The Other Side of Information Security Wilco van Ginkel – Ubizen wilco.vanginkel@


  • Slide 1: The Other Side of Information Security
    • Wilco van Ginkel, Ubizen, wilco.vanginkel@ubizen.com
  • Slide 2: Purpose of the keynote
    • Give the audience the other side of Information Security in a nutshell
    • Nutshell because of time constraints
  • Slide 3: Agenda
    • Introduction
    • Business & Risk Assessment
    • Security Policies & Procedures
    • Security Standards
    • Security Awareness
    • Examples where Organisational meets Technical
  • Slide 4: Introduction
    • The four fundamental questions
    • The components of a total security solution
    • Trend in the market
    • The Security Triangle
    • The Domains
  • Slide 5: The Four Questions
    • Most organisations ask the question: How should I protect?
    • More important is to ask first:
      1. Why should I need protection?
      2. How difficult will it be to protect?
      3. What and against who should I protect?
      4. Then: How should I protect?
  • Slide 6: Components of a Security Solution
    • Technical (20%) and Organisational (80%)
    • Organisational components: Assessment, Policies, Procedures, Awareness, Legal
  • Slide 7: Trend
    • Security is considered more and more as part of the normal business process
    • We are not talking Rocket Science
    • Does this mean that technology is dead or something?
    • Most organisations don't know how to do it
  • Slide 8: Security Triangle
    • Assessment & Policies
    • Security Awareness
    • Cryptography
  • Slide 9: The Domains
    • Security Requirements and Business Requirements span the domains
    • Domains:
      1. I.T.
      2. Physical
      3. Environmental
      4. Human
      5. Organizational
      6. Administrative
      7. Legal
  • Slide 10: The first step: Meet the parents
    • Because:
      • They decide about security
      • They should back up and support security
      • They have authority
      • They are responsible
    • How: Perform Business & Risk Assessment
  • Slide 11: Business Assessment - 1: Why should I need protection?
    • Discuss the stakes
    • Discuss the different types of information
    • Discuss the Security Requirements (CIAR)
    • Discuss strategic questions, like:
      • Replacement value of IT
      • Targets
      • Is IT just support or strategic for the organisation?
  • Slide 12: Business Assessment - 2: How difficult will it be to protect?
    • Evaluate the constraints, like:
      • Financial
      • Internal knowledge
      • Dependency on partners
      • Calendar
  • Slide 13: Risk Assessment - 1: Against what and who should I protect?
    • Perform Risk Assessment
    • Be aware of terminology:
      • Risk Identification (RI)
      • Risk Assessment (RASS = RI + value)
      • Risk Management (RM = how should we protect)
      • Risk Analysis (RASS + RM)
  • Slide 14: Risk Assessment - 2: Some attention points
    • Different Risk Assessment/Analysis methodologies
    • Sometimes difficult to determine the value
    • Make sure that you've got the right people, meaning people:
      • Who know the business processes
      • Who have authority to decide
  • Slide 15: Security Policies
    • First things first: the CSP
    • Formalisation of the Security Strategy and objectives
    • High Level
  • Slide 16: Security Policies - 2
    • System Security Policies:
      • General description of the Information System
      • Security around the Information System
      • Security on the Information System
      • Technical security settings (OS, database, application)
    • Other important policies are, for example:
      • Asset Classification
      • Malicious Software Policy
  • Slide 17: Security Policies - 3
    • Make sure that:
      • The policy is supported by the System Owner
      • You avoid the Ivory Tower Syndrome
      • The policy is clearly communicated
      • The policy is useful and pragmatic
  • Slide 18: Security Procedures: Who is doing what, why and when?
    • Important procedures are, for example:
      • Boarding Process
      • Incident & Escalation
      • Back-up/Recovery
      • Change & Configuration Management
  • Slide 19: Security Standards - 1: Are we on our own?
    • No, there are standards out there
    • A set of best practices
    • Can be a good starting point and prevents re-inventing the wheel
    • However, be careful not to implement a security standard blindly
  • Slide 20: Security Standards - 2: Some well-known examples
    • BS/7799 part 1 + 2 (ISO/7799-1)
    • Cobit-3
    • ITIL
    • ISO-13335
    • Common Criteria (ISO-15408)
    • NIST
    • IETF
    • Certification could be interesting
  • Slide 21: Security Awareness
    • The most critical success factor of Information Security
    • Mind set
    • Awareness should be at any level in the organisation
    • Relation with psychology
  • Slide 22: Organisational meets technical - 1
    • Example:
      • CSP: Accountability principle
      • Authentication Policy: strong authentication
      • Counter measure: Tokens
  • Slide 23: Organisational meets technical - 2
    • Example:
      • CSP: Information across untrusted networks should be protected
      • Cryptography Policy: Symmetric Encryption at least 128 bits, preferred choice 3-DES
      • Counter Measure: Hardware Encryptors
  • Slide 24: Organisational meets technical - 3
    • Example: Within the business process Electronic Transactions, there is a high security requirement for Integrity and Non-repudiation
    • Defined risks are:
      • Unauthorised change of the transaction
      • Denial of sending the transaction
    • Digital signatures
    • Crypto Policy: Use RSA, minimum key length at least 1024 bits
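The crypto policy statements from slides 23 and 24 turned into a mechanical check, as an added example that is not part of the keynote. It grades configured algorithms by effective security strength rather than nominal key length (the NIST SP 800-57 equivalences), which is why the slides' preferred 3-DES lands below the 128-bit line and RSA-1024 at roughly 80 bits; the input dict format is an assumption.

```python
# Added example (not from the keynote): policy-as-code for the two crypto policy
# statements on the slides, with effective-strength figures from NIST SP 800-57.
from dataclasses import dataclass

POLICY = {"symmetric_min_bits": 128, "rsa_min_bits": 1024}  # slides 23 and 24

# Effective strength in bits, as opposed to nominal key length: 3-DES carries a
# 168-bit key but only ~112 bits of security (meet-in-the-middle attack).
SYMMETRIC_EFFECTIVE = {"DES": 56, "3DES": 112, "AES-128": 128, "AES-256": 256}
# (RSA modulus bits, equivalent symmetric strength) per SP 800-57 Table 2.
RSA_EFFECTIVE = [(1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)]

@dataclass
class Finding:
    control: str
    compliant: bool
    effective_bits: int
    detail: str

def rsa_strength(key_bits: int) -> int:
    """Largest tabulated equivalence not exceeding key_bits (0 below 1024)."""
    return max((s for k, s in RSA_EFFECTIVE if key_bits >= k), default=0)

def check_symmetric(algorithm: str) -> Finding:
    bits = SYMMETRIC_EFFECTIVE.get(algorithm, 0)  # unknown algorithm counts as 0
    return Finding("symmetric", bits >= POLICY["symmetric_min_bits"], bits,
                   f"{algorithm}: {bits} effective bits, policy minimum "
                   f"{POLICY['symmetric_min_bits']}")

def check_rsa(key_bits: int) -> Finding:
    bits = rsa_strength(key_bits)
    return Finding("rsa_signature", key_bits >= POLICY["rsa_min_bits"], bits,
                   f"RSA-{key_bits}: {bits} effective bits, policy minimum "
                   f"RSA-{POLICY['rsa_min_bits']}")

def audit(system: dict) -> list[Finding]:
    """Check one system's configured algorithms against the policy (assumed keys)."""
    return [check_symmetric(system["symmetric"]), check_rsa(system["rsa_bits"])]

def weakest_link(findings: list[Finding]) -> int:
    """The design is only as strong as its weakest primitive."""
    return min(f.effective_bits for f in findings)

if __name__ == "__main__":
    # Constructed sample: the slides' own preferred choices, 3-DES with RSA-1024.
    results = audit({"symmetric": "3DES", "rsa_bits": 1024})
    for f in results:
        print("PASS" if f.compliant else "FAIL", f.detail)
    print("overall effective strength:", weakest_link(results), "bits")
```

Run against the slides' own choices it reports RSA-1024 as compliant but the whole design at 80 bits, and 3-DES as non-compliant with the 128-bit minimum once measured by effective strength.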
  • Slide 25: Useful links
    • www.isaca.org
    • www.bsi-global.com
    • www.nist.gov
    • www.ietf.org
    • www.iso.org
    • www.cse-cst.gc.ca
    • www.bsi.de
    • www.cenorm.be/isss
    • www.cesg.gov.uk
    • www.sse-cmm.org
  • Slide 26: Reading stuff to fill long winter nights
    • ISO TR13335: General Management of IT Security
    • ISO 15408: Common Criteria for evaluation and certification of IT security
    • Baseline Protection Manual (BSI.DE)
    • BS7799: Code of practice for Information Security Management (two parts)
    • CobiT: Governance, Control and Audit for Information and Related Technology (ISACA)
    • SSE-CMM: System Security Engineering - Capability Maturity Model
  • Slide 27: Questions, Discussions, ...