D1 Session2

INFORMATION SECURITY MANAGEMENT
SYSTEM
Using ISO 27001:2005 & ISO 27002:2007

For
Ensuring Confidentiality
Assuring Integrity & Availability
by
Capt. Raj
CEO
MacroFirm Technology
Capt.raj@macrofirmtechnology.com
© 2007 MacroFirm Technology.

All rights reserved.
Discussion Outline
Introduction to Information Security
Industry Statistics on Security Breeches and Incidents
What is ISO 27001
The ISMS Implementation Methodology
The Key Controls of ISO 27002, 27799, etc

Introduction to Information Security

Introduction
What are Information?
Stored on Computers
Transmitted across networks
Printed out or written on paper
Sent by fax
Stored on tapes or on disks
Spoken in conversations (including
telephone)
Shown on films or presentations
4
Introduction
Information Classification

Introduction
Uses of Information Technology Infrastructure
• Data Collection
• Data Analysis, Reduction and
Reporting
• Statistical Analysis
• Process control
• Automated Test and Inspection
• System Design
• Document Management
6
Introduction
Uses of Information Technology Infrastructure

• Internet Access
• E-mail
• Chatting
• Instant Messaging
• Video Conferencing
• Virtual Teaming
• E-Learning
• E-Commerce
• Website Design
7
Challenge of Managing the IT Infrastructure
f Lo ndon
o Changing
Ll o yd’s 2001 Changing
r f o rces e – Jan Technologies
Technologies
Hackers
Hackers&& e it
Hack e web s
Loss
Lossof
ofCompetitive
Competitive
s
to clo
Extremists
Extremists Advantage
On a Advantage
ve
TRUST orga rage, 60
ni % of
secu sations h
TRUST
Secur ri
ity a
Barcla lapse close years ty breach ve suffere
ys s t 90 ses - 200 i n th e da
Augus ’ online ban t ha 4 l a s t two
t 2000 k–
e y f ound busines
surv pled te r Opportunities for
One t of sam compu eriod – Opportunities for
n ed
e nth p
FRAUD
perc xperienc m o
FRAUD
had
e n a 12 i n the
i t
hes cen 004
b reac 62 per a r c h 2 Viruses
Viruses&&Worms Worms
ro m - M
up f us year
“Free” Access
“Free” Access for for
io
prev
Employees
Employees New
NewIT ITProjects
Projects
f e m a ils e d by a
t
nu m ber o es detec ose
Malici Outsourcing
Outsourcing The ng v irus e r v i c er
ou i ni gs -
$13.2 s code atta conta scannin 400 mark
B c ng n
2001 . economic ks had IT System Crashes leadi the one i
- Jan impac e
abov t 2003
IT System Crashes
2002 t in
s
A ugu
8
What is Information Security?
In the context of ISO 27001, Information Security is defined as the

preservation of:
Confidentiality: ensuring that information is only accessible

only to those authorized to have access.
Integrity: safeguarding the accuracy and completeness of

information and processing methods.
Availability: ensuring that authorized users have access to

information and associated assets when required.
In addition, other properties such as authenticity, accountability,

non-repudiation and reliability can also be involved.

Three Aspects of Information Security
Confidentiality Availability
Information should Information should

be available only to be accessible to
authorized Information those who are
individuals authorized to access
it when they need it
Integrity
Information should
be modified only by
authorized
individuals

Information Security: Management Challenge or
Technical Issue?
80 % is Management Information security must

Infosec Policies be seen as a management
and business challenge,
Infosec Responsibilities
not simply as technical
Infosec Awareness/Training issue to be handed over
Business Continuity Planning experts. To keep your
20 % is Technology business secure, you must
understand both the
Systems, Tools, Architectures,
etc. problems and the solutions.

Why Information Security?
Protects information from a range of threats
Ensures business continuity
Maximize return on investments and business

opportunities
It is a business issue!

How to Achieve Information Security?
Information security is achieved by evaluating

business risks and other risks faced by the
organisation, mitigate the risks by implementing a
suitable set of controls, which could be policies,
practices, procedures, organizational structures and
software functions.
These controls need to be established to ensure that

the specific security objectives (without dampening
the business objectives) of the organization are met.

