SYSTEM
Ensuring Confidentiality
Assuring Integrity & Availability
by
Capt. Raj
CEO
MacroFirm Technology
Capt.raj@macrofirmtechnology.com
Stored on Computers
Transmitted across networks
Printed out or written on paper
Sent by fax
Stored on tapes or on disks
Spoken in conversations (including telephone)
Shown on films or presentations
© 2007 MacroFirm Technology.
All rights reserved.
Introduction
Information Classification
• Data Collection
• Data Analysis, Reduction and Reporting
• Statistical Analysis
• Process control
• Automated Test and Inspection
• System Design
• Document Management
Challenge of Managing the IT Infrastructure
[Diagram: pressures on the IT infrastructure, labelled Changing Technologies; Hackers & Extremists; Loss of Competitive Advantage; TRUST; Opportunities for FRAUD; Viruses & Worms; "Free" Access for Employees; New IT Projects; Outsourcing; IT System Crashes. The surrounding news clippings cite Lloyd's of London (Jan 2001), Barclays' online bank (August 2000), a survey finding that on average 60% of organisations had suffered a security breach in the last two years, and a $13.2B economic-impact figure for malicious code attacks.]
What is Information Security?
[Diagram: the triad of Confidentiality, Integrity and Availability. Integrity: information should be modified only by authorized individuals.]
It is a business issue!
[Chart fragment: Budget 37%; Other Reasons 8%]
What can happen? Threats
How can it happen? Vulnerabilities
Risks = Threats + Vulnerabilities
Understanding Threats, Vulnerabilities, and Risks
Threats:
• Spoofing
• Snooping
• Phishing
• Malicious Codes
• Abuse of system privileges
• Sabotage
Vulnerabilities:
• Computer hardware and software
• Poor procedures
• Poor oversight / enforcement
Risk = threat + vulnerability
Security Threats
NATURAL
Enterprise Architecture
• Identification of Vulnerabilities
• Identification of Threats
• Evaluation of Business Risks Impacts
• Review of Existing Security Controls
• Identification of New Security Controls
• Policy and Procedures
• Gap Analysis
Control types: Detection, Correction, Deterrence, Recovery, (Avoidance), Monitoring, Prevention, Awareness, Limitation
Roles:
• Top Management
• Heads of Department
• HR Manager
• IT Manager / Sys Administrator
• Process Owners
• Physical Security Manager / Guard
8 Steps to follow when implementing the ISO 27001 standard:
• ISMS Definition
• Risk assessment
• Risk management
• Training and awareness
• Preparing for the audit
• Audit
• Ongoing improvement
Whatever the type or size of a business (multinational or SME), all organizations are vulnerable to threats that jeopardize the confidentiality, integrity and availability of important data. The sooner protective action is taken, the more inexpensive and effective the security.
Annex A (normative): Control objectives and controls
ISO/IEC 17799:2005 Security techniques - Code of practice for information security management
ISO/IEC 27799:2007 Health informatics -- Information security management in health using ISO/IEC 17799
PEOPLE
PROCESS
TECHNOLOGY
In that order