Sasa Aksentijevic, MBA IT, Ph.D. cand. (Business Economy) / ICT Manager / C(I)SO / ICT Court Forensic Expert
LinkedIn: linkedin.com/sasaaksentijevic
Information security
Certification, internal audit, CISSPs, CISMs, ISO 27K, BCP, DR, network security, antivirus solutions, intrusion detection and prevention, firewalls, ethical hacking, residual risk management, SWOT, GAP, Monte Carlo... ?
Common ICT security mistakes in corporate environments

Presentation content:
A little theory will not hurt anybody
Management has discovered information security, or the Dilbert approach to information security
Should we include the coffee machine in the ISMS scope? AKA: is certification the final answer to infosec?
"I will write my password on a Post-It for you" AKA low-level (operational) infosec breaches
How can something be nothing?
Is information security possible? Is ICT security possible?
Q&A
Infosec concept model: PHB, or Pointy-Haired Boss

Description: The pointy-haired boss (often abbreviated to just PHB) is Dilbert's boss in the Dilbert comic strip. He is notable for his micromanagement, gross incompetence and unawareness of his surroundings, yet somehow retains power in the workplace.
The phrase "pointy-haired boss" has acquired a generic usage referring to incompetent managers. It is also possible to speak of someone being pointy-haired or having pointy hair metaphorically, meaning that they possess PHB-like traits.
ISO 27K (ISO/IEC 27001: Information technology — Security techniques — Information security management systems — Requirements) is not a technical information security standard. It is a management system standard.
ISO 27K outlines a framework for an ISMS, but it is not a "golden standard" in itself. ISO 27K is based on risk assessment: there is no predefined acceptable level of risk; risk criteria, applicability, inclusion and treatment are decided by the organization.
Efficient implementation requires security analysis of the technical aspects; the standard itself deals with policy, scope, risk analysis, procedures and records.
Too many ifs
ISO 27K certification is proof of compliance with the standard. By itself, it does not guarantee information security.
Organizations decide on the applicability (or not) of the Annex A controls. The list of controls exists (Annex A), but it is a reference list rather than a mandate: each control is either implemented or its exclusion is justified in the Statement of Applicability, and additional controls may be added.
Certification is still the best available tool to achieve information security goals.
Delegation (of tasks that should not be delegated)
Non-compliance with local legislation and regulatory requirements, and the problems that follow from it
Inadequate resources (people, time, money, knowledge...)
Creation of parallel, "backdoor" systems, especially for the management authorization process
Lack of management interest in information security
No BCP, no DR, no periodic updating of either
Lack of consistent policies, criteria, standards and work instructions, and no learning from security incidents
Management is not aware that information security is an ongoing, permanent process
Lack of systematic resource and contingency planning, loose control over ICT assets, unclear ownership
Revocation of access rights and email access, and periodic review of access rights, not implemented
No ICT security induction, no periodic refresher courses
No segregation between production and test environments
SLAs for ICT services are not clearly defined (or are not adhered to)
No employee background checks
Inadequate physical access controls (especially for guests, third parties, externals and temps)
Saving on insurance, no change management (no change log), unsafe networking environment
No process for learning from incidents
Controls covering third-party relations and NDAs are not implemented
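As an added illustration of the access-revocation and access-review point above (this is not code from the original presentation), the following Python script reconciles an HR leaver list against a user-directory export and reports the accounts a periodic review should catch: leavers still enabled, leaver mailboxes still active, enabled accounts with no accountable HR owner, and dormant accounts of current staff. The CSV layouts, column names, sample records and the 90-day dormancy threshold are all constructed assumptions.

```python
"""Access-rights review: reconcile an HR export with a directory export.

Added example, not from the original presentation. The CSV layouts,
column names, sample data and the 90-day dormancy threshold are assumptions.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample HR export (not real records): one row per person.
HR_CSV = """employee_id,username,status,termination_date
1001,alice,active,
1002,bob,terminated,2024-02-15
1003,carol,terminated,2024-05-30
1004,dave,active,
"""

# Constructed sample directory export, as a tool like Get-ADUser or an
# LDAP dump might produce it (column names are assumed).
DIRECTORY_CSV = """username,enabled,last_logon,mail_enabled
alice,true,2024-06-10,true
bob,true,2024-02-14,true
carol,false,2024-05-29,true
dave,true,2024-01-05,true
svc-backup,true,2024-06-11,false
shared-reception,true,2024-06-09,true
"""

DORMANT_AFTER = timedelta(days=90)  # assumed review threshold
REVIEW_DATE = date(2024, 6, 12)     # the day the sample review is run


@dataclass(frozen=True)
class Finding:
    username: str
    issue: str


def _parse_date(value):
    return date.fromisoformat(value) if value else None


def review_access(hr_csv, directory_csv, today):
    """Return the findings an access-rights review should raise."""
    hr = {row["username"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(directory_csv)):
        user = acct["username"]
        enabled = acct["enabled"].lower() == "true"
        mail = acct["mail_enabled"].lower() == "true"
        last_logon = _parse_date(acct["last_logon"])
        person = hr.get(user)

        if person is None:
            # Service or shared account with nobody in HR accountable for it.
            if enabled:
                findings.append(Finding(user, "no HR owner, account enabled"))
            continue

        if person["status"] == "terminated":
            term = _parse_date(person["termination_date"])
            if enabled:
                days = (today - term).days
                findings.append(Finding(
                    user, f"leaver still enabled ({days} days after termination)"))
            if mail:
                # Disabling the logon is not enough; the mailbox is a separate right.
                findings.append(Finding(user, "leaver mailbox still enabled"))
            continue

        # Current employee: flag long-unused accounts so stale rights get reviewed.
        if enabled and last_logon is not None and today - last_logon > DORMANT_AFTER:
            findings.append(Finding(user, "dormant account"))
    return findings


if __name__ == "__main__":
    for finding in review_access(HR_CSV, DIRECTORY_CSV, REVIEW_DATE):
        print(f"{finding.username}: {finding.issue}")
```

The check deliberately treats an account with no HR owner as a finding even when it is a legitimate service account: the review's job is to force someone to claim ownership, which is exactly the "unclear ownership" gap listed under the management mistakes.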
User breaches
USB drives used for storage and not for backup
Data exchange procedures (encryption, FTP, snail mail)
No data classification / information lifecycle management
Remote working equipment (PDAs, MMC, USB, notebooks)
ICT assets not under the control of their owners
Photocopy machines, printers and network scanners
Password sharing, passwords on Post-Its
Clear desk and clear screen policy not enforced
Documents not supervised, lack of access authorization
Non-systematic document disposal
No continuous learning / no interest in security culture
Data backup procedures
Common network areas used for placing personal data
Third-party relations, hardware repair procedures
Malicious intent
Technical effort -> BEST PRACTICES, CERTIFICATION, LEGISLATION, FORENSICS, TESTING, PDCA, AUDIT(s)...
Personal effort -> EMPLOYEES (PARTICIPANTS, STAKEHOLDERS)
Organizational effort -> MANAGEMENT
Thank you for your attention!