Presentation is loading. Please wait.

Presentation is loading. Please wait.

Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009 Corporate Governance and Information Security (InfoSec)

Published byLogan Murphy Modified over 8 years ago

Similar presentations

Presentation on theme: "Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009 Corporate Governance and Information Security (InfoSec)"— Presentation transcript:

1 Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009 Corporate Governance and Information Security (InfoSec) Mark Clements Andrew Adekunle

2 Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009 Lecture Overview Some InfoSec facts –Recent information security breach surveys Corporate Governance – The infosec perspective Lecture Review Lecture References

3 Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009 Information Security Breach Surveys UK Department for Business, Enterprise and Regulatory Reform (BERR) –Survey every two years – last survey published in Spring 2008 Global Survey by Ernst and Young –10 th Annual Global Information Security Survey – published in Dec 2007 We shall focus on the results of the UK BERR 2008 survey

4 Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009 BERR Information Security Breach Survey 2008 Company Strategy Security Breach Incidents –Malicious –Accidental

5 Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009 Company Strategy Changing business environment Importance of information Documented InfoSec policy InfoSec standards InfoSec qualifications Web site protection Backup and recovery policy

6 Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009

7 Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009 How does the previous graph relate to you? What do the figures say about the way companies deal with their IT resources? What does the outsourcing result mean for the IT industry generally? Outsource or in-house?

8 Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009 Businesses:20022008 Have a documented security policy27%55% Percentage of IT budget spent on security (average) 2%7% Provide ongoing security training to staff20%40% Use multi-factor authentication5%14% Have implemented BS 7799 / ISO 270015%11% The Changing Business Environment

9 Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009 Discuss What does the previous slide say about the business view of security from a financial standpoint?

10 Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009

11 Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009 Discuss: Why have the figures for confidential data been rising year on year?

12 Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009 Changing Business Environment and Value of Information Held Information is becoming more accessible Information is becoming more critical for business operations Information integrity and availability are now critical for a growing number of businesses –This is particularly true of large businesses Over half of all businesses outsource some IT operations. –Offshore outsourcing is growing, particularly in large businesses

13 Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009

14 Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009

15 Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009 ISO/IEC 27002 Risk assessment, Security policy Organization of information security Asset management, Human resources security, Physical and environmental security Communications and operations management, Access control Information systems acquisition, development and maintenance Information security incident management Business continuity management, Compliance

16 Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009 Documentation, Standards and Formal Staff Qualifications A significant number of businesses have no documented InfoSec policy –Though this is improving Significantly less than half of business have a knowledge of BS7799 Very few personnel with InfoSec responsibilities have any formal qualification in this field –The position is significantly weaker in small companies, compared to large companies

17 Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009

18 Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009 Security Measures for Web Servers Some businesses have only limited security measures to protect their corporate web site –Although this is improving

19 Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009

20 Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009

21 Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009 Backup and Recovery Policy 82% of businesses operate a daily backup of their servers –But few employ more advanced backup options More businesses are implementing disaster recovery plans –But more testing of these plans is needed

22 Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009 Security Breach Incidents MaliciousAccidental

23 Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009 Security Breach Incidents 13% Have detected unauthorised outsiders within their network 9% Had fake (phishing) emails sent asking their customers for data 9% Had customers impersonated (eg after identity theft) 6% Have suffered a confidentiality breach In the 2008 survey, for Large Companies:

24 Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009

25 Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009

26 Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009

27 Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009

28 Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009 Breach Incident Types Viruses and other malicious software form the basis of fewer breaches in recent years Other malicious breaches remain significant issues –Directed or coordinated breaches e.g. DDOS, Stuxnet Accidental breaches are also a notable threat –For all types, larger companies have a greater exposure to breaches

29 Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009 Cost of Incidents Company size<50 staff >250 staff >500 staff Companies that had a security incident in the last year 45%72%96% Median number of incidents (mean) 6 (100) 15 (200) >400 (>1300) Average cost of worst incident in the year £10- 20k £90- 170k £1-2m

30 Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009 Summary of Current Issues (1) 10% Of web sites that accept payment details do not encrypt them 21% Spend less than 1% of their IT budget on security 35% Have no controls over staff use of Instant Messaging (discuss!) 48% Of disaster recovery plans have not been tested in the last year 52% Do not carry out any formal security risk assessment (gap in the market!) For UK companies in 2008:

31 Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009 Summary of Current Issues (2) 67% Do nothing to prevent confidential data leaving on USB sticks, etc 78% Of companies that had computers stolen did not encrypt the hard disks 79% Are not aware of the contents of BS 7799 / ISO 27001 and 27002 84% Of companies do not scan outgoing email for confidential data For UK companies in 2008 (continued):

