GSD XM ISO 27001:2013 External Audit Awareness


Documents for YIFAN employees to read: External Audit Awareness, provided by Shuying Gao

GSD XM ISO 27001:2013 External Audit Awareness, by Shuying Gao, Feb 19, 2016

Agenda
ISO 27001:2013 basic information
Global Information Security Policy
ISO 27001:2013 Information Security Management System (ISMS)
Objective status
Risk assessment result sharing
Frequent audit questions and answers

ISO 27001:2013 Basic Information
1. What is ISO? ISO is the abbreviation of the International Organization for Standardization. Its output is formally published international standards, i.e. ISO standards.
2. Which management system standard is GSD XM currently implementing? ISO/IEC 27001:2013, Information Security Management System (ISMS).
3. Why does GSD XM implement this standard? Customer requirements, globalization requirements and Dell's own need to improve: continually raise the level of information security management and meet customer needs; implement risk control and strengthen the confidence of investors and stakeholders; provide a secure working environment and build a good public image.

ISO 27001:2013 Basic Information
What is it? ISO/IEC 27001 is an internationally recognized standard for an Information Security Management System (ISMS). It helps an organization identify the risks to its important information and put appropriate controls in place to reduce those risks. The standard has 10 clauses; clauses 4 to 10 (seven main areas) contain the requirements an organization must comply with, and Annex A lists 114 controls for reducing information security risk.
Why is it needed? Information security incidents such as hacking, virus infections, breaches of critical customer data and leakage of internal company documents have a serious impact on daily operations and can, in some cases, threaten national security. The loss caused by a security failure can exceed the loss of a commercial deal.

ISO 27001:2013 Basic Information
What is the impact of not operating the ISMS?
Direct loss: reduced product market share; reduced sales revenue.
Indirect loss: increased recovery cost; customer complaints; brand and reputation damage.
Legal loss: violation of laws and regulations; increased litigation, fines and legal costs.

ISO 27001:2013 Basic Information
Certification status of Dell (China) Co., Ltd. [Wuyuan Bay Operations Center, Haicang Building 1#, 613 Sishui Road / 2388 Jinshang Road]
Management system: ISO 27001:2013
Stage 2 external audit date: Feb 22 to 29, 2016
Certification body: NSAI (National Standards Authority of Ireland)
Certification scope: Activities applicable to end-to-end services and solutions, encompassing customer support, configuration services and deployment services for customers in China

ISO 27001:2013 Basic Information
ISMS management representative: Ernest Lee, Ext: 888 5480
ISMS implementation leader: Shuying Gao, Ext: 888 4079
Dell's commitment: Information security protects the confidentiality, integrity and availability of Dell assets to ensure business continuity, minimize business impact, and maximize return on investment and business opportunities.

ISO 27001:2013 Basic Information
Communication: the management team delivers its requirements and strong support; the committee team delivers ISMS requirements and shares knowledge with their teams.
For any questions, email the dedicated ISMS mailbox: GSD_Xiamen_ISMS_Communication@Dell.com

ISO 27001:2013 Teams
Global PM: Isern-Flecha, Ileana; TS: Alan Lim
China PM: Shuying Gao
Cybersecurity Consult: Sze, Dickson
Core Team (Control Process Owners):
Enterprise TS: Jiang, Xinhua
Pro-support TS: Yuan, Ricky
Support Service Ops: Chen, Ada
Client TS: Jiang, Leo
TAM: Zeng, Jolen
GCC: Chen, Vicky
GFS: Cai, Eden
GETS: Chen, Joelle
CS: Zhang, Kosta
GSPPO-Part Planning: Zhang, Rachel
GSPPO-DLP: Zhong, Sally
Supporting team:
Physical security: Y, Jason; Lin, Tina
HR: Huang, Sophy; Du, Junli
Facility: Shen, Candy; Liu, Li hua
GP: Chen, Jerry; Chan, Audrey; Durai, Karthick; Tsoi, Haydee; Wu, Heidi
Data Center: Wang, Toms; Lin, Henry
Legal: Chen, Kylie; Chen, Happy

ISO 27001:2013 Basic Information
Document list (click here)
PAL (Process Asset Library): stores ISMS documents; review/approval tracking; change records. Link here.
QMS (Quality Management System): GSD XMN ISO 27001:2013 project documents; implementation evidence; ISMS documentation list. Link here.

