This document discusses information security management systems (ISMS). It defines information and its lifecycle, including how information can be created, stored, processed, transmitted, used, lost, corrupted, etc. It then defines the key aspects of information security - integrity, availability, and confidentiality. It emphasizes that information is a valuable asset for organizations that needs to be protected. The document outlines some of the main components of establishing an ISMS, including risk management, policies, training, and processes. It also discusses ISO 27001 as the international standard for ISMS and its various control areas.
2. INFORMATION SECURITY Management System Dr Kalpesh Parikh
What is Information?
“Information is an asset which, like other important business assets, has value to an organisation and consequently needs to be suitably protected.”
BS 7799-1:2000
Types of Information
• Printed or written on paper
• Stored electronically
• Transmitted by post or using electronic means
• Shown on corporate videos
• Verbal - spoken in conversations
“…Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected.”
(ISO/IEC 17799:2000)
Information Lifecycle
Information can be:
• Created
• Stored
• Processed
• Transmitted
• Used (for proper and improper purposes)
• Lost!
• Corrupted!
• Destroyed?
What is Information Security?
• Integrity: safeguarding the accuracy and completeness of information and processing methods.
• Availability: ensuring that authorized users have access to information and associated assets when required.
• Confidentiality: ensuring that information is accessible only to those authorized to have access.
How to Achieve Information Security
• Attitude building
• Efforts vs. value of asset
• Segmentation
• Harmonization
• Concept of insurance
• Managing risk
• Objective evidence through monitoring and analysis
Why Information Security Management System?
Information is an Asset
• Its theft may not even be noticed
• The challenge: you don’t know how to know
• Theoretically any information can get stolen
• Affects everyone
• Technical and technological measures are only a subset of the complete domain
• Dynamic in nature
• Very complex to manage
ISMS - Commitment
“You have my full commitment… apart from money, time, resources and attention, and just so long as I don’t have to be involved.”
ISG - Risk Management – Onion Structure
Layers shown on the slide: Management, Policies, Standards, Training, Processes, Human Firewall, Information, Environment, Technology.
ISMS – Information Assets and Valuation
• An inventory of all important assets shall be drawn up and maintained. Accountability shall be defined.
• What are assets? Anything to which the organisation assigns value, e.g. information assets, paper documents, software, physical assets, people, company image and reputation, services.
• Which assets? Those whose absence or degradation materially affects delivery of a product or service.
• Valuation: which system? 0 to 5 (quantitative), or low to very high (qualitative).
ISMS - Risk Assessment
Threat:
“Potential to cause an unwanted incident which may result in harm to a system or organization and its assets.”
E.g. natural disaster, human, technological, theft/loss.
Vulnerability:
A vulnerability is a weakness or hole in an organisation’s information system.
E.g. unprotected cabling, unstable power grid, wrong allocation of passwords.
ISMS - Risk Assessment
Risk: the possibility of incurring misfortune or loss; hazard (to expose to danger or loss).
At risk: vulnerable; likely to be lost or damaged.
Security risk: the potential that a given threat will exploit vulnerabilities to cause loss or damage to an asset or group of information assets.
Measuring risk:
Risk = Value of asset × Threat × Vulnerability × Probability of happening
ISMS - Risk Treatment Plan
A coordinated document defining the actions to reduce unacceptable risks and implement the required controls to protect information.
Direction: Treat, Transfer, Terminate, Tolerate
Treatment:
• Define an acceptable level of residual risk
• Constantly review threats and vulnerabilities
• Review existing controls
• Apply additional security controls
• Introduce policies and procedures
Controls: which controls? / selection of controls
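The risk formula from the assessment slide and the four treatment directions above, worked through on a small asset register as an added example (not from the deck). The 0-to-5 factor scale is the deck's; the band boundaries, the acceptable residual level, the direction rules and the sample assets are constructed assumptions.

```python
"""Risk register worked through with the deck's formula
Risk = Value of asset x Threat x Vulnerability x Probability of happening (each 0-5).
Bands, acceptable residual, direction rules and sample assets are constructed."""
from dataclasses import dataclass, replace

ACCEPTABLE_RESIDUAL = 50  # constructed: only "low" risks are tolerated
# Constructed lower bounds for the qualitative scale (max score 5**4 = 625).
BANDS = ((300, "very high"), (150, "high"), (50, "medium"), (0, "low"))

@dataclass(frozen=True)
class Risk:
    asset: str
    value: int          # value of asset, 0-5
    threat: int         # threat, 0-5
    vulnerability: int  # vulnerability, 0-5
    probability: int    # probability of happening, 0-5

def score(r: Risk) -> int:
    """Quantitative risk per the deck's formula; rejects out-of-scale factors."""
    factors = (r.value, r.threat, r.vulnerability, r.probability)
    if any(not 0 <= f <= 5 for f in factors):
        raise ValueError("each factor must be scored 0 to 5")
    return r.value * r.threat * r.vulnerability * r.probability

def qualitative(s: int) -> str:
    """Map a score onto the deck's low / medium / high / very high scale."""
    return next(name for floor, name in BANDS if s >= floor)

def direction(r: Risk) -> str:
    """Pick Treat, Transfer, Terminate or Tolerate (constructed decision rules)."""
    s = score(r)
    if s <= ACCEPTABLE_RESIDUAL:
        return "Tolerate"
    if r.value == 5 and r.vulnerability == 5:
        return "Terminate"  # critical asset, weakness too severe to control
    if r.threat >= 4 and r.vulnerability <= 2:
        return "Transfer"   # largely external threat: the deck's "concept of insurance"
    return "Treat"

def residual(r: Risk, vulnerability: int, probability: int) -> int:
    """Residual risk once a control lowers vulnerability and/or probability."""
    return score(replace(r, vulnerability=vulnerability, probability=probability))

def treatment_plan(register):
    """One row per risk: asset, score, qualitative band, chosen direction."""
    return [(r.asset, score(r), qualitative(score(r)), direction(r)) for r in register]

REGISTER = [Risk("customer database", 5, 4, 4, 3), Risk("printed HR files", 3, 2, 3, 2),
            Risk("data centre vs. natural disaster", 5, 4, 1, 3),
            Risk("legacy server, shared passwords", 5, 3, 5, 3)]
```

Running `treatment_plan(REGISTER)` gives one row per asset; `residual(REGISTER[0], 1, 2)` shows the customer database dropping to 40, i.e. into the tolerated band, once a control cuts its vulnerability and probability scores.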
ISMS - Statement of Applicability (SOA)
• The Statement of Applicability is a critique of the objectives and controls which the organization has selected as suitable to its business needs. The statement will also record the exclusion of any controls.
• Risk assessment will determine which controls should be implemented.
• Justification of which controls are relevant and not relevant.
ISO 27001 (ISMS) Control Areas
1. Security Policy
2. Security Organization
3. Asset Classification and Control
4. Personnel Security
5. Physical and Environmental Security
6. Communications and Operations Management
7. Access Control
8. Systems Development and Maintenance
9. Business Continuity Planning
10. Compliance