Security For Managers

1
Security For Managers
2
Your ORG
3
Introductions
4
CompuMentor
TechCommons http//www.compumentor.org/techcommons
.html TechSoup.org http//www.techsoup.org/ Te
chSoup Stock http//www.techsoup.org/stock/
5
Sponsored by
6
Designed by
7
Workshop Agenda

• Introductions
• Getting Technical Expertise
• Security Basics
• Assessing Risk
• Break
• Systematic Approach
• Managing Security Changes
• Conclusion

8
Workshop Goals

• To gain awareness of security issues
• To understand how to use CompuMentors Desktop
  Security Audit process
• To understand the role of management and
  leadership in information security
• To be able to apply some tools and techniques for
  making your organization secure

9
Desktop Security Series

Technology
Organizational Culture
10
Desktop Security Series

• Technical workshops covered how to audit Windows
  desktop machines
• Organizational workshop covers how (and why) to
  use the audit to develop a secure technology
  environment

11
Getting Technology Expertise

• Consultants
• On Demand
• Specialists
• Normally charge by the hour
• Volunteers
• Require management too!
• Generally less available

12
Consulting Resources
TechFinder - http//www.techfinder.org Consultant
Commons - http//www.consultantcommons.org Nonprof
it Technology Enterprise Network -
http//www.nten.org NPower - http//www.npower.or
g Local management support organizations Your
Network Ask fellow nonprofits for
recommendations
13
Security Concepts
Confidentiality
Integrity
Availability
14
Confidentiality
Encryption
Access Controls
Trained Users
15
Integrity
Secure Backups
Intrusion Detection
Business Processes
16
Availability
Trained Users
Reliable Systems
Reliable Transport
17
CIA Applied
Confidentiality
Integrity
Availability
File access control by user name and password
Reconcile against number of Employees
Grant access and edit rights to appropriate staff
Protect machine from malware
Reconcile salaries against filed salary forms
Maintain computer and network file is stored on
Encrypt the disk the file is stored on
Train staff to follow editing procedures
Ensure file is backed up securely
Train users not to give out their password
Include formula checks
Train appropriate staff to access the file
Train users not to copy the file, or email it
18
Security Tools

• Operating Systems
• Network Technologies
• Defensive Software

• Strong Passwords
• Application Configuration
• Good Management

19
Threat Factors

• Threats can be due to
• Technology
• Location
• People
• Mission

20
Common Risks

• Risk Impact/Consequence
• Data Loss Costs of recovering data
• Theft Cost of replacement
• Unauthorized Loss of stakeholder confidence
• Access
• Infested Loss of productivity, cost of cleaning
• Computers machines

21
Assessing Risk
Chance x impact risk
Likelihood/year x cost annual risk
22
Systematic Approach
Appropriate

• Standards Based

Proactive

• Consistent

• Maintained

23
Secure Home
What threats does a home need securing against?
24
CompuMentors Desktop Security Audit

• Standardized set of checks for desktop computers
• Based on Windows Best Practices for small NPOs
• Report summarizes frequent, critical and unusual
  vulnerabilities
• Recommendations are just a start
• Feel free to ask questions

25
How Do You Sail to a Secure Horizon?
Prioritize
Set Expectations
Get Resources
Manage Change
26
Prioritizing
Most Frequent
Most Critical
Greatest Capacity to Implement
27
Setting Expectations
Policies
Documentation
Training
Management Check-ins
Rewards
Sanctions
28
Getting Resources Appeal on All Levels
Return on Investment
Horror Stories
Productivity Gains
Personal Improvements
Greater Capacity to Use New Technology
29
Managing Change
Communicate Win Hearts and Minds
Listen to Criticism and Respond to Concerns
Ensure Adequate Training
Allow No Exceptions
Celebrate
30
Conclusion
Undertake the Security Audit
Assess the Recommendations
Implement Systematic Changes
Dont Forget to Train and Maintain