Information Assurance
For Accountants
Big Mess (Standards & Laws)
• FISMA
• PCI
• ISO 17799
• COBIT
• COSO
• HIPAA
• GLBA
• E-Discovery
• SB 1386
• 21 CFR 11
• NIST
• FIPS
• SOX
• S239
• S496
• ITIL
• Others
Who’s Qualified?
04/07/2023
Certifications

AICPA
• CPA – Certified Public Accountant

Association of Certified Fraud Examiners
• CFE – Certified Fraud Examiner

IIA Institute of Internal Auditors
• CIA – Certified Internal Auditor
• CCSA – Certification in Control Self-Assessment
• CGAP – Certified Government Auditing Professional
• CFSA – Certified Financial Services Auditor

ISACA
• CISA – Certified Information Systems Auditor
• CISM – Certified Information Security Manager

(ISC)2
• CISSP – Certified Information Systems Security Professional
• SSCP – Systems Security Certified Practitioner
• CAP – Certification and Accreditation Professional

ICSA
• TICSA – TruSecure ICSA Certified Security Associate
• TICSE – TruSecure ICSA Certified Security Expert

DRI International
• ABCP – Associate Business Continuity Planner
• CBCP – Certified Business Continuity Planner
• MBCP – Master Business Continuity Planner

EC-Council
• CEH – Certified Ethical Hacker
• CHFI – Certified Hacking Forensics Investigator

ASIS
• CPP – Certified Protection Professional
• PCI – Professional Certified Investigator
• PSP – Physical Security Professional

Checkpoint
• CCSA – Check Point Certified Security Administrator
• CCSE – Check Point Certified Security Expert
• CCSE Plus – Check Point Certified Security Expert Plus

Security Certified Program
• SCNP – Security Certified Network Professional
• SCNA – Security Certified Network Architect

Intense School
• CHCP – Certified Hacking and Countermeasures Professional
• CHCE – Certified Hacking and Countermeasures Expert

Learning Tree
• EWSCP – Enterprise and Web Security Certified Professional
• NSCP – Network Security Certified Professional

HIPAA Academy
• CHP – Certified HIPAA Professional
• CHA – Certified HIPAA Administrator
• CHSS – Certified HIPAA Security Specialist

CompTIA
• Security+
(ISC)2
CISSP: Broad certification covering 10 areas of security:
• Security Management
• Access Control Systems
• Telecommunications and Network Security
• Cryptography
• Architecture and Models
• Operations Security
• Application and System Development
• Business Continuity Planning
• Law, Investigations and Ethics
• Physical Security

Requires:
• Continuing Education
• Adherence to Code of Ethics
• Degree or equivalent work experience (4 years, or BA and 3 years)

Other:
• Professional Certification
• ISO IEC 17024 Certified
• http://www.isc2.org

CISSP – Certified Information Systems Security Professional (Level: Advanced)
Concentrations:
• ISSEP – Information Systems Security Engineering Professional
• ISSAP – Information Systems Security Architecture Professional
• ISSMP – Information Systems Security Management Professional

SSCP – Systems Security Certified Practitioner (Level: Intermediate)
CAP – Certification and Accreditation Professional (Level: Intermediate)
ISACA
With more than 28,000 members in over 100 countries, ISACA® is a recognized global leader in IT governance, control and assurance. Founded in 1969, ISACA sponsors international conferences, training events and a global knowledge network (K-NET), administers the globally respected Certified Information Systems Auditor™ (CISA®) designation earned by more than 30,000 professionals worldwide and the new Certified Information Security Manager™ (CISM™) designation, and develops globally applicable information systems (IS) auditing and control standards.

Requires:
• Continuing Education
• Adherence to Code of Ethics
• Degree or equivalent work experience (5 years, or BA and 3 years)

Other:
• Professional Certification
• http://www.isaca.org/

CISA – Certified Information Systems Auditor (Level: Advanced)
CISM – Certified Information Security Manager
FISMA
Not a diet cola
May, 2006
What is FISMA?
• FISMA requires each federal agency to “develop, document, and implement an agency-wide information security program … to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.”
FISMA Requirements
• At a high level, FISMA requires agencies to:
– Plan for security
– Ensure that appropriate officials are assigned security responsibility
– Review the security controls in their information systems
– Authorize system processing prior to operations and, periodically, thereafter
Basics
• Public Law 107-347 (Title III) – FISMA
• Homeland Security Presidential Directive 7
– Critical Infrastructure Identification, Prioritization, and Protection
• OMB Circular A-130 (Appendix III)
• NIST develops standards for FISMA
– Through a certification and accreditation program
– Risk based approach
Certification
• Certification is the comprehensive assessment and verification of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
• Basically an audit of the controls
Accreditation
• Accreditation is the official management decision given by a senior official to authorize operation of an information system and to explicitly accept the risk to operations (including mission, functions, image, or reputation), assets, or individuals, based on the implementation of an agreed upon set of security controls.
• Accountability for senior management
C&A Lifecycle
• Initiation Phase
• Certification Phase
• Accreditation Phase
• Monitoring Phase
Control Section by Class

