General - background
• How to establish security requirements
–Risk assessments
–Legal, statutory requirements
–Business requirements for information processing
• Select controls from a standard
• Controls considered to be common practice
–Information security policy
–Allocation of responsibilities
–Awareness and training
–Technical vulnerability management
–Incident reporting
Critical success factors for addressing InfoSec in organisations
12 Key control areas
1. Risk assessment and treatment
2. Information Security policy
3. Organization / management of Info Sec
4. Assets classification and control (management)
5. Human resources security
6. Physical and environmental security
7. Communications and operations management
8. Access control
9. Information Systems acquisition, development and maintenance
10. Information Security Incident Management
11. Business Continuity Management
12. Compliance
Security policy
INFORMATION SECURITY POLICY
Security policy
Information security policy
c. a brief explanation of the security policies, principles,
standards and compliance requirements of particular
importance to the organization, for example:
Organization Information Security
INTERNAL ORGANIZATION
Management commitment to information security
Information security co-ordination.
Allocation of information security responsibilities
Authorization process for information processing facilities
Confidentiality agreements
Contact with authorities
Contact with special interest groups
Independent review of information security
EXTERNAL PARTIES
Identification of risks related to external parties
Addressing security when dealing with customers
Addressing security in third party agreements
Asset Management
Inventory of assets
Ownership of assets
Acceptable use of assets
Asset Management
INFORMATION CLASSIFICATION
Objective: To ensure that information receives an appropriate level of protection.
Human Resources Security
DURING EMPLOYMENT
Objective: To ensure that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.
Management responsibilities
Information security awareness, education, and training
Disciplinary process
Human Resources Security
Termination responsibilities
Return of assets
Removal of access rights
Physical and environmental security
SECURE AREAS
Communications and operations management
Access control
USER RESPONSIBILITIES
Objective: To prevent unauthorized user access.
• Co-operation of authorized users is essential for effective security.
• Make users aware of their responsibilities, e.g. password use and security of user equipment.
INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE
SECURITY REQUIREMENTS OF INFORMATION SYSTEMS
Objective: To ensure that security is built into information systems.
• Includes infrastructure, business applications and user-developed applications.
• Identify and justify all security requirements during the requirements phase; they must be agreed and documented before development begins.
INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE
SECURITY IN DEVELOPMENT AND SUPPORT PROCESSES
Objective: To maintain the security of application system software and information.
• Strictly control project and support environments.
INFORMATION SECURITY INCIDENT MANAGEMENT
REPORTING INFORMATION SECURITY EVENTS AND WEAKNESSES
• Reporting information security events
• Reporting security weaknesses
Business continuity management
Compliance