certification
play

Certification Francesco Ciclosi, University of Camerino 1 Is - PowerPoint PPT Presentation

Feb 24, 2024 •480 likes •791 views

University ICT Security Certification Francesco Ciclosi, University of Camerino 1 Is secure an organization complies with the standard ISO/IEC 27001? TRUE FALSE Is the standard ISO/IEC 27001 a metric of the

  1. University ICT Security Certification Francesco Ciclosi, University of Camerino 1

  2. • Is secure an organization complies with the standard ISO/IEC 27001? –  TRUE –  FALSE • Is the standard ISO/IEC 27001 a metric of the organization’s information security level? –  TRUE –  FALSE 2

  3. First answer: FALSE • Is secure an organization complies with the standard ISO/IEC 27001? • It's not true that the compliance with the standard ISO/IEC 27001 guarantees the safety of the organization • Generally the compliance with the standard doesn’t say nothing about the real level of information’s security

  4. Second answer: FALSE • Is the standard ISO/IEC 27001 a metric of the organization’s information security level ? • The standard ISO/IEC 27001 – Is not a metric of the level or quality of security – Gives us some guidance about the correct manner to manage the information security process

  5. About the ISO 27001 scope • The scope: – is to certify the quality of the information security management process – is not to certify the quality of the solutions, of the technologies or of the configurations • This standard follows the same approach used by the ISO 9000 family (industrial processes' quality certification) – Where the focus is not on the tool’s quality but on the tool's management process quality

  6. The risk treatment • Is necessary to implement a process of security risk treatment (compliance with the standard ISO 27005:2011): – Define all controls needed to implement the right risk treatment – Compare the same controls with those defined in the Annex A, in order to verify the presence of the mandatory controls – Arrange the Statement of Applicability (SOA) – Prepare a risk treatment global plan – Obtain the risk owner's endorsement about the risk treatment plan and about the residual risk

  7. Reference control objectives and controls • The ANNEX A is the section of the standard where are defined: – the controls – the controls objectives • that represent the requirements to ensure the standard compliance of the ISMS Annex A ISO 27001:2005 ISO 27001:2013 Control areas 11 14 Controls objectives 39 35 Controls 133 114

  8. The controls • Are divided in thematic sections – (such as: technological aspects, logical or physical security, human resource, business processes, and so on) • Every sections is also divided in one or more subsections • Every sections is organized as follows: – A general objective with a short description – One or more pair " control/control objective "

  9. Definition of the perimeter • A first study and investigation phase in order to define: – the perimeter of the ISMS – the field of application (SOA), as well as limits and exclusions • The outcome enabled us to define the following certification scope: «Supply of connectivity, email, web portal, telephone, hosting and management services to the University and to customers that may request them»

  10. Analysis of the main services provided • We have developed an asset tree for every Business Service(BS), in order to map out its layout • The asset tree includes the following information units: IF (Information) SW (Software) HW (Hardware) COM (Communication devices) L (Locations) P (People- Human resources)

  11. Stakeholder identification • Identification of the various parties that are interested in supplying/using such services – students – teaching staff – technical-administration staff – external staff – public parties – private parties – external users

  12. The document infrastructure definition • Is set up to support the certification process • Is composed of regulations, roles and rules • These documents specify how resources , including sensitive information, are to be managed , protected and distributed within the University • The documents were divided into the categories: – System Documents; – Organizational Procedures; – Technical Procedures; – Operating Instructions. • The classification of each documents is made by indicating an identifier chronological number

  13. The correlation matrix Current Annex A – Control Objectives and Controls Applicable Notes state A.5 Information security policies A.5.1 Management direction for information security Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. Control A set of policies for information security should be Policies for A.5.1. defined, approved by DS 02 – ISMS NOT SI information 1 Policy NEW management, published and security communicated to employees and relevant external parties. Control The policies for information security should be Review of the reviewed at planned intervals A.5.1. policies for Annual NOT SI or if significant changes occur 2 Review NEW information to ensure their continuing security suitability, adequacy and effectiveness.

