Business Technical Obligations
Transcript of Business Technical Obligations
Technical
Foundations of Information Security Series
Vicente Aceituno @vaceituno
(c)Inovement Europe 2014
Vicente Aceituno
[email protected] - Skype: vaceituno
Linkedin - linkedin.com/in/vaceituno
Inovement Europe - inovement.es
Video Blog - youtube.com/user/vaceituno
Blog - ism3.com
Twitter - twitter.com/vaceituno
Presentations - slideshare.net/vaceituno/presentations
Articles - slideshare.net/vaceituno/documents
Foundations of Information Security Series
Needs
Secrecy
Intellectual Property you Own
Intellectual Property you Use
Privacy
Availability
Retention
Expiration
Quality
Obligations
Technical
Compliance
Legal
What is Information Security?
“Information Security” is an emergent property of people using information.
People have expectations about information.
If there are no people or no information, “Information Security” is meaningless, as there are no expectations to meet.
What is Information Security?
When expectations about information are met, there is “Security”.
When expectations about information are not met, there is an “Incident”.
What is Information Security?
Some expectations are things people (or organizations) want to happen for their own reasons. These are Needs.
Some expectations are things people (or organizations) want to happen in order to meet technical, legal or standard compliance requirements. These are Obligations.
Technical Obligations
Press Any Key to Continue
Technical Obligations
Information systems based on the Von Neumann architecture have inherent technical limitations that lead to weaknesses. These weaknesses can be exploited and lead to failing to meet other, more important, expectations. This is why organizations have the expectation that:
Information systems are kept free of weaknesses.
Information systems that need to be visible from untrusted systems are as little visible as possible.
Information systems run trusted software only.
Electricity, temperature and humidity are kept within the controlled limits necessary for the operation of information systems.
Technical Obligations
Whether these expectations are met or not is independent of the observer.
Technical-related incidents
When an information system presents a weakness.
When an information system is visible from untrusted systems.
When an information system runs untrusted software.
When electricity, temperature or humidity are out of controlled limits.
Achieving Technical Security
In order to achieve Technical Security, architecture, design, and specific software and appliances are normally used.
The related O-ISM3 processes are:
OSP-5: IT Managed Domain Patching
OSP-7: IT Managed Domain Hardening
OSP-8: Software Development Lifecycle Control
OSP-16: Segmentation and Filtering Management
OSP-17: Malware Protection Management
OSP-14: Physical Environment Protection Management
OSP-19: Internal Technical Audit
OSP-22: Alerts Monitoring
OSP-23: Internal Events Detection and Analysis
Technical Obligations
Press Any Key to Continue
The O-ISM3 Challenge
This was an exercise designed to throw into sharp relief the inadequacy of traditional information security concepts.
Check the exercise in full at tiny.cc/indepth
A summary of conclusions from the exercise, in relation to Technical Obligations, follows.
[Diagram: Business Needs (Secrecy, Intellectual Property, Privacy, Availability, Retention, Quality, Expiration), Business Obligations, and Technical Obligations]
Security and Technical Obligations
Security and Technical Obligations are not equivalent.
Technical Obligations and Security are not synonymous.
Technical Obligations are not useful to understand Security.
Follow the Foundations of Information Security Series by joining the Linkedin O-ISM3 Group at: tiny.cc/osim3LG
Learn Advanced Information Security Management by joining us at an O-ISM3 Course: tiny.cc/osim3