Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session One

Similar documents
Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session One Information Security and Challenges

ISO Controls and Objectives

ISO27001 Controls and Objectives

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training - Session One

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Three

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session One

ISO 27002:2013 Version Change Summary

Newcastle University Information Security Procedures Version 3

University of Sunderland Business Assurance Information Security Policy

INFORMATION TECHNOLOGY SECURITY STANDARDS

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Two

Information Security: Business Assurance Guidelines

Digital Forensic. A newsletter for IT Professionals. I. Background of Digital Forensic. Definition of Digital Forensic

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

Security Controls What Works. Southside Virginia Community College: Security Awareness

Information Security Management System (ISMS) Policy

INFORMATION SECURITY PROCEDURES

Information Security Awareness Training

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Two Information Security in Universities

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Microsoft s Compliance Framework for Online Services

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters

INFORMATION SYSTEMS. Revised: August 2013

CITY UNIVERSITY OF HONG KONG Information Security Incident Management Standard

Security and Privacy Controls for Federal Information Systems and Organizations

Hong Kong Baptist University

Information Shield Solution Matrix for CIP Security Standards

Supplier Security Assessment Questionnaire

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

IT Governance: The benefits of an Information Security Management System

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

California State University, Sacramento INFORMATION SECURITY PROGRAM

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October Document Author(s) Collette McQueen

INFORMATION SECURITY MANAGEMENT POLICY

ISACA Kampala Chapter Feb Bernard Wanyama Syntech Associates Limited

Operational Risk Publication Date: May Operational Risk... 3

ISMS Implementation Guide

Intel Enhanced Data Security Assessment Form

Governance and Management of Information Security

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

FINAL May Guideline on Security Systems for Safeguarding Customer Information

Analysis of Information Security Management Systems at 5 Domestic Hospitals with More than 500 Beds

Information security management systems Specification with guidance for use

Third Party Security Requirements Policy

Information Security Management Systems

Mike Casey Director of IT

Information Security Program

University of Liverpool

AN OVERVIEW OF INFORMATION SECURITY STANDARDS

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Information Resources Security Guidelines

Information Security Policies. Version 6.1

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

CHIS, Inc. Privacy General Guidelines

Managing Cloud Computing Risk

IS INFORMATION SECURITY POLICY

Rotherham CCG Network Security Policy V2.0

University of Aberdeen Information Security Policy

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

Library Systems Security: On Premises & Off Premises

Service Children s Education

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)

How To Protect Decd Information From Harm

CHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT)

1 Purpose Scope Roles and Responsibilities Physical & Environmental Security Access Control to the Network...

Highland Council Information Security Policy

Hengtian Information Security White Paper

Recent Researches in Electrical Engineering

Montclair State University. HIPAA Security Policy

Acceptable Use Policy

How to Practice Safely in an era of Cybercrime and Privacy Fears

IT Security Incident Management Policies and Practices

Information security controls. Briefing for clients on Experian information security controls

Cyber Security Incident Handling Policy. Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology

Developing the Corporate Security Architecture. Alex Woda July 22, 2009

Polish Financial Supervision Authority. Guidelines

Version 1.0. Ratified By

Information Security Policy

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

Practical Overview on responsibilities of Data Protection Officers. Security measures

VMware vcloud Air HIPAA Matrix

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

ADEC GROUP INFORMaTiON SecURiTY AND CONTROLS

Network Security Policy

Information Security Management. Audit Check List

STFC Monitoring and Interception policy for Information & Communications Technology Systems and Services

Information Security Policy

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY

How To Manage Security On A Networked Computer System

Information Security Team

ISO 27001: Information Security and the Road to Certification

Transcription:

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session One Information Security- Perspective for Management Information Security Management Program Concept and Implementation

Agenda Information Security Management Information Security Fundamentals The Standard - ISO27001 ISO27001 11 Domains Information Security Change Management Information Security Change Management - Example 1

Information Security Management Information Security Management Physical Information e.g. paper forms / answer scripts / proposals / project progress reports Electronic Information e.g. financial data (accounting system) student information (registry system) payroll information (HR system) 2

Information Security Management Information Security Management Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction (Wikipedia) Information security exists to: ensure adequate and proportionate security controls that adequately protect information assets and give confidence to customers and other interested parties. This can be translated into maintaining and improving competitive edge, cash flow, profitability, legal compliance and commercial image. (ISO27001) 3

Information Security Management Information Security Management The risks associated with information The corresponding controls in place to manage those risks Controls: Technology measures Organisational structures Procedures Policies Plans Industry standard for information security management ISO27001 4

Information Security Management Policy Top Management Procedures Middle Management Plans Operation Level Security Culture 5

Information Security Why manage information security? Data Loss Statistics 6

Information Security Why manage information security? Data Loss Statistics 7

Information Security The core principles of information security: Confidentiality Confidentiality is keeping sensitive information against unauthorised access Integrity is keeping information intact and valid Availability is keeping information available and accessible Integrity The CIA Triad Availability 8

Information Security Information security is not only related to computer systems. People are always the weakest link. People A complete framework is required to manage information security. JUCC is committed to improve the security environment of the universities in all 3 perspectives Process Technology 9

Information Security Types of Information Security Controls Know when it occurs Administrative Logical Physical Detective Corrective Preventive Rectify when it occurs Limitations No 100% assurance Breakdown e.g. misunderstand/ mistake Involve human judgement Management override Collusion Avoid its occurrence 10

