Sasa Aksentijevic, MBA IT, Ph.D. Business Economy cand. / ICT Manager / C(I)SO / ICT Court Forensic Expert
LinkedIn: linkedin.com/sasaaksentijevic

Common ICT security mistakes in corporate environments

Information security: certification, internal audit, CISSPs, CISMs, ISO 27K, BCP, DR, network security, antivirus solutions, anti-intrusion, firewalls, ethical hacking, residual risk management, SWOT, GAP, Monte Carlo... ????
PRESENTATION CONTENT
- A little theory will not hurt anybody
- Management has discovered information security, or the Dilbert approach to information security
- Should we include the coffee machine in the ISMS scope? AKA is certification the final answer to infosec?
- "I will write my password on a Post-It for you" AKA low-level (operative) infosec breaches
- How can something be nothing? Is information security possible? Is ICT security possible?
- Q&A
Common ICT security mistakes in corporate environments Infosec concept model
Common ICT security mistakes in corporate environments
PHB or Pointy-Haired Boss
Description: The pointy-haired boss (often abbreviated to just PHB) is Dilbert's boss in the Dilbert comic strip. He is notable for his micromanagement, gross incompetence and unawareness of his surroundings, yet somehow retains power in the workplace. The phrase "pointy-haired boss" has acquired a generic usage to refer to incompetent managers. It is also possible to speak of someone being pointy-haired or having pointy hair metaphorically, meaning that they possess PHB-like traits.
Common ICT security mistakes in corporate environments
ISO 27K (Information technology — Security techniques — Information security management systems — Requirements) is not an information security standard. It is a management systems standard.
- ISO 27K outlines a framework for an ISMS, but it is not a "golden standard" itself.
- ISO 27K is based on risk assessment: there is no "predefined" acceptable risk; criteria, applicability, inclusion and treatment are decided by the organization.
- Organizations decide on the applicability (or not) of Annex A controls. The list of controls exists (Annex "A"), but it is just a "suggestion". Additional controls may be included.
- Certification is still the best available tool to achieve information security goals.
- Efficient implementation requires security analysis of the technical aspects. The standard deals with policy, scope, risk analysis, procedures and records.
- ISO 27K certification is proof of compliance with the standard. By itself, it does not guarantee information security.
Too many ifs
Common ICT security mistakes in corporate environments
- Compliance with local legislation/law requirements: problems with non-compliance
- Management has no awareness that information security is an ongoing, permanent process
- Lack of interest in information security on behalf of the management
- Delegation (of tasks that should not be delegated)
- Lack of consistent policies, criteria, standards, work instructions and learning from security incidents
- Creation of parallel, "backdoor" systems, especially for the management authorization process
- Inadequate resources (human resources, time, money, knowledge…)
- Lack of systematic resource and contingency planning, loose control over ICT assets, unclear ownership
- No BCP, no DR, no periodic updating
Common ICT security mistakes in corporate environments
- No ICT security induction, no periodic refresher courses
- Process of learning from incidents is not implemented
- No implementation of employee background checks
- Revocation of access rights and email access, and periodic revision of access rights, not implemented
- Saving on insurance, no change management (log), unsafe networking environment
- SLAs for ICT services are not clearly defined (or they are not adhered to)
- No segregation between production and test environments
- Controls related to third-party relations and NDAs are not implemented
- Inadequate physical access controls (especially for guests, third parties, externals and temps)
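The access-rights item above (leavers whose accounts are never revoked, and access rights that are never re-reviewed) is one of the few mistakes in this list that can be checked mechanically. The following is an added example, not code from the slides or their author: it cross-references a constructed HR leavers list and a constructed IAM account export, and reports enabled accounts that belong to people who have left, plus enabled accounts whose last access review is older than a configurable period. The record layout (`user`, `enabled`, `last_review`, `left_on`) is an assumption; a real export would be mapped onto it.

```python
"""Access-rights review check (added example, not from the slides).

Cross-checks an HR leavers list and an IAM account export and reports
accounts that should already have been revoked or re-reviewed.
All data below is constructed for the example.
"""
from datetime import date, timedelta

# Constructed sample of an IAM export: enabled flag and last review date.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "last_review": "2024-01-15"},
    {"user": "bob", "enabled": True, "last_review": "2023-02-01"},
    {"user": "carol", "enabled": True, "last_review": "2024-05-10"},
    {"user": "dave", "enabled": False, "last_review": "2022-11-30"},
]

# Constructed sample of an HR leavers export.
LEAVERS = [
    {"user": "bob", "left_on": "2024-03-31"},
    {"user": "dave", "left_on": "2022-12-01"},
]


def find_access_review_findings(accounts, leavers, today_iso, max_review_age_days=365):
    """Return a sorted list of (user, reason) findings.

    Reasons:
      'leaver-still-enabled' - account is enabled although the person has left.
      'review-overdue'       - enabled account not reviewed within max_review_age_days.
    Disabled accounts are skipped: revocation has already happened for them.
    """
    today = date.fromisoformat(today_iso)
    left_on = {l["user"]: date.fromisoformat(l["left_on"]) for l in leavers}
    cutoff = today - timedelta(days=max_review_age_days)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        user = acct["user"]
        # Leaver whose leaving date has passed but whose account is still live.
        if user in left_on and left_on[user] <= today:
            findings.append((user, "leaver-still-enabled"))
        # Access rights that nobody has re-confirmed within the review period.
        if date.fromisoformat(acct["last_review"]) < cutoff:
            findings.append((user, "review-overdue"))
    return sorted(findings)


if __name__ == "__main__":
    for user, reason in find_access_review_findings(ACCOUNTS, LEAVERS, "2024-06-01"):
        print(f"{user}: {reason}")
```

Run against the constructed data with a reference date of 2024-06-01, the check flags only `bob`: he left on 2024-03-31 but is still enabled, and his last access review is more than a year old. `dave` also left, but his account is already disabled, so there is nothing to report. In practice the two exports would be pulled on a schedule and the findings routed to the account owner named in the asset register, which is exactly the ownership the next slides say is usually missing.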
Common ICT security mistakes in corporate environments
User breaches
- No data classification / information lifecycle management
- Remote working equipment (PDAs, MMC, USB, notebooks)
- Data exchange procedures (encryption, FTP, snail mail)
- USB drives used for storage and not for backup
- ICT assets not under the control of their owners
Common ICT security mistakes in corporate environments
User breaches
- Clear workplace and clear display policy not enforced
- Documents not supervised, lack of access authorization
- Password sharing, passwords on Post-Its
- Photocopy machines, printers and network scanners
- Non-systematic document disposal
Common ICT security mistakes in corporate environments
User breaches
- Data backup procedures
- Common network areas used for personal data placement
- Malicious intent
- Third-party relations, hardware repair procedures
- No continuous learning / no interest in security culture
Common ICT security mistakes in corporate environments
- Organizational effort -> MANAGEMENT
- Personal effort -> EMPLOYEES (PARTICIPANTS, STAKEHOLDERS)
- Technical effort -> BEST PRACTICES, CERTIFICATION, LEGISLATION, FORENSICS, TESTING, PDCA, AUDIT(s)…
Common ICT security mistakes in corporate environments Thank you for your attention!