June, 2022
Information Security Management
System – ISO 27001:2013
ICT End-User Presentation
Agenda
ISMS – ISO 27001:2013
Information & Information Security
User Responsibility
ISMS Implementation
Q&A
Incidents

Protected Health Information (PHI) of patients of Diatherix, a provider of clinical laboratory testing services, was accessed by an unauthorised external party. The exposed information included patient name, account number, address, date of test, insurance information and insured information.

Three persons were indicted for their involvement in an international cybercrime scheme that used information stolen from banks, businesses and government agencies to steal $15 million.

Tennessee Electric Company Inc., d.b.a. TEC Industrial Maintenance & Construction, filed a complaint in July against TriSummit Bank, a $278 million institution based in Tennessee, over a series of fraudulent payroll drafts sent from TEC's account in 2012. TEC says the bank failed to have those ACH transactions approved by the utility before they were transmitted.

Why Information Security?
- The internet allows an attacker to attack from anywhere on the planet.
- Risks caused by poor security knowledge and practice:
  - Data/information breach
  - Unavailability of data/information
  - Unavailability of systems, internet, applications, etc.
  - Identity theft
  - Monetary theft
  - Legal ramifications (for yourself and the company)

What is the solution to such situations?
Information Security Management System – ISO 27001

Information & Information Security

What is Information?
Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.
Information exists in many forms.
Information can be:
- printed or written on paper
- stored electronically
- transmitted by post/courier or electronically
- shown on corporate video
- displayed/published on the web
- spoken in conversation
- carried in a person's knowledge (transmitted through an individual)
Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected.
Information Lifecycle
- Create
- Store
- Distribute (to authorized persons)
- Modify (by authorized persons)
- Archive
- Delete (electronic) or dispose (paper, disk, etc.)
Information may need protection through its entire lifecycle, including deletion or disposal.
Why are information assets so important?
- Business requirements
  – Clients, customers and stakeholders
  – Marketing
  – Trustworthiness
  – Internal management tool
- Legal requirements
  – Revenue Department
  – Qatar Stock Exchange
  – Copyright, patents, …
- Contractual security obligations
  – Intranet connections to other business units
  – Extranets to business partners
  – Remote connections for staff
  – VPN
  – Customer networks
  – Supply chains
  – SLAs, contracts, outsourcing arrangements
  – Third-party access
What is Information Security?
Information security is the preservation of the confidentiality, integrity and availability of information; other properties, such as authenticity and reliability, can also be involved.

In some organizations integrity and/or availability may be more important than confidentiality.

Information security is the preservation of:
Confidentiality – ensuring that information is available only to those with authorized access.
Integrity – safeguarding the accuracy and completeness of information and of the methods and facilities that process it.
Availability – ensuring that authorized users have access to information when required.
The CIA triad

Confidentiality: information is not made available or disclosed to unauthorized individuals, entities or processes. Measures include encryption, access rights, secured storage, and user awareness of social engineering.

Integrity: safeguarding the accuracy and completeness of assets. Measures include access controls, checksums or digital signatures to detect tampering, and backups to restore a known-good state.

Availability: the asset is accessible and usable on demand by an authorized entity. Measures include disaster recovery plans, redundancy, high availability, etc.
Information Security Management System – ISO 27001:2013
An Information Security Management System (ISMS) is:
- that part of the overall management system, based on a business-risk approach, used to establish, implement, operate, monitor, review, maintain and improve information security
- a management process, not a purely technological one
The purpose of an ISMS is to secure an organization's information assets by identifying, assessing and managing the risks that result from threats exploiting vulnerabilities.
Introduction to the ISO 27001:2013 standard
- ISO/IEC 27001 is the international standard that specifies requirements for establishing, implementing, maintaining and continually improving an ISMS, and so for safeguarding an organization's information assets
- ISO/IEC 27001:2005, derived from BS 7799-2, was the first edition of the ISMS requirements standard
- ISO/IEC 27001:2013 was published on 25 September 2013
- A comprehensive set of clauses and controls drawing on best practice in information security
- A framework for building a risk-based information security management system
ISO 27001:2013 Features
- Focus on continual improvement
- Process-based approach; the clause structure still maps onto the Plan-Do-Check-Act cycle, although the 2013 edition no longer mandates PDCA as the 2005 edition did
- Scope covers information security, not only IT security
- 14 domains, 35 control objectives and 114 controls in Annex A (the 2022 revision, published after this deck, regroups Annex A into 4 themes and 93 controls)
- Covers people, process and technology
ISO 27001:2013 Requirements
Like other management system standards built on the common (Annex SL) structure, ISO/IEC 27001:2013 has 10 clauses. Clauses 1 to 3 cover scope, normative references and terms; the auditable requirements are in clauses 4 to 10:
Clause 4 – Context of the organization
Clause 5 – Leadership
Clause 6 – Planning
Clause 7 – Support
Clause 8 – Operation
Clause 9 – Performance evaluation
Clause 10 – Improvement
Additionally, ISO/IEC 27001:2013 lists controls in Annex A: 14 domains, 35 control objectives and 114 controls. Clause 6.1.3 requires a Statement of Applicability that records which Annex A controls are included or excluded, and why.
Control Objectives & Controls (Annex A of ISO/IEC 27001:2013)
14 domains, 35 control objectives, 114 controls:
A.5 Information security policies
A.6 Organization of information security
A.7 Human resource security
A.8 Asset management
A.9 Access control
A.10 Cryptography
A.11 Physical and environmental security
A.12 Operations security
A.13 Communications security
A.14 System acquisition, development and maintenance
A.15 Supplier relationships
A.16 Information security incident management
A.17 Information security aspects of business continuity management
A.18 Compliance
ISMS Implementation

Risk Management – the critical first step in ISO 27001 implementation
RISK = ASSET VALUE × PROBABILITY × IMPACT
Risk is the possibility that a threat exploits a vulnerability in an information asset, leading to an adverse impact on the organization. (The risk assessment slide later in this deck expands the formula with separate threat and vulnerability factors.)
Information Assets & Types
An asset is any tangible or intangible thing or characteristic that has value to an organization:
- Software
- IT hardware (physical assets)
- Persons who support and use the IT system
- Processes and support processes that deliver products and services
- IT and other infrastructure of the organization
- System interfaces (internal and external connectivity)
- Electronic media
and, above all, data and information.
Classification of Information Assets
Public – non-sensitive information available for external release. Examples include periodicals, bulletins, published financial statements and press releases.
Internal/Protected – information generally available to employees and approved non-employees such as contractors and trainees. Examples include staff memos, newsletters and staff awareness programme documentation or bulletins.
Confidential – sensitive information about projects and personnel, intended for use by employees, customers and approved non-employees such as contractors and trainees; it may be printed in hard copy only with the approval of the head of department (HOD). Examples include personal information, business plans and unpublished financial statements.
Restricted – highly sensitive information, whether inside or outside the organization, whose leakage can damage the organization's security; the label is applied to the documented information itself. Examples include design documents, drawings and contracts.
Information Security Risk Assessment
- Inherent Risk = Asset Value × Threat Value × Vulnerability Value × Probability Value × Impact Value
- Asset inventory
- Asset classification
- Asset Value = Confidentiality Value + Integrity Value + Availability Value (each value is assigned on a scale of 1 to 3, where 1 is low, 2 is medium and 3 is high)
- Existing Controls Effectiveness is assigned on a scale of 1 to 3
- Risk Priority Number = Inherent Risk / Existing Controls Effectiveness
- Risk is treated if it is unacceptable
- Residual risk that remains High or Moderate must be signed off by management or the risk owner
Note that threat, vulnerability and probability are not independent (a capable threat against a weak control is what makes exploitation probable), so multiplying all three tends to double-count likelihood; a qualitative scheme like this yields a ranking for prioritisation, not a measurement.
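The following is an added worked example of the scoring arithmetic on this slide and on the earlier "Risk Management" slide, run over a small constructed asset register; it is not code from the presentation. The mapping from classification to confidentiality score, the direction of the controls-effectiveness scale (3 = strongest controls, so that dividing by it lowers the priority number), the High/Moderate thresholds and the sample assets and scenarios are all assumptions made here for illustration.

```python
# Added worked example: the slide's risk-scoring arithmetic over a constructed
# asset register. Not code from the presentation; scale directions,
# thresholds and the sample data are assumptions noted inline.
from dataclasses import dataclass

# Assumption: classification drives the confidentiality score on the 1-3 scale.
CLASSIFICATION_CONFIDENTIALITY = {
    "Public": 1,
    "Internal": 1,
    "Confidential": 2,
    "Restricted": 3,
}

# Assumption: RPN bands. Inherent risk spans 3..729 and the divisor is 1..3,
# so the RPN lies in 1..729; these cut-offs are illustrative only.
HIGH_THRESHOLD = 100
MODERATE_THRESHOLD = 27


def scale(value: int, name: str) -> int:
    """Enforce the slide's 1 (low) .. 3 (high) scale for every factor."""
    if value not in (1, 2, 3):
        raise ValueError(f"{name} must be 1, 2 or 3, got {value!r}")
    return value


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str   # one of CLASSIFICATION_CONFIDENTIALITY
    integrity: int        # 1..3
    availability: int     # 1..3


@dataclass(frozen=True)
class Scenario:
    """One threat/vulnerability pairing against an asset."""
    asset: Asset
    threat: str
    threat_value: int
    vulnerability_value: int
    probability_value: int
    impact_value: int
    control_effectiveness: int  # assumption: 3 = strongest existing controls


def asset_value(asset: Asset) -> int:
    """Asset Value = C + I + A (3..9), with C derived from the classification."""
    c = CLASSIFICATION_CONFIDENTIALITY[asset.classification]
    return c + scale(asset.integrity, "integrity") + scale(asset.availability, "availability")


def inherent_risk(s: Scenario) -> int:
    """Inherent Risk = Asset Value x Threat x Vulnerability x Probability x Impact."""
    return (asset_value(s.asset)
            * scale(s.threat_value, "threat")
            * scale(s.vulnerability_value, "vulnerability")
            * scale(s.probability_value, "probability")
            * scale(s.impact_value, "impact"))


def risk_priority_number(s: Scenario) -> float:
    """RPN = Inherent Risk / Existing Controls Effectiveness."""
    return inherent_risk(s) / scale(s.control_effectiveness, "control effectiveness")


def risk_level(rpn: float) -> str:
    if rpn >= HIGH_THRESHOLD:
        return "High"
    if rpn >= MODERATE_THRESHOLD:
        return "Moderate"
    return "Low"


def assess(scenarios) -> list:
    """Score every scenario, highest RPN first. High/Moderate residual risk
    needs sign-off by management or the risk owner, as the slide states."""
    rows = []
    for s in scenarios:
        rpn = risk_priority_number(s)
        level = risk_level(rpn)
        rows.append({
            "asset": s.asset.name,
            "threat": s.threat,
            "asset_value": asset_value(s.asset),
            "inherent_risk": inherent_risk(s),
            "rpn": rpn,
            "level": level,
            "needs_signoff": level in ("High", "Moderate"),
        })
    return sorted(rows, key=lambda r: r["rpn"], reverse=True)


# Constructed sample register (not real data), echoing the incident slide.
PAYROLL = Asset("Payroll ACH batch file", "Restricted", integrity=3, availability=2)
LAB_DB = Asset("Patient lab results database", "Restricted", integrity=3, availability=3)
NEWSLETTER = Asset("Staff newsletter", "Internal", integrity=1, availability=1)

SCENARIOS = [
    Scenario(PAYROLL, "Fraudulent ACH draft via stolen banking credentials", 3, 2, 2, 3, control_effectiveness=1),
    Scenario(LAB_DB, "Phishing leads to account takeover and PHI exposure", 3, 3, 2, 3, control_effectiveness=2),
    Scenario(NEWSLETTER, "Intranet page defaced", 1, 2, 1, 1, control_effectiveness=3),
]

if __name__ == "__main__":
    for row in assess(SCENARIOS):
        print(f"{row['level']:8} RPN={row['rpn']:6.1f} inherent={row['inherent_risk']:3} "
              f"{row['asset']}: {row['threat']}")
```

Run as a script it prints the register ranked by RPN: the payroll file (asset value 8, inherent risk 288, no effective controls) outranks the lab database (asset value 9, inherent risk 486) only because the latter's existing controls halve its priority number, which is exactly the effect the "Inherent Risk / Existing Controls Effectiveness" step is meant to capture. The `scale` check matters in practice: a spreadsheet that silently accepts a 0 or a 4 in one factor produces a priority number that is meaningless against the rest of the register.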
What is a Threat?
- In ISO/IEC 27000 terms, a threat is a potential cause of an unwanted incident that may result in harm to a system or organization; colloquially, an expression of intent to inflict injury or damage
- Threats attack the key security properties: confidentiality, integrity and availability
- A threat means something bad may be coming your way; a high threat rating means it is highly likely to hit you and the consequence will be severe
A vulnerability is a weakness of an asset or control that a threat can exploit; risk arises only where a threat and a matching vulnerability coexist.
Q & A
Thank You!