FRAMEWORK. Continuous Process Improvement Risk, Information Security, and Compliance

Similar documents
ISO Controls and Objectives

ISO27001 Controls and Objectives

ISO 27002:2013 Version Change Summary

INFORMATION TECHNOLOGY SECURITY STANDARDS

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Newcastle University Information Security Procedures Version 3

Managing Network-related Risk for SMEs

Information Shield Solution Matrix for CIP Security Standards

Supplier Security Assessment Questionnaire

Supplier Information Security Addendum for GE Restricted Data

INFORMATION SYSTEMS. Revised: August 2013

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

HIPAA Security Alert

How To Protect Decd Information From Harm

University of Aberdeen Information Security Policy

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Risk Assessment Guide

HIPAA Compliance Evaluation Report

Network Security Policy

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

Course: Information Security Management in e-governance

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

Mike Casey Director of IT

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

Information Security Policy Manual

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)

Music Recording Studio Security Program Security Assessment Version 1.1

April 21, 2009 Dines Bjørner: MITS: Models of IT Security: 1. c Dines Bjørner 2006, Fredsvej 11, DK 2840 Holte, Denmark

Information Security Management. Audit Check List

University of Pittsburgh Security Assessment Questionnaire (v1.5)

security policy Purpose The purpose of this paper is to outline the steps required for developing and maintaining a corporate security policy.

Version 1.0. Ratified By

Policy Document. IT Infrastructure Security Policy

UF IT Risk Assessment Standard

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

Service Children s Education

VMware vcloud Air HIPAA Matrix

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Security Controls What Works. Southside Virginia Community College: Security Awareness

GAO INFORMATION SECURITY. Weak Controls Place Interior s Financial and Other Data at Risk. Report to the Secretary of the Interior

Hengtian Information Security White Paper

FINAL May Guideline on Security Systems for Safeguarding Customer Information

ULH-IM&T-ISP06. Information Governance Board

Solution Brief for ISO 27002: 2013 Audit Standard ISO Publication Date: Feb 6, EventTracker 8815 Centre Park Drive, Columbia MD 21045

Client Security Risk Assessment Questionnaire

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

CTR System Report FISMA

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics

Does it state the management commitment and set out the organizational approach to managing information security?

POLICIES. Campus Data Security Policy. Issued: September, 2009 Responsible Official: Director of IT Responsible Office: IT Central.

Third Party Security Requirements Policy

Estate Agents Authority

IT OUTSOURCING SECURITY

ADEC GROUP INFORMaTiON SecURiTY AND CONTROLS

Network Security: Policies and Guidelines for Effective Network Management

Analysis of Information Security Management Systems at 5 Domestic Hospitals with More than 500 Beds

Library Systems Security: On Premises & Off Premises

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

Acceptance Page 2. Revision History 3. Introduction 14. Control Categories 15. Scope 15. General Requirements 15

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

HIPAA Compliance Review Analysis and Summary of Results

Managing internet security

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Data Management Policies. Sage ERP Online

Guide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR

Information Systems and Technology

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

HIPAA Security. assistance with implementation of the. security standards. This series aims to

How to Practice Safely in an era of Cybercrime and Privacy Fears

ISSeG Integrated Site Security for Grids

Intel Enhanced Data Security Assessment Form

RISK ASSESSMENT GUIDELINES

Information Technology Acceptable Use Policies

Information Resources Security Guidelines

Altius IT Policy Collection Compliance and Standards Matrix

Physical Security Policy

INFORMATION SECURITY PROCEDURES

Better secure IT equipment and systems

Using the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6

1B1 SECURITY RESPONSIBILITY

Central Agency for Information Technology

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

LogRhythm and NERC CIP Compliance

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

Wellesley College Written Information Security Program

IT - General Controls Questionnaire

Information Security Team

Information Technology Branch Access Control Technical Standard

BCS IT User Syllabus IT Security for Users Level 2. Version 1.0

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session One Information Security and Challenges

Rotherham CCG Network Security Policy V2.0

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Transcription:

FRMEWORK Continuous Process Improvement Risk, Information Security, and Compliance The pragmatic, business-oriented, standardsbased methodology for managing information. CPI-RISC Information Risk Framework v1.3, Feb 2012

