260 likes | 378 Views
The Other Side of Information Security Nader Elkhuzundar 120080130. Purpose of the keynote. Give the audience the other side of Information Security in a nutshell Nutshell because of time constraints. Agenda. Introduction Business & Risk Assessment Security Policies & Procedures
E N D
The Other Side of Information Security Nader Elkhuzundar 120080130
Purpose of the keynote Give the audience the other side of Information Security in a nutshell Nutshell because of time constraints
Agenda • Introduction • Business & Risk Assessment • Security Policies & Procedures • Security Standards • Security Awareness • Examples where Organisational meets Technical
Introduction • The four fundamental questions • The components of a total security solution • Trend in the market • The Security Triangle • The Domains
The Four Questions • Most organisations ask the question: ‘How should I protect’ More important is to ask first: • Why should I need protection? • How difficult will it be to protect? • What and against who should I protect? • Then
Components Security Solution Assessment Policies Technical Organisational Procedures Legal Awareness 20% 80%
Trend • Security is considered more and more as part of the normal business process • We are not talking ‘Rocket Science’ • Does this mean that technology is dead or something? • Most organisations don’t know how to do it…
Security Triangle Assessment & Policies Security Awareness Cryptography
Business Security 2 1 6 4 Requirements Requirements The Domains • Domains: • 1. I.T. • 2. Physical • 3. Environmental • 4. Human • 5. Organizational • 6. Administrative • 7. Legal 7 3 5
The first step • ‘Meet the parents’ • Because: • They decide about security • They should backup and support security • They have authority • They are responsible… • How: • Perform Business & Risk Assessment
Business Assessment - 1 • Why should I need protection: • Discuss the stakes • Discuss the different types of information • Discuss the Security Requirements (CIAR) • Discuss strategic questions, like: • Replacement value of IT • Targets • Is IT just support or strategic for the organisation • …
Business Assessment - 2 • How difficult will it be to protect? • Evaluate the constraints, like • Financial • Internal knowledge • Dependency on partners • Calendar • …
Risk Assessment - 1 • Against what and who should I protect? • Perform Risk Assessment • Be aware of terminology: • Risk Identification (RI) • Risk Assessment (RASS = RI + ‘value’) • Risk Management (RM = How should we protect) • Risk Analysis (RASS + RM)
Risk Assessment - 2 • Some attention points: • Different Risk Assessment/Analysis methodologies • Sometimes difficult to determine the ‘value’ • Make sure that you’ve the right people, meaning: • Who know the business processes • Who have authority to decide
Security Policies • First things first: the CSP • Formalisation of the Security Strategy and objectives • High Level
Security Policies - 2 • System Security Policies: • General description of the Information System • Security around the Information System • Security on the Information System • Technical security settings (OS, database, application) • Other important policies are, for example: • Asset Classification • Malicious Software Policy • …
Security Policies – 3 • Make sure that: • The policy is supported by the System Owner • You avoid the ‘Ivory Tower Syndrome’ • The policy is clearly communicated • The policy is useful and pragmatic
Security Procedures • Who is doing what, why and when? • Important procedures are, for example: • Boarding Process • Incident & Escalation • Back-up/Recovery • Change & Configuration Management • …
Security Standards - 1 • Are we on our own? • No, there are standards out there • A set of best practices • Can be a good starting point and prevents to re-invent the wheel • However, be careful not to implement a security standard blindly…
Security Standards - 2 • Some well-known examples are: • BS/7799 part 1 + 2 (ISO/7799-1) • Cobit-3 • ITIL • ISO-13335 • Common Criteria (ISO-15408) • NIST • IETF • … • Interesting could be certification
Security Awareness • The most critical success factor of Information Security • Mind set • Awareness should be at any level in the organisation • Relation with psychology…
Organisational meets technical - 1 • Example: • CSP Accountability principle • Authentication Policy strong authentication • Counter measure Tokens
Organisational meets technical - 2 • Example: • CSP Information across untrusted networks should be protected • Cryptography Policy Symmetric Encryption at least 128 bits, preferred choice 3-DES • Counter Measure Hardware Encryptors
Organisational meets technical - 3 • Example: • Within the business process ‘Electronic Transactions’, there is a high security requirement for Integrity and Non-repudiation • Defined risks are: • Unauthorised change of the transaction • Denial of sending the transaction • Digital signatures • Crypto Policy: Use RSA, minimum key length at least 1024 bits
Useful links • www.isaca.org • www.bsi-global.com • www.nist.gov • www.ietf.org • www.iso.org • www.cse-cst.gc.ca • www.bsi.de • www.cenorm.be/isss • www.cesg.gov.uk • www.sse-cmm.org
Reading stuff to fill long winter nights… • ISO TR13335 General Management of IT Security • ISO 15408 Common Criteria for evaluation and certification of IT security • Baseline Protection Manual (BSI.DE) • BS7799: Code of practice for Information Security Management (two parts) • CobiT: Governance, Control and Audit for Information and Related Technology (ISACA) • SSE-CMM: System Security Engineering - Capability Maturity Model