Information Security – A Human Behavioral Problem
What Do Companies Say: What Does FBI Say About Companies:

66% have information security problems 91% have detected employee abuse
65% were attacked by own employees 70% indicate the Internet as a frequent
51% see information security as a priority attack point
40% do not investigate security incidents 64% have suffered financial losses
38% have detected attacks that blocked 40% have detected attacks from outside
their IT systems 36% have reported security incidents.
Only 33% can detect attacks and intrusions
Source: FBI Computer Crime and
Source: EY Information Security Survey Security Survey 2001
2001 - 2002

BPO clients more wary of info security leaks'
— Forrester study sees impact on growth
STRENGTHENING its earlier claim that a slew of

incidents of information security breach, including the
Msource case, would dampen the industry's growth
rate, a recent Forrester study has found that an
overwhelming majority of 31 foreign BPO clients
surveyed plan to step up investigation of vendor's security
and
business processes, to mitigate risks.

Reaction from State Side
When asked how recent incidents of security
breach had impacted their offshore BPO plans,
the clients surveyed — most of them in the US
— admitted to some change or addition in their
Vendor Selection Process.
They said this would come in the form of
additional controls, such as increasing call
monitoring ratio, or changing the ratio of call
centre agent versus supervisors, or cross
examination of databases.

The Incident(s)
• The survey by Forrester comes in the wake of recent
information security breaches, both onshore and
offshore. MasterCard International said a security
breach of credit card payment data had exposed about
40 million cards of all brands to potential fraud in what
one analyst termed was the biggest privacy breach
ever.
• In April, some former employees of Mphasis BFL's BPO
operation Msource in Pune were arrested for allegedly
stealing over $350,000 from four Citibank customers,
sending shock waves through the Indian IT-enabled
services sector.
Source: The Hindu June 22nd 06
The Impact
Following the incident, Forrester had said that the
case, coupled with high call centre attrition
rates, would severely dampen BPO growth rate
in the next 18 months in India and elsewhere.
It had warned that call centre BPO growth could

drop by as much as 30 per cent.

Data Theft Scandal: Press has a field day in
UK
In spite of NASSCOM writing to Dispatches (Channel
4), for evidence regarding the details of the
allegations, expressing doubts about the veracity of
'The Data Theft Scandal' report to be aired by
Channel 4, they refused to provide that information,
prior to airing of the program. NASSCOM had urged
the TV channel to fully co-operate with authorities to
find out the 'corrupt staff' associated with Indian call-
centres. A program, based on the same alleged
criminals, was aired by Channel 4 in the UK on
October 5. The Channel 4 program is understood to
have spent over a year trying to locate security
lapses in India's call centre industry.
Source: OffshoreTimes.com

Implications
The media along with the unions in both US and
UK have always sympathized with the workers
whose jobs were persevered to be technically
outsourced to countries like India, Philippines
and others.
Any such incidents from the service provider will

not only have an impact to the particular
organization but will spill over to the country it
is based in.
The local media will have more “Ammo” if that

country is not “politically aligned” with the big 2.
BPO: More Bad News
The bad news seems to never end for the BPO industry.
The latest scam where an employee of HSBC has been
arrested for defrauding 20 London- based customers to
the tune of £230,000 has made headlines not only in
India but globally as well. Newspapers have been quick
to remind the readers lest they forget about the BPO
"hall of shame."
Its most unfortunate that all the companies in
the industry have been tarred with the same
brush, irrespective of the activity of the
individual firm or its credentials.
How the Indian BPO Industry responded
to this crisis …….
• Most of the BPO companies providing
services to UK clients ensure compliance
with UK Data Protection Act 1998 (DPA)
through contractual agreements
• Companies dealing with US clients require
compliance depending upon the industry
served. Eg Healthcare requires
compliance with HIPAA, Financial services
require compliance with GLBA and BS
7799
• Many companies in India are undergoing/have
undergone SAS 70 & BS 7799 Audit. SAS-70
assignments help service companies operating
from India to implement and improve internal
controls, ensure minimal disruptions to business
from clients' auditors.
• NASSCOM has been working closely with the
ITES BPO industry to create an information
security culture within these segments. Indian
companies have raised their quality standards in
recent years to meet international demands.
- Vice President Nasscom 2006
Malaysian Figures

What Do Companies Say:
0% 10% 20% 30% 40% 50% 60%
Employee Awareness 56%
Tools/Security Solutions 44%
People Skills 40%
Budget 37%
Management Support 26%
Other Reasons 8%

