How the ancient Chinese classic, the Great Learning, remains relevant to the modern information security profession. This presentation shows side by side how what was true back in 400 BC can also apply to the modern 21st century. It is also the first book on MaaS (Management as a Service).
The three guiding principles of the Great Learning are no different from the (ISC)2 and SANS codes of ethics.
Knowledge of the ten security domains and of technical information is necessary for the information security profession, but a person's ethical standard is expected without much direction being given, other than to follow various laws and rulings such as HIPAA, SOX, GLBA, Safe Harbor, and so on.
I believe the Great Learning is a useful guide to information security (InfoSec) professional ethics.
The Great Learning and Information Security
1. 大學 & 資訊安全 / Great Learning & Information Security
How an ancient Chinese classic remains relevant in modern information security
Chuan Lin, CISSP
2. Great Learning Background
Who Wrote It
• Zengzi, a disciple of Confucius, wrote the Great Learning around 450 BC – 436 BC.
• In the Song Dynasty (960 AD – 1270 AD), the Cheng Brothers and their student Zhu Xi corrupted the original text and its meaning.
• In recent times, Master Nan Huai Jin and Captain Chang Teh-Kuang (ret.) are among the recent Chinese scholars who have attempted to bring the Great Learning back to a lost Chinese generation.
What Is It
• It is the first self-help book that withstood the test of time and the first book on Management as a Service (MaaS).
3. Great Learning Background II
When Was It Written
• It was written sometime between 450 – 436 BC, during the Spring and Autumn Period of Chinese history, when China was a feudal sovereignty consisting of hundreds of city states that owed loyalty to the Zhou Dynasty.
Where Did It Flourish?
• At the time it was written, the Great Learning was just another school of thought that contended with a hundred other ideas. Later, it became one of the three main core philosophies of China.
4. Great Learning Background III
Why Does It Matter?
• Its opening statement is no different from the mission statements of the (ISC)2 and SANS Codes of Ethics.
• While knowledge of the 10 domains and technical information is necessary for the information security professional (InfoSec Pro), a person's ethical standard is expected but not much direction is given, other than to follow various laws and rulings like HIPAA, SOX, GLBA, Safe Harbor, etc.
• I believe the Great Learning can be a useful guide for InfoSec Pro ethics.
5. 大學和資訊安全專業的目標 / Goals of the Great Learning and the InfoSec Pro
What do we want to accomplish with our lives and our careers?
6. 大學之道、在明明德、在親民、在止於至善。
The Dao of the Great Learning is to illustrate illustrious virtues, to renovate the people, and to rest in the highest excellence.
"Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior."
- (ISC)2 Code of Ethics
7. 大學之道、在明明德、在親民、在止於至善。
The Dao of the Great Learning is to illustrate illustrious virtues, to renovate the people, and to rest in the highest excellence.
GIAC Code of Ethics
• Respect for the Public
• Respect for the Certification
• Respect for my Employer
• Respect for Myself
SANS Code of Ethics
• I will strive to know myself and be honest about my capability.
• I will conduct my business in a manner that assures the IT profession is considered one of integrity and professionalism.
• I respect privacy and confidentiality.
8. 明明德的七證 / 7 Steps to Illustrating Illustrious Virtues
Seeking Self-Improvement First
9. 知 止 定 靜 安 慮 得
to know, to cease, to still, to calm, to quiet, to ponder, to obtain
7 Steps to Illustrating Illustrious Virtues
How can these seven internal self-improvement steps affect oneself and one's InfoSec career in modern times?
10. 知 (to know)
Self Improvement
• In the business world, we train in order to exploit the company's strategic advantages while correcting the company's weaknesses.
• In an engineering environment, we train in order to find and correct any product defects before going to market.
• Shouldn't we find and correct our own weaknesses before someone else, or we ourselves, launch a zero-day attack against them?
InfoSec Professional
• To know a company's security status: where its strengths are, where its weaknesses are.
• To know the company's business goals, its chain of command, its culture, its behaviors, and its processes.
• To know its defense-in-layers structure, its log controls, its state of readiness, its state of responsiveness, etc.
11. 止 (to cease)
Self Improvement
• Ceasing is to prevent the loss of self-control.
• Cease personal bad habits through gradual reduction, redirection to healthier substitutes, or by cutting them off with perseverance.
• Cease personal bad habits by forming new habits, rewarding yourself, and joining support groups.
InfoSec Professional
• To Cease is to prevent the loss of control.
