Good evening everyone, my name is ….

As the CEO and Board Chairman of ArmyTech, I would like to welcome you to our presentation reviewing our implemented Information Security Management System.

ArmyTech
Perform with excellence, powered by innovation and guided by integrity

Information Security Management System

an executable strategy
To introduce the ArmyTech executive team: Andres is our CIO and public relations officer, Barry is our Chief Financial Officer, Alis is our Chief Information Security Officer, and Kanom is our Chief HR Manager.

the executive team
ArmyTech

• Santiago Noriega Ardila (CEO & the Board Chairman)
• Andres Prado (CIO, PR)
• Barry Anand (CFO)
• Alis Keshishi (CISO)
• Sakonporn Onla-or (CHRM)

MIT
ATW 2
Part of our program is:

To briefly give you some information regarding ArmyTech, its operations and our strategic justification for ISMS implementation. We will be looking at ISMS objectives to support our business objectives, and will go through the approach and detailed methodology undertaken for this program and its success criteria.

outline
• ArmyTech background information
• isms strategic justification
• isms objectives
• the approach
• the methodology
• success criteria
Please say this using your own words, more natural.
corporate background
ArmyTech provides advanced defense technology systems and integrated solutions, specialized in high-standards weapons and munitions, founded in 1996.

Our Mission
To provide high standard and quality solutions in all core business areas.

Our Vision
To be recognized as the leading global Information Security and Defense Technology Company by the year 2020 and a world-class solutions partner with our customers, providing the best solutions through our outstanding innovations and performance and delivering maximum value to our shareholders.

Our Values
Perform with excellence, powered by innovation and guided by integrity.
Don’t mention company profile.

Start with: It is headquartered in Richmond with over 100 staff across Australia wide and is listed on the stock exchange from 2003 as ATW.

Then say the below, you don’t need to go through the list: In addition to our products, we also provide consulting and integration services.

corporate background

Company Profile
• Headquartered in Richmond
• Listed on the stock exchange in 2003, ArmyTech Limited (ASX: ATW)
• Employs over 100 staff across Australia wide
• Managed by Santiago Noriega Ardila as Chief Executive Officer and President

Products & Services
• Combat weapons and rifles, short-range anti-armor and assault weapons, robotic platform weapons
• Asset protection and perimeter defense systems
• Consulting and Integration Services
We have many business objectives in regards to compliance & legislation, governing contracts, third party service providers, IT and HR rules, ownerships and authorities. Our ISMS objectives are in place to support our business objectives: to address the vulnerabilities and mitigate security incidents and maintain business continuity. We have identified our scope, policies and risk management procedures to seek certification in ISO27001. I would like to ask Barry to give us some insight into our financial justification for ISMS implementation.

business case
- isms strategic justification -

Business Objectives
• Compliance & Legislation
• Governing Contracts, Third Party Service Providers, IT Rules, HR Personnel Rules, Physical Security
• Competitive Advantage / Marketing edge
• Putting business in order; responsibilities, ownership, authority

ISMS Objectives
• Confidentiality, Integrity & Availability
• Protect proprietary assets & information entrusted to us by customers, suppliers, and other partners
• Evaluate and address the vulnerabilities
• Internal and external threats to our information
• Mitigate security incidents and maintain Business Continuity & Improvement

Scope, Policies & Procedures
• Aligns to a standard (ISO27001 for certification & business improvement & best practices (ISO27005/2)) within an achievable scope
• Security Policies & Risk Management procedures, Training & Implementation

Financial Justification
• Lowering the expenses
• Total investment over 2 years - $1.7 M (estimate)
Thank you Santiago. By looking at our financial data for the 2012 financial year, ArmyTech Industry had noticed a proximate loss due to lack of information & data security in the year 2012. Considering this fact and the importance of our data integrity, confidentiality and availability, the management has decided to invest 10% of our total revenue in improving & maintaining our information security. ArmyTech’s management and the board have agreed to invest over 1 million on a variety of controls so that effective information security can be achieved. Overall investment was estimated at $1.7m over two years and we are expecting a decrease in security expenses by 80% by the end of 2014. Now I’ll hand over to our information guys to describe this process in more detail, thank you.

business case
- financial plan -

Operating Costs 2012-2013 FY
• Employee expenses ($4.5M)
• Patent Cost ($1M)
• Finance costs ($2.5K)
• Professional fees ($800K)
• Facilities and equipment ($500K)
• Research and development ($250K)
• Administrative expenses ($200K)
• Communication and technology ($100K)
• Consumables used ($30K)
• Travel expenses ($40K)
• Other, security issues ($800K)
• Total estimated annual cost: $7.5M

Annual Turnover & Assets
• Revenue: $13.5M
• Profit Before tax: $6M
• Profit after tax (30%): $4.2M
• Asset: $6M
• Market Value: $3.7M

ISMS Investment
• Lowering the expenses
• Total investment over 2 years - $1.7 M (estimate)
• Time line: Implemented in July 2013, seeking certification by 2014
Thank you Barry.

ArmyTech operates in a complex environment with many security concerns regarding data handling, research & design for the patenting process, along with all other technical securities. Our aim for having a security framework in place is not how well or advanced our tools and technologies could be; it is about having an executable framework to help us to:

business need for EISF!

Is it about?

Complex environment
• Hardware
• Physical Security
• Software
• Technical Security
• Privacy
• Application
• Research & Design Security
• Firewall access control
• Data leakage handling security
• VPN Services

Complex system
• Authentication
• Access control
• Document security
• Email Security
• Encryption
• Secure Web
• Integrity
• Secure code
• Single sign on
enterprise information security framework
• To tackle our business problems
• To be able to measure & meet our obligations and legislative requirements
• Having repeatable processes which can improve over time

It is all about how we manage our people, technology and processes regarding information security.

Solve our business problems | Being measured & meet our requirements | Repeatable process, improve over time

to drive performance improvement while meeting our obligations and legislative requirements

People | Processes | Technology
The principal activities at ArmyTech are related to our research, design, development, integration, product and service delivery. By considering the processes within each business unit we have classified our information assets which need to be protected as: read the right hand list.

business processes & information assets

Principal Activities
• Research, design, development, integration and sustainment of advanced defense technology systems, products and services
• Deliver fully qualified, field capable, commercially and high-standards weapons and munitions
• Provides technology integrated solutions and trainings
• Consulting and Integration Services, Mission Systems and Training

Operational Business Units
• Research and Development
• Information Technology
• Information Security Compliance and Governance
• Finance and Accounting/Payroll
• Assembly Line Unit and Logistics
• Sales and Marketing
• Human Resources
• Warehouse

Information Assets
• Network Infrastructure
• R&D
• R&D team
• Client Communications
• Product Assembly Process
• Data Center
• Product Sales & Marketing
isms scope
Scope Statement
The Information Security Management System in relation to management of information and communication services in research, design, development, integration and sustainment of advanced defense technology systems, network and communications. The scope is applicable to all services business operations excluding licensing and export agreements, warehouse, off site testing, the delivery and activities related to the Australian Stock Exchange. This is in accordance with the Statement of Applicability, version 1.0, October 2013.

The scope in which ArmyTech management agrees for the ISMS to be operational is the management of information and communication services in research, design, development, integration and sustainment of advanced defense technology systems, network and communications. It excludes the licensing and export agreements, warehouse, off site testing, the delivery and activities related to the Australian Stock Exchange.

I would like to ask Alis, our CISO, to provide us with the approach and methodology that ArmyTech has undertaken for the creation of our ISMS framework. Thank you.
plan do check act

PLAN
1) Identify business objectives.
2) Obtain management support.
3) Select the proper scope of implementation.
4) Define a method of risk assessment.
5) Prepare an inventory of information assets to protect, and rank assets according to risk classification based on risk assessment.

DO
6) Manage the risks, and create a risk treatment plan.
7) Set up policies and procedures to control risks.
8) Allocate resources, and train the staff.

CHECK
9) Monitor the implementation of the ISMS.
10) Prepare for the certification audit.

ACT
11) Conduct periodic reassessment audits:
• Continual Improvement
• Corrective action
• Preventive action
Information Security Management System
Planning

Step 1: Management Support
Outputs: Project Charter; Project Plan & Management decisions

Step 2: Business strategy, governance framework
Output: Strategy & governance framework

Step 3: Define the scope and boundaries of ISMS
Outputs: Scope of the ISMS (as part of SOA); Document control procedure
strategy and governance framework
Regulatory Requirements
• Firearms Act 1996
• Firearms Amendment (Ammunition Control) Act 2012 (amendment from 4 March 2013)
• NSW gun regulations
• The International Traffic in Arms Regulations (ITAR)
• The Australian Customs (Prohibited Exports) Regulations 1958
• The Export Administration Regulations (EAR)
Standards
• ISO 27001 Certified (sections 4 – 8 for creating and operating the ISMS)
• COBIT: NOT certified
Frameworks
• ISO27002 Compliant: It is optional for ArmyTech to use ISO27002 as guidance and support for some of the controls defined in ISO 27001. ArmyTech will implement the best practices described in ISO 27002 as a checklist to be followed.
• ISO27005 Compliant: As part of the ISO 27000 series, ArmyTech intends to comply with ISO 27005 for performing ISRM processes.
• BSI IT Baseline Handbook (Green Book): contains the standard security safeguards required in the organizational, personnel, infrastructure and technical areas.
• SOX404 (Legislation) Compliant: ArmyTech is to be SOX404 compliant as it sells products to the US government, and also as a requirement for “best practices”.
• PCI DSS: ArmyTech is NOT PCI DSS compliant.
Information Security Management System
Planning – Info. gathering – Risk/Threat Issues

Planning
Step 1: Management Support (outputs: Project Charter; Project Plan & Management decisions)
Step 2: Business strategy, governance framework (output: Strategy & governance framework)
Step 3: Define the scope and boundaries of ISMS (outputs: Scope of the ISMS (as part of SOA); Document control procedure)

Info. gathering (information assets, threats, vulnerability & impacts)
Step 4: Identify Information Assets (outputs: TRAM; Asset Classification)
Step 5: Identify Generic Risks & Threats

Risk/Threat Issues
Step 6: Define the risk assessment approach and the required level of assurance (Risk Management Process, methods of analysis; List of Potential Controls; Additional controls which are not defined in ISMS certification criteria)
Step 7: Identify the risk
Step 8: Analyze & evaluate the risk (output: Risk Register)
Step 9: Undertake risk treatment (output: TRA/BIA)
Step 10: Select controls (output: Risk Treatment Plan)
risk management process
(considering risk triggers)

Define the risk assessment approach
• Bow tie analysis
• Cause/consequence analysis
• Cause and Effect analysis
• Business Impact Analysis
• Scenario analysis

Identify Risks
• Identify generic risks & threats using BSI’s new threat catalogue T0 “Elementary Threats”, ISO27005 best practices
• Mapping threats to assets
• Vulnerability Test
• Define threat vectors & impact on CIA

Analyse & Evaluate the Risk
• Likelihood, Consequence, Loss Calculation
• Risk level (considering cost, time, political factors, Acceptable Risks Matrix & Management Response)

Undertake Risk Treatment plan
(Treat, transfer, terminate, accept)

Select Controls & Approval for Proposed Residual Risks
risk level matrix

Likelihood                 Consequence/Impact
                           Negligible  Minor    Moderate  Major    Catastrophic
                           (E)         (D)      (C)       (B)      (A)
A  Almost Certain          Medium      Medium   Major     Extreme  Extreme
B  Likely                  Minor       Medium   Major     Major    Extreme
C  Possible                Minor       Medium   Medium    Major    Major
D  Unlikely                Minor       Minor    Medium    Medium   Major
E  Rare                    Minor       Minor    Medium    Medium   Medium
F  Extremely Rare          Minor       Minor    Minor     Medium   Medium

Extreme: Unacceptable risks, must be eliminated. Intolerable and immediate action is required.
Major: Risks that must be eliminated or have stringent controls in place.
Medium: Acceptable risks that should be looked at after attending to all of the major-risk issues; these need a control in place.
Minor: Insignificant risks that may be ignored.
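The matrix above, worked through in code as an added example (not part of the presentation or of ArmyTech's own material): a small Python helper that encodes the likelihood/consequence grid, checks that the grid is consistent (the level never drops when likelihood or consequence increases, which is the property an "Acceptable Risks Matrix" must have before it is used for management response), and triages a risk register into the order the level definitions imply. The `Risk` class, the sample register entries and the mapping of levels onto treat/transfer/terminate/accept are this example's assumptions.

```python
"""Risk level matrix scoring and register triage.

Added example, not part of the ArmyTech presentation. The MATRIX values are
transcribed from the slide's risk level matrix; the sample register, the Risk
class and the ACTION wording are constructed assumptions for illustration.
"""
from dataclasses import dataclass

# Likelihood codes as on the slide, most likely first.
LIKELIHOOD = {
    "A": "Almost Certain", "B": "Likely", "C": "Possible",
    "D": "Unlikely", "E": "Rare", "F": "Extremely Rare",
}
# Consequence/impact columns, least severe first.
CONSEQUENCE = ["Negligible", "Minor", "Moderate", "Major", "Catastrophic"]

# Risk level for each (likelihood row, consequence column), from the slide.
MATRIX = {
    "A": ["Medium", "Medium", "Major",  "Extreme", "Extreme"],
    "B": ["Minor",  "Medium", "Major",  "Major",   "Extreme"],
    "C": ["Minor",  "Medium", "Medium", "Major",   "Major"],
    "D": ["Minor",  "Minor",  "Medium", "Medium",  "Major"],
    "E": ["Minor",  "Minor",  "Medium", "Medium",  "Medium"],
    "F": ["Minor",  "Minor",  "Minor",  "Medium",  "Medium"],
}

SEVERITY = {"Minor": 0, "Medium": 1, "Major": 2, "Extreme": 3}

# Response per level. The wording follows the slide's level definitions; how
# they map onto treat/transfer/terminate/accept is this example's assumption.
ACTION = {
    "Extreme": "intolerable: immediate action, terminate or treat now",
    "Major":   "treat with stringent controls (or transfer) before any Medium item",
    "Medium":  "acceptable: schedule a control once Major items are handled",
    "Minor":   "accept: insignificant, record and ignore",
}


def risk_level(likelihood: str, consequence: str) -> str:
    """Look up the level for a likelihood code (A-F) and a consequence name."""
    if likelihood not in MATRIX:
        raise ValueError(f"unknown likelihood code {likelihood!r}")
    if consequence not in CONSEQUENCE:
        raise ValueError(f"unknown consequence {consequence!r}")
    return MATRIX[likelihood][CONSEQUENCE.index(consequence)]


def matrix_is_monotone() -> bool:
    """Consistency check: the level must never drop when either the
    likelihood or the consequence increases. A matrix that fails this lets a
    worse scenario score lower than a milder one."""
    rows = [MATRIX[code] for code in "FEDCBA"]  # least likely first
    for row in rows:  # along the consequence axis
        for left, right in zip(row, row[1:]):
            if SEVERITY[right] < SEVERITY[left]:
                return False
    for col in range(len(CONSEQUENCE)):  # along the likelihood axis
        for lower, higher in zip(rows, rows[1:]):
            if SEVERITY[higher[col]] < SEVERITY[lower[col]]:
                return False
    return True


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str   # A-F
    consequence: str  # one of CONSEQUENCE


def needs_control(level: str) -> bool:
    """Everything above Minor needs a control in place (slide definitions)."""
    return SEVERITY[level] >= SEVERITY["Medium"]


def triage(register):
    """Score every entry and return (asset, threat, level, action) tuples,
    highest level first; equal levels keep register order (sort is stable)."""
    scored = [(r, risk_level(r.likelihood, r.consequence)) for r in register]
    scored.sort(key=lambda item: SEVERITY[item[1]], reverse=True)
    return [(r.asset, r.threat, level, ACTION[level]) for r, level in scored]


# Constructed sample register, using asset names from the presentation.
SAMPLE_REGISTER = [
    Risk("R&D data", "data leakage of patent designs", "B", "Catastrophic"),
    Risk("Data Center", "extended power failure", "C", "Major"),
    Risk("Network Infrastructure", "malware outbreak", "B", "Moderate"),
    Risk("Client Communications", "spoofed email", "D", "Minor"),
]

if __name__ == "__main__":
    assert matrix_is_monotone(), "matrix inconsistent: review the grid"
    for asset, threat, level, action in triage(SAMPLE_REGISTER):
        flag = "CONTROL" if needs_control(level) else "accept"
        print(f"{level:8} {flag:8} {asset}: {threat} -> {action}")
```

Running the script prints the constructed register in treatment order, Extreme first. The monotonicity check is the part worth keeping when a matrix is edited: a single mistyped cell can silently rank a catastrophic scenario below a moderate one, and the triage order then misleads the management response.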
Information Security Management System
Planning – Info. gathering – Risk/Threat Issues – Impact Analysis – Cons. & Impl.

Planning
Step 1: Management Support (outputs: Project Charter; Project Plan & Management decisions)
Step 2: Business strategy, governance framework (output: Strategy & governance framework)
Step 3: Define the scope and boundaries of ISMS (outputs: Scope of the ISMS (as part of SOA); Document control procedure)

Info. gathering (information assets, threats, vulnerability & impacts)
Step 4: Identify Information Assets (outputs: TRAM; Asset Classification)
Step 5: Identify Generic Risks & Threats

Risk/Threat Issues
Step 6: Define the risk assessment approach and the required level of assurance (Risk Management Process, methods of analysis; List of Potential Controls; Additional controls which are not defined in ISMS certification criteria)
Step 7: Identify the risk
Step 8: Analyze & evaluate the risk (output: Risk Register)
Step 9: Undertake risk treatment (output: TRA/BIA)
Step 10: Select controls (output: Risk Treatment Plan)

Impact Analysis
• Management approval for proposed residual risks
• Management authorization to implement ISMS

Cons. & Impl.
• Develop ISMS implementation program
• Develop ISMS Operating Program

Outputs of these later steps: SOA (including Scope Statement); Residual risk approval; Operating Procedures; Audit plan, preventive actions, security metrics
enterprise information security management system road map

IT Governance / Control Priorities
Target: ISO27001 Certification

Phases: Project Planning → Information Gathering → Gap Analysis → Business Impact Analysis → Remediation Planning → Implementation & Training Planning

Corporate Information Priorities
• Information Assets & Flows
• Policies & Standards
• Supporting technologies & Procedures

Output plans and documents

Operational ISMS
• Information Security Policy & Standards
• Training & Awareness Programs
• Security Calendar
• Audit & Compliance Checking: Audit Log/Reports; Continuous Improvement Register
• Incident Management & Investigation: Incident Register
security awareness training – who?

It is part of our policy and training plan to cater for & scale the security awareness programs across our organization in order to ensure that users:

IT Security Specialists and Professionals: Education & Experience

Functional Roles and Responsibilities relating to IT Systems (Manage / Acquire / Design & Develop / Implement & Operate / Review & Evaluate / Use): Education

All Users Involved with IT systems: Security Basics & Literacy Training

All Users: Security Awareness (Awareness)
Policy-Training-Awareness
Ensure:
• Users are aware that they are a target
• Motivate and change users’ behavior by teaching them how to use technology securely
• To keep the training program fresh and up-to-date with the latest threat vector information
• Not to underestimate the level of effort needed to maintain the program
The aim is to:
• Go beyond just prevention
• Begin developing human sensors
• Create a far more resilient organization
business continuity management

Risk Assessment → Business Impact Analysis → Risk Assessment Strategy → Incident Management Plan / Disaster Recovery Plan Development → Ongoing Review, Managing Changes, Training & Awareness, Testing → Maintenance & Ongoing Improvement (Audit, Evaluation, Feedback)

Target = Best Practice Alignment
information security management system
- success criteria -
The management and the board of directors at ArmyTech are aware that the success of the ISMS lies in its:
• Clearly defined risk management ownership, accountability, routine risk assessment and mitigation processes
• Focusing on the real threats and matching vulnerabilities, reality check of BCP/DRP providers’ strategy
• And of course ongoing funding for its maintenance & improvement.

Critical Success Criteria
• Roles & Responsibilities
• Risk Policy & Scope
• Risk Assessment
• Reporting Process & Improvement
• Realistic
• Routine
• Objectivity

Project Success Slides
• Clearly defined RM ownership, accountability
• Defined risk limits/tolerance
• Matching vulnerabilities, threats & data
• Funding risk management improvement
• Focus on real threats
• Routine root cause analysis for risk identification & mitigation
• Reality check of strategy conducted by third party and its repeat
Information Security Management System
Planning – Info. gathering – Risk/Threat Issues – Impact Analysis – Cons. & Impl.

Planning
Step 1: Management Support (outputs: Project Charter; Project Plan & Management decisions)
Step 2: Business strategy, governance framework (output: Strategy & governance framework)
Step 3: Define the scope and boundaries of ISMS (outputs: Scope of the ISMS (as part of SOA); Document control procedure)

Info. gathering (information assets, threats, vulnerability & impacts)
Step 4: Identify Information Assets (outputs: TRAM; Asset Classification)
Step 5: Identify Generic Risks & Threats

Risk/Threat Issues
Step 6: Define the risk assessment approach and the required level of assurance (Risk Management Process, methods of analysis; List of Potential Controls; Additional controls which are not defined in ISMS certification criteria)
Step 7: Identify the risk
Step 8: Analyze & evaluate the risk (output: Risk Register)
Step 9: Undertake risk treatment (outputs: TRA; BIA)
Step 10: Select controls (output: Risk Treatment Plan)

Impact Analysis
• Management approval for proposed residual risks
• Management authorization to implement ISMS

Cons. & Impl.
• Develop ISMS implementation program
• Develop ISMS Operating Program

Outputs of these later steps: SOA (including Scope Statement); Residual risk approval; Standard of measures for risks; Operating Procedures; Audit plan, preventive actions, security metrics