
Information Security Management System (ISMS) based on the ISO 27000 series standards (ISO 27000)

ENTERPRISE STANDARDS FOR INFORMATION SECURITY

SRI LANKA INSTITUTE OF INFORMATION TECHNOLOGY
BSC (HONS) IN INFORMATION TECHNOLOGY CYBER
Table of content
About Organization
ISMS Introduction
ISMS Benefits
ISMS Cost
Assets Register
Registered Assets
Most Critical Assets
Bank of Ceylon (BOC)
Bank of Ceylon is a state-owned, major commercial bank in Sri Lanka. Its
head office is located in an iconic cylindrical building in Colombo, the political
and commercial capital of the island.

The bank has a network of 628 branches, 689 automated teller machines
(ATMs), 123 cash deposit machines (CDMs) and 15 regional loan centres within
the country. It also has an around-the-clock call centre at 0094 11 2204444 and
an around-the-clock branch at its Colombo office.

In addition to the local presence, the bank maintains an off-shore banking unit
in the head office in Colombo, and three branches in Malé, Chennai and
Seychelles, and a subsidiary in London.
ISMS Introduction
An information security management system (ISMS) is a framework of policies
and controls that manages information security and its risks systematically
across your entire enterprise.

These security controls can follow common security standards or be more
focused on your industry. For example, ISO 27001 is a set of specifications
detailing how to create, manage and implement ISMS policies and controls. The
standard does not mandate specific technical actions; instead, it sets
requirements for the management system and leaves the choice of controls to
the organisation's own risk assessment.

The framework for an ISMS is usually focused on risk assessment and risk
management.
ISMS Benefits

Secures your information in all its forms
• An ISMS helps protect all forms of information, including digital,
paper-based, intellectual property, company secrets, data on devices and in
the cloud, hard copies and personal information.

Provides a centrally managed framework
• An ISMS provides a framework for keeping your organisation's information
safe and managing it all in one place.

Helps respond to evolving security threats
• By adapting constantly to changes both in the environment and inside the
organisation, an ISMS reduces the exposure to continually evolving risks.

Protects confidentiality, integrity and availability of data
• An ISMS offers a set of policies, procedures, and technical and physical
controls to protect the confidentiality, integrity and availability of
information.

Increases resilience to cyber attacks
• Implementing and maintaining an ISMS can significantly increase your
organisation's resilience to cyber attacks.

Reduces costs associated with information security
• Thanks to the risk assessment and analysis approach of an ISMS,
organisations can reduce the cost of indiscriminately adding layers of
defensive technology that might not work.
ISMS Cost

These are the main costs associated with the management system elements of an
ISO 27000 ISMS.

• ISMS management costs
• ISMS implementation costs
• Certification costs
• Maintenance costs
Assets Register

o Digital Assets
o Business Databases
o Physical Assets
o People Assets
o Servers
o Network Devices
o Media
o Support Utilities
Registered Assets

Digital Assets
• Banking Website
• Self Banking Mobile app

Business Databases
• Employees database
• Account holder's information database

Physical Assets
• ATM Machines
• Vehicles

People Assets
• Database Manager
• Network Administrator

Media
• Commercial Advertisements
• Public campaign and Banners
Most Critical Assets

• ATM Machines
• Online Banking web site & mobile app
• Account holder's information database
• Database Manager
• Network Engineer
ATM Machines

Risk register columns (used in all five tables): known or suspected threats; known or suspected vulnerabilities; primary concerns (C/I/A); impact level (♠); possibility of occurrence (♣); raw risk level (♥ = ♠ × ♣); key information security controls in effect; incident undetectability (♦); detected risk level (♥ × ♦).

| Threat | Vulnerability | C/I/A | Impact ♠ | Possibility ♣ | Raw risk ♥ | Controls in effect | Undetectability ♦ | Detected risk |
|---|---|---|---|---|---|---|---|---|
| Remote cyber attack | Taking control of the ATM server; incomplete checking and updating | C+A | 4 | 1 | 4 | Security controls | 4 | 16 |
| Insert skimmers | Capture information from swiped cards | C+I | 5 | 3 | 15 | Checking and correcting data | 2 | 30 |
| Direct malware attack | Using physical access to an ATM to deploy malware variants | C | 3.5 | 2 | 7 | Security controls | 2 | 14 |

Mean risk total: 30
Online Banking web site & mobile app

| Threat | Vulnerability | C/I/A | Impact ♠ | Possibility ♣ | Raw risk ♥ | Controls in effect | Undetectability ♦ | Detected risk |
|---|---|---|---|---|---|---|---|---|
| Virus | Anti-virus program is not properly updated | C+I+A | 4 | 3 | 12 | Renew the anti-virus program and update the system | 2 | 24 |
| Hacking | Network connectivity; inadequate firewall protection | C+I+A | 2 | 2 | 4 | Data protection policies & procedures, network security controls, system security controls | 4 | 16 |
| Software errors | Software does not have proper access control | C+A | 5 | 4 | 20 | Ensure a proper connection to the network | 2 | 40 |

Mean risk total: 40
Account holder's information database

| Threat | Vulnerability | C/I/A | Impact ♠ | Possibility ♣ | Raw risk ♥ | Controls in effect | Undetectability ♦ | Detected risk |
|---|---|---|---|---|---|---|---|---|
| Disk failure | No backup of the data is kept | A | 5 | 5 | 25 | Maintain a backup device | 2 | 50 |
| Unauthorized access | Access was given to too many people and the access control scheme is not properly defined | C+I+A | 2.5 | 4 | 10 | Data protection policies & procedures, network security controls, system security controls | 3 | 30 |
| Virus | Anti-virus program is not properly updated | C+I+A | 3 | 5 | 15 | Renew the anti-virus program and update the system | 3 | 45 |

Mean risk total: 42
Database Manager

| Threat | Vulnerability | C/I/A | Impact ♠ | Possibility ♣ | Raw risk ♥ | Controls in effect | Undetectability ♦ | Detected risk |
|---|---|---|---|---|---|---|---|---|
| Unavailability of this person | No replacement for this position | A | 3 | 3 | 9 | None in effect (there is no replacement for this position) | 5 | 45 |
| Frequent errors | Lack of training | I+A | 5 | 2 | 10 | The Database Manager must have proper training | 2 | 20 |

Mean risk total: 13
Network Engineer

| Threat | Vulnerability | C/I/A | Impact ♠ | Possibility ♣ | Raw risk ♥ | Controls in effect | Undetectability ♦ | Detected risk |
|---|---|---|---|---|---|---|---|---|
| Unavailability of this person | No replacement for this position | A | 3 | 4 | 12 | None in effect (there is no replacement for this position) | 4 | 48 |
| Frequent errors | Lack of training | I+A | 1.5 | 2 | 3 | Network Engineers must have proper training on network knowledge | 5 | 15 |
| Access to the network by unauthorized persons | Lack of policies for the correct use of telecommunications media and messaging | C+A | 2 | 5 | 10 | Company policies, data protection policies & procedures, network security controls, system security controls | 3 | 30 |

Mean risk total: 51
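As an added example (not part of the original presentation), the five risk tables above encoded as data in Python so that the scoring can be recomputed and checked: every recorded row works out as raw risk = ♠ × ♣ and detected risk = ♥ × ♦, and the checker flags any row that does not. The per-asset aggregation (mean and max of detected risk) is an assumption, since the page does not say how its "Mean risk total" figures were derived; the threat names and factor values are transcribed from the tables.

```python
"""Risk-register consistency checker for the BOC ISMS tables.

Added example, not part of the original presentation. Recomputes raw
risk (impact x possibility) and detected risk (raw x undetectability)
from the recorded factors and flags rows whose recorded figures differ.
Per-asset mean/max aggregation is an assumption, not the page's method.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class RiskRow:
    asset: str
    threat: str
    impact: float             # spade: impact level
    possibility: float        # club: possibility of occurrence
    undetectability: float    # diamond: incident undetectability
    recorded_raw: float       # heart: raw risk level as written in the table
    recorded_detected: float  # detected risk level as written in the table

    @property
    def raw(self) -> float:
        return self.impact * self.possibility

    @property
    def detected(self) -> float:
        return self.raw * self.undetectability


# Rows transcribed from the tables above:
# (asset, threat, impact, possibility, undetectability, recorded raw, recorded detected)
REGISTER = [
    RiskRow("ATM Machines", "Remote cyber attack", 4, 1, 4, 4, 16),
    RiskRow("ATM Machines", "Insert skimmers", 5, 3, 2, 15, 30),
    RiskRow("ATM Machines", "Direct malware attack", 3.5, 2, 2, 7, 14),
    RiskRow("Online Banking web site & mobile app", "Virus", 4, 3, 2, 12, 24),
    RiskRow("Online Banking web site & mobile app", "Hacking", 2, 2, 4, 4, 16),
    RiskRow("Online Banking web site & mobile app", "Software errors", 5, 4, 2, 20, 40),
    RiskRow("Account holder's information database", "Disk failure", 5, 5, 2, 25, 50),
    RiskRow("Account holder's information database", "Unauthorized access", 2.5, 4, 3, 10, 30),
    RiskRow("Account holder's information database", "Virus", 3, 5, 3, 15, 45),
    RiskRow("Database Manager", "Unavailability of this person", 3, 3, 5, 9, 45),
    RiskRow("Database Manager", "Frequent errors", 5, 2, 2, 10, 20),
    RiskRow("Network Engineer", "Unavailability of this person", 3, 4, 4, 12, 48),
    RiskRow("Network Engineer", "Frequent errors", 1.5, 2, 5, 3, 15),
    RiskRow("Network Engineer", "Access to the network by unauthorized persons", 2, 5, 3, 10, 30),
]


def inconsistent_rows(rows):
    """Rows whose recorded raw/detected values disagree with their own factors."""
    return [r for r in rows
            if r.raw != r.recorded_raw or r.detected != r.recorded_detected]


def rank_threats(rows, top=5):
    """Highest detected risk first; ties broken by raw risk, then by name."""
    ordered = sorted(rows, key=lambda r: (-r.detected, -r.raw, r.asset, r.threat))
    return [(r.asset, r.threat, r.detected) for r in ordered[:top]]


def asset_summary(rows):
    """Per-asset mean and max of detected risk (aggregation method is assumed)."""
    by_asset = {}
    for r in rows:
        by_asset.setdefault(r.asset, []).append(r.detected)
    return {asset: {"mean": round(mean(scores), 2), "max": max(scores), "rows": len(scores)}
            for asset, scores in by_asset.items()}


if __name__ == "__main__":
    bad = inconsistent_rows(REGISTER)
    print("rows with arithmetic errors:", [(r.asset, r.threat) for r in bad])
    for asset, threat, score in rank_threats(REGISTER):
        print(f"{score:>5}  {asset}: {threat}")
    for asset, s in asset_summary(REGISTER).items():
        print(f"{asset}: mean {s['mean']}, max {s['max']}, over {s['rows']} rows")
```

Running it lists the highest detected risks across all assets (disk failure of the account holder database at 50, then unavailability of the Network Engineer at 48), which is the ordering a treatment plan would follow, and reports no arithmetic errors in the transcribed rows.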
Our Group

IT-17168014 IT-17183864 R.M.V.D.B.Rathnayake IT-17124768


Pransikkudura K.L.S Silva A.A.N
Thank you
