This document discusses codes of conduct and security policies for board members. It contains three key points: 1. Company security policies may require board members to use only company-provided devices and separate personal and work engagements, but this poses practical challenges for those serving on multiple boards. Strict adherence could be seen as negligence. 2. Third parties like advisors, auditors, and translators who are given inside information present security risks if protections like non-disclosure agreements and encryption are not used. 3. A conference on passwords and authentication was announced, with topics including attacks, defenses, and usability, aiming to discuss whether we will ever move away from passwords.

1. Board member Security Per Thorsheim CISA, CISM, CISSP-ISSAP Security coordinator April 4, 2011

2. The CodesofConduct Dilemma General assembly Bedriftsforsamling (Norway) BoardofDirectors CEO Executiveboard Chief Security Officer (CSO) 2 CodesofConduct Security policy Standards Guidelines ?

3. Company (Security) policy ISACA 4 April 2011 – Per Thorsheim May requirethat all usersuse pc + phoneprovided by company Requireseparationbetweenwork and other private (work) engangements Requireshardening and periodicupdating Disallowsthesharingofaccounts / passwords 3 A practicalchallenge for peoplebeing a memberonmanyboards Easily broken by theabovepracticalchallenge If computer is personal, than it is by definitioninsecure and ”illegal” to use Personal assistant to thexxxmay be a practicalchallenge to solve

4. ISACA 4 April 2011 – Per Thorsheim 4

5. ISACA 4 April 2011 – Per Thorsheim 5 HACKED

6. The CodesofConduct Dilemma ISACA 4 April 2011 – Per Thorsheim DirectorsLiability Assurance ”Styreansvarsforsikring” in Norway (Gross) Negligencewillimpacttheassuranceagreement 6 Iftheboarddoes not complywith (theirown) Codes ofConduct and/or security policy, willthat be considered (gross) negligenceby theinsurancecompany?

7. Recommendations(work in progress) ISACA 4 April 2011 – Per Thorsheim Useof personal PC Remoteaccess Printouts Electronic documents E-mail Leavingtheboard Problems? 7 Disallowed. PC from company Terminal server with 2-factor Cross-cutshredder MS Office passwordprotection Encryptedattachments Standard companyroutine VIP customer service (CSO) CSO / IA : ”Right to audit” ? NASDAQ Directors Desk?

8. Primary insiders Primary insiderA person who is a member of the board of directors or management of a listed company, or who is associated with the company in some other way, and who is therefore subject to certain requirements in respect of trading and reporting trades carried out, cf. Sections 3-1 and 2-6 of the Securities Trading Act. Each listed company is responsible for identifying its primary insiders, and is responsible for providing an up-to-date list of its primary insiders to Oslo Børs. Each primary insider is personally responsible for ensuring that the requirements imposed on him or her by the Securities Trading Act are adhered to. 8

9. DefinitionofPrimary insiders 9

10. ISACA 4 April 2011 – Per Thorsheim 10 Example list ofprimary insiders(nonamesshown)

11. However… ISACA 4 April 2011 – Per Thorsheim (this is thepointwhere I start to getdifficult and annoying…) 11

13. (Norwegian) post

14. Postal courier

15. E-mailMitMattackshttp://www.edb.com/Documents/Articles/E-post_sikkerhet_i_Norge.pdf

16. Internals: Access to insideinformation LEGAL vstechnicalaccess Unauthorizedaccessshould be logged and prosecuted Company encryption (PCI) End-to-endencryption (personal) 13 DomainAdmins, helpdesk Administrative access is not logged (it is technically ”legal”) Same problem withadmins Difficult, requireseducation

17. Third-partyaccess to insider information Non-DisclosureAgreements (NDA) widely used : reactivecontrol NDA seemsconsired as proactivecontrol(?) Detectivecontrolsseems rare Security requirements in contractsseemssparse (”Trust” is common) 14

18. Recommendation(the ”easy” one…) ISACA 4 April 2011 – Per Thorsheim 15

19. Last, but not least: Passwords^11 2 dayconferenceonpasswords & pins only Attacks, defenses, forensics and usabilityaspectscovered Panel discussion: ”willwe ever get rid ofpasswords?” Bergen (Norway), June 7-8 Free-for-all (limited seatsavailable) International speakers In collaborationwith: University of Bergen, Professor Tor Helleseth Sponsored by NISNET Free live streamingonustream.tv securitynirvana.blogspot.com& Twitter: #passwords11 16