Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Security OECD, April 2001 International Computing Centre Managing Information Security Ed Gelbstein, International Computing Centre, Geneva.

Published byElwin Franklin Modified over 8 years ago

Similar presentations

Presentation on theme: "Information Security OECD, April 2001 International Computing Centre Managing Information Security Ed Gelbstein, International Computing Centre, Geneva."— Presentation transcript:

1 Information Security OECD, April 2001 International Computing Centre Managing Information Security Ed Gelbstein, International Computing Centre, Geneva

2 Information Security OECD, April 2001 International Computing Centre

3 Information Security OECD, April 2001 International Computing Centre Asset valuation What is the business value of k Data k Intellectual property k Systems (sw/hw) k Documents k The Organisation’s reputation disclosed modified unavailable destroyed etc

4 Information Security OECD, April 2001 International Computing Centre How do you respond ? Hackers please note This facility is secured Monday and Friday, 09:00 to 17:00 CET Please do not visit at any other time We thank you for your understanding Option 1 Option 2 Emergency response plan + team

5 Information Security OECD, April 2001 International Computing Centre Key components Ownership and culture Policies Processes and tools Autopsies, diagnostics, audits

6 Information Security OECD, April 2001 International Computing Centre Ownership Anybody Somebody Everybody Nobody

7 Information Security OECD, April 2001 International Computing Centre Culture Security management is a way of life It relies on everyone It requires many processes It may contain many projects but it has no end Only the paranoid survive

8 Information Security OECD, April 2001 International Computing Centre Threatscape Internal External Physical Logical Sabotage Misuse/ fraud Unauthorised access Unauthorised change Unauthorised disclosure Destruction of data Malicious software Stupidity Weaknesses in systems Weaknesses in products Cyber-attack (DoS/ DDoS) Cyber-attack (EMP) Data blackmail and many more...

9 Information Security OECD, April 2001 International Computing Centre Threatscape (2) Most pervasiveMost expensive Most publicisedMost frequent Virus, worm, trojan horse Insider fraud, sabotage Theft of proprietary information Attacks on e-business - theft of credit card data - Denial of Service Developers’ mistakes Poor configuration Poor system administration

10 Information Security OECD, April 2001 International Computing Centre Building blocks Change Control Backup /restore Media management Disaster recovery Business continuity Crisis management Physical access control Logical access control Infrastructure - No single point of failure - UPS and standby - Clusters, fail-soft, alternative routing, RAID, … Diagnostics and monitoring System administration Audits Policies Best practices Standards Action plans Key word: OWNERSHIP

11 Information Security OECD, April 2001 International Computing Centre Building blocks (2) Confidentiality Integrity Authorisation Authentication Audit trail Non-repudiation Risk assessment Communications Risk management Alert monitoring Tools and products Organisation - incident detection - incident response Staff vetting Training Tests and audits Key word: OWNERSHIP

12 Information Security OECD, April 2001 International Computing Centre Policies Scope Documentation Dissemination Maintenance Compliance Non-compliance

13 Information Security OECD, April 2001 International Computing Centre Scope of policies 9 E-mail  9 Passwords 9 System / Resource access 9 Database administration 9 Encryption 9 Backup/ Restore/ Disaster recovery 9 Physical access and remote access 9 Software installation 9 Change control list continues...

14 Information Security OECD, April 2001 International Computing Centre Scope of policies (2) 9 Acceptable use 9 Monitoring and audits 9 Mobile computing 9 Wireless computing 9 Privacy 9 Staff background checks and more...

15 Information Security OECD, April 2001 International Computing Centre e-mail policy includes... < Virus, worm, other infectious software < Executable code < Audio and video files < Other large files < Encryption < Non-disclosure < Offensive language/material < Legal liability (harassment, copyright, libel, etc) < Junk e-mail and other loss of productivity < Personal use of corporate e-mail < Archival and so on...

16 Information Security OECD, April 2001 International Computing Centre Vigilance Alerts (Vendor, CERT, FBI, other) Attacks (who, when, how) Hacker tools, communiques, websites Disgruntled staff, behavioural changes etc

17 Information Security OECD, April 2001 International Computing Centre Security rings Data access rights Database security System security LAN and server security Firewall security Authentication etc What does it take to get through each of these layers

18 Information Security OECD, April 2001 International Computing Centre Tools and products Firewalls and antivirus software Resource access controls Encryption Digital certificates Proxy / Reverse Proxy servers Intrusion detection systems Software integrity checkers Log analysis tools and so on... “out of the box” may not be e-nough many choices

19 Information Security OECD, April 2001 International Computing Centre Certification, audits, etc d tests d audits d post-mortems d certification Like your annual medical it’s no guarantee of good health but it might diagnose a problem Who tests the testers? How do you know you have not been attacked ?

20 Information Security OECD, April 2001 International Computing Centre Be vigilant, be silent... Yes, we have been attacked and are very aware of the flaws in our security Our security is superb and we are totally confident in our ability to stay ahead Risk of losing credibility and of inviting trouble A challenge to every cracker and script kiddie to prove you wrong

21 Information Security OECD, April 2001 International Computing Centre Give it a try? Intrusion test Access a predefined file from a server on your network Report of route taken to access Report of weaknesses found

Download ppt "Information Security OECD, April 2001 International Computing Centre Managing Information Security Ed Gelbstein, International Computing Centre, Geneva."

Similar presentations

The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.

The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.
1.8 Malpractice and Crime In this section you must be able to: Explain the consequences of malpractice and crime on information systems. Describe the possible.

1.8 Malpractice and Crime In this section you must be able to: Explain the consequences of malpractice and crime on information systems. Describe the possible.
Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.

Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.
1 MIS 2000 Class 22 System Security Update: Winter 2015.

1 MIS 2000 Class 22 System Security Update: Winter 2015.
2 Issues of the information age Computer _______ and mistakes –Preventing computer related waste & mistakes Computer crime –Computer as tool to commit.

2 Issues of the information age Computer _______ and mistakes –Preventing computer related waste & mistakes Computer crime –Computer as tool to commit.
Crime and Security in the Networked Economy Part 4.

Crime and Security in the Networked Economy Part 4.
Agenda COBIT 5 Product Family Information Security COBIT 5 content

Agenda COBIT 5 Product Family Information Security COBIT 5 content
McGraw-Hill/Irwin ©2009 The McGraw-Hill Companies, All Rights Reserved CHAPTER 4 ETHICS AND INFORMATION SECURITY Business Driven Information Systems 2e.

McGraw-Hill/Irwin ©2009 The McGraw-Hill Companies, All Rights Reserved CHAPTER 4 ETHICS AND INFORMATION SECURITY Business Driven Information Systems 2e.
Chapter 4 McGraw-Hill/Irwin Copyright © 2011 by The McGraw-Hill Companies, Inc. All rights reserved. Ethics and Information Security.

Chapter 4 McGraw-Hill/Irwin Copyright © 2011 by The McGraw-Hill Companies, Inc. All rights reserved. Ethics and Information Security.
Separate Domains of IT Infrastructure

Separate Domains of IT Infrastructure
1 Telstra in Confidence Managing Security for our Mobile Technology.

1 Telstra in Confidence Managing Security for our Mobile Technology.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
Lecture 10 Security and Control.

Lecture 10 Security and Control.
Lecture 10 Security and Control.

Lecture 10 Security and Control.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
FIT3105 Security and Identity Management Lecture 1.

FIT3105 Security and Identity Management Lecture 1.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Similar presentations

Ads by Google