Domain 5 Information Security Governance and Risk Management

Transcription

1 Domain 5 Information Security Governance and Risk Management Security Frameworks CobiT (Control Objectives for Information and related Technology), developed by Information Systems Audit and Control Association (ISACA) and IT Governance Institute (ITGI), consists of four domains: Plan and Organize Acquire and Implement Deliver and Support Monitor and Evaluate CobiT was derived from the COSO framework developed by the Committee of Sponsoring Organizations of the Treadway Commission to combat financial frauds CobiT IT governance Operational level COSO Corporate governance Strategic level ISO 17799, derived from British Standard 7799, is an internationally recognized information security management standard ISO/IEC series of standards, updated from ISO 17799, serve as blueprints for organizations who want to develop their security programs, addressing the following ten domains: Information security policy for the organization Creation of information security infrastructure Asset classification and control Personnel security Physical and environmental security Communications and operations management Access control

2 System development and maintenance Business continuity management Compliance ITIL (Information Technology Infrastructure Library) is the de facto standard of best practices for IT service management CobiT and COSO provide the what is to be achieved, whereas ITIL (see Domain 9) and ISO/IEC series provide the how Information Risk Management Risk Management: the process of identifying, analyzing and assessing, mitigating, or transferring risk First phase: Second phase: Risk: the potential for harm or loss is best expressed as the answers to the four key questions: What could happen? If happened, how bad could it be? How often could it happen? How certain are the answers to the first three questions? Risk Analysis Definition: The process of analyzing a target environment and the relationships of its risk- related attributes [HBH03] The process of measuring or rating the likelihood of the undesirable event occurring and the expected severity of the event [Whe11, p.47] Steps of a risk analysis: Step 1: Assign value to assets For each asset, answer the following questions: What is its value in the company?

3 How much did it cost to acquire or develop? How much does it cost to maintain? How much does it make in profits for the company? How much would it be worth to the competition? How much would it cost to re- create or recover? How much liability do you face if the asset is compromised? «Amount of insurance required to cover the asset is NOT a concern Steps 2: Estimate potential loss per threat Some of the questions are: How much would the damage cost? What is the value lost if critical devices fail or confidential info is disclosed? What is the cost of recovering from the threat? What is the single loss expectancy for each asset corresponding to each threat? Step 3: Perform a threat analysis Gather info about the likelihood of each threat by examining past records and official security resources that provide this kind of data Calculate the annualized rate of occurrence Step 4: Derive the overall annualized loss potential per threat Combine potential loss and probability Calculate the annualized loss expectancy per threat, using info from the past three steps Choose remedial measures to counteract each threat Carry out cost/benefit analysis on the identified countermeasures Step 5: Mitigate, transfer, avoid, or accept the risk

4 Risk Assessment Definition: The assignment of value to assets, annualized loss expectancy, exposure factors, etc. [HBH03] The function of identifying the threats and vulnerabilities of a given resource, articulating the risk, and the rating that risk exposure on a given scale [Whe11, p.47] Methodologies [Har10]: NIST SP Focuses on computer systems NIST SP Originally created for the healthcare industry FRAP (Facilitated Risk Analysis Process) Qualitative risk assessment OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) Risk evaluation for information security AS/NZS 4360 Much broader, non- IT- centric approach to risk management Risk Evaluation: the function of determining the proper steps to manage that risk, whether they be to accept, mitigate, transfer, or avoid the risk exposure Exposure Factor: the subjective, potential percentage of loss to a specific asset if a specific threat is realized Single Loss Expectancy = Asset Value Exposure Factor Annualized Loss Expectancy = Single Loss Expectancy Annualized Rate of Occurrence Tangible Assets: IT facilities, hardware, media, supplies, documentation, IT staff budgets that support the storage,

5 processing, and information delivery to the user communication Intangible Assets, aka Information Assets, can be divided into categories: Replacement costs for data and software The value of the confidentiality, integrity, and availability of information Information Classification Classification controls Some common controls: Strict and granular access control for all levels of sensitive data and programs Encryption of data while stored or in transmission Auditing and monitoring Separation of duties Periodic reviews of classification levels Backup and recovery procedures Change control procedures Physical security protection Information flow channels Data dictionary review Proper disposal actions, e.g., shredding, degaussing, etc. File and file system permissions Marking and labeling (for documents, digital media, etc.) Data classification procedures The organization should understand the different levels of protection that must be provided, before it can develop the necessary classification levels it will use Define classification levels Specify the criteria that will determine how data are classified Have the data owner indicate the classification of his/her data

6 Identify the data custodian who will be responsible for maintaining the data Indicate the security controls or protection mechanisms, required for each classification level Document any exception to the previous classification issues Indicate procedures for declassifying data Integrate these issues into the security- awareness program so all employees understand how to handle data at different classification levels Layers of Responsibility Chief Information Officer Reports to the CEO or CFO Becoming more strategic than operational Responsible for [Har10]: business- process management revenue generation how business strategy can be accomplished with the company s underlying technology Chief Privacy Officer Reports to the Chief Security Officer A recently created position, usually assigned to an attorney Responsible for [Har10]: ensuring that customer, company, and employee data are kept safe setting policies on how data are collected, protected, and released to third parties International requirements: If the organization is exchanging data with European entities, it may need to adhere to the safe harbor requirements

7 Global organizations moving data across country borders must follow the OECD Guidelines and transborder information flow rules Chief Security Officer Reports to? Usually a businessperson in a large organization (while the Chief Information Security Officer has an IT background) Responsible for [Har10]: understanding the organization s business drivers creating and maintaining a security program that facilities these drivers understanding the risks that the company faces mitigating the risks to an acceptable level ensuring compliance with regulations and law, customer expectations and contractual obligations IS Security Steering Committee Headed by the CEO, the committee comprises the CFO, CIO, department managers, chief internal auditor and other people from all over the organization, and should meet at least every 3 months Responsible for [Har10]: determine priorities of security initiatives based on business needs defining the acceptable risk level for the organization developing security objectives and strategies reviewing risk assessment and auditing reports monitoring the business impact of security risks reviewing major security breaches and incidents approving any major change to the security policy and program Audit Committee Appointed by the board of directors

