0607 Lec 21 Enterprise Security


Transcript of 0607 Lec 21 Enterprise Security

  • 8/6/2019 0607 Lec 21 Enterprise Security

    Slide 1/21: Lecture 21, Enterprise Security

  • Slide 2/21: Enterprise security: Putting Security on the Strategy Agenda

    John Hartwright

  • Slide 3/21: Introduction

    • What is your idea of security?

      Traditional view: it's all about access control

  • Slide 4/21: Introduction

    • What is your idea of security?

      New technology view: it's the job of the IT people

  • Slide 5/21: Does this have anything to do with strategy?

    • Strategy concerns:

      objectives at a high level
      large numbers of variables
      tend to be long term
      be applicable across an organisation
      tend towards generality

  • Slide 6/21: Computer security

    • Often summed up by the acronym CIA:

      Confidentiality
      Integrity
      Availability

    • Balance needed between all three aspects

  • Slide 7/21: Technical fixes

    • Anti-virus software
    • Encryption
    • Passwords and biometrics
    • Firewalls

  • Slide 8/21: Weakness of technical fixes

    • Hoax viruses
    • Social engineering
    • Users
    • Black box fixes

  • Slide 9/21: Human fixes

    • Hard to define what you are securing
    • Changes in location of data
    • Changes in nature of viruses and malware
    • Increasing use of email
    • Increasing need to use e-commerce

  • Slide 10/21: Physical security

    • Alarm systems
    • CCTV
    • Security tagging
    • Panic alarms/screens
    • Guards

  • Slide 11/21: What do you need to secure?

    A scale from Crucial to Trivial, with an example at each end:

      Details of a planned takeover
      Order for paperclips?

  • Slide 12/21: Disaster planning

    • What will we do if we can't use the computer?
    • Backup systems, e.g. hot sites, cold sites, mobile solutions
    • Backup data, e.g. tape drives need secure, accessible storage

  • Slide 13/21: Business Continuity Planning

    • What destroys the computer may destroy the office
    • Need to consider:

      IT
      Personnel
      Office space
      Communications links
      Public relations

  • Slide 14/21: Business Continuity Planning

    • It's about business survival
    • It won't mean the business is unaffected
    • It does need testing
    • Cannot predict all eventualities, but the plan is improved by testing

  • Slide 15/21: Employee security

    • IT may check for viruses on email, but:

      who checks the post for anthrax?
      who knows what to do when they take a phone call and it's a bomb threat?
      who checks that the windows are designed to cope with a car bomb?
      who knows if the Chairman's chauffeur understands how to avoid a hijack?

  • Slide 16/21: Forgotten dimensions

    • Public relations

      turning adversity into positive news
      who is talking to the media?

    • Stress

      what support is available to staff?

  • Slide 17/21: Structured security

    • "The security department is the protector or guardian of the company's property, product or merchandise, assets, equipment, reputation and employees" (Sennewald, 1998)
    • May also need to consider non-employees such as visitors and customers

  • Slide 18/21: Bringing it together

    • Increasing recognition that organisations need a coherent and cohesive strategy:

      It will be expensive
      It will affect the whole organisation
      It will change the way we organise and do business

  • Slide 19/21: Key issues

    • Mail handling
    • Travel
    • Employee protection
    • Risk assessment
    • Infrastructure protection
    • Office and plant protection
    • Employee morale

    None of these are traditional issues for a security department

  • Slide 20/21: Final thought

    • "There is no end to the imagination of the terrorist, so we should not be surprised when what they do surprises us." Yonah Alexander, Potomac Institute for Policy Studies
