Learn about the importance of information security as a process, the role of an ISMS, and the standards organizations can aspire towards. Discover how an ISMS can help manage information security effectively and the key stages in developing an ISMS.
COMP3371 Cyber Security, Richard Henson, University of Worcester, February 2018
Week 2: Developing an Information Security Management System (ISMS) • Objectives: • Explain why security is a process, and not just something that can be “bought” • Explain the term ISMS and how it relates to information security policy • Explain the standards an organisation can aspire towards as it develops security controls and its ISMS
Why do Organisations find Cyber Security difficult? • Each organisation is different • each has its own unique way of handling information! • Can’t just copy each other… • even with “off the shelf” software, each organisation may well use it in its own way • At least one employee needs to be given responsibility & training before they can start…
Why can’t they just outsource the whole thing? • Last week’s management misconception: • data has no value • This week’s: • security is a process, not a “thing” that can be bought or handed over • US gov realised many years ago that security can’t simply be “done” and ticked off… • Problem: took them a long time to admit that!
How can an ISMS help? • ISMS = system for managing information security in an organisation • should be in place for all organisations • Many still see information/cyber security as something they can just spend a little money on now and then • annual budget needed to run a system!
Developing an ISMS • Stage 1: senior management accepts responsibility • that means accepting they need an information security policy • Next stage is to write the policy! • then to implement policy successfully, a system needs to be in place
Information Assurance (IA) • A term introduced by the US government to acknowledge that 100% information security was no longer possible… • IA is strategic… • Policy and set of organisational processes to effectively manage information security • ISMS is largely operational • putting policies into practice and checking the practice
An ISMS that is “fit for purpose” • Organisation needs to know… • [or acknowledge through the work of an analyst] • all aspects of how data is managed • Requires an understanding of processes and associated data • can then identify data flows, storage, etc… • risk assessment essential (importance of each…) • determine how much effort is needed to protect each of the data flows, data stores, etc. …
International Standard for IA and ISMS (ISO 27001) • Developed in the UK as BS7799 • before the millennium (!) • Became international in 2005 (BS7799 Part 2, the certifiable ISMS specification, became ISO/IEC 27001) • revised in 2013 • regarded as the “gold standard” • 80% of certificates held in Japan (!)
Information Assurance Standards and Certification • ISO27001 (2013 edition) lists 114 controls in Annex A • every control is assumed to apply unless its exclusion is explicitly stated and justified in the Statement of Applicability • risk assessment needed… no point spending money on controls where they are not needed, but every exemption has to be justified… • Other information assurance standards have been developed to encourage appropriate ISMS development and use
PCI DSS: Approach to Security Controls; less focus on ISMS • Standard devised by the card brands (Visa, Mastercard, etc.) through the PCI Security Standards Council, and enforced through the acquiring banks • https://www.pcisecuritystandards.org/ • Guidelines for a number of years… • Now with v3 a sting in the tail for the SME • heavy fines possible (levied by the card brands via the acquirer) • can be refused merchant facilities… • Will affect small businesses WORLDWIDE that take card payments online directly from consumers
Requirements for PCI DSS compliance? (1) • 12 requirements (11 technical, 1 policy) • Install and maintain a firewall configuration to protect cardholder data • Do not use vendor-supplied defaults for system passwords and other security parameters • Protect stored cardholder data • Encrypt transmission of cardholder data across open, public networks • Use and regularly update anti-virus software or programs
What is needed for PCI DSS compliance? (2) • Develop and maintain secure systems and applications • Restrict access to cardholder data by business need-to-know • Assign a unique ID to each person with computer access • Track and monitor all access to network resources and cardholder data • Regularly test security systems and processes • Maintain a policy that addresses information security for employees and contractors
PCI DSS issues • Is it realistic? • Is it essential? • How can it be policed? • Discussion in groups…
IASME • Standard developed for UK SMEs • same basic principles as ISO27001 • emphasis on risk assessment to reduce controls actually needed • requires some scrutiny of an organisation’s processes • more streamlined than ISO27001 • more relevant to SMEs • number of templates available to help with policy and procedure development
IASME & Cyber Essentials • IASME potentially uses 100+ controls… • designed to be more SME friendly • BUT.. ISMS development tricky for SMEs… • GCHQ (through CESG, now NCSC) introduced Cyber Essentials in 2014 • now a minimum for certain government contracts • useful starting point! • BUT requires only 5 controls, all essentially technical: boundary firewalls, secure configuration, user access control, malware protection and patch management • no formal requirement for an IS policy • some documented process expected… • encourages thinking about policy, procedures, ISMS
Reality of Information Security Policy? • Colleagues conducted a study (2009): • https://staffweb.worc.ac.uk/hensonr/Information%20Assurance%20Market%20Research%20v3JAAB.ppt • only about 60% of businesses had a policy, i.e. roughly 40% had none • consistent with a government-funded survey the previous year • BIG PROBLEM!
