Turning Policy Into Reality Tony S Krzyżewski Director, Chief Technical Officer Protocol Policy Systems
The Challenge of Digital Enablement
Mainframe → Micro → LAN → Internet → Mobility
Along this progression, information exposure increases while management ability decreases.
How You See Your Information (figure: a single record)
How Staff See Your Information (figure: copies of the record scattered across devices, including USB)
How the Public Want to See Your Information Everywhere… and at all times!
The Policy Protection Model
Policy identifies Procedures, which require Processes, leading to Technology.
Then we Educate, and Control and Audit for compliance with the Policy.
Policies Set Our Expectations
Online Services Policy: User 19.6
Users must not publish corporate information (applications, internal documents or files, press releases, price lists etc.) on any public facing computer system (e.g. website, social media site) unless the item has been authorised by the appropriate Manager and the Communications and Publicity Manager for public consumption.
Cloud Computing Policy: Technical
The Organisation must confirm the responsibilities of the cloud service provider with regard to information security. These responsibilities must be documented in an agreement which is signed by both the Organisation and the cloud service provider.
Information Management Policy: Technical 2.3.2
The access privileges of all users, systems and applications must be restricted based on the "need to know" and "least access" principles, which require that there is a legitimate business need before access to any information systems resource is granted.
Where do IT Policies Fit?
Why we are here: IT Strategy
What constrains us: Regulatory Framework
What we are going to do: IT Policies
Who or what does it: People & Technology
How we are going to do it: Procedures & Processes
Why Have IT Policies?
Employers presume everyone knows about computers and IT Security. They don't…
Why Have IT Policies?
- Consistent rules and guidelines
- Align with best practice
- Set audit benchmarks
- First line of threat defence
- Protect corporate information
- Good governance
- Ensure compliance
IT Policies Are Holistic
They affect everyone, not just IT: Users, HR, Risk Managers and Auditors, Managers, Stakeholders, and the CEO (the buck stops here).
IT Policies Must Be Relevant
IT policies that are copies of best practice guides are like diet and exercise manuals: something to aspire to that you can never achieve.
IT Policies Are an Access Enabler
Need to know versus need to withhold principle. Well defined rules ensure that everyone knows what is expected of them.
Available to All
IT policies kept in a book on the back shelf in the IT Manager's office will never be read. Publish them on the Intranet.
But What Normally Happens…
- Defining policy is too hard, so no one actually gets around to it.
- Technology gets purchased without regard to policy.
- Vulnerabilities get introduced because there are no rules.
So you have IT Policies What Now?
Perception by Users
Let People Have Their Say Consultation is the key to Success
Review Feedback
Feedback will be: constructive, positive, indifferent, unhelpful, critical, ridicule, disparaging.
Incorporate Feedback
Feedback should be incorporated if it is:
- Valid
- Relevant
- Helpful
- Achievable
- Doesn't negatively impact on anything else
Workshop for Managers
Important because:
- Managers lead by example
- Managers are responsible for their staff
- Consistent IT Security message for all
- If managers aren't supportive, no one else will be
Get Sign-Off
Talk to HR
HR have an important role to play in IT Security:
- Induction process: new employees sign the Acceptable Use Policy
- During employment: add users, change user access, terminate users
- Termination process
- IT Policy enforcement
Technical Review
Enforce policy by:
- Implementing the appropriate technology
- Configuring the technology accordingly
- Ensuring you can monitor for compliance
Create a work plan:
- Upgrade technology if needed
- Update technical skills where required
Workshops for Staff
Raise security awareness by:
- Showing staff the Policy System and explaining why it's important
- Telling war stories
- Concentrating on highlights; don't overdo the detail
- Explaining the repercussions for non-compliance
- Monitoring staff usage of resources
Raising Staff Awareness (example topics)
Is SPAM a danger to our information?
Why we want you to change your password
The IT Policy Lifecycle
Tony S Krzyżewski Director, Chief Technical Officer Protocol Policy Systems Web: Video: Demo: demo.protocolpolicy.com