Securing computer networks in youth houses

The information security policy in the youth houses

TCP Event - 18 February 2011

1. What is it made of?
2. What is being covered?
3. Why implement one?
4. How to implement it?

Introduction > What is information security?

3 main criteria:
• Confidentiality
• Integrity
• Availability

What do these criteria refer to? Everything that has a value to an organisation:
• computers / servers
• files

But also:
• paper documents
• communication tools
• buildings
• staff
• "secrets"

Introduction > What is information security?

Every day, everybody tries to protect themselves against risks.

How to define a risk?

The possibility for an attacker to exploit vulnerabilities and cause an impact.

Introduction > What is information security?

Example of a risk: the burglar

Vulnerability: keys under the carpet are the vulnerability of the door
Threat: a burglar (attacker) tries to get in
Impact: the burglar breaks furniture, steals money and causes trouble

Risk = Vulnerability x Threat x Impact

Introduction > What is information security?

Total security at 100% doesn't exist.

Can we succeed in reducing the risks and be fully protected?

The role of the information security policy

The information security policy serves to formalise and to coordinate all technical and organisational approaches to the security of an organisation.

The role of the information security policy

The information security policy is one solution:
• to ensure security on the three criteria (CID)
• that is not limited to computers
• for all information and resources:
  • oral
  • written on whatever medium (paper, electronic)
  • tools to manage and share information
  • buildings, staff, computers, …

2. What is being covered?


The basis of the information security policy

International standard ISO 27002:2005
• 11 security chapters
• 133 security measures

Information security policy blue-print for SME
• based upon ISO 17799:2000
• 10 security chapters
• selection of a subset of 41 security checks (non exhaustive)

http://www.cases.public.lu/publications/politique/

The 11 chapters of the information security policy

The 11 chapters of the information security policy > the 44 security checks (1)

The 11 chapters of the information security policy > the 44 security checks (2)

3. Why implement one?

Why implement an information security policy?

• Obligation to have means of protection
• Implementation of a consistent level of security
• Costs for the implementation
• Risk to privacy
• State of the art

Compliance with legislation

The Youth House has responsibilities with respect to the law in relation to its activities and its members:

• Protection of personal data
• IP / copyright
  • downloads
  • blogs
• Fight against inappropriate behaviour
  • paedophilia
  • viewing pornography in the presence of young children
  • violence, incitement to hatred
  • xenophobia
  • cyber bullying
  • …

Compliance with legislation

Protection of personal data

• Law of 2 August 2002 on the Protection of Individuals with regard to the processing of personal data - NCDB
  • declaration of data and their processing
  • authorisation request (if necessary)
  • data quality / legitimacy of the processing
  • right of objection of the people concerned

• Legal obligation to protect
• Justice recognises and punishes:
  • the responsibility of the author of the attack
  • the responsibility of the intermediary of the attack
  • the responsibility of the victim of the attack
  • failure to secure data in relation to the processing of personal data
  • 8 days to 1 year in prison and a 251 to 125,000 euro fine

• Any organisation must establish a certain level of security that is
  • coherent
  • adapted

Compliance with legislation

• The information security policy applies to all the members of the Youth House:
  • Committee
  • Educators / PIJ
  • Young people

It aims to inform and explain:
• their duties and obligations
• their responsibilities
• the consequences in case of non-respect of laws and regulations

in the areas of:
• information security
• IP
• protection of personal data

4. How to implement it?


The implementation of an information security policy

• Collaboration with a "pilot" Youth House
• Re-use of the information security policy blue-print for SME on www.cases.lu
• Adaptation to the specific context: National Youth Service, Youth House
• Proposition of a blue-print of an information security policy: it is one of many possible blue-prints, it is not THE blue-print

The 6 pillars of security

i. Awareness raising
• Committee's commitment to information security
• Involve the entire organisation of the Youth House in the implementation of the information security policy

ii. Identification and classification of assets and threats
• Identification of threats / risk assessment in order to identify the critical assets

iii. Defining responsibilities
• Make persons responsible depending on the assets and the associated risks

iv. Implementation of organisational and technical measures
• Implement controls / counter-measures to attain the security objectives

v. Continual reassessment of security
• Strive for continuous improvement of the overall information security management system

vi. Legal aspects

Implementation examples

Minimum security recommendations for Youth Houses

• Guarantee a separation of network zones
• Guarantee a level of security for the computers under the responsibility of the Youth House
• Propose an Internet filter for the "surf" computers
• Implement backup procedures

Implementation examples

Minimum security recommendations for Youth Houses

• Guarantee a separation of network zones
  • separation of the zones
  • implement access controls
• Guarantee a level of security for the computers under the responsibility of the Youth House
• Propose an Internet filter for the "surf" computers
• Implement backup procedures

Separation of network zones

• Definition of the four zones:
  • Internet
  • Surf
  • Multimedia
  • Office
• Separation of the zones and definition of the rules for inter-zone traffic
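The zone model above as a policy check, added here as an example that is not part of the deck or of SecureMJ: addresses are mapped to the four zones, inter-zone traffic is default-deny with an explicit allow list, and a constructed gateway log is checked for flows that break the rules. The subnets and the allowed flows are assumptions; the deck does not specify them.

```python
import ipaddress
import re

# Constructed example: the four zones named on the slide (Internet, Surf,
# Multimedia, Office). Subnets and allowed flows are assumptions for this example.
ZONES = {
    "Surf": ipaddress.ip_network("192.168.10.0/24"),
    "Multimedia": ipaddress.ip_network("192.168.20.0/24"),
    "Office": ipaddress.ip_network("192.168.30.0/24"),
}

# Allowed inter-zone flows as (source, destination) pairs. Anything not listed
# is denied: the "surf" PCs used by the young never reach the educators' Office
# zone, and nothing coming from the Internet reaches a local zone.
ALLOWED = {
    ("Surf", "Internet"),
    ("Multimedia", "Internet"),
    ("Office", "Internet"),
    ("Office", "Multimedia"),
}

def zone_of(ip):
    """Map an address to its zone; anything outside the local ranges is Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "Internet"

def is_allowed(src_ip, dst_ip):
    """Default-deny check of one flow against the inter-zone rules."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst and src != "Internet":
        return True  # traffic inside one local zone does not cross a zone boundary
    return (src, dst) in ALLOWED

LOG_LINE = re.compile(r"(\S+) -> (\S+):(\d+)")

def violations(log_lines):
    """Return the lines of a (constructed) gateway log whose flow breaks the rules."""
    return [line for line in log_lines
            if (m := LOG_LINE.search(line)) and not is_allowed(m.group(1), m.group(2))]

# Constructed sample log, format "time src -> dst:port".
SAMPLE_LOG = [
    "10:01 192.168.10.23 -> 203.0.113.10:80",     # Surf -> Internet: allowed
    "10:02 192.168.10.23 -> 192.168.30.5:445",    # Surf -> Office: violation
    "10:03 192.168.30.5 -> 192.168.20.7:80",      # Office -> Multimedia: allowed
    "10:04 203.0.113.10 -> 192.168.30.5:3389",    # Internet -> Office: violation
]
```

Running `violations(SAMPLE_LOG)` returns the two offending lines; the same check applied to the live access-control rules of the gateway is what "definition of the rules for inter-zone traffic" amounts to in practice.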

Separation of network zones

Possible adaptation of SecureMJ to all needs

Separation of network zones

Raise awareness for the correct usage of passwords

Implementation examples

Minimum security recommendations for Youth Houses

• Guarantee a separation of network zones
• Guarantee a level of security for the computers under the responsibility of the Youth House
  • anti-virus usage
• Propose an Internet filter for the "surf" computers
• Implement backup procedures

Guarantee a level of security for the computers

Example of a security control

• Anti-virus usage
  • regular updates
  • regular scans
  • installation on computers

http://www.cases.public.lu/fr/pratique/solutions/freeantivirus/
http://www.cases.public.lu/fr/publications/fiches/anti-virus/

+ Usage of a SecureMJ box
• Define an Access Control List for computers
• Do not give uncontrolled access to the computers of educators

Implementation examples

Minimum security recommendations for Youth Houses

• Guarantee a separation of network zones
• Guarantee a level of security for the computers under the responsibility of the Youth House
• Propose an Internet filter for the "surf" computers
  • filter the visited sites
  • manage the "surf" time
• Implement backup procedures

Internet filter for the "surf" computers

BEE SECURE tips

• Ideas:
  • limit surfing to "special" sites
  • usage of filters
• Manage the "surf" time:
  • the Youth House is not only a cyber café

Use the SecureMJ box

Implementation examples

Minimum security recommendations for Youth Houses

• Guarantee a separation of network zones
• Guarantee a level of security for the computers under the responsibility of the Youth House
• Propose an Internet filter for the "surf" computers
• Implement backup procedures
  • identify the data that has to be backed up
  • storage of backup media

Security back-up

Appoint a person responsible for backups

• Define:
  • the information to be backed up
  • the backup frequency
  • the backup media (CD, DVD, external hard disk, ...)
  • the location for backup storage
  • the security of the backed-up data

• Do not forget:
  • to regularly test back-ups
  • to store copies of paper documents
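Added example for the "regularly test back-ups" item, not code from the deck: a manifest of SHA-256 digests recorded at backup time lets the person responsible verify a restore and see which files came back missing or altered. File names and contents are constructed.

```python
import hashlib
import os
import tempfile

# Added example, not from the deck: record a digest per backed-up file, then
# compare a restored copy against that record. Names and contents are constructed.
def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each relative file path under root to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest

def verify_restore(manifest, restored_root):
    """Return the files that are missing or altered in the restored copy."""
    problems = {}
    for rel, digest in manifest.items():
        full = os.path.join(restored_root, rel)
        if not os.path.exists(full):
            problems[rel] = "missing"
        elif sha256_of(full) != digest:
            problems[rel] = "modified"
    return problems

def demo():
    """Constructed test: back up two files, then restore only one of them, altered."""
    with tempfile.TemporaryDirectory() as work:
        src, dst = os.path.join(work, "src"), os.path.join(work, "restore")
        os.makedirs(os.path.join(src, "members"))
        os.makedirs(os.path.join(dst, "members"))
        files = {"members/list.csv": b"name;birthdate\n", "policy.txt": b"v1\n"}
        for rel, data in files.items():
            with open(os.path.join(src, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(src)
        with open(os.path.join(dst, "members/list.csv"), "wb") as f:
            f.write(b"name;birthdate\r\n")  # silently altered during the restore
        return verify_restore(manifest, dst)

if __name__ == "__main__":
    print(demo())  # {'members/list.csv': 'modified', 'policy.txt': 'missing'}
```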


Deliverables

Information security policy implementation guide

Complete guide for the staff of the Youth House:
• Committee
• Educators
• Technical operators

Examples of applications, forms, tips, legal annexes

All this is not so complicated

• You all know the most important information of your Youth Houses
• You have already implemented security measures that are in the information security policy blue-print
  • just write down what you are doing or must do
  • ... and do not say that you do something you don't or can't do
• The information security policy blue-print gives you the bricks and the means to meet the security requirements that you must fulfil

To keep in mind

Security must not be an obstacle

2 key messages

Security is everyone's business

Everybody is responsible for the information security of the Youth House.

© Jostein Nordengen, Agder University College

Conclusion > Don't forget…

Security is organisation and awareness raising, plus technology.

Link CASES

• CASES - the information security portal: www.cases.lu
• Behaviour rules provided by CASES: www.cases.public.lu/fr/pratique/comportement/
• Fact sheets: www.cases.public.lu/fr/publications/fiches/
• Free anti-virus: www.cases.public.lu/fr/pratique/solutions/freeantivirus/
• Information security policy (SME): www.cases.public.lu/fr/publications/politique/
• BEE-SECURE: www.bee-secure.lu

Thank you for your attention

François Thill, [email protected]