Welcome Onboard Government Information Security Practitioners
Ramadan Kareem
Security and Audit Office, ITA
Agenda
- What is an Information Asset?
- What is Information Security?
- Information Security Incidents (Events)
- Information Security Management System (ISMS)
- Benefits of ISMS to the Organisation
- Benefits of ISMS to the Community
- ISMS in Six Simple Steps
- Information Security Practitioners (ISPs)
- Responsibilities of ISPs
- Competence Development
- Key Messages
ITA Confidential
Information Asset
- An asset is something owned by a firm or an individual that has an economic value attached to it.
- An Information Asset is a definable piece of information, stored in any manner, which is recognized as 'valuable' to the organization.
- Information and knowledge have together been recognized as "Information Asset".
- Money, skill, time, resources, or a combination of these are required to replace / restore an "Information Asset".
- Examples: Medical Records (intangible); Servers, Laptops (tangible)
Information Security
- Security: the collective measures taken to protect (or guard) an asset from being stolen or damaged.
- Information Security is the protection of information assets:
  - against unauthorized access (ensure Confidentiality);
  - against modification of information, whether in storage, processing, or transit (ensure Integrity);
  - against denial of service to authorized users (ensure Availability).
(Global) Information Security Events
- In the US, stolen PCs contained 185,000 patients' medical records.
- The UK Government lost at least 150 computers in the first half of 2005.
- A German Police hard drive containing confidential information was sold on eBay.
- A survey estimates that 11,300 laptops, 31,400 handheld devices and 200,000 mobile phones were left in taxis around the world during the first six months of 2005.
- In Canada, a medical lab database corruption affected 2,200 patients.
- US Airways honored 1,000 tickets at $1.86 due to a computer glitch.
- 600,000 customers of Bank of America Corp. were notified that their financial records may have been stolen by bank employees and sold to collection agencies.
- Fake ATMs in Romania were used for identity theft.
- Carjackers stole a biometric Mercedes, plus the owner's finger, in Singapore.
Information Security Management System
- An Information Security Management System (ISMS) includes all of the policies, procedures, plans, processes, practices, roles, responsibilities, structures and resources (hardware and software) that are used to protect and preserve information.
- An ISMS includes all of the elements that organizations use to manage and control their information security risks.
- An ISMS is a systematic approach to managing sensitive company information so that it remains secure.
- An ISMS covers the People, Process and Technology dimensions of Information Security.
- BSI published a code of practice for ISMS, which has now been adopted internationally as ISO/IEC 27001:2005.
Benefits of an ISMS to the Organisation
After implementing an ISMS, the organisation may realize the benefits of:
- preventing an information security incident from occurring;
- reducing the likelihood of a security incident occurring;
- detecting an incident occurring, or its effects;
- protecting the information from the effects of an incident;
- responding to an incident to minimise business damage;
- recovering quickly should an incident occur;
- reducing the consequences or impact of a security incident.
Benefits to the Community
- Effective and efficient protection of Government assets
- Protection of individuals' private information held with the Government agencies
- Reduced likelihood of security breaches and losses
- Reduced likelihood of disruptions to operations and services
- Consistent availability of Government services to the community
- Public trust in electronic transactions with the Government
ISMS in Six Simple Steps
1. Establish the ISMS Scope, Boundary and Policy
2. Identify Your Information Assets
3. Conduct a Risk Assessment
4. Risk Treatment (e.g. apply appropriate controls)
5. Monitor and Review
6. Maintain, Learn and Improve
ISO/IEC 27001 ISMS Certification
- The ISO 27001 standard provides a model for establishing and managing an ISMS.
- The standard follows a process-based approach to establishing and managing an ISMS.
- The domains covered include:
  - Security Policy
  - Organization of Information Security
  - Asset Management
  - Human Resources Security
  - Physical and Environmental Security
  - Communications and Operations Management
  - Access Control
  - Information Systems Acquisition, Development and Maintenance
  - Information Security Incident Management
  - Business Continuity Management
  - Compliance (legal requirements, etc.)
Information Security Practitioners
- The "Champions of Information Security" within your organization.
- Develop an undying "Passion for Security".
- Spread the "Importance of Information Security" across various levels: Executive Management, IT Management, Business Departments and the entire user community.
- Play the "Lead Role" in planning, establishing and managing an "Information Security Management System".
- Share knowledge with all other practitioners.
- Contribute to the growth of the "Infosec Community" in Oman.
Responsibilities of ISPs
- Establish, manage and consistently monitor the "Information Security Management System" of the organization.
- Understand the concept of protecting information assets from a business perspective.
- Understand risk management methodologies and apply commensurate controls to handle the identified risks.
- Take proactive and reactive actions and ensure timely management of information security incidents.
- Maintain current knowledge of government measures and recommended practices.
- Act as an interface between the organization and ITA.
- Acquire, maintain and share knowledge related to all aspects of Information Security.
Competence Development
- ITA is committed to the development of competence and skills of all ISPs.
- A competence development plan is being devised.
- The plan shall include training / hands-on workshops and conferences.
- The plan shall cover both Security Management and Technology areas (e.g. ISO 27001, Microsoft Security, etc.).
- It aims at walking each ISP through a formal certification process (e.g. CISM, etc.).
- ISPs are expected to be committed and focused on knowledge / skill development.
Key Messages
- Let us together work towards a "Secure Digital Oman".
- Security is about People, Processes, Policies and then Technologies.
- Investment in "Security" (controls / technologies) should be commensurate with the "Business Risks": "Choose the Right Lock for the Right Mandoos".
- Security is dynamic and requires "Always-On" vigil.
- Let us share thoughts and knowledge.
- Always keep in touch.
- Look forward to the "Security Training Calendar".
- In short, "Feel Passionate and Committed about Security".
- The Security and Audit Office of ITA is available for assistance in security-related matters.
Infosec is similar to a Game of Chess…
Discussion Time… security@ita.gov.om
- Slides: 17