Todd Smithson - Thales - Proactive vs Reactive security management - how to get ahead of the game...
www.thalesgroup.com.au THALES GROUP INTERNAL
Proactive vs Reactive Security Management: Getting ahead of the game
TODD SMITHSON CHIEF SECURITY OFFICER (AUSTRALIA) & REGIONAL SECURITY MANAGER SOUTH ASIA
This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales - © Thales 2015 All rights reserved.
Thales Australia Template: AUS/080, Rev:002
Thales in Australia
▌ Leading provider of defence capability for the Australian Government, but
also a provider of security, aerospace and transportation solutions.
Explosive Ordnance
Information Systems
Defence Weapons
Protective Vehicles
Air Traffic Control Systems
Naval Solutions
- Above water
- Underwater
Must have a comprehensive ‘Security Management System’
Information
•Classification of Documents
•Protection of Pricing
•Protection of IT Systems
Personnel
•Background checks
•Avoiding the ‘trusted insider’
•Traveller safety
Physical
•Gates, Locks, Passes, ‘Layers of Security’
•TSCM Program (Bug Sweeping)
Risk Management
Defining and managing your risks
Too often, risks, threats, and vulnerabilities are confused
Define and Manage your risks
Threats:
•Are external to you and your organisation
•Cannot be controlled
•Are normally a mixture of:
•Intent (to do the harm); and
•Capability (to conduct the harm)
Vulnerabilities:
•Are areas of weakness in whatever you are trying to protect
•Can be exploited by threats
•Can be fixed and managed
Risks:
•Are the possibility that a threat could exploit a vulnerability
•Are rated by combining the two factors: Risk = Likelihood × Consequence
Since you cannot remove the threat, treating the vulnerability is how you manage your risks
Part One – Protect your information
The information protection cycle:
•Identify & Classify
•Manage & Control
•Train & Educate
•Protect
Identify and Classify
▌ Develop a comprehensive internal security management program where:
All information is classified according to its sensitivity:
•Level 1 – Open to the world
•Level 2 – Company Internal
•Level 3 – Company Confidential
•Level 4 – Your Biggest Secret
Manage and Control
•All sensitive information and documents must be marked appropriately
•They must be locked away when not in use
•They must not be left on desks in open plan areas
•They must not be stored on drives or SharePoint sites with broad access rights
•Access must be kept to the minimum number of people following the ‘need to know’ principle
•COMPANY CONFIDENTIAL documents must be shredded or placed in a secure bin for disposal
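The two storage rules above (no confidential material on broadly shared drives, and access kept to a need-to-know minimum) are the ones that can be checked mechanically. The script below is an added illustration, not part of the Thales deck: it walks an inventory of files with their classification marking and read ACL and flags each file that breaks either rule, plus any file carrying no recognised marking at all. The inventory, share paths, group names and the "COMPANY SECRET" marking for Level 4 are all constructed for the example; in a real run the markings would come from document metadata and the ACLs from the file server, with group membership expanded before the check.

```python
"""Classification-vs-ACL check (added example; inventory is constructed)."""
from dataclasses import dataclass
from typing import List, Tuple

# Classification ladder from the "Identify and Classify" slide (Levels 1..4).
# "COMPANY SECRET" is an assumed marking for "Your Biggest Secret".
LEVELS = {
    "OPEN": 1,
    "COMPANY INTERNAL": 2,
    "COMPANY CONFIDENTIAL": 3,
    "COMPANY SECRET": 4,
}
CONFIDENTIAL = LEVELS["COMPANY CONFIDENTIAL"]

# Assumption: these catch-all group names grant access to all staff or to anyone.
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users", "All Staff"}


@dataclass
class FileRecord:
    path: str
    marking: str          # classification marking found in the document header
    readers: List[str]    # principals (users or groups) with read access


def is_broad(readers: List[str]) -> bool:
    """True if any principal on the ACL is a catch-all group."""
    return any(p in BROAD_PRINCIPALS for p in readers)


def audit(records: List[FileRecord], max_readers: int = 10) -> List[Tuple[str, str, str]]:
    """Return (path, marking, reason) for every record that breaks the handling rules.

    Rules applied:
      * every document must carry a recognised marking;
      * Company Confidential and above must not be readable by a catch-all group;
      * Company Confidential and above must not exceed a need-to-know reader cap.
    """
    findings = []
    for rec in records:
        level = LEVELS.get(rec.marking.strip().upper())
        if level is None:
            findings.append((rec.path, rec.marking or "(none)",
                             "no recognised classification marking"))
            continue
        if level < CONFIDENTIAL:
            continue  # Open / Internal material may sit on widely shared drives
        broad = [p for p in rec.readers if p in BROAD_PRINCIPALS]
        if broad:
            findings.append((rec.path, rec.marking,
                             "broad access via " + ", ".join(broad)))
        elif len(rec.readers) > max_readers:
            findings.append((rec.path, rec.marking,
                             f"{len(rec.readers)} readers exceeds need-to-know cap of {max_readers}"))
    return findings


# Constructed inventory: paths, groups and user names are invented for this example.
SAMPLE_INVENTORY = [
    FileRecord("//fs01/Bids/ProjectA/pricing.xlsx", "COMPANY CONFIDENTIAL", ["Domain Users"]),
    FileRecord("//fs01/Bids/ProjectA/bid-notes.docx", "COMPANY CONFIDENTIAL", ["grp-bid-projecta"]),
    FileRecord("//fs01/Public/newsletter.pdf", "OPEN", ["Everyone"]),
    FileRecord("//fs01/Bids/ProjectB/draft-proposal.docx", "", ["grp-bid-projectb"]),
    FileRecord("//fs01/Exec/strategy.pptx", "COMPANY SECRET", [f"user{i:02d}" for i in range(12)]),
]


def audit_sample() -> List[Tuple[str, str, str]]:
    """Run the check over the constructed inventory (three violations expected)."""
    return audit(SAMPLE_INVENTORY)


if __name__ == "__main__":
    for path, marking, reason in audit_sample():
        print(f"{marking:22} {path}: {reason}")
```

The reader cap is deliberately a parameter: the right number is a business decision per classification level, and the check is only as good as the group expansion feeding it, since a single "grp-bid-projecta" entry can hide hundreds of members.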
Develop a Technical Surveillance Counter Measure (TSCM) Program
▌ How do you create a TSCM program?
Choose an area such as a board room or bid room
Annually, each designated area must go through a ‘heavy’ sweep by a professional provider and monthly ‘light’ sweeps by your trained personnel
▌ TSCM Capability
Training of your staff to do ‘light’ sweeps
Purchase the TSCM equipment required to perform ‘light’ sweeps
Establishing the rules and training staff on the rules
Appropriate signage for the designated areas
Security of IT Systems
▌ Develop a comprehensive Cyber Security Program:
Based on the CISSP official guide, there are 8 elements that need to be included for a holistic and comprehensive cyber security program
Treating the vulnerability = Managing your risks
Security of IT Systems
1. Cyber Security and Risk Management – management and governance around security, risk, compliance, law, regulations, and business continuity
2. Asset Security – protecting the security of cyber assets including data classification, handling, privacy, and information retention
3. Security Engineering – engineering and management of security, which includes involvement in all stages of a system or service lifecycle
4. Communication and Network Security – designing and protecting network security
Security of IT Systems
5. Identity and Access Management – controlling access and managing identity
6. Security Assessment and Testing – designing, performing, and analysing security testing procedures including vulnerability analysis and firewall testing
7. Security Operations – investigations, incident management, and disaster recovery
8. Software Development Security – understanding, applying, and enforcing software security
Security Awareness and Behavioural Training for Staff
▌ Regular training and reminders for staff
Their responsibilities, their do’s and don'ts
Where to find the rules and instructions
▌ Knowing and recognising what security breaches mean
Loss of reputation, loss of business, more controls by regulators…..
▌ No sensitive discussions in public
Staff must be cautious of conversations in areas such as restaurants and hotels. All sensitive discussions should take place within a company facility behind closed doors
▌ Account for all people dialling in to conference calls
Be aware that any organisation or person who has used the meeting number in the past can dial in
Use the security PIN function
Part Two - Personnel Security
Avoid the bad eggs
Pre-employment screening:
▌ Background checks
Criminal history
Financial checks
▌ Due diligence checks
Resume verification
Verification of qualifications
▌ Social media checks
Facebook, Twitter, Instagram, etc.
Ensure continual monitoring of all of these checks
Detecting The Trusted Insider
HR, Security, Colleagues, and Managers all have a role in looking for:
Changes in Behaviour
• Affected by substances at work
• Increased nervousness
• Aggressiveness
• Manipulative behaviour
Changes in Appearance and Financial Status
• Unexplained wealth
• Signs of financial instability (e.g. borrowing money at work)
• Signs of gambling
Changes in Work Patterns
• Irregular working hours
• Unexplained absences
• Breaches of company policies and procedures
• Declining work performance
Personnel – International Traveller Safety and Security
Phases of Pre-Travel
Internal Authority, Accountability, and the Documentation Process
• The process for travel to risky locations must be documented clearly.
• Country risk levels must be clearly defined based on Government and Professional sources.
• Approval must be given and documented by a senior risk owner (Head of HR, Head of Operations, Head of Risk). The Head of Security recommends but does NOT approve.
Partnership with Global Security Risk Company
• To provide professional advice on risk levels for countries.
• To assist with briefing and tracking of staff.
Briefing
• Personnel must be briefed on the risks relevant to their destination.
• Briefing should be in person or over the phone.
Management while travel is occurring
Alerts While Travelling
• The traveller must have the most up-to-date information.
• Alerts should be sent directly to their phone based on their GPS location.
Travel Tracking
• You must be able to track the whereabouts of your personnel; this can be done by the travel itinerary or GPS location.
Ability to Respond and Manage Incidents
• Either a large internal team with resources or,
• A partnership with an International Travel Company.
Part 3 - Physical Security
Fences, Gates, Doors, Locks, Alarms, Cameras, Guards
• Physical Security is based on actual control points at points of entry.
• Access Control should be limited as much as possible during work hours.
• After hours incidents need to be detected and responded to.
Passes and Access
• Passes and Identification ensure that only legitimate persons have access.
• Visitors and Contractors must be managed carefully at all times!!!
Layers and Layers….
• The most sensitive information and assets should be located within the highest number of layers of physical security and access control.
• Access must be limited following the need to know principle.
Visitors and Contractors are one of your biggest risks and all staff must be aware of their responsibilities to their visitors
When Proactive becomes Reactive - Investigations
▌ A fair and transparent process
Authority to investigate (based on a documented procedure)
Authority to come from HR / Ops / CEO / Other
A clear ‘terms of reference’ for what the investigation covers
- Scope of investigation
- Personnel appointed to investigate
- Resources used to investigate
- Timeframe for investigation report
Make Recommendations not Decisions
Questions and Answers
▌ Questions and further discussion.