1 Stepping Through the Info Security Program Jennifer Bayuk, CISA, CISM
2 Infosec Program How to: compose an InfoSec Program cement a relationship between InfoSec program and IT Governance design roles and responsibilities to ensure accountability identify and allocate resources to achieve InfoSec program objectives tell if an InfoSec program is achieving objectives
3 Security Program Composition Strategy Compliance Policy Monitoring Awareness Implementation
4 Infosec Program Definition Process by which an organization effects security In response to a management concern about information systems With respect to computers as assets, operational integrity, data confidentiality, assets controlled by software, or any combination of the above Default process owner is the highest ranking IT manager delegated the responsibility for addressing security concerns with respect to technology
5 CISM InfoSec Manager Tasks Content Area 1 Information Security Governance Develop an information security strategy aligned with business goals and objectives. Align information security strategy with corporate governance. Develop business cases justifying investment in information security. Identify current and potential legal and regulatory requirements affecting information security. Identify drivers affecting the organization (e.g., technology, business environment, risk tolerance, geographic location) and their impact on information security. Obtain senior management commitment to information security. Define roles and responsibilities for information security throughout the organization. Establish internal and external reporting and communication channels that support information security. Content Area 2 Information Risk Management Establish a process for information asset classification and ownership. Implement a systematic and structured information risk assessment process. Ensure that business impact assessments are conducted periodically. Ensure that threat and vulnerability evaluations are performed on an ongoing basis. Identify and periodically evaluate information security controls and countermeasures to mitigate risk to acceptable levels Integrate risk, threat and vulnerability identification and management into lifecycle processes (e.g., development, procurement, and employment lifecycles) Program developed as part of these tasks must cover process by which all these other tasks are accomplished. Report significant changes in information risk to appropriate levels of management for acceptance on both a periodic and event-driven basis. Content Area 3 Information Security Program Development Develop and maintain plans to implement the information security strategy. Specify the activities to be performed within the information security program. Ensure alignment between the information security program and other assurance functions (e.g., physical, HR, quality, IT). Identify internal and external resources (e.g., finances, people, equipment, systems) required to execute the information security program. Ensure the development of information security architectures (e.g., people, processes, technology). Establish, communicate, and maintain information security policies that support the security strategy. Design and develop a program for information security awareness, training, and education. Ensure the development, communication, and maintenance of standards, procedures, and other documentation (e.g., guidelines, baselines, codes of conduct) that support information security policies. Integrate information security requirements into the organization's processes (e.g., change control, mergers and acquisitions) and life cycle activities (e.g., development, employment, procurement) Develop a process to integrate information security controls into contracts (e.g., with joint ventures, outsourced providers, business partners, customers, third parties). Establish metrics to evaluate the effectiveness of the information security program. Content Area 4 Information Security Program Management Manage internal and external resources (e.g., finances, people, equipment, systems) required to execute the information security program. Ensure that processes and procedures are performed in compliance with the organization s information security policies and standards. Ensure that the information security controls agreed to in contracts (e.g., with joint ventures, outsourced providers, business partners, customers, third parties) are performed Monitor, measure, test, and report on the effectiveness and efficiency of information security controls and compliance with information security policies. Ensure that information security is an integral part of the systems development process. Ensure that information security is maintained throughout the organization's processes (e.g., change control, mergers and acquisitions) and life cycle activities (e.g., development, employment, procurement) Ensure that noncompliance issues and other variances are resolved in a timely manner. Provide information security awareness, training and education to stakeholders (e.g., business process owners, users, information technology). Provide information security advice and guidance (e.g., risk analysis, control selection) to the organization. Content Area 5 Incident Management and Response Develop and implement processes for detecting, identifying, analyzing, and responding to information security incidents. Establish escalation and communication processes and lines of authority. Develop plans to respond to and document information security incidents. Establish the capability to investigate information security incidents (e.g., forensics, evidence collection and preservation, log analysis, interviewing) Develop a process to communicate with internal parties and external organizations (e.g., media, law enforcement, customers) Integrate information security incident response plans with the organization s Disaster Recovery (DR) and Business Continuity Plan (BCP). Organize, train, and equip teams to respond to information security incidents. Periodically test and refine information security incident response plans. Manage the response to information security incidents. Conduct reviews to identify causes of information security incidents, develop corrective actions, and reassess risk.
