Information Security Strategy Implementation and Framework Seminar

© Infosec Associates 2001

David Dowling, Tom Fairfax

Agenda

• Putting information security in context
• The information security management system
• Implementation

Putting information security in context

Organizational trends (diagram; axis labels: external relationships from weak to strong, internal relationships from 'hard' to 'soft' and from hierarchical to organic, with a trend arrow)

Yesterday's solution (diagram): users and computers at Company Head Office and other company sites, plus a business partner, connected by private links inside a company-managed security perimeter.

Today's situation (diagram): Company Head Office connected to home access, other organizations, a business partner, a shared network, a public network and the Internet.

Why information security management?

• Increasing threats – threats from viruses, hackers, fraud and espionage increasing
• Increasing exposure – greater dependence on IT, less central control, new entry points for intruders
• Increasing expectations – managers, business partners, auditors and regulators demand protective measures

Information security

• Confidentiality – protecting sensitive information from unauthorised disclosure or intelligible interception
• Integrity – safeguarding the accuracy and completeness of information and computer software
• Availability – ensuring that information and vital services are available to users when required

Trends in security threats

Threat matrix (diagram): malicious and accidental threats to confidentiality, integrity and availability: fraud, mischief, sabotage, vandalism, errors, failures, breakdowns, disasters, espionage, leaks, oversights, breaches. Safety critical systems cause concern.

• Increasing threats from espionage and information brokers
• Fraud increasing with corporate restructuring
• Increasing sophistication of viruses and hacker groups

Buy-in

The Holy Grail of Information Security … or is it?

Getting top-down commitment

• Demonstrate the business benefits
– Minimised security risks
– Optimised business partnerships
– Exploitation of electronic commerce
• List other organizations who are committed
• Show horror stories of security breaches

Selling the idea

• Feature
• Benefit
• You appeal

On-going support

So you've been given some money! … is that all you need?

On-going support

• Watch out for saboteurs!
• Malicious or accidental, they can undermine all of your good work
• Make sure the management lead by example

A short overview of BS 7799 parts 1 & 2

Information security

Scope: safeguarding the confidentiality, integrity and availability of written, spoken and computer information

Objective: to ensure business continuity and minimise business damage by preventing and minimising the impact of security incidents

BS 7799 - part 1

• A code of practice (not a specification)
• Provides best practice guidance
• Use as required within your business
• Not for certification
• Originally an initiative by DTI, launched in 1993
• Developed into British Standard in 1995
• Further revision issued in May '99, written by industry experts including international contributions
• Now an international standard - BS ISO/IEC 17799

Code of practice structure

• Security policy
• Organizational security
• Asset classification and control
• Personnel security
• Physical and environmental security
• Communications and operations management
• Access control
• Systems development and maintenance
• Business continuity management
• Compliance

BS 7799 - part 2

• A specification
• Used as a basis for certification
• Requires:
– Risk assessment
– Statement of applicability
– Proof to certification body

Certification requirements

BS 7799 Certification (diagram, from BS 7799 - Information Security Management 2000): a chain of formal accreditation accountability from the Accreditation Body (UKAS) through the Certification Body and its Auditors to the Certificated Organization.

Define the policy

Scope of the ISMS

Boundaries defined in terms of:
• Organization
• Location
• Assets
• Technology

Risk assessment

• Threats to assets
• Vulnerabilities
• Impact on organization
• Degree of risk

Risk management

• Identify risk to be managed, based on
– approach to risk management
– degree of assurance required
• Determine options for controls to manage the risk

Select and apply controls

• Clause 4, BS 7799-2 provides a list of detailed controls
• Additional controls may also be required

Statement of applicability

"A critique of the objectives and controls applicable to the needs of the organization"

• Selected control objectives and controls
• The reasons for their selection
• Justification of any controls not selected

BS 7799 part 2

• A basis for assessment
• A basis for a formal certification scheme
• Compatibility with Data Protection

Part 2 structure

• Clause 1: Scope
• Clause 2: Terms and definitions
• Clause 3: ISMS Requirements
• Clause 4: Detailed controls

Scope of audit

• Same as your ISMS
or
• Statement of Applicability

Selecting a certification body

• Select an appropriate body (ask UKAS)
• Provide information to help them with their proposal

The review process

• Document review
• On-site audit
• Correction of non-compliance
• Issue of certificate
• Maintaining certification

What is an information security management system?