32 Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009 Security Breach Incidents Summary Viruses and other malicious software are causing less incidents Other malicious incidents remain a significant threat Accidental incidents remain a significant threat There are a number of areas in which many companies need to improve their systems and policies

33 Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009 Corporate Governance - the InfoSec Perspective (1) Many businesses now have a high (or very high) reliance on information availability and security –For example e-commerce businesses must have a highly reliable web presence, with all of the information relating to their products readily available –Many businesses store sensitive information about their clients, such as credit card details – these must be kept securely

34 Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009 Corporate Governance - the InfoSec Perspective (2) The future of the business maybe at risk if appropriate measures are not taken to ensure information availability and security –For an e-commerce business, non-availability of the web site will be very costly, both immediately and in the medium term –Businesses have closed down as a result of loss of reputation

35 Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009 Corporate Governance - the InfoSec Perspective (3) There may also be a range of regulatory and legal InfoSec requirements, which the business must meet –Breach of these may lead to prosecution, as well as loss of reputation

36 Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009 Lecture Review Some infosec facts –Recent information security breach surveys Corporate Governance – The infosec perspective Lecture Review Lecture References

37 Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009 Lecture References Information Security Breaches Survey 2006, UK BERR, http://www.pwc.co.uk/eng/publications/berr_information_security_breaches_su rvey_2008.html 10 th Global Information Security Survey, Ernst & Young, 2007 http://www.ey.com/Global/assets.nsf/UK/GISS_2007/$file/GISS%202007%20 FINAL.pdf

Download ppt "Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009 Corporate Governance and Information Security (InfoSec)"

Similar presentations

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Information Security Management Goes Global.

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Information Security Management Goes Global.
Innovation or Necessity? ISM 158 By: Sepehr Saeb.

Innovation or Necessity? ISM 158 By: Sepehr Saeb.
Secure Systems Research Group - FAU Process Standards (and Process Improvement)

Secure Systems Research Group - FAU Process Standards (and Process Improvement)
AFM INTERNAL AUDIT NETWORK MEETING MUTUAL ONE GROVE PARK, LEICESTER Current ‘Hot Topics’ in Information Security Governance Auditing David Tattersall 03.

AFM INTERNAL AUDIT NETWORK MEETING MUTUAL ONE GROVE PARK, LEICESTER Current ‘Hot Topics’ in Information Security Governance Auditing David Tattersall 03.
Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 25 & 27 November 2013.

Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 25 & 27 November 2013.
SL21 Information Security Board Mission, Goals and Guiding Principles.

SL21 Information Security Board Mission, Goals and Guiding Principles.
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 © 2002 Carnegie.

Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
Data Ownership Responsibilities & Procedures

Data Ownership Responsibilities & Procedures
GLOBRIN Business Continuity Workshop TECHNOLOGY & INFORMATION 13 th November 2013 Graham Jack.

GLOBRIN Business Continuity Workshop TECHNOLOGY & INFORMATION 13 th November 2013 Graham Jack.
AUDIT COMMITTEE FORUM TM ACF Roundtable IT Governance – what does it mean to you as an audit committee member July 2010 The AUDIT COMMITTEE FORUM TM is.

AUDIT COMMITTEE FORUM TM ACF Roundtable IT Governance – what does it mean to you as an audit committee member July 2010 The AUDIT COMMITTEE FORUM TM is.
ISO Information Security Management

ISO Information Security Management
Information Security Policies Larry Conrad September 29, 2009.

Information Security Policies Larry Conrad September 29, 2009.
Security Controls – What Works

Security Controls – What Works
Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 18, 20 & 25 March 2015.

Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 18, 20 & 25 March 2015.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
© 2006 PCE Systems Ltd IT Systems Integrity Chris Nabavi BSc SMIEEE.

© 2006 PCE Systems Ltd IT Systems Integrity Chris Nabavi BSc SMIEEE.
Global Information Security Issues According to the E&Y Global Survey, Managers Say the Right Thing… –90% of 1400 companies surveyed in 66 countries say.

Global Information Security Issues According to the E&Y Global Survey, Managers Say the Right Thing… –90% of 1400 companies surveyed in 66 countries say.
Factors to be taken into account when designing ICT Security Policies

Factors to be taken into account when designing ICT Security Policies
Security Governance Technology Executive Club

Security Governance Technology Executive Club

Similar presentations

Ads by Google