COMP3371 Cyber Security Richard Henson University of Worcester November 2015
Week 8: Implementation of a Security Policy n Objectives: Explain the importance of having a system for managing information security Explain, with examples, the balance of risk v cost in organisational security Explain the complexity of decision-making on whether, or whether not, to spend on security Identify the important roles in implementation of information security policy
Role of Advisor/Consultant after agreement of policy n Putting policy into action is important as production of Information Security policy often difficult to change “from within” important guidance role for advisor/consultant »role shouldn’t stop just because policy has been agreed and filed…
Role of Adviser/Consultant for Implementation of Policy n Enforcement of policy essential… otherwise policy-making a worthless exercise! n Needs procedures agreed at institutional level implemented by departments? n Knowledge & experience will be really useful to an organisation developing a secure online facility to meet business strategic needs
Implementation and Standards n Why do organisations get accredited to an information assurance standard? actions required to get accredited ensure… »policy implementation processes in place n executed through “controls” »implementation is cyclical and lessons are learned from the failure of a control
Implementation of Policy (Technical) n Matter of operationalising the agreed technologies that CURRENTLY combat a particular threat e.g. threat (1): unauthorised internal access »control: careful choice of parameters in GROUP POLICIES makes sure that Windows network users only have access to files & services they need e.g. threat (2): unauthorised access via web »control: authenticate a secure site for buying online – check, read, approve server certificate
Implementation of Policy (Technical) n Good consultant will be able to offer useful advice regarding; embedding any new technologies into existing systems as seamlessly and transparently as possible! bring about a set of procedures from the agreed “tools for the job” that should cover all eventualities…
Implementation of Procedures (People - 1) n Some procedures will be implemented by IT/networking/backend staff: applied to ensure security of servers and of data coming into/leaving the organisation specialist staff, generally good understanding n Procedures involving end-user security implemented by ALL staff »must UNDERSTAND procedures and their crucial importance to the organisation »otherwise reluctant to change habits
Implementing of Procedures (People - 2) n Set of procedures distributed to end- users by … will have little effect! people will resent being told to do it differently often carry on in their own sweet way…
Implementing of Procedures (People - 3) n Senior Management must also provide the means to enforce policy through “carrot-and- stick” penalties for not using procedures reward for following policy through taking new procedures on-board n To do this fairly, need a means of measuring whether employee is following new procedures..
Impact at the Operational Level n New procedures may well affect work practices impact of each needs to be carefully considered… n Pilot scheme first carefully trialled at operational level… time for retraining realistically assessed accurate capital costing for roll-out n When lessons learned… Sold positively to staff i.e: »YES, does mean learning new procedures »BUT, there’ll be less threat from viruses, pop-ups, etc.
Testing Implementation of Policy n A wise manager will not impose something new on employees without checking first that it is WORKABLE pilot with a small group first… get feedback… learn lessons… make changes (if needed) devise a PLAN for roll out across the organisation
Selling the new procedures n Most policies implemented on a departmental basis job of enforcement may be through departmental line managers n To enforce a policy, line managers must be able to understand it! first stage should be EDUCATION of the managers will be time issues, so centrally managed
Selling the Policy n Once the penny drops, managers will be aware it will mean changes to working practices… need to assure about training need be assured that it is worth doing: »for the individual employee »for the department »for the whole organisation
Reviewing the Policy/Procedures n If the problem is understood at a conceptual level… POLICY changes shouldn’t be necessary n However… security technology does not stand still! PROCEDURES may need to be revised… »every year? every six months? »whenever a new threat becomes apparent? »balance!!
Cost of Losing Organisational Data… n Plenty of data around to supporting the observation that organisations have been leaking data for years actual problem has to be worse… could be far worse… not all data losses ever get reported! n Is there is a cost to the organisation of losing their data? can a figure be put on this cost?
What about Losing Personal Data? n Same systemic failures and potential cover-ups as for organisation data… n Direct cost to the organisation probably regarded as very low? why? public reaction to loss? is all personal data equal?
Cost of tightening up Information Security n Human time/cost associated with new procedures completing new documentation re-educating and re-training staff to make best use of new procedures n Cost of deploying new technology purchase installation day-to-day management
Indirect Costs of Losing Data (many, overlooked…) - 1 n Cost of falling foul of the law… time spent in court Fines n Cost of bad publicity public embarrassment & loss of credibility making statements explaining how it wasn’t as bad as reported stock market price may fall…
Indirect Costs of Losing Data (many, overlooked…) - 2 n Cost of losing respect of customers send their personal data (and custom) elsewhere n Cost of losing respect of business partners find someone they can trust with their data n Cost of business insurance perceived as higher risk premiums more expensive n Others?
Differences in Organisations and approach to Data n Is there a difference? If strategic business data is lost, with no back up »cannot do new business »cannot fulfil existing business »the business will fold If public organisation data is similarly lost »service level drops or becomes zero »ICO must be informed »people get angry, write to media »public sector body gets lots of bad publicity »system gets patched up and limps on »…»…»…»…
Differences in Personal Data between Public & Private Sectors - 2 n A business losing personal data usually does nothing if information leaked to the media… »need a “brand management procedure” in place »can (e.g. Virgin media) be taken to court n HMRC’s huge (26 million) records loss in 2007 changed govt approach result: media ALWAYS must report a public sector data loss Hefty fines for repeat offenders…
Differences in Personal Data between Public & Private Sectors - 3 n Small businesses “light touch” by Information Commissioner currently don’t have to declare data breach unless a telco All this bout to change as EU law catches up with US Law on data breaches… »public/private sector breaches may get equal treatment (fines?) »this won’t come into full force until the start of 2018
The Concept of “Value” of Data n People don’t look after what they perceive not to have any value… n If organisational and personal data given intrinsic monetary value… employees might look after it better? businesses might wish to protect data as a monetary asset in its own right?
Economics of Information Security n Academic research area seeking to produce economic models for organisations to attribute value to data n Back to basics of Information Security: Confidentiality – relationship between confidentiality & intrinsic value? Integrity – very difficult to quantify Availability – if loss of particular data: »causes system failure »puts the business temporarily out of business »Must have intrinsic value
Value of Business Data n More success to date with organisational data that affects business availability than with personal data... can put a monetary value on loss to the organisation of e.g. »a day’s lost production »a 10% fall in share price If customer details are leaked, who cares??? »members of the public? »The Information Commissioner… »would this affect: n the business’s availability in the market place n the business’s share price?
Further Research n Prediction of contents of 2015/16 GDPR n protection-law-to-arrive-in- 2015/article/395142/ protection-law-to-arrive-in- 2015/article/395142/ protection-law-to-arrive-in- 2015/article/395142/ n Information Commissioner’s current website – huge collection of documents: