Post on 23-Jan-2017
Information Security Overview
Issue 2 © Intertek QATAR www.intertek.com
Welcome to the Seminar on
INFORMATION SECURITY (ISO 27001:2015)
&
BUSINESS CONTINUITY (ISO 22301:2013)
QATAR 25th November 2015
Today we shall be covering the following topics:
INFORMATION SECURITY
BUSINESS CONTINUITY
RISK MANAGEMENT
AN ORIENTATION
Welcome to the Seminar on ISO 27001:2013 - QATAR
Hackers target business secrets
28 March 2011 http://www.bbc.co.uk/news/technology-12864666
• Intellectual property and business secrets are targets for cyber thieves.
• McAfee said deals were being done for trade secrets, marketing plans, R&D reports and source code.
• It urged companies to know who looks after their data as it moves into the cloud or third-party hosting centres.
• The McAfee report mentioned cases in Germany, Brazil and Italy in which trade secrets were stolen either by an insider or by cyber thieves.
• In some cases, companies made the job of the criminals easier because they did little to censor useful information about a corporation's culture or structure revealed in e-mails and other messages.
• 2010 - Stuxnet virus targeted industrial plant equipment.
• 2011 - attacks on petrochemical firms, the London Stock Exchange and the European Commission.
Some Videos
MASSIVE PERSONAL DATA BREACH IN US?
PRINTERS VULNERABILITIES?
Information
The value of information goes beyond the written words, numbers and images: knowledge, concepts, ideas and brands are examples of intangible forms of information. In an interconnected world, information and related processes, systems, networks and personnel involved in their operation, handling and protection are assets that, like other important business assets, are valuable to an organization's business and consequently deserve or require protection against various hazards.
ISO/IEC 27002:2013
Ver2.0 21 June 2014
WHAT IS OF INFORMATION ?
The elements of information security
Availability – the property of being accessible and usable upon demand by an authorised entity
Information
• the act of informing
• what is conveyed or represented by a particular arrangement or sequence of things
• data as processed, stored, or transmitted by a computer
• facts provided or learned about something or someone
Where is information residing?
Information is of value to the organization and consequently requires adequate protection!
Information needs to be protected!
Standards Considered in this Module
REQUIREMENT – CERTIFIABLE | GUIDELINES – NON-CERTIFIABLE
ISO 27001:2013 OVERVIEW
Figure: External interested parties and internal interested parties of the ISO 27001:2013 ISMS
Information security
Information security – preservation of confidentiality, integrity and availability of information. In addition, other properties, such as authenticity, accountability (2.2), non-repudiation (2.49), and reliability (2.56) can also be involved.
Need to secure Information?
YES > because of THREATS & VULNERABILITIES
Info Security Attack can impact
ISO 27000:2014
ISMS PRINCIPLES
The structure of ISO 27001:2013
ISO 27001:2013 is compliant with Annex SL of the ISO/IEC Directives, in order to be aligned with all the other management system standards – this is already evident in ISO 22301, the new business continuity management standard. The main clauses now common to all the management system standards are:
0 Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
5 Leadership
6 Planning
7 Support
8 Operation
9 Performance evaluation
10 Improvement
PDCA     ISO 27001:2013 Clauses
PLAN     1, 4, 5, 6 & 7 > PLANNING
DO       8 > OPERATION
CHECK    9 > PERFORMANCE EVALUATION
ACT      10 > IMPROVEMENT
LAWS OF THE LAND – Impacting Information Security
1. Qatar HR Law 2009;
2. Qatar Law of Trademark & Commercial Indications Law no. 3 1978;
3. Qatar Copyright Law no. 25 1995;
4. Qatar Public Telecommunications Law no. 13 1987;
5. Qatar Decree ictQATAR Law no. 34 of 2004 & 26 of 2006
4 PHASES OF RISK MANAGEMENT
Incident > Product Withdrawal and Product Recall
Mattel recalls 1.5 million toys:
http://www.youtube.com/watch?v=NlsvfXAQ5v8&feature=fvw
Lead contamination – toxic levels of lead paint lawsuit:
http://www.youtube.com/watch?v=3DL4dleEz7I
Incident > Product Withdrawal and Product Recall
The 2009 Toyota 9 Million Car Recall
Toyota Motor Corp. recalled approximately 9 million vehicles in the United States, which was the company's largest-ever U.S. recall. The purpose of the recall was to address quality assurance and quality control problems with a removable floor mat that could cause accelerators to get stuck and potentially lead to a crash. (Source: Toyota recalls 3.8 million vehicles, MSNBC.com)
Toyota, which up until that point had prided itself on its quality practices, had made the decision in the 1990s to put a greater emphasis on growth. They failed to adhere to the quality principle of employee involvement, as there was less employee engagement and sharing of best practices. While the CEO was proactive about cancelling the sales and production of the recalled models, 52 people lost their lives as a result of motor vehicle crashes.
COST IMPACT DUE TO PERFECTION / NON-CONFORMANCE
Now let us understand BCMS
THANK YOU !