  14. The risk assessment/management strategy • We have defined a customized strategy for risk analysis and risk assessment • This strategy was Suitable to the perimeter of our ISMS • The method adopted was the Magerit one, which was implemented through the PILAR software tool • The methodology is compliance with the standard ISO/IEC 27005:2011 «Information security risk management» • The approach consists of 5 steps

  15. The five steps (1/3) • 1 - Assets – Definition of the assets that are important for the University, through an analysis of the main one, paying attention to the "dependency between the assets" – Division of assets into five levels – Enhancement of assets with a qualitative ranking system for a better positioning of each asset’s value in relation to the others • 2 - Threats – Identification of all the threats that were considered relevant to every asset type – Matching between asset groups and threat – Definition of the vulnerability level considering the frequency value and the damage value

  16. The five steps (2/3) • 3 - Countermeasures – Calculation of impact and risk that may theoretically concern the assets in the worst possible case (as if none of the countermeasures are activated) – The countermeasures may be included in the risk calculation either by: • reducing the threat frequency (preventative countermeasures) • limiting the damage caused (containing countermeasures) • 4 - Impact – Calculation of the impact that threats may have on the systems • considering the asset value • considering the damage level that such threats may cause – Two types of calculations were chosen: • the cumulative impact • the reflected impact

  17. The five steps (3/3) • 5 - Risk – Calculation of the risk value • considering the impact of threats • considering the threats occurrence frequency – Combination or grouping the single risks in different ways (a given asset is the reference), until a global value is obtained and expressed by using a ranking system – As output of the risk analysis process , the global risk value (related to a single asset) is expressed by using an eight-point ranking system – There is two threshold values that are defined beforehand: • alert threshold – no further countermeasures need to be taken below such a value • action threshold - if such a value is reached, then suitable countermeasures need to be immediately identified to bring the risk value back to acceptable levels – We have decided to accept the consequent residual risk value if it’s lower than the action threshold value

  18. The risk treatment methodology

  19. The improvement actions • Are recorded in a special register • Are constantly monitored • Act as an input for every new risk analysis and management process, that is constantly carried out, at least on an annual basis • Is possible to indirectly monitor the effectiveness of this actions • This cyclical improvement process complies with standard ISO/IEC 27005:2011 «Information security risk management»

  20. Point # Source Ref. Doc. Weakness Action ISO27001 Configuration errors, DS-05, § 6.3.1, cabling is not interferences and data 1 AR countermeasur 9.2.3 completely protected interception may easily es [AUX6] and identifiable occur if cabling is not checked Evidence Consequences Priority Responsibilities Resources By status on 25 % June, 2015 Labelling all the cables related to the systems. Separating PT-20 – Security power cables from 31 and cabling Medium Mr. Rossi Internal 100 data cables. Checking Dec, schema.docx - V.0 2015 that unauthorized del 18/11/2013 interception of data traffic is impossible by accessing the cabling.

  21. The indicator table • In the ISMS are defined same indicators – finalized at the continuous monitoring of the effectiveness of the activated controls – punctually associated with the reference standard – gathered through a special table-like form that helps to check the trend of what has been detected Annex ID Descripti Detecti 201 1 2 3 4 5 6 7 8 9 10 11 12 201 Desira Accepta A on on rate 3 4 ble ble point I27 Password A.11.3. 6m 3 4 4 5 5 5 2 4 quality 1

  22. The indicator thresholds • Acceptability – defines whether a given value may or may not be considered risky – may trigger improvement actions • Desirability – defines whether a given value may or may not be considered acceptable – may activates alert messages to the system administrators

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

1 2 3 KASS Certification Procedure Operation System Certification Certification Training

1 2 3 KASS Certification Procedure Operation System Certification Certification Training

1 2 3 KASS Certification Procedure Operation System Certification Certification Training Inspection/Audit Establish MoC Status of Operator/ Maintainer Manual, Function Identify CRB Record and Interfaces Result of Form Ground/

618 views • 24 slides
CAPLA CERTIFICATION PROGRAM EVERYTHING YOU NEED TO KNOW ABOUT THE CERTIFICATION EXAM HOW TO

CAPLA CERTIFICATION PROGRAM EVERYTHING YOU NEED TO KNOW ABOUT THE CERTIFICATION EXAM HOW TO

CAPLA CERTIFICATION PROGRAM EVERYTHING YOU NEED TO KNOW ABOUT THE CERTIFICATION EXAM HOW TO APPLY TO WRITE Once you have logged into the Then under Certification The Certification committee Application Forms may be CAPLA website using

687 views • 37 slides
1 CERTIFICATION Coming to you soon! 2 What is OPTA VIA Certification? OPTA VIA

1 CERTIFICATION Coming to you soon! 2 What is OPTA VIA Certification? OPTA VIA

1 CERTIFICATION Coming to you soon! 2 What is OPTA VIA Certification? OPTA VIA Certification is based on Dr. As Habits of Health Transformational System and is available to all Coaches who want to apply and reinforce their knowledge of

613 views • 19 slides
Certification Pathway to CCC-A Todd R. Philbrick, CAE Director, Certification Ex Officio to the

Certification Pathway to CCC-A Todd R. Philbrick, CAE Director, Certification Ex Officio to the

