INFORMATION SECURITY
THE NEXT GENERATION

13th World Electronics Forum
Israel

Christopher Joscelyne
Board Member & Membership Chairman
AEEMA

November 2007



Boundaries between personal and business computing have become difficult to define because everyone and everything is becoming linked.

In order to survive, enterprises must manage the new risks this environment creates.


SIGNIFICANT CHALLENGES

The enormous quantity of information assets in most organisations.

Assets' inherent vulnerabilities and the potential threats to their confidentiality, integrity, and availability.

Rapid adoption of new devices and methods of use inside and outside the enterprise.


SIGNIFICANT CHALLENGES

A variety of co-workers, with inconsistent attitudes to information security, working together and sharing information.

The many requirements for information security, including legal and regulatory, marketplace requirements from customers and partners, and corporate governance.


COMMON THREATS

Lost or stolen laptop computers (over 600,000 per year in the US, of which 97% are not recovered)

Lost or stolen PDAs (current estimate is double the number of lost or stolen laptop computers)

Lost or stolen USB flash memory devices (millions lost with no protection of the stored data)


LACK OF SKILLS IS A SIGNIFICANT PROBLEM

According to recent research, while 87 percent of organizations are confident that they can deal with viruses, spam and malware, only 35 percent feel they are able to deal with the prospect of lost data.

Kace Research Study – May 2007


INFORMATION SECURITY – KEY MOTIVATORS

Realization that corporate knowledge is a high value information asset that is worth protecting

Acceptance at boardroom level that protection of information assets is a corporate responsibility

Action at boardroom level to implement information security initiatives


NON-TECHNICAL TREND IN 2007

Induction process for new employees that communicates policy in clear non-technical language that is understood

Ongoing education programs to create and maintain a culture of respect for information and the need to protect it


TECHNICAL TREND IN 2007

New and emerging technologies that protect data without choking productivity, inside and outside the enterprise

Security is becoming embedded in the infrastructure

Convergence of disk encryption, removable media encryption, end point security, data loss protection, document content security and digital rights management into a suite of compatible modules


SOME PRACTICAL CONSIDERATIONS

“One size fits all” usually fails to meet the varying needs of enterprise employees

Granular approach to policy enforcement allows flexibility

Implementation must reflect levels of trust and encourage staff productivity

Greater tracking and auditing of incoming data and outgoing data creates reports that are meaningful for fine tuning of security policies


ENGAGING WITH VENDORS

Select “mix and match” modules from one or more vendors, based on your priorities, to ensure you get what you want, when you want it, using your available technical resources


THE TASKS FOR ASSOCIATIONS

Establish security policies that can be enforced

Guard information assets and protect data integrity

Audit and review all processes and procedures

Educate staff with an ongoing program that reinforces the value of information security

Maintain and develop a culture of security as a practical example to members and others who engage with or interact with the association


FURTHER INFORMATION

CHRISTOPHER JOSCELYNE

[email protected]@apro.com.au

SafeKnowledge®

AUSTRALIAN PROJECTS