Session 5: Standards in e-Government Procurement
Four simple observations on Information Security for Managers
William McDonald Buck, May 27, 2009



Observation 1: Know where the challenge is
The main management challenge of information security is not IT

Understand your information

Determine your risks

Set security policy

Technology skills can be hired, but only management can decide on risk mitigation and policy


Observation 2: Be wary of boundaries
Don't be confused by organizational or geographical boundaries

Security isn't something that happens at a perimeter

Trust isn't defined by paycheck, location, title, or network connection

Protect information with layers of security. Protected information can be anywhere. Trusted workers anywhere else.


Quote from IBM
For what it is worth...

“We guarantee the security ... and we also ensure the separation of workloads through the separation of the virtual machines and also the separation of client data in a shared database.”

“Why not take a solution from someone who in some sense can guarantee with their name that at least best practices are followed?”

“Service providers are much more likely to secure you than you would yourself...”

Kristof Kloeckner, IBM’s cloud computing CTO


Observation 3: First things first
Don't be distracted by technology or oversold by acronyms

Do the simple things

High payoff, low cost

Most attacks are simple

Most loss is from internal actors/mistakes

Know what risk you are addressing

Balance: attend to the windows as well as the doors


Observation 4: But protect your flexibility
Always insist upon standards for everything

Avoid sugar candy

You can find products with more features among the proprietary

You can find greater integration from a single vendor

You will regret doing it in the long run