
Comprehensive Approach to Secure Business Information

Learn about the principles of confidentiality, integrity, and availability in information security, including control methods and ISO17799 standards.



Presentation Transcript


  1. ISO17799 Maturity

  2–4. Secure Business – Need Security Infrastructures…
     • Confidentiality relates to the protection of sensitive data from unauthorized use and distribution.
       Examples include:
       • Securing corporate data
       • Securing personnel (payroll, health) information
     • Integrity relates to maintaining the quality and validity of data.
       Examples include:
       • Ensuring that the transactional systems aren’t modified by an unauthorized party
     • Availability relates to ensuring that data is accessible.
       Examples include:
       • Ensuring that processing can take place 24 hours a day

  5. What Is Information Security?
     • Key facets of an information security program include:
       • People – organization, responsibility, accountability, and leadership
       • Process – policies, procedures, and practices
       • Technology – scalable technical support for automation, integration, and enabling of information security operations

  6. What Is Information Security?
     • Ultimately, information security is the method by which an organization ensures that it has control over its systems and data, thereby protecting its investment in information technology and its ability to maintain business operations.

  7. What Is Information Security?
     • Effective control requires executive sponsorship.
     • Everyone must know and agree to their responsibilities for maintaining effective controls.
     • Liability may depend on “due care”.
     • If you’re going to be plugged in, you accept responsibility.
     • Trust can’t be enforced -- policy can.

  8. …Having An Enterprise View
     • Corporate information protection is based on a multi-layered approach. The structure limits the exposure of any one security breach; however, today the Internet cuts across traditional layers and an unauthorized user could quickly exploit a weak layer.
     • Layers (Internet – Perimeter – Network – Host – Application – Electronic Commerce – Data), each with the consequence of a breach:
       • Security Program – Overall foundation to protect the environment and set policy for the other security layers. Includes monitoring, detection and response.
       • Internet Security – Protects the data that is visible to the Internet from Web pages and via corporate communications. If breached, corporate image and/or communications can be compromised.
       • Perimeter Security – First layer of physical protection (voice & data). If breached, access to data is possible.
       • Network Security – First internal layer of protection. If breached, loss of control over data movement and/or data modification is possible.
       • Host Security – Protects computer, application and data. If breached, data could be altered and/or deleted.
       • Application Security – Protects application and data. If breached, data could be altered and/or deleted.
       • E-Commerce Security – Protects the data while communicating across the organization and outside the organization. If breached, all corporate layers of security can be compromised.

  9. Where did ISO17799 Originate?
     • Began as UK Department of Trade and Industry (DTI) Code of Practice
     • Facilitated trade in trusted environments
     • Led to British Standard 7799 (BS7799)
     • Adopted as ISO17799 in December 2000

  10. What is ISO17799?
     • A comprehensive set of controls comprising best practices in information security
     • Controls-based policy
     • Measurable
     • Certifiable
     • Risk-management based
     • Internationally recognized

  11. What is ISO17799?
     • 10-Section Standard:
       • Security Policy
       • Organizational Security
       • Asset Classification & Control
       • Personnel Security
       • Physical and Environmental Security
       • Computer & Operations Management
       • Access Control
       • System Development and Maintenance
       • Business Continuity Planning
       • Compliance

  12. What is ISO17799?
     • Security Policy
       To provide management direction and support for information security.
       • Policy – program

  13. What is ISO17799?
     • Security Organization
       To manage information security both in and out of the organization.
       • Infrastructure – leadership
       • Third party access – contracts
       • Outsourcing – SLAs

  14. What is ISO17799?
     • Asset Classification & Control
       To maintain appropriate protection of corporate assets and to ensure that information assets receive an appropriate level of protection.
       • Accountability – ownership
       • Information classification – appropriateness

  15. What is ISO17799?
     • Personnel Security
       To reduce risk of human error, maintain awareness, and minimize damage from incidents.
       • Job resourcing – background
       • User training – awareness
       • Incident response – procedures

  16. What is ISO17799?
     • Physical and Environmental Security
       To prevent unauthorized access, damage and interference to business premises and information.
       • Secure areas – physical control
       • Equipment security – individual
       • General controls – common sense

  17. What is ISO17799?
     • Computer & Operations Management
       To ensure the correct and secure operation of information systems.
       • Procedures / responsibilities – who & how
       • Planning & acceptance – capacity
       • Malicious software – virus
       • Housekeeping – backup
       • Network management – segregation of duties
       • Media handling – disposal
       • Information exchange – agreements

  18. What is ISO17799?
     • Access Control
       To control access to information.
       • Policy – existence
       • User access management – authorization
       • User registration – maintenance
       • User responsibilities – awareness
       • Network access – interfaces
       • Operating system access – foundation
       • Application access – segregation
       • Monitoring – detection
       • Mobile access – ubiquitousness

  19. What is ISO17799?
     • System Development and Maintenance
       To ensure that security is built into information systems.
       • Security in applications – integrity
       • Cryptographic controls – confidentiality
       • Input / output controls
       • Security of system files – foundation
       • Security in development – change control

  20. What is ISO17799?
     • Business Continuity Planning
       To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.
       • Management process – not tech!
       • Impact analysis – risk assessment
       • Continuity plans – existence
       • Planning framework – consistency
       • Test, test, test! – update

  21. What is ISO17799?
     • Compliance
       To avoid breaches of compliance with law & policy and maximize the effectiveness of system audits.
       • Legal requirements – money
       • Reviews – policy and technology
       • System audit – impact

  22. How Will Organizations Benefit?
     • Standardization – efficiency & automation
     • Competitive advantage
     • Risk management – not security for the sake of security
     • Cost-effectiveness
     • Move from reactive to proactive
     • Accepted framework for policy

  23. How Will Organizations Benefit?
     • Driver for process improvement
     • Meet business partner requirements
     • Maintain regulatory compliance
     • Measure the effectiveness of information security efforts (ROI!)
