ISO 27001 Awareness


Information Security – Concepts, Policy, Organisation

Narmadha R, Director,
O/o. DGCA, Chennai
1
Isg.techmahindra.com
What is Information Security?

“Information Security protects information from a wide range of threats in order to ensure business continuity, minimise business damage and maximise return on investment and business opportunities.”

Confidential 2
Isg.techmahindra.com
Information types

Information can be:
• created
• stored
• destroyed
• used
• transmitted

Information format:
• Paper
• Databases
• Disk(ette)s
• CD-ROMs
• Tapes
• (Design) drawings
• Films
• Conversations

Character of information:
• Financial
• Strategic
• Operational
• Personal

Remember!!!! An information system includes non-electronic information also.

Basic components

• Confidentiality: Ensuring that information is accessible only to those authorised to have access.
• Integrity: Safeguarding the accuracy and completeness of information and processing methods.
• Availability: Ensuring that authorised users have access to information and associated assets when required.
[Diagram: triangle with the three components Integrity, Confidentiality and Availability]

In some organisations, integrity and / or availability may be more important than confidentiality.

Managing information boundaries

• Intranet connections to other business units,
• Extranets to business partners,
• Remote connections to staff working off-site,
• Virtual Private Networks (VPNs),
• Customer networks,
• Supplier chains,
• Service Level Agreements, contracts, outsourcing arrangements,
• Third Party access.

Context for Info Security Management

[Diagram: the three security properties (Confidentiality, Integrity, Availability) and Litigation Risk at the centre, surrounded by the parties that set the context: The Public, Internal customers, Management, Employees, Stakeholders and Internal Audit]
What is ISO 27001?

• It is an International Standard for Information Security Management
• It consists of various specifications for Information Security Management
• Code of Practice for Information Security Management
• Basis for contractual relationships
• Basis for third party certification
• Can be certified by Certification Bodies
• Applicable to all industry sectors
• Emphasis on prevention
Plan Do Check Act Cycle (PDCA)

• Plan: Establish the ISMS
• Do: Implement and operate the ISMS
• Check: Monitor and review the ISMS
• Act: Maintain and improve the ISMS

Input: interested parties' information security requirements and expectations. Output: managed information security for the interested parties.
Important Areas of Concern

ISO27001
1. Security policy
2. Organization of information security
3. Asset management
4. Human resources security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. Information systems acquisition, development and maintenance
9. Information security incident management
10. Business continuity management
11. Compliance
ISO27001 Framework: Components

[Diagram: the Information Security Management System at the centre, surrounded by its components]
• Security Policy
• Security Organisation
• Asset Classification & Control
• Personnel Security / HR Security
• Physical and Environmental
• Communications & Operations
• Access Control
• System Development
• Incident Management
• Business Continuity Management
• Compliance
1. Security Policy

• Objective:
• Information security policy.

• Covers:
• Information security policy document
• Review of the Information Security Policy

Examples of various IS Security policies

2. Organization of information security
• Objective:
• Internal Organization
• External Parties

• Covers:
• Allocation of information security responsibilities
• Authorization process for information processing facilities
• Management commitment to information security
• Information security coordination
• Confidentiality agreements
• Contact with authorities
• Independent review of information security
• Identification of risks related to external parties
• Addressing security when dealing with customers
• Addressing Security in third party agreements

2. Organization of information security - Example

[Org chart]
• Management Security Forum, chaired by CEO / COO
• Chief Information Security Officer, heading the Information Security Group:
  • Location Security Managers: security incident handling, MIS and dashboards, security coordination
  • Specialised staff: risk assessment, BCP/DRP, application security, security audits and reviews, security training & awareness, monitoring
• Supporting groups:
  • eSecurity Group: specialised services (e.g. penetration testing)
  • QMG: audits and reviews, integration of security processes in BMS
  • TIM: IT operations, network security


3. Asset Management
• Objective:
• Responsibility for assets
• Information classification

• Covers:
• Inventory of assets
• Ownership of assets
• Acceptable use of assets
• Classification guidelines
• Information labelling and handling

Information Asset - Classification

• The inventory of information assets is categorised and classified based on:
  • Valuation of information assets – scale: Very High, High, Medium, Low, Negligible
  • Other attributes of the inventory: Asset Group, Asset Classification, Value, Storage Area, Storage Location, Asset Owner, Asset Retention, Remarks

