jeremy hilton and anas tawileh. “relevant” security identifying critical information identifying...

Jeremy Hilton and Anas Tawileh


Post on 06-Jan-2018


Page 1: Jeremy Hilton and Anas Tawileh. “Relevant” security Identifying critical information Identifying the risks Developing the controls Sharing control information


(C) Cardiff University


© Brian Wilson (Used with permission.)


[Figure labels: A real world organisation; RDs; An ‘enterprise’ model relevant to the real world organisation; Information support; Local judgement; Critical activities; Critical information requirements]


A system operated by appropriately skilled and experienced staff, partner producers, appropriate external parties and selected suppliers to build Delicia’s presence as a major participant in the dairy commodity markets by providing an effective and unique sourcing option, product innovation and developing, marketing and delivering branded speciality and healthy living products, and ongoing commodity trading to major multiple retailers, food service organisations and food manufacturers.


Critical Information Requirements at Delicia

Activity | Information Requirements

Sourcing

4 Determine Effectiveness of Existing Sourcing Options | Information about Participants in the Dairy Market; Knowledge about Existing Sourcing Options; Definition of Effectiveness

5 Decide on How to Make the Provided Sourcing Option Effective | Evaluation of the Effectiveness of Existing Sourcing Options

Partnerships

23 Assess Relationships with External Partners | Partners Information

24 Decide on How to Develop Relationships with External Partners to Support the Company’s Market Presence | Assessment of Customer Relations

29 Assess Relationships with External Partners | Partners Information

30 Identify Requirements to Meet External Partners’ Requirements | Evaluation of Existing Capabilities

Branding

37 Define Innovation | NA

38 Decide on How to Measure the Company’s Reputation as an Innovator | Definition of Innovation

39 Baseline the Company’s Reputation | Reputation Measurement Criteria

40 Evaluate the Company’s Reputation as an Innovator | Reputation Measurement Criteria


Managers of SMEs are busy running their company, trying to survive in a very competitive environment

They rarely address anything that is not a legislative or regulatory requirement, and even then will often only comply if there is a penalty for not doing so

Will avoid spending money, and time is money, training is money

Rarely buy in expertise, staff left to help each other and ‘learn on the job’


When developing policy (rules), it is critical to consider if and how they can be implemented.

For example, if the policy is that: employees who breach a security rule, say, disclose information to someone unauthorised to see it, then they will be fired


People generally do what they want to do, even at work. Hopefully this aligns with the organisation’s needs

incentivising; or applying suitable sanctions.

May achieve short term benefit, but the change is short-lived unless

fundamental change is achieved

staff have a belief in the desired result


Staff need to be involved, trained and supported.

Tools will be required in order to enable the desired controls on information and analysis/audit of use

Accountability and responsibility of staff must be clearly defined and agreed.

Tell me and I’ll forget

Show me and I’ll remember

Involve me and I’ll understand

Old Chinese saying


Traffic Light Protocol Philosophy mapped to the Business Impact and Control Categories

Developed to control information sharing between G8 countries, Business Impact levels added.


How to Use the Creative Commons Licenses

Creative Commons


A set of classifications that are flexible enough to enable you to define and communicate the controls to be applied to your information

May be combined with Creative Commons licenses

Expressed in 3 different formats:

Security Officer-readable

Human-readable

Machine-readable


Confidentiality

Authentication

Use

Integrity

CA – Community Access

RA – Restricted Access

PI – Personal Information

OO – Organisation Only

ND – Non-Disclosure

CG – Corporate Governance

SD – Safe Disposal

CU – Controlled Until

AB – Authorised By

ND – Non-Derivatives

BY – Attribution


The information may be shared within the organisation, but is not to be disclosed outside

Organisation Only


The information is restricted to members of a community; generally multi-agency

Though it may change, membership of the community is controlled

All members of the community agree to specific terms and conditions

Community Access


The information contains personal information and consideration must be made before sharing the information

This classification is likely to be used in conjunction with other labels such as

Personal Information


The information has been received under non-disclosure

The label will link to the specific terms of the NDA

This classification is likely to be used in conjunction with other labels such as

Non-Disclosure


Medical Record

Personnel record

Patent under development

Published Patent

Draft Annual Report

Approved report prior to release

Post Release


Thank You


“Others inspire us, information feeds us, practice improves our performance, but we need quiet time to figure things out, to emerge with new discoveries, to unearth original answers.”

- Esther Buchholz