Saudi Arabia National Information Security Strategy, current situation
•Download as PPTX, PDF•
2 likes•933 views
the presentation attempts to answer 3 question about Saudi Arabia National Information Security Strategy (NISS): 1. Do we have a NISS? 2. Do we need to have one? and why? 3. How it should look like?
Recommended
More Related Content
Similar to Saudi Arabia National Information Security Strategy, current situation
Similar to Saudi Arabia National Information Security Strategy, current situation (20)
Recently uploaded
Recently uploaded (20)
Saudi Arabia National Information Security Strategy, current situation
- 1. National IS Strategy 2 May 2016 Sultan @Abukoshaim CIO & Governor’s Advisor SASO
- 2. Engineer Sultan AbuKoshaim is working now as CIO at the Saudi Standards, Metrology and Quality Organization. He has strong working experience in the field of Information Systems that spans over 10 years, where he has taken on positions ranging from telecom to banking to government services. Most recently he worked as executive director of information security and strategic planning at the Saudi food and drug authority. During his career Sultan was able to obtain a number of certifications such as: ISO27001 Lead Auditor, CEH, SABSA SF, SOC Supervisor, BPM Professional. Sultan holds a B.Sc. in computer Engineering from Saudi Arabia. He also holds an MBA from the Leicester university, masters degree in Strategic Information Systems from Cardiff University, and High Potential Leadership Program from Harvard Business School. @Abukoshaim Abukoshaim Abukoshaim@gmail.com Abukoshaim
- 6. Do we have a NISS? 1
- 7. Do We have NISS? 1 National Policy for Science and Technology 2001 – 2020 10 Goals – 10 Strategies – 60 Policies National IT Strategy 1426H - 7 Goals Anti-Cyber Crime Law 3 pages CERT Incident Handling and Reporting Council of Ministers Decision 1431 H Draft: National Information Security Strategy MCIT
- 8. Do we need NISS? Why? 2
- 11. 2
- 12. IOT2 • 1 IDC; 2 MC/EDC: The Digital Universe of Opportunities; 3 Goldman Sachs; 4 IMS Research • Intel Security
- 14. 2
- 15. Always increasing2 • Intel Security
- 16. How NISS should look like? 3 3
- 17. FISMA3 Inventory Categorize Control Risk Assessment Security Plan Certification Monitoring
- 20. “IS” Vs “National IS”3 C A I
- 21. “IS” Vs “National IS”3 C A I Culture/ Social Life/ Health
- 22. “You can avoid reality, but you can’t avoid the Consequences of reality” Any Rand 1905- 1985
Editor's Notes
- I’ve been in the field of IT and information security for about 14 years. So this topic has been smowehat close to me for a while as you might imagine. Although I have to admit that only a few years ago that I started looking at it from a new angle with a forward looking view to the future. From that point on the subject had became part of my daily thoughts and routines and I started realizing the extent and magnitude of where we needed to mitigate risk and have good controls in our Technology enabled future. And of course the answer was always: we needed it everywhere! And let me try to explain what I mean when I say “everywhere"… last week I got a call to participate in this conference and share my experience in IT security strategies. So I got down to it and started putting the slides together on my laptop relying a lot on my own experiences and some gained thoughts and knowledge over the years. As I was writing along, my son Abdulkarim (who’s 6 years old), walked into the room, stood by me and asked what I was doing. I explained that I was getting ready to meet some people and share some thoughts on something called the national information security strategy. He asked what that meant? I stopped typing, and said: Well, it means that in the future, everything will change. Each one of your toys will have a name and an identity. Our refrigerator will tell us when it feels hungry to be stocked with the needed food!. Our car will take us to our friends without the need of a driver! it will also mean that your bed will miss you and call you to come if you stayed awake beyond your regular bedtime. And when you come to sleep, your comfy bed will tell your favorite bedtime stories! When that time comes, we need to be sure that things don’t go crazy. We need to make sure that your pretty toys will not spy on us. We need to make sure that our refrigerator will not lie about being hungry! That our car will not take us to wrong or dangerouse places instead of our friends house. We also need to make sure that your comfy bed will choose for you a good bedtime story, not a scary one! I stopped and looked at him waiting to see if he was following me… then he said: Can you sleep with me, I can’t trust my bed anymore? Good enough.. let’s go! :) dad can you read me a bedtime story
- In jun 2013, Edward Snowden, a former Boz Allen Hamilton employee, revealed thousands of classified documents to the news. He revealed documents about PRIMS. PRISM is a clandestine[1] surveillance program under which the United States National Security Agency (NSA) collects internet communications from at least nine major US internet companies. and escaped from US to Russia after he 100 of thousand of documents that shows how the US government works with most major IT companies and service providers to spy on internet traffic. The spying surveillance program is called PRISM. They Angela Merkel> Government Chancellor. PRISM start in 2007 under Bosh administration. In 2013: The guardian + Washington post Compnaies: Yahoo, google, apple, MS, Skype, aol, Facebook, YouTube, NOT twitter. Edward work: CIA, DELL, BOZ allen > NSA
- نظام مكافحة الجرائم المعلوماتية، تترواح العقوبة بين 500 الف إلى 5 مليون National IT strategy (7 Objectives under long term vision) It has 5 years plan that has: 26 goals, 62 polices, and 98 projects Non of these state the need to build OS or HW or Network components تقييم الوضع عدم وجود سياسات ومعايير مشرتكة لادارة امن المعلومات تقوم كل منشاء بتطبيق معاييرها الخاصة في ادارة امن المعلومات، مع عدم وجود طريقة مشتركة بين تلك الجهات. يسر تكتفي حاليا بالربط مع الجهات وبدات في دورتها الاخيرة بوضع معايير لامن المعلومات. لا تخضع عملية تقييم امن المعلومات وادارة المخاطر لاطار عملي مشترك بين الجهات. يوجد نقص واضح في تأهيل واعداد المتخصصين في امن المعلومات. لايوجد اي معلومات عن انظمة SCADA ومستوى امن المعلومات لديها. ماذا عن خطط احتواء الكوارث، موجودة في بعض الجهات وليس جميعها.
