Post on 22-Dec-2015
IT Governance
Information Security Governance
Acknowledgments
Material is sourced from: CISA® Review Manual 2011, © 2010, ISACA. All rights reserved. Used by permission. CISM® Review Manual 2012, © 2011, ISACA. All rights reserved. Used by permission.
Author: Susan J Lincke, PhD, Univ. of Wisconsin-Parkside
Reviewers/Contributors: Todd Burri, Kahili Cheng
Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning.
Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.
Objectives
Students should be able to:
Describe IT governance committees: IT strategic committee, IT steering committee, security steering committee
Describe mission, strategic plan, tactical plan, operational plan
Define quality terms: quality assurance, quality control
Describe security organization members: CISO, CIO, CSO, Board of Directors, Executive Management, Security Architect, Security Administrator
Define policy, compliance, IT Balanced Scorecard, measure, ISO 9001, enterprise architecture
Define sourcing practices: insource, outsource, hybrid, onsite, offshore
Define policy documents: data classification, acceptable usage policy, access control policies
Plan/schedule a security implementation.
Corporate Governance
Corporate Governance: Leadership by corporate directors in creating and presenting value for all stakeholders
IT Governance: Ensure the alignment of IT with enterprise objectives
Responsibility of the board of directors and executive mgmt
IT Governance Objectives
IT delivers value to the business
IT risk is managed
Processes include:
Equip IS functionality and address risk
Measure performance of delivering value to the business
Comply with legal and regulatory requirements
IT Governance Committees
IT Strategic Committee
Members: Board members & specialists
Focuses on direction and strategy
Advises board on IT strategy and alignment
Optimization of IT costs and risk
IT Steering Committee
Members: Business executives (IT users), CIO, key advisors (IT, legal, audit, finance)
Focuses on implementation
Monitors current projects
Decides IT spending
IT Strategy Committee: Main Concerns
Alignment of IT with business
Contribution of IT to the business
Exposure & containment of IT risk
Optimization of IT costs
Achievement of strategic IT objectives
IT Steering Committee: Main Concerns
Makes the decision on IT being centralized vs. decentralized, and assignment of responsibility
Makes recommendations for strategic plans
Approves IT architecture
Reviews and approves IT plans, budgets, priorities & milestones
Monitors major project plans and delivery performance
Strategic Planning Process
Strategic: Long-term (3-5 year) direction considers organizational goals, regulation (and for IT: technical advances)
Tactical: 1-year plan moves organization to strategic goal
Operational: Detailed or technical plans
Security Strategic Planning
Security activities arranged by planning level (figure: strategic at the top, tactical in the middle, operational at the bottom):
Risk Mgmt – Laws
Governance – Policy
Organizational Security
Data classification
Audit – Risk analysis
Business continuity
Metrics development
Incident response
Physical security
Network security
Policy compliance
Metrics use
Strategic Planning
Strategy: Achieve COBIT Level 4
Tactical: During the next 12 months:
Each business unit must identify current applications in use
25% of all stored data must be reviewed to identify critical resources
Business units must achieve regulatory compliance
A comprehensive risk assessment must be performed for each business unit
All users must undergo general security training
Standards must exist for all policies
Standard IT Balanced Scorecard
Mission = Direction. E.g.: Serve business efficiently and effectively
Strategies = Objectives. E.g.: Quality through availability; process maturity
Measures = Statistics. E.g.: Customer satisfaction; operational efficiency
Establish a mechanism for reporting IT strategic aims and progress to the board
IT Balanced Scorecard (template: each perspective records a Vision, Metrics, and Performance)
Financial Goals: How should we appear to stockholders?
Internal Business Process: What business processes should we excel at?
Customer Goals: How should we appear to our customer?
Learning and Growth Goals: How will we improve internally?
Case Study: IT Governance Strategic Plan – Tactical Plan
Strategic Plan (Objective – Timeframe)
Incorporate the business – 5 yrs
Pass a professional audit – 4 yrs
Tactical Plan (Objective – Timeframe)
Perform strategic-level security – 1 yr, which includes:
Perform risk analysis – 6 mos.
Perform BIA – 1 yr
Define policies – 1 yr
Case Study: IT Governance Operational Planning
(Objective – Timeframe – Responsibility)
Hire an internal auditor and security professional – 2 months: March 1 – VP Finance
Establish security team of business, IT, personnel – 1 month: Feb. 1 – VP Finance & Chief Information Officer (CIO)
Team initiates risk analysis and prepares initial report – 3 months: April 1 – CIO & Security Team
Enterprise Architecture
Constructing IT is similar to constructing a building: it must be designed and implemented at various levels:
Technical (Hardware, Software)
IT Procedures & Operations
Business Procedures & Operations
Architecture framework grid (figure): columns Data, Functional (Applic.), Network (Tech), People (Org.), Process (Flow), Strategy; rows Scope, Enterprise Model, Systems Model, Tech Model, Detailed Representation
Sourcing Practices
Insourced: Performed entirely by the organization’s staff
Outsourced: Performed entirely by a vendor’s staff
Hybrid: Partially insourced and outsourced
Onsite: Performed at the IS dept site
Offsite or Nearshore: Performed in the same geographical area
Offshore: Performed in a different geographical region
What advantages can you think of for insourcing versus outsourcing?
Quality with ISO 9001
ISO 9001: Standard for Quality Mgmt Systems. Recommendations include:
Quality Manual: Documented procedures
HR: Documented standards for personnel hiring, training, evaluation, …
Purchasing: Documented standards for vendors: equipment & services
Gap Analysis: The difference between where you are and where you want to be
Quality Definitions
Quality Assurance: Ensures that staff are following defined quality processes: e.g., following standards in design, coding, testing, configuration management
Quality Control: Conducts tests to validate that software is free from defects and meets user expectations
Performance Optimization
Phases of Performance Measurement include:
Establish and update performance metrics
Establish accountability for performance measures
Gather and analyze performance data
Report and use performance results
Note: Strategic direction for how to achieve performance improvements is necessary
Categories of Performance Measures
Performance Measurement: What are indicators of good IT performance?
IT Control Profile: How can we measure the effectiveness of our controls?
Risk Awareness: What are the risks of not achieving our objectives?
Benchmarking: How do we perform relative to others and standards?
IS Auditor & IT Governance
Is IS function aligned with organization’s mission, vision, values, objectives and strategies?
Does IS achieve performance objectives established by the business?
Does IS comply with legal, fiduciary, environmental, privacy, security, and quality requirements?
Are IS risks managed efficiently and effectively?
Are IS controls effective and efficient?
Audit: Recognizing Problems
End-user complaints
Excessive costs or budget overruns
Late projects
Poor motivation – high staff turnover
High volume of H/W or S/W defects
Inexperienced staff – lack of training
Unsupported or unauthorized H/W or S/W purchases
Numerous aborted or suspended development projects
Reliance on one or two key personnel
Poor computer response time
Extensive exception reports, many not tracked to completion
Audit: Review Documentation
IT Strategies, Plans, Budgets
Security Policy Documentation
Organization charts & Job Descriptions
Steering Committee Reports
System Development and Program Change Procedures
Operations Procedures
HR Manuals
QA Procedures
Contract Standards and Commitments: bidding, selection, acceptance, maintenance, compliance
Question
The MOST important function of the IT department is:
1. Cost effective implementation of IS functions
2. Alignment with business objectives
3. 24/7 Availability
4. Process improvement
Question
Product testing is most closely associated with which department:
1. Audit
2. Quality Assurance
3. Quality Control
4. Compliance
Question
“Implement virtual private network in the next year” is a goal at the level:
1. Strategic
2. Operational
3. Tactical
4. Mission
Question
Which of the following is not a valid purpose of the IS Audit?
1. Ensure IS strategic plan matches the intent of the enterprise strategic plan
2. Ensure that IS has developed documented processes for software acquisition and/or development (depending on IS functions)
3. Verify that contracts followed a documented process that ensures no conflicts of interest
4. Investigate program code for backdoors, logic bombs, or Trojan horses
Question
Documentation that would not be viewed by the IT Strategy Committee would be:
1. IT Project Plans
2. Risk Analysis & Business Impact Analysis
3. IT Balanced Scorecard
4. IT Policies
Information Security Governance
Topics: Governance, Policy, Risk
Information Security Importance
Organizations are dependent upon and are driven by information
Software = information on how to process
Data, graphics retained in files
Information & computer crime has escalated
Therefore information security must be addressed and supported at the highest levels of the organization
Security Organization
Board of Directors: Reviews risk assessment & business impact analysis; defines penalties for non-compliance with policies
Executive Mgmt: Defines security objectives and institutes the security organization
Security Steering Committee: Senior representatives of business functions; ensures alignment of the security program with business objectives
Chief Info Security Officer (CISO)
Other positions: Chief Risk Officer (CRO), Chief Compliance Officer (CCO)
Security Governance
Strategic Alignment: Security solution consistent with organization goals and culture
Risk Management: Understand threats and cost-effectively control risk
Value Delivery: Prioritized and delivered for greatest business benefit
Performance Measurement: Metrics, independent assurance
Resource Management: Security architecture development & documentation
Process Integration: Security is integrated into a well-functioning organization
Executive Mgmt Info Security Concerns
Reduce civil and legal liability related to privacy
Provide policy and standards leadership
Control risk to acceptable levels
Optimize limited security resources
Base decisions on accurate information
Allocate responsibility for safeguarding information
Increase trust and improve reputation outside the organization
Legal Issues
International trade and employment may be liable to different regulations than exist in the U.S., affecting:
Hiring
Internet business
Trans-border data flows
Cryptography
Copyright, patents, trade secrets
Industry may be liable under legislation:
SOX: Sarbanes-Oxley: Publicly traded corp.
FISMA: Federal Info Security Mgmt Act
HIPAA: Health Insurance Portability and Accountability Act
GLBA: Gramm-Leach-Bliley: Financial privacy
Etc.
Road Map for Security (New Program)
1. Interview stakeholders (HR, legal, finance) to determine organizational issues & concerns (output: Security Issues)
2. Review the issues with the Info Security Steering Committee
3. Develop security policies for approval by Mgmt (output: Security Policies)
4. Conduct security training & test for compliance (output: Training materials)
5. Improve standards; develop a compliance monitoring strategy (output: Documentation)
Security Relationships (figure: security's touchpoints with other organizational functions)
Security Strategy, Risk, & Alignment
Security requirements sign-off; Acceptance test; Access authorization
Laws & Regulations
Security monitoring; Incident resp.; Site inventory; Crisis management
Security requirements and review; Change control; Security upgrade/test
Security requirements in RFP; Contract requirements
Security requirements; Access control
Hiring, training, roles & responsibility; Incident handling
Security Governance Framework
Components: Security Strategy; Security Framework; Security Organization; Policies, Standards, Procedures; Compliance Monitoring
Secure Strategy: Risk Assessment
Five steps include:
1. Assign Values to Assets: Where are the Crown Jewels?
2. Determine Loss due to Threats & Vulnerabilities (Confidentiality, Integrity, Availability): Loss = Downtime + Recovery + Liability + Replacement
3. Estimate Likelihood of Exploitation: Weekly, monthly, 1 year, 10 years?
4. Compute Expected Loss: Risk Exposure = ProbabilityOfVulnerability * $Loss
5. Treat Risk: Survey & select new controls; Reduce, Transfer, Avoid or Accept risk
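The five steps carried through on a small constructed risk register, as an added example that is not part of the original slides. The asset values, loss figures, likelihood-to-frequency table and the Accept/Reduce/Avoid/Transfer decision rule are all assumptions made for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example (not from the slides): figures, thresholds and the decision
# rule are constructed assumptions used to walk through the five steps.
# Step 3: likelihood of exploitation, expressed as expected events per year
EVENTS_PER_YEAR = {"weekly": 52.0, "monthly": 12.0, "1 year": 1.0, "10 years": 0.1}

@dataclass
class Loss:
    """Step 2: Loss = Downtime + Recovery + Liability + Replacement (in $)."""
    downtime: float = 0.0
    recovery: float = 0.0
    liability: float = 0.0
    replacement: float = 0.0

    def total(self) -> float:
        return self.downtime + self.recovery + self.liability + self.replacement

@dataclass
class Risk:
    asset: str
    asset_value: float   # Step 1: value assigned to the asset
    threat: str
    loss: Loss
    likelihood: str      # key into EVENTS_PER_YEAR

    def annual_exposure(self) -> float:
        """Step 4: Risk Exposure = ProbabilityOfVulnerability * $Loss, per year."""
        return EVENTS_PER_YEAR[self.likelihood] * self.loss.total()

def choose_treatment(risk: Risk, control_cost: float, accept_below: float = 1000.0) -> str:
    """Step 5 (assumed rule): Accept small exposures; Reduce when a control costs
    less than the exposure it removes; Avoid when exposure exceeds the asset's
    own value; otherwise Transfer the risk (e.g. insurance)."""
    exposure = risk.annual_exposure()
    if exposure < accept_below:
        return "Accept"
    if control_cost < exposure:
        return "Reduce"
    if exposure >= risk.asset_value:
        return "Avoid"
    return "Transfer"

def prioritize(risks: list[Risk]) -> list[tuple[str, float]]:
    """Rank by annual exposure, highest first: where are the crown jewels?"""
    return sorted(((r.asset, r.annual_exposure()) for r in risks), key=lambda t: -t[1])

# Constructed sample risk register
CUSTOMER_DB = Risk("customer database", 500_000, "data breach",
                   Loss(downtime=20_000, recovery=50_000, liability=200_000), "1 year")
WEB_SERVER = Risk("public web server", 200_000, "denial-of-service outage",
                  Loss(downtime=5_000, recovery=2_000), "monthly")
LAPTOP = Risk("staff laptop", 2_000, "theft",
              Loss(downtime=500, recovery=1_000, replacement=1_500), "10 years")

if __name__ == "__main__":
    for asset, exposure in prioritize([CUSTOMER_DB, WEB_SERVER, LAPTOP]):
        print(f"{asset:<22} ${exposure:>10,.0f}/yr")
```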
Example Policy Documents
Data Classification: Defines data security categories, ownership and accountability
Acceptable Usage Policy: Describes permissible usage of IT equipment/resources
End-User Computing Policy: Defines usage and parameters of desktop tools
Access Control Policies: Defines how access permission is defined and allocated
After policy documents are created, they must be officially reviewed, updated, disseminated, and tested for compliance
Compliance Function
Compliance: Ensures compliance with organizational policies
E.g.: Listen to selected help desk calls to verify proper authorization occurs when resetting passwords
Best if compliance tests are automated
Audit: Snapshot of compliance at a point in time
Compliance: Ongoing process; ensures adherence to policies
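An automated version of the help desk check above, as an added example that is not part of the original slides: instead of listening to selected calls, a script reads the help desk event log and flags every password reset that was not preceded by an identity verification on the same ticket. The log format, event names and sample lines are constructed for the illustration.

```python
from __future__ import annotations
import re

# Added example (not from the slides): the log format is constructed.
# Each line: <timestamp> ticket=<id> agent=<name> event=<EVENT> [user=<name> ...]
# Policy under test: a PASSWORD_RESET on a ticket is allowed only after an
# IDENTITY_VERIFIED event was recorded earlier on the same ticket.
SAMPLE_LOG = """\
2015-12-22T09:01:10 ticket=T100 agent=alice event=CALL_OPENED user=jdoe
2015-12-22T09:02:05 ticket=T100 agent=alice event=IDENTITY_VERIFIED user=jdoe method=callback
2015-12-22T09:03:40 ticket=T100 agent=alice event=PASSWORD_RESET user=jdoe
2015-12-22T10:15:00 ticket=T101 agent=bob event=CALL_OPENED user=msmith
2015-12-22T10:15:45 ticket=T101 agent=bob event=PASSWORD_RESET user=msmith
2015-12-22T11:30:12 ticket=T102 agent=carol event=CALL_OPENED user=rlee
2015-12-22T11:31:00 ticket=T102 agent=carol event=PASSWORD_RESET user=rlee
2015-12-22T11:33:20 ticket=T102 agent=carol event=IDENTITY_VERIFIED user=rlee method=callback
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ticket=(?P<ticket>\S+) agent=(?P<agent>\S+) event=(?P<event>\S+)")

def parse(log: str) -> list[dict[str, str]]:
    """Parse recognised lines in order; malformed lines are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(l) for l in log.splitlines()) if m]

def find_violations(log: str) -> list[dict[str, str]]:
    """Every PASSWORD_RESET not preceded by IDENTITY_VERIFIED on its ticket.
    Verification recorded after the reset (ticket T102) still counts as a violation."""
    verified: set[str] = set()   # tickets verified so far (log is in time order)
    violations = []
    for rec in parse(log):
        if rec["event"] == "IDENTITY_VERIFIED":
            verified.add(rec["ticket"])
        elif rec["event"] == "PASSWORD_RESET" and rec["ticket"] not in verified:
            violations.append(rec)
    return violations

def violations_by_agent(log: str) -> dict[str, int]:
    """Accountability view: which agents skipped the verification step."""
    counts: dict[str, int] = {}
    for v in find_violations(log):
        counts[v["agent"]] = counts.get(v["agent"], 0) + 1
    return counts

def compliance_rate(log: str) -> float:
    """Reporting metric: fraction of resets that followed the policy."""
    resets = sum(1 for r in parse(log) if r["event"] == "PASSWORD_RESET")
    return 1.0 if resets == 0 else 1 - len(find_violations(log)) / resets

if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print(f"{v['ts']} ticket {v['ticket']}: reset by {v['agent']} without verification")
    print(f"compliance rate: {compliance_rate(SAMPLE_LOG):.0%}")
```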
Compliance Program – Security Review or Audit Test
Objective: Is our web interface to the DB safe?
Scope: Penetration test on the DB
Constraints: Must test between 1-4 AM
Approach:
1. Tester has valid session credentials
2. Specific records allocated for the test
3. Test: SQL injection
Result: These problems were found: …
Security Positions
Security Architect:
Design secure network topologies, access control, security policies & standards
Evaluate security technologies
Work with compliance, risk mgmt, audit
Security Administrator:
Allocate access to data under the data owner
Prepare security awareness program
Test security architecture
Monitor security violations and take corrective action
Review and evaluate security policy
Security Architect: Control Analysis
Analysis dimensions: Placement, Effectiveness, Efficiency, Policy, Implementation
Placement: Where are controls located? Are controls layered? Is control redundancy needed?
Effectiveness and efficiency: Does the control protect broadly or one application? If the control fails, is there a control remaining (single point of failure)? If the control fails, does the appl. fail? Are controls reliable? Do they inhibit productivity? Are they automated or manual? Are key controls monitored in real time? Are controls easily circumvented?
Policy: Do controls fail secure or fail open? Is the policy restrictive or permissive (denied unless expressly permitted, or vice versa)? Does the control align with policy & business expectation?
Implementation: Have controls been tested? Are controls self-protecting? Do controls meet control objectives? Will controls alert security personnel if they fail? Are control activities logged and reviewed?
Control Practices
These may be useful in particular conditions:
Automate Controls: Make them technically infeasible to bypass
Access Control: Users should be identified, authenticated and authorized before accessing resources
Secure Failure: If compromise is possible, stop processing
Compartmentalize to Minimize Damage: Access control required per system resource set
Transparency: Communicate so that the average layperson understands the control -> understanding & support
Trust: Verify communicating partner through a trusted 3rd party (e.g., PKI)
Trust No One: Oversight controls (e.g., CCTV)
Segregation of Duties: Require collusion to defraud the organization
Principle of Least Privilege: Minimize system privileges
Security Administrator: Security Operations
Identity Mgmt & Access control
System patching & configuration mgmt
Change control & release mgmt
Security metrics collection & reporting
Control technology maintenance
Incident response, investigation, and resolution
Summary of Security Mgmt Functions
Develop security strategy:
Linked with business objectives
Regulatory & legal issues are addressed
Sr Mgmt acceptance & support
Complete set of policies
Standards & Procedures for all relevant policies
Security awareness for all users and security training as needed
Classified information assets by criticality and sensitivity
Summary of Security Mgmt Functions
Effective compliance & enforcement processes:
Metrics are maintained and disseminated
Monitoring of compliance & controls
Utilization of security resources is effective
Noncompliance is resolved in a timely manner
Effective risk mgmt and business impact assessment:
Risks are assessed, communicated, and managed
Controls are designed, implemented, maintained, tested
Incident and emergency response processes are tested
Business Continuity & Disaster Recovery Plans are tested
Summary of Security Mgmt Functions
Develop security strategy, oversee security program, liaise with business process owners for ongoing alignment
Clear assignment of roles & responsibilities
Security participation with Change Management
Address security issues with 3rd party service providers
Liaise with other assurance providers to eliminate gaps and overlaps
Question
Who can contribute the MOST to determining the priorities and risk impacts to the organization’s information resources?
1. Chief Risk Officer
2. Business Process Owners
3. Security Manager
4. Auditor
Question
A document that describes how access permission is defined and allocated is the:
1. Data Classification
2. Acceptable Usage Policy
3. End-User Computing Policy
4. Access Control Policies
Question
The role of the Information Security Manager in relation to the security strategy is:
1. Primary author with business input
2. Communicator to other departments
3. Reviewer
4. Approves the strategy
Question
The role most likely to test a control is the:
1. Security Administrator
2. Security Architect
3. Quality Control Analyst
4. Security Steering Committee
Question
The Role responsible for defining security objectives and instituting a security organization is the:
1. Chief Security Officer
2. Executive Management
3. Board of Directors
4. Chief Information Security Officer
Question
When implementing a control, the PRIMARY guide to implementation adheres to:
1. Organizational Policy
2. Security frameworks such as COBIT, NIST, ISO/IEC
3. Prevention, Detection, Correction
4. A layered defense
Question
The persons on the Security Steering Committee who can contribute the BEST information relating to ensuring Information Security success are:
1. Chief Information Security Officer
2. Business process owners
3. Executive Management
4. Chief Information Officer
Reference (slide # – slide title – source of information)
4 – Corporate Governance – CISA: pages 87, 88
6 – IT Governance Committees – CISA: page 90
7 – IT Strategy Committee – CISA: page 90
12 – Standard IT Balanced Scorecard – CISA: page 91
16 – Enterprise Architecture – CISA: pages 94, 95, Exhibit 2.5
17 – Sourcing Practices – CISA: page 106
18 – Quality with ISO 9001 – CISA: page 112
19 – Quality Definitions – CISA: page 116
20 – Performance Optimization – CISA: pages 113, 114
21 – Categories of Performance Measures – CISA: page 114
32 – Security Organization – CISA: pages 94, 95, Exhibit 2.4
33 – Security Governance – CISA: pages 92, 93
39 – Secure Strategy: Risk Assessment – CISM: page 100
40 – Example Policy Documents – CISA: page 100
43 – Security Positions – CISA: pages 116, 117