Business: Security & Privacy

Jeremy Hilton, with contributions from Pete Burnap and Anas Tawileh

Posted 28 November 2014

DESCRIPTION

Presentation given to BCS South Wales.

TRANSCRIPT

Page 1: Business: Security & Privacy

Jeremy Hilton, with contributions from Pete Burnap and Anas Tawileh

Page 4: Business: Security & Privacy

• The way people work is changing: ubiquitous Internet access
• Web 2.0 technology and Cloud computing are supporting/driving a collaborative, on-demand culture
• Virtual Organisations are frequently used to support collaborative, distributed working:
  – Government Services (Transformational Government)
  – Medical (Patient Records)
  – Research (e-Research)
• Inter-disciplinary organisations contribute content; others have access to the content

Page 5: Business: Security & Privacy

“In relation to rights, the Government believes piracy of intellectual property for profit is theft and will be pursued as such through the criminal law.”

“However, the Government also believes, and the evidence suggests, that most people, given a reasonable choice would much prefer not to do wrong or break the law…”

“Personal data is the new currency of the digital world. Privacy and security of that data is an increasingly critical issue.”

Page 8: Business: Security & Privacy

http://blog.stop-idfraud.co.uk/

Page 9: Business: Security & Privacy

http://www.guardian.co.uk/media/blog/2009/oct/12/ukcrime-id-theft-rising

Page 10: Business: Security & Privacy

• All organisations are unique.
• Each organisation has its own culture and history.
• Each organisation is inhabited (and the processes are undertaken) by its own unique group of people.
• These people have their own perceptions (interpretation) of their role.
• They have their own perceptions of the relationship of their role to the organisation mission.
• They have their own perceptions of the organisation mission itself.

Page 11: Business: Security & Privacy

• The range and nature of the multiple perceptions related to the people within an organisation are not necessarily consistent or uni-directional. (This gives rise to personal agendas, politics, and potential inter-personal conflict.)
• These multiple perceptions cannot be ignored in any description that tries to be relevant to a specific organisation.
• Most organisations are best described as a mess.

Page 12: Business: Security & Privacy

How can you think about a Prison as a Human Activity System?
• A system to remove rights and privileges (punishment)
• A system to control interaction between offenders and the community (security)
• A system to instil Society’s norms and values (rehabilitation)
• A system to enhance criminal activity (criminal education)

Page 13: Business: Security & Privacy

• Reality is not any one of these views.
• Reality is some mixture of these views.
• There may be little (or no) agreement as to what this mixture is.

Page 15: Business: Security & Privacy

Ref: Anas Tawileh – PhD Thesis 2009

Page 16: Business: Security & Privacy

[Diagram spanning a Problem Space and a Solution Space, with the layers: Business Purpose; Business Objectives; Information Needs; Business Processes; Information Systems; Information Technology]

Page 17: Business: Security & Privacy

[Diagram: Porter’s value chain]

Support Activities: Administration and infrastructure; Human resource management; Product/technology development; Procurement

Primary Activities: Inbound logistics; Operations; Outbound logistics; Sales and marketing; Services

Value added – cost = MARGIN

• Can we enhance the value added by that activity?
• Is there an opportunity to reduce the cost of that activity, or eliminate that activity?
• Can we use that activity to differentiate the organisation?

Porter, M. E., Competitive Advantage, The Free Press, 1985

Page 18: Business: Security & Privacy

[Diagram: the organisation (Us) and its neighbours: Our suppliers, Their suppliers, Our distributors, Their retailers, Our competition and the Consumer, linked by flows of Demand information and Supply information]

Page 19: Business: Security & Privacy

[Diagram: the organisation’s Intranet, Extranet, Website and ERP link its functions (Product Development, Operations, Logistics, Finance, Sales & Mktg, Support) with Customer and Supplier. Flows shown: Ideas, Product Roadmap, Requirements, Forecast, Contracts, P.O.s, Order, Order Fulfillment, Invoice, Product Info, Product, Components & Materials, Finished Goods]

Page 20: Business: Security & Privacy

[Diagram: external forces on the organisation: Critical Infrastructures, Copyright, Trademark, Government, Law Enforcement, Hackers, Privacy]

Page 21: Business: Security & Privacy

The Death of the Perimeter

• (Banking) Business is conducted over networks
  – Multitude of connection points
  – Multitude of traffic types (protocols, content)
  – Complication!
• Traditional perimeter security doesn’t scale:
  – For filtering of addresses or protocols
  – For management of multiple gateways
• Mobile & wireless technology (largely) ignores the perimeter control
• Most large corporates have leaky perimeters
• Perimeter security does nothing about data flow and residence

Page 22: Business: Security & Privacy

• Companies Act 2006
• The Re-use of Public Sector Information Regulations 2005
• Environmental Information Regulations 2004
• Freedom of Information Act 2000
• Electronic Communications Act 2000
• Regulation of Investigatory Powers Act 2000
• Data Protection Act 1998
• Computer Misuse Act 1990
• Copyright Designs and Patents Act 1988
• Public Records Act 1967
• Public Records Act 1958
• Human Rights Act 1998
• Software Licensing Regulations

Page 23: Business: Security & Privacy

As dependency grows … IT security important?

http://www.berr.gov.uk/files/file45714.pdf

Page 24: Business: Security & Privacy

Controls are improving
Security has changed

http://www.berr.gov.uk/files/file45714.pdf

Page 25: Business: Security & Privacy

But some big exposures remain

  Confidential information is increasingly at risk, especially in large organisations

Most companies not doing enough

http://www.berr.gov.uk/files/file45714.pdf

Page 27: Business: Security & Privacy

[Charts: % of Enterprises in UK (Micro, SME, Large) and Private Sector Employment (SME, Large)]

Page 28: Business: Security & Privacy

• Managers of SMEs are busy running their company, trying to survive in a very competitive environment
• They rarely address anything that is not a legislative or regulatory requirement, and even then will often only comply if there is a penalty for not doing so
• They will avoid spending money; time is money, and training is money
• They rarely buy in expertise; staff are left to help each other and ‘learn on the job’

Page 29: Business: Security & Privacy

http://www.fsb.org.uk/policy/assets/inhibiting%20enterprise%20fsb%20fraud%20&%20online%20crime%20rpt.pdf

Page 30: Business: Security & Privacy

http://www.fsb.org.uk/policy/assets/inhibiting%20enterprise%20fsb%20fraud%20&%20online%20crime%20rpt.pdf

Page 32: Business: Security & Privacy

• Not killing customers (food industry)
• Cash flow
• New orders/repeat business
• Staffing
• Legislation, Regulation
  – only so they can continue to trade
  – and directors not go to jail!
• … and where does information security & privacy fit in?

Page 34: Business: Security & Privacy

“you have zero privacy, get over it” Scott McNealy 1999

http://www.wired.com/politics/law/news/1999/01/17538

Article 8 of the European Convention on Human Rights states:

Everyone has the right to respect for his private and family life, his home and his correspondence

Page 35: Business: Security & Privacy

• Process that enables organisations to
  – anticipate and address likely impacts of new initiatives
  – foresee problems
  – negotiate solutions
  – manage risks
  – design systems to avoid unnecessary privacy intrusion

Page 36: Business: Security & Privacy

• Requirement by law
• Requirement of government organisational policy
• Appreciation that the project has significant implications that should be the subject of investigation
• Existing public concerns

Page 37: Business: Security & Privacy

[Diagram: ASSETS, THREATS and VULNERABILITIES give rise to RISKS, which are addressed by COUNTERMEASURES; the two halves of the picture are labelled ANALYSIS and MANAGEMENT]

Page 39: Business: Security & Privacy

Security Standards - Cobit, ISO 27001

Page 40: Business: Security & Privacy

• #2 Define the information architecture

Page 44: Business: Security & Privacy

… and much more.

Page 45: Business: Security & Privacy

• When developing policy (rules), it is critical to consider if and how they can be implemented.
• For example, if the policy is that employees who breach a security rule (say, disclose information to someone unauthorised to see it) will be fired …

Page 46: Business: Security & Privacy

• People generally do what they want to do, even at work.
• Hopefully this aligns with the organisation’s needs:
  – incentivising; or
  – applying suitable sanctions.
• These may achieve a short-term benefit, but the change is short-lived unless
  – fundamental change is achieved, and
  – staff have a belief in the desired result.

Page 48: Business: Security & Privacy

  Staff need to be involved, trained and supported.

  Tools will be required in order to enable the desired controls on information and analysis/audit of use

  Accountability and responsibility of staff must be clearly defined and agreed.

Tell me and I’ll forget
Show me and I’ll remember
Involve me and I’ll understand

Old Chinese saying

Page 49: Business: Security & Privacy

Adapting the creative commons approach for information classification and control

Page 52: Business: Security & Privacy

• A set of licenses that are flexible enough to let you add as many or as few restrictions on your work as you like
• Expressed in 3 different formats:
  – Lawyer-readable
  – Human-readable
  – Machine-readable
• www.creativecommons.org

Page 53: Business: Security & Privacy

• A set of classifications that are flexible enough to let you define and communicate the controls to be applied to your information
• May be combined with creative commons licenses
• Expressed in 3 different formats:
  – Security Officer-readable
  – Human-readable
  – Machine-readable

Page 54: Business: Security & Privacy

Control dimensions: Use; Integrity; Confidentiality; Authentication

Label legend (shown as icons on the slide; the elements borrowed from Creative Commons are marked cc):
• OA – Open Access
• CA – Community Access
• OO – Organisation Only
• RA – Restricted Access
• PI – Personal Information
• ND – Non-Disclosure
• CG – Corporate Governance
• SD – Safe Disposal
• CU – Controlled Until
• AB – Authorised By
• AD – Approved for Disclosure
• BY – Attribution (cc)
• ND – Non-Derivatives (cc)

Note that the slide uses the code ND for both Non-Disclosure and the Creative Commons Non-Derivatives element; a machine-readable form needs two distinct codes.

Page 55: Business: Security & Privacy

Restricted Access
• The information is restricted to the nominated recipients
• The owner of the information will nominate the authorised recipients
• The owner may delegate responsibility for nominating authorised recipients

Page 56: Business: Security & Privacy

Personal Information
• The information contains personal information, and consideration must be given before sharing the information
• This classification is likely to be used in conjunction with other labels (shown as icons on the slide)
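The three formats on slide 53 (security-officer-readable, human-readable and machine-readable) can be carried by one small module, shown here as an added example in Python. This is not code from the presentation, from PRIMADS or from Creative Commons. The "ih:" wire format, the choice that CU and AB carry a value, and the enforcement rule for every code other than RA and PI are assumptions of this example; RA and PI behave as slides 55 and 56 describe, and the sample record at the end is constructed, not real case data.

```python
# Added example, not code from the presentation, PRIMADS or Creative Commons.
# Machine-readable label string -> parsed Label -> human-readable text, plus
# the security officer's rules applied to one sharing decision.
from dataclasses import dataclass, field
from datetime import date

LEGEND = {  # codes from the slide 54 legend; Non-Derivatives is left out
    # because it shares the code ND with Non-Disclosure on the slide
    "OA": "Open Access", "CA": "Community Access", "OO": "Organisation Only",
    "RA": "Restricted Access", "PI": "Personal Information", "ND": "Non-Disclosure",
    "CG": "Corporate Governance", "SD": "Safe Disposal", "CU": "Controlled Until",
    "AB": "Authorised By", "AD": "Approved for Disclosure", "BY": "Attribution",
}
PARAM_CODES = {"CU", "AB"}  # assumption: CU carries an ISO date, AB a name


@dataclass
class Label:
    codes: set
    params: dict


def parse_label(text):
    """Machine-readable form, e.g. 'ih:RA+PI+CU=2015-06-30' (assumed format).
    Unknown codes and missing or surplus values are rejected, not ignored."""
    if not text.startswith("ih:"):
        raise ValueError("label must start with 'ih:'")
    codes, params = set(), {}
    for part in text[3:].split("+"):
        code, _, value = part.partition("=")
        if code not in LEGEND:
            raise ValueError(f"unknown label code {code!r}")
        if code in PARAM_CODES:
            if not value:
                raise ValueError(f"{code} requires a value")
            params[code] = date.fromisoformat(value) if code == "CU" else value
        elif value:
            raise ValueError(f"{code} takes no value")
        codes.add(code)
    return Label(codes, params)


def render_human(label):
    """Human-readable form of the same label, codes in alphabetical order."""
    parts = []
    for code in sorted(label.codes):
        text = LEGEND[code]
        if code in label.params:
            text += f" {label.params[code]}"
        parts.append(text)
    return "; ".join(parts)


@dataclass
class Asset:
    owner: str
    organisation: str
    community: str
    label: Label
    nominated: set = field(default_factory=set)  # RA: owner or delegate nominates


@dataclass
class Recipient:
    name: str
    organisation: str
    community: str = ""
    nda_signed: bool = False


def may_share(asset, recipient, today, pi_consideration=None):
    """Security-officer-readable rules for one sharing decision.

    Returns (allowed, reasons); every failing rule is reported so the owner
    sees all blockers at once. A CU date in the past means the controls have
    lapsed (assumption). PI does not block on its own: slide 56 only asks
    that consideration be given, so a recorded justification satisfies it.
    """
    lab = asset.label
    if "CU" in lab.params and today > lab.params["CU"]:
        return True, [f"controls lapsed on {lab.params['CU']}"]
    reasons = []
    if "RA" in lab.codes and recipient.name not in asset.nominated:
        reasons.append("RA: recipient not nominated by the owner or a delegate")
    if "OO" in lab.codes and recipient.organisation != asset.organisation:
        reasons.append("OO: recipient is outside the owning organisation")
    if "CA" in lab.codes and recipient.community != asset.community:
        reasons.append("CA: recipient is outside the community")
    if "ND" in lab.codes and not recipient.nda_signed:
        reasons.append("ND: no non-disclosure agreement on record")
    if "PI" in lab.codes and not pi_consideration:
        reasons.append("PI: record why sharing the personal information is justified")
    return not reasons, reasons
```

Usage: `parse_label("ih:RA+PI+CU=2015-06-30")` gives a label that `render_human` prints as "Controlled Until 2015-06-30; Personal Information; Restricted Access"; calling `may_share` on an `Asset` carrying that label with a nominated `Recipient` is refused until a `pi_consideration` is recorded, and is allowed without further checks once the CU date has passed. Reporting every failing rule rather than stopping at the first is deliberate: it is the list the information owner needs in order to nominate, delegate or record a justification.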

Page 57: Business: Security & Privacy

Avon & Somerset Criminal Justice Board - PRIMADS

Page 58: Business: Security & Privacy

• Multi-Agency environment
  – Police
  – Courts Service
  – Probation Service
  – Lawyers
  – Social Services
  – Health, etc
• Offender management
  – Privacy issues in data shared during arrest, prosecution and detention
  – Release under licence

Page 59: Business: Security & Privacy

• Changing individuals’ behaviour such that:
  – the need for safe handling of information is understood & accepted; and
  – controls are agreed and applied
• Because the individuals choose to, not because they are told to.


Page 62: Business: Security & Privacy

• ASCJS workshops confirmed the usefulness of the scenario-based risk assessment and the icon-based approach for communicating controls
• They identified a number of additional benefits that contributed to an increased understanding of the distributed community and the need for controls
• In addition, they expressed an interest in the ability to implement a technical solution to provide fine-grained access control for data-sharing in a collaborative, distributed environment

Page 63: Business: Security & Privacy

• Know your staff
• Ensure all understand the business and the part they play in its success
• Be aware of your obligations
• Discuss the issues and how they impact on the critical parts of your business
• Involve staff
• Agree controls; ensure accountability from top to bottom