CONSULTING
Session 1: The Importance of Information Security
Umar Alhabsyi, ST, MT, CISA, CRISC.
umar.alhabsyi@gmail.com
Created
Stored
Destroyed
Processed
Transmitted
Used (For proper & improper purposes)
Corrupted
Lost
Stolen
DSW retail - Hacking
Card Services - Hacking - 40 million consumers exposed
TJX Stores - Hacking - 45 million consumers exposed
UCLA, Fidelity - Internal theft
Source: CERT incident statistics between 1995 and 2002. © 2003 by Carnegie Mellon University.
- Bruce Schneier, American cryptographer, computer security specialist, and writer
INFORMATION SECURITY: The protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.
Some Facts
Information security is an organizational problem rather than an IT problem.
Biggest asset: people.
Social engineering is a major threat.
Timeline: 1995 - 1999 - 2000
ISO 27001:2005 - Information technology - Security techniques - Information security management systems - Requirements
ISO 27002:2005 - Information technology - Security techniques - Code of practice for information security management
Information Security Policy
Organisation of Information Security
Compliance
Business Continuity Planning
Asset Management
Human Resource Security
Incident Management
Availability
System Development & Maintenance
Physical Security
Access Control
Communication & Operations Management
Control Clauses
Information Security Policy - To provide management direction and support for information security.
Organisation of Information Security - Management framework for implementation.
Asset Management - To ensure the security of valuable organisational IT and its related assets.
Communications & Operations Management - To ensure the correct and secure operation of information processing facilities.
Access Control - To control access to information and information processing facilities on a need-to-know and need-to-do basis.
Information Systems Acquisition, Development & Maintenance - To ensure security is built into information systems.
Information Security Incident Management - To ensure information security events and weaknesses associated with information systems are communicated.
Business Continuity Management - To reduce disruption caused by disasters and security failures to an acceptable level.
Compliance - To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and of any security requirements.
Thank you