Implementing Information Security Policies and Standards. A Real Life Example

Similar documents
Board of Directors Meeting 12/04/2010. Operational Risk Management Charter

A Best Practice Guide

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v

HIPAA and Mental Health Privacy:

Cybersecurity for Nonprofits: How to Protect Your Organization's Data While Still Fulfilling Your Mission. June 25, 2015

Compliance Policy ALCO recommended standard

Why you should adopt the NIST Cybersecurity Framework

IT Vendor Due Diligence. Jennifer McGill CIA, CISA, CGEIT IT Audit Director Carolinas HealthCare System December 9, 2014

HIPAA PRIVACY FOR EMPLOYERS A Comprehensive Introduction. HIPAA Privacy Regulations-General

The Legal Pitfalls of Failing to Develop Secure Cloud Services

INFORMATION SECURITY STRATEGIC PLAN

Managing Risk at Bank of America Corporation. Overview

The New Zealand Human Services Quality Framework - ISO9002:2008 to 2012

Pharmaceutical Compliance and Regulatory Congress 2009

Standards of. Conduct. Important Phone Number for Reporting Violations

Contact: Henry Torres, (870)

Our Commitment to Information Security

Enterprise-Wide Risk Assessment

ISE Northeast Executive Forum and Awards

HIPAA and HITECH Compliance for Cloud Applications

A Guide to Successfully Implementing the NIST Cybersecurity Framework. Jerry Beasley CISM and TraceSecurity Information Security Analyst

Vendor Management: An Enterprise-wide Focus. Susan Orr, CISA CISM CRISC CRP Susan Orr Consulting, Ltd.

VENDOR MANAGEMENT. General Overview

Fraud Prevention and Deterrence

The Changing IT Risk Landscape Understanding and managing existing and emerging risks

Audit, Risk Management and Compliance Committee Charter

Cyber Risks in the Boardroom

fs viewpoint

APPLICATION OF KING III CORPORATE GOVERNANCE PRINCIPLES 2014

BOARD OF DIRECTORS MANDATE

CISM (Certified Information Security Manager) Document version:

Citation for published version (APA): Berthing, H. H. (2014). Vision for IT Audit Abstract from Nordic ISACA Conference 2014, Oslo, Norway.

Question: 1 Which of the following should be the FIRST step in developing an information security plan?

Information Security ISO Standards. Feb 11, Glen Bruce Director, Enterprise Risk Security & Privacy

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS. I. Introduction 2. II. Definitions 3

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

RISK AND COMPLIANCE COMMITTEE CHARTER

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

BUSINESS PRINCIPLES FOR COUNTERING BRIBERY A MULTI-STAKEHOLDER INITIATIVE LED BY TRANSPARENCY INTERNATIONAL

Risk Assessment & Enterprise Risk Management

ASTRAZENECA GLOBAL POLICY SAFEGUARDING COMPANY ASSETS AND RESOURCES

University of Sunderland Business Assurance Information Security Policy

SUMMARY OF POSITION ROLE/RESPONSIBILITIES:

Breaking Down the Silos: A 21st Century Approach to Information Governance. May 2015

Framework for Enterprise Risk Management

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS)

INSTITUTIONAL COMPLIANCE PLAN

MISSION VALUES. The guide has been printed by:

3 August 2012 Policy updated to reflect name changes and alignment with current Aurora Energy Group Policy standards.

Title: Data Security Policy Code: Date: rev Approved: WPL INTRODUCTION

How To Write A Risk Management Policy For The University Of Kerry

How To Manage Information Security At A University

How To Ensure Health Information Is Protected

Preventing Fraud: Assessing the Fraud Risk Management Capabilities of Today s Largest Organizations

Standards for the Professional Practice of Internal Auditing

Audit and Risk Committee Charter. 1. Membership of the Committee. 2. Administrative matters

Health Sciences Compliance Plan

Board means the Board of Directors of each of Scentre Group Limited, Scentre Management Limited, RE1 Limited and RE2 Limited.

University of Rhode Island IT Governance

Avondale College Limited Enterprise Risk Management Framework

APPLICATION OF THE KING III REPORT ON CORPORATE GOVERNANCE PRINCIPLES

Cybersecurity. Considerations for the audit committee

Anti-Money Laundering controls in Mergers & Acquisitions

Practice Guide COORDINATING RISK MANAGEMENT AND ASSURANCE

From Information Management to Information Governance: The New Paradigm

U.S. CORPORATE ETHICS AND COMPLIANCE POLICY

ADMINISTRATIVE POLICY # (2014) Information Security Roles and Responsibilities

Board Charter. HCF Life Insurance Company Pty Ltd (ACN ) (the Company )

Navigating the NIST Cybersecurity Framework

Feature. Developing an Information Security and Risk Management Strategy

CHARTER OF THE BOARD OF DIRECTORS

Information Security Program

Mobile App Developer Agreements

Sarbanes-Oxley Control Transformation Through Automation

UC PRIVACY AND INFORMATION SECURITY STEERING COMMITTEE OCTOBER 25, 2010

Third Party Risk Management 12 April 2012

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Conflicts of Interest Policy