6 Information Security Governance Certified Information Security Manager Governance Tasks are: 1 Develop an information security strategy aligned with business goals and objectives. 2 Align information security strategy with corporate governance. 3 Develop business cases justifying investment in information security. 4 Identify current and potential legal and regulatory requirements affecting information security. 5 Identify drivers affecting the organization (e.g., technology, business environment, risk tolerance, geographic location) and their impact on information security. 6 Obtain senior management commitment to information security. 7 Defineroles and responsibilities for information security throughout the organization. 8 Establish internal and external reporting and communication channels that support information security.
7 Information Security Risk Management Certified Information Security Manager Risk Management Tasks are: 1 Establish a process for information asset classification and ownership. 2 Implement a systematic and structured information risk assessment process. 3 Ensure that business impact assessments are conducted periodically. 4 Ensure that threat and vulnerability evaluations are performed on an ongoing basis. 5 Identify and periodically evaluate information security controls and countermeasures to mitigate risk to acceptable levels 6 Integrate risk, threat and vulnerability identification and management into lifecycle processes (e.g., development, procurement, and employment lifecycles) 7 Report significant changes in information risk to appropriate levels of management for acceptance on both a periodic and event-driven basis.
8 Information Security Program Management Certified Information Security Manager Program Management Tasks are: 1 Manage internal and external resources required to execute the information security program. 2 Ensure that processes and procedures are performed in compliance with the organization s information security policies and standards. 3 Ensure that the information security controls agreed to in contracts are performed 4 Monitor, measure, test, and report on the effectiveness and efficiency of information security controls and compliance with information security policies. 5 Ensure that information security is an integral part of the systems development process. 6 Ensure that information security is maintained throughout the organization's processes and life cycle activities 7 Ensure that noncompliance issues and other variances are resolved in a timely manner. 8 Provide information security awareness, training and education to stakeholders. 9 Provide information security advice and guidance to the organization.
9 Incident Management and Response Certified Information Security Manager Incident Management and Response Tasks are: 1. Develop and implement processes for detecting, identifying, analyzing, and responding to information security incidents. 2. Establish escalation and communication processes and lines of authority. 3. Develop plans to respond to and document information security incidents. 4. Establish the capability to investigate information security incidents. 5. Develop a process to communicate with internal parties and external organizations. 6. Integrate information security incident response plans with the organization s Disaster Recovery (DR) and Business Continuity Plan (BCP). 7. Organize, train, and equip teams to respond to information security incidents. 8. Periodically test and refine information security incident response plans. 9. Manage the response to information security incidents. 10. Conduct reviews to identify causes of information security incidents, develop corrective actions, and reassess risk.
10 Information Security & IT Governance Infosec program evolution Chief Security Administrator Ambassador from the IT Governor
11 Ambassadors need a home base What does your org chart look like? President President President CFO COO CFO CIO COO CFO CRO COO CIO CPO CAO CIO YOU YOU YOU Whose support do you need to make organization-wide policy?
12 Information Security & IT Governance There are five basic outcomes of effective security governance: Strategic alignment Risk management Value delivery Resource management Performance measurement What does management want from the security program? What constitutes success? This can only be done in conjunction with whoever commissioned the program. CISM Program Development Task 1: Develop & maintain plans to implement the InfoSec strategy. Source: IT Governance Institute
13 ISM is the point of escalation for security issues that may require investigation Security Management Program Overview Compliance Strategy Strategic Alignment with business/organization objectives Policy ISM writes and publishes Monitoring ISM reviews critical configurations on a periodic basis, and maintains metrics on security configuration and logs of user activity Implementation Awareness ISM conducts classes and publishes announcements Via the security review process as well as occasional security-specific projects, ISM contributes secure architecture, design, and engineering strategy
14 Risk Management is business driven and comprises: Credit Risk Market Risk Operational Risk Information technology Information Security
15 Information Security Risk Assessment All business functions have vulnerabilities, however Vulnerabilities!= Exploits Threats!= Exploits Vulnerabilities + Threats!= Exploits Vulnerabilities + Threats allow Exploits Exploits!= Damage Exploits + Service/Data/Financial Loss = Damage Controls minimize probability of Exploits Evaluation of expectation of damage must be continuous. Controls must be proportionate to damage expectation.