ISO 27001:2013 Basic Information
Document list (click here)
Why must ISO documents be updated promptly? A work process changes; the responsible person or the department's responsibilities change; a system changes, etc. Otherwise actual operation no longer matches what the document specifies, and an outdated document can lead to mistakes.
How to change an ISO document:
1. Contact the PAL owner to move the document from Active to Stage.
2. Edit the document content; this triggers approval by the Reviewer and the Approver.
3. Notify the PAL owner to record the change information and move the document from Stage back to Active.

Global Information Security Policy (policy link)
Owned by the Dell Chief Security Officer (CSO) and formally reviewed annually. Supported by content in Dell's Ethics and Compliance mandatory training for all employees.
"Purpose: Information is one of Dell's most valuable assets and shall be protected. Information can be written, oral, stored electronically, or embedded in video. Information security protects the confidentiality, integrity, and availability of Dell's data and computing environment from a wide range of threats in order to ensure business continuity, minimize business impacts, and maximize return on investment and business opportunities.
Scope: This Policy applies to Information Technology resources storing or processing data owned or controlled by Dell, regardless of ownership or location. This Information Security Policy is a Corporate Policy and applies to all Dell employees, employees of any Dell subsidiary, assigned workers, as well as to third parties performing services on Dell's behalf (hereinafter collectively referred to as "You"). For employees, compliance with this Policy is an expectation of employment (subject to local legal requirements). For assigned workers and third parties who perform services on Dell's behalf, compliance with this Policy is a condition of access to Dell facilities and resources, and of being permitted to perform services for Dell."
The policy also covers: policy statements (obligations); procedures and training; asking questions; reporting and investigations; discipline and other consequences; other topics.

Global Information Security Policy (policy link): Policy Statement
1. Dell people resources (i.e. employees, contractors, consultants, vendors, business partners, other third parties) shall maintain the confidentiality, integrity, and availability of company information. Information used to conduct Dell business shall be protected from unauthorized access, disclosure, modification, or deletion and shall be accessible when needed to support business operations.
1a. Third-party Dell resources, either individuals or companies, shall be compliant with Dell Information Privacy and Security Agreement (IPSA) terms and are subject to review by Dell Cybersecurity to support Dell's Information Security Policy and Standards.
2. Dell computer systems and networks shall be designed, engineered, and operated in a way that ensures the confidentiality, integrity, and availability requirements of the information they store, process, and/or transmit.
3. Information, regardless of form or format, is classified as confidential unless Dell classifies it as public. Data must fall under one of the data classification types described in the Data Classification standard. Required access controls for confidential information shall be determined by the data owner based on commercial value, sensitivity, impact of loss or compromise, legal and contractual requirements, and Dell's obligations of confidentiality to employees, business partners, external customers, and trading partners.
4. Dell Cybersecurity shall perform ongoing risk reviews and assessments of Dell's information security posture worldwide as appropriate. These risk reviews and assessments are used as an input to enterprise risk management practices.
5. This policy is supported by other, topic-specific information security policies. Those policies are supported, similarly, by information security standards and procedures.

ISO 27001:2013 ISMS framework
Planning: formulate the information security strategy; determine the system scope; define management responsibility; determine control objectives and control methods through risk assessment.
Risk management: risk assessment (refer to ISO/IEC TR 13335), covering vulnerability and threat; risk mitigation; risk control.
Implementation: implement the controls.
Maintenance: follow PDCA (Plan, Do, Check, Act). Once the ISMS is established, the organization shall operate according to its requirements.

ISO 27001:2013 ISMS: from business needs to security goals
Start from business needs: the business depends on the security of its information assets. Risk management protects those assets. The direct goal of information security is the confidentiality, integrity and availability of the assets; its final goal is meeting the business needs.