The Cybersecurity Journey How to Begin an Integrated Cybersecurity Program. Version 1.0 March 2005

Generally Accepted Recordkeeping Principles

State of Minnesota. Enterprise Security Strategic Plan. Fiscal Years

GUIDANCE FOR MANAGING THIRD-PARTY RISK

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry

Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5

Corporate policy statement on ethical business practices of BCD Travel

Information Security Plan May 24, 2011

Transcription:

Implementing Information Security Policies and Standards A Real Life Example Bruce W. Edwards Manager Audit and Assurance - TAS

What we will review 1. Understand InfoSec, why should we? 2. Assess Your organisation s situation 3. Act Address your organisation s situation 4. Maintain Appropriate Information Security which supports privacy

Understand InfoSec, why should we? Recent events check the media! Example - The GCIO security review was prompted by a specific security breach involving MSD kiosks The GCIO security review identified wide-ranging and systemic IT security and privacy issues Subsequent security and privacy breaches (ACC ) in the public sector heightened the need for attention The day to day BAU environment! Is this a surprise? Understand the situation at your organisation

Why InfoSec Policies and Standards? Understanding the Challenges Information Security Research #1 #2 Academics Clinical UofL Donor Fund Raising Athletics Administration Requirements, Responsibilities and Expectations

Why InfoSec Policies and Standards? Understanding the Challenges Information Security Government Suppliers and business partners Clients, Consumers, the Public Your organisation Competitors (Opportunists) Senior Management Employees Requirements, Responsibilities and Expectations

Understand Why do we need InfoSec Policies and Standards? A common foundation to address and/or support Regulations, laws, requirements NZISM, PCI-DSS, contracts, GCIO mandate, Official Information Act 1982, Health Information Privacy Code 1994, Mental Health (Compulsory Assessment and Treatment) Act 1992, Intellectual Disability (Compulsory Care and Rehabilitation) Act 2003, Health Act 1956, Health and Disability Services Consumers Rights Regulations 1996, Public Records Act 2005, Privacy Act 1993, Official Information Act, other legislation/regulation Expectations Stakeholders, customers, clients, sponsors, partners/collaborators, shareholders, our constituents, media, the public Efficiency Unified approach is more effective, less confusing, easier to understand Well designed polices and standards are ultimately an enabler Numerous areas, similar requirements and expectations

Understand Why Policies and Standards? What is a policy? (from http://www.m-w.com/) 1 a : prudence or wisdom in the management of affairs b : management or procedure based primarily on material interest 2 a : a definite course or method of action selected from among alternatives and in light of given conditions to guide and determine present and future decisions b : a high-level overall plan embracing the general goals and acceptable procedures especially of a governmental body UofL InfoSec: High level requirement statement or paragraph about a type of technology or behavior in the IS/IT/ICT environment.

Understand Why Policies and Standards? What are standards? A required approach for conducting an activity or task, utilizing a product, etc. Many times a standard is a best practice that must be followed to have a better chance of overall success. From: www.tensteppb.com/90.1glossary.htm) -and/or-? What about good enough? Descriptive requirements for a behavior based policy.

Understand Why Policies and Standards? Procedures: Clear steps to follow to accomplish specific tasks or behave in certain ways. Procedures should support organization, contractual, regulatory and/or statutory obligations and requirements. Examples: - Set-up a software firewall - Encrypting sensitive email

Understand Why Policies and Standards? What good are policies? What would an organisation look like without any policies and standards? Policies and Standards: Set the foundation for compliance expectations of constituents (employees, senior management, faculty, staff, students, partners, collaborators, vendors, etc.)

Understand So what s the goal? UofL s objectives were: Not over restrictive An organisation with consistent, common-sense policies that: 1. Pass muster in the event of a regulatory review or audit and 2. Allow flexibility for academic, research and Support organisational strategy operational requirements 3. while supporting the required CIA (confidentiality, integrity and availability) of sensitive information.

Assess Establish InfoSec policies and standards for the organization What should be included? Guidance adequate to meet the organisation s risk tolerance relative to InfoSec risks (incidents, legal and regulatory exposure, lost business, PR ) To be effective, must take into account: 1. Strategic Alignment 2. Risk Assessment and Management 3. Value Delivery

Assess 1. Strategic Alignment Establish InfoSec policies and standards for the organization Align InfoSec with business strategy (support organisational objectives) We are in this together! Account for culture, governance style, technology, organisational structure Tone from the top - executive support!

