Version Control
Version No. | Date | Type of Changes | Owner/Author | Date of Review/Expiry
NOTICE
The information contained in this document is not to be used for any purpose other than the purposes for which this document is furnished by GENPACT, nor is this document (in whole or in part) to be reproduced or furnished to third parties or made public without the prior express written permission of GENPACT.
Classification: Genpact Internal
ISMS
INTRODUCTION
ISMS – INFORMATION SECURITY MANAGEMENT SYSTEM
BS 7799-2:2002 – BRITISH STANDARD (PREVIOUS VERSION 1999); VERSION 2, YEAR 2002
ISO/IEC 27001 – ISSUED IN DEC 2005; REQUIREMENTS – USED AS BASIS FOR CERTIFICATION
ISO/IEC 17799:2005 – CODE OF PRACTICE, VERSION 2, YEAR 2005; 27002:2008 – RECOMMENDATIONS – PROVIDES BEST PRACTICE GUIDANCE; NOT FOR CERTIFICATION
INFORMATION / DATA
DATA: Basic facts, figures, statistics, details; known facts used for inference or reckoning
INFORMATION: Recorded data, facts, knowledge; processed data, an asset having value
INFORMATION
Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected. It exists in many forms:
•Data stored in computers
•Transmitted across networks
•Print-outs, FAX
•Written form
•Stored on media – disks, film etc.
•Spoken in conversations – Tele
SECURITY
Safety from danger, espionage, invulnerability
Protection, safe-keeping
Security is a process of defining the parameters that are gauged by either individuals or organizations as risks, and the process of reducing or eliminating the same
INFORMATION SECURITY
Is about protecting information through selection of appropriate controls (measures)
•Protects info from a range of threats
•Ensures business continuity
•Minimizes financial loss
•Maximizes return on investments and business opportunities
INFORMATION SECURITY OBJECTIVES
Preservation of Confidentiality, Integrity and Availability (CIA) of Information
•Confidentiality: Ensuring information is accessible only to those authorized
•Integrity: Safeguarding the accuracy & completeness of information & processing methods
•Availability: Ensuring that authorized users have access to information and associated assets when required
MANAGEMENT SYSTEM
ACHIEVEMENT OF ORGANISATION’S POLICIES AND OBJECTIVES
STRUCTURE
PROCESSES
PROCEDURES
RESOURCES
MANAGEMENT SYSTEMS
FINANCIAL, INFORMATION, HR, HEALTH & SAFETY, QUALITY, ENVIRONMENT
STRUCTURE, POLICY & PROCEDURES, PROCESS, RESOURCES
Provide assurance through discipline of Compliance
INFORMATION SECURITY MANAGEMENT SYSTEM
ISMS is that part of the overall management system, based on a business risk approach, to:
PLAN – ESTABLISH
DO – IMPLEMENT & OPERATE
CHECK – MONITOR & REVIEW
ACT – MAINTAIN & IMPROVE
ISMS MECHANISM
ISMS ENABLES AN ORGANISATION TO ADOPT A PROACTIVE APPROACH THROUGH A MECHANISM OF
AWARENESS
PLANNING
TRAINING
ACTION
MEASUREMENT & REPORTING
REVIEW ON A CONTINUOUS BASIS
A WORD OF CAUTION!
WITH AN ISMS WE ARE NOT INTENDING TO MAKE THE SYSTEM ‘HACKER-PROOF’, BUT DEVISE A SYSTEM WHICH CAN, TO A LARGE EXTENT
•ANTICIPATE POTENTIAL PROBLEMS
•PRE-EMPT THROUGH PROACTIVE MEASURES
•PROTECT AGAINST CONSIDERABLE DAMAGE
•ENSURE RECOVERY AND RESTORATION
ISMS PROCESS (PDCA) MODEL
Input: Interested parties – requirements & expectations
PLAN – ESTABLISH
DO – IMPLEMENT & OPERATE
CHECK – MONITOR & REVIEW
ACT – MAINTAIN & IMPROVE
Output: Interested parties – managed information security
Plan: Establish the ISMS
Define ISMS scope
Define ISMS policy
Systematic approach to risk assessment
Identify & assess the risks
Identify & evaluate options for risk treatment
Select control objectives & controls
Prepare Statement of Applicability
Do: Implement & Operate ISMS
Formulate a risk treatment plan
Implement the risk treatment plan
Implement selected control objectives & controls
Implement training & awareness programmes
Manage operations
Manage resources
Check: Monitor & Review ISMS
Execute the monitoring procedures
Undertake regular reviews of ISMS effectiveness
Review the level of residual risk & acceptable risk
Conduct internal ISMS audits at planned intervals
Regular management review of ISMS
Record actions & events that have an impact on ISMS
Act: Maintain & Improve ISMS
Implement identified improvements
Take appropriate corrective & preventive actions
Communicate results & actions and agree with all interested parties
Ensure that the improvements achieve the intended objectives
ISO 27001:2005 STRUCTURE
ISMS Standards and BS 7799 requirements
CONTROL OBJECTIVES & CONTROLS
11 DOMAINS
39 CONTROL OBJECTIVES – SPECIFY REQUIREMENTS
133 CONTROLS – SATISFY OBJECTIVES
11 SECURITY DOMAINS OF ISO/IEC 27001:2005
A.5 SECURITY POLICY
A.6 ORGANIZATIONAL INFO SECURITY
A.7 ASSET MANAGEMENT
A.8 HR SECURITY
A.9 PHYSICAL & ENVIRONMENTAL SECURITY
A.10 COMMUNICATIONS & OPERATIONS MANAGEMENT
A.11 ACCESS CONTROL
A.12 INFO SYSTEMS ACQUISITION, DEVELOPMENT & MAINTENANCE
A.13 INFO SECURITY INCIDENT MANAGEMENT
A.14 BUSINESS CONTINUITY
A.15 COMPLIANCE
A.5 SECURITY POLICY
• INFORMATION SECURITY POLICY DOCUMENT
• REVIEW & EVALUATION
A.6 ORGANIZATIONAL SECURITY
A.6.1 INFORMATION SECURITY INFRASTRUCTURE
•INFORMATION SECURITY FORUM
•INFORMATION SECURITY COORDINATION
•ALLOCATION OF RESPONSIBILITIES
•AUTHORIZATION PROCESS FOR INFORMATION PROCESSING FACILITIES (IPF)