What is Policy? • A series of statements… what the organisation would like to do, and aspires to do • not effective until implemented! • What would an organisation like to do about security... Over to you!
Policy and System! • Where to start • What others have done? • What advisers advise? • Use a template and change the name? • Writing policy is easy… • writing a policy capable of implementation is the difficult bit!
Policy and the SME (like Ticketmania or FixDomestic): • Why do they need an information security policy? • Who would write it? • Who would approve it? • Over to you… • Remember, it needs to be capable of implementation!
Policy and Technology • Policy implementation is always a headache for organisations • requires employee training • may cause employee unrest • Technologies can be used to enforce policies • degree of success depends on: • communication of policies (and WHY!) • understanding of the technologies
Creating a Policy • Same principles apply as with ANY change in organisational policy • MUST come from the top!!! • Possible implementation issues also need to be: • identified • communicated to employees • Problem: Senior Management generally don’t understand IT… • unlikely to want to stand in front of employees and discuss… wheel an “expert” in?
Information Security Policy matters • Threats… • who will quantify them? • Head of IT? (or outsourcer) • External Consultant? • both? • Who will suggest strategies to mitigate those threats? • as above? • Who will make the policies? • Senior Management • (with guidance…)
Managing Information Security as a Process • First step… • identify all systems that carry information and decide what controls are in place to protect them • test those controls for potential security breaches • identify what has been forgotten • secure as appropriate through further controls • Next step: • once secure, develop a strategy to MANAGE this process over time... • implement that strategy
Information Security Strategy: Where to start? • Can’t START with technology • need to start with ISSUES that need addressing • policy to address them should follow • Should be primarily “top down” • concerned with policies, not technical matters… • can be supplemented by a “bottom up” approach
IT Manager, and Implementation • Needs to be able to do it right… • likely to need a big budget! • Big responsibility on the IT manager to convince senior management: • that the policy (change) really is necessary! • that the organisation won’t suffer financially • the consequences of NOT changing
Going beyond Creating a Policy… • According to the latest figures, many businesses now say they DO have an information security policy • big questions… is it implemented??? will it be? by when? • One possible approach… • implement through getting certified against ISO27001, PCI DSS, IASME or another information assurance standard
Information Security Management • Oversee implementation of policy • will be never ending! • Can’t begin to evolve into an ISMS until policy has been agreed and signed off…
Policy… making a start(1) • Produce a draft… • what is needed • Think how that could be put into action… • set of agreed procedures to protect data • accept that administering them is an organisational level matter • acknowledge the iterative nature of checking implementation & agree a rate of iteration (e.g. yearly) • Now have the makings of policy with ISMS • first stage towards ISO27001 (if they wish?)