Contents Summary 1 Overview 2 Management 3 Legal 4 Finance 5 Purchasing 6 Personnel 7 Facilities 8 IT pplication 9 IT Service 10 Document Information 14

Information Risk Framework Summary The CPI-RISC 1 Information Risk Framework (IRF) was developed as a tool to assess and treat information- and IT-related s. The IRF is based on ISO 27001 2, ISO 27002 3, and the SNS Institute 20 Critical Security Controls 4. dditionally, the IRF is built on the premise that information management is an organizational issue, not exclusively an IT issue. There are three potential problems with existing management and information security standards: 1. IT-oriented structure: Standards are written and structured for information security or IT professionals. This structure is inefficient for non-it professionals to decipher and implement. 2. Complexity: Standards are often lengthy and complex. For example, ISO 27002 has 133 controls organized into 12 sections in 128 pages. s a result of the length and complexity, standards can be difficult to understand by non-technical business managers. 3. Lack of prioritization: Standards typically don t offer concrete guidance in how to prioritize. In order to create an effective security program, it is essential to be able to identify s with the highest priority. The CPI-RISC IRF provides a sensible solution to these problems: 1. Business-oriented structure: The IRF is written and organized for nontechnical business managers. The framework is organized into 8 different business functions that cross the entire organization: - management - personnel - legal - facilities - finance - information technology: application development - purchasing - information technology: services 2. Simplified: The IRF defines 33 areas, categorized into 8 business functions in 12 pages. Information areas for most business functions are defined on a single page. 3. Prioritized: The IRF specifies priority levels for each area, making it more efficient to identify high s: SUMMRY - (high priority) - B (medium priority) - C (low priority) Used with the CPI-RISC Methodology, the CPI-RISC IRF can be part of an efficient and effective assessment program. 1 The Continuous Process Improvement Risk, Information Security, and Compliance (CPI-RISC) methodology is a pragmatic, standards-based, businessoriented approach to information security. CPI-RISC was developed by NOUVEL Strategies and is available for use under the Creative Commons cc-by-sa license. http://cpi-risc.org/ 2 ISO/IEC 27001:2005: Information technology Security techniques Information security management systems Requirements. widely used information security standard. 3 ISO/IEC 27002:2005: Information technology Security techniques Code of practice for information security management. well-respected definition of best practice for information security. 4 The SNS Institute 20 Critical Security Controls were defined by a government/industry consortium to help organizations focus their efforts on security controls that block known attacks. http://www.sans.org/critical-security-controls/ 2012 NOUVEL Strategies Sàrl 1 / 14

OVERVIEW Information Risk Framework Overview The CPI-RISC Information Risk Framework (IRF) defines 33 areas with priority levels, categorized into 8 business functions 1. Management MGT1 MGT2 MGT3 Information management Information security management Compliance management MGT4 Business continuity MGT5 Legal LEG1 Finance Security organization Legal, regulatory, and contractual compliance FIN1 Financial fraud FIN2 Information access control Purchasing PUR1 Third party PUR2 PUR3 Information asset management Software license management Personnel PER1 Pre-employment PER2 Employee B C B IT application development IT1 Development process IT2 pplication-related B IT service ITS1 Data center ITS2 Operational integrity and availability ITS3 Disaster-related ITS4 Network-related ITS5 System-related ITS6 Identity-related ITS7 Malicious software ITS8 ITS9 ITS10 ITS11 ITS12 ITS13 ITS14 Mobile worker-related Third party service management Message service-related Web/eCommercerelated Security incident-related Storage media-related Service planning-related B B B B B C PER3 Post-employment B Facilities FC1 Site-related physical FC2 FC3 Equipment-related physical Workspace-related physical B C 1 The CPI-RISC Methodology specifies that organizations should customize and adapt the business functions, areas, and priority levels of the CPI-RISC IRF as appropriate. 2 / 14 2012 NOUVEL Strategies Sàrl