ASHA Certification Pathway to CCC-A Todd R. Philbrick, CAE Director, Certification Ex Officio to the CFCC Presentation Overview What is Certification? CCC-A Certification Standards CCC-A Application Process FAQs Keep your

209 views • 19 slides
Timer Certification Clinic Timer Certification A prerequisite for training and certification in

Timer Certification Clinic Timer Certification A prerequisite for training and certification in

Timer Certification Clinic Timer Certification A prerequisite for training and certification in all other positions (Descriptions in some of the following slides are as indicated in the rules, although it is not unusual for the referee to

378 views • 10 slides
Wastewater Laboratory Certification Overview 1 What is laboratory certification? Laboratory

Wastewater Laboratory Certification Overview 1 What is laboratory certification? Laboratory

Wastewater Laboratory Certification Overview 1 What is laboratory certification? Laboratory certification is a process that provides formal recognition to the managerial and technical competence of a laboratory performing specific analyses

853 views • 50 slides
AEROREADY CERTIFICATION Components to AEROready TM Certification In order to award an AEROready TM

AEROREADY CERTIFICATION Components to AEROready TM Certification In order to award an AEROready TM

AEROREADY CERTIFICATION Components to AEROready TM Certification In order to award an AEROready TM certification, our consulting team analyses hundreds of site selection criteria with emphasis on the following 10 items Assessment of airport

1.08k views • 75 slides
IIBA Certification Overview 1 Topics A. Benefits of Attaining an IIBA Certification B. IIBA

IIBA Certification Overview 1 Topics A. Benefits of Attaining an IIBA Certification B. IIBA

IIBA Certification Overview 1 Topics A. Benefits of Attaining an IIBA Certification B. IIBA Certification Options C. Applying for Certification D. Exam Activities Register and Prepare E. Benefits of BABOK studying 2/13/2018, p. 1

127 views • 10 slides
SOUTH DAKOTA DEPARTMENT OF EDUCATION OFFICE OF EDUCATOR CERTIFICATION Certification@state.sd.us

SOUTH DAKOTA DEPARTMENT OF EDUCATION OFFICE OF EDUCATOR CERTIFICATION Certification@state.sd.us

SOUTH DAKOTA DEPARTMENT OF EDUCATION OFFICE OF EDUCATOR CERTIFICATION Certification@state.sd.us OUTCOME OF PRESENTATION Understand the importance of educator certification Ability to create a user id and apply for certification

698 views • 53 slides
Voluntary EU certification for Voluntary EU certification for non-residential buildings

Voluntary EU certification for Voluntary EU certification for non-residential buildings

Voluntary EU certification for Voluntary EU certification for non-residential buildings Definition of an Energy Performance Scale Jana Bendalov BUILDING TESTING AND RESEARCH INSTITUTE / Slovakia 09 January 2012 1 Context

609 views • 19 slides
ABIM Certification and Maintenance of Certification You You ACC ABIM ACC ABIM Your

ABIM Certification and Maintenance of Certification You You ACC ABIM ACC ABIM Your

ABIM Certification and Maintenance of Certification You You ACC ABIM ACC ABIM Your professional The Certifying Body society (also ABP, AOA) Help you as a Accountable to the member public Outline 1. Background & Environmental

1.38k views • 29 slides
Certification in Humanitarian Logistics Level I HLC 2007 How Certification came about.HLC

Certification in Humanitarian Logistics Level I HLC 2007 How Certification came about.HLC

1 Certification in Humanitarian Logistics Level I HLC 2007 How Certification came about.HLC 2003 HLC participant feedback Needs to be clear career map, not just specific training initiatives around warehousing or other functions

473 views • 19 slides
8/6/2020 Direct Certification SY 2020-2021 Overview Direct Certification (DC) What is

8/6/2020 Direct Certification SY 2020-2021 Overview Direct Certification (DC) What is

8/6/2020 Direct Certification SY 2020-2021 Overview Direct Certification (DC) What is it? How does it work? HCNP Systems Direct Certification Menu What is DC? Allows SFAs to certify children as eligible for FREE meals

471 views • 13 slides
Ed-Fi Certification Indiana Department of Education May 16, 2018 Welcome Ed-Fi Vendor

Ed-Fi Certification Indiana Department of Education May 16, 2018 Welcome Ed-Fi Vendor

Ed-Fi Certification Indiana Department of Education May 16, 2018 Welcome Ed-Fi Vendor Certification Agenda Introduction to Ed-Fi Ed-Fi Certification Resources Ed-Fi Certification Process & Benefits Q & A

402 views • 28 slides
National Board Certification A Distinction That Matters National Board Certification Program

