Information Security Management



Similar documents
Information Security Management Systems

How To Implement An Information Security Management System

Bellevue University Cybersecurity Programs & Courses

Governance and Management of Information Security

Cyber Security and Privacy - Program 183

An Overview of ISO/IEC family of Information Security Management System Standards

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters

Risk Management Guide for Information Technology Systems. NIST SP Overview

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

Information Security Basic Concepts

Security Services. A Solution for Providing BPM of Security Services within the Enterprise Environment.

Safeguards Frameworks and Controls. Security Functions Parker, D. B. (1984). The Many Faces of Data Vulnerability. IEEE Spectrum, 21(5),

SECURITY. Risk & Compliance Services

Cybersecurity Audit Why are we still Vulnerable? November 30, 2015

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

ISO/IEC Information & ICT Security and Governance Standards in practice. Charles Provencher, Nurun Inc; Chair CAC-SC27 & CAC-CGIT

White Paper Strengthening Information Assurance in Healthcare

John Essner, CISO Office of Information Technology State of New Jersey

Logging In: Auditing Cybersecurity in an Unsecure World

Cyber security in an organization-transcending way

Looking at the SANS 20 Critical Security Controls

Principle of Information Security. Asst. Prof. Kemathat Vibhatavanij Ph.D.

Compliance Risk Management IT Governance Assurance

Lessons from Defending Cyberspace

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014

National Cyber Security Policy -2013

Network Security Administrator

CHIS, Inc. Privacy General Guidelines

Managing e-health data: Security management. Marc Nyssen Medical Informatics VUB Master in Health Telematics KIST

Securing the Cloud Infrastructure

IT Security Management 100 Success Secrets

Our Commitment to Information Security

Committees Date: Subject: Public Report of: For Information Summary

Legislative Language

AN OVERVIEW OF INFORMATION SECURITY STANDARDS

Cyber- Attacks: The New Frontier for Fraudsters. Daniel Wanjohi, Technology Security Specialist

Healthcare and IT Working Together KY HFMA Spring Institute

FACT SHEET: Ransomware and HIPAA

Security metrics to improve information security management

SECURITY GUIDELINES INFORMATION SECURITY MANAGEMENT SYSTEM FOR COMPUTERISATION OF LAND RECORD

Information Technology Security Review April 16, 2012

Information Security Specialist Training on the Basis of ISO/IEC 27002

Human Factors in Information Security

The Impact of HIPAA and HITECH

Security Controls What Works. Southside Virginia Community College: Security Awareness

NSW Government Digital Information Security Policy

Security Testing. Claire L. Lohr, CSQE, CSDP, CTAL F. Scot Anderson, CISSP April 7, 2009 V 1.

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc.

Plan Development Getting from Principles to Paper

Information Security Services

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

Compliance Guide: ASD ISM OVERVIEW

ISO 27001: Information Security and the Road to Certification

Information Security Office

White Paper Achieving HIPAA Compliance through Security Information Management. White Paper / HIPAA

Agile Information Security Management in Software R&D

Protecting Official Records as Evidence in the Cloud Environment. Anne Thurston

Cyber Security for SCADA/ICS Networks

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry

Information Security Incident Management Policy September 2013

Securing the Microsoft Cloud

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Introduction to Information Security

INFORMATION SECURITY STRATEGIC PLAN

Risk Management in Practice A Guide for the Electric Sector

Logical Operations CyberSec First Responder: Threat Detection and Response (CFR) Exam CFR-110

Industrial Cyber Security Risk Manager. Proactively Monitor, Measure and Manage Cyber Security Risk

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004

Information Security Management System Policy

Practice Good Enterprise Security Management. Presented by Laurence CHAN, MTR Corporation Limited

IT Infrastructure Services. White Paper. Cyber Risk Mitigation for Smart Cities

Corporate Information Security Management Policy

Cyber Security solutions

INF3510 Information Security University of Oslo Spring Lecture 1 Course Information Background and Basic Concepts

Information Security Management System Information Security Policy

Defensible Strategy To. Cyber Incident Response

Data Privacy and Gramm- Leach-Bliley Act Section 501(b)

