Information Security Management

Question 1

Implications of the Internet being very new

Answer 1

New uses continually developing

No time for Information Security to mature as a discipline.

• Increased inter-connectivity
  
  • Increased complexity
  • Increased risk
• External threats
  
  • Web sites, external interfaces coded for functionality, not security
  • Continued requirements to break the perimeter
• Internal systems become increasingly high-value
  
  • Increased operational requirements
  • Increased cost of failure
  • Increased threat from internal actors
• Business requirements don’t take into account security cost and risk
  
  • Bring Your Own Device
  • Mobile Working
  • Remote Access

Question 2

Current Issue with Information Security

Answer 2

Security is seen as a Non-Functional Requirement

• No drive to resolve security issues
• Functionality is prioritisedover security
• Security is not given resource

Question 3

What is needed to make security a priority?

Answer 3

Pressure is needed to make security a priority

• Commercial Pressure
• Customer Pressure
• Legal Pressure
• Regulatory Pressure

Question 4

4 questions to start designing information security

Answer 4

What are we protecting?

• Intellectual Property?
  
  • Pharmaceutical Company
  • Trading House
• Customer Information?
  
  • Hospital
  • Bank
  • Government Ministry
• Something with direct value?
  
  • Bank

Who are we protecting against?

• External attackers?
• Internal attackers?

What capability are we worried about?

• Nation-State-level?
• OrganisedCrime?
• Individual actors?
• Hackers?
• Political activists?
• Knowledgeable insiders?

Can we afford it?

• Be reasonable!

Question 5

Possible Approaches to Increase Security

Answer 5

• No remote access. If you need to work, come into the office
• No Internet at the desktop
• Highly visible Physical Security measures
• No BYOD
• Positive management support and attention for Security issues
• Disaster Recovery

Question 6

Defense in Depth

Answer 6

• Defend beyond your secure zone
• Multiple Layers of Security
• Different Forms of Defense
• Protection against a weakness in any one layer
• Each layer can protect against different types of attack
• Weaken the enemy incrementally
• Encourage them to attack points of strength

Question 7

Limitations of Defense in Depth

Answer 7

• Increased complexity
• Usability issues
• Cost versus Reward not guranteed
• Customer perrception may decline

Question 8

3 requirements (strong rec.) for information security

Answer 8

1. Security Policy

• Covers basic security requirements
• Without a policy, you won’t get far
• Typically fairly short – maybe 20 pages

2. Technical Documentation

• Gives specifics on how to implement policy in different circumstances
• Settings on systems
• Design constraints
• Processes and procedures that need to be in place

3. An organisationto support all this

• Security changes rapidly
• Nobody else cares about Security

Question 9

12 things we need in a Security Organisation

Answer 9

1. Security Engineering
2. Identity and Access Management
3. Logging and Monitoring
4. Security Operations
5. Security Architects
6. Application Security
7. Security Compliance
8. Risk Management
9. Physical security
10. Data Protection
11. Internal Audit
12. Audit Response

Question 10

1 Security Engineering

Answer 10

1. Security Engineering

• Firewalls
• Proxies
• Secure Email Systems
• Remote Access Systems
• Intrusion Detection Systems
• Problem – creates a set of ‘Super Users’

Question 11

2 Identity and Access Management

Answer 11

2. Identity and Access Management

• Create User Accounts (Joiners)
• Allocate Privilege
• Remove User Accounts (Leavers)
• Data Classification
• Revalidation of User Accounts
  
  • Privilege Revalidation
  • Employment Revalidation
  • Continued Business Need Revalidation
• Problem – shifts the ‘Super User’ issue to IAM

Question 12

3 Logging and Monitoring

Answer 12

3. Logging and Monitoring

• Log collection – from everything
• Identify unusual activity
• Generate alerts
• Validate alerts
• Watch the Security Organisationand other Super-Users
• This becomes a Big Data challenge very quickly
• Problem – who watches the watchers?

Question 13

4 Security Operations

Answer 13

4. Security Operations

• Implement Separation of Duties
  
  • The team that ‘does things’ has privilege but no wide visibility
• Run day-to-day security processes
  
  • Check security software is still running
  • Chase other teams to do their part
• Respond to alerts
• Set up User Accounts
• Set up privileges
• Incident Management?
• Problem – SecOps is typically the junior team…

Question 14

5 Security Architects

Answer 14

5. Security Architects

• Ensure all solutions are in line with the Security Policy
  
  • Design solutions
  • Approve solutions
• Advice and Guidance to the rest of the organisation
• Focused on infrastructure, networks, platforms

Problems:

• Who validates the advice and guidance?
• Who makes sure the organisationfollows the advice?

Question 15

6 Application Security

Answer 15

6. Application Security

• Ensure Application Development is in line with Security Policy
• Own any in-house security software solutions
• Advice and guidance to Application Development Teams

Question 16

7 Security Compliance

Answer 16

7. Security Compliance

• Check that all the security requirements are being met
• Patches
• Vulnerabilities
• Least Privilege
• Guidance from architects
• Any other requirements from the Policy
• Problem – Separation of Duty

Question 17

8 Risk Management

Answer 17

8. Risk Management

• Understand all the holes, all the outstanding issues
• Rate risks
• Prioritiseresolution
• Communicate risks
• Ensure that risks are owned and responded to

Problems:

• How do we rate risks and get people to accept them?
• What about operational risks?

Question 18

9 Physical Security

Answer 18

9. Physical Security

• Guard the doors!
• Security monitoring
• Check that physical security policy is implemented
  
  • Clear desk
  • Confidential information
  • Hardware / software
• Secure transportation
  
  • Hardware
  • Data
• Executive protection
• Problem – Trust, Separation of Duties

Question 19

10 Data Protection

Answer 19

10. Data Protection

• Regulatory Requirement
• Understand rules around PII, SPI
• Ensure rules are enforced
• Provide evidence to regulators

Question 20

11 Internal Audit

Answer 20

11. Internal Audit

• Check that everybody is doing everything right
• Provide evidence to executives
• Spot problems before they become an external problem
  
  • Regulators
  • Customer impact
  • Security impact

Problems:

• Separation of Duties
• Understanding of the complicated environment

Question 21

12 Regulatory & Audit Response

Answer 21

12. Regulatory & Audit Response

• Understand all other security-related regulations are in place
  
  • Sarbanes Oxley, J-Sox etc
  • Basel II / III, FSA, FED
  • HIPAA
  • …
• Provide Internal / External Audit with required information

Question 22

Pros and Cons of Security Outsourcing

Answer 22

Pros:

• May give you the skills you lack
• Contracts give some security
• Cost known up-front

Cons:

• No gurantee that outsourcer will do as asked
  
  • regulators only care about responsibilities/accountablity
• Anything you don’t include in the contract will cost you a lot of money later
• Outsourcers are very good at doing what THEY want to do
  
  • Offshoring
  • Automating
• Outsourcers have their own problems
  
  • Attrition
  • Doing stuff you couldn’t do for less money than they charge you
• If you don’t have the skills to do the security work, how can you check?
  
  • A new team – Security Outsourcer Checking team!

Question 23

Conclusion and Predictions

Answer 23

• This won’t get any easier
• Security Organisations will get even bigger and better funded
• Governance and compliance will become even more important
• Risk Management will gain increasing focus
• Outsourcing will become increasingly regulated
• InfoSec Management will develop into a much more professional discipline
• InfoSec skills will become increasingly sought-after