Current Scenario: Present day organizations are highly dependent on Information systems to manage business and deliver products/services. They depend on IT for development, production and delivery in various internal applications. The application includes financial databases, employee time booking, providing helpdesk and other services, providing remote access to customers/ employees, remote access of client systems, interactions with the outside world through e-mail, internet, usage of third parties and outsourced suppliers.
Business Requirements:Information Security is required as part of contract between client and customer. Marketing wants a competitive edge and can give confidence building to the customer. Senior management wants to know the status of IT Infrastructure outages or information breaches or information incidents within organization. Legal requirements like Data Protection Act, copyright, designs and patents regulation and regulatory requirement of an organization should be met and well protected. Protection of Information and Information Systems to meet business and legal requirement by provision and demonstration of secure environment to clients, managing security between projects of competing clients, preventing leak of confidential information are the biggest challenges to Information System.
Information Definition: Information is an asset which like other important business assets is of value to an organization and consequently needs to be suitably protected. Whatever forms the information takes or means by which it is shared or stored should always be appropriately protected.
Forms of Information: Information can be stored electronically. It can be transmitted over network. It can be shown on videos and can be in verbal.
Information Threats:Cyber-criminals, Hackers, Malware, Trojans, Phishes, Spammers are major threats to our information system. The study found that the majority of people who committed the sabotage were IT workers who displayed characteristics including arguing with co-workers, being paranoid and disgruntled, coming to work late, and exhibiting poor overall work performance. Of the cybercriminals 86% were in technical positions and 90% had administrator or privileged access to company systems. Most committed the crimes after their employment was terminated but 41% sabotaged systems while they were still employees at the company.Natural Calamities like Storms, tornados, floods can cause extensive damage to our information system.
Information Security Incidents: Information security incidents can cause disruption to organizational routines and processes, decrease in shareholder value, loss of privacy, loss of competitive advantage, reputational damage causing brand devaluation, loss of confidence in IT, expenditure on information security assets for data damaged, stolen, corrupted or lost in incidents, reduced profitability, injury or loss of life if safety-critical systems fail.
Few Basic Questions:
• Do we have IT Security policy?
• Have we ever analyzed threats/risk to our IT activities and infrastructure?
• Are we ready for any natural calamities like flood, earthquake etc?
• Are all our assets secured?
• Are we confident that our IT-Infrastructure/Network is secure?
• Is our business data safe?
• Is IP telephone network secure?
• Do we configure or maintain application security features?
• Do we have segregated network environment for Application development, testing and production server?
• Are office coordinators trained for any physical security out-break?
• Do we have control over software /information distribution?
Introduction to ISO 27001:In business having the correct information to the authorized person at the right time can make the difference between profit and loss, success and failure.
There are three aspects of information security:
Confidentiality: Protecting information from unauthorized disclosure, perhaps to a competitor or to press.
Integrity: Protecting information from unauthorized modification, and ensuring that information, such as price list, is accurate and complete
Availability: Ensuring information is available when you need it. Ensuring the confidentiality, integrity and availability of information is essential to maintain competitive edge, cash flow, profitability, legal compliance and commercial image and branding.
Information Security Management System (ISMS): This is the part of overall management system based on a business risk approach to establish, implement, operate, monitor, review, maintain and improve information security. The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.
About ISO 27001:- A leading international standard for information security management. More than 12,000 organizations worldwide certified against this standard. Its purpose is to protect the confidentiality, integrity and availability of information.Technical security controls such as antivirus and firewalls are not normally audited in ISO/IEC 27001 certification audits: the organization is essentially presumed to have adopted all necessary information security controls. It does not focus only on information technology but also on other important assets at the organization. It focuses on all business processes and business assets. Information may or may not be related to information technology & may or may not be in a digital form. It is first published as department of Trade and Industry (DTI) Code of Practice in UK known as BS 7799.ISO 27001 has 2 Parts ISO/IEC 27002 & ISO/IEC 27001
ISO / IEC 27002: 2005: It is a code of practice for Information Security Management. It provides best practice guidance. It can be used as required within your business. It is not for certification.
ISO/IEC 27001: 2005:It is used as a basis for certification. It is something Management Program + Risk Management. It has 11 Security Domains, 39 Security Objectives and 133 Controls.
ISO/IEC 27001: The standard contains the following main sections:
- Risk Assessment
- Security Policy
- Asset Management
- Human Resources Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Information Systems Acquisition, development and maintenance
- Information Security Incident Management
- Business Continuity Management
Benefits of Information Security Management Systems (ISMS):competitive Advantages: Business partners and customers respond favorably to trustworthy companies. Having ISMS will demonstrate maturity and trustworthiness. Some companies will only partner with those who have ISMS. Implementing ISMS can lead to efficiencies in operations, leading to reduced costs of doing business. Companies with ISMS may be able to compete on pricing also.
Reasons for ISO 27001: There are obvious reasons to implement an Information Security Management System (ISO 27001). ISO 27001 standard meets the statutory or regulatory compliance. Information assets are very important and valuable to any organization. Confidence of shareholders, business partner, customers should be developed in the Information Technology of the organization to take business advantages. ISO 27001 certification shows that Information assets are well managed keeping into consideration the security, confidentiality and availability aspects of the information assets.
Instituting ISMS:Information Security -Management Challenge or Technical Issue? Information security must be seen as a management and business challenge, not simply as a technical issue to be handed over to experts. To keep your business secure, you must understand both the problems and the solutions. To institute ISMS management play 80% role and 20% responsibility of technology system.
Beginning: – Before beginning to institute ISMS you need to get approval from Management/Stake Holders. You have to see whether you are attempting to do it for whole organization or just a part. You must assemble a team of stakeholders and skilled professionals. You may choose to supplement the team with consultants with implementation experience.
ISMS (ISO 27001) Certification: An independent verification by third party of the information security assurance of the organization based on ISO 27001:2005 standards.
Pre-Certification: Stage 1 – Documentation Audit
Stage 2 – Implementation Audit
Post- certification: Continuing Surveillance for 2 years 3rd-Year Re-assessment/Recertification
Conclusion: Prior to implementation of management system for Information Security controls, organization does have various securities control over information system.These security controls tend to somewhat disorganized and disjointed. Information, being a very critical asset to any organization needs to be well protected from being leaked or hacked out. ISO/IEC 27001 is a standard for Information security management system (ISMS) that ensures well managed processes are being adapted for information security. Implementation of ISMS lead to efficiencies in operations leading to reduced costs of doing business.