Securing computer networks in youth houses
The information security policy in the youth houses
TCP Event - 18 February 2011
Introduction > What is information security?
3 main criteria
• Confidentiality
• Integrity
• Availability
What do these criteria refer to? Everything that has a value to an organisation
• computers / servers
• files
But also
• paper documents
• communication tools
• buildings
• staff
• "Secrets"
Introduction > What is information security?
Every day, everybody is trying to protect himself against risks
How to define a risk?
The possibility for an attacker to exploit vulnerabilities and cause an impact
Introduction > What is information security?
Example of a risk: the burglar
Vulnerability: keys under the carpet is the vulnerability of the door
Threat: burglar (attacker) tries to get in
Impact: burglar breaks furniture, steals money and causes trouble
Risk = Vulnerability x Threat x Impact
Introduction > What is information security?
Total security at 100% doesn't exist
Can we succeed in reducing the risks and be fully protected?
The role of the information security policy
The information security policy serves to formalise and to coordinate all technical and organisational approaches to the security of an organisation
The role of the information security policy
The information security policy is one solution
• to ensure security on the three criteria (CID)
• that is not limited to computers
• for all information and resources
  • oral
  • written on whatever medium (paper, electronic)
• to manage and share information
• buildings, staff, computers, …
The basis of the information security policy
International standard ISO 27002:2005
• 11 security chapters
• 133 security measures
Information security policy blue-print for SME
• Based upon ISO 17799:2000
• 10 security chapters
• Selection of a subset of 41 security checks (non exhaustive)
http://www.cases.public.lu/publications/politique/
Why implement an information security policy?
• Obligation to have means of protection
• Implementation of a consistent level of security
• Costs for the implementation
• Risk to privacy
• State of the art
Compliance with legislation
The Youth House has responsibilities with respect to the law in relation to its activities and its members
• Protection of personal data
• IP / Copyright
  • Downloads
  • Blogs
• Fight against inappropriate behaviour
  • Paedophilia
  • Viewing pornography in presence of young children
  • Violence, incitement to hatred
  • Xenophobia
  • Cyber bullying
  • …
Compliance with legislation
Protection of personal data
• Law of 2 August 2002 on the Protection of Individuals with regard to processing of personal data - NCDB
  • Declaration of data and their processing
  • Authorization request (if necessary)
  • Data quality / legitimacy of processing
  • Right of objection of the people concerned
• Legal obligation to protect
• Justice recognizes and punishes
  • the responsibility of the author of the attack
  • the responsibility of the intermediary of the attack
  • the responsibility of the victim of the attack
  • failure to secure data in relation with the processing of personal data
• 8 days to 1 year in prison and 251 to 125,000 euro fine
• Any organisation must establish a certain level of security
  • coherent
  • adapted
Compliance with legislation
• The information security policy applies to all the members of the Youth House
  • Committee
  • Educators / PIJ
  • Young people
It aims to inform and explain
• their duties and obligations
• their responsibilities
• the consequences in case of non-respect of laws and regulations
in
• information security
• IP
• protection of personal data
The implementation of an information security policy
Collaboration with a "pilot" Youth House
Re-usage of the information security policy blue-print for SME on www.cases.lu
Adaptation to the specific context of the National Youth Service Youth House
Proposition of a blue-print of an information security policy
It's one of many possible blue-prints. It is not THE blue-print.
The 6 pillars of security
i. Awareness raising
• Committee's commitment to information security
• Involve the entire organization of the Youth House in the implementation of the information security policy
ii. Identification and classification of assets and threats
• Identification of threats / risk assessment in order to identify the critical assets
iii. Defining responsibilities
• Assign responsibility to persons depending on assets and associated risks
iv. Implementation of organisational and technical measures
• Implement controls / counter-measures to attain security objectives
v. Continual reassessment of security
• Strive for continuous improvement of the overall information security management system
vi. Legal aspects
Implementation examples
Minimum security recommendations for Youth Houses
• Guarantee a separation of network zones
• Guarantee a level of security for the computers under the responsibility of the Youth House
• Propose an Internet filter for the « surf » computers
• Implement backup procedures
Implementation examples
Minimum security recommendations for Youth Houses
• Guarantee a separation of network zones
  • Separation of the zones
  • Implement access controls
• Guarantee a level of security for the computers under the responsibility of the Youth House
• Propose an Internet filter for the « surf » computers
• Implement backup procedures
Separation of network zones
• Definition of the four zones
  • Internet
  • Surf
  • Multimedia
  • Office
• Separation of the zones and definition of the rules for inter-zone traffic
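As an added example (not from the slides or the CASES blue-print), an nftables ruleset that enforces one possible set of inter-zone rules for the four zones on a router with one interface per zone; the interface names and the rules themselves (every internal zone may reach the Internet, Office may reach Multimedia, nothing else crosses a zone boundary) are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not the slides' own configuration): one router interface per
# zone. Interface names and the inter-zone rules are assumptions.
flush ruleset

define internet_if = "eth0"
define surf_if     = "eth1"   # public "surf" computers
define media_if    = "eth2"   # multimedia workstations
define office_if   = "eth3"   # educators' computers and the file server

table inet youthhouse {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections a zone was allowed to open come back;
        # packets that belong to no tracked connection are dropped.
        ct state established,related accept
        ct state invalid drop

        # Any internal zone may open connections towards the Internet ...
        iifname { $surf_if, $media_if, $office_if } oifname $internet_if accept

        # ... and Office may open connections towards Multimedia (assumption:
        # educators administer the media workstations from the office).
        iifname $office_if oifname $media_if accept

        # Everything else (Surf -> Office, Surf -> Multimedia, Multimedia ->
        # Office, Internet -> any zone) is logged, then dropped.
        log prefix "zone-drop: " counter drop
    }
}
```

Load it with `nft -f` on the router; the `zone-drop:` log lines are where a cross-zone access attempt shows up first.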
Implementation examples
Minimum security recommendations for Youth Houses
Guarantee a separation of network zones
Guarantee a level of security for the computers under the responsibility of the Youth House
Anti-virus usage
Propose an Internet filter for the « surf » computers
Implement backup procedures
Guarantee a level of security for the computers
Example of a security control
• Anti-virus usage
  • regular updates
  • regular scans
  • installation on computers
http://www.cases.public.lu/fr/pratique/solutions/freeantivirus/
http://www.cases.public.lu/fr/publications/fiches/anti-virus/
+ Usage of a SecureMJ box
• Define an Access Control List for computers
  • Do not give uncontrolled access to the computers of educators
Implementation examples
Minimum security recommendations for Youth Houses
Guarantee a separation of network zones
Guarantee a level of security for the computers under the responsibility of the Youth House
Propose an Internet filter for the « surf » computers
  • Filter the visited sites
  • Manage the "surf" time
Implement backup procedures
Internet filter for the "surf" computers
BEE SECURE tips
• Ideas
  • Limit surfing to "special" sites
  • Usage of filters
• Manage the "surf" time
  • The Youth House is not only a cyber café
Use the SecureMJ box
Implementation examples
Minimum security recommendations for Youth Houses
Guarantee a separation of network zones
Guarantee a level of security for the computers under the responsibility of the Youth House
Propose an Internet filter for the « surf » computers
Implement backup procedures
  • Identify the data that has to be backed up
  • Storage of backup media
Security back-up
Appoint a person responsible for backups
• Define
  • information to be backed up
  • backup frequency
  • backup media (CD, DVD, external hard disk, ...)
  • location for backup storage
  • the security of backed-up data
• Do not forget
  • to regularly test backups
  • to store copies of paper documents
Deliverables
Information security policy implementation guide
Complete guide for the staff of the Youth House.
• Committee
• Educators
• Technical operators
Examples of applications, forms, tips, legal annexes
All this is not so complicated
• You all know the most important information of your Youth Houses
• You already have implemented security measures that are in the information security policy blue-print
  • Just write what you are doing or must do
  • ... and do not say that you do something you don't or can't do
• The information security policy blue-print gives you the bricks and the means to meet the security requirements that you must complete
2 key messages
Security is everyone's business
Everybody is responsible for the information security of the Youth House.
© Jostein Nordengen, Agder University College
Links CASES
CASES - the information security portal: www.cases.lu
Behaviour rules provided by CASES: www.cases.public.lu/fr/pratique/comportement/
Fact sheets: www.cases.public.lu/fr/publications/fiches/
Free anti-virus: www.cases.public.lu/fr/pratique/solutions/freeantivirus/
Information security policy (SME): www.cases.public.lu/fr/publications/politique/
BEE-SECURE: www.bee-secure.lu