Critical success factors

BS 7799-1:2000 identifies these:
– security policy, objectives and activities that reflect business objectives
– approach consistent with the organization's culture
– visible support and commitment from management
– good understanding of security requirements, risk assessment and risk management
– effective marketing of security to all managers and employees
– distribution of comprehensive guidance and education & training
– comprehensive and balanced system of measurement

ISMS (from BS7799) (diagram)

ISMS - InfoSec Associates version (diagram)

Healthcheck / gap analysis

• Gets you started cheaply and easily
• Must be integrated with risk assessment!

Healthcheck / gap analysis

The objective of the gap analysis is to establish:
• where we are
• where we want to go
• what we need to do to get there

Healthcheck / gap analysis

• Review project terms of reference
• Look at the shape of the system
• Look at what controls are in place?

Healthcheck / gap analysis

• Review organizational mandates
• Review any standards supporting the terms of reference?

Healthcheck / gap analysis

• Formal organization – is there a formal or informal security organization?
• Policy
– is it current
– when did it last change
• Requirements analysis – was the system pulled out of a hat or does it reflect the needs of the organization?
• Review and change history – is the system a dinosaur?
• Policy dissemination and training

Look at what controls are in place?

• Why was the control implemented?
• How effectively is it implemented?
• Does it reflect organizational needs?
• Is further work required?

Critical success factors

• Independence
• Imagination
• Credibility

Initial document fact find

• Organization chart
• Any existing security policies
• Staff handbook
• Contract of employment
• Confidentiality agreement
• Capital equipment asset register and also any registers of software licenses and of critical data

Lining up the interviews - 1

• Information security policy and organization
• IT policy and plans
• Computer operations & housekeeping
• New IT systems planning and acceptance process
• IT help desk
• Network management
• EDI and inter-company connectivity
• User access management
• In-house or third-party software development
• Third-party relationships
• Internet access and e-mail

Lining up the interviews - 2

• Personnel and training
• Physical security, including buildings and visitor control
• Business continuity planning for each site
• Legal compliance issues (usually answered by the company secretary, data protection officer and IT manager)
• A representative from Computer Audit should be very helpful!
• Half an hour will be needed with each of a selection of “users”. Say two “power users” (people who really exploit their PCs), two people with administrative roles (such as secretaries) and two managers.

Deliverable

• Gap analysis report
• Recommendations
• Action plan

Resources

• Independent reviewers
• Management system documentation
• Software tools
• Policy documentation

Risk assessment

• Asset Valuation
• Threats
• Vulnerabilities
• Impacts

Risk assessment - Asset valuation

• Valuable
– expensive to replace
• Sensitive
– disclosure may damage the business
• Critical
– health & safety
– mission critical

Risk assessment

• The business harm likely to result from a significant breach
• The realistic likelihood of such a breach occurring

Risk assessment

Select an approach which is:
• Suitable for the organization
• Suitable for its security requirements

Risk management

Risk management process (diagram): comprising the risk assessment process, identification and selection of security controls, reducing the risks, and risk acceptance.

ISMS - InfoSec Associates version (diagram)

Action plan: Sorting & weighting

• Critical actions – Threaten the business now!
• Tactical actions – Quick wins
• Strategic actions – Require planning & budget
• The rest! – Can be mopped up later

Action plan: Review meeting

• Who is on the ISSG?
• Who is the Information Security champion?
• Assign responsibilities
– Who? When? How?
• Agree meeting schedule
– Milestones and reviews

Security organization (diagram)

The Board: approve policy and overall responsibilities; monitor exposure and review incidents; approve major initiatives
Information Security Steering Group: specific roles & responsibilities; specific methods and processes; promoting visibility
Information Owner

Information security steering group

• Information Security Manager
• Board-level sponsor
• Personnel / HR
• IT
• Internal audit
• Quality Management
• External advisor

Define responsibilities

• Information Owner
• Information Custodian
• Information User
• Line Manager
• Information Security Manager
• Security Contact or Help Desk

Responsibilities (diagram): Infosec Manager, Line Manager, User and Service Provider, with the roles shown as promote & oversee security, maintain security for IT services, security in applications, and co-ordinate security policy & education.

Get help

• Personnel / HR
• IT
• Software development
• Internal audit
• Security / Building services
• Procurement
• Business Continuity Planning
• Quality Management
• Board members

ISMS - InfoSec Associates version (diagram)

Information security documents (diagram): Company Policy and Group Policy, Code of Practice, Implementation Standards and Interpretation Guides, addressed to Users and Managers and to Service Providers.

Information security policy

A policy document should be approved by management, published and communicated, as appropriate, to all employees.

It should state management commitment and set out the organization's approach to managing information security.

This policy should be communicated throughout the organization to users in a form that is relevant, accessible and understandable to the intended reader.

