Business: Security & Privacy

Presentation given to BCS South Wales.

  1. Jeremy Hilton, with contributions from Pete Burnap and Anas Tawileh
  2.
     • The way people work is changing: ubiquitous Internet access
     • Web 2.0 technology and Cloud computing are supporting and driving a collaborative, on-demand culture
     • Virtual Organisations are frequently used to support collaborative, distributed working
       – Government Services (Transformational Government)
       – Medical (Patient Records)
       – Research (e-Research)
     • Inter-disciplinary organisations contribute content; others have access to the content
  3.
     • “In relation to rights, the Government believes piracy of intellectual property for profit is theft and will be pursued as such through the criminal law.”
     • “However, the Government also believes, and the evidence suggests, that most people, given a reasonable choice would much prefer not to do wrong or break the law…”
     • “Personal data is the new currency of the digital world. Privacy and security of that data is an increasingly critical issue.”
  4. (no text on slide)
  5. http://blog.stop-idfraud.co.uk/
  6. http://www.guardian.co.uk/media/blog/2009/oct/12/ukcrime-id-theft-rising
  7.
     • All organisations are unique.
     • Each organisation has its own culture and history.
     • Each organisation is inhabited (and its processes are undertaken) by its own unique group of people.
     • These people have their own perceptions (interpretations) of their role.
     • They have their own perceptions of the relationship of their role to the organisation's mission.
     • They have their own perceptions of the organisation's mission itself.
  8.
     • The range and nature of the multiple perceptions held by the people within an organisation are not necessarily consistent or uni-directional. (This gives rise to personal agendas, politics, and potential inter-personal conflict.)
     • These multiple perceptions cannot be ignored in any description that tries to be relevant to a specific organisation.
     • Most organisations are best described as a mess.
  9. How can you think about a Prison as a Human Activity System?
     • A system to remove rights and privileges (punishment)
     • A system to control interaction between offenders and the community (security)
     • A system to instil Society’s norms and values (rehabilitation)
     • A system to enhance criminal activity (criminal education)
  10.
     • Reality is not any one of these views.
     • Reality is some mixture of these views. There may be little (or no) agreement as to what this mixture is.
  11. Ref: Anas Tawileh, PhD Thesis 2009
  12. (diagram) Problem space: Business Purpose, Business Objectives, Business Information Needs. Solution space: Processes, Information Systems, Information Technology.
  13. (diagram: Porter's value chain) Support activities: Administration and infrastructure; Human resource management; Product/technology development; Procurement. Primary activities: Inbound logistics; Operations; Outbound logistics; Sales and marketing; Services. Value added minus cost = MARGIN.
     • Can we enhance the value added by that activity?
     • Is there an opportunity to reduce the cost of that activity?
     • Or eliminate that activity?
     • Can we use that activity to differentiate the organisation?
     Porter, M. E., Competitive Advantage, The Free Press, 1985
  14. (diagram) Supply chain: Their suppliers, Our suppliers, Us, Our distributors, Their retailers, Consumer; Our competition. Flows labelled Demand information and Supply information.
  15. (diagram) Information flows between Customer, Sales & Mktg, Order Fulfillment, Logistics, Operations, Product Development, Finance and Supplier, over Website, Extranet, Intranet and ERP. Items exchanged: Requirements, Support, Product Info, Invoice, Order, Product, Contracts, Forecast, Finished Goods, Product Ideas, Roadmap, Finished Goods P.O.s, Components & Materials.
  16. (word cloud) Hackers, Critical Infrastructures, Privacy, Copyright, Government, Trademark, Law Enforcement
  17. The Death of the Perimeter
     • (Banking) Business is conducted over networks
       – Multitude of connection points
       – Multitude of traffic types (protocols, content)
       – Complication!
     • Traditional perimeter security doesn’t scale:
       – For filtering of addresses or protocols
       – For management of multiple gateways
     • Mobile & wireless technology (largely) ignores the perimeter control
     • Most large corporates have leaky perimeters
     • Perimeter security does nothing about data flow and residence
  18.
     • Companies Act 2006
     • The Re-use of Public Sector Information Regulations 2005
     • Environmental Information Regulations 2004
     • Freedom of Information Act 2000
     • Electronic Communications Act 2000
     • Regulation of Investigatory Powers Act 2000
     • Data Protection Act 1998
     • Computer Misuse Act 1990
     • Copyright Designs and Patents Act 1988
     • Public Records Act 1967
     • Public Records Act 1958
     • Human Rights Act 1998
     • Software Licensing Regulations
  19. (chart) As dependency grows … IT security important? Source: http://www.berr.gov.uk/files/file45714.pdf
  20. (charts) Controls are improving; Security has changed. Source: http://www.berr.gov.uk/files/file45714.pdf
  21. (charts) But some big exposures remain; Most companies not doing enough.
     • Confidential information is increasingly at risk, especially in large organisations
     Source: http://www.berr.gov.uk/files/file45714.pdf
  22. (chart) Private Sector: % of Enterprises in UK and Employment, by size band (Micro, SME, Large)
  23.
     • Managers of SMEs are busy running their company, trying to survive in a very competitive environment
     • They rarely address anything that is not a legislative or regulatory requirement, and even then will often only comply if there is a penalty for not doing so
     • Will avoid spending money, and time is money, training is money
     • Rarely buy in expertise; staff are left to help each other and ‘learn on the job’
  24. Source: http://www.fsb.org.uk/policy/assets/inhibiting%20enterprise%20fsb%20fraud%20&%20online%20crime%20rpt.pdf
  25. Source: http://www.fsb.org.uk/policy/assets/inhibiting%20enterprise%20fsb%20fraud%20&%20online%20crime%20rpt.pdf
  26.
     • Not killing customers (food industry)
     • Cash flow
     • New orders/repeat business
     • Staffing
     • Legislation, Regulation
       – only so they can continue to trade
       – and directors not go to jail!
     • … and where does information security & privacy fit in?
  27. “you have zero privacy, get over it” Scott McNealy, 1999 http://www.wired.com/politics/law/news/1999/01/17538
     Article 8 of the European Convention on Human Rights states: Everyone has the right to respect for his private and family life, his home and his correspondence
  28. Process that enables organisations to:
     • anticipate and address likely impacts of new initiatives
     • Foresee problems
     • Negotiate solutions
     • Manage risks
     • Design systems to avoid unnecessary privacy intrusion
  29.
     • Requirement by law
     • Requirement of government organisational policy
     • Appreciation that the project has significant implications that should be the subject of investigation
     • Existing public concerns
  30. (diagram) Assets, Threats, Vulnerabilities, Risks, Analysis, Countermeasures, Management
  31. Security Standards: Cobit, ISO 27001
  32. #2 Define the information architecture
  33. and much more..
  34.
     • When developing policy (rules), it is critical to consider if and how they can be implemented.
     • For example, if the policy is that:
       – employees who breach a security rule, say, disclose information to someone unauthorised to see it, then they will be fired
  35.
     • People generally do what they want to do, even at work.
     • Hopefully this aligns with the organisation’s needs
       – incentivising; or
       – applying suitable sanctions.
     • May achieve short-term benefit, but the change is short-lived unless
       – fundamental change is achieved
       – staff have a belief in the desired result
  36.
     • Staff need to be involved, trained and supported.
     • Tools will be required in order to enable the desired controls on information and analysis/audit of use
     • Accountability and responsibility of staff must be clearly defined and agreed.
     “Tell me and I’ll forget. Show me and I’ll remember. Involve me and I’ll understand.” Old Chinese saying
  37. Adapting the creative commons approach for information classification and control
  38.
     • A set of licenses that are flexible enough to let you add as many or as few restrictions on your work as you like
     • Expressed in 3 different formats:
       – Lawyer-readable
       – Human-readable
       – Machine-readable
     • www.creativecommons.org
  39.
     • A set of classifications that are flexible enough to let you define and communicate the controls to be applied to your information
     • May be combined with creative commons licenses
     • Expressed in 3 different formats:
       – Security Officer-readable
       – Human-readable
       – Machine-readable
  40. Use
     • Confidentiality: RA – Restricted Access; PI – Personal Information; OO – Organisation Only; ND – Non-Disclosure; CA – Community Access; CG – Corporate Governance; OA – Open Access; SD – Safe Disposal; CU – Controlled Until
     • Integrity: AD – Approved for Disclosure; BY – Attribution (cc)
     • Authentication: AB – Authorised By; ND – Non-Derivatives (cc)
  41. Restricted Access
     • The information is restricted to the nominated recipients
     • The owner of the information will nominate the authorised recipients
     • The owner may delegate responsibility for nominating authorised recipients
  42. Personal Information
     • The information contains personal information and consideration must be made before sharing the information
     • This classification is likely to be used in conjunction with other labels such as cc
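The slides describe the classification scheme in three formats but show only the human-readable one. As an added example (not code from the slides, the author, or the PRIMADS project), the following Python gives the machine-readable form a concrete shape: the label codes are those listed on slide 40, the Restricted Access rules (nominated recipients, owner delegation) and the Personal Information rule (a consideration, not a refusal) follow slides 41 and 42, and the meaning assigned to OO, CA and OA, together with the names alice, bob, carol and Acme, is an assumption made for illustration. The evaluator is deny-by-default, so a document carrying no access label, or a label string with a typo, is refused rather than silently opened.

```python
"""Machine-readable form of the talk's information-classification labels.

Added example, not code from the slides or from the PRIMADS project. The
codes come from slide 40; the Restricted Access (RA) and Personal
Information (PI) rules follow slides 41 and 42; the handling of the other
codes (OO, CA, OA) is an assumption made for illustration.
"""
from dataclasses import dataclass, field

# Code -> human-readable name, as listed on slide 40. ND is shown on that
# slide both as Non-Disclosure and as the Creative Commons Non-Derivatives
# label; only the confidentiality meaning is recorded here.
LABELS = {
    "RA": "Restricted Access", "PI": "Personal Information",
    "OO": "Organisation Only", "ND": "Non-Disclosure",
    "CA": "Community Access", "CG": "Corporate Governance",
    "OA": "Open Access", "SD": "Safe Disposal", "CU": "Controlled Until",
    "AD": "Approved for Disclosure", "BY": "Attribution",
    "AB": "Authorised By",
}
# Labels that restrict who may read (assumed semantics for OO and CA).
RESTRICTIVE = {"RA", "OO", "CA"}


@dataclass
class Asset:
    owner: str
    organisation: str
    labels: set
    nominated: set = field(default_factory=set)   # RA: authorised recipients
    delegates: set = field(default_factory=set)   # RA: may nominate for the owner


@dataclass
class Requester:
    user: str
    organisation: str
    community_member: bool = False   # assumed meaning of CA (Community Access)


@dataclass
class Decision:
    allowed: bool
    denials: list
    notices: list


def parse_labels(text):
    """Parse the machine-readable string (e.g. 'RA PI') into a set of codes.
    Unknown codes are rejected so a typo cannot silently drop a control."""
    codes = set(text.upper().split())
    unknown = codes - set(LABELS)
    if unknown:
        raise ValueError(f"unknown classification codes: {sorted(unknown)}")
    return codes


def describe(codes):
    """The human-readable rendering of a label set."""
    return "; ".join(f"{c} ({LABELS[c]})" for c in sorted(codes))


def nominate(asset, by, recipient):
    """Slide 41: the owner nominates RA recipients and may delegate that duty."""
    if by != asset.owner and by not in asset.delegates:
        raise PermissionError(f"{by} is not the owner or an owner-appointed delegate")
    asset.nominated.add(recipient)


def may_read(asset, who):
    """Deny by default: access is granted only when every restrictive label on
    the asset is satisfied, or when the asset is Open Access and carries no
    restrictive label. PI never denies on its own; it is a notice that
    consideration is needed before sharing onward (slide 42)."""
    denials, notices = [], []
    labels = asset.labels
    if "RA" in labels and who.user != asset.owner and who.user not in asset.nominated:
        denials.append("RA: requester is not a nominated recipient")
    if "OO" in labels and who.organisation != asset.organisation:
        denials.append("OO: requester is outside the owning organisation")
    if "CA" in labels and not who.community_member:
        denials.append("CA: requester is not a member of the community")
    if "PI" in labels:
        notices.append("PI: contains personal information; consider before sharing onward")
    if not (labels & RESTRICTIVE) and "OA" not in labels:
        denials.append("no access label present: default deny")
    return Decision(allowed=not denials, denials=denials, notices=notices)


if __name__ == "__main__":
    # Constructed sample: a personnel record owned by alice at Acme (hypothetical names).
    record = Asset(owner="alice", organisation="Acme", labels=parse_labels("RA PI"))
    record.delegates.add("bob")
    nominate(record, "bob", "carol")   # bob holds delegated authority, so this succeeds
    print(describe(record.labels))
    for user in ("carol", "dave"):
        d = may_read(record, Requester(user, "Acme"))
        print(user, "allowed" if d.allowed else "denied", d.denials, d.notices)
```

Run as a script it prints the human-readable label text and then an allow for carol (nominated by a delegate) and a deny for dave; the PI notice appears on both decisions, which is the point of slide 42: the label prompts a judgement rather than blocking access by itself.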
  43. Avon & Somerset Criminal Justice Board - PRIMADS
  44.
     • Multi-Agency environment
       – Police
       – Courts Service
       – Probation Service
       – Lawyers
       – Social Services
       – Health, etc
     • Offender management
     • Privacy issues in data shared during arrest, prosecution and detention
     • Release under licence
  45.
     • Changing individuals’ behaviour such that:
       – the need for safe handling of information is understood & accepted; and
       – controls agreed and applied
     • Because the individuals choose to, not because they are told to.
  46. (no text on slide)
  47. (no text on slide)
  48.
     • ASCJS workshops confirmed the usefulness of the scenario-based risk assessment and icon-based approach for communicating controls
     • Identified a number of additional benefits that contributed to an increased understanding of the distributed community and the need for controls
     • In addition, they expressed an interest in the ability to implement a technical solution to provide fine-grained access to data-sharing in a collaborative, distributed environment
  49.
     • Know your staff
     • Ensure all understand the business and the part they play in its success
     • Be aware of your obligations
     • Discuss the issues and how they impact on the critical parts of your business
     • Involve staff
     • Agree controls, ensure accountability from top to bottom