
Board Member Security

1,655 views

Published on

This is my presentation for the Scandinavian ISACA conference in Oslo, Monday April 4, 2011. Please contact me if you have any questions or comments.

  1. Board Member Security
     Per Thorsheim, CISA, CISM, CISSP-ISSAP
     Security coordinator
     April 4, 2011
  2. The Codes of Conduct Dilemma
     (slide diagram, text only)
     General assembly / Bedriftsforsamling (Norway) / Board of Directors / CEO / Executive board / Chief Security Officer (CSO)
     Codes of Conduct / Security policy / Standards / Guidelines / ?
  3. Company (Security) policy
     ISACA 4 April 2011 – Per Thorsheim
     Policy requirement -> practical challenge
     - May require that all users use a PC + phone provided by the company -> a practical challenge for people who are members of many boards
     - Requires separation between work and other private (work) engagements -> easily broken by the above practical challenge
     - Requires hardening and periodic updating -> if the computer is personal, then it is by definition insecure and "illegal" to use
     - Disallows the sharing of accounts / passwords -> a personal assistant to the xxx may be a practical challenge to solve
  4. (image slide)
  5. HACKED (image slide)
  6. The Codes of Conduct Dilemma
     Directors' Liability Assurance ("Styreansvarsforsikring" in Norway)
     (Gross) negligence will impact the assurance agreement
     If the board does not comply with (their own) Codes of Conduct and/or security policy, will that be considered (gross) negligence by the insurance company?
  7. Recommendations (work in progress)
     Topic -> recommendation
     - Use of personal PC -> Disallowed. PC from company
     - Remote access -> Terminal server with 2-factor
     - Printouts -> Cross-cut shredder
     - Electronic documents -> MS Office password protection
     - E-mail -> Encrypted attachments
     - Leaving the board -> Standard company routine
     - Problems? -> VIP customer service (CSO)
     - CSO / IA: "Right to audit"?
     - NASDAQ Directors Desk?
  8. Primary insiders
     Primary insider: A person who is a member of the board of directors or management of a listed company, or who is associated with the company in some other way, and who is therefore subject to certain requirements in respect of trading and reporting trades carried out, cf. Sections 3-1 and 2-6 of the Securities Trading Act. Each listed company is responsible for identifying its primary insiders, and is responsible for providing an up-to-date list of its primary insiders to Oslo Børs. Each primary insider is personally responsible for ensuring that the requirements imposed on him or her by the Securities Trading Act are adhered to.
  9. Definition of primary insiders (image slide)
  10. Example list of primary insiders (no names shown) (image slide)
  11. However…
     (this is the point where I start to get difficult and annoying…)
  12. Externals: Access to inside information
     Externals: Advertising agency / Communications agency / Translation service / External auditor
     Channels: E-mail (usually unencrypted) / E-mail with attachments (usually unencrypted) / Postal mail / Mail by courier / Fax (for signatures!)
     - Phone conference service
     - (Norwegian) post
     - Postal courier
     - E-mail MitM attacks
     http://www.edb.com/Documents/Articles/E-post_sikkerhet_i_Norge.pdf
  13. Internals: Access to inside information
     - LEGAL vs technical access -> Domain Admins, helpdesk
     - Unauthorized access should be logged and prosecuted -> Administrative access is not logged (it is technically "legal")
     - Company encryption (PCI) -> Same problem with admins
     - End-to-end encryption (personal) -> Difficult, requires education
  14. Third-party access to insider information
     - Non-Disclosure Agreements (NDA) widely used: a reactive control
     - NDA seems to be considered a proactive control (?)
     - Detective controls seem rare
     - Security requirements in contracts seem sparse ("Trust" is common)
  15. Recommendation (the "easy" one…) (image slide)
  16. Last, but not least: Passwords^11
     - 2-day conference on passwords & PINs only
     - Attacks, defenses, forensics and usability aspects covered
     - Panel discussion: "Will we ever get rid of passwords?"
     - Bergen (Norway), June 7-8
     - Free-for-all (limited seats available)
     - International speakers
     - In collaboration with: University of Bergen, Professor Tor Helleseth
     - Sponsored by NISNET
     - Free live streaming on ustream.tv
     - securitynirvana.blogspot.com & Twitter: #passwords11
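The "Primary insiders", "Internals" and "Third-party access" slides together make one point: the company already keeps an up-to-date list of who is legally entitled to inside information, but nobody reconciles who technically touched it (Domain Admins, helpdesk, service accounts) against that list, so the detective control is missing. The script below is an added example, not part of the presentation: it reads a constructed file-server audit log and a constructed insider list (hypothetical account names, hypothetical CSV formats, hypothetical "/board/" path) and reports every access to board material by an account that is not on the insider list, distinguishing accepted technical access (a backup job reading files) from access that the CSO should review.

```python
"""Reconcile a board-document access log against the primary-insider list.

Added example, not from the presentation. Both inputs are constructed
(hypothetical account names, hypothetical CSV formats).
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed primary-insider list, as the company would maintain for Oslo Børs.
PRIMARY_INSIDERS_CSV = """\
account,role
j.doe,Chair of the board
a.nilsen,Board member
k.hansen,CEO
m.berg,CFO
"""

# Constructed file-server audit log: timestamp,account,action,path,groups.
# The helpdesk account holds Domain Admins, so its reads are technically
# "legal" even though the account is not a primary insider.
AUDIT_LOG_CSV = """\
2011-03-28T08:12:03Z,j.doe,READ,/board/2011-Q1/agenda.docx,BoardMembers
2011-03-28T08:14:55Z,a.nilsen,READ,/board/2011-Q1/results-draft.xlsx,BoardMembers
2011-03-28T11:40:10Z,helpdesk1,READ,/board/2011-Q1/results-draft.xlsx,"Domain Admins;Helpdesk"
2011-03-28T11:41:02Z,helpdesk1,COPY,/board/2011-Q1/results-draft.xlsx,"Domain Admins;Helpdesk"
2011-03-28T13:05:44Z,svc_backup,READ,/board/2011-Q1/results-draft.xlsx,BackupOperators
2011-03-29T09:00:00Z,m.berg,WRITE,/board/2011-Q1/results-draft.xlsx,Finance
2011-03-29T09:30:00Z,k.hansen,READ,/shared/marketing/brochure.pdf,Executives
"""

INSIDE_INFORMATION_PREFIX = "/board/"  # hypothetical: where board papers live
# Service accounts with accepted technical (not legal) access; only READ is tolerated.
SERVICE_READ_ALLOWLIST = {"svc_backup"}
ADMIN_GROUPS = {"Domain Admins"}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    account: str
    action: str
    path: str
    reason: str


def load_insiders(csv_text):
    """account -> role for everyone legally entitled to inside information."""
    return {row["account"]: row["role"] for row in csv.DictReader(io.StringIO(csv_text))}


def parse_log(csv_text):
    """Yield (timestamp, account, action, path, groups) tuples from the audit log."""
    for ts, account, action, path, groups in csv.reader(io.StringIO(csv_text)):
        yield ts, account, action, path, set(groups.split(";"))


def audit(log_text, insiders_text, prefix=INSIDE_INFORMATION_PREFIX):
    """Flag every touch of inside information by an account that is not a primary insider.

    Technical access (admin rights, service accounts) does not confer legal
    access, so the reconciliation is against the insider list, not the ACL.
    """
    insiders = load_insiders(insiders_text)
    findings = []
    for ts, account, action, path, groups in parse_log(log_text):
        if not path.startswith(prefix):
            continue  # not inside information
        if account in insiders:
            continue  # on the primary-insider list
        if account in SERVICE_READ_ALLOWLIST and action == "READ":
            continue  # known service access; a COPY or WRITE would still be flagged
        reason = "administrative account" if groups & ADMIN_GROUPS else "not on primary-insider list"
        findings.append(Finding(ts, account, action, path, reason))
    return findings


def summarize(findings):
    """account -> sorted distinct (action, path) pairs, for the CSO's review report."""
    by_account = defaultdict(set)
    for f in findings:
        by_account[f.account].add((f.action, f.path))
    return {acct: sorted(pairs) for acct, pairs in by_account.items()}


if __name__ == "__main__":
    for f in audit(AUDIT_LOG_CSV, PRIMARY_INSIDERS_CSV):
        print(f"{f.timestamp} {f.account:<12} {f.action:<5} {f.path} ({f.reason})")
```

On the constructed log only the helpdesk account is reported: it is technically permitted by its Domain Admins membership, which is exactly why the ACL alone never surfaces it, and the COPY is the action a "right to audit" clause or the CSO's VIP service would follow up on. The allowlist is deliberately narrow (one account, READ only) so that accepted technical access does not quietly widen into legal access.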
