Information Security Management System with ISO/IEC 27001 in Education
(slide deck, 15 pages)

Page 1: Information Security Management System with ISO/IEC 27001 in Education

"Implementing ISO/IEC 27001 certification in an educational institution"

นางสาวกาญจนา สุกปลั่ง and นายเจตนันต์ เจือจันทร์

Computer Centre (สำนักคอมพิวเตอร์), Burapha University

Page 2: Outline

• Information Security

• Information Security Management

• ISMS Methodology and Key Activities

• ISMS Control Objectives and Controls

• Risk Management

• ISMS Implementation and Certification Process

• ISO/IEC 27001:2013 in Education

• Other standards

Page 3: Cybersecurity threats

Live threat maps shown during the talk:

https://threatmap.fortiguard.com/

https://threatmap.checkpoint.com/ThreatPortal/livemap.html

Page 4: Information Security

• Information security (in Thai: data security, information security, protection of information) refers to the processes and tools designed and deployed to protect sensitive business information from modification, disruption, destruction, and unauthorised inspection. Modification threatens integrity, disruption and destruction threaten availability, and inspection threatens confidentiality, the three properties on the next slide.

Page 5: Information Security

The three properties of information security (the CIA triad):

• Confidentiality

• Integrity

• Availability

InfoSec rests on three pillars, numbered on the slide as:

1. Technology

2. Process

3. People

Lines of defense (the three rows on the slide):

- Operational management; internal controls

- Risk management; compliance

- Awareness and training; internal audit

Page 6: Information Security Management

The PDCA cycle applied to the ISMS:

- PLAN: establish the ISMS

- DO: implement and operate the ISMS

- CHECK: monitor and review the ISMS

- ACT: maintain and improve the ISMS

Assets under security management: people, information, software, hardware, processes / services.

Security management, structured by the ISO/IEC 27001:2013 clauses:

Context of the organization

- Organization and its context

- Needs and expectations of interested parties

- Scope of ISMS

Leadership

- Leadership and commitment

- Policy

- Roles, responsibilities and authorities

Planning

- Action to address risks and opportunities

- Objectives and planning

Support

- Resources

- Competence

- Awareness

- Communication

- Documented information

Operation

- Operational planning and control

- Risk assessment

- Risk treatment

Performance Evaluation

- Monitoring, measurement, analysis and evaluation

- Internal audit

- Management review

Improvement

- Nonconformity and corrective action

- Continual improvement

Page 7: ISMS Methodology and Key Activities

1. Secure executive support

2. Define the scope of the system

3. Evaluate assets

4. Define the Information Security Management System

- Set the ISMS objectives

- ISMS scope

- Information assets

- Risk analysis

5. Train and build competencies for the roles

6. System maintenance and monitoring

7. Certification audit

- ISMS

- ISMS audits and reviews

- ISO 27001 certificate

Page 8: ISMS Control Objectives and Controls

• Requirements and controls: ISO/IEC 27001:2013 (clauses 4-10)

4. Context of the organization

5. Leadership

6. Planning

7. Support

8. Operation

9. Performance evaluation

10. Improvement

• ISO/IEC 27001:2013 Annex A control domains

5. Information security policies

6. Organisation of information security

7. Human resources security

8. Asset management

9. Access control

10. Cryptography

11. Physical and environmental security

12. Operations security

13. Communications security

14. System acquisition, development and maintenance

15. Supplier relationships

16. Information security incident management

17. Information security aspects of business continuity management

18. Compliance

Page 9: The ISO 27001 requirements (clauses 4-10)

4.1 Understanding the organisation and its context

4.2 Understanding the needs and expectations of interested parties

4.3 Determining the scope of the information security management system

4.4 Information security management system

5.1 Leadership and commitment

5.2 Information Security Policy

5.3 Organizational roles, responsibilities and authorities

6.1 Actions to address risks and opportunities

6.2 Information security objectives and planning to achieve them

7.1 Resources

7.2 Competence

7.3 Awareness

7.4 Communication

7.5 Documented information

8.1 Operational planning and control

8.2 Information security risk assessment

8.3 Information security risk treatment

9.1 Monitoring, measurement, analysis and evaluation

9.2 Internal audit

9.3 Management review

10.1 Nonconformity and corrective action

10.2 Continual improvement

Page 10: The ISO 27001 Annex A controls

A.5 Information security policies

A.6 Organisation of information security

A.7 Human resource security

A.8 Asset management

A.9 Access control

A.10 Cryptography

A.11 Physical and environmental security

A.12 Operations security

A.13 Communications security

A.14 System acquisition, development, and maintenance

A.15 Supplier relationships

A.16 Information security incident management

A.17 Information security aspects of business continuity management

A.18 Compliance

Page 11: Document structure

The ISMS documentation pyramid on the slide, top to bottom:

- ISO Manual (system manual)

- ISO Procedures (operating procedures)

- Work instructions (practice manuals)

- Others: supporting documents, records, data and forms; records; reports and e-documents

Page 12: Risk Management

The flowchart on the slide runs through four phases, with two Yes/No decisions.

Risk Identification

- Assets (identify the assets)

- Valuation (rate their importance)

- Risk events (identify the events)

- Risk owners (assign who is responsible)

- Threats (identify the threats)

- Vulnerabilities (identify the vulnerabilities)

- Existing controls

Risk Analysis

- Consequence exposure (assess the level of damage)

- Impact rating (assess the level of impact)

- Likelihood rating (assess the probability of occurrence)

- Risk value / level of risk (calculate the risk level)

Risk Evaluation

- Risk evaluation (rank the risks)

- Compare each risk against the risk acceptance criteria

- Decision: within the acceptance criteria? Yes: acceptance (accept the risk). No: proceed to risk treatment.

Risk Treatment

- Options for treatment (consider the response options)

- Selection of controls (consider the control measures)

- Risk treatment plan: prepare the process for managing the risks and the selected measures (InfoSec risk treatment plan)

- Risk management plan (prepare the plan), then risk approval (approve the plan)

- Manage the risk (carry out the plan)

- Residual risk (assess the remaining level of risk)

- Decision: residual risk within the acceptance criteria? Yes: accept. No: consider additional guidelines for improvement and additional measures; the opportunities for improvement feed the InfoSec improvement plan.
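The flow on this slide, carried through as a small Python risk register. This is an added example, not the university's own register or any ISO tooling; the 1-to-5 rating scales, the qualitative bands, the acceptance threshold of 8, the sample assets and their ratings are all assumptions for illustration, while the control references follow ISO/IEC 27001:2013 Annex A numbering. It takes each risk through identification (asset, owner, threat, vulnerability, existing controls), analysis (consequence exposure to impact rating, likelihood rating, risk value), evaluation against the acceptance criteria, treatment, and the residual-risk check that sends a still-unacceptable risk back for additional measures.

```python
"""Risk assessment and treatment flow from the slide: identify, analyse, evaluate, treat,
then re-check the residual risk against the acceptance criteria (the slide's Yes/No branch).
Added illustration, not the university's register or tooling: the 1..5 scales, the bands,
the acceptance threshold and the sample risks are constructed assumptions."""
from dataclasses import dataclass, field
from enum import Enum

RISK_ACCEPTANCE_THRESHOLD = 8  # assumption: likelihood x impact of 8 or less is acceptable

class Treatment(Enum):
    ACCEPT = "accept"  # within the criteria, no further action
    MODIFY = "modify"  # select controls that lower likelihood and/or impact
    AVOID = "avoid"    # stop the activity that creates the risk
    SHARE = "share"    # transfer part of the risk (supplier, insurance)

@dataclass
class Risk:
    asset: str
    owner: str                 # risk owner accountable for the treatment
    threat: str
    vulnerability: str
    likelihood: int            # likelihood rating, 1..5
    consequence: dict          # consequence exposure {"C", "I", "A"} -> 1..5
    existing_controls: list = field(default_factory=list)
    treatment: Treatment = Treatment.ACCEPT
    selected_controls: list = field(default_factory=list)  # Annex A references
    residual_likelihood: int = 0  # 0 = not rated; required for MODIFY and SHARE
    residual_impact: int = 0

def check_rating(value) -> int:
    """Ratings are integers on a 1..5 scale; anything else is a data-entry error."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"rating must be an integer in 1..5, got {value!r}")
    return value

def impact_rating(consequence: dict) -> int:
    """Impact rating = worst consequence across confidentiality, integrity, availability."""
    if set(consequence) != {"C", "I", "A"}:
        raise ValueError("consequence must rate exactly C, I and A")
    return max(check_rating(v) for v in consequence.values())

def risk_value(likelihood, impact) -> int:
    """Level of risk = likelihood rating x impact rating (1..25)."""
    return check_rating(likelihood) * check_rating(impact)

def risk_level(value: int) -> str:
    """Qualitative band for a risk value (assumed bands)."""
    return ("low" if value <= 4 else "medium" if value <= RISK_ACCEPTANCE_THRESHOLD
            else "high" if value <= 15 else "critical")

def assess(risk: Risk) -> dict:
    """Take one risk through analysis, evaluation and the residual-risk check."""
    impact = impact_rating(risk.consequence)
    inherent = risk_value(risk.likelihood, impact)
    acceptable = inherent <= RISK_ACCEPTANCE_THRESHOLD  # risk evaluation
    if risk.treatment is Treatment.ACCEPT:
        if not acceptable:  # a risk above the criteria cannot simply be accepted
            raise ValueError(f"{risk.asset}: inherent risk {inherent} exceeds the acceptance criteria")
        residual = inherent
    elif risk.treatment is Treatment.AVOID:
        residual = 0  # the activity is stopped, so nothing remains
    else:  # MODIFY or SHARE: controls must be selected and the residual risk re-rated
        if not risk.selected_controls or not (risk.residual_likelihood and risk.residual_impact):
            raise ValueError(f"{risk.asset}: {risk.treatment.value} needs controls and residual ratings")
        residual = risk_value(risk.residual_likelihood, risk.residual_impact)
    return {
        "asset": risk.asset, "owner": risk.owner, "impact": impact,
        "inherent": inherent, "level": risk_level(inherent), "acceptable": acceptable,
        "treatment": risk.treatment.value,
        "controls": risk.existing_controls + risk.selected_controls,
        "residual": residual, "residual_level": risk_level(residual),
        # the slide's "No" branch: go back and consider additional measures
        "needs_further_treatment": residual > RISK_ACCEPTANCE_THRESHOLD,
    }

def assess_register(register) -> list:
    """Input for the risk treatment plan: every risk assessed, highest inherent risk first."""
    return sorted((assess(r) for r in register), key=lambda row: -row["inherent"])

def open_items(register) -> list:
    """Assets whose residual risk still fails the acceptance criteria."""
    return [row["asset"] for row in assess_register(register) if row["needs_further_treatment"]]

# Constructed sample register for a university, for demonstration only.
SAMPLE_REGISTER = [
    Risk("Student records database", "Registrar", "SQL injection by an external attacker",
         "Unpatched web portal, unvalidated input", 4, {"C": 5, "I": 4, "A": 3},
         existing_controls=["Perimeter firewall"], treatment=Treatment.MODIFY,
         selected_controls=["A.12.6.1 Management of technical vulnerabilities",
                            "A.14.2.1 Secure development policy"],
         residual_likelihood=2, residual_impact=5),
    Risk("Staff email accounts", "Computer Centre", "Credential phishing",
         "Password-only login, low awareness", 5, {"C": 3, "I": 3, "A": 2},
         treatment=Treatment.MODIFY, residual_likelihood=2, residual_impact=3,
         selected_controls=["A.7.2.2 Information security awareness, education and training",
                            "A.9.4.2 Secure log-on procedures"]),
    Risk("Lecture hall projector", "Facilities", "Hardware failure", "No spare unit",
         3, {"C": 1, "I": 1, "A": 2}),
]
REPORT = assess_register(SAMPLE_REGISTER)  # rows for the risk treatment plan
```

In the sample register the student records database starts at a risk value of 20 (critical), and even after the selected controls its residual value of 10 is still above the threshold, so it lands in `open_items` and must loop back for additional measures; the phishing risk drops from 15 to 6 and is accepted; the projector is accepted as-is because its inherent value of 6 is already within the criteria. Trying to mark a risk above the threshold as ACCEPT, or a MODIFY without selected controls and residual ratings, raises an error rather than silently producing an approved plan.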

Page 13: ISMS Implementation and Certification Process

The PDCA ISMS methodology runs continuously beneath a three-year certification cycle:

- Start: certification audit, leading to ISO 27001 certification

- Year 1: surveillance audit

- Year 2: surveillance audit

- Year 3: re-certification audit

Page 14: ISO/IEC 27001:2013 in Education

• ISO/IEC 27001 certificates in Thailand in 2017: 287

• ISO/IEC 27001 certificates in the Education sector worldwide in 2017: 54

• Education (ICT) is counted under the Information technology sector

ISO/IEC 27001 certificates by sector, twelve annual counts ending in 2017 (the slide carries no year header; the last Education value matches the 2017 figure above). The number in front of each sector is its code on the slide.

Sector                     Counts by year, oldest first
33 Information technology  890  1236  1152  2086  3217  3588  4558  5059  4933  5573  6578  7478
34 Engineering services     25    33    48   173   122   126   189   211   217   201   245   382
35 Other services          189   204   228   380   579   564   755   849   867   959  1432  1369
36 Public administration    23    33    79   181    79   106   155   192   191   212   235   185
37 Education                 8     9    25    47    75    65   102   101    83   104   109    54

Page 15: Q&A

• https://ict.buu.ac.th/index.php?r=about-us/iso27001