User Awareness Training on ISMS (ISO/IEC 27001:2013)
Pyramid
Acknowledgements
All trademarks and registered trademarks are the property of their respective owners (if any).
Copyright material is reproduced with the kind permission of the respective organization (if any).
Agenda
- ISO
- ISO27000:2013 - ISMS concepts & benefits
- Information & information security
- Process model - PDCA
- Assets, threats, vulnerabilities, impacts, attacks, risk
- An introduction to ISO 27001:2013
- Tools
- Task-level detail
- Specifics of disaster
- Detailed implementation of ISMS: a cookbook (how to set up)
ISO
ISO - International Organization for Standardization
Initiative from the UK Department of Trade and Industry
- 1995: BS 7799 Part 1 Code of Practice
- 1998: BS 7799 Part 2 Specification
- 2000: ISO/IEC 17799 published
- 2002: BS 7799 revised; PDCA introduced
- 2005: ISO 27001
- 2013: ISO 27001
ISO 27001:2013
ISMS: Information Security Management System.
Definition: the part of the overall documented management system, based on a business risk approach, that establishes, implements, operates, monitors, reviews, maintains and improves information security.
ISO 27001:2013 (ISMS - certification framework)
ISO 27001:2013 is
- an internationally recognized structured methodology dedicated to information security (IS)
- a defined process to evaluate, implement, maintain and manage IS
- a comprehensive set of controls drawn from best practices in IS
- developed by industry for industry
- a risk-based process approach
- Ease of access
- Creates an information security culture in the organization
Information
Data: data is raw; it simply exists and has no significance beyond its existence (in and of itself).
Information = meaningful data
Information
Today's reality
- Buy - financial information
- Use - login information
- Extort - carding fraud
- Steal competitive information
New attackers: cyber crime, mafia, hackers and company insiders
Perpetuated by outdated technology, human factors, continual security changes and limited control
Information Technology
Security
The quality or state of being secure: to be free from danger.
Security is achieved using several strategies simultaneously or in combination with one another.
Security is not something you buy, it is something you do.
Monitored 24x7x365.
- Reputation loss
- Financial loss
- Intellectual property loss
- Legislative breaches leading to legal action (cyber law)
- Loss of customer confidence
- Business interruption costs
- Goodwill loss
Information Security
Information Security
Protection of the C I A of assets
Confidentiality - the property that information is not made available or disclosed to unauthorized individuals, entities or processes: ensuring that information is accessible only to those authorized to have access.
Information Security
Protection of the C I A of assets
Integrity - the property of safeguarding the accuracy and completeness of assets: ensuring the accuracy and completeness of information and of processing methods.
Information Security
Protection of the C I A of assets
Availability - the property of being accessible and usable upon demand by authorized users: ensuring that authorized users have access to information and associated assets when required.
[Figure: the PDCA cycle (Plan, Do, Check, Act) drawn as maturity against time scale; each turn of the cycle yields effective improvement, followed by consolidation of the level reached, i.e. a new baseline.]
[Figure: examples of assets: buildings, infrastructures, environmental conditions, electricity, hardware, forensic evidence, communication channels.]
Asset
- Sensitive information
- You
ISMS Awareness ISO:27001:2013
- Intrusion
- Malware
- Phish
- Identity loss
- Data loss
- Compliance
Information Threats
- Intrusion: entrance by force without permission (an unauthorized act of bypassing a security mechanism)
- Malware: malicious software designed to infiltrate or damage a computer system without the owner's consent
- Phishing: a single unique message sent to targets with the intent of gaining confidential or personal information
- Identity loss: loss of an individual's information
- Data loss: unforeseen loss of data or information
- Compliance: acting according to certain standards
- Hacking: action at a distance or inside the organization
Threat Agents
- Rioters
- Contractors
- Disaffected workers
- Employees
- Hackers
- Fraudsters
- Thieves
- Terrorists
Vulnerabilities
- Addressing information can be forged
- Arbitrary program code can be executed
Vulnerabilities
- Electromagnetic radiation
Vulnerability ?
Impacts
Attack
An attack is any malicious or accidental disruption of the confidentiality, integrity or availability of information.
Network Attacks
- Ping floods (keep asking "are you there?")
- Smurf (ping flood sent to an IP broadcast address)
- Ping of death (fragmented ping packet that reassembles to more than 65535 bytes)
- Teardrop (fragmented packets whose fragments overlap)
- LAND (forged SYN packets with source equal to destination, forcing the target to talk to itself)
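As an added example (not part of the training deck), the Python script below shows how the five network attacks listed above can be recognised in captured traffic, run here over a constructed packet sample. The Packet fields, the ".255 means broadcast" heuristic and the ping-flood threshold are assumptions chosen for illustration, not taken from any real capture tool.

```python
"""Detection of the network attacks listed on the slide (ping flood, Smurf,
ping of death, teardrop, LAND) over a constructed packet sample.
Added example; not taken from the training deck. The Packet fields, the
broadcast heuristic and the flood threshold are assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass

IP_MAX_BYTES = 65535          # maximum IPv4 datagram size
PING_FLOOD_THRESHOLD = 5      # echo requests per (src, dst) in the sample; assumed


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                # "icmp" or "tcp"
    icmp_type: int = -1       # 8 = echo request; -1 when not applicable
    tcp_flags: str = ""       # e.g. "S" for SYN
    frag_id: int = 0          # IP identification field, groups fragments
    frag_offset: int = 0      # byte offset of this fragment in the datagram
    length: int = 0           # payload bytes carried by this fragment
    more_fragments: bool = False


def is_broadcast(ip):
    # Simplification: a host part of .255 is treated as a directed broadcast (assumption)
    return ip.endswith(".255")


def detect(packets):
    """Return a sorted list of (kind, detail) findings for the packet sample."""
    findings = set()
    echo_counts = Counter()
    frag_groups = defaultdict(list)
    for p in packets:
        # LAND: SYN whose source address equals its destination address
        if p.proto == "tcp" and "S" in p.tcp_flags and p.src == p.dst:
            findings.add(("LAND", "forged SYN with src == dst %s" % p.src))
        # Smurf: echo request aimed at a broadcast address (the amplifier)
        if p.proto == "icmp" and p.icmp_type == 8:
            if is_broadcast(p.dst):
                findings.add(("Smurf", "echo request to broadcast %s from %s" % (p.dst, p.src)))
            echo_counts[(p.src, p.dst)] += 1
        # Collect fragments so reassembly properties can be checked per datagram
        if p.more_fragments or p.frag_offset > 0:
            frag_groups[(p.src, p.dst, p.frag_id)].append(p)
    # Ping flood: many echo requests from one source to one unicast target
    for (src, dst), n in echo_counts.items():
        if n >= PING_FLOOD_THRESHOLD and not is_broadcast(dst):
            findings.add(("Ping flood", "%d echo requests %s -> %s" % (n, src, dst)))
    for (src, dst, fid), frags in frag_groups.items():
        frags = sorted(frags, key=lambda f: f.frag_offset)
        # Ping of death: fragments reassemble beyond the maximum datagram size
        end = max(f.frag_offset + f.length for f in frags)
        if end > IP_MAX_BYTES:
            findings.add(("Ping of death", "datagram id=%d reassembles to %d bytes %s -> %s" % (fid, end, src, dst)))
        # Teardrop: a fragment starts before the previous fragment ends
        prev_end = 0
        for f in frags:
            if f.frag_offset < prev_end:
                findings.add(("Teardrop", "overlapping fragments id=%d %s -> %s" % (fid, src, dst)))
                break
            prev_end = f.frag_offset + f.length
    return sorted(findings)


VICTIM = "10.0.0.5"
# Constructed sample: one benign SYN, one benign ping, then one instance of each attack
SAMPLE = [
    Packet("10.0.0.11", VICTIM, "tcp", tcp_flags="S"),
    Packet("10.0.0.12", VICTIM, "icmp", icmp_type=8),
    Packet(VICTIM, VICTIM, "tcp", tcp_flags="S"),                           # LAND
    Packet("10.0.0.9", "192.168.1.255", "icmp", icmp_type=8),              # Smurf
    *[Packet("10.0.0.7", VICTIM, "icmp", icmp_type=8) for _ in range(6)],  # Ping flood
    Packet("10.0.0.6", VICTIM, "icmp", icmp_type=8, frag_id=77, frag_offset=0, length=1480, more_fragments=True),
    Packet("10.0.0.6", VICTIM, "icmp", frag_id=77, frag_offset=65000, length=1000),  # Ping of death
    Packet("10.0.0.8", VICTIM, "icmp", icmp_type=8, frag_id=78, frag_offset=0, length=1000, more_fragments=True),
    Packet("10.0.0.8", VICTIM, "icmp", frag_id=78, frag_offset=600, length=500),     # Teardrop
]


def kinds(packets):
    """Set of attack kinds detected in a packet sample."""
    return {kind for kind, _ in detect(packets)}


if __name__ == "__main__":
    for kind, detail in detect(SAMPLE):
        print("%-14s %s" % (kind, detail))
```

The checks are stateless apart from the per-sample counters, which is why the flood threshold is applied over the whole sample rather than a time window; a real sensor would count echo requests per second and reset, but the signatures (source equals destination, echo to broadcast, reassembled size over 65535, overlapping fragment offsets) are the same ones the slide names.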
Application Attacks
Over enthusiastic customers
Amarillo
Password Attacks
- Password theft: sniffing passwords (e.g. L0PHT2.0), shoulder surfing, sticky notes
- Password guessing/cracking: dozens of tools available free on the Internet (e.g. L0PHTCrack)
- Social engineering: help desk, phishing
- Could be more than just passwords: personal information, credit card security codes
Attacks
- Social engineering
- Physical theft
Attacks - Eavesdropping
- Wireless networks
- Wireless telephones (no encryption)
- Stand next to a person using a mobile
Attacks - Hacking
Action at a distance or inside the organization?
- Web site defacement
- Changing data
- Stealing data
Attacks
- Tsunami
[Table: attack types (DOS, masquerading) mapped against the properties they affect: confidentiality, integrity, availability.]
- Spam filters
- Firewalls, VPN
- Data protection
[Figure: risk chain: exploits a vulnerability -> violates an asset -> causes an adverse impact.]
Major Domains
- Information security policy
- Organisation of information security
- Human resource security
- Asset management
- Access control
- Cryptographic
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development and maintenance
- Supplier relationship
- Information security incident management
- Information security aspects of business continuity management
- Compliance
Also shown: security incidents, disasters, new business opportunities, changes in business, knowledge of new threats
Frameworks: risk management framework, incident management framework, disaster recovery, BIA
Aids in the selection of appropriate and cost-effective controls
Annex A
Annex A No   Domain                                                            Control Objectives   Controls
A5           Information security policy
A6           Organisation of information security
A7           Human resource security
A8           Asset management                                                                       10
A9           Access control                                                                         14
A10          Cryptographic                                                                          02
A11          Physical and environmental security                                                    15
A12          Operations security                                                                    14
A13          Communications security
A14          System acquisition, development and maintenance                                        14
A15          Supplier relationship
A16          Information security incident management
A17          Information security aspects of business continuity management
A18          Compliance
Total                                                                          35                   115
Email
- Use for work-related emails only
- Never send confidential information by email unless it is encrypted
- Always check that you are sending an email to the correct person
- Read and comply with the Email Policy
- Protect your email password: email is often used to verify password resets in other applications
Phishing Emails
Attacks
- Mass - random
- Spear - targeted on one organisation
- Whaling - targeted on one individual
Types
- Click-through
- Attachments
- Web form capture
How do I tell?
- Unexpected
- Spelling mistakes
- Lack of personal information used
- Asking for an action: open attachment, go to website, provide information
- confidential transactions
- Don't download unknown programs
- Limit work-related information posted on social media sites
- Do not visit sites that are against the Internet Acceptable Use Policy
Anti-Virus
Never disable your anti-virus protection
Mobile Computing
Removable Media
Information Disposal
- Dispose of information appropriately according to its type
- Confidential information must be disposed of securely
- Paper must be shredded
- Electronic devices or media that may contain confidential information must be disposed of securely
- Hard disks may be shredded
Security Incidents
- An incident may be an actual or potential breach of policy or loss of data
- Information security incidents should be reported to the IT Help Desk
- In some cases there may be a need to treat the area as a crime scene
- Evidence should be preserved where possible
ISMS @ ORGANISATION
Security Organization
- Apex Committee: CEO/CTO/CISO
- ISMS Forum: IT Head, HR Head
- IS Task Force: Project Managers, Administrators, IS Team Member
- Audit Committee:
- BCP Team:
- DRP Team:
Conclusion
Summary
- We must protect our information assets
- The consequences to the organisation are potentially very severe
- The organisation will do what it can, but you have a key part to play in achieving this
- Be careful and vigilant, especially on the Internet
- If you're unsure, please ask your manager
Quiz
1. Name three of our information assets
2. Name two groups who may try to gain unauthorised access to our information assets
3. Give two ways in which the organisation may be affected by an information security breach
4. ISO/IEC xxxxx is the information security standard; what is xxxxx?
5. Give an example of a strong password
Quiz cont.
6. If you recognise a phishing email, what should you do with it?
7. If you find a USB memory stick in the car park, what action should you take?
8. What are your responsibilities when you have a visitor?
9. Who would you report an information security incident to?
10. Whose responsibility is information security within our organisation?
?
Thank you for your attention
ni3online@gmail.com
+91 9823146393