ISMS Presentation

The document discusses the Bank of Ceylon's implementation of an Information Security Management System (ISMS) based on the ISO 27001 standard. It provides an overview of the bank, an introduction to ISMS, benefits of ISMS, costs associated with ISMS, the bank's asset register listing key digital, physical and people assets, and analyses of the bank's most critical assets including ATM machines, the online banking website and mobile app, the account holder information database, the database manager, and the network engineer. Risk assessments are performed for the critical assets.

Uploaded by

Anonymouse CTF

Information Security Management System (ISMS)
based on the ISO 27000 series standards (ISO 27000)

ENTERPRISE STANDARDS FOR INFORMATION SECURITY

SRI LANKA INSTITUTE OF INFORMATION TECHNOLOGY
BSC (HONS) IN INFORMATION TECHNOLOGY, CYBER SECURITY
Table of contents
✓ About Organization
✓ ISMS Introduction
✓ ISMS Benefits
✓ ISMS Cost
✓ Assets Register
✓ Registered Assets
✓ Most Critical Assets
Bank of Ceylon (BOC)
Bank of Ceylon is a state-owned, major commercial bank in Sri Lanka. Its
head office is located in an iconic cylindrical building in Colombo, the political
and commercial capital of the island.

The bank has a network of 628 branches, 689 automated teller machines
(ATMs), 123 cash deposit machines (CDMs) and 15 regional loan centres within
the country. It also has an around-the-clock call centre at 0094 11 2204444 and
an around-the-clock branch at its Colombo office.

In addition to the local presence, the bank maintains an off-shore banking unit
in the head office in Colombo, and three branches in Malé, Chennai and
Seychelles, and a subsidiary in London.
ISMS Introduction
An information security management system (ISMS) is a framework of policies
and controls that manages information security and risk systematically across
your entire enterprise.

These security controls can follow common security standards or be more focused
on your industry. For example, ISO 27001 is a set of specifications detailing how
to create, manage, and implement ISMS policies and controls. The standard doesn't
mandate specific actions; instead, it provides guidelines on developing appropriate
ISMS strategies.

The framework for an ISMS is usually focused on risk assessment and risk
management.
ISMS Benefits
▪ Secures your information in all its forms
  • An ISMS helps protect all forms of information, including digital, paper-based, intellectual property, company secrets, data on devices and in the Cloud, hard copies and personal information.
▪ Provides a centrally managed framework
  • An ISMS provides a framework for keeping your organization's information safe and managing it all in one place.
▪ Helps respond to evolving security threats
  • Constantly adapting to changes both in the environment and inside the organisation, an ISMS reduces the threat of continually evolving risks.
▪ Protects confidentiality, availability and integrity of data
  • An ISMS offers a set of policies, procedures, technical and physical controls to protect the confidentiality, availability and integrity of information.
▪ Increases resilience to cyber attacks
  • Implementing and maintaining an ISMS will significantly increase your organisation's resilience to cyber attacks.
▪ Reduces costs associated with information security
  • Thanks to the risk assessment and analysis approach of an ISMS, organisations can reduce costs spent on indiscriminately adding layers of defensive technology that might not work.
ISMS Cost

These are the main costs associated with the management system
elements of an ISO 27000 ISMS.

▪ ISMS management costs
▪ ISMS implementation costs
▪ Certification costs
▪ Maintenance costs
Assets Register
o Digital Assets
o Business Databases
o Physical Assets
o People Assets
o Servers
o Network Devices
o Media
o Support Utilities
Registered Assets
▪ Digital Assets
  • Banking Website
  • Self Banking Mobile app

▪ Business Databases
  • Employees database
  • Account holder's information database

▪ Physical Assets
  • ATM Machines
  • Vehicles

▪ People Assets
  • Database Manager
  • Network Administrator

▪ Media
  • Commercial Advertisements
  • Public campaign and Banners
Most Critical Assets

❑ ATM Machines
❑ Online Banking web site & mobile app
❑ Account holder's information database
❑ Database Manager
❑ Network Engineer
ATM Machines

| Known or suspected threats | Known or suspected vulnerabilities | Primary concerns (C/I/A) | Impact level | Possibility of occurrence | Raw risk level | Key information security controls in effect | Undetectability | Detected risk level |
|---|---|---|---|---|---|---|---|---|
| Remote cyber attack | Taking control of ATM server, incomplete checking and updating | C+A | 4 | 1 | 4 | Security controls | 4 | 16 |
| Inset skimmers | Capture information from swiped cards | C+I | 5 | 3 | 15 | Checking and correcting data | 2 | 30 |
| Direct malware attack | Using physical access to an ATM to deploy malware variants | C | 3.5 | 2 | 7 | Security controls | 2 | 14 |

Mean risk total: 30
Online Banking web site & mobile app

| Known or suspected threats | Known or suspected vulnerabilities | Primary concerns (C/I/A) | Impact level | Possibility of occurrence | Raw risk level | Key information security controls in effect | Undetectability | Detected risk level |
|---|---|---|---|---|---|---|---|---|
| Virus | Anti-virus program is not properly updated | C+I+A | 4 | 3 | 12 | Renew the anti-virus program and update the system | 2 | 24 |
| Hacking | Network connectivity, inadequate firewall protection | C+I+A | 2 | 2 | 4 | Data protection policies & procedures, network security controls, system security controls | 4 | 16 |
| Software errors | Software does not have proper access control | C+A | 5 | 4 | 20 | Ensure a proper connection to the network | 2 | 40 |

Mean risk total: 40
Account holder's information database

| Known or suspected threats | Known or suspected vulnerabilities | Primary concerns (C/I/A) | Impact level | Possibility of occurrence | Raw risk level | Key information security controls in effect | Undetectability | Detected risk level |
|---|---|---|---|---|---|---|---|---|
| Disk failure | There is no backup of the document | A | 5 | 5 | 25 | Maintain a backup device | 2 | 50 |
| Unauthorized access | Access was given to too many people and the access control scheme is not properly defined | C+I+A | 2.5 | 4 | 10 | Data protection policies & procedures, network security controls, system security controls | 3 | 30 |
| Virus | Anti-virus program is not properly updated | C+I+A | 3 | 5 | 15 | Renew the anti-virus program and update the system | 3 | 45 |

Mean risk total: 42
Database Manager

| Known or suspected threats | Known or suspected vulnerabilities | Primary concerns (C/I/A) | Impact level | Possibility of occurrence | Raw risk level | Key information security controls in effect | Undetectability | Detected risk level |
|---|---|---|---|---|---|---|---|---|
| Unavailability of this person | There is a replacement for this position | A | 3 | 3 | 9 | There is no replacement for this position | 5 | 45 |
| Frequent errors | Lack of training | I+A | 5 | 2 | 10 | Network Engineers must have proper training on network knowledge | 2 | 20 |

Mean risk total: 13
Network Engineer

| Known or suspected threats | Known or suspected vulnerabilities | Primary concerns (C/I/A) | Impact level | Possibility of occurrence | Raw risk level | Key information security controls in effect | Undetectability | Detected risk level |
|---|---|---|---|---|---|---|---|---|
| Unavailability of this person | There is a replacement for this position | A | 3 | 4 | 12 | There is no replacement for this position | 4 | 48 |
| Frequent errors | Lack of training | I+A | 1.5 | 2 | 3 | Network Engineers must have proper training on network knowledge | 5 | 15 |
| Access to the network by unauthorized persons | Lack of policies for the correct use of telecommunications media and messaging | C+A | 2 | 5 | 10 | Company policies, data protection policies & procedures, network security controls, system security controls | 3 | 30 |

Mean risk total: 51
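As an added example (not part of the deck), the scoring model the five asset tables share, written out in Python: raw risk is impact level times possibility of occurrence, and detected risk is raw risk times undetectability, which holds for every row on the slides. The per-asset arithmetic mean of detected risk used here to rank assets is my reading of "mean risk total" and is an assumption, as are the shortened asset names and the acceptance threshold passed to `rows_above`.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class RiskRow:
    asset: str
    threat: str
    cia: str              # primary concern: C, I and/or A
    impact: float         # impact level, 1..5
    likelihood: float     # possibility of occurrence, 1..5
    undetectability: int  # 1..5, higher means harder to detect

    def raw_risk(self) -> float:        # impact x possibility (slide column "Raw risk level")
        return self.impact * self.likelihood

    def detected_risk(self) -> float:   # raw risk x undetectability ("Detected risk level")
        return self.raw_risk() * self.undetectability

# Rows transcribed from the five "Most Critical Assets" slides (asset names shortened).
REGISTER = [
    RiskRow("ATM Machines", "Remote cyber attack", "C+A", 4, 1, 4),
    RiskRow("ATM Machines", "Inset skimmers", "C+I", 5, 3, 2),
    RiskRow("ATM Machines", "Direct malware attack", "C", 3.5, 2, 2),
    RiskRow("Online Banking", "Virus", "C+I+A", 4, 3, 2),
    RiskRow("Online Banking", "Hacking", "C+I+A", 2, 2, 4),
    RiskRow("Online Banking", "Software errors", "C+A", 5, 4, 2),
    RiskRow("Account holder DB", "Disk failure", "A", 5, 5, 2),
    RiskRow("Account holder DB", "Unauthorized access", "C+I+A", 2.5, 4, 3),
    RiskRow("Account holder DB", "Virus", "C+I+A", 3, 5, 3),
    RiskRow("Database Manager", "Unavailability of this person", "A", 3, 3, 5),
    RiskRow("Database Manager", "Frequent errors", "I+A", 5, 2, 2),
    RiskRow("Network Engineer", "Unavailability of this person", "A", 3, 4, 4),
    RiskRow("Network Engineer", "Frequent errors", "I+A", 1.5, 2, 5),
    RiskRow("Network Engineer", "Unauthorized network access", "C+A", 2, 5, 3),
]

def mean_detected_risk(asset: str, rows=REGISTER) -> float:
    """Arithmetic mean of detected risk over one asset's rows (assumed meaning of 'mean risk total')."""
    return mean(r.detected_risk() for r in rows if r.asset == asset)

def rank_assets(rows=REGISTER) -> list[tuple[str, float]]:
    """Assets ordered by mean detected risk, highest first: the treatment priority list."""
    assets = dict.fromkeys(r.asset for r in rows)   # de-duplicate, keep slide order
    return sorted(((a, round(mean_detected_risk(a, rows), 2)) for a in assets),
                  key=lambda t: t[1], reverse=True)

def rows_above(threshold: float, rows=REGISTER) -> list[RiskRow]:
    """Rows whose detected risk exceeds the (assumed) acceptance threshold and need treatment."""
    return [r for r in rows if r.detected_risk() > threshold]
```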
Our Group

IT-17168014  Pransikkudura K.L.S
IT-17183864  R.M.V.D.B. Rathnayake
IT-17124768  Silva A.A.N

Thank you