CLASS        FAMILY                                                     IDENTIFIER   # OF CONTROLS
Management   Risk Assessment                                            RA           5
Management   Planning                                                   PL           5
Management   System and Services Acquisition                            SA           11
Management   Certification, Accreditation, and Security Assessments    CA           7
Operational  Personnel Security                                         PS           8
Operational  Physical and Environmental Protection                      PE           17
Operational  Contingency Planning                                       CP           10
Operational  Configuration Management                                   CM           7
Operational  Maintenance                                                MA           6
Operational  System and Information Integrity                           SI           12
Operational  Media Protection                                           MP           7
Operational  Incident Response                                          IR           7
Operational  Awareness and Training                                     AT           4
Technical    Identification and Authentication                          IA           7
Technical    Access Control                                             AC           20
Technical    Audit and Accountability                                   AU           11
Technical    System and Communications Protection                       SC           19
Unique
• Requires C&A every 3 years or whenever there is a major change to the system
• Requirement for Federal agencies and those who process information owned by the agencies
• States and Private companies are now looking to become FISMA compliant
PCI – Payment Card Industry
Introduction
Problem
TJ Maxx
• Computer breach
• TJ Maxx, Marshalls, HomeGoods, AJ Wright
• Losses to date: 45.7 million
• 455,000 customers’ information
– Credit card numbers, driver’s licenses, military IDs, check information
• 5 million to correct the problem
Various Standards
• American Express – DSOP
• Discover Network – DISC
• MasterCard – SDP
• Visa – CISP

PCI Council Standards
• American Express – DSOP
• Discover Network – DISC
• MasterCard – SDP
• Visa – CISP
These are consolidated under the PCI Data Security Standard.
What does the PCI Council do?
• Own and manage PCI DSS, including maintenance, revisions, interpretation and distribution
• Define common audit requirements to validate compliance
• Manage certification process for security assessors and network scanning vendors
• Establish minimum qualification requirements
• Maintain and publish a list of certified assessors and vendors
Players
• Acquirer
– Bankcard association member that initiates and maintains relationships with merchants that accept payment cards
• Cardholder
– Customer to whom a card is issued, or individual authorized to use the card
• Hosting Provider
– Offers various services to merchants and other service providers
• Merchant
– Provides goods and services for compensation
(Diagram: Card Brand, Acquirer, Hosting Provider, Merchant, Cardholder)
Players
• Card Brand
– Issues fines
• PCI Council
– Maintains standards for PCI
– Administers ASV & QSA programs
• Approved Scanning Vendor (ASV)
– Certified to provide quarterly scans
• Qualified Security Assessor (QSA)
– Certified to provide annual audits
(Diagram: Card Brand, Acquirer, Hosting Provider, Merchant, Cardholder; PCI Council, QSA, ASV, PCI DSS)
Merchant Levels

Merchant Level   Audit      Quarterly Scan   Self Assessment
1                Annually   Quarterly        -
2                -          Quarterly        Annually
3                -          Quarterly        Annually
4                -          Quarterly        Annually
Requirements

Merchant Case
• Company brand
– Future revenues
• Mandatory
– Golden rule: “He who has the gold makes the rules”
• Termination of processing privileges
– Can’t accept credit cards – loss
• Safe Harbor
– Who is responsible for losses?

Acquirer Case
• One-time payment for every merchant 100% compliant by March 31, 2007
• Partial payment for every merchant 100% compliant by August 31, 2007
• Reduced processing rates if all merchants are 100% compliant by October 1, 2007
• Fined up to 10k per month for each level 1 & 2 merchant storing track 2 data, by March 31, 2007
• Fined 5–25k per month for each level 1 & 2 merchant not validated by 9-31-07 and 12-31-07
• Fined for each merchant data compromise
In the event of an incident
(Diagram: Incident → Evaluation → Safe Harbor → $$$$$$)
"Many Major Merchants Still Lax on Credit Card Data Security"
Electronic Payments International (06/28/07) P. 7
Maze & Associates – Information Assurance Services

• Security Assessments
• Vulnerability Scanning
• PCI Services
– Approved Scanning Vendor
– Consulting
• FISMA
– Consulting
– Audit (in the future??)
• Training
– PCI DSS
– FISMA (NIST)
– IT
– Security

Security Assessments
• Based on client’s needs
• Based on any of a number of standards
• Customizable
• Quality
• Meaningful results
• FISMA or PCI reviews

Vulnerability Scanning
• Customizable scanning solutions
• PCI Approved Scanning Vendor
• A different approach