• To Cease internal risks through reduction, mitigation, avoidance, or elimination.
• To Cease through log controls, separation of duty, enforcement of least privilege, a secure software development lifecycle, and employee security awareness.
12. 定 (to still)
Self Improvement
• Stillness lets us know our own strengths and weaknesses.
• Stillness lets us stop our ingrained habits and strengthen our special talents.
• Stillness gives us the confidence to withstand external pressures and blows.
InfoSec Professional
• To know a company's security status.
• To cease a company's risks.
• This will give the InfoSec Pro the confidence to remain level-headed when external threats appear.
13. 靜 (to calm)
Self Improvement
• The mind is calm because you do not have to worry about your weaknesses being exploited by others.
• A calm mind can filter your thoughts.
• A calm mind leads to physical health.
InfoSec Profession
• To calm is when a company does not have to worry about its information being misused.
• To calm allows a company to plan its business strategy.
• To calm allows a company to become healthy.
14. 安 (to quiet)
Self Improvement
• Only calm allows quiet. When the mind is disordered, the body cannot be quiet; when society is in turmoil, the state cannot be quiet.
• When the mind is light and at ease, the body is light and at ease.
• Calm lets you think clearly; quiet lets you work without disturbance.
InfoSec Profession
• Calm allows one to be quiet. When information is exposed, a company cannot maintain Quiet.
• Management desires Quiet; employees desire Quiet.
• Stillness allows a company to plan; Quietness allows a company to carry out its plan without disruption.
15. 慮 (to ponder)
Self Improvement
• To ponder means to handle affairs with precision and detail; to ponder means to think carefully.
• Thinking (想) refers to coarse, shallow phenomena in the mind; thought (思) refers to fine, detailed phenomena in the mind.
• Pondering lets you plan the major affairs of life.
InfoSec Profession
• Pondering is planning InfoSec carefully. Pondering is having InfoSec awareness at the back of employees' minds.
• Thought is about current InfoSec needs; pondering is about future InfoSec needs.
• Pondering allows both a company and an InfoSec Pro to plan out a long-range strategy.
17. 內聖外王 Internal Sagacity, External Sovereignty
How to Renovate People and Rest at the Highest Excellence
Or How to Manage Self Before Managing Others
18. 格物 致知 誠意 正心 脩身
Investigation of Things, Knowledge, Sincerity, Rectification, Self-Cultivation
• Before managing others, first make sure you have successfully managed yourself.
• You must be able to withstand the scrutiny of others.
• Your actions, your behaviors, and your words will be constantly observed and judged.
• This is especially true in the age of Facebook, Twitter, and Instagram, where every little transgression will be caught on recording devices and spread like fire through the media.
• There are people who love nothing more than to tear down a hypocrite.
19. 格物 (Investigation of Things)
Self Improvement
• Resembling heaven and earth, therefore it does not go against them. Its knowledge encompasses all things and its way benefits all under heaven, therefore it does not err. It acts broadly yet does not drift; it delights in heaven and knows its destiny, therefore it does not worry. It rests in its place and is earnest in benevolence, therefore it is able to love.
• It encompasses the transformations of heaven and earth without exceeding them, completes all things in their particulars without omission, and penetrates the way of day and night so as to know; therefore the spirit has no fixed location and the Changes have no fixed form.
• It manifests itself in benevolence and conceals itself in its workings; it stirs all things yet does not share the sage's anxieties. Abundant virtue and great achievement: how supreme they are!
InfoSec Profession
• Information Security (InfoSec) is about providing data availability, confidentiality, and integrity.
• Ideally, the InfoSec Professional (InfoSec Pro) needs to get involved at the start of all projects because of information security concerns.
• Externally, the InfoSec Pro needs to know what regulations, laws, and audits are required for a project.
• Internally, the InfoSec Pro needs to know what technical, administrative, and physical constraints are required for a project.
20. 致知 (Knowledge)
Self Improvement
• To know the subtle beginnings, is that not spirit-like! To exhaust the spirit and know transformation is the fullness of virtue.
• Harmonize with the way and virtue, and order things by righteousness. Exhaust principle, fully realize nature, and thereby arrive at destiny.
• Thereby to accord with the principle of nature and destiny.
InfoSec Profession
• The InfoSec Pro shares risk and vulnerability assessments with key consultants, managers, programmers, and other project members.
• They need to take the InfoSec Pro's concerns into account in project designs.
• Any data leak will be detrimental to the company's image, reputation, and confidence, not to mention possible lawsuits.