Assess Establish InfoSec policies and standards for the organization 2. Risk Assessment and Management Identify InfoSec risks to the organization Understand exposure to consequences of adverse events Risk mitigation only to acceptable levels of residual risk Educate - Risk acceptance (inaction is acceptance)

Assess Establish InfoSec policies and standards for the organization 2. Risk Assessment and Management Sensitive Information? Sensitive information is information of a confidential or proprietary nature as well as other information that would not be routinely published for unrestricted public access or where disclosure is prohibited by laws, regulations, contractual agreements or company University policy. Sensitive information includes but is not limited to information such as medical and health records, grades and other enrollment information, credit card, bank account and other financial information, social security numbers, personal addresses, phone numbers, etc. Note: Sensitive information does not include personal information of a particular individual which that individual elects to reveal.

Assess Establish InfoSec policies and standards for the organization 3. Value Delivery Standard security baseline InfoSec policies, standards, procedures now aligned with business objectives and risk tolerance $ Supports InfoSec investments congruent with business objectives and risk tolerance Information Security Supports Privacy

Assess Establish InfoSec policies and standards for the organization 3. Value Delivery Policy and Standard Adoption BEWARE: Now we are done with that! Review Buy-in Official Adoption

Assess Establish InfoSec policies and standards for the organization * Sufficient mgt buy-in * Legitimacy of policy source * Adequacy of policies * Mgt understanding of trade-offs (stringent vs increased risk) * Motivation/incentive to follow policy * Encompasses relevant laws, regs, accepted practice * Adequate resources * One size fits all approach Policy Pitfalls to Beware! * Marketing, awareness, training (training attendance, user ability) * Regular review and updating * Policy compliance monitoring and auditing * Policy and business goals alignment * Underlying documentation (procedures) * On-going risk assessment to foster continued examination * Proactive vs reactive

Assess Where was UofL? Information Security Policies, Standards and Procedures: - Disjointed - Hap-hazard - Delineation between Policy, Standard, Procedure not always clear, not consistent - Each policy evolved organically to fit a perceived need at the time (not a structured approach)

Assess Information Security Policies, Standards and Procedures: - Not part of a cohesive, consistent and unified package - Not organised, no clear cohesion to policies - Hard to find Where was UofL? - Not effectively communicated to all constituents - Policies written/implemented in a manner not conducive to academic constituent support

Assess Where was UofL? Information Security Policies, Standards and Procedures: - Old policies DID NOT allow for the possibility of self-direction (with regards to technology) within a structured framework - Unclear and/or inconsistent sanctions - Sanction enforcement, what is that? - Unclear Senior Management Support Different InfoSec policy Approaches: General or specific Technology neutral or specific - Highly variable support within the organization

Act Where is UofL now? - Support from Senior Management - Received support for consistently enforced sanctions - Radical approach (for UofL) for this cohesive whole: * As technology neutral as possible Policy defines expectations for a technology but not the specific technology that must be used * Overall Policies and Standards Not written for a specific regulation (example: HIPAA) but inclusive of regulatory requirements

Act Policy and Standards Adoption Process Review and comments from representatives of the University Strategic Technology Executive Committee (Fall 2005) Audit Services (Winter 2005-2006) InfoSec Awareness Team (Spring 2006) InfoSec Policy Review Group (Spring 2006) ATC Policy Review Subcommittee (Summer 2006) Information and Data Security Task Force (Fall 2006) General Counsel (Fall 2006) Approved! Research Deans (January 9, 2007) Council of Academic Officers (March 21, 2007) Research Compliance Committee (April 2, 2007) HSC Compliance Oversight Committee (April 19, 2007) Tier 1 Personnel (all, via e-mail, May 9, 2007) Business Advisory Group (May 18, 2007) Strategic Technology Executive Committee (June 1, 2007) Compliance Oversight Council (July 23, 2007)

Act Where is UofL now? Policy and Standard Framework General Accounts and Usage Computing Devices Network Services Data Centers and Facilities

Act Policy and Standards Overview Encryption IS PS018

Act Policy and Standards Overview

Maintain Strategy for Policy and Standards Implementation 1. Educate and Encourage Use Training Awareness Consulting 2. Improve Compliance using Consulting Auditing and Monitoring, Assessment, Adjustment Enforcement 3. Maintain Policy Relevance using Self Assessment/audit Feedback Adjustment

Maintain Awareness Efforts include Annual Cyber-Security Awareness Week

Maintain

Summing up UofL became An organisation with consistent, common-sense policies that: 1. Pass muster in the event of a regulatory review or audit and 2. Allow flexibility for academic, research and operational requirements 3. while supporting the required CIA (confidentiality, integrity and availability) of sensitive information.

Final points to ponder 1. On-going process of continuous improvement, no guarantees. 2. Diligence, education, awareness (at all levels) can provide a defensible position for compliance risk while supporting our organisations in doing their work effectively. 3. Policies and standards are a key part of this. ------ 4. Tone from the Top Most important: Executive leadership by example 5. Training and Awareness! More important than fancy technology 6. Technology Use technology effectively, not as a substitute for #1 or #2!

Questions? Bruce W. Edwards CIA, CISA, CISM, CRISC Manager Audit and Assurance TAS/DHBSS Bruce@BruceEdwards.net.nz BEdwards@centraltas.co.nz http://www.centraltas.co.nz

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information