COMP3371 Cyber Security Richard Henson University of Worcester October 2015.


1 COMP3371 Cyber Security Richard Henson University of Worcester October 2015

2 Week 2 – Strategies for securing data held within digital systems
- Objectives:
  - Understand principles of maintaining data confidentiality, privacy, integrity, availability
  - Apply a security strategy in terms of denial of access to unauthorised services and information
  - Explain that total security is a myth; people are people, and computer technology is constantly evolving…

3 Typical organisational approaches
- Outsource
- In-house… guru
- In-house… committee

4 Outsource/Offshore
- Buy in the services of a third party from outside the organisation to “look after security”.
- This may be on the back of a general strategy to outsource IT
  - usually involves managing data and/or processes remotely
  - outsource… usually still in the UK
  - offshore… usually outside the UK

5 Seek an in-house solution… guru
- Appoint someone internally or from outside
  - look after (information) security…
    - development of policy, usually by consensus, e.g. via stakeholder committee
  - annual audit
  - manage a budget

6 Seek an in-house solution… committee
- Senior manager chairs a group consisting of key stakeholders
  - agree a set of procedures
  - designated employees should take ownership; ensure these are adhered to
  - meet at regular intervals as a matter of organisational policy

7 How would you set up an Information Security policy?
- BREAK!!!
- And discussion again in groups
  - why outsource?
  - how could it be done internally?
    - Who would be the “stakeholders”?

8 Relative Merits of using a Third Party…
- Advantages:
  - pass responsibility on to someone else (?!)
  - pay someone a flat annual fee; easily budgeted
- Disadvantages:
  - Data Controller still has DP Act responsibility…
  - may also pass control to someone else…
  - third party may be looking after many other clients…

9 Appointing a “security tzar” with Information Security budget
- Will this work, as a single solution?
- Is Information Security just an IT spending problem?
- Groups again… discuss…

10 “Middle Manager” Solution
- Will this work, as a single solution?
- Again… groups

11 Answers (to each)
- 1. Of course not!!!
  - organisation still has responsibility!!
- 2. Of course not!!!
  - this is a people problem…
  - data integrity errors
  - leaving data on physical devices that can be taken by a third party

12 If this was just about technology, would that make any difference?
- Over to you again…

13 If this WAS just about IT, would that make any difference?
- It is true that, at considerable effort and expense…
  - a computer network can be made completely secure at a particular point in time
- BUT THEN the following day, a new security threat may be launched onto the Internet from any one of over 2 billion potential sources…
  - quite a challenge?

14 The Changing Threat…
- A good outsourcer will have time and resources to keep up with the reality of many new threats each day
  - should be on top of this problem…
- But merely employing a “security supremo” to buy, install and configure security devices won’t solve the problem
  - securing data must be ONGOING…
  - supremo must put procedures into place to deal with a continuing problem…
    - and company must make sure everybody knows about them…

15 Security as a “Process”
- Security cannot ever be “done”
  - a new threat may be being planned today, and rolled out tomorrow…
- Could make the most secure network suddenly very vulnerable!

16 Managing Information Security as a Process
- First step…
  - identify all systems that carry information and decide what controls are in place to protect them
  - test those controls for potential security breaches
  - identify what has been forgotten
    - secure as appropriate through further controls
- Next step:
  - once secure, develop a strategy to MANAGE this process over time…
  - implement that strategy

17 Information Security Management
- Implement a set of agreed procedures to protect data
  - administered at organisational level
  - acknowledge the iterative nature of information security & agree on rate of iteration
- Appoint someone with institutional responsibility
  - realistic budget that takes into account the resource and human cost…
    - may use a third-party outsourcer to provide advice, expertise, implement procedures, but at least they are in control of the policy-making
    - even better… develop an Information Security Management System (ISMS)

18 The Costs of securing data
- Hardware/software cost
  - fixed and easily determined
- Human resource cost
  - cost of Information Security supremo
  - cost to the organisation of using staff to implement and enforce data security procedures
    - more difficult to quantify
  - cost of testing/retraining employees

19 Costs of Securing Data
- Isolated LAN, with no internet connectivity
  - no need to worry about data in and data out via the Internet
  - less stringent procedures may be needed/enforced
  - employees could still mess up or steal data
- LAN connected to the Internet:
  - “secret” data? highly rigorous procedures, implemented frequently – very expensive
  - no real secrets (political or commercial)? more infrequent cycle, less exhaustive procedures
    - much cheaper…

20 The Costs of Data Breach?
- Groups again…

21 The Costs of Data Breach
- People not able to work…
- Organisation not able to communicate effectively with customers…
- Embarrassment of reporting in the media
  - loss of reputation
- Fines, etc., by FSA or ICO
- Fall in stock market price
- Increase in insurance premiums
- Not getting future contracts…

22 Information Security Procedures
- In groups again, discuss:
  - possible procedures the organisation could set up…
  - how expensive such procedures might be to implement…

23 The ISMS – Making an Information System secure
- As ever, the success of rules and procedures depends on
  - people
  - how they are managed…
- In practice, standards developed based on the concept of an ISMS (Information Security Management System)

24 Developing an ISMS
- Each organisation is different!
- Original ISO27001 standard for an ISMS identified 133 possible controls
  - how many of these are actually needed depends on the organisational processes
  - each control not used
    - non-use needs to be justified

25 An ISMS that is “fit for purpose”
- Each organisation is different!
- ISO27001 standard for an ISMS has identified over 100 possible controls
  - how many of these are actually needed depends on the organisational processes
- ISMS needs to acknowledge all aspects of how data is managed
  - requires an understanding of processes
  - and identification of where that data may need to have security controls
- Organisations need to undergo process analysis and risk assessment to determine where controls are needed
  - no point spending money on controls where they are not needed…

26 An Alternative Approach to Security Controls: PCI DSS
- System devised by Credit Card Companies (i.e. banks…)
- Guidelines for a number of years…
- Now, with v3, a sting in the tail for the SME
  - heavy fines possible
  - can be refused business merchant facilities…
- Will affect small businesses WORLDWIDE selling online directly to consumers

27 Requirements for PCI DSS compliance? (1)
- 12 controls
  - Install and maintain a firewall configuration to protect cardholder data
  - Do not use vendor-supplied defaults for system passwords and other security parameters
  - Protect stored cardholder data
  - Encrypt transmission of cardholder data across open, public networks
  - Use and regularly update anti-virus software or programs

28 What is needed for PCI DSS compliance? (2)
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for employees and contractors

29 PCI DSS issues
- Is it realistic?
- Is it essential?
- How can it be policed?
- Discussion in groups…

30 IASME & Cyber Essentials
- IASME uses principles of ISMS and 100+ controls… but more SME friendly
- Cyber Essentials uses only 5 controls… but all essentially technical
  - Cyber Essentials now a minimum for government contracts
  - Useful starting point? No IS policy!

31 Policy in Action: The Client-Server Model
- Excellent way to centralise organisational resources
  - client can still hold resources
    - a lot (workstation)
    - not much (thin client)
- Microsoft model: called a domain

32 Request and response
1. All network users use clients
2. Client requests information…
3. Server processes the request, sends a response back to the client

33 A Domain in action… (Today’s practical)

34 The next sessions will explore…
a) theoretical aspects related to the technical implementation of information security
b) the setting up of policies, procedures, controls and systems to manage information security

