Chapter 1 - Discussion Notes
Value of information (VOI or VoI) is the amount a decision maker would be willing to
pay for information prior to making a decision.
Examples include research results, technology evaluations, and new methodologies. The
value of information is determined by its importance to the decision maker or to the
outcome of the decision being made.
Slide 3
The purpose of ISM is to provide a focus for all aspects of IT security and to manage all
IT security activities. The term information is used as a general term and includes data
stores, databases and metadata.
Slide 4
What is data and information in IT?
Data - is an individual unit that contains raw materials which do not carry any specific
meaning. Data refers to the raw information.
Information - is a group of data that collectively carries a logical meaning.
Slide 5
Objective of ISM - is to protect the interests of those relying on information and the
systems and communications that deliver the information from harm resulting from
failures of availability, confidentiality and integrity.
Slide 6
Confidentiality - That's the idea that says only an authorized user should be able to see
particular information or access particular resources.
Integrity- So with integrity technologies, what we do is we're looking for tampering and
we're detecting that and then alerting someone so that they know that this data is no
longer trustworthy.
EXAMPLE
A bad guy, for instance, might try to come into a system after he's hacked it and
change the log file to remove any record that he was there in the first place. That
would be an integrity attack. So we need security capabilities to ensure that the system
is still true to itself.
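The log-tampering scenario above is exactly what a keyed hash chain is built to catch. The following is an added example, not code from the lecture notes: each record carries an HMAC over its own text and the previous record's tag, so editing or removing a line breaks the chain and the verifier can flag the data as no longer trustworthy. The key and the sample log lines are constructed for the demonstration.

```python
# Added example (not from the lecture notes): a keyed hash chain that makes
# log tampering detectable. Every record carries an HMAC over its own text and
# the previous record's tag, so deleting or editing a line breaks the chain.
import hmac
import hashlib

# Constructed demo secret; in practice it comes from a key store, not source code.
KEY = b"constructed-demo-key"
GENESIS = "0" * 64  # tag assumed for the record before the first one


def _tag(prev_tag, message):
    """HMAC-SHA256 over the previous tag and this record's text."""
    return hmac.new(KEY, (prev_tag + "|" + message).encode(), hashlib.sha256).hexdigest()


def append_record(log, message):
    """Append message to log (a list of (message, tag) tuples) and return its tag."""
    prev_tag = log[-1][1] if log else GENESIS
    tag = _tag(prev_tag, message)
    log.append((message, tag))
    return tag


def verify_log(log):
    """Return (True, None) if the chain is intact, else (False, index of first bad record)."""
    prev_tag = GENESIS
    for i, (message, tag) in enumerate(log):
        if not hmac.compare_digest(_tag(prev_tag, message), tag):
            return False, i
        prev_tag = tag
    return True, None


def build_sample_log():
    """Constructed sample: three events, one of which an intruder would want gone."""
    log = []
    for msg in ("login alice 10:00", "login mallory 10:05", "logout alice 10:30"):
        append_record(log, msg)
    return log


def demo():
    """Verify the clean log, then a copy with the intruder's login record removed."""
    log = build_sample_log()
    intact, _ = verify_log(log)
    tampered = [r for r in log if "mallory" not in r[0]]  # attacker deletes their trace
    ok, bad_index = verify_log(tampered)
    return intact, ok, bad_index  # → (True, False, 1)


if __name__ == "__main__":
    print(demo())
```

Deleting only the newest record leaves the chain intact, so the latest tag must also be kept out of the attacker's reach (for example by forwarding the log to a separate server), otherwise the check above cannot detect truncation.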
AVAILABILITY- In this case, it's about making sure that authorized users have access to
the resources that they need when they need them. So, for instance, we have
authorized user here and they want to access a particular server. So when they come,
they get access as they expect. However, we could end up with a case where we have
a malicious actor who comes in and floods this system with too much traffic, therefore
taking it down, making it not available. We refer to this as a denial of service attack,
and a denial of service attack can take a lot of different forms.
But that's the basic idea, is that a bad guy is preventing a good guy from getting access
to the system.
Remember, whenever you come up with a new security project, go back over the
different angles of the CIA triad and say: did I cover confidentiality, integrity,
availability? If yes, then the job is finished.
Slide 7
The ISM process should include the production, maintenance, distribution and enforcement
of an information security policy.
Slide 8
Understanding the agreed current and future security requirements of the business and
the existing business security policy and plans.
Slide 9
Implementation of a set of security controls that support the information security policy
and manage risks associated with access to services, information and systems.
Slide 10
Documentation of all security controls, together with the operation and maintenance of
the controls and their associated risks.
Slide 11
Management of suppliers and contracts regarding access to systems and services, in
conjunction with supplier management.
Slide 12
Management of all security breaches and incidents associated with all systems and
services.
Slide 13
ISMS-
Slide 14
ISO 27001 - the standard has been designed to help organizations manage their security
practices consistently and cost effectively.
Slide 15
It is technology and vendor neutral and is applicable to all organizations irrespective of
their size, type or nature.
Slide 16
The ISO 27000 series is a family of mutually supporting information security standards
that together provide a globally recognized framework for best-practice Information
Security Management. These standards help organizations keep their information assets
secure by offering a set of specifications, codes of conduct and best-practice guidelines
to ensure strong Information Security Management.
Slide 17 - BENEFITS OF ISO 27001
Slide 18
ISO 27001 guides you in securing your information in all its forms. An ISMS helps protect
all forms of information, whether digital, paper-based or stored in the cloud.
Slide 19
Increase your attack resilience - implementing and maintaining an ISMS will significantly
increase your organization's resilience to cyber attacks.
Slide 20
Protect what matters - whether the scope of your ISMS covers your whole organization
or just the parts that deal with information, ISO 27001 protects against
technology-based risks and other more common threats such as poorly informed staff or
ineffective procedures.
Slide 21
An ISMS constantly adapts to changes both in the threat environment and inside the
organization, ensuring that information security risks are effectively managed over time.
Slide 22
Reduce costs associated with information security - an ISMS looks to assess and treat risks
cost effectively, ensuring organizations can maximize their return on investment.
Slide 23
Protect the confidentiality, availability and integrity of your data - an ISMS offers a set
of policies, procedures and technical and physical controls to protect the confidentiality,
availability and integrity of your information.
Slide 24
Make security part of business as usual - the standard's holistic approach covers the
whole organization, not just the IT department, so employees can readily understand
risks and embrace controls as part of their everyday security working practice.
Slide 25
There are 114 controls in Annex A covering the breadth of Information Security
Management, including areas such as:
The standard (ISO ) requires organizations to compare the measures they have
implemented with the Annex A controls.
They're then expected to implement the missing controls or else provide and document
a reason that those controls aren't applicable to them.
Additional information :
1. Why ISO standards are important to an organization?
ISO standards provide a strong basis for the development of national and international
regulation, helping save time and reduce barriers to international trade.
2. What happens if you are not ISO certified?
- After failing an ISO audit, a business will be given detailed information about
the reasons for failure and the actions required to address these reasons. This
information identifies areas of nonconformity and should be used as a guide for
areas to address before a follow-up or fresh audit.