STRATEGIES FOR DEVELOPING & IMPLEMENTING INFORMATION SECURITY POLICIES BASED ON ISO 27001: 2013
by Abdul-Hakeem Ajijola, Consultancy Support Services (CS2) Limited, info@consultancyss.com
Presented at the International Conference Centre, Abuja, Nigeria, 05 November 2015
Theme:
Hosted by the:
DEFINITIONS
ISO27001
• An international standard for an Information Security Management System (ISMS)
• Adopted by organizations regardless of type or size
• Published by the International Standard Organization (ISO): http://www.iso.org/iso/home/standards/management-standards/iso27001.htm
• Built from British Standard BS7799-2
Electoral Process
• A formal decision-making process in which a population chooses an individual to hold public office
• Must meet standards to be credible:
• Article 25 of the UN International Covenant on Civil and Political Rights (ICCPR of 1966)
• Article 21(3) of the Universal Declaration of Human Rights (1948)
• 1990 Copenhagen Document of the Conference on Security and Cooperation in Europe (CSCE)
• 2002 Venice Commission's Code of Good Practice in Electoral Matters
• OSCE Election Observation Handbook
• UN General Assembly resolution 63/163 (April 12, 2012)
Conventions, treaties, protocols, and guidelines:
• UN General Assembly
• Organization for Security & Cooperation in Europe (OSCE)
• Organization of American States (OAS)
• African Union (AU)
• United Nations member states
Electoral Integrity Project: https://sites.google.com/site/electoralintegrityproject4/home
ElectionGuide is provided by the International Foundation for Electoral Systems (IFES): http://www.electionguide.org/
PROCESS FLOW
SYSTEMS: DEMOCRATIC OR ELECTRONIC
ELECTRONIC & ELECTORAL PROCESS
Transparency, Integrity, Accountability, Confidentiality
TRUST
TRANSPARENCY
• Open access to how the system works
• Visibility of the key process
• Compliance
• Certification
INTEGRITY
• Preventing unauthorized modification of user's information
• Strong mechanism to prevent unauthorized changes to data (votes cast), including by an insider
CONFIDENTIALITY
• Prevent eavesdropping by third parties on communications
• User choices (cast ballots) collected anonymously
ACCOUNTABILITY
• Providing reliable, verified records effective for process auditing
WHY ISO 27001:2013
STRATEGIC APPROACH TO ISO27001:2013
Define the Implementation Scope
Draft ISMS Policy
Determine ISO 27001 Maturity Level
Design Risk Management Strategy
Perform Gap Analysis
LEARNING FROM THE PAST: MARCH 28, 2015
Source: http://www.vanguardngr.com/2015/03/inec-website-hacked/
ELECTORAL PROCESS
1. Legal Framework
2. Planning & Implementation
3. Training & Education
4. Voter Registration
5. Election Campaign
6. Voting Operations & Election Day
7. Verification of Results
8. Post-Election
LEGAL FRAMEWORK
Constitution
Legislation
• Develop & Review Information Security Policies
• ISO/IEC 27001 Certification Standard, Sections 5.1.1 & 5.1.2
Electoral System & Bodies
• Establish Procedures & Responsibilities
• Section 12.1
Codes of Conduct
• Personnel Security Management
• Logs to Record Security Events
• Sections 7 & 12.4
ENHANCING LEGAL FRAMEWORKS
Enhance the electoral process roadmap with key performance indicators for all INEC staff:
• Address process issues to facilitate incremental improvements
Develop storyboards to track progress:
• Permanent Voters Card tracking mechanisms
• Improve documentation of procedures and the electronic accountability process
• Track who did/took/got what, and when
Articulate a revised technology project management plan:
• Effective project accountability
PLANNING & IMPLEMENTATION
• Comply with Legal Security Requirements
• Section 18.1
Budgeting, Funding & Financing
• Personnel Security Management
• Supplier Relationship Management
• Sections 7 & 15
Recruitment & Procurement
• Physical & Operational Security Management
• Sections 11 & 15
Logistics and Security
IMPLEMENTATION ISSUES
Seek ways to add value to existing systems:
• Understand the fingerprint reader challenges and how to overcome these issues
Decide whether or not to develop a new voter register database:
• There have already been at least 3 voter database efforts
• The current administration's lack of appetite for expenditure unless proven to be essential
• INEC must explore possible alternative/complementary funding sources and lower-cost alternatives
For the existing voter registration databases, INEC will need to decide whether to:
• Merge the existing databases;
• Use one or more of the databases; or
• Start afresh
TRAINING & EDUCATION
Operational Training for Election Officials
• Deliver information security awareness programs
• Section 7.2.2
Civic & Voter Education
• Deliver information security awareness programs
• Section 7.2.2
CAPACITY BUILDING
• Facilitate a multi-stakeholder electoral ecosystem
• eLearning and e-Library platforms for continuous capacity building of permanent and ad hoc staff
• e-courses & apps on the electoral process for public awareness
• Online crowdsourcing allows reporting of voting irregularities
• Information can even be plotted onto an interactive online map with dashboards
VOTER REGISTRATION
Voter Registration
• Information Access Management
• Cryptography Policy Management
• Physical Security Management
• Operational Security Management
• Protect information transfers
• Sections 9, 10, 11, 12, & 13.2
Observers Accreditation
• Establish Procedures & Responsibilities
• Section 12.1
VOTER REGISTRATION MATTERS ARISING
Ensure INEC has requisite connectivity for online access and backup:
• Fibre optic between Headquarters, Regional Data Centres & State Offices
• Wireless connectivity between local accreditation and collation equipment
The 3 voter registration database efforts include:
• Chairman Guobadia: registration database with basic text
• Chairman Iwu: database added voter pictures
• Chairman Jega: database added fingerprint biometrics
Disparate voter databases:
• Merging structurally different databases is inherently problematic
• The database clean-up process is challenging
ELECTION CAMPAIGN
• Manage all user access rights
Media Access
• Personnel Security Management
Code of Conduct
VERIFICATION OF VOTERS DURING ELECTIONS
Explore alternative ways to mitigate the challenges of voter accreditation/authentication, comparing biometric databases as part of the INEC data clean-up process:
• National Identity Management Commission
• Immigration
• Population Commission
• Central Bank of Nigeria (Bank Verification Number)
• Federal Road Safety Corps (Driver's Licence)
• Nigerian Communications Commission (SIM Card Registration)
Fully activate INEC regional data, card reader production & data backup centres:
• Umuahia
• Dutse
• Abeokuta
VOTING OPERATIONS & ELECTION DAY
Special & External Voting
Voting
Voting Count
• Protect user authentication
• Control access to systems
• Cryptography Policy Management
• Physical Security Management
• Establish procedures and responsibilities
• Control your operational software
• Address your technical vulnerabilities
• Network Security Management
• Security Incident & Continuity Management
• Comply with security requirements
• Sections 9.3, 9.4, 10, 11, 12.1, 12.5, 12.6, 13, 16, 17, & 18.1
CARD READING PROCESS
"Card Reader" → "Read Card" → "Capture finger-prints" → Verify/Authorise → "Upload same to server?"
Many INEC applications are not online, including voter registration.
Ad hoc staff & non-core databases could be managed using cloud apps, with regular backups to the various INEC data centres, as a cost-cutting option.
Cloud processing options, while cost effective, have risks and limitations and can only be used for selective activities.
VERIFICATION OF RESULTS
Tabulation of results
• Comply with legal requirements
• Section 18.1
Official result
• Information Access, Cryptography Policy, Physical Security, & Operational Security Management
• Protect information transfers
• Security Compliance Management
• Sections 9, 10, 11, 12, 13.2, & 18
AUTHENTICATION
(Figure: Cowries, Gold, Cash, Cards, Electronic, crypto-currency?)
• Any method of verifying that someone is who they claim to be
POST-ELECTION
• Use logs to record events
• Identify & respond to incidents
• Sections 12.4 & 16.1
Audits & Evaluations
• Security Policy Management
• Section 5
Legal Reform
• Information Access Management
• Section 9
Archiving & research
ISO27001:2013 MATTERS ARISING
Compliance increases probability but does NOT guarantee absolute security
Compliance signifies managing security in line with standards
Weaknesses:
• Not following established processes
• Organizational commitment
• Lack of expertise
Requirements:
• Management's commitment
• Individual ownership & responsibility for information security
• Effective information security education & awareness
NEW VOTING TECHNOLOGY/ E-VOTING
Types of e-Voting systems:
• Punch-card: Holes punched into the ballot card next to the voter's choice
• Optical scan: An optical scanner reads and counts marked ballot papers
• Direct-recording electronic (DRE): The voter pushes a button or touch screen next to their choice. The DRE machine tabulates voting data, which is stored in a removable memory component and/or a printed copy, and/or transmitted
• Internet: Use of the Internet to cast/transmit the vote. Remote Internet voting is uncontrolled; Polling Site Voting and Kiosk Voting are controlled
Considerations when selecting:
• Auditing
• Building Trust
• Design and Usability Aspects
• International Standards & Handbooks on E-Voting
• National Legislative Framework
• Open Source vs. Proprietary Software
• Secrecy of the Vote
• Verifiability
• Voter Authentication
Current Realities:
• Voter-verified paper audit trail (VVPAT): Voting systems must have an auditable paper trail
• Mechanisms must be in place for detecting changes to votes
• Voting systems must not be subject to wide-scale service disruptions
• Infrastructure & Human Capacity Limitations in Nigeria
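The "mechanisms must be in place for detecting changes to votes" requirement above, together with the earlier Integrity and Accountability goals (no unauthorized changes to votes cast, even by an insider; reliable verified records for auditing), can be given a concrete form with a hash-chained result log. The Python below is an added example written for this page, not INEC's or the author's code; the polling-unit records and party codes are constructed, and it assumes the chain head digest is published to an outside party (observers, the press) at close of collation so that later rewriting or truncation of the stored file can be detected.

```python
"""Tamper-evident, hash-chained log of polling-unit result records.

Each entry commits to the previous entry's digest, so altering, deleting
or reordering any recorded entry changes every digest after it. Publishing
the chain head (assumed here: e.g. handed to observers at close of
collation) lets an auditor detect changes even by an insider who can
rewrite the stored file.
"""
import copy
import hashlib
import json
from typing import Any, Dict, List, Optional

GENESIS = "0" * 64  # digest that precedes the first entry


def canonical(record: Dict[str, Any]) -> bytes:
    """Deterministic JSON so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_digest(prev: str, record: Dict[str, Any]) -> str:
    """SHA-256 over the previous digest and the canonical record."""
    h = hashlib.sha256()
    h.update(prev.encode("ascii"))
    h.update(canonical(record))
    return h.hexdigest()


class ResultLog:
    """Append-only log; entries are never edited, only appended."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []

    def head(self) -> str:
        return self.entries[-1]["digest"] if self.entries else GENESIS

    def append(self, record: Dict[str, Any]) -> str:
        prev = self.head()
        entry = {"seq": len(self.entries), "prev": prev,
                 "record": record, "digest": entry_digest(prev, record)}
        self.entries.append(entry)
        return entry["digest"]


def verify_chain(entries: List[Dict[str, Any]],
                 published_head: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad entry.

    With a published head, silent truncation (dropping the latest entries)
    is reported as index len(entries); without it, truncation is undetectable.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return i  # reordered, inserted or deleted entry
        if entry_digest(prev, e["record"]) != e["digest"]:
            return i  # record edited after it was recorded
        prev = e["digest"]
    if published_head is not None and prev != published_head:
        return len(entries)  # chain ends short of the published head
    return None


# Constructed sample data: three polling units reporting accreditation and
# per-candidate counts (polling-unit ids and party codes are placeholders).
SAMPLE_RECORDS = [
    {"polling_unit": "PU-001", "accredited": 412, "votes": {"AAA": 200, "BBB": 190, "CCC": 10}},
    {"polling_unit": "PU-002", "accredited": 388, "votes": {"AAA": 150, "BBB": 220, "CCC": 5}},
    {"polling_unit": "PU-003", "accredited": 501, "votes": {"AAA": 260, "BBB": 230, "CCC": 7}},
]


def build_sample_log() -> ResultLog:
    log = ResultLog()
    for rec in SAMPLE_RECORDS:
        log.append(rec)
    return log


def tampered_copy(entries: List[Dict[str, Any]], index: int,
                  party: str, new_count: int) -> List[Dict[str, Any]]:
    """Simulate an insider editing a stored count without re-hashing."""
    altered = copy.deepcopy(entries)
    altered[index]["record"]["votes"][party] = new_count
    return altered


if __name__ == "__main__":
    log = build_sample_log()
    head = log.head()  # assumed to be published to observers at this point
    print("intact:", verify_chain(log.entries, head))  # None
    print("edited PU-002:", verify_chain(tampered_copy(log.entries, 1, "AAA", 300), head))  # 1
    print("truncated, no published head:", verify_chain(log.entries[:-1]))  # None
    print("truncated, with published head:", verify_chain(log.entries[:-1], head))  # 2
```

Note that the chain alone only detects edits to entries that have a later entry after them; the published head is what closes the gap for deletion of the most recent records.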
EVOTING & INTERNET VOTING?
Section 52 of the Electoral Act, 2010
• "The use of electronic voting machine for the time being is prohibited."
• Source: Electoral Act 2010, Section 52 Para 2
Estonia
• World's first national Internet election
• Internet voting 7 times
Internet voting is vulnerable
• Cyber-attack & fraud
• Inherent weakness in hardware & software
• Manner in which the Internet is organized
Research found it possible to:
• Change votes,
• Compromise a secret ballot,
• Disrupt voting, or
• Cast doubt on the legitimacy of the election process
Unlikely that these vulnerabilities will be eliminated in the near future
Source: http://www.heritage.org/research/reports/2015/07/the-dangers-of-internet-voting
INTERNET VOTING FAILURES
California, USA - California Internet Voting Task Force report:
• "additional technical innovations are necessary before remote Internet voting can be widely implemented…."
USA National Science Foundation - 2001 report:
• "remote Internet voting systems pose significant risk to the integrity of the voting process, and should not be fielded for use in public elections until substantial technical and social science issues are addressed."
USA Pentagon Internet Voting Project report:
• "these vulnerabilities are fundamental in the architecture of the Internet and of the PC hardware and software that is ubiquitous today."
Washington, D.C., USA, 2010:
• A computer science professor and his students broke into the system, changed the results of the mock election, and "gained near-complete control" of the election server
France, 2013:
• Reporters from "the news site Metronews proved that it was easy to breach the allegedly strict security of the election and vote several times using different names."
Norway: municipal elections in 2011 and 2013, but the project was cancelled in 2014:
• citing security concerns and the government's conclusion that, contrary to expectations, the new system had not improved turnout.
Canada, 2014:
• "…voting over the Internet has a set of unique challenges that inevitably introduce a number of additional risks."
Australia, 2015:
• "…. uncovered severe vulnerabilities that could be leveraged to manipulate votes, violate ballot privacy, and subvert the verification mechanism."
Spain: held a referendum in Barcelona in 2010 using the Internet:
• "encountered problems in relation to voter identification and identity theft…"
Without major technological changes, there is almost no possibility that a secure Internet voting system can be designed for the foreseeable future. When combined with other less technical questions like equal access by voters to the Internet, Internet voting is definitely a technology whose time has not come—and may never come.
Source: Hans A. von Spakovsky, http://www.heritage.org/research/reports/2015/07/the-dangers-of-internet-voting
CONCLUSION
• Adopt ISO 27001:2013
• Patronize indigenous solution providers
• Sanitize data (biometric)
• Clear procedures
• Implement IPv6
• Robust connectivity
• Caution on eVoting
• Research Estonia, Australia, USA, France, Norway, Canada
Thank you for your attention
Thank you for your attention (Yoruba)
Thank you for your attention (Hausa)
Thank you for listening to us (Igbo)
info@consultancyss.com

Assure Contact Center Experiences for Your Customers With ThousandEyes
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofszkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
 
The Metaverse and AI: how can decision-makers harness the Metaverse for their...
The Metaverse and AI: how can decision-makers harness the Metaverse for their...The Metaverse and AI: how can decision-makers harness the Metaverse for their...
The Metaverse and AI: how can decision-makers harness the Metaverse for their...
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 

STRATEGIES FOR DEVELOPING & IMPLEMENTING INFORMATION SECURITY POLICIES BASED ON ISO 27001: 2013

  • 1. Consultancy Support Services (CS2) Limited., info@consultancyss.com by Abdul-Hakeem Ajijola info@consultancyss.com @ the International Conference Centre, Abuja, Nigeria. 05 November 2015 presented @ the Theme: Hosted by the:
  • 2. DEFINITIONS. ISO27001: an international standard for an Information Security Management System (ISMS); adopted by organizations regardless of type or size; published by the International Organization for Standardization (ISO), http://www.iso.org/iso/home/standards/management-standards/iso27001.htm; built on British Standard BS7799-2. Electoral Process: a formal decision-making process in which a population chooses an individual to hold public office; it must meet standards to be credible: Article 25 of the UN International Covenant on Civil and Political Rights (ICCPR, 1966); Article 21(3) of the Universal Declaration of Human Rights (1948); the 1990 Copenhagen Document of the Conference on Security and Cooperation in Europe (CSCE); the 2002 Venice Commission’s Code of Good Practice in Electoral Matters; the OSCE Election Observation Handbook; UN General Assembly resolution 63/163 (April 12, 2012). Conventions, treaties, protocols and guidelines come from the UN General Assembly, the Organization for Security & Cooperation in Europe (OSCE), the Organization of American States (OAS), the African Union (AU) and United Nations member states. Electoral Integrity Project: https://sites.google.com/site/electoralintegrityproject4/home. ElectionGuide is provided by the International Foundation for Electoral Systems (IFES): http://www.electionguide.org/
  • 3. PROCESS FLOW
  • 4. SYSTEMS: DEMOCRATIC OR ELECTRONIC
  • 5. ELECTRONIC & ELECTORAL PROCESS. TRUST rests on Transparency, Integrity, Accountability and Confidentiality.
  • 6. TRANSPARENCY: open access to how the system works; visibility of the key processes; compliance certification.
  • 7. INTEGRITY: preventing unauthorized modification of users’ information; a strong mechanism to prevent unauthorized changes to data (votes cast), including changes made by an insider.
  • 8. CONFIDENTIALITY: prevent eavesdropping by third parties on communications; user choices (cast ballots) are collected anonymously.
  • 9. ACCOUNTABILITY: providing reliable, verified records effective for process auditing.
  • 10. WHY ISO 27001:2013
  • 11. STRATEGIC APPROACH TO ISO27001:2013: 1. Define the implementation scope; 2. Draft the ISMS policy; 3. Determine the ISO 27001 maturity level; 4. Design the risk management strategy; 5. Perform a gap analysis.
  • 12. LEARNING FROM THE PAST: MARCH 28, 2015. Source: http://www.vanguardngr.com/2015/03/inec-website-hacked/
  • 13. ELECTORAL PROCESS: 1. Legal Framework; 2. Planning & Implementation; 3. Training & Education; 4. Voter Registration; 5. Election Campaign; 6. Voting Operations & Election Day; 7. Verification of Results; 8. Post-Election.
  • 14. LEGAL FRAMEWORK. Constitution. Legislation: develop & review information security policies (ISO/IEC 27001 certification standard, Section 5.1.1 & 5.1.2; the section numbers cited throughout are the ISO/IEC 27001:2013 Annex A control references). Electoral System & Bodies: establish procedures & responsibilities (Section 12.1). Codes of Conduct: personnel security management; logs to record security events (Sections 7 & 12.4).
  • 15. ENHANCING LEGAL FRAMEWORKS. Enhance the electoral process roadmap with key performance indicators for all INEC staff: address process issues to facilitate incremental improvements; develop storyboards to track progress, e.g. Permanent Voter Card tracking mechanisms. Improve documentation of procedures and the electronic accountability process: track who did, took or got what, and when. Articulate a revised technology project management plan for effective project accountability.
  • 16. PLANNING & IMPLEMENTATION. Budgeting, Funding & Financing: comply with legal security requirements (Section 18.1). Recruitment & Procurement: personnel security management; supplier relationship management (Sections 7 & 15). Logistics and Security: physical & operational security management (Sections 11 & 15).
  • 17. IMPLEMENTATION ISSUES. Seek ways to add value to existing systems: understand the fingerprint reader challenges and how to overcome them. Decide whether or not to develop a new voter register database: there have already been at least 3 voter database efforts; the current administration lacks appetite for expenditure unless it is proven essential; INEC must explore possible alternative/complementary funding sources and lower-cost alternatives. For the existing voter registration databases INEC will need to decide whether to merge them, use one or more of them, or start afresh.
  • 18. TRAINING & EDUCATION. Operational Training for Election Officials: deliver information security awareness programs (Section 7.2.2). Civic & Voter Education: deliver information security awareness programs (Section 7.2.2).
  • 19. CAPACITY BUILDING: facilitate a multi-stakeholder electoral ecosystem; eLearning and e-Library platforms for continuous capacity building of permanent and ad hoc staff; e-courses & apps on the electoral process for public awareness; online crowdsourcing that allows reporting of voting irregularities, with the information plotted onto an interactive online map with dashboards.
  • 20. VOTER REGISTRATION. Voter Registration: information access management; cryptography policy management; physical security management; operational security management; protect information transfers (Sections 9, 10, 11, 12 & 13.2). Observers Accreditation: establish procedures & responsibilities (Section 12.1).
  • 21. VOTER REGISTRATION: MATTERS ARISING. Ensure INEC has the requisite connectivity for online access and backup: fibre optic between headquarters, regional data centres & state offices; wireless connectivity between local accreditation and collation equipment. The 3 voter registration database efforts include: Chairman Gubadia’s registration database with basic text; Chairman Iwu’s database, which added voter pictures; Chairman Jega’s database, which added fingerprint biometrics. Disparate voter databases: merging structurally different databases is inherently problematic; the database clean-up process is challenging.
  • 22. ELECTION CAMPAIGN. Media Access: manage all user access rights. Code of Conduct: personnel security management.
  • 23. VERIFICATION OF VOTERS DURING ELECTIONS. Explore alternative ways to mitigate the challenges of voter accreditation/authentication by comparing biometric databases as part of the INEC data clean-up process: National Identity Management Commission; Immigration; Population Commission; Central Bank of Nigeria (Bank Verification Number); Federal Road Safety Corps (driver’s licence); Nigeria Communications Commission (SIM card registration). Fully activate the INEC regional data, card reader production & data backup centres: Umahia; Dutse; Abeokuta.
  • 24. VOTING OPERATIONS & ELECTION DAY. Special & External Voting; Voting; Voting Count: protect user authentication; control access to systems; cryptography policy management; physical security management; establish procedures and responsibilities; control your operational software; address your technical vulnerabilities; network security management; security incident & continuity management; comply with security requirements (Sections 9.3, 9.4, 10, 11, 12.1, 12.5, 12.6, 13, 16, 17 & 18.1).
  • 25. CARD READING PROCESS: Card Reader → Read Card → Capture fingerprints → Verify/Authorise → Upload same to server? Many INEC applications are not online, including voter registration. Ad hoc staff & non-core databases could be managed using cloud apps, with regular backups to the various INEC data centres, as a cost-cutting option. Cloud processing options, while cost-effective, have risks and limitations and can only be used for selected activities.
  • 26. VERIFICATION OF RESULTS. Tabulation of results: comply with legal requirements (Section 18.1). Official result: information access, cryptography policy, physical security & operational security management; protect information transfers; security compliance management (Sections 9, 10, 11, 12, 13.2 & 18).
  • 27. AUTHENTICATION: any method of verifying that someone is who they claim to be. Intermediaries of value over time: Cowries → Gold → Cash → Cards → Electronic → crypto-currency?
  • 28. POST-ELECTION. Audits & Evaluations: use logs to record events; identify & respond to incidents (Sections 12.4 & 16.1). Legal Reform: security policy management (Section 5). Archiving & research: information access management (Section 9).
  • 29. ISO27001:2013 MATTERS ARISING. Compliance increases the probability of security but does NOT guarantee absolute security; it signifies managing security in line with standards. Weaknesses: not following established processes; low organizational commitment; lack of expertise. Requirements: management’s commitment; individual ownership of & responsibility for information security; effective information security education & awareness.
  • 30. NEW VOTING TECHNOLOGY/E-VOTING. Types of e-voting systems: punch-card, holes punched into the ballot card next to the voter’s choice; optical scan, an optical scanner reads and counts marked ballot papers; direct-recording electronic (DRE), the voter pushes a button or touches the screen next to their choice, and the DRE machine tabulates voting data that is stored in a removable memory component, printed, or transmitted; Internet, use of the Internet to cast/transmit the vote, where remote Internet voting is uncontrolled while polling-site voting and kiosk voting are controlled. Considerations when selecting: auditing; building trust; design and usability aspects; international standards & handbooks on e-voting; national legislative framework; open source vs. proprietary software; secrecy of the vote; verifiability; voter authentication. Current realities: voting systems must have an auditable paper trail (voter-verified paper audit trail, VVPAT); mechanisms must be in place for detecting changes to votes; voting systems must not be subject to wide-scale service disruptions; infrastructure & human capacity limitations in Nigeria.
  • 31. E-VOTING & INTERNET VOTING? Section 52 of the Electoral Act, 2010: “The use of electronic voting machine for the time being is prohibited.” (Source: Electoral Act 2010, Section 52, Para 2.) Estonia: the world’s first national Internet election; Internet voting used 7 times. Internet voting is vulnerable to cyber-attack & fraud because of inherent weaknesses in hardware & software and the manner in which the Internet is organized. Research found it possible to change votes, compromise a secret ballot, disrupt voting, or cast doubt on the legitimacy of the election process. It is unlikely that these vulnerabilities will be eliminated in the near future. Source: http://www.heritage.org/research/reports/2015/07/the-dangers-of-internet-voting
  • 32. INTERNET VOTING FAILURES. California, USA, California Internet Voting Task Force report: “additional technical innovations are necessary before remote Internet voting can be widely implemented….” USA, National Science Foundation 2001 report: “remote Internet voting systems pose significant risk to the integrity of the voting process, and should not be fielded for use in public elections until substantial technical and social science issues are addressed.” USA, Pentagon Internet Voting Project report: “these vulnerabilities are fundamental in the architecture of the Internet and of the PC hardware and software that is ubiquitous today.” Washington, D.C., USA, 2010: a computer science professor and his students broke into the system, changed the results of the mock election, and “gained near-complete control” of the election server. France, 2013: reporters from “the news site Metronews proved that it was easy to breach the allegedly strict security of the election and vote several times using different names.” Norway: Internet voting in the municipal elections of 2011 and 2013, but the project was cancelled in 2014, citing security concerns and the government’s conclusion that, contrary to expectations, the new system had not improved turnout. Canada, 2014: “…voting over the Internet has a set of unique challenges that inevitably introduce a number of additional risks.” Australia, 2015: “…. uncovered severe vulnerabilities that could be leveraged to manipulate votes, violate ballot privacy, and subvert the verification mechanism.” Spain held a referendum in Barcelona in 2010 using the Internet and “encountered problems in relation to voter identification and identity theft…” Without major technological changes, there is almost no possibility that a secure Internet voting system can be designed for the foreseeable future. When combined with other less technical questions like equal access by voters to the Internet, Internet voting is definitely a technology whose time has not come—and may never come. Source: Hans A. von Spakovsky, http://www.heritage.org/research/reports/2015/07/the-dangers-of-internet-voting
  • 33. CONCLUSION: adopt ISO 27001:2013; patronize indigenous solution providers; sanitize (biometric) data; clear procedures; implement IPv6; robust connectivity; caution on e-voting; research Estonia, Australia, USA, France, Norway, Canada.
  • 34. Thank you for your attention (Yoruba: O ṣeun fun akiyesi rẹ; Hausa: Na gode don kulawa; Igbo: Imela na igere anyi nti). info@consultancyss.com
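Slides 7, 9, 28 and 30 ask for a mechanism that prevents or at least detects unauthorized changes to votes cast and to the logs an audit or tribunal will rely on, including changes by an insider. The following is an added example, not code from the presentation or from INEC, of one such mechanism: a hash-chained event log in which every entry carries an HMAC over its sequence number, the previous entry's tag and the event itself. The polling-unit events, the key and the identifiers (PU-001, VIN-0001) are constructed for illustration; the design assumes the verification key is held by the auditor rather than by reader operators or the vendor, which is exactly the insider boundary slide 7 draws.

```python
import copy
import hashlib
import hmac
import json

# Constructed demo key. Assumption: held by the audit/tribunal side only, never on the
# polling-unit reader, so an operator or vendor cannot recompute valid tags.
AUDIT_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64  # chain anchor for the first entry


def _canonical(body):
    """Deterministic JSON encoding so the same record always yields the same tag."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_event(log, event, key=AUDIT_KEY):
    """Append an event; its tag covers the sequence number, the previous tag and the event."""
    prev = log[-1]["tag"] if log else GENESIS
    body = {"seq": len(log), "prev": prev, "event": event}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    entry = dict(body, tag=tag)
    log.append(entry)
    return entry


def verify_log(log, key=AUDIT_KEY):
    """Return (ok, first_bad_index); first_bad_index is -1 when the whole chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {"seq": entry["seq"], "prev": entry["prev"], "event": entry["event"]}
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if entry["seq"] != i or entry["prev"] != prev:
            return False, i
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev = entry["tag"]
    return True, -1


def seal(log):
    """Close-of-poll seal: the entry count and final tag, to be recorded out of band
    (e.g. on the signed results sheet). A chain alone cannot detect truncation of its tail."""
    return {"count": len(log), "tag": log[-1]["tag"] if log else GENESIS}


def verify_sealed(log, seal_record, key=AUDIT_KEY):
    """Chain check plus the out-of-band seal, which catches dropped trailing entries."""
    ok, _ = verify_log(log, key)
    if not ok or len(log) != seal_record["count"]:
        return False
    last = log[-1]["tag"] if log else GENESIS
    return hmac.compare_digest(last, seal_record["tag"])


def build_sample_log():
    """Constructed polling-unit events (hypothetical values, not real INEC data)."""
    log = []
    append_event(log, {"type": "reader_open", "pu": "PU-001", "t": "08:00"})
    append_event(log, {"type": "accredit", "pu": "PU-001", "vin": "VIN-0001", "fp_match": True})
    append_event(log, {"type": "accredit", "pu": "PU-001", "vin": "VIN-0002", "fp_match": False})
    append_event(log, {"type": "count", "pu": "PU-001", "votes": {"A": 120, "B": 95}})
    return log


def tamper_count(log):
    """Insider edits the stored tally in place, without the audit key."""
    t = copy.deepcopy(log)
    t[3]["event"]["votes"]["A"] = 220
    return t


def tamper_and_resign(log, forged_key=b"insider-guess"):
    """Insider rewrites the tally and recomputes every tag with a key of their own."""
    t = []
    for entry in log:
        ev = copy.deepcopy(entry["event"])
        if ev["type"] == "count":
            ev["votes"]["A"] = 220
        append_event(t, ev, forged_key)
    return t


if __name__ == "__main__":
    log = build_sample_log()
    s = seal(log)
    print("intact:", verify_log(log))                        # (True, -1)
    print("edited tally:", verify_log(tamper_count(log)))    # (False, 3)
    print("re-signed:", verify_log(tamper_and_resign(log)))  # (False, 0)
    print("truncated, chain only:", verify_log(log[:-1]))    # (True, -1)
    print("truncated vs seal:", verify_sealed(log[:-1], s))  # False
```

The two failure modes worth noticing are the last two lines: an insider who re-signs the whole chain with their own key is caught only because the verifier holds a key the insider does not, and silently dropping the final entries passes the chain check entirely, which is why the close-of-poll seal has to be published or signed separately from the log it protects.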

Editor's Notes

  1. 19/07/2017
  2. ISO27001 is an international standard. The electoral process is a formal decision-making activity in which a population chooses an individual to hold public office; however, it must meet global standards to be credible.
  3. Both the ISO standard and our electoral processes flow in cycles, and in this presentation we will endeavour to demonstrate where they are congruent and complementary.
  4. Democratic and electronic processes must be trusted by users to be effective.
  5. To gain TRUST, both processes must display Transparency, Integrity, Accountability and Confidentiality.
  6. TRANSPARENCY is fostered by the visibility of the key sub-processes.
  7. Integrity includes preventing unauthorized modification of users’ information and mechanisms to prevent unauthorized changes to data. Furthermore, a critical source of security threats and vulnerability is the insider.
  8. Confidentiality demands secure information transmission and a degree of anonymity for the users, e.g. voters.
  9. Accountability auditing includes field, operational, accounting and related sub-processes.
  10. ISO 27001:2013 is a reputable and trusted global platform that supports compliance with other regulations while facilitating secure sourcing, storage and exchange of information.
  11. The optimal strategic approach to ISO implementation is to: 1. define the implementation scope; 2. draft the ISMS policy; 3. determine the ISO 27001 maturity level; 4. design the risk management strategy; and 5. perform a gap analysis.
  12. On 28 March 2015 the INEC website was hacked. Thus we must consider the threats of what could happen in the context of what has already happened.
  13. The electoral process in Nigeria has 8 phases, of which voting is only one aspect of a single phase.
  14. In the case of the Nigerian electoral legal framework, we have mapped it to Sections 5.1.1 & 5.1.2 of the ISO standard, which cover the certification standard’s requirement to develop and review information security policies.
  15. We suggest that INEC enhance its frameworks by: 1. facilitating incremental improvements; 2. improving documentation of procedures and electronic accountability; and 3. articulating a revised technology project management plan.
  16. Election planning and implementation require a high level of security management for, and by, INEC personnel, as well as strengthening the security of the various value and supply chains.
  17. When implementing, we suggest that INEC: 1. seek ways to add value to existing systems like the fingerprint reader; 2. decide whether to develop a new voter register database or merge existing ones, noting that at least 3 voter database efforts have been made in the recent past; 3. use one or more databases, or start the voter registration process afresh.
  18. Various information security awareness programs need to be directed at: 1. operational and election officials; 2. voters, candidates, other participants and the public at large.
  19. We recommend that INEC training and education efforts focus on: 1. facilitating a multi-stakeholder electoral ecosystem; 2. eLearning and e-Library platforms for continuous capacity building of permanent and ad hoc staff; 3. e-courses and apps on the electoral process for public awareness; 4. a crowdsourcing system that allows reporting of irregularities, where information can be plotted onto online maps and dashboards.
  20. The voter registration sub-process requires: 1. physical security management; 2. operational security management, as defined in ISO 27001 Sections 9, 10, 11, 12 & 13.2.
  21. Several matters arise from the voter registration phase, such as: 1. the types of connectivity; 2. merging structurally different databases is inherently problematic, and the database clean-up process is challenging. Story of multiprocessor video cards used for parallel processing in the clean-up of voter databases at MIMOS Berhad, Malaysia; Nigerian researchers and institutes can learn from MIMOS.
  22. The election campaign sub-process requires: 1. finesse in granting media access, as well as 2. enforcement of a code of conduct for INEC and related officials.
  23. President Buhari has had cause to wonder why Nigeria has so many different biometric databases. This is cause for concern: what can be done once your biometric data has been compromised, e.g. copied by a miscreant onto an identity card with your name but their face/fingerprint, or vice versa? How do we reset our biometric data once it has been compromised? For the verification and clean-up of the voters database we advise INEC to partner with: 1. the National Identity Management Commission; 2. the National Population Commission; 3. the Nigeria Communications Commission (SIM card registration). We further suggest that INEC fully activate its regional data, card production & data backup centres: 1. Umahia, 2. Dutse, and 3. Abeokuta.
  24. On election day, transmitted data needs: 1. cryptography policy management; 2. network security management, while any channels of communication used must comply with legal security requirements.
  25. The card reading and voter authentication process remains unclear. Are the user’s biometric details uploaded to an INEC server in real time and then authenticated, or does the card reader “trust” the content of the card? If so, what happens if a card has your name but a miscreant’s face and fingerprint? What is the consequence of losing trust in your voter’s card? It seems possible that some INEC applications could move online. We suggest that: 1. ad hoc staff and non-core databases could be managed using cloud apps with regular backups to the various INEC data centres, as a cost-cutting option; 2. that said, we must caution that cloud processing options, while cost-effective, have risks and limitations and can only be used for selected activities.
  26. The verification of results phase requires compliance with our nation’s legal requirements and ISO standards. The formal results must be secured physically and electronically prior to formal and controlled release.
  27. Why is authentication a big deal? What is authentication? It is any method of verifying that someone is who they claim to be. For a credible and acceptable election, only authenticated voters and their votes can count. We now must ask ourselves “What is money?” 1. Money is a “trusted” intermediary of value. 2. Electronic currencies are replacing paper currency. Future electronic crypto-currencies will be based on authentication data, servers and infrastructure. The new golden rule: “He who has the authentication, rules!!!”
  28. Important post-election activities include: 1. audits and evaluations, which rely on event and incident logs, especially when post-election tribunal forensic activities are initiated in line with our laws; 2. ISO 27001:2013 compliance, which is a plus in minimizing INEC’s liability; 3. archiving of significant amounts of data, such as election results as well as voter biometric details and authentication logs; 4. subsequent research, which must depersonalise identification details. These information access management requirements are guided by ISO 27001:2013.
  29. We must note that: 1. compliance with ISO 27001:2013 increases the probability of security but does NOT guarantee absolute security; 2. ISO 27001:2013 shows significant weaknesses when: a. established processes are NOT followed; b. organizational commitment is low; c. expertise is lacking; 3. ISO 27001:2013 requires individual, as well as organizational, ownership of and responsibility for information security.
  30. Nigerians have been discussing new voting technology/e-voting. 1. There are several types of e-voting systems. 2. We note that Internet voting is a sub-set of e-voting. Nigeria must consider the following when selecting an e-voting system: 1. design and usability aspects; 2. international standards on e-voting; 3. the national legislative framework. Our current realities demand that we consider as priorities: 1. voting systems must have an auditable paper trail; 2. mechanisms must be in place for detecting changes to votes; 3. voting systems must not be subject to wide-scale service disruptions; 4. infrastructure and human capacity limitations in Nigeria.
  31. Section 52, Para 2, of the Electoral Act, 2010 states that “The use of electronic voting machine for the time being is prohibited.” Current e-voting systems have challenges. 1. Take the case of Estonia, which claims to have held the world’s first national Internet election and has used Internet voting 7 times so far. 2. Subsequent research has found it possible to cast doubt on the legitimacy of the election process. We note that Internet voting is vulnerable due to: 1. inherent weaknesses in current hardware and software systems; 2. the manner in which the Internet is organized. As is often the case, the challenge is more about people than systems. Unfortunately, it is unlikely that these vulnerabilities will be eliminated in the near future.
  32. In 2008, 32 respected computer scientists and technologists issued a Statement on Internet Voting. They recommended that Internet voting not be adopted until and unless the “…. technical challenges have been overcome.” The challenges listed included: preventing malicious software, firmware, or hardware that can change, fabricate, or delete votes, deceive the user in myriad ways including modifying the ballot presentation, leaking information about votes to enable voter coercion, preventing or discouraging voting, or performing online electioneering. We must find strong mechanisms to prevent changes to votes not only by outsiders, but also by insiders such as: 1. equipment manufacturers, 2. technicians, 3. system administrators, and 4. election officials who have legitimate access to election software and data. Furthermore, research has found that Internet voting did NOT increase voter participation. Internet voting is definitely a technology whose time has not come, and may never come.
  33. Our recommendations to the Nigerian electoral process, and INEC in particular, are: 1. adopt ISO 27001:2013; 2. patronize indigenous solution providers; 3. sanitize biometric databases; 4. employ clear procedures; 5. implement Internet Protocol version 6 (IPv6); 6. ensure robust and secure connectivity at all levels; 7. exercise caution on e-voting, follow the ongoing research in Estonia, Australia, USA, France, Norway and Canada, and fund indigenous e-voting research initiatives.
  34. 19/07/2017