© 2011 IBM Corporation. All rights reserved.
Security & Communication
Agenda
Communication vs Information
The recipient's perception of security
Messages and punch lines
Wrap-up..
GOOD INFORMATION:
IS OBJECTIVE,
IN-DEPTH
AND RATIONAL
Source: Mench
GOOD COMMUNICATION:
IS SUBJECTIVE,
SUPERFICIAL
AND EMOTIONAL
Source: Mench
Where does your management stand...?
INFORMATION:
ADDRESSES THOSE WHO ARE PARTICULARLY INTERESTED
COMMUNICATION:
CAN INVOLVE THOSE WHO ARE NOT PARTICULARLY INTERESTED!
Source: Mench
Information or communication...?
CLOUD or
BYOD
Bring Your Own Device - BYOD

Purchase or reimburse?
In many businesses, employees are mobile — they work at customers’ sites, they go out in the field to procure materials or solicit new clients, and they’re expected to be on call nights and weekends. If your company is considering whether to provide employees with mobile phones or reimburse them for all or part of their personal cell phone expenses, you’ll want to consider the cost of each option. It makes sense to assume that the company will have more control over the phone if you purchase it in the company’s name, pay the monthly bills directly, and issue it to the employee. You should consult your attorney as to how this decision will affect legal issues that might arise regarding the use of the phone.
One consideration is that if the company purchases the smartphone, it owns the phone number assigned to that device. If the employee leaves the company, that phone number can be given to another employee. If the employee owns the phone and leaves the company, customers and other business contacts who had that phone number will no longer be able to use it to get in touch with the company.
You should also keep in mind that state laws vary widely, and employers and employees may have rights in one location that they don’t have in another.

Dedicated to business?
If the company buys and issues the phone and pays the phone bill, will employees be required to use their phones for business use only, and carry a second phone for their own personal use? If so, you should have a written policy stipulating this, and employees should sign an agreement to abide by the policy when they’re issued their phones.
Many companies tolerate a certain amount of personal use of the company-owned phone. If you decide to allow it, your policy should specify that employees will be required to pay for any services they access on the phone that cost extra, such as text messages, ringtone downloads, entertainment services, and navigation and mobile hotspot services (unless you pay for those so they can use them for business purposes).

Who owns the data?
An important consideration that you’ll want to clarify when you issue phones or reimburse employees is who owns the data stored on the devices. Smartphones are really miniature computers and can have all the same sorts of data on them as resides on a desktop or a laptop computer (email messages, customer contact information, company documents and spreadsheets, and so forth), but almost always in the case of employee-owned phones and often in the case of employer-owned phones, the users will also store personal data on their phones. Who owns what?
If you’re in a regulated industry, such as healthcare or financial services, it’s important to remember that you may be mandated to protect the confidentiality of personal data pertaining to clients. If you own the phones, you can select the models that are most secure, and ensure that they are running the most up-to-date version of the smartphone operating system. In addition, you can enforce encryption of the data stored on them.

Management issues
What if the company buys and issues the smartphones, but when an employee quits the job or is terminated, the employee refuses to return the phone? If the phone is in the company’s name, you should be able to contact the carrier and have the phone deactivated, and the number reassigned to someone else in the company.
Can you have the carrier use the phone’s GPS functionality (or the cell tower triangulation method) to track down the user and retrieve the phone? What legal action can you take against the employee? Can you file theft charges, or would you have to take the former employee to civil court to get a judgment requiring the phone to be returned to you? If you merely reimburse an employee’s mobile phone expenses, you wouldn’t have to worry about any of these issues since the employee would keep the phone. However, you still need to think about whether and how you can make the former employee remove company data from the phone. Can you require the phone’s storage be wiped (factory reset) to ensure that no company data is left on the device? If you have the technological capability to remotely wipe the phone, is it legal for you to do when the phone is owned by the employee?
Again, these are questions to ask your attorney in advance, and to take into consideration when you write your company policies governing cell phone use.

Employee monitoring
Another issue that you may want to consult your attorney about is whether you can legally track the employee’s movements via the company cell phone. If you do track the employee, do you have to inform the individual that you’re doing it? Can you track the employee during off-duty hours when they are carrying the company phone or only during business hours?
Can you require employees to keep their phones on all the time when they’re away from the office? If you do, will you have to pay them “standby pay” for that time? It’s technologically possible to turn a cell phone on remotely; is it legal for you to do this if an employee turns the phone off, and you want to get in touch and/or track their location?
Software is available for several phone platforms that can be installed on a cell phone to allow you to listen to and/or record conversations and remotely read call logs, email messages, and SMS messages. Is it legal for you to use such software to monitor your employees’ company-issued phones? Do you have to notify them that you’re doing so? These are questions you need to ask your attorney.

