Presentation is loading. Please wait.

Presentation is loading. Please wait.

Turning Policy Into Reality Tony S Krzyżewski Director, Chief Technical Officer Protocol Policy Systems.

Published byDominic Acey Modified over 9 years ago

Similar presentations

Presentation on theme: "Turning Policy Into Reality Tony S Krzyżewski Director, Chief Technical Officer Protocol Policy Systems."— Presentation transcript:

1 Turning Policy Into Reality Tony S Krzyżewski Director, Chief Technical Officer Protocol Policy Systems

2 Mobility Internet LAN Micro 2 The Challenge of Digital Enablement Mainframe Information Exposure Increases Management Ability Decreases

3 Record How You See Your Information

4 How Staff See Your Information Record Re……Record USB Record

5 How the Public Want to See Your Information Everywhere… and at all times!

6 The Policy Protection Model Policy Technology Identifies Procedures Which Requires Processes Leading To Educate Then We Control and Audit And For compliance with

7 Policies Set Our Expectations Users must not publish corporate information (applications, internal documents or files, press releases, price lists etc.) on any public facing computer system (e.g. website, social media site) unless the item has been authorised by the appropriate Manager and the Communications and Publicity Manager for public consumption. Online Services Policy: User 19.6 The Organisation must confirm the responsibilities of the cloud service provider with regard to information security. These responsibilities must be documented in an agreement which is signed by both the Organisation and the cloud service provider. Cloud Computing Policy: Technical 5.1.2 The Organisation must confirm the responsibilities of the cloud service provider with regard to information security. These responsibilities must be documented in an agreement which is signed by both the Organisation and the cloud service provider. Cloud Computing Policy: Technical 5.1.2 The access privileges of all users, systems and applications must be restricted based on the "need to know" and "least access" principles which require that there is a legitimate business need before access to any information systems resource is granted. Information Management Policy: Technical 2.3.2 The access privileges of all users, systems and applications must be restricted based on the "need to know" and "least access" principles which require that there is a legitimate business need before access to any information systems resource is granted. Information Management Policy: Technical 2.3.2

8 Where do IT Policies Fit? Why we are hereWhat Constrains UsWhat We are Going To DoWho or What Does ItHow We Are Going to Do ItIT PoliciesIT StrategyRegulatory FrameworkProcedures & ProcessesPeople & Technology

9 Why Have IT Policies? They don’t… Employers presume everyone knows about computers and IT Security

10 Consistent Rules and Guidelines Align With Best Practice Set Audit Benchmarks F irst line of Threat Defence Protect Corporate Information Good Governance Why Have IT Policies? Ensure compliance

11 Affects everyone – not just IT Users HR Risk Managers and Auditors Managers Stakeholders CEO – the buck stops here IT Policies Are Holistic

12 IT policies that are copies of best practice guides are like diet and exercise manuals…. Something to aspire to that you can never achieve IT Policies Must Be Relevant

13 Need to know versus need to withhold principle Well defined rules ensure that everyone knows what is expected of them IT Policies are an Access Enabler

14 IT Policies kept in a book on the back shelf in the IT Manager’s office will never be read Publish them on the Intranet And Available to All

15 But What Normally Happens… Defining Policy is too hard so no one actually gets around to it. Technology gets purchased without regard to policy Vulnerabilities get introduced because there are no rules

16

17

18

19

20

21

22

23 So you have IT Policies What Now?

24 Perception by Users

25 Let People Have Their Say Consultation is the key to Success

26 Review Feedback Feedback will be:- Constructive Positive Indifferent Unhelpful Critical Ridicule Disparaging

27 Incorporate Feedback Feedback should be incorporated if is:- Valid Relevant Helpful Achievable Doesn’t Negatively Impact on Anything Else

28 Workshop for Managers Important because:- Managers Lead By Example Managers Are Responsible for Their Staff Consistent IT Security Message for All If Managers Aren’t Supportive, No One Else Will Be