Management Information areas that are the responsibility of general management. MGT1 Information management Overall associated with not assessing and treating information. Risk controls include: - performing periodic information- and IT-related assessments - developing and approving treatment plan Step 1 of CPI-RISC ISO 27001:2005 4.2.1d-h MGT2 Information security management Overall associated with not managing information security. Risk controls include: - developing and maintaining an information security policy that addresses the organization s information- and ITrelated s - management support for information security Step 2 of CPI-RISC ISO 27001:2005.5.1.1,.5.1.2,.6.1.1 MGT3 Compliance management Overall associated with not auditing or assessing information security. Risk controls include: - performing periodic, independent reviews of information security - using automated, technical assessment tools Step 3 of CPI-RISC ISO 27001:2005.6.1.8,.15.2.1,.15.2.2; SNS CC10, CC17 MGT4 Business continuity Risk of disruptive event negatively impacting business. Disruptive events could include natural disasters, severe weather, or labor disputes. Risk controls include: - developing and testing business continuity plans ISO 27001:2005.14.1.4,.14.1.5 MGT5 Security organization C Risk of not being able to manage information- and ITrelated s due to a lack of organization and coordination. Risk controls include: - coordinating activities between different business functions - defining information security responsibilities ISO 27001:2005.6.1.2,.6.1.3 MNGEMENT 2012 NOUVEL Strategies Sàrl 3 / 14

LEGL Legal Information areas that are the responsibility of the legal department. LEG1 Legal, regulatory, and contractual compliance Risk of noncompliance with legal, regulatory, or contractual requirements for information security. Includes national laws as well as contractual obligations to customers. Risk controls include: - verifying compliance with national laws and regulations - verifying compliance with data protection and privacy law - verifying compliance with legal requirements for records retention - verifying compliance with contracts for services provided to customers ISO 27001:2005.6.2.2,.15.1.1,.15.1.3,.15.1.4 4 / 14 2012 NOUVEL Strategies Sàrl

Finance Information areas that are the responsibility of the finance department. FIN1 Financial fraud Risk of financial fraud. Includes theft of money from the organization by manipulating finance-related processes. Risk controls include: - segregating duties and areas of responsibilities - eliminating job duties that create a conflict of interest, particularly with finance-related jobs ISO 27001:2005.10.1.3; SNS CC9 FIN2 Information access control and management Risk of improper information access or modification. Risk controls include: - preventing unauthorized or unintentional access, modification, or misuse of information assets - developing and enforcing an ccess Control Policy and cceptable Use Policy - ongoing maintenance and monitoring of access and access rights ISO 27001:2005.7.1.3..7.2.1,.11.1.1,.11.2.4 FINNCE 2012 NOUVEL Strategies Sàrl 5 / 14

PURCHSING Purchasing Information areas that are the responsibility of the purchasing department. PUR1 Third party Risk of information assets being accidentally or maliciously compromised by third party service providers. Includes network service providers, IT support service providers, outsourced software development, and temp or contract workers provided by staffing agencies. Risk controls include: - identifying areas with third party providers - ensuring that third parties are contractually obligated to protect information assets - addressing security with outsourced software development contracts ISO 27001:2005.6.2.1,.6.2.3,.12.5.5 PUR2 Information asset management Risk of losing information assets by inadequate asset management. Risk controls include: - maintaining a current inventory of all information assets and asset owners - ensuring appropriate labeling and handling for sensitive information assets ISO 27001:2005.7.1.1,.7.1.2,.7.2.2; SNS CC1 PUR3 Software license management B Risk of unlicensed commercial software. Includes legal as well as availability (self-disabling software). Risk controls include: - maintaining purchase records for all licensed software - ensuring software is being used according to license agreements ISO 27001:2005.15.1.2; SNS CC2 6 / 14 2012 NOUVEL Strategies Sàrl

Personnel Information areas that are the responsibility of the personnel department. PER1 Pre-employment Risk of hiring malicious employees who will compromise information assets. Risk controls include: - defining security roles and responsibilities in job descriptions - requiring signed confidentiality agreements - requiring signed employment contracts - performing background checks for sensitive positions ISO 27001:2005.6.1.5,.8.1.1,.8.1.2,.8.1.3 PER2 Employee B Risk of information assets being accidentally or maliciously compromised by employees. Risk controls include: - awareness programs for new workers - periodic awareness program updates for all workers - periodic security training for workers with information security responsibilities ISO 27001:2005.8.2.2; SNS CC20 PER3 Post-employment B Risk of terminated employees compromising information assets. Risk controls include: - utilizing a formal worker termination procedure - verifying information assets are returned - verifying access rights are removed and user accounts are deleted ISO 27001:2005.8.3.1,.8.3.2,.8.3.3 PERSONNEL 2012 NOUVEL Strategies Sàrl 7 / 14