Liability issues
Another question to ask your attorney: What is the company’s liability if an employee uses a company-owned cell phone as a platform for launching an attack, hacking into a network or computer, downloading child pornography, harassing someone, or committing other illegal acts? Could a wronged party sue the company as well as the individual employee, claiming that by using company equipment, the employee was acting as a representative of the company?
It’s important for you to put policies in place that specifically prohibit employees from using company-issued phones for any illegal activities, or actions that would be likely to result in a civil suit. This helps protect the company by providing tangible evidence that the employee was acting outside the scope of employment.
What if the police need to seize the phone as evidence of a crime? The company may lose the use of it for a very long time as the case winds its way through the court system.
What if you purchase and issue a phone to an employee and it’s defective and overheats or explodes, causing an injury? Could the employee sue you for issuing the defective phone? These may seem like far-out scenarios, but it pays to be prepared for every eventuality.
Source: techrepublic.com
BYOD... an example of communication about one of the CIO's challenges
All devices, all locations, all systems
Standardisation, security & cost-effectiveness can co-exist with diversity
Agenda
Communication vs Information
The recipient's perception of security
Messages and punch lines
Wrap-up..
T: +10
The recipient's perception of security...
Consider your communication carefully:
– Who is the audience
• What prior knowledge do they have for understanding the topic
• Don't be afraid to get technical – but explain it
• Topics you can build on – strategy/hot topics
• The opponents matter more than the positive ones
– The medium you use
• Projector vs paper
• Email
– What are your key messages
• 2-3 key messages
• Use analogies – choose them with care
– Be prepared to be thrown off track
• Have a lifeline ready
• Play along with the direction that has been set
• Be aware of their agenda before and after (perspective)
Perspective...
The meeting with Søderberg and the IT security committee...
The visionary input from Peter Ecsery Merrens:
Imagine if...
Talking to top management...
What drives increased focus at the Board
Speaking time with the Board
The Board/C-suite often fear major security breaches or loss of key data, resulting in negative publicity and major negative impacts on the business
– Seen as a small set of risks that… can essentially take us out of business
– Registrations seen as treasured information
– A desire to avoid that ending up in the hands of competition/wrong customer
– Regulatory fines for inadequate security controls – data leakages
– (controls regarding insider tradeable information...)
Fewer than half of the respondents have presented to the Board in the previous twelve months
When they did present, topics included:
– Protecting customer data
– Securing mobile devices
– Dealing with hackers
– Options for tightening security
– Government regulations
– Actual security incidents in the company
Need versus motivation…
[Chart with two panels, "Where effort will be focused to prepare for security incidents" and "Factors driving growth of information security organization", ranked from More Mentions to Fewer Mentions. Items shown: Education of the organization; Improved processes; Additional staff; New technology; Outsourcing/Using managed provider; Professional development; Better communication and collaboration; Complexity of government regulations or industry standards; Internal threats; External threats; Importance of security to C-suite; N/A—Size will stay the same or shrink; Technology issues.]
• Many see education and new technology as the most important focus areas
• But it is often legislation and standards that secure the budget…
Examples are fine – but what about the "scare campaigns"...?
Agenda
Communication vs Information
The recipient's perception of security
Messages and punch lines
Wrap-up..
T: +30
Messages and punch lines...
Sources: IBM & ISF – www.securityforum.org
Messages and punch lines...
Zero-tolerance areas
Describe them at a high level
Measure and report on the results
Ensure management backing
Repeat them continually
The KPI / bonus effect
Messages and punch lines...
The average company’s computer infrastructure is attacked nearly 60,000 times every day.
- It’s time to take action…
Messages and punch lines...
Source: ISF – www.securityforum.org
Do you have a strategic approach to your security management?
Security management across all security domains?
Compliance with laws and regulations?
Improved ROI through simplification and the use of best practice?
The IBM Security Framework
Common Policy, Event Handling, and Reporting
Security Governance, Risk Management,and Compliance
Physical Infrastructure
People and Identity
Data and Information
Application and Process
Network, Server, and End Point
[Portfolio matrix: offerings by delivery model: Professional Services, Managed Services, Products, Cloud Delivered, New Offerings]
Security Governance, Risk and Compliance
Security Information and Event Management (SIEM) & Log Management
Identity & Access Management
Identity Management / Access Management
GRC
Data Security
Database Monitoring & Protection
Encryption & Key Lifecycle Management
Data Loss Prevention Data Entitlement Management
Data Masking
Messaging Security
E-mail Security
Application Security
Web / URL Filtering
Application Vulnerability Scanning
Access & Entitlement Management
Web Application Firewall
SOA Security
Infrastructure Security
Threat Analysis
Firewall, IDS/IPS MFS Management
Physical Security
Mainframe Security Audit, Admin & Compliance
Security Event Management
Security Configuration & Patch Management
Intrusion Prevention System
Endpoint Protection
Virtual System Security
Vulnerability Assessment
Managed Mobility Svcs
Do you have a strategic investment plan for the next 3-5 years?
Agenda
Communication vs Information
The recipient's perception of security
Messages and punch lines
Wrap-up..
T: +30
Rich pictures...?
Source: ISF – www.securityforum.org
[Rich picture labels: Business Partners, Supply Chain, Coffee Shop, Hotels, Home]
Inadequate, disjointed technology management
Rich pictures…?
Foes, Gremlins, and Banana Peels
Complexity can be necessary to increase understanding...
Source: ISF – www.securityforum.org
Humour...?
Simplification can be extremely effective...
When it comes to protecting your systems, it is first and foremost about one thing:
Reduce the critical vulnerabilities!
This applies to companies, data centres and public systems, as well as military or other critical-infrastructure IT installations...
Thank you – also for the questions...
Kim Aarenstrup, Security Industry Leader, IBM, [email protected]