governance, risk and consumerisation policy is the best honesty


TRANSCRIPT

Page 1: Governance, risk and consumerisation Policy is the best honesty

© NCC 2008 © The National Computing Centre 2011

Governance, risk and consumerisation

Policy is the best honesty

Page 2: Governance, risk and consumerisation Policy is the best honesty


From case-based research

• What is a policy?
• Why have one?
• Who is it for?
• How to write a policy?
• Where does it fit in?

Page 3: Governance, risk and consumerisation Policy is the best honesty


What’s the difference between...

• Policy
• Process
• Procedure
• Work instruction
• Standard
• Best practice
• Good practice

Page 4: Governance, risk and consumerisation Policy is the best honesty


What NCC members say about policies...

• Formality of process
• Checks and balances
• IT/business alignment
• Standardised framework
• Control framework for IT provision
• Scrutiny and feedback
• Demonstrable business process controls
• Infrastructure
• Legal control
• How IT is managed
• Legal and IT business alignment
• Operations framework
• Channel for communication
• Useful framework
• Hierarchy of responsibility and decision making
• Compliance
• Direction and control
• Setting the corporate direction
• Monitoring and measuring
• Strategy-objectives-direction-influence
• Pole on the tightrope...and an alarm clock
• Action for the right reasons
• Leadership, management, execution
• What...no portable storage policy already?
• Every conceivable help short of useful

Page 5: Governance, risk and consumerisation Policy is the best honesty


Top 10 risk assessment

1. ‘Soft squidgy things between chairs and keyboards’
– consistency with permanent and temporary staff, contractors etc.
– insider threats

2. Being in a state of forensic readiness – ‘cos stuff happens

3. Back up…basic activity?…but what’s the scope?
– Data on the network, data in the cloud, server in Huddersfield, data in Athens, you’re in Drumnadrochit with data on an end-user device*

4. Mobile devices…reliance…hostile take over

5. Mobile devices…ownership…what’s on them?

6. What’s the master data? Which is the copy?

7. Classification of information
– Establish the risk before shooting technology from the hip
– IA maturity – licensed to handle

8. Blurring of tools and defences

9. Time is money; social networking can be theft…data leakage
– ‘you can’t undisclose a disclosure’

10. SCADA…hostile take over

*Luggage in Amsterdam?

Page 6: Governance, risk and consumerisation Policy is the best honesty


Conclusion

Nothing new under the cloud

Page 7: Governance, risk and consumerisation Policy is the best honesty


BYOD...crackability

• y/n
• Risk culture
• Device off
– Unclassified
• Device on
– Protect
– Restricted
– Confidential
– Secret
– Top Secret

Page 8: Governance, risk and consumerisation Policy is the best honesty


Strength of the Human Firewall

[Figure: scatter plot of NCC member sectors. X axis: Attitude to Risk (0 to 2500). Y axis: Appetite for Risk (0 to 800). Quadrants labelled: Best appetite/worst attitude; Worst appetite/attitude; Worst appetite/best attitude; Best appetite/attitude. Sectors plotted: Charity, Education, Healthcare, Central Government, Construction, Law, Registered Social Landlord, Local Government, Insurance, Software, Utilities, Gambling.]

Chart annotations:
• Organisation is wholly reliant on enforced security policy to protect itself from risk
• Ideal zone: good balance of security policy with staff attitude
• Organisation with weak security may rely on its staff to protect itself from risk
• Organisation with weak security cannot rely on its staff to protect itself from risk

Page 9: Governance, risk and consumerisation Policy is the best honesty


Boiling down the numbers – what’s important?

Page 10: Governance, risk and consumerisation Policy is the best honesty


• IT team end up supporting a variety of unknown devices*
• But it keeps knowledge local and builds skills

*That there’s policy!

• KISS – Keep Interconnection Set-up Simple
• install/reinstall
• Fully automated
• SAP...prevent unset

This is reality Greg!

Page 11: Governance, risk and consumerisation Policy is the best honesty


Never start with a blank sheet of paper

• Purpose
– Why do we need it and what’s the risk of not having it?
• Scope
– What it applies to, and what – if anything – is excluded
• What the policy is
– Clear, pithy, and imperative
• How it’s monitored
– If it’s worth having, it’s worth checking
• What happens if the policy is breached
– Because Murphy was right
• What to do to enforce it
– Technology, awareness, or a mix of both
• Controls
– Processes, procedures and other related documents (the 'how to's)

Page 12: Governance, risk and consumerisation Policy is the best honesty


Purpose

• Huge portable storage
• iPads: can push out Apps but can't remove them
• Security checks for Apps
– iOS – yes
– Android – no
• Trojan risk
– Capture and transmit intercepted data
– Authentication details...and they’re in!

Page 13: Governance, risk and consumerisation Policy is the best honesty


Scope

• Pads, pods, and 'phones
• Operating systems
• Apps
• Encryption
– Device level encryption for off-line data
– Key management
• Data at rest, in transit

Page 14: Governance, risk and consumerisation Policy is the best honesty


What the policy is

• Password/pass code/PIN strength
• Kill switches
• Sandbox business data
• 'Patch'; up to date software
• Turn off facilities not in use
– Bluetooth?
– Wifi?
• On-line access only
• Whitelisting
• Only Apps from trusted sources
– Download like any other
• Back up
– Corporate policy
• Antivirus where available

Page 15: Governance, risk and consumerisation Policy is the best honesty


How it’s monitored

• Network monitoring
• Audit
– Ensure good intentions realised

Page 16: Governance, risk and consumerisation Policy is the best honesty


What happens if the policy is breached

• Build Security incident and Event management (SIEM) into your processes
• Remote erasure/'kill switches' from vendors enabled

Page 17: Governance, risk and consumerisation Policy is the best honesty


What to do to enforce it...

• Technical policy: network access
– Authentication protocol
– Access methods
– Two-factor authentication to VPN
• Use mobile device management product to enforce
– Encryption
– Screen locking
– Remote wiping
– Network sandbox

Page 18: Governance, risk and consumerisation Policy is the best honesty


Processes, procedures and other related documents

• Training
– Password/pass code/PIN protection
– Treat e-mail attachments with caution
– Most trusted friends may be compromised.
– Links caution
  • Do not assume search engine links are safe
  • Be sure of destination
• Acceptable/Conditional use
• Users: be prepared to accept policy
– Don't 'jail break'
– Only allow the Apps you push
– Do not allow Apps from App stores
• Admin: be prepared to wipe
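The policy sections on slides 11 to 18 (what the policy is, how it is monitored, what happens on a breach, and how it is enforced) describe controls that an MDM audit can check mechanically. The following is an added example, not code from the NCC presentation: it evaluates MDM-style device records against those bullet points (PIN strength, device encryption, screen locking, patching, app whitelisting, jailbreaking, antivirus where available) and maps the findings to the breach responses the slides name (deny network access, or remote wipe). The thresholds, the bundle identifiers in the approved-app list, the audit date and the three device records are all constructed assumptions; the slides name the controls but give no numbers.

```python
"""BYOD device compliance audit (added example, not from the NCC slides).

Checks MDM-style device records against the policy bullets on the
'What the policy is', 'How it's monitored', 'What happens if the policy is
breached' and 'What to do to enforce it' slides. All thresholds, bundle
identifiers and device records are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed policy thresholds (assumed; the slides name controls, not numbers).
POLICY = {
    "min_passcode_len": 6,        # Password/pass code/PIN strength
    "max_lock_timeout_s": 300,    # Screen locking
    "max_patch_age_days": 30,     # 'Patch'; up to date software
    # Whitelisting: only the Apps you push. Hypothetical bundle identifiers.
    "approved_apps": {"com.example.mail", "com.example.vpn", "com.example.mdm"},
}

# Date the audit is run; fixed so the example is reproducible (constructed).
AUDIT_DATE = date(2024, 1, 31)

# Finding strings as constants so callers can match on them.
F_JAILBROKEN = "jailbroken/rooted device"
F_ENCRYPTION = "device encryption off"
F_PATCH = "patch level older than policy allows"
F_ANTIVIRUS = "no antivirus on Android device"


@dataclass
class Device:
    """One record in the shape an MDM inventory export might give (constructed)."""
    device_id: str
    owner: str
    platform: str            # "ios" or "android"
    passcode_len: int        # 0 if no passcode is set
    encrypted: bool          # device-level encryption for off-line data
    lock_timeout_s: int
    jailbroken: bool
    last_patch: date
    apps: set = field(default_factory=set)
    antivirus: bool = False  # 'Antivirus where available'


def evaluate(dev: Device, policy: dict = POLICY, today: date = AUDIT_DATE) -> list:
    """Return the list of policy findings for one device (empty means compliant)."""
    findings = []
    if dev.jailbroken:                       # Don't 'jail break'
        findings.append(F_JAILBROKEN)
    if dev.passcode_len < policy["min_passcode_len"]:
        findings.append(f"passcode shorter than {policy['min_passcode_len']} characters")
    if not dev.encrypted:                    # Encryption: data at rest
        findings.append(F_ENCRYPTION)
    if dev.lock_timeout_s > policy["max_lock_timeout_s"]:
        findings.append(f"screen lock timeout above {policy['max_lock_timeout_s']} s")
    if (today - dev.last_patch).days > policy["max_patch_age_days"]:
        findings.append(F_PATCH)
    unapproved = sorted(dev.apps - policy["approved_apps"])
    if unapproved:                           # Only allow the Apps you push
        findings.append("unapproved apps: " + ", ".join(unapproved))
    if dev.platform == "android" and not dev.antivirus:
        findings.append(F_ANTIVIRUS)         # only expected where available
    return findings


def decide(findings: list) -> str:
    """Map findings to the breach response the slides describe.

    'wipe'  - remote erasure of the business sandbox (Admin: be prepared to wipe)
    'block' - deny network/VPN access until the device is brought into line
    'allow' - compliant; network access permitted
    """
    if F_JAILBROKEN in findings:
        return "wipe"
    if findings:
        return "block"
    return "allow"


def audit(devices: list) -> dict:
    """Run the audit over an inventory: device_id -> (findings, action)."""
    report = {}
    for dev in devices:
        findings = evaluate(dev)
        report[dev.device_id] = (findings, decide(findings))
    return report


# Constructed inventory records for the demonstration.
SAMPLE_DEVICES = [
    Device("dev-ios-01", "alice", "ios", 6, True, 120, False, date(2024, 1, 21),
           {"com.example.mail", "com.example.vpn"}),
    Device("dev-and-02", "bob", "android", 4, True, 600, False, date(2023, 11, 30),
           {"com.example.mail", "com.example.game"}, antivirus=False),
    Device("dev-ios-03", "carol", "ios", 8, True, 60, True, date(2024, 1, 25),
           {"com.example.mail"}),
]

if __name__ == "__main__":
    for dev_id, (findings, action) in audit(SAMPLE_DEVICES).items():
        detail = f" ({'; '.join(findings)})" if findings else ""
        print(f"{dev_id}: {action}{detail}")
```

The audit separates detection (`evaluate`) from response (`decide`) so the same findings can feed both the network monitoring step and the audit report that checks "good intentions realised"; a jailbroken device is the one condition that goes straight to the wipe response, since every other control on the list can be bypassed once the platform's sandbox is gone.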

Page 19: Governance, risk and consumerisation Policy is the best honesty


Page 20: Governance, risk and consumerisation Policy is the best honesty


Warning!

478

Page 21: Governance, risk and consumerisation Policy is the best honesty


Conclusion

• If it’s easy you are not doing it right
• Everything is more urgent than everything else
• Nothing is what it seems
• It’s never the right time to do anything
• The person who says it cannot be done should not interrupt the person doing it.

Chinese Proverb

Page 22: Governance, risk and consumerisation Policy is the best honesty
