Posted by Sean Pollonais at 11:42
I recently read Don't Talk to Strangers to my son. In the story Christopher Robin leaves the 100 Acre Wood to go visit his grandmother all by himself. Piglet finds this a worry and asks him if he is scared. Christopher Robin says no because he has the Stay-Safe-Rules written by his mother to help protect him.
Of course at that point my security hat went on and I considered how those rules relate to the effort of creating a culture where colleagues are conscious of their responsibilities in protecting Ofcom's data.
AA Milne wrote this story in the late 1920s and today those rules still hold true in many spheres of life. Looking through companies' security policies we see these rules reflected, and they have proved to be universal truths indeed.
Don't talk to strangers
Avoid all confidential discussions with colleagues and/or stakeholders in public areas of such buildings or offices. These areas may include receptions, restaurants/cafes, lifts and lift lobbies.
Remember that office buildings are often shared with other tenants. The public areas should therefore be considered to be no more secure than, for example, an external restaurant or train station.
Do not share confidential information with third-parties without appropriate prior approval from a senior manager.
When taking sensitive papers out of the office keep them secure and out of view and do not allow anyone at a conference or meeting to read your documents if they have no legitimate reason to do so.
Never open your door to a stranger
Display company security passes at all times in the offices and be aware of potential tailgaters when entering and leaving. If in doubt about someone's identity, ask him/her to show a pass.
Escort visitors at all times, particularly back to reception.
Never take a present from a stranger
Do not install third-party software or hardware applications, disclose password details or access other colleagues' files or emails without appropriate approval.
Act responsibly and reasonably in using company IS systems for personal purposes such as web browsing or email.
Never take a ride from a stranger
As part of their role, some colleagues will from time to time need to speak to or meet other members of the business community. Such contacts should be carefully handled, and are subject to the following rules:
No one should maintain active contacts without ensuring that the group head is fully aware of these and has given written agreement. In particular, lunches and other events should be approved by the group head in advance.
More generally, any conversations should be restricted to gathering information and opinion about the market.
If a stranger does try to talk to you or touch you, yell "NO!", run away, and tell a grown-up you trust as soon as you can
Do not click on links in unsolicited emails. Do not give information to callers whose identity you cannot confirm. If you spot a security flaw in any of the company’s facilities including the offices, network and websites, please report this to the security team.
And remember, if you're going somewhere, it's always friendlier and safer to go with someone you know
Third party service providers offer ways to help managers and their groups perform more efficiently. It is always best to check the levels of security a provider is able to offer and ensure that it is documented in a contract. Buying in external services should not be done without consulting other relevant colleagues.
Safety and security are about creating protective habits in handling what is valuable to us. A good habit to develop is removing any sensitive documents in your possession from meeting rooms, copiers, printers and business centres as soon as the reason for them being there expires.
Christopher’s grandmother understood this and was able to put together a list of cautions that will lead to safe behaviour.
Posted by Sean Pollonais at 00:20
All the family went to Berkhamsted Castle last Sunday. It was a sunny day and lots of people were camped out on the grass where an entire community once lived under siege for two weeks. The area looks small today but I can imagine how an entire town can live within the once formidable walls and function on a normal basis.
Castles are part of the iconography of defence and in InfoSec they have been used to illustrate many different aspects of securing information. It is also instructive that they are used to represent an idea of what should be happening when we say we are protecting information.
The popular portrayal of a castle is of a redoubtable village under siege. InfoSec has had this analogy at its disposal from the early years of enterprise networks and it has served its purpose in explaining what was considered good security.
With the castle parallel you get the idea that the castle’s inhabitants could rely on the knights to balk any attack. A network was a complicated, engineered system that protected the company’s data and all who processed it. The metaphor has been tried and tested and it is understood by all.
I would like to add another observation about castle life that is applicable to today's porous networks that handle consumerisation and Cloud services. With these two challenges you can no longer employ the siege scenario, because applying it would imply that the gates are open while the castle is under attack.
In the life of many castles, attacks will have been occasional. Much of the time, life will be lived under normal conditions with commerce carried out in all spheres. The nearby farmland had to be worked, the livestock tended, trade with other groups and recreation outside the confines. A castle could not be sustained without these comings and goings.
The preparedness of the castle dwellers to revert to 'lock down' and to play their part in the survival of a siege will have been important. What did they understand their expected behaviour to be when outside of the walls? After a long period of peace, would they have changed behaviours, perhaps becoming more welcoming to strangers? Would they go out to the fields alone? Did they know which villages were safe to visit? Did they still keep old secrets?
Today, InfoSec could exercise that story of the castle but add that the experts have a duty to raise the level of awareness in all staff about what part they must play to protect the company’s information.
Without trade, villages/companies die. The knights/InfoSec are skilled with the tools of defence. Dwellers have to work and ensure the castle prospers. In war and in peace, NO ONE must divulge the source of the castle's well water.
Posted by Sean Pollonais at 23:58