Information security policy

• States management commitment
• Sets out the organization's approach to managing information security
• Is published
• Is communicated throughout the organization in a form that is relevant, accessible and understandable

Code of practice

BS 7799 Part 1

• This code of practice may be regarded as a starting point for developing organization specific guidance.
• Not all of the guidance and controls in this code of practice may be applicable. Furthermore, additional controls not included in this document may be required. When this happens it may be useful to retain cross-references which will facilitate compliance checking by auditors and business partners.

Code of practice

• Must be relevant
• Must reflect organizational culture
• Must be accessible

Employee guidelines

• Relevant
• Short
• Easy to read
• Accessible
• Cross-referenced to your Code of Practice & Procedures

Procedures & technical standards (diagram): the information security document hierarchy again, Company Policy, Group Policy, Code of Practice, Implementation Standards and Interpretation Guides, addressed to Users and Managers and to Service Providers.

Procedures & technical standards

• How to - referenced to your Code of Practice
• Situation-specific or platform-specific
• Easy to follow
• Consistent design
• Change controlled
• Thoroughly tested
• Centrally maintained

Why distribute the documentation?

ISMS - InfoSec Associates version (diagram)

Why do staff awareness?

Over 70% of information security incidents are directly attributable to human error or ignorance
- Source: BCS

They could be your ‘weak link’

The Awareness cycle

• Awareness (I know it exists)
• Understanding (I know what it is)
• Value (I know why it's worthwhile)
• Ownership (I agree with it)
• Commitment (I'll do it)
• Communication (I'll promote it)
• Development (I'll help enhance it)

Generic training / awareness roll-out (diagram): objectives & benefits analysis, culture & methodology analysis, programme structure design, time-tabling, training requirements planning, materials production, administration, launch event, the delivery (self-study, traditional training, promotional, follow-up sessions, reinforcement sessions) and review.

Objectives & benefits analysis

Purpose
• To enable you to understand the business objectives and benefits of the awareness campaign and to ensure that they are addressed appropriately.

Method
• An Information Security Health Check, or similar audit, will define the project objectives and perceived benefits.

Culture & methodology analysis

Purpose
• To enable you to understand the culture of your organization, existing training methodologies and any resistance to change. You are then able to propose appropriate training methods.

Method
• Key personnel from each site are identified and interviewed. The staff are asked three key questions:
– What do you currently do that does not work?
– What do you currently do that does work?
– What else could be done that might work?

Programme structure design

Purpose
• To ensure that the programme content is appropriate for your organization's culture. To structure the awareness programme to make the most efficient use of time and resources.

Method
• A meeting with your training contact.

Materials production

Purpose
• To act as the basis for self-study, traditional training or promotional activities, to reinforce the programme content and act as reference material.

Deliverable
• The materials could be almost anything. Some examples would be: CBT, videos, posters, self-study / reference materials (books / CDs / disks), e-mail, mouse mats, mugs, etc.

Training requirements planning

Method
• Meet with representatives from each site, department, work group and local training units to determine which of the options best suit the department, group or location.

Deliverable
• A plan of who receives which portions or variations of the awareness programme.

Launch event

Purpose
• These are key to the success of the awareness programme. The launch events are used to achieve fast buy-in to the programme by staff, focusing on the key issues and to set the backdrop for the rest of the programme.

Method
• Methods are tailored to suit the message, culture and physical environment.

Training method selection

Purpose
• To effectively drive home messages on key security issues, such as password management, visitor control or viruses.

Method
• Methods are tailored to suit the message, culture and physical environment.

Reviews

Purpose
• These meetings provide an opportunity to consolidate feedback from delegates, managers and presenters to evaluate the programme on an on-going basis.

Method
• Review meetings are held with representatives from the business areas. Corrections and improvements to materials and methods are also discussed and authorised in this forum.

ISMS - InfoSec Associates version (diagram)

Technical checks including revisiting the health check

Review procedures

• Is my Code of Practice up to date and appropriate?
• Do I comply with my Code of Practice?

Audit and review

To validate current status or to drive change?

Components

• Define scope and objectives
• Desktop review
• Compliance audit
• Recommendations
• Close out

Critical success factors

• Relevance
• Planning
• Co-operation
• Routine
• Imagination

Deliverable

• Audit report
• Recommendations

Resources

• Policy
• Internal or external resource
• Key personnel
• Software tools

ISMS - InfoSec Associates version (diagram)

Implementation

The cost of doing nothing

Unacceptable Risk (diagram)

Seven stages of implementation (diagram: a bridge across Unacceptable Risk, built up one stage at a time): Organization, Gap analysis, Risk assessment / management, Authoring policy / COP, Issuing policy / COP, Awareness & education, Audit & review.