National Board Certification A Distinction That Matters National Board Certification Program

National Board Certification A Distinction That Matters National Board Certification Program District and Regional Support Division North Carolina Department of Public Instruction Board Certification: A Vehicle for Transforming Teaching Ron

534 views • 30 slides
3/9/2020 The Virtual The Virtual The Virtual The Virtual Certification Certification

3/9/2020 The Virtual The Virtual The Virtual The Virtual Certification Certification

3/9/2020 The Virtual The Virtual The Virtual The Virtual Certification Certification Certification Certification Interview Interview Interview Interview NACC Initial Certification Webinar for a Zoom Conference Interview 1

359 views • 7 slides
The Quality Systems Group Final Report and Recommendations to the 25th ITTC 3. Cross - check the

The Quality Systems Group Final Report and Recommendations to the 25th ITTC 3. Cross - check the

Proceedings of 25th ITTC Volume I 325 The Quality Systems Group Final Report and Recommendations to the 25th ITTC 3. Cross - check the ITTC Symbols List and the Dictionary with other standards e.g. 1. GENERAL ISO Standards 1.1 Membership

158 views • 12 slides
Quality and Accreditation in Healthcare Ins. ? Institution Patient Healthcare Asst. Medical

Quality and Accreditation in Healthcare Ins. ? Institution Patient Healthcare Asst. Medical

28.09.2012 International International Ibni Sina Health Capacity Building Programme. Management Certificate at Health Health Founder Member of Strategic Health Ins. Organization Organization Healthcare Institutions Kzlay Hospital

469 views • 11 slides
ISO 45001 Evolution of OHSMSs IOSH East Midlands Branch Nottingham Forest Football Club 17

ISO 45001 Evolution of OHSMSs IOSH East Midlands Branch Nottingham Forest Football Club 17

ISO 45001 Evolution of OHSMSs IOSH East Midlands Branch Nottingham Forest Football Club 17 January 2019 Richard Jones MSc CFIOSH PIEMA FRSPH MCIPR Head of Policy and Public Affairs ISO 45001 Outline - Why was a new standard needed? -

443 views • 28 slides
Regional Eastern Africa Unistaff Alumni Network Conference and Workshop 6 th to 10 th November

Regional Eastern Africa Unistaff Alumni Network Conference and Workshop 6 th to 10 th November

Regional Eastern Africa Unistaff Alumni Network Conference and Workshop 6 th to 10 th November Kenyatta University ISSUES AND CHALLENGES IN IMPLEMENTING QUALITY ASSURANCE IN HIGHER EDUCATION STRATHMORE UNIVERSITY CASE Mrs C N Muchira

507 views • 12 slides
Better Ideas in Action www.garwarefibres.com Whats Ahead? About Garware Technical Fibres

Better Ideas in Action www.garwarefibres.com Whats Ahead? About Garware Technical Fibres

Better Ideas in Action www.garwarefibres.com Whats Ahead? About Garware Technical Fibres Limited Garware Technical Fibres Vigour Solutions Offered Garware Technical Fibres Infrastructure Manufacturing Excellence

805 views • 63 slides
Workshop on Quality Management in Surface, Climate and Upper Air Climate and Upper-Air Obs

Workshop on Quality Management in Surface, Climate and Upper Air Climate and Upper-Air Obs

World Meteorological Organization World Meteorological Organization Working together in weather, climate and water WMO Workshop on Quality Management in Surface, Climate and Upper Air Climate and Upper-Air Obs Observations a o s (Tokyo,

506 views • 47 slides
How can ISO 9001 Quality PLUS Clinical Standards help improve your health service? Marie Colwell

How can ISO 9001 Quality PLUS Clinical Standards help improve your health service? Marie Colwell

How can ISO 9001 Quality PLUS Clinical Standards help improve your health service? Marie Colwell Health Program Manager David Sikorski Principal Advisor Improvement Solutions SAI Global Thursday 28 th July 2011 2 How can ISO 9001

550 views • 44 slides
T HE V ALUE OF A CCREDITATION :C ONSIDERATIONS FOR DECIDING ON SERVICE PROVIDERS FOR CERTIFICATION

T HE V ALUE OF A CCREDITATION :C ONSIDERATIONS FOR DECIDING ON SERVICE PROVIDERS FOR CERTIFICATION

T HE V ALUE OF A CCREDITATION :C ONSIDERATIONS FOR DECIDING ON SERVICE PROVIDERS FOR CERTIFICATION / INSPECTION VANI BHAMBRI ARORA National Accreditation Board for Certification Bodies QUAL ALITY TY COUNC NCIL OF INDI DIA New Delhi

336 views • 32 slides

More recommend