ISMS at CDC - Oct 2011


Information Security Management System

Presented to Prof. M. Moinuddin Ali Khan and team, Institute of Business Management
October 26, 2011

Proprietary - Authorized Distribution Only

Synopsis

- Information security has been a key driver since inception
- Enterprise Security unit established in 2001
- Multilayered security approach to ensure fault tolerance
- Core depository function certified against ISO 27001
- SOC for visibility, control and automation


Overview of CDC Businesses

Services, by year launched:
- 1997 - Depository Operations
- 1999 - Investor Account Service
- 2002 - Trustee & Custodial Service
- 2008 - RTA Service
- 2010 - ITMinds (enterprise IT based consultancy and implementation services)

Scale:
- Servicing 26 large-base issuers
- Holding 66.6 billion shares, worth USD 17.66 billion, in 592 securities
- Assets over USD 2.1 billion in 90 funds for 25 AMCs
- 100,000 direct account holders; over 300,000 account holders
- ISO/IEC 27001:2005 certified

Information Security Hierarchy

Org chart, roles as shown top to bottom:
- Security Management Group
- CEO
- CIO
- Department Heads
- CISO
- Enterprise Security
- Champion Users

CDC Technology Footprint

- 3 core business applications
- Network security: 3 different devices; authentication, anti-virus, compliance, etc.
- Others: email, BlackBerry, GL / payroll, IVR, call center, internet
- Database technologies: 10 enterprise class servers; 28 TB on 3 different enterprise storage systems
- Application servers: 50+ servers from 3 different vendors
- Network: devices, NW software, multi-homed internet, ACLs, etc.
- Real-time live data service to NCCPL and all 3 stock exchanges
- Multiple database servers (primary & standby) to support alternate channels
- Separate Dev / QA / UAT environments
- 8 offices in 5 cities
- 3 inter-connected datacenters with data replicated in real time, also serving as connectivity hubs
- Live connectivity to 100,000 clients

Key information security questions

- What is valuable information?
- How does information flow within the organization?
- Where is information stored?
- How is information risk defined?
- How is information safeguarded?

Information Patterns & Needs

- What is management doing to grow the business?
- How is the company image?
- Are company plans / secrets adequately protected?
- Can business continue in case of disaster?
- What is the IT ROI?

- Are systems available when required?
- Are controls appropriate to the risks?
- Who is accessing information?
- Can reliable services be developed?

- How are customer details protected?
- In how many forms are the details available?
- How is physical security managed?
- How are vendors managed?

Control:
- How is IT service quality?
- How are service levels and costs?
- How is IT security ensured?
- How is compliance managed?
- How is compliance with legal and regulatory requirements performed?
- What is the link usage?
- Database / application performance?
- Capacity management?

- Are privileged user activities monitored?
- How are logs protected? Are logs centrally managed? Tamper-proof?
- How to provide assurance to the board?

- What risks arise due to non-compliance?
- How to prove due diligence to auditors?

CDC - ISMS Scope

Primary objective: to establish an ISMS that provides a balanced approach to information security.

- 11 departments, 2 locations
- Applicable controls: 131 out of 133
- 9 months implementation
- Certified by SGS / UKAS in Sept 2009

Information Security Dimensions

(Figure; only the label "Culture" is recoverable from this copy.)

ISO 27001 Standard

An internationally recognized, business-driven approach to managing information security. A management system enabling balance between physical, technical, manual and personnel security.

Control domains (ISO/IEC 27001:2005, Annex A):
1. Security Policy
2. Organizing Information Security
3. Asset Management
4. Human Resources Security
5. Physical & Environmental Security
6. Communications & Operations Management
7. Access Control
8. Information Systems Acquisition, Development and Maintenance
9. Information Security Incident Management
10. Business Continuity Management
11. Compliance

ISO 27001 Standard vs. others

(Figure: frameworks positioned on two axes, WHAT vs. HOW and scope of coverage. Frameworks shown: COSO / SOx / HIPAA, ISO 27001, COBIT, PCI DSS, ITIL, BS 25999, IBTRM.)

ISMS Implementation Approach

A repeating cycle of four phases (the Plan-Do-Check-Act model of ISO/IEC 27001:2005 clause 4.2):
Establish -> Implement -> Monitor -> Maintain (and improve) -> Establish ...

ISMS Implementation Approach

Establish:
- Scope
- Policy
- Risk assessment
- Gap analysis

Implement:
- Document procedures
- Deploy controls
- Training
- Maintain records

Monitor:
- Measure effectiveness
- Internal audits
- Vulnerability assessment

Maintain:
- Management review
- Residual risk acceptance
- Corrective / preventive actions

ISMS Implementation Methodology

1. Initiation
2. Scoping
3. Project planning
4. Gap analysis
5. Develop working papers
6. Project roll-out plan
7. Awareness
8. Implementation: information asset inventory and classification; risk assessment; development of policy / procedures; implement controls; BCP / DR testing
9. Compliance: internal audit; Information Security Forum meeting
10. Certification audit stage I
11. Certification audit stage II

ISMS Framework

Document hierarchy, from management level down to operations:
- Management: Policies; ISMS Manual
- Procedures
- Operations: Forms / Templates / Records

Open Discussion
Security is an attitude.
