Sundar Murthi
DGM, CAB
Session Plan
Information security as a Governance requirement
IS setup
Putting an IS Policy in place
IS Audit
Challenges
4/25/2013
Information Security
Protecting information and information assets
- from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
- It includes the media on which information is recorded, including hard disks, floppy disks, CDs and tapes, as well as paper documents.
Information Security Principles
• Accountability
• Assurance
• Authentication
• Authorization
• Identification
• Confidentiality
• Integrity
• Availability
Information Security – Does it make business sense?
• Cost of loss/breach of information is very high
• Data privacy required by law and contracts
• More and more customers are asking for Information Security
• Requirements of Basel II & III (Operational Risk)
What’s being protected?
Organizing for effective ISMS
Information Security Committee (organization chart: Board of Directors, CMD, CEO, CIO, CFO, CISO)
Defining Stakeholders
• Information Owner
• Information Custodian
• Application Owner
• User-manager
• Security Administrator
• End User
ISO 27001
The ISMS
- 11 Domains
- 39 Control Objectives
- 133 Controls
Management cycle
- Management Responsibility
- Internal ISMS Audits
- Management Review
- ISMS Improvement
ISMS Implementation: 6 Steps in Planning
(flow diagram) Information Security policy
Step 1: Define the policy
Risks to be managed
ISO27001 Annex A: control objectives and controls
Step 5: Select control objectives and controls; Risk treatment plan; Additional controls & objectives; Selected controls and objectives
Step 6: Statement of Compliance
Annex A domains shown: Security policy; Organization of info security; HR security; Info Sec Incident management
IS Audit
Scope of IS Audit includes
• Determining the effectiveness of planning and oversight of IT activities
• Evaluating the adequacy of operating processes and internal controls
• Determining the adequacy of compliance efforts
• Identifying shortcomings in systems
IS Audit
• To be a part of internal audit systems
• To be reviewed by the Audit Committee of the Board
• Needs qualified/experienced auditors – either internal or external
Information Security Challenges
• Technology has moved faster than controls
• Lack of an institutional and social culture of security
• New trends
– Mobile banking
– Cloud computing
– Virtualization
– Multiple channels of banking