The future direction of information security good practice
Presentation to the JNSA
27 January 2010
Bill Caughie ISF Chief Operating Officer
www.securityforum.org ISF Copyright © 2010 Information Security Forum Limited 2
Agenda
1. Introduction to the Information Security Forum
2. What is good practice?
3. A look into the future
4. How good practice should evolve
5. Conclusion
Looking forwards from 2006…
Facing the future
An introduction to the Information Security Forum
The Information Security Forum
Is a not-for-profit Membership organisation
Has just under 300 Members who are large corporates or governments
Operates in many regions of the world
Delivers:
• Research on Members' security issues
• Benchmarking services
• Risk software and tools
• Publishes a standard
What is good practice?
Good practice
The ISF publishes a standard defining good practice every two years, based on its research with leading organisations across the world, in order to:
• respond to the needs of leading international organisations
• refine areas of best practice for information security
• reflect the most up-to-date thinking in information security
• remain aligned with other information security-related standards, such as ISO 27002 (17799) and COBIT v4.1
• include information on the latest ‘hot topics’.
The benefits of adopting good practice
Organisations adopting good practice can:
• Improve their information security policies, standards and procedures
• Measure the effectiveness of information security across the organisation
• Raise awareness of information security enterprise-wide
• Develop or improve information security controls
• Comply with internal and external information security requirements
• Undertake information risk analysis of important applications and systems.
How the standard is put together
A look into the future
Why look into the future?
In order to understand how good practice should change in the future, we need to understand what threats we will face in the future and how we should respond to them.
The ISF calls this the Threat Horizon.
What is the threat horizon?
A report that...
• identifies new and changing threats that are likely to impact information security over the next 24 months
• is written for both information security and business audiences
• informs information security strategy.
2009
Threat horizon methodology
Consider the world of the future and how this may give rise to information security threats, across five areas:
• Political
• Legal
• Economic
• Socio-cultural
• Technical
Threat horizon framework
2006 headlines
Unintentional actions will have the biggest business impacts
It’s not outside… it’s inside as well
More malware
Organised crime muscles in
Threats aren’t single anymore… they’re clustered
Look both ways – inside and out to the near horizon
And here’s the proof….
Source: Various, including BBC / The Register 2007 / InsideIDTheft.info
2006 predictions for 2008
2008
• Political: Instability, Energy, Terrorism
• Legal: Discovery, Compliance, Record Mgt
• Economic: Organised crime, Extreme Weather, E-economy
• Technical: New products, Digital convergence, Device convergence
• Socio-cultural: Home vs. work, Remote Working, Gen Y
2008 for 2010… What changed?
2010
• Political: Cyber-terrorism, Lack of trust, Terrorism
• Legal: Electronic evidence, Intellectual property, ID theft
• Economic: Organised crime, Complex ownership, Emerging economies
• Technical: Solar flares, Process control, Web 2.0
• Socio-cultural: Demographics, Corporate loyalty
Terrorism and organised crime are the only two threats to stay on the list.
The threats of 2010
The impact of the credit crunch
Succeeding in the new world order...
How good practice should evolve
Responding to the threat horizon
Information security controls that defend against threats are:
• Often part of a wider infrastructure project (e.g. firewall, network segregation)
• Sometimes difficult to justify to the business
AND
• Sometimes can take years to plan and deliver
THEREFORE
We need to start to plan controls for future threats NOW!
What do I do now? – at a strategic level
Re-assess the risks to your organisation and its information
• Inside and outside…
Change your thinking about threats
• Don’t rely on trends or historical data
Revise your information security arrangements
• Question ‘security as usual’
Focus on the basics
• That includes people, not just technology!
Prepare for the future
• Be ready to support initiatives such as cloud computing
What do I do now? – at a practical level
The ISF has produced recent research reports on these topics:
• Cloud computing
• Social networking
• Third party security
• Risk convergence
• Privacy
• Encryption
• Risk reporting
• Security audits
What do I do now? – at a practical level
With recommendations such as:
What do I do now? – at a practical level
Which will be incorporated into the next version of
Conclusion
Threats change quickly and in sophisticated and unexpected ways.
To compromise an organisation's information security, an attacker needs to find only one way to get around organisational defences.
Information security professionals, however, need to think of ALL the ways that this could happen.
Good practice in information security includes adopting known good practice, but also predicting future good practice in order to stay ahead of threats.
Thank you for your attention
Bill Caughie
Chief Operating Officer
E-mail: [email protected]
Web: www.securityforum.org