Service Management and Quality
More informationWe then give an overall assurance rating (as described below) indicating the extent to which controls are in place and are effective.
Good Practice Audit outcomes analysis Police Forces April 2013 to April 2014 This report is based on the final audit reports the ICO completed in the Criminal Justice sector, specifically of Police forces,
More informationEXECUTIVE STRATEGY BRIEF. Securing the Cloud Infrastructure. Cloud. Resources
EXECUTIVE STRATEGY BRIEF Securing the Cloud Infrastructure Cloud Resources 01 Securing the Cloud Infrastructure / Executive Strategy Brief Securing the Cloud Infrastructure Microsoft recognizes that trust
More informationSITA Service Management Strategy Implementation. Presented by: SITA Service Management Centre
SITA Service Management Strategy Implementation Presented by: SITA Service Management Centre Contents What is a Service? What is Service Management? SITA Service Management Strategy Methodology Service
More informationHIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements
HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical
More information08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview
Data protection and compliance In the cloud and in your data center 1 November 2013 Agenda 1 Introduction 2 Data protection overview 3 Understanding the cloud 4 Where do I start? 5 Wrap-up Page 2 Data
More informationInformation Governance Policy
Information Governance Policy Version: 4 Bodies consulted: Caldicott Guardian, IM&T Directors Approved by: MT Date Approved: 27/10/2015 Lead Manager: Governance Manager Responsible Director: SIRO Date
More informationISO20000: What it is and how it relates to ITIL v3
ISO20000: What it is and how it relates to ITIL v3 John DiMaria; Certified Six Sigma BB, HISP BSI Product Manager; ICT (ISMS,ITSM,BCM) Objectives and Agenda To raise awareness, to inform and to enthuse
More information