Information Security Governance

Nov 8, 2013

Centre for Distributed Computing, Jadavpur University






Information Security Governance and Standards

Prof. Chandan Mazumdar
Coordinator, Centre for Distributed Computing,
Department of Computer Science & Engineering,
Jadavpur University, Kolkata 700 032
E-mail: chandanm@cse.jdvu.ac.in


Corporate Governance


Corporate Governance is the set of processes,
customs, policies, laws and institutions affecting the
way a corporation is directed, administered or
controlled. It is used to monitor whether outcomes
are in accordance with plans.



Major activities


Direct, plan or establish responsibilities


Control outcomes, or ensure implementation, or ensure
compliance



Risk Management is one of the key responsibilities


The Players


Strategic Level


Board of Directors & Executive Management


Tactical Level


Senior & Middle Management


Operational Level


Lower Management & Administration




Directives flow from the top


Execution is done at the lowest level


Middle level is responsible for the control and
feedback


Components of Corporate Governance


Financial Governance



HR Governance



IT Governance






IT Governance


IT Governance consists of the leadership,
organizational structures and processes that ensure
that the organization’s IT posture sustains and
extends the organization’s strategies and objectives



Board should generate such directives as to ensure
that the strategic objectives of the business are not
jeopardized by IT failures and/or compromise of the
IT assets.


Components and Standards


Components


Performance and capacity governance



Information Security Governance




Standard


COBIT (Control Objectives for Information and Related
Technologies) from ISACA (Information Systems Audit and
Control Association)


Information Security


To ensure the protection of the following properties
of information assets:


Confidentiality


Integrity


Availability


Authenticity


Non-repudiation




[Diagram: relationships among security concepts. Security Controls protect against Threats; Threats exploit Vulnerabilities, expose Assets and increase Security Risks; Vulnerabilities increase Security Risks; Assets have Asset Values and Potential Impacts, which increase Security Risks and indicate Security Requirements; Security Risks indicate Security Requirements; Security Requirements are met by Security Controls; Security Controls reduce Security Risks.]


Dimensions of Information Security


Governance


Organization


Management


Policy


Best Practices


Ethical


Certification


Legal


Insurance


HR


Awareness


Technical


Measurement / Metrics


Audit


Forensics


Information Security Governance (ISG)


The Management commitment and leadership, organizational
structures, user awareness and commitment, policies,
procedures, processes, technologies and compliance
enforcement mechanisms all working together to assure that
information security is maintained at all times.



ISG


Is an integral part of Corporate Governance


Should ensure cost-effectiveness


Should be risk based


Should ensure that all security appliances are in place


BoD should exercise due diligence and due care in ensuring that an
IS strategy exists and that management implements it


Positioning ISG

[Diagram: nested scopes]
Corporate Governance
  IT Governance
    ISG


ISG Model


Management Levels


Strategic Level


Decides “WHAT” must be done



Tactical Level


Decides “HOW” it must be done



Operational Level


Things are actually done according to set procedures,
guidelines and standards


ISG Model


Actions


Direct


What must be done should be very clearly specified through a
series of directives reflecting the BoD’s expectation



Control


Directives are expanded into a set of policies, standards,
guidelines and procedures, reflecting the expectation of the
Middle Management of how they want IT assets to be protected.
Compliance to the directives is measured, monitored and
reported.



Execute


The above inputs are expanded into sets of Administrative
Guidelines and Administrative Procedures. Necessary technical
measures to implement the directives from middle management
are physically implemented and managed.


ISG Model


Control


Operational Level


Measurement data is extracted from a wide range of entities, like
log files of OS, DB, firewalls, IDSs and many other forms of utility
and specialized software sources



Tactical Level


The operational measurement data is compiled and integrated to
perform measurement and monitoring against the relevant
policies and standards. These measurements are used to control
the operational level. Also, these data are aggregated or abstracted
to indicate the levels of compliance and conformance to the Board
Directives.



Strategic Level


Reports reflecting compliance and conformance to the relevant
directives are tendered and the risk situation is elicited


Information Security Policy Architecture

[Diagram: policy hierarchy]
Board Directive
  Corporate Information Security Policy
    Issue Specific Policy 1
      Procedure 1.1
      Procedure 1.2
    Issue Specific Policy 2
    Issue Specific Policy 3


Corporate Information Security Policy (CISP)


Must indicate the Board’s Support and Commitment


Accepted and signed by the CEO


Should be a “Crisp” document


Should be a “Stable” document


Must be “Technology Neutral”


Must indicate the “owner” and other responsible roles


Must indicate the “Scope”


Must refer to the disciplinary actions in case of violations of
CISP and its sub-policies


Must be widely disseminated


Must have a compliance clause


Representative Set of Issue Specific Policies


Acceptable Usage Policy


Email Policy


Anti-virus Policy


Backup Policy


Information Security Incident Policy


Network Security Policy


Access Control Policy


Physical and Environmental Security Policy


Third Party Access Policy


Remote Access Policy


Data Classification Policy



Information Security Awareness Policy



Compliance Management


Include compliance clause with each policy


Each compliance clause should include


Compliance checking cycle


Nature of Report to be provided


How the data for reporting has to be captured




You cannot manage what you cannot measure



Compliance Management Approach


Which IT Security Risks are to be monitored?


Which data are needed to monitor the status of these
Risks?


In what way are the results to be reported to the
Executive Management / BoD so that they can
understand the situation?




The database for compliance management may be
populated manually or automatically.
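The three-level control loop described in the ISG Model (measurement data extracted from OS, DB, firewall, IDS and other logs at the operational level; measured against policies and standards at the tactical level; aggregated into conformance reports for the Board at the strategic level) and the compliance-management questions above (which risks, which data, how reported) are worked through here as an added example. This is not code from the slides or from the author; the sample log lines, hosts, accounts, the three policies used as compliance clauses and their thresholds are all constructed assumptions.

```python
"""Three-level compliance measurement: operational extraction, tactical checking,
strategic reporting. Added illustration; sample logs and thresholds are constructed."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log lines (hypothetical hosts, users and addresses).
OS_AUTH_LOG = """\
2013-11-08T09:01:10 host-a sshd: Failed password for alice from 10.0.0.7
2013-11-08T09:01:14 host-a sshd: Failed password for alice from 10.0.0.7
2013-11-08T09:01:19 host-a sshd: Failed password for alice from 10.0.0.7
2013-11-08T09:01:23 host-a sshd: Failed password for alice from 10.0.0.7
2013-11-08T09:02:00 host-a sshd: Accepted password for bob from 10.0.0.9
2013-11-08T09:05:41 host-b sshd: Failed password for root from 10.0.0.7
"""
AV_STATUS_LOG = """\
2013-11-08T07:00:00 host-a antivirus: signatures updated 2013-11-07
2013-11-08T07:00:00 host-b antivirus: signatures updated 2013-11-05
"""
BACKUP_LOG = """\
2013-11-08T02:00:00 host-a backup: status=success
2013-11-08T02:00:00 host-b backup: status=failed
"""
REPORT_DATE = datetime(2013, 11, 8)  # constructed reporting date


@dataclass(frozen=True)
class Measurement:
    subject: str  # host, or host/account, the metric was measured for
    metric: str
    value: float


# Compliance clauses: which issue-specific policy each metric reports against and
# the threshold that counts as compliant. Thresholds are constructed assumptions.
CLAUSES = {
    "failed_logins": ("Access Control Policy", lambda v: v <= 3),
    "signature_age_days": ("Anti-virus Policy", lambda v: v <= 7),
    "last_backup_ok": ("Backup Policy", lambda v: v == 1),
}


def extract_measurements() -> list[Measurement]:
    """Operational level: pull raw measurement data out of OS, AV and backup logs."""
    out: list[Measurement] = []
    failed: dict[str, int] = defaultdict(int)
    for m in re.finditer(r"(\S+) sshd: Failed password for (\S+) from", OS_AUTH_LOG):
        failed[f"{m.group(1)}/{m.group(2)}"] += 1
    out += [Measurement(subject, "failed_logins", n) for subject, n in failed.items()]
    for m in re.finditer(r"(\S+) antivirus: signatures updated (\S+)", AV_STATUS_LOG):
        age = (REPORT_DATE - datetime.strptime(m.group(2), "%Y-%m-%d")).days
        out.append(Measurement(m.group(1), "signature_age_days", age))
    for m in re.finditer(r"(\S+) backup: status=(\S+)", BACKUP_LOG):
        out.append(Measurement(m.group(1), "last_backup_ok", float(m.group(2) == "success")))
    return out


def check_compliance(measurements):
    """Tactical level: compare every measurement with the clause of its policy."""
    return [
        (CLAUSES[m.metric][0], m.subject, m.metric, m.value, CLAUSES[m.metric][1](m.value))
        for m in measurements
    ]


def board_report(results):
    """Strategic level: aggregate per policy into a conformance figure for the BoD."""
    tally = defaultdict(lambda: [0, 0])  # policy -> [compliant checks, total checks]
    for policy, _subject, _metric, _value, compliant in results:
        tally[policy][0] += int(compliant)
        tally[policy][1] += 1
    report = {}
    for policy, (ok, total) in sorted(tally.items()):
        percent = 100.0 * ok / total
        report[policy] = {"checks": total, "compliant": ok, "percent": percent,
                          "status": "conformant" if ok == total else "non-conformant"}
    return report


if __name__ == "__main__":
    for policy, row in board_report(check_compliance(extract_measurements())).items():
        print(f"{policy:24s} {row['compliant']}/{row['checks']} ({row['percent']:.0f}%) {row['status']}")
```

The per-subject detail returned by check_compliance is what the tactical level uses to control the operational level (which host, which account), while the Board only sees the aggregated per-policy figure returned by board_report; the same database can be fed by hand or by scheduled extraction, which is why the extractors are kept separate from the clauses.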


Risk Management

                      Low Impact            High Impact
High Probability      Contain & Control     Prevent
Low Probability       Ignore                Insurance & Back-up Plan


Risk Management Approach


Risk Assessment


Risk Analysis: Process to identify all major risks



Risk Evaluation: Process to evaluate every major risk and to
allocate some value or size to the risk



Risk treatment


Process to identify and implement suitable controls to
mitigate the risk to an acceptable level
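The Risk Evaluation and Risk Treatment steps above, worked through in Python as an added example that is not from the slides or the author. Each register entry carries the quantities from the relationship diagram (asset value and exposure give the potential impact, threat likelihood gives the probability, controls in place reduce it), a risk value is allocated to each entry, and the probability/impact matrix from the Risk Management slide selects the treatment. The register entries, the 1..5 asset-value scale, the quadrant thresholds and the acceptable-risk level are constructed assumptions.

```python
"""Risk evaluation and treatment selection following the slides' risk model.
Added illustration; the register entries, scales and thresholds are constructed."""
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskItem:
    asset: str
    asset_value: int            # 1 (trivial) .. 5 (critical); drives potential impact
    threat: str
    threat_likelihood: float    # 0..1, chance the threat materialises in the period
    vulnerability: str
    exposure: float             # 0..1, share of the asset value lost if exploited
    control_effectiveness: float = 0.0  # 0..1, reduction achieved by controls in place


def evaluate(item: RiskItem) -> dict:
    """Risk Evaluation: allocate a value to the risk.

    Threats exploit vulnerabilities (probability); asset value and exposure give the
    potential impact; controls in place reduce the probability."""
    probability = item.threat_likelihood * (1.0 - item.control_effectiveness)
    impact = item.asset_value * item.exposure
    return {"probability": round(probability, 4), "impact": round(impact, 4),
            "risk": round(probability * impact, 4)}


def treatment(probability: float, impact: float,
              high_probability: float = 0.5, high_impact: float = 2.5) -> str:
    """Map a risk into the probability/impact matrix on the slides.

    Quadrant thresholds are constructed assumptions."""
    high_p = probability >= high_probability
    high_i = impact >= high_impact
    if high_p and high_i:
        return "Prevent"
    if high_p:
        return "Contain & Control"
    if high_i:
        return "Insurance & Back-up Plan"
    return "Ignore"


def assess(register: list[RiskItem], acceptable_risk: float = 1.0) -> list[dict]:
    """Risk Analysis + Evaluation over a register, highest risk first."""
    rows = []
    for item in register:
        v = evaluate(item)
        rows.append({"asset": item.asset, "threat": item.threat, **v,
                     "treatment": treatment(v["probability"], v["impact"]),
                     "acceptable": v["risk"] <= acceptable_risk})
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


def treat(item: RiskItem, control_effectiveness: float) -> dict:
    """Risk Treatment: apply a control and re-evaluate to obtain the residual risk."""
    return evaluate(replace(item, control_effectiveness=control_effectiveness))


# Constructed register (hypothetical assets, threats and figures).
REGISTER = [
    RiskItem("customer database", 5, "external intrusion", 0.6, "unpatched server", 0.8),
    RiskItem("staff laptops", 2, "theft", 0.7, "unencrypted disk", 0.5),
    RiskItem("data centre", 5, "fire", 0.05, "single site", 1.0),
    RiskItem("public website", 1, "defacement", 0.3, "weak admin password", 0.5),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(f"{row['asset']:18s} risk={row['risk']:.2f} -> {row['treatment']}")
    print("residual after patching + IDS:", treat(REGISTER[0], 0.7))
```

Running the register places the database intrusion in the Prevent quadrant and above the acceptable level; applying a control with 70% effectiveness (a constructed figure) brings the residual risk below the acceptable level and moves the item into the low-probability, high-impact quadrant, which is exactly the "mitigate to an acceptable level" outcome the treatment step asks for.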


Management involvement


Strategic Level


Indicates which major information-related risks bother
management



Tactical Level


Does Event/Impact Analysis to identify possible risks
based on questionnaires



Operational Level


Does the formal risk assessment and evaluation


ISG Organization


Operational Management


Implements the Information Security Management System by
creating Policies & Procedures, organizing Awareness
Programs, and implementing safeguards and controls to enforce
the CISP




Compliance Management


Receives data from IT Dept., Audit Dept., Users, and other
Depts., compiles and aggregates the data, finds out the
compliance and conformance status and reports to the BoD
for proper governance


Use of Standards in ISG


COBIT is a good best practices guideline for IT
Governance



ISO 27002 is a good best practices guideline for
Information Security Management System


COBIT Structure


Domains


Domains are Groups of Processes


Follow the Responsibility Domains and Management
Lifecycle



Processes


Processes are sequences of Activities / Tasks



Activities / Task


Activities and Tasks are needed to achieve a measurable
result


Activities have a life-cycle concept; tasks are more discrete


COBIT Domains


Planning and Organization



Acquisition and Implementation



Delivery and Support



Monitoring


Planning and Organization

Id      Process
PO1     Define a Strategic IT Plan
PO2     Define the Information Architecture
PO3     Determine Technological Direction
PO4     Define the IT Processes, Organization and Relationships
PO5     Manage the IT Investment
PO6     Communicate Management Aims and Direction
PO7     Manage IT Human Resources
PO8     Manage Quality
PO9     Assess and Manage IT Risks
PO10    Manage Projects


Acquisition and Implementation

Id      Process
AI1     Identify Automated Solutions
AI2     Acquire and Maintain Application Software
AI3     Acquire and Maintain Technology Infrastructure
AI4     Enable Operation and Use
AI5     Procure IT Resources
AI6     Manage Changes
AI7     Install and Accredit Solutions and Changes


Delivery and Support

Id      Process
DS1     Define and Manage Service Levels
DS2     Manage Third-party Services
DS3     Manage Performance and Capacity
DS4     Ensure Continuous Service
DS5     Ensure Systems Security
DS6     Identify and Allocate Costs
DS7     Educate and Train Users
DS8     Manage Service Desk and Incidents
DS9     Manage the Configuration
DS10    Manage Problems
DS11    Manage Data
DS12    Manage Physical Environment
DS13    Manage Operations


Monitor and Evaluate

Id      Process
ME1     Monitor and Evaluate IT Performance
ME2     Monitor and Evaluate Internal Control
ME3     Ensure Compliance with External Requirements
ME4     Provide IT Governance


Control Objectives of DS5

Control Id    Control Objective
DS5.1         Manage Security Measures
DS5.2         Identification, Authentication and Access
DS5.3         Security of Online Access to Data
DS5.4         User Account Management
DS5.5         Management Review of User Accounts
DS5.6         User Control of User Accounts
DS5.7         Security Surveillance
DS5.8         Data Classification
DS5.9         Central Identification and Access Rights Management
DS5.10        Violation and Security Activity Reports
DS5.11        Incident Handling


Control Objectives of DS5 (contd.)

Control Id    Control Objective
DS5.12        Re-accreditation
DS5.13        Counterparty Trust
DS5.14        Transaction Authorization
DS5.15        Non-Repudiation
DS5.16        Trusted Path
DS5.17        Protection of Security Functions
DS5.18        Cryptographic Key Management
DS5.19        Malicious Software Prevention, Detection and Correction
DS5.20        Firewall Architectures and Connections with Public Networks
DS5.21        Protection of Electronic Value


Use of COBIT in ISG Compliance


62 out of the 318 Control Objectives have a direct impact
on Information Security



These can be used to implement the monitoring and
compliance checking



ISO 27002 Structure


Provides a well-proven framework to implement
security within an organization



It offers a business-led approach to best practice for
information security management in the
organization



Information security is characterized within BS 7799
by preservation of


Confidentiality


Integrity


Availability



ISO 27002: Security Domains, Objectives
and Controls


It consists of:

11 Clauses

39 Security Categories

134 Controls




ISO 17799: SECURITY DOMAINS

DOMAIN NUMBER    NAME
5                SECURITY POLICY
6                ORGANIZATION OF INFORMATION SECURITY
7                ASSET MANAGEMENT
8                HUMAN RESOURCE SECURITY
9                PHYSICAL AND ENVIRONMENTAL SECURITY
10               COMMUNICATIONS AND OPERATIONS MANAGEMENT
11               ACCESS CONTROL
12               INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE
13               INFORMATION SECURITY INCIDENT MANAGEMENT
14               BUSINESS CONTINUITY MANAGEMENT
15               COMPLIANCE


Conclusion


Information Security Governance is part of
Corporate Governance



ISG encompasses ISMS and Compliance
Management



COBIT and ISO 27002 can be used to implement ISG



References


Solms and Solms, Information Security Governance, Springer, 2009

COBIT 4.1, ISACA

ISO 27002



THANK YOU