Version Control
Version No. | Date | Type of Changes | Owner/Author | Date of Review/Expiry
NOTICE
The information contained in this document is not to be used for any purpose other than the purposes for which this document is furnished by GENPACT, nor is this document (in whole or in part) to be reproduced or furnished to third parties or made public without the prior express written permission of GENPACT.
Classification: Genpact Internal
ISMS
INTRODUCTION
ISMS – INFORMATION SECURITY MANAGEMENT SYSTEM
BS 7799-2:2002 – BRITISH STANDARD (PREVIOUS VERSION 1999); VERSION 2, YEAR 2002
ISO/IEC 27001:2005 – Issued in Oct-2005
REQUIREMENTS – Used as basis for certification
ISO/IEC 17799:2005 – CODE OF PRACTICE, VERSION 2, YEAR 2005; renumbered as ISO/IEC 27002 in 2007
RECOMMENDATIONS – Provides best practice guidance; not for certification
INFORMATION / DATA
DATA
•Basic facts, figures, statistics, details
•Known facts used for inference or reckoning
INFORMATION
•Recorded data, facts, knowledge
•Processed data, an asset having value
INFORMATION
Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected. It may be:
•Data stored in computers
•Transmitted across networks
•Print-outs, FAX
•Written form
•Stored on media – disks, film etc.
•Spoken in conversations, telephone
SECURITY
Safety from danger, espionage; invulnerability
Protection, safe-keeping
Security is the process of defining the parameters that individuals or organizations gauge as risks, and of reducing or eliminating those risks.
INFORMATION SECURITY
Is about protecting information through selection of appropriate controls (measures)
•Protects information from a range of threats
•Ensures business continuity
•Minimizes financial loss
•Maximizes return on investments and business opportunities
INFORMATION SECURITY OBJECTIVES
Preservation of Confidentiality, Integrity and Availability (CIA) of Information
•Confidentiality: Ensuring information is accessible only to those authorized to have access
•Integrity: Safeguarding the accuracy & completeness of information & processing methods
•Availability: Ensuring that authorized users have access to information and associated assets when required
MANAGEMENT SYSTEM
(Diagram) STRUCTURE, PROCESSES, PROCEDURES and RESOURCES directed at the ACHIEVEMENT OF THE ORGANISATION'S POLICIES AND OBJECTIVES
MANAGEMENT SYSTEMS
(Diagram) Management systems for FINANCIAL, INFORMATION, HR, HEALTH & SAFETY, QUALITY and ENVIRONMENT, each built on STRUCTURE, POLICY & PROCEDURES, PROCESS and RESOURCES
Provide assurance through the discipline of Compliance
INFORMATION SECURITY MANAGEMENT SYSTEM
ISMS is that part of the overall management system, based on a business risk approach, to:
•ESTABLISH (PLAN)
•IMPLEMENT & OPERATE (DO)
•MONITOR & REVIEW (CHECK)
•MAINTAIN & IMPROVE (ACT)
information security.
ISMS MECHANISM
ISMS ENABLES AN ORGANISATION TO ADOPT A PROACTIVE APPROACH THROUGH A MECHANISM OF
•AWARENESS
•PLANNING
•TRAINING
•ACTION
•MEASUREMENT & REPORTING
•REVIEW ON A CONTINUOUS BASIS
A WORD OF CAUTION !
WITH AN ISMS WE ARE NOT INTENDING TO MAKE THE SYSTEM ‘HACKER-PROOF’, BUT DEVISE A SYSTEM WHICH CAN, TO A LARGE EXTENT
•ANTICIPATE POTENTIAL PROBLEMS
•PRE-EMPT THROUGH PROACTIVE MEASURES
•PROTECT AGAINST CONSIDERABLE DAMAGE
•ENSURE RECOVERY AND RESTORATION
ISMS PROCESS (PDCA) MODEL
(Diagram) Interested parties' information security requirements & expectations feed the cycle: ESTABLISH the ISMS (PLAN) → IMPLEMENT & OPERATE the ISMS (DO) → MONITOR & REVIEW the ISMS (CHECK) → MAINTAIN & IMPROVE the ISMS (ACT); the output delivered to interested parties is managed information security.
Plan: Establish the ISMS
•Define ISMS scope
•Define ISMS policy
•Systematic approach to risk assessment
•Identify & assess the risks
•Identify & evaluate options for risk treatment
•Select control objectives & controls
•Prepare Statement of Applicability
Do: Implement & Operate the ISMS
•Formulate a risk treatment plan
•Implement the risk treatment plan
•Implement selected control objectives & controls
•Implement training & awareness programmes
•Manage operations
•Manage resources
Check: Monitor & Review the ISMS
•Execute the monitoring procedures
•Undertake regular reviews of ISMS effectiveness
•Review the level of residual risk & acceptable risk
•Conduct internal ISMS audits at planned intervals
•Regular management review of the ISMS
•Record actions & events that have an impact on the ISMS
Act: Maintain & Improve the ISMS
•Implement identified improvements
•Take appropriate corrective & preventive actions
•Communicate results & actions and agree with all interested parties
•Ensure that the improvements achieve the intended objectives
ISO 27001: 2005 STRUCTURE
1. SCOPE
2. NORMATIVE REFERENCES
3. TERMS & DEFINITIONS
4. ISMS
4.1 GENERAL
4.2 ESTABLISH & MANAGE ISMS
4.3 DOCUMENT ISMS
4.3.3 CONTROL OF RECORDS
5. MANAGEMENT RESPONSIBILITY
5.1 MANAGEMENT COMMITMENT
5.2 RESOURCE MANAGEMENT
6. MANAGEMENT REVIEW OF ISMS
6.4 INTERNAL ISMS AUDITS
7. ISMS IMPROVEMENT
7.1 CONTINUAL IMPROVEMENT
7.2 CORRECTIVE ACTION
7.3 PREVENTIVE ACTION
ANNEXURES
A. CONTROL OBJECTIVES & CONTROLS (Normative)
B. GUIDANCE ON USE OF STANDARD (Informative)
C. CORRESPONDENCE BETWEEN OTHER STANDARDS (Informative)
D. CHANGES TO INTERNAL NUMBERING (Informative)
Note: clauses 6 and 7 and Annexes B to D above follow the BS 7799-2:2002 layout. ISO/IEC 27001:2005 numbers internal ISMS audits as clause 6, management review of the ISMS as clause 7 and ISMS improvement as clause 8 (8.1 Continual improvement, 8.2 Corrective action, 8.3 Preventive action), and carries only Annex A (control objectives and controls, normative), Annex B (OECD principles, informative) and Annex C (correspondence with ISO 9001 and ISO 14001, informative).
CONTROL OBJECTIVES & CONTROLS
11 DOMAINS
39 CONTROL OBJECTIVES
133 CONTROLS
ANNEX A SPECIFIES REQUIREMENTS; THE SELECTED CONTROLS SATISFY THE CONTROL OBJECTIVES
11 SECURITY DOMAINS OF ISO/IEC 27001:2005
A.5 SECURITY POLICY
A.6 ORGANIZATION OF INFORMATION SECURITY
A.7 ASSET MANAGEMENT
A.8 HUMAN RESOURCES SECURITY
A.9 PHYSICAL & ENVIRONMENTAL SECURITY
A.10 COMMUNICATIONS & OPERATIONS MANAGEMENT
A.11 ACCESS CONTROL
A.12 INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT & MAINTENANCE
A.13 INFORMATION SECURITY INCIDENT MANAGEMENT
A.14 BUSINESS CONTINUITY MANAGEMENT
A.15 COMPLIANCE
Note: the domain numbers above are those of ISO/IEC 27001:2005 Annex A, but the sub-clause titles on the following slides (e.g. A.6.1 Information security infrastructure, A.6.3 Outsourcing, A.7 Asset classification & control, A.10.4 Housekeeping) are carried over from the earlier ISO/IEC 17799:2000 / BS 7799-2:2002 wording; the 2005 edition regroups them (e.g. A.6.1 Internal organization, A.6.2 External parties, A.7.1 Responsibility for assets, A.10.5 Back-up). Check the clause text of the edition actually in force before citing a control number in a Statement of Applicability.
A.5 SECURITY POLICY
• INFORMATION SECURITY POLICY DOCUMENT
• REVIEW & EVALUATION
A.6 ORGANIZATIONAL SECURITY
A.6.1 INFORMATION SECURITY INFRASTRUCTURE
•INFORMATION SECURITY FORUM
•INFORMATION SECURITY COORDINATION
•ALLOCATION OF RESPONSIBILITIES
•AUTHORIZATION PROCESS FOR IPF (INFORMATION PROCESSING FACILITIES)
•SPECIALIST INFORMATION SECURITY ADVICE
•CO-OPERATION BETWEEN DEPARTMENTS
•INDEPENDENT REVIEW OF INFORMATION SECURITY
A.6 ORGANIZATIONAL SECURITY (contd.)
A.6.2 SECURITY OF THIRD PARTY ACCESS
•IDENTIFICATION OF RISKS FROM THIRD PARTY ACCESS
•SECURITY REQUIREMENTS IN THIRD PARTY CONTRACTS
A.6.3 OUTSOURCING
•SECURITY REQUIREMENTS IN OUTSOURCING CONTRACTS
A.7 ASSET CLASSIFICATION & CONTROL
A.7.1 ACCOUNTABILITY OF ASSETS
> INVENTORY OF ASSETS
A.7.2 INFORMATION CLASSIFICATION
> CLASSIFICATION GUIDELINES
> INFORMATION LABELLING & HANDLING
Classification levels (highest to lowest): TOP SECRET, SECRET, CONFIDENTIAL, RESTRICTED, UNCLASSIFIED
A.8 HR SECURITY
A.8.1 SECURITY IN JOB DEFINITION & RE-SOURCING
•INCLUDING SECURITY IN JOB RESPONSIBILITIES
•PERSONNEL SCREENING AND POLICY
•NON-DISCLOSURE AGREEMENTS
•TERMS & CONDITION OF EMPLOYMENT
A.8.2 USER TRAINING
•INFORMATION SECURITY EDUCATION & TRAINING
(PART OF INDUCTION MODULE)
A.9 PHYSICAL & ENVIRONMENTAL SECURITY
A.9.1 SECURE AREAS
PERIMETER, ENTRY/EXIT, LOCKING OFFICES, DELIVERY POINT
A.9.2 EQUIPMENT SECURITY
PROTECTION, POWER, CABLING, MAINTENANCE, OFF-PREMISES, SECURE DISPOSAL
A.9.3 GENERAL CONTROLS
CLEAR DESK & SCREEN, REMOVAL OF PROPERTY
A.10 COMMUNICATIONS & OPERATIONS MANAGEMENT
A.10.1 OPERATIONAL PROCEDURES & RESPONSIBILITIES
A.10.2 SYSTEMS PLANNING & ACCEPTANCE
A.10.3 PROTECTION AGAINST MALICIOUS SOFTWARE
A.10.4 HOUSEKEEPING (INFORMATION BACK-UP, LOGS)
A.10.5 NETWORK MANAGEMENT
A.10.6 MEDIA HANDLING & SECURITY
REMOVABLE MEDIA, DISPOSAL, INFORMATION HANDLING ETC.
A.10.7 EXCHANGE OF INFORMATION & SOFTWARE
MEDIA IN TRANSIT, E-MAIL, E-COMMERCE ETC.
A.11 ACCESS CONTROL (Virtual)
A.11.1 BUSINESS REQUIREMENTS FOR ACCESS CONTROL
A.11.2 USER ACCESS MANAGEMENT
A.11.3 USER RESPONSIBILITIES
A.11.4 NETWORK ACCESS CONTROL
A.11.5 OPERATING SYSTEM ACCESS CONTROL
A.11.6 APPLICATION ACCESS CONTROL
A.11.7 MONITORING SYSTEM ACCESS & USE
A.11.10 MOBILE COMPUTING & TELEWORKING
(In ISO/IEC 27001:2005 Annex A, monitoring is A.10.10 and mobile computing & teleworking is A.11.7; there is no A.11.10.)
A.12 SYSTEM DEVELOPMENT&MAINTENANCE
A.12.1 SECURITY REQUIREMENTS OF SYSTEMS
A.12.2 SECURITY IN APPLICATION SYSTEMS
A.12.3 CRYPTOGRAPHIC CONTROLS
A.12.4 SECURITY OF SYSTEM FILES
A.12.5 SECURITY IN DEVELOPMENT & SUPPORT PROCESSES
A.13 INFORMATION SECURITY INCIDENT MANAGEMENT
A.13.1 REPORTING INFORMATION SECURITY EVENTS & WEAKNESSES
A.13.2 MANAGEMENT OF INFORMATION SECURITY INCIDENTS & IMPROVEMENTS
A.14 BUSINESS CONTINUITY MANAGEMENT
A.14.1 ASPECTS OF BUSINESS CONTINUITY MANAGEMENT
BUSINESS CONTINUITY MANAGEMENT PROCESS
BUSINESS CONTINUITY AND IMPACT ANALYSIS
FORMULATING AND IMPLEMENTING CONTINUITY PLANS
BUSINESS CONTINUITY PLANNING FRAMEWORK
TESTING, MAINTAINING & RE-ASSESSING BUSINESS CONTINUITY PLANS
A.15 COMPLIANCE
A.15.1 COMPLIANCE WITH LEGAL REQUIREMENTS
A.15.2 COMPLIANCE WITH SECURITY POLICIES & STANDARDS and TECHNICAL COMPLIANCE
A.15.3 INFO SYSTEM AUDIT CONSIDERATIONS
RISK ASSESSMENT & MANAGEMENT PROCESS
(Diagram) Asset identification & valuation → Identify threats → Identify vulnerabilities → Evaluate impacts → Business risks → Rating/ranking of risks → compare against the level of acceptable risk
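The risk assessment flow above, carried through in code as an added illustration; this is not Genpact's or the standard's own method (ISO/IEC 27001 requires a systematic, repeatable risk assessment but prescribes no formula). The 1-5 scales, the "asset value x likelihood x impact" rating, the sample assets and threats, and the acceptable-risk figure of 20 are all constructed assumptions. It also covers the Check-phase step of comparing residual risk with acceptable risk after a control is applied.

```python
"""Risk rating, ranking and treatment for an ISMS risk register.

Added example: the scales, the rating formula, the sample assets/threats
and the acceptable-risk threshold are constructed assumptions, not a
method mandated by ISO/IEC 27001 or used by Genpact.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int  # 1 (low) .. 5 (high): value of keeping it secret
    integrity: int        # value of keeping it accurate and complete
    availability: int     # value of having it when required

    @property
    def value(self) -> int:
        # Asset valuation: the highest of the three CIA ratings drives the score
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass(frozen=True)
class RiskScenario:
    asset: Asset
    threat: str          # what could happen to the asset
    vulnerability: str   # the weakness that lets the threat happen
    likelihood: int      # 1 (rare) .. 5 (almost certain), given the vulnerability
    impact: int          # 1 (negligible) .. 5 (severe) business impact if realised

    @property
    def rating(self) -> int:
        # Business risk rating = asset value x likelihood x impact (range 1..125)
        return self.asset.value * self.likelihood * self.impact


# Level of acceptable risk agreed by management (assumed figure for the example)
ACCEPTABLE_RISK = 20


def rank_risks(scenarios):
    """Rating/ranking of risks: highest business risk first."""
    return sorted(scenarios, key=lambda s: s.rating, reverse=True)


def treatment_option(scenario, acceptable=ACCEPTABLE_RISK):
    """Risk treatment decision for the Plan phase.

    accept - rating within the acceptable level: record it and keep monitoring
    avoid  - severe impact and near-certain: stop the activity rather than control it
    reduce - select Annex A controls to lower likelihood or impact
    (transfer, e.g. insurance, is a further option not modelled here)
    """
    if scenario.rating <= acceptable:
        return "accept"
    if scenario.impact == 5 and scenario.likelihood >= 4:
        return "avoid"
    return "reduce"


def residual_risk(scenario, new_likelihood, new_impact=None):
    """Re-rate a scenario once a control is in place (Check phase: the
    residual risk is compared with the acceptable level again)."""
    return replace(
        scenario,
        likelihood=new_likelihood,
        impact=scenario.impact if new_impact is None else new_impact,
    )


# Constructed sample asset inventory and risk scenarios (not real data)
CLIENT_DB = Asset("client payroll database", confidentiality=5, integrity=5, availability=4)
INTRANET = Asset("staff intranet pages", confidentiality=2, integrity=2, availability=2)

SCENARIOS = [
    RiskScenario(CLIENT_DB, "disclosure by a departing contractor",
                 "access rights not revoked on exit", likelihood=3, impact=5),
    RiskScenario(CLIENT_DB, "data loss after disk failure",
                 "backups never restore-tested", likelihood=2, impact=4),
    RiskScenario(INTRANET, "defacement of intranet pages",
                 "unpatched web server", likelihood=3, impact=1),
]


def risk_register(scenarios=SCENARIOS):
    """Ranked register rows: (asset, threat, rating, treatment option)."""
    return [(s.asset.name, s.threat, s.rating, treatment_option(s))
            for s in rank_risks(scenarios)]


if __name__ == "__main__":
    for row in risk_register():
        print(row)
    # Control applied: revoke access rights on exit (user access management).
    # Likelihood drops to 1 but the residual rating 25 is still above 20, so a
    # second control (e.g. encryption, cutting impact to 4) is needed before
    # the residual risk can be accepted.
    after_one = residual_risk(SCENARIOS[0], new_likelihood=1)
    after_two = residual_risk(SCENARIOS[0], new_likelihood=1, new_impact=4)
    print("residual:", after_one.rating, treatment_option(after_one),
          "->", after_two.rating, treatment_option(after_two))
```

The point worth noticing is the residual-risk step: a single control brings the top scenario from 75 down to 25, which is still above the acceptable level, so the register must be re-rated after each treatment rather than closed when the first control is implemented.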
PROCESS FOR DEVELOPING AN ISMS
(Diagram) Legal requirements, business requirements and security requirements feed the Risk Assessment (assets identification & valuation; threats & vulnerabilities assessment), which drives the Selection of Controls (ISO 27001) and results in the Information Security Management System: policy, procedures & controls
STEPS IN ISMS IMPLEMENTATION
(Diagram) ISMS SCOPE → POLICY STATEMENT → RISK ANALYSIS → BIA / BCP → PPT CONTROLS, all driven by the client's legal, statutory and business requirements
BENEFITS OF ISO 27001
•A SINGLE REFERENCE POINT FOR IDENTIFYING A RANGE OF CONTROLS NEEDED FOR MOST SITUATIONS WHERE INFORMATION SYSTEMS ARE USED
•FACILITATION OF TRADING IN TRUSTED ENVIRONMENT
•INTERNATIONALLY RECOGNIZED STRUCTURED METHODOLOGY
•WELL DEFINED PROCESS TO EVALUATE, IMPLEMENT, MAINTAIN AND MANAGE INFORMATION SECURITY
•A SET OF TAILORED POLICY, STANDARDS, PROCEDURES AND GUIDELINES
•THE STANDARD PROVIDES A YARDSTICK AGAINST WHICH SECURITY CAN BE JUDGED
CERTIFICATION ADVANTAGES
(Diagram) An ISO 27001 COMPLIANT CERTIFICATE brings:
•COMPETITIVE EDGE
•PUBLIC DEMONSTRATION
•ENHANCED CORPORATE IMAGE
•ACCOUNTABILITY / REASSURANCE
•IMPROVEMENT PROCESS
•ENSURES MANAGEMENT COMMITMENT
•POSITIVE RESPONSE FROM POTENTIAL CLIENTS
•EMPLOYEE MOTIVATION
BETTERMENT AFTER IMPLEMENTATION
ENHANCES KNOWLEDGE & IMPORTANCE OF SECURITY RELATED ISSUES
IMPROVES UNDERSTANDING OF BUSINESS ASPECTS
REDUCTION IN SECURITY BREACHES
IDENTIFICATION OF CRITICAL ASSETS
ENHANCES INFO SECURITY – INTERNALLY & EXTERNALLY
IMPROVES INSURANCE RATING
PROVIDES A STRUCTURE FOR CONTINUOUS IMPROVEMENT
ROLE AS CISO / COMPLIANCE OFFICER
•ENSURE SYSTEMATIC ESTABLISHMENT OF ISMS, WITH MANAGEMENT COMMITMENT, COOPERATION & COORDINATION WITH ALL DIVISIONS
•SMOOTH & SUCCESSFUL IMPLEMENTATION AND OPERATION OF ISMS
•OMBUDSMAN ON ALL MATTERS RELATING TO INFORMATION SECURITY
•MONITOR & REVIEW ISMS THROUGH INTERNAL AUDIT USING BS 7799 / ISO 17799 TOOLS
•ASSIST TO MAINTAIN & CONTINUALLY IMPROVE THE ISMS
•OBTAIN BS 7799 (NOW ISO/IEC 27001) CERTIFICATION AND MAINTAIN THE STANDARD
CONCLUSION
SECURITY IS EVERYBODY'S CONCERN &
INFORMATION SECURITY IS PARAMOUNT
IN OUR CONCERN (COMPANY)
OR ELSE
THE CONCERN ITSELF MAY
CEASE TO EXIST
QUESTIONS, IF ANY