Information security in the Norwegian higher education sector 2012-13.06

Kenneth Høstland, CISA, CRISC

Dec 20, 2021
Page 1

Information security in the Norwegian higher education sector 2012-13.06

Kenneth Høstland, CISA, CRISC

Page 2

Contents

• Policy track
• RVA
• BCP/DRP and BIA
• UFS

Page 3

Policy track – Background

• Protection of personal data
• Compliance with regulations
  o The Personal Data Act
  o The Personal Data Regulations
    – Security management (Section 2-3)
    – Risk assessment (Section 2-4)
• Efficiency, etc.
• Improve governance and control regarding actual threats
• Proportionality requirements – extent and type of business
• Balancing different interests (privacy, availability, confidentiality, financial, etc.)

Page 4

PDA – definitions

Section 2 Definitions

For the purposes of this Act, the following definitions shall apply:

1) personal data: any information and assessments that may be linked to a natural person,

8) sensitive personal data: information relating to
a) racial or ethnic origin, or political opinions, philosophical or religious beliefs,
b) the fact that a person has been suspected of, charged with, indicted for or convicted of a criminal act,
c) health,
d) sex life,
e) trade-union membership.

Sensitive personal data shall be processed and stored in secure areas where only authorized users are granted access. A business can create multiple secured zones depending on demand.

Page 5

Policy track – Measures

Mapping the current standpoint:

• IS Audit
• RVA
• Further surveys
  o SWOT
  o BIA

Measures / action:

• Internal control – Policy (in 3 levels)
• Technical measures / ICT security infrastructure
• BCP/DRP

Page 6

Policy track – Mapping standpoint – IS Audit

• Based on ISO 27001 (Appendix A)
• Regulatory requirements (PDA, the Copyright Act)
• "Best practice" (ISACA, ISF, DND, NIST, vendor recommendations, etc.)
• Checklists that reflect the above
• Report

Page 7

ISO 27001 Control Objectives

Page 8

Control objectives in PDA

Page 9

Best Practice

Page 10

A typical agenda for IS Audit / Security Assessment – 0900-1600

Page 11

IS Audit – Check lists

Page 12

IS Audit – Check lists

Page 13

IS Audit – Check lists

Page 14

A typical TOC – IS Audit report

Page 15

Typical IS audit conclusions

The technical security of the existing solutions is mostly satisfactory, and provides relevant security against traditional threats.

A Data Inspectorate audit would have resulted in clear orders that would have to be fulfilled within six months, in line with the recommendations in our report.

Some essential governing documents are missing, e.g.:

o security policy (incl. security objectives and strategy),
o IT strategy,
o continuity and contingency plans for IT.

Outsourcing contracts are inadequate with respect to information security, including missing SLAs.

i.e. – "The terrain can be good – but the map is missing"

Page 16

IS Audit: Overall recommendations

Establish a Security Policy based on ISO 27002, and implement it, including a selection of procedures.

Establish the role of Chief Security Officer (CSO) and formally anchor the responsibility for information security in senior management.

Perform risk assessment of systems with personal data with respect to confidentiality, integrity and availability.

Develop an overview of the personal data that are processed.

Establish a satisfactory security architecture based on the concept of security levels.

Develop BCP (Business Continuity and Contingency Plans) for the ICT infrastructure.

Page 17

Some technology-related risks

Mobility / BYOD raises significant risks
o Moving boundaries / security barriers
o A private device that is often filled with company information

Complexity can be the enemy
o As a result of unnecessary functionality
o As a result of too much "technology focus"

Constant changes / technology shifts are a threat
o Leave less time for developing effective security measures

An inadequate or missing IT/technology strategy is a threat
o Can lead to ad hoc procurements
o Can be costly
o The IT strategy must be anchored in the business

Avoid "too much security technology"
o Choose measures based on the ROS (risk and vulnerability) assessment

Avoid risk-prone configuration
o Example: clients and servers in the same segment/regime, combined with local administrator access on the client/PC – and allowing BYOD without measures that establish accountability

Page 18

ISO 27001

Page 19

ISO 27001

Page 20

ISO 27002 in all its cruelty – some of the contents …

Page 21

Security with a system – document structure

1) Why – Security Policy: defines the goals, purpose, responsibility and overall requirements. Governing document.

2) What – Guidelines for information security: defines what should be done to comply with the established policy. Governing document – ISO 27k structure.

3) How – Standards and procedures: contain detailed guidelines for the implementation of security. Accomplishing and controlling documents.

Page 22

Security put in system

The Data Inspectorate often gets questions about how a company can adapt to the Data Inspectorate's requirements for information security. Among other things, it is asked about the relationship with ISO standards. The regulation is based on ISO standards. Chapter 2 of the Personal Data Regulations (the information security chapter) is based on, and has the same systematics as, the ISO standard 17799. The standard is more exhaustive and is another useful tool for enterprises. The standard series consists of two parts. The first part is translated into Norwegian. The standard can be obtained by contacting Pronorm.

Page 23

Security put in system, cont…

Page 24

Some procedures

Page 25

Definition of risk management – a simple definition

Risk management is about determining acceptable risk, performing risk assessments and prioritizing security measures. This is senior management's responsibility.

(NorSIS)

Page 26

Risk management – overview (steps according to NSM / Datatilsynet / NorSIS, and according to DFØ/COSO)

Step 1
  NSM / Datatilsynet / NorSIS: Planning and organization
    a. Planning
    b. Organization
    c. Identification of values (assets)
    d. Identification of risks
  DFØ/COSO: Identification of the overall objectives for
    a. Goals and values
    b. Reliable financial reporting and financial management
    c. Compliance with laws and regulations

Step 2
  NSM / Datatilsynet / NorSIS: Implementation of the ROS analysis (assessment)
    a. Identification of adverse events
    b. Determination of likelihood and consequence
    c. Determination of risk
    d. Evaluation of risk and acceptable risk
  DFØ/COSO: Identifying critical success factors (CSF)

Step 3
  NSM / Datatilsynet / NorSIS: Preparation and implementation of measures
    a. Survey of existing measures
    b. Preparation of security measures
    c. Assessment of benefits and costs
    d. Communication with decision makers
  DFØ/COSO: Identifying risks

Step 4
  NSM / Datatilsynet / NorSIS: Control and audit
    – Monitoring and control of security
    – Management's evaluation
  DFØ/COSO: Assessment and prioritization of risks

Step 5
  DFØ/COSO: Assessment of P & C (probability and consequence)

Step 6
  DFØ/COSO: Prioritization of risks -> avoid, reduce, share or accept the risk.

Page 27

ROS – a simple methodology

Page 28

RVA methodology – Probability

Probability – must be determined by MANAGEMENT

Page 29

RVA methodology – Consequence

Consequence – must be determined by MANAGEMENT

Page 30

ROS methodology / RVA methodology – Consequence

Page 31

ROS methodology

Probability X Consequence

Page 32

Risk treatment – four categories:

• Avoid – exit the activities that are a source of risk
• Reduce – measures are implemented to reduce the likelihood of the risk, its consequence, or both
• Share – reduce the likelihood or consequence of the risk by transferring, or otherwise sharing, a part of the risk with others
• Accept – no measures are implemented to affect the likelihood or consequence of the risk

Page 33

ROS methodology – results

Page 34

Some references and frameworks

Page 35

Challenges

• Natural disasters
• Environmental crises
• Technical failures
• Man-made crises

An organization's ability to survive a crisis is directly related to how comprehensive its disaster plan was BEFORE the crisis occurred.

Page 36

BIA – Impact assessment of outage

The business must find the optimal "point" to restore IT services by balancing the costs of recovery and the costs / losses from downtime.

The BIA provides the downtime costs, and the evaluation of the recovery strategy provides the costs of recovery.

Page 37

BCM

Should be based on:

• BS 25999-1 -> ISO 22301:2012
• ISACA guidelines for BCM
• ITIL – ITSCM3500 Continuity Management
• Other guidelines (NIST, etc.)

Page 38

New terms in ISO 22301 (vs. BS 25999)

• An incident that causes a disruption of operations – "Disruptive incident"
• Information, and the medium it is on, that must be controlled and maintained by the organization – "Documented information"
• The maximum time an activity can be stopped before operations are impaired more than is acceptable – "Maximum Acceptable Outage"
• A predetermined time within which an activity must be resumed or resources must be restored – "Recovery Time Objective (RTO)"
• The maximum loss of data, or the minimum data that must be recoverable – "Recovery Point Objective (RPO)"
• Action to correct a detected nonconformity – "Correction"
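The trade-off the BIA slide describes (cost of recovery against cost of downtime) and the MAO/RTO/RPO terms above, worked through as an added example that is not from the slides: every service, strategy and cost figure below is constructed, and the cost model (incidents per year × RTO × loss per hour) is an assumption of the example.

```python
# Added example (not from the Uninett slides): pick the recovery strategy that
# minimises recovery cost plus expected downtime loss (the BIA slide's optimal
# "point"), subject to the MAO and RPO set by management. Sample figures only.
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class BiaResult:
    """What the BIA and the ROS analysis deliver for one service."""
    service: str
    downtime_cost_per_hour: float  # loss per hour of outage (from the BIA)
    mao_hours: float               # Maximum Acceptable Outage (management)
    rpo_hours: float               # tolerable data loss (management)
    incidents_per_year: float      # expected disruptive incidents (from ROS)

@dataclass(frozen=True)
class RecoveryStrategy:
    """A candidate recovery capability and what it costs to keep ready."""
    name: str
    rto_hours: float    # RTO the strategy can deliver
    rpo_hours: float    # RPO the strategy can deliver
    annual_cost: float  # yearly cost of maintaining the capability

def acceptable(bia: BiaResult, s: RecoveryStrategy) -> bool:
    """RTO must fit within the MAO and the strategy's RPO must meet the requirement."""
    return s.rto_hours <= bia.mao_hours and s.rpo_hours <= bia.rpo_hours

def expected_downtime_cost(bia: BiaResult, s: RecoveryStrategy) -> float:
    """Yearly downtime loss if each incident lasts the full RTO (assumed model)."""
    return bia.incidents_per_year * s.rto_hours * bia.downtime_cost_per_hour

def total_annual_cost(bia: BiaResult, s: RecoveryStrategy) -> float:
    return s.annual_cost + expected_downtime_cost(bia, s)  # recovery + downtime

def choose_strategy(bia: BiaResult, options: List[RecoveryStrategy]) -> Optional[RecoveryStrategy]:
    """Cheapest total among the options that satisfy MAO and RPO, or None."""
    candidates = [s for s in options if acceptable(bia, s)]
    if not candidates:
        return None  # nothing meets MAO/RPO: management must revisit them
    return min(candidates, key=lambda s: total_annual_cost(bia, s))

# Constructed sample: a student portal, figures in NOK.
PORTAL = BiaResult("student portal", downtime_cost_per_hour=20_000,
                   mao_hours=24, rpo_hours=4, incidents_per_year=2)
OPTIONS = [
    RecoveryStrategy("cold standby", rto_hours=72, rpo_hours=24, annual_cost=100_000),
    RecoveryStrategy("backup restore", rto_hours=24, rpo_hours=4, annual_cost=150_000),
    RecoveryStrategy("warm standby", rto_hours=8, rpo_hours=1, annual_cost=400_000),
    RecoveryStrategy("hot site", rto_hours=1, rpo_hours=0.25, annual_cost=900_000),
]
```

With these figures the cheapest option that stays within the MAO (cold standby is excluded) is warm standby, because its lower total cost comes from the downtime it avoids rather than from the capability being cheap.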

Page 39

Relations

Page 40

Preparation

Goal

Establish the necessary acceptance for the steps required to firmly anchor the need for, and the necessity of, a continuity plan.

Tasks / steps

• Prepare a policy for disaster handling.
• Perform a vulnerability analysis (BIA)
• Identify preventive controls
• Strategic plans for recovery (based on the RA/BIA)
• Development of the plan (incl. crisis management and response team)
• Testing and exercises
• Maintenance

Lifecycle phases (figure): Preparation – Avert/prevent – Response – Recovery – Testing and exercising, evaluation and maintenance

Page 41

Integrated value chain (example from a manufacturing company)

Support functions:

7. Management
8. Finance
9. Personnel / Payroll / HSE
10. IT
11. R&D / Industrialization
12. QA

Primary chain:

1. Marketing
2. Contract
3. Ordering
4. Production
5. Delivery
6. Installation & commissioning
7. CS (customer service)

Page 42

Value chain – system (figure)

Layers shown in the figure, top to bottom: Organization; Business processes (1. Process A, 2. Process B, 3. Process C, 4. Process D, 5. Process E); Application services (systems); Infrastructure services (servers, communication/distribution); Physical framework conditions.

Page 43

BIA – Criteria

Page 44

BIA – criteria

Page 45

BIA – the short version

Page 46

Page 47

UFS 122

Page 48

UFS 122 – Example

Page 49

Summary

Adequate security can be achieved by:

• being able to proactively identify threats
• making security more efficient with the means you already have
• addressing "the 80 percent"
• building reputation
• which can actually give a competitive advantage
• avoiding that "BYOD" becomes "Bring Your Own Disaster"

This requires a methodical approach:

• IT audit / mapping of the current standpoint
• ROS analysis / assessment
• Governing documents
  o Policy and procedures
  o Business strategy, IT strategy
  o KBP
• Training, awareness-raising measures

Short version:

• comply with laws and regulations
• meet business requirements
• achieve "adequate security"

Page 50

THANK YOU FOR YOUR ATTENTION!

Questions?

Page 51

Finally

http://www.isaca.org

http://www.sfso.no

http://www.nsm.no

http://www.datatilsynet.no

Contact: [email protected] 416 69 141