Sasa Aksentijevic, MBA IT Ph.d. Business Economy cnd./ ICT Manager / C(I)SO / ICT Court Forensic Expert LinkedIn: linkedin.com/sasaaksentijevic Information.


Common ICT security mistakes in corporate environments
Sasa Aksentijevic, MBA IT, Ph.D. Business Economy cand. / ICT Manager / C(I)SO / ICT Court Forensic Expert
LinkedIn: linkedin.com/sasaaksentijevic
Information security: certification, internal audit, CISSPs, CISMs, ISO 27K, BCP, DR, network security, antivirus solutions, anti-intrusion, firewalls, ethical hacking, residual risk management, SWOT, GAP, Monte Carlo... ????

Presentation content
A little theory will not hurt anybody
Management has discovered information security, or the Dilbert approach to information security
Should we include the coffee machine in the ISMS scope? AKA is certification the final answer to infosec?
“I will write my password on a Post-It for you” AKA low-level (operative) infosec breaches
How can something be nothing? Is information security possible? Is ICT security possible?
Q&A

Infosec concept model (slide figure)

The pointy-haired boss (often abbreviated to just PHB) is Dilbert's boss in the Dilbert comic strip. He is notable for his micromanagement, gross incompetence and unawareness of his surroundings, yet somehow retains power in the workplace. The phrase "pointy-haired boss" has acquired a generic usage to refer to incompetent managers. It is also possible to speak of someone being pointy-haired or having pointy hair metaphorically, meaning that they possess PHB-like traits.

ISO 27K (Information technology — Security techniques — Information security management systems — Requirements) is not an information security standard. It is a management system standard.
ISO 27K outlines a framework for an ISMS, but it is not a “golden standard” itself.
ISO 27K is based on risk assessment: there is no “predefined” acceptable risk; criteria, applicability, inclusion and treatment are decided by the organization.
Efficient implementation requires security analysis of the technical aspects.
The standard deals with policy, scope, risk analysis, procedures and records.
Too many if's: ISO 27K certification is proof of compliance with the standard. By itself, it does not guarantee information security.
Organizations decide about the applicability (or not) of Annex A controls. The list of controls exists (Annex A), but it is just a “suggestion”. Additional controls may be included.

Delegation (of tasks that should not be delegated)
Compliance with local legislation/law requirements; problems with non-compliance
Inadequate resources (human resources, time, money, knowledge…)
Creation of parallel, “backdoor” systems, especially for the management authorization process
Lack of interest in information security on behalf of the management
No BCP, no DR, no periodic updating
Lack of consistent policies, criteria, standards, work instructions and learning from security incidents
Management has no awareness that information security is an ongoing, permanent process
Lack of systematic resource and contingency planning, loose control over ICT assets, unclear ownership

Revoking of access rights, access and revision of access rights not implemented
No ICT security induction, no periodic refresher courses
No segregation between work and test environments
SLAs for ICT services are not clearly defined (or they are not adhered to)
No implementation of employee background checks
Inadequate physical access controls (especially for guests, third parties, externals and temps)
Saving on insurance, no change management (log), unsafe networking environment
Process of incident learning is not implemented
Controls related to third-party relations and NDAs are not implemented
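The first item above (access rights never revoked or reviewed) and the "unclear ownership" item on the previous slide are the kind of gaps an organization can check mechanically, even without an ISMS. The script below is an added example, not part of the presentation: it cross-references an account export against an HR roster and flags accounts that are still enabled after the owner's leaving date, accounts with no identifiable owner, and accounts whose access review is overdue. The roster, accounts, dates and review interval are all constructed for the example.

```python
"""Access-rights review check (added example, not from the presentation).

Flags three of the mistakes listed on the slides:
  * accounts still enabled although the owner has left (no revocation)
  * accounts whose access has not been reviewed within the review interval
  * accounts with no identifiable owner (unclear ownership)
All data below is constructed for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: str            # HR employee id, or "" if nobody claims the account
    enabled: bool
    last_reviewed: date      # date of the last documented access review


@dataclass(frozen=True)
class Employee:
    employee_id: str
    name: str
    leaving_date: Optional[date]   # None means still employed


# Constructed HR roster: Bob left on 2024-03-01.
HR_ROSTER = [
    Employee("e001", "Alice", None),
    Employee("e002", "Bob", date(2024, 3, 1)),
    Employee("e003", "Carol", None),
]

# Constructed account export: Bob's account was never disabled,
# a service account has no owner, and a contractor id is unknown to HR.
ACCOUNTS = [
    Account("alice", "e001", True, date(2024, 5, 1)),
    Account("bob", "e002", True, date(2024, 1, 15)),
    Account("carol", "e003", True, date(2024, 5, 20)),
    Account("svc_backup", "", True, date(2024, 5, 20)),
    Account("tmp_contractor", "e999", False, date(2023, 12, 1)),
]


def review_accounts(accounts: List[Account], roster: List[Employee],
                    as_of: date, review_interval_days: int = 90
                    ) -> List[Tuple[str, str]]:
    """Return (username, reason) findings for the access review."""
    by_id = {e.employee_id: e for e in roster}
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        owner = by_id.get(acct.owner_id)
        if owner is None:
            # Covers both an empty owner field and an id HR does not know.
            findings.append((acct.username, "no identifiable owner"))
        elif (owner.leaving_date is not None
              and owner.leaving_date <= as_of and acct.enabled):
            findings.append((acct.username,
                             f"enabled after leaving date {owner.leaving_date}"))
        # Review cadence only matters for accounts that can still log in.
        if acct.enabled and (as_of - acct.last_reviewed).days > review_interval_days:
            findings.append((acct.username, "access review overdue"))
    return findings


def run_example() -> List[Tuple[str, str]]:
    """Run the check over the constructed data as of 2024-06-01."""
    return review_accounts(ACCOUNTS, HR_ROSTER, date(2024, 6, 1))


if __name__ == "__main__":
    for username, reason in run_example():
        print(f"{username}: {reason}")
```

In practice the two inputs come from the directory (e.g. an exported user list) and from HR, and the review interval is whatever the organization's policy states; the point is that the comparison itself is simple, and the difficulty the slides describe is organizational (nobody owns the process), not technical.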

User breaches
USB drives used for storage and not backup
Data exchange procedures (encrypting, FTP, snail mail)
No data classification / information lifecycle management
Remote working equipment (PDAs, MMC, USB, notebooks)
ICT assets not under control by owners

User breaches
Photocopy machines, printers and network scanners
Password sharing, passwords on Post-Its
Clear workplace and clear display policy not enforced
Documents not supervised, lack of access authorization
Non-systematic document disposal

User breaches
No continuous learning/interest in security culture
Data backup procedures
Common network areas used for personal data placement
3rd party relations, hardware repair procedures
Malicious intent


Technical effort -> BEST PRACTICES, CERTIFICATION, LEGISLATION, FORENSICS, TESTING, PDCA, AUDIT(s)…
Personal effort -> EMPLOYEES (PARTICIPANTS, STAKEHOLDERS)
Organizational effort -> MANAGEMENT

Thank you for your attention!