Jeremy Hilton and Anas Tawileh
“Relevant” security Identifying critical information Identifying the risks Developing the controls Sharing control information
(C) Cardiff University
© Brian Wilson(Used with permission.)
A REAL WORLD ORGANISATION RDs
AN ‘ENTERPRISE’ MODEL RELEVANT TO THE REAL WORLD ORGANISATION
INFORMATION SUPPORT
LOCAL JUDGEMENT
CRITICAL ACTIVITIES
CRITICAL INFORMATION REQUIREMENTS
A system operated by appropriately skilled and experienced staff, partner producers, appropriate external parties and selected suppliers to build Delicia’s presence as a major participant in the dairy commodity markets by providing an effective and unique sourcing option, product innovation and developing, marketing and delivering branded speciality and healthy living products, and ongoing commodity trading to major multiple retailers, food service organisations and food manufacturers.
Critical Information Requirements at Delicia
(activity number, activity | information requirements)

Sourcing
  4   Determine Effectiveness of Existing Sourcing Options | Information about Participants in the Dairy Market; Knowledge about Existing Sourcing Options; Definition of Effectiveness
  5   Decide on How to Make the Provided Sourcing Option Effective | Evaluation of the Effectiveness of Existing Sourcing Options

Partnerships
  23  Assess Relationships with External Partners | Partners Information
  24  Decide on How to Develop Relationships with External Partners to Support the Company's Market Presence | Assessment of Customer Relations
  29  Assess Relationships with External Partners | Partners Information
  30  Identify Requirements to Meet External Partners' Requirements | Evaluation of Existing Capabilities

Branding
  37  Define Innovation | NA
  38  Decide on How to Measure the Company's Reputation as an Innovator | Definition of Innovation
  39  Baseline the Company's Reputation | Reputation Measurement Criteria
  40  Evaluate the Company's Reputation as an Innovator | Reputation Measurement Criteria
Managers of SMEs are busy running their company, trying to survive in a very competitive environment
They rarely address anything that is not a legislative or regulatory requirement, and even then will often only comply if there is a penalty for not doing so
They will avoid spending money, and time is money, as is training
They rarely buy in expertise; staff are left to help each other and 'learn on the job'
When developing policy (rules), it is critical to consider if and how it can be implemented.
For example, consider a policy that employees who breach a security rule, say by disclosing information to someone not authorised to see it, will be fired
People generally do what they want to do, even at work. Hopefully this aligns with the organisation's needs; where it does not, the options are incentivising, or applying suitable sanctions.
Sanctions may achieve a short-term benefit, but the change is short-lived unless fundamental change is achieved, that is, staff have a belief in the desired result.
Staff need to be involved, trained and supported.
Tools will be required in order to enable the desired controls on information and analysis/audit of use
Accountability and responsibility of staff must be clearly defined and agreed.

Tell me and I'll forget
Show me and I'll remember
Involve me and I'll understand
Old Chinese saying
Traffic Light Protocol philosophy mapped to the Business Impact and Control Categories
Developed to control information sharing between G8 countries; Business Impact levels added.
How to Use the Creative Commons Licenses (Creative Commons)
A set of classifications that is flexible enough to let you define and communicate the controls to be applied to your information
May be combined with Creative Commons licenses
Expressed in 3 different formats, as the Creative Commons licenses are: Security Officer-readable, Human-readable, Machine-readable
Control categories: Confidentiality, Authentication, Use, Integrity

Labels:
CA – Community Access
RA – Restricted Access
PI – Personal Information
OO – Organisation Only
ND – Non-Disclosure
CG – Corporate Governance
SD – Safe Disposal
CU – Controlled Until
AB – Authorised By
ND – Non-Derivatives (Creative Commons)
BY – Attribution (Creative Commons)
Organisation Only
The information may be shared within the organisation, but is not to be disclosed outside.

Community Access
The information is restricted to members of a community; generally multi-agency.
Though it may change, membership of the community is controlled.
All members of the community agree to specific terms and conditions.

Personal Information
The information contains personal information and consideration must be made before sharing the information.
This classification is likely to be used in conjunction with other labels such as

Non-Disclosure
The information has been received under non-disclosure.
The label will link to the specific terms of the NDA.
This classification is likely to be used in conjunction with other labels such as
Examples of labelled documents:
Medical Record
Personnel record
Patent under development
Published Patent
Draft Annual Report
Approved report prior to release
Post Release
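The slides say the labels should also exist in a machine-readable form, and that labels combine (Organisation Only with Personal Information, Community Access with Controlled Until, and so on). The following is an added example, not code from the presentation or from Cardiff University: it encodes the slides' own label codes in a simple text syntax and evaluates a sharing request against a combined label. The `CODE;CODE:argument` syntax, the date-time-group format for CU, the rule semantics (CU as an embargo on external release, ND requiring a signed NDA, AB requiring a named approver, PI as a warning rather than a denial), and the organisation, community and NDA names are all assumptions made for illustration. Note that the slides use ND for both Non-Disclosure and the Creative Commons Non-Derivatives; the example reads ND as Non-Disclosure, so a real deployment would need distinct codes.

```python
"""Machine-readable information labels and a sharing check.

Added example, not code from the presentation. The label codes are the
slides' own; the text syntax, field names and rules are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Codes as listed on the slides. "ND" is read here as Non-Disclosure
# (assumption); the slides also use ND for Non-Derivatives.
LABELS = {
    "CA": "Community Access", "RA": "Restricted Access",
    "PI": "Personal Information", "OO": "Organisation Only",
    "ND": "Non-Disclosure", "CG": "Corporate Governance",
    "SD": "Safe Disposal", "CU": "Controlled Until",
    "AB": "Authorised By", "BY": "Attribution",
}


def parse_dtg(text):
    """Date-time group as YYYY-MM-DDTHH:MMZ (UTC); assumed format."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%MZ").replace(tzinfo=timezone.utc)


@dataclass
class Label:
    codes: set
    community: str = None             # CA:<community name>
    nda_ref: str = None               # ND:<reference to the NDA terms>
    controlled_until: datetime = None  # CU:<DTG>
    authorised_by: str = None         # AB:<who may authorise release>


def parse_label(text):
    """Parse e.g. 'OO;PI;CU:2025-06-30T09:00Z' (assumed syntax) into a Label."""
    label = Label(codes=set())
    for token in (t.strip() for t in text.split(";")):
        if not token:
            continue
        code, _, arg = token.partition(":")   # split at the first colon only
        code = code.upper()
        if code not in LABELS:
            raise ValueError(f"unknown label code {code!r}")
        label.codes.add(code)
        if code == "CA":
            label.community = arg
        elif code == "ND":
            label.nda_ref = arg
        elif code == "AB":
            label.authorised_by = arg
        elif code == "CU":
            label.controlled_until = parse_dtg(arg)  # invalid DTG -> ValueError
    return label


@dataclass
class ShareRequest:
    owner_org: str
    recipient_org: str
    now: datetime
    recipient_communities: set = field(default_factory=set)
    ndas_signed: set = field(default_factory=set)
    approved_by: str = None


def may_share(label, req):
    """Return (allowed, denials, warnings) for one sharing request.

    Rule semantics are assumptions drawn from the slide definitions:
      CU - embargoed outside the owner organisation until the DTG passes
      OO - never leaves the owner organisation
      CA - outside the organisation only to members of the named community
      ND - only to recipients who have signed the referenced NDA
      AB - release must be approved by the named authority
      PI - never denies by itself, but flags that consideration is required
    """
    denials, warnings = [], []
    internal = req.recipient_org == req.owner_org
    if "CU" in label.codes and not internal and req.now < label.controlled_until:
        denials.append(f"CU: controlled until {label.controlled_until:%Y-%m-%d %H:%MZ}")
    if "OO" in label.codes and not internal:
        denials.append("OO: organisation only")
    if "CA" in label.codes and not internal and label.community not in req.recipient_communities:
        denials.append(f"CA: recipient is not in community {label.community!r}")
    if "ND" in label.codes and label.nda_ref not in req.ndas_signed:
        denials.append(f"ND: recipient has not signed NDA {label.nda_ref!r}")
    if "AB" in label.codes and req.approved_by != label.authorised_by:
        denials.append(f"AB: release must be authorised by {label.authorised_by!r}")
    if "PI" in label.codes:
        warnings.append("PI: contains personal information; consider before sharing")
    return (not denials, denials, warnings)


def check(label_text, owner_org, recipient_org, now_dtg,
          communities=(), ndas=(), approved_by=None):
    """Convenience wrapper: everything as strings, result from may_share()."""
    req = ShareRequest(owner_org, recipient_org, parse_dtg(now_dtg),
                       set(communities), set(ndas), approved_by)
    return may_share(parse_label(label_text), req)


if __name__ == "__main__":
    # Constructed sample: a draft report sent to a partner before its release date.
    print(check("CA:dairy-forum;PI;CU:2025-06-30T09:00Z", "delicia", "partnerco",
                "2025-06-01T00:00Z", communities=["dairy-forum"]))
```

The check is deliberately deny-by-default on any restriction it cannot satisfy and returns the reasons, so the same function can back an audit log of refused shares, which is the "analysis/audit of use" tooling the slides ask for.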
Thank You
"Others inspire us, information feeds us, practice improves our performance, but we need quiet time to figure things out, to emerge with new discoveries, to unearth original answers."
- Esther Buchholz