
INFORMATION SECURITY FRAMEWORK
• Information security refers to the practice of protecting
information systems from unauthorized access, use,
disclosure, disruption, modification or destruction.
• It encompasses a range of measures and strategies aimed
at safeguarding the confidentiality, integrity and
availability of sensitive information assets, including
data, systems, networks and applications.
CORE PRINCIPLES OF INFORMATION SECURITY (THE CIA TRIAD)
• Confidentiality
- Ensuring that sensitive information is accessible only to
authorized individuals or entities and is protected from
unauthorized access or disclosure.
• Integrity
- Maintaining the accuracy, consistency, and reliability of
information by preventing unauthorized alterations,
modifications, or tampering.
• Availability
- Ensuring that information and information systems are
accessible and usable when needed by authorized users and
stakeholders, while minimizing downtime and disruption.
IMPORTANCE OF INFORMATION SECURITY IN ORGANIZATIONS
• 1. Protecting Sensitive Information: Information
security measures help safeguard sensitive data such as
customer information, intellectual property, financial
records, and proprietary business data from unauthorized
access, disclosure or misuse.
• 2. Ensuring Compliance: Many industries are subject to
regulatory requirements and legal obligations regarding
the protection of sensitive information.
• 3. Preserving Business Continuity: Information security
helps ensure the availability and reliability of critical
systems and services, even in the face of cyber threats,
natural disasters or other disruptions.
• 4. Mitigating Risks: Effective information security practices
help identify, assess and mitigate various risks to the
organization's information assets, including cyber threats, data
breaches, malware attacks, insider threats and other security
vulnerabilities.
• 5. Safeguarding Reputation: A strong information security
posture enhances the organization's reputation and brand
image by demonstrating a commitment to protecting
sensitive information and ensuring the privacy and
confidentiality of stakeholders' data.
• 6. Supporting Business Objectives: Information security
enables organizations to pursue their business objectives and
strategic initiatives with confidence, knowing that their
information assets are adequately protected.
INFORMATION SECURITY FRAMEWORK
• An Information Security Framework is a structured set
of guidelines, standards, processes, and procedures
designed to protect an organization's sensitive
information assets from unauthorized access, disclosure,
alteration or destruction.
• It provides a comprehensive approach to managing
information security risks and ensuring the
confidentiality, integrity, and availability of information
assets.
PURPOSE AND BENEFITS OF IMPLEMENTING A FRAMEWORK
• The purpose of implementing an information security
framework is to provide a structured and systematic
approach to managing information security risks and
ensuring the confidentiality, integrity and availability of
an organization's information assets.
• By adopting a framework, organizations can establish
clear guidelines, standards, processes and procedures for
protecting sensitive information and mitigating security
risks effectively.
• 1. Standardization: A framework provides a standardized
set of guidelines and best practices for managing
information security, enabling consistency and
coherence in security efforts across the organization.
• 2. Risk Management: Frameworks help organizations
identify, assess and prioritize information security risks,
allowing them to allocate resources and implement
controls to reduce these risks to an acceptable level.
• 3. Compliance: Frameworks often incorporate legal and
regulatory requirements, industry standards, and best
practices, helping organizations ensure compliance with
relevant laws, regulations, and contractual obligations
related to information security.
• 4. Awareness and Education: Frameworks promote
awareness and education about information security risks,
policies, and procedures among employees, stakeholders,
and partners, fostering a culture of security awareness and
responsibility.
• 5. Continuous Improvement: Frameworks facilitate
continuous monitoring, evaluation, and improvement of
information security processes and controls, enabling
organizations to adapt to evolving threats and
vulnerabilities effectively.
• 6. Assurance: By implementing a recognized framework,
organizations can provide assurance to stakeholders,
customers, partners, and regulators that they have
established effective measures to protect sensitive
information and manage security risks.
NIST Cybersecurity Framework (CSF)
• Developed by the National Institute of Standards and
Technology (NIST), the CSF provides a voluntary
framework for improving cybersecurity risk
management across various sectors, including critical
infrastructure, government agencies and private
organizations.