8 Responsible for [Har10]: the integrity of the company s financial statements and other financial information provided to stockholders and others the company s system of internal controls the engagement and performance of the independent auditors the performance of the internal audit function compliance with legal requirements and company policies regarding ethical conduct Information Owner (Data Owner [Har10]) A business executive or business manager responsible for [HBH03]: assigning initial information classification periodically reviewing the classification to ensure it meets business needs ensuring security controls are in place commensurate with the classification determining the security requirements, access criteria, and backup requirements for the information assets reviewing and ensuring currency of the access rights associated with the information assets perform or delegate: approval of access requests from other business units approval of disclosure of information backup and recovery duties, if not already assigned to custodian act on notifications received concerning security violations against their information assets Information Custodian (Data Custodian [Har10]) An IT or operations person responsible for [HBH03]: performing backups according to the backup requirements established by the Information Owner

9 when necessary, restoring lost of corrupted information backup media performing related management functions as required to ensure availability of the information to the business ensuring record retention requirements are met based on the Information Owner s analysis Note: It is the Information Owner, rather than the Information Custodian, who determines the security requirements of the information assets, and ensures the necessary security controls are in place. The Security Administrator administers access rights on the Information Owners behalf. System Owner Personnel responsible for [Har10]: integrating security considerations into application and system purchasing decisions and development projects ensuring that adequate security is being provided by the necessary controls, password management, remote access controls, operating system configurations, and so on ensuring the systems are properly assessed for vulnerabilities and must report any to the incident response team and Information Owners Application Owner Manager of the business unit who is accountable for the performance of the business function served by the application, responsible for [HBH03]: establishing user access criteria and availability requirements of their applications ensuring the security controls associated with the application are commensurate with the highest level of information classification used by the application perform or delegate: day- to- day security administration in conjunction with the organization s security policy

10 approval of exception access requests appropriate actions on security violations when notified by security administration review and approval of all changes to the application prior to being placed in the production environment verification of the currency of user access rights to the application User Manager (Supervisor [Har10]) The immediate manager or supervisor of an employee responsible for [HBH03]: informing the Security Administrator of the transfer or termination of any employee reporting any security incident or suspected incident to Information Security ensuring the currency of user ID information such as employee ID and account information receiving and distributing initial passwords for newly created user IDs educating employees with regard to security policies, procedures, and standard for which they are accountable Note: The User Manager, rather than the Security Administrator, distributes the initial passwords. Security Administrator Any company employee who owns and administrative user ID responsible for [HBH03]: understanding the different data environments and the impact of granting access to them ensuring access requests are consistent with the policies and security guidelines administering access rights according to criteria established by Information Owners creating and removing user IDs as directed by the User Manager

11 administering the system security within the scope of their job description and functional responsibilities distributing and following up (with Information Owners) on security violation reports Security Analyst Strategic (design- level, not implementation- level) personnel responsible for [Har10, HBH03]: developing security policies, standards, and guidelines, as well as various baselines providing data security design input, consulting, and review developing a basic understanding of the information to ensure proper controls are implemented Change Control Analyst Personnel responsible for [HBH03]: analyzing the requested changes to the IT infrastructure, and determining the impact on applications, databases, data- related tools, etc. Data Analyst Personnel responsible for [HBH03]: designing data structure to meet business needs designing physical database structure creating and maintaining logical data models based on business requirements providing technical assistance to Information Owners in developing data architectures recording metadata in the data library creating, maintaining, and using metadata to effectively manage database deployment Solution Provider Aka integrator, application provider, programmer, IT provider whose responsibilities are [HBH03]:

12 working with Data Analysts to ensure that the application and data will work together to meet business needs giving technical requirements to Data Analysts to ensure performance and reporting requirements are met Process Owner Personnel responsible for the management, implementation, and continuous improvement of a process [HBH03], by: ensuring that data requirements are defined to support the business process (NOT done by Information Owners) working with Information Owners to define and champion data quality program for data within the process resolving data- related issues that span applications within business processes Product Line Manager Personnel who (in short) for evaluates different products in the market, works with vendors, researches available options, and advises management and business units on the suitable solutions [Har10] Detailed responsibilities [HBH03]: translating business requirements into product requirements working with vendor/user to ensure product meets requirements monitoring new releases working with stakeholders when movement to a new release is required ensuring new software releases are evaluated and upgrades are planned for an properly implemented ensuring compliance with software license agreements monitoring performance of production against business expectations analyzing product usage, trends, options, and competitive sourcing, etc., to identify actions needed to meet project demands

13 Note: Product Line Managers advise on purchase; System Owners make sure their systems are secure; Application Owners control access to their applications. References [EC10] EC- Council, Network Defense: Security and Vulnerability Assessment, Cengage Learning, [Gup02] M. Gupta, Storage Area Network Fundamentals, Cisco Press, [HBH03] S. Hansche, J. Berti, and C. Hare, Official (ISC)2 Guide to the CISSP Exam, Auerbach Publications, [Har10] S. Harris, CISSP All- in- One Exam Guide, Fifth Edition, McGraw- Hill Osborne Media, [Tip09] H. F. Tipton, Official (ISC)2 Guide to the CISSP CBK, Second Edition, Auerbach Publications, [Whe11] E. Wheeler, Security Risk Management : Building an Information Security Risk Management Program from the Ground Up, Syngress, 2011.