Secure information Secure Catalyst
Adrian Leung, Head of Information Security
3rd March 2016
Classification: Restricted
Agenda
1. Catalyst’s security & privacy journey
2. Awareness & cultural change
3. Information classification & handling
4. Gone phishing
5. Housing security & privacy forum
The world of security & privacy

| | Information Security | Data Protection | PCI DSS |
|---|---|---|---|
| Driver | Business | Compliance | Compliance |
| Focus | Corporate strategy | Customer focused | Customer focused |
| Scope | All information (electronic, hardcopy, verbal) | Personally identifiable electronic data | Payment card details |
| Framework | ISO27001, UK Gov Cyber Essentials | UK Data Protection Act | PCI DSS 3.0 |
People-centric approach
Users/People
Devices/Endpoints
Data/Information
Applications/Networks
“People-centric security is a strategy that represents an alternative to conventional information security practice. It places more personal responsibility for protecting information resources on the shoulders of individual employees in return for reducing or eliminating restrictive, preventative controls.”
Gartner Research
Awareness & cultural change: Creating a brand
Awareness & cultural change: Engaging the business - Quarterly topics
Awareness & cultural change: Engaging the business
Confidential Restricted Unrestricted
Insert Classification Here
Information classified as Confidential should only be accessed by people with a business need to know, including a limited number of Catalyst employees and specific external parties. Unauthorised access would be damaging.

Information classified as Restricted is normally intended to be accessed only by Catalyst employees and, potentially, relevant external parties. Unauthorised access would be undesirable.

We classify information as Unrestricted when there would be no negative consequence if anyone was to see it, even though it may be intended for a specific audience.
Each time we create new information, we will classify and label it.
• This is your information, so you have a responsibility to make sure that you and others look after it
• Classification engages people. It makes us think!
• Recipients know how to handle classified information
• It helps us focus information management investment according to risk
Gone Phishing
From Phishing to Whaling
“Connect” with the CEO
The results
?? Reported the email
?? Gave over their user credentials
?? Clicked on a link
704 Received the
30 Reported the email
What clues should we look out for?
The links and email used were not from LinkedIn, they were “Linkediin”
Phishing emails often…
• Pose as someone in a position of authority
• Have a sense of urgency, asking you to do something immediately
• Ask you to open attachments or provide personal information
• Provide you with malicious links to click
Spot the difference
1. http://www.Internet.org
2. http://www.lnternet.org
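The “Linkediin” and lnternet.org look-alikes above can also be caught mechanically by a mail or proxy filter. The following Python sketch is an added example, not part of the original slides; the allow-list, the `linkediin.com` sample URL and the function names are constructed for illustration, and it assumes plain two-label domains rather than a Public Suffix List lookup.

```python
from urllib.parse import urlsplit

# Constructed allow-list for this example; load your own brand/partner domains.
TRUSTED = {"linkedin.com", "internet.org"}

# Characters that read alike in common fonts, folded to one representative.
CONFUSABLE = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o"})


def skeleton(domain):
    """Fold look-alike glyphs so 'lnternet' and 'internet' compare equal."""
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(CONFUSABLE)


def edit_distance(a, b):
    """Levenshtein distance: one added, dropped or substituted character = 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(url):
    """Last two labels of the host (assumption: no multi-part suffixes)."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    return ".".join(host.rstrip(".").split(".")[-2:])


def classify(url):
    """Return (verdict, trusted domain it matches or resembles, else None)."""
    domain = registrable(url)
    if domain in TRUSTED:
        return ("trusted", domain)
    for good in sorted(TRUSTED):
        # Distance 0 on skeletons = homoglyph swap; 1 = single-letter typo.
        if edit_distance(skeleton(domain), skeleton(good)) <= 1:
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    for url in ("http://www.Internet.org", "http://www.lnternet.org",
                "https://www.linkediin.com/in/ceo", "https://example.com/"):
        print(url, classify(url))
```

A distance threshold of 1 will produce false positives on very short domain names, so treat a "lookalike" verdict as a reason to flag or quarantine for review rather than as proof of phishing.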
Lessons learnt
1. Culture eats Security for breakfast
2. Business engagement is key (build rapport)
3. Focus on the crown jewels
4. Collaborate with colleagues
5. Reach out & network with peers (join the Housing Security & Privacy Forum today)
Housing Security and Privacy Forum
Forum objectives
A friendly platform to:
• Share and exchange knowledge and good practice
• Discuss common challenges
• Keep abreast of developments in sector
• Collaborate & pool resources -> Value for Money
• Develop guidance and standards
• Raise maturity level in sector
Next event (Free to attend)
Date: 16th March (Wed)
Venue: London South Bank University
Hosted by: Peabody
Registration: https://www.eventbrite.co.uk/e/security-and-privacy-is-your-house-in-order-tickets-20806588065
Contact us
Email: Adrian.Leung@chg.org.uk
Email: Information.Security@chg.org.uk