
The Other Side of Information Security Wilco van Ginkel – Ubizen


1 The Other Side of Information Security Wilco van Ginkel – Ubizen wilco.vanginkel@ubizen.com

2 Purpose of the keynote Give the audience the other side of Information Security in a nutshell Nutshell because of time constraints

3 Agenda Introduction Business & Risk Assessment Security Policies & Procedures Security Standards Security Awareness Examples where Organisational meets Technical

4 Introduction The four fundamental questions The components of a total security solution Trend in the market The Security Triangle The Domains

5 The Four Questions Most organisations ask the question: ‘How should I protect’ More important is to ask first: 1. Why should I need protection? 2. How difficult will it be to protect? 3. What and against who should I protect? 4. Then

6 Components of a Security Solution Technical (20%) Organisational (80%): Assessment, Policies, Procedures, Awareness, Legal

7 Trend Security is considered more and more as part of the normal business process We are not talking ‘Rocket Science’ Does this mean that technology is dead or something? Most organisations don’t know how to do it…

8 Security Triangle Assessment & Policies Security Awareness Cryptography

9 The Domains Security Requirements and Business Requirements across the seven domains (diagram omitted) Domains: 1. I.T. 2. Physical 3. Environmental 4. Human 5. Organizational 6. Administrative 7. Legal

10 The first step ‘Meet the parents’ Because: They decide about security They should back up and support security They have authority They are responsible… How: Perform Business & Risk Assessment

11 Business Assessment - 1 Why should I need protection: Discuss the stakes Discuss the different types of information Discuss the Security Requirements (CIAR) Discuss strategic questions, like: Replacement value of IT Targets Is IT just support or strategic for the organisation …

12 Business Assessment - 2 How difficult will it be to protect? Evaluate the constraints, like Financial Internal knowledge Dependency on partners Calendar …

13 Risk Assessment - 1 Against what and who should I protect? Perform Risk Assessment Be aware of terminology: Risk Identification (RI) Risk Assessment (RASS = RI + ‘value’) Risk Management (RM = How should we protect) Risk Analysis (RASS + RM)

14 Risk Assessment - 2 Some attention points: Different Risk Assessment/Analysis methodologies Sometimes difficult to determine the ‘value’ Make sure that you have the right people, meaning: people who know the business processes and who have authority to decide

15 Security Policies First things first: the CSP Formalisation of the Security Strategy and objectives High Level

16 Security Policies - 2 System Security Policies: General description of the Information System Security around the Information System Security on the Information System Technical security settings (OS, database, application) Other important policies are, for example: Asset Classification Malicious Software Policy …

17 Security Policies – 3 Make sure that: The policy is supported by the System Owner You avoid the ‘Ivory Tower Syndrome’ The policy is clearly communicated The policy is useful and pragmatic

18 Security Procedures Who is doing what, why and when? Important procedures are, for example: Boarding Process Incident & Escalation Back-up/Recovery Change & Configuration Management …

19 Security Standards - 1 Are we on our own? No, there are standards out there A set of best practices Can be a good starting point and prevents reinventing the wheel However, be careful not to implement a security standard blindly…

20 Security Standards - 2 Some well-known examples are: BS/7799 part 1 + 2 (ISO/7799-1) Cobit-3 ITIL ISO-13335 Common Criteria (ISO-15408) NIST IETF … Certification against such a standard can also be of interest

21 Security Awareness The most critical success factor of Information Security Mind set Awareness should be at any level in the organisation Relation with psychology…

22 Organisational meets technical - 1 Example: CSP → Accountability principle; Authentication Policy → strong authentication; Counter measure → Tokens

23 Organisational meets technical - 2 Example: CSP → Information across untrusted networks should be protected; Cryptography Policy → Symmetric Encryption at least 128 bits, preferred choice 3-DES; Counter Measure → Hardware Encryptors

24 Organisational meets technical - 3 Example: Within the business process ‘Electronic Transactions’, there is a high security requirement for Integrity and Non-repudiation. Defined risks are: Unauthorised change of the transaction; Denial of sending the transaction. Digital signatures; Crypto Policy: Use RSA, minimum key length at least 1024 bits
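Added example (not from the deck): the three slides above each map an organisational policy clause to a technical countermeasure; this policy-as-code check runs the mapping in reverse, auditing an inventory of technical settings against those clauses (symmetric keys of at least 128 bits, RSA of at least 1024 bits for signatures, strong authentication). The inventory format, the field names and the reading of 'strong authentication' as two factors are assumptions; the 128-bit and 1024-bit minimums are the deck's figures from its time and sit below what current guidance accepts.

```python
from dataclasses import dataclass
from typing import List
# Policy clauses as stated on the slides; the 128-bit symmetric and 1024-bit RSA
# minimums are the deck's figures from its time, a current policy sets them higher.
POLICY = {"transport": {"min_key_bits": 128},
          "signature": {"algorithm": "RSA", "min_key_bits": 1024},
          "authentication": {"min_factors": 2}}  # assumption: 'strong' = token + secret

@dataclass
class Setting:
    system: str
    purpose: str          # transport | signature | authentication
    algorithm: str
    key_bits: int = 0
    factors: int = 1      # authentication factors in use

def parse_inventory(text: str) -> List[Setting]:
    """Parse 'key=value' tokens per line (constructed format) into Setting records."""
    settings = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        kv = dict(tok.split("=", 1) for tok in line.split())
        settings.append(Setting(kv["system"], kv["purpose"], kv["algorithm"],
                                int(kv.get("key_bits", 0)), int(kv.get("factors", 1))))
    return settings

def check(s: Setting) -> List[str]:
    """Return findings for one setting; an empty list means it complies."""
    clause = POLICY.get(s.purpose)
    if clause is None:
        return [f"{s.system}: no policy clause for purpose '{s.purpose}'"]
    where, findings = f"{s.system}/{s.purpose}", []
    if "algorithm" in clause and s.algorithm.upper() != clause["algorithm"]:
        findings.append(f"{where}: algorithm {s.algorithm} not permitted, policy requires {clause['algorithm']}")
    if "min_key_bits" in clause and s.key_bits < clause["min_key_bits"]:
        findings.append(f"{where}: key length {s.key_bits} below policy minimum {clause['min_key_bits']}")
    if "min_factors" in clause and s.factors < clause["min_factors"]:
        findings.append(f"{where}: {s.factors} authentication factor(s), policy requires {clause['min_factors']}")
    return findings

def audit(text: str) -> List[str]:
    """Run every inventory line through the policy and collect all findings."""
    return [finding for s in parse_inventory(text) for finding in check(s)]

# Constructed sample inventory: one weak and one compliant setting per clause.
SAMPLE_INVENTORY = """\
system=vpn-gw     purpose=transport      algorithm=DES      key_bits=56
system=vpn-gw     purpose=transport      algorithm=AES      key_bits=128
system=txn-signer purpose=signature      algorithm=RSA      key_bits=512
system=txn-signer purpose=signature      algorithm=RSA      key_bits=2048
system=portal     purpose=authentication algorithm=password factors=1
system=portal     purpose=authentication algorithm=token    factors=2
"""
```

Running `audit(SAMPLE_INVENTORY)` yields exactly three findings, one per weak setting, which is the list a policy owner would take back to the system owner.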

25 Useful links www.isaca.org www.bsi-global.com www.nist.gov www.ietf.org www.iso.org www.cse-cst.gc.ca www.bsi.de www.cenorm.be/isss www.cesg.gov.uk www.sse-cmm.org

26 Reading stuff to fill long winter nights… ISO TR13335 General Management of IT Security ISO 15408 Common Criteria for evaluation and certification of IT security Baseline Protection Manual (BSI.DE) BS7799: Code of practice for Information Security Management (two parts) CobiT: Governance, Control and Audit for Information and Related Technology (ISACA) SSE-CMM: System Security Engineering - Capability Maturity Model

27 Questions, Discussions, ….
