What is Data, Information and Information Security?
ISO/IEC 17799
Diagram: data, analysis, information, decision.
Types of information
On paper
Stored electronically
Transmitted by regular mail or e-mail
Videos
Spoken in conversations
Chart: sectors by level, as extracted. Low; Medium: Agriculture, Automotive, Chemical, Industrial equipment, Transportation, Mining; High: Pharmaceutical, Telecommunications, Government, Aerospace, Defense, Biomedical, Electronics, Financial Services, Health, Information Services, Retail.
Diagram: information lifecycle: Create, Store, Process, Transmit, Use (Misuse), Destroy, Corrupt, Loss.
Diagram: layers: Business Process, Compliance, Personnel, Computer Application, Computer Infrastructure, Telecommunications Infrastructure, Data.
Threats to Information
Examples
Employees
Low awareness about information security
Growth in networking and distributed computing
Hacking tools and viruses
E-Mail
Natural: fire, flood, earthquake
Integrity
Availability
Organizational structures
Software functions
Diagram: ISMS. Control clauses 5 Security policy, 6 Organization of information security, 7 Asset management, 8 Human resources security, 9 Physical and environmental security, 10 Communications and operations management, 11 Access control, 12 Information systems acquisition, development and maintenance, 13 Information security incident management, 14 Business continuity management, 15 Compliance, arranged around the PDCA cycle (Plan, Do, Check, Act) with the Statement of Applicability (SoA).
ISMS Information Security Architecture
PDCA Model
Plan: ISMS scope and boundaries, ISMS policy, risk treatment, management approval, statement of applicability
Do, Check, Act: ISMS
PDCA Model: Plan (establish the ISMS), Do, Check, Act: ISMS
ISMS
A management system is a system to establish policy and objectives and to achieve those objectives.
Organizational structure
Processes and associated resources
Measurement and evaluation methodology
Review process to ensure problems are corrected and opportunities for improvement are recognized and implemented when justified
History (timeline): Shell standard; Code of practice (PD0003); 1999 BS7799 1 & 2; 2001 Revision BS 7799-2; Mar 2004 UNE 71502; Jun 2005 ISO/IEC 17799:2005; October 2005 ISO/IEC FDIS 27001:2005.
International Transition
BS7799-1:1999 - 10 domains, 36 objective controls, 127 controls
ISO 17799:2000 - 10 domains, 36 objective controls, 127 controls
BS7799-2:2002 - 10 domains, 36 objective controls, 127 controls
ISO 17799:2005 - 11 domains, 39 objective controls, 133 controls
ISO 27001:2005 - 10 domains, 36 objective controls, 127 controls
ISMS Implementation
ISMS Policy
Risk Assessment
Risk management
Diagram: Risk assessment: risk analysis (assets identification, threat identification, vulnerabilities identification, risks identification), risk qualification (business level of impact); requirements (standard / legal, regulatory / business); controls selection; current controls review; gap analysis; residual risk acceptance.
Risk assessment
Chart: risk levels matrix of Impact against Likelihood, with cells rated Very Low, Low, Medium, High and Very High; chart of initial risk versus residual risk.
Diagram: relationships between Assets, Asset values & business impact, Threats, Vulnerabilities, Security requirements, Security controls and Risk (edge labels only partially recoverable: use, exploit, increase, protect against, have, implemented, indicate).
Select controls
Statement of applicability
Metrics
Implementation
Check
Act
ISMS Documentation
Statement of Applicability.
Management responsibilities
Establishing an ISMS policy
Ensuring that ISMS objectives and plans are established
Establishing roles and responsibilities
Communicating to the organization the importance of meeting ISMS
Providing sufficient resources to establish, implement, operate, monitor, review, maintain and improve the ISMS
Deciding the criteria for accepting risks and the acceptable levels of risk
Diagram: trade-off triangle of Performance, Functionality and Security (100% Trusted).
Strategic responsibilities
Tactical responsibilities
Security Services
Identity, Cryptography, Certificates...
Certification & Accreditation
Standards, Guidelines,
Local Regulations,
Federal Regulations
Tactical responsibilities
Best Practices
Information Security Procedures
Architecture Administration
Training & Awareness Programs
Operational responsibilities
5 Security policy
6 Organization of information security
7 Asset management
8 Human resources security
9 Physical and environmental security
10 Communications and operations management
11 Access control
12 Information systems acquisition, development and maintenance
13 Information security incident management
14 Business continuity management
15 Compliance
Diagram: Risk Assessment and Risk Treatment feeding the PDCA cycle (Do, Check, Act), with control clauses 5 Security Policy, 6 Organization of information security, 7 Asset management, 8 Human resources security, 9 Physical and environmental security, 10 Communications and operations management, 11 Access control, 12 Information systems acquisition, development and maintenance, 13 Information security incident management, 14 Business continuity management, 15 Compliance (labels SG and SI also present).
5 Security policy
7 Asset management
10.10 monitoring
11 Access control
11.1 business requirement for access control
11 Access control
11.5 operating system access control
15 Compliance
15.1 compliance with legal requirements