ISO 27001 - information security user awareness training presentation - part 2

Posted on 01-Feb-2015


TRANSCRIPT

iFour Consultancy

Security awareness seminar

An introduction to ISO27k

Part 2

Agenda

• Security incidents cause
• What is risk?
• Risk relationships
• Threat agent
• Motive
• Threat type and Example
• Compliance
• Objectives of Compliance
• SOX
• Where SOX is Applicable
• BASEL II

http://www.ifour-consultancy.com Software outsourcing company in India

Security incidents cause

• IT downtime, business interruption
• Financial losses and costs
• Devaluation of intellectual property
• Breaking laws and regulations, leading to prosecutions, fines and penalties
• Reputation and brand damage leading to loss of customer, market, business partner or owners’ confidence and lost business
• Fear, uncertainty and doubt


What is risk?

• Risk is the possibility that a threat exploits a vulnerability in an information asset, leading to an adverse impact on the organization

• Threat: something that might cause harm
• Vulnerability: a weakness that might be exploited
• Impact: financial damage etc.


Risk relationships


Threat agent

The actor that represents, carries out or catalyzes the threat:

• Human
• Machine
• Nature


Motive

• Something that causes the threat agent to act

• A motive implies an intentional/deliberate attack, but some threats are accidental


Threat type and Example


So how do we secure our information assets?


Compliance

What is Compliance?

The act or process of meeting specific standards with a desire, demand or proposal. Compliance represents following in detail a set of:

• Laws
• Regulations
• Rules
• Practices

The role of compliance in banks is to ensure that the rules/regulations are appropriately incorporated in the bank’s internal processes and that each functionary, right from the top to the bottom, appreciates the value of compliance.


Compliance

Banking Compliance

• Internal compliance: Internal Policies, applicable to all employees
• Regulatory & Legal Compliance: Laws and Standards, applicable to the bank as a whole


Objectives of Compliance

Prudential—to reduce the level of risk to which clients are exposed

Systemic risk reduction—to reduce the risk of disruption

Avoid misuse of the system—to reduce the risk of the system being used for criminal purposes

To protect confidentiality

It may also include rules about treating customers fairly and having corporate social responsibility (CSR)


Objectives of Compliance

Ensures orderliness

Preventing chaos in systems

Dedicated framework for overseeing the implementation of directions/guidelines issued by the Regulator/supervisor

Ensure that there is a process to promptly respond to and redress the anomalies


SOX

SOX: the Sarbanes–Oxley Act, also known as the “Corporate and Auditing Accountability and Responsibility Act”

SOX is a United States federal law that set new or enhanced standards for all U.S. public company boards, management and public accounting firms

The Act contains 11 sections. Its major elements range from corporate board responsibilities to criminal penalties, and cover auditor independence, corporate governance, fraud and enhanced financial disclosure


Where SOX is Applicable

• (a) All public companies in the US

• (b) international companies that have registered equity or debt securities with SEC

• The Accounting firms that provide auditing services to (a) and (b)

• It does not apply to privately held companies

• The Act is administered by the Securities and Exchange Commission (SEC)

• The SEC deals with compliance, rules and requirements

• The Act also created the Public Company Accounting Oversight Board (PCAOB)


BASEL II

“A set of banking regulations put forth by the Basel Committee on Bank Supervision, which regulates finance and banking internationally.”
