Information Security Manager:
Our Security Manager is involved in every new business project to ensure that adequate security is built in and not bolted on afterwards.
The levels of security needed come from many sources including our Risk Manager, Continuity Manager and Availability Manager.
By coordinating all of this diverse information, a security plan emerges that correctly balances security with cost - the client cannot justify excessive security and the client cannot suffer cheap, inadequate security.
Abstract:
Our Information Security Management Service (ISMS) is a set of policies and auditable implementation documents that are concerned with information security and IT risk management.
ISO 27001 is the standard we have used not only to implement an effective security solution, but to demonstrate with regular audit that we choose to comply with IT security best practices.
Our Information Technology Infrastructure Library (ITIL) implementation (chapter 2.4) covers security management as ISO/IEC 27002.
Information Security Management:
Security is NOT a purely technical matter - it is a continual management process without a final solution.
Cyber warfare is a defensive strategy - the multi-billion pound agency vs a 14 year old in their bedroom. The concept of attack or retaliation is stupid. Cyber warfare is a sport where the clever little guy with negligible assets outsmarts the powerful agency or corporation with poorly managed assets.
Cyber warfare is in its infancy, with massive clusters of artificially intelligent bots being prepared to access anything and close anything down at any time. Blackmail is the chosen business model perfected by anti-virus software vendors who need viruses to maximise their revenue - it has become a UK legal requirement to install anti-virus software. Blackmail is the chosen business model perfected by search engine optimisation (SEO) and DNS protection vendors who need DNS and SEO attacks to maximise their revenue. Blackmailers imagine they are in the protection market when they may be operating a protection racket.
Governments are run by people who are fifty years out of touch with reality - they spend defensive funds on fighting wars that ended fifty years ago and spend nothing on fighting the cyber wars that are happening today. New aircraft carriers are built when the threat is a person with a backpack who blows up a tube train. New fighter jets are built when the threat is riots on the streets because not enough houses have been built.
AI has a characteristic of persistence - it can persistently defend and it can persistently attack until it finds a flaw. It is said that China used many thousands of people for more than five years to crack the RSA encryption key, but long-term persistence eventually paid off and many USA corporations had their IP stolen. Modern AI bots can dramatically reduce that delay, reduce the cost and attack many more businesses just to know what they are doing.
ISO/IEC Standards:
* 27000 ISMS overview and vocabulary.
* 27001 ISMS requirements.
* 27002 ISMS code of practice.
* 27003 ISMS implementation guidance.
* 27004 ISMS measurement.
* 27005 ISMS risk management.
* 27006 ISMS audit and certification.
* 27033 ISMS network security.
ISO/IEC 27002 Code of Practice:
1. Risk Assessment (2.3).
2. Security Policy (2.7).
3. Organization (3.2).
4. Asset Management (2.1).
5. Human Resources Security.
6. Physical and Environmental (4.7).
7. Communications and Operations (4.6).
8. Access Control (4.4).
9. Development and Maintenance (3.3).
10. Incident Management (4.2).
11. Business Continuity (2.6).
12. Compliance and Conformance (2.8).
3.2 Security Policy
The cyber criminal and the penetration test team are faced with multiple layers of security that include:
1. Security begins with dedicated firewalled servers where all unused services have been disabled.
2. Security means that servers do not have any vulnerable programs installed, such as language compilers, Office, Adobe, etc.
3. Security shows the criminal only one program, "index.c2", to attack - this one program has been purposefully designed to detect and stop all attacks.
4. In-depth security means that even if a criminal got access to a web server, they could not get to the DB server, the database or any information.
5. Security means NOT permitting any incoming emails or attachments to be stored on any of these servers - creating and sending outgoing emails is safe and supported.
6. This three-tier architecture may be too expensive for competitors to emulate, so they must experience more vulnerabilities and take more risks.
7. The same three-tier architecture is replicated to a swarm of secure data centers with very high speed Internet connections.
8. Security means nothing without exceptional availability, resilience and business continuity.
Cyber Warfare:
Knowledge is security.
Cyber warfare rules of engagement exist between state-sponsored agencies, but what the NSA can do today, criminals will be able to do tomorrow.
Those businesses that simply accept that state-sponsored agencies will access their data, copy their emails and exploit their intellectual property may not be ready to resist attacks by criminals using similar techniques.
War or peace was easy to identify in the good old days when countries declared their allegiances, but with terrorism involving many parties within one country and across country boundaries, the old rules of engagement are no longer valid.
Munition and armament corporations are moving from physical weapon sales to cyber warfare weapons - some of these weapons will get into the hands of criminals.
Knowledge is security - it is critical to stay at the leading edge with many levels of security, because every security standard that has ever existed has eventually been cracked.
Factors:
* Security depends on people rather than technology.
* Internal people are a greater threat to information security than outside people.
* Security is like a chain - it is as strong as its weakest link.
* The degree of security depends on: (1) risk, (2) functionality and (3) the cost of reducing risk.
* Security is not a status - it is a continual process that gets harder and harder every year.
How to be secure:
* We have the absolute, continuous and visible support of the entire executive team.
* Security is managed centrally with a common documented policy for all application services.
* Security is built into the process of managing application services by reflecting risk management with controls that deliver what is needed.
* We have security objectives bound to business objectives to ensure they evolve hand in glove.
* We manage security to the degree required, to avoid over-control and wasting resources on controls that are not needed.
* We have a security system that enables people to do their job in proportion to their accountability.
* Security training and awareness are used to empower people without excessive disciplinary measures.
* Security is a relentless, continuing activity that must keep improving.
Document Control:
1. Document Title: Information Security Manager.
2. Reference: 162700.
3. Keywords: Information Security Manager.
4. Description: Information Security Manager.
5. Privacy: Public education service as a benefit to humanity.
6. Issued: 13 Feb 2017.
7. Edition: 2.2.