FCILITIES Facilities Information areas that are the responsibility of the facilities department. FC1 Site-related physical Risk of theft of information assets from buildings or business locations due to a lack of physical security. Risk controls include: - defining a physical security perimeter - installing and maintaining keyed or electronic door locks - requiring workers and visitors to wear identification badges - maintaining a physical or electronic access log - protecting buildings or business locations from external and environmental threats, including fire, flood, earthquakes, and civil unrest - ensuring delivery and loading areas are secure ISO 27001:2005.9.1.1,.9.1.2,.9.1.4,.9.1.6 FC2 Equipment-related B Risk of theft of workstations, laptops, or PDs (or information from such devices) due to a lack of physical security. Risk controls include: - preventing loss, damage, theft, or compromise of equipment - ensuring that equipment leaves the premises via a formal process - ensuring secure equipment disposal ISO 27001:2005.9.2.1,.9.2.6,.9.2.7 FC3 Workspace-related C Risks due to theft of information from a work area. Risk controls include: - protecting unattended equipment - keeping desks and screens clear ISO 27001:2005.11.3.2,.11.3.3 8 / 14 2012 NOUVEL Strategies Sàrl

IT application development pplication development-related information areas that are the responsibility of the IT department. IT1 Development process Risk of security vulnerabilities in software due to a flawed software development process. Risk controls include: - analyzing security requirements for business systems - using formal change control to manage the development process - using a formal system acceptance process to document and test operational requirements of new systems ISO 27001:2005.10.3.2,.12.1.1,.12.5.1 IT2 pplication-related B Risk of leaked information or incorrect results due to software flaws. Risk controls include: - detecting errors in input data - preventing errors in output data - utilizing cryptography to prevent the inadvertent disclosure of data ISO 27001:2005.12.2.1,.12.2.4,.12.3.1; SNS CC7 IT PPLICTION 2012 NOUVEL Strategies Sàrl 9 / 14

IT SERVICE IT service Service-related information areas that are the responsibility of the IT department. ITS1 Data center Risk of inability to use server room or data center due to inadequate data center management. Risk controls include: - locating data processing equipment in locations that are discreetly located and physically secure - requiring management approval for all new data processing facilities - ensuring adequate supporting utilities in data processing facilities - ensuring secure cabling in data processing facilities - ensuring equipment maintenance is contracted and performed in data processing facilities ISO 27001:2005.6.1.4,.9.1.3,.9.1.5,.9.2.2,.9.2.3,.9.2.4 ITS2 Operational integrity and availability Risk of loss of integrity or use of IT resources due to inadequate documentation, change management, or monitoring. Risk controls include: - documenting operating procedures - using formal change management to ensure stable operations - separating development, test, and production environments - maintaining and analyzing system event and log files - protecting system log files ISO 27001:2005.10.1.1,.10.1.2,.10.1.4,.10.10.1,.10.10.2,. 10.10.3,.10.10.6; SNS CC6 ITS3 Disaster Risk of loss of use of IT resources due to a disruptive event. Disruptive events could include natural disasters, hackers, application errors, or user error. Risk controls include: - creating backup copies of data - storing backups in a secure, offsite location - developing and testing a disaster recovery plan ISO 27001:2005.10.5.1,.14.1.3; SNS CC19 ITS4 Network-related Risk of attack of IT resources via the network due to inadequate network security or network flaws; of inability to use network or network services. Risk controls include: - implementing a securely designed network - implementing a securely designed wireless network - implementing a securely designed network perimeter - using secure network device configurations - preventing unauthorized access to network services ISO 27001:2005.10.6.1,.10.6.2,.11.4.1,.11.4.5,.11.4.6,. 11.4.7; SNS CC4, CC5, CC13, CC14, CC16 10 / 14 2012 NOUVEL Strategies Sàrl