COST Information Security Control Implementation- Cost vs Loss Optimised Level of Control Total Cost Cost of Loss Cost of Control Cost of Security Control Potential Loss CONTROL 11

Information Security Management ISO27001 Standard- ISO27001 Information Security Management System (ISMS) standard Published by International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) Requires management: Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities and impacts; Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis. (Source: Wikipedia) 12

Information Security Management ISO27001 ISO27001-11 Domains 1. Security Policy 2. Organisation of Information Security 3. Asset Management 4. Human Resource Security 5. Physical and Environment Security 6. Communication and Operations Management 7. Access Control 8. Information System Acquisition, Development and Maintenance 9. Information Security Incident Management 10. Business Continuity Management 11. Compliance 13

Information Security Management ISO27001 ISO27001-11 Domains (cont d) Security Policy Security policy document approved and communicated Regular review of the policy document Organisation of Information Security Clear direction and visible management support Managed implementation of security controls Information security responsibilities defined 14

Information Security Management ISO27001 ISO27001-11 Domains (cont d) Asset Management Information, software & physical asset inventory Information classification Information handling procedures Human Resource Security Employment checks Confidentiality/ non-disclosure agreements Information security training Disciplinary process for security violation 15

Information Security Management ISO27001 ISO27001-11 Domains (cont d) Physical and Environment Security Physical protection of premises/ facilities Protection against natural disasters Protection against communication interception Clear desk policy Communication and Operations Management Operating procedures Security requirements for contractors Detection and prevention of malicious software Data backup Network, email, portable media and disposal management procedures 16

Information Security Management ISO27001 ISO27001-11 Domains (cont d) Access Control User registration/ deregistration process Password controls User access review Remote access control Audit logging Information System Acquisition, Development and Maintenance Data validation Message authentication Cryptography management Control over testing data System change controls Prevention against covert channels 17

Information Security Management ISO27001 ISO27001-11 Domains (cont d) Information Security Incident Management Incident prioritisation & classification Channels for incident reporting Incident escalation procedures Contacts of regulatory bodies and law enforcement agencies Business Continuity Management Business continuity framework Established business continuity plans Regular business continuity test 18

Information Security Management ISO27001 ISO27001-11 Domains (cont d) Compliance Defined compliance requirements Procedures implemented to comply with requirements (e.g. personal data/ privacy protection) Regular compliance checks 19

Information Security Management ISO27001 Plan-Do-Check-Act (PDCA) A model adopted by ISO27001 Act Security improvement plan; Review and update of ISMS components, such as policy and procedures. A PDCA example Plan Risk assessment, risk treatment and risk acceptance. Check Review of incidents and lessons learnt; Self internal compliance audits; Review of risk assessment and action required. Do Incident reporting and management; Regular updates of news and trends of information security; Regular information security training or awareness program to staff member. 20

Managing Changes in Information Security Management 21

Managing Changes in Information Security Management Managing Changes Managing changes is essential in information security management as a structured approach to shifting/transitioning individuals, teams, and organisations from a current state to a desired future state. Examples of change: Missionary changes Strategic changes Operational changes (including Structural changes) Technological changes Changing the attitudes and behaviors of personnel (Wikipedia) 22

Managing Changes in Information Security Management Information Security Change Includes changes to policy, direction, strategy and operations relating to information security May affect a large number of personnel in an organisation May face resistance from change audience Should be well managed 23

Managing Changes in Information Security Management Process Evaluate the current situation Assess the scope of change Need for change Capability to change Define the objective, goal and process Develop the change management plan Communicate the change to stakeholders and relevant personnel (the plan, reasons and benefits) Execute (including training to personnel) Counter resistance Progress tracking, evaluation & fine-tuning 24

Managing Changes in Information Security Management Example To Implement password expiry requirement (e.g. 90 days) across the institution Current Situation: No password expiry on systems, users are not used to changing and remembering new passwords Passwords are easily cracked by brute-force attack Unauthorised access identified due to leakage of username and password Need for Change: Improve access security Capability to Change: System Ready for password expiration requirements Users Resistance towards implementation of password expiry 25

Managing Changes in Information Security Management Example Objective & Goal: Implement consistent password expiry requirement across the university for all information systems Change Management Plan: Timeline, budget, performance indicators, instructions, technical support, contacts Communication: Early communication to staff and students, explaining the new processes, as well as the benefits and needs Counter Resistance: Understand the source of resistance, provide training and counseling Progress Tracking: Monitor the helpdesk request raised by users and fine tune parameters such as the expiration period (e.g. from 90 days to 180 days for the first phase of implementation) 26

Summary Information security management framework is essential for the overall security of data in the university. Defining sound information security management is the responsibility of university s management. Information security changes should be well managed. 27

Q&A? 28

Copyright Statement All material in this document is, unless otherwise stated, the property of the Joint Universities Computer Centre ( JUCC ). Copyright and other intellectual property laws protect these materials. Reproduction or retransmission of the materials, in whole or in part, in any manner, without the prior written consent of the copyright holder, is a violation of copyright law. A single copy of the materials available through this document may be made, solely for personal, noncommercial use. Individuals must preserve any copyright or other notices contained in or associated with them. Users may not distribute such copies to others, whether or not in electronic form, whether or not for a charge or other consideration, without prior written consent of the copyright holder of the materials. Contact information for requests for permission to reproduce or distribute materials available through this document is listed below: copyright@jucc.edu.hk Joint Universities Computer Centre Limited (JUCC), Room 223, Run Run Shaw Building, c/o Computer Centre, The University of Hong Kong, Pokfulam Road, Hong Kong 29

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information