Presented By Daniel Udochi CISA, CISM, Certified QA Lead Auditor Thursday, March 11, 2010 ISACA Kenya Chapter Presentation
AGENDA
- Information Security Introduction & Overview
- Information Security Management
- The Challenge
Basic Definitions
Information - A meaningful collection of data (facts, ideas, etc.) about a particular subject
effectiveness or
Information Security - cardinal properties:
- Integrity
- Availability
In addition to these cardinal properties are Authenticity, Accountability, Non-repudiation and Reliability.
Information processing - computers, manual clerk processing, etc.
Information transmission - LAN, WAN, Internet, etc.
- Phenomenal growth rate and expansion of the Internet and the myriad of available services.
- High adoption rate of new technologies by previously technology-shy nations in the emerging markets of the developing world, in order to leverage new opportunities.
- Diverse and ever-increasing spectrum of threats to information and associated assets.
- Pervasive nature of information systems and services, leading to increased vulnerability to security threats.
"When I took office, only high energy physicists had ever heard of what is called the World Wide Web... Now even my cat has its own page." - Bill Clinton, 42nd US President (1993 - 2001)
The Chinese word for Risk is symbolized by two characters: Opportunity & Danger.
"Global Village", once a vision of Marshall McLuhan (1911 - 1980), is now reality: the same global risks, but poor awareness & readiness levels.
Improve!
Security Policy
Security Model
Security Architecture & Technical Standards
Admin & End User Guidelines & Procedures
Enforcement Processes
Monitoring Processes
Recovery Processes
Security Policy
Objective: To provide management direction and support for information security and demonstrate management commitment to information security.
Key Requirements:
- Information security policy document
- Policy review & authorization procedure
- Policy evaluation criteria
Deliverables:
- Policy communication & awareness
Asset Management
Objective: To ensure that major organizational information assets are accounted for and protected as appropriate.
Key Requirements:
- Accountability of information assets
- Information classification
Deliverables:
- Information asset inventory
- Nominated owner for key information assets
- Information classification scheme/guideline
HR Security
Objective: To reduce the risks of human error, theft, fraud or misuse of organizational facilities by addressing security responsibilities at recruitment and throughout an individual's employment.
Key Requirements:
- Security in job definition & sourcing
- User training
- Security incident response
Deliverables:
- Defined roles and responsibilities for security
- Formal verification process and checklists
- Confidentiality / non-disclosure agreements
- User training records
- Incident reporting & disciplinary procedures
Deliverables:
- Effective & adequate physical security & controls
- IPF location based on security requirements
- Formal maintenance procedure & records
- Off-site and equipment disposal procedures
- Clear desk / clear screen policy
(Product advertisement text captured from the slide)
- Stores up to 2,000,000 keystrokes
- Can be stored with 128-bit encryption
- Works on all operating systems
- Prices from only $139
Access Control
Objective: To control access to information & business processes on the basis of business and security requirements.
Key Requirements:
- Defined business requirement for access control
- User access management procedures & responsibilities
- Network access control
- Operating system access control
- Application access control
- Monitoring system access & use
- Mobile computing & teleworking
Deliverables:
- Access control policy & password management guide
- Access management processes (review, authorization, etc.)
Compliance
Objective: To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements.
Key Requirements:
- Schedule of applicable legal, statutory, regulatory or contractual obligations
- Formal IPR management processes
- Data protection and privacy controls
- Routine assessment/audit of compliance with security policies
Deliverables:
- Infosec assessment/audit procedures & reports
- IPR and data privacy protection procedures
- Change management & control procedures
- Logical sequence of activities required to achieve a defined goal/objective; basically describes the Who, What, How.
- Detailed and comprehensive (almost elementary) step-by-step instruction for achieving specific tasks within the procedure.
- Records produced in the course of daily business operations, which show compliance with Policy, Procedure / Work Instructions.
- An approach to implementing security that is consistent with the organizational culture;
- Visible support and commitment from management;
- A good understanding of the security requirements, risk assessment and risk management;
- Effective marketing of security to all managers and employees;
- Distribution of guidance on information security policy and standards to all employees and contractors;
- Providing appropriate training and education;
- A comprehensive and balanced system of measurement which is used to evaluate performance in information security management and feed back suggestions for improvement.
Daniel Udochi, Zain Africa Regional Manager, Revenue Assurance & Fraud Management, Dandoch@gmail.com
Copyright Daniel Udochi 2010. All Rights Reserved. No part of this document may be reproduced without written consent from the author.