Turning Policy Into Reality

Tony S Krzyżewski, Director, Chief Technical Officer

Protocol Policy Systems

The Challenge of Digital Enablement

[Slide figure: a timeline running from Mainframe through Micro, LAN, Internet and Mobility to Digital Presence; along the timeline, Information Exposure Increases while Management Ability Decreases]

How You See Your Information

How the Public Want to See Your Information

Everywhere… and at all times!

The Policy Protection Model

[Slide diagram: Policy identifies the Technology, which requires Procedures, leading to Processes; then we Educate, and Control and Audit, for compliance with Policy]

Policies Set Our Expectations

"Users must not publish corporate information (applications, internal documents or files, press releases, price lists etc.) on any public facing computer system (e.g. website, social media site) unless the item has been authorised by the appropriate Manager and the Communications and Publicity Manager for public consumption."
Online Services Policy: User 19.6

"The Organisation must confirm the responsibilities of the cloud service provider with regard to information security. These responsibilities must be documented in an agreement which is signed by both the Organisation and the cloud service provider."
Cloud Computing Policy: Technical 5.1.2

"The access privileges of all users, systems and applications must be restricted based on the "need to know" and "least access" principles which require that there is a legitimate business need before access to any information systems resource is granted."
Information Management Policy: Technical 2.3.2

Where do IT Policies Fit?

Why we are here

What Constrains Us

What We are Going To Do

Who or What Does It

How We Are Going to Do It

IT Policies

IT Strategy

Regulatory Framework

Procedures & Processes

People & Technology

Why Have IT Policies?

Employers presume everyone knows about computers and IT Security

They don’t…

Consistent Rules and Guidelines

Align With Best Practice

Set Audit Benchmarks

First line of Threat Defence

Protect Corporate Information

Good Governance

Why Have IT Policies?

Ensure compliance

Affects everyone – not just IT
• Users
• HR
• Risk Managers and Auditors
• Managers
• Stakeholders
• CEO – the buck stops here

IT Policies Are Holistic

IT policies that are copies of best practice guides are like diet and exercise manuals…

Something to aspire to that you can never achieve

IT Policies Must Be Relevant

Need to know versus need to withhold principle

Well defined rules ensure that everyone knows what is expected of them

IT Policies are an Access Enabler

IT Policies kept in a book on the back shelf in the IT Manager’s office will never be read

Publish them on the Intranet

And Available to All

But What Normally Happens…

Defining Policy is too hard so no one actually gets around to it.

Technology gets purchased without regard to policy

Vulnerabilities get introduced because there are no rules

So you have IT Policies. What Now?

Perception by Users

Not applicable to me

Prevent me having my stuff

Stop me working effectively

Scary

Dictatorial

Negative

IT Police

Let People Have Their Say

Human Resources

Risk Managers

Management

Union Representatives

Auditors

Users

Consultation is the key to Success

Review Feedback

Feedback will be:-

Constructive

Positive

Indifferent

Unhelpful

Critical

Ridicule

Disparaging

Incorporate Feedback

Feedback should be incorporated if it is:-

Valid

Relevant

Helpful

Achievable

Doesn’t Negatively Impact on Anything Else

Workshop for Managers

Important because:-

Managers Lead By Example

Managers Are Responsible for Their Staff

Consistent IT Security Message for All

If Managers Aren’t Supportive, No One Else Will Be

Get Sign-Off

This is really important!!!

Management endorsement gives the IT Policies credibility

If Management endorse them, HR will enforce them

Talk to HR

HR have an important role to play in IT Security:-

• New employees sign the Acceptable Use Policy
• Induction process
• During Employment: Add users, Change user access, Terminating users
• Termination process
• IT Policy enforcement

Technical Review

Enforce policy by:-

• Implementing the appropriate technology
• Configuring the technology accordingly
• Ensuring you can monitor for compliance

Create a work plan:-

• Upgrade technology if needed
• Update technical skills where required

Workshops for Staff

Raise security awareness by:-

Show Staff the Policy System; Explain why it’s important

Tell War Stories

Concentrate on Highlights, Don’t Overdo the Detail

Repercussions for Non Compliance

Monitor Staff Usage of Resources

Raising Staff Awareness

Is SPAM a danger to our information?

Why we want you to change your password

The IT Policy Lifecycle

Tony S Krzyżewski, Director, Chief Technical Officer

Protocol Policy Systems
Email: [email protected]
www.protocolpolicy.com
Video: www.youtu.be/whbywf8ovK0
Demo: demo.protocolpolicy.com