This is my presentation for the Scandinavian ISACA conference in Oslo, Monday April 4, 2011. Please contact if you have any questions or comments.
Board member Security
Per Thorsheim, CISA, CISM, CISSP-ISSAP
Security coordinator
April 4, 2011
The Codes of Conduct Dilemma
• General assembly
• Bedriftsforsamling (Norway)
• Board of Directors
• CEO
– Executive board
• Chief Security Officer (CSO)
Codes of Conduct
Security policy
Standards
Guidelines
?
Company (Security) policy
ISACA 4 April 2011 – Per Thorsheim
• May require that all users use a PC + phone provided by the company
• Requires separation between work and other private (work) engagements
• Requires hardening and periodic updating
• Disallows the sharing of accounts / passwords
• A practical challenge for people who are members of many boards
• Easily broken by the above practical challenge
• If the computer is personal, then it is by definition insecure and ”illegal” to use
• Personal assistant to the xxx may be a practical challenge to solve
HACKED
The Codes of Conduct Dilemma
• Directors Liability Assurance
• ”Styreansvarsforsikring” in Norway
• (Gross) Negligence will impact the assurance agreement
If the board does not comply with (their own) Codes of Conduct and/or security policy, will that be considered (gross) negligence by the insurance company?
Recommendations (work in progress)
• Use of personal PC
– Disallowed. PC from company
• Remote access
– Terminal server with 2-factor
• Printouts
– Cross-cut shredder
• Electronic documents
– MS Office password protection
• E-mail
– Encrypted attachments
• Leaving the board
– Standard company routine
• Problems?
– VIP customer service (CSO)
• CSO / IA: ”Right to audit”?
• NASDAQ Directors Desk?
Primary insiders
Primary insider
A person who is a member of the board of directors or management of a listed company, or who is associated with the company in some other way, and who is therefore subject to certain requirements in respect of trading and reporting trades carried out, cf. Sections 3-1 and 2-6 of the Securities Trading Act. Each listed company is responsible for identifying its primary insiders, and is responsible for providing an up-to-date list of its primary insiders to Oslo Børs. Each primary insider is personally responsible for ensuring that the requirements imposed on him or her by the Securities Trading Act are adhered to.
Definition of Primary insiders
Example list of primary insiders (no names shown)
However…
(this is the point where I start to get difficult and annoying…)
Externals: Access to inside information
• Advertising agency
• Communications agency
• Translation service
• External auditor
• E-mail (usually unencrypted)
• E-mail with attachments
– Usually unencrypted
• Postal mail
• Mail by courier
• Fax (for signatures!)
• Phone conference service
• (Norwegian) post
• Postal courier
• E-mail MitM attacks
http://www.edb.com/Documents/Articles/E-post_sikkerhet_i_Norge.pdf
Internals: Access to inside information
• LEGAL vs technical access
– Domain Admins, helpdesk
• Unauthorized access should be logged and prosecuted
– Administrative access is not logged (it is technically ”legal”)
• Company encryption (PCI)
– Same problem with admins
• End-to-end encryption (personal)
– Difficult, requires education
Third-party access to insider information
• Non-Disclosure Agreements (NDA) widely used: reactive control
• NDA seems to be considered a proactive control (?)
• Detective controls seem rare
• Security requirements in contracts seem sparse (”Trust” is common)
Recommendation (the ”easy” one…)
Last, but not least: Passwords^11
• 2-day conference on passwords & PINs only
– Attacks, defenses, forensics and usability aspects covered
– Panel discussion: ”Will we ever get rid of passwords?”
• Bergen (Norway), June 7-8
• Free-for-all (limited seats available)
• International speakers
• In collaboration with:
– University of Bergen, Professor Tor Helleseth
– Sponsored by NISNET
• Free live streaming on ustream.tv
• securitynirvana.blogspot.com & Twitter: #passwords11