16 Risk/Reward Tradeoff IT Environment
17 Value Delivery Controls $ Controls Damage Damage IT Environment
18 Information Security Strategy Task 2: Specify the activities to be performed within the InfoSec program. Process Metrics Organizational workflow designed to achieve management goals for information protection. Measurable artifacts that demonstrate management goals for information protection are met. Both must be transparent enough to allow executive/business management to understand where & how support is required to maintain Information Security Objectives.
19 InfoSec Program Stages Use executive and stakeholder support to create steering committee Use steering committee to draft policy Create policy awareness and identify gaps Implement prevention, detection and correction processes STAGE 1 STAGE 2 STAGE 3 STAGE 4
20 Human Resources and Legal take the lead on many issues, Product Owners, Operations Managers contribute Operations Managers and Internal Audit have primary responsibility, Managers of platform maintenance contribute Security Management Program Contributors Compliance Monitoring Strategy Prevention Correction Detection Implementation Technology Steering Committee, Outsource Management, Legal, Physical Security, and other executive management Policy Awareness Subject Matter Experts, Technology Architects, Product Owners, Managers of Platform Maintenance, Systems Administrators, Operations Managers, Executive Assistants All stakeholders contribute Legal and Human Resources take the lead on many issues, Business Application and Data Owners, Operations and Product Managers reinforce
21 Human Resources and Legal take the lead on many issues, Product Owners, Operations Managers contribute Operations Managers and Internal Audit have primary responsibility, Managers of platform maintenance contribute Security Management Program Contributors Compliance Monitoring Strategy Prevention Correction Detection Implementation Technology Steering Committee, Outsource Management, Legal, Physical Security, and other executive management Policy Awareness Subject Matter Experts, Technology Architects, Product Owners, Managers of Platform Maintenance, Systems Administrators, Operations Managers, Executive Assistants All stakeholders contribute Legal and Human Resources take the lead on many issues, Business Application and Data Owners, Operations and Product Managers reinforce
22 InfoSec Resources Task 3: Ensure alignment between the InfoSec program & other assurance functions. Executive Management Steering Committee Chief Risk Officer Chief Privacy Officer Information Security Manager Director of IT Operations IT Site Operations Manager IT Implementation Management IT Subject Matter Experts Application Architects IT Project Managers IT Product Owners Security Administrators Business Application Owner Business Data Owner Procurement Manager Compliance Manager Physical Security Organization Compliance, Legal, HR take the lead on many issues, Product Owners, Site Operations Managers contribute Operations Managers and Internal Audit have primary responsibility, MDs of platform maintenance contribute Compliance Monitoring Strategy Implementation Technology Council in coordination with Outsource Management, IT Compliance, Information Protection Counselor, Physical Security, and other executive management Policy Awareness Subject Matter Experts, Application Architects, Product Owners, MDs of Platform Maintenance, Security Managers, Site Operations Managers, Digital Identity Liaisons All stakeholders contribute Legal, Compliance, and HR take the lead on many issues, Business Application and Data Owners, Project Managers reinforce
23 InfoSec Roles and Responsibilities Task 4: Identify internal & external resources required to execute the InfoSec program Where a person performs this role: Manages the lifecycle of IT applications and platforms An associated InfoSec process responsibility is: Security Review Participation Security Requirements Capture Application Security Design Change Control A sample key performance indicator is: Security-policy-compliant systems configuration Business requirements for confidentiality, integrity, and availability are documented Technical implementation plans for meeting business process security requirements Secure archive, retrieval, and compilation of organization-maintained source code and product customizations Security Upgrade Management Testing and application of security software fixes Procures IT services Security Requirements Capture Formal requirements for security in all Requests for Product Information and Proposals Contract Requirements Business requirements for confidentiality, integrity, and availability in information service provider and technology maintenance contracts Given realms of business operation, resource identification involves not only specifying areas of responsibilities, but also making use of existing business and operational process.
