COMP3371 Cyber Security
Richard Henson, University of Worcester, February 2017
Week 2: Developing an Information Security Management System (ISMS)
• Objectives:
  • Explain why security is a process, and not just something that can be “bought”
  • Explain the term ISMS and how it relates to information security policy
  • Explain the standards an organisation can aspire towards as it develops controls and an ISMS
What is an Information Security Management System (ISMS)?
• A system for managing information security in an organisation
• many organisations still don’t treat information security seriously…
  • still see security as something they can spend a little money on now and then
Developing an ISMS
• Each organisation is different! No template “one size fits all” ISMS is therefore possible
• one reason for an IS policy is that it will ensure that a system is in place
Information Assurance
• A set of organisational processes to manage information security
  • require some kind of ISMS to ensure that they are not neglected
• different information assurance standards have been developed to encourage appropriate ISMS development and use
An ISMS that is “fit for purpose”
• Organisation needs to know (or acknowledge through the work of an analyst) all aspects of how data is managed
  • requires an understanding of processes and associated data
  • can then identify data flows, etc…
• Risk assessment required to determine where controls on data flows are needed
  • unless explicitly stated, ISO27001 assumes all controls needed
  • no point spending money on controls where they are not needed, but exemptions need justifying…
PCI DSS: Approach to Security Controls; less focus on ISMS
• System devised by Credit Card Companies (i.e. banks…)
  • https://www.pcisecuritystandards.org/
• Guidelines for a number of years…
• Now with v3 a sting in the tail for the SME
  • heavy fines possible
  • can be refused business merchant facilities…
• Will affect small businesses WORLDWIDE selling online directly to consumers
Requirements for PCI DSS compliance? (1)
• 12 controls (11 Technical)
  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
  • Use and regularly update anti-virus software or programs
What is needed for PCI DSS compliance? (2)
  • Develop and maintain secure systems and applications
  • Restrict access to cardholder data by business need-to-know
  • Assign a unique ID to each person with computer access
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
  • Maintain a policy that addresses information security for employees and contractors
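The requirement headings above read as a checklist, but several of the technical ones can be turned into mechanical checks over an asset inventory, which is how an organisation finds out which systems it actually needs to spend money on. The following is an added example written for these notes, not code from the lecture or from the PCI Security Standards Council: the `System` fields, the constructed inventory of a small retailer, and the mapping from fields to requirement headings are all assumptions for illustration.

```python
# Added example, not from the lecture slides: mechanical checks for the
# technical PCI DSS requirements listed above, run over a constructed
# inventory of systems. The System fields, the inventory contents and the
# mapping from fields to requirement headings are assumptions for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str
    handles_card_data: bool   # in scope: stores, processes or transmits cardholder data
    firewall_configured: bool
    vendor_defaults_changed: bool
    stored_data_encrypted: bool
    transport: str            # "tls" (encrypted) or "plain"
    antivirus_current: bool
    shared_accounts: int      # logins used by more than one person
    access_logged: bool


# Requirement headings as phrased on the slides, keyed by a short label,
# each paired with the predicate that must hold for the system to pass.
CHECKS = [
    ("firewall",   "Install and maintain a firewall configuration",
     lambda s: s.firewall_configured),
    ("defaults",   "Do not use vendor-supplied defaults",
     lambda s: s.vendor_defaults_changed),
    ("stored",     "Protect stored cardholder data",
     lambda s: s.stored_data_encrypted),
    ("transit",    "Encrypt transmission across open, public networks",
     lambda s: s.transport == "tls"),
    ("antivirus",  "Use and regularly update anti-virus software",
     lambda s: s.antivirus_current),
    ("unique-id",  "Assign a unique ID to each person with computer access",
     lambda s: s.shared_accounts == 0),
    ("monitoring", "Track and monitor all access to cardholder data",
     lambda s: s.access_logged),
]


def failed_checks(system: System) -> list[str]:
    """Return the labels of the requirements this system fails.

    Systems outside the cardholder data environment are out of scope and
    fail nothing; shrinking that scope is itself a common way to cut cost.
    """
    if not system.handles_card_data:
        return []
    return [label for label, _, ok in CHECKS if not ok(system)]


def compliance_report(inventory: list[System]) -> dict[str, list[str]]:
    """Map each in-scope system name to its list of failed requirement labels."""
    return {s.name: failed_checks(s) for s in inventory if s.handles_card_data}


def is_compliant(inventory: list[System]) -> bool:
    """True only when no in-scope system fails any check."""
    return all(not fails for fails in compliance_report(inventory).values())


# Constructed inventory for a small online retailer (sample data only).
CONSTRUCTED_INVENTORY = [
    System("payment-gateway", True, True, True, True, "tls", True, 0, True),
    System("shop-pos-01", True, True, False, True, "plain", False, 2, False),
    System("hr-fileserver", False, True, False, False, "plain", True, 1, False),
]

if __name__ == "__main__":
    for name, fails in compliance_report(CONSTRUCTED_INVENTORY).items():
        print(name, "OK" if not fails else "FAILS " + ", ".join(fails))
```

Running it on the constructed inventory reports the payment gateway as clean and the point-of-sale terminal as failing five of the seven checks, while the HR file server is ignored because it never touches cardholder data. The remaining requirements on the slides (secure development, need-to-know, regular testing, and the policy itself) are organisational and cannot be reduced to a field check in this way.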
PCI DSS issues
• Is it realistic?
• Is it essential?
• How can it be policed?
• Discussion in groups…
ISO27001
• ISO27001 standard (“gold standard”) developed from a British standard, BS7799
  • lists over 100 possible controls
  • but good risk assessment can reduce the number actually used
• how many are actually needed?
  • depends on an organisation’s processes
• for each control not used
  • non-use needs to be justified…
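The two slides above describe the same mechanism from two sides: a risk assessment decides which controls the organisation actually needs, and every control from the catalogue that is left out must carry a written justification. The following added example, written for these notes and not taken from the lecture or from the ISO27001 standard, shows that mechanism end to end with a likelihood-times-impact score. The control catalogue (placeholder identifiers `C-01` to `C-06`), the risk register, the justifications and the scoring threshold are all constructed for illustration and do not reproduce the real ISO27001 control list.

```python
# Added example, not from the lecture slides: a scored risk assessment that
# selects controls from a catalogue, then checks that every control left out
# carries a written justification (the "justify non-use" rule on the slide).
# Catalogue, risk register, justifications and threshold are constructed for
# illustration and are not the real ISO27001 control list.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int                   # 1 (rare) .. 5 (almost certain)
    impact: int                       # 1 (negligible) .. 5 (severe)
    mitigating_controls: tuple[str, ...]

    def score(self) -> int:
        """Simple likelihood x impact score used to rank risks."""
        return self.likelihood * self.impact


# Constructed mini-catalogue with placeholder identifiers.
CATALOGUE = {
    "C-01": "Information security policy signed off by management",
    "C-02": "Supplier security agreements",
    "C-03": "Input validation on customer-facing applications",
    "C-04": "Database access restricted by role",
    "C-05": "Full-disk encryption on portable devices",
    "C-06": "Physical access control to server room",
}


def controls_needed(risks, catalogue, threshold=10):
    """Select every catalogue control that mitigates a risk scoring >= threshold."""
    needed = set()
    for risk in risks:
        if risk.score() >= threshold:
            needed.update(c for c in risk.mitigating_controls if c in catalogue)
    return needed


def statement_of_applicability(catalogue, needed, justifications):
    """Build {control: (status, justification)} and list unjustified exclusions.

    A control is "applicable" if the risk assessment selected it; otherwise it
    is "excluded" and must have a non-empty justification, or it is reported.
    """
    soa = {}
    unjustified = []
    for control in catalogue:
        if control in needed:
            soa[control] = ("applicable", "")
            continue
        why = justifications.get(control, "").strip()
        soa[control] = ("excluded", why)
        if not why:
            unjustified.append(control)
    return soa, unjustified


# Constructed risk register for a small retailer (sample data only).
CONSTRUCTED_RISKS = [
    Risk("customer database", "injection via web shop", 4, 5, ("C-03", "C-04")),
    Risk("sales laptops", "theft while travelling", 3, 4, ("C-05",)),
    Risk("office printer", "paper record left in tray", 2, 2, ("C-06",)),
]

# Constructed justifications; C-06 is deliberately missing to show the check.
CONSTRUCTED_JUSTIFICATIONS = {
    "C-01": "Handled in the governance workstream; see policy sign-off record",
    "C-02": "No third-party processors handle customer data",
}

if __name__ == "__main__":
    needed = controls_needed(CONSTRUCTED_RISKS, CATALOGUE)
    soa, unjustified = statement_of_applicability(CATALOGUE, needed, CONSTRUCTED_JUSTIFICATIONS)
    for control, (status, why) in soa.items():
        print(control, status, why)
    print("Exclusions still needing justification:", unjustified)
```

With the constructed register, the injection and laptop-theft risks clear the threshold of 10 and pull in `C-03`, `C-04` and `C-05`; the printer risk scores 4 and does not. Of the three excluded controls, `C-06` has no justification and is flagged, which is exactly the gap an auditor would ask about. Lowering the threshold to 4 would bring `C-06` into scope instead, which is the trade-off the slide describes between spending on controls and justifying exemptions.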
IASME & Cyber Essentials
• IASME uses principles of ISMS and, like ISO27001, uses 100+ controls…
  • designed to be more SME friendly
  • ISMS development tricky for SMEs…
• Cyber Essentials requires only 5 controls… all essentially technical
  • Cyber Essentials now a minimum for government contracts
  • useful starting point? No IS policy! Some documented process expected
Policy and System!
• Policy is a series of statements… what the organisation would like to do, and aspires to do
  • will only be an aspiration until implementation
• writing policy easy…
  • writing policy capable of implementation more difficult!
How would you set up an Information Security policy?
• Who would write it?
  • who would approve it?
• Discussion again in groups
  • could you “outsource”?
  • If done internally, who would be involved in implementation?
Managing Information Security as a Process
• First step…
  • identify all systems that carry information and decide what controls are in place to protect them
  • test those controls for potential security breaches
  • identify what has been forgotten
  • secure as appropriate through further controls
• Next step:
  • once secure, develop a strategy to MANAGE this process over time...
  • implement that strategy
Information Security Strategy: Where to start?
• Can’t START with technology
  • need to start with ISSUES that need addressing
  • policy to address them should follow
• Should be primarily “top down”
  • concerned with policies, not technical matters…
  • can be supplemented by “bottom up” approach
Policy and Technology
• Policy always a headache for organisations to implement
  • requires employee training
  • may cause employee unrest
• Technologies can be used to implement policies
  • degree of success in the latter depends on:
    • communication of policies (and WHY!)
    • understanding of technologies
Information Security Policy matters
• Threats… who will quantify?
  • Head of IT?
  • External Consultant?
  • both?
• Who will suggest strategies to mitigate against those threats?
  • as above?
• Who will make the policies?
  • Senior Management (with guidance…)
Creating a Policy
• Same principles apply as with ANY change in organisational policy
  • MUST come from the top!!!
• Possible implementation issues also need to be:
  • identified
  • communicated to employees
• Problem: Senior Management generally don’t understand IT…
  • unlikely to stand in front of employees and discuss…
IT Manager, and Implementation
• Needs to be able to do it right…
  • likely to need a big budget!
• Big responsibility on the IT manager to convince senior management:
  • that the policy (change) really is necessary!
  • that the organisation won’t suffer financially
  • the consequences of NOT changing
Going beyond Creating a Policy…
• According to the latest figures, many businesses say they DO have an information security policy
  • big questions… is it implemented??? will it be? by when?
• One possible approach to making sure policy gets through to all parts of an organisation is to implement PCI-DSS or another information assurance standard
Information Security Management
• Oversee implementation of policy
  • will be never ending!
• Can’t begin to evolve into an ISMS until policy has been agreed and signed off…
Making a start… (1)
• Devise a set of agreed procedures to protect data
• Accept that administering them is an organisational level matter
• Acknowledge the iterative nature of checking implementation & agree a rate of iteration (e.g. yearly)
• Now have the makings of an ISMS
  • first stage towards ISO27001
Making a start… (2)
• Appoint someone with institutional responsibility
  • in control of the policy-making, and evolution
• Role should not be outsourced!
  • need to provide advice, expertise, implement procedures
  • need realistic budget that takes into account the resource and human cost…
The Costs of securing data
• Hardware/software cost
  • fixed and easily determined
• Human resource cost
  • cost of Information Security supremo
  • cost to the organisation of using staff to implement and enforce data security procedures
    • more difficult to quantify
  • cost of testing knowledge of/retraining employees
Costs of Securing Data
• Isolated LAN, with no internet connectivity
  • no need to worry about data in and data out via the Internet
  • less stringent procedures may be needed/enforced
  • employees could still mess up or steal data
• LAN connected to the Internet:
  • “secret” data? highly rigorous procedures, implemented frequently – very expensive
  • no real secrets (political or commercial)? more infrequent cycle, less exhaustive procedures
    • much cheaper…
The Costs of Data Breach?
• Groups again…
The Costs of Data Breach
• People not able to work…
• Organisation not able to communicate effectively with customers…
• Embarrassment of reporting in the media
  • loss of reputation
• Fines, etc., by FCA or ICO
• Fall in stock market price
• Increase in insurance premiums
• Not getting future contracts…
Information Security Procedures
• In groups, discuss:
  • possible procedures the organisation could set up…
  • how expensive such procedures might be to implement…
  • how “realistic” procedures could be laid out in a policy…
Writing that Policy (1)
• Written as a “Management Report”, e.g.
  • http://www.computerweekly.com/answer/Information-security-policy-template-and-tips
• Should be agreed by SMT and reflect:
  • their objectives for security of information
    • top-down…
  • strategy for achieving those objectives
    • requires liaison to find out what is feasible
Writing… (2)
• Why not just buy a “security-policy-in-a-box”? SMT won’t have the time!
  • needs to be explained in detail by a security professional
  • once understood…
  • needs to be formally agreed upon by SMT
Writing… (3)
• Even if it WAS possible for management to endorse an off-the-shelf policy…
  • not the right approach to attempt to teach management how to think about security!
  • their organisation is unique!
Writing… (4)
• First step should be to find out how management views security
  • security policy… set of management mandates
• “top-down” only provides requirements for the security professional to obey…
  • too restricting without liaison first… (needs some “bottom-up” input)
Writing (5)
• As a result of discussion with SMT…
  • Develop top-level IS policy
  • Includes all topics for policy, but does not break them down into the sort of detail needed for implementation
• Example: top level
  • Example PCI-DSS: http://www.lse.ac.uk/intranet/LSEServices/IMT/about/policies/documents/PCI-DSS-Information-Security-Policy.pdf
Writing (6): What to include…
• What are your security objectives, and how do you measure them?
• What types of information do you handle, and how do the different types of information need to be protected?
• How do you assess risks and select security controls?
What to include… cont.
• How do you manage and report incidents, and learn from them?
• Who is responsible for security?
• What is acceptable employee use for Internet, email and other communication channels?
Writing (7)
• To implement a top level policy…
  • need to liaise with relevant staff and create operational policy
    • e.g. acceptable passwords
    • e.g. acceptable use of email
• Operational policies can be shared with employees during a training session…
  • not just an email with a link… (!)
How achieving an Information Assurance “badge” could help with implementing policy…
• Whatever the business:
  • any new work will have a cost
  • that cost needs to be qualified
• More cost means less profit…
  • what is the ROI of achieving a high level of information security?
  • badge can be used to impress (potential) customers
Potential Financial Benefits of Information Assurance?
• Need to be sold to senior mgt…
  • less risk of losing valuable (even strategically important…) data
  • less likely to get embarrassing leaks, which could even get to the media (!)
  • less likely to fall foul of the law (!)
• Evidence from an ever growing set of examples of businesses who have done both of the above
  • lost customers AND share price dropped…