
Upload: linda-phelps

Post on 25-Dec-2015


TRANSCRIPT

Page 1:

Sasa Aksentijevic, MBA IT, Ph.D. Business Economy cnd. / ICT Manager / C(I)SO / ICT Court Forensic Expert
LinkedIn: linkedin.com/sasaaksentijevic

Information security

Certification, internal audit, CISSPs, CISMs, ISO 27K, BCP, DR, network security, antivirus solutions, anti-intrusion, firewalls, ethical hacking, residual risk management, SWOT, GAP, Monte Carlo... ????

Common ICT security mistakes in corporate environments

Page 2:

PRESENTATION Content

A little theory will not hurt anybody

Management has discovered information security, or the Dilbert approach to information security

Should we include the coffee machine in the ISMS scope? AKA: is certification the final answer to infosec?

“I will write my password on a Post-It for you” AKA low-level (operative) infosec breaches

How can something be nothing?

Is information security possible? Is ICT security possible?

Q&A

Page 3:

Infosec concept model

Page 4:

PHB or Pointy Haired Boss

Description


The pointy-haired boss (often abbreviated to just PHB) is Dilbert's boss in the Dilbert comic strip. He is notable for his micromanagement, gross incompetence and unawareness of his surroundings, yet somehow retains power in the workplace.

The phrase "pointy-haired boss" has acquired a generic usage to refer to incompetent managers. It is also possible to speak of someone being pointy-haired or having pointy hair metaphorically, meaning that they possess PHB-like traits.

Page 5:

ISO 27K (Information technology — Security techniques — Information security management systems — Requirements) is not an information security standard. It is a management systems standard.

ISO 27K outlines a framework for an ISMS, but it is not a “golden standard” itself. ISO 27K is based on risk assessment: there is no “predefined” acceptable risk; criteria, applicability, inclusion and treatment are decided by the organization.

Efficient implementation requires security analysis of the technical aspects. The standard itself deals with policy, scope, risk analysis, procedures and records.

Too many ifs

ISO 27K certification is proof of compliance with the standard. By itself, it does not guarantee information security.

Organizations decide on the applicability (or not) of Annex A controls. The list of controls exists (Annex “A”), but it is just a “suggestion”. Additional controls may be included.

Certification is still the best available tool to achieve information security goals

Page 6:

Delegation (of tasks that should not be delegated)

Compliance with local legislation/law requirements; problems with non-compliance

Inadequate resources (human resources, time, money, knowledge…)

Creation of parallel, “backdoor” systems, especially for the management authorization process

Lack of interest in information security on the part of Management

No BCP, no DR, no periodic updating

Lack of consistent policies, criteria, standards, work instructions and learning from security incidents

Management has no awareness that information security is an ongoing, permanent process

Lack of systematic resource and contingency planning, loose control over ICT assets, unclear ownership

Page 7:

Revocation of access rights and email access, and periodic review of access rights, not implemented

No ICT security induction, no periodic refresher courses

No segregation between work (production) and test environments

SLAs for ICT services are not clearly defined (or they are not adhered to)

No implementation of employee background checks

Inadequate physical access controls (especially for guests, third parties, externals and temps)

Saving on insurance, no change management (log), unsafe networking environment

Incident learning process is not implemented

Controls related to third party relations and NDAs are not implemented

Page 8:

User breaches

USB drives used for storage and not backup

Data exchange procedures (encrypting, FTP, snail mail)

No Data Classification/Information Lifecycle Management

Remote working equipment (PDAs, MMC, USB, notebooks)

ICT assets not under control by owners


Page 9:

User breaches

Photocopy machines, printers and network scanners

Password sharing, passwords on Post-It

Clear workplace and display policy not enforced

Documents not supervised, lack of access authorization

Non-systematic document disposal


Page 10:

User breaches

No continuous learning/interest in security culture

Data backup procedures

Common network areas used for personal data placement

3rd party relations, hardware repair procedures

Malicious intent


Page 11:

Page 12:

Technical effort -> BEST PRACTICES, CERTIFICATION, LEGISLATION, FORENSICS, TESTING, PDCA, AUDIT(s)…

Personal effort -> EMPLOYEES (PARTICIPANTS, STAKEHOLDERS)

Organizational effort -> MANAGEMENT


Page 13:

Thank you for your attention!
