Presentation is loading. Please wait.

Presentation is loading. Please wait.

Richard Henson University of Worcester February 2018

Published byFrank Hudson Modified over 6 years ago

Similar presentations

Presentation on theme: "Richard Henson University of Worcester February 2018"— Presentation transcript:

1 Richard Henson University of Worcester February 2018
COMP3371 Cyber Security Richard Henson University of Worcester February 2018

2 Week 2: Developing an Information Security Management System (ISMS)
Objectives: Explain why security is a process, and not just something that can be “bought” Explain the term ISMS and how it relates to information security policy Explain the standards an organisation can aspire towards as it develops security controls and its ISMS

3 Why do Organisations find Cyber Security difficult?
Each organisation is different each has its own unique way of handling information! Can’t just copy each other… even with “off the shelf” software may well use it in their own way At least one employee needs to be given responsibility & training before they can start…

4 Why can’t they just outsource the whole thing?
Last week’s management misconception: data has no value This week: security is a process not a “thing” US gov realised many years ago that security can’t be “done”… Problem: took them a long time to admit that!

5 How can an ISMS help? ISMS = system for managing information security in an organisation should be in place for all organisations Many still see information/cyber security as something they can just spend a little money on now and then annual budget needed to run a system!

6 Developing an ISMS Stage 1: senior management accepts responsibility
that means accepting they need an information security policy Next stage is to write the policy! then to implement policy successfully, a system needs to be in place

7 Information Assurance (IA)
A term introduced by US government to acknowledge that 100% information security was no longer possible… IA is strategic… Policy and set of organisational processes to effectively manage information security ISMS is largely operational putting policies into practice and checking the practice

8 An ISMS that is “fit for purpose”
Organisation needs to know… [or acknowledge through the work of an analyst] all aspects of how data is managed Requires an understanding of processes and associated data can then identify data flows, storage, etc… risk assessment essential (importance of each…) determine how much effort is needed to protect each of the data flows, data stores, etc. …

9 International Standard for IA and ISMS (ISO 27001)
Developed in UK as BS7799 before the millennium (!) Became International in 2005 revised in 2013 regarded as the “gold standard” 80% of certificates held in Japan (!)

10 Information Assurance Standards and Certification
ISO27001 lists over 100 controls unless explicitly stated/justified, assumes all controls are needed risk assessment needed… no point spending money on controls where they are not needed but exemptions need justifying… Other information assurance standards have been developed to encourage appropriate ISMS development and use

11 PCI DSS: Approach to Security Controls; less focus on ISMS
System devised by Credit Card Companies (i.e. banks…) Guidelines for a number of years… Now with v3 a sting in the tail for the SME heavy fines possible can be refused business merchant facilities… Will affect small businesses WORLDWIDE selling online directly to consumers

12 Requirements for PCI DSS compliance? (1)
12 controls (11 Technical) Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks Use and regularly update anti-virus software or programs

13 What is needed for PCI DSS compliance? (2)
Develop and maintain secure systems and applications Restrict access to cardholder data by business need-to- know Assign a unique ID to each person with computer access Track and monitor all access to network resources and cardholder data Regularly test security systems and processes Maintain a policy that addresses information security for employees and contractors

14 PCI DSS issues Is it realistic? Is it essential?
How can it be policed? Discussion in groups…

15 IASME Standard developed for UK SMEs same basic principles as ISO27001
emphasis on risk assessment to reduce controls actually needed requires some scrutiny of an organisation’s processes more streamlined than ISO27001 more relevant to SMEs number of templates available to help with policy and procedure development

16 IASME & Cyber Essentials
IASME potentially uses 100+ controls… designed to be more SME friendly BUT.. ISMS development tricky for SMEs… GCHQ introduced Cyber Essentials now a minimum for government contracts useful starting point! BUT requires only 5 controls… all essentially technical no formal requirement for an IS policy some documented process expected… encourages thinking about policy, procedures, ISMS

17 Break

18 Reality of Information Security Policy?
Colleagues conducted a study (2009): about 60% of businesses had a policy consistent with a government-funded survey the previous year BIG PROBLEM!

19 What is Policy? A series of statements… what the organisation would like to do, and aspires to do not effective until implemented! What would an organisation like to do about security... Over to you!

