Friday 11 January 2013

Symposium on Information Security


Symposium on Information Security:
Governance, Sharing and Risk in a Digital Age.

For those who are not from Edinburgh or did not have a chance to attend the Symposium on Information Security, this post provides some basic information on what the symposium was about.
David and I managed to attend the symposium; David had to, as he was one of the speakers.

In general the symposium was well organised, with some delays to the actual start of the presentations, but you would expect that. As the name suggests, many of the presentations were about sharing data, mostly with a focus on e-Health systems. Prof. Bill Buchanan from Edinburgh Napier University, the person behind the conference, opened the day and handed over to Prof. George Crooks and his talk on NHS Scotland Telehealth and Telecare. The talk set out the vision for NHS Scotland: how and what they are proposing and working on, especially in terms of creating and delivering an e-Health system for patients using modern technologies. The NHS already has a pilot programme called DALLAS, where the system can be tested before it is widely deployed. The system centralises the e-Health record for each patient, and any NHS doctor to whom the patient has granted permission can access the file.

The next speaker, Ted Boyle, presented how an e-Health system could be modelled on the banking system. Scotland is ahead of the rest of the UK in sharing medical data, so implementing a full e-Health system would be easier in Scotland than elsewhere in the UK. The proposed system would allow sharing of medical information with the Police, Local Authorities, Government and the third sector (voluntary organisations). Several factors still need to be defined: how to share the data between all of the parties mentioned above, how to ensure that the parties with access to a record follow the Data Protection Act, and above all how to secure all of this data. Establishing this type of system would require the creation of one ID per person, under which all of this information would be stored. Doing so brings further problems, one of them being the financial cost of consolidating all of the data from different parties under one ID, not to mention deciding who is responsible for which part of the data and who can access, delete or amend it. The people using the system need to be educated, and support needs to be available to them, for such a system to work properly.
These are the issues with implementing a centralised system, and they need to be resolved before it can work.

David Livingston presented the Economic Opportunity in Cyber Security. The changes within cyberspace allow businesses to create new ways to approach clients; they bring financial savings and the ability to reach clients globally. These changes also bring new risks, as organised crime moves from its traditional approach into cyberspace, alongside hacktivism, espionage and terrorism. These risks carry a big potential impact: financial loss, loss of intellectual property, compromise of identity and compromise of infrastructure.

The vision of the UK Cyber Security Strategy is to make the UK a more secure place to do business, to be more resilient to cyber attacks, and to help shape an open cyberspace.

The key pillars of Cyber Security are: critical infrastructure, e-Crime, Information Assurance, Digital Participation and Enterprise. The approach to delivering this is through:

  • Focus on organisational concepts and rely less on technology.
  • Develop a risk-based approach.
  • Increase knowledge of cyberspace.
  • Develop skills and support innovation.
  • Improve communications.

Government will set the direction, but experts will deliver it. This is already happening: David Stubley, our director, is a Cyber Security Strategy Adviser on the Resilience Advisory Board for Scotland (RABS).

Andrew Wadsworth from Amor Group talked about Critical National Infrastructure and process control. There are many processes which do not provide as high a level of security control as they should. It is not just the computer systems which are targeted, but also the control systems themselves. Some of the examples presented showed how easy it can be to fail on a large scale, e.g. Stuxnet (we heard and read about it a lot last year); a further example was medical devices which are controlled wirelessly but do not provide any form of authentication or encryption. The problems with Critical Infrastructure are: old systems running old software, no authentication and no encryption, and poor or no network segregation. Some of the facts related to process control systems were shocking: the average time for a successful attack to be detected is 18 months, anti-virus is out of date, 75% of oil and gas installations have viruses, and the patching life cycle is 24 months. These are the issues which need to be resolved to ensure higher protection of the Critical Infrastructure.

This brings us up to lunch. Over the lunch break we had time to catch up with the rest of the audience and share our opinions on the industry and the talks so far. In part two of this post we will look at the afternoon sessions.

Marek.
