Corporate security

Slide 2: We Do Not Live In The Internet
- Fire
- Burglary
- Employees stealing from the company
- Key person becomes unavailable
- Water damage
- Terrorist/activist attack
- Competitor spying
- Confidential information leaks to the press
Jarno Niemelä [email protected]

Slide 3: Topics For The Day
- Employee safety and security
- Building security
- Alarms and monitoring
- Building safety
- Storage of valuables
- Risk management

Slide 4: Employees
- The most important asset, but also the greatest risk
- Employee skills, efficiency and morale determine how your company does
- Good personnel management is the most important thing when running a company
- The basic principle is to keep the good people in and the bad people out

Slide 5: Employees As a Resource
- From the company's point of view employees are: workforce; the most important asset; information storage; the greatest security risk
- Key employees are critical resources: someone who knows something that no one else does; without the key person some process is impossible
- Prevent this by distributing information and having backup persons for each task

Slide 6: Employees As a Security Risk
- Unhappy people work poorly, and may leave
- Employees leak information, intentionally or not: treat people well, have fair policies; give training on where to talk, what to talk about and whom to talk to
- Employees stealing company property: happy and motivated people are unlikely to steal; increase the risk of getting caught, conduct inventories
- Keep track of what your employees do and how: are there reasons for them to be unhappy?

Slide 7: Hiring People
- Look for the right person for the right task: not overqualified; qualified and motivated for the job; fits with the people you already have
- Make sure you know who you hire: do a proper interview, and also one with the team; check the background and references; test the skills of potential applicants; personality tests, what do they tell?

Slide 8: Checking Background
- Do you know anyone who knows the applicant?
- Check that personal information is correct
- Check for a criminal record
- If working with money, check credit status
- Driver's license, traffic violations
- Education and diplomas
- Health, medication and treatments
- Don't play spy, don't Google. This sort of information must be obtained through official channels

Slide 9: Training And Paperwork
- Very few are incompetent because they want to be
- Make sure that NDAs and other paperwork are done
- Introductory training when a new employee comes: tasks, policies, security and safety issues
- Additional training when the position changes
- Keep employees' skills fresh with training: people feel that their skills and value in the profession are maintained; employees with up-to-date skills are more efficient; well-trained employees also reduce security risks

Slide 10: Keeping People
- Now that you have good people, you'll want to keep them that way
- Even the best and most motivated people can become 'bad' if managed improperly
- In personnel security the most important things don't actually have much to do with the 'security' part
- The best way to keep people 'good' is good people management
- Especially in YT industry this is very often forgotten: laying off even a few persons hurts company morale and personnel productivity for a long time!

Slide 11: Employee Leaving
- Everyone leaves sooner or later: 'hostile' leaving when leaving for a competitor or being laid off; 'benign' when retiring or changing field
- Know what to do when an employee leaves: skills transfer to the replacement; gather back keys, laptops, documents, equipment; disable accounts, change passwords; are there any sensitive processes that need to be modified? has the employee signed an NDA? better review it

Slide 12: Building Security
- Building security is about making sure that the building is safe for all company assets: equipment, people, information
- Building security is mostly about common sense
- A good floor plan and passive security is much easier and cheaper than the best alarms and guards

Slide 13: Office Layout
- Divide office areas into access zones: outside the office (company entrance, fences); public areas (reception, public meeting rooms); office area (outsiders are allowed only when escorted); critical areas (data centers, network cabinets, finance)
- Zone access control controls who gets in; there is no extra control inside the zone
- All routes from one zone to another zone must be known
- There should be extra time/effort needed to get from one zone to another

Slide 14: Office Divided Into Zones
[Diagram] Zones from outermost to innermost: Outside; Reception; Offices; Server room, Critical research areas, CEO and Finance offices.

Slide 15: Doors
- What is the purpose of a door: noise dampening; access prevention; fire door
- Is the door good enough? Door strength; lock strength; hinges; fire isolation (how long the door holds a fire)

Slide 16: Walls And Windows
- Windows, an easy access for a burglar, or maybe not: can windows be broken so that it won't be noticed? First and second floor windows should be laminated
- Walls: what time and equipment is needed to cut through? What is on the other side of the wall?
- Check the area outside the office: keep the yard clean and don't give tools to attackers; if possible try to prevent anyone using vehicles in attacking the building, use decorations that are heavy

Slide 17: Access Control
- Let the good people in, keep the bad people out
- Access control allows more accurate control than keys; employees need to accept the control, DON'T ABUSE IT
- Access control works at the zone borders: it doesn't care what people do inside the zones; it records who has been in the zone at any given time
- Access control needs to be done properly: easy to use, suspicion on anyone who can't open a door; the control logs need to be stored securely; reliable, if the system keeps failing people will ignore it

Slide 18: Alarms
- Alarms activate in exceptional situations: window broken, door forced, movement at night, fire, gas
- Located at the zone borders and inside zones
- Each threat needs the correct alarm sensor: motion detectors, pressure sensors; physical open/break sensors; fire alarms, gas detectors, moisture sensors
- Alarms are useless by themselves: when an alarm goes off, there must be a reaction; audible alarms at the outer zones, silent ones inside

Slide 19: Monitoring
- Know what's going on, use cameras: recording cameras help investigate what happened; actively monitored cameras detect intrusions and guide guards
- Make sure that cameras are of some use: keep the area well lit and situate cameras well; use secure or off-site storage for video data; put up signs that the area is monitored, cameras are a good deterrent
- Know what you are allowed to record and where: personal privacy laws are very strong in Finland

Slide 20: Guards, Guards
- There are many types of guards: a guard that visits the site when making rounds; a guard that is located at the site; a guard that is alerted when an alarm goes off
- Different types have different reaction times: a guard from a remote location needs transit time; a local guard can respond more quickly, but is expensive
- Optimize the value of the property against the expense of protection
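Slide 17 says that access control works at the zone borders, that every route between zones must be known, and that the logs tell who was in a zone at a given time. The following script is an added example, not from the lecture, of what a defender can do with those logs: it replays badge events against the zone layout from slide 14 (Outside, Reception, Offices, and the critical areas behind Offices) and flags anyone who reaches a border without having badged through the borders before it, which is how tailgating, a propped door or an unplanned route shows up. The door ids, badge ids and log line format are constructed assumptions.

```python
"""Reviewing zone access-control logs.

Added example, not from the lecture. The zone layout follows the slide's
example (Outside -> Reception -> Offices -> Server room / Critical research /
CEO and Finance); the door ids, badge ids and log format are constructed
assumptions.
"""
from datetime import datetime

# Every route between two zones must be a known door (the slide's rule):
# door id -> (zone on the near side, zone on the far side).
DOORS = {
    "D1": ("Outside", "Reception"),
    "D2": ("Reception", "Offices"),
    "D3": ("Offices", "Server room"),
    "D4": ("Offices", "Critical research"),
    "D5": ("Offices", "CEO/Finance"),
}

# Constructed log lines: timestamp, badge, door, direction.
# IN = passing into the far-side zone, OUT = back into the near-side zone.
SAMPLE_LOG = """\
2024-03-04T08:01:10 B1001 D1 IN
2024-03-04T08:02:30 B1001 D2 IN
2024-03-04T08:05:00 B1002 D2 IN
2024-03-04T09:10:45 B1001 D3 IN
2024-03-04T09:40:00 B1001 D3 OUT
2024-03-04T10:00:00 B1003 D3 IN
2024-03-04T17:30:00 B1001 D2 OUT
"""


def parse_log(text):
    """Parse log lines into (timestamp, badge, door, direction), oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, direction = line.split()
        events.append((datetime.fromisoformat(ts), badge, door, direction))
    return sorted(events)


def replay(text, start_zone="Outside"):
    """Replay the log; return each badge's final zone and a list of anomalies.

    A badge that passes a door whose near side is not the zone it was last
    seen in reached that border without badging through the ones before it:
    tailgating, a propped door, or a route that is not on the floor plan.
    """
    location = {}
    anomalies = []
    for ts, badge, door, direction in parse_log(text):
        if door not in DOORS:
            anomalies.append((ts, badge, f"unknown door {door}"))
            continue
        src, dst = DOORS[door]
        if direction == "OUT":
            src, dst = dst, src
        last_seen = location.get(badge, start_zone)
        if last_seen != src:
            anomalies.append(
                (ts, badge, f"passed {door} from {src} but last seen in {last_seen}")
            )
        location[badge] = dst
    return location, anomalies


def present_in(text, zone, at_iso):
    """Badges whose last recorded movement before `at_iso` left them in `zone`."""
    at = datetime.fromisoformat(at_iso)
    location = {}
    for ts, badge, door, direction in parse_log(text):
        if ts > at or door not in DOORS:
            continue
        src, dst = DOORS[door]
        location[badge] = dst if direction == "IN" else src
    return {b for b, z in location.items() if z == zone}


if __name__ == "__main__":
    final, found = replay(SAMPLE_LOG)
    for ts, badge, why in found:
        print(f"{ts} {badge}: {why}")
    print("In server room at 09:30:",
          present_in(SAMPLE_LOG, "Server room", "2024-03-04T09:30:00"))
```

In the constructed log, B1002 appears at the Offices door without ever badging in from Outside, and B1003 appears at the server room door with no earlier record at all; both are reported. The same replay answers the slide's "who has been in the zone at any given time" question, which is only trustworthy if the logs themselves are stored where they cannot be edited.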
Slide 21: Fire
- If possible prevent fires: find out possible ignition sources and make them safe; neatness counts, all extra material must be removed
- If a fire breaks out, the building should contain it: the zone should isolate the fire as well as possible; the office needs to be divided into fire zones; fire doors closed, no extra holes in the walls, fire breaks
- But remember, the purpose is only to buy time: to get people to safety; for the fire brigade to arrive and put the fire out

Slide 22: FIRE, Get The People Out!
- If a fire breaks out make sure that people get out: doors in the escape route must have an emergency opener; make sure that escape routes are not blocked
- There must be at least two routes from each zone: fire escape routes must be well marked; the routes should be instinctive
- People must be trained how to get out: make sure evacuation responsibilities are assigned; also have people responsible for first aid, guiding the fire brigade and other emergency tasks

Slide 23: Extinguishing Fire
- For small fires, fire blankets and hand extinguishers: when people reach for the extinguisher they don't check the type, so place the correct extinguishers at the correct places
- Make sure that fire extinguishers are of the proper type: water sprinklers are good for general use, but wreak havoc on paper and electronics; for electronics there are specialized gas extinguishers, but many of them replace the air, so people must be able to leave if they activate; there are also extinguishers that can be placed inside machinery and devices

Slide 24: Heat, Water And Air
- Is the air conditioning sufficient? Are server rooms and other areas properly cooled? If it's too hot or there's not enough air people cannot concentrate; too hot will cause servers to crash
- Find out where pipes go and where the water goes when pipes break: more than one server room has been destroyed because there were water pipes in its ceiling; it's a good idea to situate critical systems away from any piping

Slide 25: Physical Data Security
- Backups, backups, backups: how do you store local backups? How long do they survive fire or water? Who has access to them?
- Having off-site backups is a very good idea: more than one small company has gone bust because the thief also took the backups
- Who has physical access to servers? If the server cannot be cracked there's always the server hard drive...

Slide 26: Document Handling
- Document life cycle: create, use, destroy
- When a document is created it should be classified: customer/contractor/partner confidential; confidential; public; restricted
- Documents must be handled according to their level: care should be taken in the storage and handling of high-level documents
- For consistency only important documents should have a high level. Don't mark everything classified!

Slide 27: Destroying Documents
- When a document is not used anymore it must be destroyed: all confidential documents must be shredded; document shredding companies should not be trusted with the most critical documents; also disks, hard drives and other media
- People must be trained, and shredding should be convenient so that people do it
- Sometimes have a look at the waste paper bins at the company, there are sometimes rather interesting documents there :)

Slide 28: Storage Of Valuables
- Know what you have that needs protection: backups; critical documents; money and other valuables
- Know what you want to protect against: protection from fire or from a burglar needs different protection. There's no such thing as just a 'safe'
- Don't just buy something that just looks secure: a fireproof safe may look big and impressive but will open in less than a minute with a crowbar

Slide 29: Selecting A Correct Safe
- Paper and data storage needs a rated fireproof safe: the DIS rating indicates how long diskettes and other material will survive; the P rating indicates how long paper will survive, e.g. P-60 means paper will survive 60 minutes in a fire of 1000 °C
- Select either a fireproof safe or a data box inside a normal safe
- The EN 1143-1 rating tells the safe's armor rating: E I is recommended for a maximum of 10 000 EUR of content value; E II for a maximum of 30 000 EUR; E III for a maximum of 60 000 EUR; E IV for a maximum of 120 000 EUR

Slide 30: Installing And Using The Safe
- Choose a good location: place it into a protected zone that has alarm/monitoring; remember the safe only buys time, don't give the attacker too much of it; bolt the safe down so it can't be removed easily; don't put the safe in the cellar, if fire comes the cellar will flood with extinguishing water
- Don't leave the keys for the burglar: if the safe has a key, store it in a separate location; if the safe uses a code, either don't record the code, or store it in a safe place (bank vault)

Slide 31: What You Cannot Prevent, Insure
- Sometimes, shit happens, so make sure you have insurance
- But even with the best insurance the accident costs more than the insurance company pays: equipment; time; production; missed sales and opportunities

Slide 32: Risk Management
- Risk management is the process of understanding what risks the company has
- Risk = Probability of threat * Damage
- Risk management is: finding out what threats there are; estimating the probability of a threat realizing; estimating the damage caused by a threat; analyzing the risks deduced from the gathered information

Slide 33: Finding Out Risks
- Identify risk areas: know what the company does and how
- Do a vulnerability analysis for each business area: think what can go wrong and how; analyze past history, brainstorm, play what-if
- Estimate the damage caused by the vulnerabilities you found
- Make a risk matrix: calculate each risk, and see which have high scores

Slide 34: Tools For Vulnerability Analysis
- Questionnaire method: a set of questions from which the result can be derived; the level of success depends very much on the questions
- Fault tree analysis (FTA): a tree where the threat or result is at the top and the causes at the branches; what needs to fail for the event to happen
- Event tree analysis (ETA): starts from a single failure, maps what else needs to fail and combines probabilities for event chains

Slide 35: Fault Tree Analysis
[Diagram; labels as extracted] Top event: "Server hacked". Gates: "or", "and". Leaf events: "Password leaked", "Password guessed", "vulnerability", "Open in firewall".

Slide 36: Process Of Risk Management
- For each risk found decide how to manage it: ignore it (preventing is more expensive than the damages); reduce the probability of the threat (better process control, security measures); limit the damage (minimize the loss caused when the risk realizes); have a recovery process (minimize the downtime and loss of production)

Slide 37: Conclusion
- I'm not an expert on this and neither are you: get an expert to check the building, fire and other safety
- There are many laws that govern this field, but don't think that doing things at the level required by law is enough: the laws are there to protect others from your company; laws don't protect you from yourself (at least not much)
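Slides 32 to 36 give the formula Risk = Probability of threat * Damage, the risk matrix built from it, and fault tree analysis with OR and AND gates. The script below is an added example, not part of the lecture, that carries those two ideas through in code: a fault tree whose top event probability is computed from its leaves (OR gate: at least one cause occurs; AND gate: all causes occur together, leaves assumed independent), and a ranked risk list using the lecture's formula. The threat list, probabilities, damage figures, and the particular wiring of the "Server hacked" tree (password leaked OR password guessed OR (vulnerability AND open in firewall)) are constructed assumptions, since the slide's diagram survives only as labels.

```python
"""Risk scoring (Risk = Probability * Damage) and fault-tree evaluation.

Added example, not from the lecture slides. All probabilities, damage
figures and the fault-tree wiring below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Union


@dataclass
class Threat:
    name: str
    probability: float  # estimated chance of the threat realizing per year
    damage: float       # estimated loss in EUR if it does

    @property
    def risk(self) -> float:
        # The lecture's formula: Risk = Probability of threat * Damage
        return self.probability * self.damage


def rank_risks(threats):
    """Threats sorted by annualized risk, highest first (the risk matrix step)."""
    return sorted(threats, key=lambda t: t.risk, reverse=True)


# Fault tree: leaf events carry a probability; gates combine their children.
@dataclass
class Event:
    name: str
    probability: float


@dataclass
class Gate:
    name: str
    kind: str        # "AND" or "OR"
    children: list   # Event or Gate nodes


Node = Union[Event, Gate]


def fault_tree_probability(node: Node) -> float:
    """Probability of a node's event, assuming the leaf events are independent."""
    if isinstance(node, Event):
        return node.probability
    probs = [fault_tree_probability(child) for child in node.children]
    if node.kind == "AND":
        # Every cause must occur together: multiply the probabilities.
        p = 1.0
        for q in probs:
            p *= q
        return p
    if node.kind == "OR":
        # At least one cause occurs: 1 - P(none of them occurs).
        none = 1.0
        for q in probs:
            none *= 1.0 - q
        return 1.0 - none
    raise ValueError(f"unknown gate kind {node.kind!r}")


# Assumed reading of the slide's tree: the server is hacked if the password
# leaks, OR it is guessed, OR (a vulnerability exists AND the service is
# reachable through the firewall). Probabilities are constructed.
SERVER_HACKED = Gate("Server hacked", "OR", [
    Event("Password leaked", 0.05),
    Event("Password guessed", 0.02),
    Gate("Exploitable service", "AND", [
        Event("Vulnerability", 0.30),
        Event("Open in firewall", 0.10),
    ]),
])

SAMPLE_THREATS = [  # constructed values, not figures from the lecture
    Threat("Fire", 0.01, 500_000),
    Threat("Burglary", 0.10, 20_000),
    Threat("Key person unavailable", 0.20, 50_000),
    Threat("Server hacked", fault_tree_probability(SERVER_HACKED), 80_000),
]


def risk_report(threats=SAMPLE_THREATS):
    """(name, risk in EUR per year) pairs, highest risk first."""
    return [(t.name, round(t.risk, 2)) for t in rank_risks(threats)]


if __name__ == "__main__":
    for name, risk in risk_report():
        print(f"{name:24s} {risk:>10.2f} EUR/year")
```

With these sample numbers the AND gate alone (vulnerability and open firewall) contributes only 3 %, yet the whole tree puts "Server hacked" near 9.7 % per year, which, multiplied by the damage, ranks it above the fire risk despite fire's much larger damage figure. That is the point of the risk matrix on slide 33: it is the product that decides where to spend, and the slide 36 options (reduce probability, limit damage, recover) each change a different factor in it.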
Slide 38: References
- Security Basics: http://www.csoonline.com/article/486621/security-basics
- The business of resilience: http://www.demos.co.uk/files/thebusinessofresilience.pdf
- Laki turvallisuusselvityksistä (Act on Security Clearances): http://www.finlex.fi/fi/laki/ajantasa/2002/20020177
- PK-yrityksen riskienhallinta (SME risk management): http://www.pk-rh.com/
- Suomen Pelastusalan Keskusjärjestö (Finnish National Rescue Association): http://www.spek.fi