The presentation attempts to answer three questions about the Saudi Arabia National Information Security Strategy (NISS):
1. Do we have a NISS?
2. Do we need to have one, and why?
3. What should it look like?
Engineer Sultan AbuKoshaim is working now as CIO at the
Saudi Standards, Metrology and Quality Organization.
He has strong working experience in the field of Information
Systems that spans over 10 years, where he has taken on
positions ranging from telecom to banking to government
services. Most recently he worked as executive director of
information security and strategic planning at the Saudi Food
and Drug Authority.
During his career Sultan was able to obtain a number of
certifications such as: ISO 27001 Lead Auditor, CEH, SABSA SF,
SOC Supervisor, BPM Professional.
Sultan holds a B.Sc. in Computer Engineering from Saudi
Arabia. He also holds an MBA from Leicester University, a
master's degree in Strategic Information Systems from Cardiff
University, and completed the High Potential Leadership Program at
Harvard Business School.
@Abukoshaim
Abukoshaim@gmail.com
Do we have a NISS?
National Policy for Science and Technology, 2001 – 2020: 10 goals, 10 strategies, 60 policies
National IT Strategy, 1426H: 7 goals
Anti-Cyber Crime Law: 3 pages
CERT: incident handling and reporting
Council of Ministers Decision, 1431H
Draft National Information Security Strategy (MCIT)
I’ve been in the field of IT and information security for about 14 years.
So this topic has been somewhat close to me for a while, as you might imagine.
Although I have to admit that it was only a few years ago that I started looking at it from a new angle, with a forward-looking view to the future.
From that point on the subject became part of my daily thoughts and routines, and I started realizing the extent and magnitude of where we needed to mitigate risk and have good controls in our technology-enabled future.
And of course the answer was always: we needed it everywhere!
And let me try to explain what I mean when I say “everywhere”… last week I got a call to participate in this conference and share my experience in IT security strategies. So I got down to it and started putting the slides together on my laptop, relying a lot on my own experiences and some thoughts and knowledge gained over the years. As I was writing along, my son Abdulkarim (who’s 6 years old) walked into the room, stood by me and asked what I was doing. I explained that I was getting ready to meet some people and share some thoughts on something called the national information security strategy.
He asked what that meant.
I stopped typing, and said: Well, it means that in the future, everything will change.
Each one of your toys will have a name and an identity.
Our refrigerator will tell us when it feels hungry to be stocked with the needed food!
Our car will take us to our friends without the need of a driver!
It will also mean that your bed will miss you and call you to come if you stay awake beyond your regular bedtime. And when you come to sleep, your comfy bed will tell your favorite bedtime stories!
When that time comes, we need to be sure that things don’t go crazy.
We need to make sure that your pretty toys will not spy on us.
We need to make sure that our refrigerator will not lie about being hungry!
That our car will not take us to wrong or dangerous places instead of our friends’ house.
We also need to make sure that your comfy bed will choose a good bedtime story for you, not a scary one!
I stopped and looked at him, waiting to see if he was following me… then he said: Can you sleep with me? I can’t trust my bed anymore.
Good enough… let’s go! :)
Dad, can you read me a bedtime story?
In June 2013, Edward Snowden, a former Booz Allen Hamilton employee, revealed thousands of classified documents to the news.
He revealed documents about PRISM.
PRISM is a clandestine surveillance program under which the United States National Security Agency (NSA) collects internet communications from at least nine major US internet companies.
He escaped from the US to Russia after he
Hundreds of thousands of documents show how the US government works with most major IT companies and service providers to spy on internet traffic.
The surveillance program is called PRISM.
Angela Merkel: German Chancellor.
PRISM started in 2007 under the Bush administration.
In 2013: The Guardian and The Washington Post.
Companies: Yahoo, Google, Apple, Microsoft, Skype, AOL, Facebook, YouTube; NOT Twitter.
Edward Snowden’s work history: CIA, Dell, Booz Allen (contracted to the NSA).
Anti-Cyber Crime Law:
the penalty ranges between 500 thousand and 5 million.
National IT Strategy (7 objectives under a long-term vision).
It has a 5-year plan with 26 goals, 62 policies, and 98 projects.
None of these state the need to build OS, hardware or network components.
Situation assessment
There are no common policies and standards for information security management.
Each organization applies its own standards for information security management, with no common approach shared among these entities.
Yesser currently limits itself to interconnecting the entities, and in its latest cycle has begun setting information security standards.
Information security assessment and risk management are not subject to a common practical framework across entities.
There is a clear shortage in the training and preparation of information security specialists.
There is no information about SCADA systems and their level of information security.
What about disaster recovery plans? They exist in some entities, but not all.
Preparing for a future where everything is connected to the Web
It’s no secret that the Internet of Things is exploding: Already, things like medical devices, cars, and electric meters connect to the Web.
Google's Parent Company Alphabet Wants to Build a New City From the Ground Up
New York. Portland. San Francisco. Seattle. The debate rages on about the most innovative city in America. But if Google parent company Alphabet has its way, there soon may be a new contender.
Sidewalk Labs, which Google created last June and has since spun off as a subsidiary, is reportedly scouting locations to build an entire city, a highly connected utopia that will make the aforementioned cities look obsolete. Think: self-driving cars, high-speed Wi-Fi, internet of things-enabled everything.
According to The Information, the Denver and Detroit areas, so far, look like the frontrunners. Sidewalk Labs has consulted with more than 100 urban planning experts and forward thinkers, such as Anthony Townsend, research director of Institute for the Future. Sidewalk Labs already has some heavy-hitting city planners in its own ranks, including its CEO, Dan Doctoroff, a former New York City deputy mayor.
We started to become connected, step by step.
We are being taken by storm into this IoT.
Gartner Says 6.4 Billion Connected "Things" Will Be in Use in 2016, Up 30 Percent From 2015
Analysts to Explore the Value and Impact of IoT on Business at Gartner Symposium/ITxpo 2015, November 8-12 in Barcelona, Spain
Gartner, Inc. forecasts that 6.4 billion connected things will be in use worldwide in 2016, up 30 percent from 2015, and will reach 20.8 billion by 2020. In 2016, 5.5 million new things will get connected every day.
In 2014, two white-hat hackers tried to hack into a Jeep. They successfully managed to access it remotely and take over almost everything in the car:
the steering wheel, the accelerator, the brakes, the air conditioning, and the music player.
They stopped the engine of the car while the victim was in the car in the middle of the highway.
https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
Hacktivism, Hacktivist
Ransomware is becoming a big thing nowadays.
2 million samples: the total number of ransomware samples in the McAfee Labs zoo surpassed 2 million in 2014.
Cloud-based storage: ransomware will target endpoints that subscribe to cloud-based storage services, attempting to use the stored credentials.
$255k stolen: this is the only observed amount.
Mobile space: it attacks even mobiles.
FISMA: Federal Information Security Management Act
FISMA assigns responsibilities to various agencies to ensure the security of data in the federal government.
The act requires program officials, and the head of each agency, to conduct annual reviews of information security programs, with the intent of keeping risks at or below specified acceptable levels in a cost-effective, timely and efficient manner.
The National Institute of Standards and Technology (NIST) outlines nine steps toward compliance with FISMA:
1. Categorize the information to be protected.
2. Select minimum baseline controls.
3. Refine controls using a risk assessment procedure.
4. Document the controls in the system security plan.
5. Implement security controls in appropriate information systems.
6. Assess the effectiveness of the security controls once they have been implemented.
7. Determine agency-level risk to the mission or business case.
8. Authorize the information system for processing.
9. Monitor the security controls on a continuous basis.
It is essential that agency officials have the most complete, accurate, and trustworthy information possible on the security status of their information systems in order to make timely, credible, risk-based decisions on whether to authorize operation of those systems.
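The nine steps above are easier to reason about as a single loop: categorize a system, derive the controls it must have, measure what is actually in place, and only authorize (and keep authorizing) while the residual risk stays at or below the agency's stated tolerance. The following is an added example written for this page, not code from the presentation or from NIST; the low/moderate/high "high-water mark" categorization follows FIPS 199, but the control names, risk scores and tolerance thresholds are invented placeholders, and the sample system is constructed.

```python
"""Toy model of the nine FISMA/NIST steps: categorize, select and refine
controls, assess, determine risk, authorize, and monitor continuously.

Added example, not from the presentation or from NIST. The high-water
mark rule follows FIPS 199; every control name, risk score and tolerance
value below is an illustrative placeholder, not a NIST SP 800-53 control.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

IMPACT = {"low": 1, "moderate": 2, "high": 3}

# Step 2: minimum baseline controls per impact level (placeholder names).
BASELINES = {
    "low": {"access-control", "audit-logging", "patching"},
    "moderate": {"access-control", "audit-logging", "patching",
                 "mfa", "encryption-at-rest"},
    "high": {"access-control", "audit-logging", "patching", "mfa",
             "encryption-at-rest", "network-segmentation", "backup-and-dr"},
}

# Step 3: risk-assessment findings that add controls beyond the baseline.
RISK_REFINEMENTS = {
    "internet-facing": {"web-application-firewall"},
    "industrial-control": {"network-segmentation", "offline-backup"},
}

# The "specified acceptable level" of residual risk per impact category.
RISK_TOLERANCE = {"low": 2, "moderate": 1, "high": 0}


@dataclass
class SystemRecord:
    name: str
    confidentiality: str
    integrity: str
    availability: str
    findings: set = field(default_factory=set)     # risk-assessment findings
    implemented: set = field(default_factory=set)  # step 5: controls in place
    authorized_until: Optional[date] = None

    # Step 1: FIPS 199 high-water mark across the three security objectives.
    def category(self) -> str:
        levels = (self.confidentiality, self.integrity, self.availability)
        return max(levels, key=lambda lv: IMPACT[lv])

    # Steps 2-3: baseline controls, refined by the risk-assessment findings.
    def required_controls(self) -> set:
        controls = set(BASELINES[self.category()])
        for finding in self.findings:
            controls |= RISK_REFINEMENTS.get(finding, set())
        return controls

    # Step 6: required controls that are not (yet) in place.
    def unmet_controls(self) -> set:
        return self.required_controls() - self.implemented

    # Step 7: residual risk, weighted by the system's impact category.
    def residual_risk(self) -> int:
        return IMPACT[self.category()] * len(self.unmet_controls())


# Step 8: authorize only while residual risk is at or below tolerance.
def authorize(system: SystemRecord, today: date, ato_days: int = 365) -> bool:
    if system.residual_risk() <= RISK_TOLERANCE[system.category()]:
        system.authorized_until = today + timedelta(days=ato_days)
        return True
    system.authorized_until = None
    return False


# Step 9: continuous monitoring flags systems whose authorization lapsed or
# whose control state drifted out of tolerance since the last decision.
def needs_reauthorization(system: SystemRecord, today: date) -> bool:
    expired = system.authorized_until is None or system.authorized_until < today
    drifted = system.residual_risk() > RISK_TOLERANCE[system.category()]
    return expired or drifted


if __name__ == "__main__":
    # Constructed sample: a public portal whose availability is high-impact.
    portal = SystemRecord("citizen-portal", "moderate", "moderate", "high",
                          findings={"internet-facing"},
                          implemented=set(BASELINES["high"]))
    today = date(2016, 1, 1)
    print(portal.category(), sorted(portal.unmet_controls()))
    print("authorized:", authorize(portal, today))
    portal.implemented.add("web-application-firewall")
    print("authorized:", authorize(portal, today))
```

The point of the model is the last two functions: the authorization decision and the monitoring check use the same risk computation, so a control that silently stops being implemented (or a new finding from a re-run risk assessment) pushes the system back into "needs reauthorization" without waiting for the next annual review.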
FISMA has been described as a well-intentioned but fundamentally flawed tool, with the argument that the compliance and reporting methodology mandated by FISMA measures security planning rather than measuring information security.
And if security people view FISMA as just a checklist, nothing is going to get done.
NOW. This is a classical process of developing strategies. It is very crucial for us to focus on this high-level process before getting anywhere with the details.
There is a difference in kind, not a difference in degree, when we compare an ISS with a NISS.
While the classical exercise of IS starts with identifying the assets that have to be protected,
a NISS looks into future assets, which we are expecting to have and connect in the future.