
Governance, risk and consumerisation Policy is the best honesty






Presentation Transcript


  1. Governance, risk and consumerisation: Policy is the best honesty

  2. From case-based research
     • What is a policy?
     • Why have one?
     • Who is it for?
     • How to write a policy?
     • Where does it fit in?

  3. What’s the difference between...
     • Policy
     • Process
     • Procedure
     • Work instruction
     • Standard
     • Best practice
     • Good practice

  4. What NCC members say about policies...
     • Formality of process
     • Checks and balances
     • IT/business alignment
     • Standardised framework
     • Control framework for IT provision
     • Scrutiny and feedback
     • Demonstrable business process controls
     • Infrastructure
     • Legal control
     • How IT is managed
     • Legal and IT business alignment
     • Operations framework
     • Channel for communication
     • Useful framework
     • Hierarchy of responsibility and decision making
     • Compliance
     • Direction and control
     • Setting the corporate direction
     • Monitoring and measuring
     • Strategy-objectives-direction-influence
     • Pole on the tightrope...and an alarm clock
     • Action for the right reasons
     • Leadership, management, execution
     • What...no portable storage policy already?
     • Every conceivable help short of useful

  5. Top 10 risk assessment
     • ‘Soft squidgy things between chairs and keyboards’
     • Consistency with permanent and temporary staff, contractors etc. – insider threats
     • Being in a state of forensic readiness – ‘cos stuff happens
     • Back up…basic activity?…but what’s the scope?
     • Data on the network, data in the cloud, server in Huddersfield, data in Athens, you’re in Drumnadrochit with data on an end-user device*
     • Mobile devices…reliance…hostile take over
     • Mobile devices…ownership…what’s on them?
     • What’s the master data? Which is the copy?
     • Classification of information
     • Establish the risk before shooting technology from the hip
     • IA maturity – licensed to handle
     • Blurring of tools and defences
     • Time is money; social networking can be theft…data leakage
     • ‘You can’t undisclose a disclosure’
     • SCADA…hostile take over
     *Luggage in Amsterdam?

  6. Conclusion: Nothing new under the cloud

  7. BYOD...crackability
     • y/n
     • Risk culture
     • Device off: Unclassified
     • Device on: Protect, Restricted, Confidential, Secret, Top Secret

  8. Strength of the Human Firewall
     [Chart: scatter plot of sectors, y-axis “Appetite for Risk” (0–800), x-axis “Attitude to Risk” (0–2500)]
     Quadrant labels: Best appetite/worst attitude; Worst appetite/attitude; Best appetite/attitude; Worst appetite/best attitude
     Region notes:
     • Organisation with weak security may rely on its staff to protect itself from risk
     • Organisation with weak security cannot rely on its staff to protect itself from risk
     • Organisation is wholly reliant on enforced security policy to protect itself from risk
     • Ideal zone: good balance of security policy with staff attitude
     Sectors plotted: Insurance, Software, Local Government, Healthcare, Utilities, Gambling, Registered Social Landlord, Education, Law, Central Government, Charity, Construction

  9. Boiling down the numbers – what’s important?

  10. This is reality Greg!
     • KISS: Keep Interconnection Set-up Simple
     • Install/reinstall
     • Fully automated
     • SAP...prevent unset
     • IT team end up supporting a variety of unknown devices*
     • But it keeps knowledge local and builds skills
     *That there’s policy!

  11. Never start with a blank sheet of paper
     • Purpose
        – Why do we need it and what’s the risk of not having it?
     • Scope
        – What it applies to, and what – if anything – is excluded
     • What the policy is
        – Clear, pithy, and imperative
     • How it’s monitored
        – If it’s worth having, it’s worth checking
     • What happens if the policy is breached
        – Because Murphy was right
     • What to do to enforce it
        – Technology, awareness, or a mix of both
     • Controls
        – Processes, procedures and other related documents (the 'how to's)

  12. Purpose
     • Huge portable storage
     • iPads: can push out Apps but can't remove them
     • Security checks for Apps
        – iOS – yes
        – Android – no
     • Trojan risk
        – Capture and transmit intercepted data
        – Authentication details...and they’re in!

  13. Scope
     • Pads, pods, and 'phones
     • Operating systems
     • Apps
     • Encryption
        – Device level encryption for off-line data
        – Key management
        – Data at rest, in transit

  14. What the policy is
     • Password/pass code/PIN strength
     • Kill switches
     • Sandbox business data
     • 'Patch': up-to-date software
     • Turn off facilities not in use
        – Bluetooth?
        – Wifi?
     • On-line access only
     • Whitelisting
        – Only Apps from trusted sources
        – Download like any other
     • Back up
        – Corporate policy
     • Antivirus where available

  15. How it’s monitored
     • Network monitoring
     • Audit
     • Ensure good intentions realised

  16. What happens if the policy is breached
     • Build Security Information and Event Management (SIEM) into your processes
     • Remote erasure/'kill switches' from vendors enabled

  17. What to do to enforce it...
     • Technical policy: network access
        – Authentication protocol
        – Access methods
        – Two-factor authentication to VPN
     • Use mobile device management product to enforce
        – Encryption
        – Screen locking
        – Remote wiping
        – Network sandbox

  18. Processes, procedures and other related documents
     • Training
        – Password/pass code/PIN protection
        – Treat e-mail attachments with caution: even your most trusted friends may be compromised
        – Links caution: do not assume search engine links are safe; be sure of the destination
     • Acceptable/conditional use
        – Users: be prepared to accept policy
        – Don't 'jailbreak'
        – Only allow the Apps you push
        – Do not allow Apps from App stores
        – Admin: be prepared to wipe
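Slides 14, 17 and 18 list the controls a BYOD policy is expected to set (pass code strength, device encryption, screen locking, patched software, no jailbreaking, apps only from trusted sources, remote wipe available) and say that an MDM product enforces them and that network access is the lever. The following is an added example, not part of the presentation and not any MDM vendor's code, showing how those controls can be expressed as checks over device posture records and turned into a network access decision. The thresholds, the field names on the `Device` record and the sample devices are constructed assumptions; a real deployment would read posture from its MDM product's API and pick its own values.

```python
from dataclasses import dataclass

# Policy thresholds: constructed assumptions for this example, not figures
# from the presentation. A real policy sets its own values.
MIN_PASSCODE_LEN = 6                 # numeric-only PINs must be 2 longer
MAX_SCREEN_LOCK_SECONDS = 300        # 0 means the screen lock is disabled
MIN_OS_VERSION = {"ios": (16, 0), "android": (13, 0)}   # "patch: up-to-date"
TRUSTED_APP_SOURCES = frozenset({"corporate-store"})   # "only allow the Apps you push"


@dataclass(frozen=True)
class Device:
    """Posture snapshot for one device (fields are assumptions, not an MDM schema)."""
    device_id: str
    os_name: str                 # "ios" or "android"
    os_version: tuple            # e.g. (16, 4)
    passcode_len: int
    passcode_numeric_only: bool
    encrypted: bool              # device-level encryption for off-line data
    screen_lock_seconds: int     # auto-lock timeout; 0 = disabled
    jailbroken: bool
    app_sources: frozenset       # where installed apps came from
    remote_wipe_enabled: bool    # the vendor "kill switch" is available
    bluetooth_on: bool           # "turn off facilities not in use"


def evaluate(device):
    """Return a list of (control, severity) findings; an empty list is compliant."""
    findings = []
    # Controls whose failure means business data cannot be protected at all.
    if device.jailbroken:
        findings.append(("jailbroken", "critical"))
    if not device.encrypted:
        findings.append(("no-device-encryption", "critical"))
    if not device.remote_wipe_enabled:
        findings.append(("remote-wipe-disabled", "critical"))
    if device.app_sources - TRUSTED_APP_SOURCES:
        findings.append(("untrusted-app-source", "critical"))
    if device.os_name not in MIN_OS_VERSION:
        findings.append(("unsupported-os", "critical"))
    # Controls whose failure weakens protection but can be remediated by the user.
    required_len = MIN_PASSCODE_LEN + 2 if device.passcode_numeric_only else MIN_PASSCODE_LEN
    if device.passcode_len < required_len:
        findings.append(("weak-passcode", "high"))
    if device.os_name in MIN_OS_VERSION and device.os_version < MIN_OS_VERSION[device.os_name]:
        findings.append(("unpatched-os", "high"))
    if device.screen_lock_seconds == 0 or device.screen_lock_seconds > MAX_SCREEN_LOCK_SECONDS:
        findings.append(("screen-lock", "high"))
    # Advisory only: a prompt for awareness training rather than an access block.
    if device.bluetooth_on:
        findings.append(("bluetooth-on", "advisory"))
    return findings


def access_decision(findings):
    """Map findings to the network-access lever the policy actually enforces."""
    severities = {severity for _, severity in findings}
    if "critical" in severities:
        return "deny"         # keep off the corporate network until remediated
    if "high" in severities:
        return "restricted"   # on-line access only, no off-line data sync
    return "full"


def posture_report(devices):
    """Return {device_id: (decision, [control codes])} for audit and SIEM feed."""
    report = {}
    for device in devices:
        findings = evaluate(device)
        report[device.device_id] = (access_decision(findings), [code for code, _ in findings])
    return report


# Constructed sample inventory (not real devices).
SAMPLE_DEVICES = [
    Device("pad-001", "ios", (16, 4), 6, False, True, 120, False,
           frozenset({"corporate-store"}), True, False),
    Device("phone-002", "android", (11, 0), 4, True, True, 0, True,
           frozenset({"corporate-store", "sideload"}), False, True),
]

if __name__ == "__main__":
    for device_id, (decision, codes) in posture_report(SAMPLE_DEVICES).items():
        print(f"{device_id}: {decision} {codes}")
```

The split between "critical" and "high" is the design choice worth arguing over in a policy review: a jailbroken or unencrypted device cannot keep business data sandboxed regardless of what the user does, so it is refused access outright, while a weak pass code or a missed update is a finding the user can fix and is met with the on-line-only access the slides describe. Feeding `posture_report` into the SIEM process from slide 16 gives the audit trail slide 15 asks for.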

  19. Warning! 478

  20. Conclusion
     • If it’s easy you are not doing it right
     • Everything is more urgent than everything else
     • Nothing is what it seems
     • It’s never the right time to do anything
     • The person who says it cannot be done should not interrupt the person doing it. (Chinese proverb)
