Information Security Management System with ISO/IEC …The ISO 27001 Annex A Controls A.5...
Information Security Management System with ISO/IEC 27001 in Education
"Implementation for ISO/IEC 27001 certification in educational institutions"
นางสาวกาญจนา สุกปลั่ง, นายเจตนันต์ เจือจันทร์
Computer Center, Burapha University
Outline
• Information Security
• Information Security Management
• ISMS Methodology and Key Activities
• ISMS Control Objectives and Controls
• Risk Management
• ISMS Implementation and Certification Process
• ISO/IEC 27001:2013 in Education
• Other Standard
Cybersecurity Threats (live threat maps)
https://threatmap.fortiguard.com/
https://threatmap.checkpoint.com/ThreatPortal/livemap.html
Information Security
• Information security (the protection of data and information systems) refers to the processes and tools designed and deployed to protect sensitive business information from modification, disruption, destruction, and inspection.
Information Security
• Confidentiality (keeping information secret)
• Integrity (correctness and completeness)
• Availability (readiness for use)
InfoSec: 1. Technology, 2. Process, 3. People
Line of Defense
- Operational management, internal controls
- Risk management, compliance
- Awareness and training, internal audit
Information Security Management
- Establish the ISMS (PLAN)
- Implement and operate the ISMS (DO)
- Monitor and review the ISMS (CHECK)
- Maintain and improve the ISMS (ACT)
Assets: People, Information, Software, Hardware, Process / Services
Security Management
Context of the organization
- Organization and its context
- Needs and expectations of interested parties
- Scope of ISMS
Leadership
- Leadership and commitment
- Policy
- Roles, responsibilities and authorities
Planning
- Action to address risks and opportunities
- Objectives and planning
Support
- Resources
- Competence
- Awareness
- Communication
- Documented information
Operation
- Operational planning and control
- Risk assessment
- Risk treatment
Performance Evaluation
- Monitoring, measurement, analysis and evaluation
- Internal audit
- Management review
Improvement
- Nonconformity and corrective action
- Continual improvement
ISMS Methodology and Key Activities
1. Secure executive support
2. Define the scope of the system
3. Evaluate assets
4. Define the Information Security Management System
- Set the ISMS objectives
- ISMS scope
- Information assets
- Risk analysis
5. Train and build competencies for the roles
6. System maintenance and monitoring
7. Certification audit
- ISMS
- ISMS audits and reviews
- ISO 27001 certificate
ISMS Control Objectives and Controls
• Requirements and controls of ISO 27001:2013 (clauses 4-10)
ISO 27001:2013 clauses:
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement
ISO 27001:2013 (Annex A Controls):
5. Information security policies
6. Organisation of information security
7. Human resources security
8. Asset management
9. Access control
10. Cryptography
11. Physical and environmental security
12. Operations security
13. Communications security
14. Systems acquisition, development & maintenance
15. Supplier relationships
16. Information security incident management
17. Information security aspects of business continuity management
18. Compliance
The ISO 27001 requirements
4.1 Understanding the organisation and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the information security management system
4.4 Information security management system
5.1 Leadership and commitment
5.2 Information Security Policy
5.3 Organizational roles, responsibilities and authorities
6.1 Actions to address risks and opportunities
6.2 Information security objectives and planning to achieve them
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
8.1 Operational planning and control
8.2 Information security risk assessment
8.3 Information security risk treatment
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
10.1 Nonconformity and corrective action
10.2 Continual improvement
The ISO 27001 Annex A Controls
A.5 Information security policies
A.6 Organisation of information security
A.7 Human resource security
A.8 Asset management
A.9 Access control
A.10 Cryptography
A.11 Physical and environmental security
A.12 Operations security
A.13 Communications security
A.14 System acquisition, development, and maintenance
A.15 Supplier relationships
A.16 Information security incident management
A.17 Information security aspects of business continuity management
A.18 Compliance
Document structure
- System manual (ISO Manual)
- Operating procedures (ISO Procedure)
- Work instructions
- Supporting documents, records, data and forms (Others, Records, Reports, e-Docs)
Risk Management
Risk Identification
- Asset: identify the assets
- Valuation: identify their importance
- Risk Events: identify the events
- Risk Owners: identify who is responsible
- Threats: identify the threats
- Vulnerabilities: identify the vulnerabilities
- Existing Controls
Risk Analysis
- Consequence Exposure: assess the level of damage
- Impact Rating: assess the level of impact
- Likelihood Rating: assess the likelihood of occurrence
- Risk Value / Level of Risks: calculate the level of risk
Risk Evaluation
- Risk Evaluation: rank the risks
- Risk against Risk Acceptance Criteria: compare against the acceptance criteria
  - Yes: Acceptance (accept the risk)
  - No: proceed to Risk Treatment
Risk Treatment
- Option for treatment: consider the response options
- Selection of Control: consider control measures
- Risk Manage: manage the risk; prepare the process for managing risks and measures (risk management approach, selected measures)
- Risk Treatment Plan: InfoSec risk treatment plan
- Plan: prepare the management plan
- Risk Approve: approve the plan
- Residual Risk: assess the remaining level of risk against the acceptance criteria
  - Yes: Acceptance
  - No: consider additional guidelines for improvement and measures for the measures in use
- Opportunities for improvement: InfoSec improvement plan
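The identification, analysis, evaluation and treatment flow above can be exercised as a small risk register. The following is an added example and is not from the slides or from Burapha University: the 1-5 rating scales, the "likelihood x impact" risk value, the level bands and the acceptance criterion "risk value <= 8" are assumptions, and the register entries are constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed scales and criteria (not from the slides): ratings are 1-5,
# risk value = likelihood x impact (1-25), and the organisation's risk
# acceptance criterion is "risk value <= 8".
ACCEPTANCE_THRESHOLD = 8


@dataclass
class Risk:
    asset: str
    owner: str                    # risk owner
    risk_event: str
    threat: str
    vulnerability: str
    existing_controls: list = field(default_factory=list)
    likelihood: int = 1           # 1 (rare) .. 5 (almost certain)
    impact: int = 1               # 1 (negligible) .. 5 (severe)

    def risk_value(self) -> int:
        """Risk Analysis: combine the likelihood and impact ratings."""
        for rating in (self.likelihood, self.impact):
            if not 1 <= rating <= 5:
                raise ValueError("ratings must be 1-5")
        return self.likelihood * self.impact


def risk_level(value: int) -> str:
    """Map the numeric risk value onto a level (assumed bands)."""
    if value >= 15:
        return "High"
    if value > ACCEPTANCE_THRESHOLD:
        return "Medium"
    return "Low"


def evaluate(risk: Risk, threshold: int = ACCEPTANCE_THRESHOLD) -> dict:
    """Risk Evaluation: compare the risk value against the acceptance
    criteria. 'Yes' -> accept and record; 'No' -> go to risk treatment."""
    value = risk.risk_value()
    return {
        "asset": risk.asset,
        "risk_value": value,
        "level": risk_level(value),
        "decision": "accept" if value <= threshold else "treat",
    }


def treat(risk: Risk, control: str, new_likelihood: int, new_impact: int,
          threshold: int = ACCEPTANCE_THRESHOLD) -> dict:
    """Risk Treatment: apply a selected control, re-rate, and check the
    residual risk against the same acceptance criteria."""
    residual = Risk(risk.asset, risk.owner, risk.risk_event, risk.threat,
                    risk.vulnerability, risk.existing_controls + [control],
                    new_likelihood, new_impact)
    residual_value = residual.risk_value()
    accepted = residual_value <= threshold
    return {
        "asset": risk.asset,
        "control": control,
        "residual_value": residual_value,
        "accepted": accepted,
        "next_step": ("record in the treatment plan for approval" if accepted
                      else "consider additional measures and re-assess"),
    }


# Constructed sample register (illustrative entries, not real findings).
REGISTER = [
    Risk("Student records database", "Registrar", "Data breach",
         "Unauthorised access", "Shared administrator password",
         ["Perimeter firewall"], likelihood=4, impact=5),
    Risk("Lecture-hall projector", "Facilities", "Equipment loss",
         "Theft", "No asset tagging", [], likelihood=2, impact=2),
    Risk("E-learning platform", "Computer Center", "Service outage",
         "Hardware failure", "Single server, no failover",
         ["Daily backups"], likelihood=3, impact=3),
]


def run_register(register=REGISTER) -> list:
    """Run every register entry through evaluation; return the decisions."""
    return [evaluate(r) for r in register]


if __name__ == "__main__":
    for row in run_register():
        print(row)
    print(treat(REGISTER[0], "Individual admin accounts with MFA", 1, 5))
    print(treat(REGISTER[0], "Password rotation policy", 2, 5))
```

The second `treat` call shows the "No" branch of the residual-risk decision: a control that lowers likelihood but leaves the value above the acceptance criterion sends the risk back for additional measures rather than into the approved treatment plan.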
ISMS Implementation and Certification Process
PDCA ISMS Methodology
- Start: Certification Audit, then ISO 27001 Certification
- Year 1: Surveillance Audit
- Year 2: Surveillance Audit
- Year 3: Re-certification Audit
ISO/IEC 27001:2013 in Education
• 287 ISO/IEC 27001 certificates in Thailand in 2017
• 54 ISO/IEC 27001 certificates (world)
• Education (ICT) compared with the Information technology sector
Number of certificates by sector (twelve annual values per row, as listed on the slide):
33 Information technology: 890, 1236, 1152, 2086, 3217, 3588, 4558, 5059, 4933, 5573, 6578, 7478
34 Engineering services: 25, 33, 48, 173, 122, 126, 189, 211, 217, 201, 245, 382
35 Other services: 189, 204, 228, 380, 579, 564, 755, 849, 867, 959, 1432, 1369
36 Public administration: 23, 33, 79, 181, 79, 106, 155, 192, 191, 212, 235, 185
37 Education: 8, 9, 25, 47, 75, 65, 102, 101, 83, 104, 109, 54
Questions and answers
• https://ict.buu.ac.th/index.php?r=about-us/iso27001