
The cultural program

[Process diagram: Establish - Commitment - Plan - Technical program / Cultural program - Evaluate]
Agenda
1. Review
2. Cultural program
3. Assignment 1
4. Assignment 2
Information Security Management Culture

[Diagram: Security culture at the levels Organisation, Unit and Person. Nodes: Objectives / Security objectives; Competence / Security competence; Results / Security results; Work processes / Security activities; Monitoring / Follow up; Risk assessment. Edge labels: Must have, Dependent on, Gives, Performs, Monitor, Dedicated to, Valid for.]
Seven categories of possible actions
- Infrastructure, technical measures
- Organizational changes
- Culture and attitude
- Controls
- Procedures and guidelines
- Agreements
- Security policies
- Question: do you have any examples in these categories for e-mail?
Cultural program
- Main questions
  - How to establish an information security culture in our organisation
  - How to increase people's awareness
  - How to involve everybody in some way or other
  - How to make everybody empowered
- What do we do?
  - Information, training and involvement
  - Continue what we started in the commitment phase
- What happens if we don't do it?
What we say that we do / What we do
The three systems must be in conformance!
- Documented, formal system
- Informal system
- Formal, but not documented system
What kind of attitudes do we want?
- Understand the importance of information security
- Understand the threat situation
- Understand own importance
- Know the organization's values and security principles
- Accept and follow the security rules
- Care
- Have own ethics in order
"We can not succeed with our security work without an active effort to get the right kinds of attitudes and a security culture into the organization."
Survey in big Norwegian companies (NN0-project, ca. respondents)
Have you ever broken the security rules?
[Chart with the answer categories: Yes, deliberately; Yes, didn't know it was against the rules; Yes, was pressed for time; Yes, was instructed to; Don't know; No]
Questions from the survey (Scale -)
- How much security training have you received? Score 1.9
- How interested are you in security training? Score 1.9 of max 3
- To which extent are you engaged in security work? Score 2.1
- How do you rate your knowledge about information security? Score 3.3
- Is there an active dialogue on information security between the management and the employees in your company? Score 2.2
Don't be a victim!!!
Social Engineering - psychological manipulation
- Examples
  - Nigeria letters
  - Telephone calls
  - Other examples?
- http://www.securityfocus.com/infocus/1327
- http://www.us-cert.gov/cas/tips/ST04-014.html
Congratulations!!
- From: Mega Promo <crossweaver1@libero.it>
- Sent: Monday, October 06, 2008 3:23 PM
- Subject: Congratulations!!!

  Important Information: your email has won a prize of €2,000,000.00 (Two Million Euro) in the first category Mega Staatsloterij Promotions. Ref no RVMSA/2690/023/028, Batch no 20/333/MRV, Serial no 3368/06 and Award no 02031316182023. Do contact the details: Contact Person: Mr Robert Hans, Email: infomage2008@aol.com, Phone: +31 613171449, Fax: +31 84 743 3373.
  Yours Sincerely,
  Vjertis von Adrian (Ms) CA
Participation
How?
- To participate in the project team
- To be represented by someone trusted and accepted
- To participate in some activity with special relevance for own work, for example in developing procedures, performing risk assessment or prioritizing among suggested measures
- To be heard, for example through a consultative round
- People like their own work
- People accept rules made by themselves more readily than those forced by others, especially those coming from the top.
Question: Why?
Information
- What do people want to know? In short: what's in it for me?
  - What kind of changes?
  - How will it affect the organization?
  - How will it affect me?
  - Will I be able to cope?
Giving the right information is extremely important and very difficult, and so is giving it at the right moment and the right time.
Endurance
- Question: why do we have to talk about endurance to complete the project? Wouldn't it go without saying?
Endurance - Usual problems
- The management has started without realizing the full implication
- The management has started but lacks conviction
- The results take a long time to materialize; the management loses interest
- The opposition is too strong; the security efforts are quietly sabotaged
- New management with a different agenda
The best insurance against lack of endurance
- Start with an assessment of the security status and a risk assessment
- Prioritize the most important, or that which shows early results
- Plan carefully and realistically
- Do one thing at a time
- Prioritize simple, effective solutions before complicated and "perfect" ones
Security policies
- Two levels
  - Overall policy covering the security work
  - Policies in important areas: secure behavior in that area
- Best examples
  - www.sans.org
  - Examples for 30 areas
Policy, procedure, standard and guidelines
- A policy is a document with specific and high level requirements that must be
- A standard would typically be more detailed and give you specific rules for an area that everyone has to follow. Examples could be a code standard or a standard for the composition of a password
- A procedure is a step by step instruction for some action; for example we could have a procedure for distribution of new passwords in the company
- Guidelines we might use as a collective term for policies, procedures and standards, and also recommendations
How to write a security policy
- Use a template!
- Involve people!
- The policy should
  - Be possible to implement and live by
  - Be short, to the point and easy to understand
  - Be balanced between the need to protect and the flexibility of use
  - Contain its own justification
  - State its area of application
  - State clearly what happens in case of breach of the policy
  - Be revised yearly
  - State responsibilities for maintenance etc.
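One way to turn this checklist into a check that runs over a policy repository, as an added example that is not from the lecture: it assumes each policy file carries a short "key: value" front matter, and the field names and the sample policy are this example's own.

```python
from datetime import date, timedelta
import re

# Checklist items from the slide, keyed by the front-matter field that
# evidences them (the field names are an assumption of this example).
REQUIRED = {
    "justification": "contain its own justification",
    "scope": "state its area of application",
    "on_breach": "state clearly what happens in case of breach",
    "maintained_by": "state responsibilities for maintenance",
    "last_revised": "be revised yearly",
}
MAX_AGE = timedelta(days=366)  # "be revised yearly"

def parse_front_matter(text):
    """Read 'key: value' lines between the leading '---' markers."""
    m = re.match(r"---\n(.*?)\n---", text, re.S)
    fields = {}
    for line in (m.group(1).splitlines() if m else []):
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields

def check_policy(text, today=None):
    """Return the checklist violations (empty list = passes); today is an ISO date string."""
    today = date.fromisoformat(today) if today else date.today()
    fields = parse_front_matter(text)
    problems = [f"missing '{k}': the policy should {v}"
                for k, v in REQUIRED.items() if not fields.get(k)]
    if fields.get("last_revised"):
        try:
            age = today - date.fromisoformat(fields["last_revised"])
            if age > MAX_AGE:
                problems.append(f"stale: revised {age.days} days ago, should be revised yearly")
        except ValueError:
            problems.append("last_revised is not an ISO date (YYYY-MM-DD)")
    return problems

# Constructed sample policy, not from the lecture.
SAMPLE_POLICY = """---
justification: Weak and shared passwords are the easiest way into our systems
scope: All employees and contractors with an account on company systems
on_breach: The account is suspended until the security coordinator has followed up
maintained_by: IT security officer, reviewed with the security network yearly
last_revised: 2008-09-15
---
Passwords must be at least 12 characters long and must never be shared or reused.
"""
```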
Organization
- To organize is to decide who is responsible for what with respect to information security
- Hierarchy
  - Depends on the company's volume
- Possible roles
  - Chief security manager, responsible for the overall security work in the company
  - IT security officer with special responsibility for information security
  - Security coordinators responsible for the security work in different departments or for different security areas, for example for IT operations or other areas where we need special competence to develop adequate security measures
[Organisation chart: The management; The chief security officer; IT department with the IT security officer; Business unit 1, Business unit 2 ... Business unit N; Security network IT; Security network business units]
Organising the security work
