Welcomes participants to the User Awareness Training on ISMS, ISO/IEC 27001:2013

Pyramid

ISMS Awareness ISO:27001:2013

Acknowledgements

All trademarks and registered trademarks are the property of their respective owners (if any).
Copyright material is reproduced with the kind permission of the respective organization (if any).

Agenda

- ISO
- ISO 27000:2013 - ISMS Concepts & Benefits
- Information & Information Security
- Process model - PDCA
- Assets, Threats, Vulnerabilities, Impacts, Attacks, Risk
- An Introduction to ISO 27001:2013
- ISO 27001:2013 Inside
- ISO 27001:2013 Major Domains
- ISO 27001:2013 Annex A
- ISMS Practice applies to you
- ISMS @ organization
- Summary
- Quiz

This training does NOT address

- Tools
- Task-level detail
- Specifics of disaster
- Detailed implementation of ISMS
- A cookbook (how to set up)

This training addresses

- Roles and responsibilities
- Concept & practice
- Converting the concept into practice

ISO

ISO - International Organization for Standardization

This is a third-party organization:

- World's largest developer of standards
- Head office in Geneva, Switzerland
- 200 countries are members of this organization
- Non-governmental organization

ISO is a word derived from Greek, meaning EQUAL:

- ISOMETRIC - equal measure or dimensions
- ISONOMY - equality of laws
- ISOTOPE - possessing almost identical properties

ISO 27001: A Brief History

- 2013: ISO 27001
- 2005: ISO 27001
- 2002: Revisions to BS 7799 (PDCA)
- 2000: ISO/IEC 17799 published
- 1998: BS 7799 Part 2 Specification
- 1995: BS 7799 Part 1 Code of Practice
- Initiative from the UK Department of Trade and Industry

ISO 27001:2013

ISMS: Information Security Management System.
Definition: It is a part of the overall documented management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security.

ISO 27001:2013 (ISMS certification framework)

A standard for Information Security Management Systems

- Provides the ISMS requirements and the specifications of controls for certification
- Aligned with ISO 9001 / ISO 14001 / ISO 18000
- Mature and being nurtured (past, present and future)

ISO 27001:2013 is NOT

- A technical standard
- Product or technology driven
- An equipment evaluation methodology such as the Common Criteria / ISO 15408
- Related to the "Generally Accepted System Security

ISO 27001:2013 is

- An internationally recognized structured methodology dedicated to information security (IS)
- A defined process to evaluate, implement, maintain, and manage IS
- A comprehensive set of controls drawn from best practices in IS
- Developed by industry for industry
- A risk-based process approach

Benefits of ISO 27001

- International standard addressing information security
- Promotes best practice
- Systematic / structured approach
- Provides a means for corporate governance
- Provides a market differentiator
- Increases business opportunity
- Manages risk at reduced cost in an effective and efficient manner
- Influences the quality of systems; increases product and service quality
- Minimizes financial losses
- Reduces reputational risk
- Maximizes return on investment

Benefits of ISO 27001

- Improved understanding of business aspects
- Aligns processes with business objectives
- Reduces operational risk
- Protects information from a range of threats
- Opportunity to identify and fix weaknesses
- Better incident management
- Ensures business continuity
- Enhances knowledge of, and the importance given to, security-related issues at organization / company level
- Ease of access
- Creates an information security culture in the organization

Information

Data: data is raw; it simply exists and has no significance beyond its existence (in and of itself).
Information = meaningful data.

Information exists in many forms: paper, data, email, software, print, written on paper, stored electronically, transmitted by post or by electronic means, shown on films or spoken in conversation, shown on corporate videos, displayed or published on the web, spoken verbally in conversations.

Information can be: created, stored, destroyed, processed, transmitted, used (for proper and improper purposes), corrupted, lost, stolen.

Information

Today's reality:

- Buy - financial information
- Use - login information
- Extort - carding fraud
- Steal - competitive information
- New attackers: cyber crime, mafia, hackers and company insiders
- Perpetuated by outdated technology, human factors, continual security changes, limited control

Information Technology

Information Technology (IT) is concerned with the technology used to treat information.

- IT infrastructure consists of the equipment, systems, software, and services used in common across an organization, regardless of mission/program/project
- IT infrastructure serves as the foundation upon which mission/program/project-specific systems and capabilities are built

What do we have in the IT structure?

- Hardware: desktop, laptop, server, network
- Software: OS, MS Office, front end, etc.
- People (skill sets), facilities
- Data

What problems do we face?

- System breakdown / device malfunctions
- Data lost, password lost, connectivity lost
- Data accessed by unauthorized users
- Continuity lost

Security

The quality or state of being secure: to be free from danger

- Security is achieved using several strategies simultaneously or in combination with one another
- Security is not something you buy, it is something you do
- Monitored 24x7x365

Security is for PPT and not only for appliances or devices:

- PEOPLE - organization staff: who we are
- PROCESSES - business processes: what we do
- TECHNOLOGY - technology used by the organization: what we use

Security breaches lead to

- Reputation loss
- Financial loss
- Intellectual property loss
- Legislative breaches leading to legal action (cyber law)
- Loss of customer confidence
- Business interruption costs
- Goodwill loss

Information Security

Preservation of Confidentiality, Integrity and Availability

Information Security

Protection of the C I A of assets

Confidentiality - the property that information is not made available or disclosed to unauthorized individuals, entities, or processes. Ensuring that information is accessible only to those authorized to have access.

Integrity - the property of safeguarding the accuracy and completeness of assets. Ensuring the accuracy and completeness of information and processing methods.

Availability - the property of being accessible and usable upon demand by authorized users. Ensuring that authorized users have access to information and associated assets when required.

Let's try to find a type of organization (or a single organization) where any of these concepts wouldn't apply.

CIA: Aim of ISMS (figure)

ISMS PDCA Model (figure)

Maturity

Deming's Circle (Shewhart Cycle): PLAN - DO - CHECK - ACT

(figure: the PDCA cycle shown as a wheel climbing a slope against a time scale)

- Effective improvement
- Consolidation of the level reached, i.e. a baseline
- Continuous step-by-step improvement; continuous improvement is a subset of continual improvement

Asset - anything that has value to the organization (what you are trying to protect)

(figure: buildings, infrastructures, environmental conditions, electricity)

Assets - hardware, backups, forensic evidence, communication channels

(figure: hardware, forensic evidence, communication channels)

Assets - information containers (figure)

Asset - sensitive information, and You (figure)

Threats - something that can potentially cause damage to the organization (events you are protecting your assets against)

(figure: intrusion, malware, phishing, identity loss, data loss, compliance)

Information Threats

- Intrusion - entrance by force without permission (the unauthorized act of bypassing a security mechanism)
- Malware - malicious software designed to infiltrate or damage a computer system without the owner's consent
- Phishing - a single unique message sent to targets with the intent of gaining confidential or personal information
- Identity loss - loss of an individual's information
- Data loss - unforeseen loss of data or information
- Compliance - acting according to certain standards
- Hacking - action at a distance or inside the organization

Threat agent: the catalyst that performs the threat (human, environmental, intentional, accidental)

(figure: rioters, contractors, disaffected workers)

Threat Agents

- Employees
- Hackers
- Fraudsters
- Thieves
- Terrorists

Threat Agents - war (figure)

Vulnerabilities - a weakness / hole in an organization (how the events might occur)

Vulnerabilities

- Addressing information can be forged
- Arbitrary program code can be executed
- Communication lines can be tapped
- Messages can be intercepted
- Ease with which software can be changed

Vulnerabilities

- Attractiveness of our information
- Electromagnetic radiation
- Information containers are not particularly heavy and can be easily moved

Vulnerability? (figure)

Impacts

- Court action against the organization
- Court action against an employee
- Loss of monetary value of assets
- Inability to carry out some or all of your business

Attack

An attack is any malicious or accidental disruption of the confidentiality, integrity, or availability of information.

A few basic types of attacks are: access, modification, denial of service, and repudiation.

Attacks can originate from:

- Electronic (external or internal network)
- Physical (hardware / equipment misappropriation)
- Human (social engineering)

Viruses, Trojan Horses, Masquerading, Denial of Service

- New viruses are discovered every day
- Contagious, often of pandemic proportion
- Impact depends on the payload: denial of service, disclosure, back doors, time bombs

Network Attacks

- Ping floods (keep asking "are you there?")
- Smurf (ping flood to an IP broadcast address)
- Ping of death (fragmented ping packet > 65535 bytes)
- Teardrop (fragmented packets that overlap)
- LAND (forged SYN packets force the target to talk to itself)
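
The five patterns above each leave a recognisable trace in traffic, which is what a network monitor looks for. The script below is an added example, not material from the original training deck: it runs the slide's definitions as detection rules over a small set of constructed packet summaries (plain dictionaries, not real captures). The per-second ping threshold, the toy /24 broadcast check and the field names are assumptions chosen for illustration.

```python
"""Detect the network attack patterns named on the slide (ping flood, Smurf,
ping of death, teardrop, LAND) in a list of packet summaries.

Added example, not part of the original deck. Packet records are constructed
dictionaries; thresholds and field names are assumptions.
"""
from collections import Counter, defaultdict

PING_FLOOD_THRESHOLD = 100   # echo requests per second from one source (assumed)
BROADCAST_SUFFIX = ".255"    # toy /24 broadcast check (assumption)
MAX_IP_DATAGRAM = 65535      # largest legal reassembled IPv4 datagram

# Constructed sample traffic. Fields: ts (seconds), proto, src, dst, and for
# TCP "flags", for ICMP "type" (8 = echo request), for fragments
# "frag_id", "frag_offset" (bytes), "length" (bytes) and "mf" (more fragments).
SAMPLE_PACKETS = [
    # LAND: forged SYN whose source equals its destination
    {"ts": 0.0, "proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.5", "flags": "S"},
    # Smurf: echo request aimed at the broadcast address
    {"ts": 0.1, "proto": "icmp", "type": 8, "src": "10.0.0.9", "dst": "10.0.0.255"},
    # Ping of death: last fragment pushes the reassembled size past 65535
    {"ts": 0.2, "proto": "icmp", "type": 8, "src": "10.0.0.7", "dst": "10.0.0.1",
     "frag_id": 1, "frag_offset": 65528, "length": 100, "mf": False},
    # Teardrop: two fragments of one datagram that overlap
    {"ts": 0.3, "proto": "udp", "src": "10.0.0.8", "dst": "10.0.0.1",
     "frag_id": 2, "frag_offset": 0, "length": 1000, "mf": True},
    {"ts": 0.3, "proto": "udp", "src": "10.0.0.8", "dst": "10.0.0.1",
     "frag_id": 2, "frag_offset": 800, "length": 400, "mf": False},
]
# Ping flood: 200 echo requests from one host inside a single second
SAMPLE_PACKETS += [
    {"ts": 1.0 + i / 200, "proto": "icmp", "type": 8, "src": "10.0.0.3", "dst": "10.0.0.1"}
    for i in range(200)
]


def detect(packets):
    """Return a list of (alert_name, source_ip) tuples for the patterns found."""
    alerts = []
    echo_per_src_second = Counter()
    fragments = defaultdict(list)   # (src, dst, frag_id) -> [(start, end), ...]

    for p in packets:
        # LAND: SYN with src == dst
        if p["proto"] == "tcp" and p["src"] == p["dst"] and "S" in p.get("flags", ""):
            alerts.append(("LAND", p["src"]))

        is_echo = p["proto"] == "icmp" and p.get("type") == 8
        if is_echo:
            # Smurf: echo request to a broadcast address
            if p["dst"].endswith(BROADCAST_SUFFIX):
                alerts.append(("SMURF", p["src"]))
            # count echo requests per source per whole second for flood detection
            echo_per_src_second[(p["src"], int(p["ts"]))] += 1

        if "frag_id" in p:
            end = p["frag_offset"] + p["length"]
            # Ping of death: reassembled datagram would exceed the IP maximum
            if end > MAX_IP_DATAGRAM:
                alerts.append(("PING_OF_DEATH" if is_echo else "OVERSIZED_DATAGRAM", p["src"]))
            fragments[(p["src"], p["dst"], p["frag_id"])].append((p["frag_offset"], end))

    for (src, _sec), n in echo_per_src_second.items():
        if n >= PING_FLOOD_THRESHOLD:
            alerts.append(("PING_FLOOD", src))

    # Teardrop: any fragment that starts before the previous one ends
    for (src, _dst, _fid), frags in fragments.items():
        frags.sort()
        for (_s1, e1), (s2, _e2) in zip(frags, frags[1:]):
            if s2 < e1:
                alerts.append(("TEARDROP", src))
                break
    return alerts


if __name__ == "__main__":
    for name, src in detect(SAMPLE_PACKETS):
        print(f"{name:15} from {src}")
```

Each rule keys on the property the slide gives as the attack's definition (source equals destination, broadcast destination, reassembled size, overlapping offsets, request rate), which is also why these are cheap to detect at a firewall or IDS once the rule exists.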

Application Attacks

- Over-enthusiastic customers: computers can't cope with the load
- Amarillo: a multi-MB video that recipients sent on to their friends
- Changing software to steal airtime, e.g. free international mobile calls
- Exploiting ineffective financial controls in business systems to commit fraud (Enron, Barings)
- Errors (e.g. in December 2005 a clerk sold 6500 shares at 1 yen instead of 1 share at 6500 yen, with a loss estimated at 225M US$)

Password Attacks

- Password theft: sniffing passwords (e.g. L0PHT2.0), shoulder surfing, sticky notes
- Password guessing / cracking: dozens of tools available free on the Internet (e.g. L0PHTCrack)
- Social engineering: help desk, phishing
- Could be more than just passwords: personal information, credit card security codes

Attacks - social engineering, physical theft (figure)

Attacks - Eavesdropping

- Wireless networks
- Wireless telephones (no encryption)
- Standing next to a person using a mobile

Attacks - Hacking

Action at a distance or inside the organization?

- Web site defacement
- Changing data
- Stealing data

Attacks

- Tsunami
- Fire, flood, storm: don't mix with IT
- Hurricane, earthquake, terrorist attack

Attack vs CIA

Attack       | Confidentiality | Integrity | Availability
Access       | Yes             |           |
Modification |                 | Yes       |
DoS          |                 |           | Yes
Masquerading |                 |           | Yes

Information Security Solutions

- Information security culture in the organization
- Awareness
- Antivirus
- Spam filters
- Firewalls, VPN
- Data protection
- Security enforced end to end
- Compliance and industry certifications

Risk - unpredictable outcome

(figure: an event, i.e. a threat, exploits a vulnerability, violates an asset, and causes an adverse impact)

Risk

- Identify the information assets
- Identify the vulnerabilities
- Identify the threat and threat agent
- Assess the risk in terms of impact
- Assess the risk in terms of probability
- Analyze the risk in terms of the cost of control implementation and maintenance
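
The six steps above form one procedure, so here is a single worked run of it as an added example (not from the original deck): a small risk register that records asset, vulnerability, threat and threat agent, scores impact times probability, and then weighs each risk against the annual cost of its control. The register entries, the 1-5 rating scales, the band thresholds and every cost figure are constructed assumptions for illustration.

```python
"""Worked risk assessment following the slide's steps: identify information
assets, vulnerabilities, threats and threat agents; assess impact and
probability; weigh the risk against the cost of implementing and maintaining
a control.

Added example, not part of the original training deck. Register entries,
rating scales, band thresholds and cost figures are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    vulnerability: str
    threat: str
    threat_agent: str
    impact: int            # 1 (negligible) .. 5 (severe), assumed scale
    probability: int       # 1 (rare) .. 5 (almost certain), assumed scale
    annual_loss: float     # expected yearly loss if untreated (constructed)
    control: str
    control_cost: float    # yearly cost to implement and maintain (constructed)

    @property
    def score(self) -> int:
        # risk score = impact x probability on the assumed scales (max 25)
        return self.impact * self.probability


def rating(score: int) -> str:
    """Map a score to a band; the thresholds are an assumption."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def treatment(risk: Risk) -> str:
    """Cost-of-control analysis: mitigate when the control costs less than the
    loss it averts; otherwise accept low risks and escalate the rest."""
    if risk.control_cost < risk.annual_loss:
        return "Mitigate"
    return "Accept" if rating(risk.score) == "Low" else "Escalate"


# Constructed register (not real data)
REGISTER = [
    Risk("Customer database", "unpatched web server", "Intrusion", "Hacker",
         5, 4, 200_000.0, "Patch management", 15_000.0),
    Risk("Staff laptops", "no disk encryption", "Data loss", "Thief",
         4, 3, 30_000.0, "Whole-disk encryption", 5_000.0),
    Risk("Mailboxes", "no second factor on webmail", "Phishing", "Fraudster",
         3, 4, 8_000.0, "Two-factor authentication", 12_000.0),
    Risk("Office printer", "shared PIN", "Unauthorised printing", "Employee",
         1, 2, 200.0, "Per-user PIN", 1_000.0),
]


def assess(register):
    """Return (asset, score, rating, treatment) rows, highest risk first."""
    rows = [(r.asset, r.score, rating(r.score), treatment(r)) for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for asset, score, band, action in assess(REGISTER):
        print(f"{asset:18} score={score:2} {band:6} -> {action}")
```

The "Mailboxes" row is the instructive one: the score is Medium, yet the control costs more than the estimated loss, so the tool does not decide for you and escalates it, which is the point of the last step on the slide.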

ISO 27001:2013 Inside

- Management clauses 4 to 10
- Annex A: 14 domains, 35 control objectives, 115 controls

Domains: a territory over which rule or control is exercised
Control objectives: a specific result that an organization or system aims to achieve within a time frame and with available resources
Controls: a practice, procedure or mechanism that reduces risk

Major Domains

(figure: the 14 Annex A domains arranged around the ISMS)

- Information Security Policy
- Organisation of Information Security
- Human Resource Security
- Asset Management
- Access Control
- Cryptographic
- Physical and Environmental Security
- Operations Security
- Communications Security
- System Acquisition, Development and Maintenance
- Supplier Relationship
- Information Security Incident Management
- Information Security Aspects of Business Continuity Management
- Compliance

Inputs driving the ISMS: security incidents, disasters, new business opportunities, changes in business, knowledge of new threats

Supporting frameworks: Risk Management Framework, Incident Management Framework, Disaster Recovery, BIA (aids in the selection of appropriate and cost-effective controls)

Annex A

Annex A No | Domain                                                         | Control Objectives | Controls
A5         | Information Security Policies                                  |                    |
A6         | Organization of Information Security                           |                    |
A7         | Human resources security                                       |                    |
A8         | Asset management                                               |                    | 10
A9         | Access Control                                                 |                    | 14
A10        | Cryptographic                                                  |                    | 02
A11        | Physical and environmental Security                            |                    | 15
A12        | Operations security                                            |                    | 14
A13        | Communications Security                                        |                    |
A14        | System acquisition, development, and maintenance               |                    | 14
A15        | Supplier Relationship                                          |                    |
A16        | Information Security Incident management                       |                    |
A17        | Information Security aspects of Business Continuity Management |                    |
A18        | Compliance                                                     |                    |
Total      |                                                                | 35                 | 115

Access and Passwords

- Only use your own user accounts
- Never let anyone else use your user account
- Choose a strong password
- Never tell anyone your password
- Never write it down
- Use a different password for each system
- Use two-factor authentication where possible

Email

- Use for work-related emails only
- Never send confidential information by email unless it is encrypted
- Always check that you are sending an email to the correct person
- Read and comply with the Email Policy
- Protect your email password: email is often used to verify password resets in other applications

Phishing Emails

Attacks:

- Mass - random
- Spear - targeted on one organisation
- Whaling - targeted on one individual

Types:

- Click-through
- Attachments
- Web form capture

How do I tell?

- Unexpected
- Spelling mistakes
- Lack of personal information used
- Asking for an action: open an attachment, go to a website, provide information

Beware! They are becoming increasingly convincing.

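
The "How do I tell?" indicators are a checklist, and a checklist can be run by a mail filter as well as by a reader. The following is an added example, not part of the original deck: it scores a message against exactly those indicators (unexpected sender, spelling mistakes, no personal information, a request for an action) and flags a message that trips several of them. The two sample messages, the known-sender list, the misspelling list, the action patterns and the "three or more" threshold are all constructed assumptions.

```python
"""Score e-mail messages against the slide's "How do I tell?" indicators:
unexpected sender, spelling mistakes, lack of personal information, and a
request for an action (open an attachment, go to a website, provide information).

Added example, not part of the original training deck. Sample messages,
allow-list, misspelling list, patterns and threshold are constructed assumptions.
"""
import re

# Assumed allow-list of senders the recipient expects mail from
KNOWN_SENDERS = {"payroll@example.com", "it-helpdesk@example.com"}
# Constructed list of typical misspellings; a real filter would use a dictionary
MISSPELLINGS = {"recieve", "acount", "verfy", "urgnet", "suspened"}
# Requests for an action, as regular expressions (assumed patterns)
ACTION_PATTERNS = {
    "open an attachment": r"\b(open|see|review) the attach",
    "go to a website": r"\b(click|visit|go to)\b.*\bhttps?://",
    "provide information": r"\b(confirm|provide|enter|verify) your (password|details|account|card)",
}


def indicators(msg: dict, recipient_name: str) -> list:
    """Return the list of indicators present in one message."""
    found = []
    if msg["from"].lower() not in KNOWN_SENDERS:
        found.append("unexpected sender")
    words = set(re.findall(r"[a-z]+", msg["body"].lower()))
    if words & MISSPELLINGS:
        found.append("spelling mistakes")
    if recipient_name.lower() not in msg["body"].lower():
        found.append("no personal information")
    for label, pattern in ACTION_PATTERNS.items():
        if re.search(pattern, msg["body"], re.IGNORECASE):
            found.append("asks you to " + label)
    if msg.get("attachments"):
        found.append("carries an attachment")
    return found


def classify(msg: dict, recipient_name: str) -> tuple:
    """Three or more indicators (assumed threshold) -> suspicious; report it."""
    found = indicators(msg, recipient_name)
    verdict = "suspicious" if len(found) >= 3 else "probably legitimate"
    return verdict, found


# Constructed sample messages (not real mail)
PHISH = {
    "from": "security@examp1e.com",    # look-alike domain, constructed
    "subject": "Account suspended",
    "body": ("Dear customer, your acount has been suspened. Click here "
             "https://login.example.net/ to verify your password within 24 hours."),
    "attachments": [],
}
LEGIT = {
    "from": "payroll@example.com",
    "subject": "March payslip",
    "body": "Hi Priya, your March payslip is attached as usual; see the attached PDF. No action needed.",
    "attachments": ["payslip-march.pdf"],
}

if __name__ == "__main__":
    for name, msg in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        verdict, found = classify(msg, "Priya")
        print(f"{name}: {verdict} {found}")
```

Note that the legitimate payslip mail still trips two indicators (it asks you to open an attachment and carries one), which is why a single indicator is never enough and the slide's advice is to weigh them together.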
Using the Internet

- Don't disable your firewall software
- Ensure your browser and associated programs are up to date
- Check that links go to the site stated
- Check for HTTPS and the padlock symbol when performing confidential transactions
- Don't download unknown programs
- Limit work-related information posted on social media sites
- Do not visit sites that are against the Internet Acceptable Use Policy

Anti-Virus

- Never disable your anti-virus protection
- Keep your AV signatures and updates current
- Allow a scan to be performed regularly
- Report any viruses found to the IT Help Desk

Mobile Computing

- Never leave a device unattended in a public place or vehicle
- Keep it locked away when not in use
- No confidential information is to be stored on mobile devices unless previously approved
- Use a screen lock and, if possible, whole-disk encryption
- Do not install unauthorised software
- Do not allow others to use your business device
- Consider backups and anti-virus protection

Removable Media

- Any attachable device with storage, e.g. USB drives, memory cards, CD/DVDs
- Should not be used unless previously approved
- Must be encrypted if confidential information is to be stored
- Never insert unknown media into your PC or device, e.g. a USB stick you have found

Information Disposal

- Dispose of information appropriately according to its type
- Confidential information must be disposed of securely
- Paper must be shredded
- Electronic devices or media that may contain confidential information must be disposed of securely
- Hard disks may be shredded

Security Incidents

- An incident may be an actual or potential breach of policy or loss of data
- Information security incidents should be reported to the IT Help Desk
- In some cases there may be a need to treat the area as a crime scene
- Evidence should be preserved where possible

ISMS @ ORGANISATION

Security Organization

- Apex Committee: CEO / CTO / CISO
- ISMS Forum: IT Head, HR Head
- IS Task Force: Project Managers, Administrators, IS Team Members
- Audit Committee: appointed by the Apex Committee
- BCP Team: appointed by the Apex Committee / ISMS Forum
- DRP Team: appointed by the Apex Committee / ISMS Forum

Conclusion

Business of every business is to remain in business

Summary

- We must protect our information assets
- The consequences to the organisation are potentially very severe
- The organisation will do what it can, but you have a key part to play in achieving this
- Be careful and vigilant, especially on the Internet
- If you're unsure, please ask your manager

Quiz

1. Name three of our information assets
2. Name two groups who may try to gain unauthorised access to our information assets
3. Give two ways in which the organisation may be affected by an information security breach
4. ISO/IEC xxxxx is the Information Security standard; what is xxxxx?
5. Give an example of a strong password

Quiz cont.

6. If you recognise a phishing email, what should you do with it?
7. If you find a USB memory stick in the car park, what action should you take?
8. What are your responsibilities when you have a visitor?
9. Who would you report an information security incident to?
10. Whose responsibility is information security within our organisation?

Question & Answer

Thank you for your attention

ni3online@gmail.com
+91 9823146393