Security as we know it !!
"You mean people can just walk in
and walk out with data?"
c ed m y s ystems
“ I h a ve outsour e t o a s ecurity
CEO: aintenan c
g an d m
monitorin
”
company
CFO: “We have invested RM 750,000 on IT security and l s”.

w al
Back-ups” e
fir
MD: M a ve
y clien “ Ih
No ex t
ternal server and T O :
hacke datab C
r can ase is
come isolat
in” ed fro
m the
webse
rver.
My Response to them: Its like building a solid
front door and leaving your window open.
Medco sys admin gets 30 months for planting logic bomb
Inside saboteur could have crippled pharmacists' ability to check for deadly
drug interactions, U.S. attorney says- Jan 2008
January 08, 2008 (Computerworld) -- A former systems administrator at

Medco Health Solutions Inc. was sentenced to 30 months in federal prison
today for planting a logic bomb that could have taken down a corporate
network that held customer health care information.
Yung-Hsun Lin, 51, of Montville, N.J., was sentenced in U.S. District Court in
Newark, N.J. Lin, who faced a maximum of 10 years in prison, pleaded
guilty to one count of computer fraud in September. He was responsible for
programming and maintaining the servers at Medco, where he worked from
1997 to 2005.

Understanding Threats, Vulnerabilities, and Risks
What can
Happen?
How can it
Threats happen?
Vulnerabilities
Integrity Confidentiality
Availability
Risks
Threats +
Vulnerabilities
Understanding Threats, Vulnerabilities, and Risks
Spoofing
Computer
Snooping
hardware and
Phishing software
threat +
Malicious Codes Poor procedures vulnerability
Abuse system of Poor oversight /
privileges enforcement
Sabotage
Security Threats

Risk Assessment and Management
Man-Made Unintentional
Intentional Viruses, Accidental Power loss,
Espionage, Sharing Forgetting Password,
Passwords, Inadequate Unattended Terminal
Backups Display, Food/Drinks
NATURAL
Hurricane, Fire, Flood,

Earthquake

Terrorists White Collar Hackers Open

Crime Source
Enterprise Architecture
Disasters Extranets Script IP Theft

Copiers

Risk Assessment refers to
assessment of threats to, impacts on
and vulnerabilities of assets and the
likelihood of their occurrence.
What are
It produces an estimate of the risk to you going
an asset at a given point of time. It to protect?
answers the following questions:
What can go wrong?

How bad could it be?
How likely is it to occur?
How to manage the risk?
Risk Assessment and Management Process
Asset Identification
and Valuation
Identification of
Vulnerabilities
Identification of
Threats
Evaluation of
Business Risks Impacts
Rating/Ranking of Level of Acceptable

Risks Risk
Risk Assessment and Management Process (2)
Review of Existing
Security Controls
Identification New
Security Controls
Policy and
Procedures
Gap Analysis
Risk Acceptance Implementation and

(Residual Risk) Risk Reduction

Security Controls
Measures to Prevent, Detect or Reduce the Risk.

Effective security generally requires combination of the
following:
Detection Correction
Deterrence Recovery
(Avoidance)
Monitoring
Prevention
Awareness
Limitation

Who needs ISMS?
Every organisation which feels that

information is the key business driver.
BASICALLY EVERYBODY!!!!!!!!!!!!!!!
• Banks
• IT and software development companies
• IT Service providers
• R & D Centres
• Outsourcing Companies
• DR centres
• Data Centres
• Government (example: tax office)
• Consultancy Firms
• Hospitals
• Schools and Universities
•
All rights reserved. Insurance Companies
Why should an organization go for ISMS?
ISO 27001 defines best practice for Information Security

Management
Without a formal Information Security Management

System (ISMS) such as ISO 27001 based system,
security will be compromised – Its just a matter of
time.
Information Security needs in the first line a

management process, not a technological process.

All rights reserved. 39
Who Do I Involve?
Top Management
Heads of Department
HR Manager
IT Manager / Sys Administrator
Process Owners
Physical Security Manager/ Guard

ISMS Implementation Methodology

ISO 27001 Implementation Methodology
Projectinitiation
Project initiation
ISMSDefinition
ISMS Definition
Riskassessment
assessment
Risk 8 Steps to follow when
implementing the ISO 27001
Riskmanagement
management
Risk standard.
Trainingand
Training andawareness
awareness
Preparingfor
Preparing forthe
theaudit
audit
Audit
Audit
Ongoingimprovement
Ongoing improvement
Whatever the type or size of a business
(multinational or SME), all organizations are
vulnerable to threats that jeopardize the
confidentiality, integrity and availability of
important data. The sooner protective action is
taken, the more inexpensive and effective the
security.

