Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Other Side of Information Security Wilco van Ginkel – Ubizen

Published byLisa Higgins Modified over 8 years ago

Similar presentations

Presentation on theme: "The Other Side of Information Security Wilco van Ginkel – Ubizen"— Presentation transcript:

1 The Other Side of Information Security Wilco van Ginkel – Ubizen wilco.vanginkel@ubizen.com

2 Purpose of this talk Provide the audience an overview of ‘The Other Side of Information Security’ in a nutshell Nutshell because of time constraints

3 Agenda Introduction Business Assessment Risk Management PSPG Security Awareness Compliance Examples where Organisational meets Technical

4 Introduction The four fundamental security questions The components of a total security solution Trend in the market The Security Triangle The Domains

5 The Four Security Questions Most organisations ask the question: ‘How should I protect’ More important is to ask first: 1. Why should I need protection? 2. How difficult will it be to protect? 3. What and against who should I protect? 4. Then

6 Components Security Solution Security Solution Technical Organisational Business Assessment Business Assessment PSPG Risk Management Risk Management Security Awareness Security Awareness Legal 20%80%

7 Trend Security is considered more and more as part of the normal business process We are not talking ‘Rocket Science’ Does this mean that technology is dead or something? Most organisations just don’t know how to do it…

8 Security Triangle Business Assessment, Risk Management & PSPG Security Awareness Security Architecture & Infrastructure Information

9 The Domains Security Requirements 5 73 1 Business Requirements 2 46 Domains: 1. I.T. 2. Physical 3. Environmental 4. Human 5. Organizational 6. Administrative 7. Legal

10 The first step ‘Meet the parents’ Because: They are the end responsibles for security They decide about the budget They should support security They have authority How: Business Assessment & Risk Management

11 Business Assessment - 1 Why should I need protection: Discuss the stakes Discuss the different types of information Discuss the Security Requirements (CIAR) Discuss strategic questions, like: Replacement value of IT Targets Is IT just support or strategic for the organisation …

12 Examples of Stakes Company Image Loss of customers Loss of service Legal pursuits Financial recovery costs …

13 Examples of Information Public Confidential Privacy Company critical …

14 Security Requirements CIAR Can be more fine-grained: Internal vs external Function vs data Example  External Data Confidentiality Example  Accountability (Non-repudiation): Broken anonymity Unavailability of proof Unavailability of accountability function

15 Business Assessment - 2 How difficult will it be to protect? Evaluate the constraints, like Financial Internal knowledge Dependency on partners Calendar …

16 Risk Management - 1 Risk Management consists of two parts: Risk Assessment Risk Treatment (mitigation) Risk Assessment: Risk Analysis (identification + evaluation) Risk Valuation Against what and who should I protect  Risk Assessment How to protect  Risk Treatment Dependency between security requirements & risk management…

17 Risk Management - 2 Some attention points: Different Risk Assessment/Analysis methodologies: Generic Detailed Business oriented Sometimes difficult to determine the ‘value’ Make sure that you’ve the right people, meaning: Who know the business processes Who have authority to decide Be careful when using risk management tools…

18 PSPG - 1 Policies  high-level statements of a companies belief, goals and objectives Standards  mandatory rules & regulations Procedures  how to implement the policies, standards and guidelines Guidelines  recommendations

19 PSPG - 2 Assessment, Laws, Regulations, Requirements Assessment, Laws, Regulations, Requirements Policy Standards Procedures, Practices Procedures, Practices Guidelines From ‘Information Security, Policies, Procedures, and Standards’

20 PSPG - 3 Example: Policy  Access to company information systems is restricted to authorised users only Standard  Users are required to have a unique User-id & confidential password Procedure  User-id & password requests must contain a signature of the authorised system owner. Approval of the signature must be verified against the company list of authorised signatures Guideline  Passwords should have 5 to 8 alphanumeric characters From ‘Information Security, Policies, Procedures, and Standards’

21 PSPG Building Blocks Corporate Security Policy Corporate Security Policy 1 st level 2 nd level Asset classification Asset classification Security Organisation Security Organisation High-level IRP High-level IRP Education & Training Education & Training Business Continuity Framework Business Continuity Framework 3 rd level Access Control Access Control Compliance Back-up Recovery Back-up Recovery … 4 th level Malicious Software Malicious Software Cryptography System Specific System Specific Acceptable Use Acceptable Use …

22 PSPG - 4 Make sure that: The PSPG documents are supported by the System Owner The PSPG documents are developed by a representative group within the organisation The PSPG documents are clearly communicated The PSPG documents are useful and pragmatic You pay attention to the organisational culture! You pay attention to the international culture!

