Changing GÉANT's Security Future. Mark Johnston (CNOO – Head of IIS) and Fotis Gagadis (Security Officer), GÉANT. SIG ISM - Copenhagen, Feb 22, 2016. Networks ∙ Services ∙ People, www.geant.org

Presentation transcript:


Slide 2: We knew that we had things to consider
- Security had to play the "good" cop
- Trying to listen, inquire and observe people
- We had to identify where the gaps and things to consider exist
Results: some people were not aware of:
- Risks and environment
- Security concepts
- Historical issues

Slide 3: After a couple of weeks at GÉANT and after WISE in Oct 2015
We set objectives:
- People should commit
- People should understand their actions
- People should understand that they can make unnecessary decisions
- We had to take control of the environment
- Train people to think before acting
We are changing to a security-conscious organisation

Slide 4: We have decided to use ISO 27005:
- Take control of the environment through a risk process
- Standardised risk assessment process
- Integrated some quantitative measures and future fields for disaster recovery
Most risk assessments such as ISO 27005:
- Cannot take real comparison data into consideration most of the time, e.g. comparison of data in case of fire outbreak before and after fire sprinkler installation (just an example). Hard to find either way.
- Are subjective, and act as a "threat" agent since the information is not objective
- BUT can be helpful to ensure quick actions and force change
- Support management through a risk dashboard and comparison
- Rate the risks and assets within a business
- People are registering their risks

Slide 5: Our Process
We have said to people:
- Think of Confidentiality, Integrity and Availability
- Rate an asset based upon CIA from 1-5
However, we have not rated Confidentiality, Integrity and Availability separately, so as to take the business impact out of it. The appendices of the old/new ISO take the asset value as business impact/consequence (Asset Value). We wanted people to start thinking of the basics, but we did not want to be restricted only to the CIA attributes. (People, while rating the consequence, did not consider the CIA attributes, but unintentionally were selecting business attributes such as timely, accurate and private, which evolve as business needs change. People were rating impact as asset value even when impact was requested.)
Security is more than the 1960s CIA attributes. What about Authenticated, Reliable, Compliant and Liable, which can come through measurable business objectives?

Slide 6: Our Process - Registering Assets
We have:
- Registered their assets at a high level (we could not have risks and assets running to more than 1000 rows, which would be unmanageable)
- Owners of assets
- Separated assets into tangible and intangible
- Description of the asset and location, e.g. GÉANT Project Systems
- Number of those assets
- Information classification: information kept within these devices, current protection and future protection level

Slide 7: Our Process - Asset Register

Slide 8: Our Process - Rating the risk
We have said to people:
- Vulnerability is a lack of a control, e.g. lack of monitoring
- Threat is the potential danger associated with the exploitation of the vulnerability, e.g. disgruntled employees
- Let's create your risk based upon the asset, vulnerability and threat, e.g. "Unauthorized actions of employees on GÉANT Systems sensitive resources could not be monitored due to lack of monitoring capabilities" (just an example)
- Let's rate the risk together: Vulnerability and Threat (1-3), Asset (1-5)
- Classic: Risk = A x V x T

Slide 9: Our Process - Ranking the likelihood of the risk happening to give an overall rating
We have said to people:
- OK, really good. However, what is the overall probability/likelihood of this risk being realised? Provide us with a number from 1-5, with 5 being the highest.
- Some models do not take into account the overall probability of a risk being realised, and this can have an effect on decisions.
- Risk = [Impact (Asset) x Vulnerability x Threat] x Likelihood
- As said, people had to start realising concepts, and Impact was also introduced. However, it is the asset value.

Slide 10: Our Process – Overall Risk rating

Slide 11: Our Process – Comparison Dashboard, track risk reduction
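As an added worked example (not GÉANT's own tooling), the two scoring formulas from slides 8 and 9 applied to a small constructed register, showing how the likelihood factor can reorder the same risks and how the dashboard's reduction figure can be tracked once a control is applied. Taking the asset value as the highest of its C, I and A ratings, the register entries and the post-control re-rating are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    conf: int            # Confidentiality rating, 1-5
    integ: int           # Integrity rating, 1-5
    avail: int           # Availability rating, 1-5
    vulnerability: int   # 1-3, a lack of a control
    threat: int          # 1-3, potential danger exploiting that lack
    likelihood: int      # 1-5, overall probability of realisation

def _check(name: str, value: int, lo: int, hi: int) -> None:
    if not lo <= value <= hi:
        raise ValueError(f"{name}={value} is outside the {lo}-{hi} scale")

def asset_value(r: Risk) -> int:
    """Assumption: the asset value is the highest of its C, I, A ratings."""
    for name, v in (("C", r.conf), ("I", r.integ), ("A", r.avail)):
        _check(name, v, 1, 5)
    return max(r.conf, r.integ, r.avail)

def classic_risk(r: Risk) -> int:
    """Slide 8: Risk = A x V x T (range 1-45)."""
    _check("vulnerability", r.vulnerability, 1, 3)
    _check("threat", r.threat, 1, 3)
    return asset_value(r) * r.vulnerability * r.threat

def overall_risk(r: Risk) -> int:
    """Slide 9: Risk = [Impact (Asset) x V x T] x Likelihood (range 1-225)."""
    _check("likelihood", r.likelihood, 1, 5)
    return classic_risk(r) * r.likelihood

def ranked(register, score=overall_risk):
    """Highest-scoring risks first, as a dashboard would list them."""
    return sorted(register, key=score, reverse=True)

def reduction(before: Risk, after: Risk) -> float:
    """Fraction by which the overall score fell after a control was applied."""
    b = overall_risk(before)
    return (b - overall_risk(after)) / b

# Constructed register entries (illustrative values, not GÉANT data)
REGISTER = [
    Risk("GÉANT Project Systems", 5, 4, 3, vulnerability=3, threat=2, likelihood=2),
    Risk("Office Wi-Fi", 3, 2, 4, vulnerability=2, threat=3, likelihood=5),
]
# The first risk re-rated after a monitoring control lowers its vulnerability
AFTER_MONITORING = Risk("GÉANT Project Systems", 5, 4, 3, vulnerability=1, threat=2, likelihood=2)
```

Ranking REGISTER with classic_risk puts the project systems first (30 vs 24), while overall_risk puts the Wi-Fi first (120 vs 60); reduction(REGISTER[0], AFTER_MONITORING) gives the two-thirds drop a comparison dashboard would show.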

Slide 12: Making Progress and Continual Improvement
What we would like to do or have done:
- Normalise the environment (we are getting there)
- Security following business
- Potentially ISO
- Potentially change our risk approach to a much more objective one in the future (we would like to do)
- Set security objectives for each team within the organization (done)
- Set the Information and Infrastructure Security Group to control actions (done)
- Set tactical and operational goals and we follow them (done)
- Set strategic goals and we follow them (done)
- Security strategy updated for both offices (done)
- Audits on Amsterdam office (done)
- Closer to people, but we say stop when needed (some people take it on board, others…) (done)

Slide 13: Thank you. Questions

Slide 14: Our Process - Example

Slide 15: Our Process - Example