Board Member Security
This is my presentation for the Scandinavian ISACA conference in Oslo, Monday April 4, 2011. Please contact me if you have any questions or comments.

  1. Board Member Security
     Per Thorsheim, CISA, CISM, CISSP-ISSAP
     Security coordinator
     April 4, 2011

  2. The Codes of Conduct Dilemma
     Governance chain: General assembly -> Bedriftsforsamling (corporate assembly, Norway) -> Board of Directors -> CEO -> Executive board -> Chief Security Officer (CSO)
     Rule chain: Codes of Conduct -> Security policy -> Standards -> Guidelines
     ? (do the rules issued down the chain bind the board itself?)

  3. Company (Security) policy
     ISACA 4 April 2011 – Per Thorsheim
     Policy requirement -> practical challenge for a board member:
     - May require that all users use a PC and phone provided by the company -> a practical challenge for people who are members of many boards
     - Requires separation between work and other private (work) engagements -> easily broken by the above practical challenge
     - Requires hardening and periodic updating -> if the computer is personal, then it is by definition insecure and "illegal" to use
     - Disallows the sharing of accounts / passwords -> the personal assistant to the xxx may be a practical challenge to solve

  4. (no text on this slide)

  5. HACKED

  6. The Codes of Conduct Dilemma
     Directors' liability insurance ("styreansvarsforsikring" in Norway)
     (Gross) negligence will affect the insurance agreement
     If the board does not comply with (their own) Codes of Conduct and/or security policy, will that be considered (gross) negligence by the insurance company?

  7. Recommendations (work in progress)
     - Use of personal PC: disallowed; PC from the company
     - Remote access: terminal server with 2-factor authentication
     - Printouts: cross-cut shredder
     - Electronic documents: MS Office password protection
     - E-mail: encrypted attachments
     - Leaving the board: standard company routine
     - Problems?: VIP customer service (CSO)
     - CSO / IA: "right to audit"?
     - NASDAQ Directors Desk?

  8. Primary insiders
     Primary insider: A person who is a member of the board of directors or management of a listed company, or who is associated with the company in some other way, and who is therefore subject to certain requirements in respect of trading and reporting trades carried out, cf. Sections 3-1 and 2-6 of the Securities Trading Act. Each listed company is responsible for identifying its primary insiders, and is responsible for providing an up-to-date list of its primary insiders to Oslo Børs. Each primary insider is personally responsible for ensuring that the requirements imposed on him or her by the Securities Trading Act are adhered to.

  9. Definition of primary insiders

  10. Example list of primary insiders (no names shown)

  11. However...
     (this is the point where I start to get difficult and annoying...)

  12. Externals: Access to inside information
     Advertising agency, communications agency, translation service, external auditor
     E-mail (usually unencrypted); e-mail with attachments (usually unencrypted); postal mail; mail by courier; fax (for signatures!); phone conference service
     (Norwegian) post; postal courier; e-mail MitM attacks

  13. Internals: Access to inside information
     - LEGAL vs technical access: Domain Admins, helpdesk
     - Unauthorized access should be logged and prosecuted: administrative access is not logged (it is technically "legal")
     - Company encryption (PCI): same problem with admins
     - End-to-end encryption (personal): difficult, requires education
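Slides 12 and 13 make one technical point: e-mail and attachments travel unencrypted between the company and its externals, and "company encryption" does not help against the company's own Domain Admins, because they administer the servers that hold the key. Only end-to-end encryption with a key held personally by the board member takes the admins out of the trust boundary. The Go program below is an added example, not code from the presentation, that shows the difference concretely: the same board paper is sealed once under a company-held AES key (which an admin holding that key opens) and once end-to-end to a board member's X25519 public key (which the admin cannot open with either his own key pair or the company key). The sample document text, the key names and the choice of X25519 plus AES-GCM with a bare SHA-256 as key derivation are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample document for this example; not from the presentation.
const sampleBoardPaper = "Board paper 4/2011: proposed acquisition of Example AS (inside information)"

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealWithKey returns nonce || ciphertext || tag under a 32-byte key. "Company
// encryption" is this with a key the company keeps on its own servers, so whoever
// administers those servers (Domain Admins, helpdesk) can open every document.
func SealWithKey(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenWithKey reverses SealWithKey; the GCM tag check fails for any other key.
func OpenWithKey(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short: %d bytes", len(sealed))
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// EncryptE2E encrypts doc to the recipient's X25519 public key and returns the
// sender's one-time public key (sent in the clear) plus the sealed document.
// That pair is all the mail server, and so its admins, ever see; the company
// holds no key that opens it, which is the point of "personal" end-to-end.
func EncryptE2E(recipient *ecdh.PublicKey, doc []byte) ([]byte, []byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	shared, err := eph.ECDH(recipient)
	if err != nil {
		return nil, nil, err
	}
	// A bare SHA-256 of the shared secret keeps the example short; production
	// code should derive the key with HKDF and bind it to sender/recipient info.
	key := sha256.Sum256(shared)
	sealed, err := SealWithKey(key[:], doc)
	if err != nil {
		return nil, nil, err
	}
	return eph.PublicKey().Bytes(), sealed, nil
}

// DecryptE2E runs on the board member's own device with their own private key.
func DecryptE2E(recipientPriv *ecdh.PrivateKey, ephPub, sealed []byte) ([]byte, error) {
	senderPub, err := ecdh.X25519().NewPublicKey(ephPub)
	if err != nil {
		return nil, err
	}
	shared, err := recipientPriv.ECDH(senderPub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	return OpenWithKey(key[:], sealed)
}

func main() {
	doc := []byte(sampleBoardPaper)
	companyKey := make([]byte, 32) // an all-zero key is fine for the demonstration
	sealed, _ := SealWithKey(companyKey, doc)
	_, err := OpenWithKey(companyKey, sealed)
	fmt.Println("company key, admin holding it:", err) // <nil>: readable

	member, _ := ecdh.X25519().GenerateKey(rand.Reader) // board member's personal key pair
	admin, _ := ecdh.X25519().GenerateKey(rand.Reader)  // an admin's own key pair
	ephPub, e2eSealed, _ := EncryptE2E(member.PublicKey(), doc)
	_, err = DecryptE2E(member, ephPub, e2eSealed)
	fmt.Println("end-to-end, board member:", err) // <nil>: readable
	_, err = DecryptE2E(admin, ephPub, e2eSealed)
	fmt.Println("end-to-end, admin:", err) // error: authentication failed
}
```

The "difficult, requires education" note on slide 13 is what this example cannot fix: the member's private key has to live on a device the member controls, and a company-managed PC with a company-managed key store turns the end-to-end scheme back into company encryption. In practice the same construction is what S/MIME or OpenPGP give you for e-mail attachments; the code above only shows why the admin's position changes.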
  14. Third-party access to insider information
     - Non-Disclosure Agreements (NDAs) widely used: a reactive control
     - NDA seems to be considered a proactive control (?)
     - Detective controls seem rare
     - Security requirements in contracts seem sparse ("trust" is common)

  15. Recommendation (the "easy" one...)

  16. Last, but not least: Passwords^11
     2-day conference on passwords & PINs only
     Attacks, defenses, forensics and usability aspects covered
     Panel discussion: "Will we ever get rid of passwords?"
     Bergen (Norway), June 7-8
     Free for all (limited seats available)
     International speakers
     In collaboration with: University of Bergen, Professor Tor Helleseth
     Sponsored by NISNET
     Free live
     Twitter: #passwords11