1
Engineering and Management of Secure Computer Networks
School of Engineering © Steve Woodhead 2009
Corporate Governance and Information Security (InfoSec)
Mark Clements
Andrew Adekunle
2
Lecture Overview
Some InfoSec facts
 – Recent information security breach surveys
Corporate Governance – the InfoSec perspective
Lecture Review
Lecture References
3
Information Security Breach Surveys
UK Department for Business, Enterprise and Regulatory Reform (BERR)
 – Survey every two years – last survey published in Spring 2008
Global survey by Ernst and Young
 – 10th Annual Global Information Security Survey – published in Dec 2007
We shall focus on the results of the UK BERR 2008 survey
4
BERR Information Security Breach Survey 2008
Company Strategy
Security Breach Incidents
 – Malicious
 – Accidental
5
Company Strategy
Changing business environment
Importance of information
Documented InfoSec policy
InfoSec standards
InfoSec qualifications
Web site protection
Backup and recovery policy
6
[Graph]
7
How does the previous graph relate to you?
What do the figures say about the way companies deal with their IT resources?
What does the outsourcing result mean for the IT industry generally?
Outsource or in-house?
8
The Changing Business Environment
Businesses:                                            2002    2008
Have a documented security policy                      27%     55%
Percentage of IT budget spent on security (average)    2%      7%
Provide ongoing security training to staff             20%     40%
Use multi-factor authentication                        5%      14%
Have implemented BS 7799 / ISO 27001                   5%      11%
9
Discuss
What does the previous slide say about the business view of security from a financial standpoint?
10
[Graph]
11
Discuss
Why have the figures for confidential data been rising year on year?
12
Changing Business Environment and Value of Information Held
Information is becoming more accessible
Information is becoming more critical for business operations
Information integrity and availability are now critical for a growing number of businesses
 – This is particularly true of large businesses
Over half of all businesses outsource some IT operations
 – Offshore outsourcing is growing, particularly in large businesses
15
ISO/IEC 27002
Risk assessment
Security policy
Organization of information security
Asset management
Human resources security
Physical and environmental security
Communications and operations management
Access control
Information systems acquisition, development and maintenance
Information security incident management
Business continuity management
Compliance
16
Documentation, Standards and Formal Staff Qualifications
A significant number of businesses have no documented InfoSec policy
 – Though this is improving
Significantly less than half of businesses have any knowledge of BS 7799
Very few personnel with InfoSec responsibilities have any formal qualification in this field
 – The position is significantly weaker in small companies, compared to large companies
18
Security Measures for Web Servers
Some businesses have only limited security measures to protect their corporate web site
 – Although this is improving
21
Backup and Recovery Policy
82% of businesses operate a daily backup of their servers
 – But few employ more advanced backup options
More businesses are implementing disaster recovery plans
 – But more testing of these plans is needed
22
Security Breach Incidents
Malicious
Accidental
23
Security Breach Incidents
In the 2008 survey, for large companies:
13% have detected unauthorised outsiders within their network
9% had fake (phishing) emails sent asking their customers for data
9% had customers impersonated (e.g. after identity theft)
6% have suffered a confidentiality breach
28
Breach Incident Types
Viruses and other malicious software form the basis of fewer breaches in recent years
Other malicious breaches remain significant issues
 – Directed or coordinated breaches, e.g. DDoS, Stuxnet
Accidental breaches are also a notable threat
 – For all types, larger companies have a greater exposure to breaches
29
Cost of Incidents
Company size                                               <50 staff   >250 staff   >500 staff
Companies that had a security incident in the last year    45%         72%          96%
Median number of incidents (mean)                          6 (100)     15 (200)     >400 (>1300)
Average cost of worst incident in the year                 £10-20k     £90-170k     £1-2m
30
Summary of Current Issues (1)
For UK companies in 2008:
10% of web sites that accept payment details do not encrypt them
21% spend less than 1% of their IT budget on security
35% have no controls over staff use of Instant Messaging (discuss!)
48% of disaster recovery plans have not been tested in the last year
52% do not carry out any formal security risk assessment (gap in the market!)
31
Summary of Current Issues (2)
For UK companies in 2008 (continued):
67% do nothing to prevent confidential data leaving on USB sticks, etc.
78% of companies that had computers stolen did not encrypt the hard disks
79% are not aware of the contents of BS 7799 / ISO 27001 and 27002
84% of companies do not scan outgoing email for confidential data
32
Security Breach Incidents Summary
Viruses and other malicious software are causing fewer incidents
Other malicious incidents remain a significant threat
Accidental incidents remain a significant threat
There are a number of areas in which many companies need to improve their systems and policies
33
Corporate Governance - the InfoSec Perspective (1)
Many businesses now have a high (or very high) reliance on information availability and security
 – For example, e-commerce businesses must have a highly reliable web presence, with all of the information relating to their products readily available
 – Many businesses store sensitive information about their clients, such as credit card details – these must be kept securely
34
Corporate Governance - the InfoSec Perspective (2)
The future of the business may be at risk if appropriate measures are not taken to ensure information availability and security
 – For an e-commerce business, non-availability of the web site will be very costly, both immediately and in the medium term
 – Businesses have closed down as a result of loss of reputation
35
Corporate Governance - the InfoSec Perspective (3)
There may also be a range of regulatory and legal InfoSec requirements which the business must meet
 – Breach of these may lead to prosecution, as well as loss of reputation
36
Lecture Review
Some InfoSec facts
 – Recent information security breach surveys
Corporate Governance – the InfoSec perspective
Lecture Review
Lecture References
37
Lecture References
Information Security Breaches Survey 2006, UK BERR, http://www.pwc.co.uk/eng/publications/berr_information_security_breaches_survey_2008.html
10th Global Information Security Survey, Ernst & Young, 2007, http://www.ey.com/Global/assets.nsf/UK/GISS_2007/$file/GISS%202007%20FINAL.pdf