Professional Documents
Culture Documents
Acknowledgments
Material is sourced from: CISA Review Manual 2009, 2008, ISACA. All rights reserved. Used by permission. CISM Review Manual 2009, 2008, ISACA. All rights reserved. Used by permission. Author: Susan J Lincke, PhD Univ. of Wisconsin-Parkside Reviewers/Contributors: Todd Burri Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.
Corporate Governance
Corporate Governance: Leadership by corporate directors in creating and presenting value for all stakeholders
IT Governance: Ensure the alignment of IT with enterprise objectives Responsibility of the board of directors and executive mgmt
IT Governance Objectives
Processes include: Equip IS functionality and address risk Measure performance of delivering value to the business Comply with legal and regulatory requirements
IT Governance Committees
Board members & specialists
IT Strategic Committee Focuses on Direction and Strategy Advises board on IT strategy and alignment Optimization of IT costs and risk
Business executives (IT users), CIO, key advisors (IT, legal, audit, finance)
Alignment of IT with Business Contribution of IT to the Business Exposure & containment of IT Risk Optimization of IT costs Achievement of strategic IT objectives
Make decision of IT being centralized vs. decentralized, and assignment of responsibility Makes recommendations for strategic plans Approves IT architecture Reviews and approves IT plans, budgets, priorities & milestones Monitors major project plans and delivery performance
Strategic
Tactical
Operational
Strategic
Tactical
Operational
Strategic Planning
Strategy: Achieve COBIT Level 4 Tactical: During next 12 months: Each business unit must identify current applications in use 25% of all stored data must be reviewed to identify critical resources Business units must achieve regulatory compliance A comprehensive risk assessment must be performed for each business unit All users must undergo general security training Standards must exist for all policies
Mission
Strategies
Measures
IT Balanced Scorecard
Financial Goals How should we appear to stockholder? Vision: Metrics: Performance: Customer Goals How should we appear to our customer? Vision: Metrics: Performance: Internal Business Process What business processes should we excel at? Vision: Metrics: Performance: Learning and Growth Goals How will we improve internally? Vision: Metrics: Performance:
5 yrs 4 yrs
Time frame
1 yr
6 mos.
Perform BIA
Define policies
1 yr
1 yr
Operational Planning
Objective and Timeframe Hire an internal auditor and security professional 2 months: March 1 Establish security team of business, IT, personnel: 1 month: Feb. 1 Team initiates risk analysis and prepares initial report 3 months: April 1 Responsibility VP Finance
VP Finance & Chief Info. Officer (CIO) CIO & Security Team
Enterprise Architecture
Constructing IT is similar to constructing a building It must be designed and implemented at various levels:
Technical (Hardware, Software) IT Procedures & Operations Business Procedures & Operations
Data
Functional Network
(Applic.)
Scope
Enterprise Model
(Tech)
People (Org.)
Process (Flow)
Strategy
Systems Model
Tech Model
Detailed Representation
Sourcing Practices
Insourced: Performed entirely by the organizations staff Outsourced: Performed entirely by a vendors staff Hybrid: Partial insourced and outsourced Onsite: Performed at IS dept site Offsite or Nearshore: Performed in same geographical area Offshore: Performed in a different geographical region
What advantages can you think of for insourcing versus outsourcing?
Quality Definitions
Quality Assurance: Ensures that staff are following defined quality processes: e.g., following standards in design, coding, testing, configuration management Quality Control: Conducts tests to validate that software is free from defects and meets user expectations
Performance Optimization
Phases of Performance Measurement include: Establish and update performance metrics Establish accountability for performance measures Gather and analyze performance data Report and use performance results Note: Strategic direction for how to achieve performance improvements is necessary
Is IS function aligned with organizations mission, vision, values, objectives and strategies? Does IS achieve performance objectives established by the business? Does IS comply with legal, fiduciary, environmental, privacy, security, and quality requirements? Are IS risks managed efficiently and effectively? Are IS controls effective and efficient?
End-user complaints Excessive costs or budget overruns Late projects Poor motivation - high staff turnover High volume of H/W or S/W defects Inexperienced staff lack of training Unsupported or unauthorized H/W S/W purchases Numerous aborted or suspended development projects Reliance on one or two key personnel Poor computer response time Extensive exception reports, many not tracked to completion
IT Strategies, Plans, Budgets Security Policy Documentation Organization charts & Job Descriptions Steering Committee Reports System Development and Program Change Procedures Operations Procedures HR Manuals QA Procedures Contract Standards and Commitments
Question
The MOST important function of the IT department is: Cost effective implementation of IS functions Alignment with business objectives 24/7 Availability Process improvement
1.
2. 3. 4.
Question
Product testing is most closely associated with which department: Audit Quality Assurance Quality Control Compliance
1. 2. 3. 4.
Question
Implement virtual private network in the next year is a goal at the level: Strategic Operational Tactical Mission
1. 2. 3. 4.
