UNIT-5 NIS

The document presents an overview of network and information security, focusing on protocols like Kerberos for authentication, IPSec for secure data transmission, and SMTP for email communication. It also discusses email security standards such as Privacy Enhanced Mail (PEM) and Pretty Good Privacy (PGP), along with the role of Public Key Infrastructure (PKI) in managing digital certificates. Additionally, it highlights the nature of cybercrime and its implications for network security.

Uploaded by

shibannandi3

Presentation on Network And Information Security (22620)

By Ms. Pritee H. Raut (Assistant Professor)

COMPUTER ENGINEERING DEPARTMENT
G. H. RAISONI POLYTECHNIC, NAGPUR

UNIT-5
Network Security, Cyber Laws And Compliance Standards
(MARKS-14)

Kerberos
Kerberos is a network authentication protocol designed to provide strong authentication
for client/server applications by means of secret-key cryptography. Kerberos is used to
protect access to network resources.

The principal entities involved in the typical Kerberos workflow are: (2m)
1. Client. The client acts on behalf of the user and initiates communication for a service
request.
2. Server. The server hosts the service the user wants to access.
3. Authentication Server (AS). The AS performs the desired client authentication. If the
authentication succeeds, the AS issues the client a ticket called the TGT (Ticket
Granting Ticket).
4. Key Distribution Center (KDC). In a Kerberos environment, the authentication server is
logically separated into three parts: a database (db), the Authentication Server (AS), and
the Ticket Granting Server (TGS). These three parts, in turn, exist in a single server
called the Key Distribution Center.
5. Ticket Granting Server (TGS). The TGS is an application server that issues tickets for the
server.
Working of Kerberos
Step-1:
The user logs in and requests services on the host; that is, the user requests a ticket for the
ticket-granting service (TGS).

Step-2:
The Authentication Server verifies the user's access rights using its database and creates a timestamp
(the timestamp gives the expiration date and time of the encrypted key; the default expiration time is
8 hours). It then returns a ticket-granting ticket (TGT) and a session key.

Step-3:
The client then submits this ticket-granting ticket (TGT) to the ticket-granting service (TGS) for authentication.

Step-4:
If the TGS can authenticate the client, it sends the client credentials and a service ticket for the
requested service.

Step-5:
The client sends a request to the Application Server (AP). This request includes the service
ticket received in step 4. If the application server can authenticate this request, the client can access
the server.

Step-6:
The server provides the requested services to the client.
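A toy simulation of the six-step flow above, added here as an example and not taken from the slides. The `seal`/`unseal` pair (HMAC-SHA256 keystream plus MAC tag) stands in for the real symmetric encryption Kerberos uses; the principal names, keys and the 5-minute authenticator window are assumptions, while the 8-hour ticket lifetime is the default the slides give.

```python
import hashlib
import hmac
import json
import secrets

TICKET_LIFETIME = 8 * 3600   # the slides' default expiry for a ticket: 8 hours
CLOCK_SKEW = 300             # assumed: authenticators older than 5 minutes are rejected


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream from HMAC-SHA256 in counter mode (stand-in for AES; not for production)."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a ticket or reply: nonce || ciphertext || tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Reverse of seal(); raises if the key is wrong or the blob was tampered with."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad ticket: wrong key or tampered")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def _check_authenticator(ticket: dict, authenticator: bytes, now: float) -> None:
    """Shared by TGS and AP: the ticket must be unexpired, and the authenticator must be
    sealed under the ticket's session key, name the same client, and carry a fresh timestamp."""
    if now > ticket["expires"]:
        raise PermissionError("ticket expired")
    auth = unseal(bytes.fromhex(ticket["sk"]), authenticator)
    if auth["client"] != ticket["client"] or abs(now - auth["ts"]) > CLOCK_SKEW:
        raise PermissionError("authenticator mismatch or stale")


class KDC:
    """Database + AS + TGS in one server, as the slides describe."""

    def __init__(self, db: dict):
        self.db = dict(db)                           # principal name -> long-term secret key
        self.db["krbtgt"] = secrets.token_bytes(32)  # TGS's own key, used to seal TGTs

    def as_exchange(self, client: str, now: float):
        """Step 2: AS looks the client up, mints a session key and a TGT (sealed for the TGS),
        and returns the session key to the client sealed under the client's own key."""
        if client not in self.db:
            raise KeyError("unknown principal")
        sk = secrets.token_bytes(32).hex()
        expires = now + TICKET_LIFETIME
        tgt = seal(self.db["krbtgt"], {"client": client, "sk": sk, "expires": expires})
        return tgt, seal(self.db[client], {"sk": sk, "expires": expires})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: float):
        """Steps 3-4: TGS opens the TGT, checks the authenticator, issues a service ticket."""
        t = unseal(self.db["krbtgt"], tgt)
        _check_authenticator(t, authenticator, now)
        if service not in self.db:
            raise KeyError("unknown service")
        ssk = secrets.token_bytes(32).hex()
        st = seal(self.db[service], {"client": t["client"], "sk": ssk, "expires": now + TICKET_LIFETIME})
        return st, seal(bytes.fromhex(t["sk"]), {"sk": ssk, "service": service})


def ap_exchange(service_key: bytes, service_ticket: bytes, authenticator: bytes, now: float) -> str:
    """Step 5: the application server never talks to the KDC; it opens the service ticket with
    its own key and checks the authenticator. Returns the authenticated client name."""
    t = unseal(service_key, service_ticket)
    _check_authenticator(t, authenticator, now)
    return t["client"]


def run_flow(start: float = 0.0, delay_before_ap: float = 0.0) -> str:
    """Steps 1-6 from the client's point of view. delay_before_ap simulates the client
    presenting its service ticket only after the 8-hour lifetime (constructed scenario)."""
    alice_key = hashlib.sha256(b"alice password").digest()          # constructed principal
    fileserver_key = secrets.token_bytes(32)
    kdc = KDC({"alice": alice_key, "fileserver": fileserver_key})
    now = start
    tgt, reply = kdc.as_exchange("alice", now)                       # steps 1-2
    sk = bytes.fromhex(unseal(alice_key, reply)["sk"])               # only Alice can open this
    tgt_auth = seal(sk, {"client": "alice", "ts": now})
    st, reply2 = kdc.tgs_exchange(tgt, tgt_auth, "fileserver", now)  # steps 3-4
    ssk = bytes.fromhex(unseal(sk, reply2)["sk"])
    now += delay_before_ap
    svc_auth = seal(ssk, {"client": "alice", "ts": now})
    return ap_exchange(fileserver_key, st, svc_auth, now)            # steps 5-6
```

Note that the file server validates the ticket with only its own long-term key, which is why the KDC is never contacted in step 5.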


IPSec (IP Security)
 An IP packet carries its data in plain text, i.e., anyone watching the IP packets
pass by can read the data and can even change it. Higher-level mechanisms exist to
prevent such attacks.
 Hence, there is a need to secure the network infrastructure from unauthorized
monitoring. There is also a need to control network traffic and to secure end-user to
end-user traffic using authentication and encryption mechanisms.
 IPSec is a protocol developed to support the secure exchange of packets at the IP
layer. It provides secure communication across a LAN, private and public
WANs, and the Internet.
 The overall idea of IPSec is to encrypt and seal the transport- and application-layer
data during transmission.
IPSec Architecture
 The IPSec (IP Security) architecture uses two protocols to secure the traffic or data flow.
These protocols are ESP (Encapsulating Security Payload) and AH (Authentication
Header).

IPSec provides:
 Confidentiality
 Authentication
 Integrity

IP Security Architecture:
1. Architecture:
The Architecture (IP Security Architecture) document covers the general concepts, definitions, protocols,
algorithms and security requirements of IP Security technology.

2. ESP Protocol:
ESP (Encapsulating Security Payload) provides the confidentiality service. Encapsulating
Security Payload is implemented in either of two ways:
• ESP with optional Authentication.
• ESP with Authentication.

3. Encryption algorithm:
The Encryption Algorithm document describes the various encryption algorithms used for
Encapsulating Security Payload.

4. AH Protocol:
The AH (Authentication Header) protocol provides both the Authentication and the Integrity service.
Authentication Header is implemented in one way only: Authentication along with Integrity.

5. Authentication Algorithm:
The Authentication Algorithm set of documents describes the authentication algorithms
used for AH and for the authentication option of ESP.

6. DOI (Domain of Interpretation):
The DOI identifies the approved encryption and authentication algorithms that both AH
and ESP may use; it contains the values that the other documents need to refer to each other.

7. Key Management:
The Key Management document describes how keys are exchanged between sender
and receiver.
Simple Mail Transfer Protocol (SMTP)
 SMTP is short for Simple Mail Transfer Protocol.
 It is an application layer protocol.
 It is used for sending emails efficiently and reliably over the Internet.

Working-
 The SMTP server is always in listening mode.
 The client initiates a TCP connection with the SMTP server.
 The SMTP server listens for a connection and accepts the connection on that port.
 The connection is established.
 The client informs the SMTP server that it would like to send a mail.
 Assuming the server is OK, the client sends the mail to its mail server.
 The client's mail server uses DNS to get the IP address of the receiver's mail server.
 Then, SMTP transfers the mail from the sender's mail server to the receiver's mail server.

While sending the mail, SMTP is used two times:
• Between the sender and the sender's mail server.
• Between the sender's mail server and the receiver's mail server.

NOTE-
To receive or download the email, another protocol is needed between the receiver's mail server
and the receiver. The most commonly used protocols are POP3 and IMAP.

Characteristics of SMTP-
• SMTP is a push protocol.
• SMTP uses TCP at the transport layer.
• SMTP uses port number 25.
• SMTP uses persistent TCP connections, so it can send multiple emails at once.
• SMTP is a connection oriented protocol.
• SMTP is an in-band protocol.
• SMTP is a stateless protocol.
• SMTP is a pure text based protocol.

• SMTP can only handle messages containing 7-bit ASCII text.
• SMTP can not transfer other types of data like images, video, audio etc.
• SMTP can not transfer executable files and binary objects.
• SMTP can not transfer text data of other languages like French, Japanese, Chinese etc.
• If an email is asked to be sent twice, then the SMTP server resends it without saying that the email has
already been sent.

We can not use SMTP at the receiver's side.
This is because-
• SMTP is a push protocol.
• At the receiver's side, a pull protocol like POP3 or IMAP is needed.
• The receiver periodically checks whether there is any mail on the mail server.

SMTP is not suitable for client authentication.
This is because-
• SMTP does not require authentication.
• It allows anyone on the Internet to send emails to anyone, or even to a large group of people.
Privacy Enhanced Mail (PEM)
 Privacy Enhanced Mail (PEM) is an email security standard to
provide secure electronic mail communication over the Internet.
Security of email messages has become extremely important
nowadays. In order to deal with the security issues of email, the
Internet Architecture Board has adopted it.
PEM mainly provides the following services:

Authentication-
Sender authentication allows the user to verify that the PEM message he has received is truly from
the person who claims to have sent it.

Confidentiality –
Confidentiality refers to preventing unauthorized access to information, hence
protecting it. Confidentiality is obtained in PEM by encrypting the messages using
standard algorithms such as the Data Encryption Standard (DES). DES in cipher block chaining mode is
currently used by PEM.

Integrity –
Data integrity refers to the consistency of data throughout its life cycle. This is obtained using a
message digest: a hash function which, taking the message as input, converts
the message into an image called the digest.
Working of PEM
PEM works basically in 4 main steps.

1. Canonical Conversion –
This step involves the conversion of the message into a standard format that is independent
of the computer architecture and the operating system of the sender and the receiver. If the
sender and receiver have different computer architectures or operating systems, different
message digests may be generated because the message is interpreted differently owing to
syntactical differences from one operating system to another.

2. Digital signature –
In this step, the digital signature is generated by encrypting the message digest of an email
message with the sender's private key.

3. Encryption –
The encrypted message is generated by encrypting the original message and the digital
signature together with a symmetric key, as shown in the figure below. This step
is crucial in order to obtain confidentiality.

4. Base-64 Encoding –
This is the last step, where the binary output is transformed into character output.

Step #1 – Canonical Conversion
There is a possibility that the sender and the receiver of email messages use computers with different
operating systems and architectures. This is because the Internet works on any computer that has a TCP/IP stack,
regardless of its architecture or operating system, so there is a possibility that the same thing is represented
differently on these different computers. For example, a new line in the Microsoft DOS operating
system is represented by two characters, while in a Unix operating system the same is represented by a single
character. This creates problems while creating a message digest, on which the digital signature depends.
For example, the message digest of an email message created on the Microsoft DOS operating system
can differ from the message digest of the same email message created on the Unix operating system, because
the input used for creating the message digest is not the same in both cases.

Step #2 – Digital Signature
In this step, a digital signature is created for the email message. First, using an algorithm like MD2 or MD5,
the message digest of the email message is created. Then this message digest is encrypted using the sender's
private key to form the digital signature of the sender.

Step #3 – Encryption
In this step, the original email message and the digital signature created in step 2 are encrypted using a
symmetric key. For the encryption process, the DES or DES-3 (Triple DES) algorithm is used.

Step #4 – Base-64 Encoding
This is the last step, where the binary output is transformed into character output.
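An added example (not from the slides) of steps 1 and 4 above: it reproduces the DOS-versus-Unix digest mismatch described under canonical conversion, shows that normalising line endings to CRLF before hashing removes it, and performs the Base-64 armoring of the final step. SHA-256 stands in for MD2/MD5, the sample messages are constructed, and the CRLF canonical form is assumed.

```python
import base64
import hashlib


def canonicalize(text: str) -> bytes:
    """Step 1: normalise every line ending (CRLF, bare CR or LF) to CRLF so that a DOS
    sender and a Unix sender hash identical bytes. PEM bodies are 7-bit ASCII (the SMTP
    limitation noted earlier), so non-ASCII input is rejected here rather than guessed at."""
    lines = text.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    return "\r\n".join(lines).encode("ascii")


def digest(data: bytes) -> str:
    """Step 2 input: the message digest (SHA-256 used in place of the obsolete MD2/MD5)."""
    return hashlib.sha256(data).hexdigest()


def armor(binary: bytes) -> str:
    """Step 4: Base-64 encode binary output as 64-column text lines for transport."""
    b64 = base64.b64encode(binary).decode("ascii")
    return "\r\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))


def dearmor(text: str) -> bytes:
    """Receiver side of step 4: strip the line breaks and decode."""
    return base64.b64decode(text.replace("\r\n", ""))


# Constructed sample: the same message as typed on a DOS machine and on a Unix machine.
DOS_MESSAGE = "Meeting at 10.\r\nBring the report.\r\n"
UNIX_MESSAGE = "Meeting at 10.\nBring the report.\n"


def digests_without_canonical() -> tuple:
    """Hash the raw bytes: the two platforms disagree, so a signature made on one
    would fail to verify on the other."""
    return digest(DOS_MESSAGE.encode("ascii")), digest(UNIX_MESSAGE.encode("ascii"))


def digests_with_canonical() -> tuple:
    """Hash after canonical conversion: both platforms now produce the same digest."""
    return digest(canonicalize(DOS_MESSAGE)), digest(canonicalize(UNIX_MESSAGE))
```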
Pretty Good Privacy (PGP)
PGP stands for Pretty Good Privacy; it was invented by Phil Zimmermann.
 PGP was designed to provide all four aspects of security, i.e., privacy, integrity,
authentication, and non-repudiation, in the sending of email.
 PGP uses a digital signature (a combination of hashing and public key encryption) to
provide integrity, authentication, and non-repudiation.
 PGP uses a combination of secret key encryption and public key encryption to provide
privacy. Therefore, we can say that PGP uses one hash function, one
secret key, and two private-public key pairs.
PGP at the Sender site (A)
Following are the steps taken by PGP to create secure
e-mail at the sender site:

1. The e-mail message is hashed by using a hashing function to create a digest.
2. The digest is then encrypted by using the sender's private key to form a signed digest,
and the signed digest is added to the original email message.
3. The original message and signed digest are encrypted by using a one-time
secret key created by the sender.
4. The secret key is encrypted by using the receiver's public key.
5. Both the encrypted secret key and the encrypted combination of message and
digest are sent together.

PGP at the Receiver site (B)
Following are the steps taken to show how PGP uses hashing and a
combination of three keys to recover the original message:

1. The receiver receives the combination of the encrypted secret key and the encrypted
message and digest.
2. The encrypted secret key is decrypted by using the receiver's private key to get
the one-time secret key.
3. The secret key is then used to decrypt the combination of message and digest.
4. The digest is decrypted by using the sender's public key, and the original message
is hashed by using a hash function to create a digest.
5. Both digests are compared; if they are equal, all the aspects
of security are preserved.
Public Key Infrastructure (6m)
 Public key infrastructure, or PKI, is the governing body behind issuing digital
certificates. It helps to protect confidential data and gives unique identities to users
and systems. Thus, it ensures security in communications.
 The public key infrastructure uses a pair of keys, the public key and the private key,
to achieve security. Public keys are prone to attacks, and thus an intact
infrastructure is needed to maintain them.

COMPONENTS OF PKI (sample)
 Digital Certificates
 Certificate Authority
 Registration Authority
Digital Certificate
A digital certificate is issued by a trusted third party; it proves the sender's identity to the
receiver and the receiver's identity to the sender.
 A digital certificate is a certificate issued by a Certificate Authority (CA) to verify the identity
of the certificate holder. The CA issues a signed digital certificate containing the
applicant's public key and a variety of other identification information. A digital certificate is
used to bind a public key to a particular individual or entity.

A digital certificate contains:
1. Name of the certificate holder.
2. Serial number, which is used to uniquely identify the certificate and the individual or entity
identified by the certificate.
3. Expiration dates.
4. Copy of the certificate holder's public key (used to encrypt messages to the holder and to verify
the holder's digital signatures).
5. Digital signature of the certificate-issuing authority.
6. The digital certificate is also sent along with the digital signature and the message.
Certificate Authority (CA)
A certificate authority (CA) is a trusted entity that manages and issues security
certificates and public keys that are used for secure communication in a public
network.
 The CA is part of the public key infrastructure (PKI) along with the registration
authority (RA), which verifies the information provided by a requester of a digital
certificate.
 If the information is verified as correct, the certificate authority (CA) can then issue a
certificate.

Registration Authority (RA)
A CA may use a third-party Registration Authority (RA) to perform the necessary checks on
the person or company requesting the certificate to confirm their identity.
 The RA may appear to the client as a CA, but it does not actually sign the certificate
that is issued. The specific authentication process used depends on the class of
certificate being requested:

Classes of a Digital Certificate:
 Digital certificates can be divided into four broad categories. These are:
 Class 1: These can be obtained by only providing an email address.
 Class 2: These need more personal information.
 Class 3: These first check the identity of the person making the request.
 Class 4: These are used by organizations and governments.
Digital Certificate Structure
Digital certificates are structured in conformance with the X.509 standard. This standard outlines the
required fields that comprise a certificate together with acceptable values for those fields.

The fields specified by X.509 are as follows:

 Issuing CA - The name of the certificate authority which issued the certificate.
 CA Digital Signature - The digital signature of the issuing certificate authority.
 Version Number - Specifies the version of X.509 to which the certificate conforms (at time of writing the
current version is 3). The version number is important because it defines which other fields are necessary
in the certificate.
 Serial Number - A unique number identifying the specific certificate issued by a particular CA.
 Subject/Owner - The owner of the certificate. Possible values include a person, company, department,
network device, application etc.
 Owner's Public Key - The public key associated with the certificate and corresponding to the certificate
owner's private key.
 Validity Period - The dates during which the certificate is deemed to be valid.
 Certificate Usage - Specifies the approved uses of the certificate.
 Signature Algorithm - The hashing and digital signature algorithms used in the creation of the certificate.
What is cybercrime?
 Cybercrime is criminal activity that either targets or uses a computer, a computer
network or a networked device.
 Most, but not all, cybercrime is committed by cybercriminals or hackers who want to
make money. Cybercrime is carried out by individuals or organizations.
 Cybercrime that stops users from using a machine or network, or prevents a business from
providing a software service to its customers, is called a Denial-of-Service (DoS) attack.
Types of cybercrime (2m)
Here are some specific examples of the different types of cybercrime:
 Email and internet fraud.
 Identity fraud (where personal information is stolen and used).
 Theft of financial or card payment data.
 Theft and sale of corporate data.
 Cyberextortion (demanding money to prevent a threatened attack).
 Ransomware attacks (a type of cyberextortion).
 Cyberespionage (where hackers access government or company data).
What is COBIT Framework?
The COBIT Framework (Control Objectives for Information and Related
Technologies) is a comprehensive set of guidelines and best practices designed
to help organizations manage and govern their IT (Information Technology)
systems effectively. It provides a structured approach to ensuring that IT aligns
with business goals, delivers value, manages risks, and complies with laws and
regulations.
Principles of COBIT Framework (6M)
1- Meeting Stakeholder Needs

The first important principle of COBIT is "Meeting Stakeholder Needs". This principle
focuses on ensuring that IT governance and management align with the needs and
expectations of all stakeholders involved with the organization: basically, giving them
what they need or expect from the IT resources in the company.

2- Covering the Enterprise End to End

This means that IT governance and management should not focus only on specific IT
systems or departments but should cover the entire organization, from top to bottom,
across all processes, departments, and functions. Every part of the business should
benefit from proper IT management and oversight.
Covering the entire enterprise helps identify and manage risks more effectively, as every
aspect of the business is included in the IT governance plan.

3- Applying a Single Integrated Framework

This means using one framework (COBIT, in this case) to manage all aspects of IT governance. Instead
of having different frameworks for different areas (like security, risk management, or performance
management), COBIT combines everything into one, making it easier to manage and monitor.
The latest relevant frameworks and standards are CMMI, PMBOK/PRINCE2, TOGAF, the ISO 27000 series, ITIL,
ISO 38500, ISO 31000, ISO 9000, COSO ERM, COSO, etc.
COBIT can be used as a management and governance framework integrator. This means that it can be
integrated with any of these frameworks and standards to help your business achieve new goals.

4- Enabling a Holistic Approach

Holistic refers to looking at the big picture rather than focusing on individual parts. In the context of
COBIT, it means considering all aspects of IT governance and management, such as people,
processes, technology, and information, together as a whole to ensure everything works well together.
This ensures better alignment, risk management, performance, and decision-making across the
organization.

5- Separating Governance from Management

"Separating Governance from Management" in COBIT ensures that strategic decisions
(governance) are made by leadership, while operational tasks (management) are
carried out by those responsible for day-to-day activities. This separation improves
clarity, accountability, and decision-making in IT governance.
Governance is about setting the direction and making high-level decisions. It
involves defining the overall objectives, policies, and strategies for IT to ensure they align
with the business goals.
Management focuses on operational tasks, like handling IT projects, managing risks,
and ensuring systems run smoothly.
What is Hacking?
 Hacking is the activity of identifying weaknesses in a computer system or a network
and exploiting them to gain access to personal data or business data. An example
of computer hacking is using a password cracking algorithm to gain access to a
computer system.

Who is a Hacker?
 A hacker is a person who finds and exploits weaknesses in computer systems
and/or networks to gain access. Hackers are usually skilled computer programmers
with knowledge of computer security.

Types of Hackers
Hackers are classified according to the intent of their actions. The following list classifies
types of hackers according to their intent:

1. White hat hacker or Ethical Hacker (White hat): A security hacker who gains access to
systems with a view to fixing the identified weaknesses. They may also perform penetration testing and
vulnerability assessments.

2. Black hat hacker or Cracker (Black hat): A hacker who gains unauthorized access to computer
systems for personal gain. The intent is usually to steal corporate data, violate privacy rights,
transfer funds from bank accounts etc.

3. Grey hat hacker (Grey hat): A hacker who is in between ethical and black hat
hackers. He/she breaks into computer systems without authority with a view to
identifying weaknesses and revealing them to the system owner.

4. Script kiddies: A non-skilled person who gains access to computer systems using
ready-made tools.

5. Hacktivist: A hacker who uses hacking to send social, religious, political, etc.
messages. This is usually done by hijacking websites and leaving the message on the
hijacked website.

6. Phreaker: A hacker who identifies and exploits weaknesses in telephones instead of
computers.
Digital forgery
Digital forgery (or digital tampering) is the process of manipulating documents or
images with the intent of financial, social or political gain.
 Creating a fake copy or imitation of a document or an object with the intention to
deceive is called forgery.
 It can involve everything from forging a signature, faking a masterpiece, or creating a
cheap replica of an expensive original device to faking government documents like a
licence, birth certificate etc.
 Marketplaces are full of convincing fakes of expensive original items like designer
shoes, clothes etc. All of these fakes can be called forgeries.
 Digital forgery involves creating the same fakes in electronic form.

Cyberstalking (2m)
 Cyberstalking is a crime in which the attacker harasses a victim using electronic
communication, such as e-mail or instant messaging (IM), or messages posted to a Web
site or a discussion group.
 Though cyberstalking does not involve physical contact, it is still considered a crime.
The offense is much more serious when a minor child is the victim.
 Ex- Repeated and unwanted communications through phone calls, mail, emails, or social
media sites. Following the victim to work, school, home, or other places they
frequently visit. ... Repeatedly sending the victim unwanted gifts. Posting information, or
spreading rumors.
 There is no unified legal approach to cyberstalking, but many governments have moved
toward making these practices punishable by law.
Copyright, patent, trademark (2m)
 A patent protects new inventions, processes, or scientific creations.
 A trademark protects brands, logos, and slogans.
 A copyright protects original works of authorship.
Cyber Pornography
 Cyber pornography means publishing, distributing or designing
pornography by using cyberspace.
 Cyber pornography is the act of using cyberspace to create, display,
distribute, import, or publish pornography or obscene materials,
especially materials depicting children engaged in sexual acts with
adults.

Information Technology Act, 2000
Cyber pornography is banned in many countries but legalized in some. Cyber pornography is neither
banned nor legalised under the IT Act, 2000. The IT Act prohibits the production and distribution of
cyber pornography but does not prohibit the viewing or downloading of pornographic content if it is
not child pornography.

SECTION 67
Section 67 of the Information Technology Act, 2000 makes the following acts punishable with
imprisonment up to 3 years and a fine up to 5 lakhs:

• Publication– It includes uploading of pornographic content on a website, WhatsApp group or any
other digital portal where third parties can have access to such pornographic content.

• Transmission– It means to send obscene material to any person electronically.

• Causing to be published or transmitted– It is a comprehensive term which would end
up making the intermediary portal liable, using which the offender has published or transmitted
such obscene content. The Intermediary Guidelines under the Information Technology Act put an
onus on the Intermediary/Service Provider to exercise due diligence to ensure that their portal is
not being misused.

SECTION 67 A
Section 67A of the Information Technology Act makes the publication, transmission and causing to be
transmitted and published of any material containing a sexually explicit act or conduct punishable with
imprisonment up to 5 years and a fine up to ₹10 lakhs.

The following conclusions can be drawn from the above provisions:
1. Viewing cyber pornography is legal in India. Merely downloading and viewing such content does
not amount to an offence.
2. Publication of pornographic content online is illegal.
3. Storing cyber pornographic content is not an offence.
4. Transmitting cyber pornography via instant messaging, emails or any other mode of digital
transmission is an offence.

Child Pornography
Section 67B of the IT Act, 2000 makes publishing, transmitting, viewing or downloading child
pornography illegal. The fact that the internet has made child pornography more accessible to
distributors, as well as collectors, cannot be denied.

According to Section 67B, any person who has not attained the age of 18 years is a child. It
further states that the offence of child pornography can be committed in the following five ways:
1. By publishing or transmitting or causing to publish or transmit any material electronically
that depicts children engaged in a sexually explicit act or conduct.
2. By depicting children in an obscene or sexually explicit manner.
3. By inducing children into an online relationship with one or more children for and on a sexually
explicit act, or in a manner that may offend a reasonable adult on the computer resource.
4. By facilitating child abuse online.
5. By recording own abuse or that of others pertaining to sexually explicit acts with others.
Cyber terrorism
Cyber terrorism can also be defined as the intentional use of computers, networks,
and the public internet to cause destruction and harm for personal objectives.
 Experienced cyber terrorists, who are very skilled at hacking, can cause
massive damage to government systems, hospital records, and national security
programs.
 There is much concern from government and media sources about the potential
damage that could be caused by cyber terrorism, and this has prompted efforts by
government agencies such as the Federal Bureau of Investigation (FBI) and
the Central Intelligence Agency (CIA) to put an end to cyber attacks and cyber
terrorism.
 Ex- An international cyber terrorist accessing and disabling or modifying the signals
that control military technology.

Cyber defamation
Defamation can be understood as the wrongful and intentional publication of
something, either in written or oral form, about a person to harm his reputation in
society.
 Cyber defamation involves defaming a person through a new and far more effective
method such as the use of modern electronic devices.
 It refers to the publishing of defamatory material against any person in cyberspace or
with the help of computers or the Internet.
 If a person publishes any kind of defamatory statement against any other person on a
website, or sends e-mails containing defamatory material to the person about whom the
statement has been made, it would amount to cyber defamation.
Cyber law
 Cyber law is like any other legal rule or policy that should be followed in our day-to-day
life to stay out of any kind of trouble. These laws are formed by taking several issues
into consideration, such as our society, morals, computer ethics, etc. The only
difference is that cyber law applies to the internet and internet-related technologies
only.
 Cyber law is formed to maintain discipline and justice in the cyber world. This area of the
legal system was introduced because crime related to computers and other technology
was increasing rapidly.
 These types of crimes did not fall under any existing legal category;
therefore a separate section was formed, named Cyber Law.
 Cyber laws help to reduce or prevent cybercriminal activities on a large scale
by protecting information access from unauthorized people, freedom of
speech related to the use of the Internet, privacy, communications, email, websites,
intellectual property, hardware and software, such as data storage devices.

Need of cyber law
 Like any law, a cyber law is created to help protect people and organizations on the
Internet from malicious people on the Internet and to help maintain order. If someone breaks
a cyber law or rule, it allows another person or organization to take action against that
person or have them sentenced to a punishment.

Areas of Cyber Law:
1. Fraud
2. Copyright
3. Defamation
4. Harassment and Stalking
5. Freedom of Speech
ISO 27001
ISO 27001 (formally known as ISO/IEC 27001:2005) is a specification for an information security management
system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical
controls involved in an organisation's information risk management processes.

What is the purpose of ISO 27001?
 ISO 27001 was developed to help organizations, of any size or any industry, to protect their information in a
systematic and cost-effective way, through the adoption of an Information Security Management System
(ISMS).
 ISO 27001 uses a top-down, risk-based approach and is technology-neutral. The specification defines a six-part
planning process:
1. Define a security policy.
2. Define the scope of the ISMS.
3. Conduct a risk assessment.
4. Manage identified risks.
5. Select control objectives and controls to be implemented.
6. Prepare a statement of applicability.

Why is ISO 27001 important?
Not only does the standard provide companies with the necessary know-how for protecting their
most valuable information, but a company can also get certified against ISO 27001 and, in this
way, prove to its customers and partners that it safeguards their data.

What are the 3 ISMS security objectives?
The basic goal of ISO 27001 is to protect three aspects of information:
Confidentiality: only authorized persons have the right to access the information.
Integrity: only authorized persons can change the information.
Availability: the information must be accessible to authorized persons whenever it is needed.

What is an ISMS?
• An Information Security Management System (ISMS) is a set of rules that a company needs to
establish in order to:
• identify stakeholders and their expectations of the company in terms of information security
• identify which risks exist for the information
• define controls (safeguards) and other mitigation methods to meet the identified expectations
and handle risks
• set clear objectives on what needs to be achieved with information security
• implement all the controls and other risk treatment methods
• continuously measure whether the implemented controls perform as expected
• make continuous improvements to make the whole ISMS work better

ISO 20000
What is ISO 20000?
 ISO 20000 is the international standard for IT
Service Management (ITSM), published by ISO (the International
Organization for Standardization) and IEC (the International
Electrotechnical Commission). The standard describes a set of
management processes designed to help you deliver more
effective IT services.
 The information technology service management system
complies with the requirements mentioned in the clauses of ISO
20000-1:2018. ISO 20000 gives you the methodology and the
framework to help you manage your ITSM, while allowing you to
prove your company follows best practice. With the requirements
of the standard you will achieve best practice, helping to improve
your delivery of IT services.