Board Member Security

This is my presentation for the Scandinavian ISACA conference in Oslo, Monday April 4, 2011. Please contact me if you have any questions or comments.

Published in: Technology, News & Politics

  1. Board Member Security
     Per Thorsheim
     CISA, CISM, CISSP-ISSAP
     Security coordinator
     April 4, 2011
  2. The Codes of Conduct Dilemma
     Organisation: General assembly, Bedriftsforsamling (corporate assembly, Norway), Board of Directors, CEO, Executive board, Chief Security Officer (CSO)
     Documents: Codes of Conduct, Security policy, Standards, Guidelines
     ?
  3. Company (Security) policy
     ISACA 4 April 2011 – Per Thorsheim
     Requirement: May require that all users use a PC + phone provided by the company
     Challenge: A practical challenge for people who are members of many boards
     Requirement: Requires separation between work and other private (work) engagements
     Challenge: Easily broken by the above practical challenge
     Requirement: Requires hardening and periodic updating
     Challenge: If the computer is personal, then it is by definition insecure and "illegal" to use
     Requirement: Disallows the sharing of accounts / passwords
     Challenge: Personal assistant to the xxx may be a practical challenge to solve
  4. [image slide]
  5. HACKED
  6. The Codes of Conduct Dilemma
     Directors Liability Assurance ("Styreansvarsforsikring" in Norway)
     (Gross) negligence will impact the assurance agreement
     If the board does not comply with (their own) Codes of Conduct and/or security policy, will that be considered (gross) negligence by the insurance company?
  7. Recommendations (work in progress)
     Use of personal PC: Disallowed. PC from company
     Remote access: Terminal server with 2-factor
     Printouts: Cross-cut shredder
     Electronic documents: MS Office password protection
     E-mail: Encrypted attachments
     Leaving the board: Standard company routine
     Problems?: VIP customer service (CSO)
     CSO / IA: "Right to audit"?
     NASDAQ Directors Desk?
  8. Primary insiders
     Primary insider: A person who is a member of the board of directors or management of a listed company, or who is associated with the company in some other way, and who is therefore subject to certain requirements in respect of trading and reporting trades carried out, cf. Sections 3-1 and 2-6 of the Securities Trading Act. Each listed company is responsible for identifying its primary insiders, and is responsible for providing an up-to-date list of its primary insiders to Oslo Børs. Each primary insider is personally responsible for ensuring that the requirements imposed on him or her by the Securities Trading Act are adhered to.
  9. Definition of Primary insiders
  10. Example list of primary insiders (no names shown)
  11. However…
     (this is the point where I start to get difficult and annoying…)
  12. Externals: Access to inside information
     Who: Advertising agency, Communications agency, Translation service, External auditor
     How: E-mail (usually unencrypted), E-mail with attachments (usually unencrypted), Postal mail, Mail by courier, Fax (for signatures!), Phone conference service
     Risks: (Norwegian) post, Postal courier, E-mail MitM attacks
     http://www.edb.com/Documents/Articles/E-post_sikkerhet_i_Norge.pdf
  13. Internals: Access to inside information
     LEGAL vs technical access: Domain Admins, helpdesk
     Unauthorized access should be logged and prosecuted: Administrative access is not logged (it is technically "legal")
     Company encryption (PCI): Same problem with admins
     End-to-end encryption (personal): Difficult, requires education
  14. Third-party access to insider information
     Non-Disclosure Agreements (NDA) widely used: reactive control
     NDA seems to be considered a proactive control (?)
     Detective controls seem rare
     Security requirements in contracts seem sparse ("Trust" is common)
  15. Recommendation (the "easy" one…)
  16. Last, but not least: Passwords^11
     2-day conference on passwords & PINs only
     Attacks, defenses, forensics and usability aspects covered
     Panel discussion: "Will we ever get rid of passwords?"
     Bergen (Norway), June 7-8
     Free for all (limited seats available)
     International speakers
     In collaboration with: University of Bergen, Professor Tor Helleseth
     Sponsored by NISNET
     Free live streaming on ustream.tv
     securitynirvana.blogspot.com & Twitter: #passwords11