iso-27001

IMPLEMENTAÇÃODANORMAISO27001WorldleaderinRiskManagementandCompliancesolutions.Createvalueandminimizeyourrisksthroughouron-demandmanagementsystems.RealISOCorp.626,GlennCurtissUniondale,11556NewYork–USA–PartOneInformativeAspectsGuideObjectives:»GeneralviewofInformationSecurity»Focusonsecuritymanagement»UnderstandinganISMS»UnderstandingRiskAnalysis»StudyofInformationSecuritymanagementprocessesModusOperandiGeneralaspectsofInformationSecurityWhatdoesInformationSecuritymean?»ForeignhackerscapturingCCnumbers»Largecorporationwebsitesbeingdistortedforpoliticalreasons»Virusattacksthatrenderlargecorporationsinactive»Digitalspiescapturingandsellinginformationoncompetitionandhugedatabases»YoungpeopleinvadingsystemsnotknowingthetrueinformationvalueWhatdoesInformationSecuritymean?Old-fashionedview!!!Decision-Taking»ControlInformationDecision-Making»AgooddecisiondependsonthequalityofinformationInformationSecurityFarbeyondfirewall!»SecuritydoesnotdependuponITalone»Assuringsecuritydoesnotmeansimplyensuringinformationsecrecy»Properdecisionsdependonaccurateinformation»SecuritymaygenerateperceivablevalueWhatisinformation?»Onpaper:Memos,standards,formulas,designs,strategies.»Ondigitalmedia:Disks,tapes,CDs,transmittedfiles.»Sound:Meetingrecording,messagesleftontelephoneswitchboards,cellphonemailbox.»Image:Documentphotos,identificationphotos,facilitiesphotos,videotapes,digitalvideos.Resources»Processing:Abilitytohandleinformationandgenerateresults»Storage:Abilitytostoreinformation.Doesnotchangeinformation»Communication:Abilitytotransmitinformation.ShouldnotchangetransmittedinformationLastParadigm:Responsibility»DueDiligence:showsthatthecompanyiscarryingoutsecurityactivitiesonasteadybasis.»DueCare:developmentofinformationsecuritypolicies,riskanalysis,andanISMS.ShowsthatManagementhastakentherequireddecisionsandactionstoprotectthecompany.»Warning:Notcarryingout“DueDiligence”and“DueCare”maycharacterizeadministrativenegligence.BasicPrinciples»Confidentiality:giveninformationthatmaynotbemadeavailableordisclosedforpeople,entitiesorprocesseswithoutpermission.Aconcepttoensurethatsensitive,confidentialinformationislimitedtoanappropriategroupofindividualsororganizations.»Integrity:theconditionbywhichinformationorinformationresourcesareprotectedfromunauthorizedchanges.Informationaccuracyandcompleteness.BasicPrinciples»Availability:informationistobedeliveredtotherightpeople,whenneeded.ISO27001FrameworkandImplementationWhatisISO27001?»Astandardwiththerequirementsforacompanytoimplementaninformationsecuritymanagementsystem»ItwasoriginatedfromBS7799,createdbyBSI–BritishStandardInstitute»Businessprocess-orientedandnottechnologyinfrastructure-oriented»BasedonPDCAmanagementcycleWhatisISO27001?»DeterminesthatacompanymusthaveanISMS–ISManagementSystem»Maybeappliedtoanycompanytype»EnablesacompanytohaveitsISMScertificated»InlinewithISO9000,ISO14000standardsWhatISO27001isNOT?»Atechnicalstandard»AstandarddevelopedforITarea»Aguideforbestpractices.ForthatISO27002isavailable»AmethodologyforinformationsecuritymanagementISManagementSystem-PDCA»UnderstandingsecurityrequirementsAssessbusinessrisksandrequirements»ImplementingandoperatingcontrolsTechnological,physical,andadministrative»MonitoringandreviewingSystemperformanceIndicatorsandobjectivemetrics»ImprovingonanongoingbasisCorrectiveandpreventiveactionsISO27001ApplicationWhyimplementinganISMS?»TheSystemwasdevelopedwiththeaimofsuitingandprovidingsecuritycontrolsthatproperlyprotectthecompany’sinformationassets,increasingreliabilityofcustomersandotherconcernedpartiesISO27001ApplicationBasicRequirements»However,thefollowingitemsmaynotbedisregarded:»4–InformationSecurityManagementSystem»5–ManagementResponsibility»6–InternalISMSAudits»7–ManagementReviewoftheISMS»8–ISMSImprovementInformationSecurityManagementSystemTheSecurityManagementSystemshould:»FollowPDCAmodel»ConsiderbusinesscontextandInformationrisks»Bebusinessprocess-oriented»ComplywiththestandardrequirementsImplementingISMS-StartingPointSystemScopeWhichprocesseswillmysystemactupon?»Thescopedefineswhichinformationassetsthesystemwillactupon»Itisinterestingtodefinescopethroughbusinessprocessapproach»ScopedefinitionshouldbeclearandallowidentificationoflocationsandassetsinvolvedInformationSecurityPolicyManagementSystemguidelines»Policyshouldreflectthecompany’sphilosophywithregardtoitsinformationsecurity»Itshouldprovidedirectionstoallconcernedparties»ItshouldconsiderbusinessrequirementsandapplicableregulatoryrequirementsInformationSecurityPolicyStrategicLine-up»Whicharethemaincompany’sstrategies?»Howdoesinformationsecurityrelatetothesestrategies?»Whicharethecompany’ssecurityobjectives?RiskAnalysisSecurityRequirementsforaCompany»InformationSecurityrisks»RegulatoryandContractualObligations»Setofprinciples,objectivesandbusinessrequirementsneededforinformationprocessingRiskAnalysisNationalandInternationalStandardsReferences»ISO13335-1andISO13335-2»ISOGuide73–RiskmanagementVocabulary»ASNZS4360WhatareRisks?»R