Implementing IT Security Program
Implementing ISO 27001 can enable enterprises to benchmark against competitors and to provide relevant information about IT security to vendors and customers, and it can enable management to demonstrate due diligence. It can foster efficient security cost management, compliance with laws and regulations, and a comfortable level of interoperability due to a common set of guidelines followed by the organizations. It can improve QA for IT security and increase security awareness among employees, customers, vendors, etc.

John Jay College of Criminal Justice © 2012

Cost of Implementation
• Internal resources
• External resources
• Certification
• Implementation

Planning for ISO 27001
• Business continuity planning
• System access control
• System acquisition, development and maintenance
• Physical and environmental security
• Compliance
• Information security incident management
• Personnel security
• Security organization
• Communication and operations management
• Asset classification and control
• Security policies

Three Stages of the Certification Process
1. Informal review of the IT security program
   • Organization's security policy
   • Risk treatment plan
   • Statement of applicability
2. Independent tests of the IT security program against the requirements, and obtaining management support
3. Follow-up reviews or periodic audits to confirm that the organization remains in compliance with the standard.

Planning
• Commitment of senior management is essential
• Team required:
  – Internal audit
  – IT
  – Legal
  – HR

Decision Making
• Business objectives and priorities
• Existing IT maturity levels
• User acceptability and awareness
• Internal audit capability
• Contractual obligations
• Customer requirements
• The enterprise's ability to adapt to change
• Adherence to internal processes
• Existing compliance efforts and legal requirements
• Existing training programs

Implementation
• Define an IT security policy
• Define the scope of the project
• Perform a security risk assessment
• Manage the identified risks
• Select controls to be implemented and applied
• Prepare a Statement of Applicability

1. Identify Business Objectives
• Increased marketing potential
• Assurance to the business partners of the organization's status with respect to information security
• Assurance to customers and partners about the organization's commitment to information security, privacy and data protection
• Increased revenue and profitability by providing the highest level of security for customers' sensitive data
• Identification of information assets and effective risk assessments
• Preservation of the organization's reputation and standing among industry leaders
• Compliance with industry regulation

2. Obtain Management Support
• An information security policy
• Information security objectives and plans
• Roles and responsibilities for information security, or a segregation of duties matrix that shows the list of the roles related to information security
• An announcement or communication to the organization about the importance of adhering to the information security policy
• Sufficient resources to manage, develop, maintain and implement the IT security program
• Determination of the acceptable level of risk
• Management review of the IT security program at planned intervals
• Assurance that personnel affected by the IT security program are provided with training
• Appointment of competent people for the roles and responsibilities that they are assigned to fulfill

3. Select the Proper Scope of Implementation
• The selected scope helps to achieve the identified business objectives
• The organization's overall scale of operations is an integral parameter needed to determine the compliance process's complexity level
• To find out the appropriate scale of operations, organizations need to consider the number of employees, business processes, work locations, and products or services offered
• Which areas, locations, assets and technologies of the organization will be controlled by the IT security program
• Will suppliers be required to abide by the IT security program?
• Are there dependencies on other organizations? Should they be considered?
• Any regulatory or legislative standards that apply to the areas covered by the IT security program should be identified

4. Define a Method of Risk Assessment
• The method to be used to assess the risk to identified information assets
• Which risks are intolerable and therefore need to be mitigated
• Managing the residual risk through carefully considered policies, procedures and controls

5. Prepare an Inventory of IT Assets to Protect, and Rank Assets According to Risk Classification Based on Risk Assessment
• For each asset, identify the CIA impact levels: high, medium and low
• Identify risks, and classify them according to their severity and vulnerability
• After identifying the risks and the levels of CIA, assign values to the risks
• Based on risk values, determine whether the risk is tolerable and whether to implement a control to eliminate or reduce the risk

6. Manage the Risks, and Create a Risk Treatment Plan
• Acceptable risk treatment (accept, transfer, reduce, avoid)
• Identification of operational controls and additional proposed controls, with the help of gap analysis
• A proposed control implementation schedule

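The two slides above (ranking assets by CIA impact, valuing risks against a tolerance level, then choosing a treatment and scheduling the controls that a gap analysis shows are missing) are easiest to see as a small risk register. The following is an added example and not code from the deck or from John Jay College; the numeric CIA scale, the "impact x likelihood" risk value, the treatment decision rules, the control names and the sample assets are all assumptions chosen for illustration, since ISO 27001 does not prescribe a particular scoring method.

```python
"""Minimal ISO 27001-style risk register: asset CIA ranking, risk valuation,
tolerance check, treatment choice and a control implementation schedule.
All scales and decision rules are assumptions for illustration."""
from dataclasses import dataclass

# Assumed numeric scale for the high/medium/low CIA impact levels.
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Asset:
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def impact_score(self) -> int:
        # Assumption: the worst of the three CIA levels drives the asset's impact.
        return max(IMPACT[self.confidentiality],
                   IMPACT[self.integrity],
                   IMPACT[self.availability])


@dataclass
class Risk:
    asset: Asset
    threat: str
    likelihood: int              # assumed scale: 1 (rare) .. 3 (likely)
    existing_controls: set       # controls already operating
    required_controls: set       # controls the assessment says are needed

    def value(self) -> int:
        # Assumed formula: impact x likelihood, giving a value in 1..9.
        return self.asset.impact_score() * self.likelihood


def gap_analysis(risk: Risk) -> list:
    """Controls still to be implemented: required minus existing."""
    return sorted(risk.required_controls - risk.existing_controls)


def treatment_for(risk: Risk, tolerance: int) -> str:
    """Pick one of the four treatments named on the slide (assumed rules):
    within tolerance -> accept; missing controls -> reduce by implementing them;
    nothing left to implement but still intolerable -> transfer (e.g. insure)
    when the event is not likely, otherwise avoid (stop or redesign the activity)."""
    if risk.value() <= tolerance:
        return "accept"
    if gap_analysis(risk):
        return "reduce"
    return "transfer" if risk.likelihood <= 2 else "avoid"


def build_treatment_plan(risks: list, tolerance: int, start_month: int = 1) -> list:
    """One plan entry per risk, highest risk value first, with a naive
    one-item-per-month implementation schedule for everything not accepted."""
    plan, month = [], start_month
    for r in sorted(risks, key=lambda r: r.value(), reverse=True):
        t = treatment_for(r, tolerance)
        entry = {"asset": r.asset.name, "threat": r.threat,
                 "risk_value": r.value(), "treatment": t,
                 "gap": gap_analysis(r), "schedule_month": None}
        if t != "accept":
            entry["schedule_month"] = month
            month += 1
        plan.append(entry)
    return plan


# Constructed sample inventory and risks (not taken from the deck).
CUSTOMER_DB = Asset("customer database", "high", "high", "medium")
PUBLIC_SITE = Asset("public marketing site", "low", "medium", "medium")
HR_FILES = Asset("HR personnel files", "high", "medium", "low")
LAPTOPS = Asset("sales laptop fleet", "high", "low", "low")
LEGACY_FTP = Asset("legacy FTP server", "high", "medium", "low")

SAMPLE_RISKS = [
    Risk(CUSTOMER_DB, "web application compromise", 3,
         {"access control"},
         {"access control", "secure development lifecycle", "logging and monitoring"}),
    Risk(PUBLIC_SITE, "defacement", 2, set(), {"patch management"}),
    Risk(HR_FILES, "loss of backup media in transit", 1,
         {"backup encryption"}, {"backup encryption"}),
    Risk(LAPTOPS, "device theft", 2, {"disk encryption"}, {"disk encryption"}),
    Risk(LEGACY_FTP, "credential interception", 3,
         {"network segmentation"}, {"network segmentation"}),
]

if __name__ == "__main__":
    for entry in build_treatment_plan(SAMPLE_RISKS, tolerance=3):
        print(entry)
```

Running the block with a tolerance of 3 ranks the customer database and the legacy FTP server first (both value 9); the database gets "reduce" because two required controls are missing, while the FTP server, with nothing left to implement and a likely threat, gets "avoid". The laptop theft risk, fully controlled but still above tolerance, becomes a "transfer" candidate, and the rare backup-media loss is accepted and left off the schedule.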
7. Set Up Policies and Procedures to Control Risks
Statements of policy, or a detailed procedure and responsibility document, to identify user roles for consistent and effective implementation of policies and procedures.

8. Allocate Resources, and Train the Staff
The IT security program highlights one of the important commitments for management: sufficient resources to manage, develop, maintain and implement the IT security program.

9. Monitor the Implementation of the IT Security Program
Periodic internal audits provide monitoring and review. An audit review consists of testing the controls and identifying corrective and preventive actions.

10. Prepare for the Certification Audit
Conduct a full cycle of internal audits, management reviews and activities in the process, and retain evidence of the responses taken as a result of those reviews and audits. This should be reviewed annually.

11. Conduct Periodic Reassessment Audits
• Follow-up reviews or periodic audits confirm that the organization remains in compliance with the standard.

Conclusion
The true success of ISO 27001 is its alignment with the business objectives and effectiveness in realizing those objectives. IT and other departments play an important role in implementing the IT security program. To achieve the planned return on investment, the implementation plan has to be developed with an end goal in mind. Training and internal audit are major parts of IT security program implementation.

ISO 27001 certification will help assure most business partners of an organization's status with respect to information security without the necessity of conducting their own security reviews. An organization would choose to be certified against the ISO 27001 standard to provide confidence to their customer base and partners.

Weitere ähnliche Inhalte

Was ist angesagt?

Its time to rethink everything a governance risk compliance primer
Its time to rethink everything a governance risk compliance primerIts time to rethink everything a governance risk compliance primer
Its time to rethink everything a governance risk compliance primerEnclaveSecurity
 
Business continuity-plan-template
Business continuity-plan-templateBusiness continuity-plan-template
Business continuity-plan-templateMohamed Owaish
 
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMSCISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMSShivamSharma909
 
IT Risk assessment and Audit Planning
IT Risk assessment and Audit PlanningIT Risk assessment and Audit Planning
IT Risk assessment and Audit Planninggoreankush1
 
Iso 27001 metrics and implementation guide
Iso 27001 metrics and implementation guideIso 27001 metrics and implementation guide
Iso 27001 metrics and implementation guidemfmurat
 
The best way to use ISO 27001
The best way to use ISO 27001The best way to use ISO 27001
The best way to use ISO 27001powertech
 
ICT Association Suriname Presentation On eGovernment 2012
ICT Association Suriname Presentation On eGovernment 2012ICT Association Suriname Presentation On eGovernment 2012
ICT Association Suriname Presentation On eGovernment 2012Cyril Soeri
 
ISO 27001 (v2013) Checklist
ISO 27001 (v2013) ChecklistISO 27001 (v2013) Checklist
ISO 27001 (v2013) ChecklistIvan Piskunov
 
Presentation on iso 27001-2013, Internal Auditing and BCM
Presentation on iso 27001-2013, Internal Auditing and BCMPresentation on iso 27001-2013, Internal Auditing and BCM
Presentation on iso 27001-2013, Internal Auditing and BCMShantanu Rai
 
Fraudulent Methods for Attacking Bank Networks and Prevention 2014
Fraudulent Methods for Attacking Bank Networks and Prevention 2014Fraudulent Methods for Attacking Bank Networks and Prevention 2014
Fraudulent Methods for Attacking Bank Networks and Prevention 2014Aladdin Dandis
 
Top management role to implement ISO 27001
Top management role to implement ISO 27001Top management role to implement ISO 27001
Top management role to implement ISO 27001PECB
 
Best Practices in Auditing ISO/IEC 27001
Best Practices in Auditing ISO/IEC 27001Best Practices in Auditing ISO/IEC 27001
Best Practices in Auditing ISO/IEC 27001PECB
 
Understanding and Managing Risks in Management Systems Auditing
Understanding and Managing Risks in Management Systems AuditingUnderstanding and Managing Risks in Management Systems Auditing
Understanding and Managing Risks in Management Systems AuditingPECB
 
Module 4 disaster recovery student slides ver 1.0
Module 4 disaster recovery   student slides ver 1.0Module 4 disaster recovery   student slides ver 1.0
Module 4 disaster recovery student slides ver 1.0Aladdin Dandis
 
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAEIT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE360 BSI
 

Was ist angesagt? (20)

Its time to rethink everything a governance risk compliance primer
Its time to rethink everything a governance risk compliance primerIts time to rethink everything a governance risk compliance primer
Its time to rethink everything a governance risk compliance primer
 
Business continuity-plan-template
Business continuity-plan-templateBusiness continuity-plan-template
Business continuity-plan-template
 
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMSCISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
 
Security policy
Security policySecurity policy
Security policy
 
IT Risk assessment and Audit Planning
IT Risk assessment and Audit PlanningIT Risk assessment and Audit Planning
IT Risk assessment and Audit Planning
 
Iso 27001 metrics and implementation guide
Iso 27001 metrics and implementation guideIso 27001 metrics and implementation guide
Iso 27001 metrics and implementation guide
 
Ch4 cism 2014
Ch4 cism 2014Ch4 cism 2014
Ch4 cism 2014
 
The best way to use ISO 27001
The best way to use ISO 27001The best way to use ISO 27001
The best way to use ISO 27001
 
ICT Association Suriname Presentation On eGovernment 2012
ICT Association Suriname Presentation On eGovernment 2012ICT Association Suriname Presentation On eGovernment 2012
ICT Association Suriname Presentation On eGovernment 2012
 
Domain 1 - Security and Risk Management
Domain 1 - Security and Risk ManagementDomain 1 - Security and Risk Management
Domain 1 - Security and Risk Management
 
ISO 27001 (v2013) Checklist
ISO 27001 (v2013) ChecklistISO 27001 (v2013) Checklist
ISO 27001 (v2013) Checklist
 
Presentation on iso 27001-2013, Internal Auditing and BCM
Presentation on iso 27001-2013, Internal Auditing and BCMPresentation on iso 27001-2013, Internal Auditing and BCM
Presentation on iso 27001-2013, Internal Auditing and BCM
 
Bankauditin it env
Bankauditin it envBankauditin it env
Bankauditin it env
 
Fraudulent Methods for Attacking Bank Networks and Prevention 2014
Fraudulent Methods for Attacking Bank Networks and Prevention 2014Fraudulent Methods for Attacking Bank Networks and Prevention 2014
Fraudulent Methods for Attacking Bank Networks and Prevention 2014
 
Top management role to implement ISO 27001
Top management role to implement ISO 27001Top management role to implement ISO 27001
Top management role to implement ISO 27001
 
Ch3 cism 2014
Ch3 cism 2014Ch3 cism 2014
Ch3 cism 2014
 
Best Practices in Auditing ISO/IEC 27001
Best Practices in Auditing ISO/IEC 27001Best Practices in Auditing ISO/IEC 27001
Best Practices in Auditing ISO/IEC 27001
 
Understanding and Managing Risks in Management Systems Auditing
Understanding and Managing Risks in Management Systems AuditingUnderstanding and Managing Risks in Management Systems Auditing
Understanding and Managing Risks in Management Systems Auditing
 
Module 4 disaster recovery student slides ver 1.0
Module 4 disaster recovery   student slides ver 1.0Module 4 disaster recovery   student slides ver 1.0
Module 4 disaster recovery student slides ver 1.0
 
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAEIT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
 

Andere mochten auch

Sec 270 02 sect 01v1
Sec 270 02 sect 01v1Sec 270 02 sect 01v1
Sec 270 02 sect 01v1wchend
 
提高扩展能力的常用模式——黄东
提高扩展能力的常用模式——黄东提高扩展能力的常用模式——黄东
提高扩展能力的常用模式——黄东programmermag
 
Tbc career meeting 02 2012 linked in-1
Tbc career meeting 02 2012   linked in-1Tbc career meeting 02 2012   linked in-1
Tbc career meeting 02 2012 linked in-1wchend
 
Evolutionand impactofhiddenmobilethreats wandera
Evolutionand impactofhiddenmobilethreats wanderaEvolutionand impactofhiddenmobilethreats wandera
Evolutionand impactofhiddenmobilethreats wanderaAnjoum .
 
Slideshare Bedrijfspresentatie Connect It V1.0
Slideshare Bedrijfspresentatie Connect It V1.0Slideshare Bedrijfspresentatie Connect It V1.0
Slideshare Bedrijfspresentatie Connect It V1.0prijke
 
Tbc career meeting 02 2012 linked in-2
Tbc career meeting 02 2012   linked in-2Tbc career meeting 02 2012   linked in-2
Tbc career meeting 02 2012 linked in-2wchend
 
Six Sigma For Managers 185
Six Sigma For Managers 185Six Sigma For Managers 185
Six Sigma For Managers 185Anjoum .
 
Business Excellence
Business ExcellenceBusiness Excellence
Business ExcellenceAnjoum .
 

Andere mochten auch (9)

All
AllAll
All
 
Sec 270 02 sect 01v1
Sec 270 02 sect 01v1Sec 270 02 sect 01v1
Sec 270 02 sect 01v1
 
提高扩展能力的常用模式——黄东
提高扩展能力的常用模式——黄东提高扩展能力的常用模式——黄东
提高扩展能力的常用模式——黄东
 
Tbc career meeting 02 2012 linked in-1
Tbc career meeting 02 2012   linked in-1Tbc career meeting 02 2012   linked in-1
Tbc career meeting 02 2012 linked in-1
 
Evolutionand impactofhiddenmobilethreats wandera
Evolutionand impactofhiddenmobilethreats wanderaEvolutionand impactofhiddenmobilethreats wandera
Evolutionand impactofhiddenmobilethreats wandera
 
Slideshare Bedrijfspresentatie Connect It V1.0
Slideshare Bedrijfspresentatie Connect It V1.0Slideshare Bedrijfspresentatie Connect It V1.0
Slideshare Bedrijfspresentatie Connect It V1.0
 
Tbc career meeting 02 2012 linked in-2
Tbc career meeting 02 2012   linked in-2Tbc career meeting 02 2012   linked in-2
Tbc career meeting 02 2012 linked in-2
 
Six Sigma For Managers 185
Six Sigma For Managers 185Six Sigma For Managers 185
Six Sigma For Managers 185
 
Business Excellence
Business ExcellenceBusiness Excellence
Business Excellence
 

Ähnlich wie Sec 270 02 sect 01av1

english_bok_ismp_202306.pptx
english_bok_ismp_202306.pptxenglish_bok_ismp_202306.pptx
english_bok_ismp_202306.pptxssuser00d6eb
 
Introduction to IT compliance program and Discuss the challenges IT .pdf
Introduction to IT compliance program and Discuss the challenges IT .pdfIntroduction to IT compliance program and Discuss the challenges IT .pdf
Introduction to IT compliance program and Discuss the challenges IT .pdfSALES97
 
Assuring Digital Strategic Initiatives by
Assuring Digital Strategic Initiatives by Assuring Digital Strategic Initiatives by
Assuring Digital Strategic Initiatives by FirstMutualHoldings
 
Vulnerability Management Whitepaper PowerPoint Presentation Slides
Vulnerability Management Whitepaper PowerPoint Presentation SlidesVulnerability Management Whitepaper PowerPoint Presentation Slides
Vulnerability Management Whitepaper PowerPoint Presentation SlidesSlideTeam
 
Planning for security and security audit process
Planning for security and security audit processPlanning for security and security audit process
Planning for security and security audit processDivya Tiwari
 
Governance and management of IT.pptx
Governance and management of IT.pptxGovernance and management of IT.pptx
Governance and management of IT.pptxPrashant Singh
 
Control Standards for Information Security
Control Standards for Information SecurityControl Standards for Information Security
Control Standards for Information SecurityJohnHPazEMCPMPITIL5G
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewShankar Subramaniyan
 
Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)Hendri Eka Saputra
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationMcKonly & Asbury, LLP
 
Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001Chandan Singh Ghodela
 
What do the changes to ISO14001 mean for business?
What do the changes to ISO14001 mean for business? What do the changes to ISO14001 mean for business?
What do the changes to ISO14001 mean for business? Ardea International
 
ISO 45001 018 . 2018 م.71-مبادرة#تواصل_تطوير-د.محمد عبدالمجيد-التعريف بمتطلبا...
ISO 45001 018 . 2018 م.71-مبادرة#تواصل_تطوير-د.محمد عبدالمجيد-التعريف بمتطلبا...ISO 45001 018 . 2018 م.71-مبادرة#تواصل_تطوير-د.محمد عبدالمجيد-التعريف بمتطلبا...
ISO 45001 018 . 2018 م.71-مبادرة#تواصل_تطوير-د.محمد عبدالمجيد-التعريف بمتطلبا...Egyptian Engineers Association
 
ISO27k ISMS implementation and certification process overview v2.pptx
ISO27k ISMS implementation and certification process overview v2.pptxISO27k ISMS implementation and certification process overview v2.pptx
ISO27k ISMS implementation and certification process overview v2.pptxNapoleon NV
 
MCGlobalTech Service Presentation
MCGlobalTech Service PresentationMCGlobalTech Service Presentation
MCGlobalTech Service PresentationWilliam McBorrough
 
Achieving ISO 27001 Certification.pdf
Achieving ISO 27001 Certification.pdfAchieving ISO 27001 Certification.pdf
Achieving ISO 27001 Certification.pdfmicroteklearning21
 
MCGlobalTech Consulting Service Presentation
MCGlobalTech Consulting Service PresentationMCGlobalTech Consulting Service Presentation
MCGlobalTech Consulting Service PresentationWilliam McBorrough
 
CISM_WK_1.pptx
CISM_WK_1.pptxCISM_WK_1.pptx
CISM_WK_1.pptxdotco
 
GDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksGDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksIT Governance Ltd
 

Ähnlich wie Sec 270 02 sect 01av1 (20)

english_bok_ismp_202306.pptx
english_bok_ismp_202306.pptxenglish_bok_ismp_202306.pptx
english_bok_ismp_202306.pptx
 
Introduction to IT compliance program and Discuss the challenges IT .pdf
Introduction to IT compliance program and Discuss the challenges IT .pdfIntroduction to IT compliance program and Discuss the challenges IT .pdf
Introduction to IT compliance program and Discuss the challenges IT .pdf
 
Assuring Digital Strategic Initiatives by
Assuring Digital Strategic Initiatives by Assuring Digital Strategic Initiatives by
Assuring Digital Strategic Initiatives by
 
Vulnerability Management Whitepaper PowerPoint Presentation Slides
Vulnerability Management Whitepaper PowerPoint Presentation SlidesVulnerability Management Whitepaper PowerPoint Presentation Slides
Vulnerability Management Whitepaper PowerPoint Presentation Slides
 
Planning for security and security audit process
Planning for security and security audit processPlanning for security and security audit process
Planning for security and security audit process
 
Governance and management of IT.pptx
Governance and management of IT.pptxGovernance and management of IT.pptx
Governance and management of IT.pptx
 
Control Standards for Information Security
Control Standards for Information SecurityControl Standards for Information Security
Control Standards for Information Security
 
standards1.pdf
standards1.pdfstandards1.pdf
standards1.pdf
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process Overview
 
Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your Organization
 
Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001
 
What do the changes to ISO14001 mean for business?
What do the changes to ISO14001 mean for business? What do the changes to ISO14001 mean for business?
What do the changes to ISO14001 mean for business?
 
ISO 45001 018 . 2018 م.71-مبادرة#تواصل_تطوير-د.محمد عبدالمجيد-التعريف بمتطلبا...
ISO 45001 018 . 2018 م.71-مبادرة#تواصل_تطوير-د.محمد عبدالمجيد-التعريف بمتطلبا...ISO 45001 018 . 2018 م.71-مبادرة#تواصل_تطوير-د.محمد عبدالمجيد-التعريف بمتطلبا...
ISO 45001 018 . 2018 م.71-مبادرة#تواصل_تطوير-د.محمد عبدالمجيد-التعريف بمتطلبا...
 
ISO27k ISMS implementation and certification process overview v2.pptx
ISO27k ISMS implementation and certification process overview v2.pptxISO27k ISMS implementation and certification process overview v2.pptx
ISO27k ISMS implementation and certification process overview v2.pptx
 
MCGlobalTech Service Presentation
MCGlobalTech Service PresentationMCGlobalTech Service Presentation
MCGlobalTech Service Presentation
 
Achieving ISO 27001 Certification.pdf
Achieving ISO 27001 Certification.pdfAchieving ISO 27001 Certification.pdf
Achieving ISO 27001 Certification.pdf
 
MCGlobalTech Consulting Service Presentation
MCGlobalTech Consulting Service PresentationMCGlobalTech Consulting Service Presentation
MCGlobalTech Consulting Service Presentation
 
CISM_WK_1.pptx
CISM_WK_1.pptxCISM_WK_1.pptx
CISM_WK_1.pptx
 
GDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksGDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risks
 

Kürzlich hochgeladen

Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Celine George
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsTechSoup
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
mini mental status format.docx
mini    mental       status     format.docxmini    mental       status     format.docx
mini mental status format.docxPoojaSen20
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfchloefrazer622
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionSafetyChain Software
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Disha Kariya
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfchloefrazer622
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 💞 Full Nigh...
Russian Call Girls in Andheri Airport Mumbai WhatsApp  9167673311 💞 Full Nigh...Russian Call Girls in Andheri Airport Mumbai WhatsApp  9167673311 💞 Full Nigh...
Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 💞 Full Nigh...Pooja Nehwal
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesFatimaKhan178732
 

Kürzlich hochgeladen (20)

Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...

Sec 270 02 sect 01av1

1. Implementing IT Security Program
Implementing ISO 27001 can enable enterprises to benchmark against competitors and to provide relevant information about IT security to vendors and customers, and it can enable management to demonstrate due diligence. It can foster efficient security cost management, compliance with laws and regulations, and a comfortable level of interoperability, because the organizations involved follow a common set of guidelines. It can improve QA for IT security and increase security awareness among employees, customers, vendors, etc.
John Jay College of Criminal Justice © 2012

2. Cost of Implementation
• Internal resources
• External resources
• Certification
• Implementation

3. Planning for ISO 27001
• Business continuity planning
• System access control
• System acquisition, development and maintenance
• Physical and environmental security
• Compliance
• Information security incident management
• Personnel security
• Security organization
• Communication and operations management
• Asset classification and control
• Security policies

4. Three stages of the Certification process
1. Informal review of the IT security program, checking for the key documents:
• Organization's security policy
• Risk treatment plan
• Statement of applicability
2. Independent tests of the IT security program against the requirements of the standard, and confirmation of management support
3. Follow-up reviews or periodic audits to confirm that the organization remains in compliance with the standard

5. Planning
• Commitment of senior management is essential
• Team required
  – Internal audit
  – IT
  – Legal
  – HR

6. Decision Making
• Business objectives and priorities
• Existing IT maturity levels
• User acceptability and awareness
• Internal audit capability
• Contractual obligations
• Customer requirements
• The enterprise's ability to adapt to change
• Adherence to internal processes
• Existing compliance efforts and legal requirements
• Existing training programs

7. Implementation
• Define an IT security policy
• Define the scope of the project
• Perform a security risk assessment
• Manage the identified risk
• Select controls to be implemented and applied
• Prepare a Statement of Applicability

8. 1. Identify Business Objectives
• Increased marketing potential
• Assurance to business partners of the organization's status with respect to information security
• Assurance to customers and partners about the organization's commitment to information security, privacy and data protection
• Increased revenue and profitability by providing the highest level of security for customers' sensitive data
• Identification of information assets and effective risk assessments
• Preservation of the organization's reputation and standing among industry leaders
• Compliance with industry regulation

9. 2. Obtain Management Support
• An information security policy
• Information security objectives and plans
• Roles and responsibilities for information security, or a segregation-of-duties matrix that lists the roles related to information security
• An announcement or communication to the organization about the importance of adhering to the information security policy
• Sufficient resources to manage, develop, maintain and implement the IT security program
• Determination of the acceptable level of risk
• Management review of the IT security program at planned intervals
• Assurance that personnel affected by the IT security program are provided with training
• Appointment of competent people for the roles and responsibilities they are assigned to fulfill

10. 3. Select the Proper Scope of Implementation
• The selected scope helps to achieve the identified business objectives
• The organization's overall scale of operations is an integral parameter in determining how complex the compliance process will be
• To find out the appropriate scale of operations, organizations need to consider the number of employees, business processes, work locations, and products or services offered
• Which areas, locations, assets and technologies of the organization will be controlled by the IT security program?
• Will suppliers be required to abide by the IT security program?
• Are there dependencies on other organizations? Should they be considered?
• Any regulatory or legislative standards that apply to the areas covered by the IT security program should be identified

11. 4. Define a Method of Risk Assessment
• The method to be used to assess the risk to identified information assets
• Which risks are intolerable and therefore need to be mitigated
• Managing the residual risk through carefully considered policies, procedures and controls

12. 5. Prepare an Inventory of IT Assets to Protect, and Rank Assets According to Risk Classification Based on Risk Assessment
• For each asset, identify the CIA (confidentiality, integrity, availability) impact levels: high, medium or low
• Identify risks, and classify them according to their severity and vulnerability
• After identifying the risks and the CIA levels, assign values to the risks
• Based on the risk values, determine whether each risk is tolerable and whether to implement a control to eliminate or reduce it

13. 6. Manage the Risks, and Create a Risk Treatment Plan
• Acceptable risk treatment options (accept, transfer, reduce, avoid)
• Identification of existing operational controls and additional proposed controls, with the help of a gap analysis
• A proposed control implementation schedule

14. 7. Set Up Policies and Procedures to Control Risks
Policy statements, or a detailed procedure and responsibility document that identifies user roles, so that policies and procedures are implemented consistently and effectively.

15. 8. Allocate Resources, and Train the Staff
The IT security program depends on one of management's key commitments: sufficient resources to manage, develop, maintain and implement it.

16. 9. Monitor the Implementation of the IT Security Program
Periodic internal audit for monitoring and review. The audit review consists of testing the controls and identifying corrective and preventive actions.

17. 10. Prepare for the Certification Audit
Conduct a full cycle of internal audits, management reviews and the activities in the process, and retain evidence of the responses taken as a result of those reviews and audits. This cycle should be repeated annually.

18. 11. Conduct Periodic Reassessment Audits
• Follow-up reviews or periodic audits confirm that the organization remains in compliance with the standard

19. Conclusion
The true success of ISO 27001 is its alignment with the business objectives and its effectiveness in realizing those objectives. IT and other departments play an important role in implementing the IT security program. To achieve the planned return on investment, the implementation plan has to be developed with an end goal in mind. Training and internal audit are major parts of IT security program implementation. ISO 27001 certification will help assure most business partners of an organization's status with respect to information security without the necessity of conducting their own security reviews. An organization would choose to be certified against the ISO 27001 standard to provide confidence to its customer base and partners.

Editor's notes

1. The statement of applicability (also known as an SoA) is a document that identifies the controls chosen for your environment and explains how and why they are appropriate. The SoA is derived from the output of the risk assessment and risk treatment plan and, if ISO 27001 compliance is to be achieved, must directly relate the selected controls back to the original risks they are intended to mitigate. Normally the controls are selected from ISO 17799 (since renumbered ISO/IEC 27002), but it is possible to also include your own controls. A number of sector-specific schemes are being introduced which stipulate additional mandatory controls. The SoA should make reference to the policies, procedures or other documentation or systems through which each selected control will actually be implemented. It is also good practice to document the justification for excluding the controls that were not selected.
2. Confidentiality: ensuring that information is accessible only to those authorized to have access.
   Integrity: safeguarding the accuracy and completeness of information and processing methods.
   Availability: ensuring that authorized users have access to information and associated assets when required.
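The assessment steps on slides 11 to 13 (CIA impact levels per asset, a value for each risk, a tolerable-risk threshold, the accept/transfer/reduce/avoid options) and the traceability the first editor's note demands of the SoA can be carried through in a small risk register. The Python below is an added example, not part of the original slides and not a method prescribed by ISO 27001; the 3x3 impact-by-likelihood scale, the risk appetite of 4, the assumption that each applied control lowers likelihood by one step, the control IDs CTL-01 to CTL-04 and every asset and risk are constructed for illustration.

```python
# Added example (not from the original slides): a minimal risk register that
# carries the slides' assessment method through to a risk treatment plan and a
# statement of applicability (SoA). Scales, appetite, control IDs and all data
# below are constructed for illustration.
from dataclasses import dataclass

IMPACT = {"low": 1, "medium": 2, "high": 3}            # CIA impact levels (slide 12)
LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3}   # assumed three-step likelihood scale
APPETITE = 4  # assumed management-approved acceptable risk: a value <= 4 is tolerable

# Constructed control catalogue; IDs are illustrative, not Annex A numbers.
CONTROLS = {
    "CTL-01": "Multi-factor authentication for remote access",
    "CTL-02": "Daily off-site backups with restore testing",
    "CTL-03": "Encryption of data at rest and on removable media",
    "CTL-04": "Visitor escort and badge policy",
}


@dataclass(frozen=True)
class Asset:
    name: str
    c: str  # confidentiality impact level
    i: str  # integrity impact level
    a: str  # availability impact level


@dataclass(frozen=True)
class Risk:
    rid: str
    asset: Asset
    threat: str
    likelihood: str
    affects: tuple            # which of ("c", "i", "a") the threat impairs
    proposed_controls: tuple  # control IDs identified by the gap analysis


@dataclass(frozen=True)
class Treatment:
    rid: str
    option: str      # accept | reduce | avoid
    controls: tuple
    inherent: int
    residual: int
    flag: str = ""


def impact(risk):
    """Impact is the highest CIA level among the properties the threat impairs."""
    return max(IMPACT[getattr(risk.asset, p)] for p in risk.affects)


def risk_value(risk):
    """Risk value = impact x likelihood (slide 12: 'assign values to the risks')."""
    return impact(risk) * LIKELIHOOD[risk.likelihood]


def treat(risk, appetite=APPETITE):
    """Choose accept / reduce / avoid (slide 13). Transfer is a business decision
    and is not modelled. Assumption: each applied control lowers likelihood by one
    step, never below 'rare'; residual risk above appetite is flagged, not hidden."""
    inherent = risk_value(risk)
    if inherent <= appetite:
        return Treatment(risk.rid, "accept", (), inherent, inherent)
    if not risk.proposed_controls:
        return Treatment(risk.rid, "avoid", (), inherent, 0,
                         "no control available: stop or redesign the activity")
    steps = max(1, LIKELIHOOD[risk.likelihood] - len(risk.proposed_controls))
    residual = impact(risk) * steps
    flag = "" if residual <= appetite else \
        "residual exceeds appetite: documented management acceptance or avoid"
    return Treatment(risk.rid, "reduce", risk.proposed_controls, inherent, residual, flag)


def rank_assets(risks):
    """Rank assets by their highest inherent risk value (slide 12)."""
    worst = {}
    for r in risks:
        worst[r.asset.name] = max(worst.get(r.asset.name, 0), risk_value(r))
    return sorted(worst.items(), key=lambda kv: kv[1], reverse=True)


def statement_of_applicability(treatments):
    """Trace every catalogue control back to the risks that justify it (editor's
    note 1); a control no treatment selected is recorded as excluded, with a reason."""
    soa = {}
    for cid, title in CONTROLS.items():
        risks = sorted(t.rid for t in treatments if cid in t.controls)
        reason = f"mitigates {', '.join(risks)}" if risks \
            else "excluded: no identified risk requires this control"
        soa[cid] = {"title": title, "applicable": bool(risks), "justification": reason}
    return soa


# Constructed sample register.
CUSTOMER_DB = Asset("Customer DB", c="high", i="high", a="medium")
WEBSITE = Asset("Public website", c="low", i="medium", a="high")
HR_CABINET = Asset("HR file cabinet", c="medium", i="low", a="low")
RISKS = (
    Risk("R-1", CUSTOMER_DB, "credential theft on remote access", "likely", ("c", "i"), ("CTL-01", "CTL-03")),
    Risk("R-2", WEBSITE, "denial-of-service outage", "possible", ("a",), ("CTL-02",)),
    Risk("R-3", HR_CABINET, "unescorted visitor reads files", "rare", ("c",), ("CTL-04",)),
    Risk("R-4", CUSTOMER_DB, "backup media lost in transit", "likely", ("c",), ("CTL-03",)),
    Risk("R-5", WEBSITE, "unsupported CMS plugin exploited", "likely", ("i",), ()),
)


def risk_treatment_plan(risks=RISKS):
    return [treat(r) for r in risks]


if __name__ == "__main__":
    for t in risk_treatment_plan():
        print(f"{t.rid}: {t.option:6} inherent={t.inherent} residual={t.residual} "
              f"controls={list(t.controls)} {t.flag}")
    for cid, row in statement_of_applicability(risk_treatment_plan()).items():
        print(f"{cid} {row['title']}: {row['justification']}")
```

Two cases in the sample are the ones a practitioner should look for in a real register: R-4 is treated with an applicable control yet its residual value (6) is still above the appetite, so the plan flags it for documented management acceptance instead of marking it "reduced"; and CTL-04 is listed in the SoA as excluded with a reason, because the only risk it would address (R-3) was already within appetite and therefore accepted.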