20 Policy and System! Where to start Writing policy is easy…
What others have done? What advisers advise? Use a template and change the name? Writing policy is easy… writing a policy capable of implementation is the difficult bit!

21 Policy and the SME (like Ticketmania or FixDomestic):
Why do they need an information security policy? Who would write it? who would approve it Over to you… Remember it needs to be capable of implementation?

22 Policy and Technology Policy implementation always a headache for organisations to implement requires employee training may cause employee unrest Technologies can be used to implement policies degree of success in the latter depends on: communication of policies (and WHY!) understanding of technologies

23 Creating a Policy Same principles apply as with ANY change in organisational policy MUST come from the top!!! Possible implementation issues also needs to be: identified communicated to employees Problem: Senior Management generally don’t understand IT… unlikely to want to stand in front of employees and discuss… wheel an “expert” in?

24 Information Security Policy matters
Threats… who will quantify? Head of IT? (or outsourcer) External Consultant? both? Who will suggest strategies to mitigate against those threats? as above? Who will make the policies? Senior Management (with guidance…)

25 Managing Information Security as a Process
First step… identify all systems that carry information and decide what controls are in place to protect them test those controls for potential security breaches identify what has been forgotten secure as appropriate through further controls Next step: once secure, develop a strategy to MANAGE this process over time... implement that strategy

26 Informatiom Security Strategy: Where to start?
Can’t START with technology need to start with ISSUES that need addressing policy to address them should follow Should be primarily “top down” concerned with policies, not technical matters… can be supplemented by “bottom up” approach

27 IT Manager, and Implementation
Needs to be able to do it right… likely to need a big budget! Big responsibility on the IT manager to convince senior management: that the policy (change) really is necessary! that the organisation won’t suffer financially the consequences of NOT changing

28 Going beyond Creating a Policy…
According to the latest figures, many now businesses say they DO have an information security policy big questions… is it implemented??? will it be? by when? One possible approach… implement through getting ISO27001, PCI-DSS, IASME or other information assurance standard

29 Information Security Management
Oversee implementation of policy will be never ending! Can’t begin to evolve into an ISMS until policy has been agreed and signed off…

30 Policy… making a start (1)
Produce a draft… what is needed Think how that could be put into action… set of agreed procedures to protect data accept that administering them is an organisational level matter acknowledge the iterative nature of checking implementation & agree a rate of iteration (e.g. yearly) Now have the makings of policy with ISMS first stage towards ISO27001 (if they wish?)

31 Making a start (2) Appoint someone with institutional responsibility
in control of the policy-making, and evolution Role should NOT be outsourced! need to provide advice, expertise, implement procedures need realistic budget that takes into account the resource and human cost…

32 GDPR and Organisational Responsibility
Some of the changes from DPA when GDPR was announced Quote: “An in-house Data Protection Officer (DPO) role for organisations that require regular and systematic monitoring of peoples’ personal data on a large scale”

33 Role of DPO Needed under GDPR if
“core activities” consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;” or consist of processing on a large scale of “special categories of data” or “data relating to criminal convictions and offences.” Estimation: an additional DPOs will be needed across the EU to cover this (!)

34 The Costs of securing data
Hardware/software cost fixed and easily determined Human resource cost cost of Information Security supremo cost the organisation of using staff to implement and enforce data security procedures more difficult to quantify cost of testing knowledge off/retraining employees

35 Costs of Securing Data Isolated LAN, with no internet connectivity
no need to worry about data in and data out via the Internet less stringent procedures may be needed/enforced employees could still mess up or steal data LAN connected to the Internet: “secret” data? highly rigorous procedures, implemented frequently – very expensive no real secrets (political or commercial) more infrequent cycle, less exhaustive procedures much cheaper…

36 The Costs of Data Breach?
Groups again…

37 The Costs of Data Breach
People not able to work… Organisation not able to communicate effectively with customers… Embarrassment of reporting in the media loss of reputation Fines, etc., by FCA or ICO Fall in stock market price Increase in insurance premiums Not getting future contracts…

38 Information Security Procedures
In groups, discuss: possible procedures the organisation could set up… how expensive such procedures might be to implement… how “realistic” procedures could be laid out in a policy…

39 Writing that Policy (1) Written as a “Management Report” e.g.
Should be agreed by SMT and reflect: their objectives for security of information top-down… strategy for achieving those objectives requires liaison to find out what is feasible

40 Writing… (2) Why not just buy a “security-policy-in-a-box” ? SMT won’t have the time! needs to be explained in detail by a security professional once understood… needs to be formally agreed upon by SMT

41 Writing… (3) Even if WAS possible to for management to endorse an off-the-shelf policy… not the right approach to attempt to teach management how to think about security! their organisation is unique!