24 Segue into Architecture Task 5: Ensure the development of InfoSec architectures.
25 Security Controls Design
26 Efficiency and Effectiveness Outlook Inventory Strategy Internal Alerts Synthesis Compliance Monitoring Context Policy Awareness Implementation External Alerts From: Alert Service - Vulnerabilities Subject: VULNERABILITY ALERT!!! Date: 5/10/2006 1:20 PM Summary: A buffer overflow has been discovered in the XYZ software that can be exploited to gain administrative access. Impact: Denial of service; possible code execution Severity: 2 (Medium) Corrective Action: Administrators are advised to upgrade to the latest version of XYZ, Version 12.3, available at: ( ) END ALERT Best Practices ISO ISF ISACA Information Security Governance Establish and maintain a framework to provide assurance that information security strategies are aligned with the business objectives and consistent with applicable laws and regulations. Information Risk Management Identify and manage information security risks to achieve business objectives. Information Security Program Development Create and maintain a program to implement the information security strategy. Information Security Program Management Oversee and direct information security activities to execute the information security program. Incident Management and Response Plan, develop, and manage a capability to detect, respond to, and recover from information security incidents.
27 Best Practices Comparison Security Requirements Risk-Based Security Tests Risk Analysis External Review Abuse Cases Risk Analysis Code Review Penetration testing Security Operation Requirements and Use Cases Architecture and Design Test Plans Code Tests and Test Results Feedback from the Field Source: Software Security
28 Detailed Control Design/Assessments
29 Security Awareness Task 6: Establish, communicate, & maintain InfoSec policies that support the InfoSec strategy. Basic - applies to all, even if there is just one, e.g. Google Appliance, Stratus Architectural - warranted where data exposure warrants redundant controls Database Management Systems Network Telecommunications etc etc etc Operating System Platform - warranted where multiple instances warrant consistency UNIX Microsoft z/os etc etc etc Situational - applies to process more than technology Internet and Third Party Personal Computing Security Service Level Agreement Vendor Access etc etc etc Application - applies to business applications whether developed in house or externally
30 Security Training Task 7: Design and develop a program for InfoSec awareness, training, & education.
31 Layers of support Task 8: Ensure the development, communication, & maintenance of standards, procedures, & other documentation that support InfoSec policies. Policy Standards Graphic shows hierarchy rather than overlap required to enforce consistency. Procedures Guidelines
32 Security Controls Implementation Task 9: Integrate InfoSec requirements into the organization's processes & life cycle activities. Plan-Do-Check-Correct The COBIT version Plan-Secure-Confirm-Remediate A popular Software Vulnerability guide version Prepare-Detect-Respond-Improve Carnegie Mellon s CERT version Observe-Orient-Decide-Act A US Military version Restrict-Run-Recover A Big 4 consultant s version Compliance Monitoring Strategy Prevention Detection Correction Implementation Policy Awareness Source: COBIT
33 Security Service-level Agreements Task 10: Develop a process to integrate InfoSec controls into contracts.
34 Security Metrics Task 11: Establish metrics to evaluate the effectiveness of the InfoSec program.
35 Performance Measurement Cement the relationship between the InfoSec Program and IT Governance with meaningful report, such as: Risk Management: Stability and auditability of prevention measures. Incident Response and Recovery Preparedness. Value Delivery: Earned value analysis on projects plus overall trend analysis on the ISM portfolio, complete with updated projections based on variance analysis. Resource Management: Staffing, technology and organizational dependency data used in analysis of facilitation and/or impact to the security program. Performance measurement: Metrics that verify that control activities are achieving desired results. For example, an automated monitoring of security configuration and feedback on user anomaly reports
State of Louisiana Information Security Program CHARTER Date Published: 12, 09, 2015 Contents Executive Sponsors... 3 Program Owner... 3 Introduction... 4 Statewide Information Security Strategy... 4 Information
Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge
Information Security Manager: Architecture, Planning, and Governance (Instructor-led; 3 Days) Module I. Information Security Governance A. Introduction to Information Security Governance B. Overview of
CISM ITEM DEVELOPMENT GUIDE TABLE OF CONTENTS CISM ITEM DEVELOPMENT GUIDE Content Page Purpose of the CISM Item Development Guide 2 CISM Exam Structure 2 Item Writing Campaigns 2 Why Participate as a CISM
TERMS OF REFERENCE (TORs) OF CONSULTANTS - (EAG) Consultant - Enterprise Systems & Applications 1. Reporting Function. The Applications Consultant reports directly to the CIO 2. Qualification and Experience
Application for CISM Certification 4/2015 Requirements to Become a Certified Information Security Manager become a Certified Information Security Manager (CISM), an applicant must: 1. Score a passing grade
COMMUNIQUE 14-COM-002 July 14, 2014 Information Technology (IT) Governance Guidance The Credit Union Prudential Supervisors Association (CUPSA) has established an IT Risk Working Group to focus on IT governance
Certified Information Systems Auditor (CISA) Course Introduction Course Introduction Module 01 - The Process of Auditing Information Systems Lesson 1: Management of the Audit Function Organization of the
www.mpi.mb.ca CLASSIFICATION SPECIFICATION FORM Human Resources CLASSIFICATION TITLE: POSITION TITLE: (If different from above) DEPARTMENT: DIVISION: LOCATION: Executive Director Executive Director, Information
Architecture, Standards and Planning Branch Office of the CIO Province of BC Document Version 1.0 April 2015 Table of Contents 1.0 Document Control... 3 2.0 Introduction... 4 3.0 Roles and Responsibilities...
