
Information Security Management Awareness Training

What is an Information Security Standard?

Information Security Implementation


ISO 27001:2013
ISMS History
• Started in 1990 as a British Standard
• In 1995, launched BS 17799 as a UK standard
• In 2005, ISO launched the ISO 27001:2005 standard
• In 2013, ISO launched the revised version as ISO 27001:2013
ISO 27001:2013 Structure
1. Introduction / Scope
2. Normative References
3. Terms and Definitions
4. Context of the Organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance Evaluation
10. Improvement
ISO 27001:2013 Structure
(Structure diagram from the slide, reconstructed as a list of clauses and their sub-topics)
• 4 Context of the organisation: Understanding the organisation; Expectations of interested parties/stakeholders; Scope; Information Security Management System
• 5 Leadership: Management & commitment; ISMS policy; Responsibilities, authorities
• 6 Planning: Risks & opportunities; ISMS objectives; Planning of changes
• 7 Support: Resources; Competence; Awareness; Communication; Documented information
• 8 Operation: Operational planning; Market requirements, customer interaction; Planning process of organisation
• 9 Performance evaluation: Measurement, analysis, evaluation; Internal audits; Management review
• 10 Improvement: Non conformity & corrective action; Quality Improvement
Features of ISO 27001:2013
The standard covers 114 controls across 14 domains:
Control No. – Domain Name
5 – Information Security Policies
6 – Organization of Information Security
7 – Human Resource Security
8 – Asset Management
9 – Access Control
10 – Cryptography
11 – Physical and Environmental Security
12 – Operations Security
13 – Communications Security
14 – System Acquisition, Development and Maintenance
15 – Supplier Relationships
16 – Information Security Incident Management
17 – Information Security Aspects of Business Continuity Management
18 – Compliance
Risk Management
• Risk & Opportunity Identification
• Risk Estimation
– Assign to a Risk Owner
– Risk Value = C, I, A, Vulnerability, Threat, Probability & Impact
– Document Implemented Controls
– Review if additional controls are required
– Set Target Date
– Review Risks frequently
– Residual Risk Value = C, I, A, R. Vulnerability, Threat, R. Probability & Impact
– Review risks frequently to identify new risks as well as to review the identified risks
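As an added worked example (not from the training deck), a small risk register that carries the Risk Estimation steps above through in code: a risk owner, the C/I/A and threat factors, implemented controls, a target date, and the residual value after controls. The slide names the factors but not how they combine, so the 1 to 3 scale, the product formula and the acceptance threshold are assumptions:

```python
# Added worked example, not from the training deck: a small risk register that
# follows the slide's Risk Estimation steps. The deck names the factors (C, I, A,
# vulnerability, threat, probability, impact) but gives no scale or formula; the
# 1-3 scale, the product formula and the acceptance threshold are assumptions.
from dataclasses import dataclass, field

ACCEPTABLE_RISK = 27  # assumed threshold; a residual value above it needs more controls


@dataclass
class Risk:
    asset: str
    owner: str              # every risk is assigned to a risk owner
    c: int                  # confidentiality rating, 1 (low) .. 3 (high)
    i: int                  # integrity rating
    a: int                  # availability rating
    vulnerability: int      # 1 (low) .. 3 (high), likewise for the next three
    threat: int
    probability: int
    impact: int
    controls: list = field(default_factory=list)  # implemented controls
    target_date: str = ""   # target date for additional controls, if any
    r_vulnerability: int = 0  # residual vulnerability after the controls
    r_probability: int = 0    # residual probability after the controls

    def __post_init__(self):
        # with no controls in place the residual factors equal the inherent ones
        self.r_vulnerability = self.r_vulnerability or self.vulnerability
        self.r_probability = self.r_probability or self.probability

    def risk_value(self) -> int:
        # assumed: asset value is the highest of C, I, A; all factors multiply
        return (max(self.c, self.i, self.a) * self.vulnerability * self.threat
                * self.probability * self.impact)

    def residual_risk_value(self) -> int:
        # same formula with the residual vulnerability and probability
        return (max(self.c, self.i, self.a) * self.r_vulnerability * self.threat
                * self.r_probability * self.impact)

    def needs_additional_controls(self) -> bool:
        return self.residual_risk_value() > ACCEPTABLE_RISK


# Constructed sample register entries (not real assets)
REGISTER = [
    Risk("HR database", "HR Manager", 3, 3, 2, 3, 3, 2, 3,
         controls=["access control", "encrypted backups"],
         r_vulnerability=1, r_probability=1),
    Risk("Public website", "IT Manager", 1, 2, 3, 2, 3, 3, 2,
         controls=["web application firewall"],
         r_vulnerability=2, r_probability=2, target_date="2024-12-31"),
]
```

Each review pass recomputes the residual value from the current controls, so an entry whose residual stays above the threshold keeps its target date open until further controls bring it down.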
End of Session 1

Q&A
ISMS
• Information Security Scope Statement
• ISMS Policy Statement
• Policies covering other ISMS Requirements
• Statement of Applicability
• System Manual
• Information Classifications
– Public, Internal, Confidential & Most Confidential
• Procedures
– Purpose, Scope, Entry & Exit Criteria, Inputs, Procedure, Verification, Measurements, Records, References, ISO Clause reference & Abbreviations
• Guidelines
• Formats and Records
ISMS – HR Process
• Recruitment
– Background Check
– NDA, Employment Agreements and other relevant documents
– ID Card Issue and Return
• Relieving
– Removing authorizations & permissions
– Exit Interview
• Disciplinary Action
• Legal Compliance
ISMS – Training Process
• Identify Training Needs
– Mandatory and Optional
• Training Calendar
• Identify Trainers
• Training Material Preparation
• Conducting Training
– Attendance
– Feedback
• Monitor Training Effectiveness
ISMS – Admin & Purchase

• Physical Security
• Third Party Access
• Work Environment Maintenance
• CCTV Monitoring
• Fire Safety & Fire Drill
• Equipment Maintenance
• Purchase & Outwards
ISMS – IT Infrastructure Process

• IT Asset Installation
• Network Administration and Maintenance
• IT Asset Allocation and Maintenance
– Preventive and Breakdown Maintenance
• Back up and Restoration
• Vulnerability Analysis and Penetration Test
• Reuse and Disposal of Information Assets
• IT Verification Checks
ISMS – System and Application Access Control Process
• Account Creation
• User registration and De-registration
• Modification of Access Rights
• Review of Access Rights
• Asset Management
ISMS – Capacity Management Process

• Identification & Planning
• Implementation
• Monitoring
ISMS – Change Management Process

• Change Identification
– Software / Hardware
– Infrastructure
– Organisation Structure
• Analyse the Change
• Implementation
• Monitoring
ISMS – Incident Management Process

• Incident Identification and Reporting
• Monitor Incident Closure
• Collection of Evidence
• Determine Actions
• Implement Actions
• Analyse Effectiveness of Implemented Actions
Business Continuity Process

• Processes and Procedures for ensuring continued business operations
– Plan
– Implement
– Record Results
– Update Plan, cycle continues
ISMS – Internal Audits

• Audit calendar – ISMS Plan
• Audit Plan
• Identify Auditors and Auditees
• Auditing and Reporting
• Follow-up & Closing NCs
• Complete the Audit Cycle
ISMS – Management Review Process

• MRM Calendar – ISMS Plan
• Agenda for MRM
– Agenda Points
– ISMS Objectives
– Review Objectives and redefine
• Documenting Decisions and Action Items
• Analyse Performance of Processes
• Circulate MoM
ISMS – Dos
• Adhere to Information Security Policies
• Be accountable for your IT assets and confidential data
• Read and Understand the information security policies
• Always keep your system locked when you are away
• Ensure sensitive information on the computer screen is not visible to others
• Protect your user ID and password
• Use a strong password, and change your password on a regular basis
• Ensure the auto update of antivirus is always on
• Perform scheduled virus scanning
• Back up your system data, and store it securely if you are storing confidential data
• Scan all email attachments for viruses before opening them
ISMS – Dos
• Share your email address only with known people
• Choose well-known or trustworthy e-shopping sites
• Log out once you finish browsing any site
• Use different passwords for bank accounts, company accounts and external accounts
• Clean up cache files frequently / immediately
• Always use the Physical Authentication System while entering / exiting the office
• Report information security incidents to the CISO, even if committed by you
• Always alert IT / CISO if there is anything suspicious
• Always ask the CISO / security team if in doubt
• Keep your mobile devices with you at all times
• Wear your badge at all times while you are at office
ISMS – Don’ts
• Don't visit untrustworthy sites out of curiosity, or access the URLs provided on those websites
• Don't download data from doubtful sources
• Don't discuss anything sensitive in a public place
• Don't leave your computer / sensitive documents unlocked
• Don't share your password with anyone
• Don't use an easily guessed password, such as your ID, card number, phone number or date of birth
• Don't install any patch updates to the platform or operating system
• Don't use illegal software and programs
• Don't download programs without permission of IT / CISO 
• Don't open email attachments from unknown sources
• Don't forward or reply to junk email or hoax message
ISMS – Don’ts
• Don't click on links embedded in spam mails
• Don't make any e-shopping transactions using computers in an Internet cafe
• Don't use the confidential information in the training materials
• Don't leave without closing all browsers and logging out from public PCs
• Don't tailgate while entering / exiting the office
• Avoid clicking 'Keep me logged in' or 'Remember me' options on websites
• Never use your official email address for social media sites
• Don't leave any printed material on printers
• Don't give out personal information online
• Don't keep sensitive information on the desktop
• Avoid connecting your devices to public networks / Wi-Fi
Thank You

Q&A