Information Security Management - PowerPoint PPT Presentation

1 / 10
About This Presentation
Title:

Information Security Management

Description:

... ISO/IEC 27003 - ISMS implementation Guide (under development) ISO/IEC 27004 Measurement and metrics (under development) ISO/IEC 27005 Risk management ... – PowerPoint PPT presentation

Number of Views:794
Avg rating:3.0/5.0
Slides: 11
Provided by: Rebecca314
Category:

less

Transcript and Presenter's Notes

Title: Information Security Management


1
Security Management
Information Security Management Management
System Requirements, Code of Practice for
Controls, and Risk Management
supervision
Assistant Professor Dr. Sanaa Wafa Al-Sayegh
Tamer abo lehia
ITGD 2202
2
Background of ISMS Standards
  • Information Security Management System (ISMS)
    standards have been produced to help
    organisations come up with cost effective answers
    to questions like
  • Why do the same type of information security
    problem come up again and again?
  • Why does the IT department keep asking for more
    and more money to solve information security
    problems (that dont go away)?
  • How can we do information security well when IT
    is core to our business, but not our core
    business?
  • Origins in UK business in the 1990s, pooling
    knowledge of best practice
  • Initial focus on controls (now published as
    ISO/IEC 177992005)
  • Enhanced with a management decision making
    framework (now published as ISO/IEC 270012005)
  • Recently internationalised and updated by ISO/IEC

STANDARDS AUSTRALIA SECURITY FORUM
3
Organisations involved in the development of the
ISMS Standards
  • Nationally
  • Large corporates (e.g. ANZ, Shell, Bluescope,
    Telstra)
  • Information and IT security specialists (e.g.
    Witham Labs, Pacific Research, Fujitsu,
    Megaprime)
  • Internationally
  • Representatives from large corporates in the IT
    and other sectors, information security
    specialists from specialist business and
    government organizations
  • Australia, Austria, Belgium, Brazil, Canada,
    China, Czech Republic, Denmark, Finland, France,
    Germany, India, Italy, Japan, Kenya, Luxembourg,
    Malaysia, New Zealand, Netherlands, Norway,
    Poland, Russia, Singapore, Spain, South Africa,
    South Korea,Sri Lanka, Sweden, Switzerland, UK,
    Ukraine, USA

STANDARDS AUSTRALIA SECURITY FORUM
4
The target audience and the value the ISMS
Standards bring to the market
  • These standards are relevant to any organisation
    reliant on information and IT
  • Large corporates
  • SMEs
  • Government agencies
  • Focus is on organizations that cant justify a
    staff of information security specialists
  • Value is provided by making pooled, peer
    reviewed, best practices for the management and
    implementation of an information security
    programme available to all at a modest cost

STANDARDS AUSTRALIA SECURITY FORUM
5
Objectives of the Standards
The ISMS standards specify a framework for
organisations to manage information security
aspects of their business, and if necessary to
demonstrate to other parties (e.g. business
partners, auditors, customers, suppliers) their
ability to manage information security.
STANDARDS AUSTRALIA SECURITY FORUM
6
Key Elements / Scope of the ISMS Standards
  • ISO/IEC 27001 Information Security Management
    Systems - Requirements is the foundational
    standard it is applicable to all types of
    organisation and all sectors of the economy.
  • It specifies a risk-based management system that
    is designed to ensure that organisations select
    and operate adequate and proportionate (i.e. cost
    effective) security controls to protect
    information assets.
  • It uses the plan-do-check-act (improve) model
    used in environment and quality management
    standards.
  • It is specified to allow implementation
    integrated within broader management systems.
  • The standard shows how requirements relate to
    the OECD Guidelines for the Security of
    Information Systems and Networks.

STANDARDS AUSTRALIA SECURITY FORUM
7
Content of the ISMS Standards
  • Foundations (ISO/IEC 27001)
  • Establishing, implementing, operating,maintaining
    and improving an ISMS
  • Documentation requirements
  • Management responsibilities
  • Internal audits and management reviews
  • Supporting Standards
  • ISO/IEC 27000 - ISMS fundamentals and vocabulary
    (under development)
  • ISO/IEC 27002 - Code of practice for information
    security management
    (controls) (ISO/IEC 17799 to be renumbered next
    year)
  • ISO/IEC 27003 - ISMS implementation Guide (under
    development)
  • ISO/IEC 27004 Measurement and metrics (under
    development)
  • ISO/IEC 27005 Risk management (under
    development)
  • ISO/IEC 27006 Requirements for the
    accreditation of bodies providing
    certification of ISMS (under
    development)

STANDARDS AUSTRALIA SECURITY FORUM
8
ISMS - the tip of the iceberg
  • There are also generally applicable ISO/IEC
    and/or Australian/NZ Standards covering
  • Digital signatures
  • Encryption (algorithms,modes of operation,key
    management)
  • Entity authentication
  • Hash functions
  • Intrusion detection
  • IT evidence collection
  • Message authentication codes
  • Network security
  • Non repudiation
  • Prime numbers
  • Random numbers
  • Security evaluation of products
  • Security incident management
  • Time-stamping
  • Trusted third party services

STANDARDS AUSTRALIA SECURITY FORUM
9
Call to action
Poor information security outcomes are commonly
the result of poor management and not poor
technical controls.
  • The 27000 series of ISMS Standards tackle the
    information problems we face from the management
    perspective.
  • It is not easy, but it is best practice and it
    works

STANDARDS AUSTRALIA SECURITY FORUM
10
Reference
  • From internet
Write a Comment
User Comments (0)
About PowerShow.com