
ADDRESSING CORPORATE CONCERNS ON INFORMATION SECURITY MANAGEMENT WITH ISO 17799/ BS 7799.


Presentation Transcript


  1. ADDRESSING CORPORATE CONCERNS ON INFORMATION SECURITY MANAGEMENT WITH ISO 17799/BS 7799. Ajai K. Srivastava, G.M. Marketing, BSI India

  2. Presentation Outline • The Global Information Village • The Need for Protection • BS 7799 – An Overview • Implementing an ISMS based on BS 7799 • Benefits of using BS 7799

  3. 1. THE GLOBAL INFORMATION VILLAGE

  4. The Global Information Village

  5. The Paradigm Shift in the Nature of Information • INDUSTRIAL ECONOMY – information as noun: static, e.g. memo, financial report etc.; automation as an idiot savant, assisting in managing repetitive discrete steps • INFORMATION ECONOMY – information as verb: Dertouzos' "Information Work", e.g. designing a building; dominates the terrain, 50 to 60% of an industrialised country's GNP

  6. THE DIGITAL NERVOUS SYSTEM – BUSINESS @ THE SPEED OF THOUGHT [diagram: the digital nervous system linking Basic Operations, Business Reflexes, Strategic Thinking and Customer Interaction]

  7. INFORMATION FLOW IS THE LIFEBLOOD OF YOUR BUSINESS

  8. • Information tends to be the most undervalued asset a business has. • Information can directly affect the most valuable asset a business has: IMAGE

  9. “Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.” ISO/IEC 17799:2000

  10. 2. THE NEED FOR PROTECTION

  11. Information Security [diagram: attacks from the technology environment directed at information]

  12. Typical Technology Responses

  13. Information Security [diagram: policies, processes, standards and training form a human firewall between the attacks from the technology environment and the information]

  14. Information Security [diagram: the same human firewall, with further attacks shown on both sides of it]

  15. Information Security [diagram: management placed over the policies, processes, standards, training and human firewall that protect the information; the attacks are no longer shown]

  16. Management System – Building Blocks [diagram: Management over the Total Business Management System; Inputs pass through Core Processes, supported by Support Processes and Resource, to Outputs]

  17. Business Management System [diagram: Environment, Quality, Information Security, People, Risk, Health and Safety and Improvement as facets of one business management system]

  18. Business Management System – BSI IMS • Environment: ISO 14001 • Quality: ISO 9001:2000, QS-9000 / TS 16949, AS9000 / AS9100, TL9000 • Info Sec: BS 7799 • H & S: OHSAS 18001 • Customers: BS 8600 • Risk: BSI Risk Mgmt • Improvement: ISO 9004

  19. Management Systems & Standards [chart: increasing aspects covered against increasing stakeholders involved] • ISO 9001 Quality Management • ISO 14001 Environmental Management • OHSAS 18001 Health and Safety Management • ISO 17799 Information Security Management • ISO 9004 Performance Improvement (all interested parties)

  20. Managing your Risks

  21. Information Security Assurance – 3 different layers • PRODUCT LEVEL ASSURANCE, e.g. firewall: the product is fit for its purpose • PROCESS LEVEL ASSURANCE, e.g. credit card transactions: robust processes to protect interested parties • MANAGEMENT SYSTEM LEVEL ASSURANCE, e.g. ISMS: systemic, proactive responses aligned to business objectives to protect ALL stakeholders: management, employees, customers, suppliers, users, regulators etc.

  22. The Virtuous M S Spiral: Commitment and Policy → Planning → Implementation and Operation → Checking and Corrective Action → Management Review → Continual Improvement

  23. ISMS – Your Competitive Edge • Information Security Management must be viewed as a strategic dimension of your business • Managing risks to information assets to: protect brand, retain customers, and enhance market capitalization

  24. Critical Security Concerns (The First Global Information Security Survey – KPMG 2002) • Viruses – 22% • Hackers – 21% • R.A. Controls – 17% • Internet Security – 17% • Data Privacy – 10%

  25. What is the damage? QUANTIFIABLE: the average direct loss of all breaches suffered by each organization is USD 108,000 / GBP 30,000 / INR 500,000 (The First Global Information Security Survey – KPMG 2002)

  26. What is the damage? INCALCULABLE: the loss of • Productivity • Recovery Costs • Customers • Market Capitalisation • Shareholder Value • Credibility

  27. Common Myths About Information Security • Myth 1: Information Security is the concern and responsibility of the MIS/IT manager • Myth 2: Security threats from outsiders are the greatest source of risk • Myth 3: Information Security is assured by safeguarding networks and the IT infrastructure • Myth 4: Managing people issues is not as important • Myth 5: Adopting the latest technological solutions will increase security

  28. 3. BS 7799 – AN OVERVIEW

  29. What is Information Security? ISO 17799:2000 defines this as the preservation of: • Confidentiality – ensuring that information is accessible only to those authorized to have access • Integrity – safeguarding the accuracy and completeness of information and processing methods • Availability – ensuring that authorized users have access to information and associated assets when required (ISO/IEC 17799:2000)

  30. ISO/IEC 17799? What it is: • An internationally recognized structured methodology dedicated to information security • A defined process to evaluate, implement, maintain, and manage information security • A comprehensive set of controls comprised of best practices in information security • Developed by industry for industry. What it is not: • A technical standard • Product or technology driven • An equipment evaluation methodology such as the Common Criteria (ISO 15408) • Related to the "Generally Accepted System Security Principles" (GASSP) • Related to the five-part "Guidelines for the Management of IT Security" (GMITS / ISO TR 13335)

  31. What does it comprise? • ISO/IEC 17799:2000 – Code of Practice for Information Security Management • BS 7799-2:2002 – Specification for information security management systems

  32. BS 7799-2:2002 – Plan, Do, Check, Act • Plan: Define ISMS scope and policy; Define a systematic approach to risk assessment; Identify the risks; Apply the systematic approach for assessing the risk; Identify and evaluate options for the treatment of risk; Select control objectives and controls for the treatment of risks • Do: Implement a specific management programme; Implement the controls that have been selected; Manage operations; Manage resources; Implement procedures and other control processes • Check: Execute procedures and other controls; Undertake regular reviews of the effectiveness of the ISMS; Review the level of residual risk and acceptable risk; Execute the management procedure; Record and report all actions and events • Act: Measure performance of the ISMS; Identify improvements in the ISMS and effectively implement them; Take appropriate corrective and preventive action; Communicate the results and actions and consult with all parties involved; Revise the ISMS where necessary; Ensure that the revisions achieve their intended objectives

  33. BS 7799 – 10 Domains [diagram: INFORMATION (staff records, client records, financial records) at the centre, surrounded by the ten domains] • Information Security Policy • Security Organisation • Asset Classification and Controls • Personnel Security • Physical Security • Communications Management • Access Controls • System Development • Continuity Planning • Compliance

  34. 4. IMPLEMENTING AN ISMS BASED ON BS 7799

  35. BS 7799 Registrations Around the Globe

  36. BS 7799 Registrations In India

  37. Building a Management System [diagram: INPUT from the client → Business Awareness → Develop → Build → Measure/Analyse Progress → OUTPUT: BSI Certification and Business Improvement; the management system build process involves the client, the consultant and BSI]

  38. Initiating BS 7799 Implementation • Step 1: ISMS – Defining Policy & Organization Structure • Step 2: ISMS – Defining the Scope • Step 3: ISMS – Risk Assessment • Step 4: ISMS – Risk Management • Step 5: ISMS – Choosing Controls • Step 6: ISMS – Statement of Applicability
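The six steps above are a paper exercise in the presentation. As an added illustration, not taken from the BSI slides or from the standard itself, the script below walks the same sequence on constructed data: a scope statement, a risk assessment, a treatment decision against an acceptable-risk threshold, control selection, and a Statement of Applicability that justifies every control included or excluded. The 1 to 5 likelihood and impact scales, the likelihood × impact score, the threshold of 6, the control catalogue (with placeholder references, not clause numbers of the standard) and the sample risks are all assumptions made for the example; BS 7799-2 requires a systematic approach but does not prescribe these.

```python
"""Added example: ISMS risk assessment, treatment and Statement of Applicability.
All scales, thresholds, controls and risks below are constructed for illustration."""
import copy
from dataclasses import dataclass, field

ACCEPTABLE_RISK = 6  # assumed management-approved threshold on the 1..25 scale


@dataclass(frozen=True)
class Control:
    ref: str            # placeholder identifier, not a clause number of the standard
    domain: str         # one of the ten BS 7799 domains
    title: str
    threats: frozenset  # threats this control mitigates
    reduction: int      # assumed: points of likelihood removed when the control is applied


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int     # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int         # 1 (negligible) .. 5 (severe), assumed scale
    treatment: str = "untreated"
    controls: list = field(default_factory=list)

    @property
    def inherent(self) -> int:
        """Step 3: systematic risk score before any treatment (assumed formula)."""
        return self.likelihood * self.impact

    @property
    def residual(self) -> int:
        """Risk remaining once the selected controls are applied; the Check phase
        compares this against the acceptable level."""
        if self.treatment != "reduce":
            return self.inherent
        likelihood = max(1, self.likelihood - sum(c.reduction for c in self.controls))
        return likelihood * self.impact


# Steps 1 and 2: policy scope. Constructed sample data.
SCOPE = "Corporate records held by the HR, finance and client-service departments"

CONTROL_CATALOGUE = [
    Control("C-01", "Access Controls", "Network access control", frozenset({"unauthorised access"}), 2),
    Control("C-02", "Communications Management", "Protection against malicious software", frozenset({"virus"}), 3),
    Control("C-03", "Personnel Security", "Security awareness training", frozenset({"virus", "social engineering"}), 1),
    Control("C-04", "Physical Security", "Equipment siting and protection", frozenset({"theft"}), 2),
]

SAMPLE_RISKS = [
    Risk("Client records", "unauthorised access", likelihood=4, impact=5),
    Risk("Staff records", "virus", likelihood=3, impact=3),
    Risk("Staff records", "social engineering", likelihood=2, impact=3),
    Risk("Financial records", "theft", likelihood=1, impact=5),
]


def treat(risk: Risk, catalogue, acceptable: int = ACCEPTABLE_RISK) -> Risk:
    """Steps 4 and 5: accept risks within the threshold; otherwise select the
    strongest controls addressing the threat until the residual risk is acceptable."""
    if risk.inherent <= acceptable:
        risk.treatment = "accept"
        return risk
    risk.treatment = "reduce"
    for ctl in sorted(catalogue, key=lambda c: -c.reduction):
        if risk.threat in ctl.threats:
            risk.controls.append(ctl)
            if risk.residual <= acceptable:
                break
    return risk


def statement_of_applicability(catalogue, risks):
    """Step 6: list every catalogue control with a justification for its inclusion
    or exclusion, so an auditor can trace each control back to a risk."""
    soa = []
    for ctl in catalogue:
        users = [r for r in risks if ctl in r.controls]
        soa.append({
            "ref": ctl.ref,
            "domain": ctl.domain,
            "applicable": bool(users),
            "justification": "; ".join(f"{r.asset} / {r.threat}" for r in users)
            or "no risk above the acceptable level requires it",
        })
    return soa


def run_plan(risks=None, catalogue=CONTROL_CATALOGUE, acceptable=ACCEPTABLE_RISK):
    """Run steps 3 to 6 and return the treated risks, the SoA, and the risks whose
    residual level still exceeds the threshold (these go to management review)."""
    risks = [treat(r, catalogue, acceptable) for r in copy.deepcopy(risks or SAMPLE_RISKS)]
    soa = statement_of_applicability(catalogue, risks)
    unacceptable = [r for r in risks if r.residual > acceptable]
    return risks, soa, unacceptable


if __name__ == "__main__":
    treated, soa, open_items = run_plan()
    print("Scope:", SCOPE)
    for r in treated:
        print(f"{r.asset:18} {r.threat:22} inherent={r.inherent:2} residual={r.residual:2} {r.treatment}")
    for row in soa:
        print(row)
    print("needs management decision:", [(r.asset, r.threat) for r in open_items])
```

The point a practitioner should take from the run is the last line: the client-records risk stays above the threshold after the only matching control is applied, so it cannot simply be marked "reduced"; either another control is added to the catalogue or management formally accepts the residual risk, and either decision is recorded. That is the "review the level of residual risk and acceptable risk" activity of the Check phase, and the Statement of Applicability must also justify the controls left out (C-03 and C-04 here), not only those included.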

  39. Risk Assessment and Risk Management Process

  40. BS 7799 Implementation [PDCA diagram] • Plan: Information Security Policy, Security Organisation, Classify Assets • Do: Apply the Controls, Operationalise Process • Check: Check Process • Act: Management Review, Corrective Action

  41. ISMS Documentation – Management framework policies relating to BS 7799-2 • Level 1 – Security Manual: policy, scope, risk assessment, statement of applicability • Level 2 – Procedures: describe the processes – who, what, when, where • Level 3 – Work instructions, checklists, forms, etc.: describe how tasks and specific activities are done • Level 4 – Records: provide objective evidence of compliance with ISMS requirements

  42. Critical Success Factors • Security policy that reflects business objectives • Implementation approach that is consistent with company culture • Visible support and commitment from management • Good understanding of security requirements, risk assessment and risk management • Effective marketing of security to all managers and employees • Providing appropriate training and education • A comprehensive and balanced system of measurement, used to evaluate performance in information security management and to feed back suggestions for improvement

  43. 5. BENEFITS OF BS 7799

  44. Benefits of BS 7799 certification • Opportunity to identify and fix weaknesses • Senior management takes ownership of Information Security • Provides confidence to trading partners and customers • Independent review of your Information Security Management System

  45. Key Challenges facing executives • Enterprises must manage threats to information security across many fields, while attackers can choose to specialize in narrow fields of competency • Fractured corporate response to such focused attacks • To think precisely about the concept of threat in the security context of the organization • Executives must develop non-traditional competencies in strategic risk management • Executives must manage ENTERPRISE SECURITY PROACTIVELY

  46. Further Information • Email: ajai.srivastava@bsiindia.com • Tel: +11 2371 9002/3 • Fax: +11 2373 9003
