Mildinsick.com

Delivering Innovation

Current scenario: Today's organizations rely heavily on information systems to run the business and to offer products and services. They depend on IT for development, production and delivery through a range of in-house applications: financial databases, staff time booking, technical support and other services, remote access for customers and employees, remote access into customer systems, interaction with the outside world via email and the Internet, and the use of third parties and outsourced providers.

Business requirements: Information security is necessary as part of the contract between supplier and client. Marketing wants a competitive advantage and a way to build customer trust. Top management wants to know the status of IT infrastructure outages, information breaches and security incidents within the organization. Legal requirements such as the Data Protection Act, copyright, design and patent law, and the regulatory requirements that apply to the organization must be properly met. Protecting information and information systems in line with business and legal requirements, providing and demonstrating a secure environment to clients, keeping competing client projects separated, and preventing the leakage of confidential information are the biggest challenges for information systems.

Definition of information: Information is an asset that, like other important business assets, is valuable to an organization and therefore must be adequately protected. Whatever form information takes or the means by which it is shared or stored, it must always be adequately protected.

Forms of information: Information can be stored electronically, transmitted over a network, shown in video or spoken aloud.

Threats to information: Cybercriminals, hackers, malware, Trojans, phishing and spammers are the main external threats to an information system, but insiders matter just as much. A study of insider sabotage found that the majority of those who committed it were IT workers who had shown warning signs such as arguing with coworkers, being paranoid and unhappy, being late for work and generally poor job performance. Of these insiders, 86% held technical positions and 90% had administrator or otherwise privileged access to company systems. Most committed the sabotage after their employment had ended, but 41% did so while still employed by the company. The practical lesson is that privileged access must be removed promptly when someone leaves, and its use should be monitored while they are still there.
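The insider figures above point at two concrete checks: successful logins by accounts whose owner has already left, and privileged accounts being used outside normal hours. The following Python is an added example, not code from the original page: it runs those two checks over a few constructed sshd-style log lines. The HR termination feed, the privileged-account list, the log format and the 20:00 to 06:00 "off hours" window are all assumptions made for the example.

```python
"""Added example (not from the original page): detect logins by terminated
staff and off-hours use of privileged accounts in constructed sshd log lines."""
import re
from datetime import datetime, timezone

# Constructed HR feed for the example: username -> termination time (UTC).
# In practice this would come from the HR system or identity provider.
TERMINATED = {
    "jdoe": datetime(2024, 3, 1, tzinfo=timezone.utc),
    "asmith": datetime(2024, 3, 10, tzinfo=timezone.utc),
}

# Constructed list of accounts with administrator or privileged access.
PRIVILEGED = {"root", "jdoe", "svc_backup"}

# Constructed sample log (syslog-like sshd messages); not real data.
SAMPLE_LOG = """\
2024-03-02T22:15:03Z sshd[1432]: Accepted publickey for jdoe from 203.0.113.7 port 51234
2024-03-02T09:10:44Z sshd[1440]: Accepted password for bwong from 198.51.100.5 port 40012
2024-03-11T03:02:17Z sshd[1502]: Accepted password for asmith from 203.0.113.9 port 50001
2024-03-09T12:00:00Z sshd[1377]: Accepted publickey for asmith from 10.0.0.4 port 43210
2024-03-05T01:30:00Z sshd[1600]: Failed password for root from 203.0.113.50 port 41000
2024-03-05T23:45:00Z sshd[1601]: Accepted publickey for svc_backup from 10.0.0.9 port 42000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for (?P<user>\S+) "
    r"from (?P<src>\S+)"
)


def parse_line(line):
    """Parse one sshd line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def classify(event, terminated=TERMINATED, privileged=PRIVILEGED, off_hours=(20, 6)):
    """Return the list of finding tags that apply to a single parsed event."""
    tags = []
    if event["result"] != "Accepted":
        return tags  # only successful logins matter for these two checks
    term_time = terminated.get(event["user"])
    if term_time is not None and event["ts"] >= term_time:
        tags.append("login_after_termination")
    start, end = off_hours
    hour = event["ts"].hour
    is_off_hours = hour >= start or hour < end  # window wraps past midnight
    if event["user"] in privileged and is_off_hours:
        tags.append("privileged_off_hours")
    return tags


def scan(log_text, **kwargs):
    """Scan a block of log text; return (user, iso timestamp, tags) per finding."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue  # unparseable lines are skipped, not silently matched
        tags = classify(event, **kwargs)
        if tags:
            findings.append((event["user"], event["ts"].isoformat(), tags))
    return findings


if __name__ == "__main__":
    for user, when, tags in scan(SAMPLE_LOG):
        print(f"{when} {user}: {', '.join(tags)}")
```

The first check only fires if deprovisioning failed, so it is a detective control for a gap in the HR-to-IT leaver process rather than a substitute for it; the second is a coarse heuristic that needs tuning to the real on-call and change windows before it is useful as an alert.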

Information security incidents: Information security incidents can disrupt the organization's routines and processes, reduce shareholder value, cause loss of privacy, loss of competitive advantage and damage to reputation (devaluing the brand), erode trust in IT, force spending to recover damaged, stolen or corrupted data and to replace lost assets, reduce profitability and, where safety-critical systems fail, cause injury or loss of life.

Some basic questions:

• Do we have an IT security policy?

• Have we ever analyzed threats / risks to our IT infrastructure and activities?

• Are we prepared for any natural calamity like floods, earthquakes, etc.?

• Are all of our assets insured?

• Are we sure our IT infrastructure / network is secure?

• Is our business data safe?

• Is the IP telephony network secure?

• Do we configure and maintain the security features of our applications?

• Do we have a segregated network environment for application development, testing, and the production server?

• Are the office coordinators trained to respond to a physical security incident?

• Do we have control over the distribution of software / information?

Introduction to ISO 27001: In business, having the right information available to the authorized person at the right time can make the difference between profit and loss, success and failure.

There are three aspects of information security:

Confidentiality: Protection of information against unauthorized disclosure, for example to a competitor or the press.

Integrity: Protection of information against unauthorized modification, ensuring that information such as a price list is accurate and complete.

Availability: Ensuring that information is available when it is needed.

Ensuring the confidentiality, integrity and availability of information is essential to maintaining competitive advantage, cash flow, profitability, legal compliance, and brand and business image.

Information security management system (ISMS): This is the part of the general management system based on a business risk approach to establish, implement, operate, monitor, review, maintain and improve information security. The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes, and resources.

About ISO 27001: A leading international standard for information security management. More than 12,000 organizations around the world had been certified to it when this article was written. Its purpose is to protect the confidentiality, integrity and availability of information. It is not focused only on information technology but on the organization's other important assets as well: it covers all business processes and business assets, and the information may or may not relate to IT and may or may not be in digital form. It originated as a code of practice sponsored by the UK Department of Trade and Industry (DTI) that became BS 7799. The family has two core documents, ISO/IEC 27002 and ISO/IEC 27001.

ISO/IEC 27002:2005: A code of practice for information security management. It provides guidance on good practice, can be used selectively as needed within the business, and is not a certification standard.

ISO/IEC 27001:2005: The document used as the basis for certification. It combines a management system with risk management. Its Annex A has 11 security domains, 39 control objectives and 133 controls. (Note that the standard has since been revised; the 2013 and 2022 editions restructure Annex A, so the counts below apply to the 2005 edition described here.)

ISO/IEC 27001: The main body of the standard requires the organization to assess and treat its information security risks; Annex A then groups the controls into the following 11 domains:

  • Security policy
  • Organization of information security
  • Asset management
  • Human resources security
  • Physical and environmental security
  • Communications and operations management
  • Access control
  • Information systems acquisition, development and maintenance
  • Information security incident management
  • Business continuity management
  • Compliance

Benefits of an information security management system (ISMS): Competitive advantage: business partners and customers respond favourably to companies they can trust, and having an ISMS demonstrates maturity and reliability. Some companies will only partner with organizations that have one. Implementing an ISMS can also make operations more efficient, lowering the cost of doing business, which lets companies with an ISMS compete on price.

Reasons for ISO 27001: There are obvious reasons to implement an information security management system based on ISO 27001. The standard helps the organization meet its legal and regulatory obligations. Information assets are very important and valuable to any organization, and shareholders, business partners and customers must be able to trust its information technology before the business advantages can be realized. ISO 27001 certification shows that information assets are well managed with respect to their confidentiality, integrity and availability.

Establishing the ISMS: Is information security a management challenge or a technical problem? It should be viewed as a business and management challenge, not simply a technical issue to be handed over to the experts. To keep the business safe, management needs to understand both the problems and the solutions. In establishing an ISMS, roughly 80% of the effort is management and 20% is technology.

Getting started: Before beginning to establish an ISMS, obtain the approval of management and the other stakeholders. Decide whether the scope is the whole organization or only part of it. Assemble a team of stakeholders and trained professionals, supplemented if needed by consultants with implementation experience.

ISMS certification (ISO 27001): Independent third-party verification of the organization's information security assurance against ISO 27001:2005.

Certification: Stage 1 – documentation audit

Stage 2 – implementation audit

Post-certification: surveillance audits during the following two years, then reassessment and recertification in the third year.

Conclusion: Before an information security management system is implemented, an organization typically already has a number of security controls over its information systems, but they are not managed as a whole. Information is a critical asset for any organization and must be well protected against leakage and attack. ISO/IEC 27001 is the standard for an information security management system (ISMS) that ensures those controls are run through well-managed processes tailored to information security, and implementing an ISMS brings operational efficiencies that reduce the cost of doing business.
