
Stories from the trenches: Designing a good security policy

Stories from the trenches: Designing a good security policy. Jean-Michel Lamby Architect Microsoft & Security Solutions. Risk is the mirror image of opportunity. Agenda. Presentation Objectives Some questions… Information security policy Information security & the business


Presentation Transcript


  1. Stories from the trenches:Designing a good security policy Jean-Michel Lamby Architect Microsoft & Security Solutions

  2. Risk is the mirror image of opportunity

  3. Agenda. • Presentation Objectives • Some questions… • Information security policy • Information security & the business • Information security & ICT • Managing information security • A framework for managing operations • ICT Operations: Management Framework • Tracks for quick wins… • Where are you today?

  4. Objectives • To provide high-level guidance for the process of developing a good information security policy • To identify tracks for « quick wins »

  5. Stories from the trenches • I once was an infosec manager • Real life experiences....

  6. Some questions... • Just a few questions... • Easy ones...

  7. Some questions... (Ctd) • Are you in control?

  8. Some questions... (Ctd) • Is information a strategic and valuable asset for your company? • Do your employees know it? • Do they know it is considered as such by the management? • Do they know who’s in charge? • Do they care?

  9. Some questions... (Ctd) • The human being is weak and we all make mistakes from time to time... But • When it comes to information security, do your employees know what their responsibilities are? • Is this somehow integrated in the work regulations? • Are they aware of the risks? • Do they know where to find guidelines and procedures? • Do they know how to react in case of an incident? • Do they know they are controlled? • Do you comply with the legislation on privacy protection?

  10. Some questions... (Ctd) • Do your employees know how to manage sensitive data? • What about removable storage media? • What about outdated backup tapes? • What about crashed disks? • What about laptops? • What about e-mail attachments? • What about « 3rd party webmail »? • What about data transfers?

  11. More questions... • A critical business process is down... because of the unavailability of an ICT service... • Was your service delivery in line with the business requirements? • Business what? • Where does your responsibility start? • Where does your responsibility end?

  12. More questions... (Ctd) • Do you know whether your systems are securely configured? • Are you sure of this? • When was it controlled for the last time? • What were the results of the control? • Any corrective action? • Implemented? • How many changes implemented since then? • How many new vulnerabilities since then? • And do you exclusively expose the services required by the business?

  13. Stop with these questions!!! • Ok

  14. Stop with these questions!!! • Still in control?

  15. Information security policy • Aimed at providing a complete and consistent reference framework for the management of information security • Will clearly state the respective roles and responsibilities • Will ensure your security posture is appropriate for your business • Will ensure the level of achieved security is maintained and controllable • Will help maintain awareness and involvement

  16. Information Security & the Business • Securing the business process by protecting the Confidentiality, Integrity and Availability of Information, Services and Systems

  17. Information security & ICT • Information Security is a global business issue… • Information is a strategic asset… • ICT is part of the Business… • ICT is to participate in the collaborative effort aimed at protecting the business

  18. Managing Information Security

  19. Managing Information Security (diagram) • Inputs: Legal Requirements, Regulatory Requirements, Standard Requirements • Corporate Information Security Policy: Visibility, Credibility, Direction, Commitment, Responsibilities • Information Security Program: Scope and objectives, Sponsorship • Information Security Strategy, Security Awareness, Risk Management • Risk Management: Assets Identification, Business Impact Analysis, Risk Assessment

  20. Managing Information Security (diagram) • Inputs: Legal Requirements, Regulatory Requirements, Certification Requirements • Standard and Best Practice Requirements: ISO/IEC 17799, ISO 13335, BS 7799, ITIL Security Management, FIRM, WebTrust, X9.79, TS 101456… • Assets Identification, Business Impact Analysis, Risk Assessment • Tailored Security Management Framework: Policies, Standards, Procedures, Controls • CISP (Corporate Information Security Policy): Security Organization, Asset Classification and Control, Personnel Security, Physical and Environmental Security, Operations and Communications Management, Access Control, System Development and Maintenance, Business Continuity, Compliance

  21. Policies, standards & procedures • Not literature! • Operational documents! • Policies: recognition of a problem area and high-level statements about the intentions of the management • Standards: what you are going to do about this problem area • Procedures: how you are going to do it (auditability) • Technology: to support specific controls

  22. A framework for managing operations • Information security is not an additional layer • It is to be integrated within daily business • And for ICT it is to be integrated in the management of daily operations (MOF, ITIL, TOM, eTOM...)

  23. ICT Operations: Mgt Framework

  24. Tracks for Quick Wins • CISP • SAD program • Personnel security • E-Mail and Internet acceptable use • Malicious software protection • System & Svc Management (including patch mgt and fw mgt) • Network management • Business continuity: crisis mgt framework

  25. Where are you today? (maturity model diagram, freely adapted from the ITIL BCM Maturity Model) • Maturity Level: 1 to 6 • Stage 1: Initiation • Stage 2: Requirements and Strategy • Stage 3: Implementation • Stage 4: Operational Management • Activities shown: Initiate Security Management, Assets Identification, Business Impact Analysis, Risk Assessment, Strategy, Organization and Implementation Planning, Implement Risk Mitigation, Develop InfoSec Plans, Develop Policies, Develop and Implement Standards and Procedures, Initial Testing, Change Control, Testing, Review, Education and Awareness, Training, Assurance

  26. Thank you • If you have any questions or requests for information, feel free to contact me at: • Jean-Michel.Lamby@Unisys.com