
Presentation On

Information Security Policy Guideline

Presenters

 Thanvir Ahmad – EMIT 2302118
 Naimuzzaman – EMIT 2302117
 Md. Abu Raihan Chowdhury – EMIT 2302138

2 2/27/2024
Referenced Documents

➢ Information Security Policy Guideline, dated 6th April 2014
Preamble

• Vision 2021: Digital Bangladesh
• Implementation of e-governance
• Information Security Policy
Current Situation

• Lack of information protection procedure
• Weak and unmanaged security controls
• Under-skilled personnel and lack of expertise
Guideline Governance and Enforcement

❖ Ministry of ICT, on behalf of the Government of Bangladesh, will have the ownership
❖ Ministry of ICT will monitor the implementation
❖ Bangladesh Computer Council, Office of the CCA and Bangladesh Telecommunication Regulatory Commission (BTRC) will jointly coordinate the implementation
Guideline Covers

• Objective
• Scope
• Different Terminology
• Information Classification
• Roles and Responsibility
• Risks, Threats and Vulnerabilities
• State of Information Security
• Strategy
• Assessment of Risks, Threats and Vulnerabilities
• Security Controls to Protect Information
• Legal Issues of Information Security
• Importance of Auditing for Information Security
• Monitoring and Improving
• Certification as an Agency
• Procedures for Incident Handling
• Backup and Restore Mechanism
• Business Continuity and Disaster Recovery Plan
• Sample Information Security Policy
Risk, Threats and Vulnerabilities

• Understanding Risk, Threats and Vulnerabilities
• Identification of Risk, Threats and Vulnerabilities
• Risk Management
• Risk Management Template
Risk

The potential (merely a “chance”) for loss, damage or destruction of an information asset as a result of a threat exploiting a vulnerability.
Reasons of Risk

• Lack of security awareness
• Operating procedures are not documented
• Little support for security measures
• Lack of fire prevention system
• Information is not classified
• The building is in an earthquake zone, where minor quakes are expected
• No official policy, and no monitoring/intrusion detection or incident response team is in place
• Weak access control mechanisms exist
• The building is in a flood zone or can be affected by flood because of the lack of a proper water disposal system
• Inadequate information security policy operates
• Employees are not identified adequately; visitors may roam unchecked
Threat

A threat is a potential cause of an unwanted incident, which may result in harm to a system or an organization’s information assets.
Typical Information Security Threats

• Unauthorized access
• Disclosure of information
• Legal threats
• Sabotage
• Inadequate security awareness
• Poor security policy
• Fraud
• Workload
• Denial of service
• Spoofing
• Advanced persistent threat (APT)
• Applications with bugs
• Eavesdropping
Vulnerability

Vulnerabilities are flaws or weaknesses associated with an agency’s assets or capabilities. A vulnerability is merely a condition or set of conditions that may allow a threat to affect an asset.

Typically a vulnerability results from:

• flawed procedures,
• under-skilled staff,
• incorrectly configured or defective technology.
Classification of Vulnerability

• Organizational
• Spatial
• Personnel
• Hardware, software and network
• Environmental
Identification of Risk, Threats and Vulnerabilities

• Information Asset: something that an agency tries to protect.
• Threat: something against which an agency tries to protect its information asset.
• Vulnerability: the weakness or gap in the protection efforts made by an agency.
• Risk: the destruction (or chance of destruction) of an information asset as a result of a threat exploiting a vulnerability.
Risk Management

1. Establish the context
2. Identify Risk
3. Analyze Risk (Likelihood, Consequence, Estimate Level of Risk)
4. Evaluate Risk
5. Treat Risk

Communication and Consult, and Monitoring and Review, run alongside all of the steps above.
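The steps above, worked through in code as an added example (not part of the presentation or the guideline it summarizes): a small risk register that identifies asset, threat and vulnerability, estimates the level of risk as likelihood × consequence, evaluates it against an acceptance threshold and proposes a treatment. The 1–5 scales, the rating bands and the sample entries are assumptions for illustration; the guideline's own template is not reproduced on the page.

```python
from dataclasses import dataclass

# Assumed qualitative scales (1..5); the guideline's template is not on the page
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    asset: str          # information asset the agency tries to protect
    threat: str         # potential cause of an unwanted incident
    vulnerability: str  # weakness that lets the threat affect the asset
    likelihood: str     # key of LIKELIHOOD
    consequence: str    # key of CONSEQUENCE


def estimate_level(risk: Risk) -> int:
    """Analyze step: level of risk = likelihood x consequence (1..25)."""
    return LIKELIHOOD[risk.likelihood] * CONSEQUENCE[risk.consequence]


def rate(level: int) -> str:
    """Evaluate step: map the numeric level onto assumed rating bands."""
    if level >= 15:
        return "high"
    if level >= 8:
        return "medium"
    return "low"


def treat(risk: Risk, accept_at_or_below: int = 4) -> str:
    """Treat step: accept small risks, escalate high ones, mitigate the rest."""
    level = estimate_level(risk)
    if level <= accept_at_or_below:
        return "accept"
    return "escalate" if rate(level) == "high" else "mitigate"


def register(risks):
    """Return (level, rating, treatment, risk) rows, highest level first."""
    rows = [(estimate_level(r), rate(estimate_level(r)), treat(r), r) for r in risks]
    return sorted(rows, key=lambda row: row[0], reverse=True)


# Constructed sample entries, drawn from the 'Reasons of Risk' slide
SAMPLE = [
    Risk("citizen database", "unauthorized access", "weak access control", "likely", "major"),
    Risk("server room", "fire", "no fire prevention system", "unlikely", "severe"),
    Risk("records", "disclosure", "information is not classified", "possible", "moderate"),
    Risk("workstations", "eavesdropping", "visitors roam unchecked", "rare", "minor"),
]
```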
Risk Management Template
Security Control

Security controls are safeguards or countermeasures to avoid, counteract or minimize security risks.
Security Control Criteria

• According to Time: Preventative, Detective, Corrective
• According to Nature: Physical, Legal and regulatory, Procedural, Technical
Example of Some Security Controls

• Personnel Security
• Equipment Control
• Access controls
• Physical and Environmental Protection
• Operational Procedure and responsibilities
• Third party service delivery management
• System planning and acceptance
• Application Security
• Protection against malicious code
• Information back-up
• Network security management
• Removable Media handling
• Information exchange/transmission
• Information disposal
• Information system security
• Cryptographic controls
• Correct processing
• System files security
• Monitoring
Digital Signature certificates ensure the 4 goals of Information Security

• Authenticity
• Confidentiality
• Integrity
• Non-repudiation
Some Legal and Compliance Documents

• ICT Act 2006 (amended in 2009)
• ICT Policy 2009
• Right to Information Act
• Intellectual Property Rights
• Copyright, Patent, Trademark related laws
• PKI related rules/guidelines for cryptographic controls
• Laws on document & records retention
• Cyber Security related laws/guideline/policy
• UN conventions/Laws related to internet or cyber security
Business Continuity Plan Steps

• Including information security in the business continuity management process;
• Business continuity and risk assessment;
• Developing and implementing continuity plans including information security;
• Business continuity planning framework;
• Testing, maintaining and re-assessing business continuity plans.
Some More Issues

• Standards and Guideline
• Information System Audit and Certification
• Incident Management
• Monitoring & Improvement
• National Cyber Security Strategy
Sample Outline of an IS Policy

• Preamble
• Definitions
• Introduction
• Scope
• Policy Governance & Monitoring
• Information Asset and Classification
• Roles & Responsibilities
• Risk management
• Security Controls
• Security policies, principles, standards, and Compliance
• Incident Management
• Policy Awareness and Training on Information Security
• Reference Documents (Guideline/Procedure/Appendix)
Acronyms

1. AS/NZS - Australia/New Zealand Standard
2. APT - Advanced Persistent Threat
3. BCC - Bangladesh Computer Council
4. BTRC - Bangladesh Telecommunication Regulatory Commission
5. CCA - Controller of Certifying Authorities
6. CoBIT - Control Objectives for Information and Related Technology
7. DDoS - Distributed Denial of Service
8. EU - European
9. FFIEC - Federal Financial Institutions Examination Council
10. ICT - Information and Communication Technology
Acronyms

11. IDS - Intrusion Detection System
12. IEC - International Electrotechnical Commission
13. IETF - Internet Engineering Task Force
14. IPS - Intrusion Prevention System
15. IS - Information Security
16. ISMS - Information Security Management System
17. ISO - International Organization for Standards
18. IT - Information Technology
19. ITIL - Information Technology Infrastructure Library
20. LAN - Local Area Network
21. OECD - Organisation for Economic Co-operation and Development
22. PC - Personal Computer
23. PDCA - Plan-Do-Check-Act Cycle
24. PKI - Public Key Infrastructure
25. RFC - Request for Comment
26. USA - United States of America

THANK YOU