29 Get Sign-Off

30 Talk to HR HR have an important role to play in IT Security:- New employees sign the Acceptable Use Policy Induction process During Employment ✓ Add users ✓ Change user access ✓ Terminating users Termination process IT Policy enforcement

31 Technical Review Enforce policy by:- Implementing the appropriate technology Configuring the technology accordingly Ensure you can monitor for compliance Create a work plan:- Upgrade technology if needed Update technical skills where required

32 Workshops for Staff Raise security awareness by:- Show Staff the Policy System; Explain why it’s important Tell War Stories Concentrate on Highlights, Don’t Overdo the Detail Repercussions for Non Compliance Monitor Staff Usage of Resources

33 Raising Staff Awareness Is SPAM a danger to our information? Why we want you to change your passwor d

34 The IT Policy Lifecycle

35 Tony S Krzyżewski Director, Chief Technical Officer Protocol Policy Systems Email: tonyk@protocolpolicy.com Web: www.protocolpolicy.com Video: www.youtu.be/whbywf8ovK0 Demo: demo.protocolpolicy.com

Download ppt "Turning Policy Into Reality Tony S Krzyżewski Director, Chief Technical Officer Protocol Policy Systems."

Similar presentations

USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.

USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.
Child Safeguarding Standards

Child Safeguarding Standards
Copyright © 2014 American Water Works Association Water Sector Approach to Process Control System Security.

Copyright © 2014 American Water Works Association Water Sector Approach to Process Control System Security.
Ethics Ethics are the rules of personal behavior and conduct established by a social group for those existing within the established framework of the social.

Ethics Ethics are the rules of personal behavior and conduct established by a social group for those existing within the established framework of the social.
Buying Better Outcomes Workshop 4 Equalities and Contract Management If you do not take it seriously, why should the supplier?

Buying Better Outcomes Workshop 4 Equalities and Contract Management If you do not take it seriously, why should the supplier?
Information Security Policies and Standards

Information Security Policies and Standards
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
The Role of Security & Privacy in EA Program

The Role of Security & Privacy in EA Program
Network and Systems Security Security Awareness, Risk Management, Policies and Network Architecture.

Network and Systems Security Security Awareness, Risk Management, Policies and Network Architecture.
Www.adira.org Philippe LE TERTRE IS Governance Consultant  Founder and managing partner of VADEGIS (company specialized in Information System Management.

Philippe LE TERTRE IS Governance Consultant  Founder and managing partner of VADEGIS (company specialized in Information System Management.
Business Continuity Check List PageOne. - Why Does Your Business Need A Continuity Checklist? Should the unexpected occur, your business will be able.

Business Continuity Check List PageOne. - Why Does Your Business Need A Continuity Checklist? Should the unexpected occur, your business will be able.
Property of Common Sense Privacy - all rights reserved 01875340890 THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.

Property of Common Sense Privacy - all rights reserved THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.
Risk Assessment – An Essential Standard

Risk Assessment – An Essential Standard
Effectively applying ISO9001:2000 clauses 5 and 8

Effectively applying ISO9001:2000 clauses 5 and 8
Viruses & Security Threats Unit 1 – Understanding Computer Systems JMW 2012.

Viruses & Security Threats Unit 1 – Understanding Computer Systems JMW 2012.
Teaching Security via Problem- based Learning Scenarios Chris Beaumont Senior Lecturer Learning Technology Research Group Liverpool Hope University College.

Teaching Security via Problem- based Learning Scenarios Chris Beaumont Senior Lecturer Learning Technology Research Group Liverpool Hope University College.
Managing your web records Patrick Power Manager, Government Recordkeeping Programme Archives New Zealand.

Managing your web records Patrick Power Manager, Government Recordkeeping Programme Archives New Zealand.
BY: CHELSEA KUCERA ELED 318 The Legal, Social and Ethical Issues in Technology for the Classroom.

BY: CHELSEA KUCERA ELED 318 The Legal, Social and Ethical Issues in Technology for the Classroom.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Similar presentations

Ads by Google