Turning Policy Into Reality Tony S Krzyżewski Director, Chief Technical Officer Protocol Policy Systems.

The Challenge of Digital Enablement (diagram): as platforms have moved from Mainframe to Micro, LAN, Internet and Mobility, Information Exposure Increases while Management Ability Decreases.

Record How You See Your Information

How Staff See Your Information (diagram: records scattered across many places, including USB devices).

How the Public Want to See Your Information Everywhere… and at all times!

The Policy Protection Model (diagram): Policy identifies Procedures, which require Processes, leading to Technology. Then we Educate, and Control and Audit for compliance with the Policy.

Policies Set Our Expectations. Examples:

"Users must not publish corporate information (applications, internal documents or files, press releases, price lists etc.) on any public facing computer system (e.g. website, social media site) unless the item has been authorised by the appropriate Manager and the Communications and Publicity Manager for public consumption." (Online Services Policy: User 19.6)

"The Organisation must confirm the responsibilities of the cloud service provider with regard to information security. These responsibilities must be documented in an agreement which is signed by both the Organisation and the cloud service provider." (Cloud Computing Policy: Technical)

"The access privileges of all users, systems and applications must be restricted based on the 'need to know' and 'least access' principles which require that there is a legitimate business need before access to any information systems resource is granted." (Information Management Policy: Technical 2.3.2)

Where do IT Policies Fit? (diagram) The questions: Why we are here; What constrains us; What we are going to do; Who or what does it; How we are going to do it. The corresponding elements: IT Policies; IT Strategy; Regulatory Framework; Procedures & Processes; People & Technology.

Why Have IT Policies? Employers presume everyone knows about computers and IT security. They don't…

Why Have IT Policies? Consistent rules and guidelines; align with best practice; set audit benchmarks; first line of threat defence; protect corporate information; good governance; ensure compliance.

IT Policies Are Holistic. They affect everyone, not just IT: Users; HR; Risk Managers and Auditors; Managers; Stakeholders; the CEO (the buck stops here).

IT Policies Must Be Relevant. IT policies that are copies of best practice guides are like diet and exercise manuals: something to aspire to that you can never achieve.

IT Policies are an Access Enabler. "Need to know" versus "need to withhold" principle: well defined rules ensure that everyone knows what is expected of them.

Publish Them on the Intranet, Available to All. IT policies kept in a book on the back shelf in the IT Manager's office will never be read.

But What Normally Happens… Defining policy is too hard, so no one actually gets around to it. Technology gets purchased without regard to policy. Vulnerabilities get introduced because there are no rules.

So You Have IT Policies. What Now?

Perception by Users

Let People Have Their Say. Consultation is the key to success.

Review Feedback. Feedback will be: constructive; positive; indifferent; unhelpful; critical; ridicule; disparaging.

Incorporate Feedback. Feedback should be incorporated if it is: valid; relevant; helpful; achievable; and doesn't negatively impact anything else.

Workshop for Managers. Important because: managers lead by example; managers are responsible for their staff; a consistent IT security message for all; if managers aren't supportive, no one else will be.

Get Sign-Off

Talk to HR. HR have an important role to play in IT security: new employees sign the Acceptable Use Policy (induction process); during employment: add users, change user access, terminating users (termination process); IT policy enforcement.

Technical Review. Enforce policy by: implementing the appropriate technology; configuring the technology accordingly; ensuring you can monitor for compliance. Create a work plan: upgrade technology if needed; update technical skills where required.
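One way to "monitor for compliance" with the HR lifecycle steps (add, change, terminate users) and the need-to-know / least-access policy quoted earlier is to reconcile the HR system of record against the accounts that actually exist. The following is an added example, not code from the presentation or from Protocol Policy Systems; the record layouts and the sample roster are constructed assumptions.

```python
"""Added example: reconcile an HR roster with system accounts and report
policy violations. Sample data is constructed; field names are assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    user_id: str
    status: str               # HR system of record: "active" or "terminated"
    approved_roles: frozenset  # roles a manager has approved (need to know)


@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool
    roles: frozenset          # roles actually granted on the system


def find_violations(hr, accounts):
    """Return (user_id, finding) pairs for three checks: terminated staff
    still enabled, enabled accounts with no HR record, and roles granted
    beyond what was approved (least access)."""
    findings = []
    hr_by_id = {e.user_id: e for e in hr}
    for acct in accounts:
        emp = hr_by_id.get(acct.user_id)
        if emp is None:
            if acct.enabled:   # orphan account: nobody owns it in HR
                findings.append((acct.user_id, "enabled account with no HR record"))
            continue
        if emp.status == "terminated" and acct.enabled:
            findings.append((acct.user_id, "terminated employee still enabled"))
        excess = acct.roles - emp.approved_roles
        if excess:             # mover whose old access was never revoked, etc.
            findings.append((acct.user_id,
                             "roles beyond approved need to know: "
                             + ", ".join(sorted(excess))))
    return findings


# Constructed sample data: one clean user, one leaver, one mover, one orphan.
HR = [
    Employee("alice", "active", frozenset({"finance-read"})),
    Employee("bob", "terminated", frozenset({"sales"})),
    Employee("carol", "active", frozenset({"it-admin", "vpn"})),
]
ACCOUNTS = [
    Account("alice", True, frozenset({"finance-read", "finance-write"})),
    Account("bob", True, frozenset({"sales"})),
    Account("carol", True, frozenset({"vpn"})),
    Account("dave", True, frozenset({"vpn"})),
]

if __name__ == "__main__":
    for user_id, finding in find_violations(HR, ACCOUNTS):
        print(f"{user_id}: {finding}")
```

Run against real exports, the same reconciliation gives the audit benchmark the earlier slides call for: every finding is a gap between what HR approved and what the systems grant.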

Workshops for Staff. Raise security awareness by: showing staff the policy system and explaining why it's important; telling war stories; concentrating on highlights, not overdoing the detail; repercussions for non-compliance; monitoring staff usage of resources.

Raising Staff Awareness. Is SPAM a danger to our information? Why we want you to change your password.

The IT Policy Lifecycle

Tony S Krzyżewski Director, Chief Technical Officer Protocol Policy Systems Web: Video: Demo: demo.protocolpolicy.com