COMP 3371 Cyber Security Richard Henson University of Worcester February 2017

Week 3: Data, Information and Organisations
- Objectives:
  - Explain why, before an ISMS can even be considered, information flows between an organisation and the rest of the universe need mapping, and to actually do this
  - Explain why it is important also to gather information to map information flows within an organisation, and to do this as well

Organisations and Systems
- As already discussed
  - each organisation has a purpose
  - each organisation is different! No template ISMS is therefore possible
- Normally, the organisation creates some kind of system to enable them to fulfil their purpose!

Inputs and Outputs
- Many organisations decide to produce something…
  - and then sell it to people (B2C) or organisations (B2B) who become their customers
  - but they need to get the stuff to make it, first…
[Diagram labels: input, organisation, output]

Machinery, Tools and Consumables (developing the system - 1)
- Before they started up as a business, the founders would need to do a lot of planning and answer a lot of questions…
  - how will they get customers (website? other channels)
  - how will they get their product (outputs) to their customers
  - how will they get the right raw materials (inputs) to make that product

Machinery, Tools and Consumables (developing the system - 2)
- Also…
  - what tools and machinery do they need to make the product (requires expenditure)
  - how will their equipment be maintained
  - what government departments need to be involved when they start trading!
  - what sort of information will the government need?

Developing a System
- All organisations set up a system to cope with all the inputs and outputs
  - inputs and outputs could be things or data
  - as part of their planning, they draw diagrams showing flows for both
  - usually stick to the plan to get the business running, so the system works

Getting out of Control!
- Then… if the business succeeds… the system grows
  - busy running the business
    - concentrate on their purpose, which they should be realising through meeting their business objectives
    - may well find they are spending more than expected to keep that system going
  - won’t necessarily update the plan…
    - 10 years later they may not have a clue about their current information flows!

Developing a Context Diagram
- Get the plan to manage information BACK INTO FOCUS
  - lot of talk about Business Transformation
  - first stage is to establish where the business is NOW!
    - start with context diagram
      - useful also from information security perspective!
    - then look at flows within the organisation

External Entities
- Any external organisations that share information with the business
- Could be a lot of them…
  - suppliers: of products and services
  - business customers
  - government bodies
  - private sector industry bodies (local or national)

Suppliers
- Businesses:
  - that provide raw materials
  - that provide equipment & consumables
  - that provide services
- All have important information flows
  - each has an individual channel for information flow
  - needs to be categorised as H, M or L risk
    - risk quantified in terms of consequences of losing data

Customers
- Need to have details to supply goods
- Could be business or consumer
  - both involve confidential data but consumer data is protected by law!

Government Agencies
- Companies House & Tax Office
  - if registered as a business
- Local Government
  - payment due for business premises

Private Organisations
- Accountant
- Web Site Provider
- Media (advertising)
- Internet access provider
- Solicitor
- Business support organisations
- Others…

Information Flow to Externals list (and risks…)
- A business exchanges information with a lot of organisations
  - organisation will be surprised at how much information needs to go in and out
  - information flow to each external entity needs to be “risk assessed”
  - convenient to create a list…

External | Type of information | Risk level (H, M or L)

Drawing that Context Diagram
- Provided that all externals are listed… should be easy to complete
[Diagram labels: external, Data flow, Internal system]
  - https://www.visualparadigm.com/tutorials/data-flow-diagramexample-food-ordering-system.jsp

Events
- Processing events within the system
  - identify those that could in theory cause a data breach
    - e.g. customer places order
    - e.g. management requires sales report

System within a System
- Inside the business system boundary…
  - Orders have to be processed
  - Purchases have to be made
  - Accounting has to be quantified
  - Others?
- All of these need data flows, data processing, data storage… mapped through Data Flow diagrams

Scope
- With large organisations, it may be useful just to focus on information risk in a small part of that organisation
  - scope defines the system boundary from a risk assessment (and even information assurance) perspective
- Context diagram still possible…
  - rest of the organisation also represented as “externals”
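
Added example (not part of the original slides): one way to turn the externals list into a context diagram, and to redraw it for a narrower scope so that the rest of the organisation appears as externals. Entity names, flows, H/M/L ratings and function names are all constructed for illustration.

```python
# Added example: derive a context diagram from a register of information flows.
# Every entity, flow and H/M/L rating below is constructed sample data.
from collections import defaultdict

RISK_ORDER = {"L": 0, "M": 1, "H": 2}

# (source, destination, type of information, risk level)
FLOWS = [
    ("Customer", "Sales", "order and delivery details", "H"),
    ("Sales", "Accounts", "invoice request", "M"),
    ("Accounts", "Tax Office", "tax return", "H"),
    ("Supplier", "Purchasing", "price list", "L"),
    ("Purchasing", "Supplier", "purchase order", "M"),
    ("Purchasing", "Accounts", "supplier invoice", "M"),
    ("Accounts", "Accountant", "annual accounts", "H"),
]

def context_diagram(flows, scope):
    """Collapse everything in `scope` into one system; all else is an external.

    Returns {external: {"in": [...], "out": [...], "risk": "H"|"M"|"L"}},
    keeping only flows that cross the system boundary.
    """
    scope = set(scope)
    externals = defaultdict(lambda: {"in": [], "out": [], "risk": "L"})
    for src, dst, info, risk in flows:
        if risk not in RISK_ORDER:
            raise ValueError(f"flow {src}->{dst} has no H/M/L rating: {risk!r}")
        if (src in scope) == (dst in scope):
            continue  # wholly inside or wholly outside the boundary
        external, direction = (dst, "out") if src in scope else (src, "in")
        entry = externals[external]
        entry[direction].append(info)
        if RISK_ORDER[risk] > RISK_ORDER[entry["risk"]]:
            entry["risk"] = risk  # an external carries its highest-rated flow
    return dict(externals)

def to_dot(diagram, system="System"):
    """Render the context diagram as Graphviz DOT text."""
    lines = ["digraph context {", f'  "{system}" [shape=circle];']
    for ext, e in sorted(diagram.items()):
        lines.append(f'  "{ext}" [shape=box, label="{ext}\\nrisk {e["risk"]}"];')
        lines += [f'  "{ext}" -> "{system}" [label="{i}"];' for i in e["in"]]
        lines += [f'  "{system}" -> "{ext}" [label="{i}"];' for i in e["out"]]
    lines.append("}")
    return "\n".join(lines)

# Whole business in scope, then only the Accounts function in scope.
WHOLE_BUSINESS = context_diagram(FLOWS, {"Sales", "Accounts", "Purchasing"})
ACCOUNTS_ONLY = context_diagram(FLOWS, {"Accounts"})
```

With only Accounts in scope, Sales and Purchasing show up as externals alongside the Tax Office and the Accountant, and flows that never touch Accounts drop out of the diagram.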

Data Flow Diagrams (DFDs)
- Arranged in a hierarchical order:
  - Level 1… level 2… level 3, etc.
- For high level risk analysis, DFD level 1 is sufficient

Level 1 DFDs
- Identify top-level processes within a system
- Each process should interface with an external
- Processes may have associated data stores, or pass data direct to further top-level processes, or both

DFD symbols
- Process
- Data Store
- Data Flow

High, Medium or Low Risk?
- Internal processes only manipulated by employees
- Still important to identify flows and stores as involving high, low or medium risk data
- As with external flows…
  - value of that data to the organisation is an important factor in assessing risk

Risk and Resources
- Results from risk assessment…
  - organisation more aware of what needs to be protected most
  - Take steps to reduce vulnerabilities
- If information is high risk…
  - more resources to protect data; put it in a safer place (cost?)
  - greater training for staff involved with that data
  - Penalties for data mismanagement?