
ISO 27001:2005

Induction - Sep 2007

Protection notice / Copyright notice


Contents

- What is Information Security?
- An Introduction to ISO 27001:2005
- Siemens Corporate Information Security Guide
- Policies and Procedures
- Summary

Page 2 Sep 2007 For Internal Use only P&Q
What is Information Security?

Information security is the protection of information assets so that accurate
information is accessible only to authorized users, whenever they require it.
It applies equally to the media on which the information is stored,
e.g. hard disks, floppy disks, CDs, tapes and paper documents.
Keys to Information Security

- Confidentiality: Has my knowledge been disclosed?
- Integrity: Is my database reliable and not altered?
- Availability: Is my information available to authorised users?
- Validation (new paradigm): Are my transactions legally binding?

Protect, detect, and recover from insecurities.
Need for Information Security

- More and more customers are asking for information security
- Requirements of several certifications
- Legal requirements (data privacy, SOX, IT Act 2000 etc.)
- Requirements because SISL is part of the Siemens global network
- Increase in risks with greater use of technology
Introduction to ISMS

ISMS: Information Security Management System

ISMS is a management framework, based on ISO 27001, for providing security to critical information.
Introduction to ISO 27001

ISO/IEC 27001:2005 is an auditable standard.

Clauses (mandatory processes):
- 4 The ISMS
- 5 Management Responsibility
- 6 Internal ISMS Audits
- 7 Management Review
- 8 ISMS Improvement

Annex A (control objectives):
- 11 domains
- 39 control objectives
- 133 controls
ISMS: PDCA Model

Plan (establish the ISMS)
- Define ISMS scope
- Define policy
- Identify risks
- Assess risks
- Select control objectives and controls for treatment of risks
- Prepare a statement of applicability
- Formulate a risk treatment plan

Do (implement and operate the ISMS)
- Implement the risk treatment plan
- Implement the controls selected to meet the control objectives

Check (monitor and review the ISMS)
- Execute monitoring procedures
- Undertake regular reviews of the effectiveness of the ISMS
- Conduct internal audits at planned intervals

Act (maintain and improve the ISMS)
- Implement identified improvements
- Take corrective and preventive actions
- Communicate the results and actions and agree with all interested parties
- Ensure that improvements achieve their intended objectives
IS Organization Structure

ISMF - Information Security Management Forum. Roles shown in the organization chart:

- Regional IS Operations in Charge
- Information Security Officer
- Administration Team for Physical Security
- Incident Response Team
- ISMS Implementation Team - Business: ISAs
- ISMS Implementation Team - Support: ISAs
- Business Continuity & DRP Team
- Network Security Administrator
- Communications Security Administrator
- Server / Desktop Security Administrator
- Application Security Administrator

Ref: Procedure for Management Responsibility
Corporate IS Policies

Sr. No  Policy Name
1       Entrance to the Corporate Information Security Guide
2       Rules for the Workplace / Use of Work Resources
3       Rules for Managers
4       Rules for the Operation of IT Systems, Networks, Services, and Applications
5       Protection of Corporate Proprietary Information
6       Secure Use of E-mail
7       Passwords
8       System/Data Access Control for IT Systems
9       Computer Viruses
10      Data Backup
11      Using Key Material of the Siemens Public Key Infrastructure for Encryption, Digital Signature, Authentication
12      IT Disaster Recovery Planning
13      Cooperation and Data Communication with Business Partners
13-1    Rules for Business Partners of Siemens
14      Mobile Security
15      Secure Network Topologies
16      Dynamic Assignment of IP Addresses
17      Sharing LAN Infrastructure with non-Siemens Tenants
18      Security of i2 Systems (Specific Users)
19      Security in SAP Systems (Specific Users)
20      Secure Portal Access (Specific Users)
21      Secure Portal Application Integration (Specific Users)
22      Use of Application Service Providing (Specific Users)

Find the Corporate Information Security Guide (CISG) at http://cio.siemens.com > Information Security > Security Guide > All Static Policies
India Specific IS Policies

Sr. No  Policy Name
1       Local Administrator Rights
2       Broadband
3       Rental Equipment
4       Wireless Internet Card
5       Email deletion of employees
6       Internet Access

For more: http://intranet.sisl.siemens.co.in/SISL_NEW/index.html
Policy 2 - Rules for the Workplace / Use of Work Resources

Conduct at the workplace within company premises
- Protect corporate proprietary information against unauthorized persons
- Classify and treat company proprietary information according to its need for protection

Handling visitors
- Escort visitors when they visit secure areas
- Challenge unknown visitors found unescorted in secure areas
- Sign the visitor's gate pass when the visitor leaves

Using company-owned IT systems outside company premises
- Use must be approved beforehand and local regulations must be observed
- In open environments, make sure no unauthorized person can access company proprietary information
- Remote access to the Siemens intranet must be limited to approved services
Rules for the Workplace / Use of Work Resources (continued)

Rules for all employees and managers
- Protect corporate proprietary information against unauthorized persons
- Classify and treat company proprietary information according to its need for protection

Handling documents / data media
- Keep confidential documents and data media locked away
- Remove confidential documents / media after conferences
- For documents printed on network printers, ensure that no unauthorized person gains access to them
- Properly destroy documents and data media that are no longer needed
- Remove all data from hard drives before they are passed on for further use

Information security for faxes
- Make sure the dialed number is correct
- Make sure the sender information is correct
- Make a phone call to verify that a fax was received correctly (important faxes only)
Policy 3 - Rules for Managers

User registration
There shall be a formal registration procedure for new employees joining the organization.

User deregistration
There shall be a formal user deregistration procedure for revoking access to all multi-user information systems and services.

Installation of software
Proprietary software products are usually supplied under a licence agreement that limits the use of the products to specified machines.
Policy 5 - Protection of Corporate Proprietary Information

"Corporate proprietary information comes under one of the four classifications, according to the protection it requires."

- Strictly Confidential: information that is extremely sensitive and is intended for use only by named individuals within the company.
- Confidential: information that is sensitive within the company and is intended for use only by specified groups of employees.
- For Internal Use: non-sensitive information available for internal release.
- Public: non-sensitive information available for external release.
Policy 6 - Secure Use of Email

Rules for senders of email
- The recipient must be able to clearly identify the sender. Never hide or falsify the sender's details.
- Check e-mails and file attachments for computer viruses.
- Use digital signatures to ensure the integrity of the content or the legal responsibility of the sender.
- Send corporate proprietary information to external partners only as part of contractually agreed business relationships.
- Send messages to specific persons and not to unnecessarily large distribution groups.
- Do not create or forward chain letters or unauthorized warning messages. Upon receipt of such e-mails, forward them to Local Support.

Rules for recipients of email
- Access to mailboxes is limited to the owner or to persons explicitly authorized by the owner.
- Do not change default security settings made by the system manager.
- If the user implements the security settings for the e-mail program, they must be set to the highest security level.
- Check e-mails and attachments for computer viruses when opening the e-mail.
- Handle e-mail according to its need for protection.
- No automatic forwarding to external postboxes.
- Never attempt to read, delete, copy, change, decrypt or forward another person's e-mail.
Policy 7 - Passwords

Password quality
- A password must be a mix of upper- and lower-case letters, numerals and at least one special character
- For normal users: minimum 8 characters
- For privileged users: minimum 15 characters
- For users with admin rights: minimum 15 characters
- Use enhanced password rules if demanded by the system manager
- Do not reuse any of the previous five passwords
- Do not use trivial passwords (e.g. words from dictionaries, keyboard patterns, user IDs)
- Use different passwords for different security levels (e.g. system access, remote access, encryption, applications)
Password storage
- Do not reveal passwords to others (exception: system managers may tell authorized persons a new password)
- Change pre-defined passwords after the first use
- Protect your password records against disclosure
- Passwords stored electronically must be encrypted
- Passwords may have to be lodged with a manager (without disclosure)
- Change passwords right away if a password may have become disclosed
- Change passwords within 90 days; within 30 days for sensitive data / privileged accounts (e.g. system manager)
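The quality and expiry rules on the two password slides above, worked into a checker. This is an added example in Python, not code from the Siemens guide: the thresholds (8 / 15 characters, 90 / 30 days, a five-password history) are the ones the slides state, while the word list, the keyboard-pattern list, the user ID jdoe and the dates are constructed for illustration.

```python
import hashlib
import re
from datetime import date

# Thresholds exactly as stated in the two password slides.
MIN_LEN = {"normal": 8, "privileged": 15, "admin": 15}
MAX_AGE_DAYS = {"normal": 90, "privileged": 30, "admin": 30}
HISTORY_DEPTH = 5  # "do not reuse any of the previous five passwords"

# Constructed stand-ins for a real dictionary and keyboard-pattern list;
# a production checker would load a full word list instead.
DICTIONARY = ("password", "welcome", "siemens", "summer", "mumbai")
KEYBOARD_PATTERNS = ("qwerty", "asdfgh", "zxcvbn", "12345", "abcdef")


def fingerprint(password: str) -> str:
    """Digest kept in the reuse history, so old passwords are never held in clear text.
    SHA-256 keeps the example short; a salted, slow hash (e.g. bcrypt) is the
    right choice where the history file could be attacked offline."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_quality(password: str, role: str, user_id: str, history: list) -> list:
    """Return the list of policy rules the candidate password violates.

    role    -- "normal", "privileged" or "admin" (selects the minimum length)
    history -- fingerprints of the user's most recent passwords, oldest first
    An empty list means the password satisfies every rule.
    """
    problems = []
    if len(password) < MIN_LEN[role]:
        problems.append("too short")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no numeral")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")

    # Trivial-password rules: compare case-insensitively, as a substring
    # match, so "Siemens2007!" is still caught.
    lowered = password.lower()
    if any(word in lowered for word in DICTIONARY):
        problems.append("dictionary word")
    if any(pattern in lowered for pattern in KEYBOARD_PATTERNS):
        problems.append("keyboard pattern")
    if user_id.lower() in lowered:
        problems.append("contains user id")
    if fingerprint(password) in history[-HISTORY_DEPTH:]:
        problems.append("reused within last five")
    return problems


def rotate(history: list, new_password: str) -> list:
    """Record a password change; only the last HISTORY_DEPTH fingerprints are kept."""
    return (history + [fingerprint(new_password)])[-HISTORY_DEPTH:]


def password_expired(last_changed: date, role: str, today: date) -> bool:
    """True once the password is older than the limit for the account type."""
    return (today - last_changed).days > MAX_AGE_DAYS[role]


if __name__ == "__main__":
    # Constructed sample accounts; user IDs and dates are illustrative.
    print(check_quality("Siemens2007!", "normal", "jdoe", []))            # ['dictionary word']
    print(check_quality("Tr0ub4dor&3", "admin", "jdoe", []))              # ['too short']
    print(password_expired(date(2007, 6, 1), "normal", date(2007, 9, 1)))  # True
```

The reuse history holds only digests, which is how a checker can enforce "do not reuse the previous five" without itself becoming a store of clear-text passwords (the storage slide requires electronically stored passwords to be encrypted). The dictionary and keyboard-pattern checks are deliberately substring matches, so padding a dictionary word with digits and a symbol does not get it past the rule.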
Policy 8 - System / Data Access Control for IT Systems

Rules for self-protection
- Use protection mechanisms according to regulations, and do not disable, modify or circumvent them.
- Access your own IT system only after authentication has been carried out, e.g. by entering a password.
- Protect access to your own system resources.
- Lock open sessions, including during brief absences from the workstation, e.g. by enabling a screen saver.
- When work is over, close open sessions or otherwise protect against unauthorized system/data access.
- Adopt deputizing regulations for access to your own system/data resources.

Rules for users on external IT systems
- No direct connection to the Siemens intranet is permitted; for remote access contact Local Support.
- Avoid transmission of corporate proprietary data on external systems wherever possible.
- Delete session data from the external system at the end of the session (including in the recycle bin, in temporary directories, etc.).
- Delete Siemens data from private storage media before they are resold or disposed of, in such a way that the data cannot be recovered.
- Transfer data from external systems to the company's own systems as soon as possible if this data is essential for the company.
Policy 9 - Computer Viruses

Handling computer viruses
- Creating and/or distributing computer viruses is strictly forbidden
- False reports on viruses, warning messages, chain letters, etc. must not be created or forwarded
- The system administrator must be informed if a virus is suspected, if the anti-virus program repeatedly reports that a virus was removed, or if the computer responds in an unfamiliar way
- Do not deactivate the anti-virus program or change the settings provided by the system administrator
Policy 10 - Data Backup

Rules for users who create their own data backups
- A valid data backup concept must exist, even if it is a simple one.
- Back up all data, especially data which cannot be restored easily.
- Mark backup media, and protect them against unauthorized access.
- Backup media containing data that must be highly available must be stored separately from the PC or workstation.
- Storage and disposal of data media containing company proprietary data must be in line with Policy 5, "Protection of Corporate Proprietary Information".
Policy 11 - Using Key Material of the Siemens PKI for Encryption, Digital Signature, Authentication

Rules for managers
- Policy rules must be obeyed within the manager's scope of responsibility.
- The risks and consequences of a security breach must be assessed and minimized.
- The manager must acknowledge the revocation of all personal keys of all individuals leaving the company.
- The manager must acknowledge that all non-personal keys are returned if the possessor leaves the company or transfers.
- The manager can transfer ownership of a non-personal key to a successor without revoking the key when the owner leaves the company or is transferred.
DRP - IT Disaster Recovery Planning

When disaster strikes....
- Attacks on suburban trains, Mumbai/India
- Monsoon rain flooding, Mumbai/India, 26.-29. July 2005

How do we continue our business during / after a disaster?

Plan for Disaster Recovery & Business Continuity and follow the Instruction Manual.
BCP Approach

The approach diagram links three strands:

- Infrastructure: the Infrastructure Team produces the IT Disaster Recovery Plan (DRP) and the Non-IT Disaster Recovery Plan; infrastructure contributes to the BCP.
- Business: the CIO and the Business BCP Coordinators carry out the Business Impact Analysis and Risk Analysis (impacts, cost and risk); the Business BCP Coordinators contribute to the BCP.
- Processes: the BCP Coordinators identify mission-critical processes, which feed the BCP/DRP definition.
Business Continuity Management (BCM) Organization

Executive Decision Committee (EDC) - <Team Lead>, <Deputy>: Legal, CEO, CFO, CIO, HR, SRE / Real Estates, CCMS / PR

Business Continuity Program Manager and Response Management Team: BCP Coordinator, RM, HR, IT, Infosec Officer, BU Representatives

Emergency Response Teams (ERT): ERT_IT, ERT_Manufact, ERT_xx, ...
Fire on WTC twin towers

Example of a disaster that can happen in any office premises:

Panic and terror gave way to anger and disbelief on September 11, 2001 as New Yorkers mourned the massive loss of life after two hijacked commercial planes slammed into the World Trade Center's twin towers, which later crumpled to the ground in a heap of concrete, flames and ash.
Behavior in Case of Fire

In case of fire take the nearest escape route to the assembly point.

The call to evacuate the building will be given by fire alarm, by the Chief of the Disaster Preparedness Organisation (DPO) or by the on-scene commander.

Remember that
- elevators must not be used;
- smoke-filled rooms are to be exited in a bent-over or crawling position.

If it is not possible to leave a room safely, i.e. when the escape route is full of smoke:
- close the doors,
- make yourself visible and audible at the window,
- wait for the emergency crew.
Wait at a safe and readily visible place for the fire department to arrive and give them instructions if needed.

Business Continuity Management

Fire is only one of the disasters that can happen in the workplace.
Ref: Instruction Manual for additional guidelines

In case of any disaster, inform the Emergency Response Team (ERT) identified for your SBU.
Policy 13 - Cooperation and Data Communication with Business Partners

Rules on the disclosure of information
- Allow business partners access to corporate proprietary information only to the extent provided for in the applicable contractual agreements.
- All information resulting from the collaboration with a business partner is to be handled as corporate proprietary information.
- Information that has to be passed to a business partner must carry the copyright and classification endorsements.
- The written consent of the owner of corporate proprietary information must be obtained before the information may be made available to the business partner, unless the provider of the information is the owner.
- Own resources are to be protected against unauthorized access by the business partner.
- Data may only be shared with business partners using the applications and systems installed for this purpose in the particular company unit.

Ref: Procedure for Risk from Third Parties
Business partners are to follow Policy 13-1: Rules for Business Partners of Siemens
Policy 14 - Mobile Security

Usage of a mobile device
- Report loss or theft of devices to Local Support.
- Report any unknown / found devices to Local Support.
- Report any manipulation of devices to Local Support.
- Store the device in a safe place.
- Non-Siemens devices must not be used.
- Back up the data regularly.

Configuration of a mobile device
- Do not change default security settings.
- Have the security settings configured before using the device.
- Check the security settings regularly.

Software of a mobile device
- Use the virus scanner software.
- Enable the operating system firewall.
- Use access control software.
Self Discipline (Summary)
- Don't download freeware or pirated software
- Ensure the latest anti-virus software is loaded on desktops
- Always use strong passwords and change them periodically
- Never share your passwords
- Store laptops / data media in a lockable place
- Take regular backups of important data
- Verify the credentials if a message is received from an unknown sender
- Erase all data if data media are to be sent out for repairs
- Dispose of defective data media, including documents, by crushing / shredding
- Avoid business discussions in public places, especially over the phone
- Be alert while working on laptops during travel
- Transmit confidential data in encrypted form only
- Always switch off your computer before leaving for the day
Intranet Resources

- Corporate Information Security Guide: https://cio.siemens.com/
- Virus Competence Center: https://vcc.siemens.com/
- Computer Emergency Response Team: https://www.cert.siemens.de/
Quiz

Q1 You are about to go on vacation. What measures do you undertake on your last working day?
- I lock up all portable data media
- I give a trustworthy co-worker my password, in case someone has to use my PC
- I take my computer home to prevent any misuse in my absence
- I leave my ID card at the main reception desk
- I follow the appropriate steps outlined in the personnel regulations concerning vacation / deputation

Q2 Which rules govern password use?
- They should not have more than 10 letters
- Punctuation marks and symbols are not permitted
- They should be easy to remember, such as your spouse's name
- They should never be written down
- They should be changed regularly

Q3 Which rules are applicable for receiving visitors at Siemens?
- Siemens does not permit any visitors on company premises
- Visitors must be accompanied at all times
- All visitors must be picked up at the reception desk
- It is forbidden to hold any doors open for visitors
- I provide visitors with my ID card to permit them free access to the building

Q4 Which of the following is not part of the basis of data quality?
- Confidentiality
- Integrity
- Availability
- Comparability
- Liability

Note: there may be more than one correct choice.
Thank You