Making a start(2) • Appoint someone with institutional responsibility • in control of the policy-making, and evolution • Role should NOT be outsourced! • need to provide advice, expertise, implement procedures • need realistic budget that takes into account the resource and human cost…
GDPR and Organisational Responsibility • Some of the changes from the DPA (Data Protection Act 1998) when GDPR was announced • https://staffweb.worc.ac.uk/hensonr/GDPAfactsopinions.pdf • Quote: “An in-house Data Protection Officer (DPO) role for organisations that require regular and systematic monitoring of peoples’ personal data on a large scale”
Role of DPO • Needed under GDPR (Article 37) if the organisation is a public authority, or if its • “core activities” consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;” • or consist of processing on a large scale of “special categories of data” or “data relating to criminal convictions and offences.” • Estimation: an additional 28000 DPOs will be needed across the EU to cover this (!) https://iapp.org/news/a/study-at-least-28000-dpos-needed-to-meet-gdpr-requirements/
The Costs of securing data • Hardware/software cost • fixed and easily determined • Human resource cost • cost of the Information Security supremo • cost to the organisation of using staff to implement and enforce data security procedures • more difficult to quantify • cost of testing employees’ knowledge and retraining them
Costs of Securing Data • Isolated LAN, with no internet connectivity • no need to worry about data in and out via the Internet • less stringent procedures may be needed/enforced • but employees could still mess up or steal data, and removable media (USB sticks, laptops) can still carry data across the air gap, so controls are still needed • LAN connected to the Internet: • “secret” data? highly rigorous procedures, implemented frequently – very expensive • no real secrets (political or commercial)? more infrequent cycle, less exhaustive procedures • much cheaper…
The Costs of Data Breach? • Groups again…
The Costs of Data Breach • People not able to work… • Organisation not able to communicate effectively with customers… • Embarrassment of reporting in the media • loss of reputation • Fines, etc., by FCA or ICO (under GDPR up to €20m or 4% of global annual turnover, whichever is higher) • Fall in stock market price • Increase in insurance premiums • Not getting future contracts…
Information Security Procedures • In groups, discuss: • possible procedures the organisation could set up… • how expensive such procedures might be to implement… • how “realistic” procedures could be laid out in a policy…
Writing that Policy (1) • Written as a “Management Report” e.g. • http://www.computerweekly.com/answer/Information-security-policy-template-and-tips • Should be agreed by the SMT (senior management team) and reflect: • their objectives for security of information • top-down… • strategy for achieving those objectives • requires liaison to find out what is feasible
Writing… (2) • Why not just buy a “security-policy-in-a-box”? SMT won’t have the time to read and understand it! • needs to be explained in detail by a security professional • once understood… • needs to be formally agreed upon by SMT
Writing… (3) • Even if it WERE possible for management to endorse an off-the-shelf policy… • it is not the right approach, as it does nothing to teach management how to think about security! • their organisation is unique!
Writing… (4) • First step should be to find out how management views security • security policy… set of management mandates • “top-down” only provides requirements for the security professional to obey… • too restricting without liaison first… (needs some “bottom-up” input)
Writing (5) • As a result of discussion with SMT… • Develop top-level IS policy • Includes all topics for policy, but does not break them down into the sort of detail needed for implementation • Example of a top-level policy (LSE’s PCI DSS information security policy): http://www.lse.ac.uk/intranet/LSEServices/IMT/about/policies/documents/PCI-DSS-Information-Security-Policy.pdf
Writing (6): What to include… • What are your security objectives, and how do you measure them? • What types of information do you handle, and how do the different types of information need to be protected? • How do you assess risks and select security controls?
What to include… cont • How do you manage and report incidents, and learn from them? • Who is responsible for security? • What is acceptable employee use for Internet, email and other communication channels?
Writing (7) • To implement a top-level policy… • need to liaise with relevant staff and create operational policy • e.g. acceptable passwords • e.g. acceptable use of email • Operational policies can be shared with employees during a training session… • not just an email with a link… (!)
How achieving an Information Assurance “badge” could help with implementing policy… • Whatever the business: • any new work will have a cost • that cost needs to be quantified • More cost means less profit… • what is the ROI of achieving a high level of information security? • badge can be used to impress (potential) customers
Potential Financial Benefits of Information Assurance? • Need to be sold to senior mgt… • less risk of losing valuable (even strategically important…) data • less likely to get embarrassing leaks, which could even get to the media (!) • less likely to fall foul of the law (!) • Evidence from an ever growing set of examples of businesses that suffered a breach and then lost customers AND saw their share price drop…