Information security in the
Norwegian higher education
sector 2012-13.06
Kenneth Høstland, CISA, CRISC
Policy track
Background
• Protection of personal data
• Compliance with regulations
  • The Personal Data Act
  • The Personal Data Regulations
    • Security management (Section 2-3)
    • Risk assessment (Section 2-4)
• Efficiency, etc.
• Improve governance and control regarding actual threats
• Proportionality requirements – extent and type of business
• Balancing different interests (privacy, availability, confidentiality, financial, etc.)
PDA – definitions
Section 2 Definitions
For the purposes of this Act, the following definitions shall apply:
1) personal data: any information and assessments that may be linked to a natural person;
8) sensitive personal data: information relating to
  a) racial or ethnic origin, or political opinions, philosophical or religious beliefs,
  b) the fact that a person has been suspected of, charged with, indicted for or convicted of a criminal act,
  c) health,
  d) sex life,
  e) trade-union membership.
Sensitive personal data shall be processed and stored in secure areas where only authorized users are granted access. A business can create multiple secured zones depending on demand.
Policy track
Mapping standpoint
• IS audit
• RVA
• Further surveys
  o SWOT
  o BIA
Measures / action
• Internal control – policy (in 3 levels)
• Technical measures / ICT security infrastructure
• BCP/DRP
Policy track
Mapping standpoint – IS Audit
• Based on ISO 27001 (Appendix A)
• Regulatory requirements (PDA, The Copyright Act)
• "Best practice" (ISACA, ISF, DND, NIST, vendor recommendations, etc.)
• Checklists that reflect the above
• Report
• Report
Typical IS audit conclusions
The technical security of the existing solutions is mostly satisfactory, and provides relevant security against traditional threats.
A Data Inspectorate audit would have resulted in clear orders that would have to be fulfilled within six months in line with the recommendations in our report.
Some essential governing documents are missing, e.g.
o security policy (incl. security objectives and strategy),
o IT strategy,
o continuity and contingency plans for IT.
Outsourcing contracts are inadequate with respect to information security, including a missing SLA.
i.e. "The terrain can be good – but the map is missing"
IS Audit: Overall recommendations
Establish a security policy based on ISO 27002, and implement it, including a selection of procedures.
Establish the role of Chief Security Officer (CSO) and formally anchor the responsibility for information security in senior management.
Perform risk assessments of systems with personal data with respect to confidentiality, integrity and availability.
Develop an overview of the personal data that are processed.
Establish a satisfactory security architecture based on the concept of security levels.
Develop BCP (Business Continuity and Contingency Plans) for the ICT infrastructure.
Some technology-related risks
Mobility / BYOD raises significant risks: moving boundaries / security barriers
Private devices are often filled with company information
Complexity can be the enemy
o as a result of unnecessary functionality
o as a result of too much "technology focus"
Constant changes / technology shifts are a threat
o they leave less time to develop effective security measures
A deficient / missing IT / technology strategy is a threat
o can lead to ad hoc procurements
o can be costly
o the IT strategy must be anchored in the business
Avoid "too much security technology"
o choose measures based on the ROS (risk and vulnerability) assessment
Avoid risk-prone configurations
o Example: clients and servers in the same segment / regime, combined with local administrator access on the client/PC, and allowing BYOD without measures that establish accountability
Security with a system – document structure (why / what / how)
1) Why – Security policy: defines the goals, purpose, responsibility and overall requirements. Governing document.
2) What – Guidelines for information security: define what should be done to comply with the established policy. Governing document – ISO 27k structure.
3) How – Standards and procedures: contain detailed guidelines for the implementation of security. Accomplishing and controlling documents.
Security put in system
The Data Inspectorate often gets questions about how a company can adapt to the Data Inspectorate's requirements for information security. Among other things, it is asked about the relationship with ISO standards. The regulation is based on ISO standards. Chapter 2 of the Personal Data Regulations (the information security chapter) is based on and has the same structure as the ISO standard 17799. The standard is more exhaustive and is another useful tool for enterprises. The standard series consists of two parts. The first part is translated into Norwegian. The standard can be obtained by contacting Pronorm.
Definition of risk management – a simple definition
Risk management is about determining acceptable risk, performing risk assessments and prioritizing security measures. This is senior management's responsibility.
(NorSIS)
Risk management – overall steps: NSM / Datatilsynet / NorSIS compared with DFØ / COSO
Step 1 – NSM / Datatilsynet / NorSIS: Planning and organization
  a. Planning
  b. Organization
  c. Identification of values (assets)
  d. Identification of risks
Step 1 – DFØ / COSO: Identification of the overall measures for
  a. goals and values
  b. reliable financial reporting and financial management
  c. compliance with laws and regulations
Step 2 – NSM / Datatilsynet / NorSIS: Implementation of the ROS analysis (risk and vulnerability assessment)
  a. Identification of adverse events
  b. Determination of likelihood and consequence
  c. Determination of risk
  d. Evaluation of risk and acceptable risk
Step 2 – DFØ / COSO: Identifying CSF (critical success factors)
Step 3 – NSM / Datatilsynet / NorSIS: Preparation and implementation of measures
  a. Survey of existing measures
  b. Preparation of security measures
  c. Assessment of benefits and costs
  d. Communication with decision makers
Step 3 – DFØ / COSO: Identifying risks
Step 4 – NSM / Datatilsynet / NorSIS: Control and audit
  – Monitoring and control of security
  – Management's evaluation
Step 4 – DFØ / COSO: Assessment and prioritization of risks
Step 5 – DFØ / COSO: Assessment of P & C
Step 6 – DFØ / COSO: Prioritization of risks -> avoid, reduce, share or accept the risk
Risk treatment – four categories:
• Avoid – exit the activities that are a source of risk
• Reduce – measures are implemented to reduce the likelihood or the consequence of the risk, or both
• Share – reduce the likelihood or consequence of the risk by transferring, or otherwise sharing, part of the risk with others
• Accept – no measures are implemented to affect the likelihood or consequence of the risk
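The ROS steps above (identify events, determine likelihood and consequence, compare with acceptable risk, weigh benefit against cost) and the four treatment categories, worked through on a small risk register. This is an added example and not material from the slides; the 1-4 scales, the product risk model, the acceptance level, the kNOK costs and the events are constructed assumptions.

```python
"""ROS assessment (steps 2-3) on a constructed risk register. Added example;
scales, acceptance level, costs and events are assumptions, not slide content."""
from dataclasses import dataclass, field

LIKELIHOOD = {"rare": 1, "unlikely": 2, "likely": 3, "almost certain": 4}
CONSEQUENCE = {"minor": 1, "moderate": 2, "serious": 3, "critical": 4}
ACCEPTABLE_RISK = 4   # step 2d: acceptable risk, assumed set by senior management

@dataclass
class Measure:            # step 3b: a candidate security measure
    name: str
    cost: int             # constructed figure, kNOK
    new_likelihood: str   # likelihood / consequence expected after the measure
    new_consequence: str

@dataclass
class AdverseEvent:       # step 2a: an identified adverse event
    name: str
    likelihood: str
    consequence: str
    measures: list = field(default_factory=list)

def risk(likelihood, consequence):
    """Step 2c: risk = likelihood x consequence (assumed product model)."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]

def assess(event):
    """Steps 2b-2d: score the event and compare with the acceptable level."""
    score = risk(event.likelihood, event.consequence)
    return {"event": event.name, "risk": score, "acceptable": score <= ACCEPTABLE_RISK}

def best_measure(event):
    """Step 3c: among measures that reach acceptable risk, take the largest risk
    reduction per kNOK. None means the event is accepted as it stands (category 4)."""
    current = risk(event.likelihood, event.consequence)
    if current <= ACCEPTABLE_RISK:
        return None
    ranked = []
    for m in event.measures:
        residual = risk(m.new_likelihood, m.new_consequence)
        if residual <= ACCEPTABLE_RISK:
            ranked.append(((current - residual) / m.cost, m.name))
    return max(ranked)[1] if ranked else "escalate: no measure reaches acceptable risk"

# Constructed register built around the deck's own example of a risk-prone
# configuration (clients and servers in one segment, local admin, open BYOD).
EVENTS = [
    AdverseEvent("Malware on a BYOD client spreads to servers in the same segment",
                 "likely", "serious",
                 [Measure("Separate client and server segments", 300, "unlikely", "serious"),
                  Measure("Segmentation + remove local admin on clients", 450, "unlikely", "moderate")]),
    AdverseEvent("Outsourcer misses availability needs (no SLA)", "likely", "moderate",
                 [Measure("Add SLA with recovery requirements to the contract", 50, "likely", "minor")]),
    AdverseEvent("Laptop with personal data lost", "rare", "serious"),
]

def prioritized():
    """Steps 4/6: the register ordered by risk, highest first, for decision makers."""
    return sorted((assess(e) for e in EVENTS), key=lambda a: -a["risk"])
```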
Risk treatment – challenges
• Natural disasters
• Environmental crises
• Technical failures
• Man-made crises
A business's ability to survive a crisis is directly related to how comprehensive the disaster plan was BEFORE the crisis occurred.
BIA – impact assessment of outage
The business must find the optimal "point" at which to restore IT services by balancing the costs of recovery against the costs/losses from downtime.
The BIA provides the downtime costs; evaluation of the recovery strategy provides the costs of recovery.
BCM
Should be based on:
• BS 25999-1 -> ISO 22301:2012
• ISACA guidelines for BCM
• ITIL – ITSCM (IT Service Continuity Management)
• Other guidelines (NIST and others)
New terms in ISO 22301 (vs. BS 25999)
• Incident that causes an interruption of operations: "Disruptive incident"
• Information and its medium that must be controlled and maintained by the organisation: "Documented information"
• Maximum time an activity can be stopped before operations are impaired more than is acceptable: "Maximum Acceptable Outage"
• Predetermined time within which an activity must be resumed or resources restored: "Recovery Time Objective (RTO)"
• Maximum loss of data, or the minimum data that must be recoverable: "Recovery Point Objective (RPO)"
• Action to correct a detected nonconformity: "Correction"
Preparation
Goal: establish the necessary acceptance of the steps needed to achieve strong anchoring of the need for, and necessity of, a continuity plan.
Tasks / steps
• Prepare a policy for disaster management.
• Perform a vulnerability analysis (BIA)
• Identify preventive controls
• Strategic plans for recovery (based on RA/BIA)
• Development of the plan (incl. crisis management and response team)
• Testing and exercises
• Maintenance
[Figure: continuity cycle – Preparation; Prevent / avert; Reaction; Recovery; Testing & exercises, evaluation and maintenance]
Integrated value chain (example from a manufacturing company)
[Figure: support functions – 7. Management, 8. Finance, 9. HR / Payroll / HSE, 10. IT, 11. R&D / Industrialisation, 12. QA; primary chain – 1. Marketing -> 2. Contract -> 3. Ordering -> 4. Production -> 5. Delivery -> 6. Install. & Comm -> 7. CS]
[Figure: Value chain – system: business processes (1. Process A ... 5. Process E) mapped to systems, application services, infrastructure services (servers, communication / distribution), organisation and physical framework conditions]
Summary
One can achieve adequate security by
• being able to proactively identify threats
• making security more effective with the means you already have
• addressing the "80 percent"
• building reputation
• actually gaining a competitive advantage
Avoid "BYOD" becoming "Bring Your Own Disaster"
This requires a methodical approach:
• IT audit / mapping of the current standpoint
• ROS analysis / assessment
• Governing documents
  • Policy and procedures
  • Business strategy, IT strategy
  • KBP
• Training, awareness-raising measures
Short version:
• comply with laws & regulations
• meet business requirements
• achieve "adequate security"
Finally
http://www.isaca.org
http://www.sfso.no
http://www.nsm.no
http://www.datatilsynet.no
Contact: [email protected] 416 69 141