
INTRODUCTION TO INFORMATION SECURITY

IT Governance
IT Governance is a system for ensuring the business value of IT through effective use of resources, performing risk management of IT assets, and measuring performance for continuous improvement of IT.

IT Governance Domains

Strategic Alignment: Does the IT strategy support the organization's strategy?

Value Delivery: Is IT delivering value to its clients and end users?

Resource Management: Do we have competent staff, right-sized infrastructure and supporting applications?

Risk Management: What are the key risks to IT assets and how do we manage them?

Performance Measurement: Are we achieving (or likely to achieve) the objectives of the IT governance domains above?

ISMS Lead Implementer Course

Information Security

Information is an asset for any organization.

Information security is the preservation of confidentiality, integrity and availability of information (CIA).


Information Security: Three Pillars

Confidentiality: the property that information is not made available or disclosed to unauthorized individuals, entities or processes.

Integrity: the property of protecting the accuracy and completeness of information.

Availability: the property of being accessible and usable upon demand by an authorized entity.


Business Case of InfoSec

Why do we need information security? In one word: RISK.

Business Case of InfoSec: examples, each tied to the CIA property at stake

If the corporate email server goes down, communication between employees, clients and vendors will be delayed. (Availability)

If the HR master data does not show the updated records for all timesheets submitted by employees, the payroll may not be processed on time. (Integrity)

If user privileges are not changed after a job change, the user may be able to view unauthorized information. (Confidentiality)

If there is no backup site for continuing critical business operations, an outage may cause reputation and/or client loss. (Availability)

What is a Risk

Risk is the combination of the probability and the consequence of an event. A threat acting on a vulnerability produces the risk.

Example 1: email server unavailable
Threats: power failure; configuration change
Risk: the email server can become unavailable due to a power failure, causing serious problems in internal and external communication. The probability of such an event is high.

Example 2: password theft
Threat: social engineering
Vulnerability: weak password
Risk: password theft can occur through social engineering, resulting in leakage of critical information. The probability of such an event is medium.

Risk Based Approach to InfoSec

> Justifies investment in information security

> Helps analyze the control requirements

> Prioritizes information security efforts and investments

> Helps in preparing the business case for information security

> Helps align information security efforts with the organization's overall business objectives

> Defines what needs to be measured in information security

Risk Classifications

Following are some classifications of risk, each with an example:

Operational Risk: call centre operations
Technology Risk: use of new, state-of-the-art technology
Human Resource Risk: social engineering
Legal Risk: data and privacy regulations
Natural Risk (force majeure): flood and natural disasters, law and order situation
Contractual Risk: breach of service level agreements

Risk Based Approach to InfoSec: worked example

The threat to this house is getting robbed.

Vulnerabilities: glass windows; no alarm on the main gate; no neighbour or watchman.

Control: alarm on the main gate.

What is the risk?
Risk = Probability * Consequence
Risk = 0.8 * $1000 = $800
(The probability is 0.8, i.e. 80%, not 0.8%: 0.8% of $1000 would be only $8.)
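As an added example (not part of the original slides), the following Python puts the Risk = Probability * Consequence calculation into a small risk register: it ranks scenarios so that effort goes to the largest risk first, rejects probabilities that are not fractions in [0, 1] (the percent-versus-fraction slip in the slide's "0.8 %"), and tests whether a control such as the alarm on the main gate pays for itself. The scenario names, threats and vulnerabilities come from the slides; the numeric probabilities for the email and password scenarios, all loss figures, and the alarm's cost and residual probability are assumptions chosen for illustration.

```python
"""Quantitative risk register: Risk = Probability x Consequence, ranked,
with a check on whether a control is worth its cost.

Added example; all figures not on the slides are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One risk scenario: a threat exploiting vulnerabilities to cause a loss."""
    name: str
    threat: str
    vulnerabilities: tuple[str, ...]
    probability: float   # likelihood of the event as a fraction 0.0..1.0
    consequence: float   # loss if the event occurs, in dollars


@dataclass(frozen=True)
class Control:
    """A safeguard that lowers a scenario's probability, at a cost."""
    name: str
    cost: float
    residual_probability: float  # probability once the control is in place


def percent(value: float) -> float:
    """Convert a percentage (80 -> 0.8) so that 80% is never typed as 0.8%."""
    if not 0.0 <= value <= 100.0:
        raise ValueError(f"percentage must be in [0, 100], got {value}")
    return value / 100.0


def risk(probability: float, consequence: float) -> float:
    """Risk = Probability * Consequence, with the probability as a fraction."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError(f"probability must be in [0, 1], got {probability}")
    if consequence < 0.0:
        raise ValueError(f"consequence must be non-negative, got {consequence}")
    return probability * consequence


def scenario_risk(s: Scenario) -> float:
    return risk(s.probability, s.consequence)


def prioritize(scenarios: tuple[Scenario, ...]) -> list[Scenario]:
    """Rank scenarios by risk, highest first; this drives where effort goes."""
    return sorted(scenarios, key=scenario_risk, reverse=True)


def control_benefit(s: Scenario, c: Control) -> float:
    """Risk removed by the control: risk before minus residual risk after."""
    return scenario_risk(s) - risk(c.residual_probability, s.consequence)


def is_justified(s: Scenario, c: Control) -> bool:
    """A control is worth buying when the risk it removes exceeds its cost."""
    return control_benefit(s, c) > c.cost


# Constructed register. House figures are the slide's (0.8 and $1000); the
# email and password numbers are assumed translations of "high" / "medium".
HOUSE = Scenario(
    "house robbed", "burglar",
    ("glass windows", "no alarm on main gate", "no neighbour or watchman"),
    probability=percent(80), consequence=1000.0)
EMAIL = Scenario(
    "email server unavailable", "power failure",
    (),  # the slide names no specific vulnerability for this scenario
    probability=0.7, consequence=5000.0)
PASSWORD = Scenario(
    "password theft", "social engineering",
    ("weak password",),
    probability=0.4, consequence=20000.0)
REGISTER = (HOUSE, EMAIL, PASSWORD)

# Assumed control: the alarm on the main gate from the slide, with an
# assumed cost and an assumed residual probability.
ALARM = Control("alarm on main gate", cost=150.0, residual_probability=0.2)

if __name__ == "__main__":
    for s in prioritize(REGISTER):
        print(f"{s.name:26s} risk = ${scenario_risk(s):,.0f}")
    verdict = "justified" if is_justified(HOUSE, ALARM) else "not justified"
    print(f"{ALARM.name}: removes ${control_benefit(HOUSE, ALARM):,.0f} of risk "
          f"for ${ALARM.cost:,.0f} -> {verdict}")
```

Running it lists the password-theft scenario first, then the email server, then the house, and reports the alarm as justified because it removes $600 of risk for an assumed $150. The same ranking, with real figures, is what the "Risk Based Approach" bullets above mean by prioritizing investments and justifying them in the business case.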

ISMS Implementation Roadmap

High Level Roadmap:

RFP / Tender Development
Gap Analysis
Execution & Implementation
Third Party Certification
Support and Operations

Office No. 11, Level 10, Arfa Software Technology Park, 346-B Ferozepur Road, Lahore 54000, Pakistan. Phone: +92-423-597-2112, Fax: +92-423-595-8117, Email: info [at] kinverg.com, URL: kinverg.com, Facebook.com/kinverg, Linkedin.com/company/kinverg, Twitter.com/kinverg

PAKISTAN | KSA