Business Secrecy Needs
Security of Secrets
Secrecy
Foundations of Information Security Series
Vicente Aceituno @vaceituno (c) Inovement Europe 2014
Vicente Aceituno
[email protected] - Skype: vaceituno
Linkedin - linkedin.com/in/vaceituno
Inovement Europe - inovement.es
Video Blog - youtube.com/user/vaceituno
Blog - ism3.com
Twitter - twitter.com/vaceituno
Presentations - slideshare.net/vaceituno/presentations
Articles - slideshare.net/vaceituno/documents
Foundations of Information Security Series
Needs: Secrecy, Intellectual Property you Own, Intellectual Property you Use, Privacy, Availability, Retention, Expiration, Quality
Obligations: Technical, Compliance, Legal
What is Information Security?
“Information Security” is an emergent property of people using information.
People have expectations about information.
If there are no people or no information, “Information Security” is meaningless, as there are no expectations to meet.
What is Information Security?
When expectations about information are met, there is “Security”.
When expectations about information are not met, there is an “Incident”.
What is Information Security?
Some expectations are things people (or organizations) want to happen for their own reasons. These are Needs.
Some expectations are things people (or organizations) want to happen in order to meet technical, legal or standard compliance requirements. These are Obligations.
Secrecy
Secrecy
Some expectations of people about information are related to ownership, control and use of information over time.
Secrecy
Ownership is defined as having legal rights and duties on something.
Control is defined as having the ability to:
- Grant or deny access to users.
- Attribute to specific users their use of information.
Use is defined as having access to read, write or modify information.
Secrecy
There are many types of secrets, for example:
- Personal and family information.
- Business information, like financial, strategy, industrial and trade secrets.
- Law enforcement information, sources and methods.
- Crime information, like insider trading, organized crime and gangs.
- Political information: weapon designs and technology (nuclear, cryptographic, stealth); military plans; diplomatic negotiation positions; intelligence information, sources and methods; international relations and treaties like the Molotov-Ribbentrop pact, the Cuba crisis agreement, the Dover treaty, the Quadripartite agreement and the Sykes-Picot agreement.
- Social information, like certain religions or secret societies such as Masonry.
- Professional information, like that held by health workers, social workers and journalists.
Secrecy
There is an expectation that Secrets will be controlled by their owners or authorized administrators only, for as long as they are authorized.
There is an expectation that Secrets will be used by authorized users only, for as long as they are authorized.
Secrecy
Whether these expectations are met is independent of the observer and repeatable.
Secrecy expectations can be determined by answering the following questions:
- Who should control the Secrets?
- Who should not control the Secrets?
- Who should use the Secrets?
- Who should not use the Secrets?
Answering these questions renders lists that can be enumerated, measured and managed.
Secrecy related incidents
When Secrets are controlled by people who are not or have never been the owners or the authorized administrators. For example:
- Granting access to unauthorized users.
- Denying access to authorized users.
- Lack of, or misattribution to specific users of, their use of information.
When Secrets are used by people who are not or have never been authorized users.
For a more complete list of incidents check tiny.cc/incidents
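As an added example, not part of the original deck, the four questions above and the incident types on this slide as a small Python check: the answers become sets, and each logged control or use action is tested against them. The secret name, user names and the log format are assumptions constructed for the example.

```python
from dataclasses import dataclass

USE_ACTIONS = {"read", "write", "modify"}   # "Use" as defined in the deck
CONTROL_ACTIONS = {"grant", "deny"}         # "Control" as defined in the deck

@dataclass(frozen=True)
class Expectation:
    """Answers to 'who should control / use the Secret'; everyone else should not."""
    secret: str
    controllers: frozenset   # owners or authorized administrators
    users: frozenset         # authorized users

@dataclass(frozen=True)
class Event:
    """One line of an assumed access log for a Secret (constructed format)."""
    secret: str
    actor: str         # "" when the log failed to attribute the action to a user
    action: str        # grant | deny | read | write | modify
    target: str = ""   # user whose access was granted or denied

def find_incidents(expectations, events):
    """Return (event, reason) pairs for every event that breaks a secrecy expectation."""
    by_secret = {e.secret: e for e in expectations}
    incidents = []
    for ev in events:
        exp = by_secret[ev.secret]
        if not ev.actor:   # lack of attribution is itself an incident
            incidents.append((ev, "action not attributed to a specific user"))
            continue
        if ev.action in CONTROL_ACTIONS:
            if ev.actor not in exp.controllers:
                incidents.append((ev, "controlled by a non-authorized administrator"))
            if ev.action == "grant" and ev.target not in exp.users:
                incidents.append((ev, "access granted to an unauthorized user"))
            if ev.action == "deny" and ev.target in exp.users:
                incidents.append((ev, "access denied to an authorized user"))
        elif ev.action in USE_ACTIONS and ev.actor not in exp.users:
            incidents.append((ev, "used by a non-authorized user"))
    return incidents

def secrecy_ratio(expectations, events):
    """Share of logged events that met expectations: a repeatable, observer-independent figure."""
    flagged = {id(ev) for ev, _ in find_incidents(expectations, events)}
    return 1 - len(flagged) / len(events)

# Constructed sample: one business secret and a six-line log.
EXPECTATIONS = [Expectation("q3-forecast", frozenset({"cfo"}), frozenset({"cfo", "analyst"}))]
LOG = [
    Event("q3-forecast", "cfo", "grant", target="analyst"),      # meets expectations
    Event("q3-forecast", "analyst", "read"),                     # meets expectations
    Event("q3-forecast", "helpdesk", "grant", target="intern"),  # two incidents
    Event("q3-forecast", "cfo", "deny", target="analyst"),       # one incident
    Event("q3-forecast", "intern", "read"),                      # one incident
    Event("q3-forecast", "", "modify"),                          # one incident
]
```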
Achieving Secrecy
In order to achieve Secrecy, normally Access Control measures are taken.
Cryptography is an important technology for Access Control.
The Access Control related O-ISM3 processes are:
- OSP-11 Access Control
- OSP-12 User Registration
Measuring degrees of Secrecy
Check the video that explains this metric at tiny.cc/secrecy
Secrecy
The O-ISM3 Challenge
This was an exercise designed to throw into sharp relief the inadequacy of traditional information security concepts.
Check the exercise in full at tiny.cc/indepth
A summary of the conclusions from the exercise, in relation to Secrecy, follows.
Secrecy Business Needs (diagram): Intellectual Property, Privacy, Confidentiality
Business Obligations (diagram): Confidentiality
Confidentiality
ISO Definition: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
ITIL Definition: A security principle that requires that data should only be accessed by authorized people.
CobIT Definition: Concerns the protection of sensitive information from unauthorized disclosure.
Secrecy and Confidentiality
Confidentiality can’t be measured (it doesn’t have units). Therefore it is neither independent of the observer nor repeatable, as Secrecy is.
Secrecy can be used to measure, communicate and manage a specific expectation of people about information.
Confidentiality is not necessary to understand or measure Secrecy.
Secrecy and Confidentiality
Secrecy and Confidentiality are not equivalent.
Confidentiality and Secrecy are not synonymous.
Confidentiality is not useful to understand Secrecy.
Follow the Foundations of Information Security Series by joining the Linkedin O-ISM3 Group at: tiny.cc/osim3LG
Learn Advanced Information Security Management by joining us at an O-ISM3 Course: tiny.cc/osim3