This document discusses codes of conduct and security policies for board members. It contains three key points:
1. Company security policies may require board members to use only company-provided devices and to separate personal and work engagements, but this poses practical challenges for those serving on multiple boards. Non-compliance with the company's own policy could be treated as (gross) negligence by the directors' liability insurer.
2. Third parties like advisors, auditors, and translators who are given inside information present security risks if protections like non-disclosure agreements and encryption are not used.
3. A conference on passwords and authentication was announced, with topics including attacks, defenses, and usability, aiming to discuss whether we will ever move away from passwords.
BOARD MEMBER SECURITY
1. Board member security. Per Thorsheim, CISA, CISM, CISSP-ISSAP, Security coordinator. April 4, 2011.
2. The Codes of Conduct dilemma.
   Governance hierarchy: General assembly; Bedriftsforsamling (corporate assembly, Norway); Board of Directors; CEO; Executive board; Chief Security Officer (CSO).
   Policy hierarchy: Codes of Conduct; Security policy; Standards; Guidelines.
   Where do the two meet? ?
3. Company (security) policy. ISACA 4 April 2011 – Per Thorsheim.
   What the policy says:
   - May require that all users use a PC and phone provided by the company.
   - Requires separation between work and other private (work) engagements.
   - Requires hardening and periodic updating.
   - Disallows the sharing of accounts / passwords.
   The practical problem:
   - A practical challenge for people who are members of many boards.
   - Easily broken by the above practical challenge.
   - If the computer is personal, then it is by definition insecure and "illegal" to use.
   - A personal assistant to the xxx may be a practical challenge to solve.
6. The Codes of Conduct dilemma.
   Directors' liability assurance ("Styreansvarsforsikring" in Norway): (gross) negligence will impact the assurance agreement.
   If the board does not comply with (their own) Codes of Conduct and/or security policy, will that be considered (gross) negligence by the insurance company?
7. Recommendations (work in progress).
   - Use of personal PC: disallowed; PC from company.
   - Remote access: terminal server with 2-factor authentication.
   - Printouts: cross-cut shredder.
   - Electronic documents: MS Office password protection.
   - E-mail: encrypted attachments.
   - Leaving the board: standard company routine.
   - Problems? VIP customer service (CSO).
   Open questions: CSO / IA: "Right to audit"? NASDAQ Directors Desk?
8. Primary insiders.
   Primary insider: a person who is a member of the board of directors or management of a listed company, or who is associated with the company in some other way, and who is therefore subject to certain requirements in respect of trading and reporting trades carried out, cf. Sections 3-1 and 2-6 of the Securities Trading Act. Each listed company is responsible for identifying its primary insiders, and is responsible for providing an up-to-date list of its primary insiders to Oslo Børs. Each primary insider is personally responsible for ensuring that the requirements imposed on him or her by the Securities Trading Act are adhered to.
16. Internals: access to inside information.
   - Legal vs technical access: Domain Admins, helpdesk.
   - Unauthorized access should be logged and prosecuted: administrative access is not logged (it is technically "legal").
   - Company encryption (PCI): same problem with admins.
   - End-to-end encryption (personal): difficult, requires education.
17. Third-party access to insider information.
   - Non-Disclosure Agreements (NDA) widely used: a reactive control.
   - NDA seems considered a proactive control (?).
   - Detective controls seem rare.
   - Security requirements in contracts seem sparse ("trust" is common).
19. Last, but not least: Passwords^11.
   - 2-day conference on passwords & PINs only.
   - Attacks, defenses, forensics and usability aspects covered.
   - Panel discussion: "Will we ever get rid of passwords?"
   - Bergen (Norway), June 7-8.
   - Free-for-all (limited seats available).
   - International speakers.
   - In collaboration with: University of Bergen, Professor Tor Helleseth.
   - Sponsored by NISNET.
   - Free live streaming on ustream.tv.
   - securitynirvana.blogspot.com & Twitter: #passwords11