ITS5 System-related Risk of attack of IT resources via the operating system due to inadequate system security or system flaws; of inability to use systems or application services. Risk controls include: - implementing securely configured systems - maintaining a configuration management database - implementing an operating system and application patch management system - controlling the use of operating system and application privileges ISO 27001:2005.11.2.2,.12.4.1,.12.5.2,.12.6.1; SNS CC3, CC8 ITS6 Identity-related Risk of unauthorized access or modification of information resources due to inadequate management of user accounts and passwords. Risk controls include: - assigning user accounts and passwords securely - requiring secure logon to all systems and applications - implementing good password management - monitoring account usage ISO 27001:2005.11.2.1,.11.2.3,.11.3.1,.11.5.1,.11.5.3; SNS CC11 ITS7 Malicious software Risk of unauthorized access or modification of information resources due to inadequate protection against malicious software attack; of inability to access IT resources due to inadequate protection against malicious software attack. Risk controls include: - installing and maintaining anti-virus software on applicable devices ISO 27001:2005.10.4.1; SNS CC12 ITS8 Mobile worker-related Risk of unauthorized access or modification of information resources due to inadequate protection of mobile computing resources. Risk of theft of mobile devices. Includes laptop systems, PDs, and smartphones. Risk controls include: - maintaining an inventory of mobile devices - providing appropriate security for mobile devices - providing appropriate security for mobile workers using mobile devices in unprotected environments - requiring strong authentication for remote access to information resources ISO 27001:2005.9.2.5,.9.2.7,.11.4.2,.11.7.1 2012 NOUVEL Strategies Sàrl 11 / 14

ITS9 Third party service management B Risk of information assets being accidentally or maliciously compromised due to inadequate management and monitoring of third party providers. Limited to IT service providers. Risk controls include: - ensuring compliance with service level agreements (SLs) - monitoring third party service providers - verifying the information security provided by third parties ISO 27001:2005.10.2.1,.10.2.2,.10.2.3 ITS10 Message service-related B Risk of unauthorized access to messages due to inadequately secured message system. Includes email, instant messaging, and any other messaging systems in use. Risk controls include: - protecting Email systems - limiting unsolicited bulk Email (Spam) - protecting instant messaging and other messaging systems ISO 27001:2005.10.8.4 ITS11 Web/eCommerce-related B Risk of unauthorized access or modification to information in web-based or ecommerce-based applications due to inadequate security. Risk controls include: - providing secure web or ecommerce services - providing secure online transaction processing (OLTP) services ISO 27001:2005.10.9.1,.10.9.3 ITS12 Security incident-related B Risk of loss of use of IT resources due to inadequate response to and escalation of security incidents. Risk controls include: - using an incident handling procedure for promptly managing events - reporting security weaknesses and vulnerabilities ISO 27001:2005.13.1.1,.13.1.2; SNS CC18 12 / 14 2012 NOUVEL Strategies Sàrl

ITS13 Storage media-related B Risk of loss or exposure of confidential data due to inadequate management of storage media. Includes USB keys, memory cards, magnetic media, and optical media. Risk controls include: - managing the use of removable media or storage devices - providing for the secure disposal of media - providing for the secure transportation of media ISO 27001:2005.10.7.1,.10.7.2,.10.8.3; SNS CC15 ITS14 Service planning-related C Risk of loss of use of IT resources due to inadequate capacity planning. Risk controls include: - ensuring the availability of future computing resources - ensuring the availability of future infrastructure ISO 27001:2005.10.3.1 2012 NOUVEL Strategies Sàrl 13 / 14

Document Information CPI-RISC Information Framework v 1.3, Feb 2012 Lead uthor: Jim Herbeck Managing Partner, NOUVEL Strategies Sàrl Member of Faculty, The SNS Institute dvisory Board Member, CCSIE, Geneva School of Business dminsitration Legal: The Continuous Process Improvement Risk, Information Security, and Compliance (CPI-RISC) methodology was developed by NOUVEL Strategies Sàrl in conjunction with the Business Information Security Competency Center (CCSIE) at the Geneva School of Business dministration (HEG). The CPI-RISC Information Framework is available for use under the Creative Commons cc-by-sa license. See license at http://cpi-risc.org/ Limit of Liability/Disclaimer of Warranty: While the publishers and authors have used their best efforts in preparing this work, they make no representations or warranties with respect to the accuracy or completeness of its contents and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. The CPI-RISC methodology specifies that this work is to be adapted to be made appropriate for use by different organizations. You should consult with an information security professional where appropriate. Neither the publishers nor authors shall be liable for any loss of profit or any other commercial damages, including, but not limited to, special, incidental, consequential, or other damages.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information