23 Security Standards - 1 Are you on our own? No, there are standards out there A set of best practices Can be a good starting point and prevents to re-invent the wheel However, be careful not to implement a security standard blindly…

24 Security Standards - 2 Some well-known examples are: ISO/17799 (BS/7799 part 1 + 2) Cobit-3 ITIL ISO-13335 Common Criteria (ISO-15408) NIST IETF … Certification…

25 Security Awareness - 1 The most critical success factor of Information Security Awareness should be at any level in the organisation It is all about psychology…

26 Security Awareness - 2 Incorrect Behaviour Correct Behaviour Unaware Aware

27 Compliance Do we still comply with our PSPG’s? Auditing: Quick Scan Review Full Audit Monitoring Internal vs external Technical vs organisational

28 Organisational meets technical - 1 Example: CSP  Accountability principle Access Control Policy  strong authentication Standard  Tokens

29 Organisational meets technical - 2 Example: CSP  Information across untrusted networks should be protected Cryptography Policy  Symmetric Encryption at least 128 bits, preferred choice 3-DES Guideline  Hardware Encryptors

30 Organisational meets technical - 3 Example: Within the business process ‘Electronic Transactions’, there is a high security requirement for Integrity and Non-repudiation Defined risks are: Unauthorised change of the transaction Denial of sending the transaction Standard  Digital signatures Cryptography Policy  Use RSA, minimum key length of at least 1024 bits

31 Useful links www.isaca.org www.bsi-global.com www.nist.gov www.ietf.org www.iso.org www.cenorm.be/isss www.sse-cmm.org

32 Useful books ‘Writing Information Security Policies’, Scott Barman ‘Building an Information Security Awareness Program’, Mark B. Desman ‘Information Security Risk Analysis’, Thomas Peltier ‘Information Security Policies, Procedures, and Standards’, Thomas Peltier ‘Information Security Policies made easy, version 8’, Crisson Wood ‘Incident Response’ (O-Reilly), Richard Forno ‘Computer Forensics’, Warren Kruse II & Jay G. Heiser ‘Know your enemy’  honeypot project ‘Information Warfare’, Dorothy Dennings …

33 Reading stuff to fill long winter nights… ISO TR13335 General Management of IT Security ISO 15408 Common Criteria for evaluation and certification of IT security Baseline Protection Manual (BSI.DE) BS7799: Code of practice for Information Security Management (two parts) CobiT: Governance, Control and Audit for Information and Related Technology (ISACA) SSE-CMM: System Security Engineering - Capability Maturity Model

34 Questions Discussions

Download ppt "The Other Side of Information Security Wilco van Ginkel – Ubizen"

Similar presentations

Dr Lami Kaya LamiKaya@gmail.com ISO 27001 Information Security Management System (ISMS) Certification Overview Dr Lami Kaya LamiKaya@gmail.com.

Dr Lami Kaya ISO Information Security Management System (ISMS) Certification Overview Dr Lami Kaya
Agenda What is Compliance? Risk and Compliance Management

Agenda What is Compliance? Risk and Compliance Management
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.

ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
Agenda COBIT 5 Product Family Information Security COBIT 5 content

Agenda COBIT 5 Product Family Information Security COBIT 5 content
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Advantages of IT Security Prof. Uldis Sukovskis, CISA Riga Information Technology Institute Secure information exchange in Electronic media Baltic IT&T.

Advantages of IT Security Prof. Uldis Sukovskis, CISA Riga Information Technology Institute Secure information exchange in Electronic media Baltic IT&T.
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Chapter 12 Strategies for Managing the Technology Infrastructure.

Chapter 12 Strategies for Managing the Technology Infrastructure.
Creating a Secured and Trusted Information Sphere in Different Markets Giuseppe Contino.

Creating a Secured and Trusted Information Sphere in Different Markets Giuseppe Contino.
ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.

ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.
Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.

Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.
First Practice - Information Security Management System Implementation and ISO 27001 Certification.

First Practice - Information Security Management System Implementation and ISO Certification.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Effectively applying ISO9001:2000 clauses 5 and 8

Effectively applying ISO9001:2000 clauses 5 and 8
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
Introduction to IT Auditing

Introduction to IT Auditing

Similar presentations

Ads by Google