4. Human Resource Security
• Objective:
• Prior to employment
• During employment
• Termination or change of employment

• Covers:
• Roles and responsibilities
• Screening
• Terms and conditions of employment
• Management responsibilities
• Information security awareness, education and training
• Disciplinary process
• Termination responsibilities
• Return of assets
• Removal of access rights

5. Physical and Environmental Security
• Objective:
• Secure Areas
• Equipment Security

• Covers:
• Physical Security Perimeter
• Physical entry Controls
• Securing Offices, rooms and facilities
• Protecting against external and environmental threats
• Working in Secure Areas
• Public access delivery and loading areas
• Cabling Security
• Equipment Maintenance
• Securing of equipment off-premises
• Secure disposal or re-use of equipment
• Removal of property

6. Communications & Operations Management
• Objective:
• Operational Procedures and responsibilities
• Third party service delivery management
• System planning and acceptance
• Protection against malicious and mobile code
• Backup
• Network Security Management
• Media handling
• Exchange of Information
• Electronic Commerce Services
• Monitoring

• Covers:
• Documented Operating procedures
• Change management
• Segregation of duties

6. Communications & Operations Management
(contd..)
• Separation of development, test and operational facilities
• Service delivery
• Monitoring and review of third party services
• Managing changes to third party services
• Capacity Management
• Controls against malicious code
• Information backup
• Network Controls
• Security of network services
• Management of removable media
• Disposal of Media
• Information handling procedures
• Security of system documentation
• Information exchange policies and procedures
• Exchange agreements

6. Communications & Operations Management
(contd..)
• Electronic Messaging
• Business information systems
• On-Line Transactions
• Publicly available information
• Audit logging
• Monitoring system use
• Protection of log information
• Administrator and operator logs
• Fault logging
• Clock synchronisation

7. Access Controls
• Objective:
• Business Requirement for Access Control
• User Access Management
• User Responsibilities
• Network Access Control
• Operating system access control
• Application and Information Access Control
• Mobile Computing and teleworking

• Covers:
• Access Control Policy
• User Registration
• Privilege Management
• User Password Management
• Review of user access rights
• Password use

7. Access Controls (contd..)
• Unattended user equipment
• Clear desk and clear screen policy
• Policy on use of network services
• User authentication for external connections
• Equipment identification in networks
• Remote diagnostic and configuration port protection
• Segregation in networks
• Network connection control
• Network routing control
• Secure log-on procedures
• User identification and authentication
• Password management system
• Use of system utilities
• Session time-out
• Limitation of connection time
• Information access restriction
• Sensitive system isolation
• Mobile computing and communications
• Teleworking

8. Information systems acquisition, development and maintenance

• Objective:
• Security requirements of information systems
• Correct processing in applications
• Cryptographic controls
• Security of system files
• Security in development and support processes
• Technical Vulnerability Management

• Covers:
• Security requirements analysis and specification
• Input data validation
• Control of internal processing
• Message integrity
• Output data validation
• Policy on use of cryptographic controls
• Key management
• Control of operational software
• Protection of system test data
8. Information systems acquisition, development and maintenance (contd)

• Access control to program source code
• Change control procedures
• Technical review of applications after operating system changes
• Restriction on changes to software packages
• Information leakage
• Outsourced software development
• Control of technical vulnerabilities

9. Information Security Incident Management
• Objective:
• Reporting information security events and weaknesses
• Management of information security incidents and improvements
• Covers:
• Reporting information security events
• Reporting security weaknesses
• Responsibilities and procedures
• Learning from information security incidents
• Collection of evidence

10. Business Continuity Management
• Objective:
• Information security aspects of business continuity management

• Covers:
• Including information security in the business continuity management process
• Business continuity and risk assessment
• Developing and implementing continuity plans including information security
• Business continuity planning framework
• Testing, maintaining and re-assessing business continuity plans

11. Compliance

• Objective:
• Compliance with legal requirements
• Compliance with security policies and standards, and technical compliance
• Information Systems audit considerations

• Covers:
• Identification of applicable legislation
• Intellectual property rights (IPR)
• Protection of organizational records
• Data protection and privacy of personal information
• Prevention of misuse of information processing facilities
• Regulation of cryptographic controls
• Compliance with security policies and standards
• Technical compliance checking
• Information systems audit controls
• Protection of information system audit tools

Your Questions please?
Thank You…
