Page 1: IT Governance Information Security Governance. Acknowledgments Material is sourced from: CISA® Review Manual 2011, © 2010, ISACA. All rights reserved.

IT Governance

Information Security Governance

Page 2: Acknowledgments

Material is sourced from:
CISA® Review Manual 2011, © 2010, ISACA. All rights reserved. Used by permission.
CISM® Review Manual 2012, © 2011, ISACA. All rights reserved. Used by permission.

Author: Susan J Lincke, PhD, Univ. of Wisconsin-Parkside
Reviewers/Contributors: Todd Burri, Kahili Cheng

Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning.

Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.

Page 3: Objectives

Students should be able to:
Describe IT governance committees: IT strategy committee, IT steering committee, security steering committee
Describe mission, strategic plan, tactical plan, operational plan
Define quality terms: quality assurance, quality control
Describe security organization members: CISO, CIO, CSO, Board of Directors, Executive Management, Security Architect, Security Administrator
Define policy, compliance, IT Balanced Scorecard, measure, ISO 9001, enterprise architecture
Define sourcing practices: insource, outsource, hybrid, onsite, offshore
Define policy documents: data classification, acceptable usage policy, access control policies
Plan/schedule a security implementation

Page 4: Corporate Governance

Corporate Governance: Leadership by corporate directors in creating and presenting value for all stakeholders

IT Governance: Ensures the alignment of IT with enterprise objectives; a responsibility of the board of directors and executive management

Page 5: IT Governance Objectives

IT delivers value to the business
IT risk is managed

Processes include:
Equip IS functionality and address risk
Measure performance of delivering value to the business
Comply with legal and regulatory requirements

Page 6: IT Governance Committees

IT Strategy Committee (members: board members & specialists)
Focuses on direction and strategy
Advises the board on IT strategy and alignment
Optimization of IT costs and risk

IT Steering Committee (members: business executives (IT users), CIO, key advisors from IT, legal, audit, finance)
Focuses on implementation
Monitors current projects
Decides IT spending

Page 7: IT Strategy Committee

Main concerns:
Alignment of IT with the business
Contribution of IT to the business
Exposure and containment of IT risk
Optimization of IT costs
Achievement of strategic IT objectives

Page 8: IT Steering Committee

Main concerns:
Decides whether IT is centralized vs. decentralized, and the assignment of responsibility
Makes recommendations for strategic plans
Approves IT architecture
Reviews and approves IT plans, budgets, priorities and milestones
Monitors major project plans and delivery performance

Page 9: Strategic Planning Process

Strategic: Long-term (3-5 year) direction; considers organizational goals, regulation (and for IT: technical advances)
Tactical: 1-year plan that moves the organization toward the strategic goal
Operational: Detailed or technical plans

(Diagram: Strategic -> Tactical -> Operational)

Page 10: Security Strategic Planning

Strategic: Risk Mgmt – Laws; Governance – Policy; Organizational Security; Data classification
Tactical: Audit – Risk analysis; Business continuity; Metrics development; Incident response
Operational: Physical security; Network security; Policy compliance; Metrics use

Page 11: Strategic Planning

Strategy: Achieve COBIT maturity Level 4 (Managed and Measurable)

Tactical: During the next 12 months:
Each business unit must identify current applications in use
25% of all stored data must be reviewed to identify critical resources
Business units must achieve regulatory compliance
A comprehensive risk assessment must be performed for each business unit
All users must undergo general security training
Standards must exist for all policies

Page 12: Standard IT Balanced Scorecard

Mission = Direction. E.g.: Serve the business efficiently and effectively
Strategies = Objectives. E.g.: Quality through availability; process maturity
Measures = Statistics. E.g.: Customer satisfaction; operational efficiency

Establish a mechanism for reporting IT strategic aims and progress to the board

Page 13: IT Balanced Scorecard

Four perspectives, each to be filled in with a Vision, Metrics and Performance:

Financial Goals: How should we appear to stockholders?
Customer Goals: How should we appear to our customers?
Internal Business Process: What business processes should we excel at?
Learning and Growth Goals: How will we improve internally?

For each perspective: Vision: ___ Metrics: ___ Performance: ___

Page 14: Case Study: IT Governance Strategic Plan – Tactical Plan

Strategic Plan
Objective                                          Timeframe
Incorporate the business                           5 yrs
Pass a professional audit                          4 yrs

Tactical Plan
Objective                                          Timeframe
Perform strategic-level security, which includes:  1 yr
  Perform risk analysis                            6 mos.
  Perform BIA                                      1 yr
  Define policies                                  1 yr

Page 15: Case Study: IT Governance Operational Planning

Objective                                                   Timeframe           Responsibility
Hire an internal auditor and security professional          2 months: March 1   VP Finance
Establish security team of business, IT, personnel          1 month: Feb. 1     VP Finance & Chief Information Officer (CIO)
Team initiates risk analysis and prepares initial report    3 months: April 1   CIO & Security Team

Page 16: Enterprise Architecture

Constructing IT is similar to constructing a building. It must be designed and implemented at various levels:
Technical (Hardware, Software)
IT Procedures & Operations
Business Procedures & Operations

(Architecture grid)
Columns: Data; Functional (Applic.); Network (Tech); People (Org.); Process (Flow); Strategy
Rows: Scope; Enterprise Model; Systems Model; Tech Model; Detailed Representation

Page 17: Sourcing Practices

Insourced: Performed entirely by the organization's staff
Outsourced: Performed entirely by a vendor's staff
Hybrid: Partially insourced and partially outsourced
Onsite: Performed at the IS department site
Offsite or Nearshore: Performed in the same geographical area
Offshore: Performed in a different geographical region

What advantages can you think of for insourcing versus outsourcing?

Page 18: Quality with ISO 9001

ISO 9001: Standard for Quality Management Systems. Recommendations include:
Quality Manual: Documented procedures
HR: Documented standards for personnel hiring, training, evaluation, ...
Purchasing: Documented standards for vendors: equipment & services
Gap Analysis: The difference between where you are and where you want to be

Page 19: Quality Definitions

Quality Assurance: Ensures that staff are following defined quality processes: e.g., following standards in design, coding, testing, configuration management

Quality Control: Conducts tests to validate that software is free from defects and meets user expectations

Page 20: Performance Optimization

Phases of performance measurement include:
Establish and update performance metrics
Establish accountability for performance measures
Gather and analyze performance data
Report and use performance results

Note: Strategic direction for how to achieve performance improvements is necessary

Page 21: Categories of Performance Measures

Performance Measurement: What are the indicators of good IT performance?
IT Control Profile: How can we measure the effectiveness of our controls?
Risk Awareness: What are the risks of not achieving our objectives?
Benchmarking: How do we perform relative to others and to standards?

Page 22: IS Auditor & IT Governance

Is the IS function aligned with the organization's mission, vision, values, objectives and strategies?
Does IS achieve the performance objectives established by the business?
Does IS comply with legal, fiduciary, environmental, privacy, security, and quality requirements?
Are IS risks managed efficiently and effectively?
Are IS controls effective and efficient?

Page 23: Audit: Recognizing Problems

End-user complaints
Excessive costs or budget overruns
Late projects
Poor motivation, high staff turnover
High volume of H/W or S/W defects
Inexperienced staff, lack of training
Unsupported or unauthorized H/W or S/W purchases
Numerous aborted or suspended development projects
Reliance on one or two key personnel
Poor computer response time
Extensive exception reports, many not tracked to completion

Page 24: Audit: Review Documentation

IT strategies, plans, budgets
Security policy documentation
Organization charts & job descriptions
Steering committee reports
System development and program change procedures
Operations procedures
HR manuals
QA procedures
Contract standards and commitments: bidding, selection, acceptance, maintenance, compliance

Page 25: Question

The MOST important function of the IT department is:

1. Cost effective implementation of IS functions

2. Alignment with business objectives

3. 24/7 Availability

4. Process improvement

Page 26: Question

Product testing is most closely associated with which department:

1. Audit

2. Quality Assurance

3. Quality Control

4. Compliance

Page 27: Question

“Implement virtual private network in the next year” is a goal at the level:

1. Strategic

2. Operational

3. Tactical

4. Mission

Page 28: Question

Which of the following is not a valid purpose of the IS Audit?

1. Ensure IS strategic plan matches the intent of the enterprise strategic plan

2. Ensure that IS has developed documented processes for software acquisition and/or development (depending on IS functions)

3. Verify that contracts followed a documented process that ensures no conflicts of interest

4. Investigate program code for backdoors, logic bombs, or Trojan horses

Page 29: Question

Documentation that would not be viewed by the IT Strategy Committee would be:

1. IT Project Plans

2. Risk Analysis & Business Impact Analysis

3. IT Balanced Scorecard

4. IT Policies

Page 30: Information Security Governance

(Diagram: Governance, Policy, Risk)

Page 31: Information Security Importance

Organizations are dependent upon and are driven by information:
Software = information on how to process
Data and graphics retained in files
Information & computer crime has escalated
Therefore information security must be addressed and supported at the highest levels of the organization

Page 32: Security Organization

Board of Directors: Reviews risk assessment & business impact analysis; defines penalties for non-compliance with policies
Executive Mgmt: Defines security objectives and institutes the security organization
Security Steering Committee: Senior representatives of business functions; ensures alignment of the security program with business objectives
Chief Information Security Officer (CISO)
Other positions: Chief Risk Officer (CRO), Chief Compliance Officer (CCO)

Page 33: Security Governance

Strategic Alignment: Security solution consistent with organization goals and culture
Risk Management: Understand threats and cost-effectively control risk
Value Delivery: Prioritized and delivered for greatest business benefit
Performance Measurement: Metrics, independent assurance
Resource Management: Security architecture development & documentation
Process Integration: Security is integrated into a well-functioning organization

Page 34: Executive Mgmt Info Security Concerns

Reduce civil and legal liability related to privacy
Provide policy and standards leadership
Control risk to acceptable levels
Optimize limited security resources
Base decisions on accurate information
Allocate responsibility for safeguarding information
Increase trust and improve reputation outside the organization

Page 35: Legal Issues

International trade and employment may be subject to different regulations than exist in the U.S., affecting:
Hiring
Internet business
Trans-border data flows
Cryptography
Copyright, patents, trade secrets

Industry may be liable under legislation such as:
SOX: Sarbanes-Oxley: Publicly traded corporations
FISMA: Federal Information Security Management Act
HIPAA: Health Insurance Portability and Accountability Act
GLBA: Gramm-Leach-Bliley: Financial privacy
Etc.

Page 36: Road Map for Security (New Program)

(Flow diagram, read left to right)
Interview stakeholders (HR, legal, finance) to determine org. issues & concerns -> Security Issues
Info Security Steering Committee
Develop security policies for approval by Mgmt -> Security Policies
Conduct security training & test for compliance -> Training materials, Documentation
Improve standards; develop compliance monitoring strategy

Page 37: Security Relationships

(Diagram) Security Strategy, Risk, & Alignment at the center, related to:
Security requirements sign-off, acceptance test, access authorization
Laws & regulations
Security monitoring, incident response, site inventory, crisis management
Security requirements and review, change control, security upgrade/test
Security requirements in RFP, contract requirements
Security requirements, access control
Hiring, training, roles & responsibility, incident handling

Page 38: Security Governance Framework

(Diagram) Security Strategy; Security Organization; Policies, Standards, Procedures; Compliance Monitoring; Security Framework

Page 39: Secure Strategy: Risk Assessment

Five steps include:
1. Assign values to assets: Where are the crown jewels?
2. Determine loss due to threats & vulnerabilities (confidentiality, integrity, availability): Loss = Downtime + Recovery + Liability + Replacement
3. Estimate likelihood of exploitation: weekly, monthly, once a year, once in 10 years?
4. Compute expected loss: Risk Exposure = Probability of exploitation (per period) × $Loss per incident; use the same period (e.g., one year) for every asset so that exposures can be compared and prioritized
5. Treat risk: survey & select new controls; reduce, transfer, avoid or accept the risk
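The five steps above carried through in code, as an added example (not from the slides or the ISACA manuals). The asset figures, recurrence intervals and control effects are constructed for the illustration; the one generalization beyond the slide is that each recurrence interval is normalized to an annual rate so that exposures of different assets can be ranked on one scale, and a control is judged by its net benefit (exposure removed minus its annual cost).

```python
"""Worked example of the five risk-assessment steps on the slide.

Added illustration; not part of the original slides or the ISACA manuals.
The asset figures, recurrence intervals and control effects below are
constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Step 3 expresses likelihood as a recurrence interval.  To make exposures
# comparable across assets, every interval is normalised to an annual rate.
# Assumption: 'weekly' = 52 incidents/year, 'monthly' = 12, 'yearly' = 1,
# 'decade' = once in ten years = 0.1.
INTERVAL_TO_ANNUAL_RATE = {"weekly": 52.0, "monthly": 12.0, "yearly": 1.0, "decade": 0.1}


@dataclass(frozen=True)
class Asset:
    name: str
    downtime: float     # lost business while the asset is unavailable
    recovery: float     # cost to restore service or data
    liability: float    # fines, contractual penalties, legal costs
    replacement: float  # cost to replace damaged equipment or data
    interval: str       # expected recurrence of a successful exploit

    def loss_per_incident(self) -> float:
        """Step 2: Loss = Downtime + Recovery + Liability + Replacement."""
        return self.downtime + self.recovery + self.liability + self.replacement

    def annual_rate(self) -> float:
        """Step 3: likelihood of exploitation, normalised to incidents per year."""
        return INTERVAL_TO_ANNUAL_RATE[self.interval]

    def risk_exposure(self) -> float:
        """Step 4: expected annual loss = likelihood x loss per incident."""
        return self.annual_rate() * self.loss_per_incident()


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    rate_reduction: float  # fraction by which the control lowers likelihood (0..1)
    loss_reduction: float  # fraction by which it lowers loss per incident (0..1)


def residual_exposure(asset: Asset, control: Control) -> float:
    """Expected annual loss that remains once the control is in place."""
    rate = asset.annual_rate() * (1.0 - control.rate_reduction)
    loss = asset.loss_per_incident() * (1.0 - control.loss_reduction)
    return rate * loss


def net_benefit(asset: Asset, control: Control) -> float:
    """Exposure removed by the control minus what the control costs per year.
    Negative means accepting the risk is cheaper than buying this control."""
    return asset.risk_exposure() - residual_exposure(asset, control) - control.annual_cost


def recommend(asset: Asset, controls: Sequence[Control]) -> Tuple[str, Optional[str]]:
    """Step 5: pick the control with the largest positive net benefit, or
    'accept' when no control pays for itself.  Transfer (insurance) and
    avoid (retire the asset) are further options weighed outside this function."""
    best = max(controls, key=lambda c: net_benefit(asset, c), default=None)
    if best is None or net_benefit(asset, best) <= 0:
        return ("accept", None)
    return ("reduce", best.name)


def rank_assets(assets: Sequence[Asset]) -> List[Asset]:
    """Step 1: the crown jewels are the assets carrying the highest exposure."""
    return sorted(assets, key=lambda a: a.risk_exposure(), reverse=True)


# Constructed sample data for the example.
ASSETS = [
    Asset("customer database", 20_000, 15_000, 60_000, 5_000, "yearly"),
    Asset("lobby kiosk", 500, 200, 0, 300, "monthly"),
    Asset("offsite backup tapes", 0, 2_000, 50_000, 1_000, "decade"),
]
CONTROLS = [
    Control("web application firewall", 15_000, 0.7, 0.0),
    Control("field-level encryption", 40_000, 0.0, 0.6),
    Control("dedicated 24x7 SOC", 120_000, 0.9, 0.5),
]

if __name__ == "__main__":
    for asset in rank_assets(ASSETS):
        decision, control = recommend(asset, CONTROLS)
        print(f"{asset.name:22s} exposure ${asset.risk_exposure():>10,.0f} -> {decision} {control or ''}")
```

Run as a script it lists the assets from highest to lowest exposure: the customer database ($100,000 per year) gets the firewall, whose $55,000 net benefit beats encryption ($20,000) and the SOC (negative); the kiosk ($12,000) and the tapes ($5,300) are accepted because no listed control is cheaper than the exposure it removes. Changing an interval from "yearly" to "monthly" multiplies that asset's exposure by twelve, which is why step 3 deserves as much scrutiny as the dollar figures in step 2.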

Page 40: Example Policy Documents

Data Classification: Defines data security categories, ownership and accountability

Acceptable Usage Policy: Describes permissible usage of IT equipment/resources

End-User Computing Policy: Defines usage and parameters of desktop tools

Access Control Policies: Defines how access permission is defined and allocated

After policy documents are created, they must be officially reviewed, updated, disseminated, and tested for compliance

Page 41: Compliance Function

Compliance: Ensures compliance with organizational policies
E.g.: Listen to selected help desk calls to verify proper authorization occurs when resetting passwords
Best if compliance tests are automated

Audit: Snapshot of compliance at a point in time
Compliance: Ongoing process over time; ensures adherence to policies
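An automated version of the password-reset compliance test just described, as an added example (not from the slides). It replays a help-desk audit log ticket by ticket and flags resets that were not preceded by an identity check, privileged-account resets without manager approval, and agents resetting their own accounts; the log format, field names, account-naming convention and policy rules are all assumptions made for the illustration, and the log lines are constructed.

```python
"""Automated compliance test for the password-reset control on the slide.

Added illustration; not from the slides.  The log format, the field names,
the privileged-account naming convention and the policy rules encoded here
are assumptions made for the example.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample of a help-desk audit log: one event per line,
# "<timestamp> key=value key=value ...", grouped by ticket number.
SAMPLE_LOG = """\
2024-03-01T09:58:02 ticket=4711 agent=jdoe event=identity_check user=asmith method=callback
2024-03-01T10:02:11 ticket=4711 agent=jdoe event=password_reset user=asmith
2024-03-01T10:15:40 ticket=4712 agent=jdoe event=password_reset user=bjones
2024-03-01T11:20:05 ticket=4713 agent=mlee event=identity_check user=dba_admin method=callback
2024-03-01T11:21:30 ticket=4713 agent=mlee event=password_reset user=dba_admin
2024-03-01T13:05:00 ticket=4714 agent=mlee event=identity_check user=mlee method=callback
2024-03-01T13:05:20 ticket=4714 agent=mlee event=password_reset user=mlee
"""

# Policy assumptions for the example.
ACCEPTED_METHODS = {"callback", "in_person"}   # sufficient for ordinary accounts
PRIVILEGED_METHODS = {"manager_approval"}      # required for privileged accounts
PRIVILEGED_PREFIXES = ("dba_", "admin", "root")

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.+)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Turn one log line into a dict; returns None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    record = {"ts": m.group("ts")}
    for field in m.group("fields").split():
        key, sep, value = field.partition("=")
        if sep:
            record[key] = value
    return record


def is_privileged(user: str) -> bool:
    return user.startswith(PRIVILEGED_PREFIXES)


def find_violations(log_text: str) -> List[Tuple[str, str, str]]:
    """Replay each ticket in order and flag resets that break policy.

    Returns (ticket, user, reason) tuples.  A reset is compliant only if the
    same ticket recorded an acceptable identity check for that user before
    the reset, and the agent is not resetting their own account."""
    by_ticket: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and "ticket" in rec:
            by_ticket[rec["ticket"]].append(rec)

    violations: List[Tuple[str, str, str]] = []
    for ticket, events in by_ticket.items():
        verified: Dict[str, set] = defaultdict(set)  # user -> check methods seen so far
        for e in events:
            if e.get("event") == "identity_check":
                verified[e["user"]].add(e.get("method", ""))
            elif e.get("event") == "password_reset":
                user, agent = e["user"], e["agent"]
                if agent == user:
                    violations.append((ticket, user, "agent reset own account"))
                if is_privileged(user):
                    if not verified[user] & PRIVILEGED_METHODS:
                        violations.append((ticket, user, "privileged reset without manager approval"))
                elif not verified[user] & ACCEPTED_METHODS:
                    violations.append((ticket, user, "reset without identity verification"))
    return violations


def compliance_rate(log_text: str) -> float:
    """Scorecard metric: share of password resets that raised no violation."""
    records = [parse_line(line) for line in log_text.splitlines()]
    resets = [r for r in records if r and r.get("event") == "password_reset"]
    if not resets:
        return 1.0
    bad = {(t, u) for t, u, _ in find_violations(log_text)}
    ok = sum(1 for r in resets if (r["ticket"], r["user"]) not in bad)
    return ok / len(resets)


if __name__ == "__main__":
    for ticket, user, reason in find_violations(SAMPLE_LOG):
        print(f"ticket {ticket}: {user}: {reason}")
    print(f"compliance rate: {compliance_rate(SAMPLE_LOG):.0%}")
```

On the sample log the check reports three of four resets as non-compliant (no identity check on ticket 4712, a privileged account verified only by callback on 4713, and an agent resetting their own account on 4714), so the compliance rate is 25%. Run on every day's log this is the ongoing process the slide contrasts with the auditor's point-in-time sample of calls.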

Page 42: Compliance Program – Security Review or Audit Test

Objective: Is our web interface to the DB safe?
Scope: Penetration test on the DB
Constraints: Must test between 1-4 AM
Approach:
1. Tester has valid session credentials
2. Specific records allocated for the test
3. Test: SQL injection
Result: These problems were found: …
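The test plan above executed against a throwaway database, as an added example (not from the slides). The tester's session account, the allocated test records, the two versions of the order-search lookup and the payload are constructed for the illustration; the standard-library sqlite3 module stands in for the production DB. The vulnerable lookup is shown beside the parameterized one so the reader can see exactly what the test catches and what the fix looks like.

```python
"""The slide's SQL-injection test, carried out against a throwaway database.

Added illustration; not from the slides.  The table, the test account, the
lookup functions and the payload are constructed for the example; sqlite3
from the standard library stands in for the production DB.
"""
import sqlite3
from typing import Callable, Dict, List, Tuple

Row = Tuple[int, str, str]
Lookup = Callable[[sqlite3.Connection, str, str], List[Row]]

TEST_ACCOUNT = "pentest_acct"   # the valid session credentials issued to the tester


def make_test_db() -> sqlite3.Connection:
    """In-memory stand-in for the DB: records allocated to the tester plus
    other customers' rows that the tester must NOT be able to read."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, item TEXT)")
    conn.executemany(
        "INSERT INTO orders (customer, item) VALUES (?, ?)",
        [(TEST_ACCOUNT, "test widget A"), (TEST_ACCOUNT, "test widget B"),
         ("alice", "laptop"), ("bob", "phone")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, session_customer: str, keyword: str) -> List[Row]:
    """Web interface as found: the keyword from the request is pasted into the
    SQL text.  Deliberately unsafe, to show what the test catches."""
    sql = ("SELECT id, customer, item FROM orders "
           f"WHERE customer = '{session_customer}' AND item LIKE '%{keyword}%'")
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, session_customer: str, keyword: str) -> List[Row]:
    """Same query with bound parameters: the keyword can only ever be data."""
    sql = "SELECT id, customer, item FROM orders WHERE customer = ? AND item LIKE ?"
    return conn.execute(sql, (session_customer, f"%{keyword}%")).fetchall()


# Classic payload: closes the LIKE literal, ORs in an always-true condition,
# and comments out the rest of the statement.
INJECTION_PAYLOAD = "%' OR 1=1 --"


def injection_test(lookup: Lookup, conn: sqlite3.Connection) -> Tuple[bool, List[Row]]:
    """Approach from the slide: use the issued session, search with the
    payload, and fail the test if any row outside the allocated records
    comes back.  Returns (passed, leaked_rows)."""
    rows = lookup(conn, TEST_ACCOUNT, INJECTION_PAYLOAD)
    leaked = [r for r in rows if r[1] != TEST_ACCOUNT]
    return (len(leaked) == 0, leaked)


def review_report(lookup: Lookup) -> Dict[str, object]:
    """Result section in the slide's layout, for one implementation."""
    conn = make_test_db()
    baseline = lookup(conn, TEST_ACCOUNT, "widget")   # sanity check: a normal search still works
    passed, leaked = injection_test(lookup, conn)
    return {
        "objective": "Is our web interface to the DB safe?",
        "scope": "SQL injection via order search",
        "baseline_rows": len(baseline),
        "passed": passed,
        "findings": [f"row {r[0]} of customer {r[1]} readable by {TEST_ACCOUNT}" for r in leaked],
    }


if __name__ == "__main__":
    for name, fn in (("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)):
        print(name, review_report(fn))
```

Against the vulnerable lookup the payload turns the WHERE clause into `customer = 'pentest_acct' AND item LIKE '%%' OR 1=1`, so every customer's orders come back and the report lists alice's and bob's rows as findings; against the parameterized lookup the same payload is just a search string that matches nothing, and the test passes. Allocating dedicated test records is what makes the leak check objective: anything returned that is not owned by the test account is a finding.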

Page 43: Security Positions

Security Architect:
Design secure network topologies, access control, security policies & standards
Evaluate security technologies
Work with compliance, risk mgmt, audit

Security Administrator:
Allocate access to data under the data owner
Prepare security awareness program
Test security architecture
Monitor security violations and take corrective action
Review and evaluate security policy

Page 44: Security Architect: Control Analysis

Dimensions: Placement, Effectiveness, Efficiency, Policy, Implementation

Placement:
Where are controls located? Are controls layered? Is control redundancy needed?
Does the control protect broadly or one application? If the control fails, is there a control remaining (single point of failure)? If the control fails, does the application fail?

Effectiveness and efficiency:
Are controls reliable? Do they inhibit productivity?
Are they automated or manual? Are key controls monitored in real time?
Are controls easily circumvented?

Policy:
Do controls fail secure or fail open? Is the policy restrictive or permissive (denied unless expressly permitted, or vice versa)? Does the control align with policy and business expectations?

Implementation:
Have controls been tested? Are controls self-protecting? Do controls meet control objectives? Will controls alert security personnel if they fail? Are control activities logged and reviewed?

Page 45: Control Practices

These may be useful in particular conditions:
Automate Controls: Make controls technically infeasible to bypass
Access Control: Users should be identified, authenticated and authorized before accessing resources
Secure Failure: If compromise is possible, stop processing
Compartmentalize to Minimize Damage: Access control required per system resource set
Transparency: Communicate so that the average layperson understands the control -> understanding & support
Trust: Verify the communicating partner through a trusted 3rd party (e.g., PKI)
Trust No One: Oversight controls (e.g., CCTV)
Segregation of Duties: Require collusion to defraud the organization
Principle of Least Privilege: Minimize system privileges
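Several of the control-analysis questions on the previous slide (fail secure or fail open, restrictive or permissive policy, are control activities logged) and the practices on this one (secure failure, least privilege, segregation of duties) reduce to a few lines of decision logic, so here they are as an added example (not from the slides). The roles, resources, policy table and payment workflow are assumptions for the illustration; the fail-open function is included only as the anti-pattern to compare against.

```python
"""Control practices from the slides, in code: a restrictive
(deny-unless-permitted) access decision that fails secure and logs, the
permissive fail-open version it replaces, and a segregation-of-duties check.

Added illustration; not from the slides.  Roles, resources, the policy table
and the payment workflow are assumptions made for the example.
"""
from typing import Dict, List, Optional, Set, Tuple


class PolicyUnavailable(Exception):
    """Raised when the policy store cannot be consulted."""


# Allow-list (restrictive policy): anything not listed here is denied, and
# each role gets only what it needs (least privilege).
POLICY: Dict[str, Set[Tuple[str, str]]] = {
    "analyst": {("reports", "read")},
    "dba":     {("customer_db", "read"), ("customer_db", "write")},
    "auditor": {("reports", "read"), ("audit_log", "read")},
}


def load_policy(role: Optional[str]) -> Set[Tuple[str, str]]:
    """Look up a role's permissions.  A session with no role raises, standing
    in for any failure of the policy store (unreachable, corrupt, timed out)."""
    if role is None:
        raise PolicyUnavailable("no role in session")
    return POLICY.get(role, set())


def permit_fail_secure(role: Optional[str], resource: str, action: str, audit: List[str]) -> bool:
    """Deny unless expressly permitted; on any error, deny and record why."""
    try:
        allowed = (resource, action) in load_policy(role)
    except PolicyUnavailable as exc:
        audit.append(f"DENY role={role} {action} {resource} (control error: {exc})")
        return False
    audit.append(f"{'ALLOW' if allowed else 'DENY'} role={role} {action} {resource}")
    return allowed


DENYLIST = {("customer_db", "write")}   # only what someone remembered to forbid


def permit_fail_open(role: Optional[str], resource: str, action: str, audit: List[str]) -> bool:
    """Anti-pattern for contrast: permissive policy (allowed unless denied)
    and an error path that quietly allows."""
    try:
        if role is None:
            raise PolicyUnavailable("no role in session")
        allowed = (resource, action) not in DENYLIST
    except PolicyUnavailable:
        allowed = True          # fails open: a policy outage becomes full access
    audit.append(f"{'ALLOW' if allowed else 'DENY'} role={role} {action} {resource}")
    return allowed


ROLES = {"carol": "clerk", "dave": "finance_manager", "erin": "clerk"}


def approve_payment(initiator: str, approver: str, roles: Dict[str, str] = ROLES) -> bool:
    """Segregation of duties: one person enters the payment and a different
    person holding the approving role releases it, so fraud needs collusion."""
    if initiator == approver:
        return False
    return roles.get(initiator) == "clerk" and roles.get(approver) == "finance_manager"


if __name__ == "__main__":
    log: List[str] = []
    print(permit_fail_secure("analyst", "customer_db", "read", log))   # False: not in the allow-list
    print(permit_fail_secure(None, "reports", "read", log))            # False: policy error, fails secure
    print(permit_fail_open(None, "reports", "read", log))              # True: the fail-open bug
    print("\n".join(log))
```

The two permit functions give the same answer for a DBA writing to the customer database and differ everywhere the architect's questions point: an unknown role, an unlisted resource, or a broken policy lookup is a denial in the first and an allowance in the second. The audit list is the "are control activities logged" answer; the payment check shows why a two-person rule must refuse the case where both names are the same person.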

Page 46: Security Administrator: Security Operations

Identity mgmt & access control
System patching & configuration mgmt
Change control & release mgmt
Security metrics collection & reporting
Control technology maintenance
Incident response, investigation, and resolution

Page 47: Summary of Security Mgmt Functions

Develop security strategy:
Linked with business objectives
Regulatory & legal issues are addressed
Sr mgmt acceptance & support
Complete set of policies
Standards & procedures for all relevant policies
Security awareness for all users and security training as needed
Classified information assets by criticality and sensitivity

Page 48: Summary of Security Mgmt Functions

Effective compliance & enforcement processes:
Metrics are maintained and disseminated
Monitoring of compliance & controls
Utilization of security resources is effective
Noncompliance is resolved in a timely manner

Effective risk mgmt and business impact assessment:
Risks are assessed, communicated, and managed
Controls are designed, implemented, maintained, tested
Incident and emergency response processes are tested
Business Continuity & Disaster Recovery Plans are tested

Page 49: Summary of Security Mgmt Functions

Develop security strategy, oversee the security program, liaise with business process owners for ongoing alignment
Clear assignment of roles & responsibilities
Security participation with change management
Address security issues with 3rd-party service providers
Liaise with other assurance providers to eliminate gaps and overlaps

Page 50: Question

Who can contribute the MOST to determining the priorities and risk impacts to the organization’s information resources?

1. Chief Risk Officer

2. Business Process Owners

3. Security Manager

4. Auditor

Page 51: Question

A document that describes how access permission is defined and allocated is the:

1. Data Classification

2. Acceptable Usage Policy

3. End-User Computing Policy

4. Access Control Policies

Page 52: Question

The role of the Information Security Manager in relation to the security strategy is:

1. Primary author with business input

2. Communicator to other departments

3. Reviewer

4. Approves the strategy

Page 53: Question

The role most likely to test a control is the:

1. Security Administrator

2. Security Architect

3. Quality Control Analyst

4. Security Steering Committee

Page 54: Question

The role responsible for defining security objectives and instituting a security organization is the:

1. Chief Security Officer

2. Executive Management

3. Board of Directors

4. Chief Information Security Officer

Page 55: Question

When implementing a control, the PRIMARY guide to implementation adheres to:

1. Organizational Policy

2. Security frameworks such as COBIT, NIST, ISO/IEC

3. Prevention, Detection, Correction

4. A layered defense

Page 56: Question

The persons on the Security Steering Committee who can contribute the BEST information relating to ensuring Information Security success are:

1. Chief Information Security Officer

2. Business process owners

3. Executive Management

4. Chief Information Officer

Page 57: Reference

Slide #  Slide Title                           Source of Information
4        Corporate Governance                  CISA: pages 87, 88
6        IT Governance Committees              CISA: page 90
7        IT Strategy Committee                 CISA: page 90
12       Standard IT Balanced Scorecard        CISA: page 91
16       Enterprise Architecture               CISA: pages 94, 95, Exhibit 2.5
17       Sourcing Practices                    CISA: page 106
18       Quality with ISO 9001                 CISA: page 112
19       Quality Definitions                   CISA: page 116
20       Performance Optimization              CISA: pages 113, 114
21       Categories of Performance Measures    CISA: page 114
32       Security Organization                 CISA: pages 94, 95, Exhibit 2.4
33       Security Governance                   CISA: pages 92, 93
39       Secure Strategy: Risk Assessment      CISM: page 100
40       Example Policy Documents              CISA: page 100
43       Security Positions                    CISA: pages 116, 117