The objective is to remove the cost of not being secure. This can only be done once the bridge is complete.

Organization

Organization - Objectives

To create and maintain conditions to support the effective implementation of ISM within your organization

Organization - Critical success factors

• Get the right people
• Give them the skills and information
• Make them accountable
• Make them care

Organization - Common pitfalls and problem areas

• Failure to create a strong guiding coalition
• Failure to tie in support at a high enough level
• Failure to engage or enable supporters
• Failure to engage the whole organization
• Failure to identify with business objectives
• Failure to integrate ISM with business practices

Organization - Strategies & deliverables

• Maintain a register of responsibilities
• Include non IT personnel in the steering group
• Clearly define the project support structure
• Maintain a visible review mechanism
• Use existing fora or structures

Organization - Tools & products

• Existing fora or structures
• External consultancy resource
• Decision support information
• Proteus
• RA tool
• Cobra

Organization - Feature checklist

• Organizational mapping
• Register of security responsibilities
• Contact or call-tree management
• Primary and secondary levels of accountability

Gap analysis

Gap analysis - Objectives

Establish…
• Where we are now?
• Where we want to go?
• What must we do to get there?

Gap analysis - Critical success factors

You should be able to:
• Conduct an independent analysis
• Relate analysis to organizational objectives
• Relate analysis to risk environment
• Update analysis as the situation changes

Gap analysis - Common pitfalls and problem areas

Beware…
• Irrelevant information or excessive detail
• Out of date assumptions and values
• Lack of visibility
• Biased findings

Gap analysis - Strategies & deliverables

• Achieve independence - Use external resource
• Collate information using gap analysis tool
• Benchmark against industry best practice
• Prioritise against organizational objectives
• Work top down and bottom up

Gap analysis - Tools & products

• Cobra
• Proteus
• RA Tool
• Risk Limited
• DIY

Gap analysis - Feature checklist

• Scalability
• Flexibility
• Identification of relevant controls
• Reporting – Management information
• Prioritisation of controls
• Prioritisation of tasks
• Ongoing management and reporting of exposure levels

Risk assessment / management

Risk management - Objectives

To ensure that proportional measures are implemented in order to bring risk affecting the organization within acceptable limits

Risk management - Critical success factors

• Ensure the strategy is consistent with organizational objectives
• Ensure that the strategy reflects the risk environment
• Find the most efficient compromise between cost and benefit
• Integrate risk management with the organizational decision making process at all levels
• Ensure risk owners are accountable at all levels

Risk management - Common pitfalls and problem areas

• Over complexity
• Failure to conform to organizational context
• Failure to evolve with organizational changes
• Failure to present risk in relevant form
• Failure to assign ownership at appropriate level
• Failure to consider risks associated with status quo
• Inappropriate measurement criteria

Risk management - Strategies & deliverables

• Use third party resource
• Use software tool / combination
• Use manual methods
• Select quantitative / qualitative strategy
• Use operational risk management strategies

Risk management - Tools & products

• Existing fora or structures
• External consultancy resource
• Decision Support Information
– CRAMM
– InfoSec Associates
– Proteus Plus
– RA Tool
– Risk Limited (Corporate governance tool)

Risk management - Feature checklist

• Link to organizational objectives
– Explicit or implicit
• Identification and valuation of assets / capabilities
• Risk management policy identification
• Risk assessment functions
• Ease of use / speed of review / practicality
• Audit trail / change control
• Reporting and management information
• Integration with other tools

Authoring policy / COP

Authoring policy / COP - Objectives

The policy, code of practice and procedures tell staff what they can do, what they cannot do, what they must do, and what their responsibilities towards information security are

Authoring policy / COP - Critical success factors

All documentation must be:
• In a style suited to its purpose
• In a style suited to the culture of its audience
• Relevant
• Easy to read and accessible
• Reviewed regularly

Authoring policy / COP - Common pitfalls and problem areas

• It is more difficult to produce good, effective documentation than most people believe
• Re-inventing wheels - what already exists?
• Can be very time consuming
• Blank paper syndrome
• Poor proof reading
• Ineffective distribution
• Lack of version & change control

Authoring policy / COP - Strategies & deliverables

• Gather all existing related documents from within the organization
• Define the style before pen hits paper
• Buy in template versions to fill any gaps and modify them
• Get help - You cannot proof read your own work
• Define distribution methods suitable to the organization
• Adopt version & change control


Authoring policy / COP - Tools & products

• Existing documentation

• BS 7799

• Charles Cresson Wood

• Gee Publishing

• InfoSec Associates

• DIY


Issuing policy / COP

(Process diagram labels: Organization; Gap Analysis; Unacceptable Risk; Risk Management; Authoring Policy & COP; Issuing Policy & COP)


Issuing policy / COP - Objectives

To ensure all staff members have easy access to security documentation in a format that is easy to use and is acceptable to them.


