Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Business Technical Obligations


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Business Technical Obligations

  1. 1. TechnicalFoundations of Information Security Series Vicente Aceituno @vaceituno (c)Inovement Europe 2014
  2. 2. Vicente Aceituno - Skype: vaceituno Linkedin - Inovement Europe - Video Blog - Blog - Twitter - Presentations - Articles -
  3. 3. Foundations of Information Security Series  Needs  Secrecy  Intellectual Property you Own  Intellectual Property you Use  Privacy  Availability  Retention  Expiration  Quality  Obligations  Technical  Compliance  Legal
  4. 4. What is Information Security?  “Information Security” is an emergent property of people using information.  People have expectations about information.  If there is no people or no information, “Information Security” is meaningless, as there are no expectations to meet.
  5. 5. What is Information Security?  When expectations about information are met, there is “Security”.  When expectations about information are not met, there is an “Incident”.
  6. 6. What is Information Security?  Some expectations are things people (or organizations) want to happen for their own reasons. These are Needs.  Some expectations are things people (or organizations) want to happen in order to meet technical, legal or standard compliance requirements. These are Obligations.
  7. 7. Technical Obligations Press Any Key to Continue
  8. 8. Technical Obligations  Information systems based on the Von-Neumann architecture have inherent technical limitations that lead to weaknesses. This weaknesses can be exploited and lead to failing to meet other, more important, expectations. This is why organizations have the expectation that:  Information systems are kept free of weaknesses.  Information systems that need to be visible from not trusted systems are the least visible possible.  That information systems run trusted software only.  That electricity, temperature and humidity within controlled limits necessary for the operation of information systems.
  9. 9. Technical Obligations  If these expectations are met or not is independent of the observer.
  10. 10. Technical related incidents  When an information system presents a weakness.  When an information system is visible from not trusted systems.  When an information system runs not trusted software.  When electricity, temperature or humidity are out of controlled limits.
  11. 11. Achieving Technical Security  In order to achieve Technical Security, normally architecture, design, and specific software and appliances are used.  The related O-ISM3 process are:  OSP-5: IT Managed Domain Patching  OSP-7: IT Managed Domain Hardening  OSP-8: Software Development Lifecycle Control  OSP-16: Segmentation and Filtering Management  OSP-17: Malware Protection Management  OSP-14: Physical Environment Protection Management  OSP-19: Internal Technical Audit  OSP-22: Alerts Monitoring  OSP-23: Internal Events Detection and Analysis
  12. 12. Technical Obligations Press Any Key to Continue
  13. 13. The O-ISM3 Challenge  This was an exercise designed to throw into sharp relief the inadequacy of traditional information security concepts.  Check the exercise in full at  A summary of conclusions from the exercise, in relation to Technical Obligations, follow.
  14. 14. Secrecy Business Needs Intellectual Property Privacy Business Obligations Availability Retention Quality Expiration Technical Obligations
  15. 15. Security and Technical Obligations  Security and Technical Obligations are not equivalent.  Technical Obligations and Security are not synonymous.  Technical Obligations is not useful to understand Security.
  16. 16.  Follow the Foundations of Information Security Series by joining the Linkedin O- ISM3 Group at:  Learn Advanced Information Security Management, joining us at an O-ISM3 Course: