Information Security and Audit of Financial Institutions
Szenes 1 Operational Sec. - Sec.-Based Governance
Information Security and Audit of Financial Institutions - Introduction
Dr. Katalin Szenes, CISA, CISM, CGEIT, [email protected]
Obuda University, John von Neumann Faculty of Informatics, Institute of Software Technology
Szenes Information Security and Audit of Financial Institutions- Introduction
2
is this a normal ATM?

an add-on gadget attached to the ATM

a nice case for circulars (a neat leaflet holder)

is it really for holding papers there?

another solution: wireless camera

camera parts

what are the most dangerous threats?
lists will follow later, now: 1 adverb
1 direction:
INSIDE

how to defend the company?
is defense enough? - no, let's be proactive
to support market success by an improved corporate governance strategy
strategic goal
subgoal to the strategic goal and / or activity contributing to it
help: ideas taken from:
• information security
• IT audit

connection between governance, security and audit, expressed by basic information security / IT audit terms
goals - subgoals in information security / IT audit: so-called control objectives
activities in information security / IT audit: so-called control measures
special goals - information security / IT audit advice: (polished) information criteria
classification aspects - pillars of IT / IT security / corporate operations
risk - connected closely to strategy: asset risk

connection between: governance - strategy - risk - business continuity (operational risk / IT risk) - market success
governance - served by / is to serve: strategy
risk: is to be managed according to the strategic importance of the "things" = assets serving strategy
business continuity is a necessary condition even for survival "only"

what shall we do?
pave the way from / to security / audit governance
see how to:
☺ serve strategy by security
the other way round:
☺ justify security goals by governance promises

where is the "best" practice, and what are the designations?
www.isaca.org
www.isc2.org
www.coso.org
CISA - Certified Information Systems Auditor, CISM - Certified Information Security Manager, CGEIT - Certified in the Governance of Enterprise IT; designator: ISACA - Information Systems Audit and Control Association, USA
CISSP - Certified Information Systems Security Professional; designator: ISC2 - International Information Systems Security Certification Consortium, USA

let's break in (at last)
let the target be an arbitrary company, or even a security company
what is the goal of the attack? still stealing data; the data supervised by any company are:
business info
customers' data
looking for a weakness ☺ everlasting weak point:
disorder
basic requirement of operational excellence: order

order?
what is order?
☺ top management responsibility for the well-being of the company
the "what" and the "who" have to be determined; also the responsibility for determining the "how"
etc.: permission, execution, checking, acknowledgement
who will do these? - later
what is this exactly?

order
The order is by definition adequate if top management takes up the responsibility for the well-being of the institution. This involves, on the one hand, the determination of the strategy, aligning it to market success, and its continuous maintenance, and, on the other hand, having the company fulfill the strategic goals.
(K. Szenes: Operational Security - Security Based Corporate Governance, in: Procds. of IEEE 9th ICCC)
documentation
inventory
change management
business continuity planning

let's break in - cont'd
a story "retold": attacker: the Anonymous hacker group; target: the security company HBGary, that boasted of their cleverness
they aimed at the business of the target, and found - surprisingly - "big holes in the shoe of a shoemaker"

let's break in
the CEO used the same password for his Twitter, LinkedIn, and ! company mail admin account
the hacker could reset the password of a security advisor with ssh access to a root account
+ access rights to inside data from the outside - internet
social hacking: writing a mail "on behalf" of someone, the hacker got a new password to access internals
+ all these company activities had no elaborated workflow

let's break in
and then the hackers exploited the disorder inside
countermeasures: using the 3 pillars of operation, special case: IT
organizational, e.g.: define company organizational units, roles, job descriptions according to duties
regulational, e.g.: duties, responsibilities, checkpoints, milestones, deliverables
technical: support to all these

help: best practice
ISACA - Information Systems Audit and Control Association:
COBIT® - Control Objectives for Information and related Technology
CRM - CISA Review Technical Information Manual
ISO / IEC: International Organization for Standardization / International Electrotechnical Commission
PSZÁF: Hungarian Supervisory Authority of Financial Institutions
o availability
o confidentiality
o integrity
o + ! functionality
o + ! documentation
meaning: %

3 important criteria
availability, confidentiality, integrity
there will be different definitions for the basic criteria:
my style
COBIT
notes on corrections
at first - the "my style" version

help: best practice
availability to a measurable extent
o in order to serve the business goals + compliance to laws & regulations
o this is the base of success - company & employee:
survivability on the market
sustainable development
fulfillment of the strategic & tactical goals
bank speciality - o extreme importance:
if the customer account system is not available ...
if the communication is not available ...

help: best practice
confidentiality in order to serve
o both business and
o private interest
through compliance to corporate policy and (inter)national laws
business interest - protected by employers
private interest - personal: protected by laws & regulations
protection against illegal access
valuable business info: data & business logic (algorithms) is to be accessed by those and only those whose job needs it

help: best practice
integrity of data & processing: so that they are intact + without incidents
complete data throughout processing
preserve data throughout processing
faultless processing
our important plus security / quality requirements:
o security and information security depend on the order
+ ! functionality - user satisfaction (ISO - already from the year 2000 on)
+ ! documentation throughout the SDLC must not be omitted
there is no time to hurry

my operational excellence requirements - criteria of excellent governance
two groups:
operational excellence criteria
asset handling excellence criteria

ISACA COBIT information criteria - till COBIT 4.1
Confidentiality concerns the protection of sensitive information from unauthorised disclosure.
Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
Availability relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.

ISACA COBIT information criteria - till COBIT 4.1
Effectiveness deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
Efficiency concerns the provision of information through the optimal (most productive and economical) use of resources.
Compliance deals with complying with the laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria as well as internal policies.
Reliability relates to the provision of appropriate information for management to operate the entity and exercise its fiduciary and governance responsibilities.

my operational excellence requirements - criteria of excellent governance - 1st group
my operational excellence criteria:
effectivity, efficiency, compliance, reliability, risk management excellence, functionality, order
the first four have the same names as their COBIT predecessors, but I generalized their scope from IT to the whole operations arena

my operational excellence requirements - criteria of excellent governance - 2nd group
asset handling excellence criteria:
availability, integrity, confidentiality
same names as in ISACA / the ISO 27000 family (with ancestors), but with a meaning polished for IT and extended for operations

another important help: my pillars
the 3 pillars are:
organizational, regulational, technical
pillars of operations, pillars of IT operations
classification aspects, and even more ...

most dangerous: the inside
threats to the regulational pillar: almost equal to the difficulties in satisfying compliance
threats to the 1st pillar, the organizational / human pillar, with a little technics of the IT operations, e.g.:
1 maintenance: systems engineer working from home
hack
family
social engineering
etc.

most dangerous: the inside - a frequent special case: outsource
2 outsource
the most difficult problems are perhaps with the organizational / human pillar, e.g.:
/1 application systems developers leave for a better salary, coming back as an outsource partner
/2 they leave the partner firm, and found a new one again
/3 now let us choose the outsource partner - no docu, no info, etc.

most dangerous: the inside - a frequent special case: outsource
2 outsource - cont'd - a sample of the problems only
tasks - dangers:
choosing partner - unworthy partner
inside communication of the situation - enemy from inside
contracting - requirements, responsibilities not exactly defined
service level agreement - no objective measurement, documentation, order
planning the practical execution - with the partner comes the hacker: identify the partner's job force
preliminary definition of the break-off - handling the mutual discontent

most dangerous: the inside
threats to the 3rd pillar, the technical pillar of the IT operations, e.g.:
threats to the informatics BASES: HW, SW, network, database can cause disruption of the operation
all of the components of the infrastructure that provide the services necessary for the survival of the institution
another "good" technical possibility to endanger company operations: applications development

most dangerous: the inside
selected problems in applications development:
tasks - dangers:
defining the activities in: who - what - when ... life cycles & their phases - job, responsibility: not known
what is / isn't ready (ready=?) - preparedness %?
testing: who, what, how, ... - functionality? vulnerabilities?
we dream about new methods but we are not ready to use them

most dangerous: the inside
threats: vulnerabilities of the infrastructural elements
vital importance: the inventory of these elements and that of their state on ∀ sensible level
o computer + generally: the physical level (the litterbox!)
o operating system + utilities
o database
o application
o network element: these are computers!
o defense equipment: these too!
o business equipment - "automata"
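The inventory the slide calls vital is only useful if it is checked against reality. The following is an added example, not the lecture's own material: a reconciliation of an inventory of infrastructural elements (with their state per level, as on the slide) against what a scan or audit actually observed. The level names, the inventory and observation records and the 30-day staleness limit are constructed assumptions.

```python
"""Added example, not part of the lecture: reconcile the inventory of
infrastructural elements (with their state on every level) against what a
scan or audit actually observed. Records, level names and the staleness
limit are constructed assumptions."""
from datetime import date

# levels from the slide: physical, OS + utilities, database, application,
# network elements, defense equipment, business equipment ("automata")
LEVELS = ("physical", "os", "database", "application", "network", "defense", "business-equipment")
MAX_AGE_DAYS = 30   # assumption: a state record older than this is treated as unknown

def reconcile(inventory, observed, today):
    """Compare what the inventory says we have with what was observed.

    Inventory record: {"level", "id", "state", "last_verified": date};
    observed record: {"level", "id", "state"}.  Returns sorted finding lists."""
    inv = {(r["level"], r["id"]): r for r in inventory}
    obs = {(r["level"], r["id"]): r for r in observed}
    findings = {"unknown_level": [], "missing": [], "stale": [], "state_mismatch": []}
    for key, r in inv.items():
        if r["level"] not in LEVELS:          # inventory uses a level nobody defined
            findings["unknown_level"].append(key)
        if key not in obs:                    # we believe it exists, nobody saw it
            findings["missing"].append(key)
            continue
        if (today - r["last_verified"]).days > MAX_AGE_DAYS:
            findings["stale"].append(key)     # state was last checked too long ago
        if r["state"] != obs[key]["state"]:   # e.g. inventory says one firmware, scan sees another
            findings["state_mismatch"].append((key, r["state"], obs[key]["state"]))
    # seen in the field but never recorded: the "litterbox" elements
    findings["not_in_inventory"] = [k for k in obs if k not in inv]
    return {k: sorted(v) for k, v in findings.items()}

# constructed sample data
INVENTORY = [
    {"level": "os", "id": "srv-core-01", "state": "patched-2013-04", "last_verified": date(2013, 5, 2)},
    {"level": "network", "id": "sw-floor2", "state": "fw-1.9", "last_verified": date(2013, 1, 10)},
    {"level": "defense", "id": "fw-edge", "state": "ruleset-v7", "last_verified": date(2013, 5, 1)},
    {"level": "printer", "id": "mfp-lobby", "state": "ok", "last_verified": date(2013, 5, 1)},
]
OBSERVED = [
    {"level": "os", "id": "srv-core-01", "state": "patched-2013-04"},
    {"level": "network", "id": "sw-floor2", "state": "fw-2.1"},
    {"level": "printer", "id": "mfp-lobby", "state": "ok"},
    {"level": "business-equipment", "id": "atm-branch-7", "state": "running"},
]

def run(today=date(2013, 5, 10)):
    return reconcile(INVENTORY, OBSERVED, today)

if __name__ == "__main__":
    for kind, items in run().items():
        print(kind, items)
```

Each finding maps to one of the slide's concerns: a missing element means the inventory is wrong, a stale or mismatched state means the state is not known, and an element not in the inventory is exactly the unrecorded device on the physical level.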

most dangerous: the inside - when do we feel safe?
what are the requirements to be fulfilled?
what does security mean?
the requirements specifying a known situation are fulfilled to a known level
and deviations are permitted only if they are of
predefined type
measure to be forecasted
predictable probability
- that is: they are known

a special company: a special financial institution: the bank (insurance is easier)
requirements triggered by the involvement of money:
o the threats concerning enterprise & private data / knowledge / property
o the extra & specific challenges that the financial institutions have to counter: stealing, forging, alteration, counterfeit
o the customers want quick and safe banking operations; they do not realize the "but" between quick and safe
the bank has to apply extra strong defense, BUT supporting such customers' equipment that is out of its scope, at the customers' site and of uncertain quality

most dangerous: the inside
fraud - BAD WILLED bank employee
false transactions:
salami technique
rounding down
false transfers
tampering with:
the operating system
the database
the application
think! what kind of PILLARS can be the domain of our countermeasures?

most dangerous: the inside
bank employee - example for the requirement "organized corporate": EFT problems
threats to the EFT - electronic fund transfer - files:
• handling
• access while travelling on the network
• access to the database containing the file
• access to the application using the EFT
control measures will be the so-called preventive ones:
• authentication, then authorization (- coming later)
• securing the network
• securing the application environment

my general type of countermeasures
information criteria - criteria of excellent operations = candidates for control objectives
control measures: activities serving the fulfillment of control objectives
pillars of operations / IT operations revisited, now they are: help in realization

countermeasures - criteria / objectives
information criteria - criteria of excellent operations = candidates for control objectives
these are not the goals of the auditors but those of the company
basics: asset handling excellence
availability, integrity, confidentiality,
+: functionality, documentation
more: operational excellence
- order
- reliability, effectivity, efficiency, compliance,
- risk management excellence

countermeasures - fulfillment of goals: control measures - activities
• control measures: activities serving the fulfillment of control objectives
these are not executed by the auditor, even if called "control"
o detective
o preventive
o corrective
the "what-who-how" actually is = what / domain / range / who / how
type of activities, e.g.: permission, execution, checking, acknowledgement
help in identifying these: the pillars

countermeasures - help in finding "our" way
pillars of operations / IT operations revisited, now they are: help in realization
the 3 pillars were: organizational, regulational, technical
they are good for:
• organizing company life,
• classifying the what / domain / range / who / how / ???

problems from the outside - more or less mishaps
e.g. external sources of danger:
external disorder: cutting cables, social movements, strikes
natural disaster: earthquake, lightning, etc.
robbery
can we handle these from inside? preventive control measures, e.g.:
guards, safes, cameras, etc.

problems from the outside - human
crooks & other human threat sources - their reasons
customer
employee
3rd party:
contracting partners - e.g. suppliers
strangers - e.g. hackers, crackers, students, etc.
▼
willing - bad-willed: for fun, for benefit
unwilling: incidental, ignorance, gullibility, credulity
and ?

problems from the outside - human cont'd
Banks - The Bad-Willed Customer - Counterfeiting
Against forging of money, banking forms: detective & preventive control measure, e.g.:
analyzing / checking devices
Against uncovered / false transactions: detective & preventive control measure, e.g.: well-defined service processes with control points, e.g. the 4-eyes principle
homework: MARK THE PILLARS of our means; FIND information / operational excellence criteria

problems from the outside - human cont'd
Banks - The Bad-Willed Customer - Counterfeiting
Against cheating with investments / false properties: raising money on estate / fixed assets: jewels, pictures
Against cheating with fictitious business entities
homework: MARK THE PILLARS; FIND information / operational excellence criteria

problems from the outside - human cont'd
Banks - The Bad-Willed Customer - Suspicious Transactions - Money Laundering
detective control measure is a Hungarian procedural rule: cash to be received ≥ 1 million -> report
technical prevention: inferences based on the investigation of data, e.g. strange, unusually big amount, unusually frequent handling of the same account, etc.: data warehouses, neural networks
homework: MARK THE PILLARS; FIND information / operational excellence criteria
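An added example, not from the lecture, of the two kinds of control this slide names: the procedural reporting rule (cash received at or above 1 million is reported) and data-driven inferences (an unusually big amount for the account, unusually frequent handling of the same account), run over constructed transaction records. The z-score and frequency cutoffs, the minimum history length and the sample records are assumptions; a real system would feed such rules from a data warehouse, as the slide says.

```python
"""Added example, not from the lecture: a detective-control pass over
constructed transaction records. It implements the procedural rule the slide
quotes (cash received >= 1 million -> report) and two of the data-driven
inferences it lists (an unusually big amount for the account, unusually
frequent handling of the same account). Cutoffs and records are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

CASH_REPORT_THRESHOLD = 1_000_000   # from the slide: cash received >= 1 million -> report
Z_SCORE_LIMIT = 3.0                 # assumption: more than 3 sigma above the account's own history
FREQUENCY_LIMIT = 5                 # assumption: more than 5 movements on one account in one day
MIN_HISTORY = 5                     # assumption: shorter histories give no usable baseline

@dataclass(frozen=True)
class Tx:
    day: int        # constructed day index
    account: str
    amount: int     # in the bank's currency units
    channel: str    # "cash" or "transfer"

def threshold_reports(txs):
    """Detective procedural rule: every cash receipt at or above the threshold is reported."""
    return [t for t in txs if t.channel == "cash" and t.amount >= CASH_REPORT_THRESHOLD]

def unusual_amounts(txs, history):
    """Flag amounts far above the account's own historical mean (z-score rule)."""
    flagged = []
    for t in txs:
        past = history.get(t.account, [])
        if len(past) < MIN_HISTORY:
            continue
        mu, sigma = mean(past), pstdev(past) or 1.0   # flat history: avoid division by zero
        if (t.amount - mu) / sigma > Z_SCORE_LIMIT:
            flagged.append(t)
    return flagged

def frequent_handling(txs):
    """Flag (account, day) pairs with more movements than FREQUENCY_LIMIT."""
    counts = defaultdict(int)
    for t in txs:
        counts[(t.account, t.day)] += 1
    return sorted(key for key, n in counts.items() if n > FREQUENCY_LIMIT)

# constructed history (earlier amounts per account) and one day's transactions
HISTORY = {"A-1": [50_000, 60_000, 55_000, 52_000, 58_000, 61_000],
           "A-2": [900_000, 950_000, 880_000, 910_000, 920_000]}
TODAY = [
    Tx(1, "A-1", 57_000, "transfer"),
    Tx(1, "A-1", 2_500_000, "transfer"),   # far outside A-1's usual range
    Tx(1, "A-2", 930_000, "transfer"),     # large in absolute terms, but normal for A-2
    Tx(1, "A-4", 1_000_000, "cash"),       # exactly at the reporting threshold
] + [Tx(1, "A-3", 10_000, "transfer") for _ in range(6)]   # 6 movements on A-3 in one day

def run(txs=TODAY, history=HISTORY):
    return {
        "report": [(t.account, t.amount) for t in threshold_reports(txs)],
        "unusual_amount": [(t.account, t.amount) for t in unusual_amounts(txs, history)],
        "frequent_handling": frequent_handling(txs),
    }

if __name__ == "__main__":
    for rule, hits in run().items():
        print(rule, hits)
```

Note the difference between the two rule types: the threshold rule is a fixed procedural prescription (regulational pillar), while the z-score rule is relative to each account's own baseline, which is why A-2's large transfer is not flagged but A-1's is.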

problems from the outside - human cont'd
Banks - The Bad-Willed 3rd party
with forged / stolen cards, e.g. (old) duplicating of magnetic strips:
money withdrawal from ATM
purchase of goods
ATM tampering:
false keyboard
camera hidden e.g. in leaflet holders
skimmer applied onto the ATM slot
(skimmer: microcomputer for reading / storing card info)
preventive control measure COULD BE: social, e.g. informative campaigns, movie, television, ads

problems from the outside - human cont'd
Banks - The Bad-Willed 3rd party
Internet crimes using stolen card numbers
obtaining customers' data by the means of:
phishing - see the GULLIBLE customer
fake warehouses, shopping facilities
MAN IN THE MIDDLE - physically, or rather in the (fake) process
for the sake of completeness: man at the end points - BUT THIS IS AN enemy INSIDE

problems from the outside - human cont'd - the GULLIBLE customer
inclination to believe the impossible: African stories - the hidden money of the tribe
"you won the fortune of the year"
http://our bank homepage@bad guy homepage and the like
preventive control measure COULD BE: social, e.g. informative campaigns, movie, television, ads
e-, i-, m- and these bankings

problems from the outside - human cont'd - the GULLIBLE customer also cont'd
old: e-banking with a client program: controlled security level but restricted place of availability
connecting to an internet banking system from a computer with a not patched operating system: virus, trojan, key-logger
mobile - wireless threats
preventive control measure COULD BE: social, e.g. informative campaigns, movie, television, ads

back to the countermeasures
technical preventive control measures: inferences based on the customers' usual ways:
data warehouses, neural networks
SSL VPN + token
password, balance, acknowledgment of request sent in SMS
these are good against the IGNORANT / GULLIBLE customer, that is e-, i-, m-banking threats
this is good against the inside enemy, e.g. ACCOUNT TAMPERING, too!
THE PILLAR is trivial here

back to the countermeasures, or rather: contribution to improvement
a best practice, that should already be a routine (what is "best"? - depends on the auditors' interpretation)
plan before act & continuous documentation
risk management, based on business process / data / systems classification
results:
• separation (segregation) of duties
• access provision management for units / roles / tasks
• dynamic inventory management
• dynamic documentation & change management
homework: MARK THE PILLARS; FIND information / operational excellence criteria

countermeasures, or rather: contribution to improvement
organisational & human bases of the information security:
o risk management - based separation (segregation) of duties
o access provision management for units / roles / tasks
both need: authentication + authorization
segregation of duties:
• preparing job descriptions,
• consisting of roles, describing
• duties = allocation of the "who" of the "what-who-how",
• and their connections
hw: identify pillars, criteria
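An added example, not the lecture's own, of segregation of duties in code: a toy transfer workflow in which the activity types from the earlier slides (permission, execution, checking, acknowledgement) must be done in order by holders of the right role, and the 4-eyes principle from the counterfeiting slide forbids one person from both executing a transfer and checking it. It also shows the static check an auditor would run on job descriptions: which person holds a combination of roles that lets them complete a conflicting pair alone. The role names, the conflict pairs and the sample job descriptions are assumptions.

```python
"""Added example, not from the lecture: a toy transfer workflow enforcing
segregation of duties and the four-eyes principle. Role names, the conflict
pairs and the sample job descriptions are assumptions."""
from dataclasses import dataclass, field

STEP_ORDER = ["permission", "execution", "checking", "acknowledgement"]
# role required for each step of the "what-who-how" (assumed)
STEP_ROLE = {"permission": "manager", "execution": "clerk",
             "checking": "controller", "acknowledgement": "manager"}
# steps one person must never both perform on the same transfer (assumed conflict matrix)
CONFLICTING_STEPS = {("execution", "checking"),
                     ("permission", "checking"),
                     ("execution", "acknowledgement")}

class SoDViolation(Exception):
    pass

@dataclass
class Transfer:
    amount: int
    done_by: dict = field(default_factory=dict)   # step -> user who performed it

    def perform(self, step, user, roles):
        """Record that `user` did `step`; enforce order, required role and four eyes."""
        expected = STEP_ORDER[len(self.done_by)] if len(self.done_by) < len(STEP_ORDER) else None
        if step != expected:
            raise SoDViolation(f"step {step!r} out of order, expected {expected!r}")
        if STEP_ROLE[step] not in roles.get(user, set()):
            raise SoDViolation(f"{user} lacks the role {STEP_ROLE[step]!r} needed for {step!r}")
        for prev_step, prev_user in self.done_by.items():
            if prev_user == user and ((prev_step, step) in CONFLICTING_STEPS
                                      or (step, prev_step) in CONFLICTING_STEPS):
                raise SoDViolation(f"four-eyes: {user} already did {prev_step!r}, cannot do {step!r}")
        self.done_by[step] = user
        return self

    def complete(self):
        return len(self.done_by) == len(STEP_ORDER)

def attempt(transfer, step, user, roles):
    """Return None on success, otherwise the violation text (for the control log)."""
    try:
        transfer.perform(step, user, roles)
        return None
    except SoDViolation as e:
        return str(e)

def toxic_combinations(roles):
    """Static check of job descriptions: who could perform a conflicting pair alone?"""
    hits = []
    for user, held in roles.items():
        for a, b in CONFLICTING_STEPS:
            if STEP_ROLE[a] in held and STEP_ROLE[b] in held:
                hits.append((user, a, b))
    return sorted(hits)

# constructed job descriptions: role sets per person
ROLES = {"anna": {"manager"}, "bela": {"clerk"}, "csaba": {"controller"},
         "dora": {"clerk", "controller"}}   # a toxic combination on purpose

def run_clean():
    t = Transfer(250_000)
    for step, user in zip(STEP_ORDER, ["anna", "bela", "csaba", "anna"]):
        t.perform(step, user, ROLES)
    return t.complete()

def run_four_eyes_breach():
    t = Transfer(250_000)
    t.perform("permission", "anna", ROLES).perform("execution", "dora", ROLES)
    return attempt(t, "checking", "dora", ROLES)   # dora may not check her own execution

if __name__ == "__main__":
    print(run_clean())                  # True
    print(run_four_eyes_breach())       # four-eyes violation text
    print(toxic_combinations(ROLES))    # dora holds clerk + controller
```

The workflow check is a preventive control on the technical pillar; the job-description check is the organizational counterpart, and the conflict matrix itself is the regulational part that both depend on.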

an important, and old countermeasure - authentication + authorization
this belongs to the preconditions: identity management
authentication - e.g. in the dictionary:
act of verifying
• the identity of a user
• the user's eligibility to access ...
• prior knowledge info
authentic: accurate, ... authoritative, ... certain, dependable, factual, trustworthy, ...
authenticate: ... authorize, ... certify, confirm, ... guarantee, validate, verify, ...

authentication + authorization cont'd
authentication - IT best practice
Authentication is a 2-step process by which the system verifies the identity of the user:
1st: the computer system verifies the validity of the logon ID
2nd: the computer system forces the user to substantiate his/her validity via a password
logon ID: individual identification and authentication
password: prevents unauthorized use

authentication + authorization cont'd
authorize - e.g. in the dictionary:
accredit, ... entitle ... ability, blank cheque, ... approval, credentials, leave ... permission
authorization - IT best practice: the user is authorized = has the authority to access
test question:
The password is best described as a method of user
A identification
B AUTHORIZATION
C AUTHENTICATION
D confirmation
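An added example, not from the lecture, of the two-step authentication described on the previous slide (1st: is the logon ID valid? 2nd: does the user substantiate the claimed identity with the password?) followed by the separate authorization decision of this slide. The user store, the PBKDF2 parameters, the lockout limit and the entitlement sets are assumptions; a real system keeps the store in a directory or identity management system.

```python
"""Added example, not from the lecture: two-step authentication (logon ID
validity, then password) followed by a separate authorization decision.
User store, PBKDF2 parameters, lockout limit and entitlements are assumptions."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # assumption
MAX_FAILURES = 3              # assumption: the logon ID is locked after 3 wrong passwords

def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; only the digest is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

class UserStore:
    def __init__(self):
        self._users = {}

    def add(self, logon_id, password, entitlements, active=True):
        salt = os.urandom(16)
        self._users[logon_id] = {"salt": salt, "digest": hash_password(password, salt),
                                 "active": active, "failures": 0,
                                 "entitlements": set(entitlements)}

    # 1st step: validity of the logon ID (exists, active, not locked)
    def logon_id_valid(self, logon_id):
        u = self._users.get(logon_id)
        return bool(u and u["active"] and u["failures"] < MAX_FAILURES)

    # 2nd step: the user substantiates the claimed identity with the password
    def password_valid(self, logon_id, password):
        u = self._users[logon_id]
        ok = hmac.compare_digest(hash_password(password, u["salt"]), u["digest"])
        u["failures"] = 0 if ok else u["failures"] + 1   # lockout counter
        return ok

    def authenticate(self, logon_id, password):
        """'unknown-or-locked' | 'bad-password' | 'authenticated'.
        A 1st-step failure is reported with one generic value, so a caller cannot
        tell unknown IDs from locked ones."""
        if not self.logon_id_valid(logon_id):
            return "unknown-or-locked"
        if not self.password_valid(logon_id, password):
            return "bad-password"
        return "authenticated"

    # authorization: a separate question - what may the authenticated user do?
    def authorized(self, logon_id, operation):
        return operation in self._users[logon_id]["entitlements"]

def access(store, logon_id, password, operation):
    """Authenticate first; only an authenticated user gets an authorization decision."""
    state = store.authenticate(logon_id, password)
    if state != "authenticated":
        return state
    return "allowed" if store.authorized(logon_id, operation) else "not-authorized"

def build_store():
    """Constructed sample users: a teller who may post transfers, an auditor who may read logs."""
    s = UserStore()
    s.add("teller01", "correct horse battery staple", {"view-account", "post-transfer"})
    s.add("auditor01", "another long passphrase", {"view-account", "read-log"})
    return s

if __name__ == "__main__":
    s = build_store()
    print(access(s, "teller01", "correct horse battery staple", "post-transfer"))  # allowed
    print(access(s, "teller01", "correct horse battery staple", "read-log"))       # not-authorized
```

The answer to the test question falls out of the code: the password is consumed only inside `password_valid`, the authentication step; entitlements, the authorization data, are never consulted until the identity has been verified.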

a base of the control measures / improving activities to be introduced: strategy-driven risk management
my proven solution:
strategy-based security: supporting strategy by security
risk = strategic value of the asset * probability of the threatening
weighting the criteria according to the current requirements of the strategy
is the best practice really the best?
try a feasible special case

a base of the control measures / improving activities to be introduced: strategy-driven risk management
the development & application of detective / preventive / corrective control measures depend:
on the parameters of the thing - here the risk - to be handled
risk impact = value of the asset * probability of the attack / mishap
the value of the asset: classification of the (information-related) assets
the role of the information security methods in the enterprise risk management:
identification of the vulnerabilities
invention of the methods to handle these
HOW TO DO THIS - 3 pillars: organizational, technical, regulational / detective - preventive - corrective,
and matrices with, e.g., the criteria
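An added example, not from the lecture, carrying the two slides' formula through: risk = strategic value of the asset * probability of the threat, where the asset's value comes from its classification against the asset handling criteria (availability, integrity, confidentiality) and the criteria are weighted according to the current strategy. The 1..4 classification scale, the two strategies, the assets and the threat probabilities are constructed assumptions; the point shown is that changing the strategy's weights changes which asset comes first.

```python
"""Added example, not from the lecture: strategy-weighted asset value and
risk = value * probability, with a ranking that changes with the strategy.
Scale, strategies, assets and probabilities are constructed assumptions."""

CRITERIA = ("availability", "integrity", "confidentiality")

def check_weights(weights):
    """Strategy weights must cover exactly the three criteria and sum to 1."""
    if set(weights) != set(CRITERIA) or abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must cover availability/integrity/confidentiality and sum to 1")

def asset_value(classification, weights):
    """Strategy-weighted value of one asset from its class (1..4) per criterion."""
    check_weights(weights)
    return sum(classification[c] * weights[c] for c in CRITERIA)

def risk(classification, weights, threat_probability):
    """The slide's formula: strategic value of the asset * probability of the threat."""
    return asset_value(classification, weights) * threat_probability

def rank_assets(assets, weights):
    """[(asset, risk)] by descending risk: the order in which control measures are planned."""
    scored = [(name, round(risk(a["class"], weights, a["p_threat"]), 3))
              for name, a in assets.items()]
    return sorted(scored, key=lambda item: (-item[1], item[0]))

# constructed assets: classification per criterion and an estimated threat probability
ASSETS = {
    "customer account system": {"class": {"availability": 4, "integrity": 4, "confidentiality": 4}, "p_threat": 0.2},
    "public web site":         {"class": {"availability": 3, "integrity": 2, "confidentiality": 1}, "p_threat": 0.6},
    "HR file share":           {"class": {"availability": 1, "integrity": 2, "confidentiality": 4}, "p_threat": 0.3},
}
# two strategies: an online-banking push values availability, a privacy-driven one confidentiality
ONLINE_PUSH   = {"availability": 0.6, "integrity": 0.2, "confidentiality": 0.2}
PRIVACY_FIRST = {"availability": 0.2, "integrity": 0.2, "confidentiality": 0.6}

if __name__ == "__main__":
    print(rank_assets(ASSETS, ONLINE_PUSH))
    print(rank_assets(ASSETS, PRIVACY_FIRST))
```

Under the availability-heavy strategy the public web site outranks the HR file share; under the confidentiality-heavy one the HR file share moves up, although no classification or probability changed. That is the sense in which the criteria are weighted "according to the current requirements of the strategy".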

back to the 3 pillars - organizational
requirements - organizational units:
availability - top management
integrity - IT
confidentiality, access control - physical / logical IT security - independent from IT
legal, regulatory - compliance dept., internal audit
functionality - legal dept.
best professional practice - external audit (entrepreneur)
support: IT steering committee, risk management shadow organization

back to the 3 pillars - regulational
usual information systems (IS) security prescriptions:
IS security rulebook
virus prevention
internet usage
mail usage
(IT & non-IT) BCP & disaster recovery - new: BC management!
documentational prescriptions
backup - restore (=/= archiving)
physical security rulebook
new: IS security short practical guide
take care with the use of the term "policy"?!

back to the 3 pillars - technical
requirement: to contribute to the transportation of the info to its destination + to ensure its proper access (to those and only those who need it for their work)
to the elements of the technical solution belong:
o develop & align network topology to our tasks and size
o choose, implement & maintain defense equipment to prevent + detect: firewalls, intrusion defense: network-, resident sensors
o tracing the activities - logging

back to the criteria - they have to be polished, e.g. availability
"Availability relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities." [COBIT 4.1]
proposal for the IT case: Availability of the information: if it concerns a given matter, then it is available to every employee who is competent in this matter, in a planned, predictable, and documented way, according to the preliminary agreements on its accessibility.
√ to a measurable extent: the predictability of the availability; the way of access, the time interval for which the information is available, etc.
The COBIT definition mixes confidentiality into availability; the mutual dependence of the criteria had to be clarified, too

back to the criteria - compliance: regulatory aspects
regulatory requirements:
laws from - laws relevant:
national - to the given branch of industry
European Union - to the order of the governmental unit
branch specific prescriptions: supervisory regulations & advice
(best practice recommendations - not only conventions for decorum)
to these the IS SDLC - the information system's system development life cycle - has to be aligned, mostly by the means of information security methods

back to the criteria - compliance: regulatory aspects
general - Hungarian:
Data Protection Act of 1992 (LXIII.)
branch specific - financial institution specific amendment, effective from 2004:
in the financial institutions there must be:
data protection officer
data protection procedural rulebook
obligatory reports on handling personal data
modified: Act CXII of 2011 on the right to informational self-determination and on freedom of information (2011. évi CXII. törvény az információs önrendelkezési jogról és az információszabadságról)
right to self-determination concerning information; freedom of info.
NAIH (National DP Office) with new authorization - fines
talk on data transfer, etc.

back to the criteria - compliance: regulatory aspects
general - Hungarian - cont'd:
Authors' Right Act of 1999 (LXXVI.)
licence management: costly technical control measures
Act On The Recording of the Personal Data and Home Address of Citizens, 1992 (LXVI.)
brand new, different sources: Act L of 2013 on the electronic information security of state and municipal bodies (2013. évi L. törvény az állami és önkormányzati szervek elektronikus információbiztonságáról; MK (Magyar Közlöny) No. 69, 25 April 2013)
classification of the (application) systems, based on CMM - Capability Maturity Model, taken from COBIT, not from SEI - SW Eng. Inst. - alas! this relates to organizations, not to systems
∃ information strategy - ...
69
back to the criteria - compliance: regulatory aspects
Hungarian laws concerning financial institutions:
Act on Credit Institutions & Financial Enterprises of 1996 CXII
information security requirements: "Hpt. § 13"; purpose: availability, confidentiality, integrity
"modification": 2004. XXII. - reorg. of the Supervisory Authority
others: enterprise governance, risk mgmt., capital requirements
numerous modifications
new! 196/2007 and 200/2007 government decrees on credit / operational risk
70
back to the criteria - compliance: regulatory aspects
the good old: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; Official Journal L 281, 23/11/1995, P. 0031 - 0050
EU general, e.g.:
NATO Security Policy - [C-M(2002)49]
Personnel Security Directive - [NATO AC/35-D/2000]
Physical Security Directive - [NATO AC/35-D/2001]
EU Council's Security Regulations - [2001/264/EC]
71
back to the criteria - compliance: regulatory aspects
EU laws concerning financial institutions:
2006/48/EC, 2006/49/EC, 2007/18/EC - Basel II: permission for the activities, capital requirements (the fulfilment of the requirements characterizing the quality of IT support lightens the capital requirements)
2004/39/EC – Investment Services Directive - Markets in Financial Instruments Directive (MiFID)
responsibilities of the actors in card payment: Payment Card Industry - PCI - Security Standards Council requirements
PCI DSS: Payment Card Industry Data Security Standard, see e.g.
https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
https://www.pcisecuritystandards.org/security_standards/index.php
72
governance excellence criteria (+) - example for the necessity of improvement: e.g. availability
"Availability relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities." [COBIT 4.1]
proposal for the IT case - availability of the information: if it concerns a given matter, then it is available to every employee who is competent in this matter, in a planned, predictable, and documented way, according to the preliminary agreements on its accessibility.
√ to a measurable extent: the predictability of the availability, the way of access, the time interval for which the information is available, etc.
The COBIT definition mixes confidentiality into availability; the mutual dependence of the criteria had to be clarified, too.
73
governance excellence criteria (+) - example for the necessity of improvement: e.g. availability
"Availability" - my proposal for the IT case:
Availability of the information means that if it concerns a given matter, then it is available to every employee who is competent in this matter, in a planned, predictable, and documented way, according to the preliminary agreements on its accessibility.
74
supporting references - ISACA
CISA Review Technical Information Manual, ed.: Information Systems Audit and Control Association, Rolling Meadows, Illinois, USA
- personal involvement: I have been a member of the Quality Assurance Team, 1998
COBIT® and related materials (COBIT = Control Objectives for Information Technology), Copyright © IT Governance Institute®
COBIT improvements, e.g.: Capability Maturity Model - maturity; Balanced ScoreCard - performance
75
supporting references - ISACA
COBIT Executive Summary, April 1998, 2nd Edition, released by the COBIT Steering Committee and the Information Systems Audit and Control Foundation
COBIT® 3rd Edition, July 2000, released by the COBIT Steering Committee and the IT Governance Institute™; editor: Information Systems Audit and Control Association - ISACA
COBIT® 4.0 Control Objectives, Management Guidelines, Maturity Models, Copyright © IT Governance Institute®, 2005
COBIT® 4.1 Framework, Management Guidelines, Maturity Models, Copyright © IT Governance Institute®, 2007
76
supporting references - ISACA
COBIT® 5 Design Paper Exposure Draft, © 2010 ISACA
other COBIT® 5 materials followed - personal involvement: I was a member of the Subject Matter Expert Group
"COBIT 5.0 Vol. I – The Framework" and "COBIT 5.0 Vol. IIa – Process Reference Guide", © 2011 ISACA, working paper
Enabling Processes - COBIT 5, An ISACA Framework, Copyright © 2012 ISACA
77
supporting references – ISO
the 27000 family:
International Standard ISO/IEC 27000 First edition 2009-05-01, Information technology — Security techniques — Information security management systems — Overview and vocabulary, Reference number: ISO/IEC 27000:2009(E) Copyright © ISO/IEC 2009
International Standard ISO/IEC 27001, 27002, 27005
others, such as: ISO Guide 73:2009
78
supporting references – ISO
ISO/IEC 15408 Information technology — Security techniques — Evaluation criteria for IT security (Common Criteria) (TCSEC, then ITSEC, then CC)
Magyar Szabvány MSZ ISO/IEC 12207:2000, Magyar Szabványügyi Testület (Hungarian Standards Institution): Informatika. Szoftveréletciklus-folyamatok - Information technology. Software life cycle processes; corresponds to the ISO/IEC 12207:1995 version
etc.
79
a short sample from my publications used in these slides
2010: "IT GRC versus ? Enterprise GRC but: IT GRC is a Basis of Strategic Governance"; EuroCACS 2010
2011: Enterprise Governance Against Hacking; Procds. of the 3rd IEEE International Symposium on Logistics and Industrial Informatics - LINDI 2011, August 25–27, 2011, Budapest, Hungary
2011: Serving Strategy by Corporate Governance - Case Study: Outsourcing of Operational Activities; Procds. of the 17th International Business Information Management Association - IBIMA, November 14-15, 2011, Milan, Italy, ed. Khalid S. Soliman
2012: Extending IT security methods to support enterprise management, operations and risk management - in Hungarian (Informatikai biztonsági módszerek kiterjesztése a vállalatirányítás, a működés, és a kockázatkezelés támogatására), in the Hungarian journal Quality and Reliability (Minőség és Megbízhatóság)
80
some of my publications on outsourcing
2010: Auditing outsourcing of IT resources, Part I., Part II. - in Hungarian (Az informatikai erőforrás-kihelyezés auditálási szempontjai, I., II. rész), in: Information Security Handbook (Az Informatikai biztonság kézikönyve), Verlag Dashöfer, Budapest, Hungary
Part I: February 2010, p. 8.10.1. – 26. (26 pages); Part II: December 2010, p. 8.10.27. – 158. (132 pages); total 158 pages
2011: Serving Strategy by Corporate Governance - Case Study: Outsourcing of Operational Activities; Procds. of the 17th International Business Information Management Association - IBIMA, November 14-15, 2011, Milan, Italy
81
publications on my opinion concerning legislation and its use
K.: Informatikai biztonsági megfontolások a Sarbanes - Oxley törvény ürügyén (A 2002-es Sarbanes - Oxley törvény hatásai az informatikai biztonsági rendszerekre és az informatikai ellenőrök feladataira. A jelentésszolgálat és a többi kulcsfontosságú alkalmazás felügyeletének kérdései); in Hungarian - IT security considerations triggered by SOX (The effects of the Sarbanes-Oxley Act of 2002 on IT security systems and on the tasks of IT auditors. Questions of supervising the reporting service and the other key applications); in: Az Informatikai biztonság kézikönyve, 22nd update, Verlag Dashöfer, October 2006, p. 2.2.1.1. - 2.2.8.8., total: 96 pages
Az informatikai biztonsággal kapcsolatos törvényekről és rendeletekről; in Hungarian - On the Hungarian laws and regulations dealing with IT security; in: Az Informatikai biztonság kézikönyve, 33rd update, Verlag Dashöfer, May 2009, p. 3.4.1. - 3.4.34., total: 34 pages