
Sasa Aksentijevic, MBA IT, Ph.D. cand. Business Economy / ICT Manager / C(I)SO / ICT Court Forensic Expert. LinkedIn: linkedin.com/sasaaksentijevic

Presentation transcript:

1 Common ICT security mistakes in corporate environments

Information security: certification, internal audit, CISSPs, CISMs, ISO 27K, BCP, DR, network security, antivirus solutions, anti-intrusion, firewalls, ethical hacking, residual risk management, SWOT, GAP, Monte Carlo... ????

2 Presentation content

- A little theory will not hurt anybody
- Management has discovered information security, or the Dilbert approach to information security
- Should we include the coffee machine in the ISMS scope? AKA: is certification the final answer to infosec?
- "I will write my password on a Post-It for you" AKA: low-level (operative) infosec breaches
- How can something be nothing? Is information security possible? Is ICT security possible?
- Q&A

3 Infosec concept model

4 The pointy-haired boss (often abbreviated to just PHB) is Dilbert's boss in the Dilbert comic strip. He is notable for his micromanagement, gross incompetence and unawareness of his surroundings, yet somehow retains power in the workplace. The phrase "pointy-haired boss" has acquired a generic usage to refer to incompetent managers. It is also possible to speak of someone being pointy-haired or having pointy hair metaphorically, meaning that they possess PHB-like traits.

5 Too many ifs

- ISO 27K (Information technology — Security techniques — Information security management systems — Requirements) is not an information security standard. It is a systems management standard.
- ISO 27K outlines a framework for an ISMS, but it is not a "golden standard" itself.
- ISO 27K is based on risk assessment: there is no "predefined" acceptable risk; criteria, applicability, inclusion and treatment are decided by the organization.
- Efficient implementation requires security analysis of the technical aspects. The standard deals with policy, scope, risk analysis, procedures and records.
- ISO 27K certification is proof of compliance with the standard. By itself, it does not guarantee information security.
- Organizations decide about the applicability (or not) of Annex A controls. The list of controls exists (Annex "A"), but it is just a "suggestion". Additional controls may be included.

6 Management-level mistakes

- Delegation (of tasks that should not be delegated)
- Compliance with local legislation/law requirements; problems with non-compliance
- Inadequate resources (human resources, time, money, knowledge...)
- Creation of parallel, "backdoor" systems, especially for the management authorization process
- Lack of interest in information security on the part of management
- No BCP, no DR, no periodic updating
- Lack of consistent policies, criteria, standards, work instructions, and of learning from security incidents
- Management has no awareness that information security is an ongoing, permanent process
- Lack of systematic resource and contingency planning, loose control over ICT assets, unclear ownership

7 Organizational and process mistakes

- Revocation of access rights and email access, and periodic revision of access rights, not implemented
- No ICT security induction, no periodic refresher courses
- No segregation between production and test environments
- SLAs for ICT services not clearly defined (or not adhered to)
- No implementation of employee background checks
- Inadequate physical access controls (especially for guests, third parties, externals and temps)
- Saving on insurance, no change management (log), unsafe networking environment
- Process of learning from incidents not implemented
- Controls related to third-party relations and NDAs not implemented

8 User breaches

- USB drives used for storage and not for backup
- Data exchange procedures (encryption, FTP, snail mail)
- No data classification / information lifecycle management
- Remote working equipment (PDAs, MMC, USB, notebooks)
- ICT assets not under control by their owners

9 User breaches

- Photocopy machines, printers and network scanners
- Password sharing, passwords on Post-Its
- Clear workplace and clear display policy not enforced
- Documents not supervised, lack of access authorization
- Non-systematic document disposal

10 User breaches

- No continuous learning / interest in security culture
- Data backup procedures
- Common network areas used for placement of personal data
- 3rd party relations, hardware repair procedures
- Malicious intent


12 Three kinds of effort

- Technical effort -> best practices, certification, legislation, forensics, testing, PDCA, audit(s)...
- Personal effort -> employees (participants, stakeholders)
- Organizational effort -> management

13 Thank you for your attention!