What is it and how to audit it 21 April 2009 Agenda Can you define What are the key objectives of How should be structured Roles and responsibilities Key challenges and barriers Auditing Scope Test procedures
1 ISACA - CISM Certified Information Security Manager Exam Set: 1, INFORMATION SECURITY GOVERNANCE Question: 1 Which of the following should be the FIRST step in developing an information security plan?
Information Security Governance: Designing and Implementing Security Effectively 2 nd Athens International Forum on Security 15 16 Jan 2009 Anestis Demopoulos, CISA, CISSP, CIA President of ISACA Athens
CISM (Certified Information Security Manager) Document version: 6.28.11 Important Note About CISM PDF techexams CISM PDF is a comprehensive compilation of questions and answers that have been developed
THE MARKET LEADER IN IT, SECURITY AND COMPLIANCE SERVICES FOR COMMUNITY FINANCIAL INSTITUTIONS The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant Agenda
Name of Approver: Mary Ann Blair Date of Approval: 23- FEB- 2015 Date of Review: 22- FEB- 2015 Effective Date: 23- FEB- 2015 Name of Reviewer: John Lerchey Table of Contents Table of Contents... 2 Introduction...
It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The
DRII/BCI Professional Practice Narrative: Establish the need for a Business Continuity Plan (BCP), including obtaining management support and organizing and managing the BCP project to completion. (This
Information Technology Manag gement Framework Roles and Respo onsibilities Version 1.2 Novemb ber 20122 ITM Roles and Version History Version ed By Revision Date Approved By Approval Date Description of
Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,
COBIT 5 For Cyber Security Governance and Management Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE) Cybersecurity Governance using COBIT5 Cyber Defence Summit Riyadh, KSA
Director, IT Security District Office Kern Community College District JOB DESCRIPTION Definition Reporting to the Chief Information Officer, the Director of IT Security develops and implements procedures,
Practical Approaches to Achieving Sustainable IT Governance Beyond Mandates: Getting to Sustainable IT Governance Best Practices Agenda IT Governance Definition IT Governance Principles IT Governance Decisions
"Introduction to Governance with CobiT4.1 and CobiTQuickstart" ISACA Joint Session San Francisco Chapter and Silicon Valley Chapter April 23, 2008 Debra Mallette CISA (Information Systems Audit and Control
DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014 Revision History Update this table every time a new edition of the document is published Date Authored
Governance and Management of Information Security Øivind Høiem, CISA CRISC Senior Advisor Information Security UNINETT, the Norwegian NREN About Øivind Senior Adviser at the HE sector secretary for information
Specialist Position Description February 9, 2015 Specialist Position Description February 9, 2015 Page i Table of Contents General Characteristics... 1 Career Path... 2 Explanation of Proficiency Level
Italy EY s Global Information Security Survey 2013 EY s Global Information Security Survey 2013 This year s survey our 16th edition captures the responses of 1,909 C-suite and senior level IT and information
Domain 5 Information Security Governance and Risk Management Security Frameworks CobiT (Control Objectives for Information and related Technology), developed by Information Systems Audit and Control Association
SHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE (2013-29) ON THIRD PARTY RELATIONSHIPS An overview of how the Shared Assessments Program SIG 2014
Organizational Structure What Works Evan Wheeler Director, Omgeo Session ID: PROF-001 Session Classification: Professional Development Once you have gotten past the first few months, you will be presented
Cybersecurity Audit Why are we still Vulnerable? November 30, 2015 John R. Robles, CISA, CISM, CRISC www.johnrrobles.com email@example.com 787-647-3961 John R. Robles- 787-647-3961 1 9/11-2001 The event
State of South Carolina Initial Security Assessment Deloitte & Touche LLP Date: May 1, 2013 Our services were performed in accordance with the Statement on Standards for Consulting Services that is issued
Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Business Continuity Management Standard for IT Systems This standard is applicable to all VCU School of Medicine
