Todd Smithson - Thales - Pro-active v’s Re-active security management - how to get ahead of game...


Transcript of Todd Smithson - Thales - Pro-active v’s Re-active security management - how to get ahead of game...

Page 1: Todd Smithson - Thales - Pro-active v’s Re-active security management - how to get ahead of game in security management instead of spending your time reacting to incidents and breaches

www.thalesgroup.com.au THALES GROUP INTERNAL

Proactive vs Reactive Security Management Getting ahead of the game

TODD SMITHSON CHIEF SECURITY OFFICER (AUSTRALIA) & REGIONAL SECURITY MANAGER SOUTH ASIA

Page 2:

This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales - © Thales 2015 All rights reserved.

Thales Australia Template : AUS/080, Rev:002

Thales in Australia

▌ Leading provider of defence capability for the Australian Government, but also a provider of security, aerospace and transportation solutions:

Explosive Ordnance

Information Systems

Defence Weapons

Protective Vehicles

Air Traffic Control Systems

Naval Solutions

- Above water

- Underwater

Page 3:

Must have a comprehensive ‘Security Management System’

Information

•Classification of Documents

•Protection of Pricing

•Protection of IT Systems

Personnel

•Background checks

•Avoiding the ‘trusted insider’

•Traveller safety

Physical

•Gates, Locks, Passes, ‘Layers of Security’

•TSCM Program (Bug Sweeping)

Risk Management

Page 4:

Defining and managing your risks

Too often, risks, threats, and vulnerabilities are confused.

Page 5:

Define and Manage your risks

Threats:

•Are external to you and your organisation

•Cannot be controlled

•Are normally a mixture of:

•Intent (to do the harm); and

•Capability (to conduct the harm)

Vulnerabilities:

•Are areas of weakness in whatever you are trying to protect

•Can be exploited by threats

•Can be fixed and managed

Risks:

•Are the possibility that a threat could exploit a vulnerability

•i.e. Risk = Likelihood × Consequence (the two axes of a risk matrix)

Treating the vulnerability = Managing your risks

Page 6:

Part One – Protect your information

Identify & Classify → Manage & Control → Train & Educate → Protect

Page 7:

Identify and Classify

▌ Develop a comprehensive internal security management program where all information is classified according to its sensitivity:

Level 1 – Open to the world

Level 2 – Company Internal

Level 3 – Company Confidential

Level 4 – Your Biggest Secret

Page 8:

Manage and Control

All sensitive information and documents must be marked appropriately

They must be locked away when not in use

They must not be left on desks in open plan areas

They must not be stored on drives or share points with broad access rights

Access must be kept to the minimum number of people following the ‘need to know’ principle

COMPANY CONFIDENTIAL documents must be shredded or placed in a secure bin for disposal
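The 'Manage and Control' rules above (no Level 3 or Level 4 documents on drives or share points with broad access rights; access kept to the need-to-know minimum; every sensitive document marked) can be checked mechanically against a share's access lists. The Python below is an added example written for this page, not code from the deck or from Thales. The marking strings, the "SECRET" label used for Level 4, the list of broad principals, the per-level limits on named principals and the sample inventory are all assumptions made for illustration.

```python
"""Added example, not part of the Thales deck: a least-privilege audit that
checks the 'Manage and Control' rules against a file share.

Assumptions (hypothetical, for illustration only): each document's
classification marking is known (e.g. read from its header or metadata),
the share's effective ACL is available as a set of principal names per
path, the Level 4 marking is called "SECRET", and the per-level limits on
named principals are invented policy values. The inventory is constructed
inline so the audit runs offline.
"""
from __future__ import annotations

from dataclasses import dataclass

# The deck's four-level ladder; marking text -> level number.
LEVELS = {
    "OPEN": 1,                   # Level 1 - open to the world
    "COMPANY INTERNAL": 2,       # Level 2
    "COMPANY CONFIDENTIAL": 3,   # Level 3
    "SECRET": 4,                 # Level 4 - "your biggest secret" (name assumed)
}

# Grants to these principals amount to "broad access rights".
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}

# Need-to-know ceiling on named principals per level (assumed policy values;
# None = no numeric limit at that level).
MAX_NAMED = {1: None, 2: None, 3: 10, 4: 3}


@dataclass(frozen=True)
class Finding:
    path: str
    level: int          # 0 when the document carries no recognised marking
    reason: str


def classification_level(marking: str) -> int:
    """Map a marking string to a level; 0 means unmarked / unrecognised."""
    return LEVELS.get(marking.strip().upper(), 0)


def audit(inventory: dict[str, tuple[str, set[str]]]) -> list[Finding]:
    """inventory: path -> (classification marking, principals granted read access)."""
    findings: list[Finding] = []
    for path, (marking, principals) in inventory.items():
        level = classification_level(marking)
        if level == 0:
            # Rule: all sensitive documents must be marked appropriately.
            findings.append(Finding(path, 0, f"no recognised classification marking ({marking!r})"))
            continue
        if level < 3:
            continue  # Levels 1-2 may sit on widely readable shares
        # Rule: Level 3+ must not live on drives/share points with broad access rights.
        broad = principals & BROAD_PRINCIPALS
        if broad:
            findings.append(Finding(path, level,
                f"broad-access principal(s) {sorted(broad)} on a Level {level} document"))
        # Rule: access kept to the minimum number of people (need to know).
        named = principals - BROAD_PRINCIPALS
        limit = MAX_NAMED[level]
        if limit is not None and len(named) > limit:
            findings.append(Finding(path, level,
                f"{len(named)} named principals exceed the Level {level} need-to-know limit of {limit}"))
    return findings


# Constructed sample inventory (not real paths, users or documents).
SAMPLE_SHARE: dict[str, tuple[str, set[str]]] = {
    r"\\fs01\bids\tender-pricing.xlsx":   ("COMPANY CONFIDENTIAL", {"Domain Users", "bid-team"}),
    r"\\fs01\bids\tender-strategy.docx":  ("SECRET", {"bid-lead", "cfo", "ceo", "legal", "bid-team"}),
    r"\\fs01\public\brochure.pdf":        ("OPEN", {"Everyone"}),
    r"\\fs01\eng\design-notes.docx":      ("", {"eng-team"}),
    r"\\fs01\hr\leave-policy.docx":       ("COMPANY INTERNAL", {"Domain Users"}),
}

if __name__ == "__main__":
    for f in audit(SAMPLE_SHARE):
        print(f"[L{f.level}] {f.path}: {f.reason}")
```

Each finding names the rule it breaks: the pricing sheet is readable by Domain Users, the strategy document has more named readers than a Level 4 item should, and the design notes carry no marking at all. In practice the inventory would be built from the share's effective permissions (an icacls or Get-Acl export, for example) rather than a literal; the point is that the classification ladder on the previous slide only protects anything once a check like this ties it to actual access rights.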

Page 9:

Develop a Technical Surveillance Counter Measure (TSCM) Program

▌ How do you create a TSCM program?

Choose an area such as a board room or bid room

Annually, each designated area must go through a ‘heavy’ sweep by a professional provider, and monthly ‘light’ sweeps by your trained personnel

▌ TSCM Capability

Train your staff to do ‘light’ sweeps

Purchase the TSCM equipment required to perform ‘light’ sweeps

Establish the rules and train staff on the rules

Appropriate signage for the designated areas

Page 10:

Security of IT Systems

▌ Develop a comprehensive Cyber Security Program:

Based on the CISSP official guide, there are 8 elements (the eight domains of the (ISC)² CISSP Common Body of Knowledge) that need to be included for a holistic and comprehensive cyber security program.

Treating the vulnerability = Managing your risks

Page 11:

Security of IT Systems

1. Cyber Security and Risk Management – Management and governance around security, risk, compliance, law, regulations, and business continuity

2. Asset Security – Protecting the security of cyber assets, including data classification, handling, privacy, and information retention

3. Security Engineering – Engineering and management of security, including involvement in all stages of a system or service lifecycle

4. Communication and Network Security – Designing and protecting network security

Page 12:

Security of IT Systems

5. Identity and Access Management – Controlling access and managing identity

6. Security Assessment and Testing – Designing, performing, and analysing security testing procedures, including vulnerability analysis and firewall testing

7. Security Operations – Investigations, incident management, and disaster recovery

8. Software Development Security – Understanding, applying, and enforcing software security

Page 13:

Security Awareness and Behavioural Training for Staff

▌ Regular training and reminders for staff

Their responsibilities, their do’s and don'ts

Where to find the rules and instructions

▌ Knowing and recognising what security breaches mean

Loss of reputation, loss of business, more controls by regulators…..

▌ No sensitive discussions in public

Staff must be cautious of conversations in areas such as restaurants and hotels. All sensitive discussions should take place within a company facility behind closed doors.

▌ Account for all people dialling in to conference calls

Be aware that any organisation or person who has used the meeting number in the past can dial in again

Use the security PIN function, so that knowing the meeting number alone is not enough to join

Page 14:

Part Two - Personnel Security

Avoid the bad eggs

Pre employment screening:

▌ Background checks

Criminal history

Financial checks

▌ Due diligence checks

Resume verification

Verification of qualifications

▌ Social media checks

Facebook, Twitter, Instagram, etc.

Ensure continual monitoring of all of these checks

Page 15:

Detecting The Trusted Insider

HR, Security, Colleagues, and Managers all have a role in looking for:

Changes in Behaviour

• Affected by substances at work

• Increased nervousness

• Aggressiveness

• Manipulative behaviour

Changes in Appearance and Financial Status

• Unexplained wealth

• Signs of financial instability (e.g. borrowing money at work)

• Signs of gambling

Changes in Work Patterns

• Irregular working hours

• Unexplained absences

• Breaches of company policies and procedures

• Declining work performance

Page 16:

Personnel – International Traveller Safety and Security

Internal Authority, Accountability, and the Documentation Process

• The process for travel to risky locations must be documented clearly.

• Country risk levels must be clearly defined, based on Government and professional sources.

• Approval must be given and documented by a senior risk owner (Head of HR, Head of Operations, Head of Risk). The Head of Security recommends but does NOT approve.

Partnership with a Global Security Risk Company

• To provide professional advice on risk levels for countries.

• To assist with briefing and tracking of staff.

Phases of Pre-Travel

• Personnel must be briefed on the risks relevant to their destination.

• Briefing should be in person or over the phone.

Page 17:

Management while the travel is occurring

Alerts While Travelling

• The traveller must have the most up-to-date information.

• Alerts should be sent directly to the traveller's phone, based on their GPS location.

Travel Tracking

• You must be able to track the whereabouts of your personnel; this can be done from the travel itinerary or by GPS location.

Ability to Respond and Manage Incidents

• Either a large internal team with resources, or

• A partnership with an International Travel Company.

Page 18:

Part 3 - Physical Security

Fences, Gates, Doors, Locks, Alarms, Cameras, Guards

• Physical security is based on actual control points at points of entry.

• Access control should be limited as much as possible during work hours.

• After-hours incidents need to be detected and responded to.

Passes and Access

• Passes and identification ensure that only legitimate persons have access.

• Visitors and contractors must be managed carefully at all times!!!

Layers and Layers….

• The most sensitive information and assets should be located within the highest number of layers of physical security and access control.

• Access must be limited following the need-to-know principle.

Visitors and contractors are one of your biggest risks, and all staff must be aware of their responsibilities to their visitors.
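Two of the deck's points are detectable from access-control logs rather than only by observant colleagues: 'irregular working hours' among the trusted-insider indicators (Page 15), and 'after-hours incidents need to be detected and responded to' together with the layered access described on this slide. The Python below is an added example written for this page, not code from the deck or from Thales. The badge-log line format, the 07:00 to 19:00 core-hours window, the zone numbering (Z1 outermost to Z4 innermost), the clearance table and the log lines themselves are constructed assumptions.

```python
"""Added example, not part of the Thales deck: detection logic over badge
(access-control) logs for two of the deck's points - irregular working hours
as an insider indicator, and after-hours or out-of-layer physical access.

Everything below is an assumption for illustration: the log line format
("<iso-timestamp> <user> <door> Z<zone> GRANTED|DENIED"), the core-hours
window, the zone numbering (Z1 outermost .. Z4 innermost) and the per-person
clearance table. The sample log lines are constructed, not real.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, time

CORE_START, CORE_END = time(7, 0), time(19, 0)   # assumed core working hours

# Highest physical-security layer each badge holder is cleared to enter (assumed).
CLEARANCE = {"jsmith": 2, "apatel": 4}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+Z(\d)\s+(GRANTED|DENIED)$")

# Constructed sample badge log (2015-06-01 is a Monday).
SAMPLE_LOG = """\
2015-06-01T08:55:12 jsmith  MAIN-ENTRY  Z1 GRANTED
2015-06-01T09:02:40 jsmith  OPEN-PLAN   Z2 GRANTED
2015-06-01T17:35:02 jsmith  MAIN-ENTRY  Z1 GRANTED
2015-06-02T23:41:07 jsmith  MAIN-ENTRY  Z1 GRANTED
2015-06-02T23:44:19 jsmith  BID-ROOM    Z4 DENIED
2015-06-02T23:45:30 jsmith  BID-ROOM    Z4 GRANTED
2015-06-01T07:58:00 apatel  MAIN-ENTRY  Z1 GRANTED
2015-06-01T10:12:45 apatel  BID-ROOM    Z4 GRANTED
"""


@dataclass(frozen=True)
class Finding:
    ts: datetime
    user: str
    door: str
    reason: str


def parse(log: str):
    """Yield (timestamp, user, door, zone, result) for each badge record."""
    for raw in log.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"unparseable badge record: {raw!r}")
        ts, user, door, zone, result = m.groups()
        yield datetime.fromisoformat(ts), user, door, int(zone), result


def is_after_hours(ts: datetime) -> bool:
    """Weekend, or outside the core-hours window on a weekday."""
    return ts.weekday() >= 5 or not (CORE_START <= ts.time() < CORE_END)


def detect(log: str) -> list[Finding]:
    findings: list[Finding] = []
    for ts, user, door, zone, result in parse(log):
        if is_after_hours(ts):
            findings.append(Finding(ts, user, door, "after-hours"))
        cleared = CLEARANCE.get(user, 0)   # unknown badge holders are cleared for nothing
        if zone > cleared:
            # A DENIED attempt at an inner layer is worth a look; a GRANTED one
            # means the door's access list disagrees with the clearance table.
            kind = "granted-above-clearance" if result == "GRANTED" else "denied-above-clearance"
            findings.append(Finding(ts, user, door, kind))
    return findings


def summarise(findings: list[Finding]) -> dict[str, Counter]:
    """Per-person counts by reason, for HR / security review."""
    per_user: dict[str, Counter] = defaultdict(Counter)
    for f in findings:
        per_user[f.user][f.reason] += 1
    return dict(per_user)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for f in found:
        print(f"{f.ts:%Y-%m-%d %H:%M} {f.user:8} {f.door:12} {f.reason}")
    print(summarise(found))
```

On the sample, jsmith produces three after-hours entries on one night, a denied attempt at the bid room and then a granted one. 'granted-above-clearance' is the finding to treat as an incident: the access-control system opened an inner layer to someone the clearance table says should stop at Z2, so either the door's access list or the table is wrong. After-hours entries are not wrong in themselves, which is why the example reports them per person for review rather than alerting on every one.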

Page 19:

When Proactive becomes Reactive - Investigations

▌ A fair and transparent process

Authority to investigate (based on a documented procedure)

Authority to come from HR / Ops / CEO / Other

A clear ‘terms of reference’ for what the investigation covers

- Scope of investigation

- Personnel appointed to investigate

- Resources used to investigate

- Timeframe for investigation report

Make Recommendations not Decisions

Page 20:

Questions and Answers

▌ Questions and further discussion.