1 Introduction to corporate security
Teemupekka Virtanen
Helsinki University of Technology
Telecommunication Software and Multimedia Laboratory
teemupekka.virtanen@hut.fi

2 Arrangements
- Get the handouts
  - Additional material
  - Slides?
- Register to the course in TOPI
- Home page
  - Can be found on the TML laboratory course page
  - Slides?
3 Lecture 2: Management
- Security management and organizing security in an organization
- Security as a part of normal business
- Security as a function
- Content
  - Goals
  - Organization
  - Public relations

4 Security in an organization
5 Security means conflicts
- The security needs of different parties conflict with each other
  - I am secure if I have a gun and you don't
  - I must be able to read your e-mail
- One part of security management is to understand these different needs and take them into account
  - Often one participant just takes its own needs into account
  - Others try to arrange their needs by breaking the rules

6 Security as a brand maker
- Many customers want secure products and services, and they are also willing to pay for that
- Many customers want to transfer part of their risks to partners and thus require a higher security level and continuity
- There is a market for security products and services
  - Price is often not the main criterion in this market
7 Security and efficiency
- The main function of security is to prevent failures in the main business
- The fewer incidents, the more efficient the production
- If too much time is spent on clean-up work, production can't be efficient

8 Figure: Development of the number of corporate crimes ("Yritysrikosten määrän kehitys"). Survey question: have the crime risks and abuses directed at the company during the last three years increased a lot, increased somewhat, stayed the same, decreased somewhat or decreased a lot (bars in percent, plus a balance figure); breakdown by company size (5-49, 50-249, 250+), respondent position (CEO, finance manager, security manager, other) and industry (manufacturing, construction, trade, services). All respondents (n=463): increased a lot 3, increased somewhat 31, stayed the same 60, decreased somewhat 4, decreased a lot 1, balance 30. Source: Yritysturvallisuus 2005 / Yritysten rikosturvallisuus 2005: Riskit ja niiden hallinta selvitys, www.kauppakamari.fi, October 2005.
9 Models in security management

10 Confederation of Finnish Industries
- The Confederation of Finnish Industries has been active in security for many years
  - Especially in SMEs
- Material and education in security management
- Based on the PhD thesis by Markku Peltonen (1993)
11 Figure: the sectors of corporate security in the Confederation of Finnish Industries model: Administrative Security, Physical Security, Personnel Security, Transportation Security, Fire Prevention, Emergency Supply, Information Security, Risk Management, Environmental Protection, Safety.

12 VAHTI
- The Government Information Security Management Board VAHTI by the Ministry of Finance
- Cooperating, steering and developing Government information security
- The first governmental decision in information security in 1992
- Several guides and decisions since then
- http://www.vm.fi/vm/en/13_public_management_reforms16746/09_information_security/index.jsp
13 ISO 17799 / 27700
- Originated as a British standard, now an international standard by ISO
- Several controls which must be part of normal working processes
- Well defined
  - Same controls everywhere
  - Easy to check

14 Information security by ISO
- The purpose of information security is to guarantee the continuity of the business and minimize damage to the business by preventing and minimizing the losses caused by security-related incidents
15 The structure of the standard
- Security policy
- Organizing security work
- Classification and supervision of information
- Information security and personnel
- Physical security and security against the environment
- The management of computers and networks
- Access control
- Development and maintenance of information processing
- The design of business continuity
- Compliance

16 The key controls
- The existence of an information security policy
- Responsibilities in information security
- Information security education and practising
- Reporting of incidents
- Virus checking
- The design process for business continuity
- IPR protection and preventing illegal copies of programs
- Protecting data
- Privacy protection
- Compliance with the information security policy
17 Other ISO standards
- ISO 15408 Common Criteria
  - Systems
- ISO 21827 Security Engineering Capability Maturity Model
  - Processes

18 Own model
- Developed when designing the security policy for the Finnish Defence Forces
- The model is organized by organizational units
20 The assets
- All kinds of assets which are valuable for an organization
- The value can be based on
  - Money
  - Functional value
  - Brand / feeling
21 Property
- Valuables
  - Value is based on money
  - Money, art etc.
- Real property
  - Functional value (own premises used in business)
  - Money (investments, rented out)
- Machines and devices
  - Functional value
- Stock
  - Functional value
- Risks related to property

22 Figure: Risks related to property ("Omaisuuteen liittyvät riskit"), realized risks/threats, share of "yes" answers in percent, all respondents (n=463) with breakdowns by company size (5-49, 50-249, 250+): theft of tools or equipment 34, burglary into office or production premises 28, vandalism against other company property 23, vandalism against office or production premises 21, significant shrinkage 7; net realized risks/threats 53. Source: Yritysturvallisuus 2005 / Yritysten rikosturvallisuus 2005: Riskit ja niiden hallinta selvitys, www.kauppakamari.fi, October 2005.
23 Information
- Required in business processes
  - Raw material
  - Processing tool
- Value based on money
  - The cost of gathering the piece of information
  - The selling price
- The value of a piece of information is based on the rarity of the information
  - The better it is known, the lower the price
- Risks related to information

24 Figure: Risks related to information ("Tietoon liittyvät riskit"), realized risks/threats, share of "yes" answers in percent, all respondents (n=463) with breakdowns by company size (5-49, 50-249, 250+): attempted break-in or hacking of the data network 36, copying of data for own use before leaving the company's service 19, telling critical company matters to a third party without permission 14, unauthorized snooping on or espionage of company information (content) 9, deliberate destruction of files 6, break-in or hacking of the data network 6, handing over a document containing confidential company matters to a third party without permission 5, unauthorized modification or forgery of company information (content) 3; net realized risks/threats 55. Source: Yritysturvallisuus 2005 / Yritysten rikosturvallisuus 2005: Riskit ja niiden hallinta selvitys, www.kauppakamari.fi, October 2005.
25 Personnel
- People can be divided into
  - Hands
  - Information storages
- Risks related to people

26 Figure: Risks related to people ("Ihmisiin liittyvät riskit"), realized risks/threats, share of "yes" answers in percent, all respondents (n=463) with breakdowns by company size (5-49, 50-249, 250+): an employee has been threatened or harassed at work 29, an employee has committed a crime or abuse against your company 27, another work-related crime against an employee has occurred 8, key persons or their close relatives have been threatened in connection with work 7, an employee has been a victim of violence at work 7, an employee has committed a crime or abuse against your customer 6; net realized risks/threats 44. Source: Yritysturvallisuus 2005 / Yritysten rikosturvallisuus 2005: Riskit ja niiden hallinta selvitys, www.kauppakamari.fi, October 2005.
27 Reputation
- For an organization the reputation is often as important as property and information
  - The stock value is based on reputation
  - The decision which product to buy is based on reputation
- Risks related to operation

28 Figure: Risks related to operation ("Toimintaan liittyvät riskit"), realized risks/threats, share of "yes" answers in percent, all respondents (n=463) with breakdowns by company size (5-49, 50-249, 250+): a partner has been unreliable 33, deliberate spreading of false information about the company 25, unusual shrinkage in production, transport or storage 17, there is undeclared labour in the industry 12, abuses related to financial administration 5, the company has encountered bribery 5, extortion with harmful information 2; net realized risks/threats 56. Source: Yritysturvallisuus 2005 / Yritysten rikosturvallisuus 2005: Riskit ja niiden hallinta selvitys, www.kauppakamari.fi, October 2005.
29 Mandatory protection methods
- There are some protection methods that must be arranged in every organization
- All the other protection measures are based on these

30 Security management
- Combining security with the business
  - It is the business that must be protected
  - The business sets the requirements
- Defining the security requirements
  - The risk analyses
- Organizing the security function
31 Classification
- Find the assets which are valuable for the organization
- Find out in which way they are valuable
  - Confidentiality - Integrity - Availability
- Define the value using some measurements

32 Optional methods
- The protection is built using optional methods
- The methods are selected according to the protected asset, situation and environment
- The level of the protection is important; the methods can be changed
33 Physical security
- Creation of different zones and controlling the access to each zone
- Prevention, detection, reaction

34 IT security
- Creation of different zones and controlling the access to each zone
- Prevention, detection, reaction
35 Personnel security
- Defines who can be trusted and who is an outsider
- Makes sure that own staff is not a threat
  - Employment process
  - Annual processes
  - Kick-out process
- Ensure the quality of the staff
  - Will
  - Capability

36 Operational security
- The quality of the main function of an organization
- Designing processes in such a way that work can be done in a secure way
- Resource management
  - Staff
  - Time
- Processes that can be supervised and inspected
37 Further development of security ("Turvallisuuden kehittäminen"): what are the future priorities in developing security? All respondents (n=463), percent; "-" where the chart shows no value:

Area                                           More than now  Same as now  Can't say  Less than now  Balance
Information security                                      63           35          1              -       63
Key person security                                       26           71          2              -       26
Security of production premises and equipment             26           71          2              -       26
Personnel security                                        25           74          2              -       25
Prevention of other threats                               14           78          7              -       14
Preparedness for terrorism                                 6           79         13              2        5

Source: Yritysturvallisuus 2005 / Yritysten rikosturvallisuus 2005: Riskit ja niiden hallinta selvitys, www.kauppakamari.fi, October 2005.

38 Organizing security in an organization
39 Traditional security organization
- There must be defined staff for certain functions, like protecting the working conditions and the environment
  - Security is one of these
- The security manager or security department is a special function directly connected to the CEO
- Security policy and orders come from the security department, signed by the CEO

40 Security management using the normal command chain
- Security is a part of normal operations
- When defining a goal, some restrictions are defined at the same time
- The lower level can set its own security level higher if needed
41 Figure: requirements passed down the command chain
- Get the requirement from the upper level: the mail service has to work (90)
- Assign the requirements to the subprocesses: the Internet connection has to work (90), the intranet connection has to work (90), mail server A has to work (45), mail server B has to work (45), the workstation has to work (90)
- Send the requirements to the lower level

42 Organizing the own model
- Security management is part of normal management
  - Setting goals according to the strategy of the business
- Personnel security is normal work for personnel management
  - Employment, benefits, annual discussions
- Physical security is part of the management of the premises
- IT security is part of IT management
- Operational security is part of the normal job
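One way to model the requirement chain of slide 41 in code, as an added example that is not part of the lecture material: each unit inherits the requirement from the level above, a redundant pair shares it (the slide's 90 split into 45 and 45 is read here as an assumption), and a check flags any unit that set its own level lower than required, which slide 40 does not allow. The 0-100 scale, the Unit class and the mail_service builder are assumptions of this example.

```python
"""Requirement propagation down a command chain (added illustration).
Assumed: levels are targets on a 0-100 scale; a unit marked shared splits
its requirement evenly between redundant children; all other units hand
the requirement unchanged to each child; a unit may raise, never lower."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Unit:
    name: str
    own_level: Optional[float] = None   # level the unit sets for itself, if any
    shared: bool = False                # children are redundant and share the requirement
    children: list[Unit] = field(default_factory=list)


def propagate(unit: Unit, required: float, out: Optional[dict] = None) -> dict:
    """Assign requirements top-down. Returns {name: (required, effective)}."""
    if out is None:
        out = {}
    # A unit without its own setting simply inherits what the upper level requires.
    effective = required if unit.own_level is None else unit.own_level
    out[unit.name] = (required, effective)
    n = len(unit.children)
    child_req = effective / n if unit.shared and n else effective
    for child in unit.children:
        propagate(child, child_req, out)
    return out


def violations(assigned: dict) -> list[str]:
    """Units that set their own level below what the upper level requires."""
    return sorted(name for name, (req, eff) in assigned.items() if eff < req)


def mail_service(workstation_level: Optional[float] = None) -> Unit:
    """The tree from slide 41 (constructed); only the workstation level varies."""
    return Unit("mail service", children=[
        Unit("Internet connection"),
        Unit("intranet connection"),
        Unit("mail servers", shared=True,
             children=[Unit("mail server A"), Unit("mail server B")]),
        Unit("workstation", own_level=workstation_level),
    ])


if __name__ == "__main__":
    for name, (req, eff) in propagate(mail_service(), 90).items():
        print(f"{name:20s} required {req:5.1f} effective {eff:5.1f}")
    print("violations:", violations(propagate(mail_service(80), 90)))
```

A unit that raises its own level passes the raised value on to its own subprocesses, so a stricter local choice never loosens anything below it.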
43 Outsourcing
- If the definitions are made properly, outsourcing is easy
  - Security requirements must be included in the agreements
  - The price of security is a part of the normal price
- It is not possible to outsource everything
  - One can outsource the application but not the definition
  - Security requirements support the business targets and usually they can't be outsourced

44 Public relations and security
- Public relations is part of incident management
- When making plans for an incident there should also be a plan for PR
  - Who
  - How much should be told
  - What is the message
- The success in PR affects
  - Reputation
  - Business continuity
45 The purpose of incident PR
- Stakeholders know what has happened
- Stakeholders can act correctly in the new situation
- Keeping trust between stakeholders

46 Problems in PR
- The spokesman is not defined
  - Several spokesmen, conflicting messages
  - Which message is the correct one?
- The spokesman doesn't know enough
  - The message is wrong or not believable
- The wrong message is told
  - The truth will be found out anyway
- Several messages
47 Some experiences from real life
- Understanding the role of security: Sonera
- Information security manager of GE Money
- Privacy protection in messaging

48 Conclusions
- Security is a support function to achieve business goals
- With security it is possible to find new customers and build a better brand
- Security is a way to make business processes more efficient by preventing incidents and failures
- There are many ways to organize security in an organization