Question
Which of the following is not a valid purpose of the IS Audit? 1. Ensure IS strategic plan matches the intent of the enterprise strategic plan 2. Ensure that IS has developed documented processes for software acquisition and/or development (depending on IS functions) 3. Verify that contracts followed a documented process that ensures no conflicts of interest 4. Investigate program code for backdoors, logic bombs, or Trojan horses
Question
Documentation that would not be viewed by the IT Strategy Committee would be: 1. IT Project Plans 2. Risk Analysis & Business Impact Analysis 3. IT Balanced Scorecard 4. IT Policies
Information & computer crime has escalated Therefore information security must be addressed and supported at highest levels of the organization
Security Organization
Review Risk assessment & Business Impact Analysis Define penalties for non-compliance of policies Board of Directors Defines security objectives and institutes security organization
Executive Mgmt Senior representatives of business functions ensures alignment of security program Security with business Steering objectives Committee Other positions: Chief Risk Officer (CRO) Chief Compliance Officer (CCO) Chief Info Security Officer (CISO)
Security Governance
Strategic Alignment: Security solution consistent with organization goals and culture Risk Management: Understand threats and costeffectively control risk Value Delivery: Prioritized and delivered for greatest business benefit Performance Measurement: Metrics, independent assurance Resource Management: Security architecture development & documentation Process Integration: Security is integrated into a wellfunctioning organization
Reduce civil and legal liability related to privacy Provide policy and standards leadership Control risk to acceptable levels Optimize limited security resources Base decisions on accurate information Allocate responsibility for safeguarding information Increase trust and improve reputation outside organization
Legal Issues
International trade, employment may be liable to different regulations than exist in the U.S. affecting: Hiring Internet business Trans-border data flows Cryptography Copyright, patents, trade secrets Industry may be liable under legislation: SOX: Sarbanes-Oxley: Publicly traded corp. FISMA: Federal Info Security Mgmt Act HIPAA: Health Insurance Portability and Accountability Act GLBA: Gramm-LeachBliley: Financial privacy Etc.
Security Policies
Training materials
Security Relationships
Security requirements Access control
Exec. Mgmt
S /W Dev.
Purchasing
CISO
Quality Control
IT Operations
Legal Dept
Security Organization
Security Framework
Compliance Monitoring
Where are the Crown Jewels? Confidentiality, Integrity, Availability Loss = Downtime + Recovery + Liability + Replacement Weekly, monthly, 1 year, 10 years? Risk Exposure = ProbabilityOfVulnerability * $Loss Survey & Select New Controls Reduce, Transfer, Avoid or Accept Risk
2.
3. 4. 5.
Compliance Function
Compliance: Ensures compliance with organizational policies E.g.: Listen to selected help desk calls to verify proper authorization occurs when resetting passwords Best if compliance tests are automated
Compliance: ongoing process Ensures adherence to policies
Security Positions
Security Architect Design secure network topologies, access control, security policies & standards. Evaluate security technologies Work with compliance, risk mgmt, audit Security Administrator Allocate access to data under data owner Prepare security awareness program Test security architecture Monitor security violations and take corrective action Review and evaluate security policy
Does control protect ImplemenEfficiency broadly or one application? Have controls been tested? tation If control fails, is there a Are controls self-protecting? control remaining? Do controls meet control Effectiveness (single point of failure) objectives? If control fails, does appl. fail? Will controls alert security Are controls reliable? personnel if they fail? Do they inhibit productivity? Are control activities logged Are they automated or manual? and reviewed? Are key controls monitored in real-time? Are controls easily circumvented?
Control Practices
These may be useful in particular conditions: Automate Controls: Make technically infeasible to bypass Access Control: Users should be identified, authenticated and authorized before accessing resources Secure Failure: If compromise possible, stop processing Compartmentalize to Minimize Damage: Access control required per system resource set Transparency: Communicate so that average layperson understands control->understanding & support Trust: Verify communicating partner through trusted 3rd party (e.g., PKI) Trust No One: Oversight controls (e.g., CCTV) Segregation of Duties: Require collusion to defraud the organization Principle of Least Privilege: Minimize system privileges
Security awareness for all users and security training as needed Classified information assets by criticality and sensitivity
Metrics are maintained and disseminated Monitoring of compliance & controls Utilization of security resources is effective Noncompliance is resolved in a timely manner Risks are assessed, communicated, and managed Controls are designed, implemented, maintained, tested Incident and emergency response processes are tested Business Continuity & Disaster Recover Plans are tested
Develop security strategy, oversee security program, liaise with business process owners for ongoing alignment
Clear
assignment of roles & responsibilities Security participation with Change Management Address security issues with 3rd party service providers Liaise with other assurance providers to eliminate gaps and overlaps
Question
Who can contribute the MOST to determining the priorities and risk impacts to the organizations information resources? 1. Chief Risk Officer 2. Business Process Owners 3. Security Manager 4. Auditor
Question
A document that describes how access permission is defined and allocated is the: Data Classification Acceptable Usage Policy End-User Computing Policy Access Control Policies
1.
2. 3. 4.
Question
The role of the Information Security Manager in relation to the security strategy is: Primary author with business input Communicator to other departments Reviewer Approves the strategy
1.
2. 3.
4.
Question
1. 2. 3. 4.
The role most likely to test a control is the: Security Administrator Security Architect Quality Control Analyst Security Steering Committee
Question
The Role responsible for defining security objectives and instituting a security organization is the: Chief Security Officer Executive Management Board of Directors Chief Information Security Officer
1.
2. 3.
4.
Question
When implementing a control, the PRIMARY guide to implementation adheres to: 1. Organizational Policy 2. Security frameworks such as COBIT, NIST, ISO/IEC 3. Prevention, Detection, Correction 4. A layered defense
Question
The persons on the Security Steering Committee who can contribute the BEST information relating to insuring Information Security success is: Chief Information Security Officer Business process owners Executive Management Chief Information Officer
1. 2. 3. 4.
IT strategic committee, IT steering committee, Security steering committee Mission, Strategic plan, Tactical plan, Operational plan Quality Assurance, Quality Control CISO, CIO, CSO, Board of Directors, Executive Mgmt, Security Architect, Security Administrator Policy, Compliance IT Balanced Scorecard, Measure, ISO 9000