1. Jeremy Hilton
With contributions from
Pete Burnap and Anas Tawileh
4. The way people work is changing – ubiquitous
Internet access
Web 2.0 technology and Cloud computing is
supporting/driving a collaborative, on-demand
culture
Virtual Organisations are frequently used to
support collaborative, distributed working
Government Services (Transformational Government)
Medical (Patient Records)
Research (e-Research)
Inter-disciplinary organisations contribute
content, others have access to the content
5. “In relation to rights, the Government
believes piracy of intellectual
property for profit is theft and
will be pursued as such through
the criminal law.”
“However, the Government also
believes, and the evidence suggests,
that most people, given a
reasonable choice would much
prefer not to do wrong or break
the law…”
“Personal data is the new currency of
the digital world. Privacy and
security of that data is an
increasingly critical issue. “
5
10. All organisations are unique.
Each organisation has its own culture and history.
Each organisation is inhabited (and the processes are
undertaken) by its own unique group of people.
These people have their own perceptions,
(interpretation), of their role.
They have their own perceptions of the relationship of
their role to the organisation mission.
They have their own perceptions of the organisation
mission itself.
11. The range and nature of the multiple perceptions,
related to the people within an organisation, are
not necessarily consistent or uni-directional. (This
gives rise to personal agendas, politics, and
potential inter-personal conflict).
These multiple perceptions cannot be ignored in
any description that tries to be relevant to a
specific organisation.
Most organisations are best described as a mess.
12. How can you think about a Prison as a Human
Activity System ?
A system to remove rights and privileges
(punishment)
A system to control interaction between
offenders and the community (security)
A system to instil Society’s norms and values
(rehabilitation)
A system to enhance criminal activity (criminal
education)
13. Reality is not any one of these views.
Reality is some mixture of these views.
There may be little (or no) agreement as to
what this mixture is.
16. Business Purpose
Business Objectives
Problem
Space
Business Information Needs
Processes
Information Systems
Solution
Space
Information Technology
17. Administration and infrastructure
Support Human resource management
Activities
Product/technology development
Value added –
cost
Procurement
= MARGIN
Inbound Operations Outbound Sales and Services
logistics logistics marketing
Primary
Activities
• Can we enhance the value added by that activity?
• Is there an opportunity to reduce the cost of that activity
• Or eliminate that activity?
• Can we use that activity to differentiate the organisation?
Porter, M. E., Competitive Advantage, The Free Press, 1985
18. Their Our suppliers Us Our Their retailers
suppliers distributors
Consumer
Our competition
Demand information
Supply information
19. Requirements
Support
Product Info Invoice
Order
Product
Customer
Contracts Order Fulfillment
Finished
Sales & Mktg
Forecast Goods Logistics
Product Ideas
Roadmap Operations Finished
Goods
P.O.s Components
& Materials
Product Finance
Development Contracts
Supplier Website
Extranet
Intranet
ERP
20. tures
Hack
Critical
Infrastruc
ers
Privacy
Copyright
Gove
rnme
nt
k
emar
Trad
Enfor
Law
cemen
t
21. The Death of the Perimeter
(Banking) Business is conducted over networks
– Multitude of connection points
– Multitude of traffic types (protocols, content)
– Complication!
Traditional perimeter security doesn’t scale:
– For filtering of addresses or protocols
– For management of multiple gateways
Mobile & wireless technology (largely) ignores the
perimeter control
Most large corporates have leaky perimeters
Perimeter security does nothing about data flow and
residence
22. Companies Act 2006
The Re-use of Public Sector Information Regulations 2005
Environmental Information Regulations 2004
Freedom of Information Act 2000
Electronic Communications Act 2000
Regulation of Investigatory Powers Act 2000
Data Protection Act 1998
Computer Misuse Act 1990
Copyright Designs and Patents Act 1988
Public Records Act 1967
Public Records Act 1958
Human Rights Act 1998
Software Licensing Regulations
23. As dependency grows … IT security important?
http://www.berr.gov.uk/files/file45714.pdf
25. But some big exposures Most companies not doing
remain enough
Confidential information is
increasingly at risk, especially
in large organisations
http://www.berr.gov.uk/files/file45714.pdf
27. Private Sector % of Enterprises in UK
Employment
SME
Large
Micro
SME
Large
28. Managers of SMEs are busy running their
company, trying to survive in a very competitive
environment
They rarely address anything that is not a
legislative or regulatory requirement, and even
then will often only comply if there is a penalty for
not doing so
Will avoid spending money, and time is money,
training is money
Rarely buy in expertise, staff left to help each
other and ‘learn on the job’
32. Not killing customers (food industry)
Cash flow
New orders/repeat business
Staffing
Legislation, Regulation
only so they can continue to trade
and directors not go to jail!
… and where does information security &
privacy fit in?
34. “you have zero privacy, get over it”
Scott McNealy 1999
http://www.wired.com/politics/law/news/1999/01/17538
Article 8 of the European Convention on Human
Rights that states:
Everyone has the right to respect for his private
and family life, his home and his correspondence
35. Process that enables organisations to
anticipate and address likely impacts of new
initiatives
Foresee problems
Negotiate solutions
Manage risks
Design systems to avoid unnecessary privacy
intrusion
36. Requirement by law
Requirement of government organisational
policy
Appreciation that project has significant
implications that should be subject of
investigation
Existing public concerns
45. When developing policy(rules), it is critical to
consider if and how they can be implemented.
For example, if the policy is that:
employees who breach a security rule, say, disclose
information to someone unauthorised to see it, then
they will be fired
46. People generally do what they want to do,
even at work.
Hopefully this aligns with the organisation’s
needs
incentivising ; or
applying suitable sanctions.
May achieve short term benefit, but the change is
short-lived unless
fundamental change is achieved
staff have a belief in the desired result
48. Staff need to be involved, trained and
supported.
Tools will be required in order to enable
the desired controls on information and
analysis/audit of use
Accountability and responsibility of staff
must be clearly defined and agreed.
Tell me and I’ll forget
Show me and I’ll remember
Involve me and I’ll understand
Old Chinese saying
52. • A set of licenses that are flexible enough to let you
add as much or as little restrictions on you work as
you like
• Expressed in 3 different formats:
• Lawyer-readable
• Human-readable
• Machine-readable
• www.creativecommons.org
53. A set of classifications that are flexible enough
to enable to define and communicate the
controls to be applied to your information
May be combined with creative commons
licenses
Expressed in 3 different formats:
Security Officer-readable
Human-readable
Machine readable
54. Use Confidentiality
RA – Restricted Access PI – Personal Information
OO – Organisation Only ND – Non-Disclosure
CA – Community Access CG – Corporate Governance
OA – Open Access SD – Safe Disposal
CU – Controlled Until
Integrity AD – Approved for Disclosure
BY – Attribution
cc Authentication
AB – Authorised By ND – Non-Derivatives
cc
55. Restricted Access
The information is restricted to the nominated
recipients
The owner of the information will nominate
the authorised recipients
The owner may delegate responsibility for
nominating authorised recipients
56. Personal Information
The information contains personal information
and consideration must be made before
sharing the information
This classification is likely to be used in
conjunction with other labels such as
cc
58. Multi-Agency environment
Police
Courts Service
Probation Service
Lawyers
Social Services
Health, etc
Offender management
Privacy issues in data shared during arrest,
prosecution and detention
Release under licence
58
59. Changing individuals’ behaviour such that:
the need for safe handling of information is
understood & accepted; and
controls agreed and applied
Because the individuals choose to, not
because they are told to.
59
62. ASCJS workshops confirmed the usefulness of the
scenario-based risk assessment and icon-based
approach for communicating controls
Identified a number of additional benefits that
contributed to an increased understanding of the
distributed community and the need for controls
In addition, they expressed an interest in the
ability to implement a technical solution to
provide fine-grained assess to data-sharing in a
collaborative, distributed environment
62
63. Know your staff
Ensure all understand the business and the
part they play in it’s success
Be aware of your obligations
Discuss the issues and how they impact on the
critical parts of your business
Involve staff
Agree controls, ensure accountability from top
to bottom