• CSF 1.1 consists of five core functions: Identify, Protect,
Detect, Respond, and Recover. These functions serve as the
foundation for organizing cybersecurity activities and
managing risks effectively.
• CSF 2.0, published by NIST in February 2024, adds a sixth
function, Govern, covering strategy, roles, policy and
oversight of cybersecurity risk, and is written for
organizations of all sizes and sectors rather than for
critical infrastructure alone.
• Organizations can use the CSF to assess their current
cybersecurity posture (a Current Profile), set a Target
Profile of cybersecurity goals and priorities, and implement
measures to close the gaps between the two.
• The CSF is flexible and scalable, allowing organizations to
tailor it to their specific needs, risk profiles and operating
environments.
ISO/IEC 27001
• ISO/IEC 27001 is an international standard for Information
Security Management Systems (ISMS), developed jointly by the
International Organization for Standardization (ISO) and the
International Electrotechnical Commission (IEC).
• The standard provides a systematic approach to managing
information security risks, ensuring the confidentiality,
integrity, and availability of information assets.
• ISO/IEC 27001 outlines requirements for establishing,
implementing, maintaining and continually improving an
ISMS. This includes conducting risk assessments, selecting
and implementing controls (recorded in a Statement of
Applicability against the Annex A control set), conducting
internal audits and performing management reviews.
• The current edition, ISO/IEC 27001:2022, reorganizes Annex A
into 93 controls grouped into four themes: organizational,
people, physical and technological.
• Certification to ISO/IEC 27001 by an accredited body
demonstrates an organization's commitment to information
security best practices and provides assurance to
stakeholders, customers and partners.
CIS Controls
• The Center for Internet Security (CIS) Controls are a set of
cybersecurity best practices developed by a global community
of security experts.
• The CIS Controls provide prioritized guidance on essential
cybersecurity activities that organizations should implement
to mitigate common cyber threats and vulnerabilities
effectively.
• In CIS Controls version 7 the 20 controls are organized into
three categories: Basic, Foundational, and Organizational.
Version 8 (2021) consolidates them into 18 controls and
replaces the categories with Implementation Groups (IG1, IG2
and IG3), which prioritize safeguards according to an
organization's size, resources and risk exposure. Each control
consists of specific safeguards (formerly called sub-controls)
that address various aspects of cybersecurity, such as asset
inventory, access control, and incident response.
• The CIS Controls are designed to be practical, actionable, and
adaptable to organizations of all sizes and industries, helping
them improve their security posture and reduce cyber risk.
COMPONENTS OF AN INFORMATION SECURITY FRAMEWORK
1. Policies and Procedures
• Policies: High-level statements that define the organization's
objectives, principles, and rules related to information
security. These policies provide overarching guidance on
how information security should be managed within the
organization.
• Procedures: Step-by-step instructions or guidelines for
implementing specific security controls, processes, or
activities. Procedures provide detailed guidance on how to
carry out tasks related to information security, such as
incident response, access control and data encryption.
2. Risk Management
• Risk Assessment: The process of identifying, analyzing, and
evaluating information security risks to the organization's
information assets. Risk assessments help prioritize risks
based on their likelihood and potential impact on the
organization.
• Risk Treatment: The process of selecting and implementing
appropriate risk mitigation measures to address identified
risks. Risk Treatment may involve implementing security
controls, transferring risks, avoiding risks, or accepting
residual risks.
3. Compliance Requirements
• Legal and Regulatory Compliance: Ensuring compliance with
relevant laws, regulations, and industry standards related to
information security. This includes data protection
regulations, industry-specific requirements, contractual
obligations and international standards.
4. Incident Response Plan
• Incident Management: The process of detecting, responding
to, and recovering from security incidents or breaches. Incident
response plans and procedures outline the steps to be taken in
the event of a security incident, including incident detection,
containment, eradication, recovery, and post-incident
analysis (lessons learned).
THANK YOU