Post on 15-Jan-2015
Minnesota Office of the Legislative Auditor
COBIT
Barry Caplin
Chief Information Security Officer, Minnesota Department of Human Services
Christopher Buse
Information Technology Audit Manager, Minnesota Office of the Legislative Auditor
Agenda
• Need for an Information Security governance framework
• COBIT Framework overview
• Use of COBIT in the audit process
• Use of the COBIT Security Baseline at DHS
About Us
• Barry Caplin
  – CISO for DHS
  – Member of ISACA, ISSA, InfraGard
  – CISSP, CISA, CISM, ISSMP
• Christopher Buse
  – IT Audit Manager for OLA
  – Active in ISACA
  – CPA, CIA, CISA, CISSP
Information Security Governance
Why Adopt a Framework?
Information Security Governance
“a framework to provide assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations” – www.isaca.org
• Regulations – HIPAA, MGDPA, IRS, SSA, etc.
• Establish a program
• Based on standards and industry best practice
Information Security Governance
With Information Security Governance:
• information security strategy supports the business
• senior management supports information security
• defined roles and responsibilities
• reporting and communication
Information Security Governance
With Information Security Governance:
• regulatory issues and their impact are understood
• information security policies support business goals and objectives
• procedures and guidelines support information security policies
Happiness is sure to follow!
Information Security Governance
Without Information Security Governance:
• unclear security strategy inconsistently supports the business
• senior management can’t understand or support information security
• ad hoc roles and responsibilities
• lack of reporting and communication
Information Security Governance
Without Information Security Governance, JIT (just-in-time):
• regulatory compliance efforts
• information security policies
Out of sync with the business
Surprises and conflict
Information Security Governance
Who needs Security Governance?
We do!
Industry Best Practice
What do we need?
• Established and proven methodology
• National or international acceptance
• Ability to measure/audit
The 10,000 Foot View
Information Security Governance Hierarchy (diagram), with these layers:
• Information Lifecycle Management
• Compliance
• Information Policy
• Information Risk Management
• Information Security Governance Framework
COBIT
What’s it all About?
What is COBIT
• Control Objectives For Information and Related Technology
• Governance framework
  – Collection of controls that should be done at various levels in an organization
  – Outline of what must be done, not how
• Supporting toolset for
  – Management
  – Auditors
Strengths
• Outstanding support
• Incorporates work done by many others
• Business focused
• Publicly available
Support
• Overseen by the IT Governance Institute
  – Nonprofit and vendor neutral
  – Heavily supported
  – Well represented by industry, academia, and government
• COBIT R&D managed by a Steering Committee
  – Core team and working groups worldwide
  – Many expert reviewers
  – User feedback
• Now in 4th edition
Information Sources
• Over 40 recognized standards and best practices
• Sources underlying version 4.0 changes
  – Committee of Sponsoring Organizations of the Treadway Commission
    • Internal Control—Integrated Framework, 1994
    • Enterprise Risk Management—Integrated Framework, 2004
  – Office of Government Commerce, IT Infrastructure Library, 1999-2004
  – ISO/IEC 17799, Code of Practice for Information Security Management
  – Software Engineering Institute
    • SEI Capability Maturity Model, 1993
    • SEI Capability Maturity Model Integration, 2000
  – Project Management Institute, Project Management Body of Knowledge
  – Information Security Forum, The Standard of Good Practice for Information Security, 2003
Business Focus
• IT resources must be
  – Managed through standard processes
  – To meet business requirements
• Metrics and maturity models to measure performance
• Responsibilities of business and IT process owners identified
COBIT Framework
• 34 processes, grouped into 4 domains
  – Plan and Organize
  – Acquire and Implement
  – Deliver and Support
  – Monitor and Evaluate
• Handout: PO7 Manage IT Human Resources
Products
• Framework
  – Control Objectives
  – Control Practices
  – Management Guidelines
• Assurance
  – IT Assurance Guide
  – Control Objectives for SOX
• Governance
  – Implementation Guide
  – Quickstart
  – Security Baseline
  – Board Briefing
Cost
Still Interested?
• Visit the COBIT website
  – http://www.isaca.org
• Watch our local ISACA chapter for training opportunities
  – http://www.mnisaca.org
COBIT as an Audit Tool
Use of the COBIT Framework in the Office of the Legislative Auditor
Planning
• COBIT Summary Table used to scope projects
  – Audit focus: data integrity and confidentiality
  – Question: which control processes have a primary or secondary impact?
