
COMP3371 Cyber Security Richard Henson University of Worcester November 2015.


Slide 2: Week 8: Implementation of a Security Policy
Objectives:
- Explain the importance of having a system for managing information security
- Explain, with examples, the balance of risk against cost in organisational security
- Explain the complexity of deciding whether or not to spend on security
- Identify the important roles in the implementation of an information security policy

Slide 3: Role of Adviser/Consultant after Agreement of Policy
- Putting policy into action is as important as producing the information security policy in the first place
  - organisations often find it difficult to change "from within"
  - this is an important guidance role for the adviser/consultant
    - the role shouldn't stop just because the policy has been agreed and filed...

Slide 4: Role of Adviser/Consultant for Implementation of Policy
- Enforcement of policy is essential...
  - otherwise policy-making is a worthless exercise!
- Enforcement needs procedures
  - agreed at institutional level
  - implemented by departments?
- The adviser's knowledge and experience will be really useful to an organisation developing a secure online facility to meet its strategic business needs

Slide 5: Implementation and Standards
- Why do organisations get accredited to an information assurance standard?
  - the actions required to get accredited ensure...
    - policy implementation processes are in place
    - they are executed through "controls"
    - implementation is cyclical, and lessons are learned from the failure of a control

Slide 6: Implementation of Policy (Technical)
- A matter of operationalising the agreed technologies that CURRENTLY combat a particular threat (the word "currently" matters: see slide 15 on review)
  - e.g. threat (1): unauthorised internal access
    - control: careful choice of parameters in GROUP POLICIES makes sure that Windows network users only have access to the files and services they need (least privilege)
  - e.g. threat (2): unauthorised access via the web
    - control: authenticate a secure site before buying online: check, read and approve the server certificate (does it chain to a trusted issuer, is it within its validity period, and does its name match the site you typed?)
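What "check, read and approve the server certificate" amounts to mechanically, as an added example that is not part of the original slides: the script below uses the openssl command-line tool (assumed installed, version 1.1.x or later, with its default configuration file present) to build a throwaway private CA standing in for a browser's trust store, issue a certificate for the constructed hostname shop.example.test, and then run the three checks a browser makes before trusting a site. It goes slightly beyond the slide by also showing the failure cases: a certificate presented for the wrong hostname, a self-signed impostor for the right hostname, and a certificate evaluated after it has expired. All names, files and the "Demo Root CA" are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original slides. Uses the openssl command-line
# tool (assumed installed, 1.1.x or later) to show what "check the server
# certificate" means mechanically. Every name and file here is constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a private key and certificate signing request for a subject.
# $1 = basename for the files, $2 = common name.
new_request() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# Throwaway private CA that stands in for the browser's trust store.
make_ca() {
    new_request ca "Demo Root CA"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl x509 -req -days 1 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Leaf certificate for a DNS name, issued (signed) by the demo CA.
# $1 = basename, $2 = DNS name placed in subjectAltName.
issue_leaf() {
    new_request "$1" "$2"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" > "$WORK/$1.ext"
    openssl x509 -req -days 1 -in "$WORK/$1.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Self-signed certificate carrying the genuine site's DNS name: an impostor
# whose issuer is not in the trust store, however convincing the name looks.
make_impostor() {
    new_request impostor shop.example.test
    printf 'subjectAltName=DNS:shop.example.test\n' > "$WORK/impostor.ext"
    openssl x509 -req -days 1 -in "$WORK/impostor.csr" -signkey "$WORK/impostor.key" \
        -extfile "$WORK/impostor.ext" -out "$WORK/impostor.pem" >/dev/null 2>&1
}

# The check a browser performs before trusting a site: the chain must end at
# a trusted CA, every certificate must be inside its validity period, and the
# host the user asked for must match a subjectAltName entry.
# $1 = certificate file, $2 = hostname the user typed,
# $3 = optional epoch time to evaluate at (defaults to now). Prints OK or FAIL.
check_cert() {
    _at=${3:-$(date +%s)}
    if openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$2" \
            -attime "$_at" "$1" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

make_ca
issue_leaf shop shop.example.test
make_impostor
# Three days from now: past the one-day validity of every certificate above.
LATER=$(( $(date +%s) + 3 * 86400 ))

echo "genuine cert, name matches:   $(check_cert "$WORK/shop.pem" shop.example.test)"
echo "genuine cert, wrong hostname: $(check_cert "$WORK/shop.pem" pay.example.test)"
echo "self-signed impostor:         $(check_cert "$WORK/impostor.pem" shop.example.test)"
echo "genuine cert, three days on:  $(check_cert "$WORK/shop.pem" shop.example.test "$LATER")"
```

Against a live site, `openssl s_client -connect host:443 -servername host -showcerts </dev/null` shows the chain the server actually presents, and a browser runs the same three checks automatically against its own trust store. The one step no tool can do for the user is confirm that the name being checked is the site the user meant: a lookalike domain with a perfectly valid certificate passes every check above.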

Slide 7: Implementation of Policy (Technical)
- A good consultant will be able to offer useful advice regarding:
  - embedding any new technologies into existing systems as seamlessly and transparently as possible!
  - deriving, from the agreed "tools for the job", a set of procedures that should cover all eventualities...

Slide 8: Implementation of Procedures (People - 1)
- Some procedures will be implemented by IT/networking/back-end staff:
  - applied to ensure the security of servers and of data coming into and leaving the organisation
  - specialist staff, who generally understand why the procedures are needed
- Procedures involving end-user security
  - implemented by ALL staff
    - they must UNDERSTAND the procedures and their crucial importance to the organisation
    - otherwise they will be reluctant to change their habits

Slide 9: Implementation of Procedures (People - 2)
- A set of procedures distributed to end-users by email...
  - will have little effect!
  - people will resent being told to do things differently
  - and will often carry on in their own sweet way...

Slide 10: Implementation of Procedures (People - 3)
- Senior management must also provide the means to enforce policy through "carrot and stick":
  - penalties for not following the procedures
  - rewards for following policy by taking the new procedures on board
- To do this fairly, there needs to be a means of measuring whether an employee is following the new procedures...

Slide 11: Impact at the Operational Level
- New procedures may well affect work practices
  - the impact of each needs to be carefully considered...
- Run a pilot scheme first
  - carefully trialled at operational level...
  - time for retraining realistically assessed
  - accurate capital costing for roll-out
- When the lessons have been learned...
  - sell it positively to staff, i.e.:
    - YES, it does mean learning new procedures
    - BUT there'll be less threat from viruses, pop-ups, etc.

Slide 12: Testing Implementation of Policy
- A wise manager will not impose something new on employees without first checking that it is WORKABLE
  - pilot with a small group first...
  - get feedback...
  - learn lessons...
  - make changes (if needed)
  - devise a PLAN for roll-out across the organisation

Slide 13: Selling the New Procedures
- Most policies are implemented on a departmental basis
  - the job of enforcement may fall to departmental line managers
- To enforce a policy, line managers must be able to understand it!
  - the first stage should therefore be EDUCATION of the managers
  - there will be time pressures, so this should be centrally managed

Slide 14: Selling the Policy
- Once the penny drops, managers will be aware that it will mean changes to working practices...
  - they need to be reassured about training
  - they need to be convinced that it is worth doing:
    - for the individual employee
    - for the department
    - for the whole organisation

Slide 15: Reviewing the Policy/Procedures
- If the problem is understood at a conceptual level...
  - POLICY changes shouldn't be necessary
- However...
  - security technology does not stand still!
  - PROCEDURES may need to be revised...
    - every year? every six months?
    - whenever a new threat becomes apparent?
    - balance!!

Slide 16: Cost of Losing Organisational Data...
- There is plenty of data around to support the observation that organisations have been leaking data for years
  - the actual problem has to be worse...
  - it could be far worse...
  - not all data losses ever get reported!
- Is there a cost to the organisation of losing its data?
  - can a figure be put on this cost?

Slide 17: What about Losing Personal Data?
- The same systemic failures and potential cover-ups as for organisational data...
- The direct cost to the organisation is probably regarded as very low?
  - why?
  - what is the public reaction to the loss?
  - is all personal data equal?

Slide 18: Cost of Tightening up Information Security
- Human time/cost associated with new procedures
  - completing new documentation
  - re-educating and re-training staff to make best use of the new procedures
- Cost of deploying new technology
  - purchase
  - installation
  - day-to-day management

Slide 19: Indirect Costs of Losing Data (many, and often overlooked...) - 1
- Cost of falling foul of the law...
  - time spent in court
  - fines
- Cost of bad publicity
  - public embarrassment and loss of credibility
  - making statements explaining how it wasn't as bad as reported
  - the share price may fall...

Slide 20: Indirect Costs of Losing Data (many, and often overlooked...) - 2
- Cost of losing the respect of customers
  - they send their personal data (and their custom) elsewhere
- Cost of losing the respect of business partners
  - they find someone they can trust with their data
- Cost of business insurance
  - the organisation is perceived as a higher risk
  - premiums become more expensive
- Others?

Slide 21: Differences in Organisations and Approach to Data
- Is there a difference?
  - If strategic business data is lost, with no backup:
    - the business cannot do new business
    - it cannot fulfil existing business
    - the business will fold
  - If public-organisation data is similarly lost:
    - service level drops or becomes zero
    - the ICO (Information Commissioner's Office) must be informed
    - people get angry and write to the media
    - the public sector body gets lots of bad publicity
    - the system gets patched up and limps on
    - ...

Slide 22: Differences in Personal Data between Public and Private Sectors - 2
- A business losing personal data usually does nothing
  - if the information is leaked to the media...
    - it needs a "brand management procedure" in place
    - it can (e.g. Virgin Media) be taken to court
- HMRC's huge loss of around 25 million child benefit records in 2007 changed the government's approach
  - result: the media now always report a public-sector data loss
  - hefty fines for repeat offenders...

Slide 23: Differences in Personal Data between Public and Private Sectors - 3
- Small businesses get a "light touch" from the Information Commissioner
  - they currently don't have to declare a data breach unless they are a telco
- All this is about to change as EU law catches up with US law on data breaches...
  - public and private sector breaches may get equal treatment (fines?)
  - this won't come into full force until 2018 (in the event, the GDPR applied from 25 May 2018)

Slide 24: The Concept of "Value" of Data
- People don't look after what they perceive to have no value...
- If organisational and personal data were given an intrinsic monetary value...
  - employees might look after it better?
  - businesses might wish to protect data as a monetary asset in its own right?

Slide 25: Economics of Information Security
- An academic research area
  - seeking to produce economic models that let organisations attribute value to data
- Back to the basics of information security:
  - Confidentiality: what is the relationship between confidentiality and intrinsic value?
  - Integrity: very difficult to quantify
  - Availability: if the loss of particular data
    - causes system failure, or
    - puts the business temporarily out of business,
    - then that data must have intrinsic value

Slide 26: Value of Business Data
- More success to date with organisational data that affects business availability than with personal data...
  - a monetary value can be put on the loss to the organisation of, e.g.:
    - a day's lost production
    - a 10% fall in share price
  - If 10,000 customer details are leaked, who cares???
    - members of the public?
    - the Information Commissioner...
    - would this affect:
      - the business's availability in the marketplace?
      - the business's share price?

Slide 27: Further Research
- Prediction of the contents of the 2015/16 GDPR:
  - http://www.scmagazineuk.com/new-eu-data-protection-law-to-arrive-in-2015/article/395142/
- The Information Commissioner's current website, a huge collection of documents:
  - http://www.ico.gov.uk

