Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009 Corporate Governance and Information Security (InfoSec)


1 Corporate Governance and Information Security (InfoSec)
Mark Clements, Andrew Adekunle

2 Lecture Overview
- Some InfoSec facts
  – Recent information security breach surveys
- Corporate Governance: the InfoSec perspective
- Lecture Review
- Lecture References

3 Information Security Breach Surveys
- UK Department for Business, Enterprise and Regulatory Reform (BERR)
  – Survey every two years; the last survey was published in Spring 2008
- Global survey by Ernst and Young
  – 10th Annual Global Information Security Survey, published in December 2007
- We shall focus on the results of the UK BERR 2008 survey

4 BERR Information Security Breach Survey 2008
- Company Strategy
- Security Breach Incidents
  – Malicious
  – Accidental

5 Company Strategy
- Changing business environment
- Importance of information
- Documented InfoSec policy
- InfoSec standards
- InfoSec qualifications
- Web site protection
- Backup and recovery policy

6 (Graph slide; no transcript text)

7 Discuss
- How does the previous graph relate to you?
- What do the figures say about the way companies deal with their IT resources?
- What does the outsourcing result mean for the IT industry generally? Outsource or in-house?

8 The Changing Business Environment

Businesses:                                            2002    2008
Have a documented security policy                       27%     55%
Percentage of IT budget spent on security (average)      2%      7%
Provide ongoing security training to staff              20%     40%
Use multi-factor authentication                          5%     14%
Have implemented BS 7799 / ISO 27001                     5%     11%

9 Discuss
- What does the previous slide say about the business view of security from a financial standpoint?

10 (Image-only slide; no transcript text)

11 Discuss
- Why have the figures for confidential data been rising year on year?

12 Changing Business Environment and Value of Information Held
- Information is becoming more accessible
- Information is becoming more critical for business operations
- Information integrity and availability are now critical for a growing number of businesses
  – This is particularly true of large businesses
- Over half of all businesses outsource some IT operations
  – Offshore outsourcing is growing, particularly in large businesses

13 (Image-only slide; no transcript text)

14 (Image-only slide; no transcript text)

15 ISO/IEC 27002
- Risk assessment
- Security policy
- Organization of information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development and maintenance
- Information security incident management
- Business continuity management
- Compliance

16 Documentation, Standards and Formal Staff Qualifications
- A significant number of businesses have no documented InfoSec policy
  – Though this is improving
- Significantly fewer than half of businesses have any knowledge of BS 7799
- Very few personnel with InfoSec responsibilities have any formal qualification in this field
  – The position is significantly weaker in small companies compared to large companies

17 (Image-only slide; no transcript text)

18 Security Measures for Web Servers
- Some businesses have only limited security measures to protect their corporate web site
  – Although this is improving

19 (Image-only slide; no transcript text)

20 (Image-only slide; no transcript text)

21 Backup and Recovery Policy
- 82% of businesses operate a daily backup of their servers
  – But few employ more advanced backup options
- More businesses are implementing disaster recovery plans
  – But more testing of these plans is needed

22 Security Breach Incidents
- Malicious
- Accidental

23 Security Breach Incidents
In the 2008 survey, for large companies:
- 13% have detected unauthorised outsiders within their network
- 9% had fake (phishing) emails sent asking their customers for data
- 9% had customers impersonated (e.g. after identity theft)
- 6% have suffered a confidentiality breach

24 (Image-only slide; no transcript text)

25 (Image-only slide; no transcript text)

26 (Image-only slide; no transcript text)

27 (Image-only slide; no transcript text)

28 Breach Incident Types
- Viruses and other malicious software form the basis of fewer breaches in recent years
- Other malicious breaches remain significant issues
  – Directed or coordinated breaches, e.g. DDoS, Stuxnet
- Accidental breaches are also a notable threat
  – For all types, larger companies have a greater exposure to breaches

29 Cost of Incidents

Company size                                              <50 staff   >250 staff   >500 staff
Companies that had a security incident in the last year   45%         72%          96%
Median number of incidents (mean)                         6 (100)     15 (200)     >400 (>1300)
Average cost of worst incident in the year                £10-20k     £90-170k     £1-2m

30 Summary of Current Issues (1)
For UK companies in 2008:
- 10% of web sites that accept payment details do not encrypt them
- 21% spend less than 1% of their IT budget on security
- 35% have no controls over staff use of Instant Messaging (discuss!)
- 48% of disaster recovery plans have not been tested in the last year
- 52% do not carry out any formal security risk assessment (gap in the market!)

31 Summary of Current Issues (2)
For UK companies in 2008 (continued):
- 67% do nothing to prevent confidential data leaving on USB sticks, etc.
- 78% of companies that had computers stolen did not encrypt the hard disks
- 79% are not aware of the contents of BS 7799 / ISO 27001 and 27002
- 84% of companies do not scan outgoing email for confidential data

32 Security Breach Incidents Summary
- Viruses and other malicious software are causing fewer incidents
- Other malicious incidents remain a significant threat
- Accidental incidents remain a significant threat
- There are a number of areas in which many companies need to improve their systems and policies

33 Corporate Governance: the InfoSec Perspective (1)
- Many businesses now have a high (or very high) reliance on information availability and security
  – For example, e-commerce businesses must have a highly reliable web presence, with all of the information relating to their products readily available
  – Many businesses store sensitive information about their clients, such as credit card details; these must be kept securely

34 Corporate Governance: the InfoSec Perspective (2)
- The future of the business may be at risk if appropriate measures are not taken to ensure information availability and security
  – For an e-commerce business, non-availability of the web site will be very costly, both immediately and in the medium term
  – Businesses have closed down as a result of loss of reputation

35 Corporate Governance: the InfoSec Perspective (3)
- There may also be a range of regulatory and legal InfoSec requirements which the business must meet
  – Breach of these may lead to prosecution, as well as loss of reputation

36 Lecture Review
- Some InfoSec facts
  – Recent information security breach surveys
- Corporate Governance: the InfoSec perspective
- Lecture Review
- Lecture References

37 Lecture References
- Information Security Breaches Survey 2006, UK BERR, http://www.pwc.co.uk/eng/publications/berr_information_security_breaches_survey_2008.html
- 10th Global Information Security Survey, Ernst & Young, 2007, http://www.ey.com/Global/assets.nsf/UK/GISS_2007/$file/GISS%202007%20FINAL.pdf
