
ISMS Awareness Training Session


Academic year: 2021


(1)

ISMS Awareness ISO:27001:2013

Welcomes participants to the User Awareness Training on ISMS

(2)

Acknowledgements

• All trademarks and registered trademarks are the property of their respective owners (if any)

• © Copyright material reproduced with the kind permission of the respective organization (if any)

(3)

Agenda

• ISO

• ISO 27000:2013 – ISMS Concepts & Benefits

• Information & Information Security

• Process model – PDCA

• Assets, Threats, Vulnerabilities, Impacts, Attacks, Risk

• An Introduction to ISO 27001:2013

– ISO 27001:2013 – Inside

– ISO 27001:2013 – Major Domains

– ISO 27001:2013 – Annex A

• ISMS Practice applies to you

• ISMS @ organization

• Summary

• Quiz

(4)

This training does NOT address

• Tools

• Task level detail

• Specifics of disaster

• Detailed implementation of ISMS

• A cookbook (how to set up)

(5)

This training addresses

• Roles and Responsibilities

• Concept & Practice

• Converting the Concept into Practice

(6)

ISO

• ISO – International Organization for Standardization

• This is a third party organization

• World's largest developer of standards

• Head office in Geneva, Switzerland

• 200 countries are members in this organization

• Non-governmental organization

• ISO is a word derived from Greek, which means EQUAL

• ISOMETRIC – Equal measure or dimensions

• ISONOMY – Equality of laws

(7)

ISO 27001: A brief history

• 2013: ISO 27001

• 2005: ISO 27001

• 2002: Revisions BS 7799 PDCA

• 2000: ISO/IEC 17799 published

• 1998: BS 7799 Part 2 Specification

• 1995: BS 7799 Part 1 Code of Practice

(8)

ISO 27001:2013

• ISMS: Information Security Management System

• Definition: it is part of the overall documented management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security

• ISO 27001:2013 (ISMS – certification framework)

• A standard for Information Security Management Systems

• Provides the ISMS requirements and specifications of controls for certification

• Aligned with ISO 9001 / ISO 14001 / ISO 18000

(9)

ISO 27001:2013 is NOT

• A technical standard

• Product or technology driven

• An equipment evaluation methodology such as the Common Criteria/ISO 15408

(10)

ISO 27001:2013 is

• An internationally recognized structured methodology dedicated to IS

• A defined process to evaluate, implement, maintain, and manage IS

• A comprehensive set of controls of best practices in IS

• Developed by industry for industry

(11)

Benefits of ISO 27001

• International standard addressing information security

• Promotes best practice

• Systematic/structured approach

• Provides a means for corporate governance

• Provides a market differentiator

• Increases business opportunity

• Manages risk at reduced cost in an effective and efficient manner

• Influences quality of systems; increases product and service quality

• Minimizes financial losses

• Reduces reputational risk

(12)

Benefits of ISO 27001

• Improved understanding of business aspects

• Aligns processes with business objectives

• Reduces operational risk

• Protects information from a range of threats

• Opportunity to identify and find weaknesses

• Better incident management

• Ensures business continuity

• Enhances the knowledge and importance of security-related issues at organization/company level

• Ease of access,

(13)

• Data: data is raw; it simply exists and has no significance beyond its existence (in and of itself).

• Information = meaningful data

• Information exists in many forms: paper, data, email, software, print, written on paper, stored electronically, transmitted by post or by electronic means, shown on films or spoken in conversation, shown on corporate videos, displayed/published on the web, verbal – spoken in conversations

• Information can be: created, stored, destroyed, processed, transmitted, used (for proper and improper purposes), corrupted, lost, stolen,

(14)

Information…

• Today's reality

– Buy – Financial information

– Use – Login information

– Extort – "carding" fraud

– Steal – Competitive information

• New attackers – Cyber crime, Mafia, hackers and company insiders

• Perpetuated by – outdated technology, human factors, continual security changes, limited control

(15)

Information Technology

• Information Technology (IT) is concerned with technology to treat information.

• IT Infrastructure consists of the equipment, systems, software, and services used in common across an organization, regardless of mission/program/project

– IT Infrastructure serves as the foundation upon which mission/program/project-specific systems and capabilities are built

• What do we have in the IT structure?

– Hardware: Desktop, Laptop, Server, Network

– Software: OS, MS Office, Frontend, etc.

– People (skill-sets), Facilities

– Data

• What problems do we face?

– System break down / device malfunctions

– Data lost, password lost, connectivity lost

– Data access by unauthorized users

(16)

Security

• "The quality or state of being secure: to be free from danger"

• Security is achieved using several strategies simultaneously or in combination with one another

• Security is not something you buy, it is something you do

• Monitored 24x7x365

• Security is for PPT and not only for appliances or devices

• PEOPLE – Organization Staff – 'Who we are'

• PROCESSES – Business Processes – 'What we do'

(17)

Security breaches lead to…

• Reputation loss

• Financial loss

• Intellectual property loss

• Legislative breaches leading to legal action (Cyber Law)

• Loss of customer confidence

• Business interruption costs

• Goodwill loss

(18)

Information Security

(19)

Information Security – Protection of C I A of Assets

• Confidentiality – the property that information is not made available or disclosed to unauthorized individuals, entities, or processes

"Ensuring that information is accessible only to those

(20)

Information Security – Protection of C I A of Assets

• Integrity – the property of safeguarding the accuracy and completeness of assets

"Ensuring the accuracy and completeness of information and processing methods"

(21)

Information Security – Protection of C I A of Assets

• Availability – the property of being accessible and usable upon demand to authorized users

"Ensuring that authorized users have access to information and associated assets when required"

(22)

Let's try to find a type of organization (or a single organization) where any of these concept


(25)

Deming's Circle (Shewhart Cycle)

[Figure: the PLAN – DO – CHECK – ACT cycle drawn against a time scale and a maturity axis; each turn of the cycle consolidates the level reached, i.e. a baseline.]

Continuous step-by-step improvement; continuous improvement is a subset of continual improvement

(26)

Asset – anything that has value to the organization (what you are trying to protect)

Examples pictured: Buildings, Infrastructure, Environmental conditions

(27)

Assets – Hardware, Backups, Forensic Evidence, Communication Channels


(29)

Asset – Sensitive Information

(30)

Threats – something that can potentially cause damage to the organization (events you are protecting your assets against)

Examples pictured: Malware, Phishing, Intrusion

(31)

Information Threats

• Intrusion – Entrance by force without permission (unauthorized act of bypassing a security mechanism)

• Malware – Malicious software designed to infiltrate or damage a computer system without the owner's consent

• Phishing – A single unique message sent to targets with the intent of gaining confidential or personal information

• Identity loss – Loss of an individual's information

• Data loss – Unforeseen loss of data or information

• Compliance – Acting according to certain standards

(32)

Threat agent: the catalyst that performs the threat (human, environmental, intentional, accidental)

Examples pictured: Rioters, Disaffected workers, Contractors

(33)

Threat Agents

Examples pictured: Employees, Fraudsters, Thieves


(35)

Vulnerabilities – a weakness / hole in an organization (how the events might occur)

(36)

Vulnerabilities

- Addressing information can be forged

- Arbitrary program code can be executed

- Communication lines can be tapped

- Messages can be intercepted

- Ease with which software can be changed

(37)

Vulnerabilities

- Attractiveness of our information

- Electromagnetic radiation

- Information containers are not particularly heavy and can be easily moved


(39)

Impacts

• Court action against Organization

• Court action against an employee

(40)

Impacts

• Loss of monetary value of assets

• Inability to carry out some or all of your business

(41)

Attack

• An attack is any malicious or accidental disruption

– in the confidentiality, integrity, or availability of information

• A few basic types of attacks are

– Access, Modification, Denial of Service, and Repudiation

• Attacks can originate from

– Electronic (external or internal network)

– Physical (hardware/equipment misappropriation)

– Human (Social engineering)

(42)

Viruses, Trojan Horses, Masquerading, Denial of Service

• New viruses discovered every day

• Contagious, often of pandemic proportion

• Impact depends on payload:

– Denial of service

– Disclosure

– Back doors

– Time bombs…

(43)

Network Attacks

• Ping floods (keep asking "are you there?")

• Smurf (ping flood to an IP broadcast address)

• Ping of death (fragmented ping packet > 65535 bytes)

• Teardrop (fragmented packets and overlaps)

(44)

Application Attacks

• Over-enthusiastic customers

– computers can't cope with the load

• Amarillo

– multi-MB video, recipients sent it to their friends…

• Changing software to steal airtime

– e.g. "free" international mobile calls

• Exploiting ineffective financial controls in business systems to commit fraud (Enron, Barings, …)

• Errors (e.g. in December 2005, a clerk sold 6500 shares at 1 yen instead of 1 share at 6500 yen, with a loss estimated at 225M US$)

(45)

Password Attacks

• Password theft

– Sniffing passwords (e.g. L0PHT2.0), shoulder surfing, sticky notes

• Password guessing/cracking

– Dozens available free on the Internet (e.g. L0PHTCrack)

• Social engineering

– Help desk, phishing

– Could be more than just passwords: personal information

(46)

Attacks

(47)

Attacks – Eavesdropping

• Wireless networks

• Wireless telephones (no encryption)

• Stand next to a person using a mobile

(48)

Attacks – Hacking

• Action at a distance or inside the organization?

• Web site defacement

• Changing data

• Stealing data

(49)

Attacks

Fire, Flood, Storm – Don't mix with IT

(50)

Attacks

(51)

Attack vs CIA

Attack        Confidentiality  Integrity  Availability
Access        Yes              -          -
Modification  -                Yes        -
DoS           -                -          Yes

(52)

Information Security Solutions

• Information security culture in the organization

• Awareness

• Antivirus

• Spam filters

• Firewalls, VPN

• Data protection

• Enforced security end to end

(53)

Risk – Unpredictable Outcome

[Figure: risk relationship diagram with the elements Threat, Vulnerability, Asset, Event and Adverse Impact, linked by the labels "exploits", "violates" and "causes".]

(54)

Risk –

• Identify the information assets

• Identify the vulnerabilities

• Identify the threat and threat agent

• Assess the risk in terms of impact

• Assess the risk in terms of probability

• Analyze the risk in terms of cost of control implementation and maintenance
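The six steps above, worked through as a small risk register (an added example, not part of the training deck). The 1–5 impact and probability scales, the risk appetite threshold of 8, the expected-loss formula, and every asset value and control cost are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class RiskEntry:
    asset: str            # step 1: the information asset
    vulnerability: str    # step 2: the weakness that could be exploited
    threat: str           # step 3: the threat ...
    threat_agent: str     #         ... and the agent who would carry it out
    impact: int           # step 4: 1 (negligible) .. 5 (severe), assumed scale
    probability: int      # step 5: 1 (rare) .. 5 (almost certain), assumed scale
    asset_value: float    # monetary value used for the expected-loss estimate (constructed)
    control: str          # step 6: candidate control ...
    control_cost: float   #         ... and its yearly implementation + maintenance cost


def risk_score(entry: RiskEntry) -> int:
    """Qualitative risk = impact x probability (1..25 on the assumed scales)."""
    return entry.impact * entry.probability


def annual_loss_expectancy(entry: RiskEntry) -> float:
    """Rough expected yearly loss: asset value scaled by the impact and probability fractions."""
    return entry.asset_value * (entry.impact / 5) * (entry.probability / 5)


def treatment(entry: RiskEntry, appetite: int = 8) -> str:
    """Decide what to do with the risk.

    accept   - score within the organisation's risk appetite (assumed threshold 8)
    treat    - above appetite and the control costs no more than the expected loss
    escalate - above appetite but the control costs more than it is expected to save,
               so management must decide whether to accept, transfer or fund it anyway
    """
    if risk_score(entry) <= appetite:
        return "accept"
    if entry.control_cost <= annual_loss_expectancy(entry):
        return "treat"
    return "escalate"


def prioritised(register: list) -> list:
    """Highest risk first; ties keep register order."""
    return sorted(register, key=risk_score, reverse=True)


# Constructed sample register built from scenarios the deck mentions.
REGISTER = [
    RiskEntry("Laptop with customer data", "no whole-disk encryption", "device theft",
              "thief", 4, 3, 50_000, "whole-disk encryption", 2_000),
    RiskEntry("Email account", "password reused across systems", "phishing",
              "fraudster", 3, 4, 20_000, "unique password + awareness training", 5_000),
    RiskEntry("Server room", "located in a flood-prone basement", "flood",
              "environmental", 5, 1, 300_000, "relocate server room", 150_000),
    RiskEntry("Legacy business system", "unsupported operating system", "intrusion / malware",
              "hacker", 5, 2, 40_000, "replace the system", 25_000),
]

if __name__ == "__main__":
    for e in prioritised(REGISTER):
        print(f"{risk_score(e):>2}  {treatment(e):<8}  {e.asset}: {e.threat} via {e.vulnerability}")
```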

(55)

ISO 27001:2013 – Inside

Management clauses 4 to 10

Annex A: Domains – 14, Control Objectives – 35, Controls – 115

Domains: a territory over which rule or control is exercised

Control Objectives: a specific result that an organization or system aims to achieve within a time frame and with available resources

Controls: A practice, procedure or

(56)

Major Domain

[Figure: inputs to the ISMS (Security Incidents, Disasters, New Business Opportunities, Changes in Business, Knowledge of New Threats, Risk Management Framework, Incident Management Framework, BIA) aid in the selection of appropriate and cost-effective controls across the Annex A domains: Information Security Policy; Organisation of Information Security; Human Resource Security; Asset Management; Access Control; Cryptographic; Physical and Environmental Security; Operations Security; Communications Security; System acquisition, development and maintenance; Supplier Relationship; Information Security Incident Management; Information Security aspects of Business Continuity Management; Compliance. Also labelled: Disaster Recovery.]

(57)

Annex A

No    Domain                                                           Control objectives   Controls
A5    Information Security Policies                                    1                    2
A6    Organization of Information Security                             2                    7
A7    Human resources security                                         3                    6
A8    Asset management                                                 3                    10
A9    Access Control                                                   4                    14
A10   Cryptographic                                                    1                    2
A11   Physical and environmental Security                              2                    15
A12   Operations security                                              7                    14
A13   Communications Security                                          2                    7
A14   System acquisition, development, and maintenance                 3                    14
A15   Supplier Relationship                                            2                    5
A16   Information Security Incident management                         1                    7
A17   Information Security aspects of Business Continuity Management   2                    4
A18   Compliance                                                       2                    8
      Total                                                            35                   115

(58)

Access and Passwords

• Only use your own user accounts

• Never let anyone else use your user account

• Choose a strong password

• Never tell anyone your password

• Never write it down

• Use a different password for each system

(59)

Email

• Use for work-related emails only

• Never send confidential information by email unless it is encrypted

• Always check that you are sending an email to the correct person

• Read and comply with the Email Policy

• Protect your email password

– Email is often used to verify password resets in other applications

(60)

Phishing Emails

• Attacks

– Mass – random

– Spear – targeted on one organisation

– Whaling – targeted on one individual

• Types

– Click-through

– Attachments

– Web form capture

• How do I tell?

– Unexpected

– Spelling mistakes

– Lack of personal information used

– Asking for an action: open attachment, go to website, provide information

– Beware! They are becoming increasingly convincing

(61)

Using the Internet

• Don't disable your firewall software

• Ensure your browser and associated programs are up to date

• Check that links go to the site stated

• Check for HTTPS and the padlock symbol when performing confidential transactions

• Don't download unknown programs

• Limit work-related information posted on social media sites

• Do not visit sites that are against the Internet Acceptable Use

(62)

Anti-Virus

• Never disable your anti-virus protection

• Keep your AV signatures and updates current

• Allow a scan to be performed regularly

(63)

Mobile Computing

• Never leave unattended in a public place or vehicle

• Keep locked away when not in use

• No confidential information to be stored on mobile devices unless previously approved

• Use screen lock and, if possible, whole-disk encryption

• Do not install unauthorised software

• Do not allow others to use your business device

• Consider backups and anti-virus protection

(64)

Removable Media

• Any attachable devices with storage, e.g. USB drives, memory cards, CD/DVDs

• Should not be used unless previously approved

• Must be encrypted if confidential information is to be stored

• Never insert unknown media into your PC or device, e.g. a USB stick you have found

(65)

Information Disposal

• Dispose of information appropriately according to its type

• Confidential information must be disposed of securely

– Paper must be shredded

– Electronic devices or media that may contain confidential information must be disposed of securely

(66)

Security Incidents

• An incident may be an actual or potential breach of policy or loss of data

• Information security incidents should be reported to the IT Help Desk

• In some cases, there may be a need to treat the area as a crime scene

(67)

ISMS @ ORGANISATION

Security Organization

Apex Committee:
– CEO/CTO/CISO

ISMS Forum:
– IT Head
– HR Head

IS Task Force:
– Project Managers
– Administrators
– IS Team Member

Audit Committee:
– Appointed by Apex Committee

BCP Team:
– Appointed by Apex Committee / ISMS Forum

DRP Team:


(70)

“Business of every business is to remain in business”

(71)

Summary

• We must protect our information assets

• The consequences to the organisation are potentially very severe

• The organisation will do what it can… but you have a key part to play in achieving this

• Be careful and vigilant, especially on the Internet

• If you're unsure, please ask your manager

(72)

Quiz

1. Name three of our information assets

2. Name two groups who may try to gain unauthorised access to our information assets

3. Give two ways in which the organisation may be affected by an information security breach

4. ISO/IEC xxxxx is the Information Security standard – what is xxxxx?

(73)

Quiz cont.

6. If you recognise a "Phishing" email what should you do with it?

7. If you find a USB memory stick in the car park what action should you take?

8. What are your responsibilities when you have a visitor?

9. Who would you report an information security incident to?

10. Whose responsibility is information security within our organisation?

(75)

?

Thank you for your attention

[email protected]

+91 9823146393