ISO 27001:2013 ISMS: Committee Team and Supporting Team
ISMS Committee Team
Customer Support: 1. CSTTS (Enterprise & Pro-support TS; Client support TS) 2. GCC 3. TAM
Deployment & Field Service: 1. CS 2. GFS 3. GETS 4. GSPPO (Part planning; Service ops.)
Supporting Team: 1. Cybersecurity 2. Data center 3. Facility 4. GP 5. HR 6. Legal 7. Physical security

ISO 27001:2013 ISMS clauses mapped to PDCA
PLAN
6. Planning: 6.1 Actions to address risks and opportunities; 6.2 Information security objectives and planning to achieve them
7. Support: resources, competence, awareness, communication, documented information
DO
8. Operation: 8.1 Operational planning and control; 8.2 Information security risk assessment; 8.3 Information security risk treatment
CHECK
9. Performance evaluation: 9.1 Monitoring, measurement, analysis and evaluation; 9.2 Internal audit; 9.3 Management review
ACT
10. Improvement: 10.1 Nonconformity and corrective action; 10.2 Continual improvement

ISO 27001:2013 ISMS: Global Secure Workplace Policy and Security Best Practices
Best practices: lock down information; lock down Dell systems; maintain good habits; speak up; Dell office space: clear desk; Dell office space: secure disposal; conference rooms, shared desks and common areas; home office; working in a public space or while traveling; use Dell assets, email, Internet and social media safely.
Global policy documents: Dell Secure Workplace Standard; Dell Secure Workplace Checklist; job aid for a secured workplace.
Regular secure workplace audit: champions for encouragement; non-compliance (NC) is handled through CAPA (corrective action, preventive action); plan to initiate audits from November.

ISO 27001:2013 ISMS: Secure Work Environment, Secure Work Tips
Keep internal company documents and valuables such as laptop bags, phones and wallets in a locked cabinet or with you; do not leave or stick them on the desk, and keep the cabinet locked at all times.
Wear your badge visibly on your chest or waist.
Lock your screen whenever you step away from your seat, even briefly.
Take your laptop and documents with you when leaving a conference room, even for a short time.
Collect printouts immediately; do not leave them at the printer.
Make sure the company-required Data Protection and McAfee security software is installed.
Microsoft Office has the Titus Data Labeling add-in; know how to use each classification level.
Emergency numbers: internal 888 2222; police 110; fire 119.


ISO 27001:2013 ISMS: Data Classification (link)

ISO 27001:2013 ISMS: data classification diagram (damage, value, dissemination, protection)

Risk Assessment Result Sharing
The risk assessment was conducted in 3 phases:
1. Initial risk assessment conducted at the May 2015 workshop, based on the identified assets. 12 threats/vulnerabilities across 4 asset categories with a high risk factor were identified and treatment plans recommended; 11 are to be mitigated and 1 was accepted. 8 of the 11 have been closed; the remaining 3 are to be closed by the end of April.
2. Additional risk assessment conducted during the office tour in May: 4 risk items were identified, all of which have been remediated and closed.
3. Additional activities-based assessment conducted as part of the stage 1 audit findings: 1 threat category with a high potential risk factor was found, sending unsecured mail to external parties. A treatment plan has been recommended and is being implemented by some of the relevant teams.

Legal Requirements: list of laws and regulations relevant to information security. The GSD XM ISMS complies with legal and regulatory requirements.

Objective Status: objectives, metrics and achievement status

Frequent audit questions
What is Dell's information security policy?
Who is the management representative of the GSD XM information security management system?
Who is your department's ISO 27001 representative?
What potential information security risks exist in your department?
Which laws and regulations apply to your department, and do you comply with them?
What are the objectives of the GS XM ISMS?
What are your department's ISMS metrics, and are metrics that were not met analysed and acted on?
What are the internal and external emergency numbers?

