ISO 27001 - information security user awareness training presentation -part 2


Page 1: ISO 27001 - information security user awareness training presentation -part 2

iFour Consultancy

Security awareness seminar

An introduction to ISO27k

Part 2

Page 2

Agenda

• Security incidents cause
• What is risk?
• Risk relationships
• Threat agent
• Motive
• Threat type and example
• Compliance
• Objectives of compliance
• SOX
• Where SOX is applicable
• BASEL II

http://www.ifour-consultancy.com Software outsourcing company in India

Page 3

Security incidents cause

• IT downtime, business interruption
• Financial losses and costs
• Devaluation of intellectual property
• Breaking laws and regulations, leading to prosecutions, fines and penalties
• Reputation and brand damage leading to loss of customer, market, business partner or owners’ confidence and lost business
• Fear, uncertainty and doubt


Page 4

What is risk?

• Risk is the possibility that a threat exploits a vulnerability in an information asset, leading to an adverse impact on the organization
• Threat: something that might cause harm
• Vulnerability: a weakness that might be exploited
• Impact: the resulting harm to the organization, such as financial damage


Page 5

Risk relationships


Page 6

Threat agent

The actor that represents, carries out or catalyzes the threat:
• Human
• Machine
• Nature


Page 7

Motive

• Something that causes the threat agent to act

• The term implies intentional, deliberate attacks, but some incidents are accidental and have no motive behind them


Page 8

Threat type and Example


Page 9

So how do we secure our information assets?


Page 10

Compliance

What is compliance? The act or process of conforming to a specific standard, demand or proposal. Compliance means following in detail a set of:

• Laws
• Regulations
• Rules
• Practices

The role of compliance in banks is to ensure that rules and regulations are appropriately incorporated into the bank’s internal processes, and that each functionary, from the top to the bottom of the organization, appreciates the value of compliance


Page 11

Compliance

Banking compliance has two branches:

• Internal compliance
  – Internal policies
  – Applicable to all employees of the bank

• Regulatory and legal compliance
  – Laws and standards
  – Applicable to the bank as a whole


Page 12

Objectives of Compliance

• Prudential: to reduce the level of risk to which clients are exposed

• Systemic risk reduction: to reduce the risk of disruption to the financial system

• Avoiding misuse of the system: to reduce the risk of the system being used for criminal purposes

• To protect confidentiality

• It may also include rules about treating customers fairly and about corporate social responsibility (CSR)


Page 13

Objectives of Compliance

• Ensures orderliness

• Prevents chaos in systems

• Provides a dedicated framework for overseeing the implementation of directions and guidelines issued by the regulator or supervisor

• Ensures that there is a process to promptly respond to and redress anomalies


Page 14

SOX

SOX: the Sarbanes–Oxley Act of 2002, also known as the “Corporate and Auditing Accountability, Responsibility, and Transparency Act”

SOX is a United States federal law that set new or enhanced standards for all U.S. public company boards, management and public accounting firms

The Act contains 11 titles (sections). Its major elements range from corporate board responsibilities to criminal penalties, and cover auditor independence, corporate governance, fraud and enhanced financial disclosure


Page 15

Where SOX is Applicable

• (a) All public companies in the US

• (b) International companies that have registered equity or debt securities with the SEC

• The accounting firms that provide auditing services to (a) and (b)

• It does not apply to privately held companies

• The Act is administered by the Securities and Exchange Commission (SEC), which deals with compliance, rules and requirements

• The Act also created the Public Company Accounting Oversight Board (PCAOB)


Page 16

BASEL II

“A set of banking regulations put forth by the Basel Committee on Banking Supervision, which regulates finance and banking internationally.”
