Need for Information Security, Understanding Information security trends and Improving Security

10th December 2014 - Er. Sansar Jung Dewan

At First: InfoSec Basics with the Five Ws
- What is Information Security?
- Why do you need Information Security?
- Who is responsible for Information Security?
- When is the right time to address Information Security?
- Where does Information Security apply?

Information Security definition
Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:
- Integrity, which means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity;
- Confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
- Availability, which means ensuring timely and reliable access to and use of information.
Source: FISMA 2002, US federal law enacted as Title III of the E-Government Act of 2002

Threat Environment
Tools & Techniques: Malicious Software (Malware) - trojans, spyware, botnets
Actors: Users, Malicious Actors, State-sponsored Actors, Issue-motivated groups

[Chart] Which threats have most increased your risk exposure over the last 12 months? Source: Get ahead of cybercrime, EY's Global Information Security Survey 2014

[Chart] Which vulnerabilities have most increased your risk exposure over the last 12 months? Source: Get ahead of cybercrime, EY's Global Information Security Survey 2014

[Chart] Source: Internet Security Threat Report 2014, Symantec

Trends
- Motivation is increasing
- New technologies will generate new vulnerabilities
- The spectrum of malicious actors is expanding
- Capability is easier to acquire
- Security breach levels decreased slightly, but breaches are much more costly
- Cost of breaches nearly doubled in the last year
- Organizations of all sizes continue to suffer from external attacks
- Understanding, communication and awareness lead to effective security
- Organizations are seeking new ways to gain assurance over security
Source: Executive Summary, 2014 Information Security Breaches Survey; 2014 Australian Government InfoSec Manual Principles

Top management needs to consider
- What would a serious cyber security incident cost our organization?
- Who would benefit from having access to our information?
- What makes us secure against threats?
- Is the behavior of my staff enabling a strong security culture?
- Are we ready to respond to a cyber security incident?
Source: 2014 Australian Government InfoSec Manual Principles

InfoSec Documentation
- Information Security Policy
- Security Risk Management Plan
- System Security Plan
- Standard Operating Procedures
- Incident Response Plan
- Emergency Procedures
- Business Continuity and Disaster Recovery Plans
Source: 2014 Australian Government InfoSec Manual Principles

InfoSec Leadership & Support
- Organizational structure & top management
- Leadership commitment and policy
- Support

Organizational structure & top management: duties, roles & responsibilities, authorities of management, etc.
[Figure] Organization structure: ISO 27001:2013

Leadership commitment and policy
- Providing the information security policy and objectives
- Ensuring the integration of ISMS requirements into the organization's processes
- Ensuring that the resources needed for the ISMS are available
- Communicating the importance of effective information security management and of conformance to ISMS requirements
- Ensuring that the ISMS achieves its intended outcomes
- Directing and supporting people to contribute to the effectiveness of the ISMS
- Promoting continual improvement

Leadership commitment and policy
Senior management needs to establish an InfoSec policy that:
- Is suitable for the organization
- Includes the InfoSec objectives and provides a framework for setting them
- Includes a commitment to meet the applicable requirements related to InfoSec
- Includes a commitment to continual improvement of the ISMS
The information security policy should:
- Be available as documented information
- Be communicated within the organization
- Be made available to interested parties

Support: Management Commitment & Provision of Resources
- Establishing an ISMS policy
- Ensuring that ISMS objectives and plans are established
- Establishing roles and responsibilities for information security
- Communicating to the organization the importance of meeting information security objectives, conforming to the information security policy, its responsibilities under the law, and the need for continual improvement
- Providing sufficient resources to establish, implement, operate, monitor, review, maintain and improve the ISMS
- Deciding the criteria for accepting risks and the acceptable levels of risk
- Ensuring that internal ISMS audits are conducted
- Conducting management reviews of the ISMS

Support: Training, Awareness & Competence
The organization shall ensure that all personnel who are assigned responsibilities defined in the ISMS are competent to perform the required tasks by:
- determining the necessary competencies for personnel performing work affecting the ISMS;
- providing training or taking other actions (e.g. employing competent personnel) to satisfy these needs;
- evaluating the effectiveness of the actions taken; and
- maintaining records of education, training, skills, experience and qualifications.

Framework for ISMS