Reporting
• Criteria used to help draft report comments
• Discussions about issue severity follow the maturity model format
COBIT as a Management Tool
Use of the COBIT Security Baseline at the Department of Human Services
MN DHS
• Mission: helps people meet their basic needs so they can live in dignity and achieve their highest potential
• Consumers include:
  – seniors who need help paying for hospital and nursing home bills or who need home-delivered meals
  – families with children in a financial crisis
  – parents who need child support enforcement or child care money
  – people with physical or developmental disabilities who need assistance to live as independently as possible
MN DHS
• Direct service through
  • DHHS – Deaf and Hard of Hearing Services
  • SOS – State Operated Services, which includes
    – RTCs – Regional Treatment Centers, including St. Peter, Moose Lake
    – Forensics – St. Peter, Moose Lake, METO (MN Extended Treatment Options)
    – State-run group homes
    – New community-based treatment centers
    – State-run nursing home – Ah-Gwah-Ching
MN DHS
• Administrations (Divisions)
  • CFS – Children and Family Services – Child Support Enforcement, Endangerment, Social Services, Medical/Welfare Eligibility
  • Chemical and Mental Health Services – including SOS
  • Health Care Administration and Operations
  • Continuing Care
  • FMO – Finance and Management Operations – including Information Security, IT
MN DHS
• Programs are state-administered, county-delivered
  – Including MinnesotaCare, Medical Assistance, General Assistance Medical Care, mental health services, alternative care services, chemical dependency services and regional treatment center services
• One of the largest state agencies
• 2500 CO, 5000 SOS distributed staff
• State and federal funding
COBIT Use in State
• Chosen by CISO/Security Domain team for statewide security implementation
• Separate agency implementation
• Additional technical standards chosen: PCI, OWASP
COBIT and Security
• COBIT Security Baseline
• Includes mapping to ISO17799
• Guide for DHS implementation
• Identifies 39 “steps” (high-level projects)
• Multiple sub-projects
Maturity Model
Measure the maturity of the team/unit/organization to the high level control objectives. Are the processes:
• 0 – Non-existent
• 1 – Initial/Ad Hoc
• 2 – Repeatable but Intuitive
• 3 – Defined Process
• 4 – Managed and Measurable
• 5 – Optimized
Initial Baseline
Assess maturity of DHS Body of Policy and ISS projects and implementation using the Maturity Model
– Self rating – ISS
– “Inner circle” units – central IT, MSD
– Business customers – HCO, CFS, SOS, etc.
Implementation Steps
• Review initial maturity assessments
• Gap analysis
• Selection of initial metrics
• Prioritization of Phase 1 COBIT projects
• Documentation
• Implement Phase 1 projects
• Assess
• Iterate
Security Baseline Projects
Plan and Organize
• Step 1 – Define the Information Architecture
  – Security requirements
  – Projects:
• HIPAA Security Standard implementation
• ZOCA II
Security Baseline Projects
Acquire and Implement
• Step 10 – Identify Automated Solutions
  – Consider security risks of automated solutions
  – Projects:
• Vendor Security Questionnaire
• Risk Assessment
• Vulnerability Assessment
Security Baseline Projects
Monitor and Evaluate
• Step 38 – Monitor Performance of Security Controls
  – Periodically: assess controls, reassess exceptions, evaluate effectiveness, monitor compliance
  – Projects:
    • Vulnerability Assessment
    • IPW – Information Policy Workgroup
    • SPCR – Security Policy Compliance Review
Information Lifecycle Management
(Diagram) Lifecycle phases: Concept, Analysis, Design, Develop, Deploy, Operate
Risk management tracks across the lifecycle:
• I.T. Security Risk Management
• Business Continuity Planning
• Privacy Risk Management
• Business Risk Management
Activities shown in the diagram: Privacy Requirements Analysis (PIA), Privacy Plan (PIA), Preliminary Risk Analysis, Business Risk Analysis, Project Risk Tracking, IT Risk Mitigation Plan (TRA), IT Security Test Plan, IT Risk Audit & Certification, IT Risk Requirements Plan (TRA), Business Impact Analysis, BCP/DRP, Incident Response Plans, BCP/DRP Testing & Maintenance, Privacy Audit, Project Risk Management, Program Audit
*From http://www.cacr.math.uwaterloo.ca/conferences/2005/psw/gingras.ppt
Supporting Work
• Risk Analysis
• Business Impact Analysis (BIA)
• Business Continuity Plan (BCP/DRP)
• Test Plans
• Vulnerability Analysis
• Incident Response Plan
Discussion?