- Preparing for a future where everything is connected to the Web It’s no secret that the Internet of Things is exploding: Already, things like medical devices, cars, and electric meters connect to the Web. Google's Parent Company Alphabet Wants to Build a New City From the Ground Up New York. Portland. San Francisco. Seattle. The debate rages on about the mostinnovative city in America. But if Google parent company Alphabet has its way, there soon may be a new contender. Sidewalk Labs, which Google created last June and has since spun off as a subsidiary--is reportedly scouting locations to build an entire city, a highly connected utopia that will make the aforementioned cities look obsolete. Think: self-driving cars, high-speed Wi-Fi, internet of things-enabled everything. According to The Information, the Denver and Detroit areas, so far, look like the frontrunners. Sidewalk Labs has consulted with more than 100 urban planning experts and forward thinkers, such as Anthony Townsend, research director of Institute for the Future. Sidewalk Labs already has some heavy-hitting city planners in its own ranks, including its CEO, Dan Doctoroff, a former New York City deputy mayor.
- We stated to be connected pace by pace. We are taken by storm to this IOT Gartner Says 6.4 Billion Connected "Things" Will Be in Use in 2016, Up 30 Percent From 2015 Analysts to Explore the Value and Impact of IoT on Business at Gartner Symposium/ITxpo 2015, November 8-12 in Barcelona, Spain Gartner, Inc. forecasts that 6.4 billion connected things will be in use worldwide in 2016, up 30 percent from 2015, and will reach 20.8 billion by 2020. In 2016, 5.5 million new things will get connected every day.
- In 2014 2 white hat hackers trier to hack into a Jeep. And they successfully managed to access it remotely and take over the almost everything in the care. The driving wheel. The accelartor. The breaks. The airconditiosn. and The music player. They stopped the engine of the care where the victim where in the care in middle of the highway. https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
- Hacktivism, Hacktivist
- Ransomware is Becoming a big thing nowdays. 2 million samples. The total number of ransomware sampels in the McAfee labs zoo surpassed 2 million in 2014 Clould based storage. Ransomware will target endpoint that subscribe to cloud based storage services. Attempting to use the stored credintials. $255k stolen. This is the only observed. Mobile Space. it attacks even mobiles
- Cyber Security Strategy Documents https://ccdcoe.org/strategies-policies.html
- FISMA federal IS management Act FISMA assigns responsibilities to various agencies to ensure the security of data in the federal government. The act requires program officials, and the head of each agency, to conduct annual reviews of information security programs, with the intent of keeping risks at or below specified acceptable levels in a cost-effective, timely and efficient manner. The National Institute of Standards and Technology ( NIST ) outlines nine steps toward compliance with FISMA: Categorize the information to be protected. Select minimum baseline controls. Refine controls using a risk assessment procedure. Document the controls in the system security plan. Implement security controls in appropriate information systems. Assess the effectiveness of the security controls once they have been implemented. Determine agency-level risk to the mission or business case. Authorize the information system for processing. Monitor the security controls on a continuous basis. It is essential that agency officials have the most complete, accurate, and trustworthy information possible on the security status of their information systems in order to make timely, credible, risk-based decisions on whether to authorize operation of those systems. FISMA as a well-intentioned but fundamentally flawed tool, and argued that the compliance and reporting methodology mandated by FISMA measures security planning rather than measuring information security. and if security people view FISMA as just a checklist, nothing is going to get done.
- NOW. This is a classical process of developing strategies. It is very crucial for us to focus on these high level process before getting anywhere with the details.
- There is a difference in kind not a different in degree when we compare ISS Vs. NISS While the classical exercise of IS start with identifitying assets in had to be protected. NISS looks into futuristic assets; which we are expecting to have and connect in the futre.
- There is a difference in kind not a different in degree when we compare ISS Vs. NISS While the classical exercise of IS start with identifitying assets in had to be protected. NISS looks into futuristic assets; which we are expecting to have and connect in the futre.