Archive for February, 2010

Information Security Policy

2010.02.24

An Information Security Policy is basically a plan outlining what the company’s critical assets are and how they must (and can) be protected. Its main purpose is to give staff a brief overview of the “acceptable use” of the company’s information assets and to explain what is allowed and what is not, thus engaging them in securing the company’s critical systems.

The document acts as a “must read” source of information for everyone who uses, in any way, the systems and resources defined as potential targets. A good, well-developed security policy should address the following elements:

- How sensitive information must be handled.
- How to properly maintain your ID(s) and password(s), as well as any other account data.
- How to respond to a potential security incident, intrusion attempt, etc.
- How to use workstations and Internet connectivity in a secure manner.
- How to properly use the corporate e-mail system.

Basically, the main reason for creating a security policy is to set the company’s information security foundations, to explain to staff that they are responsible for protecting the information resources, and to highlight the importance of secure communications while doing business online.

Some of the Information Security Policy categories:

• Physical / Desktop Security / Laptop Security
• Internet Access
• Virus Protection
• Data Centre Access
• Software Installation
• Removable Media
• Encryption
• Backups
• Maintenance
• Incident Handling
• Web Browsing
• E-mail Use
• Instant Messaging Applications
• Downloading
• Intrusion Detection
• Acceptable Use

Information Security Management System (ISMS) – ISO 27001

2010.02.22

An Information Security Management System (ISMS) is a management system based on a systematic business-risk approach to establishing, implementing, operating, monitoring, reviewing, maintaining, and improving information security. It is an organizational approach to information security. ISO/IEC 27001 is a standard for information security that focuses on an organization’s ISMS.

Objective of ISMS

Information security is the protection of information to ensure:

• Confidentiality: ensuring that the information is accessible only to those authorised to access it.
• Integrity: ensuring that the information is accurate and complete and that the information is not modified without authorization.
• Availability: ensuring that the information is accessible to authorized users when required.

Why should I implement ISO 27001 ISMS?

• Certification of a management system brings several advantages. It gives an independent assessment of your organization’s conformity to an international standard that contains best practices from ISMS experts.
• To meet legislative and regulatory requirements.
• As a measure of, and independent evidence that, industry best practices are being followed.
• As part of a corporate governance program.

Process for implementing ISO 27001

1. Define an information security policy
2. Define the scope of the information security management system
3. Perform a security risk assessment
4. Manage the identified risks
5. Select the controls to be implemented and applied
6. Prepare an SoA (a “statement of applicability”)

The Certification Process

• Guidelines – ISO/IEC 27002:2007
• Certification – ISO/IEC 27001:2005
• Stage 1: Documentation review and evaluation of the client’s readiness
• Stage 2: Implementation audit and evaluation of the effectiveness of the client’s systems
• Lead Auditor’s recommendation to certify
• Certificate issued by the certification/registration body
• Surveillance
• Periodic review audits (6-month interval)
• Re-certification (after 3 years)