iValueIT

C O N S U L T I N G

Delivering Integrated Value Through IT


www.ivitc.com

Session 1

The Importance of
Information Security
Umar Alhabsyi, ST, MT, CISA, CRISC.
umar.alhabsyi@gmail.com

Information Security Management

A Practical Approach Based on ISO 27001

Delivering the integrated value of IT to your business

Information is a business asset

'Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.' (ISO 27002:2005)

Information and the supporting processes, systems, and networks are important business assets.

Information can be...

Created
Stored
Destroyed
Processed
Transmitted
Used (for proper and improper purposes)
Corrupted
Lost
Stolen

Information can exist in many forms

Printed or written on paper
Stored electronically
Transmitted by post or by electronic means
Shown on corporate videos
Displayed or published on the web
Spoken in conversations

'Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected.' (BS ISO 27002:2005)

Risks Are Increasing

Cybercrime
Malware
Identity theft
Lost laptops
Targeted financial gain
Personal information sharing
Slowing of security investment
Dissipation of the security message
Competitive pressures

News Items Continue To Gain the Attention of Boards of Directors

Bank of America: 1.3 million consumers exposed (lost back-up tape)
DSW Retail: 1.2 million consumers exposed (hacking)
Card Services: 40 million consumers exposed (hacking)
TJX Stores: 45 million consumers exposed (internal theft)
UCLA: 800,000 consumers exposed (human error)
Fidelity: 196,000 consumers exposed (stolen laptop)

The total number of security incidents recorded by the CERT rose from 2,412 in 1995 to 82,094 in 2002.

Source: CERT incident statistics between 1995 and 2002. © 2003 by Carnegie Mellon University.

Security breaches lead to

Reputation loss
Financial loss
Intellectual property loss
Legislative breaches leading to legal action (cyber law)
Loss of customer confidence
Business interruption costs

The importance of information security

Organizations and their information systems and networks are faced with security threats from a wide range of sources, including computer-assisted fraud, espionage, sabotage, vandalism, fire or flood.

Information security is important to both public and private sector businesses, and to protect critical infrastructures.

Many information systems have not been designed to be secure. The security that can be achieved through technical means is limited, and should be supported by appropriate management and procedures.

So, what is information security?

Misperceptions of Information Security

Information security is often seen purely in terms of basic hardware, software or methods, e.g. firewalls, encryption algorithms.
Information security decisions are usually left to technical staff to decide and implement without management involvement.
Security is seen as something negative: it contributes nothing to company performance and just interferes with accepted working practices. It makes work for already stretched resources.
Security only needs to be reviewed when changes are made.

"Security is not a product. It's a process."
- Bruce Schneier, American cryptographer, computer security specialist, and writer

"Security is not a technology problem. It is a human and management problem."
- Kevin D. Mitnick, computer security consultant and author

INFORMATION SECURITY:
The protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.

Security Concept: CIA (Confidentiality, Integrity, Availability)

Objectives of information security

1. Protects information from a range of threats
2. Ensures business continuity
3. Minimizes financial loss
4. Optimizes return on investments
5. Increases business opportunities

Business survival depends on information security.

Achieving Information Security

Information security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures and software and hardware functions.

These controls need to be established, implemented, monitored, reviewed and improved, where necessary, to ensure that the specific security and business objectives of the organization are met.

Some Facts

Information security is an organizational problem rather than an IT problem.
More than 70% of threats are internal.
More than 60% of culprits are first-time fraudsters.
Biggest risk: people.
Biggest asset: people.
Social engineering is a major threat.
More than two-thirds express their inability to determine whether their systems are currently compromised.

Achieving Information Security

4 Ps of Information Security

Security Needs Involvement From the Board of Directors / Executive Management

Strategic oversight
Review alignment with organization strategy
Determine the risk profile for the organization
Endorse the security program
Require regular reporting on effectiveness
Review investment return
Potential new technologies to add value and reduce costs

The need for a structured approach

Early 1990s: DTI (UK) established a working group; the Information Security Management Code of Practice was produced as a BSI-DISC publication.
1995: BS 7799 published as a UK standard.
1999: BS 7799-1:1999, the second revision, published.
2000: BS 7799-1 accepted by ISO and published as ISO 17799.
2002: BS 7799-2:2002 published.

ISO 27001:2005
Information technology - Security techniques - Information security management systems - Requirements

ISO 27002:2005
Information technology - Security techniques - Code of practice for information security management

[Figure: the ISO 27002 control domains arranged around a core labelled Availability]

Information Security Policy
Organisation of Information Security
Asset Management
Human Resource Security
Physical Security
Communication & Operations Management
Access Control
System Development & Maintenance
Incident Management
Business Continuity Planning
Compliance

Control Clauses

Information Security Policy - To provide management direction and support for information security.
Organisation of Information Security - Management framework for implementation.
Asset Management - To ensure the security of valuable organisational IT and its related assets.
Human Resources Security - To reduce the risks of human error, theft, fraud or misuse of facilities.
Physical & Environmental Security - To prevent unauthorised access, theft, compromise or damage to information and information processing facilities.

Control Clauses

Communications & Operations Management - To ensure the correct and secure operation of information processing facilities.
Access Control - To control access to information and information processing facilities on a need-to-know and need-to-do basis.
Information Systems Acquisition, Development & Maintenance - To ensure security is built into information systems.

Control Clauses

Information Security Incident Management - To ensure information security events and weaknesses associated with information systems are communicated.
Business Continuity Management - To reduce disruption caused by disasters and security failures to an acceptable level.
Compliance - To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements.

Thank you