Information Security Management System (ISO 17799:2000 / BS7799)

In any business environment where personnel use different media to store all business-process-related information, the organization needs safety in terms of the content, longevity and usability of that information for those who need it, and must prevent undesirable access by those who do not. Confidentiality, integrity and availability of information may be essential to maintain competitive edge, cash-flow profitability, legal compliance and commercial image. Security threats could come from a wide range of sources, such as computer-assisted fraud, espionage, etc.
INTRODUCTION
Information is an important asset to any organization. This asset is created, shared, transmitted and
stored, in different forms: physical (any media), written or printed, recorded (audio or video).
This information needs protection because of its sensitivity, confidentiality and purpose, and because of the
statutory and regulatory requirements imposed on the organization.
PURPOSE
To facilitate an organization in:
- Identifying the need for security by assessing the risks involved.
- Identifying the process of creating the security measures.
- Training the employees and business partners to understand the need.
- Planning for business continuity and recovery from any disasters.
METHODOLOGY
Steps for Implementation:
1. Kickoff
2. Assess Present State
3. Risk Management
4. Implement Controls
5. Develop Business Continuity Plans
6. Train & Educate Staff
7. Check for Compliance
8. Check for Business Partners' Compliance
9. Plan for Audit
10. Reassess for Continuous Improvement
Techniques Used
TWO DAYS OF AWARENESS TRAINING:
To appreciate the need for and the types of information, along with the probable threats to the safety and integrity of that
information. This covers the following subjects:
- Basics of information security
- Business requirements for ISMS
- Overview of ISO 17799:2003
- Assets and risk management
- Design and implementation of ISMS
- Assessment and Certification
FIVE DAYS OF IMPLEMENTATION TRAINING:
Creating, implementing and managing the information security management system life cycle:
Lesson 1: Scope Determination
Lesson 2: Information Assets Identification
Lesson 3: Determination of the Value of Information Assets
Lesson 4: Risk Determination
Lesson 5: Determination of Policy (or Policies) and Degree of Assurance
Lesson 6: Identification of Objectives and Controls
Lesson 7: Definition of Policies, Standards and Procedures
Lesson 8: Production and Implementation
Lesson 9: Completion of ISMS Documentation
Lesson 10: Audit and Review of ISMS
Summary: Review of the Implementation Process
Identification of Threats
Source of Threat (External):
- Nature/Acts of God.
- Hardware suppliers & software suppliers.
- Contractors & other resource suppliers.
- Competition & debt and equity holders.
- Unions, governments & environmentalists.
- Criminals/hackers.
Source of Threat (Internal):
- Management.
- Employees.
- Unreliable systems.
Security Definitions
- Security Policy: A declaration to demonstrate management support and commitment to the
process of Information Security Management Systems.
- Security Organization: An established management framework to initiate and control the
implementation of Information Security within the organization and to manage ongoing
Information Security provisions.
- Asset Classification & Control: A comprehensive inventory of assets, with responsibility
assigned to ensure that effective security protection is maintained.
- Personnel Security: Well-defined job descriptions for all staff, outlining security roles and
responsibilities.
- Physical & Environmental Security: Clear and concise definitions of the security
requirements for your premises and the people within them.
- Communications & Operations Management: Optimize your communication to facilitate
smooth operation of the Information Security Management Systems.
- Access Control: Network management to ensure that only those with the appropriate responsibility
have access to information in the networks, and protection of the supporting infrastructure.
- System Development & Maintenance: Ensuring that Information Technology projects and support
activities are conducted in a secure manner, through data control and encryption where necessary.
- Business Continuity Management: A managed process for developing and maintaining
business contingency plans that protect critical business processes from major disasters and
failures.
- Compliance: A demonstration to clients, employees and the authorities of your
commitment to meet statutory or regulatory Information Security requirements.