How Security Testing can ensure Your Mobile Application Security. Yohannes, CEHv8, ECSAv8, ISE, OSCP(PWK) Information Security Consultant

Information Security Awareness Training

Security Standards BS7799 and ISO17799

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

A Structured Comparison of Security Standards

ICASAS505A Review and update disaster recovery and contingency plans

Transcription:

Information Security Management M.Reza Sohizadeh A. 7 May 2009 Reza.Sohizadeh@ii.uib.no

Outline Information Information Security Information Security Management Information Security Management System ISMS Standard ISMS Approach and Traces Conclusion Finse Winter School 2 /32

What is Information? Information: is an asset that, like other important business assets, is essential to an organization s business and consequently needs to be suitably protected. (ISO/ IEC 17799) Asset: Anything that has value to the organization Can exist in many forms: data stored on computers transmitted across networks printed out written on a paper sent by fax stored on disks held on microfilm spoken in conversations over the telephone Finse Winter School 3 /32

Confidentiality : Information Security Preservation of Ensuring that information is available to only those authorized to have access. Integrity : Safeguarding the accuracy and completeness of information & processing methods. Availability : Ensuring that information and vital services are available to authorized users when required. Other practices such as authenticity, accountability, nonreputation and reliability can also be involved. Finse Winter School 4 /32

Information Threats Finse Winter School 5 /32

Information Security Information Security is about protecting Information through selection of appropriate Security Controls to: Protects information from a range of threats Ensures business continuity Minimizes financial loss Maximizes return on investments and business opportunities Finse Winter School 6 /32

The Challenge is Provision and demonstration of secure environment to clients Managing security between projects from competing clients Preventing loss of product knowledge to external attacks, internal thefts Preventing Leak of confidential information to competition Meeting Parent company requirements Ease of access to large mobile work force Providing access to customers where off site development is undertaken with the client. Introduction of new technologies and tools Managing Legal Compliance Managing costs Vs risk Finse Winter School 7 /32

What is needed? (Information Security Management) Finse Winter School 8 /32

Where to start? Access Control Availibility Confidentiality Integrity People Privacy Law, Compliance Common Criteria? Risk Authentication Policy Cryptography Finse Winter School 9 /32

Why Information Security Management System? Information security that can be achieved through technical means is limited. Security also depends on people, policies, processes and procedures. Resources are not unlimited. It is not a once off exercise, but an ongoing activity. All these can be addressed effectively and efficiently only by establishing a proper Information Security Management System (ISMS) Finse Winter School 10 /32

Information Security Management System With an ISMS we are not intending to make the system hacker proof, but develop a mechanism which can, to a large extent: Anticipate potential problems Prepare through proactive measures Protect against considerable damages Ensure recovery and restoration Finse Winter School 11 /32

Information Security Management System Finse Winter School 12 /32

PLAN DO CHECK ACT Policy,Organization, Risk Assesmet Selecting and Implementing Security Controls,Risk Management Check if The implemented controls are working properly and effectively (Metrics) If not, what should be done and do it. Preventive Actions Awareness and training Corrective Actions Finse Winter School 13 /32

Don t you think that a standard approach may help? ISO/IEC 27001:2005, NIST SP 800x Finse Winter School 14 /32

Finse Winter School 15 /32

ISO 2700x Family 27000 Fundamentals & Vocabulary 27001:2005 ISMS 27005:2008 Risk Management 27002 Code of Practice for ISM 27003 Implementation Guidance 27004 Metrics & Measurement 27006 Guidelines on ISMS accreditation Finse Winter School 16 /32

Overview of ISO/IEC27001:2005 Finse Winter School 17 /32

ISO/IEC 27001:2005 Domains Finse Winter School 18 /32

CONFIRMED / SCHEDULED ISO27000 - Information technology: Information security management systems, Overview and vocabulary ISO27007 - Guidelines for Information Security Management Systems Auditing ISO27008 - Guidelines for ISM auditing with respect to security controls (approved April 2008) ISO27011 - Information technology: Information security management guidelines for telecommunications ISO27799 - Health Informatics: Information security management in health using ISO/IEC 17799 Finse Winter School 19 /32

