Jeremy Hilton, with contributions from Pete Burnap and Anas Tawileh
Business: Security & Privacy
• The way people work is changing – ubiquitous Internet access
• Web 2.0 technology and Cloud computing are supporting/driving a collaborative, on-demand culture
• Virtual Organisations are frequently used to support collaborative, distributed working
  – Government Services (Transformational Government)
  – Medical (Patient Records)
  – Research (e-Research)
• Inter-disciplinary organisations contribute content, others have access to the content
“In relation to rights, the Government believes piracy of intellectual property for profit is theft and will be pursued as such through the criminal law.”

“However, the Government also believes, and the evidence suggests, that most people, given a reasonable choice would much prefer not to do wrong or break the law…”

“Personal data is the new currency of the digital world. Privacy and security of that data is an increasingly critical issue.”
http://blog.stop-idfraud.co.uk/
http://www.guardian.co.uk/media/blog/2009/oct/12/ukcrime-id-theft-rising
• All organisations are unique.
• Each organisation has its own culture and history.
• Each organisation is inhabited (and the processes are undertaken) by its own unique group of people.
• These people have their own perceptions (interpretation) of their role.
• They have their own perceptions of the relationship of their role to the organisation mission.
• They have their own perceptions of the organisation mission itself.
• The range and nature of the multiple perceptions, related to the people within an organisation, are not necessarily consistent or uni-directional. (This gives rise to personal agendas, politics, and potential inter-personal conflict.)
• These multiple perceptions cannot be ignored in any description that tries to be relevant to a specific organisation.
• Most organisations are best described as a mess.
How can you think about a Prison as a Human Activity System?
• A system to remove rights and privileges (punishment)
• A system to control interaction between offenders and the community (security)
• A system to instil Society’s norms and values (rehabilitation)
• A system to enhance criminal activity (criminal education)
• Reality is not any one of these views.
• Reality is some mixture of these views.
There may be little (or no) agreement as to what this mixture is.
Ref: Anas Tawileh – PhD Thesis 2009
[Figure: Problem Space and Solution Space diagram linking Business Purpose, Business Objectives, Business Processes, Information Needs, Information Systems and Information Technology]
[Figure: Porter's value chain. Support activities: Administration and infrastructure, Human resource management, Product/technology development, Procurement. Primary activities: Inbound logistics, Operations, Outbound logistics, Sales and marketing, Services. Value added – cost = MARGIN]
• Can we enhance the value added by that activity?
• Is there an opportunity to reduce the cost of that activity?
• Or eliminate that activity?
• Can we use that activity to differentiate the organisation?
Porter, M. E., Competitive Advantage, The Free Press, 1985
[Figure: supply chain: Their suppliers, Our suppliers, Us, Our distributors, Their retailers, Consumer, with Our competition alongside; flows labelled Demand information and Supply information]
[Figure: information flows between business functions (Sales & Mktg, Product Roadmap, Product Development, Operations, Order Fulfillment, Logistics, Finance), the Customer and the Supplier: Requirements, Support, Product Info, Order, Invoice, Product, Contracts, Forecast, Product Ideas, Finished Goods, P.O.s, Components & Materials; supporting systems: Website, Extranet, Intranet, ERP]
[Figure: word cloud: Hackers, Critical Infrastructures, Privacy, Copyright, Government, Trademark, Law Enforcement]
The Death of the Perimeter
• (Banking) Business is conducted over networks
  – Multitude of connection points
  – Multitude of traffic types (protocols, content)
  – Complication!
• Traditional perimeter security doesn’t scale:
  – For filtering of addresses or protocols
  – For management of multiple gateways
• Mobile & wireless technology (largely) ignores the perimeter control
• Most large corporates have leaky perimeters
• Perimeter security does nothing about data flow and residence
• Companies Act 2006
• The Re-use of Public Sector Information Regulations 2005
• Environmental Information Regulations 2004
• Freedom of Information Act 2000
• Electronic Communications Act 2000
• Regulation of Investigatory Powers Act 2000
• Data Protection Act 1998
• Computer Misuse Act 1990
• Copyright Designs and Patents Act 1988
• Public Records Act 1967
• Public Records Act 1958
• Human Rights Act 1998
• Software Licensing Regulations
[Chart: As dependency grows … / IT security important? Source: http://www.berr.gov.uk/files/file45714.pdf]
[Chart: Controls are improving / Security has changed. Source: http://www.berr.gov.uk/files/file45714.pdf]
[Chart: But some big exposures remain / Most companies not doing enough. Source: http://www.berr.gov.uk/files/file45714.pdf]
• Confidential information is increasingly at risk, especially in large organisations
[Chart: Private Sector Employment and % of Enterprises in UK, split into Micro, SME and Large]
• Managers of SMEs are busy running their company, trying to survive in a very competitive environment
• They rarely address anything that is not a legislative or regulatory requirement, and even then will often only comply if there is a penalty for not doing so
• Will avoid spending money, and time is money, training is money
• Rarely buy in expertise, staff left to help each other and ‘learn on the job’
http://www.fsb.org.uk/policy/assets/inhibiting%20enterprise%20fsb%20fraud%20&%20online%20crime%20rpt.pdf
• Not killing customers (food industry)
• Cash flow
• New orders/repeat business
• Staffing
• Legislation, Regulation
  – only so they can continue to trade and directors not go to jail!
… and where does information security & privacy fit in?
“you have zero privacy, get over it”
Scott McNealy 1999
http://www.wired.com/politics/law/news/1999/01/17538

Article 8 of the European Convention on Human Rights states:
Everyone has the right to respect for his private and family life, his home and his correspondence
• Process that enables organisations to anticipate and address likely impacts of new initiatives
  – Foresee problems
  – Negotiate solutions
• Manage risks
• Design systems to avoid unnecessary privacy intrusion

• Requirement by law
• Requirement of government organisational policy
• Appreciation that project has significant implications that should be subject of investigation
• Existing public concerns
[Figure: risk management model with elements ASSETS, THREATS, VULNERABILITIES, RISKS, ANALYSIS, COUNTERMEASURES, MANAGEMENT]
Security Standards - Cobit, ISO 27001
• #2 Define the information architecture
… and much more.
• When developing policy (rules), it is critical to consider if and how they can be implemented.
• For example, if the policy is that:
  – employees who breach a security rule, say, disclose information to someone unauthorised to see it, then they will be fired
• People generally do what they want to do, even at work.
  – Hopefully this aligns with the organisation’s needs
    · incentivising; or
    · applying suitable sanctions.
  – May achieve short term benefit, but the change is short-lived unless
    · fundamental change is achieved
    · staff have a belief in the desired result
• Staff need to be involved, trained and supported.
• Tools will be required in order to enable the desired controls on information and analysis/audit of use
• Accountability and responsibility of staff must be clearly defined and agreed.

Tell me and I’ll forget
Show me and I’ll remember
Involve me and I’ll understand
Old Chinese saying
Adapting the creative commons approach for information classification and control
• A set of licenses that are flexible enough to let you add as many or as few restrictions on your work as you like
• Expressed in 3 different formats:
  – Lawyer-readable
  – Human-readable
  – Machine-readable
• www.creativecommons.org
• A set of classifications that are flexible enough to let you define and communicate the controls to be applied to your information
• May be combined with creative commons licenses
• Expressed in 3 different formats:
  – Security Officer-readable
  – Human-readable
  – Machine-readable
Use
  RA – Restricted Access
  OO – Organisation Only
  CA – Community Access
  OA – Open Access
Confidentiality
  PI – Personal Information
  ND – Non-Disclosure
  CG – Corporate Governance
  SD – Safe Disposal
  CU – Controlled Until
  AD – Approved for Disclosure
Integrity
  BY – Attribution (cc)
  AB – Authorised By
Authentication
  ND – Non-Derivatives (cc)
Restricted Access
• The information is restricted to the nominated recipients
• The owner of the information will nominate the authorised recipients
• The owner may delegate responsibility for nominating authorised recipients
Personal Information
• The information contains personal information and consideration must be made before sharing the information
• This classification is likely to be used in conjunction with other labels such as
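The label scheme above, with the Restricted Access and Personal Information rules, as an added example in Python (not code from the presentation or from the PRIMADS project). The ';'-joined machine-readable string, the rule that an asset carries exactly one Use label, and the fail-closed handling of labels the slides list but do not define are assumptions of this example; ND is taken here as Non-Disclosure only.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, Optional, Set, Tuple

# Label codes and names as listed on the slides. Only the Use labels and
# PI are given behaviour below; every other code is parsed but, being
# undefined on the slides, makes the sharing decision fail closed.
USE_LABELS = {"RA": "Restricted Access", "OO": "Organisation Only",
              "CA": "Community Access", "OA": "Open Access"}
CONF_LABELS = {"PI": "Personal Information", "ND": "Non-Disclosure",
               "CG": "Corporate Governance", "SD": "Safe Disposal",
               "CU": "Controlled Until", "AD": "Approved for Disclosure"}
KNOWN = {**USE_LABELS, **CONF_LABELS}
MODELLED = set(USE_LABELS) | {"PI"}


@dataclass
class Recipient:
    name: str
    organisation: str
    communities: FrozenSet[str] = frozenset()


@dataclass
class Asset:
    owner: str
    organisation: str
    labels: FrozenSet[str]
    community: Optional[str] = None
    nominated: Set[str] = field(default_factory=set)   # RA recipients
    delegates: Set[str] = field(default_factory=set)   # may nominate for owner


def parse_labels(text: str) -> FrozenSet[str]:
    """Machine-readable form assumed here: codes joined by ';' (e.g. 'RA;PI').
    Unknown codes are rejected rather than silently ignored."""
    codes = [c.strip().upper() for c in text.split(";") if c.strip()]
    unknown = [c for c in codes if c not in KNOWN]
    if unknown:
        raise ValueError(f"unknown label code(s): {unknown}")
    return frozenset(codes)


def human_readable(labels: FrozenSet[str]) -> str:
    """Render the slides' 'human-readable' form, Use labels first."""
    ordered = [c for c in KNOWN if c in labels]
    return "; ".join(KNOWN[c] for c in ordered)


def nominate(asset: Asset, actor: str, recipient_name: str) -> bool:
    """Only the owner, or someone the owner has delegated to, may nominate."""
    if actor != asset.owner and actor not in asset.delegates:
        return False
    asset.nominated.add(recipient_name)
    return True


def may_share(asset: Asset, recipient: Recipient,
              pi_considered: bool = False) -> Tuple[bool, str]:
    """Decide whether asset may be shared with recipient: (allowed, reason)."""
    unmodelled = asset.labels - MODELLED
    if unmodelled:
        return False, f"fail closed: no rule for {sorted(unmodelled)}"
    use = asset.labels & set(USE_LABELS)
    if len(use) != 1:   # assumption: exactly one Use label is required
        return False, "fail closed: need exactly one Use label"
    (code,) = use
    if code == "RA" and recipient.name not in asset.nominated:
        return False, "RA: recipient not nominated by owner or delegate"
    if code == "OO" and recipient.organisation != asset.organisation:
        return False, "OO: recipient is outside the organisation"
    if code == "CA" and asset.community not in recipient.communities:
        return False, "CA: recipient is outside the community"
    # PI: "consideration must be made before sharing" is recorded as a flag
    if "PI" in asset.labels and not pi_considered:
        return False, "PI: consideration required before sharing"
    return True, f"{USE_LABELS[code]} conditions met"
```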
Avon & Somerset Criminal Justice Board - PRIMADS
• Multi-Agency environment
  – Police
  – Courts Service
  – Probation Service
  – Lawyers
  – Social Services
  – Health, etc
• Offender management
• Privacy issues in data shared during arrest, prosecution and detention
• Release under licence
• Changing individuals’ behaviour such that:
  – the need for safe handling of information is understood & accepted; and
  – controls agreed and applied
• Because the individuals choose to, not because they are told to.
• ASCJS workshops confirmed the usefulness of the scenario-based risk assessment and icon-based approach for communicating controls
• Identified a number of additional benefits that contributed to an increased understanding of the distributed community and the need for controls
• In addition, they expressed an interest in the ability to implement a technical solution to provide fine-grained access to data-sharing in a collaborative, distributed environment
• Know your staff
• Ensure all understand the business and the part they play in its success
• Be aware of your obligations
• Discuss the issues and how they impact on the critical parts of your business
• Involve staff
• Agree controls, ensure accountability from top to bottom
Weitere ähnliche Inhalte

Was ist angesagt?

What Can Bond Do For Your Company
What Can Bond Do For Your CompanyWhat Can Bond Do For Your Company
What Can Bond Do For Your Companybirney.james
 
Financial Technology Market Analysis - March 2012
Financial Technology Market Analysis - March 2012Financial Technology Market Analysis - March 2012
Financial Technology Market Analysis - March 2012MMMTechLaw
 
Finding the “Sweet Spot”: Big Data, Smart Technology, and Domain Knowledge
Finding the “Sweet Spot”: Big Data, Smart Technology, and Domain KnowledgeFinding the “Sweet Spot”: Big Data, Smart Technology, and Domain Knowledge
Finding the “Sweet Spot”: Big Data, Smart Technology, and Domain KnowledgeEmPower Research, a Genpact company
 
Financial Technology July Market Analysis
Financial Technology July Market AnalysisFinancial Technology July Market Analysis
Financial Technology July Market AnalysisMMMTechLaw
 
E12 Sox And Identity Management
E12 Sox And Identity ManagementE12 Sox And Identity Management
E12 Sox And Identity ManagementAlexandre Luna
 
Tackling big data with hadoop and open source integration
Tackling big data with hadoop and open source integrationTackling big data with hadoop and open source integration
Tackling big data with hadoop and open source integrationDataWorks Summit
 
Строим сообщество ( или общество единомышленников ) в Интернете . Web -2 нам ...
Строим сообщество ( или общество единомышленников ) в Интернете . Web -2 нам ...Строим сообщество ( или общество единомышленников ) в Интернете . Web -2 нам ...
Строим сообщество ( или общество единомышленников ) в Интернете . Web -2 нам ...Dmitry Tseitlin
 

Was ist angesagt? (8)

What Can Bond Do For Your Company
What Can Bond Do For Your CompanyWhat Can Bond Do For Your Company
What Can Bond Do For Your Company
 
Financial Technology Market Analysis - March 2012
Financial Technology Market Analysis - March 2012Financial Technology Market Analysis - March 2012
Financial Technology Market Analysis - March 2012
 
Finding the “Sweet Spot”: Big Data, Smart Technology, and Domain Knowledge
Finding the “Sweet Spot”: Big Data, Smart Technology, and Domain KnowledgeFinding the “Sweet Spot”: Big Data, Smart Technology, and Domain Knowledge
Finding the “Sweet Spot”: Big Data, Smart Technology, and Domain Knowledge
 
Financial Technology July Market Analysis
Financial Technology July Market AnalysisFinancial Technology July Market Analysis
Financial Technology July Market Analysis
 
E12 Sox And Identity Management
E12 Sox And Identity ManagementE12 Sox And Identity Management
E12 Sox And Identity Management
 
Coutinho IIex sp2013
Coutinho IIex sp2013Coutinho IIex sp2013
Coutinho IIex sp2013
 
Tackling big data with hadoop and open source integration
Tackling big data with hadoop and open source integrationTackling big data with hadoop and open source integration
Tackling big data with hadoop and open source integration
 
Строим сообщество ( или общество единомышленников ) в Интернете . Web -2 нам ...
Строим сообщество ( или общество единомышленников ) в Интернете . Web -2 нам ...Строим сообщество ( или общество единомышленников ) в Интернете . Web -2 нам ...
Строим сообщество ( или общество единомышленников ) в Интернете . Web -2 нам ...
 

Ähnlich wie Business: Security & Privacy

Developing a corporate intelligence strategy from online sources
Developing a corporate intelligence strategy from online sourcesDeveloping a corporate intelligence strategy from online sources
Developing a corporate intelligence strategy from online sourcesEnterprise Security Risk Management
 
Extreme Buyers + Extreme Governance + Extreme Engagement
Extreme Buyers + Extreme Governance + Extreme EngagementExtreme Buyers + Extreme Governance + Extreme Engagement
Extreme Buyers + Extreme Governance + Extreme EngagementJohn Mancini
 
How information gives you competitive advantage
How information gives you competitive advantageHow information gives you competitive advantage
How information gives you competitive advantageSandeep Gunjan
 
Top things to consider when building your outsourcing strategy
Top things to consider when building your outsourcing strategyTop things to consider when building your outsourcing strategy
Top things to consider when building your outsourcing strategyraulzamorano
 
What is an information professional?
What is an information professional?What is an information professional?
What is an information professional?John Mancini
 
E commerce fundamentals-01mar06
E commerce fundamentals-01mar06E commerce fundamentals-01mar06
E commerce fundamentals-01mar06Mavic Pineda
 
Plugin ch12edited-ok
Plugin ch12edited-okPlugin ch12edited-ok
Plugin ch12edited-okdonasiilmu
 
Plugin ch12edited-ok
Plugin ch12edited-okPlugin ch12edited-ok
Plugin ch12edited-okdonasiilmu
 
Wake up, Enterprise IT
Wake up, Enterprise ITWake up, Enterprise IT
Wake up, Enterprise ITJohn Mancini
 
Frank oracle strategy v2.3 fb.ppt [compatibility m
Frank   oracle strategy v2.3 fb.ppt [compatibility mFrank   oracle strategy v2.3 fb.ppt [compatibility m
Frank oracle strategy v2.3 fb.ppt [compatibility mOracle Hrvatska
 
PowerPoint presentation
PowerPoint presentationPowerPoint presentation
PowerPoint presentationwebhostingguy
 
Big Data Analytics
Big Data AnalyticsBig Data Analytics
Big Data AnalyticsEMC
 
Information Management on Mobile Steroids
Information Management on Mobile SteroidsInformation Management on Mobile Steroids
Information Management on Mobile SteroidsJohn Mancini
 

Ähnlich wie Business: Security & Privacy (20)

Developing a corporate intelligence strategy from online sources
Developing a corporate intelligence strategy from online sourcesDeveloping a corporate intelligence strategy from online sources
Developing a corporate intelligence strategy from online sources
 
Extreme Buyers + Extreme Governance + Extreme Engagement
Extreme Buyers + Extreme Governance + Extreme EngagementExtreme Buyers + Extreme Governance + Extreme Engagement
Extreme Buyers + Extreme Governance + Extreme Engagement
 
How information gives you competitive advantage
How information gives you competitive advantageHow information gives you competitive advantage
How information gives you competitive advantage
 
Top things to consider when building your outsourcing strategy
Top things to consider when building your outsourcing strategyTop things to consider when building your outsourcing strategy
Top things to consider when building your outsourcing strategy
 
What is an information professional?
What is an information professional?What is an information professional?
What is an information professional?
 
E commerce fundamentals-01mar06
E commerce fundamentals-01mar06E commerce fundamentals-01mar06
E commerce fundamentals-01mar06
 
Noronesc
NoronescNoronesc
Noronesc
 
Plugin ch12edited-ok
Plugin ch12edited-okPlugin ch12edited-ok
Plugin ch12edited-ok
 
Plugin ch12edited-ok
Plugin ch12edited-okPlugin ch12edited-ok
Plugin ch12edited-ok
 
Wake up, Enterprise IT
Wake up, Enterprise ITWake up, Enterprise IT
Wake up, Enterprise IT
 
Privacy lecture 7 partners
Privacy lecture 7 partnersPrivacy lecture 7 partners
Privacy lecture 7 partners
 
Privacy lecture 8 resources
Privacy lecture 8 resourcesPrivacy lecture 8 resources
Privacy lecture 8 resources
 
Frank oracle strategy v2.3 fb.ppt [compatibility m
Frank   oracle strategy v2.3 fb.ppt [compatibility mFrank   oracle strategy v2.3 fb.ppt [compatibility m
Frank oracle strategy v2.3 fb.ppt [compatibility m
 
Greenplum hadoop
Greenplum hadoopGreenplum hadoop
Greenplum hadoop
 
Greenplum hadoop
Greenplum hadoopGreenplum hadoop
Greenplum hadoop
 
PowerPoint presentation
PowerPoint presentationPowerPoint presentation
PowerPoint presentation
 
Bundling article 2010
Bundling article 2010Bundling article 2010
Bundling article 2010
 
Information Governance
Information GovernanceInformation Governance
Information Governance
 
Big Data Analytics
Big Data AnalyticsBig Data Analytics
Big Data Analytics
 
Information Management on Mobile Steroids
Information Management on Mobile SteroidsInformation Management on Mobile Steroids
Information Management on Mobile Steroids
 

Kürzlich hochgeladen

Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)tazeenaila12
 
ISONIKE Ltd Accreditation for the Conformity Assessment and Certification of ...
ISONIKE Ltd Accreditation for the Conformity Assessment and Certification of ...ISONIKE Ltd Accreditation for the Conformity Assessment and Certification of ...
ISONIKE Ltd Accreditation for the Conformity Assessment and Certification of ...ISONIKELtd
 
Introduction to The overview of GAAP LO 1-5.pptx
Introduction to The overview of GAAP LO 1-5.pptxIntroduction to The overview of GAAP LO 1-5.pptx
Introduction to The overview of GAAP LO 1-5.pptxJemalSeid25
 
Ethical stalking by Mark Williams. UpliftLive 2024
Ethical stalking by Mark Williams. UpliftLive 2024Ethical stalking by Mark Williams. UpliftLive 2024
Ethical stalking by Mark Williams. UpliftLive 2024Winbusinessin
 
Data skills for Agile Teams- Killing story points
Data skills for Agile Teams- Killing story pointsData skills for Agile Teams- Killing story points
Data skills for Agile Teams- Killing story pointsyasinnathani
 
Trauma Training Service for First Responders
Trauma Training Service for First RespondersTrauma Training Service for First Responders
Trauma Training Service for First RespondersBPOQe
 
Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024Borderless Access
 
Anyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agencyAnyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agencyHanna Klim
 
BCE24 | Virtual Brand Ambassadors: Making Brands Personal - John Meulemans
BCE24 | Virtual Brand Ambassadors: Making Brands Personal - John MeulemansBCE24 | Virtual Brand Ambassadors: Making Brands Personal - John Meulemans
BCE24 | Virtual Brand Ambassadors: Making Brands Personal - John MeulemansBBPMedia1
 
A flour, rice and Suji company in Jhang.
A flour, rice and Suji company in Jhang.A flour, rice and Suji company in Jhang.
A flour, rice and Suji company in Jhang.mcshagufta46
 
Scrum Events & How to run them effectively
Scrum Events & How to run them effectivelyScrum Events & How to run them effectively
Scrum Events & How to run them effectivelyMarianna Nakou
 
Upgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking ApplicationsUpgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking ApplicationsIntellect Design Arena Ltd
 
MoneyBridge Pitch Deck - Investor Presentation
MoneyBridge Pitch Deck - Investor PresentationMoneyBridge Pitch Deck - Investor Presentation
MoneyBridge Pitch Deck - Investor Presentationbaron83
 
MC Heights construction company in Jhang
MC Heights construction company in JhangMC Heights construction company in Jhang
MC Heights construction company in Jhangmcgroupjeya
 
Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for Business
Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for BusinessQ2 2024 APCO Geopolitical Radar - The Global Operating Environment for Business
Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for BusinessAPCO
 
Developing Coaching Skills: Mine, Yours, Ours
Developing Coaching Skills: Mine, Yours, OursDeveloping Coaching Skills: Mine, Yours, Ours
Developing Coaching Skills: Mine, Yours, OursKaiNexus
 
The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003
The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003
The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003believeminhh
 
Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024Borderless Access
 
Amazon ppt.pptx Amazon about the company
Amazon ppt.pptx Amazon about the companyAmazon ppt.pptx Amazon about the company
Amazon ppt.pptx Amazon about the companyfashionfound007
 

Kürzlich hochgeladen (20)

Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
 
ISONIKE Ltd Accreditation for the Conformity Assessment and Certification of ...
ISONIKE Ltd Accreditation for the Conformity Assessment and Certification of ...ISONIKE Ltd Accreditation for the Conformity Assessment and Certification of ...
ISONIKE Ltd Accreditation for the Conformity Assessment and Certification of ...
 
Introduction to The overview of GAAP LO 1-5.pptx
Introduction to The overview of GAAP LO 1-5.pptxIntroduction to The overview of GAAP LO 1-5.pptx
Introduction to The overview of GAAP LO 1-5.pptx
 
Ethical stalking by Mark Williams. UpliftLive 2024
Ethical stalking by Mark Williams. UpliftLive 2024Ethical stalking by Mark Williams. UpliftLive 2024
Ethical stalking by Mark Williams. UpliftLive 2024
 
Data skills for Agile Teams- Killing story points
Data skills for Agile Teams- Killing story pointsData skills for Agile Teams- Killing story points
Data skills for Agile Teams- Killing story points
 
Trauma Training Service for First Responders
Trauma Training Service for First RespondersTrauma Training Service for First Responders
Trauma Training Service for First Responders
 
Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024
 
Anyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agencyAnyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agency
 
BCE24 | Virtual Brand Ambassadors: Making Brands Personal - John Meulemans
BCE24 | Virtual Brand Ambassadors: Making Brands Personal - John MeulemansBCE24 | Virtual Brand Ambassadors: Making Brands Personal - John Meulemans
BCE24 | Virtual Brand Ambassadors: Making Brands Personal - John Meulemans
 
WAM Corporate Presentation Mar 25 2024.pdf
WAM Corporate Presentation Mar 25 2024.pdfWAM Corporate Presentation Mar 25 2024.pdf

Business: Security & Privacy

  • 1. Jeremy Hilton, with contributions from Pete Burnap and Anas Tawileh
  • 4.
    – The way people work is changing – ubiquitous Internet access
    – Web 2.0 technology and Cloud computing is supporting/driving a collaborative, on-demand culture
    – Virtual Organisations are frequently used to support collaborative, distributed working
      – Government Services (Transformational Government)
      – Medical (Patient Records)
      – Research (e-Research)
    – Inter-disciplinary organisations contribute content, others have access to the content
  • 5. “In relation to rights, the Government believes piracy of intellectual property for profit is theft and will be pursued as such through the criminal law.” “However, the Government also believes, and the evidence suggests, that most people, given a reasonable choice would much prefer not to do wrong or break the law…” “Personal data is the new currency of the digital world. Privacy and security of that data is an increasingly critical issue.”
  • 10.
    – All organisations are unique.
    – Each organisation has its own culture and history.
    – Each organisation is inhabited (and the processes are undertaken) by its own unique group of people.
    – These people have their own perceptions (interpretation) of their role.
    – They have their own perceptions of the relationship of their role to the organisation mission.
    – They have their own perceptions of the organisation mission itself.
  • 11.
    – The range and nature of the multiple perceptions, related to the people within an organisation, are not necessarily consistent or uni-directional. (This gives rise to personal agendas, politics, and potential inter-personal conflict.)
    – These multiple perceptions cannot be ignored in any description that tries to be relevant to a specific organisation.
    – Most organisations are best described as a mess.
  • 12. How can you think about a Prison as a Human Activity System?
    – A system to remove rights and privileges (punishment)
    – A system to control interaction between offenders and the community (security)
    – A system to instil Society’s norms and values (rehabilitation)
    – A system to enhance criminal activity (criminal education)
  • 13.
    – Reality is not any one of these views.
    – Reality is some mixture of these views. There may be little (or no) agreement as to what this mixture is.
  • 15. Ref: Anas Tawileh – PhD Thesis 2009
  • 16. (diagram, labels only) Problem Space: Business Purpose; Business Objectives; Business Information Needs. Solution Space: Processes; Information Systems; Information Technology.
  • 17. (diagram, labels only: Porter’s value chain) Support activities: Administration and infrastructure; Human resource management; Product/technology development; Procurement. Primary activities: Inbound logistics; Operations; Outbound logistics; Sales and marketing; Services. Value added – cost = MARGIN.
    – Can we enhance the value added by that activity?
    – Is there an opportunity to reduce the cost of that activity, or eliminate that activity?
    – Can we use that activity to differentiate the organisation?
    Porter, M. E., Competitive Advantage, The Free Press, 1985
  • 18. (diagram, labels only) Their suppliers; Our suppliers; Us; Our distributors; Their retailers; Consumer; Our competition. Flows: Demand information; Supply information.
  • 19. (diagram, labels only) Functions: Customer; Sales & Mktg; Order Fulfillment; Logistics; Operations; Product Development; Finance; Supplier. Channels: Website; Extranet; Intranet; ERP. Flows: Requirements; Support; Product Info; Invoice; Order; Product; Contracts; Forecast; Finished Goods; Product Ideas; Roadmap; P.O.s; Components & Materials.
  • 20. (diagram, labels only) Critical Infrastructures; Hackers; Privacy; Copyright; Government; Trademark; Law Enforcement.
  • 21. The Death of the Perimeter
    – (Banking) Business is conducted over networks
      – Multitude of connection points
      – Multitude of traffic types (protocols, content)
      – Complication!
    – Traditional perimeter security doesn’t scale:
      – For filtering of addresses or protocols
      – For management of multiple gateways
    – Mobile & wireless technology (largely) ignores the perimeter control
    – Most large corporates have leaky perimeters
    – Perimeter security does nothing about data flow and residence
  • 22.
    – Companies Act 2006
    – The Re-use of Public Sector Information Regulations 2005
    – Environmental Information Regulations 2004
    – Freedom of Information Act 2000
    – Electronic Communications Act 2000
    – Regulation of Investigatory Powers Act 2000
    – Data Protection Act 1998
    – Computer Misuse Act 1990
    – Copyright Designs and Patents Act 1988
    – Public Records Act 1967
    – Public Records Act 1958
    – Human Rights Act 1998
    – Software Licensing Regulations
  • 23. As dependency grows … IT security important? http://www.berr.gov.uk/files/file45714.pdf
  • 24. Controls are improving. Security has changed. http://www.berr.gov.uk/files/file45714.pdf
  • 25. But some big exposures remain. Most companies not doing enough.
    – Confidential information is increasingly at risk, especially in large organisations
    http://www.berr.gov.uk/files/file45714.pdf
  • 27. (chart, labels only) Private Sector: % of Enterprises in UK vs Employment, by Micro, SME and Large.
  • 28.
    – Managers of SMEs are busy running their company, trying to survive in a very competitive environment
    – They rarely address anything that is not a legislative or regulatory requirement, and even then will often only comply if there is a penalty for not doing so
    – Will avoid spending money, and time is money, training is money
    – Rarely buy in expertise; staff left to help each other and ‘learn on the job’
  • 32.
    – Not killing customers (food industry)
    – Cash flow
    – New orders/repeat business
    – Staffing
    – Legislation, Regulation
      – only so they can continue to trade
      – and directors not go to jail!
    – … and where does information security & privacy fit in?
  • 34. “you have zero privacy, get over it” – Scott McNealy, 1999 http://www.wired.com/politics/law/news/1999/01/17538
    Article 8 of the European Convention on Human Rights states: Everyone has the right to respect for his private and family life, his home and his correspondence
  • 35.
    – Process that enables organisations to
      – anticipate and address likely impacts of new initiatives
      – Foresee problems
      – Negotiate solutions
      – Manage risks
      – Design systems to avoid unnecessary privacy intrusion
  • 36.
    – Requirement by law
    – Requirement of government organisational policy
    – Appreciation that project has significant implications that should be subject of investigation
    – Existing public concerns
  • 37. (diagram, labels only) Assets; Threats; Vulnerabilities; Risks; Analysis; Countermeasures; Management.
  • 39. Security Standards - Cobit, ISO 27001
  • 40.
    – #2 Define the information architecture
  • 45.
    – When developing policy (rules), it is critical to consider if and how they can be implemented.
    – For example, if the policy is that: employees who breach a security rule, say, disclose information to someone unauthorised to see it, then they will be fired
  • 46.
    – People generally do what they want to do, even at work.
    – Hopefully this aligns with the organisation’s needs
      – incentivising; or
      – applying suitable sanctions.
    – May achieve short term benefit, but the change is short-lived unless
      – fundamental change is achieved
      – staff have a belief in the desired result
  • 48.
    – Staff need to be involved, trained and supported.
    – Tools will be required in order to enable the desired controls on information and analysis/audit of use
    – Accountability and responsibility of staff must be clearly defined and agreed.
    “Tell me and I’ll forget. Show me and I’ll remember. Involve me and I’ll understand.” – Old Chinese saying
  • 49. Adapting the creative commons approach for information classification and control
  • 52.
    – A set of licenses that are flexible enough to let you add as many or as few restrictions on your work as you like
    – Expressed in 3 different formats:
      – Lawyer-readable
      – Human-readable
      – Machine-readable
    – www.creativecommons.org
  • 53.
    – A set of classifications that are flexible enough to let you define and communicate the controls to be applied to your information
    – May be combined with creative commons licenses
    – Expressed in 3 different formats:
      – Security Officer-readable
      – Human-readable
      – Machine-readable
  • 54. Use
    – Confidentiality: RA – Restricted Access; PI – Personal Information; OO – Organisation Only; ND – Non-Disclosure; CA – Community Access; CG – Corporate Governance; OA – Open Access; SD – Safe Disposal; CU – Controlled Until
    – Integrity: AD – Approved for Disclosure; BY – Attribution (cc)
    – Authentication: AB – Authorised By; ND – Non-Derivatives (cc)
  • 55. Restricted Access
    – The information is restricted to the nominated recipients
    – The owner of the information will nominate the authorised recipients
    – The owner may delegate responsibility for nominating authorised recipients
  • 56. Personal Information
    – The information contains personal information and consideration must be made before sharing the information
    – This classification is likely to be used in conjunction with other labels such as cc
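As an added illustration of the machine-readable form described in slides 53 to 56 (example code, not from the presentation or the Avon & Somerset work): a hypothetical Python evaluator in which the RA nomination rules and the PI "consider before sharing" behaviour follow slides 55 and 56, while the `+`-separated label string, the checks assumed for OO, CA and OA, and deny-by-default are assumptions.

```python
"""Hypothetical evaluator for the deck's information-classification labels.
RA and PI follow slides 55 and 56; the checks assumed for OO, CA and OA, the
"+"-separated machine-readable form and deny-by-default are assumptions."""
from dataclasses import dataclass, field

# Machine-readable codes (slide 54) mapped to their human-readable names.
LABEL_NAMES = {"RA": "Restricted Access", "PI": "Personal Information",
               "OO": "Organisation Only", "CA": "Community Access", "OA": "Open Access"}

@dataclass
class Classified:
    """A piece of information, its owner, and the labels applied to it."""
    owner: str
    labels: set
    organisation: str = ""
    community: str = ""
    nominated: set = field(default_factory=set)   # RA: authorised recipients
    nominators: set = field(default_factory=set)  # RA: delegated nominators

def parse_labels(machine: str) -> set:
    """Parse the machine-readable form, e.g. "RA+PI"; unknown codes are rejected."""
    codes = {c.strip().upper() for c in machine.split("+") if c.strip()}
    unknown = codes - set(LABEL_NAMES)
    if unknown:
        raise ValueError(f"unknown label(s): {sorted(unknown)}")
    return codes

def human_readable(labels: set) -> str:
    """The same labels in the human-readable format."""
    return ", ".join(LABEL_NAMES[c] for c in sorted(labels))

def nominate(item: Classified, by: str, recipient: str) -> None:
    """Only the owner, or a nominator the owner delegated to, may add recipients."""
    if by != item.owner and by not in item.nominators:
        raise PermissionError(f"{by} may not nominate recipients for this item")
    item.nominated.add(recipient)

def decide(item: Classified, who: str, org: str, communities: set):
    """Return (allowed, notes). Every control label present must permit the
    request; PI never decides by itself but adds a 'consider before sharing' note."""
    checks = {"RA": who in item.nominated, "OO": org == item.organisation,
              "CA": item.community in communities, "OA": True}
    controls = [c for c in item.labels if c in checks]
    failed = [LABEL_NAMES[c] for c in controls if not checks[c]]
    allowed = bool(controls) and not failed  # no control label at all: deny
    notes = [f"denied by {name}" for name in failed]
    if "PI" in item.labels:
        notes.append("Personal Information: consider before sharing")
    return allowed, notes
```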
  • 57. Avon & Somerset Criminal Justice Board - PRIMADS
  • 58.
    – Multi-Agency environment
      – Police
      – Courts Service
      – Probation Service
      – Lawyers
      – Social Services
      – Health, etc
    – Offender management
    – Privacy issues in data shared during arrest, prosecution and detention
    – Release under licence
  • 59.
    – Changing individuals’ behaviour such that:
      – the need for safe handling of information is understood & accepted; and
      – controls agreed and applied
    – Because the individuals choose to, not because they are told to.
  • 62.
    – ASCJS workshops confirmed the usefulness of the scenario-based risk assessment and icon-based approach for communicating controls
    – Identified a number of additional benefits that contributed to an increased understanding of the distributed community and the need for controls
    – In addition, they expressed an interest in the ability to implement a technical solution to provide fine-grained access to data-sharing in a collaborative, distributed environment
  • 63.
    – Know your staff
    – Ensure all understand the business and the part they play in its success
    – Be aware of your obligations
    – Discuss the issues and how they impact on the critical parts of your business
    – Involve staff
    – Agree controls, ensure accountability from top to bottom