
Office of the Government Chief Information Officer (OGCIO)

Information Security Best Practices for SMEs

Presented by Sammy Leung

Important Notice All rights, including copyright, in this PowerPoint file are owned and reserved by the Office of the Government Chief Information Officer (OGCIO). Unless prior permission in writing is given by OGCIO, you may not use the materials other than for your personal learning and in the course of your official duty.

Important Notice: The Office of the Government Chief Information Officer holds and reserves all rights, including copyright, in this presentation file. Unless prior written permission is obtained from this Office, this presentation file may only be used for personal learning and in the course of official duties.

Disclaimer: The security sharing that follows is based on well-known security practices in the industry. It has no relation to the security measures in the OGCIO.

Disclaimer: The content shared in this talk is based on security practices advocated by the industry; it is unrelated to the security measures of the Office of the Government Chief Information Officer.

Information Security Management Quartet

Web Security

Cloud Security

Bring Your Own Device (BYOD)

Why Does Information Security Concern Me?

Case 1: An alternative dating website with more than 30 million users worldwide was hacked; according to reports, some sensitive personal data was at one point posted publicly online.

Case 2: Two Hong Kong hotels under a hotel group had guests' credit card data stolen by hackers between June last year and February this year.

Source: Symantec - 2015 Internet Security Threat Report, Volume 20 https://www.symantec.com/zh/tw/security_response/publications/threatreport.jsp

Information Security Management Quartet

• Assessing Security Risks
• Implementing & Maintaining a Secure Framework
• Monitoring & Recording
• Reviewing & Improving


Information Security Management Quartet • Assessing Security Risks

• Information Asset: Confidentiality, Integrity, Availability
  • Personal Data Privacy
  • Intellectual property (design, art work)
  • Price List
  • Client Contact Database

Information Security Management Quartet • Implementing & Maintaining a Secure Framework

• Policy, guidelines
• Technical measures

Information Security Management Quartet • Implementing & Maintaining a Secure Framework

• Security Policy
  • Ensure everyone has a common set of expectations and objectives
  • Specify requirements
  • Define the roles and responsibilities
  • Accepted and validated by the board and executive management
• Guidelines
  • Provide general guidance
• Examples
  • Baseline IT Security Policy (S17)
  • IT Security Guidelines (G3)
  http://www.ogcio.gov.hk/en/information_security/policy_and_guidelines/

OGCIO’s IT Security Policy and Guidelines

Baseline IT Security Policy (S17)

Information Security Management Quartet • Implementing & Maintaining a Secure Framework

• Example of Policy, Standards, Guidelines
  • ISO/IEC 27000 Family
    • ISO/IEC 27001:2013 - ISMS Requirements
    • ISO/IEC 27002:2013 - Code of practice for information security controls
  • Collection of policies and guidelines available at InfoSec http://www.infosec.gov.hk/english/technical/standards.html

InfoSec > Technical References > IT Security Standards and Best Practices

Information Security Management Quartet • Implementing & Maintaining a Secure Framework

• Example of Policy, Standards, Guidelines
  • HKCERT
    • Bring Your Own Device (BYOD) Security Guidelines
    • Cloud Storage Security
    • Guideline of Web Security
    • Guideline of Mobile Security
    https://www.hkcert.org/security-guideline

HKCERT > Publications > Security Guideline

Information Security Management Quartet • Implementing & Maintaining a Secure Framework

• Select and Implement Technological Measures
  • Cloud Security
  • Web Security
  • BYOD Security

Bring Your Own Device (BYOD) Security

• Risk
  • Data leakage
  • Remote intrusion
  • Cross-platform infection
• Strategy
  • Which information and systems are available for BYOD
  • BYOD Policy, Best Practices
  • User awareness and user buy-in

- Encrypted WiFi network (e.g. WPA2)
- MAC address filtering
- Set up VPN
- Set up a firewall for BYOD to connect to the company network
- Adopt Mobile Device Management (MDM): detect jailbroken devices, create security profiles, track and control running apps
- Update

Image source: GuidingTech - [Quick Tip] How to Delay Android Screen Lock Time http://www.guidingtech.com/16416/delay-android-screen-lock-time/

Web Security

Web Security • User-side

• Update web browser
• Update Adobe Flash
• Update Java
• Remove all unused plug-ins and extensions
• Enable browser's anti-phishing feature
• Disable browser's plugin autorun feature

Web Security Guideline • User-side

• Beware of shortened URLs
• Use the preview feature

  Shortened URL              Preview URL
  http://tinyurl.com/XXXXXX  http://preview.tinyurl.com/XXXXXX
  http://bit.ly/XXXXXX       http://bit.ly/XXXXXX+ or http://bit.ly/info/XXXXXX
  http://goo.gl/XXXXX        http://goo.gl/XXXXX+ or http://goo.gl/info/XXXXX
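The preview-URL rewrites listed on the slide can be automated so that staff see where a short link leads before clicking it. The Python script below is an added example; it is not part of the OGCIO slides or of any HKCERT tool. It encodes the three mappings shown on the slide (using the "/info/" form for bit.ly and goo.gl, which the slide gives as equivalent to the "+" suffix), leaves links that are already in preview form unchanged, returns None for any shortener it does not know, and can sweep a whole message body such as an e-mail so every known short link is shown in its preview form. The function names, the URL regex and the sample message are constructed for this example.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Rewrite rules for the shorteners named on the slide:
# known host -> (preview host, preview path template).
# The "/info/" form is used for bit.ly and goo.gl; the slide lists the "+" suffix as equivalent.
PREVIEW_RULES = {
    "tinyurl.com": ("preview.tinyurl.com", "/{code}"),
    "bit.ly": ("bit.ly", "/info/{code}"),
    "goo.gl": ("goo.gl", "/info/{code}"),
}

# Constructed regex for picking http(s) links out of free text (e-mail bodies, chat messages).
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def _normalised_host(parts) -> str:
    """Lower-case the host and drop a leading 'www.' so the rule table matches."""
    host = (parts.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _is_already_preview(host: str, code: str) -> bool:
    """True for links that already point at a shortener's preview page."""
    if host == "preview.tinyurl.com":
        return True
    if host in ("bit.ly", "goo.gl"):
        return code.startswith("info/") or code.endswith("+")
    return False


def preview_url(short_url: str) -> Optional[str]:
    """Return the preview form of a known shortener link.

    Returns the link unchanged if it is already a preview link, and None if the
    host is not one of the shorteners in PREVIEW_RULES or the link carries no
    short code (nothing to preview).
    """
    short_url = short_url.strip()
    parts = urlsplit(short_url)
    host = _normalised_host(parts)
    code = parts.path.strip("/")
    if _is_already_preview(host, code):
        return short_url
    if host not in PREVIEW_RULES or not code:
        return None
    preview_host, template = PREVIEW_RULES[host]
    # Query string and fragment are dropped: the preview page is keyed on the short code alone.
    return urlunsplit((parts.scheme or "http", preview_host, template.format(code=code), "", ""))


def rewrite_short_links(text: str) -> str:
    """Replace every known short link in a block of text with its preview form;
    URLs from unknown hosts are left exactly as they were."""
    def _swap(match):
        preview = preview_url(match.group(0))
        return preview if preview is not None else match.group(0)
    return URL_RE.sub(_swap, text)


if __name__ == "__main__":
    # Constructed sample message; these are not real links.
    sample = ("Invoice attached: http://tinyurl.com/abc123 or https://bit.ly/3xYz "
              "(our site: https://example.com/invoice)")
    print(rewrite_short_links(sample))
```

Run as a script it prints the sample message with the tinyurl.com and bit.ly links replaced by their preview forms and the example.com link untouched; in practice the same rewrite can be applied to incoming mail before it reaches a user's inbox, or offered as a quick check tool on an intranet page.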

Cloud Security

Cloud Security • Cloud Service

• Selecting Cloud Service Providers
  • Read the Terms of Service and Security & Privacy Policy
  • How is your data stored and protected?
    • Clear policy on data protection
    • Good reputation
  • How to report an incident?
    • Clear reporting mechanism
    • Provides incident problem reports
  • Does the Privacy Policy follow the data protection principles of the Personal Data (Privacy) Ordinance?
    • PCPD's Cloud Computing leaflet http://www.pcpd.org.hk/english/resources_centre/publications/information_leaflet/flipbook/cloud_computing/index.html#1/z

Cloud Security • Cloud Service

• Selecting Cloud Service Providers
  • Data Ownership
    • Check whether the service provider can use, disclose, or make your information public
    • Check whether data can be permanently erased from the cloud and from its backups when data are deleted or when you terminate the service
  • Other concerns:
    • Data in motion: support SSL
    • Strong authentication: 2-factor authentication; 2-step verification
    • Access control: different access privileges for different users/groups

Cloud Security • Cloud Service

• Selecting Cloud Service Providers
  • Supported by an independent information security management certification (e.g. ISO/IEC 27001)
    • Read the scope statement carefully

Cloud Security • Cloud Service

• Selecting Cloud Service Providers
  • Other References:
    • ISO/IEC 27000 Family
      • ISO/IEC 27017:2013 - Code of practice for information security controls based on ISO/IEC 27002 for cloud services (under development)
      • ISO/IEC 27018:2014 - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors

Other Resources

Twitter https://twitter.com/cybersecurityhk

www.infosec.gov.hk

Youtube Channel infosecgovhk

Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) https://www.hkcert.org
Hong Kong Police Force - Technology Crime Prevention http://www.police.gov.hk/ppp_tc/04_crime_matters/tcd/index.html
Hong Kong Police Force - 童叟無欺 (anti-deception campaign) http://www.police.gov.hk/ppp_tc/04_crime_matters/ccb/index.html
Office of the Privacy Commissioner for Personal Data, Hong Kong http://www.pcpd.org.hk

Thank You

Presentation template and clipart from PresenterMedia