21. 誠意 (Sincerity)
Self Improvement
• What is meant by making one's intentions sincere is not deceiving oneself: as one hates a bad smell, as one loves a beautiful sight. This is called self-contentment.
• Zengzi said: "What ten eyes behold and ten hands point to, how severe it is!"
• The inscription on the bathing tub of Tang read: "If you can renew yourself one day, do so every day, and again day after day."
InfoSec Profession
• The InfoSec Pro shows sincerity toward data preservation through sharing security knowledge and advocating security awareness.
• Every word and action will affect how employees view Information Security and its Awareness.
• Dao of Hacking Improves, Technology Improves, InfoSec Improves.
22. 正心 (Rectification)
Self Improvement
• Rectifying one's heart:
• When the self is moved by anger, it cannot attain rectitude;
• when moved by fear, it cannot attain rectitude;
• when moved by fondness and pleasure, it cannot attain rectitude;
• when moved by worry and distress, it cannot attain rectitude.
InfoSec Profession
• The InfoSec Pro has to rectify his heart to avoid preoccupation with the following:
• Anger
• Fear
• Desire
• Worry
• These prevent him from doing his job.
23. 脩身 (Self Cultivation)
Self Improvement
• A human life is a small universe.
• Wealth adorns a house; virtue adorns the person; the heart is broad and the body at ease.
• The elegant gentleman: as if cut, as if filed, as if carved, as if polished.
InfoSec Profession
• A company is its own universe.
• Wealth enriches a company; virtues enrich employees; a broadened enterprise expands its ventures.
• The InfoSec Pro is constantly trimmed and scrubbed; he is frequently cut and polished.
24. 齊家 治國 平天下
Maintain Family, Regulate State (Company), Pacify Heaven Below (the Grid)
• The Great Learning is the first classic on Management as a Service (MaaS).
• Only interested in personal cultivation? Read through Self-Cultivation (脩身).
• Only interested in maintaining a family or a department? Read through Maintaining the Family (齊家).
• Only interested in maintaining a government or a company? Read through Regulating the State (治國).
• Only interested in maintaining all under heaven, or a multinational company? Read through Pacifying Heaven Below (平天下).
• External Sovereignty is less about utilizing the latest and greatest technology and more about managing people.
• Social Engineering is the battle of hearts and minds that can get past the world's most secure firewall, IDS, IPS, and defense in layers.
• Despite advanced technology, people's hearts and souls remain the same. They can enforce or enfeeble information security.
25. 齊家 (Maintain Family)
Self Improvement
• What is meant by "regulating the family lies in cultivating the self":
• People are partial toward those they love and cherish;
• partial toward those they despise and dislike;
• partial toward those they fear and revere.
• Hence: "No one knows the faults of his own son, nor the richness of his own growing crop."
InfoSec Profession
• Maintaining a department comes about after self-cultivation.
• It should be free from
• Favoritism
• Disapproval
• Fear
• These will decrease employees' security awareness.
26. 治國 (Regulate State / Company)
Self Improvement
• When one family is benevolent, the whole state rises to benevolence;
• when one family is courteous, the whole state rises to courtesy;
• when one man is greedy and perverse, the whole state falls into disorder.
• Such is the mechanism. This is why it is said: one word can ruin an affair, and one man can settle a state.
InfoSec Profession
• When a department behaves securely, the entire company promotes vigilance.
• When a department limits its access, the entire company promotes data control.
• When one man is negligent and corrupt, the entire company becomes vulnerable.
• Hence, a word can instigate a threat; a man can secure a company.
27. 平天下 (Pacify Heaven Below / the Grid)
Self Improvement
• The gentleman has the way of the measuring square.
• The way: win the people and you win the state; lose the people and you lose the state.
• Words that go out perversely come back perversely; wealth that comes in perversely goes out perversely.
InfoSec Profession
• An InfoSec Professional lives and breathes the Code of Ethics.
• Practice InfoSec, and others engage and the company enacts it. Disregard InfoSec, and others forget and the company neglects it.
• The Law of Consequence can be found in personal, social, career, financial, and political aspects.
28. Great Learning & InfoSec Recap
• As the first self-help book, it has withstood the test of time. As the first book on MaaS (Management as a Service), it shows how to serve others by first improving oneself.
• Instructions for management are no different from instructions for self-improvement. It is all about leading by example.
• Despite advanced technology, people's hearts and souls remain the same. They can enforce or enfeeble information security.