Domain 5: Information Security Governance and Risk Management

Security Frameworks

CobiT (Control Objectives for Information and related Technology), developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI), consists of four domains:
- Plan and Organize
- Acquire and Implement
- Deliver and Support
- Monitor and Evaluate

CobiT was derived from the COSO framework, developed by the Committee of Sponsoring Organizations of the Treadway Commission to combat financial fraud.

  CobiT   IT governance          Operational level
  COSO    Corporate governance   Strategic level

ISO 17799, derived from British Standard 7799, is an internationally recognized information security management standard.

The ISO/IEC 27000 series of standards, updated from ISO 17799, serves as a blueprint for organizations that want to develop their security programs, addressing the following ten domains:
- Information security policy for the organization
- Creation of information security infrastructure
- Asset classification and control
- Personnel security
- Physical and environmental security
- Communications and operations management
- Access control
- System development and maintenance
- Business continuity management
- Compliance

ITIL (Information Technology Infrastructure Library) is the de facto standard of best practices for IT service management.

CobiT and COSO provide the "what" (what is to be achieved), whereas ITIL (see Domain 9) and the ISO/IEC 27000 series provide the "how".

Information Risk Management

Risk Management: the process of identifying, analyzing and assessing, mitigating, or transferring risk.
- First phase:
- Second phase:

Risk: the potential for harm or loss; it is best expressed as the answers to four key questions:
- What could happen?
- If it happened, how bad could it be?
- How often could it happen?
- How certain are the answers to the first three questions?

Risk Analysis

Definition:
- The process of analyzing a target environment and the relationships of its risk-related attributes [HBH03]
- The process of measuring or rating the likelihood of the undesirable event occurring and the expected severity of the event [Whe11, p.47]

Steps of a risk analysis:

Step 1: Assign value to assets
For each asset, answer the following questions:
- What is its value to the company?
- How much did it cost to acquire or develop?
- How much does it cost to maintain?
- How much does it make in profits for the company?
- How much would it be worth to the competition?
- How much would it cost to re-create or recover?
- How much liability do you face if the asset is compromised?
The amount of insurance required to cover the asset is NOT a concern.

Step 2: Estimate potential loss per threat
Some of the questions are:
- How much would the damage cost?
- What is the value lost if critical devices fail or confidential information is disclosed?
- What is the cost of recovering from the threat?
- What is the single loss expectancy (SLE) for each asset corresponding to each threat?

Step 3: Perform a threat analysis
- Gather information about the likelihood of each threat by examining past records and official security resources that provide this kind of data
- Calculate the annualized rate of occurrence (ARO)

Step 4: Derive the overall annualized loss potential per threat
- Combine potential loss and probability
- Calculate the annualized loss expectancy (ALE) per threat, using information from the previous three steps
- Choose remedial measures to counteract each threat
- Carry out a cost/benefit analysis on the identified countermeasures

Step 5: Mitigate, transfer, avoid, or accept the risk
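The five steps above, carried through in code as an added example (this is not code from the notes or from the cited books). It uses the standard quantitative formulas, SLE = asset value × exposure factor and ALE = SLE × ARO, estimates ARO from a count of past incidents over an observation period, and then applies the cost/benefit test from Step 4 (ALE before the safeguard minus ALE after it minus the safeguard's annual cost) to recommend mitigate, accept or transfer in Step 5. All asset values, exposure factors, incident counts and safeguard costs are constructed, hypothetical figures; the class and function names are the example's own.

```python
"""Quantitative risk analysis worked example (constructed data, not from any source).

Steps: (1) value the asset, (2) estimate loss per threat as SLE = AV x EF,
(3) threat analysis: ARO from past records, (4) ALE = SLE x ARO plus a
cost/benefit check of candidate safeguards, (5) mitigate / accept / transfer.
"""
from dataclasses import dataclass, field


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value x Exposure Factor (EF is a fraction 0.0-1.0)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(incidents: int, years: float) -> float:
    """ARO estimated from past records: incidents observed / years observed.
    A zero count only means none were recorded; it is not proof the threat cannot occur."""
    if years <= 0:
        raise ValueError("observation period must be positive")
    return incidents / years


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO."""
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Cost/benefit: (ALE before) - (ALE after) - (annual cost of safeguard).
    Positive means the safeguard saves more per year than it costs."""
    return ale_before - ale_after - annual_cost


@dataclass
class Safeguard:
    name: str
    annual_cost: float   # purchase plus maintenance, spread per year
    residual_ef: float   # EF remaining once the control is in place
    residual_aro: float  # ARO remaining once the control is in place


@dataclass
class Threat:
    name: str
    exposure_factor: float
    incidents: int       # incidents found in past records
    years: float         # length of the record in years
    safeguards: list = field(default_factory=list)


@dataclass
class Asset:
    name: str
    value: float         # step 1: value assigned to the asset
    threats: list = field(default_factory=list)


def analyze(asset: Asset) -> list:
    """Steps 2-5 for every threat against one asset; one result record per threat."""
    results = []
    for threat in asset.threats:
        sle = single_loss_expectancy(asset.value, threat.exposure_factor)
        aro = annualized_rate_of_occurrence(threat.incidents, threat.years)
        ale = annualized_loss_expectancy(sle, aro)
        best = None  # (safeguard name, value) of the most cost-effective candidate
        for sg in threat.safeguards:
            ale_after = annualized_loss_expectancy(
                single_loss_expectancy(asset.value, sg.residual_ef), sg.residual_aro)
            value = safeguard_value(ale, ale_after, sg.annual_cost)
            if best is None or value > best[1]:
                best = (sg.name, value)
        if best is not None and best[1] > 0:
            action = f"mitigate with {best[0]}"
        else:
            action = "accept (no cost-justified safeguard) or transfer"
        results.append({"threat": threat.name, "sle": sle, "aro": aro, "ale": ale,
                        "best_safeguard": best[0] if best else None,
                        "safeguard_value": best[1] if best else None,
                        "action": action})
    return results


# Constructed sample register: hypothetical figures, not a real assessment.
CUSTOMER_DB = Asset(
    name="customer database server", value=500_000.0,
    threats=[
        Threat("ransomware", exposure_factor=0.6, incidents=2, years=4,
               safeguards=[Safeguard("offline backups + EDR", 40_000.0, 0.1, 0.25),
                           Safeguard("network segmentation", 20_000.0, 0.6, 0.25)]),
        Threat("disk failure", exposure_factor=0.2, incidents=1, years=5,
               safeguards=[Safeguard("RAID + spare disks", 5_000.0, 0.02, 0.2)]),
        Threat("datacenter flood", exposure_factor=0.9, incidents=0, years=10,
               safeguards=[Safeguard("relocate to second site", 150_000.0, 0.0, 0.0)]),
    ])

if __name__ == "__main__":
    for row in analyze(CUSTOMER_DB):
        print(f"{row['threat']:<18} SLE={row['sle']:>9,.0f} ARO={row['aro']:.2f} "
              f"ALE={row['ale']:>9,.0f}  -> {row['action']}")
```

In the sample register the ransomware threat has the largest ALE (150,000 per year) and the backup/EDR safeguard is the better of its two candidates because it cuts both EF and ARO; the flood threat has an ALE of zero on the record alone, so the relocation safeguard fails the cost/benefit test and the example falls back to accept-or-transfer, which is where official threat data beyond the organization's own records (Step 3) should be brought in before deciding.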
Risk Assessment

Definition:
- The assignment of value to assets, annualized loss expectancy, exposure factors, etc. [HBH03]
- The function of identifying the threats and vulnerabilities of a given resource, articulating the risk, and rating that risk exposure on a given scale [Whe11, p.47]

Methodologies [Har10]:
  NIST SP 800-30                                                                Focuses on computer systems
  NIST SP 800-66                                                                Originally created for the healthcare industry
  FRAP (Facilitated Risk Analysis Process)                                      Qualitative risk assessment
  OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)   Risk evaluation for information security
  AS/NZS 4360                                                                   Much broader, non-IT-centric approach to risk management

Risk Evaluation: the function of determining the proper steps to manage that risk, whether they be to accept, mitigate, transfer, or avoid the risk exposure.

Exposure Factor (EF): the subjective, potential percentage of loss to a specific asset if a specific threat is realized.

Single Loss Expectancy (SLE) = Asset Value × Exposure Factor
Annualized Loss Expectancy (ALE) = Single Loss Expectancy × Annualized Rate of Occurrence (ARO)

Tangible Assets: IT facilities, hardware, media, supplies, documentation, and IT staff budgets that support the storage, processing, and delivery of information to the user community.

Intangible Assets, aka Information Assets, can be divided into categories:
- Replacement costs for data and software
- The value of the confidentiality, integrity, and availability of information

Information Classification

Classification controls
Some common controls:
- Strict and granular access control for all levels of sensitive data and programs
- Encryption of data while stored or in transmission
- Auditing and monitoring
- Separation of duties
- Periodic reviews of classification levels
- Backup and recovery procedures
- Change control procedures
- Physical security protection
- Information flow channels
- Data dictionary review
- Proper disposal actions, e.g., shredding, degaussing, etc.
- File and file system permissions
- Marking and labeling (for documents, digital media, etc.)

Data classification procedures
The organization should understand the different levels of protection that must be provided before it can develop the classification levels it will use.
- Define classification levels
- Specify the criteria that will determine how data are classified
- Have the data owner indicate the classification of his/her data
- Identify the data custodian who will be responsible for maintaining the data
- Indicate the security controls or protection mechanisms required for each classification level
- Document any exceptions to the previous classification issues
- Indicate procedures for declassifying data
- Integrate these issues into the security-awareness program so all employees understand how to handle data at different classification levels

Layers of Responsibility

Chief Information Officer (CIO)
- Reports to the CEO or CFO
- Becoming more strategic than operational
- Responsible for [Har10]:
  - business-process management
  - revenue generation
  - how business strategy can be accomplished with the company's underlying technology

Chief Privacy Officer (CPO)
- Reports to the Chief Security Officer
- A recently created position, usually assigned to an attorney
- Responsible for [Har10]:
  - ensuring that customer, company, and employee data are kept safe
  - setting policies on how data are collected, protected, and released to third parties
- International requirements:
  - If the organization is exchanging data with European entities, it may need to adhere to the safe harbor requirements
  - Global organizations moving data across country borders must follow the OECD Guidelines and transborder information flow rules

Chief Security Officer (CSO)
- Reports to?
- Usually a businessperson in a large organization (while the Chief Information Security Officer has an IT background)
- Responsible for [Har10]:
  - understanding the organization's business drivers
  - creating and maintaining a security program that facilitates these drivers
  - understanding the risks that the company faces
  - mitigating the risks to an acceptable level
  - ensuring compliance with regulations and law, customer expectations, and contractual obligations

IS Security Steering Committee
- Headed by the CEO, the committee comprises the CFO, CIO, department managers, the chief internal auditor, and other people from all over the organization, and should meet at least every 3 months
- Responsible for [Har10]:
  - determining the priorities of security initiatives based on business needs
  - defining the acceptable risk level for the organization
  - developing security objectives and strategies
  - reviewing risk assessment and auditing reports
  - monitoring the business impact of security risks
  - reviewing major security breaches and incidents
  - approving any major change to the security policy and program

Audit Committee
- Appointed by the board of directors
- Responsible for [Har10]:
  - the integrity of the company's financial statements and other financial information provided to stockholders and others
  - the company's system of internal controls
  - the engagement and performance of the independent auditors
  - the performance of the internal audit function
  - compliance with legal requirements and company policies regarding ethical conduct

Information Owner (Data Owner [Har10])
A business executive or business manager responsible for [HBH03]:
- assigning the initial information classification
- periodically reviewing the classification to ensure it meets business needs
- ensuring security controls are in place commensurate with the classification
- determining the security requirements, access criteria, and backup requirements for the information assets
- reviewing and ensuring the currency of the access rights associated with the information assets
- performing or delegating:
  - approval of access requests from other business units
  - approval of disclosure of information
  - backup and recovery duties, if not already assigned to the custodian
- acting on notifications received concerning security violations against their information assets

Information Custodian (Data Custodian [Har10])
An IT or operations person responsible for [HBH03]:
- performing backups according to the backup requirements established by the Information Owner
- when necessary, restoring lost or corrupted information from backup media
- performing related management functions as required to ensure the availability of the information to the business
- ensuring record retention requirements are met based on the Information Owner's analysis

Note: It is the Information Owner, rather than the Information Custodian, who determines the security requirements of the information assets and ensures the necessary security controls are in place. The Security Administrator administers access rights on the Information Owners' behalf.

System Owner
Personnel responsible for [Har10]:
- integrating security considerations into application and system purchasing decisions and development projects
- ensuring that adequate security is being provided by the necessary controls, password management, remote access controls, operating system configurations, and so on
- ensuring the systems are properly assessed for vulnerabilities, and reporting any to the incident response team and Information Owners

Application Owner
The manager of the business unit who is accountable for the performance of the business function served by the application, responsible for [HBH03]:
- establishing user access criteria and availability requirements for their applications
- ensuring the security controls associated with the application are commensurate with the highest level of information classification used by the application
- performing or delegating:
  - day-to-day security administration in conjunction with the organization's security policy
  - approval of exception access requests
  - appropriate actions on security violations when notified by security administration
  - review and approval of all changes to the application prior to being placed in the production environment
  - verification of the currency of user access rights to the application

User Manager (Supervisor [Har10])
The immediate manager or supervisor of an employee, responsible for [HBH03]:
- informing the Security Administrator of the transfer or termination of any employee
- reporting any security incident or suspected incident to Information Security
- ensuring the currency of user ID information such as employee ID and account information
- receiving and distributing initial passwords for newly created user IDs
- educating employees with regard to the security policies, procedures, and standards for which they are accountable

Note: The User Manager, rather than the Security Administrator, distributes the initial passwords.

Security Administrator
Any company employee who owns an administrative user ID, responsible for [HBH03]:
- understanding the different data environments and the impact of granting access to them
- ensuring access requests are consistent with the policies and security guidelines
- administering access rights according to criteria established by Information Owners
- creating and removing user IDs as directed by the User Manager
- administering the system security within the scope of their job description and functional responsibilities
- distributing and following up (with Information Owners) on security violation reports

Security Analyst
Strategic (design-level, not implementation-level) personnel responsible for [Har10, HBH03]:
- developing security policies, standards, and guidelines, as well as various baselines
- providing data security design input, consulting, and review
- developing a basic understanding of the information to ensure proper controls are implemented

Change Control Analyst
Personnel responsible for [HBH03]:
- analyzing the requested changes to the IT infrastructure, and determining the impact on applications, databases, data-related tools, etc.

Data Analyst
Personnel responsible for [HBH03]:
- designing data structures to meet business needs
- designing the physical database structure
- creating and maintaining logical data models based on business requirements
- providing technical assistance to Information Owners in developing data architectures
- recording metadata in the data library
- creating, maintaining, and using metadata to effectively manage database deployment

Solution Provider
Aka integrator, application provider, programmer, or IT provider, whose responsibilities are [HBH03]:
- working with Data Analysts to ensure that the application and data will work together to meet business needs
- giving technical requirements to Data Analysts to ensure performance and reporting requirements are met

Process Owner
Personnel responsible for the management, implementation, and continuous improvement of a process [HBH03], by:
- ensuring that data requirements are defined to support the business process (NOT done by Information Owners)
- working with Information Owners to define and champion a data quality program for data within the process
- resolving data-related issues that span applications within business processes

Product Line Manager
Personnel who, in short, evaluate different products in the market, work with vendors, research available options, and advise management and business units on suitable solutions [Har10]
Detailed responsibilities [HBH03]:
- translating business requirements into product requirements
- working with the vendor/user to ensure the product meets requirements
- monitoring new releases
- working with stakeholders when movement to a new release is required
- ensuring new software releases are evaluated and upgrades are planned for and properly implemented
- ensuring compliance with software license agreements
- monitoring the performance of production against business expectations
- analyzing product usage, trends, options, competitive sourcing, etc., to identify actions needed to meet project demands

Note: Product Line Managers advise on purchase; System Owners make sure their systems are secure; Application Owners control access to their applications.

References

[EC10] EC-Council, Network Defense: Security and Vulnerability Assessment, Cengage Learning, 2010.
[Gup02] M. Gupta, Storage Area Network Fundamentals, Cisco Press, 2002.
[HBH03] S. Hansche, J. Berti, and C. Hare, Official (ISC)2 Guide to the CISSP Exam, Auerbach Publications, 2003.
[Har10] S. Harris, CISSP All-in-One Exam Guide, Fifth Edition, McGraw-Hill Osborne Media, 2010.
[Tip09] H. F. Tipton, Official (ISC)2 Guide to the CISSP CBK, Second Edition, Auerbach Publications, 2009.
[Whe11] E. Wheeler, Security Risk Management: Building an Information Security Risk Management Program from the Ground Up, Syngress, 2011.