TRANSCRIPT
© NCC 2008 © The National Computing Centre 2011
Governance, risk and consumerisation
Policy is the best honesty
From case-based research
• What is a policy?
• Why have one?
• Who is it for?
• How to write a policy?
• Where does it fit in?
What’s the difference between...
• Policy
• Process
• Procedure
• Work instruction
• Standard
• Best practice
• Good practice
What NCC members say about policies...
• Formality of process
• Checks and balances
• IT/business alignment
• Standardised framework
• Control framework for IT provision
• Scrutiny and feedback
• Demonstrable business process controls
• Infrastructure
• Legal control
• How IT is managed
• Legal and IT business alignment
• Operations framework
• Channel for communication
• Useful framework
• Hierarchy of responsibility and decision making
• Compliance
• Direction and control
• Setting the corporate direction
• Monitoring and measuring
• Strategy-objectives-direction-influence
• Pole on the tightrope...and an alarm clock
• Action for the right reasons
• Leadership, management, execution
• What...no portable storage policy already?
• Every conceivable help short of useful
Top 10 risk assessment
1. ‘Soft squidgy things between chairs and keyboards’
– consistency with permanent and temporary staff, contractors etc.
– insider threats
2. Being in a state of forensic readiness – ‘cos stuff happens
3. Back up…basic activity?…but what’s the scope?
– Data on the network, data in the cloud, server in Huddersfield, data in Athens, you’re in Drumnadrochit with data on an end-user device*
4. Mobile devices…reliance…hostile take over
5. Mobile devices…ownership…what’s on them?
6. What’s the master data? Which is the copy?
7. Classification of information
– Establish the risk before shooting technology from the hip
– IA maturity – licensed to handle
8. Blurring of tools and defences
9. Time is money; social networking can be theft…data leakage
– ‘you can’t undisclose a disclosure’
10. SCADA…hostile take over
*Luggage in Amsterdam?
Conclusion
Nothing new under the cloud
BYOD...crackability
• y/n
• Risk culture
• Device off
– Unclassified
• Device on
– Protect
– Restricted
– Confidential
– Secret
– Top Secret
[Chart: Strength of the Human Firewall – scatter plot of sectors by Attitude to Risk (x-axis, 0 to 2500) against Appetite for Risk (y-axis, 0 to 800)]
Sectors plotted: Charity, Education, Healthcare, Central Government, Construction, Law, Registered Social Landlord, Local Government, Insurance, Software, Utilities, Gambling
Quadrants: Best appetite/worst attitude; Worst appetite/attitude; Worst appetite/best attitude; Best appetite/attitude
Chart annotations:
– Organisation is wholly reliant on enforced security policy to protect itself from risk
– Ideal zone: good balance of security policy with staff attitude
– Organisation with weak security may rely on its staff to protect itself from risk
– Organisation with weak security cannot rely on its staff to protect itself from risk
Boiling down the numbers – what’s important?
• IT team end up supporting a variety of unknown devices*
• But it keeps knowledge local and builds skills
*That there’s policy!
• KISS: Keep Interconnection Set-up Simple
• install/reinstall
• Fully automated
• SAP ...prevent unset
This is reality Greg!
Never start with a blank sheet of paper
• Purpose
– Why do we need it and what’s the risk of not having it?
• Scope
– What it applies to, and what – if anything – is excluded
• What the policy is
– Clear, pithy, and imperative
• How it’s monitored
– If it’s worth having, it’s worth checking
• What happens if the policy is breached
– Because Murphy was right
• What to do to enforce it
– Technology, awareness, or a mix of both
• Controls
– Processes, procedures and other related documents (the 'how to's)
Purpose
• Huge portable storage
• iPads: can push out Apps but can't remove them
• Security checks for Apps
– iOS – yes
– Android – no
• Trojan risk
– Capture and transmit intercepted data
– Authentication details...and they’re in!
Scope
• Pads, pods, and 'phones
• Operating systems
• Apps
• Encryption
– Device level encryption for off-line data
– Key management
• Data at rest, in transit
What the policy is
• Password/pass code/PIN strength
• Kill switches
• Sandbox business data
• 'Patch'; up-to-date software
• Turn off facilities not in use
– Bluetooth?
– Wifi?
• On-line access only
• Whitelisting
• Only Apps from trusted sources
– Download like any other
• Back up
– Corporate policy
• Antivirus where available
How it’s monitored
• Network monitoring
• Audit
– Ensure good intentions realised
What happens if the policy is breached
• Build Security incident and Event management (SIEM) into your processes
• Remote erasure/'kill switches' from vendors enabled
What to do to enforce it...
• Technical policy: network access
– Authentication protocol
– Access methods
– Two-factor authentication to VPN
• Use mobile device management product to enforce
• Encryption
• Screen locking
• Remote wiping
• Network sandbox
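The controls listed under "What the policy is" and "What to do to enforce it" are the kind of rules an audit can check automatically ("if it's worth having, it's worth checking"). The Python below is an added example, not code from the NCC deck or from any mobile device management product: it evaluates constructed device inventory records against a subset of those rules (no jailbreak, device encryption, passcode strength, screen lock, patched OS, only pushed apps, antivirus where available) and maps the findings to an enforcement step. The record fields, the thresholds, the approved app list and the action names are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed thresholds for this example; a real policy sets its own values.
MIN_PASSCODE_LENGTH = 6
MIN_OS_VERSION = {"ios": "15.0", "android": "12.0"}
# "Only allow the Apps you push": anything outside this set is a finding (assumed list).
APPROVED_APPS = {"corp-mail", "corp-vpn", "corp-docs"}


def parse_version(text: str) -> Tuple[int, int, int]:
    """'15.4.1' -> (15, 4, 1); pads to three parts and treats non-numeric parts as 0."""
    parts = [int(p) if p.isdigit() else 0 for p in text.split(".")]
    parts = (parts + [0, 0, 0])[:3]
    return (parts[0], parts[1], parts[2])


@dataclass
class Device:
    name: str
    platform: str                      # "ios" or "android"
    os_version: str
    passcode_length: int
    encrypted: bool                    # device-level encryption for off-line data
    screen_lock: bool
    jailbroken: bool
    apps: List[str]
    antivirus: Optional[bool] = None   # None = not available on this platform


def evaluate(device: Device) -> List[Tuple[str, str]]:
    """Return (control, severity) findings for one device; an empty list means compliant."""
    findings = []
    if device.jailbroken:
        findings.append(("no jailbreak", "critical"))
    if not device.encrypted:
        findings.append(("device encryption", "high"))
    if device.passcode_length < MIN_PASSCODE_LENGTH:
        findings.append(("passcode strength", "high"))
    if not device.screen_lock:
        findings.append(("screen locking", "medium"))
    baseline = MIN_OS_VERSION.get(device.platform)
    if baseline is None:
        findings.append(("supported platform", "high"))
    elif parse_version(device.os_version) < parse_version(baseline):
        findings.append(("up-to-date software", "medium"))
    unapproved = sorted(set(device.apps) - APPROVED_APPS)
    if unapproved:
        findings.append(("only pushed apps: " + ", ".join(unapproved), "medium"))
    # "Antivirus where available": None (not available) is not a finding, False is.
    if device.antivirus is False:
        findings.append(("antivirus", "low"))
    return findings


def decide_action(findings: List[Tuple[str, str]]) -> str:
    """Map the worst finding to the enforcement step named on the slides."""
    severities = {sev for _, sev in findings}
    if "critical" in severities:
        return "remote-wipe-corporate-data"   # admin: be prepared to wipe
    if "high" in severities:
        return "block-network-access"         # keep it in the network sandbox until fixed
    if findings:
        return "notify-user"
    return "compliant"


def audit(inventory: List[Device]) -> dict:
    """Device name -> enforcement action, for the whole inventory."""
    return {d.name: decide_action(evaluate(d)) for d in inventory}


# Constructed inventory records (not real devices).
INVENTORY = [
    Device("alice-ipad", "ios", "16.2", 6, True, True, False, ["corp-mail", "corp-docs"], None),
    Device("bob-phone", "android", "11.0", 4, False, True, False, ["corp-mail", "game-x"], False),
    Device("carol-phone", "android", "13.0", 8, True, True, True, ["corp-vpn"], True),
]

if __name__ == "__main__":
    for dev in INVENTORY:
        print(dev.name, decide_action(evaluate(dev)), evaluate(dev))
```

Running the block audits the three constructed records: the iPad is compliant, the unencrypted Android with a four-digit PIN loses network access until fixed, and the jailbroken handset gets its corporate data wiped. The severity mapping is the policy decision the slides leave to the organisation; the code only makes it explicit and repeatable.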
Processes, procedures and other related documents
• Training
– Password/pass code/PIN protection
– Treat e-mail attachments with caution
– Most trusted friends may be compromised.
– Links caution
• Do not assume search engine links are safe
• Be sure of destination
• Acceptable/conditional use
• Users: be prepared to accept policy
• Don't 'jail break'
• Only allow the Apps you push
• Do not allow Apps from App stores
• Admin: be prepared to wipe
Warning!
478
Conclusion
• If it’s easy you are not doing it right
• Everything is more urgent than everything else
• Nothing is what it seems
• It’s never the right time to do anything
• The person who says it cannot be done should not interrupt the person doing it. (Chinese Proverb)