Frequent audit questions: sample answers
Q1. What is Dell's information security policy? See the Global Information Security Policy (slide 11).
1. We must maintain the confidentiality, integrity and availability of company information. Company information is protected by controlling access authorization and by preventing unauthorized disclosure, modification or deletion, in support of business operations.
1a. Third-party Dell resources, whether individuals or companies, shall comply with the Dell Information Privacy and Security Agreement (IPSA); Dell Cybersecurity reviews them in support of the information security policy and standards.
2. Dell computer systems and networks shall be designed and managed for confidentiality, integrity and availability of the information they store, process and transmit.
3. Information defined as confidential must be managed according to the data classification standard, and access control is required (slides 19 and 20).
4. Dell Cybersecurity shall carry out ongoing risk assessments and reviews.
5. This policy is supported by other information security policies, standards and procedures.
Q2. Who is the management representative of the GSD XM ISO 27001 ISMS? Lee, Ernest.
Q3. Who is the China implementation leader for GSD XM ISO 27001, and who is your department's ISO 27001 information security representative? Gao, Shuying is the China implementation leader. Department representatives: CSTTS-Enterprise & Pro-support: Jiang, Xinhua; Yuan, Ricky; CSTTS-Client Support: Jiang, Leo; GCC: Chen, Vicky; TAM: Zeng, Jolen; CS: Zhang, Kosta; GFS: Cai, Eden; GETS: Chen, Joelle; GSPPO-Part planning: Zhang, Rachel; GSPPO-Service ops: Zhong, Sally.
Q4. What potential information security risks exist in your department? 1. Protection and management of customer PII. 2. Prohibited use of USB disks, second hard drives, second operating systems and other unauthorized removable storage. 3. Unauthorized software installation. 4. BCP plan. 5. Emails containing sensitive information. 6. Shared storage on servers. Risks are brought under control by reducing, transferring or accepting them.
Q5. Secure work tips (slide 17): 1. Keep internal company documents and valuables such as laptop bags, phones and wallets in a locked cabinet or with you; do not leave or stick them on the desk, and keep the cabinet locked at all times. 2. Wear your badge visibly on your chest or waist. 3. Lock your screen whenever you step away from your seat. 4. Take your laptop and documents with you when leaving a conference room, even briefly. 5. Collect printouts immediately; do not leave them at the printer. 6. Make sure the company-required Data Protection and McAfee security software is installed. 7. Microsoft Office has the Titus Data Labeling add-in; know how to use each classification level.
Q6. Which laws and regulations apply, and are they complied with? The Consumer Rights Protection Law, the Copyright Law of the PRC, the Patent Law of the PRC, the Criminal Law of the PRC, the Regulations on Computer Software Protection, the Regulations of the PRC on Customs Protection of Intellectual Property Rights, and others; the requirements are complied with.
Q7. What is the main objective of GSD XM ISO 27001? Operate the ISMS, comply with ISO 27001:2013 and obtain ISO 27001:2013 certification.
Q8. What are your department's ISO 27001 information security objectives? Actively participate in and execute the ISMS and obtain ISO/IEC 27001:2013 certification; take the company's mandatory ethics training and the ISMS awareness training; protect privacy and keep daily behaviour in line with company requirements; cooperate with access and password controls and take part in secure workplace audits to keep information confidential and the workplace secure; take part in the BCP plan so that help can be provided and the business can continue running when an incident occurs.
Q9. What are the emergency contacts? Internal: security 888 2222. In case of suspected theft, leakage of confidential information, or loss of a Dell laptop or other Dell device, report immediately to the Dell Global Security Center at http://intranet.dell.com/dept/GLOBALSECURITY/Pages/emergency/reportIncident.aspx, or call 001-512-728-5555. External: police 110; fire 119.
Q10. What should you do when you encounter a problem? Contact your department manager or department representative (Jiang, Xinhua / Yuan, Ricky), or email GSD_Xiamen_ISMS_Communication@Dell.com.

Main challenges in preparing for the stage 2 external audit (document list: click here)
Information security management in project management: an information security risk control mechanism for project management must be established according to the process, in all organizations within the GSD XM certification scope. Status: done.
Supplier information security management: audits carried out according to the supplier information security management process; audits of all in-scope suppliers completed within one year and the results reported. Status: done.
IT BCP plan: an IT BCP plan and its test results are needed as evidence. Status: the relevant evidence is available.

How to prepare for the stage 2 external audit? (document list: click here)
Training: all auditees must attend the stage 2 external audit awareness training.
Read the relevant regulations, documents and processes: all auditees must read the ISO 27001:2013 standard, the manual, the Annex A control manual, the risk assessment and the GSD XM processes.
Prepare evidence and the presentation deck: section leaders hold meetings to collect evidence, so as to avoid the risk of being unable to locate a control point, a document or the related evidence during the audit.

Q & A Thank you!

GSD Organization (file)