Control and Continual Improvement
Whether you are ISO 27001 certified or not, it is

important to regularly verify and improve your
management framework after its implementation.
Inspections and updates should be performed
regularly, as security is a field that is ever-changing.
For example, outdated antivirus software is of very
little use.

Future of ISMS
Industry Specific ISMS on the cards for 2008
Healthcare
Automotive
Banking & Finance
Telco
Supplychain
IT Service providers

Needs for Health Care Security (HIPAA Chain of Trust)

Health Care ISMS = Management System +
Generic Controls + Health care controls
Annex
AnnexAA(normative)
(normative)
Control
Control objectivesand
objectives and
ISO/IEC
ISO/IEC controls
controls
ISO/IEC
ISO/IEC 17799:2005
17799:2005
27799:2007
27799:2007 Security
Security
Health informatics -- techniques - Code of
Health informatics -- techniques - Code of
Information security practice for
Information security practice for
management in information security
management in information security
health using ISO/IEC management
health using ISO/IEC management
17799
17799

ITU Security Standard

ISO 29001- Supply Chain and Transportation Security
& EU Regulations

Conclusion
Take care of………….
PEOPLE
PROCESS
TECHNOLOGY
In that order
For Further Information on MDeC Support for MSC

Status companies on ISMS, please contact Mr. Muhu
kmuhu@mdec.com.my


D1 Session2

Diunggah oleh

Informasi Dokumen

Deskripsi Asli:

Judul Asli

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

D1 Session2

Diunggah oleh

Hak Cipta:

Format Tersedia

INFORMATION SECURITY MANAGEMENT

Using ISO 27001:2005 & ISO 27002:2007

© 2007 MacroFirm Technology.

© 2007 MacroFirm Technology.

© 2007 MacroFirm Technology.

© 2007 MacroFirm Technology.

Uses of Information Technology Infrastructure

Uses of Information Technology Infrastructure

In the context of ISO 27001, Information Security is defined as the

Confidentiality: ensuring that information is only accessible

Integrity: safeguarding the accuracy and completeness of

Availability: ensuring that authorized users have access to

In addition, other properties such as authenticity, accountability,

© 2007 MacroFirm Technology.

Information should Information should

© 2007 MacroFirm Technology.

80 % is Management Information security must

© 2007 MacroFirm Technology.

Protects information from a range of threats

Ensures business continuity

Maximize return on investments and business

© 2007 MacroFirm Technology.

Information security is achieved by evaluating

These controls need to be established to ensure that

© 2007 MacroFirm Technology.

What Do Companies Say: What Does FBI Say About Companies:

© 2007 MacroFirm Technology.

STRENGTHENING its earlier claim that a slew of

© 2007 MacroFirm Technology.

© 2007 MacroFirm Technology.

It had warned that call centre BPO growth could

© 2007 MacroFirm Technology.

© 2007 MacroFirm Technology.

Any such incidents from the service provider will

The local media will have more “Ammo” if that

© 2007 MacroFirm Technology.

Employee Awareness 56%

Tools/Security Solutions 44%

People Skills 40%

Management Support 26%

© 2007 MacroFirm Technology.

CFO: “We have invested RM 750,000 on IT security and l s”.

January 08, 2008 (Computerworld) -- A former systems administrator at

© 2007 MacroFirm Technology.

© 2007 MacroFirm Technology.

Hurricane, Fire, Flood,

© 2007 MacroFirm Technology.

Terrorists White Collar Hackers Open

Disasters Extranets Script IP Theft

© 2007 MacroFirm Technology.

What can go wrong?

Rating/Ranking of Level of Acceptable

Risk Acceptance Implementation and

© 2007 MacroFirm Technology.

Measures to Prevent, Detect or Reduce the Risk.

© 2007 MacroFirm Technology.

Every organisation which feels that

ISO 27001 defines best practice for Information Security

Without a formal Information Security Management

Information Security needs in the first line a

© 2007 MacroFirm Technology.

© 2007 MacroFirm Technology.