Danish IT Security Conference 2012, Kim Aarenstrup

30 slides

© 2011 IBM Corporation. All rights reserved. Security & Communication

Upload: kim-aarenstrup

Post on 18-Nov-2014


TRANSCRIPT

Page 1: Danish IT Security Conference 2012, Kim Aarenstrup

© 2011 IBM Corporation. All rights reserved.

Security & Communication

Page 2:

Agenda

Communication vs Information

The recipient's perception of security

Messages and punch lines

Wrap-up..

Page 3:

GOOD INFORMATION:

IS OBJECTIVE

IN-DEPTH

AND RATIONAL

Source: Mench

Page 4:

GOOD COMMUNICATION:

IS SUBJECTIVE

SUPERFICIAL

AND EMOTIONAL

Source: Mench

Page 5:

Where does your management stand...?

INFORMATION:

ADDRESSES THOSE WHO ARE PARTICULARLY INTERESTED

COMMUNICATION:

CAN INVOLVE THOSE WHO ARE NOT PARTICULARLY INTERESTED!

Source: Mench

Page 6:

Information or communication...?

CLOUD or

BYOD

Page 7:

Bring Your Own Device - BYOD

Purchase or reimburse?

In many businesses, employees are mobile — they work at customers’ sites, they go out in the field to procure materials or solicit new clients, and they’re expected to be on call nights and weekends. If your company is considering whether to provide employees with mobile phones or reimburse them for all or part of their personal cell phone expenses, you’ll want to consider the cost of each option. It makes sense to assume that the company will have more control over the phone if you purchase it in the company’s name, pay the monthly bills directly, and issue it to the employee. You should consult your attorney as to how this decision will affect legal issues that might arise regarding the use of the phone.

One consideration is that if the company purchases the smartphone, it owns the phone number assigned to that device. If the employee leaves the company, that phone number can be given to another employee. If the employee owns the phone and leaves the company, customers and other business contacts who had that phone number will no longer be able to use it to get in touch with the company.

You should also keep in mind that state laws vary widely, and employers and employees may have rights in one location that they don’t have in another.

Dedicated to business?

If the company buys and issues the phone and pays the phone bill, will employees be required to use their phones for business use only, and carry a second phone for their own personal use? If so, you should have a written policy stipulating this, and employees should sign an agreement to abide by the policy when they’re issued their phones.

Many companies tolerate a certain amount of personal use of the company-owned phone. If you decide to allow it, your policy should specify that employees will be required to pay for any services they access on the phone that cost extra, such as text messages, ringtone downloads, entertainment services, and navigation and mobile hotspot services (unless you pay for those so they can use them for business purposes).

Who owns the data?

An important consideration that you’ll want to clarify when you issue phones or reimburse employees is who owns the data stored on the devices. Smartphones are really miniature computers and can have all the same sorts of data on them as resides on a desktop or a laptop computer (email messages, customer contact information, company documents and spreadsheets, and so forth), but almost always in the case of employee-owned phones and often in the case of employer-owned phones, the users will also store personal data on their phones. Who owns what?

If you’re in a regulated industry, such as healthcare or financial services, it’s important to remember that you may be mandated to protect the confidentiality of personal data pertaining to clients. If you own the phones, you can select the models that are most secure, and ensure that they are running the most up-to-date version of the smartphone operating system. In addition, you can enforce encryption of the data stored on them.

Management issues

What if the company buys and issues the smartphones, but when an employee quits the job or is terminated, the employee refuses to return the phone? If the phone is in the company’s name, you should be able to contact the carrier and have the phone deactivated, and the number reassigned to someone else in the company.

Can you have the carrier use the phone’s GPS functionality (or the cell tower triangulation method) to track down the user and retrieve the phone? What legal action can you take against the employee? Can you file theft charges, or would you have to take the former employee to civil court to get a judgment requiring the phone to be returned to you? If you merely reimburse an employee’s mobile phone expenses, you wouldn’t have to worry about any of these issues since the employee would keep the phone. However, you still need to think about whether and how you can make the former employee remove company data from the phone. Can you require the phone’s storage be wiped (factory reset) to ensure that no company data is left on the device? If you have the technological capability to remotely wipe the phone, is it legal for you to do when the phone is owned by the employee?

Again, these are questions to ask your attorney in advance, and to take into consideration when you write your company policies governing cell phone use.

Employee monitoring

Another issue that you may want to consult your attorney about is whether you can legally track the employee’s movements via the company cell phone. If you do track the employee, do you have to inform the individual that you’re doing it? Can you track the employee during off-duty hours when they are carrying the company phone or only during business hours?

Can you require employees to keep their phones on all the time when they’re away from the office? If you do, will you have to pay them “standby pay” for that time? It’s technologically possible to turn a cell phone on remotely; is it legal for you to do this if an employee turns the phone off, and you want to get in touch and/or track their location?

Software is available for several phone platforms that can be installed on a cell phone to allow you to listen to and/or record conversations and remotely read call logs, email messages, and SMS messages. Is it legal for you to use such software to monitor your employees’ company-issued phones? Do you have to notify them that you’re doing so? These are questions you need to ask your attorney.

Liability issues

Another question to ask your attorney: What is the company’s liability if an employee uses a company-owned cell phone as a platform for launching an attack, hacking into a network or computer, downloading child pornography, harassing someone, or committing other illegal acts? Could a wronged party sue the company as well as the individual employee, claiming that by using company equipment, the employee was acting as a representative of the company?

It’s important for you to put policies in place that specifically prohibit employees from using company-issued phones for any illegal activities, or actions that would be likely to result in a civil suit. This helps protect the company by providing tangible evidence that the employee was acting outside the scope of employment.