UNCONFIRMED / NOT YET SCHEDULED ISO27010 ISM Guidelines for Sector-Sector Working and Communications ISO27031 ICT Readiness for Business Continuity ISO27032 Cyber Security ISO27033 Network Security / Intrusion Detection (to replace ISO 18028) ISO27034 Guidelines for application security ISO27051 Telecommunications (ITU-T) Finse Winter School 20 /32

How the system works? Finse Winter School 21 /32

Risk Assesment Risk analysis refers to the processes used to evaluate those probabilities and consequences, and also to the study of how to incorporate the resulting estimates into the decision-making process. The risk assessment process also serves as a decision-making tool, in that its outcomes are used to provide guidance on the areas of highest risk, and to devise policies and plans to ensure that systems are appropriately protected. Finse Winter School 22 /32

Risk Assesment a) What can go wrong? b) What is the likelihood of it going wrong? c) What consequences would arise? Finse Winter School 23 /32

Risk Management Often, this is followed by risk evaluation, risk acceptance and avoidance, and risk management, according to the following questions: a) What can be done? b) What options are available, and what are their associated trade-offs in terms of cost, benefits, and risks? c) What impact do current management decisions have on future options? d) What are the priorities? Finse Winter School 24 /32

Is this system just for business purpose? Finse Winter School 25 /32

CIIP in Norway In 1998, the State Secretary Committee for ICT formed a subcommittee with a mandate to report on the status of ICT vulnerability efforts in Norway. Furthermore, the importance of CIIP is also stressed by the Defense Review and the Defense Policy Commission 2000. In the aftermath of attacks in the US on 11 September 2001, the government considered it necessary to increase national safety and security, particularly within civil defense, in the Police Security Service, and in emergency planning within the health sector Finse Winter School 26 /32

CIIP in Norway The Norwegian government published a national strategy for securing ICT systems in Norway in June 2003. The strategy involved all aspects of ICT security, ranging from security for individuals, businesses, and the daily activities of the government to the security of IT-dependent critical infrastructure. Finse Winter School 27 /32

CIIP in Norway As a result of the recommendations of the strategy, the NorCERT, NorSIS, and KIS organizations were established. In 2007, this was supplanted by the National Guidelines to Strengthen Information Security, 2007 2010. Finse Winter School 28 /32

CIIP in Norway Directorate for Civil Protection and Emergency Planning (DSB). 4(Risk Assesment), A.14(BCP) National Security Authority (NSM) A.13(IRP) SERTIT NorCERT The National Information Security Co-ordination Council (KIS) 5(Management Resp.),6(Audit),7(Review) Norwegian Post and Telecommunications Authority (NPT) A.10,A.11,A.12 Norwegian Center for Information Security (NorSIS)A.8(Awarenesss and Training) Finse Winter School 29 /32

Security Operation Center Outputs/ISMS Security monitoring for risk management (ISO/IEC 27005) Security posture risk analysis (ISO/IEC 27005) Secure role-based portal access (A.11 ISO 27001 ) Real-time monitoring and status of incidents and tickets (A.10.10 ISO 27001 ) Security policy reports (A.5 ISO 27001 ) Real-time assessment per incident as well as weekly and monthly reports (A.13 ISO 27001 ) Security incident reports (A.13 ISO 27001 ) Information required to prepare a compliance audit (A.15.3 ISO 27001 ) Evidence of security policy compliance (A.15.2 ISO 27001 ) Trends of security incidents and events (A.13.2 ISO 27001 ) Finse Winter School 30 /32

Conclusion Access Control(A.11) Confidentiality(A.12) Integrity(A.12) Availibility(A.12) People(A.8) Privacy(A.15) Risk(4) Law, Compliance(A.15) Authentication(A.11) Policy(A.5) Common Criteria (complementery Standard) Cryptography(A.12.3) Finse Winter School 31 /32

Question? Finse Winter School 32 /32

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information