Information Security Awareness

Upload: ngodung

Post on 18-Apr-2018

TRANSCRIPT

Information Security Awareness

www.coralesecure.com

Agenda

• What is Information, and 14 more questions!

What is Information?

Information

Anything which has a business value!


Information – Where is it?

• Services
• Software
• Physical (Hardware)
• Personnel
• Paper
• Service Provider
• Information

Literally .. "everywhere"

What is Security? What are the key terms?

Confidentiality? Ensuring that information is accessible only to those authorised to have access.

Integrity? Safeguarding the accuracy and completeness of information and processing methods.

Availability? Ensuring that authorised users have access to information and associated assets when required.

What is CIA?

Example?

Why do we need to protect information?

Why is Information Security needed?

• To prevent unauthorised modification/alteration (Integrity)
• To protect against loss/destruction, natural or man-made (Availability)
• To prevent unauthorised disclosure (Confidentiality)

Business Requirements

Legislative Requirements

Benefits of Information Security

1. Protects your job
2. Protects business – enables 'Continuity'
3. Partner Trust
4. Security in 'everything' we do
5. Reduce response time in case of 'incident'

*Not exhaustive

Who is interested in your information?

What is ISO 27001?

ISO 27001 Domain & Controls

Domain                                                                Control Objectives   Controls
A.5   Security policy                                                          1               2
A.6   Organization of information security                                     2               7
A.7   Human resource security                                                  3               6
A.8   Asset management                                                         3              10
A.9   Access control                                                           4              14
A.10  Cryptography                                                             1               2
A.11  Physical and environmental security                                      2              15
A.12  Operations security                                                      7              14
A.13  Communications security                                                  2               7
A.14  System acquisition, development and maintenance                          3              13
A.15  Supplier relationships                                                   2               5
A.16  Information security incident management                                 1               7
A.17  Information security aspects of business continuity management           2               4
A.18  Compliance                                                               2               8
Total (14 domains)                                                            35             114

Physical security controls cover all aspects of physical security such as doors, access control systems, entry and exit areas, and associated processes (such as fire evacuation and visitor management, to name a few).

Technical controls can cover user ID and password, antivirus, encryption, firewall and associated processes (such as change management and access management).

Personnel controls include background screening, induction training and revocation of access upon employee departure (not exhaustive).

Administrative controls include asset identification, document classification, risk assessment and documentation, to name a few.

Anything else?

What is a vulnerability?

Vulnerability Types

Process Vulnerability
• No formal change management process
• No induction process for information security

Implementation Flaw
• Door's lock is not working
• No responsibility for firewall configuration
• Unnecessary services running on the server

Insecure Product/Protocol
• telnet instead of ssh
• http instead of https
• Plain text instead of encrypted data store

Insecure Practices/Usage
• No screen saver on the machines
• Irregular backups
• Wrong allocation of password rights
• Tailgating
• Irregular patch management

Insecure Development Process
• Absence of security in the development LC
• No check in application for invalid characters
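The protocol, data-store and input-validation weaknesses listed above are the ones that can be checked mechanically. The Python below is an added example, not part of the original presentation or of any Corale Secure material: it audits a constructed service inventory against the slide's own pairs (telnet instead of ssh, http instead of https, plain text instead of an encrypted store) and shows the allowlist check an application would apply to reject invalid characters. The `Service` record, the inventory entries and the identifier allowlist are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Insecure-to-secure protocol pairs named on the slide (telnet -> ssh, http -> https).
SECURE_ALTERNATIVE = {"telnet": "ssh", "http": "https"}

# Assumed allowlist for a user-supplied identifier such as a username:
# letters, digits, dot, underscore and hyphen, 1 to 32 characters.
# Any character outside this set is an "invalid character" in the slide's sense.
IDENTIFIER_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")


def has_only_valid_characters(value: str) -> bool:
    """Allowlist check: True only if every character is permitted and the
    length is within bounds. fullmatch anchors the pattern at both ends."""
    return IDENTIFIER_RE.fullmatch(value) is not None


@dataclass
class Service:
    """Constructed inventory record (an assumption for this example)."""
    name: str
    protocol: str            # e.g. "telnet", "ssh", "http", "https"
    encrypted_at_rest: bool  # False = plain text data store
    validates_input: bool    # False = no check for invalid characters


def audit_service(svc: Service) -> List[str]:
    """Return one finding for each weakness type from the slide that applies."""
    findings = []
    proto = svc.protocol.lower()
    if proto in SECURE_ALTERNATIVE:
        findings.append(
            f"{svc.name}: insecure protocol '{proto}', use '{SECURE_ALTERNATIVE[proto]}' instead"
        )
    if not svc.encrypted_at_rest:
        findings.append(f"{svc.name}: plain text data store, encrypt data at rest")
    if not svc.validates_input:
        findings.append(f"{svc.name}: no check in application for invalid characters")
    return findings


def audit_inventory(services: List[Service]) -> Dict[str, List[str]]:
    """Map each service name to its findings; services with none are omitted."""
    report = {}
    for svc in services:
        findings = audit_service(svc)
        if findings:
            report[svc.name] = findings
    return report


# Constructed sample inventory; names and settings are invented for this example.
SAMPLE_INVENTORY = [
    Service("legacy-console", "telnet", encrypted_at_rest=False, validates_input=False),
    Service("intranet-portal", "http", encrypted_at_rest=True, validates_input=True),
    Service("hr-api", "https", encrypted_at_rest=True, validates_input=True),
]


if __name__ == "__main__":
    for findings in audit_inventory(SAMPLE_INVENTORY).values():
        for finding in findings:
            print(finding)
    # Allowlist in action: the second and third inputs contain a space and
    # angle brackets, which the application should reject rather than pass on.
    for sample in ["alice.smith", "bob smith", "a<b>"]:
        verdict = "accepted" if has_only_valid_characters(sample) else "rejected"
        print(f"{sample!r}: {verdict}")
```

The audit reports the legacy console three times (protocol, storage and input handling) and the intranet portal once (http), while the https API is clean. The allowlist is deliberately a positive list of permitted characters rather than a denylist of bad ones, so anything not explicitly allowed, including an empty string or an over-long value, is rejected.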

What is the difference between an incident and a weakness?

When do YOU become a security incident?

How to report a security incident/weakness?

By Phone! By Email! By Direct Reporting!

Which policy document must you read to know about your security Dos and Don'ts?

Acceptable Usage Policy

Acceptable Usage Policy (AUP) – Table of Contents

1. Purpose
2. ISO 27001 – 2013 reference
3. Definition of Information Assets
4. Responsibility
5. General Security Practices
6. Userid & Password Protection
7. Usage of Electronic Mail (email)
8. Prohibited Actions Using Email
9. Usage of Office Network & Communication Infrastructure
10. Usage of Desktop Computer
11. Usage of Notebook/Laptop Computer
12. Connecting to Internet from Public places
13. Secure usage of mobile devices
14. Secure usage of physical access cards
15. Secure usage of cryptographic keys
16. Internet usage policy
17. Clear Desk and Clear Screen Policy
18. Teleworking Policy
19. Social Media/Social networking Policy
20. Weakness & Incident Reporting
21. Consequence Management/Disciplinary action Procedure (DAP)
22. Intellectual Property/ownership
23. Right to audit
24. Question/clarifications/improvements

Reading and accepting the terms of the AUP is mandatory!

Common End User Security Expectations

• You are the 'eyes' and 'ears' for securing information and the organisation
• Clear desk and clear screen policy – learn [Windows] + L!
• Do not exploit a weakness – report it!
• Use complex passwords
• Protect your smartphone by adding a password
• Know your security manager
• Read the Acceptable Usage Policy

Q & A

Thank You