Enterprise Security Architecture for Cyber Security M.M.Veeraragaloo 5 th September 2013 Outline Cyber Security Overview TOGAF and Sherwood Applied Business Security Architecture (SABSA) o o Overview of
Microsoft s Compliance Framework for Online Services Online Services Security and Compliance Executive summary Contents Executive summary 1 The changing landscape for online services compliance 4 How Microsoft
Presented by Mike O. Villegas, CISA, CISSP Agenda Information Security (IS) Vision at Newegg.com Typical Issues at Most Organizations Information Security Governance Four Inter-related CoBIT Domains ISO
ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework
INFOTEC Overview Department of Information and Technology Management Introduction The Information and Technology Management Department (INFOTEC) is responsible for providing modern, secure, fit for purpose
State of South Carolina Policy Guidance and Training Policy Workshop Small Agency Threat and Vulnerability Management Policy May 2014 Agenda Questions & Follow-Up Policy Workshop Overview & Timeline Policy
White Paper Achieving GLBA Compliance through Security Information Management White Paper / GLBA Contents Executive Summary... 1 Introduction: Brief Overview of GLBA... 1 The GLBA Challenge: Securing Financial
Information Technology Capability Maturity Model Information Security Managing The Risk Introduction Information Security continues to be business critical and is increasingly complex to manage for the
Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face
OCCUPATIONAL GROUP: Information Technology CLASS FAMILY: Security CLASS FAMILY DESCRIPTION: This family of positions provides security and monitoring for the transmission of information in voice, data,
MONITORING AND VULNERABILITY MANAGEMENT PCI COMPLIANCE JUNE 2014 COMPLIANCE SCHEDULE REQUIREMENT PERIOD DESCRIPTION REQUIREMENT PERIOD DESCRIPTION 8.5.6 As Needed 11.1 Monthly 1.3 Quarterly 1.1.6 Semi-Annually
Security Services A Solution for Providing BPM of Security Services within the Enterprise Environment. First steps towards Next Generations Operations (OPS) to drive Gross Margin Dear security colleagues,
Office of the Chief Information Officer Business Plan: 2012 2015 Department / Ministère: Executive Council Date: November 15, 2012 1 P a g e This Page Left Intentionally Blank 2 P a g e Contents The Business
Office of the Auditor General Performance Audit Report Statewide UNIX Security Controls Department of Technology, Management, and Budget December 2015 State of Michigan Auditor General Doug A. Ringler,
Certification and Training CSE 4471: Information Security Instructor: Adam C. Champion Autumn Semester 2013 Based on slides by a former student (CSE 551) Outline Organizational information security personnel
Government FISCAL PLAN RESPONSE TO THE AUDITOR GENERAL OCTOBER 2015 127 TABLE OF CONTENTS RESPONSE TO THE AUDITOR GENERAL October 2015.... 129 128 RESPONSE TO THE AUDITOR GENERAL FISCAL PLAN 2016 19 RESPONSE
CRISC Glossary Term Access control Access rights Application controls Asset Authentication The processes, rules and deployment mechanisms that control access to information systems, resources and physical
Project Audit & Review Checklist The following provides a detailed checklist to assist the PPO with reviewing the health of a project: Relevance (at this time) Theory & Practice (How relevant is this attribute
Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction
IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225
SECURITY RISK MANAGEMENT ISACA Atlanta Chapter, Geek Week August 20, 2013 Scott Ritchie, Manager, HA&W Information Assurance Services Scott Ritchie CISSP, CISA, PCI QSA, ISO 27001 Auditor Manager, HA&W
IT Governance Regulatory Perspective P.K.Patel AGM, MoF Agenda What is IT Governance? Aspects of IT Governance What banks should consider before implementing these aspects? What banks should do for implementation
LINUX / INFORMATION SECURITY CERTIFICATE IN LINUX SYSTEM ADMINISTRATION The Linux open source operating system offers a wide range of graphical and command line tools that can be used to implement a high-performance,
Vendor: Isaca Exam Code: CISM Exam Name: Certified Information Security Manager Version: DEMO QUESTION 1 Senior management commitment and support for information security will BEST be attained by an information