42 Writing… (4) First step should be to find out how management views security security policy… set of management mandates “top-down” only provides requirements for the security professional to obey… too restricting without liaison first… (needs some “bottom-up” input

43 Writing (5) As a result of discussion with SMT… Example: top level
Develop top-level IS policy Includes all topics for policy, but does not break them down into the sort of detail needed for implementation Example: top level Example PCI-DSS:

44 Writing (6): What to include…
What are your security objectives, and how do you measure them? What types of information do you handle, and how do the different types of information need to be protected? How do you assess risks and select security controls?

45 What to include… cont How do you manage and report incidents, and learn from them? Who is responsible for security? What is acceptable employee use for Internet, and other communication channels?

46 Writing (7) To implement a top level policy…
need to liaise with relevant staff and create operational policy e.g. acceptable passwords e.g. acceptable use of Operational policies can be shared with employees during a training session… not just an with link… (!)

47 How achieving a Information Assurance “badge” could help with implementing policy…
Whatever the business: any new work will have a cost that cost needs to be qualified More cost means less profit… what is the ROI of achieving a high level of information security? badge can be used to impress (potential) customers

48 Potential Financial Benefits of Information Assurance?
Need to be sold to senior mgt… less risk of losing valuable (even strategically important…) data less likely to get embarrassing leaks, which could even get to the media (!) less likely to fall foul of the law (!) Evidence from an ever growing set of examples of businesses who have done both of the above lost customers AND share price dropped…

Download ppt "Richard Henson University of Worcester February 2018"

Similar presentations

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.
Complying With Payment Card Industry Data Security Standards (PCI DSS)

Complying With Payment Card Industry Data Security Standards (PCI DSS)
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.

PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.
Jeff Williams Information Security Officer CSU, Sacramento

Jeff Williams Information Security Officer CSU, Sacramento
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.

Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
Why Comply with PCI Security Standards?

Why Comply with PCI Security Standards?
Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard
Network security policy: best practices

Network security policy: best practices
Payment Card Industry Data Security Standard (PCI DSS) By Roni Argetsinger 515-237-5007.

Payment Card Industry Data Security Standard (PCI DSS) By Roni Argetsinger
An Introduction to PCI Compliance. Data Breach Trends About PCI-SSC 12 Requirements of PCI-DSS Establishing Your Validation Level PCI Basics Benefits.

An Introduction to PCI Compliance. Data Breach Trends About PCI-SSC 12 Requirements of PCI-DSS Establishing Your Validation Level PCI Basics Benefits.
Your cybersecurity breach will happen! Here’s what to do to mitigate your risk Thursday, 25 September 2014.

Your cybersecurity breach will happen! Here’s what to do to mitigate your risk Thursday, 25 September 2014.
PCI: As complicated as it sounds? Gerry Lawrence CTO

PCI: As complicated as it sounds? Gerry Lawrence CTO
Information Assurance Market Research June 2009. Executive Summary Small response rate (n=43) General low awareness of information security controls and.

Information Assurance Market Research June Executive Summary Small response rate (n=43) General low awareness of information security controls and.
PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.

PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.
SMEs: Why Information Assurance is Important Richard Henson Worcester Business School November 2012.

SMEs: Why Information Assurance is Important Richard Henson Worcester Business School November 2012.
Data Security and Payment Card Acceptance Presented by: Brian Ridder Senior Vice President First National September 10, 2009.

Data Security and Payment Card Acceptance Presented by: Brian Ridder Senior Vice President First National September 10, 2009.
Information Security 2013 Roadshow - PCI. Roadshow Outline  What IS PCI  Why we Care about PCI  What PCI Means to You and Me.

Information Security 2013 Roadshow - PCI. Roadshow Outline  What IS PCI  Why we Care about PCI  What PCI Means to You and Me.
ThankQ Solutions Pty Ltd Tech Forum 2013 PCI Compliance.

ThankQ Solutions Pty Ltd Tech Forum 2013 PCI Compliance.

Similar presentations

Ads by Google