IT Governance
Information Security
Governance
Acknowledgments
Material is sourced from:
CISA® Review Manual 2011, © 2010, ISACA. All rights reserved.
Used by permission.
CISM® Review Manual 2012, © 2011, ISACA. All rights reserved.
Used by permission.
Author: Susan J Lincke, PhD
Univ. of Wisconsin-Parkside
Reviewers/Contributors: Todd Burri, Kahili Cheng
Processes include:
Equip IS functionality and address risk
Measure performance of delivering value to the business
Comply with legal and regulatory requirements
IT Governance Committees
IT Strategic Committee
Focuses on Direction and Strategy
Advises board on IT strategy and alignment
Optimization of IT costs and risk
Members: Board members & specialists
IT Steering Committee
Focuses on Implementation
Monitors current projects
Decides IT spending
Members: Business executives (IT users), CIO, key advisors (IT, legal, audit, finance)
IT Strategy Committee
Main Concerns
Alignment of IT with Business
Contribution of IT to the Business
Exposure & containment of IT Risk
Optimization of IT costs
Achievement of strategic IT objectives
IT Steering Committee
Main Concerns
Decides whether IT is centralized vs. decentralized, and assigns responsibility
Makes recommendations for strategic plans
Approves IT architecture
Reviews and approves IT plans, budgets, priorities & milestones
Monitors major project plans and delivery performance
Strategic Planning Process
Strategic: Long-term (3-5 year) direction considers organizational goals, regulation (and for IT: technical advances)
Tactical: 1-year plan moves organization to strategic goal
Operational: Detailed or technical plans
Security Strategic Planning (diagram): Systems Model, Tech Model, Detailed Representation
Sourcing Practices
Insourced: Performed entirely by the organization’s staff
Outsourced: Performed entirely by a vendor’s staff
Hybrid: Partially insourced and outsourced
Onsite: Performed at IS dept site
Offsite or Nearshore: Performed in same geographical area
Offshore: Performed in a different geographical region
Governance
Policy
Risk
Information Security Importance
Organizations are dependent upon and are driven by information
Software = information on how to process
Data, graphics retained in files
Information & computer crime has escalated
Therefore information security must be addressed and supported at the highest levels of the organization
Security Organization
Board of Directors: Defines security objectives and institutes security organization
Executive Mgmt: Senior representatives of business functions; ensures alignment of security program with business objectives
Security Steering Committee
Chief Info Security Officer (CISO)
Other positions: Chief Risk Officer (CRO), Chief Compliance Officer (CCO)
Review Risk assessment & Business Impact Analysis
Define penalties for non-compliance with policies
Security Governance
Strategic Alignment: Security solution consistent with organization goals and culture
Risk Management: Understand threats and cost-effectively control risk
Value Delivery: Prioritized and delivered for greatest business benefit
Performance Measurement: Metrics, independent assurance
Resource Management: Security architecture development & documentation
Process Integration: Security is integrated into a well-functioning organization
Executive Mgmt Info Security Concerns
Reduce civil and legal liability related to privacy
Provide policy and standards leadership
Control risk to acceptable levels
Optimize limited security resources
Base decisions on accurate information
Allocate responsibility for safeguarding information
Increase trust and improve reputation outside the organization
Legal Issues
International trade and employment may be liable to different regulations than exist in the U.S., affecting:
Hiring
Internet business
Trans-border data flows
Cryptography
Copyright, patents, trade secrets
Etc.
Industry may be liable under legislation:
SOX: Sarbanes-Oxley: Publicly traded corp.
FISMA: Federal Info Security Mgmt Act
HIPAA: Health Insurance Portability and Accountability Act
GLBA: Gramm-Leach-Bliley: Financial privacy
Road Map for Security (New Program)
Interview stakeholders (HR, legal, finance) to determine org. issues & concerns (documentation; security issues)
Develop security policies for approval by the Info Security Mgmt Steering Committee
Security policies to improve standards
Develop compliance monitoring strategy
Security Relationships (diagram)
Center: Security Strategy, Risk, & Alignment
Exec. Mgmt: Security requirements
S/W Dev.: Access control, Incident handling
Human Res.: Hiring, training, roles & responsibility
Security Organization
Security Framework: Policies, Standards, Procedures
Compliance Monitoring
Secure Strategy: Risk Assessment
Five Steps include:
1. Assign Values to Assets:
Where are the Crown Jewels?
2. Determine Loss due to Threats & Vulnerabilities
Confidentiality, Integrity, Availability
Loss = Downtime + Recovery + Liability + Replacement
3. Estimate Likelihood of Exploitation
Weekly, monthly, 1 year, 10 years?
4. Compute Expected Loss
Risk Exposure = ProbabilityOfVulnerability * $Loss
5. Treat Risk
Survey & Select New Controls
Reduce, Transfer, Avoid or Accept Risk
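The five steps above carried through in code, as an added illustration that is not part of the slides: a single-incident loss is summed from the slide's four components, the likelihood is taken as a frequency ("weekly ... 10 years") and annualized, and Risk Exposure = Probability * $Loss is compared with a control's cost to choose among Reduce, Transfer, Avoid or Accept. The asset, dollar figures, frequencies and the decision thresholds in treat_risk are constructed assumptions, not figures from the slides.

```python
"""Five-step risk assessment worked through (added example, not from the slides).
Loss = Downtime + Recovery + Liability + Replacement; Exposure = Probability * Loss.
All names, dollar values and thresholds below are constructed sample values."""
from dataclasses import dataclass

# Likelihood the way the slide phrases it ("weekly, monthly, 1 year, 10 years?"),
# converted to expected number of incidents per year.
FREQUENCY_PER_YEAR = {"weekly": 52.0, "monthly": 12.0, "1 year": 1.0, "10 years": 0.1}


@dataclass
class Threat:
    name: str
    downtime: float     # lost business while the asset is unavailable (Availability)
    recovery: float     # cost to restore systems and data (Integrity/Availability)
    liability: float    # fines, lawsuits, breach notification (Confidentiality)
    replacement: float  # cost to replace damaged hardware or data
    likelihood: str     # key into FREQUENCY_PER_YEAR

    def loss(self) -> float:
        # Step 2: single-incident loss across the C/I/A impacts.
        return self.downtime + self.recovery + self.liability + self.replacement

    def annual_exposure(self) -> float:
        # Steps 3-4: annualized Risk Exposure = ProbabilityOfVulnerability * $Loss.
        return FREQUENCY_PER_YEAR[self.likelihood] * self.loss()


def treat_risk(threat: Threat, control_cost: float, residual_fraction: float,
               risk_appetite: float) -> str:
    """Step 5: pick Reduce, Transfer, Avoid or Accept for one threat.
    control_cost: yearly cost of the candidate control.
    residual_fraction: share of exposure left after the control (0.0-1.0).
    risk_appetite: yearly exposure the organization is willing to carry.
    The 10x appetite cut-off for 'avoid' is a constructed rule of thumb."""
    exposure = threat.annual_exposure()
    if exposure <= risk_appetite:
        return "accept"            # already within appetite, no control needed
    saved = exposure * (1.0 - residual_fraction)
    if control_cost < saved:
        return "reduce"            # the control costs less than the exposure it removes
    if exposure > 10 * risk_appetite:
        return "avoid"             # too costly to control and too large to keep
    return "transfer"              # e.g. insurance or outsourcing the activity


# Constructed sample: the customer database as the "crown jewels", one threat.
db_breach = Threat("customer DB exposure", downtime=20_000, recovery=30_000,
                   liability=400_000, replacement=0, likelihood="10 years")
```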
Example Policy Documents
Data Classification: Defines data security categories, ownership and accountability
Acceptable Usage Policy: Describes permissible usage of IT equipment/resources
End-User Computing Policy: Defines usage and parameters of desktop tools
Access Control Policies: Define how access permission is defined and allocated
After policy documents are created, they must be officially reviewed, updated, disseminated, and tested for compliance
Compliance Function
Compliance: Ensures compliance with organizational policies
E.g.: Listen to selected help desk calls to verify proper authorization occurs when resetting passwords
Best if compliance tests are automated
Compliance: ongoing process over time; ensures adherence to policies
Audit: Snapshot of compliance at a point in time
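The help desk example above turned into an automated compliance test, as an added illustration that is not part of the slides: each password reset in a ticket must be preceded, in that same ticket, by a recorded identity verification, and resets that are not are reported as findings. The log lines and the "ticket,timestamp,event,detail" layout are constructed assumptions, not a real ticketing system's format.

```python
"""Automated check of the slide's control: authorization must occur before a
help desk password reset. Added example, not from the slides; the log format
"ticket,timestamp,event,detail" and all records below are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log. T100 is compliant; T101 never verified identity;
# T102 verified identity only after the reset, which the control also rejects.
SAMPLE_LOG = """\
T100,2024-03-01T09:00:00,call_opened,user=jdoe
T100,2024-03-01T09:01:30,identity_verified,method=manager_callback
T100,2024-03-01T09:02:00,password_reset,user=jdoe
T101,2024-03-01T10:15:00,call_opened,user=asmith
T101,2024-03-01T10:15:40,password_reset,user=asmith
T102,2024-03-01T11:05:00,call_opened,user=bwong
T102,2024-03-01T11:06:00,password_reset,user=bwong
T102,2024-03-01T11:07:00,identity_verified,method=security_questions
"""


def parse_log(text: str) -> dict:
    """Group events by ticket id and sort each ticket chronologically."""
    tickets = defaultdict(list)
    for line in text.splitlines():
        ticket, ts, event, detail = line.split(",", 3)
        tickets[ticket].append((datetime.fromisoformat(ts), event, detail))
    for events in tickets.values():
        events.sort()
    return tickets


def find_unauthorized_resets(text: str) -> list:
    """Return (ticket, user) for every reset with no earlier identity_verified."""
    findings = []
    for ticket, events in parse_log(text).items():
        verified = False
        for _ts, event, detail in events:
            if event == "identity_verified":
                verified = True
            elif event == "password_reset" and not verified:
                findings.append((ticket, detail.removeprefix("user=")))
    return findings


def compliance_rate(text: str) -> float:
    """Share of resets that passed the control: a metric for ongoing compliance
    monitoring, as opposed to a one-off audit snapshot."""
    resets = sum(1 for line in text.splitlines() if ",password_reset," in line)
    return 1.0 - len(find_unauthorized_resets(text)) / resets if resets else 1.0
```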
Compliance Program – Security Review or Audit Test
Objective: Is our web-interface to DB safe?
Scope: Penetration test on DB
Constraints: Must test between 1-4 AM
Approach:
1. Tester has valid session credentials
2. Specific records allocated for test
3. Test: SQL Injection
Result:
These problems were found: …
Security Positions
Security Architect
Design secure network topologies, access control, security policies & standards
Evaluate security technologies
Work with compliance, risk mgmt, audit
Security Administrator
Allocate access to data under data owner
Prepare security awareness program
Test security architecture
Monitor security violations and take corrective action
Review and evaluate security policy
Security Architect: Control Analysis
Do controls fail secure or fail open?
Is the policy restrictive or permissive (denied unless expressly permitted, or vice versa)?
Does the control align with policy & business expectation?
Where are controls located?
Are controls layered?
Is control redundancy needed?
Policy Placement