Need for Information Security, Understanding Information



Information Security: needs, trends & OCR
11th Feb., 2015
- Er. Sansar Jung Dewan
At First: InfoSec Basics with the Five W’s
• What is Information Security?
• Why do you need Information Security?
• Who is responsible for Information Security?
• When is the right time to address Information Security?
• Where does Information Security apply?
Information Security definition
“Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide
• Integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;
• Confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
• Availability, which means ensuring timely and reliable access to and use of information.”
- FISMA 2002, US Federal Law as Title III of the E-Government Act 2002
Threat Environment
Tools & Techniques
• Malicious Software (Malware): trojans, spyware, botnets
Actors
• Users
• Malicious Actors
• State-sponsored Actors
• Issue-motivated groups
Which threats have most increased your risk exposure over the last 12 months? (chart)
Source: Get ahead of cybercrime, EY’s Global Information Security Survey 2014
Which vulnerabilities have most increased your risk exposure over the last 12 months? (chart)
Source: Get ahead of cybercrime, EY’s Global Information Security Survey 2014
Source: INTERNET SECURITY THREAT REPORT 2014, Symantec
Motivation is increasing
New technologies will generate new vulnerabilities
The spectrum of malicious actors is expanding
Capability is easier to acquire
Security breach levels decreased slightly, but breaches are much more costly
The cost of breaches nearly doubled in the last year
Organizations of all sizes continue to suffer from external attacks
Understanding, communication and awareness lead to effective security
Organizations are seeking new ways to gain assurance over security
Source: Executive Summary: 2014 Information Security Breach Survey
2014 Australian Government InfoSec Manual Principles
Top management needs to consider:
• What would a serious cyber security incident cost our organization?
• Who would benefit from having access to our information?
• What makes us secure against threats?
• Is the behavior of my staff enabling a strong security culture?
• Are we ready to respond to a cyber security incident?
Source: 2014 Australian Government InfoSec Manual Principles
InfoSec Documentation
• Information Security Policy
• Security Risk Management Plan
• System Security Plan
• Standard Operating Procedures
• Incident Response Plan
• Emergency Procedures
• Business Continuity and Disaster Recovery Plans
Source: 2014 Australian Government InfoSec Manual Principles
InfoSec Leadership & Support
• Organizational structure & top management
• Leadership commitment and policy
• Support
Organizational structure & top management – with duties, roles & responsibilities, authorities of management, etc.
Organization structure: ISO 27001:2013
Leadership commitment and policy
• Providing information security policy and objectives
• Ensuring the integration of ISMS requirements
• Ensuring that the resources needed for the ISMS are available
• Communicating the importance of effective management of InfoSec and compliance with the ISMS
• Ensuring that the ISMS achieves the appropriate results
• Directing and supporting people to enhance the efficiency of the ISMS
• Promoting continuous improvement
Leadership commitment and policy
Senior management needs to establish an InfoSec policy that:
• Is suitable for the organization
• Includes the goals and provides a framework for setting InfoSec goals
• Includes a commitment to meet the appropriate requirements related to InfoSec
• Includes a commitment to continual improvement of the ISMS
The information security policy should:
• Be available as documented information
• Be communicated within the organization
• Be made available to interested parties
Support
Management Commitment & Provision of Resources
• Establishing an ISMS policy
• Ensuring that ISMS objectives and plans are established
• Establishing roles and responsibilities for information security
• Communicating to the organization the importance of meeting information security objectives
• Conforming to the information security policy, its responsibilities under the law and the need for continual improvement
• Providing sufficient resources to establish, implement, operate, monitor, review, maintain and improve the ISMS
• Deciding the criteria for accepting risks and the acceptable levels of risk
• Ensuring that internal ISMS audits are conducted
• Conducting management reviews of the ISMS
Support
Training, Awareness & Competence
• The organization shall ensure that all personnel who are assigned responsibilities defined in the ISMS are competent to perform the required tasks by:
  • determining the necessary competencies for personnel performing work affecting the ISMS;
  • providing training or taking other actions (e.g. employing competent personnel) to satisfy these needs;
  • evaluating the effectiveness of the actions taken; and
  • maintaining records of education, training, skills, experience and qualifications
Framework for ISMS
OCR Information Systems & Online Services
OCR Online Services timeline (timeline graphic; dates and milestone labels as extracted)
• Magh 25, 2069
• Kartik 24, 2069
• Mangsir 26, 2070: service centres established
• Launch of new systems & e-Services
• Launch of “View Company Profile”
• Magh 8, 2069
• Issuance of the Company (E-Filing) Directives, 2013
• Kartik 3, 2070: mandatory electronic services
Components
• BPR & back office electronic workflow
• Partnerships with Gov. Agencies & private sector
• IT Infrastructure
• Online services
• Digitization: companies’ files & database consolidation
Components …
Partnerships with other Government Agencies
• Inland Revenue Dept.
• GIDC
Partnerships with business communities & professional organizations
• FNCCI
• Nepal Bar Association
• CAN
IT Infrastructure
• Virtual Infrastructure
• Business Continuity Plan
• Data Center & Data Recovery site
Components …
Online Services
• Name Availability Check
• Name Reserve
• Online Registration
• View Company Profile
• Online: e-file company documents; companies’ info
Digitization of companies’ files & database consolidation
• Electronic registries of 116,000 companies
• COBOL/dBase IV & MS SQL 2005
How to register a company online?
1. Create Username
   • Enter details
2. Reserve Company Name
   • Enter proposed name
   • Choose NSIC
   • Type objectives in detail
   • Receive OCR e-notification on name request
3. Fill web form & upload scanned documents
   • Enter other details
   • Receive OCR e-notification on registration decision
4. Pay/Deposit Revenue
   • < NRs. 10,000 at OCR Counter
   • > NRs. 10,000 at Rastriya Banijya Bank, Teku Branch
5. Submit hard copies & revenue receipt, & collect certificate
How to e-file documents?
E-file annual returns and documents event-wise
OCR Info Systems Users
• Online User Count – 72,000
• Internal User Count – 200
• Roles – 22
Role Groups
User Management
User Activity Logs
User Activity Report
User & Role Groups Management
How does a registered company obtain a username & password?
1. Create Company User Account
   • Enter details
2. Receive ANNEX 1 in an email
3. Submit documents
   What docs to submit?
   • Signed & stamped ANNEX 1
   • Board of Directors decision on authority to sign the ANNEX 1, and to obtain and use the OCR e-service username & password
   • Photocopy of Certificate of Company Registration
   • Photocopy of identification of the person submitting all the docs
   Where to submit?
   • OCR Service Center, Tripureshwor, KTM
   • FNCCI District Chambers
   • Chitwan
   • Pokhara
   • Birgunj
   • Biratnagar
   • CAN
   • Kavre
   • …
4. Receive temporary password in an email
Thank you!