Course: Information Security Management in e-governance. Day 1. Session 3: Models and Frameworks for Information Security Management
- Charles Brown
Slide 2: Agenda
Introduction to the enterprise security framework
Overview of security models, frameworks and standards
Salient features of the ISO security standards
Slide 3: What is Information Security?
ISO 27001:2005 defines it through three properties:
Confidentiality: the property that information is not made available or disclosed to unauthorized individuals, entities (programs), or processes.
Integrity: the property of safeguarding the accuracy and completeness of assets.
Availability: the property of being accessible and usable upon demand by an authorized entity.
Slide 4: Who Should be Concerned?
Users: standards will affect them the most.
System support personnel: they will be required to implement, adapt and support the standards.
Executive management: concerned about protection of data and the associated cost of the policy / standards.
Slide 5: Role of Standards
Manage information security
Identify assets and protect them appropriately
Reduce the risks of human error, theft, fraud or misuse of facilities
Prevent unauthorized access, damage and interference to business
Ensure the correct and secure operation of information processing facilities
Control access to information
Ensure security is built into information systems
Counteract interruptions to business activities
Avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations
Slide 6: Why Best Practices are Important
Today, the effective use of best practices can help avoid re-inventing wheels, optimize the use of scarce IT resources and reduce the occurrence of major IT risks, such as:
Project failures
Wasted investments
Security breaches
System crashes
Failures by service providers to understand and meet customer requirements
Slide 7: Why Best Practices are Important (continued)
COBIT, ITIL and ISO are valuable to the ongoing growth and success of an organization because:
Companies are demanding better returns from IT investments
Best practices help meet regulatory requirements for IT controls
Organizations face increasingly complex IT-related risks
Organizations can optimize costs by standardizing controls
Best practices help organizations assess how IT is performing
Management of IT is critical to the success of enterprise strategy
They help enable effective governance of IT activities
A management framework helps staff understand what to do (policy, internal controls and defined practices)
They can provide efficiency gains, less reliance on experts, fewer errors, increased trust from business partners and respect from regulators
Slide 8: Benefits
Productivity: audit/review savings
Breaking barriers: business relationships
Self-analysis
Security awareness
Targeting of security
'Baseline' security and policy consistency
Communication
Slide 9: After Adopting Standards
Moved towards international best practice
Manage the breadth and depth of information risk
Build confidence in third parties
Reduce the likelihood of disruption from major incidents
Fight the growing threats of cybercrime
Comply with legal and regulatory requirements
Maintain business integrity
Citizens' confidence: most important
Slide 10: Approach in Implementing Standards
Support from top management
Risk management: accept, mitigate, transfer
Well-developed security policy
Effective implementation of policy
User awareness is most important
Prevention is better than cure
Periodic review / audit
Understand fundamental system functionality
Identify security issues due to gaps
Slide 11: Integrated IS Framework
[Diagram: the areas service management, information security, project management, application delivery, business continuity and IT operations, overlaid with the frameworks and standards that cover them: COBIT, ITIL, ISO, ISO 27K, PMI, CMM and BS.]
Slide 12: Some of the Standards - Overview
Environment (ISO 14001)
Business continuity (BS 25999)
Quality (ISO 9001:2000, QS 9000)
Organization improvement (ISO 9004)
Governance (COBIT)
Information security (ISO 27001, 27002)
Customers (BS 8600)
Slide 13: ISO
Slide 14: History of ISO - Timeline
1992: The Department of Trade and Industry (DTI), which is part of the UK Government, publishes a 'Code of Practice for Information Security Management'.
This document is amended and re-published by the British Standards Institute (BSI) in 1995 as BS
Support and compliance tools begin to emerge, such as COBRA.
The first major revision of BS7799 is published. This included many major enhancements.
Accreditation and certification schemes are launched. LRQA and BSI are the first certification bodies.
Slide 15: History of ISO - The Timeline (continued)
2000: In December, BS7799 is again re-published, this time as a fast-tracked ISO standard. It becomes ISO (or more formally, ISO/IEC 17799).
The 'ISO Toolkit' is launched.
A second part to the standard is published: BS . This is an Information Security Management Specification, rather than a code of practice. It begins the process of alignment with other management standards such as ISO .
A new version of ISO is published. This includes two new sections, and closer alignment with BS processes.
ISO is published, replacing BS7799-2, which is withdrawn. This is a specification for an ISMS (information security management system), which aligns with ISO and is compatible with ISO 9001 and ISO .
Slide 16: Where did it come from?
BS7799 was conceived as a technology-neutral, vendor-neutral management system that, properly implemented, would enable an organization's management to assure itself that its information security measures and arrangements were effective.
From the outset, BS7799 focused on protecting the availability, confidentiality and integrity of organizational information, and these remain, today, the driving objectives of the standard.
BS7799 was originally just a single standard, and had the status of a Code of Practice. In other words, it provided guidance for organizations, but had not been written as a specification that could form the basis of an external third-party verification and certification scheme.
Slide 17: Overview of ISO (base standard)
Published standards:
ISO/IEC the certification standard against which organizations' ISMS may be certified (published in 2005)
ISO/IEC the re-naming of the existing standard ISO (last revised in 2005, and renumbered ISO/IEC 27002:2005 in July 2007)
ISO/IEC a guide to the certification/registration process (published in 2007)
In preparation:
ISO/IEC a standard vocabulary for the ISMS standards
ISO/IEC a new ISMS implementation guide
ISO/IEC a new standard for information security management measurements
ISO/IEC a proposed standard for risk management
ISO/IEC a guideline for auditing information security management systems
ISO/IEC a guideline for telecommunications in information security management systems
ISO/IEC guidance on implementing ISO/IEC in the healthcare industry
Slide 18: Well-known ISO standards in the 27xxx series
ISO This is the specification for an information security management system and replaces the old BS
ISO This is the new standard number of the existing ISO standard
ISO Designated number for a new standard covering information security management measurement and metrics
ISO Emerging standard for information security risk management
Slide 19: Where does ISO / fit in?
Slide 20: Implementation context for PDCA
The ISO Information Security Management System (ISMS) adopts the PDCA model:
Plan (design phase): establish the objectives and processes necessary to deliver results in accordance with the specifications.
Do (implementation phase): implement the processes.
Check, also known as Study (assessment phase): monitor and evaluate the processes and results against objectives and specifications, and report the outcome.
Act (manage, authorize phase): apply actions to the outcome for necessary improvement. This means reviewing all steps (Plan, Do, Check, Act) and modifying the process to improve it before its next implementation.
Slide 21: PDCA Process
[Diagram: the ISMS process cycle under management responsibility. Interested parties' information security requirements and expectations feed in; PLAN establishes the ISMS, DO implements and operates it, CHECK monitors and reviews it, ACT maintains and improves it; the output delivered to interested parties is managed information security.]
Slide 22: BS ISO/IEC 27002:2005 (aka ISO 27002)
The international standard that establishes the guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization.
The full title of this standard is: Information technology. Security techniques. Code of practice for information security management.
The standard is technology independent, focusing on:
Management aspects of information security
Defining controls in a generic sense so that they are applicable across different applications, platforms, and technologies
Slide 23: Structure and Format of ISO
The standard is:
A code of practice: a generic, advisory document, not truly a standard or formal specification
A reasonably well-structured set of suggested controls to address information security risks, covering confidentiality, integrity and availability aspects
It specifies 39 control objectives:
To protect information assets against threats to their confidentiality, integrity and availability
Which comprise a generic functional requirements specification for an organization's information security management controls architecture
And it suggests literally hundreds of best-practice information security control measures
Slide 24: Structure and Format of ISO
The formal standard is arranged in the following sections:
0. Introduction
1. Scope
2. Terms and definitions
3. Structure of this standard
4. Risk assessment
The actual control domains and detailed controls begin with Section 5.
Section 5: Security policy
Management should:
Define a policy to clarify their direction of, and support for, information security
Provide a high-level information security policy statement identifying key information security directives and mandates for the entire organization
Support the policy by a comprehensive suite of more detailed corporate information security policies, typically in the form of an information security policy manual. The policy manual in turn is supported by a set of information security standards, procedures and guidelines.
Slide 25: Structure and Format of ISO
Section 6: Organization of information security
A suitable information security governance structure should be designed and implemented.
6.1 Internal organization: The organization should have a management framework for information security. Senior management should approve information security policies. Roles and responsibilities should be defined. Information security should be independently reviewed.
6.2 External parties: Information security should not be compromised by the introduction of third-party products or services. Risks should be assessed and mitigated when dealing with customers and in third-party agreements.
Slide 26: Structure and Format of ISO
Section 7: Asset management
The organization should be in a position to understand what information assets it holds, and to manage their security appropriately.
7.1 Responsibility for assets: All [information] assets should be accounted for and have a nominated owner. The inventory should record ownership and location of the assets, and owners should identify acceptable uses. An inventory of information assets should be maintained, including:
IT hardware and software
Data storage media
Computer room air conditioners and UPSs, and ICT services
System documentation
7.2 Information classification: Information should be classified according to its need for security protection and labeled accordingly.
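The Section 7 points above translate directly into a check an auditor or security officer can run over an asset register. The following is an added example, not code from the course slides: it validates a constructed inventory against the 7.1 expectations (every asset accounted for, with a nominated owner, a recorded location and an owner-identified acceptable use) and the 7.2 expectation that each asset carries a classification label. The classification labels, asset categories and field names are assumptions; the standard requires labelling but leaves the scheme to the organisation.

```python
# Added example (not from the course slides): checker for an information-asset
# inventory against the ISO/IEC 27002 Section 7 points summarised above.
# 7.1: accounted for, nominated owner, location recorded, acceptable use identified.
# 7.2: classified and labelled. Sample rows and the label scheme are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed classification scheme; the standard does not prescribe the labels.
CLASSIFICATION_LABELS = ("PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED")

# Asset categories the slide lists as belonging in the inventory.
ASSET_TYPES = ("hardware", "software", "media", "facility", "service", "documentation")


@dataclass
class Asset:
    asset_id: str
    asset_type: str
    owner: Optional[str]
    location: Optional[str]
    acceptable_use: Optional[str]
    classification: Optional[str]


def inventory_findings(assets: List[Asset]) -> Dict[str, List[str]]:
    """Return asset_id -> list of control gaps. An empty dict means every
    asset satisfies the 7.1 and 7.2 checks."""
    findings: Dict[str, List[str]] = {}
    seen = set()
    for a in assets:
        gaps = []
        if a.asset_id in seen:  # the same asset recorded twice is not "accounted for"
            gaps.append("duplicate asset id")
        seen.add(a.asset_id)
        if a.asset_type not in ASSET_TYPES:
            gaps.append(f"unknown asset type '{a.asset_type}'")
        if not a.owner:
            gaps.append("no nominated owner (7.1)")
        if not a.location:
            gaps.append("location not recorded (7.1)")
        if not a.acceptable_use:
            gaps.append("acceptable use not identified (7.1)")
        if a.classification not in CLASSIFICATION_LABELS:
            gaps.append("missing or invalid classification label (7.2)")
        if gaps:
            findings.setdefault(a.asset_id, []).extend(gaps)
    return findings


def ownership_coverage(assets: List[Asset]) -> float:
    """Share of assets with a nominated owner, a simple KPI for the register."""
    if not assets:
        return 0.0
    return sum(1 for a in assets if a.owner) / len(assets)


# Constructed sample inventory for a small e-governance deployment.
SAMPLE_INVENTORY = [
    Asset("HW-001", "hardware", "Infrastructure Lead", "DC-1 rack 4", "Production hosting", "INTERNAL"),
    Asset("SW-010", "software", "Portal Owner", "HW-001", "Citizen services portal", "CONFIDENTIAL"),
    Asset("MD-003", "media", None, "Offsite vault", "Backup tapes", "RESTRICTED"),
    Asset("FC-001", "facility", "Facilities Manager", "DC-1", None, None),
]

if __name__ == "__main__":
    for asset_id, gaps in inventory_findings(SAMPLE_INVENTORY).items():
        print(asset_id, "->", "; ".join(gaps))
    print(f"ownership coverage: {ownership_coverage(SAMPLE_INVENTORY):.0%}")
```

Run as a script, the sample reports the backup tapes without an owner and the facility without an acceptable-use statement or classification; the ownership coverage KPI gives a one-number view for the management review that Section 6 calls for.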
Slide 27: Structure and Format of ISO
Section 8: Human resources security
The organization should manage system access rights etc. for joiners, movers and leavers, and should undertake suitable security awareness, training and educational activities.
8.1 Prior to employment: Security responsibilities should be taken into account when recruiting permanent employees, contractors and temporary staff.
8.2 During employment: Management responsibilities regarding information security should be defined. Employees and third-party IT users should be educated and trained in security procedures. A formal disciplinary process is necessary to handle security breaches.
8.3 Termination or change of employment: Security aspects of a person's exit from the organization (e.g. the return of corporate assets and removal of access rights) or change of responsibilities.
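The joiners/movers/leavers point in Section 8 is usually verified by reconciling the identity directory against HR records. The following is an added example, not code from the course slides: it flags enabled accounts of people whose employment has ended (8.3, removal of access rights), accounts that retain group memberships their current department does not entitle (a mover who kept old rights), and enabled accounts with no HR record at all. Both data sets are constructed samples, and the field names and the department-to-group entitlement table are assumptions; in practice they come from the HR system and the directory.

```python
# Added example (not from the course slides): reconcile an identity directory
# against HR records for the ISO/IEC 27002 Section 8 joiners/movers/leavers
# controls, in particular 8.3 (removal of access rights on exit or change of
# responsibilities). Data sets, field names and entitlements are constructed.
from datetime import date
from typing import Dict, FrozenSet, List, NamedTuple, Optional


class HrRecord(NamedTuple):
    person_id: str
    department: str
    end_date: Optional[date]  # None while still employed


class Account(NamedTuple):
    username: str
    person_id: Optional[str]  # None when the account is not linked to a person
    enabled: bool
    groups: FrozenSet[str]    # access groups granted in the directory


# Assumed entitlements: the groups each department may hold. Anything beyond
# this on an enabled account needs a documented justification.
DEPARTMENT_GROUPS: Dict[str, FrozenSet[str]] = {
    "finance": frozenset({"fin-users"}),
    "ict": frozenset({"ict-admins"}),
}


def reconcile(hr: List[HrRecord], accounts: List[Account], as_of: date) -> Dict[str, List[str]]:
    """Return username -> findings for enabled accounts that HR data does not
    justify. Disabled accounts are skipped because they no longer grant access."""
    by_person = {r.person_id: r for r in hr}
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        if not acct.enabled:
            continue
        issues: List[str] = []
        rec = by_person.get(acct.person_id) if acct.person_id else None
        if rec is None:
            issues.append("enabled account with no HR record")
        else:
            if rec.end_date is not None and rec.end_date <= as_of:
                days = (as_of - rec.end_date).days
                issues.append(f"leaver still enabled {days} day(s) after exit (8.3)")
            extra = acct.groups - DEPARTMENT_GROUPS.get(rec.department, frozenset())
            if extra:
                issues.append(f"groups not entitled by department '{rec.department}': {sorted(extra)} (8.3)")
        if issues:
            findings[acct.username] = issues
    return findings


# Constructed sample: P2 left ICT on 31 January; P3 moved from ICT to finance.
SAMPLE_HR = [
    HrRecord("P1", "finance", None),
    HrRecord("P2", "ict", date(2024, 1, 31)),
    HrRecord("P3", "finance", None),
]
SAMPLE_ACCOUNTS = [
    Account("alice", "P1", True, frozenset({"fin-users"})),
    Account("bob", "P2", True, frozenset({"ict-admins"})),
    Account("carol", "P3", True, frozenset({"fin-users", "ict-admins"})),
    Account("svc-backup", None, True, frozenset({"backup-operators"})),
    Account("dave", "P4", False, frozenset({"fin-users"})),
]
AS_OF = date(2024, 2, 15)  # review date for the constructed sample

if __name__ == "__main__":
    for user, issues in reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS, AS_OF).items():
        print(user, "->", "; ".join(issues))
```

The unlinked service account is reported rather than silently accepted: Section 7 expects every asset, accounts included, to have a nominated owner, so the fix is to record one, not to exempt the account from the check.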
Slide 28: Structure and Format of ISO
Section 9: Physical and environmental security
Valuable IT equipment should be physically protected against malicious or accidental damage or loss, overheating, loss of mains power etc.
9.1 Secure areas: This section describes the need for concentric layers of physical controls to protect sensitive IT facilities from unauthorized access.
9.2 Equipment security: Critical IT equipment, cabling and so on should be protected against physical damage, fire, flood, theft etc., both on- and off-site. Power supplies and cabling should be secured. IT equipment should be maintained properly and disposed of securely.
Slide 29: Structure and Format of ISO
Section 10: Communications and operations management
This lengthy, detailed section of the standard describes security controls for systems and network management:
Operational procedures and responsibilities
10.2 Third party service delivery management
10.3 System planning and acceptance
10.4 Protection against malicious and mobile code
10.5 Back-up
10.6 Network security management
10.7 Media handling
10.8 Exchange of information
10.9 Electronic commerce services
Monitoring
Slide 30: Structure and Format of ISO
Section 11: Access control
Logical access to IT systems, networks and data must be suitably controlled to prevent unauthorized use. This is another lengthy and detailed section:
Business requirement for access control
11.2 User access management
11.3 User responsibilities
11.4 Network access control
11.5 Operating system access control
11.6 Application and information access control
11.7 Mobile computing and teleworking
Slide 31: Structure and Format of ISO
Section 12: Information systems acquisition, development and maintenance
Information security must be taken into account in the Systems Development Lifecycle (SDLC) processes for specifying, building/acquiring, testing, implementing and maintaining IT systems:
Security requirements of information systems
12.2 Correct processing in application systems
12.3 Cryptographic controls
12.4 Security of system files
12.5 Security in development and support processes
12.6 Technical vulnerability management
Slide 32: Structure and Format of ISO
Section 13: Information security incident management
Information security events, incidents and weaknesses (including near-misses) should be promptly reported and properly managed.
Reporting of information security events and weaknesses: An incident reporting/alarm procedure is required, plus the associated response and escalation procedures. There should be a central point of contact, and all employees, contractors etc. should be informed of their incident reporting responsibilities.
Management of information security incidents and improvements: Responsibilities and procedures are required to manage incidents consistently and effectively, to implement continuous improvement (learning the lessons), and to collect forensic evidence.
Slide 33: Structure and Format of ISO
Section 14: Business continuity management
This section describes the relationship between IT disaster recovery planning, business continuity management and contingency planning, ranging from analysis and documentation through to regular exercising/testing of the plans. These controls are designed to minimize the impact of security incidents that happen despite the preventive controls noted elsewhere in the standard.
Section 15: Compliance
15.1 Compliance with legal requirements
15.2 Compliance with security policies and standards, and technical compliance
15.3 Information systems audit considerations
Slide 34: Implementation process cycle
[Diagram: the PDCA cycle (PLAN: establish the ISMS; DO: implement and operate the ISMS; CHECK: monitor and review the ISMS; ACT: maintain and improve) surrounded by the implementation activities: IS policy, security organisation, asset identification and classification, control selection and implementation, operationalize the processes, check processes, corrective and preventive actions, management review.]
Slide 35: ITIL
Slide 36: Background
What is the Information Technology Infrastructure Library (ITIL)?
Describes best practice in IT service management (ITSM) drawn from public and private sector IT organizations.
The primary objective of Service Management is to ensure that the IT services are aligned to the business needs and actively support them.
Benefits include:
Increased user and customer satisfaction with IT services
Improved service availability, directly leading to increased profits and revenue
Financial savings from reduced rework, lost time, improved resource management and usage
Improved time to market for new products and services
Improved decision making and optimized risks
ITIL is a Registered Trade Mark, and Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office.
Slide 37: What is ITIL V3?
ITIL is about more than just infrastructure
Business-of-IT oriented approach
Promotes a service-based approach to managing IT
Includes discussion topics about strategic options, functions, roles and responsibilities as well as continual improvement
Makes reference to other frameworks (e.g. COBIT, ISO 27001) and talks about better alignment to those
Helps to provide a standardized process context
Highlights the importance of process
Identifies the core activities and metrics for its processes
Requests measurement programs (baselining, benchmarking) to ensure performance (e.g. TCO, ROI, costing/pricing)
Revised certification program for professionals, more structured and focused by processes
Slide 38: Version 3 Overview
Service strategy: Service Portfolio Mgmt, Financial Mgmt, Demand Mgmt
Supporting material: service, organizational, process and technology maps
Service design: Service Catalogue Mgmt, Service Level Mgmt, Supplier Mgmt, Capacity Mgmt, Availability Mgmt, IT Service Continuity Mgmt, Information Security Mgmt
Service operation: Event Mgmt, Incident Mgmt, Request Fulfilment, Access Mgmt, Problem Mgmt
Functions: Service Desk, Technical Mgmt, IT Operations Mgmt, Applications Mgmt
Service transition: Change Mgmt, Service Asset & Configuration Mgmt, Knowledge Mgmt, Transition Planning and Support, Release & Deployment Mgmt, Service Validation & Testing, Evaluation
Continual Service Improvement: Seven Step Improvement Process
Slide 39: ITIL Version 3 - Service Design
Slide 40: Service Design - Goals & Objectives
Goal: the design of appropriate and innovative IT services, including their architectures, processes, policies, and documentation, to meet current and future agreed business requirements.
Objectives:
Design services to meet agreed business outcomes
Design processes to support the service lifecycle
Identify and manage risks
Design secure and resilient IT infrastructures, environments, applications and data/information resources and capability
Design measurement methods and metrics
Slide 41: Service Design - Goals & Objectives (continued)
Objectives (continued):
Produce and maintain plans, processes, policies, standards, architectures, frameworks and documents to support the design of quality IT solutions
Develop skills and capability within IT
Contribute to the overall improvement in IT service quality
Slide 42: Service Design - Processes covered in Service Design
Service Catalogue Management: the purpose of SCM is to provide a single, consistent source of information on all of the agreed services, and ensure that it is widely available to those who are approved to access the service catalogue.
Service Level Management: SLM negotiates, agrees and documents appropriate IT service targets with the business, and then monitors and produces reports on delivery against the agreed level of service.
Capacity Management: the purpose of Capacity Management is to provide a point of focus and management for all capacity- and performance-related issues, relating to both services and resources, and to match the capacity of IT to the agreed business demands.
IT Service Continuity Management: the purpose of ITSCM is to maintain the appropriate on-going recovery capability within IT services to match the agreed needs, requirements and timescales of the business.
Slide 43: Service Design - Processes covered in Service Design (continued)
Availability Management: the purpose of Availability Management is to provide a point of focus and management for all availability-related issues, relating to services, components and resources, ensuring that availability targets in all areas are measured and achieved, and that they match or exceed the current and future agreed needs of the business in a cost-effective manner.
Information Security Management: the purpose of the ISM process is to align IT security with business security and ensure that information security is effectively managed in all service and Service Management activities.
Supplier Management: the purpose of the Supplier Management process is to obtain value for money from suppliers and to ensure that suppliers perform to the targets contained within their contracts and agreements, while conforming to all of the terms and conditions.
Slide 44: Service Design - IT Service Continuity Management (ITSCM)
ITSCM is concerned with managing an organisation's ability to continue to provide a pre-determined and agreed level of IT services to support the minimum business requirements following an interruption to the business.
Goal: the goal of ITSCM is to support the overall Business Continuity Management process by ensuring that the required IT technical and service facilities (including computer systems, networks, applications, data repositories, telecommunications, technical support, and Service Desk) can be resumed within required, and agreed, business timescales.
Slide 45: Service Design - IT Service Continuity Management: Objectives
To maintain a set of IT Service Continuity Plans and IT recovery plans that support the overall Business Continuity Plans (BCPs) of the organization
To complete regular Business Impact Analysis (BIA) exercises to ensure that all continuity plans are maintained in line with changing business impacts and requirements
To conduct regular risk assessment and management exercises, particularly in conjunction with the business and the Availability Management and Security Management processes, that manage IT services within an agreed level of business risk
Slide 46: Service Design - IT Service Continuity Management: Objectives (continued)
To ensure that appropriate continuity and recovery mechanisms are put in place to meet or exceed the agreed business continuity targets
To assess the impact of all changes on the IT Service Continuity Plans and IT recovery plans
To ensure that proactive measures to improve the availability of services are implemented wherever it is cost-justifiable to do so
To negotiate and agree the necessary contracts with suppliers for the provision of the necessary recovery capability to support all continuity plans, in conjunction with the Supplier Management process
Slide 47: Service Design - IT Service Continuity Management: Lifecycle of Service Continuity Management
[Diagram: the ITSCM lifecycle alongside Business Continuity Management (BCM), with key activities per stage:
Initiation: policy setting, scope, initiate a project
Requirements and strategy: Business Impact Analysis, risk assessment, IT Service Continuity Strategy (aligned with the Business Continuity Strategy)
Implementation: develop IT Service Continuity Plans, develop IT plans, recovery plans and procedures, organization planning, testing strategy (aligned with the Business Continuity Plans)
On-going operation: education, awareness and training, review and audit, testing, change management; invocation when an interruption occurs]
Slide 48: Service Design - IT Service Continuity Management: KPIs
Positive results from audits performed over the ITSCM plans to ensure that, at all times, the agreed recovery requirements of the business can be achieved
Successful results from recovery testing
Reduction in the risk and impact of possible failure of IT services
Increased awareness of business impact, needs and requirements throughout IT
Increased preparedness of all IT service areas and staff to respond to an invocation of the ITSCM plans
Slide 49: IT Service Continuity Management: KPIs (continued)
Response time to restore business operations after a disaster occurs, based on the type of recovery option chosen (i.e. manual, immediate, fast, intermediate, or gradual)
Cost of service continuity management vs. cost incurred by the business in the event of an IT service loss. This could include both tangible (e.g. financial) and intangible (e.g. reputation) costs
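The KPIs on slides 48 and 49 are only useful once recovery tests are recorded and measured against the timescale agreed for each service's recovery option. The following is an added example, not code from the course slides: it evaluates a constructed set of recovery-test records per service (did every completed test restore within the option's target, and what was the slowest recovery seen), derives the success rate of recovery testing, and computes the ratio of annual continuity spend to the tangible plus intangible cost of one service loss. The target hours per recovery option are assumptions; ITIL names the options but the numbers come from the organisation's own Business Impact Analysis.

```python
# Added example (not from the course slides): ITSCM KPIs computed from
# recovery-test results. Target hours per option are assumed values; the
# test records and the cost figures are constructed.
from typing import Dict, List, NamedTuple

# Assumed recovery-time targets (hours) per recovery option named on the slide.
OPTION_TARGET_HOURS: Dict[str, float] = {
    "immediate": 0.5,
    "fast": 4.0,
    "intermediate": 24.0,
    "gradual": 72.0,
    "manual": 168.0,  # manual workaround: the business runs without IT for up to a week
}


class RecoveryTest(NamedTuple):
    service: str
    option: str                 # recovery option agreed for the service
    restored_after_hours: float
    completed: bool             # False when the test was aborted or recovery failed


class ServiceResult(NamedTuple):
    target_hours: float
    worst_hours: float          # slowest recovery seen; inf if any test failed
    met_target: bool


def evaluate_recovery_tests(tests: List[RecoveryTest]) -> Dict[str, ServiceResult]:
    """Per service: did every test complete within the option's target? A
    service with an aborted or failed test is never marked as meeting it."""
    results: Dict[str, ServiceResult] = {}
    for t in tests:
        target = OPTION_TARGET_HOURS[t.option]
        prev = results.get(t.service)
        observed = t.restored_after_hours if t.completed else float("inf")
        worst = max(prev.worst_hours if prev else 0.0, observed)
        met = (prev.met_target if prev else True) and observed <= target
        results[t.service] = ServiceResult(target, worst, met)
    return results


def recovery_test_success_rate(tests: List[RecoveryTest]) -> float:
    """KPI: share of recovery tests that completed within their target."""
    if not tests:
        return 0.0
    ok = sum(1 for t in tests if t.completed and t.restored_after_hours <= OPTION_TARGET_HOURS[t.option])
    return ok / len(tests)


def continuity_cost_ratio(itscm_annual_cost: float, tangible_loss: float, intangible_loss: float) -> float:
    """KPI: annual ITSCM spend relative to the estimated business cost of one
    service loss (tangible, e.g. financial, plus intangible, e.g. reputation)."""
    return itscm_annual_cost / (tangible_loss + intangible_loss)


# Constructed sample: one service misses its 4-hour target on a second run,
# one meets its target, and one test was aborted before recovery completed.
SAMPLE_TESTS = [
    RecoveryTest("citizen-portal", "fast", 3.5, True),
    RecoveryTest("citizen-portal", "fast", 4.5, True),
    RecoveryTest("tax-ledger", "intermediate", 18.0, True),
    RecoveryTest("email", "gradual", 30.0, False),
]

if __name__ == "__main__":
    for service, r in evaluate_recovery_tests(SAMPLE_TESTS).items():
        print(f"{service}: target {r.target_hours}h, worst {r.worst_hours}h, met={r.met_target}")
    print(f"recovery test success rate: {recovery_test_success_rate(SAMPLE_TESTS):.0%}")
    print(f"continuity cost ratio: {continuity_cost_ratio(150000, 400000, 100000):.2f}")
```

Tracking the worst observed recovery rather than the average is deliberate: the agreed timescale is a ceiling the business plans around, so a single slow run is what the management review needs to see.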
Slide 50: COBIT - Control Objectives for Information and related Technology
Accepted globally as a set of tools that ensures IT is working effectively
Provides a common language to communicate goals, objectives and expected results to all stakeholders
Based on, and integrates, industry standards and good practices in:
Strategic alignment of IT with business goals
Value delivery of services and new projects
Risk management
Resource management
Performance measurement
Slide 51: COBIT - Control Objectives for Information and related Technology
COBIT provides guidance for executive management to govern IT within the enterprise:
More effective tools for IT to support business goals
More transparent and predictable full life-cycle IT costs
More timely and reliable information from IT
Higher quality IT services and more successful projects
More effective management of IT-related risks
Slide 52: Harmonizing the Elements of IT Governance
[Diagram: the elements of IT governance, including resource management.]
Slide 53: The COBIT Framework
[Diagram only.]
Slide 54: COBIT Defines Processes, Goals and Metrics
[Diagram: relationship amongst process, goals and metrics, illustrated with process DS5.]
Slide 55: COBIT Products and Their Primary Audience
COBIT, Risk IT and Val IT frameworks
Implementing and Continually Improving IT Governance
COBIT User Guide for Service Managers
COBIT and Application Controls
Slide 56: End of Session
Management System Policy Version: 3.4 Issued Document Name: Owner: P079A - ISMS Security Policy Classification: Public Security Policies, Standards and Procedures emanate from the Policy which has been
More informationBy. Mr. Chomnaphas Tangsook Business Director BSI Group ( Thailand) Co., Ltd
BS 25999 Business Continuity Management By. Mr. Chomnaphas Tangsook Business Director BSI Group ( Thailand) Co., Ltd 1 Contents slide BSI British Standards 2006 BS 25999(Business Continuity) 2002 BS 15000
More informationInformation Security Management Systems
Information Security Management Systems Øivind Høiem CISA, CRISC, ISO27001 Lead Implementer Senior Advisor Information Security UNINETT, the Norwegian NREN About Øivind Senior Adviser at the HE sector
More informationInformation Security Managing The Risk
Information Technology Capability Maturity Model Information Security Managing The Risk Introduction Information Security continues to be business critical and is increasingly complex to manage for the
More informationInformation security controls. Briefing for clients on Experian information security controls
Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face
More informationISO 27000 Information Security Management Systems Foundation
ISO 27000 Information Security Management Systems Foundation Professional Certifications Sample Questions Sample Questions 1. is one of the industry standards/best practices in Service Management and Quality
More informationITIL A guide to service asset and configuration management
ITIL A guide to service asset and configuration management The goal of service asset and configuration management The goals of configuration management are to: Support many of the ITIL processes by providing
More informationISO/IEC 27001 Information Security Management. Securing your information assets Product Guide
ISO/IEC 27001 Information Security Management Securing your information assets Product Guide What is ISO/IEC 27001? ISO/IEC 27001 is the international standard for information security management and details
More informationBusiness Continuity (Policy & Procedure)
Business Continuity (Policy & Procedure) Publication Scheme Y/N Can be published on Force Website Department of Origin Force Operations Policy Holder Ch Supt Head of Force Ops Author Business Continuity
More informationITSM Process Maturity Assessment
ITSM Process Maturity Assessment April 2011 Prepared by: Brian Newcomb TABLE OF CONTENTS Executive Summary... 3 Detailed Assessment Results and Recommendations... 5 Advisory Group Survey Results (External
More informationSan Francisco Chapter. Presented by Mike O. Villegas, CISA, CISSP
Presented by Mike O. Villegas, CISA, CISSP Agenda Information Security (IS) Vision at Newegg.com Typical Issues at Most Organizations Information Security Governance Four Inter-related CoBIT Domains ISO
More informationHengtian Information Security White Paper
Hengtian Information Security White Paper March, 2012 Contents Overview... 1 1. Security Policy... 2 2. Organization of information security... 2 3. Asset management... 3 4. Human Resources Security...
More informationBusiness Continuity Management Governance. Frank Higgins Abu Dhabi March 2015
Business Continuity Management Governance Frank Higgins Abu Dhabi March 2015 Different Names Same Concept BCM (Business Continuity Management) BSI 25999 IPOCM (Incident Preparedness & Operational Continuity
More informationService Children s Education
Service Children s Education Data Handling and Security Information Security Audit Issued January 2009 2009 - An Agency of the Ministry of Defence Information Security Audit 2 Information handling and
More informationITIL Introducing service design
ITIL Introducing service design The objectives of service design The main objective of the service design stage can be defined as: The design of appropriate and innovative IT services, including their
More informationPreparation Guide. EXIN IT Service Management Associate Bridge based on ISO/IEC 20000
Preparation Guide EXIN IT Service Management Associate Bridge based on ISO/IEC 20000 Edition January 2014 Copyright 2014 EXIN All rights reserved. No part of this publication may be published, reproduced,
More informationInformation Technology Engineers Examination. Information Technology Service Manager Examination. (Level 4) Syllabus
Information Technology Engineers Examination Information Technology Service Manager Examination (Level 4) Syllabus Details of Knowledge and Skills Required for the Information Technology Engineers Examination
More informationBusiness Continuity Management
Business Continuity Management Standard Operating Procedure Notice: This document has been made available through the Police Service of Scotland Freedom of Information Publication Scheme. It should not
More informationNeed to reassure customers that your cloud services are secure? Inspire confidence with STAR Certification from BSI
Need to reassure customers that your cloud services are secure? Inspire confidence with STAR Certification from BSI What is STAR Certification? TM STAR Certification is a unique new certification which
More informationMicrosoft s Compliance Framework for Online Services
Microsoft s Compliance Framework for Online Services Online Services Security and Compliance Executive summary Contents Executive summary 1 The changing landscape for online services compliance 4 How Microsoft
More informationCompany Management System. Business Continuity in SIA
Company Management System Business Continuity in SIA Document code: Classification: Company Project/Service Year Document No. Version Public INDEX 1. INTRODUCTION... 3 2. SIA S BUSINESS CONTINUITY MANAGEMENT
More informationInformation Management Advice 35: Implementing Information Security Part 1: A Step by Step Approach to your Agency Project
Information Management Advice 35: Implementing Information Security Part 1: A Step by Step Approach to your Agency Project Introduction This Advice provides an overview of the steps agencies need to take
More informationIntroduction to ITIL for Project Managers
CSC NORTH AMERICAN PUBLIC SECTOR Introduction to ITIL for Project Managers May Chantilly Luncheon Linda Budiman, PMP ITILv2 & ITILv3 Process Architect ITIL Service Manager, CobiT certified 5/13/2008 8:08:45
More informationWest Midlands Police and Crime Commissioner Records Management Policy 1 Contents
West Midlands Police and Crime Commissioner Records Management Policy 1 Contents 1 CONTENTS...2 2 INTRODUCTION...3 2.1 SCOPE...3 2.2 OVERVIEW & PURPOSE...3 2.3 ROLES AND RESPONSIBILITIES...5 COMMISSIONED
More informationInformation Security Program
Stephen F. Austin State University Information Security Program Revised: September 2014 2014 Table of Contents Overview... 1 Introduction... 1 Purpose... 1 Authority... 2 Scope... 2 Information Security
More informationBest Practice ITIL (Information Technology Infrastructure Library)
Best Practice ITIL (Information Technology Infrastructure Library) To achieve G H Bank s overall objectives, the Information Technology Group must provide excellent cutting-edge IT services to all stakeholders
More informationInformation Security Policy September 2009 Newman University IT Services. Information Security Policy
Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms
More informationNeed to reassure customers that your cloud services are secure? Inspire confidence with STAR Certification from BSI
Need to reassure customers that your cloud services are secure? Inspire confidence with STAR Certification from BSI What is STAR Certification? TM STAR Certification differentiates you from your competition.
More informationITIL Roles Descriptions
ITIL Roles s Role Process Liaison Incident Analyst Operations Assurance Analyst Infrastructure Solution Architect Problem Manager Problem Owner Change Manager Change Owner CAB Member Release Analyst Test
More informationDoes it state the management commitment and set out the organizational approach to managing information security?
Risk Assessment Check List Information Security Policy 1. Information security policy document Does an Information security policy exist, which is approved by the management, published and communicated
More informationInformation security management systems Specification with guidance for use
BRITISH STANDARD BS 7799-2:2002 Information security management systems Specification with guidance for use ICS 03.100.01; 35.020 This British Standard, having been prepared under the direction of the
More informationPreparation Guide. EXIN IT Service Management Associate based on ISO/IEC 20000
Preparation Guide EXIN IT Service Management Associate based on ISO/IEC 20000 Edition January 2014 Copyright 2014 EXIN All rights reserved. No part of this publication may be published, reproduced, copied
More informationDomain 5 Information Security Governance and Risk Management
Domain 5 Information Security Governance and Risk Management Security Frameworks CobiT (Control Objectives for Information and related Technology), developed by Information Systems Audit and Control Association
More informationOhio Supercomputer Center
Ohio Supercomputer Center IT Business Continuity Planning No: Effective: OSC-13 06/02/2009 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original
More informationWHITE PAPER December, 2008
INTRODUCTION Key to most IT organization s ongoing success is the leadership team s ability to anticipate, plan for, and adapt to change. With ever changing business/mission requirements, customer/user
More informationIntegrating Project Management and Service Management
Integrating Project and Integrating Project and By Reg Lo with contributions from Michael Robinson. 1 Introduction Project has become a well recognized management discipline within IT. is also becoming
More informationINFORMATION SECURITY PROCEDURES
INFORMATION AN INFORMATION SECURITY PROCEURES Parent Policy Title Information Security Policy Associated ocuments Use of Computer Facilities Statute 2009 Risk Management Policy Risk Management Procedures
More informationBUSINESS CONTINUITY POLICY
BUSINESS CONTINUITY POLICY Document Type Corporate Policy Unique Identifier CO-038 Document Purpose To provide a structure through which: i. A comprehensive business continuity management system (BCMS)
More informationBusiness Continuity Management
Business Continuity Management Policy Statement & Strategy July 2009 Basildon District Council Business Continuity Management Policy Statement The Council is committed to ensuring robust and effective
More informationInformation Security Awareness Training
Information Security Awareness Training Presenter: William F. Slater, III M.S., MBA, PMP, CISSP, CISA, ISO 27002 1 Agenda Why are we doing this? Objectives What is Information Security? What is Information
More informationITIL Foundation for IT Service Management 2011 Edition
ITIL Foundation for IT Service Management 2011 Edition ITIL Rev 03.12 3 days Description ITIL (IT Infrastructure Library) provides a practical, no-nonsense framework for identifying, planning, delivering
More informationProposal for Business Continuity Plan and Management Review 6 August 2008
Proposal for Business Continuity Plan and Management Review 6 August 2008 2008/8/6 Contents About Newton IT / Quality of our services. BCM & BS25999 Overview 2. BCM Development in line with BS25999 3.
More informationNSW Government Digital Information Security Policy
NSW Government Digital Information Security Policy Version: 2.0 Date: April 2015 CONTENTS PART 1 PRELIMINARY... 3 1.1 Scope... 3 1.2 Application... 3 1.3 Objectives... 3 PART 2 POLICY STATEMENT... 4 Core
More informationIT Governance: The benefits of an Information Security Management System
IT Governance: The benefits of an Information Security Management System Katerina Cai, CISSP Hewlett-Packard 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to
More informationManaging e-health data: Security management. Marc Nyssen Medical Informatics VUB Master in Health Telematics KIST E-mail: mnyssen@vub.ac.
Managing e-health data: Security management Marc Nyssen Medical Informatics VUB Master in Health Telematics KIST E-mail: mnyssen@vub.ac.be Structure of the presentation Data management: need for a clear
More informationFrameworks for IT Management
Frameworks for IT Management Copyright protected. Use is for Single Users only via a VHP Approved License. For information and printed versions please see www.vanharen.net 18 ITIL - the IT Infrastructure
More informationITIL 2011 Lifecycle Roles and Responsibilities UXC Consulting
ITIL 2011 Lifecycle Roles and Responsibilities UXC Consulting Date November 2011 Company UXC Consulting Version Version 1.5 Contact info@uxcconsulting.com.au http://www.uxcconsulting.com.au This summary
More informationITIL V3 and ISO/IEC 20000
For IT Service Management ITIL V3 and ISO/IEC 20000 Jenny Dugmore and Sharon Taylor Alignment White Paper March 2008 ITIL V3 and ISO/IEC 20000 Background For some years the close relationship between ITIL
More informationMoving from BS 25999-2 to ISO 22301. The new international standard for business continuity management systems. Transition Guide
Transition Guide Moving from BS 25999-2 to ISO 22301 The new international standard for business continuity management systems Extract from The Route Map to Business Continuity Management: Meeting the
More informationDraft Information Technology Policy
Draft Information Technology Policy Version 3.0 Draft Date June 2014 Status Draft Approved By: Table of Contents 1.0 Introduction... 6 Background... 6 Purpose... 6 Scope... 6 Legal Framework... 6 2.0 Software
More informationITIL v3. Service Management
ITIL v3 1 as a Practice ITIL = IT Infrastructure Library Set of books giving guidance on the provision of quality IT services Common language Best practices in delivery of IT services Not standards! Platform
More informationIs securing personal information a priority? Reassure clients and achieve data protection compliance with BS 10012
Is securing personal information a priority? Reassure clients and achieve data protection compliance with BS 10012 Make protection of personal information your priority and safeguard your reputation. Comply
More informationINFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c
INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information
More informationITIL - QUICK REFERENCE GUIDE
http://www.tutorialspoint.com/itil/itil_quick_guide.htm ITIL - QUICK REFERENCE GUIDE Copyright tutorialspoint.com ITIL Overview ITIL is a framework providing best practice guidelines on all aspects of
More informationCLASSIFICATION SPECIFICATION FORM
www.mpi.mb.ca CLASSIFICATION SPECIFICATION FORM Human Resources CLASSIFICATION TITLE: POSITION TITLE: (If different from above) DEPARTMENT: DIVISION: LOCATION: Executive Director Executive Director, Information
More informationREGULATIONS FOR THE SECURITY OF INTERNET BANKING
REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY
More informationsecurity policy Purpose The purpose of this paper is to outline the steps required for developing and maintaining a corporate security policy.
Abstract This paper addresses the methods and methodologies required to develop a corporate security policy that will effectively protect a company's assets. Date: January 1, 2000 Authors: J.D. Smith,
More informationBusiness Continuity Policy
Business Continuity Policy St Mary Magdalene Academy V1.0 / September 2014 Document Control Document Details Document Title Document Type Business Continuity Policy Policy Version 2.0 Effective From 1st
More informationInformation Security Management Systems
Information Security Management Systems Information Security Management Systems Conformity Assessment Scheme ISO/IEC 27001:2005 (JIS Q 27001:2006) ITMangement Center Japan Information Processing Development
More informationBusiness Continuity Management Policy
Business Continuity Management Policy Business Continuity Policy Version 1.0 1 Version control Version Date Changes Author 0.1 April 13 1 st draft PH 0.2 June 13 Amendments in line with guidance PH 0.3
More informationISO 27001: Information Security and the Road to Certification
ISO 27001: Information Security and the Road to Certification White paper Abstract An information security management system (ISMS) is an essential part of an organization s defense against cyberattacks
More informationInformation Technology Infrastructure Library -ITIL. IT Governance CEN 667
Information Technology Infrastructure Library -ITIL IT Governance CEN 667 1 Lectures Schedule Week Topic Introduction to IT governance Week 1 Overwiev of Information Security standards - ISO 27000 series
More informationDetermining Best Fit. for ITIL Implementations
Determining Best Fit for ITIL Implementations Michael Harris President David Consulting Group Agenda Why ITIL? The Evolution of IT Metrics Towards the Business What do businesses need from IT Introduction
More informationBusiness Continuity Policy
Business Continuity Policy Page 1 of 15 Business Continuity Policy First published: Amendment record Version Date Reviewer Comment 1.0 07/01/2014 Debbie Campbell 2.0 11/07/14 Vicky Ryan Updated to include
More informationBUSINESS CONTINUITY MANAGEMENT FRAMEWORK
BUSINESS CONTINUITY MANAGEMENT FRAMEWORK Document Author: Civil Contingencies Service - Authorised by the CCS Joint Management Board - Version 1.0. Issued December 2012 Page 1 FRAMEWORK STATEMENT Business
More informationISO 27002:2013 Version Change Summary
Information Shield www.informationshield.com 888.641.0500 sales@informationshield.com Information Security Policies Made Easy ISO 27002:2013 Version Change Summary This table highlights the control category
More informationRoles within ITIL V3. Contents
Roles within ITIL V3 Roles are employed in order to define responsibilities. In particular, they are used to assign Process Owners to the various ITIL V3 processes, and to illustrate responsibilities for
More informationHong Kong Information Security Group TRAINING AGENDA
TRAINING AGENDA THE ITIL FOUNDATION CERTIFICATE IN IT SEVICE MANAGEMENT The purpose of the ITIL Foundation certificate in IT Service Management is to certify that the candidate has gained knowledge of
More informationInformation Security Policy
Office of the Prime Minister document CIMU P 0016:2003 Version: 2.0 Effective date: 01 Oct 2003 Information 1. statement i) General The Public Service of the Government of Malta (Public Service) shall
More informationIM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose...
IM&T Infrastructure Security Policy Board library reference Document author Assured by Review cycle P070 Information Security and Technical Assurance Manager Finance and Planning Committee 3 Years This
More informationCertified Information Systems Auditor (CISA)
Certified Information Systems Auditor (CISA) Course Introduction Course Introduction Module 01 - The Process of Auditing Information Systems Lesson 1: Management of the Audit Function Organization of the
More informationIssue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager
Document Reference Number Date Title Author Owning Department Version Approval Date Review Date Approving Body UoG/ILS/IS 001 January 2016 Information Security and Assurance Policy Information Security
More information