board member security

Post on 22-Dec-2014


DESCRIPTION

This is my presentation for the Scandinavian ISACA conference in Oslo, Monday April 4, 2011. Please contact me if you have any questions or comments.

TRANSCRIPT

Board member Security

Per Thorsheim, CISA, CISM, CISSP-ISSAP, Security coordinator

April 4, 2011

The Codes of Conduct Dilemma

• General assembly
• Bedriftsforsamling (Norway)
• Board of Directors
• CEO
  – Executive board
• Chief Security Officer (CSO)

Codes of Conduct

Security policy

Standards

Guidelines

?


Company (Security) policy

ISACA 4 April 2011 – Per Thorsheim

• May require that all users use a PC and phone provided by the company
• Requires separation between work and other private (work) engagements
• Requires hardening and periodic updating
• Disallows the sharing of accounts / passwords
• A practical challenge for people who are members of many boards
• Easily broken by the above practical challenge
• If the computer is personal, then it is by definition insecure and ”illegal” to use
• Personal assistant to the xxx may be a practical challenge to solve


[Slide image: HACKED]

The Codes of Conduct Dilemma

• Directors Liability Insurance
• ”Styreansvarsforsikring” in Norway
• (Gross) Negligence will impact the insurance agreement

If the board does not comply with (their own) Codes of Conduct and/or security policy, will that be considered (gross) negligence by the insurance company?


Recommendations (work in progress)

• Use of personal PC: disallowed, PC from company
• Remote access: terminal server with 2-factor
• Printouts: cross-cut shredder
• Electronic documents: MS Office password protection
• E-mail: encrypted attachments
• Leaving the board: standard company routine
• Problems?: VIP customer service (CSO)

• CSO / IA : ”Right to audit” ?
• NASDAQ Directors Desk?

Primary insiders

Primary insider

A person who is a member of the board of directors or management of a listed company, or who is associated with the company in some other way, and who is therefore subject to certain requirements in respect of trading and reporting trades carried out, cf. Sections 3-1 and 2-6 of the Securities Trading Act. Each listed company is responsible for identifying its primary insiders, and is responsible for providing an up-to-date list of its primary insiders to Oslo Børs. Each primary insider is personally responsible for ensuring that the requirements imposed on him or her by the Securities Trading Act are adhered to.


Definition of Primary insiders

Example list of primary insiders (no names shown)


However…


(this is the point where I start to get difficult and annoying…)


Externals: Access to inside information

• Advertising agency
• Communications agency
• Translation service
• External auditor

• E-mail (usually unencrypted)
• E-mail with attachments
  – Usually unencrypted
• Postal mail
• Mail by courier
• Fax (for signatures!)
• Phone conference service
• (Norwegian) post
• Postal courier
• E-mail MitM attacks

http://www.edb.com/Documents/Articles/E-post_sikkerhet_i_Norge.pdf


Internals: Access to inside information

• LEGAL vs technical access
  – Domain Admins, helpdesk
• Unauthorized access should be logged and prosecuted
  – Administrative access is not logged (it is technically ”legal”)
• Company encryption (PCI)
  – Same problem with admins
• End-to-end encryption (personal)
  – Difficult, requires education


Third-party access to insider information

• Non-Disclosure Agreements (NDA) widely used : reactive control
• NDA seems to be considered a proactive control (?)
• Detective controls seem rare
• Security requirements in contracts seem sparse (”Trust” is common)


Recommendation (the ”easy” one…)


Last, but not least: Passwords^11

• 2 day conference on passwords & pins only
  – Attacks, defenses, forensics and usability aspects covered
  – Panel discussion: ”will we ever get rid of passwords?”
• Bergen (Norway), June 7-8
• Free-for-all (limited seats available)
• International speakers
• In collaboration with:
  – University of Bergen, Professor Tor Helleseth
  – Sponsored by NISNET
• Free live streaming on ustream.tv
• securitynirvana.blogspot.com & Twitter: #passwords11
