
Security and Protection of Information Conference April 28 – 30, 2003 Brno, Czech Republic...

Security and Protection of Information Conference April 28 – 30, 2003 Brno, Czech Republic Unification of information security policies towards a NATO-wide Information Security Scheme Arturo Herrera Colmenero Risk Analysis Consultants Prague, Czech Republic
Page 1

Unification of information security policies towards a NATO-wide Information Security Scheme

Arturo Herrera Colmenero

Risk Analysis Consultants

Prague, Czech Republic

Page 2

Typical Approach

[Diagram labels: PLAN, DO, CHECK, ACT; Documented guidelines, standards, etc.]

Page 3

Objectives and Planning

Strategic IT Plan

ISMS

NATIONAL SECURITY PLAN

Financial Goals

Research and Development

Peace missions

Other goals

NATO (regional) SECURITY PLAN

Page 4

New challenges, Prague Summit, 2002

NATO Requirements

Co-operation

IT based defence technology

Reliable information

Accessible information

Accurate information

Interoperability

NATO enlargement

Network centric warfare, cyber attacks

NATO Response Force

New Military Command Structure

Civil emergency planning action

Page 5

Planning and preparation

Policy Components

Types of Policies

Co-operation Principles

NATO standards

NATO Interoperability Platform

NATO-wide perspective

Member states efforts

Page 6

Planning and Preparation problems

Sponsors politically, legally, technically unaware

Incompatible Risk Analysis methods

Incompatible Interviews

Omitted or inaccessible references

Personnel Unawareness

Page 7

Policy Components problems

Unclear Statements

Insufficient Management commitment

Incomparable evaluation indicators

Similar roles with unequal responsibilities

Contradictory reactions upon violations

Mismatched starting and revision dates

Page 8

Types of Policies

Regulatory

Advisory

Informative

Page 9

Lack of interoperability

Distribution


Page 10

Co-operation Principles

Sharing resources

Mutual Support

Common interests

Bigger goals

Resources efficiency

Sturdier achievements

Page 11

NATO Standards

NATO Advanced Data Storage Interface

NATO Standard Image Library Interface

NATO Primary Image Format

NATO Secondary Image Format

NATO C3 Technical Architecture

Page 12

Planning and Preparation Advantages

Homologous sponsorship

Compatible Risk Assessments

Development team with sufficient “Know-how”

Compatible interviews outputs

Common Definitions

Similar Personnel Awareness programs

Statement in focus

Bigger references bank

Common evaluation indicators

Even Sanctions

Exceptions tolerance

Coordinated dates

Policy Components Advantages

Page 13

Final remarks

Network centric warfare for fighting new international threats depends on reliable IT systems’ interoperability.

NATO-wide Information Security Scheme will enhance the overall organization’s capabilities.

Interoperability will never be achieved if ISMSs lead to divergent objectives.

Page 14

Final remarks

NATO spirit is to unite efforts for collective defence and for the preservation of peace and security. (North Atlantic Treaty, 1949)

Existing standardization work in NATO provides a set of useful tools.

Page 15

Thank you for your time

Arturo Herrera Colmenero


Risk Analysis Consultants

www.rac.cz

Španělská 2

120 00 Prague 2

Czech Republic

