Information Security and Risk Management

Transcription

1 Information Security and Risk Management COSO and COBIT Standards and Requirements Page 1

2 Topics Information Security Industry Standards and COBIT Framework Relation to COSO Internal Control Risk Management IT and Security Concepts COBIT and COSO Perspectives Monitoring Procedural and Technical Page 2

3 Information Security Some Industry Standards International Standards Organization (ISO) Series Information Security Forum (ISF) Standard of Good Practice for Information Security National Institutes of Standards and Technology (NIST) Payment Card Industry Data Security Standard (PCI DSS) SANS Top 20 Controls Page 3

4 Information Security - Definition ISACA defines information security as something that: Ensures that within the enterprise, information is protected against disclosure to unauthorized users (confidentiality), improper modification (integrity), and non-access when required (availability). Page 4

5 COBIT 5 for Information Security Extended view of COBIT 5 Explains each component from information security perspective Provides: Guidance on drivers and benefits Principles from an information security perspective Enablers for support Alignment with standards Page 5

6 COBIT 5 for Information Security Policy Framework Input Information Security Principles Information Security Policy Specific Information Security Policies Information Security Procedures Information Security Requirements and Documentation Mandatory Information Security Standards, Frameworks and Models Generic Information Security Standards, Frameworks and Models Source: COBIT 5 for Information Security, figure ISACA All rights reserved Page 6

7 Information Security and COBIT 5 Information Security Principles Support The Business Defend the Business Promote Responsible Information Security Behavior Information Security Policy Scope including: A definition for the enterprise Responsibilities Vision, with appropriate goals and metrics Page 7

8 Information Security and COBIT 5 (Cont.) Policy Driven by Information Security Access Control Personnel Information Security Policy Physical and Environmental Information Security Policy Policy Driven by the Enterprise including: Business Continuity and Disaster Recovery Acceptable Use Communication and Operations Risk Management Page 8

9 Information Security and COSO Control Environment Principal 1: The organization demonstrates a commitment to integrity and ethical values Principal 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives Principal 5: The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives Page 9

10 Information Security and COSO (cont.) Risk Assessment Principal 6: Identifies and analyzes risk Principal 9: Identifies and analyzes change Control Activities Principal 12: Deploys policies and procedures Monitoring Activities Principal 16: Conducts evaluations Evaluates and communicates deficiencies Page 10

11 COBIT 5 and PCI DSS PCI DSS 3.0 Requirements Page 11

12 COBIT 5 Security and PCI DSS COBIT 5 Enabling Processes Page 12

13 COBIT 5 Security and PCI DSS Example Mapping Page 13

14 Risk Management Page 14

15 Current Threats Statistics Top 5 Threat Actions 1) Use of Stolen Credentials (hack) 2) Export Data (malware) 3) Phishing (social engineering) 4) Ram Scraper (malware) 5) Backdoor (malware) Source: Verizon Data Breaches Investigative Report 2014 Page 15

16 Current Threats Statistics Top 5 Breach Incident Methods 1) 35% Web App Attacks 2) 22% Cyber-espionage 3) 14% POS Intrusions 4) 9% Card Skimmers 5) 8% Insider Misuse Source: Verizon Data Breaches Investigative Report 2014 Page 16

17 Risk Management Have you assessed the risk of your IT environment? For example, your Internal Controls may prevent an employee from creating fraudulent checks, but... Is your (or your customer s) information being siphoned off the network? Page 17

18 Risk Management (cont.) The Goal of an IT Risk Assessment Define threats and potential threats (internal or external) Identify areas that are not adequately protected Identify areas that do not meet regulatory requirements (compliance) Understand the security impact of new technologies Page 18

19 Risk Management (cont.) Identify Threats and Vulnerabilities Critical Asset Known Threats Vulnerabilities Information, Server, Website Cyber attack, DDOS attack, Staff errors Internal network not patched; external defenses weak Page 19

20 Risk Management (cont.) Rank the risk to each asset Likelihood or Probability How likely is the threat to occur? Or how likely is the vulnerability to be exploited? Severity or Impact What would be the cost to the business? Consider downtime, brand name, cost of recovery, and cost of penalties. Page 20

21 Risk Management (cont.) One way to rank risks (time for some math) Probability (%) = Likelihood of threat occurring and being successful (Threat + Vulnerability) Impact (1-5, where 5 is highest impact) = Actual or anticipated cost to the business Risk = Probability X Impact Page 21

22 Monitoring Page 22

23 Incident Discovery Remember the threats from earlier? 98% of all attacks lead to a compromise in LESS THAN 1 DAY! Only 25% of all companies detected the compromise in less than 1 day *Median days to discovery 229 DAYS! Sources: Verizon Data Breaches Investigative Report 2014 *Mandiant M-Trends 2014 Report Page 23

24 Monitoring COSO Monitoring and COBIT 5 16 The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. MEA02 The COBIT 5 Processes enabler guidance specifically addresses monitoring, evaluation and assessment of internal control adequacy (COBIT 5 process MEA02 Monitor, evaluate and assess the system of internal control). 17 The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. EDM05 MEA02 In addition to MEA02, COBIT 5 process EDM05 Ensure stakeholder transparency includes practices and activities to evaluate, direct and monitor stakeholder reporting and communication requirements, including those related to control deficiencies, to senior management and the board, as appropriate. Page 24

25 Monitoring Network Activity Network Monitoring It is necessary to understand your network If you do not know what is on your network, you cannot defend it effectively. If you do not know how devices on your network are configured and set up, you cannot know how to protect and secure them. --Dr. Eric Cole, recent inductee to the Infosecurity Europe Hall of Fame Page 25

26 Monitoring Network Activity Don t forget to look inside Your network There s a whole network behind your firewall Page 26 Page 26

27 Monitoring Network Activity Look inside your network to discover Malicious software, trojan horses, spam-bots, etc. All phone home to a command and control (C2) system Watch your outgoing traffic, not just incoming Page 27 Page 27

28 Page 28