COMP3357 Managing Cyber Risk


1 COMP3357 Managing Cyber Risk
Richard Henson University of Worcester Jan/Feb 2019

2 Week 2: Developing an Information Security Management System (ISMS)
Objectives:
- Explain why security is a process that needs managing, and not just something that can be "bought"
- Explain the term ISMS and how it relates to information security policy
- Explain the standards an organisation can aspire to as it develops its security controls and its ISMS

3 Management of Information Security
SHOULD BE... an organisation-wide, top-down approach to systematically managing information, summarised in a policy.
Priorities:
- the value of each type of information and its importance for business continuity
- the need to evolve protection in a dangerous and fast-moving environment

4 (mis…) Management of Information Security
OR: "That's another fine mess..."
Typically, (senior) management, accustomed to the spoken or written word and to physical objects, may see security as a "thing" (!) or just as an "IT matter" (!!!)

5 Elements of the Process
- Risk: the potential for loss (here, loss of data), assessed as the likelihood of an incident combined with its impact
- Risk (threat) agent: a person or thing, outside or inside the organisation, that could cause a data breach
- Vulnerability: a weakness in the system that gives an agent a way in and lets the breach happen
- Threat: a potential event in which an agent exploits a vulnerability and causes the loss
(The slides say "risk agent" where most risk-management texts say "threat agent"; the meaning is the same.)

6 Why do Organisations find Cyber Security difficult?
- Each organisation is different: each has its own unique way of handling information!
- They can't just copy each other: even with "off the shelf" software, each may well use it in its own way
- At least one employee needs to be given responsibility and training before they can start

7 Why can't they just outsource the whole thing?
- Management misconception: data has no value
- This week's theme: security is a process, not a "thing"
- The US government realised many years ago that security can't be "done" once and then forgotten
- Problem: it took them a long time to admit that!

8 How can an ISMS help?
- ISMS = a system for managing information security in an organisation; one should be in place in every organisation
- Many still see information/cyber security as something they can just spend a little money on now and then
- A system needs an annual budget to run it!

9 Developing an ISMS
- Stage 1: senior management accepts responsibility, which means accepting that they need an information security policy
- Next stage: write the policy!
- Then, to implement the policy successfully, a system needs to be in place
- Someone to manage the system? Known as a CISO (Chief Information Security Officer)

10 Risk-based approach to Management of Security…
Important to:
- identify the risk agents, and the vulnerabilities of the system that make a threat possible
- mitigate the risk:
  - use IT professionals to close down the vulnerabilities and stop the threat being realised
  - use HR to train employees so they don't accidentally put data at risk

11 Value of Business Data
- More success to date with organisational data that affects business availability than with personal data: one can put a monetary value on the loss to the organisation of, e.g., a day's lost production or a 10% fall in share price
- If customer details are leaked, who cares??? Members of the public? The Information Commissioner?
- Would this affect the business's availability in the marketplace, or the business's share price?

12 Types of Data used by Organisations (1)
- Administration: internal-use information; information sent to government bodies
- Customer and supplier information: customer information is PERSONAL data, and some of it is SENSITIVE (GDPR: "special category") data; both are protected through the Data Protection Act (since 2018, the DPA 2018 together with the GDPR)

13 Types of Data used by Organisations (2)
- Transaction information: regarded as financial data; for regulated firms it is subject to Financial Conduct Authority rules (and card payments fall under PCI DSS, see later)
- Management decision-making information: internal use only
- System data

14 Fixing Digital Security…
- Set up process(es) involving (led by?) top-level management
- Identify risks, threats, vulnerabilities...
- Put together a top-level information security policy!!!
- See to it that the policy is enforced throughout the organisation

15 Risk, Threat, Vulnerability…?
Group exercise (ass1):
- what are the risks (to data)?
- what are the vulnerabilities (of the system)?
- what are the threats (internal/external influences)?

16 Who are the "stakeholders" in organisational Information Security?
Who should be responsible for what? (No responsibility... no accountability.)
Exercise again, in groups...

17 Stakeholders
A number of jobs involve security of data in one way or another, e.g.:
- Data Controller (Data Protection Act)
- Head of Personnel/HR
- Department Heads (especially Finance)
Who should bear the responsibility / carry the can?? An ISO27001 requirement… tion/iso-survey.htm

18 Information Assurance (IA)
- A term introduced by the US government to acknowledge that 100% information security was no longer possible
- IA is strategic: a policy and a set of organisational processes to manage information security effectively
- An ISMS is largely operational: putting policies into practice and checking the practice

19 Start at the top… an Information Security Policy
- Information is so important to organisations that security of information should be central to the organisation's strategic plan, and therefore part of organisational policy
- Problem: organisations (especially small ones) are very reluctant to do this

20 How can organisations be encouraged to have a policy?
Over to you again…

21 Forcing an Information Security Policy…
- Now a commercial imperative for anyone doing large-scale online business, thanks to the PCI DSS requirements
- Other information assurance schemes require one too (e.g. ISO27001, COBIT, IASME)
- More rigorously enforced by the ICO
- Logic: base the IS policy on the existing organisational strategy, then implement it tactically and operationally through the organisational structure

22 GDPR and Organisational Responsibility
One of the changes from the DPA announced with GDPR. Quote: "An in-house Data Protection Officer (DPO) role for organisations that require regular and systematic monitoring of peoples' personal data on a large scale"

23 Role of DPO (Data Protection Officer)
Needed under GDPR (Article 37) if the organisation's "core activities" either:
- consist of processing operations which, "by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale"; or
- consist of processing on a large scale of "special categories of data" or "data relating to criminal convictions and offences"
(A DPO is also mandatory for public authorities and bodies, whatever their activities.)
Estimate: an additional … DPOs will be needed across the EU to cover this (!)

24 An ISMS that is "fit for purpose"
- The organisation needs to know (or acknowledge, through the work of an analyst) all aspects of how its data is managed
- This requires an understanding of its processes and the data associated with them; it can then identify data flows, data stores, etc.
- Risk assessment is essential: rate the importance of each, and determine how much effort is needed to protect each data flow, data store, etc.
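The last bullet is the step that decides where money goes, so it helps to see the arithmetic behind it. The following is an added example (not part of the lecture slides) of a quantitative risk register: each data flow or store gets a single-loss expectancy (SLE, pounds per incident) and an annual rate of occurrence (ARO), the annualised loss expectancy ALE = SLE x ARO ranks them, and a candidate control is compared against the ALE it removes (return on security investment, ROSI). The asset names, figures and controls are all constructed for illustration; the function names are mine.

```python
"""Quantitative risk register for the risk assessment step of an ISMS.

Added example, not from the lecture slides. Each data flow or data store is
rated with a single-loss expectancy (SLE: pounds lost per incident) and an
annual rate of occurrence (ARO: expected incidents per year). The annualised
loss expectancy ALE = SLE * ARO ranks the assets; a control is worth funding
when the ALE it removes exceeds its annual cost (return on security investment,
ROSI). Every asset, figure and control below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    category: str      # personal / sensitive / financial / system (slides 12-13)
    sle: float         # single-loss expectancy, pounds per incident
    aro: float         # expected incidents per year

    @property
    def ale(self) -> float:
        """Annualised loss expectancy: the expected yearly cost of doing nothing."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    applies_to: frozenset   # names of the assets this control protects
    aro_reduction: float    # fraction of incidents the control prevents, 0..1


# Constructed register: the SLE for order processing is a day's lost trading
# (slide 11); the SLE for the customer database bundles an estimated ICO fine
# and lost customers. The numbers are illustrative, not measured.
ASSETS = [
    Asset("customer-db", "personal", sle=120_000, aro=0.25),
    Asset("order-processing", "financial", sle=20_000, aro=2.0),
    Asset("hr-records", "sensitive", sle=64_000, aro=0.125),
]

CONTROLS = [
    Control("security-awareness-training", 5_000,
            frozenset({"customer-db", "hr-records"}), aro_reduction=0.5),
    Control("hot-standby-order-server", 60_000,
            frozenset({"order-processing"}), aro_reduction=0.75),
    Control("patch-management", 10_000,
            frozenset(a.name for a in ASSETS), aro_reduction=0.5),
]


def prioritise(assets):
    """Assets in descending order of ALE: where protection effort goes first."""
    return sorted(assets, key=lambda a: a.ale, reverse=True)


def annual_benefit(control, assets):
    """ALE removed by the control across the assets it applies to."""
    return sum(a.ale * control.aro_reduction
               for a in assets if a.name in control.applies_to)


def rosi(control, assets):
    """Return on security investment: (benefit - cost) / cost."""
    benefit = annual_benefit(control, assets)
    return (benefit - control.annual_cost) / control.annual_cost


def select_controls(controls, assets):
    """Controls that pay for themselves (ROSI > 0). The rest need another
    justification, e.g. a legal, contractual or business-continuity requirement."""
    return [c for c in controls if rosi(c, assets) > 0]


if __name__ == "__main__":
    for a in prioritise(ASSETS):
        print(f"{a.name:20} {a.category:10} ALE = {a.ale:>10,.0f}")
    for c in CONTROLS:
        print(f"{c.name:30} ROSI = {rosi(c, ASSETS):+.2f}")
    print("fund:", [c.name for c in select_controls(CONTROLS, ASSETS)])
```

On the constructed figures the order-processing flow ranks first (ALE 40,000), awareness training and patch management pay for themselves, and the hot-standby server does not (ROSI -0.5). Two caveats a practitioner would add: the model is only as good as the SLE and ARO estimates, which is exactly the difficulty slide 11 raises for personal data; and a negative ROSI does not settle the matter, since an availability control may still be required for business continuity or by contract.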

25 International Standard for IA and ISMS (ISO 27001)
- Developed in the UK as BS 7799 before the millennium (!)
- Became international in 2005: BS 7799-2 became ISO/IEC 27001:2005 (the companion code of practice became ISO/IEC 17799, now ISO/IEC 27002)
- Revised in 2013 (and again in 2022, after this lecture was given)
- Regarded as the "gold standard"
- A large share of the certificates issued worldwide has historically been held in Japan (!) (see the annual ISO Survey)

26 Information Assurance Standards and Certification
- ISO27001 lists over 100 controls (114 in Annex A of the 2013 edition)
- Unless an exclusion is explicitly stated and justified (in the Statement of Applicability), every control is assumed to be needed
- Risk assessment is needed: no point spending money on controls where they are not needed, but exemptions must be justified
- Other information assurance standards have been developed to encourage appropriate ISMS development and use

27 PCI DSS: Approach to Security Controls; less focus on ISMS
- Scheme devised by the card brands (Visa, Mastercard, etc., through the PCI Security Standards Council) and enforced contractually through the acquiring banks
- Guidelines for a number of years...
- Now, with v3, a sting in the tail for the SME: heavy fines possible (levied via the acquirer), and merchant facilities can be refused
- Will affect small businesses WORLDWIDE selling online directly to consumers

28 Requirements for PCI DSS compliance? (1)
12 requirements (11 technical, 1 policy); numbering as in v3:
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs

29 What is needed for PCI DSS compliance? (2)
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for employees and contractors

30 PCI DSS issues
- Is it realistic? Is it essential?
- How can it be policed? (Most small merchants attest via a Self-Assessment Questionnaire rather than an on-site assessment, so enforcement largely happens after a breach.)
Discussion in groups...

31 IASME
- Standard developed for UK SMEs, on the same basic principles as ISO27001
- Emphasis on risk assessment to reduce the controls actually needed
- Requires some scrutiny of an organisation's processes
- More streamlined than ISO27001, so more relevant to SMEs
- A number of templates available to help with policy and procedure development

32 IASME & Cyber Essentials
- IASME potentially uses 100+ controls, but is designed to be more SME-friendly
- BUT... ISMS development is tricky for SMEs
- Cyber Essentials was introduced by the UK government (now run by the NCSC, part of GCHQ) and is now a minimum for many government contracts: a useful starting point!
- BUT it requires only 5 controls (firewalls, secure configuration, user access control, malware protection, patch management), all essentially technical
- No formal requirement for an IS policy, though some documented process is expected; it encourages thinking about policy, procedures and an ISMS

33 The Costs of securing data
- Hardware/software cost: fixed and easily determined
- Human resource cost: the cost of an information security "supremo"; the cost to the organisation of using staff to implement and enforce data security procedures (more difficult to quantify); the cost of testing employees' knowledge and retraining them

34 Costs of Securing Data
- Isolated LAN, with no internet connectivity: no need to worry about data in and out via the Internet, so less stringent procedures may be needed/enforced; but employees could still mess up or steal data
- LAN connected to the Internet, holding "secret" data: highly rigorous procedures, applied frequently; very expensive
- LAN connected to the Internet, no real secrets (political or commercial): a less frequent cycle and less exhaustive procedures; much cheaper

35 The Costs of Data Breach?
Groups again…

36 The Costs of Data Breach
- People not able to work
- Organisation not able to communicate effectively with customers
- Embarrassment of reporting in the media; loss of reputation
- Fines, etc., by the FCA or ICO
- Fall in stock market price
- Increase in insurance premiums
- Not getting future contracts

37 How achieving an Information Assurance "badge" could help with implementing policy…
- Whatever the business: any new work has a cost, and that cost needs to be quantified
- More cost means less profit... so what is the ROI of achieving a high level of information security?
- The badge can be used to impress (potential) customers

38 Potential Financial Benefits of Information Assurance?
Need to be sold to senior management:
- less risk of losing valuable (even strategically important) data
- less likely to suffer embarrassing leaks, which could even reach the media (!)
- less likely to fall foul of the law (!)
Evidence from an ever-growing set of examples of businesses that have suffered both of the above: lost customers AND a share price drop

39 Break

40 Reality of Information Security Policy?
Colleagues conducted a study (2009): about 60% of businesses had a policy, consistent with a government-funded survey the previous year. BIG PROBLEM!

41 What is Policy?
- A series of statements: what the organisation would like to do, and aspires to do
- Not effective until implemented!
- What would an organisation like to do about security? Over to you!

42 Policy and System! Where to start?
- What others have done?
- What advisers advise?
- Use a template and change the name?
Writing policy is easy... writing a policy capable of implementation is the difficult bit!

43 Policy and the SME (like Ticketmania or FixDomestic):
- Why do they need an information security policy?
- Who would write it? Who would approve it?
Over to you... Remember, it needs to be capable of implementation!

44 Policy and Technology
- Policy implementation is always a headache for organisations: it requires employee training and may cause employee unrest
- Technologies can be used to implement policies; the degree of success depends on communication of the policies (and WHY!) and on understanding of the technologies

45 Creating a Policy
- Same principles apply as with ANY change in organisational policy: it MUST come from the top!!!
- Possible implementation issues also need to be identified and communicated to employees
- Problem: senior management generally don't understand IT, so are unlikely to want to stand in front of employees and discuss it... wheel an "expert" in?

46 Information Security Policy matters
- Threats... who will quantify them? Head of IT (or outsourcer)? External consultant? Both?
- Who will suggest strategies to mitigate those threats? As above?
- Who will make the policies? Senior management (with guidance...)

47 Managing Information Security as a Process
First step:
- identify all systems that carry information and decide what controls are in place to protect them
- test those controls for potential security breaches
- identify what has been forgotten
- secure as appropriate through further controls
Next step: once secure, develop a strategy to MANAGE this process over time, and implement that strategy

48 Information Security Strategy: Where to start?
- Can't START with technology: need to start with the ISSUES that need addressing; the policy to address them should follow
- Should be primarily "top down", concerned with policies, not technical matters; can be supplemented by a "bottom up" approach

49 IT Manager, and Implementation
- Needs to be able to do it right... likely to need a big budget!
- Big responsibility on the IT manager to convince senior management:
  - that the policy (change) really is necessary!
  - that the organisation won't suffer financially from making it
  - of the consequences of NOT changing

50 Going beyond Creating a Policy…
- According to the latest figures, many businesses now say they DO have an information security policy
- Big questions: is it implemented??? Will it be? By when?
- One possible approach: implement it by working towards ISO27001, PCI DSS, IASME or another information assurance standard

51 Information Security Management
- Overseeing implementation of the policy will be never-ending!
- Can't begin to evolve into an ISMS until the policy has been agreed and signed off

52 Policy… making a start (1)
- Produce a draft of what is needed
- Think how that could be put into action: a set of agreed procedures to protect data
- Accept that administering them is an organisational-level matter
- Acknowledge the iterative nature of checking implementation, and agree a rate of iteration (e.g. yearly)
- Now have the makings of a policy with an ISMS: the first stage towards ISO27001 (if they wish)

53 Making a start (2)
- Appoint someone with institutional responsibility, in control of the policy-making and its evolution
- This role should NOT be outsourced!
- They need to provide advice and expertise, and implement procedures
- They need a realistic budget that takes into account the resource and human cost

54 Information Security Procedures
In groups, discuss:
- possible procedures the organisation could set up
- how expensive such procedures might be to implement
- how "realistic" procedures could be laid out in a policy

55 Writing that Policy (1)
Written as a "Management Report" (e.g. …). Should be agreed by the SMT and reflect:
- their objectives for security of information (top-down)
- the strategy for achieving those objectives
Requires liaison to find out what is feasible

56 Writing… (2)
Why not just buy a "security-policy-in-a-box"? The SMT won't have the time! It needs to be explained in detail by a security professional; once understood, it needs to be formally agreed upon by the SMT.

57 Writing… (3)
Even if it WERE possible for management to endorse an off-the-shelf policy, it is not the right approach: the aim is to teach management how to think about security, and their organisation is unique!

58 Writing… (4)
First step should be to find out how management views security. A security policy is a set of management mandates; "top-down" alone only provides requirements for the security professional to obey, which is too restricting without liaison first (it needs some "bottom-up" input).

59 Writing (5)
As a result of discussion with the SMT, develop a top-level IS policy: it includes all the topics for policy, but does not break them down into the sort of detail needed for implementation.
Example: top level …
Example: PCI DSS …

60 Writing (6): What to include…
- What are your security objectives, and how do you measure them?
- What types of information do you handle, and how do the different types of information need to be protected?
- How do you assess risks and select security controls?

61 What to include… cont
- How do you manage and report incidents, and learn from them?
- Who is responsible for security?
- What is acceptable employee use of the Internet and other communication channels?

62 Writing (7)
To implement a top-level policy, you need to liaise with the relevant staff and create operational policy, e.g. acceptable passwords, e.g. acceptable use of …
Operational policies can be shared with employees during a training session, not just in an … with a link (!)
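"Acceptable passwords" is a good illustration of the gap between a top-level statement and an operational policy: "passwords must be strong" cannot be implemented, whereas a short list of checkable rules can. The following is an added example (not from the lecture slides) of an operational password policy written as code, so that the same rules can be applied at enrolment and re-checked later in an audit. The thresholds, rule names, denylist and sample passwords are all constructed for illustration; a real deployment would use a full breached-password list and follow NCSC password guidance rather than these assumed values.

```python
"""An operational password policy expressed as executable rules.

Added example, not from the lecture slides. The top-level policy can say only
"passwords must be strong"; that is not implementable until someone writes
down concrete rules that can be checked. The thresholds, rule names and the
small denylist below are constructed for illustration; a real deployment
would check against a full breached-password list and follow NCSC password
guidance rather than these invented values.
"""
import unicodedata

MIN_LENGTH = 12          # operational rule, assumed value
MIN_DISTINCT_CHARS = 4   # rejects "aaaaaaaaaaaa"-style padding

# Constructed denylist; real lists run to hundreds of millions of entries.
DENYLIST = {"password", "qwerty123", "letmein", "welcome1", "iloveyou",
            "123456789012", "admin"}

# Characters people bolt on to the end of a denylisted word to "fix" it.
_TRAILING = "0123456789!?.,;:@#$%^&*-_+=~"


def _normalise(text: str) -> str:
    """Case- and Unicode-insensitive comparison ("PASSWORD" == "password")."""
    return unicodedata.normalize("NFKC", text).casefold()


def is_common(password: str) -> bool:
    """True if the password, or the password minus a trailing run of digits
    and punctuation ("Password1!"), is on the denylist."""
    normalised = _normalise(password)
    return normalised in DENYLIST or normalised.rstrip(_TRAILING) in DENYLIST


def contains_username(password: str, username: str) -> bool:
    """Rejects passwords built from the account name (case-insensitively)."""
    return len(username) >= 3 and _normalise(username) in _normalise(password)


def check_password(password: str, username: str) -> list:
    """Return the names of the rules a candidate password breaks (empty = OK)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too-short")
    if is_common(password):
        failures.append("common-password")
    if contains_username(password, username):
        failures.append("contains-username")
    if len(set(password)) < MIN_DISTINCT_CHARS:
        failures.append("too-few-distinct-characters")
    return failures


def compliance_report(attempts) -> dict:
    """Summarise an audit of (username, candidate) pairs: the
    'checking the practice' half of an ISMS (slide 18)."""
    results = {user: check_password(pw, user) for user, pw in attempts}
    compliant = sum(1 for fails in results.values() if not fails)
    return {"checked": len(results), "compliant": compliant, "failures": results}


# Constructed sample of candidate passwords a policy check might see.
SAMPLE = [
    ("alice", "Password1!"),
    ("bob", "correct horse battery staple"),
    ("carol", "carol-likes-long-walks-2019"),
    ("dave", "aaaaaaaaaaaaaa"),
]

if __name__ == "__main__":
    report = compliance_report(SAMPLE)
    print(f"{report['compliant']}/{report['checked']} compliant")
    for user, fails in report["failures"].items():
        print(f"{user:6} {'OK' if not fails else ', '.join(fails)}")
```

On the constructed sample only bob's passphrase passes; alice's "Password1!" trips both the length rule and the denylist (the trailing "1!" is stripped before the lookup). The rules are deliberately length-and-denylist based rather than composition rules (one upper, one digit, one symbol), which NCSC guidance advises against because they push users towards predictable patterns; the point for the ISMS is that each rule name is something the SMT can read and agree, while IT owns the predicate behind it.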

63 Economics of Information Security
- An academic research area that seeks to produce economic models for organisations to attribute value to data
- Back to the basics of information security:
  - Confidentiality: what is the relationship between confidentiality and intrinsic value?
  - Integrity: very difficult to quantify
  - Availability: if loss of particular data causes system failure and puts the business temporarily out of business, that data must have intrinsic value