What if the police need to seize the phone as evidence of a crime? The company may lose the use of it for a very long time as the case winds its way through the court system.

What if you purchase and issue a phone to an employee and it’s defective and overheats or explodes, causing an injury? Could the employee sue you for issuing the defective phone? These may seem like far-out scenarios, but it pays to be prepared for every eventuality.

Source: techrepublic.com

Page 8:

BYOD... an example of communication about one of the CIO's challenges

All devices, all locations, all systems

Standardisation, security & cost-effectiveness can co-exist with diversity

Page 9:

Agenda

Communication vs Information

The recipient's perception of security

Messages and punch lines

Wrap-up..

T: +10

Page 10:

The recipient's perception of security...

Consider your communication carefully:

– Who is the audience

• What level of understanding do they bring

• Don't be afraid to get technical – but explain it

• Topics you can build on – strategy/hot topics

• The opponent matters more than the supporters

– The medium you use

• Projector vs paper

• Email

– What are your key messages

• 2-3 key messages

• Use analogies – choose them with care

– Be prepared to be taken off track

• Have a lifeline ready

• Play along with the direction that has been set

• Be aware of their agenda before and after (perspective)

Page 11:

Perspective...

Page 12:

The meeting with Søderberg and the IT security committee...

Page 13:

The visionary input from Peter Ecsery Merrens:

Imagine if...

Page 14:

Talking to top management...

What drives increased focus at the Board

Speaking time with the Board

The Board/C-suite often fear major security breaches or loss of key data, resulting in negative publicity and major negative impacts on the business

– Seen as a small set of risks that… can essentially take us out of business

– Registrations seen as treasured information

– A desire to avoid that ending up in the hands of competition/wrong customer

– Regulatory fines for inadequate security controls – data leakages

– (controls regarding insider tradeable information...)

Fewer than half of the respondents have presented to the Board in the previous twelve months

When they did present, topics included:

– Protecting customer data

– Securing mobile devices

– Dealing with hackers

– Options for tightening security

– Government regulations

– Actual security incidents in the company

Page 15:

Needs versus motivation…

Chart 1: Where effort will be focused to prepare for security incidents

Chart 2: Factors driving growth of information security organization

Category labels from the two charts (axis: More Mentions / Fewer Mentions): Education of the organization; Improved processes; Additional staff; New technology; Outsourcing/Using managed provider; Professional development; Better communication and collaboration; Complexity of government regulations or industry standards; Internal threats; External threats; Importance of security to C-suite; N/A—Size will stay the same or shrink; Technology issues

• Many see education and new technology as the most important focus areas

• But it is often legislation and standards that secure the funding…

Page 16:

Examples are fine – but what about the ”scare campaigns”...?

Page 17:

Agenda

Communication vs Information

The recipient's perception of security

Messages and punch lines

Wrap-up..

T: +30

Page 18:

Messages and punch lines...

Sources: IBM & ISF – www.securityforum.org

Page 19:

Messages and punch lines...

Zero-tolerance areas

Describe them at a high level

Measure and report on the results

Ensure management backing

Repeat them continuously

The KPI / bonus effect

Page 20:

Messages and punch lines...

The average company’s computer infrastructure is attacked nearly 60,000 times every day.

- It’s time to take action…

Page 21:

Messages and punch lines...

Source: ISF – www.securityforum.org

Page 22:

Do you have a strategic approach to your security management?

Security management across all security domains?

Compliance with laws and regulations?

Improved ROI through simplification and use of best practice?

The IBM Security Framework

Common Policy, Event Handling, and Reporting

Security Governance, Risk Management, and Compliance

Physical Infrastructure

People and Identity

Data and Information

Application and Process

Network, Server, and End Point

Page 23:

Identity Management

Professional Services

Managed Services

Products

Cloud Delivered

New Offerings

Security Governance, Risk and Compliance

Security Information and Event Management (SIEM) & Log Management

Identity & Access Management

Identity Management

Access Management

GRC

Data Security

Database Monitoring & Protection

Encryption & Key Lifecycle Management

Data Loss Prevention Data Entitlement Management

Data Masking

Messaging Security

E-mail Security

Application Security

Web / URL Filtering

Application Vulnerability Scanning

Access & Entitlement Management

Web Application Firewall

SOA Security

Infrastructure Security

Threat Analysis

Firewall, IDS/IPS MFS Management

Physical Security

Mainframe Security Audit, Admin & Compliance

Security Event Management

Security Configuration & Patch Management

Intrusion Prevention System

Endpoint Protection

Virtual System Security

Vulnerability Assessment

Managed Mobility Services

Do you have a strategic investment plan for the next 3-5 years?

Page 24:

Agenda

Communication vs Information

The recipient's perception of security

Messages and punch lines

Wrap-up..

T: +30

Page 25:

Rich pictures...?

Source: ISF – www.securityforum.org

Page 26:

Business Partners

Supply Chain

Coffee Shop

Hotels

Home

Inadequate, disjointed technology management

Rich pictures…?

Foes, Gremlins, and Banana Peels

Page 27:

Complexity can be necessary to increase understanding...

Source: ISF – www.securityforum.org

Page 28:

Humour...?

Page 29:

Simplification can be extremely effective...

When you have to protect your systems, it comes down first and foremost to one thing:

Reduce the critical vulnerabilities!

This applies to companies, data centres and public systems, as well as military or other critical-infrastructure IT installations...

Page 30:

Thank you – also for your questions...

Kim Aarenstrup, Security Industry Leader, IBM, [email protected]