
The Other Side of Information Security Wilco van Ginkel – Ubizen wilco.vanginkel@ubizen






Presentation Transcript


  1. The Other Side of Information Security
     Wilco van Ginkel – Ubizen
     wilco.vanginkel@ubizen.com

  2. Purpose of the keynote
     Give the audience the other side of Information Security in a nutshell
     Nutshell because of time constraints

  3. Agenda
     • Introduction
     • Business & Risk Assessment
     • Security Policies & Procedures
     • Security Standards
     • Security Awareness
     • Examples where Organisational meets Technical

  4. Introduction
     • The four fundamental questions
     • The components of a total security solution
     • Trend in the market
     • The Security Triangle
     • The Domains

  5. The Four Questions
     • Most organisations ask the question: ‘How should I protect?’
     • More important is to ask first:
       • Why should I need protection?
       • How difficult will it be to protect?
       • What and against who should I protect?
     • Then

  6. Components of a Security Solution
     (diagram) Technical and Organisational (20% / 80%): Assessment, Policies, Procedures, Legal, Awareness

  7. Trend
     • Security is considered more and more as part of the normal business process
     • We are not talking ‘Rocket Science’
     • Does this mean that technology is dead or something?
     • Most organisations don’t know how to do it…

  8. Security Triangle
     (diagram) Assessment & Policies / Security Awareness / Cryptography

  9. The Domains
     (diagram: Business Requirements and Security Requirements mapped onto the domains)
     • Domains:
       • 1. I.T.
       • 2. Physical
       • 3. Environmental
       • 4. Human
       • 5. Organizational
       • 6. Administrative
       • 7. Legal

  10. The first step
     • ‘Meet the parents’
     • Because:
       • They decide about security
       • They should back up and support security
       • They have authority
       • They are responsible…
     • How:
       • Perform Business & Risk Assessment

  11. Business Assessment - 1
     • Why should I need protection?
       • Discuss the stakes
       • Discuss the different types of information
       • Discuss the Security Requirements (CIAR)
       • Discuss strategic questions, like:
         • Replacement value of IT
         • Targets
         • Is IT just support or strategic for the organisation?
         • …

  12. Business Assessment - 2
     • How difficult will it be to protect?
       • Evaluate the constraints, like:
         • Financial
         • Internal knowledge
         • Dependency on partners
         • Calendar
         • …

  13. Risk Assessment - 1
     • Against what and who should I protect?
       • Perform Risk Assessment
     • Be aware of terminology:
       • Risk Identification (RI)
       • Risk Assessment (RASS = RI + ‘value’)
       • Risk Management (RM = how should we protect)
       • Risk Analysis (RASS + RM)

  14. Risk Assessment - 2
     • Some attention points:
       • Different Risk Assessment/Analysis methodologies
       • Sometimes difficult to determine the ‘value’
       • Make sure that you have the right people, meaning:
         • Who know the business processes
         • Who have authority to decide

  15. Security Policies
     • First things first: the CSP
       • Formalisation of the Security Strategy and objectives
       • High Level

  16. Security Policies - 2
     • System Security Policies:
       • General description of the Information System
       • Security around the Information System
       • Security on the Information System
       • Technical security settings (OS, database, application)
     • Other important policies are, for example:
       • Asset Classification
       • Malicious Software Policy
       • …

  17. Security Policies - 3
     • Make sure that:
       • The policy is supported by the System Owner
       • You avoid the ‘Ivory Tower Syndrome’
       • The policy is clearly communicated
       • The policy is useful and pragmatic

  18. Security Procedures
     • Who is doing what, why and when?
     • Important procedures are, for example:
       • Boarding Process
       • Incident & Escalation
       • Back-up/Recovery
       • Change & Configuration Management
       • …

  19. Security Standards - 1
     • Are we on our own?
     • No, there are standards out there
       • A set of best practices
       • Can be a good starting point and prevents re-inventing the wheel
     • However, be careful not to implement a security standard blindly…

  20. Security Standards - 2
     • Some well-known examples are:
       • BS/7799 part 1 + 2 (ISO/7799-1)
       • Cobit-3
       • ITIL
       • ISO-13335
       • Common Criteria (ISO-15408)
       • NIST
       • IETF
       • …
     • Certification could be interesting

  21. Security Awareness
     • The most critical success factor of Information Security
     • Mind set
     • Awareness should be at any level in the organisation
     • Relation with psychology…

  22. Organisational meets technical - 1
     • Example:
       • CSP → Accountability principle
       • Authentication Policy → strong authentication
       • Counter measure → Tokens

  23. Organisational meets technical - 2
     • Example:
       • CSP → Information across untrusted networks should be protected
       • Cryptography Policy → Symmetric Encryption at least 128 bits, preferred choice 3-DES
       • Counter Measure → Hardware Encryptors
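The chain on this slide (CSP requirement → cryptography policy → counter measure), as an added example in Go that is not part of the keynote or of Ubizen's material. It shows what the policy line looks like once it is turned into a technical control: a key-length check that refuses any symmetric key below the 128-bit minimum before the cipher is ever used, and the protection of a message for transit over an untrusted network. Assumptions: the cipher is AES-GCM rather than the slide's preferred 3-DES (AES-GCM is in Go's standard library and satisfies the same 128-bit minimum while also giving an integrity tag), the key length of 256 bits, and the message text, which is constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// PolicyMinSymmetricKeyBits is the minimum from the slide's cryptography
// policy ("symmetric encryption at least 128 bits").
const PolicyMinSymmetricKeyBits = 128

// CheckSymmetricKeyPolicy is the technical counterpart of the policy line:
// it refuses any key shorter than the policy minimum before it is used.
func CheckSymmetricKeyPolicy(key []byte) error {
	bits := len(key) * 8
	if bits < PolicyMinSymmetricKeyBits {
		return fmt.Errorf("key is %d bits, policy requires at least %d", bits, PolicyMinSymmetricKeyBits)
	}
	return nil
}

// Seal protects a message for transit over an untrusted network with
// AES-GCM (confidentiality plus an integrity tag). Output is nonce || ciphertext.
func Seal(key, plaintext []byte) ([]byte, error) {
	if err := CheckSymmetricKeyPolicy(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key) // accepts 16-, 24- or 32-byte keys
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. A message altered in transit fails the GCM tag check
// and is rejected rather than silently decrypted to garbage.
func Open(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message too short to contain a nonce")
	}
	nonce, ciphertext := msg[:gcm.NonceSize()], msg[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// EncryptionScenario runs the policy-to-countermeasure chain on a constructed
// message and reports three outcomes: a compliant key round-trips, a message
// modified on the wire is rejected, and a sub-policy (64-bit) key is refused.
func EncryptionScenario() (roundTripOK, tamperRejected, shortKeyRejected bool, err error) {
	key := make([]byte, 32) // 256-bit key: above the 128-bit policy minimum
	if _, err = io.ReadFull(rand.Reader, key); err != nil {
		return
	}
	msg := []byte("constructed sample: transfer 100 EUR to account 42")

	sealed, err := Seal(key, msg)
	if err != nil {
		return
	}
	opened, err := Open(key, sealed)
	if err != nil {
		return
	}
	roundTripOK = string(opened) == string(msg)

	// Simulate modification on the untrusted network: flip one bit of the output.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, tamperErr := Open(key, tampered)
	tamperRejected = tamperErr != nil

	// A 64-bit key violates the policy and must never reach the cipher.
	_, shortErr := Seal(make([]byte, 8), msg)
	shortKeyRejected = shortErr != nil
	return
}

func main() {
	ok, tamper, short, err := EncryptionScenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("round-trip ok: %v, tampering rejected: %v, short key refused: %v\n", ok, tamper, short)
}
```

The policy check sits in front of the cipher on purpose: a hardware encryptor or a library will happily accept whatever key it is handed, so the place where the organisational rule becomes enforceable is the code path that loads the key. The same check belongs wherever keys are provisioned, not only at encryption time.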

  24. Organisational meets technical - 3
     • Example:
       • Within the business process ‘Electronic Transactions’, there is a high security requirement for Integrity and Non-repudiation
       • Defined risks are:
         • Unauthorised change of the transaction
         • Denial of sending the transaction
       • Counter measure: Digital signatures
       • Crypto Policy: use RSA with a minimum key length of 1024 bits
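The two defined risks on this slide, worked through as an added example in Go that is not part of the keynote or of Ubizen's material. It turns the crypto policy into a check on the RSA modulus length and then shows how a digital signature answers each risk: a transaction changed after signing no longer verifies (integrity), and a signature made under any other key does not verify under the sender's public key, so only the holder of the sender's private key could have produced it (non-repudiation, given proper custody of that key). Assumptions: RSA-PSS over a SHA-256 digest (the slide names only RSA), 2048-bit keys generated on the fly (the check enforces the slide's 1024-bit minimum), and transaction texts that are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// PolicyMinRSABits is the minimum from the slide's crypto policy
// ("Use RSA, minimum key length 1024 bits").
const PolicyMinRSABits = 1024

// CheckRSAKeyPolicy refuses a public key whose modulus is shorter than
// the policy minimum, whether it was generated here or loaded from a file.
func CheckRSAKeyPolicy(pub *rsa.PublicKey) error {
	if bits := pub.N.BitLen(); bits < PolicyMinRSABits {
		return fmt.Errorf("RSA modulus is %d bits, policy requires at least %d", bits, PolicyMinRSABits)
	}
	return nil
}

// SignTransaction hashes the transaction with SHA-256 and signs the digest
// with RSA-PSS. The signing key is checked against the policy first.
func SignTransaction(priv *rsa.PrivateKey, tx []byte) ([]byte, error) {
	if err := CheckRSAKeyPolicy(&priv.PublicKey); err != nil {
		return nil, err
	}
	digest := sha256.Sum256(tx)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// VerifyTransaction reports whether sig is a valid signature over tx under pub.
// A key below the policy minimum is treated as untrusted, so it never verifies.
func VerifyTransaction(pub *rsa.PublicKey, tx, sig []byte) bool {
	if err := CheckRSAKeyPolicy(pub); err != nil {
		return false
	}
	digest := sha256.Sum256(tx)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// SignatureScenario exercises the two risks from the slide on constructed
// transactions: the genuine transaction is accepted, a changed transaction
// is rejected, and a signature from some other key is rejected.
func SignatureScenario() (genuineAccepted, tamperedRejected, otherSignerRejected bool, err error) {
	sender, err := rsa.GenerateKey(rand.Reader, 2048) // above the 1024-bit minimum
	if err != nil {
		return
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048) // some other party's key
	if err != nil {
		return
	}

	tx := []byte("constructed sample: pay 500 EUR to supplier 7, ref 2024-0001")
	sig, err := SignTransaction(sender, tx)
	if err != nil {
		return
	}
	genuineAccepted = VerifyTransaction(&sender.PublicKey, tx, sig)

	// Risk 1: unauthorised change of the transaction (amount altered after signing).
	tampered := []byte("constructed sample: pay 5000 EUR to supplier 7, ref 2024-0001")
	tamperedRejected = !VerifyTransaction(&sender.PublicKey, tampered, sig)

	// Risk 2: denial of sending. A signature made with any other private key
	// fails under the sender's public key, so a verifying signature ties the
	// transaction to the sender's key and nobody else's.
	otherSig, err := SignTransaction(other, tx)
	if err != nil {
		return
	}
	otherSignerRejected = !VerifyTransaction(&sender.PublicKey, tx, otherSig)
	return
}

func main() {
	genuine, tampered, other, err := SignatureScenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("genuine accepted: %v, tampered rejected: %v, other signer rejected: %v\n",
		genuine, tampered, other)
}
```

Non-repudiation in practice rests on more than the mathematics shown here: the sender's public key must be bound to the sender's identity (a certificate or a registration procedure from the organisational side) and the private key must stay under the sender's sole control, which is where the authentication policy and tokens of slide 22 come back in.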

  25. Useful links
     • www.isaca.org
     • www.bsi-global.com
     • www.nist.gov
     • www.ietf.org
     • www.iso.org
     • www.cse-cst.gc.ca
     • www.bsi.de
     • www.cenorm.be/isss
     • www.cesg.gov.uk
     • www.sse-cmm.org

  26. Reading stuff to fill long winter nights…
     • ISO TR13335: General Management of IT Security
     • ISO 15408: Common Criteria for evaluation and certification of IT security
     • Baseline Protection Manual (BSI.DE)
     • BS7799: Code of practice for Information Security Management (two parts)
     • CobiT: Governance, Control and Audit for Information and Related Technology (ISACA)
     • SSE-CMM: System Security Engineering - Capability Maturity Model

  27. Questions, Discussions, …
