Sustainable Protection of Critical Corporate Information
Presented at the 5th Middle East CIO Summit

    1. Jeremy Hilton and Anas Tawileh (C) Cardiff University
    2.
      • “Relevant” security
      • Identifying critical information
      • Determining risks
      • Developing the controls
      • Sharing control information
    24.
      • Managers of SMEs are busy running their company, trying to survive in a very competitive environment
      • They rarely address anything that is not a legislative or regulatory requirement, and even then will often only comply if there is a penalty for not doing so
      • They will avoid spending money, and time is money, training is money
      • They rarely buy in expertise; staff are left to help each other and ‘learn on the job’
    25.
      • When developing policy (rules), it is critical to consider if and how they can be implemented.
      • For example, if the policy is that:
        • employees who breach a security rule, say, disclose information to someone unauthorised to see it, then they will be fired
    26.
      • People generally do what they want to do, even at work.
        • Hopefully this aligns with the organisation’s needs
          • incentivising; or
          • applying suitable sanctions.
        • May achieve short-term benefit, but the change is short-lived unless
          • fundamental change is achieved
          • staff have a belief in the desired result
    27. “Others inspire us, information feeds us, practice improves our performance, but we need quiet time to figure things out, to emerge with new discoveries, to unearth original answers.” – Esther Buchholz
    29.
      • Staff need to be involved, trained and supported.
      • Tools will be required in order to enable the desired controls on information and analysis/audit of use.
      • Accountability and responsibility of staff must be clearly defined and agreed.
      “Tell me and I’ll forget. Show me and I’ll remember. Involve me and I’ll understand.” – old Chinese saying
    31. #2 Define the information architecture
    34. Creative Commons
    36. Traffic Light Protocol philosophy mapped to the Business Impact and Control Categories (developed to control information sharing between G8 countries; Business Impact levels added)

      TLP colour | Sensitivity      | Distribution
      RED        | Highly sensitive | Personal, for named recipients only
      AMBER      | Sensitive        | Limited distribution
      GREEN      | Normal business  | Business community wide
      WHITE      | Public           | Unlimited (apart from legal recourse); uncontrolled

      Business impact | Control category
      CATASTROPHIC    | Secured, segregated
      MATERIAL        | Secured
      MAJOR           | Restricted
      MINOR           | Controlled
      INSIGNIFICANT   | Controlled
    37. Generic “Org X” Architecture Trust Model
      • Uncontrolled (Public): the uncontrolled environment outside the control of Org X.
      • Controlled: where the lowest levels of control are applied to manage Information Assets, with the prime goals of managing Availability and Compliance.
      • External Controlled: similar to the Controlled Zone but owned/operated by an external organisation.
      • Restricted: the next higher level of security above Controlled. Access is restricted to authenticated users or processes. Most data processing and storage occurs here. Information access is limited to pre-defined groups made up of authenticated principals.
      • External Restricted: similar to the Restricted Zone but owned/operated by a business partner. The trust relationship is stronger than that in the External Controlled Zone. Information access is limited to groups of authenticated principals.
      • Secured: the most secured area within the architecture. Access should be limited to highly trusted principals. Information access is limited to named principals only.
      • External Secured: similar to the Secured Zone but owned and operated by a business partner. The trust relationship between Org X and the business partner is stronger than in the restricted zones. Information Assets are distributed to named individuals only.
      • Managed: belongs to IT and is used to administer servers, network devices and other managed devices. May be implemented with secure sessions (SSH), separate out-of-band networks or greater controls on admin devices.
    38.
      • A set of classifications that is flexible enough to enable you to define and communicate the controls to be applied to your information
      • May be combined with Creative Commons licences
      • Expressed in 3 different formats:
        • Security Officer-readable
        • Human-readable
        • Machine-readable
    39.
      • Confidentiality
      • Authentication
      • Use
      • Integrity
      Label codes: CA – Community Access; RA – Restricted Access; PI – Personal Information; OO – Organisation Only; ND – Non-Disclosure; CG – Corporate Governance; SD – Safe Disposal; CU – Controlled Until; AB – Authorised By; and the Creative Commons licence elements ND – Non-Derivatives and BY – Attribution.
    40. Organisation Only
      • The information may be shared within the organisation, but is not to be disclosed outside.
    41. Community Access
      • The information is restricted to members of a community, generally multi-agency.
      • Though it may change, membership of the community is controlled.
      • All members of the community agree to specific terms and conditions.
    42. Personal Information
      • The information contains personal information and consideration must be made before sharing the information.
      • This classification is likely to be used in conjunction with other labels such as the Creative Commons licence labels (icons on the original slide).
    43. Non-Disclosure
      • The information has been received under non-disclosure.
      • The label will link to the specific terms of the NDA.
      • This classification is likely to be used in conjunction with other labels such as the Creative Commons licence labels (icons on the original slide).
    44. Examples (the slide shows each with its label icons; the draft annual report carries a date-time group, DTG)
      • Medical record
      • Personnel record
      • Patent under development
      • Published patent
      • Draft annual report
      • Approved report prior to release
      • Post release
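As an added illustration, not code from the presentation or its authors, the following shows one way the label codes above could be carried in the machine-readable format the deck mentions, with a check of whether a proposed disclosure is consistent with the labels. The `OO;PI;CU:2025-01-31` syntax, the three audience categories and the reading of CU as an embargo date are assumptions.

```python
# Toy machine-readable encoding of the Org X information labels (added example).
# Assumed syntax, not given in the deck: labels separated by ';', optionally with
# a value after ':', e.g. "OO;PI;CU:2025-01-31".
from datetime import date

# Label codes from the deck; meanings paraphrased from its slides.
LABEL_NAMES = {
    "OO": "Organisation Only", "CA": "Community Access", "RA": "Restricted Access",
    "PI": "Personal Information", "ND": "Non-Disclosure", "CG": "Corporate Governance",
    "SD": "Safe Disposal", "CU": "Controlled Until", "AB": "Authorised By",
}
# Audience categories are an assumption layered on the deck's zone model.
AUDIENCES = ("organisation", "community", "external")


def parse_label(text):
    """Parse "OO;PI;CU:2025-01-31" into {"OO": None, "PI": None, "CU": date}."""
    labels = {}
    for part in filter(None, (p.strip() for p in text.split(";"))):
        code, _, value = part.partition(":")
        if code not in LABEL_NAMES:
            raise ValueError(f"unknown label code: {code}")
        labels[code] = date.fromisoformat(value) if code == "CU" else (value or None)
    return labels


def sharing_allowed(label_text, audience, today, authorised_by=None):
    """Return (allowed, reasons) for disclosing to `audience` on ISO date `today`.
    Checks paraphrase the deck's label definitions; CU is read as an embargo
    that keeps the item inside the organisation until the stated date."""
    if audience not in AUDIENCES:
        raise ValueError(f"unknown audience: {audience}")
    labels, reasons = parse_label(label_text), []
    external = audience != "organisation"
    if "OO" in labels and external:
        reasons.append("OO: not to be disclosed outside the organisation")
    if "CA" in labels and audience == "external":
        reasons.append("CA: restricted to members of the agreed community")
    if "CU" in labels and external and date.fromisoformat(today) < labels["CU"]:
        reasons.append(f"CU: controlled until {labels['CU'].isoformat()}")
    if "ND" in labels and external:
        reasons.append("ND: check the linked NDA terms before disclosure")
    if "PI" in labels and external:
        reasons.append("PI: personal information; review before sharing")
    if "AB" in labels and authorised_by != labels["AB"]:
        reasons.append(f"AB: release must be authorised by {labels['AB']}")
    return (not reasons, reasons)
```

The returned reasons are the human-readable rendering of the same labels, which is the point of expressing one classification in several formats.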