BSR103 Information Security Management System PDF
Summary
This document provides an introduction to Information Security Management Systems (ISMS). It covers key concepts, definitions of important vocabulary such as Confidentiality, Integrity, and Availability, as well as the PDCA cycle and the ISO 27000 family of standards. The document is well-structured and organized with informative slides and diagrams.
Full Transcript
INFORMATION SECURITY MANAGEMENT SYSTEM
BSR103 - INFORMATION SECURITY MANAGEMENT SYSTEM
Classification: Internal © Eduvo Sdn Bhd │ All rights reserved

Objective
Information Security – CIA
Definition of the Common Keywords in ISMS
ISO 27000 Family and introduction

Warm Up
What is most important for a company?

Warm Up (Cont)
What is the most important information for the following companies?
Recipe
Source of goods

Information Security CIA
CIA - Confidentiality, Integrity and Availability.

Information Security Concept
Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.
[Diagram: Information Security CIA triad; visible label: Availability]

Information Security Concept (Cont)
Confidentiality
Information is not made available or disclosed to unauthorized individuals, entities, or processes.

Information Security Concept (Cont)
Integrity
To maintain and assure the accuracy and completeness of data over its entire life-cycle. Data cannot be modified in an unauthorized or undetected manner.

Information Security Concept (Cont)
Availability
For information to be available, the computing systems that process the information and the communication channels through which it is sent must be working correctly.

Introduction to ISM
What is ISM
A set of policies and procedures for systematically managing an organization's sensitive data.
In short: a set of security rules to protect information.

Why do we need ISM?
The goal of an ISM is to minimize risk and ensure business continuity by proactively limiting the impact of a security breach.
In short: without ISM, information may fall into the wrong hands, and this will cause risk to a business.

Who needs ISM?
Every organization that has sensitive documents or information that cannot be exposed to third parties.
Specialist: IT Manager
Manager and Business Owner
People who are involved in the IT department of a company

How to have ISM?
Information security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures and software/hardware functions.

How to have ISM? (Cont)
ISMS involves a mixture of modern technology, human behavior change and operational improvement.

How to have ISM? (Cont)
These controls need to be established, implemented, monitored, reviewed and improved, where necessary, to ensure that the specific security and business objectives of the organization are met.

ISMS Framework
[Diagram: ISMS Framework as a PDCA (Plan-Do-Check-Act) cycle. Labels: Understand business structure; Information asset identification; Risk assessment; Establish risk acceptance criteria; Risk management plan; ISMS document architecture; ISMS system; Release system; ISMS measurement and monitoring; Preventive measures; Corrective actions; Continuous improvement]

Exercise 1

Exercise 1 (4 marks)
Information Leakage
Try to imagine what would happen if Facebook and Lazada information were leaked today. Please write at least one paragraph for each in https://forms.office.com/r/eWSpfumFSc. (Each 2 marks)

Definition of the Common Keywords in ISMS
To define what each word means in the ISMS.

Definition (1/8)
Asset
Anything that has value to the organization.
Availability
Availability ensures the reliable and timely access to data or computing resources by the appropriate personnel.
Confidentiality
The concept of confidentiality attempts to prevent the intentional or unintentional disclosure of a message's content.

Definition (2/8)
Control
A means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management, or legal nature.
Exposure
An exposure is an instance of being exposed to losses from a threat agent.
Information
Information is data that has meaning in some context for its receiver.

Definition (3/8)
Information analysis
Information analysis provides a clear picture of how an organization handles information — how the information 'flows' through the organization.
Information management
Information management describes the means by which an organization efficiently plans, collects, organizes, uses, controls, disseminates and disposes of its information, and through which it ensures that the value of that information is fully identified and exploited.

Definition (4/8)
Information security
Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.
Information security event
An information security event is an identified occurrence of a system, service, or network state indicating a possible breach of information security policy or failure of safeguards.

Definition (5/8)
Information security incident
An information security incident is indicated by a single or series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.
Policy
The overall intention and direction as formally expressed by management.
Risk
A combination of the probability of an event and its consequence.

Definition (6/8)
Risk analysis
The systematic use of information to identify sources and to estimate the risk.
Risk evaluation
The process of comparing the estimated risk against given risk criteria to determine the significance of the risk.
Risk assessment
The overall process of risk analysis and risk evaluation.
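The definitions of risk, risk analysis, risk evaluation and risk assessment above describe a procedure: estimate each risk from probability and consequence, then compare the estimate against the organization's risk acceptance criteria (the "Establish risk acceptance criteria" step of the ISMS Framework). The Python below is an added example, not part of the BSR103 slides, that runs that procedure over a small constructed risk register. The 1-5 scales, the likelihood × consequence scoring, the per-CIA-property impact, the acceptance threshold and the sample register entries are all assumptions made for illustration; a real ISMS defines its own criteria.

```python
"""Added example (not from the BSR103 slides): a minimal risk assessment.

  risk            = probability of an event combined with its consequence
  risk analysis   = identify sources and estimate the risk
  risk evaluation = compare the estimate against given risk criteria
  risk assessment = risk analysis followed by risk evaluation

All scales, thresholds and register entries below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

CIA = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str                 # potential cause of an unwanted incident
    vulnerability: str          # weakness the threat could exploit
    likelihood: int             # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: Dict[str, int]      # consequence per CIA property, assumed 1 .. 5


def analyse(risk: Risk) -> Dict[str, int]:
    """Risk analysis: estimate a score per CIA property as likelihood x consequence."""
    if not 1 <= risk.likelihood <= 5:
        raise ValueError(f"likelihood out of range for {risk.asset}: {risk.likelihood}")
    scores = {}
    for prop in CIA:
        consequence = risk.impact.get(prop, 1)   # unspecified property: minor consequence
        if not 1 <= consequence <= 5:
            raise ValueError(f"{prop} impact out of range for {risk.asset}: {consequence}")
        scores[prop] = risk.likelihood * consequence
    return scores


def evaluate(scores: Dict[str, int], acceptance_threshold: int = 6) -> Tuple[str, int]:
    """Risk evaluation: compare the estimate with the acceptance criterion.

    The level is decided by the worst CIA property, because losing any one of
    confidentiality, integrity or availability already breaches information security.
    Thresholds (6 and 12) are assumed acceptance criteria, not values from the slides.
    """
    worst = max(scores.values())
    if worst <= acceptance_threshold:
        return "accept", worst
    if worst <= 12:
        return "treat", worst
    return "treat-urgent", worst


def assess(register: List[Risk], acceptance_threshold: int = 6) -> List[dict]:
    """Risk assessment: analysis then evaluation for every register entry,
    returned with the most significant risk first so treatment can be prioritised."""
    results = []
    for risk in register:
        scores = analyse(risk)
        decision, worst = evaluate(scores, acceptance_threshold)
        results.append({"asset": risk.asset, "threat": risk.threat,
                        "scores": scores, "worst": worst, "decision": decision})
    results.sort(key=lambda r: r["worst"], reverse=True)
    return results


# Constructed sample register for illustration only.
SAMPLE_REGISTER = [
    Risk("customer database", "credential theft", "no MFA on admin portal", 4,
         {"confidentiality": 5, "integrity": 3, "availability": 2}),
    Risk("order web server", "denial of service", "single instance, no failover", 3,
         {"confidentiality": 1, "integrity": 1, "availability": 4}),
    Risk("public marketing site", "defacement", "outdated CMS plugin", 2,
         {"confidentiality": 1, "integrity": 3, "availability": 2}),
]

if __name__ == "__main__":
    for r in assess(SAMPLE_REGISTER):
        print(f"{r['asset']:<24} worst={r['worst']:>2}  {r['decision']:<13} {r['scores']}")
```

Raising the acceptance threshold moves risks from "treat" to "accept" without changing their scores, which is the point of keeping analysis and evaluation as separate steps: the estimate is a property of the asset, threat and vulnerability, while the decision is a property of the organization's appetite for risk.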
Definition (7/8)
Risk treatment
The process of selection and implementation of measures to modify risk.
Third party
The person or body that is recognized as being independent of the parties involved, as far as the issue in question is concerned.
Threat
A potential cause of an unwanted incident, which may result in harm to a system or organization.

Definition (8/8)
Vulnerability
A weakness of an asset or group of assets that can be exploited by one or more threats.

ISO 27000 Family

Introduction
ISO = International Organization for Standardization
IEC = International Electrotechnical Commission
Their purpose is to develop, maintain and promote standards in the fields of Information Technology (IT) and Information and Communications Technology (ICT).

ISO 27000 family of standards
ISO/IEC 27001: Specifies the requirements for an ISMS
ISO/IEC 27002: Guideline for the implementation of the controls in Annex A
ISO/IEC 27000: A general overview of information security and terms and definitions

ISO 27000 family of standards (Cont)
ISO/IEC 27003: Information security management system implementation guidance
ISO/IEC 27004: Advice on how organizations can monitor and measure the performance of their ISMS
ISO/IEC 27005: Guidance on risk management

ISO 27000 family of standards (Cont)
ISO/IEC 27006, ISO/IEC 27007, ISO/IEC 27011, ISO/IEC 27015 and others…

ISO 27001:2013

Key components
ISO 27001
It specifies the requirements for establishing, implementing, maintaining and continually improving an ISMS. Latest version is ISO 27001:2017.
Annex A
This forms part of ISO 27001 and is a set of control objectives and controls.
ISO 27002
This is the code of practice for information security management and provides guidance on best practice for ISM.

Leadership must
ISO/IEC 27001 requires that management:
Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities, and impacts
Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable

Leadership must (Cont)
ISO/IEC 27001 requires that management:
Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.

27001 PDCA
Plan
4. Context of the Organisation: Understanding of context; Expectations of interested parties; Scope of ISMS
5. Leadership: Management commitment; IS Policy; Roles, responsibilities and authorities
6. Planning: Actions to address risk and opportunity; IS objectives
7. Support: Resources; Competence; Awareness; Communication; Documented information

27001 PDCA (Cont)
Do
8. Operation: Operational planning and control; Risk assessment; Risk treatment
Check
9. Performance Evaluation: Monitoring, measurement, analysis and evaluation; Internal audit; Management review
Act
10. Improvement: Nonconformity and corrective action; Continual improvement

In Addition to ISO 27001 is ISO 27002
ISO 27002 focuses more on controls.

The controls
A5. Information Security Policies
A6. Organisation of Information Security
A7. HR Security
A8. Asset Management
A9. Access Control
A10. Cryptography
A11. Physical and Environment Security
A12. Operations Security
A13. Communications Security

The controls (Cont)
A14. System Acquisition, Development and Maintenance
A15. Supplier Relationships
A16. Information Security Incident Management
A17. Information Security Aspects of BCM
A18. Compliance with Legal and Contractual Requirements

Assignment 1
Total 4

Research Writing (4 marks)
According to your topic, research the following:
1. Introduction
2. Who needs it
3. Why organizations need it
4. How to have it
*Notes: Your assignment will be checked for plagiarism. If we find you plagiarizing, it will be considered to get 0 marks directly (even copying from online).

Research Writing (4 marks)
ISO 45001
ISO 9001
ISO 22000
ISO 14001
ISO 37001

Research Writing (4 marks)
Submission
Complete your assignment in Microsoft Word. 750 words required. The assignment will be checked by an AI detector tool; if the result is over 50%, the assignment is considered 0 marks. Submit before 8th Nov 2024. https://forms.office.com/r/bKBRnhksNt

END