Sustainable protection of critical corporate information

Presented at the 5th Middle East CIO Summit
Jeremy Hilton and Anas Tawileh
(C) Cardiff University
Agenda
- “Relevant” security
- Identifying critical information
- Determining risks
- Developing the controls
- Sharing control information
A REAL WORLD ORGANISATION
- RDs
- AN ‘ENTERPRISE’ MODEL RELEVANT TO THE REAL WORLD ORGANISATION
- INFORMATION SUPPORT
- LOCAL JUDGEMENT
- CRITICAL ACTIVITIES
- CRITICAL INFORMATION REQUIREMENTS
- A CONCEPT FOR INFORMATION ASSURANCE
- ASSESSMENT OF REAL WORLD SECURITY MEASURES
Managers of SMEs are busy running their company, trying to survive in a very competitive environment.
- They rarely address anything that is not a legislative or regulatory requirement, and even then will often only comply if there is a penalty for not doing so.
- They will avoid spending money; time is money, and training is money.
- They rarely buy in expertise; staff are left to help each other and ‘learn on the job’.
When developing policy (rules), it is critical to consider if and how they can be implemented.
For example, consider a policy that employees who breach a security rule, say by disclosing information to someone unauthorised to see it, will be fired.
People generally do what they want to do, even at work. Hopefully this aligns with the organisation’s needs.
- Incentivising, or applying suitable sanctions, may achieve a short-term benefit.
- The change is short-lived unless fundamental change is achieved: staff must have a belief in the desired result.
“Others inspire us, information feeds us, practice improves our performance, but we need quiet time to figure things out, to emerge with new discoveries, to unearth original answers.”
- Esther Buchholz
Staff need to be involved, trained and supported.
- Tools will be required in order to enable the desired controls on information and the analysis/audit of its use.
- Accountability and responsibility of staff must be clearly defined and agreed.

Tell me and I’ll forget
Show me and I’ll remember
Involve me and I’ll understand
- Old Chinese saying
#2 Define the information architecture
How to Use the Creative Commons Licenses
Creative Commons
Traffic Light Protocol philosophy mapped to the Business Impact and Control Categories

TLP colour and sensitivity:
RED   - HIGHLY SENSITIVE  - personal for named recipients only
AMBER - SENSITIVE         - limited distribution
GREEN - NORMAL BUSINESS   - business community wide
WHITE - PUBLIC            - unlimited distribution; uncontrolled (apart from legal recourse)

Business impact level and control category:
CATASTROPHIC  - Secured, Segregated
MATERIAL      - Secured
MAJOR         - Restricted
MINOR         - Controlled
INSIGNIFICANT - Controlled

TLP was developed to control information sharing between G8 countries; the business impact levels have been added.
Generic “Org X” Architecture Trust Model

Uncontrolled (Public): the uncontrolled environment outside the control of Org X.
Controlled: where the lowest levels of control are applied to manage information assets, with the prime goals of managing availability and compliance.
External Controlled: similar to the Controlled zone but owned/operated by an external organisation.
Restricted: the next higher level of security above Controlled. Access is restricted to authenticated users or processes. Most data processing and storage occurs here. Information access is limited to pre-defined groups made up of authenticated principals.
External Restricted: similar to the Restricted zone but owned/operated by a business partner. The trust relationship is stronger than that in the External Controlled zone. Information access is limited to groups of authenticated principals.
Secured: the most secured area within the architecture. Access should be limited to highly trusted principals. Information access is limited to named principals only.
External Secured: similar to the Secured zone but owned and operated by a business partner. The trust relationship between Org X and the business partner is stronger than in the Restricted zones. Information assets are distributed to named individuals only.
Managed: belongs to IT and is used to administer servers, network devices and other managed devices. May be implemented with secure sessions (SSH), separate out-of-band networks, or greater controls on admin devices.
A set of classifications that is flexible enough to let you define and communicate the controls to be applied to your information.
- May be combined with Creative Commons licenses.
- Expressed in 3 different formats: security-officer-readable, human-readable and machine-readable.
Label categories: Confidentiality, Authentication, Use, Integrity

Labels:
CA – Community Access
RA – Restricted Access
PI – Personal Information
OO – Organisation Only
ND – Non-Disclosure
CG – Corporate Governance
SD – Safe Disposal
CU – Controlled Until
AB – Authorised By
ND – Non-Derivatives (Creative Commons)
BY – Attribution (Creative Commons)
Organisation Only
- The information may be shared within the organisation, but is not to be disclosed outside.

Community Access
- The information is restricted to members of a community; generally multi-agency.
- Though it may change, membership of the community is controlled.
- All members of the community agree to specific terms and conditions.

Personal Information
- The information contains personal information and consideration must be made before sharing the information.
- This classification is likely to be used in conjunction with other labels such as

Non-Disclosure
- The information has been received under non-disclosure.
- The label will link to the specific terms of the NDA.
- This classification is likely to be used in conjunction with other labels such as
Examples:
- Medical record
- Personnel record
- Patent under development
- Published patent
- Draft annual report
- Approved report prior to release
- Post release
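The deck says each classification is expressed in a machine-readable form as well as a human-readable one, and the examples above (a draft report that becomes public on release, a medical record that carries personal information) are exactly the cases such a form has to handle. The block below is an added example, not code from the Cardiff University deck: it takes the label codes listed on the slides (OO, CA, RA, PI, ND, CU, AB), parses an assumed compact `CODE;CODE=value` syntax, renders it for a person, and answers "may this go to that audience?" including the Controlled Until case where the other controls lapse on a date. The syntax, the audience names (`internal`, `community`, `external`), the decision rules and the sample items are assumptions made for this illustration.

```python
"""Machine-readable information labels with a sharing check (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Label code -> human-readable name, as listed on the slides.
LABEL_NAMES = {
    "CA": "Community Access", "RA": "Restricted Access",
    "PI": "Personal Information", "OO": "Organisation Only",
    "ND": "Non-Disclosure", "CG": "Corporate Governance",
    "SD": "Safe Disposal", "CU": "Controlled Until", "AB": "Authorised By",
}
VALUED = {"CU", "AB"}                               # assumed: labels that carry a value
AUDIENCES = ("internal", "community", "external")  # assumed audience names
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)     # constructed "today" for the samples


@dataclass
class Label:
    code: str
    value: Optional[str] = None  # CU: ISO 8601 date-time with offset; AB: a principal


@dataclass
class Classification:
    labels: List[Label]

    def has(self, code: str) -> bool:
        return any(l.code == code for l in self.labels)

    def get(self, code: str) -> Optional[str]:
        return next((l.value for l in self.labels if l.code == code), None)


def parse_machine_label(text: str) -> Classification:
    """Parse the assumed compact form, e.g. 'OO;PI;AB=hr-lead'; reject bad labels."""
    labels = []
    for part in text.split(";"):
        if not part.strip():
            continue
        code, _, value = part.partition("=")
        code, value = code.strip().upper(), (value.strip() or None)
        if code not in LABEL_NAMES:
            raise ValueError(f"unknown label code: {code}")
        if (code in VALUED) != (value is not None):
            raise ValueError(f"label {code} has a missing or unexpected value")
        if code == "CU" and datetime.fromisoformat(value).tzinfo is None:
            raise ValueError("CU date-time must carry a UTC offset")
        labels.append(Label(code, value))
    return Classification(labels)


def is_valid_label(text: str) -> bool:
    try:
        parse_machine_label(text)
        return True
    except ValueError:
        return False


def human_readable(c: Classification) -> str:
    """The same labels rendered for a person."""
    return "; ".join(LABEL_NAMES[l.code] + (f": {l.value}" if l.value else "")
                     for l in c.labels)


def _authorised(c: Classification, who: Optional[str]) -> bool:
    ab = c.get("AB")
    return ab is not None and who is not None and ab.lower() == who.lower()


def may_share(c: Classification, audience: str, now: datetime,
              authorised_by: Optional[str] = None) -> Tuple[bool, str]:
    """Assumed rules: CU lapses all controls once passed; internal sharing is
    always allowed; OO and ND never leave the organisation; CA is community
    only; RA and PI outside the organisation need the named AB authoriser."""
    if audience not in AUDIENCES:
        raise ValueError(f"unknown audience: {audience}")
    cu = c.get("CU")
    if cu is not None and now >= datetime.fromisoformat(cu):
        return True, f"controls lapsed at {cu}"
    if audience == "internal":
        return True, "sharing within the organisation"
    if c.has("OO"):
        return False, "Organisation Only: not to be disclosed outside"
    if c.has("ND"):
        return False, "Non-Disclosure: governed by the NDA terms"
    if c.has("CA") and audience == "external":
        return False, "Community Access: community members only"
    if audience == "community" and not c.has("CA"):
        return False, "no Community Access label"
    for code in ("RA", "PI"):
        if c.has(code) and not _authorised(c, authorised_by):
            return False, f"{LABEL_NAMES[code]}: needs the named authoriser"
    return True, "no remaining label restricts this audience"


# Constructed sample items, loosely following the deck's examples slide.
SAMPLE_ITEMS = {
    "Medical record": "PI;RA;AB=hr-lead",
    "Draft annual report": "OO",
    "Approved report prior to release": "OO;CU=2024-03-31T08:00:00+00:00",
    "Multi-agency incident briefing": "CA;PI;AB=liaison",
}

if __name__ == "__main__":
    for name, text in SAMPLE_ITEMS.items():
        c = parse_machine_label(text)
        print(f"{name}: {human_readable(c)}")
        for audience in AUDIENCES:
            ok, why = may_share(c, audience, NOW)
            print(f"  {audience:9} {'allow' if ok else 'refuse'} ({why})")
```

Two design points carry over from the slides. Labels that only make sense alongside others (PI, ND) are modelled as modifiers that tighten whatever the base label allows, and Controlled Until is the one label that loosens: once the date passes, the "approved report prior to release" becomes "post release" without anyone relabelling it, so the deadline must be checked against a clock that cannot be ambiguous, which is why the parser refuses a CU value with no UTC offset.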
Thank You