Certified Information Security Manager 2011 Candidate s Guide to the CISM Exam and Certification 2 CISM Exams 2011 Important Date Information Exam Date 11 June 2011 Early registration deadline: 9 February
#L09 Without Which None: Key Data Points for IT Governance Metrics Jennifer Bayuk, CISA, CISM, CGEIT Independent Information Security Consultant www.bayuk.com Session Content 1. How to compartmentalize
Utica College Information Security Plan Author: James Farr (Information Security Officer) Version: 1.0 November 1 2012 Contents Introduction... 3 Scope... 3 Information Security Organization... 4 Roles
2014 Vendor Risk Management Benchmark Study Introduction/Executive Summary You can have all the security in the world inside your company s four walls, but all it takes is a compromise at one third-party
Guide for the Role and Responsibilities of an Information Security Officer Within State Government Table of Contents Introduction 3 The ISO in State Government 4 Successful ISOs Necessary Skills and Abilities
Based on 2008 Survey of 255 Non-IT CEOs/Executives > 50% Ranked ITG as very important > 75% of businesses consider ITG to be an integral part of enterprise governance, but the overall maturity level is
An enterprise grade information security & forensic technical team 1-647-892-3363 About Us Pyramid Cyber Security & Forensic (P) Limited is an ISO 9001-2008 and ISO 27001-2005 certified boutique Digital
Developing the Corporate Security Architecture www.avient.ca Alex Woda July 22, 2009 Avient Solutions Group Avient Solutions Group is based in Markham and is a professional services firm specializing in
Business Continuity Plan October 2007 Agenda Business continuity plan definition Evolution of the business continuity plan Business continuity plan life cycle FFIEC & Business continuity plan Questions
EMC PERSPECTIVE Information Management Shared Services Framework Reader ROI Information management shared services can benefit life sciences businesses by improving decision making by increasing organizational
HKITPC Competency Definition for the Certification copyright 2011 HKITPC HKITPC Competency Definition Document Number: HKCS-CD-L1L2 Version: 1.0 Date: June 2011 Prepared by Hong Kong IT Professional Certification
1 VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 2 Agenda Introduction Vendor Management what is? Available Guidance Vendor Management
Feature Developing an Information Security and Risk Management Strategy John P. Pironti, CISA, CISM, CGEIT, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC. He has designed and implemented enterprisewide
IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach. Gunnar Wahlgren 1, Stewart Kowalski 2 Stockholm University 1: (firstname.lastname@example.org), 2: (email@example.com) ABSTRACT
Revised October 2013 Version 3.0 (Live) Page 0 Owner: Chief Examiner CONTENTS: 1. Introduction..2 2. Foundation Certificate 2 2.1 The Purpose of the COBIT 5 Foundation Certificate.2 2.2 The Target Audience
Risk Assessment Check List Information Security Policy 1. Information security policy document Does an Information security policy exist, which is approved by the management, published and communicated
Effective Software Security Management choosing the right drivers for applying application security Author: Dharmesh M Mehta firstname.lastname@example.org / email@example.com Table of Contents Abstract... 1
Overview for Chief Executive Officers and Boards of Directors In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed
Evaluation Report Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review April 30, 2014 Report Number 14-12 U.S. Small Business Administration Office of Inspector General
IT Compliance 24.09. AHS After Hours Seminar Zurich Improving IT Risk & Compliance Management (RCM) Bruno J. Wiederkehr Member of the Board ISACA Switzerland Chapter Agenda 1. Understanding the RCM Requirements
Volume 3, July 2014 Come join the discussion! Alberto León Lozano will respond to questions in the discussion area of the COBIT 5 Use It Effectively topic beginning 21 July 2014. Mapping COBIT 5 with IT
Ecom Infotech Page 1 of 6 Page 2 of 6 IBM Q Radar SIEM Intelligence 1. Security Intelligence and Compliance Analytics Organizations are exposed to a greater volume and variety of threats and compliance