Issuing policy / COP - Critical success factors

Make sure that it is:

• Publicised (location, content, responsibilities)

• Accessible

• Easy to use

• Functional (search, index, bookmarking)

• Given regular, controlled updates


Issuing policy / COP - Common pitfalls and problem areas

Avoid using a format that is:

• Something that you like but others don’t

• Difficult or expensive to update

• Inaccessible to portions of the target audience


Issuing policy / COP - Tools & products

• Intranet

– CHM

– HTML

– PDF

• Hard copy

• Pentasafe

• Visflow

• Outsourced

– InfoSec Associates


Issuing policy / COP - Feature checklist

• Ease of access

• Ease of update

• Multi-format from a single source

• Existing technology (no learning curve)


Awareness & education

(Process diagram labels: Organization; Gap Analysis; Unacceptable Risk; Risk Management; Authoring Policy & COP; Issuing Policy & COP; Education)


Awareness & education - Objectives

To gain commitment to the principles and good practice associated with information security.


Awareness & education - Critical success factors

Awareness must be:

• Aimed at changing attitudes, not merely the understanding of rules

• In a style suited to the organizational culture

• Directed by a clear statement of objectives

• Relevant to the audience

• Accessible

• Timely / On-going


Awareness & education - Common pitfalls and problem areas

Awareness fails if it is:

• Done as training instead of education

– WHY is more important than HOW

• Too time consuming

• Boring

• Irrelevant (even partially)

• Not supported from the top


Awareness & education - Tools & products

• Easy-I

• Mission Possible

• SMH

• Traditional teaching

– Outsourced

– InfoSec Associates

– Purchased materials

• Marketing products


Awareness & education - Feature checklist

• Match contents to your objectives

• Takes an appropriate time to complete

• Fully customisable in content and appearance

• Modular

– Relevant to specific audiences

• Accessible

– Multi-format

• Suited to organizational culture

• Fits the budget

• On-going education requirements

• NOT BORING


Audit & review

(Process diagram labels: Organization; Gap Analysis; Unacceptable Risk; Risk Management; Authoring Policy & COP; Issuing Policy & COP; Education; Audit & Review)


Audit and review - Objectives

Establish…

• Where we are now

• Is our strategy still relevant?

• How effective are our controls?

• Where do we need to make changes?


Audit and review - Critical success factors

• Regular and periodic

• Independent mandate

• Positive attitude – changes are positive!

• Whole organizational support

• Consistent approach

• Ensure changes are implemented


Audit and review - Common pitfalls and problem areas

Beware…

• Political and operational resistance

• Negative or defensive attitude

• Lack of “close out”

• Impractical observations


Audit and review - Strategies & deliverables

• Achieve independence - Use external resource

• Collate information using audit tool

• Benchmark against industry best practice

• Prioritise against organizational objectives

• Work top down and bottom up


Audit and review - Tools & products

• Cobra

• RA Tool

• Proteus Plus

• Risk Limited

• In house tools

• Templated material


Audit and review - Feature checklist

• Ease of Use

• Maximum use of existing data

• Identification of changes to assumptions

• Reporting

– Technical

– Managerial

• Audit Trail

• Benchmarking and progress reporting


If you have got it right, you can remove most of the cost of not being secure.

Maintenance costs? Think Forth bridge!

(Process diagram labels: Organization; Gap Analysis; Risk Management; Authoring Policy & COP; Issuing Policy & COP; Education; Audit & Review)


Organization

Gap analysis

Risk assessment / management

Authoring policy / COP

Issuing policy / COP

Awareness & education

Audit & review


The ten immutable laws of IT security according to Microsoft

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore.

Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore.

Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.

Law #4: If you allow a bad guy to upload programs to your web site, it’s not your web site any more.

Law #5: Weak passwords trump strong security.

Law #6: A machine is only as secure as the administrator is trustworthy.

Law #7: Encrypted data is only as secure as the decryption key.

Law #8: An out of date virus scanner is only marginally better than no virus scanner at all.

Law #9: Absolute anonymity isn't practical, in real life or on the web.

Law #10: Technology is not a panacea.


www.Infosec-Associates.co.uk

www.FirstBase.co.uk

www.c-cure.org

www.bk-up.co.uk