The Other Side of Information Security, Wilco van Ginkel, Ubizen (wilco.vanginkel@ubizen.com)

Presentation Transcript

Slide 1

The Other Side of Information Security Wilco van Ginkel – Ubizen wilco.vanginkel@ubizen.com

Slide 2

Purpose of the keynote: give the audience the other side of Information Security, more or less in a nutshell, given the time constraints.

Slide 3

Agenda: Introduction; Business & Risk Assessment; Security Policies & Procedures; Security Standards; Security Awareness; Examples where Organizational meets Technical

Slide 4

Introduction: The four key questions; The components of a complete security solution; Trend in the market; The Security Triangle; The Domains

Slide 5

The Four Questions. Most organizations ask: "How should I protect?" More important is to ask first: Why should I need protection? How difficult will it be to protect? What and against whom should I protect? And only then: how should I protect?

Slide 6

Components of a Security Solution: Assessment, Policies, Procedures, Legal, Awareness; Technical vs. Organizational (20% / 80%)

Slide 7

Trend: Security is seen more and more as part of the normal business process. We are not talking 'rocket science'. Does this mean technology is dead or something? Most organizations don't know how to do it…

Slide 8

Security Triangle: Assessment & Policies; Security Awareness; Cryptography

Slide 9

Business Security Requirements. The Domains: 1. I.T. 2. Physical 3. Environmental 4. Human 5. Organizational 6. Administrative 7. Legal

Slide 10

The first step: 'Meet the parents'. Because: they decide about security; they should back up and support security; they have power; they are responsible… How: perform a Business & Risk Assessment

Slide 11

Business Assessment - 1. Why should I need protection? Discuss the stakes; discuss the different types of information; discuss the Security Requirements (CIAR); discuss key questions, like: replacement value of IT targets; is IT merely support or vital for the organization …

Slide 12

Business Assessment - 2. How difficult will it be to protect? Assess the constraints, like: financial; internal knowledge; dependency on partners; schedule …

Slide 13

Risk Assessment - 1. Against what and whom should I protect? Perform a Risk Assessment. Be aware of terminology: Risk Identification (RI); Risk Assessment (RASS = RI + 'value'); Risk Management (RM = how should we protect); Risk Analysis (RASS + RM)

Slide 14

Risk Assessment - 2. Some points of attention: different Risk Assessment/Analysis methods; sometimes it is hard to determine the 'value'; make sure that you have the right people, meaning those who know the business processes and those who have the authority to decide

Slide 15

Security Policies. First things first: the CSP, the formalization of the Security Strategy and goals; high level

Slide 16

Security Policies - 2. System Security Policies: general description of the Information System; security around the Information System; security on the Information System; technical security settings (OS, database, application). Other important policies are, for instance: Asset Classification; Malicious Software Policy …

Slide 17

Security Policies - 3. Make sure that: the policy is supported by the System Owner; you avoid the 'Ivory Tower Syndrome'; the policy is clearly communicated; the policy is useful and practical

Slide 18

Security Procedures. Who is doing what, why and when? Important procedures are, for instance: Boarding Process; Incident & Escalation; Back-up/Recovery; Change & Configuration Management …

Slide 19

Security Standards - 1. Are we all alone? No, there are standards out there: a set of best practices. They can be a good starting point and prevent reinventing the wheel. However, be careful not to implement a security standard blindly…

Slide 20

Security Standards - 2. Some well-known examples are: BS/7799 part 1 + 2 (ISO/7799-1); Cobit-3; ITIL; ISO-13335; Common Criteria (ISO-15408); NIST; IETF … Certification could be interesting

Slide 21

Security Awareness. The most critical success factor of Information Security. Mind set. Awareness should be at every level in the organization. Relation with psychology…

Slide 22

Organizational meets technical - 1. Example: CSP → Accountability principle; Authentication Policy → strong authentication; Countermeasure → Tokens

Slide 23

Organizational meets technical - 2. Example: CSP → information across untrusted networks should be protected; Cryptography Policy → symmetric encryption of at least 128 bits, preferred choice 3-DES; Countermeasure → hardware encryptors

Slide 24

Organizational meets technical - 3. Example: within the business process 'Electronic Transactions', there is a high security requirement for Integrity and Non-repudiation. Defined threats are: unauthorized modification of the transaction; denial of having sent the transaction. Digital signatures. Crypto Policy: use RSA, minimum key length at least 1024 bits
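As an added example (not from the keynote), the two crypto-policy statements of slides 23 and 24 turned into a compliance check over a constructed inventory of system settings: the check judges key lengths per algorithm family, so a single "at least 128 bits" threshold cannot wave through a short RSA key, and it flags 3-DES, whose 168-bit nominal key gives only about 112 bits of effective strength. The policy dictionary, the `Setting` class and the sample systems are assumptions made for this illustration.

```python
from dataclasses import dataclass

# Policy statements from slides 23 and 24, in a constructed machine-readable form.
POLICY = {
    "symmetric": {"min_bits": 128, "preferred": "3DES"},
    "asymmetric": {"allowed": {"RSA"}, "min_bits": 1024},
}
FAMILY = {"DES": "symmetric", "3DES": "symmetric", "AES": "symmetric",
          "RSA": "asymmetric", "DSA": "asymmetric"}

def effective_bits(algorithm, key_bits):
    """Strength the algorithm really delivers: the policy counts nominal bits,
    but 3DES with its 168-bit key offers only about 112 bits of security."""
    if algorithm == "3DES":
        return min(key_bits, 112)
    return key_bits

@dataclass(frozen=True)
class Setting:
    system: str      # the Information System the setting belongs to
    algorithm: str
    key_bits: int    # nominal key length

def naive_check(setting):
    """One threshold for every algorithm: accepts RSA-512 because 512 >= 128."""
    return setting.key_bits >= 128

def check(setting):
    """Return ('pass'|'warn'|'fail', reason), judged per algorithm family."""
    family = FAMILY.get(setting.algorithm)
    if family is None:
        return "fail", f"{setting.algorithm} is not covered by the policy"
    rule = POLICY[family]
    if family == "asymmetric" and setting.algorithm not in rule["allowed"]:
        return "fail", f"policy requires {', '.join(rule['allowed'])}"
    if setting.key_bits < rule["min_bits"]:
        return "fail", f"{setting.key_bits} bits is below the {rule['min_bits']}-bit minimum"
    eff = effective_bits(setting.algorithm, setting.key_bits)
    if eff < rule["min_bits"]:
        return "warn", f"nominal {setting.key_bits} bits, effective about {eff}"
    return "pass", "compliant"

def audit(settings):
    """Verdict per system: the table an auditor hands back to the System Owner."""
    return {s.system: check(s) for s in settings}

# Constructed sample inventory, not real systems.
SAMPLE = [Setting("branch-vpn", "3DES", 168), Setting("legacy-link", "DES", 56),
          Setting("e-transactions", "RSA", 1024), Setting("old-signer", "RSA", 512)]
```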

Slide 25

Useful links: www.isaca.org, www.bsi-global.com, www.nist.gov, www.ietf.org, www.iso.org, www.cse-cst.gc.ca, www.bsi.de, www.cenorm.be/isss, www.cesg.gov.uk, www.sse-cmm.org

Slide 26

Reading material to fill long winter evenings…: ISO TR13335, General Management of IT Security; ISO 15408, Common Criteria for evaluation and certification of IT security; Baseline Protection Manual (BSI.DE); BS7799: Code of practice for Information Security Management (two parts); CobiT: Governance, Control and Audit for Information and Related Technology (ISACA); SSE-CMM: System Security Engineering - Capability Maturity Model

Slide 27

Questions, Discussions, …
